-
Notifications
You must be signed in to change notification settings - Fork 320
/
backend.yml
112 lines (105 loc) · 3.68 KB
/
backend.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFormation template for Hotel App with DynamoDB and App Runner, without networking.
Parameters:
HotelName:
Type: String
Default: AWS App Runner Hotel
Description: Enter a name for the Hotel. Default is AWS App Runner Hotel.
Environment:
Type: String
Default: dev
Description: Enter a name for the Environment. Default is dev, this is used later in the workshop to tag the environments
Resources:
# DynamoDB Table for Rooms
RoomsTable:
Type: "AWS::DynamoDB::Table"
Properties:
TableName: !Sub "Rooms-${AWS::StackName}-${AWS::Region}"
AttributeDefinitions:
- AttributeName: "id"
AttributeType: "N"
KeySchema:
- AttributeName: "id"
KeyType: "HASH"
ProvisionedThroughput:
ReadCapacityUnits: 5
WriteCapacityUnits: 5
SSESpecification:
SSEEnabled: true # Enable server-side encryption for the table
# IAM Role for App Runner to access DynamoDB
AppRunnerInstanceRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub "AppRunnerHotelAppRole-${AWS::StackName}-${AWS::Region}"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service:
- tasks.apprunner.amazonaws.com
Action:
- "sts:AssumeRole"
Policies:
- PolicyName: AppRunnerDynamoDBPermissions
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "dynamodb:PutItem"
- "dynamodb:GetItem"
- "dynamodb:Scan"
- "dynamodb:UpdateItem"
Resource: !GetAtt RoomsTable.Arn
- PolicyName: AppRunnerServiceRolePolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "logs:CreateLogGroup"
- "logs:PutRetentionPolicy"
Resource: "arn:aws:logs:*:*:log-group:/aws/apprunner/*"
- Effect: Allow
Action:
- "logs:CreateLogStream"
- "logs:PutLogEvents"
- "logs:DescribeLogStreams"
Resource: "arn:aws:logs:*:*:log-group:/aws/apprunner/*:log-stream:*"
# IAM Role for ECR Access
AppRunnerECRAccessRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub "AppRunnerHotelAppECRAccessRole-${AWS::StackName}-${AWS::Region}"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service:
- build.apprunner.amazonaws.com
Action:
- "sts:AssumeRole"
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"
#Sample Alarm - we will use this later to prove AWS CodePipeline Condition Gates
DynamoDBReadCapacityAlarm:
Type: "AWS::CloudWatch::Alarm"
Properties:
AlarmName: !Sub "HighReadCapacityAlarm-${AWS::StackName}-${AWS::Region}"
AlarmDescription: "Alarm if DynamoDB read capacity exceeds 80% of provisioned units"
Namespace: "AWS/DynamoDB"
MetricName: "ConsumedReadCapacityUnits"
Dimensions:
- Name: "TableName"
Value: !Ref RoomsTable
Statistic: "Average"
Period: 60
EvaluationPeriods: 1
Threshold: 4 # 80% of 5 ReadCapacityUnits
ComparisonOperator: "GreaterThanThreshold"
Outputs:
DynamoDBTableName:
Description: "Name of the DynamoDB Table"
Value: !Ref RoomsTable