-
Notifications
You must be signed in to change notification settings - Fork 0
/
template.yaml
157 lines (140 loc) · 4.56 KB
/
template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
Create a simple aip gateway that services access to s3 objects with lambda serving an s3 proxy mechanism
Parameters:
EnableCloudWatchMonitoring:
Type: String
Description: >
Flag to enable CloudWatch request metrics from S3 Object Lambda. This also creates CloudWatch alarms
to monitor the request metrics.
Default: false
AllowedValues: [ true, false ]
LambdaFunctionPayload:
Type: String
Default: ""
Description: An optional static payload that provides supplemental data to the Lambda function used to transform objects.
Resources:
Bucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub ${AWS::StackName}-assets
Tags:
- Key: Name
Value: !Sub ${AWS::StackName}-assets
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
DeletionPolicy: Delete
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref Bucket
PolicyDocument:
Version: 2012-10-17
Statement:
- Action: '*'
Effect: Allow
Resource:
- !GetAtt Bucket.Arn
- !Sub
- '${bucketARN}/*'
- bucketARN: !GetAtt Bucket.Arn
Principal:
AWS: '*'
Condition:
StringEquals:
's3:DataAccessPointAccount': !Sub ${AWS::AccountId}
# Using an EIP for the public addressing of the ec2 instead of simply using the PublicDnsName of the ec2 to avoid
# a circular reference between LambdaFunction, ObjectLambdaAccessPoint and EC2 resources.
EC2EIP:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
LambdaLogsGroup:
Type: AWS::Logs::LogGroup
DeletionPolicy: Delete
Properties:
LogGroupName: !Sub /aws/lambda/${AWS::StackName}-s3-proxy
RetentionInDays: 90
LambdaFunction:
Type: AWS::Serverless::Function
Properties:
FunctionName: !Sub ${AWS::StackName}-s3-proxy
Description: Receives https originated requests for s3 content and conditionally returns after applying authorization logic.
Runtime: nodejs14.x
Architectures: [ x86_64 ]
CodeUri: ./
Handler: src/Handler.GetAsset
Timeout: 60
Environment:
Variables:
S3_REGION: !Ref AWS::Region
S3_BUCKET: !Ref Bucket
EC2_HOSTNAME: !GetAtt EC2EIP.PublicIp
# EC2_HOSTNAME: !GetAtt EC2.Outputs.PublicDnsName
Policies:
- S3CrudPolicy:
BucketName: !Ref Bucket
- Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- logs:*
Resource:
- !GetAtt LambdaLogsGroup.Arn
- Effect: Allow
Action:
s3-object-lambda:WriteGetObjectResponse
Resource:
'*'
SupportingAccessPoint:
Type: AWS::S3::AccessPoint
Properties:
Bucket: !Ref Bucket
Name: !Sub ${AWS::StackName}-ap
ObjectLambdaAccessPoint:
Type: AWS::S3ObjectLambda::AccessPoint
Properties:
Name: !Sub ${AWS::StackName}-olap
ObjectLambdaConfiguration:
AllowedFeatures:
- GetObject-Range
- GetObject-PartNumber
- HeadObject-Range
- HeadObject-PartNumber
CloudWatchMetricsEnabled: !Ref EnableCloudWatchMonitoring
SupportingAccessPoint: !GetAtt SupportingAccessPoint.Arn
TransformationConfigurations:
- Actions:
- GetObject
ContentTransformation:
AwsLambda:
FunctionArn: !GetAtt LambdaFunction.Arn
FunctionPayload: !Ref LambdaFunctionPayload
EC2:
Type: AWS::Serverless::Application
Properties:
Location: ./ec2.yaml
Tags:
Name: !Sub ${AWS::StackName}-ec2
TimeoutInMinutes: 30
Parameters:
S3BucketName: !Ref Bucket
ObjectLambdaAccessPointName: !Ref ObjectLambdaAccessPoint
ElasticIP: !GetAtt EC2EIP.PublicIp
LambdaArn: !GetAtt LambdaFunction.Arn
EC2EIPAssociation:
Type: AWS::EC2::EIPAssociation
Properties:
AllocationId: !GetAtt EC2EIP.AllocationId
InstanceId: !GetAtt EC2.Outputs.InstanceId
Outputs:
AssetBucketName:
Description: The name of the assets bucket
Value: !Ref Bucket
ElasticIP:
Description: The public elastic ip url for the ec2 instance.
Value: !GetAtt EC2EIP.PublicIp