generated from Sage-Bionetworks-IT/lambda-template
-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathtemplate.yaml
119 lines (112 loc) · 3.76 KB
/
template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
ALB rule-making lambda
Parameters:
OidcClientSecretKeyName:
Description: 'The name of the key that stores the OAuth 2.0 client secret'
Type: String
OidcIssuer:
Description: 'The OIDC issuer identifier of the identity provider'
Type: String
OidcAuthorizationEndpoint:
Description: 'The authorization endpoint of the identity provider'
Type: String
OidcTokenEndpoint:
Description: 'The token endpoint of the identity provider'
Type: String
OidcUserInfoEndpoint:
Description: 'The user info endpoint of the identity provider'
Type: String
OidcClientId:
Description: 'The OAuth 2.0 client identifier'
Type: String
KmsDecryptPolicyArn:
Description: 'The ARN of the KMS decryption policy'
Type: String
SessionCookieNamePrefix:
Description: 'The prefix of the name of the cookie storing the user authentication information'
Type: String
SessionTimeout:
Description: 'The duration (in seconds) for which an access token is kept before retrieving a new one'
Type: Number
Default: 86400
Globals:
Function:
Timeout: 30
Resources:
ALBListenerRuleFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: ruler/
Handler: app.handler
Runtime: python3.11
Role: !GetAtt ALBListenerRuleFunctionRole.Arn
Environment:
Variables:
OIDC_CLIENT_SECRET_KEYNAME: !Ref OidcClientSecretKeyName
OIDC_ISSUER: !Ref OidcIssuer
OIDC_AUTHORIZATION_ENDPOINT: !Ref OidcAuthorizationEndpoint
OIDC_TOKEN_ENDPOINT: !Ref OidcTokenEndpoint
OIDC_USER_INFO_ENDPOINT: !Ref OidcUserInfoEndpoint
OIDC_CLIENT_ID: !Ref OidcClientId
SESSION_COOKIE_NAME_PREFIX: !Ref SessionCookieNamePrefix
SESSION_TIMEOUT: !Ref SessionTimeout
ALBListenerRuleFunctionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
- !Ref ALBListenerRuleFunctionPolicy
- !Ref SsmManagedPolicy
- !Ref KmsDecryptPolicyArn
ALBListenerRuleFunctionPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: DoElbStuff
Effect: 'Allow'
Action:
- 'elasticloadbalancing:*'
Resource: '*'
SsmManagedPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: GetParamAccess
Action:
- 'ssm:*'
Effect: Allow
Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter${OidcClientSecretKeyName}'
Outputs:
ALBListenerRuleFunctionName:
Value: !Ref ALBListenerRuleFunction
Export:
Name: !Sub '${AWS::Region}-${AWS::StackName}-FunctionName'
ALBListenerRuleFunctionArn:
Value: !GetAtt ALBListenerRuleFunction.Arn
Export:
Name: !Sub '${AWS::Region}-${AWS::StackName}-FunctionArn'
ALBListenerRuleFunctionRole:
Description: 'Role reference for the Ruler lambda'
Value: !Ref ALBListenerRuleFunctionRole
Export:
Name: !Sub '${AWS::Region}-${AWS::StackName}-ALBListenerRuleFunctionRole'
ALBListenerRuleFunctionRoleArn:
Description: 'Role ARN for the Ruler lambda'
Value: !GetAtt ALBListenerRuleFunctionRole.Arn
Export:
Name: !Sub '${AWS::Region}-${AWS::StackName}-ALBListenerRuleFunctionRoleArn'