AWSTemplateFormatVersion: "2010-09-09" Description: "sosw_orchestrator" Parameters: ExecutionPolicy: Description: "Managed execution policy for sosw lambdas." Type: String Default: 'AWSLambdaBasicExecutionRole' ConfigTableName: Description: "Config Table." Type: String Default: 'config' Resources: LambdaSoswOrchestratorRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - "lambda.amazonaws.com" Action: - "sts:AssumeRole" Path: "/" ManagedPolicyArns: - !Sub "arn:aws:iam::aws:policy/service-role/${ExecutionPolicy}" Policies: - PolicyName: "SoswOrchestratorPermissions" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: "dynamodb:*" Resource: # - !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}/table/${Fn::ImportValue: 'sosw-ddb-tasks'}/*" - Fn::Join: - ':' - - !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}" - Fn::Join: - '/' - - "table" - Fn::ImportValue: "sosw-ddb-tasks" - "*" - Fn::Join: - ':' - - "arn:aws:dynamodb" - !Ref AWS::Region - !Ref AWS::AccountId - Fn::Join: - '/' - - "table" - Fn::ImportValue: "sosw-ddb-tasks" # Closed tasks table and indexes - Effect: "Allow" Action: - "dynamodb:BatchGetItem" - "dynamodb:Describe*" - "dynamodb:Get*" - "dynamodb:Query" Resource: - Fn::Join: - ':' - - "arn:aws:dynamodb" - !Ref AWS::Region - !Ref AWS::AccountId - Fn::Join: - '/' - - "table" - Fn::ImportValue: "sosw-ddb-tasks-closed" - "index" - "*" - Fn::Join: - ':' - - "arn:aws:dynamodb" - !Ref AWS::Region - !Ref AWS::AccountId - Fn::Join: - '/' - - "table" - Fn::ImportValue: "sosw-ddb-tasks-closed" # CloudWatch metrics required for Ecology Client - Effect: "Allow" Action: "cloudwatch:GetMetric*" Resource: "*" # This allows Orchestrator to invoke ANY of your functions. This is far from a good security practice. # Please use the commented below example where you specify at least a prefix of function names. - Effect: "Allow" Action: - "lambda:InvokeFunction" - "lambda:Get*" Resource: "*" # Better example # - Effect: "Allow" # Action: "lambda:InvokeFunction" # Resource: # - Fn::Join: # - ':' # - - "arn:aws:lambda" # - !Ref AWS::Region # - !Ref AWS::AccountId # - 'function' # - 'sosw_managed_*' - Effect: "Allow" Action: "s3:*" Resource: - Fn::Join: - ':' - - "arn:aws:s3::" - Fn::Join: - '/' - - Fn::ImportValue: 'sosw-s3-bucket' - "sosw/*" # You can provide access explicitly here, but we normally recommend keeping it in the Custom policy of ConfigTable. # See examples/yaml/sosw-shared-dynamodb.yaml - Effect: "Allow" Action: - "dynamodb:Query" - "dynamodb:DescribeTable" Resource: - !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ConfigTableName}" RoleName: "lambda_sosw_orchestrator" ################################# # Lambda Function for Essential # ################################# LambdaSoswOrchestrator: Type: "AWS::Lambda::Function" Properties: Code: S3Bucket: !Sub "sosw-s3-${AWS::AccountId}" S3Key: "sosw/packages/sosw_orchestrator.zip" Description: "ABS. CloudFormation managed sosw Orchestrator." FunctionName: "sosw_orchestrator" Handler: "app.lambda_handler" MemorySize: 256 Role: !GetAtt LambdaSoswOrchestratorRole.Arn Runtime: "python3.7" Timeout: 60 Tags: - Key: 'Environment' Value: 'dev' ############################################## # Permissions for CloudWatch ScheduledEvents # # The actual Rules are configured in the # # scheduled-rules.yaml template. # ############################################## PermissionForEventsToInvokeLambdaSoswOrchestrator: Type: "AWS::Lambda::Permission" Properties: FunctionName: Ref: "LambdaSoswOrchestrator" Action: "lambda:InvokeFunction" Principal: "events.amazonaws.com" ############################################# # Export Values to CloudFormation Namespace # ############################################# Outputs: LambdaSoswOrchestrator: Description: "Sosw Orchestrator Essential" Value: !GetAtt LambdaSoswOrchestrator.Arn Export: Name: "sosw-lambda-orchestrator"