forked from awslabs/aws-lambda-redshift-loader
-
Notifications
You must be signed in to change notification settings - Fork 0
/
deploy-vpc.yaml
128 lines (122 loc) · 4.62 KB
/
deploy-vpc.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
#This is deploy.yaml V 0.9.1
#This file will set up most of what is needed to configure the Lambda Redshift database
#loader
#It will not create the KMS key required for encrypting the database password
#The user will need to create that key and assign it the alias "LambdaRedshiftLoaderKey"
#The config script will use the key by its alias
#
#Parameters and notes
#
#AvailabilityZone - Note that the stack will create in the current region by default, and
# the list of availability zones available will be created based on the
# region in which the user is creating the CloudFormation stack
#SecurityGroup - sets up the networking. Will require SSH and default Redshift port
# access.
#KeyName - the access key for SSH access to the driver EC2 instance.
#SubnetId - The subnet within your selected availability zone to use for the
# driver EC2 instance. Note that CloudFormation will *not* cross-check
# at runtime to verify that the subnet and availability zone match.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
KmsKeyArn:
Description: "The KMS Key to use for Encryption of the database password"
Type: String
SecurityGroups:
Default: mygroup1, mygroup2
Description: Security Groups as CSV list to use for the deployed function (may be required for Redshift security policy)
Type: CommaDelimitedList
SubnetIds:
Default: subnet1, subnet2, subnet3
Description: List of private Subnets in VPC in which the function will egress network connections
Type: CommaDelimitedList
Resources:
RedshiftLoaderIamPolicy:
Type: "AWS::IAM::Policy"
Properties:
PolicyName: "RedshiftLambdaLoaderPolicy"
Roles:
- !Ref LambdaTriggerRole
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "dynamodb:CreateTable"
- "dynamodb:PutItem"
- "dynamodb:DeleteItem"
- "dynamodb:GetItem"
- "dynamodb:Scan"
- "dynamodb:Query"
- "dynamodb:UpdateItem"
- "dynamodb:DeleteTable"
- "dynamodb:UpdateTable"
- "dynamodb:GetRecords"
Resource:
- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/LambdaRedshiftBatches
- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/LambdaRedshiftBatchLoadConfig
- !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/LambdaRedshiftProcessedFiles
- Effect: "Allow"
Action:
- "lambda:CreateFunction"
- "lambda:AddPermission"
- "lambda:InvokeFunction"
- "lambda:GetFunction"
- "lambda:GetFunctionConfiguration"
- "lambda:DeleteFunction"
- "lambda:GetPolicy"
Resource:
'Fn::GetAtt':
- LambdaTriggerFunction
- Arn
- Effect: "Allow"
Action:
- "dynamodb:ListTables"
- "lambda:ListFunctions"
- "s3:List*"
- "s3:GetObject"
- "s3:PutObject"
- "logs:CreateLogStream"
- "logs:PutLogEvents"
Resource: "*"
- Effect: "Allow"
Action:
- "kms:Encrypt"
- "kms:Decrypt"
- "kms:ReEncrypt*"
- "kms:GenerateDataKey*"
- "kms:DescribeKey"
Resource: !Ref KmsKeyArn
LambdaTriggerRole:
Type: "AWS::IAM::Role"
Properties:
Path: "/"
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
LambdaTriggerFunction:
Type: 'AWS::Lambda::Function'
Properties:
FunctionName: 'LambdaRedshiftLoader'
Handler: index.handler
Role:
'Fn::GetAtt':
- LambdaTriggerRole
- Arn
Code:
S3Bucket: !Sub awslabs-code-${AWS::Region}
S3Key: 'LambdaRedshiftLoader/AWSLambdaRedshiftLoader-2.8.2.zip'
Runtime: nodejs12.x
VpcConfig:
SecurityGroupIds:
!Ref SecurityGroups
SubnetIds:
!Ref SubnetIds