@gwsu2008
Created August 9, 2020 15:15
Cloudformation-InLine-Lambda.yml
# Fragment for the Resources section of a template. EndPointService, StackName
# and ServiceName are referenced here but are not defined in this snippet.
EndpointServiceTag:
  Type: 'AWS::Lambda::Function'
  Properties:
    Handler: index.lambda_handler
    Role: !GetAtt LambdaRole.Arn
    Code:
      ZipFile: |
        import json
        import boto3
        import cfnresponse

        client = boto3.client('ec2')

        def lambda_handler(event, context):
            # The full event, including the pre-signed ResponseURL, is written to CloudWatch Logs.
            print("Received event: " + json.dumps(event, indent=2))
            responseData = {}
            try:
                if event['RequestType'] == 'Delete':
                    # Tags disappear with the endpoint service, so there is nothing to clean up.
                    print("Nothing to delete")
                elif event['RequestType'] == 'Create' or event['RequestType'] == 'Update':
                    print("Request Type:", event['RequestType'])
                    endpoint_service_id = event['ResourceProperties']['EndpointServiceId']
                    tag_value = event['ResourceProperties']['TagValue']
                    print("Endpoint service id: {}".format(endpoint_service_id))
                    print("Tag value: {}".format(tag_value))
                    # Set the Name tag on the VPC endpoint service.
                    response = client.create_tags(Resources=[endpoint_service_id], Tags=[{'Key': 'Name', 'Value': tag_value}])
                    print(response)
                # Reached for Delete as well, so CloudFormation always receives a status.
                print("Sending response to custom resource")
                responseStatus = 'SUCCESS'
            except Exception as e:
                print('Failed to process:', e)
                responseStatus = 'FAILED'
                responseData = {'FAILED': 'Check Cloudwatch Logs for errors.'}
            # Without this call the stack operation waits until the custom resource times out.
            cfnresponse.send(event, context, responseStatus, responseData)
    # python3.6 is no longer accepted by Lambda for new functions; use a currently supported Python runtime.
    Runtime: python3.6
    Timeout: 60
LambdaRole:
  Type: AWS::IAM::Role
  Properties:
    Path: /
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Action: 'sts:AssumeRole'
          Effect: Allow
          Principal:
            Service:
              'lambda.amazonaws.com'
    Policies:
      - PolicyName: !Sub ${StackName}-VPCE-access
        PolicyDocument:
          Statement:
            # The handler calls only ec2:CreateTags and writes logs; 'tag:*',
            # 'ec2:Describe*', 'ec2:DeleteTags' and Resource '*' grant more than it uses.
            - Sid: LambdaExecuteRole
              Effect: 'Allow'
              Action:
                - 'tag:*'
                - 'ec2:Describe*'
                - 'ec2:CreateTags'
                - 'ec2:DeleteTags'
                - 'logs:CreateLogGroup'
                - 'logs:CreateLogStream'
                - 'logs:PutLogEvents'
              Resource: '*'
TagEndpointService:
  Type: Custom::EndpointServiceTag
  DependsOn:
    - LambdaRole
    - EndpointServiceTag
    - EndPointService
  Properties:
    # ServiceToken points the custom resource at the tagging function above.
    ServiceToken: !GetAtt EndpointServiceTag.Arn
    EndpointServiceId: !Ref EndPointService
    TagValue: !Sub "${StackName}-${ServiceName}-vpce"