@mjzone
Created April 27, 2024 21:17
# serverless.yml: two Lambda functions hitting one DynamoDB table. The table carries a
# resource-based policy (RBP) that denies data-plane calls unless they arrive through
# the DynamoDB gateway VPC endpoint, so only the function deployed into the VPC can read it.
service: vpc-access-demo

provider:
  name: aws
  runtime: nodejs16.x
  region: us-west-1
  iam:
    role:
      statements:
        # Identity policy for both functions: GetItem on this table only.
        # The resource policy below is evaluated in addition to this; an explicit
        # Deny there wins over this Allow.
        - Effect: Allow
          Action:
            - dynamodb:GetItem
          Resource:
            - "Fn::GetAtt": [MJZoneRBPTable, Arn]

functions:
  # Deployed into the VPC; its subnets must route DynamoDB traffic to ddbVPCEndpoint
  # for aws:SourceVpce to be present in the request context.
  vpcLambda:
    handler: handler.vpcLambda
    vpc:
      securityGroupIds:
        - sg-018583fbee298d0c6
      subnetIds:
        - subnet-0ad7a47aa7f612345
        - subnet-098f34a53c7512345
    environment:
      DYNAMODB_TABLE: "mjzone-rbp-table"
  # Not in the VPC: reaches DynamoDB over the public endpoint, so aws:SourceVpce is absent
  # and the Deny statement applies. GetItem from this function is expected to fail with
  # AccessDeniedException even though the IAM role allows it.
  nonVpcLambda:
    handler: handler.nonVpcLambda
    environment:
      DYNAMODB_TABLE: "mjzone-rbp-table"

resources:
  Resources:
    MJZoneRBPTable:
      Type: "AWS::DynamoDB::Table"
      Properties:
        TableName: "mjzone-rbp-table"
        BillingMode: PAY_PER_REQUEST
        AttributeDefinitions:
          - AttributeName: "pk"
            AttributeType: "S"
        KeySchema:
          - AttributeName: "pk"
            KeyType: "HASH"
        ResourcePolicy:
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Principal "*" with Effect Deny applies to every caller in or outside the
              # account, including administrators and the console. Anyone who needs
              # data-plane access must come through the endpoint or be excluded explicitly.
              - Sid: DenyAccessUnlessViaVPCEndpoint
                Effect: Deny
                Principal: "*"
                # Only these actions are denied. Scan, TransactGetItems/TransactWriteItems,
                # ConditionCheckItem and the PartiQL actions (ExecuteStatement,
                # BatchExecuteStatement, ExecuteTransaction) are not listed, so a role that
                # holds them can still read or write the table from outside the VPC.
                Action:
                  - dynamodb:GetItem
                  - dynamodb:Query
                  - dynamodb:PutItem
                  - dynamodb:UpdateItem
                  - dynamodb:DeleteItem
                  - dynamodb:BatchGetItem
                  - dynamodb:BatchWriteItem
                # The table cannot reference its own ARN with Fn::GetAtt inside its own
                # definition (circular), hence the literal ARN; the account ID is a placeholder.
                Resource: arn:aws:dynamodb:us-west-1:123456665536:table/mjzone-rbp-table
                Condition:
                  # StringNotEquals is a negated operator: when aws:SourceVpce is missing from
                  # the request context (public-endpoint traffic) the condition is TRUE and the
                  # Deny fires. Traffic through a different VPC endpoint is denied as well.
                  StringNotEquals:
                    aws:SourceVpce: !Ref ddbVPCEndpoint
    ddbVPCEndpoint:
      Type: AWS::EC2::VPCEndpoint
      Properties:
        ServiceName: com.amazonaws.us-west-1.dynamodb
        VpcEndpointType: Gateway
        VpcId: vpc-0bf32d97b40191234
        # A Gateway endpoint only takes effect for subnets whose route table is associated
        # with it (RouteTableIds). Without that association for the two subnets above,
        # vpcLambda's requests do not carry aws:SourceVpce and are denied like nonVpcLambda's.
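Whether the Deny statement above fires depends on one IAM evaluation rule that is easy to get backwards: a negated operator such as StringNotEquals evaluates to true when the condition key is absent from the request context, which is exactly the case for a call that never traversed a VPC endpoint. The script below is an added example, not part of the gist, that models that evaluation for the statement's Action list and Condition against constructed request contexts for the two functions. The endpoint ID, account ID and IP address are placeholders.

```python
# Added example (not from the gist): a minimal model of how IAM evaluates the
# DenyAccessUnlessViaVPCEndpoint statement from the serverless.yml above.
# ENDPOINT_ID stands in for !Ref ddbVPCEndpoint; the account ID and request
# contexts are constructed placeholders.

ENDPOINT_ID = "vpce-0123456789abcdef0"
TABLE_ARN = "arn:aws:dynamodb:us-west-1:123456789012:table/mjzone-rbp-table"

DENY_STATEMENT = {
    "Sid": "DenyAccessUnlessViaVPCEndpoint",
    "Effect": "Deny",
    "Principal": "*",
    "Action": [
        "dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem",
        "dynamodb:UpdateItem", "dynamodb:DeleteItem",
        "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem",
    ],
    "Resource": TABLE_ARN,
    "Condition": {"StringNotEquals": {"aws:SourceVpce": ENDPOINT_ID}},
}


def _lookup(context, key):
    """Condition key names are case-insensitive in IAM; values are compared as-is."""
    for k, v in context.items():
        if k.lower() == key.lower():
            return v
    return None


def condition_matches(condition, context):
    """True when every (operator, key) pair in the Condition block is satisfied."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected_values = expected if isinstance(expected, list) else [expected]
            actual = _lookup(context, key)
            if operator == "StringEquals":
                # Positive operator: a missing key means the condition is NOT met.
                if actual is None or actual not in expected_values:
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: a missing key means the condition IS met. This is
                # what makes the Deny fire for traffic that never used a VPC endpoint
                # (nonVpcLambda, the console, the CLI from a laptop).
                if actual is not None and actual in expected_values:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def statement_applies(statement, action, resource, context):
    """Action and Resource must match before the Condition is consulted at all."""
    if action not in statement["Action"] or resource != statement["Resource"]:
        return False
    return condition_matches(statement["Condition"], context)


def evaluate(action, resource, context, identity_policy_allows=True):
    """Simplified IAM decision: an explicit Deny in the resource policy beats any Allow;
    otherwise the caller's identity policy (the function's IAM role) decides."""
    if DENY_STATEMENT["Effect"] == "Deny" and statement_applies(DENY_STATEMENT, action, resource, context):
        return "DENY (explicit deny in resource policy)"
    return "ALLOW" if identity_policy_allows else "DENY (implicit, no matching Allow)"


# Constructed request contexts for the two functions in the serverless.yml.
VIA_ENDPOINT = {"aws:SourceVpce": ENDPOINT_ID}                 # vpcLambda, subnet routed to the gateway endpoint
FROM_INTERNET = {"aws:SourceIp": "203.0.113.10"}               # nonVpcLambda: no endpoint, so no aws:SourceVpce key
OTHER_ENDPOINT = {"aws:SourceVpce": "vpce-0fedcba9876543210"}  # a DynamoDB endpoint in some other VPC

if __name__ == "__main__":
    for label, ctx in [("vpcLambda", VIA_ENDPOINT), ("nonVpcLambda", FROM_INTERNET), ("other VPC", OTHER_ENDPOINT)]:
        print(f"{label:14} GetItem -> {evaluate('dynamodb:GetItem', TABLE_ARN, ctx)}")
    # Gap in the statement's Action list: Scan is not denied, so a role that holds
    # dynamodb:Scan can still dump the table from outside the VPC.
    print(f"{'nonVpcLambda':14} Scan    -> {evaluate('dynamodb:Scan', TABLE_ARN, FROM_INTERNET)}")
```

Running it shows GetItem allowed only for the context carrying the endpoint's ID, denied both for the public-endpoint context and for a foreign endpoint, and Scan from the public endpoint passing the resource policy untouched; the last line is the reason to enumerate every data-plane action (or use a NotAction/Allow-list design) rather than the seven listed in the gist.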