mjzone · April 27, 2024 21:17
diff --git a/config.yml b/config.yml
 service: vpc-access-demo

 provider:
  name: aws
  runtime: nodejs16.x
  region: us-west-1
  iam:
    role:
      statements:
        - Effect: Allow
          Action:
            - dynamodb:GetItem
          Resource:
            - "Fn::GetAtt": [MJZoneRBPTable, Arn]

 functions:
  vpcLambda:
    handler: handler.vpcLambda
    vpc:
      securityGroupIds:
        - sg-018583fbee298d0c6
      subnetIds:
        - subnet-0ad7a47aa7f612345
        - subnet-098f34a53c7512345
    environment:
      DYNAMODB_TABLE: "mjzone-rbp-table"

  nonVpcLambda:
    handler: handler.nonVpcLambda
    environment:
      DYNAMODB_TABLE: "mjzone-rbp-table"

 resources:
  Resources:
    MJZoneRBPTable:
      Type: "AWS::DynamoDB::Table"
      Properties:
        TableName: "mjzone-rbp-table"
        BillingMode: PAY_PER_REQUEST
        AttributeDefinitions:
          - AttributeName: "pk"
            AttributeType: "S"
        KeySchema:
          - AttributeName: "pk"
            KeyType: "HASH"
        ResourcePolicy:
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: DenyAccessUnlessViaVPCEndpoint
                Effect: Deny
                Principal: "*"
                Action: 
                  - dynamodb:GetItem
                  - dynamodb:Query
                  - dynamodb:PutItem
                  - dynamodb:UpdateItem
                  - dynamodb:DeleteItem
                  - dynamodb:BatchGetItem
                  - dynamodb:BatchWriteItem
                Resource: arn:aws:dynamodb:us-west-1:123456665536:table/mjzone-rbp-table
                Condition:
                  StringNotEquals:
                    aws:sourceVpce: !Ref ddbVPCEndpoint
    ddbVPCEndpoint:
      Type: AWS::EC2::VPCEndpoint
      Properties:
        ServiceName: com.amazonaws.us-west-1.dynamodb
        VpcEndpointType: Gateway
        VpcId: vpc-0bf32d97b40191234
	service: vpc-access-demo

	provider:
	name: aws
	runtime: nodejs16.x
	region: us-west-1
	iam:
	role:
	statements:
	- Effect: Allow
	Action:
	- dynamodb:GetItem
	Resource:
	- "Fn::GetAtt": [MJZoneRBPTable, Arn]

	functions:
	vpcLambda:
	handler: handler.vpcLambda
	vpc:
	securityGroupIds:
	- sg-018583fbee298d0c6
	subnetIds:
	- subnet-0ad7a47aa7f612345
	- subnet-098f34a53c7512345
	environment:
	DYNAMODB_TABLE: "mjzone-rbp-table"

	nonVpcLambda:
	handler: handler.nonVpcLambda
	environment:
	DYNAMODB_TABLE: "mjzone-rbp-table"

	resources:
	Resources:
	MJZoneRBPTable:
	Type: "AWS::DynamoDB::Table"
	Properties:
	TableName: "mjzone-rbp-table"
	BillingMode: PAY_PER_REQUEST
	AttributeDefinitions:
	- AttributeName: "pk"
	AttributeType: "S"
	KeySchema:
	- AttributeName: "pk"
	KeyType: "HASH"
	ResourcePolicy:
	PolicyDocument:
	Version: "2012-10-17"
	Statement:
	- Sid: DenyAccessUnlessViaVPCEndpoint
	Effect: Deny
	Principal: "*"
	Action:
	- dynamodb:GetItem
	- dynamodb:Query
	- dynamodb:PutItem
	- dynamodb:UpdateItem
	- dynamodb:DeleteItem
	- dynamodb:BatchGetItem
	- dynamodb:BatchWriteItem
	Resource: arn:aws:dynamodb:us-west-1:123456665536:table/mjzone-rbp-table
	Condition:
	StringNotEquals:
	aws:sourceVpce: !Ref ddbVPCEndpoint
	ddbVPCEndpoint:
	Type: AWS::EC2::VPCEndpoint
	Properties:
	ServiceName: com.amazonaws.us-west-1.dynamodb
	VpcEndpointType: Gateway
	VpcId: vpc-0bf32d97b40191234