Skip to content

Instantly share code, notes, and snippets.

@sangdongvan

sangdongvan/aws-codelab-lambda-java.yaml

Created June 4, 2019 01:54
Show Gist options
  • Save sangdongvan/3a063a9ba88747e60b574d54a6ca8560 to your computer and use it in GitHub Desktop.
Save sangdongvan/3a063a9ba88747e60b574d54a6ca8560 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
aws-codelab-lambda-java.yaml
AWSTemplateFormatVersion: 2010-09-09
Conditions:
CreateCodeBuildResources: !Equals
- true
- true
CreateWebSiteS3Bucket: !Equals
- false
- true
Description: A Java Spring web service deployed to AWS Lambda.
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: Application
Parameters:
- ProjectId
CodeBuildImage: aws/codebuild/eb-java-8-amazonlinux-64:2.4.3
CodeBuildImageOverride: aws/codebuild/eb-java-8-amazonlinux-64:2.4.3
IsWebsite: false
ProjectTemplateId: webservice-javaspring-lambda
WebsiteS3Bucket: !Ref 'WebsiteS3Bucket'
Parameters:
ProjectId:
AllowedPattern: ^[a-z]([a-z0-9-])+$
ConstraintDescription: Project IDs must be between 2 and 15 characters, begin with a letter, and only contain lowercase letters, numbers, and hyphens (-).
Description: Project ID.
MaxLength: 15
MinLength: 2
Type: String
RepositoryName:
Description: AWS CodeCommit repository name.
MaxLength: 100
MinLength: 1
Type: String
Resources:
CloudFormationTrustRole:
Description: Creating service role in IAM for AWS CloudFormation
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service:
- cloudformation.amazonaws.com
Path: /
Policies:
- PolicyDocument:
Statement:
- Action:
- s3:PutObject
- s3:GetObject
- s3:GetObjectVersion
Effect: Allow
Resource:
- !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}'
- !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}/*'
- Action:
- apigateway:DELETE
- apigateway:GET
- apigateway:PATCH
- apigateway:POST
- apigateway:PUT
- codedeploy:CreateApplication
- codedeploy:CreateDeployment
- codedeploy:CreateDeploymentConfig
- codedeploy:CreateDeploymentGroup
- codedeploy:DeleteApplication
- codedeploy:DeleteDeployment
- codedeploy:DeleteDeploymentConfig
- codedeploy:DeleteDeploymentGroup
- codedeploy:GetDeployment
- codedeploy:GetDeploymentConfig
- codedeploy:GetDeploymentGroup
- codedeploy:RegisterApplicationRevision
- codestar:SyncResources
- config:DeleteConfigRule
- config:DescribeConfigRules
- config:ListTagsForResource
- config:PutConfigRule
- config:TagResource
- config:UntagResource
- dynamodb:CreateTable
- dynamodb:DeleteTable
- dynamodb:DescribeContinuousBackups
- dynamodb:DescribeTable
- dynamodb:DescribeTimeToLive
- dynamodb:ListTagsOfResource
- dynamodb:TagResource
- dynamodb:UntagResource
- dynamodb:UpdateContinuousBackups
- dynamodb:UpdateTable
- dynamodb:UpdateTimeToLive
- ec2:AssociateIamInstanceProfile
- ec2:AttachVolume
- ec2:CreateSecurityGroup
- ec2:createTags
- ec2:DescribeIamInstanceProfileAssociations
- ec2:DescribeInstances
- ec2:DescribeSecurityGroups
- ec2:DescribeSubnets
- ec2:DetachVolume
- ec2:DisassociateIamInstanceProfile
- ec2:ModifyInstanceAttribute
- ec2:ModifyInstanceCreditSpecification
- ec2:ModifyInstancePlacement
- ec2:MonitorInstances
- ec2:ReplaceIamInstanceProfileAssociation
- ec2:RunInstances
- ec2:StartInstances
- ec2:StopInstances
- ec2:TerminateInstances
- events:DeleteRule
- events:DescribeRule
- events:ListTagsForResource
- events:PutRule
- events:PutTargets
- events:RemoveTargets
- events:TagResource
- events:UntagResource
- kinesis:AddTagsToStream
- kinesis:CreateStream
- kinesis:DecreaseStreamRetentionPeriod
- kinesis:DeleteStream
- kinesis:DescribeStream
- kinesis:IncreaseStreamRetentionPeriod
- kinesis:RemoveTagsFromStream
- kinesis:StartStreamEncryption
- kinesis:StopStreamEncryption
- kinesis:UpdateShardCount
- lambda:CreateAlias
- lambda:CreateFunction
- lambda:DeleteAlias
- lambda:DeleteFunction
- lambda:DeleteFunctionConcurrency
- lambda:GetFunction
- lambda:GetFunctionConfiguration
- lambda:ListTags
- lambda:ListVersionsByFunction
- lambda:PublishVersion
- lambda:PutFunctionConcurrency
- lambda:TagResource
- lambda:UntagResource
- lambda:UpdateAlias
- lambda:UpdateFunctionCode
- lambda:UpdateFunctionConfiguration
- s3:CreateBucket
- s3:DeleteBucket
- s3:DeleteBucketWebsite
- s3:PutAccelerateConfiguration
- s3:PutAnalyticsConfiguration
- s3:PutBucketAcl
- s3:PutBucketCORS
- s3:PutBucketLogging
- s3:PutBucketNotification
- s3:PutBucketPublicAccessBlock
- s3:PutBucketVersioning
- s3:PutBucketWebsite
- s3:PutEncryptionConfiguration
- s3:PutInventoryConfiguration
- s3:PutLifecycleConfiguration
- s3:PutMetricsConfiguration
- s3:PutReplicationConfiguration
- sns:CreateTopic
- sns:DeleteTopic
- sns:GetTopicAttributes
- sns:ListSubscriptionsByTopic
- sns:ListTopics
- sns:SetSubscriptionAttributes
- sns:Subscribe
- sns:Unsubscribe
- sqs:CreateQueue
- sqs:DeleteQueue
- sqs:GetQueueAttributes
- sqs:GetQueueUrl
- sqs:ListQueueTags
- sqs:TagQueue
- sqs:UntagQueue
Effect: Allow
Resource: '*'
- Action:
- lambda:AddPermission
- lambda:RemovePermission
Effect: Allow
Resource:
- !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:awscodestar-*'
- Action:
- iam:PassRole
Effect: Allow
Resource:
- !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/CodeStar-${ProjectId}*'
- Action:
- iam:PassRole
Condition:
StringEquals:
iam:PassedToService: codedeploy.amazonaws.com
Effect: Allow
Resource:
- !GetAtt
- CodeDeployTrustRole
- Arn
- Action:
- cloudformation:CreateChangeSet
Effect: Allow
Resource:
- !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:aws:transform/Serverless-2016-10-31'
- !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:aws:transform/CodeStar'
- Action:
- iam:CreateServiceLinkedRole
- iam:GetRole
- iam:DeleteRole
- iam:DeleteUser
Effect: Allow
Resource: '*'
- Action:
- iam:AttachRolePolicy
- iam:AttachUserPolicy
- iam:CreateRole
- iam:CreateUser
- iam:DeleteRolePolicy
- iam:DeleteUserPolicy
- iam:DetachUserPolicy
- iam:DetachRolePolicy
- iam:PutUserPermissionsBoundary
- iam:PutRolePermissionsBoundary
Condition:
StringEquals:
iam:PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/CodeStar_${ProjectId}_PermissionsBoundary'
Effect: Allow
Resource: '*'
- Action:
- kms:CreateKey
- kms:CreateAlias
- kms:DeleteAlias
- kms:DisableKey
- kms:EnableKey
- kms:UpdateAlias
- kms:TagResource
- kms:UntagResource
Effect: Allow
Resource: '*'
- Action:
- ssm:GetParameter*
Condition:
StringEquals:
ssm:ResourceTag/awscodestar:projectArn: !Sub 'arn:${AWS::Partition}:codestar:${AWS::Region}:${AWS::AccountId}:project/${ProjectId}'
Effect: Allow
Resource: '*'
PolicyName: CodeStarWorkerCloudFormationRolePolicy
RoleName: !Join
- '-'
- - CodeStarWorker
- !Ref 'ProjectId'
- CloudFormation
Type: AWS::IAM::Role
CodeBuildProject:
Condition: CreateCodeBuildResources
DependsOn:
- ToolChainRole
Properties:
Artifacts:
Packaging: zip
Type: codepipeline
Description: !Join
- ''
- - 'AWS CodeStar created CodeBuild Project for '
- !Ref 'ProjectId'
Environment:
ComputeType: small
EnvironmentVariables:
- Name: S3_BUCKET
Value: !Ref 'S3Bucket'
- Name: WEBSITE_S3_PREFIX
Value: !If
- CreateWebSiteS3Bucket
- !Join
- ''
- - https://s3.amazonaws.com/
- !Ref 'WebsiteS3Bucket'
- NoVal
- Name: WEBSITE_S3_BUCKET
Value: !If
- CreateWebSiteS3Bucket
- !Ref 'WebsiteS3Bucket'
- NoVal
- Name: PROJECT_ID
Value: !Ref 'ProjectId'
- Name: ACCOUNT_ID
Value: !Ref 'AWS::AccountId'
- Name: PARTITION
Value: !Ref 'AWS::Partition'
Image: aws/codebuild/eb-java-8-amazonlinux-64:2.4.3
Type: LINUX_CONTAINER
Name: !Ref 'ProjectId'
ServiceRole: !Ref 'ToolChainRole'
Source:
Type: codepipeline
Type: AWS::CodeBuild::Project
CodeCommitRepo:
Description: Creating AWS CodeCommit repository for application source code
Properties:
RepositoryDescription: !Join
- ''
- - !Ref 'ProjectId'
- ' project repository'
RepositoryName: !Ref 'RepositoryName'
Type: AWS::CodeCommit::Repository
CodeDeployTrustRole:
Description: The service role to be created in IAM for AWS CodeDeploy
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service:
- codedeploy.amazonaws.com
ManagedPolicyArns:
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda'
Path: /
RoleName: !Sub 'CodeStarWorker-${ProjectId}-CodeDeploy'
Type: AWS::IAM::Role
PermissionsBoundaryPolicy:
Description: Creating an IAM managed policy for defining the permissions boundary for an AWS CodeStar project
Properties:
Description: IAM policy to define the permissions boundary for IAM entities created in an AWS CodeStar project
ManagedPolicyName: !Sub 'CodeStar_${ProjectId}_PermissionsBoundary'
PolicyDocument:
Statement:
- Action:
- '*'
Effect: Allow
Resource:
- !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/awscodestar-${ProjectId}-lambda/*'
- !Sub 'arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectId}'
- !Sub 'arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${RepositoryName}'
- !Sub 'arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${ProjectId}-Pipeline'
- !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}'
- !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}/*'
- !If
- CreateWebSiteS3Bucket
- !Sub 'arn:${AWS::Partition}:s3:::${WebsiteS3Bucket}'
- !Ref 'AWS::NoValue'
- !If
- CreateWebSiteS3Bucket
- !Sub 'arn:${AWS::Partition}:s3:::${WebsiteS3Bucket}/*'
- !Ref 'AWS::NoValue'
Sid: 1
- Action:
- kms:Encrypt
- kms:Decrypt
- kms:GenerateDataKey
Effect: Allow
Resource:
- !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3'
Sid: 2
- Action:
- iam:PassRole
Effect: Allow
Resource:
- !GetAtt 'CloudFormationTrustRole.Arn'
Sid: 3
- Action:
- cloudtrail:CreateTrail
- cloudtrail:StartLogging
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:DescribeLogGroups
- logs:PutLogEvents
- sns:Get*
- sns:List*
- sns:Publish
- sns:Subscribe
- xray:Put*
Effect: Allow
Resource: '*'
Sid: 4
Version: 2012-10-17
Type: AWS::IAM::ManagedPolicy
ProjectPipeline:
DependsOn:
- ToolChainRole
- S3Bucket
- CodeBuildProject
- CloudFormationTrustRole
Description: Creating a deployment pipeline for your project in AWS CodePipeline
Properties:
ArtifactStore:
Location: !Ref 'S3Bucket'
Type: S3
Name: !Sub '${ProjectId}-Pipeline'
RoleArn: !GetAtt
- ToolChainRole
- Arn
Stages:
- Actions:
- ActionTypeId:
Category: Source
Owner: AWS
Provider: CodeCommit
Version: 1
Configuration:
BranchName: master
PollForSourceChanges: false
RepositoryName: !Ref 'RepositoryName'
InputArtifacts: [
]
Name: ApplicationSource
OutputArtifacts:
- Name: !Sub '${ProjectId}-SourceArtifact'
RunOrder: 1
Name: Source
- Actions:
- ActionTypeId:
Category: Build
Owner: AWS
Provider: CodeBuild
Version: 1
Configuration:
ProjectName: !Ref 'ProjectId'
InputArtifacts:
- Name: !Sub '${ProjectId}-SourceArtifact'
Name: PackageExport
OutputArtifacts:
- Name: !Sub '${ProjectId}-BuildArtifact'
RunOrder: 1
Name: Build
- Actions:
- ActionTypeId:
Category: Deploy
Owner: AWS
Provider: CloudFormation
Version: 1
Configuration:
ActionMode: CHANGE_SET_REPLACE
Capabilities: CAPABILITY_NAMED_IAM
ChangeSetName: pipeline-changeset
ParameterOverrides: !Sub '{"ProjectId":"${ProjectId}", "CodeDeployRole":"${CodeDeployTrustRole.Arn}"}'
RoleArn: !GetAtt
- CloudFormationTrustRole
- Arn
StackName: !Sub 'awscodestar-${ProjectId}-lambda'
TemplateConfiguration: !Sub '${ProjectId}-BuildArtifact::template-configuration.json'
TemplatePath: !Sub '${ProjectId}-BuildArtifact::template-export.yml'
InputArtifacts:
- Name: !Sub '${ProjectId}-BuildArtifact'
Name: GenerateChangeSet
OutputArtifacts: [
]
RunOrder: 1
- ActionTypeId:
Category: Deploy
Owner: AWS
Provider: CloudFormation
Version: 1
Configuration:
ActionMode: CHANGE_SET_EXECUTE
ChangeSetName: pipeline-changeset
StackName: !Sub 'awscodestar-${ProjectId}-lambda'
InputArtifacts: [
]
Name: ExecuteChangeSet
OutputArtifacts: [
]
RunOrder: 2
Name: Deploy
Type: AWS::CodePipeline::Pipeline
S3ArtifactBucketPolicy:
Description: Setting Amazon S3 bucket policy for AWS CodePipeline access
Properties:
Bucket: !Ref 'S3Bucket'
PolicyDocument:
Id: SSEAndSSLPolicy
Statement:
- Action:
- s3:GetObject
- s3:GetObjectVersion
- s3:GetBucketVersioning
Condition:
Bool:
aws:SecureTransport: false
Effect: Allow
Principal:
AWS:
- !GetAtt
- ToolChainRole
- Arn
- !GetAtt
- CloudFormationTrustRole
- Arn
Resource:
- !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}'
- !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}/*'
Sid: WhitelistedGet
- Action:
- s3:PutObject
Effect: Allow
Principal:
AWS:
- !GetAtt
- ToolChainRole
- Arn
Resource:
- !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}'
- !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}/*'
Sid: WhitelistedPut
Version: 2012-10-17
Type: AWS::S3::BucketPolicy
S3Bucket:
DeletionPolicy: Retain
Description: Creating Amazon S3 bucket for AWS CodePipeline artifacts
Properties:
BucketName: !Join
- '-'
- - aws
- codestar
- !Ref 'AWS::Region'
- !Ref 'AWS::AccountId'
- !Ref 'ProjectId'
- pipe
Tags:
- Key: Name
Value: !Join
- '-'
- - !Ref 'ProjectId'
- S3Bucket
VersioningConfiguration:
Status: Enabled
Type: AWS::S3::Bucket
SourceEvent:
Properties:
Description: Rule for Amazon CloudWatch Events to detect changes to the source repository and trigger pipeline execution
EventPattern:
detail:
event:
- referenceCreated
- referenceUpdated
referenceName:
- master
referenceType:
- branch
detail-type:
- CodeCommit Repository State Change
resources:
- !GetAtt 'CodeCommitRepo.Arn'
source:
- aws.codecommit
Name: !Join
- '-'
- - awscodestar
- !Ref 'ProjectId'
- SourceEvent
State: ENABLED
Targets:
- Arn: !Sub 'arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${ProjectId}-Pipeline'
Id: ProjectPipelineTarget
RoleArn: !GetAtt 'ToolChainRole.Arn'
Type: AWS::Events::Rule
ToolChainRole:
Description: Creating toolchain role in IAM for Amazon EC2 instances
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service:
- codebuild.amazonaws.com
- codedeploy.amazonaws.com
- codepipeline.amazonaws.com
- codestar.amazonaws.com
- elasticbeanstalk.amazonaws.com
- events.amazonaws.com
- lambda.amazonaws.com
ManagedPolicyArns:
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/AWSCodeCommitFullAccess'
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/AWSCodeBuildAdminAccess'
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/AWSCodeDeployFullAccess'
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/AWSCodePipelineFullAccess'
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/AWSElasticBeanstalkFullAccess'
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/AWSLambdaFullAccess'
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/AWSCodeStarFullAccess'
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchEventsFullAccess'
Path: /
PermissionsBoundary: !Ref 'PermissionsBoundaryPolicy'
Policies:
- PolicyDocument:
Statement:
- Action:
- kms:GenerateDataKey*
- kms:Encrypt
- kms:Decrypt
Effect: Allow
Resource: '*'
PolicyName: ToolChainWorkerPolicy
RoleName: !Sub 'CodeStarWorker-${ProjectId}-ToolChain'
Type: AWS::IAM::Role
WebsiteS3Bucket:
Condition: CreateWebSiteS3Bucket
DeletionPolicy: Retain
Description: Creating Amazon S3 bucket for Website static artifacts
Properties:
BucketName: !Sub 'aws-codestar-${AWS::Region}-${AWS::AccountId}-${ProjectId}-app'
Tags:
- Key: Name
Value: !Sub '${ProjectId}-WebsiteS3Bucket'
VersioningConfiguration:
Status: Enabled
Type: AWS::S3::Bucket
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment