AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
# Folded scalar: the lines below are joined into a single Description string.
Description: >
  SAM Template for QLDB Streams Sample application.
  This template:
  1) Creates a Kinesis Stream
  2) Creates a Lambda
  3) Maps lambda to the Kinesis Stream
  4) Creates RegistrationNotifierKinesisRole which will be used by QLDB to write to Kinesis
  5) Creates SNS topic and SQS Subscription
# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
  Function:
    # Seconds. Inherited by every AWS::Serverless::Function in this template unless
    # the function sets its own Timeout.
    Timeout: 3
Metadata:
  # Listing metadata for the AWS Serverless Application Repository.
  AWS::ServerlessRepo::Application:
    Name: amazon-qldb-streams-dmv-sample-lambda-python
    Description: >-
      This sample demonstrates how to use QLDB Streams. The sample consists of a lambda function
      written in python which gets triggered for QLDB Streams and send messages to a SQS queue.
    Author: Amazon QLDB
    SpdxLicenseId: Apache-2.0
    Labels:
      - aws_qldb_sample
      - qldb_streams
    HomePageUrl: https://github.com/aws-samples/amazon-qldb-streams-dmv-sample-lambda-python
    SemanticVersion: 0.0.1
    SourceCodeUrl: https://github.com/aws-samples/amazon-qldb-streams-dmv-sample-lambda-python
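Resources:
  # Execution role for RegistrationNotifierLambda: read the Kinesis stream, publish to the
  # SNS topic, send to the failure queue, and write logs to CloudWatch (via the managed
  # AWSLambdaBasicExecutionRole policy).
  RegistrationNotifierLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        # Quoted so YAML 1.1 parsers do not turn the policy version into a date.
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              # Only Lambda assumes this role. QLDB writes to the stream through
              # RegistrationNotifierKinesisRole below and has no reason to assume the
              # consumer's role, which also carries sns:Publish and sqs:SendMessage.
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - kinesis:ListStreams
                  - kinesis:DescribeStream
                  - kinesis:GetRecords
                  - kinesis:GetShardIterator
                  # NOTE(review): this role's stated purpose is reading the stream; drop
                  # PutRecord if the handler in qldb_streaming_sample/ never writes to it.
                  - kinesis:PutRecord
                Resource: !GetAtt RegistrationNotificationStreamKinesis.Arn
              - Effect: Allow
                Action:
                  - sns:Publish
                Resource: !Ref RegistrationNotificationSNSTopic
              - Effect: Allow
                Action:
                  - sqs:SendMessage
                Resource: !GetAtt RegistrationNotifierFailureQueue.Arn

  # Role that QLDB assumes to write journal data into the Kinesis stream.
  RegistrationNotifierKinesisRole:
    Type: AWS::IAM::Role
    Properties:
      # Fixed name: deployment requires CAPABILITY_NAMED_IAM and only one copy of this
      # stack can exist per account and region.
      RoleName: RegistrationNotifierKinesisRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: qldb.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: QLDBStreamKinesisPermissions
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - kinesis:ListShards
                  - kinesis:DescribeStream
                  - kinesis:PutRecord*
                Resource: !GetAtt RegistrationNotificationStreamKinesis.Arn

  # Consumer of the Kinesis stream; publishes notifications to the SNS topic.
  # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
  RegistrationNotifierLambda:
    Type: AWS::Serverless::Function
    Properties:
      # Fixed name: see the note on RoleName above; the same single-deployment limit applies.
      FunctionName: RegistrationNotifierLambda
      CodeUri: qldb_streaming_sample/
      Handler: app.lambda_handler
      # NOTE(review): python3.7 is a retired Lambda runtime; move to a supported python3.x
      # once the handler has been tested against it.
      Runtime: python3.7
      Role: !GetAtt RegistrationNotifierLambdaRole.Arn
      Events:
        Stream:
          Type: Kinesis
          Properties:
            Stream: !GetAtt RegistrationNotificationStreamKinesis.Arn
            StartingPosition: TRIM_HORIZON
            MaximumRetryAttempts: 0
            # The function-level DeadLetterQueue below only covers asynchronous invocations;
            # stream batches that exhaust their retries must be routed here or they are lost.
            # The execution role already grants sqs:SendMessage on this queue.
            DestinationConfig:
              OnFailure:
                Type: SQS
                Destination: !GetAtt RegistrationNotifierFailureQueue.Arn
      Environment:
        Variables:
          SNS_ARN: !Ref RegistrationNotificationSNSTopic
      # Asynchronous-invocation failures only (see DestinationConfig above for the stream path).
      DeadLetterQueue:
        Type: SQS
        TargetArn: !GetAtt RegistrationNotifierFailureQueue.Arn

  RegistrationNotificationStreamKinesis:
    Type: AWS::Kinesis::Stream
    Properties:
      Name: RegistrationNotificationStreamKinesis
      RetentionPeriodHours: 168
      ShardCount: 1
      # Server-side encryption with the AWS-managed Kinesis key.
      StreamEncryption:
        EncryptionType: KMS
        KeyId: alias/aws/kinesis

  RegistrationNotificationSNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: RegistrationNotificationSNSTopic
      KmsMasterKeyId: alias/aws/sns

  # Receives stream batches and async invocations that the Lambda could not process.
  RegistrationNotifierFailureQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: RegistrationNotifierFailureQueue
      KmsMasterKeyId: alias/aws/sqs

  # Destination of the SNS subscription below.
  RegistrationNotificationQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: RegistrationNotificationQueue
      # NOTE(review): SNS cannot use the AWS-managed SQS key (its key policy is not
      # editable) when delivering to an encrypted queue. If subscription deliveries never
      # arrive, switch to SqsManagedSseEnabled or a customer-managed key whose policy
      # allows sns.amazonaws.com -- confirm against the deployed stack.
      KmsMasterKeyId: alias/aws/sqs

  # Lets the SNS topic deliver into RegistrationNotificationQueue.
  AllowSnsToSqsQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref RegistrationNotificationQueue
      PolicyDocument:
        Version: "2012-10-17"
        Id: SQSQueuePolicy
        Statement:
          - Sid: Allow-SNS-SendMessage
            Effect: Allow
            # Scope to the SNS service principal rather than "*"; the SourceArn condition
            # then pins the grant to this stack's topic.
            Principal:
              Service: sns.amazonaws.com
            Action:
              - SQS:SendMessage
            Resource: !GetAtt RegistrationNotificationQueue.Arn
            Condition:
              ArnEquals:
                aws:SourceArn: !Ref RegistrationNotificationSNSTopic

  RegistrationNotificationSNSTopicSubscriptions:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref RegistrationNotificationSNSTopic
      Endpoint: !GetAtt RegistrationNotificationQueue.Arn
      Protocol: sqs
      RawMessageDelivery: 'true'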
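Outputs:
  RegistrationNotifierKinesisRole:
    Description: "IAM Role for QLDB. Will enable QLDB to write to Kinesis Streams"
    # This must be the role QLDB assumes (RegistrationNotifierKinesisRole), not the
    # Lambda execution role; the description and the value previously disagreed.
    Value: !GetAtt RegistrationNotifierKinesisRole.Arn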