
LambdaEFS
あれ【WIP】EFS付きLambdaのCloudFormationテンプレート
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "{\"createdOn\":\"Windows\",\"createdBy\":\"Amplify\",\"createdWith\":\"12.10.1\",\"stackType\":\"function-Lambda\",\"metadata\":{}}",
  "Parameters": {
    "CloudWatchRule": {
      "Type": "String",
      "Default": "NONE",
      "Description": "Schedule Expression"
    },
    "deploymentBucketName": {
      "Type": "String"
    },
    "env": {
      "Type": "String"
    },
    "s3Key": {
      "Type": "String"
    }
  },
  "Conditions": {
    "ShouldNotCreateEnvResources": {
      "Fn::Equals": [
        {
          "Ref": "env"
        },
        "NONE"
      ]
    }
  },
  "Resources": {
    "LambdaFunction": {
      "Type": "AWS::Lambda::Function",
      "DependsOn": "EfsAccessPoint",
      "Metadata": {
        "aws:asset:path": "./src",
        "aws:asset:property": "Code"
      },
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Ref": "deploymentBucketName"
          },
          "S3Key": {
            "Ref": "s3Key"
          }
        },
        "Handler": "index.handler",
        "FileSystemConfigs": [
          {
            "Arn": {
              "Fn::GetAtt": [
                "EfsAccessPoint",
                "Arn"
              ]
            },
            "LocalMountPath": "/mnt/efs"
          }
        ],
        "FunctionName": {
          "Fn::If": [
            "ShouldNotCreateEnvResources",
            "duckdb",
            {
              "Fn::Join": [
                "",
                [
                  "duckdb",
                  "-",
                  {
                    "Ref": "env"
                  }
                ]
              ]
            }
          ]
        },
        "Environment": {
          "Variables": {
            "ENV": {
              "Ref": "env"
            },
            "REGION": {
              "Ref": "AWS::Region"
            }
          }
        },
        "Role": {
          "Fn::GetAtt": [
            "LambdaExecutionRole",
            "Arn"
          ]
        },
        "VpcConfig": {
          "SubnetIds": [
            {
              "Ref": "PrivateSubnet"
            }
          ],
          "SecurityGroupIds": [
            {
              "Ref": "VpcSecurityGroup"
            }
          ]
        },
        "Runtime": "python3.8",
        "Layers": [],
        "Timeout": 25
      }
    },
    "LambdaExecutionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": {
          "Fn::If": [
            "ShouldNotCreateEnvResources",
            "knownetLambdaRolebe22db37",
            {
              "Fn::Join": [
                "",
                [
                  "knownetLambdaRolebe22db37",
                  "-",
                  {
                    "Ref": "env"
                  }
                ]
              ]
            }
          ]
        },
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "lambda.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Policies": [
          {
            "PolicyName": "Ec2CreateNetworkInterface",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:CreateNetworkInterface",
                    "ec2:DeleteNetworkInterface"
                  ],
                  "Resource": "*"
                }
              ]
            }
          }
        ]
      }
    },
    "lambdaexecutionpolicy": {
      "DependsOn": [
        "LambdaExecutionRole"
      ],
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "lambda-execution-policy",
        "Roles": [
          {
            "Ref": "LambdaExecutionRole"
          }
        ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Resource": {
                "Fn::Sub": [
                  "arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*",
                  {
                    "region": {
                      "Ref": "AWS::Region"
                    },
                    "account": {
                      "Ref": "AWS::AccountId"
                    },
                    "lambda": {
                      "Ref": "LambdaFunction"
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    },
    "EFS": {
      "Type": "AWS::EFS::FileSystem",
      "Properties": {
        "AvailabilityZoneName": "ap-northeast-1a",
        "BackupPolicy": {
          "Status": "DISABLED"
        },
        "BypassPolicyLockoutSafetyCheck": false,
        "Encrypted": true,
        "FileSystemProtection": {
          "ReplicationOverwriteProtection": "ENABLED"
        },
        "FileSystemTags": [
          {
            "Key": "Name",
            "Value": "duckdb-efs"
          }
        ],
        "PerformanceMode": "generalPurpose",
        "ThroughputMode": "bursting"
      }
    },
    "EfsMountTarget": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": {
          "Ref": "EFS"
        },
        "SecurityGroups": [
          {
            "Ref": "VpcSecurityGroup"
          }
        ],
        "SubnetId": {
          "Ref": "PrivateSubnet"
        }
      }
    },
    "EfsAccessPoint": {
      "Type": "AWS::EFS::AccessPoint",
      "Properties": {
        "AccessPointTags": [
          {
            "Key": "Name",
            "Value": "duckdb-efs-ap"
          }
        ],
        "FileSystemId": {
          "Ref": "EFS"
        }
      }
    },
    "VPC": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsHostnames": false,
        "EnableDnsSupport": false,
        "InstanceTenancy": "default",
        "Tags": [
          {
            "Key": "Name",
            "Value": "duckdb-vpc"
          }
        ]
      }
    },
    "PrivateSubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "AvailabilityZone": "ap-northeast-1a",
        "CidrBlock": "10.0.0.0/24",
        "EnableDns64": false,
        "VpcId": {
          "Ref": "VPC"
        },
        "Tags": [
          {
            "Key": "Name",
            "Value": "duckdb-vpc-private-subnet"
          }
        ]
      }
    },
    "VpcSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Security Group for EFS",
        "VpcId": {
          "Ref": "VPC"
        }
      }
    },
    "CustomLambdaExecutionPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "custom-lambda-execution-policy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": [
                "ec2:CreateNetworkInterface"
              ],
              "Resource": [
                "*"
              ],
              "Effect": "Allow"
            }
          ]
        },
        "Roles": [
          {
            "Ref": "LambdaExecutionRole"
          }
        ]
      },
      "DependsOn": "LambdaExecutionRole"
    }
  },
  "Outputs": {
    "Name": {
      "Value": {
        "Ref": "LambdaFunction"
      }
    },
    "Arn": {
      "Value": {
        "Fn::GetAtt": [
          "LambdaFunction",
          "Arn"
        ]
      }
    },
    "Region": {
      "Value": {
        "Ref": "AWS::Region"
      }
    },
    "LambdaExecutionRole": {
      "Value": {
        "Ref": "LambdaExecutionRole"
      }
    },
    "LambdaExecutionRoleArn": {
      "Value": {
        "Fn::GetAtt": [
          "LambdaExecutionRole",
          "Arn"
        ]
      }
    }
  }
}

あれ

2024/2/21 20:18:00

IAMロール:ap-northeast-1_*********_Full-access

                "ec2:CreateTags",
                "ec2:CreateVpc",
                "ec2:DeleteVpc",
                "ec2:ModifyVpcAttribute",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:CreateSubnet",
                "ec2:DeleteSubnet",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeSecurityGroups",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:CreateRoute",
                "ec2:DeleteRoute",
                "ec2:CreateRouteTable",
                "ec2:DeleteRouteTable",
                "ec2:DescribeRouteTables",
                "ec2:AssociateRouteTable",
                "ec2:DescribeNetworkInterfaces",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "elasticfilesystem:*",
                "cloudformation:CancelUpdateStack",
                "cloudformation:RollbackStack"