EFS付きLambda
2024/2/20 22:34:00
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "{\"createdOn\":\"Windows\",\"createdBy\":\"Amplify\",\"createdWith\":\"12.10.1\",\"stackType\":\"function-Lambda\",\"metadata\":{}}",
"Parameters": {
"CloudWatchRule": {
"Type": "String",
"Default": "NONE",
"Description": "Schedule Expression"
},
"deploymentBucketName": {
"Type": "String"
},
"env": {
"Type": "String"
},
"s3Key": {
"Type": "String"
}
},
"Conditions": {
"ShouldNotCreateEnvResources": {
"Fn::Equals": [
{
"Ref": "env"
},
"NONE"
]
}
},
"Resources": {
"LambdaFunction": {
"Type": "AWS::Lambda::Function",
"DependsOn": "EfsAccessPoint",
"Metadata": {
"aws:asset:path": "./src",
"aws:asset:property": "Code"
},
"Properties": {
"Code": {
"S3Bucket": {
"Ref": "deploymentBucketName"
},
"S3Key": {
"Ref": "s3Key"
}
},
"Handler": "index.handler",
"FileSystemConfigs": [
{
"Arn": {
"Fn::GetAtt": [
"EfsAccessPoint",
"Arn"
]
},
"LocalMountPath": "/mnt/efs"
}
],
"FunctionName": {
"Fn::If": [
"ShouldNotCreateEnvResources",
"duckdb",
{
"Fn::Join": [
"",
[
"duckdb",
"-",
{
"Ref": "env"
}
]
]
}
]
},
"Environment": {
"Variables": {
"ENV": {
"Ref": "env"
},
"REGION": {
"Ref": "AWS::Region"
}
}
},
"Role": {
"Fn::GetAtt": [
"LambdaExecutionRole",
"Arn"
]
},
"VpcConfig": {
"SubnetIds": [
{
"Ref": "PrivateSubnet"
}
],
"SecurityGroupIds": [
{
"Ref": "VpcSecurityGroup"
}
]
},
"Runtime": "python3.8",
"Layers": [],
"Timeout": 25
}
},
"LambdaExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": {
"Fn::If": [
"ShouldNotCreateEnvResources",
"knownetLambdaRolebe22db37",
{
"Fn::Join": [
"",
[
"knownetLambdaRolebe22db37",
"-",
{
"Ref": "env"
}
]
]
}
]
},
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Policies": [
{
"PolicyName": "Ec2CreateNetworkInterface",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeNetworkInterfaces",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface"
],
"Resource": "*"
}
]
}
}
]
}
},
"lambdaexecutionpolicy": {
"DependsOn": [
"LambdaExecutionRole"
],
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "lambda-execution-policy",
"Roles": [
{
"Ref": "LambdaExecutionRole"
}
],
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": {
"Fn::Sub": [
"arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*",
{
"region": {
"Ref": "AWS::Region"
},
"account": {
"Ref": "AWS::AccountId"
},
"lambda": {
"Ref": "LambdaFunction"
}
}
]
}
}
]
}
}
},
"EFS": {
"Type": "AWS::EFS::FileSystem",
"Properties": {
"AvailabilityZoneName": "ap-northeast-1a",
"BackupPolicy": {
"Status": "DISABLED"
},
"BypassPolicyLockoutSafetyCheck": false,
"Encrypted": true,
"FileSystemProtection": {
"ReplicationOverwriteProtection": "ENABLED"
},
"FileSystemTags": [
{
"Key": "Name",
"Value": "duckdb-efs"
}
],
"PerformanceMode": "generalPurpose",
"ThroughputMode": "bursting"
}
},
"EfsMountTarget": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": {
"Ref": "EFS"
},
"SecurityGroups": [
{
"Ref": "VpcSecurityGroup"
}
],
"SubnetId": {
"Ref": "PrivateSubnet"
}
}
},
"EfsAccessPoint": {
"Type": "AWS::EFS::AccessPoint",
"Properties": {
"AccessPointTags": [
{
"Key": "Name",
"Value": "duckdb-efs-ap"
}
],
"FileSystemId": {
"Ref": "EFS"
}
}
},
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/16",
"EnableDnsHostnames": false,
"EnableDnsSupport": false,
"InstanceTenancy": "default",
"Tags": [
{
"Key": "Name",
"Value": "duckdb-vpc"
}
]
}
},
"PrivateSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": "ap-northeast-1a",
"CidrBlock": "10.0.0.0/24",
"EnableDns64": false,
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Name",
"Value": "duckdb-vpc-private-subnet"
}
]
}
},
"VpcSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Security Group for EFS",
"VpcId": {
"Ref": "VPC"
}
}
},
"CustomLambdaExecutionPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "custom-lambda-execution-policy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:CreateNetworkInterface"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
]
},
"Roles": [
{
"Ref": "LambdaExecutionRole"
}
]
},
"DependsOn": "LambdaExecutionRole"
}
},
"Outputs": {
"Name": {
"Value": {
"Ref": "LambdaFunction"
}
},
"Arn": {
"Value": {
"Fn::GetAtt": [
"LambdaFunction",
"Arn"
]
}
},
"Region": {
"Value": {
"Ref": "AWS::Region"
}
},
"LambdaExecutionRole": {
"Value": {
"Ref": "LambdaExecutionRole"
}
},
"LambdaExecutionRoleArn": {
"Value": {
"Fn::GetAtt": [
"LambdaExecutionRole",
"Arn"
]
}
}
}
}
IAMロール: ap-northeast-1_*********_Full-access（以下はアクション一覧）
"ec2:CreateTags",
"ec2:CreateVpc",
"ec2:DeleteVpc",
"ec2:ModifyVpcAttribute",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:CreateSubnet",
"ec2:DeleteSubnet",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:CreateRoute",
"ec2:DeleteRoute",
"ec2:CreateRouteTable",
"ec2:DeleteRouteTable",
"ec2:DescribeRouteTables",
"ec2:AssociateRouteTable",
"ec2:DescribeNetworkInterfaces",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"elasticfilesystem:*",
"cloudformation:CancelUpdateStack",
"cloudformation:RollbackStack"