-
Notifications
You must be signed in to change notification settings - Fork 6
/
cloudformation.yml
134 lines (115 loc) · 5.7 KB
/
cloudformation.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
AWSTemplateFormatVersion: "2010-09-09"
Description: "A Lambda function that receives CloudWatch Logs events from one Kinesis stream and writes them to another"
Parameters:
LambdaName:
Description: "Name of the Lambda function to create"
Type: "String"
Default: "CloudWatchLogsTransformer"
SourceBucket:
Description: "The S3 bucket where you uploaded the Lamdba deployment bundle"
Type: "String"
Default: ""
SourceKey:
Description: "The path in that bucket to the Lambda deployment bundle"
Type: "String"
Default: "cloudwatch_logs_transformer.zip"
SourceStreamName:
Description: "Name of the source Kinesis stream"
Type: "String"
Default: "CloudWatchSubscriptionDestination"
DestinationStreamName:
Description: "Name of the Kinesis stream that will receive transformed log events"
Type: "String"
Default: "AppenderExample"
Resources:
LambdaRole:
Type: "AWS::IAM::Role"
Properties:
Path: "/lambda/"
RoleName: !Sub "${LambdaName}-ExecutionRole"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Principal:
Service: "lambda.amazonaws.com"
Action: "sts:AssumeRole"
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
Policies:
-
PolicyName: "ReadFromSource"
PolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Action:
- "kinesis:ListStreams"
- "kinesis:DescribeStream"
- "kinesis:GetShardIterator"
- "kinesis:GetRecords"
Resource: !Sub "arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${SourceStreamName}"
-
PolicyName: "WriteToDestination"
PolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Action:
- "kinesis:PutRecords"
Resource: !Sub "arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${DestinationStreamName}"
LambdaFunction:
Type: "AWS::Lambda::Function"
Properties:
FunctionName: !Ref LambdaName
Description: "Responds to CloudWatch Logs events delivered via Kinesis stream"
Role: !GetAtt LambdaRole.Arn
Runtime: "python3.7"
Handler: "lambda_function.lambda_handler"
Code:
S3Bucket: !Ref SourceBucket
S3Key: !Ref SourceKey
MemorySize: 512
Timeout: 30
Environment:
Variables:
DESTINATION_STREAM_NAME: !Ref DestinationStreamName
EventSource:
Type: "AWS::Lambda::EventSourceMapping"
Properties:
EventSourceArn: !Sub "arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${SourceStreamName}"
FunctionName: !Ref LambdaFunction
Enabled: true
StartingPosition: LATEST
BatchSize: 100
MaximumBatchingWindowInSeconds: 30
SubscriptionRole:
Type: "AWS::IAM::Role"
Properties:
RoleName: !Sub "${LambdaName}-SubscriptionRole"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Principal:
Service: !Sub "logs.${AWS::Region}.amazonaws.com"
Action: "sts:AssumeRole"
Policies:
-
PolicyName: "KinesisWriter"
PolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Action:
- "kinesis:Describe*"
- "kinesis:CreateStream"
- "kinesis:Put*"
Resource: !Sub "arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${SourceStreamName}"
Outputs:
SubscriptionRoleOutput:
Description: "The ARN of a role that allows CloudWatchLogs to write to the source stream"
Value: !GetAtt SubscriptionRole.Arn
SourceArnOutput:
Description: "The ARN of a the source stream (exposed to make subscribing easier)"
Value: !Sub "arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${SourceStreamName}"