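# Quoted so generic YAML loaders keep the version as a string rather than a date.
AWSTemplateFormatVersion: "2010-09-09"
# Matches what WorkerLambda below actually does; the previous text described the
# notification sender, not this cleaning worker.
Description: >-
  Registration cleaning worker: consumes device tokens that have been marked
  for deletion from an SQS queue and deletes them from the registrations database
Parameters:
  Stack:
    Description: Stack name
    Type: String
    Default: mobile-notifications
  App:
    Description: Application name
    Type: String
  Stage:
    Description: Stage name
    Type: String
    AllowedValues:
      - CODE
      - PROD
    Default: CODE
  BuildId:
    Description: Tag to be used for the image URL, e.g. RiffRaff build id
    Type: String
    Default: dev
  # Not referenced by any resource in this template; kept because existing deploy
  # configuration may still pass it.
  DeployBucket:
    Description: Bucket where RiffRaff uploads artifacts on deploy
    Type: String
    Default: mobile-notifications-dist
  VpcId:
    Description: ID of the Notification VPC
    Type: AWS::EC2::VPC::Id
  VpcSubnets:
    Description: Subnets to use in the VPC
    Type: List<AWS::EC2::Subnet::Id>
  VPCSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id
    Description: The default security group of the VPC
  FullyQualifiedHandler:
    Description: The full name of the handler, including path, class name and method
    Type: String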
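Resources:
  # Dead-letter queue: a message lands here after maxReceiveCount failed deliveries
  # from Sqs. Default retention applies; alarm on its depth so poisoned tokens are
  # noticed rather than silently expiring.
  Dlq:
    Type: AWS::SQS::Queue
  # Work queue consumed by WorkerLambda via SqsEventSourceMapping.
  Sqs:
    Type: AWS::SQS::Queue
    Properties:
      # NOTE(review): equals the function Timeout (300). AWS guidance for SQS-triggered
      # functions is a visibility timeout of at least 6x the function timeout; raise
      # this together with MessageRetentionPeriod if processing ever nears the limit.
      VisibilityTimeout: 300
      MessageRetentionPeriod: 3600  # 1 hour
      RedrivePolicy:
        deadLetterTargetArn: !GetAtt Dlq.Arn
        maxReceiveCount: 5
      Tags:
        - Key: Stage
          Value: !Ref Stage
        - Key: Stack
          Value: !Ref Stack
        - Key: App
          Value: !Ref App
  # Execution role for WorkerLambda. Each inline policy is scoped to the single
  # resource it needs; "*" is only used where the service offers no finer resource.
  ExecutionRole:
    Type: AWS::IAM::Role
    DependsOn: Sqs
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action: sts:AssumeRole
            # Confused-deputy guard: only Lambda functions in this account may assume the role.
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Path: /
      Policies:
        - PolicyName: logs
          PolicyDocument:
            Statement:
              # Region taken from the stack, consistent with the SSM policy below,
              # instead of a hard-coded eu-west-1.
              - Effect: Allow
                Action: logs:CreateLogGroup
                Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*"
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                # Scoped to this function's own log group; the name mirrors
                # WorkerLambda.FunctionName.
                Resource:
                  - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${Stack}-${App}-ctr-${Stage}:*"
        - PolicyName: SQS
          PolicyDocument:
            Statement:
              # Minimum the Lambda SQS event source mapping needs on the queue. The
              # previous sqs:* also allowed SendMessage/PurgeQueue/DeleteQueue; add
              # sqs:SendMessage explicitly if the handler itself re-enqueues tokens.
              - Effect: Allow
                Action:
                  - sqs:ReceiveMessage
                  - sqs:DeleteMessage
                  - sqs:GetQueueAttributes
                  - sqs:ChangeMessageVisibility
                Resource: !GetAtt Sqs.Arn
        - PolicyName: VPC
          PolicyDocument:
            Statement:
              # Required for a VPC-attached function; these EC2 actions do not support
              # resource-level restriction for Lambda-managed ENIs.
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: "*"
        - PolicyName: Conf
          PolicyDocument:
            Statement:
              # Read-only access to this worker's own configuration subtree for the stage.
              - Action: ssm:GetParametersByPath
                Effect: Allow
                Resource:
                  !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/notifications/${Stage}/workers/cleaner
        - PolicyName: Cloudwatch
          PolicyDocument:
            Statement:
              # PutMetricData has no resource-level scoping.
              - Effect: Allow
                Action: cloudwatch:PutMetricData
                Resource: "*"
        - PolicyName: connectRdsProxy
          PolicyDocument:
            Statement:
              # IAM database authentication through the registrations RDS proxy
              # exported by another stack for this stage.
              - Action:
                  - rds-db:connect
                Effect: Allow
                Resource:
                  Fn::ImportValue: !Sub RegistrationsDbProxyId-${Stage}
  # No ingress; egress limited to HTTPS. Reaching the DB proxy presumably relies on
  # the VPCSecurityGroup attached alongside this one — confirm against that group.
  LambdaSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub Lambda to db in ${Stage}
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          FromPort: 443
          IpProtocol: tcp
          ToPort: 443
      VpcId: !Ref VpcId
  # Container-image Lambda; the handler entry point is injected via ImageConfig so
  # the same image can serve several workers.
  WorkerLambda:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub ${Stack}-${App}-ctr-${Stage}
      PackageType: Image
      Code:
        ImageUri: !Join [':', [!ImportValue NotificationLambdaRepositoryUri, !Ref BuildId]]
      Environment:
        Variables:
          Stage: !Ref Stage
          Stack: !Ref Stack
          App: !Ref App
      Description: Pick tokens that have been marked for deletion from an SQS queue, and deletes them from the database
      ImageConfig:
        Command: [!Ref FullyQualifiedHandler]
      MemorySize: 1024
      Role: !GetAtt ExecutionRole.Arn
      Timeout: 300
      # Also caps concurrent connections opened through the DB proxy.
      ReservedConcurrentExecutions: 100
      VpcConfig:
        SecurityGroupIds:
          - !GetAtt LambdaSecurityGroup.GroupId
          - !Ref VPCSecurityGroup
        SubnetIds: !Ref VpcSubnets
      Tags:
        - Key: Stage
          Value: !Ref Stage
        - Key: Stack
          Value: !Ref Stack
        - Key: App
          Value: !Ref App
  # Polls Sqs and invokes WorkerLambda one message at a time.
  SqsEventSourceMapping:
    Type: AWS::Lambda::EventSourceMapping
    DependsOn:
      - Sqs
      - WorkerLambda
    Properties:
      BatchSize: 1
      Enabled: true
      EventSourceArn: !GetAtt Sqs.Arn
      # Ref on the function resource yields its name; avoids repeating the !Sub pattern.
      FunctionName: !Ref WorkerLambda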
Outputs:
  # ARN of the work queue, for producer stacks that need to target it.
  SQSArn:
    Description: The arn of the sqs queue
    Value:
      Fn::GetAtt:
        - Sqs
        - Arn