-
Notifications
You must be signed in to change notification settings - Fork 0
/
cfn.yaml
280 lines (274 loc) · 9 KB
/
cfn.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
AWSTemplateFormatVersion: '2010-09-09'
Description: lambda to replace the content-notifications-service
Parameters:
Stack:
Description: Stack name
Type: String
Default: content-api-mobile-notifications
App:
Description: Application name
Type: String
Default: mobile-notifications-content
Stage:
Description: Stage name
Type: String
AllowedValues:
- CODE
- PROD
Default: CODE
DeployBucket:
Description: S3 Bucket where RiffRaff uploads artifacts on deploy
Type: String
Default: content-api-dist
MobileAccountId:
Description: Account ID of the gu moble account which
Type: String
Default: 201359054765
CrossAccountBaseRoleName:
Description: Base constituent name of the mobile account roles to assume
Type: String
Default: mobile-content-notifications-lambda-cross-account
ConfigurationBucket:
Description: S3 Bucket containing app configuration
Type: String
Default: mobile-notifications-dist
KinesisStreamName:
Description: Capi kinesis stream
Type: String
Default: content-api-firehose-v2
BuildId:
Description: Tag to be used for the image URL, e.g. riff raff build id
Type: String
Default: dev
SharedResourcesStack:
Description: Mobile notification content shared resources, e.g ecr repositories
Type: String
Default: mobile-notifications-shared-resources
Resources:
ExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Action: sts:AssumeRole
Principal:
Service:
- lambda.amazonaws.com
Path: /
Policies:
- PolicyName: assume-mobile-ssm-read-config-role
PolicyDocument:
Statement:
Effect: Allow
Action: sts:AssumeRole
Resource: !Sub arn:aws:iam::${MobileAccountId}:role/${CrossAccountBaseRoleName}-ssm-${Stage}
- PolicyName: assume-mobile-dynamo-role
PolicyDocument:
Statement:
Effect: Allow
Action: sts:AssumeRole
Resource: !Sub arn:aws:iam::${MobileAccountId}:role/${CrossAccountBaseRoleName}-dynamo-${Stage}
- PolicyName: logs
PolicyDocument:
Statement:
Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: "*"
- PolicyName: invoke-lambda
PolicyDocument:
Statement:
Effect: Allow
Action:
- lambda:InvokeFunction
Resource: "*"
- PolicyName: iam-read-and-assume
PolicyDocument:
Statement:
Effect: Allow
Action:
- iam:PassRole
- iam:GenerateCredentialReport
- iam:Get*
- iam:List*
Resource: "*"
- PolicyName: kinesis-read
PolicyDocument:
Statement:
Effect: Allow
Action:
- Kinesis:DescribeStream
- Kinesis:GetRecords
- Kinesis:GetShardIterator
- Kinesis:ListStream
Resource: "*"
- PolicyName: cloudwatch-put-metric-daata
PolicyDocument:
Statement:
Effect: Allow
Action:
- cloudwatch:PutMetricData
Resource: "*"
ContentLambdaV2:
Type: AWS::Lambda::Function
Properties:
FunctionName: !Sub ${App}-${Stage}-v2
PackageType: Image
Code:
ImageUri:
Fn::Join:
- ':'
- - Fn::ImportValue: !Sub ${SharedResourcesStack}-ContentLambdaContainerRepositoryUri
- !Ref BuildId
Environment:
Variables:
CrossAccountSsmReadingRole: !Sub arn:aws:iam::${MobileAccountId}:role/${CrossAccountBaseRoleName}-ssm-${Stage}
App: !Sub ${App}
Stack: !Sub ${Stack}
Stage: !Sub ${Stage}
Description: Lambda to send notification when new content is published
MemorySize: 4096
Role: !GetAtt ExecutionRole.Arn
Timeout: 60
ContentEventV2Source:
Type: AWS::Lambda::EventSourceMapping
Properties:
FunctionName: !Ref ContentLambdaV2
Enabled: true
EventSourceArn: !Sub arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${KinesisStreamName}-${Stage}
StartingPosition: LATEST
BisectBatchOnFunctionError: true
contentLambdaErrorPercentageAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
ActionsEnabled: true
AlarmActions:
- !Sub arn:aws:sns:${AWS::Region}:${MobileAccountId}:mobile-server-side
AlarmName:
Fn::Join:
- '-'
- - 'contentLambdaErrorPercentageAlarm'
- !Ref Stage
AlarmDescription: 'Triggers if mobile-notifications-content lambda does not execute successfully. Note: this lambda is hosted in the CAPI account. Impact - Users that are subscribed to tags or contributors on their mobile device may not be getting the latest updates'
ComparisonOperator: GreaterThanThreshold
EvaluationPeriods: 1
Metrics:
- Expression: 100*m1/m2
Id: expr_1
Label:
Fn::Join:
- ""
- - "Error % of "
- Ref: ContentLambdaV2
- Id: m1
MetricStat:
Metric:
Dimensions:
- Name: FunctionName
Value:
Ref: ContentLambdaV2
MetricName: Errors
Namespace: AWS/Lambda
Period: 60
Stat: Sum
ReturnData: false
- Id: m2
MetricStat:
Metric:
Dimensions:
- Name: FunctionName
Value:
Ref: ContentLambdaV2
MetricName: Invocations
Namespace: AWS/Lambda
Period: 60
Stat: Sum
ReturnData: false
OKActions:
- !Sub arn:aws:sns:${AWS::Region}:${MobileAccountId}:mobile-server-side
Threshold: 1
TreatMissingData: notBreaching
DependsOn: ContentLambdaV2
LiveBlogLambdaV2:
Type: AWS::Lambda::Function
Properties:
FunctionName: !Sub ${App}-liveblogs-${Stage}-v2
PackageType: Image
Code:
ImageUri:
Fn::Join:
- ':'
- - Fn::ImportValue: !Sub ${SharedResourcesStack}-LiveblogsLambdaContainerRepositoryUri
- !Ref BuildId
Environment:
Variables:
CrossAccountSsmReadingRole: !Sub arn:aws:iam::${MobileAccountId}:role/${CrossAccountBaseRoleName}-ssm-${Stage}
App: !Sub ${App}
Stack: !Sub ${Stack}
Stage: !Sub ${Stage}
Description: Lambda that sends push notifications when new key events are published on a liveblog
MemorySize: 4096
Role: !GetAtt ExecutionRole.Arn
Timeout: 60
LiveBlogEventSourceV2:
Type: AWS::Lambda::EventSourceMapping
Properties:
FunctionName: !Ref LiveBlogLambdaV2
Enabled: true
EventSourceArn: !Sub arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${KinesisStreamName}-${Stage}
StartingPosition: LATEST
BisectBatchOnFunctionError: true
liveBlogLambdaErrorPercentageAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
ActionsEnabled: true
AlarmActions:
- !Sub arn:aws:sns:${AWS::Region}:${MobileAccountId}:mobile-server-side
AlarmName:
Fn::Join:
- '-'
- - 'liveblogLambdaErrorPercentageAlarm'
- !Ref Stage
AlarmDescription: 'Triggers if mobile-notifications-content-liveblogs lambda does not execute successfully. Note: this lambda is hosted in the CAPI account. Impact - Users that are subscribed to liveblog notifications may not be getting the latest updates'
ComparisonOperator: GreaterThanThreshold
EvaluationPeriods: 1
Metrics:
- Expression: 100*m1/m2
Id: expr_1
Label:
Fn::Join:
- ""
- - "Error % of "
- Ref: LiveBlogLambdaV2
- Id: m1
MetricStat:
Metric:
Dimensions:
- Name: FunctionName
Value:
Ref: LiveBlogLambdaV2
MetricName: Errors
Namespace: AWS/Lambda
Period: 60
Stat: Sum
ReturnData: false
- Id: m2
MetricStat:
Metric:
Dimensions:
- Name: FunctionName
Value:
Ref: LiveBlogLambdaV2
MetricName: Invocations
Namespace: AWS/Lambda
Period: 60
Stat: Sum
ReturnData: false
OKActions:
- !Sub arn:aws:sns:${AWS::Region}:${MobileAccountId}:mobile-server-side
Threshold: 1
TreatMissingData: notBreaching
DependsOn: LiveBlogLambdaV2