  1. {
  2. "AWSTemplateFormatVersion": "2010-09-09",
  3. "Description": "Git Webhooks to clone repository contents to S3. For integrating 3rd party git products with AWS Services like CodePipeline/CodeBuild (qs-1nfhrd9bh)",
  4. "Metadata": {
  5. "AWS::CloudFormation::Interface": {
  6. "ParameterGroups": [
  7. {
  8. "Label": {
  9. "default": "General Settings"
  10. },
  11. "Parameters": [
  12. "OutputBucketName",
  13. "CustomDomainName"
  14. ]
  15. },
  16. {
  17. "Label": {
  18. "default": "Git Pull Settings"
  19. },
  20. "Parameters": [
  21. "ApiSecret",
  22. "AllowedIps"
  23. ]
  24. },
  25. {
  26. "Label": {
  27. "default": "Zip Download Settings"
  28. },
  29. "Parameters": [
  30. "GitToken",
  31. "OauthKey",
  32. "OauthSecret"
  33. ]
  34. },
  35. {
  36. "Label": {
  37. "default": "AWS Quick Start Configuration"
  38. },
  39. "Parameters": [
  40. "QSS3BucketName",
  41. "QSS3KeyPrefix"
  42. ]
  43. }
  44. ],
  45. "ParameterLabels": {
  46. "AllowedIps": {
  47. "default": "Allowed IPs"
  48. },
  49. "ApiSecret": {
  50. "default": "API Secret"
  51. },
  52. "CustomDomainName": {
  53. "default": "Custom Domain Name"
  54. },
  55. "GitToken": {
  56. "default": "Git Personal Access Token"
  57. },
  58. "OauthKey": {
  59. "default": "OAuth2 Key"
  60. },
  61. "OauthSecret": {
  62. "default": "OAuth2 Secret"
  63. },
  64. "OutputBucketName": {
  65. "default": "Output S3 Bucket Name"
  66. },
  67. "QSS3BucketName": {
  68. "default": "Quick Start S3 Bucket Name"
  69. },
  70. "QSS3KeyPrefix": {
  71. "default": "Quick Start S3 Key Prefix"
  72. }
  73. }
  74. }
  75. },
  76. "Parameters": {
  77. "AllowedIps": {
  78. "Description": "gitpull method only. Comma separated list of IP CIDR blocks for source IP authentication. The BitBucket Cloud IP ranges are provided as defaults.",
  79. "Type": "String",
  80. "Default": "34.198.203.127/32,34.198.178.64/32,34.198.32.85/32,104.192.136.0/21"
  81. },
  82. "ApiSecret": {
  83. "Description": "gitpull method only. WebHook Secrets for use with GitHub Enterprise and GitLab. If a secret is matched, IP range authentication is bypassed. Cannot contain: , \\ \"",
  84. "Type": "String",
  85. "Default": "",
  86. "NoEcho": "true"
  87. },
  88. "CustomDomainName": {
  89. "Description": "Use a custom domain name for the webhook endpoint; if left blank, API Gateway will create a domain name for you",
  90. "Type": "String",
  91. "Default": ""
  92. },
  93. "GitToken": {
  94. "NoEcho": "true",
  95. "Description": "zipdl method only. Personal access token, needed for GitHub Enterprise and GitLab",
  96. "Type": "String",
  97. "Default": "",
  98. "ConstraintDescription": "this token must be generated from the git server/provider"
  99. },
  100. "OauthKey": {
  101. "Description": "zipdl method only. OAuth2 Key needed for BitBucket",
  102. "Type": "String",
  103. "Default": "",
  104. "ConstraintDescription": "this key must be generated from the git server/provider"
  105. },
  106. "OauthSecret": {
  107. "NoEcho": "true",
  108. "Description": "zipdl method only. OAuth2 Secret needed for BitBucket",
  109. "Type": "String",
  110. "Default": "",
  111. "ConstraintDescription": "this secret must be generated from the git server/provider"
  112. },
  113. "OutputBucketName": {
  114. "Description": "OPTIONAL: Bucket Name where the zip file output should be placed; if left blank, a bucket name will be automatically generated.",
  115. "Type": "String",
  116. "Default": ""
  117. },
  118. "QSS3BucketName": {
  119. "AllowedPattern": "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$",
  120. "ConstraintDescription": "Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).",
  121. "Default": "aws-quickstart",
  122. "Description": "S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).",
  123. "Type": "String"
  124. },
  125. "QSS3KeyPrefix": {
  126. "AllowedPattern": "^[0-9a-zA-Z-/]*$",
  127. "ConstraintDescription": "Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).",
  128. "Default": "quickstart-git2s3/",
  129. "Description": "S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).",
  130. "Type": "String"
  131. }
  132. },
  133. "Conditions": {
  134. "UseAllowedIps": {
  135. "Fn::Not": [
  136. {
  137. "Fn::Equals": [
  138. {
  139. "Ref": "AllowedIps"
  140. },
  141. ""
  142. ]
  143. }
  144. ]
  145. },
  146. "UseApiSecret": {
  147. "Fn::Not": [
  148. {
  149. "Fn::Equals": [
  150. {
  151. "Ref": "ApiSecret"
  152. },
  153. ""
  154. ]
  155. }
  156. ]
  157. },
  158. "UseCustomDomain": {
  159. "Fn::Not": [
  160. {
  161. "Fn::Equals": [
  162. {
  163. "Ref": "CustomDomainName"
  164. },
  165. ""
  166. ]
  167. }
  168. ]
  169. },
  170. "UseGitToken": {
  171. "Fn::Not": [
  172. {
  173. "Fn::Equals": [
  174. {
  175. "Ref": "GitToken"
  176. },
  177. ""
  178. ]
  179. }
  180. ]
  181. },
  182. "UseOauthKey": {
  183. "Fn::Not": [
  184. {
  185. "Fn::Equals": [
  186. {
  187. "Ref": "OauthKey"
  188. },
  189. ""
  190. ]
  191. }
  192. ]
  193. },
  194. "UseOauthSecret": {
  195. "Fn::Not": [
  196. {
  197. "Fn::Equals": [
  198. {
  199. "Ref": "OauthSecret"
  200. },
  201. ""
  202. ]
  203. }
  204. ]
  205. },
  206. "AutoGenOutputBucketName": {
  207. "Fn::Not": [
  208. {
  209. "Fn::Equals": [
  210. {
  211. "Ref": "OutputBucketName"
  212. },
  213. ""
  214. ]
  215. }
  216. ]
  217. }
  218. },
  219. "Resources": {
  220. "LambdaZipsBucket": {
  221. "Type": "AWS::S3::Bucket",
  222. "Properties": {
  223. "Tags": []
  224. }
  225. },
  226. "CopyZips": {
  227. "Type": "AWS::CloudFormation::CustomResource",
  228. "Properties": {
  229. "ServiceToken": {
  230. "Fn::GetAtt": [
  231. "CopyZipsFunction",
  232. "Arn"
  233. ]
  234. },
  235. "DestBucket": {
  236. "Ref": "LambdaZipsBucket"
  237. },
  238. "SourceBucket": {
  239. "Ref": "QSS3BucketName"
  240. },
  241. "Prefix": {
  242. "Ref": "QSS3KeyPrefix"
  243. },
  244. "Objects": [
  245. "functions/packages/CreateSSHKey/lambda.zip",
  246. "functions/packages/DeleteBucketContents/lambda.zip",
  247. "functions/packages/GitPullS3/lambda.zip",
  248. "functions/packages/ZipDl/lambda.zip"
  249. ]
  250. }
  251. },
  252. "CopyZipsRole": {
  253. "Type": "AWS::IAM::Role",
  254. "Properties": {
  255. "AssumeRolePolicyDocument": {
  256. "Version": "2012-10-17",
  257. "Statement": [
  258. {
  259. "Effect": "Allow",
  260. "Principal": {
  261. "Service": "lambda.amazonaws.com"
  262. },
  263. "Action": "sts:AssumeRole"
  264. }
  265. ]
  266. },
  267. "ManagedPolicyArns": [
  268. "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
  269. ],
  270. "Path": "/",
  271. "Policies": [
  272. {
  273. "PolicyName": "lambda-copier",
  274. "PolicyDocument": {
  275. "Version": "2012-10-17",
  276. "Statement": [
  277. {
  278. "Effect": "Allow",
  279. "Action": [
  280. "s3:GetObject"
  281. ],
  282. "Resource": [
  283. {
  284. "Fn::Sub": "arn:aws:s3:::${QSS3BucketName}/${QSS3KeyPrefix}*"
  285. }
  286. ]
  287. },
  288. {
  289. "Effect": "Allow",
  290. "Action": [
  291. "s3:PutObject",
  292. "s3:DeleteObject"
  293. ],
  294. "Resource": [
  295. {
  296. "Fn::Sub": "arn:aws:s3:::${LambdaZipsBucket}/${QSS3KeyPrefix}*"
  297. }
  298. ]
  299. }
  300. ]
  301. }
  302. }
  303. ]
  304. }
  305. },
  306. "CopyZipsFunction": {
  307. "Type": "AWS::Lambda::Function",
  308. "Properties": {
  309. "Description": "Copies objects from a source S3 bucket to a destination",
  310. "Handler": "index.handler",
  311. "Runtime": "python2.7",
  312. "Role": {
  313. "Fn::GetAtt": [
  314. "CopyZipsRole",
  315. "Arn"
  316. ]
  317. },
  318. "Timeout": 240,
  319. "Code": {
  320. "ZipFile": {
  321. "Fn::Join": [
  322. "\n",
  323. [
  324. "import json",
  325. "import logging",
  326. "import threading",
  327. "import boto3",
  328. "import cfnresponse",
  329. "",
  330. "",
  331. "def copy_objects(source_bucket, dest_bucket, prefix, objects):",
  332. " s3 = boto3.client('s3')",
  333. " for o in objects:",
  334. " key = prefix + o",
  335. " copy_source = {",
  336. " 'Bucket': source_bucket,",
  337. " 'Key': key",
  338. " }",
  339. " s3.copy_object(CopySource=copy_source, Bucket=dest_bucket, Key=key)",
  340. "",
  341. "",
  342. "def delete_objects(bucket, prefix, objects):",
  343. " s3 = boto3.client('s3')",
  344. " objects = {'Objects': [{'Key': prefix + o} for o in objects]}",
  345. " s3.delete_objects(Bucket=bucket, Delete=objects)",
  346. "",
  347. "",
  348. "def timeout(event, context):",
  349. " logging.error('Execution is about to time out, sending failure response to CloudFormation')",
  350. " cfnresponse.send(event, context, cfnresponse.FAILED, {}, None)",
  351. "",
  352. "",
  353. "def handler(event, context):",
  354. " # make sure we send a failure to CloudFormation if the function is going to timeout",
  355. " timer = threading.Timer((context.get_remaining_time_in_millis() / 1000.00) - 0.5, timeout, args=[event, context])",
  356. " timer.start()",
  357. "",
  358. " print('Received event: %s' % json.dumps(event))",
  359. " status = cfnresponse.SUCCESS",
  360. " try:",
  361. " source_bucket = event['ResourceProperties']['SourceBucket']",
  362. " dest_bucket = event['ResourceProperties']['DestBucket']",
  363. " prefix = event['ResourceProperties']['Prefix']",
  364. " objects = event['ResourceProperties']['Objects']",
  365. " if event['RequestType'] == 'Delete':",
  366. " delete_objects(dest_bucket, prefix, objects)",
  367. " else:",
  368. " copy_objects(source_bucket, dest_bucket, prefix, objects)",
  369. " except Exception as e:",
  370. " logging.error('Exception: %s' % e, exc_info=True)",
  371. " status = cfnresponse.FAILED",
  372. " finally:",
  373. " timer.cancel()",
  374. " cfnresponse.send(event, context, status, {}, None)",
  375. ""
  376. ]
  377. ]
  378. }
  379. }
  380. }
  381. },
  382. "KeyBucket": {
  383. "Type": "AWS::S3::Bucket",
  384. "Properties": {
  385. "Tags": []
  386. }
  387. },
  388. "OutputBucket": {
  389. "Type": "AWS::S3::Bucket",
  390. "Properties": {
  391. "BucketName": {
  392. "Fn::If": [
  393. "AutoGenOutputBucketName",
  394. {
  395. "Ref": "OutputBucketName"
  396. },
  397. {
  398. "Ref": "AWS::NoValue"
  399. }
  400. ]
  401. },
  402. "VersioningConfiguration": {
  403. "Status": "Enabled"
  404. },
  405. "Tags": []
  406. }
  407. },
  408. "KMSKey": {
  409. "Type": "AWS::KMS::Key",
  410. "Properties": {
  411. "Description": "git CodePipeline integration, used to encrypt/decrypt ssh keys stored in S3",
  412. "KeyPolicy": {
  413. "Version": "2012-10-17",
  414. "Statement": [
  415. {
  416. "Sid": "Allow access for Key Administrators",
  417. "Effect": "Allow",
  418. "Principal": {
  419. "AWS": [
  420. {
  421. "Fn::Join": [
  422. "",
  423. [
  424. "arn:aws:iam::",
  425. {
  426. "Ref": "AWS::AccountId"
  427. },
  428. ":root"
  429. ]
  430. ]
  431. }
  432. ]
  433. },
  434. "Action": [
  435. "kms:Create*",
  436. "kms:Describe*",
  437. "kms:Enable*",
  438. "kms:List*",
  439. "kms:Put*",
  440. "kms:Update*",
  441. "kms:Revoke*",
  442. "kms:Disable*",
  443. "kms:Get*",
  444. "kms:Delete*",
  445. "kms:ScheduleKeyDeletion",
  446. "kms:CancelKeyDeletion"
  447. ],
  448. "Resource": "*"
  449. },
  450. {
  451. "Sid": "Allow use of the key",
  452. "Effect": "Allow",
  453. "Principal": {
  454. "AWS": [
  455. {
  456. "Fn::Join": [
  457. "",
  458. [
  459. "arn:aws:iam::",
  460. {
  461. "Ref": "AWS::AccountId"
  462. },
  463. ":root"
  464. ]
  465. ]
  466. }
  467. ]
  468. },
  469. "Action": [
  470. "kms:Encrypt",
  471. "kms:Decrypt",
  472. "kms:ReEncrypt*",
  473. "kms:GenerateDataKey*",
  474. "kms:DescribeKey"
  475. ],
  476. "Resource": "*"
  477. },
  478. {
  479. "Sid": "Allow attachment of persistent resources",
  480. "Effect": "Allow",
  481. "Principal": {
  482. "AWS": [
  483. {
  484. "Fn::Join": [
  485. "",
  486. [
  487. "arn:aws:iam::",
  488. {
  489. "Ref": "AWS::AccountId"
  490. },
  491. ":root"
  492. ]
  493. ]
  494. }
  495. ]
  496. },
  497. "Action": [
  498. "kms:CreateGrant",
  499. "kms:ListGrants",
  500. "kms:RevokeGrant"
  501. ],
  502. "Resource": "*",
  503. "Condition": {
  504. "Bool": {
  505. "kms:GrantIsForAWSResource": true
  506. }
  507. }
  508. }
  509. ]
  510. }
  511. }
  512. },
  513. "CreateSSHKeyRole": {
  514. "Type": "AWS::IAM::Role",
  515. "Properties": {
  516. "AssumeRolePolicyDocument": {
  517. "Version": "2012-10-17",
  518. "Statement": [
  519. {
  520. "Effect": "Allow",
  521. "Principal": {
  522. "Service": "lambda.amazonaws.com"
  523. },
  524. "Action": "sts:AssumeRole"
  525. }
  526. ]
  527. },
  528. "Path": "/",
  529. "Policies": [
  530. {
  531. "PolicyName": "git2cp-sshkeygen",
  532. "PolicyDocument": {
  533. "Version": "2012-10-17",
  534. "Statement": [
  535. {
  536. "Effect": "Allow",
  537. "Action": [
  538. "s3:GetObject"
  539. ],
  540. "Resource": [
  541. {
  542. "Fn::Join": [
  543. "",
  544. [
  545. "arn:aws:s3:::",
  546. {
  547. "Ref": "KeyBucket"
  548. },
  549. "/crypto.zip"
  550. ]
  551. ]
  552. }
  553. ]
  554. },
  555. {
  556. "Effect": "Allow",
  557. "Action": [
  558. "s3:PutObject"
  559. ],
  560. "Resource": [
  561. {
  562. "Fn::Join": [
  563. "",
  564. [
  565. "arn:aws:s3:::",
  566. {
  567. "Ref": "KeyBucket"
  568. },
  569. "/enc_key"
  570. ]
  571. ]
  572. }
  573. ]
  574. },
  575. {
  576. "Effect": "Allow",
  577. "Action": [
  578. "kms:Encrypt"
  579. ],
  580. "Resource": [
  581. {
  582. "Fn::GetAtt": [
  583. "KMSKey",
  584. "Arn"
  585. ]
  586. }
  587. ]
  588. },
  589. {
  590. "Effect": "Allow",
  591. "Action": [
  592. "logs:CreateLogGroup",
  593. "logs:CreateLogStream",
  594. "logs:PutLogEvents"
  595. ],
  596. "Resource": [
  597. "arn:aws:logs:*:*:*"
  598. ]
  599. }
  600. ]
  601. }
  602. }
  603. ]
  604. }
  605. },
  606. "CreateSSHKeyLambda": {
  607. "DependsOn": "CopyZips",
  608. "Type": "AWS::Lambda::Function",
  609. "Properties": {
  610. "Handler": "lambda_function.lambda_handler",
  611. "MemorySize": "128",
  612. "Role": {
  613. "Fn::GetAtt": [
  614. "CreateSSHKeyRole",
  615. "Arn"
  616. ]
  617. },
  618. "Runtime": "python2.7",
  619. "Timeout": "300",
  620. "Code": {
  621. "S3Bucket": {
  622. "Ref": "LambdaZipsBucket"
  623. },
  624. "S3Key": {
  625. "Fn::Sub": "${QSS3KeyPrefix}functions/packages/CreateSSHKey/lambda.zip"
  626. }
  627. }
  628. }
  629. },
  630. "CreateSSHKey": {
  631. "Type": "AWS::CloudFormation::CustomResource",
  632. "Version": "1.0",
  633. "Properties": {
  634. "ServiceToken": {
  635. "Fn::GetAtt": [
  636. "CreateSSHKeyLambda",
  637. "Arn"
  638. ]
  639. },
  640. "KeyBucket": {
  641. "Ref": "KeyBucket"
  642. },
  643. "Region": {
  644. "Ref": "AWS::Region"
  645. },
  646. "KMSKey": {
  647. "Ref": "KMSKey"
  648. }
  649. }
  650. },
  651. "DeleteBucketContentsRole": {
  652. "Type": "AWS::IAM::Role",
  653. "Properties": {
  654. "AssumeRolePolicyDocument": {
  655. "Version": "2012-10-17",
  656. "Statement": [
  657. {
  658. "Effect": "Allow",
  659. "Principal": {
  660. "Service": "lambda.amazonaws.com"
  661. },
  662. "Action": "sts:AssumeRole"
  663. }
  664. ]
  665. },
  666. "Path": "/",
  667. "Policies": [
  668. {
  669. "PolicyName": "git2cp-deletebucketcontents",
  670. "PolicyDocument": {
  671. "Version": "2012-10-17",
  672. "Statement": [
  673. {
  674. "Effect": "Allow",
  675. "Action": [
  676. "s3:*"
  677. ],
  678. "Resource": [
  679. {
  680. "Fn::Join": [
  681. "",
  682. [
  683. "arn:aws:s3:::",
  684. {
  685. "Ref": "KeyBucket"
  686. },
  687. "/*"
  688. ]
  689. ]
  690. },
  691. {
  692. "Fn::Join": [
  693. "",
  694. [
  695. "arn:aws:s3:::",
  696. {
  697. "Ref": "OutputBucket"
  698. },
  699. "/*"
  700. ]
  701. ]
  702. },
  703. {
  704. "Fn::Join": [
  705. "",
  706. [
  707. "arn:aws:s3:::",
  708. {
  709. "Ref": "KeyBucket"
  710. }
  711. ]
  712. ]
  713. },
  714. {
  715. "Fn::Join": [
  716. "",
  717. [
  718. "arn:aws:s3:::",
  719. {
  720. "Ref": "OutputBucket"
  721. }
  722. ]
  723. ]
  724. }
  725. ]
  726. },
  727. {
  728. "Effect": "Allow",
  729. "Action": [
  730. "logs:CreateLogGroup",
  731. "logs:CreateLogStream",
  732. "logs:PutLogEvents"
  733. ],
  734. "Resource": [
  735. "arn:aws:logs:*:*:*"
  736. ]
  737. }
  738. ]
  739. }
  740. }
  741. ]
  742. }
  743. },
  744. "DeleteBucketContentsLambda": {
  745. "DependsOn": "CopyZips",
  746. "Type": "AWS::Lambda::Function",
  747. "Properties": {
  748. "Handler": "lambda_function.lambda_handler",
  749. "MemorySize": "128",
  750. "Role": {
  751. "Fn::GetAtt": [
  752. "DeleteBucketContentsRole",
  753. "Arn"
  754. ]
  755. },
  756. "Runtime": "python2.7",
  757. "Timeout": "300",
  758. "Code": {
  759. "S3Bucket": {
  760. "Ref": "LambdaZipsBucket"
  761. },
  762. "S3Key": {
  763. "Fn::Sub": "${QSS3KeyPrefix}functions/packages/DeleteBucketContents/lambda.zip"
  764. }
  765. }
  766. }
  767. },
  768. "DeleteBucketContents": {
  769. "Type": "AWS::CloudFormation::CustomResource",
  770. "Version": "1.0",
  771. "DependsOn": [
  772. "KeyBucket",
  773. "OutputBucket"
  774. ],
  775. "Properties": {
  776. "ServiceToken": {
  777. "Fn::GetAtt": [
  778. "DeleteBucketContentsLambda",
  779. "Arn"
  780. ]
  781. },
  782. "KeyBucket": {
  783. "Ref": "KeyBucket"
  784. },
  785. "OutputBucket": {
  786. "Ref": "OutputBucket"
  787. }
  788. }
  789. },
  790. "GitPullRole": {
  791. "Type": "AWS::IAM::Role",
  792. "Properties": {
  793. "AssumeRolePolicyDocument": {
  794. "Version": "2012-10-17",
  795. "Statement": [
  796. {
  797. "Effect": "Allow",
  798. "Principal": {
  799. "Service": "lambda.amazonaws.com"
  800. },
  801. "Action": "sts:AssumeRole"
  802. }
  803. ]
  804. },
  805. "Path": "/",
  806. "Policies": [
  807. {
  808. "PolicyName": "git2cp-gitpull",
  809. "PolicyDocument": {
  810. "Version": "2012-10-17",
  811. "Statement": [
  812. {
  813. "Effect": "Allow",
  814. "Action": [
  815. "kms:Decrypt"
  816. ],
  817. "Resource": [
  818. {
  819. "Fn::GetAtt": [
  820. "KMSKey",
  821. "Arn"
  822. ]
  823. }
  824. ]
  825. },
  826. {
  827. "Effect": "Allow",
  828. "Action": [
  829. "s3:PutObject"
  830. ],
  831. "Resource": [
  832. {
  833. "Fn::Join": [
  834. "",
  835. [
  836. "arn:aws:s3:::",
  837. {
  838. "Ref": "OutputBucket"
  839. }
  840. ]
  841. ]
  842. },
  843. {
  844. "Fn::Join": [
  845. "",
  846. [
  847. "arn:aws:s3:::",
  848. {
  849. "Ref": "OutputBucket"
  850. },
  851. "/*"
  852. ]
  853. ]
  854. }
  855. ]
  856. },
  857. {
  858. "Effect": "Allow",
  859. "Action": [
  860. "s3:GetObject"
  861. ],
  862. "Resource": [
  863. {
  864. "Fn::Join": [
  865. "",
  866. [
  867. "arn:aws:s3:::",
  868. {
  869. "Ref": "KeyBucket"
  870. },
  871. "/enc_key"
  872. ]
  873. ]
  874. }
  875. ]
  876. },
  877. {
  878. "Effect": "Allow",
  879. "Action": [
  880. "logs:CreateLogGroup",
  881. "logs:CreateLogStream",
  882. "logs:PutLogEvents"
  883. ],
  884. "Resource": [
  885. "arn:aws:logs:*:*:*"
  886. ]
  887. }
  888. ]
  889. }
  890. }
  891. ]
  892. }
  893. },
  894. "GitPullLambda": {
  895. "DependsOn": "CopyZips",
  896. "Type": "AWS::Lambda::Function",
  897. "Properties": {
  898. "Handler": "lambda_function.lambda_handler",
  899. "MemorySize": "128",
  900. "Role": {
  901. "Fn::GetAtt": [
  902. "GitPullRole",
  903. "Arn"
  904. ]
  905. },
  906. "Runtime": "python2.7",
  907. "Timeout": "300",
  908. "Code": {
  909. "S3Bucket": {
  910. "Ref": "LambdaZipsBucket"
  911. },
  912. "S3Key": {
  913. "Fn::Sub": "${QSS3KeyPrefix}functions/packages/GitPullS3/lambda.zip"
  914. }
  915. }
  916. }
  917. },
  918. "ZipDlRole": {
  919. "Type": "AWS::IAM::Role",
  920. "Properties": {
  921. "AssumeRolePolicyDocument": {
  922. "Statement": [
  923. {
  924. "Sid": "",
  925. "Effect": "Allow",
  926. "Principal": {
  927. "Service": [
  928. "lambda.amazonaws.com"
  929. ]
  930. },
  931. "Action": "sts:AssumeRole"
  932. }
  933. ]
  934. },
  935. "Path": "/",
  936. "Policies": [
  937. {
  938. "PolicyName": "git2cp-zipdl",
  939. "PolicyDocument": {
  940. "Version": "2012-10-17",
  941. "Statement": [
  942. {
  943. "Effect": "Allow",
  944. "Action": [
  945. "s3:PutObject"
  946. ],
  947. "Resource": [
  948. {
  949. "Fn::Join": [
  950. "",
  951. [
  952. "arn:aws:s3:::",
  953. {
  954. "Ref": "OutputBucket"
  955. }
  956. ]
  957. ]
  958. },
  959. {
  960. "Fn::Join": [
  961. "",
  962. [
  963. "arn:aws:s3:::",
  964. {
  965. "Ref": "OutputBucket"
  966. },
  967. "/*"
  968. ]
  969. ]
  970. }
  971. ]
  972. },
  973. {
  974. "Effect": "Allow",
  975. "Action": [
  976. "logs:CreateLogGroup",
  977. "logs:CreateLogStream",
  978. "logs:PutLogEvents"
  979. ],
  980. "Resource": [
  981. "arn:aws:logs:*:*:*"
  982. ]
  983. }
  984. ]
  985. }
  986. }
  987. ]
  988. }
  989. },
  990. "ZipDlLambda": {
  991. "DependsOn": "CopyZips",
  992. "Type": "AWS::Lambda::Function",
  993. "Properties": {
  994. "Handler": "lambda_function.lambda_handler",
  995. "Role": {
  996. "Fn::GetAtt": [
  997. "ZipDlRole",
  998. "Arn"
  999. ]
  1000. },
  1001. "Code": {
  1002. "S3Bucket": {
  1003. "Ref": "LambdaZipsBucket"
  1004. },
  1005. "S3Key": {
  1006. "Fn::Sub": "${QSS3KeyPrefix}functions/packages/ZipDl/lambda.zip"
  1007. }
  1008. },
  1009. "Runtime": "python2.7",
  1010. "MemorySize": 128,
  1011. "Timeout": 30
  1012. }
  1013. },
  1014. "WebHookRole": {
  1015. "Type": "AWS::IAM::Role",
  1016. "Properties": {
  1017. "AssumeRolePolicyDocument": {
  1018. "Version": "2012-10-17",
  1019. "Statement": [
  1020. {
  1021. "Effect": "Allow",
  1022. "Principal": {
  1023. "Service": "apigateway.amazonaws.com"
  1024. },
  1025. "Action": "sts:AssumeRole"
  1026. }
  1027. ]
  1028. },
  1029. "Path": "/",
  1030. "ManagedPolicyArns": [
  1031. "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
  1032. ],
  1033. "Policies": [
  1034. {
  1035. "PolicyName": "git2cp-webhook",
  1036. "PolicyDocument": {
  1037. "Version": "2012-10-17",
  1038. "Statement": [
  1039. {
  1040. "Effect": "Allow",
  1041. "Action": [
  1042. "lambda:InvokeAsync",
  1043. "lambda:InvokeFunction"
  1044. ],
  1045. "Resource": [
  1046. {
  1047. "Fn::GetAtt": [
  1048. "GitPullLambda",
  1049. "Arn"
  1050. ]
  1051. },
  1052. {
  1053. "Fn::GetAtt": [
  1054. "ZipDlLambda",
  1055. "Arn"
  1056. ]
  1057. }
  1058. ]
  1059. }
  1060. ]
  1061. }
  1062. }
  1063. ]
  1064. }
  1065. },
  1066. "WebHookApi": {
  1067. "Type": "AWS::ApiGateway::RestApi",
  1068. "Properties": {
  1069. "Body": {
  1070. "swagger": "2.0",
  1071. "info": {
  1072. "version": "2016-07-26T07:34:38Z",
  1073. "title": {
  1074. "Fn::Join": [
  1075. "",
  1076. [
  1077. "G2CP-",
  1078. {
  1079. "Ref": "AWS::StackName"
  1080. }
  1081. ]
  1082. ]
  1083. }
  1084. },
  1085. "schemes": [
  1086. "https"
  1087. ],
  1088. "paths": {
  1089. "/gitpull": {
  1090. "post": {
  1091. "consumes": [
  1092. "application/json"
  1093. ],
  1094. "produces": [
  1095. "application/json"
  1096. ],
  1097. "responses": {
  1098. "200": {
  1099. "description": "200 response",
  1100. "schema": {
  1101. "$ref": "#/definitions/Empty"
  1102. }
  1103. }
  1104. },
  1105. "x-amazon-apigateway-integration": {
  1106. "type": "aws",
  1107. "credentials": {
  1108. "Fn::GetAtt": [
  1109. "WebHookRole",
  1110. "Arn"
  1111. ]
  1112. },
  1113. "responses": {
  1114. "default": {
  1115. "statusCode": "200"
  1116. }
  1117. },
  1118. "requestParameters": {
  1119. "integration.request.header.X-Amz-Invocation-Type": "'Event'"
  1120. },
  1121. "passthroughBehavior": "when_no_templates",
  1122. "httpMethod": "POST",
  1123. "uri": {
  1124. "Fn::Join": [
  1125. "",
  1126. [
  1127. "arn:aws:apigateway:",
  1128. {
  1129. "Ref": "AWS::Region"
  1130. },
  1131. ":lambda:path//2015-03-31/functions/",
  1132. {
  1133. "Fn::GetAtt": [
  1134. "GitPullLambda",
  1135. "Arn"
  1136. ]
  1137. },
  1138. "/invocations"
  1139. ]
  1140. ]
  1141. },
  1142. "requestTemplates": {
  1143. "application/json": {
  1144. "Fn::Join": [
  1145. "",
  1146. [
  1147. "#set($allParams = $input.params())\n",
  1148. "{\n",
  1149. "\"body-json\" : $input.json('$'),\n",
  1150. "\"params\" : {\n",
  1151. "#foreach($type in $allParams.keySet())\n",
  1152. " #set($params = $allParams.get($type))\n",
  1153. "\"$type\" : {\n",
  1154. " #foreach($paramName in $params.keySet())\n",
  1155. " \"$paramName\" : \"$util.escapeJavaScript($params.get($paramName))\"\n",
  1156. " #if($foreach.hasNext),#end\n",
  1157. " #end\n",
  1158. "}\n",
  1159. " #if($foreach.hasNext),#end\n",
  1160. "#end\n",
  1161. "},\n",
  1162. "\"stage-variables\" : {\n",
  1163. "#foreach($key in $stageVariables.keySet())\n",
  1164. "\"$key\" : \"$util.escapeJavaScript($stageVariables.get($key))\"\n",
  1165. " #if($foreach.hasNext),#end\n",
  1166. "#end\n",
  1167. "},\n",
  1168. "\"context\" : {\n",
  1169. " \"account-id\" : \"$context.identity.accountId\",\n",
  1170. " \"api-id\" : \"$context.apiId\",\n",
  1171. " \"api-key\" : \"$context.identity.apiKey\",\n",
  1172. " \"authorizer-principal-id\" : \"$context.authorizer.principalId\",\n",
  1173. " \"caller\" : \"$context.identity.caller\",\n",
  1174. " \"cognito-authentication-provider\" : \"$context.identity.cognitoAuthenticationProvider\",\n",
  1175. " \"cognito-authentication-type\" : \"$context.identity.cognitoAuthenticationType\",\n",
  1176. " \"cognito-identity-id\" : \"$context.identity.cognitoIdentityId\",\n",
  1177. " \"cognito-identity-pool-id\" : \"$context.identity.cognitoIdentityPoolId\",\n",
  1178. " \"http-method\" : \"$context.httpMethod\",\n",
  1179. " \"stage\" : \"$context.stage\",\n",
  1180. " \"source-ip\" : \"$context.identity.sourceIp\",\n",
  1181. " \"user\" : \"$context.identity.user\",\n",
  1182. " \"user-agent\" : \"$context.identity.userAgent\",\n",
  1183. " \"user-arn\" : \"$context.identity.userArn\",\n",
  1184. " \"request-id\" : \"$context.requestId\",\n",
  1185. " \"resource-id\" : \"$context.resourceId\",\n",
  1186. " \"resource-path\" : \"$context.resourcePath\",\n",
  1187. " \"allowed-ips\" : \"$stageVariables.allowedips\",\n",
  1188. " \"api-secrets\" : \"$stageVariables.apisecrets\",\n",
  1189. " \"key-bucket\" : \"",
  1190. {
  1191. "Ref": "KeyBucket"
  1192. },
  1193. "\",\n",
  1194. " \"output-bucket\" : \"$stageVariables.outputbucket\",\n",
  1195. " \"public-key\" : \"",
  1196. {
  1197. "Ref": "CreateSSHKey"
  1198. },
  1199. "\",\n",
  1200. " \"raw-body\" : \"$util.escapeJavaScript($input.body).replace(\"\\'\",\"'\")\"\n",
  1201. " }\n",
  1202. "}"
  1203. ]
  1204. ]
  1205. }
  1206. }
  1207. }
  1208. }
  1209. },
  1210. "/zipdl": {
  1211. "post": {
  1212. "consumes": [
  1213. "application/json"
  1214. ],
  1215. "produces": [
  1216. "application/json"
  1217. ],
  1218. "responses": {
  1219. "200": {
  1220. "description": "200 response",
  1221. "schema": {
  1222. "$ref": "#/definitions/Empty"
  1223. }
  1224. }
  1225. },
  1226. "x-amazon-apigateway-integration": {
  1227. "type": "aws",
  1228. "credentials": {
  1229. "Fn::GetAtt": [
  1230. "WebHookRole",
  1231. "Arn"
  1232. ]
  1233. },
  1234. "responses": {
  1235. "default": {
  1236. "statusCode": "200"
  1237. }
  1238. },
  1239. "requestParameters": {
  1240. "integration.request.header.X-Amz-Invocation-Type": "'Event'"
  1241. },
  1242. "passthroughBehavior": "when_no_templates",
  1243. "httpMethod": "POST",
  1244. "uri": {
  1245. "Fn::Join": [
  1246. "",
  1247. [
  1248. "arn:aws:apigateway:",
  1249. {
  1250. "Ref": "AWS::Region"
  1251. },
  1252. ":lambda:path//2015-03-31/functions/",
  1253. {
  1254. "Fn::GetAtt": [
  1255. "ZipDlLambda",
  1256. "Arn"
  1257. ]
  1258. },
  1259. "/invocations"
  1260. ]
  1261. ]
  1262. },
  1263. "requestTemplates": {
  1264. "application/json": {
  1265. "Fn::Join": [
  1266. "",
  1267. [
  1268. "#set($allParams = $input.params())\n",
  1269. "{\n",
  1270. "\"body-json\" : $input.json('$'),\n",
  1271. "\"params\" : {\n",
  1272. "#foreach($type in $allParams.keySet())\n",
  1273. " #set($params = $allParams.get($type))\n",
  1274. "\"$type\" : {\n",
  1275. " #foreach($paramName in $params.keySet())\n",
  1276. " \"$paramName\" : \"$util.escapeJavaScript($params.get($paramName))\"\n",
  1277. " #if($foreach.hasNext),#end\n",
  1278. " #end\n",
  1279. "}\n",
  1280. " #if($foreach.hasNext),#end\n",
  1281. "#end\n",
  1282. "},\n",
  1283. "\"stage-variables\" : {\n",
  1284. "#foreach($key in $stageVariables.keySet())\n",
  1285. "\"$key\" : \"$util.escapeJavaScript($stageVariables.get($key))\"\n",
  1286. " #if($foreach.hasNext),#end\n",
  1287. "#end\n",
  1288. "},\n",
  1289. "\"context\" : {\n",
  1290. " \"account-id\" : \"$context.identity.accountId\",\n",
  1291. " \"api-id\" : \"$context.apiId\",\n",
  1292. " \"api-key\" : \"$context.identity.apiKey\",\n",
  1293. " \"authorizer-principal-id\" : \"$context.authorizer.principalId\",\n",
  1294. " \"caller\" : \"$context.identity.caller\",\n",
  1295. " \"cognito-authentication-provider\" : \"$context.identity.cognitoAuthenticationProvider\",\n",
  1296. " \"cognito-authentication-type\" : \"$context.identity.cognitoAuthenticationType\",\n",
  1297. " \"cognito-identity-id\" : \"$context.identity.cognitoIdentityId\",\n",
  1298. " \"cognito-identity-pool-id\" : \"$context.identity.cognitoIdentityPoolId\",\n",
  1299. " \"http-method\" : \"$context.httpMethod\",\n",
  1300. " \"stage\" : \"$context.stage\",\n",
  1301. " \"source-ip\" : \"$context.identity.sourceIp\",\n",
  1302. " \"user\" : \"$context.identity.user\",\n",
  1303. " \"user-agent\" : \"$context.identity.userAgent\",\n",
  1304. " \"user-arn\" : \"$context.identity.userArn\",\n",
  1305. " \"request-id\" : \"$context.requestId\",\n",
  1306. " \"resource-id\" : \"$context.resourceId\",\n",
  1307. " \"resource-path\" : \"$context.resourcePath\",\n",
  1308. " \"oauth-key\" : \"$stageVariables.oauthkey\",\n",
  1309. " \"oauth-secret\" : \"$stageVariables.oauthsecret\",\n",
  1310. " \"output-bucket\" : \"$stageVariables.outputbucket\",\n",
  1311. " \"git-token\" : \"$stageVariables.gittoken\"\n",
  1312. " }\n",
  1313. "}"
  1314. ]
  1315. ]
  1316. }
  1317. }
  1318. }
  1319. }
  1320. }
  1321. },
  1322. "securityDefinitions": {
  1323. "sigv4": {
  1324. "type": "apiKey",
  1325. "name": "Authorization",
  1326. "in": "header",
  1327. "x-amazon-apigateway-authtype": "awsSigv4"
  1328. }
  1329. },
  1330. "definitions": {
  1331. "Empty": {
  1332. "type": "object"
  1333. }
  1334. }
  1335. }
  1336. }
  1337. },
  1338. "WebHookApiDeployment": {
  1339. "Type": "AWS::ApiGateway::Deployment",
  1340. "Properties": {
  1341. "RestApiId": {
  1342. "Ref": "WebHookApi"
  1343. },
  1344. "StageName": "DummyStage"
  1345. }
  1346. },
  1347. "WebHookApiProdStage": {
  1348. "Type": "AWS::ApiGateway::Stage",
  1349. "Properties": {
  1350. "DeploymentId": {
  1351. "Ref": "WebHookApiDeployment"
  1352. },
  1353. "RestApiId": {
  1354. "Ref": "WebHookApi"
  1355. },
  1356. "StageName": "Prod",
  1357. "Variables": {
  1358. "outputbucket": {
  1359. "Ref": "OutputBucket"
  1360. },
  1361. "allowedips": {
  1362. "Fn::If": [
  1363. "UseAllowedIps",
  1364. {
  1365. "Ref": "AllowedIps"
  1366. },
  1367. {
  1368. "Ref": "AWS::NoValue"
  1369. }
  1370. ]
  1371. },
  1372. "apisecrets": {
  1373. "Fn::If": [
  1374. "UseApiSecret",
  1375. {
  1376. "Ref": "ApiSecret"
  1377. },
  1378. {
  1379. "Ref": "AWS::NoValue"
  1380. }
  1381. ]
  1382. },
  1383. "gittoken": {
  1384. "Fn::If": [
  1385. "UseGitToken",
  1386. {
  1387. "Ref": "GitToken"
  1388. },
  1389. {
  1390. "Ref": "AWS::NoValue"
  1391. }
  1392. ]
  1393. },
  1394. "oauthkey": {
  1395. "Fn::If": [
  1396. "UseOauthKey",
  1397. {
  1398. "Ref": "OauthKey"
  1399. },
  1400. {
  1401. "Ref": "AWS::NoValue"
  1402. }
  1403. ]
  1404. },
  1405. "oauthsecret": {
  1406. "Fn::If": [
  1407. "UseOauthSecret",
  1408. {
  1409. "Ref": "OauthSecret"
  1410. },
  1411. {
  1412. "Ref": "AWS::NoValue"
  1413. }
  1414. ]
  1415. }
  1416. }
  1417. }
  1418. },
  1419. "CustomDomainCertificate": {
  1420. "Condition": "UseCustomDomain",
  1421. "Type": "AWS::CertificateManager::Certificate",
  1422. "Properties": {
  1423. "DomainName": {
  1424. "Ref": "CustomDomainName"
  1425. }
  1426. }
  1427. },
  1428. "WebHookApiCustomDomainName": {
  1429. "Condition": "UseCustomDomain",
  1430. "Type": "AWS::ApiGateway::DomainName",
  1431. "Properties": {
  1432. "CertificateArn": {
  1433. "Ref": "CustomDomainCertificate"
  1434. },
  1435. "DomainName": {
  1436. "Ref": "CustomDomainName"
  1437. }
  1438. }
  1439. },
  1440. "WebHookApiCustomDomainNameMapping": {
  1441. "Condition": "UseCustomDomain",
  1442. "Type": "AWS::ApiGateway::BasePathMapping",
  1443. "Properties": {
  1444. "DomainName": {
  1445. "Ref": "CustomDomainName"
  1446. },
  1447. "RestApiId": {
  1448. "Ref": "WebHookApi"
  1449. }
  1450. }
  1451. }
  1452. },
  1453. "Outputs": {
  1454. "CustomDomainNameCNAME": {
  1455. "Value": {
  1456. "Fn::If": [
  1457. "UseCustomDomain",
  1458. {
  1459. "Fn::GetAtt": [
  1460. "WebHookApiCustomDomainName",
  1461. "DistributionDomainName"
  1462. ]
  1463. },
  1464. ""
  1465. ]
  1466. }
  1467. },
  1468. "PublicSSHKey": {
  1469. "Value": {
  1470. "Ref": "CreateSSHKey"
  1471. }
  1472. },
  1473. "GitPullWebHookApi": {
  1474. "Value": {
  1475. "Fn::Join": [
  1476. "",
  1477. [
  1478. " https://",
  1479. {
  1480. "Fn::If": [
  1481. "UseCustomDomain",
  1482. {
  1483. "Ref": "CustomDomainName"
  1484. },
  1485. {
  1486. "Fn::Join": [
  1487. "",
  1488. [
  1489. {
  1490. "Ref": "WebHookApi"
  1491. },
  1492. ".execute-api.",
  1493. {
  1494. "Ref": "AWS::Region"
  1495. },
  1496. ".amazonaws.com"
  1497. ]
  1498. ]
  1499. }
  1500. ]
  1501. },
  1502. "/",
  1503. {
  1504. "Ref": "WebHookApiProdStage"
  1505. },
  1506. "/gitpull"
  1507. ]
  1508. ]
  1509. }
  1510. },
  1511. "ZipDownloadWebHookApi": {
  1512. "Value": {
  1513. "Fn::Join": [
  1514. "",
  1515. [
  1516. " https://",
  1517. {
  1518. "Fn::If": [
  1519. "UseCustomDomain",
  1520. {
  1521. "Ref": "CustomDomainName"
  1522. },
  1523. {
  1524. "Fn::Join": [
  1525. "",
  1526. [
  1527. {
  1528. "Ref": "WebHookApi"
  1529. },
  1530. ".execute-api.",
  1531. {
  1532. "Ref": "AWS::Region"
  1533. },
  1534. ".amazonaws.com"
  1535. ]
  1536. ]
  1537. }
  1538. ]
  1539. },
  1540. "/",
  1541. {
  1542. "Ref": "WebHookApiProdStage"
  1543. },
  1544. "/zipdl"
  1545. ]
  1546. ]
  1547. }
  1548. },
  1549. "OutputBucketName": {
  1550. "Value": {
  1551. "Ref": "OutputBucket"
  1552. }
  1553. }
  1554. }
  1555. }