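---
Transform: 'AWS::Serverless-2016-10-31'
Parameters:
  # Bucket that holds both the packaged Lambda jar (CodeUri) and the sample data
  # object; it is also exported to the function as BUCKET_NAME.
  BucketName:
    Type: "String"
  # Object key of the sample CSV; used for the SAMPLE_DATA env var and as the
  # single object the function's scoped S3 read policy allows.
  SampleData:
    Type: "String"
    Default: "sample_data.csv"
  # Object key of the packaged Lambda code inside BucketName.
  LambdaCode:
    Type: "String"
    Default: "lambdaCode-1.0.0.jar"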
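Resources:
  S3SelectLDemoLambdaFunction:
    # This resource creates a Lambda function.
    Type: 'AWS::Serverless::Function'
    Properties:
      Description: Lambda handler for S3 select Demo
      # Function time-out, in seconds.
      Timeout: 30
      # Initial memory size, in MB.
      MemorySize: 512
      # The location of the Lambda function code.
      # CloudFormation: when used with CloudFormation, the bucket must exist and the code must already be uploaded.
      # SAM: builds the code using Maven. Defaults to './' when used with SAM. Same as CodeUri: ./
      #CodeUri: ./
      CodeUri:
        # !Ref resolves the value of parameters and other resources
        # when the stack is created or updated.
        Bucket: !Ref BucketName
        Key: !Ref LambdaCode
      # This function uses the Java 8 runtime.
      # NOTE(review): java8 is a deprecated Lambda runtime identifier — confirm a
      # currently supported Java runtime before deploying.
      Runtime: java8
      # This is the Lambda function's handler.
      Handler: com.amazonaws.samples.s3select.s3_select_demo.S3SelectDemoLambdaHandler
      # Lambda environment variables
      Environment:
        Variables:
          BUCKET_NAME: !Ref BucketName
          SAMPLE_DATA: !Ref SampleData
      Policies:
        # Managed policy.
        # NOTE(review): AWSLambdaExecute grants s3:GetObject/s3:PutObject on every
        # bucket, which is broader than the object-scoped statement below; a
        # logs-only managed policy would keep the function limited to the single
        # sample object — confirm the handler needs no other S3 access.
        - AWSLambdaExecute
        # Policy document: allow read-only access to the sample data object only.
        - Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - s3:GetObject
                - s3:GetObjectACL
              Resource: !Join [ '', [ 'arn:aws:s3:::', !Ref BucketName, '/', !Ref SampleData ] ]
      # Event sources to attach to this function. In this case, we are attaching
      # one API Gateway endpoint to the Lambda function. The function is
      # called when a HTTP request is made to the API Gateway endpoint.
      Events:
        S3SelectDemoApi:
          # Define an API Gateway endpoint that responds to HTTP POST at /s3-select-demo
          Type: Api
          Properties:
            RestApiId: !Ref ApiGatewayApi
            Path: /s3-select-demo
            Method: POST
  ApiGatewayApi:
    Type: AWS::Serverless::Api
    Properties:
      # Stage name is also hard-coded in MyWebACLAssociation.ResourceArn and in
      # the ProdDataEndpoint output; keep the three in sync.
      StageName: Prod
      Variables:
        LambdaFunctionName: !Ref S3SelectLDemoLambdaFunction
  SqlInjDetection:
    Type: "AWS::WAFRegional::SqlInjectionMatchSet"
    Properties:
      Name: "Find SQL injections in the message body"
      # Only the request body is inspected; the URI, query string and headers are
      # not covered by this match set.
      SqlInjectionMatchTuples:
        - FieldToMatch:
            Type: "BODY"
          # NONE applies no normalization before matching, so encoded payloads are
          # matched in their raw form. NOTE(review): URL_DECODE or HTML_ENTITY_DECODE
          # is the usual choice for body inspection — confirm which the API expects.
          TextTransformation: "NONE"
  SqlInjRule:
    Type: "AWS::WAFRegional::Rule"
    Properties:
      Name: "SqlInjRule"
      MetricName: "SqlInjRule"
      Predicates:
        - DataId:
            Ref: "SqlInjDetection"
          Negated: false
          Type: "SqlInjectionMatch"
  S3SelectACL:
    Type: "AWS::WAFRegional::WebACL"
    Properties:
      Name: "S3SelectACL"
      # Allow-by-default ACL: only requests matching SqlInjRule are blocked.
      DefaultAction:
        Type: "ALLOW"
      MetricName: "S3SelectACL"
      Rules:
        - Action:
            Type: "BLOCK"
          Priority: 3
          RuleId:
            Ref: "SqlInjRule"
  MyWebACLAssociation:
    Type: "AWS::WAFRegional::WebACLAssociation"
    Properties:
      # Attaches the ACL to the Prod stage of the REST API defined above.
      ResourceArn: !Sub arn:aws:apigateway:${AWS::Region}::/restapis/${ApiGatewayApi}/stages/Prod
      WebACLId:
        Ref: S3SelectACL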
Outputs:
  # Invoke URL of the deployed endpoint. The stage ("Prod") and path
  # ("/s3-select-demo") must match StageName and Events.Path in Resources.
  ProdDataEndpoint:
    Description: "API Prod stage endpoint"
    Value: !Sub "https://${ApiGatewayApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/s3-select-demo"