# Copyright 2016-2022, Pulumi Corporation. All rights reserved.
import json
import pulumi
import pulumi_aws as aws
# HTTP API that fronts the upload endpoint; the stage, integration and route
# are attached to it below.
api_args = {"protocol_type": "HTTP"}
api = aws.apigatewayv2.Api("example", **api_args)
# One stage per Pulumi stack, named after the stack. auto_deploy=True makes
# route/integration changes live without a separate Deployment resource.
stack_name = pulumi.get_stack()
stage = aws.apigatewayv2.Stage(
    "stage",
    api_id=api.id,
    name=stack_name,
    auto_deploy=True,
)
# Custom event bus: the API integration publishes to it and the rule below
# watches it.
bus = aws.cloudwatch.EventBus(resource_name="bus")
# Rule on the custom bus matching events whose source is "my-event-source".
# The API Gateway integration publishes with exactly that Source value, so the
# two strings must stay in sync.
rule_pattern = {"source": ["my-event-source"]}
rule = aws.cloudwatch.EventRule(
    "rule",
    event_bus_name=bus.name,
    event_pattern=json.dumps(rule_pattern),
)
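# Role that API Gateway assumes when the integration calls EventBridge.
# The original attached the AmazonEventBridgeFullAccess managed policy, which
# also lets the role create, delete and re-target rules and buses across the
# whole account. The integration only ever calls PutEvents on this one bus,
# so the role is granted exactly that.
API_GATEWAY_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
        },
    ],
})


def _put_events_policy(bus_arn: str) -> str:
    """Return an IAM policy document allowing events:PutEvents on *bus_arn* only."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "events:PutEvents",
                "Resource": bus_arn,
            },
        ],
    })


api_gateway_role = aws.iam.Role(
    "api-gateway-role",
    assume_role_policy=API_GATEWAY_TRUST_POLICY,
    inline_policies=[
        aws.iam.RoleInlinePolicyArgs(
            name="put-events",
            # bus.arn is only known once the bus exists, so the document is
            # rendered inside apply() rather than eagerly.
            policy=bus.arn.apply(_put_events_policy),
        ),
    ],
)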
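# API Gateway -> EventBridge integration. API Gateway assumes api_gateway_role
# and calls PutEvents with the parameters below. "$request.body" forwards the
# raw POST body unchanged as the event Detail, so whatever consumes the event
# (the Lambda handler here) receives it unvalidated and must treat it as
# untrusted input.
integration = aws.apigatewayv2.Integration(
    "integration",
    api_id=api.id,
    integration_type="AWS_PROXY",
    integration_subtype="EventBridge-PutEvents",
    credentials_arn=api_gateway_role.arn,
    request_parameters={
        # bus.name is already an Output; the identity apply() the original
        # wrapped it in added nothing.
        "EventBusName": bus.name,
        # Must match the "source" the EventRule filters on.
        "Source": "my-event-source",
        "DetailType": "my-detail-type",
        "Detail": "$request.body",
    },
)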
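# Route POST /uploads to the EventBridge integration. No authorizer is
# attached: authorization_type="NONE" is the HTTP API default, made explicit
# here so the choice is visible. Anyone who can reach the endpoint can publish
# events to the bus; attach a JWT, Lambda or IAM authorizer for non-demo use.
route = aws.apigatewayv2.Route(
    "route",
    api_id=api.id,
    route_key="POST /uploads",
    authorization_type="NONE",
    # Output.concat replaces the apply() lambda, whose parameter shadowed the
    # builtin id().
    target=pulumi.Output.concat("integrations/", integration.id),
)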
# Execution role the Lambda service assumes when running the handler. The
# role carries no permissions itself; they are attached by lambda_role_policy.
lambda_trust_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Effect": "Allow",
        }
    ],
}
lambda_role = aws.iam.Role(
    "lambda-role",
    assume_role_policy=json.dumps(lambda_trust_policy),
)
# Inline policy letting the function create and write its CloudWatch log
# stream. NOTE(review): "arn:aws:logs:*:*:*" covers every log group in the
# account; presumably left wide because the function (and so its log group
# name) is created after this policy — confirm, and scope it if feasible.
log_actions = [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
]
lambda_role_policy = aws.iam.RolePolicy(
    "lambda-role-policy",
    role=lambda_role.id,
    policy=json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": log_actions,
                "Resource": "arn:aws:logs:*:*:*",
            }
        ],
    }),
)
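# Lambda function that consumes the matched events. The original pinned
# runtime="python3.7", which AWS has retired: it receives no security updates
# and new functions can no longer be created on it, so deployment fails.
# Bumped to a supported runtime; the handler code in ./api must still be
# confirmed to run on it.
lambda_function = aws.lambda_.Function(
    "lambda",
    role=lambda_role.arn,
    runtime="python3.12",
    # "<module>.<function>" inside the ./api archive.
    handler="handlers.capture_order",
    code=pulumi.AssetArchive({".": pulumi.FileArchive("./api")}),
)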
# Wire the rule on the custom bus to the function: every event the rule
# matches is delivered to lambda_function.
target_args = {
    "event_bus_name": bus.name,
    "rule": rule.name,
    "arn": lambda_function.arn,
}
lambda_target = aws.cloudwatch.EventTarget("lambda-target", **target_args)
# Resource policy on the function: only the EventBridge service, and only on
# behalf of this specific rule (source_arn), may invoke it.
invoke_permission_args = {
    "action": "lambda:InvokeFunction",
    "principal": "events.amazonaws.com",
    "function": lambda_function.arn,
    "source_arn": rule.arn,
}
lambda_permission = aws.lambda_.Permission(
    "lambda-permission",
    **invoke_permission_args,
)
# Stack output: the base URL (API endpoint plus stage) under which
# POST /uploads is reachable.
upload_url = pulumi.Output.concat(api.api_endpoint, "/", stage.name)
pulumi.export("url", upload_url)