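AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  serverless-rds-proxy-demo
  Sample SAM Template for serverless-rds-proxy-demo

# Two HTTP-API-backed Lambda functions inside a VPC:
#   - RdsFunction      connects to the Aurora cluster endpoint directly, reading
#                      credentials from Secrets Manager at runtime (needs
#                      secretsmanager:GetSecretValue on SecretArn).
#   - RdsProxyFunction connects through the RDS Proxy endpoint using IAM
#                      database authentication (needs rds-db:connect on the
#                      proxy's dbuser resource).
# Both share one security group, either created here (LambdaSg) or supplied
# by the caller (LambdaSecurityGroupId).

Parameters:
  Vpc:
    Type: AWS::EC2::VPC::Id
    Description: "Vpc where function will be deployed"
  Subnets:
    Type: List<AWS::EC2::Subnet::Id>
    Description: "Subnets where function will be deployed. Provide at least two"
  RdsProxyEndpoint:
    Type: String
    Description: "RDS Proxy endpoint configured. This should be Read/Write endpoint."
  RdsEndpoint:
    Type: String
    Description: "RDS Aurora Cluster Endpoint."
  Port:
    Type: Number
    # NOTE(review): the default below is not the MySQL default (3306) that the
    # description mentions — confirm the port the target cluster and proxy
    # actually listen on before relying on it.
    Description: "Database port. For Mysql 3306 is default."
    Default: 4510
  SecretArn:
    Type: String
    Description: "Secret ARN where database credentials are stored."
  ProxyResourceId:
    Type: String
    Description: "RDS Proxy resource id. This is last part of RDS proxy ARN, ex: prx-<hash>. Its required to configure needed permission by the lambda functions."
  CreateFunctionSecurityGroup:
    Type: String
    # Parameter values are strings, so the condition below compares against
    # the literal 'True' rather than a YAML boolean.
    AllowedValues: ['True', 'False']
    Default: 'True'
    Description: "Should a security group for function be created? Set value as True only if you do not already have specified LambdaSecurityGroupId. Make sure traffic from this SG is allowed in database and proxy security group."
  LambdaSecurityGroupId:
    Type: String
    # Empty default: only consulted when CreateFunctionSecurityGroup is 'False'.
    Default: ""
    Description: "Security group id for lambda function. Make sure traffic from this SG is allowed in database and proxy security group."

Conditions:
  CreateLambdaSg: !Equals ["True", !Ref CreateFunctionSecurityGroup]

Globals:
  Function:
    Timeout: 30

Resources:
  LambdaSg:
    Type: AWS::EC2::SecurityGroup
    Condition: CreateLambdaSg
    Properties:
      GroupDescription: Security Groups for the AWS Lambda for accessing RDS/Proxy
      # A fixed GroupName must be unique per VPC, so two copies of this stack
      # cannot be deployed into the same VPC; remove it to let CloudFormation
      # generate a unique name if that becomes a problem.
      GroupName: 'lambda-sg-1'
      # No SecurityGroupIngress: Lambda ENIs never accept inbound connections,
      # so the former 0.0.0.0/0 all-ports ingress rule only widened the attack
      # surface without enabling anything.
      # Egress stays open so the functions can reach the database/proxy and
      # Secrets Manager; tighten it to the DB port plus 443 once the VPC's
      # route to Secrets Manager (NAT or VPC endpoint) is settled.
      SecurityGroupEgress:
        - CidrIp: "0.0.0.0/0"
          FromPort: 0
          ToPort: 65535
          IpProtocol: tcp
      VpcId: !Ref Vpc

  SampleHttpApi:
    Type: AWS::Serverless::HttpApi

  RdsFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: rds/
      Handler: app.lambda_handler
      # NOTE(review): confirm this runtime is still supported by Lambda before
      # redeploying; the handler code may need testing on a newer one.
      Runtime: python3.9
      VpcConfig:
        SecurityGroupIds:
          - !If [CreateLambdaSg, !Ref LambdaSg, !Ref LambdaSecurityGroupId]
        SubnetIds: !Ref Subnets
      Policies:
        # Runtime read of the DB credentials; scoped to the one secret.
        - AWSSecretsManagerGetSecretValuePolicy:
            SecretArn: !Ref SecretArn
      Environment:
        Variables:
          region: !Ref AWS::Region
          rds_endpoint: !Ref RdsEndpoint
          port: !Ref Port
          secret_arn: !Ref SecretArn
      Events:
        NoProxy:
          Type: HttpApi
          Properties:
            Path: /no-proxy
            Method: get
            ApiId: !Ref SampleHttpApi

  RdsProxyFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: rdsproxy/
      Handler: app.lambda_handler
      Runtime: python3.9
      VpcConfig:
        SecurityGroupIds:
          - !If [CreateLambdaSg, !Ref LambdaSg, !Ref LambdaSecurityGroupId]
        SubnetIds: !Ref Subnets
      Policies:
        # IAM DB auth: no password in the function; the trailing /* allows
        # any DB user on this proxy — narrow to the specific user if known.
        - Statement:
            - Sid: AllowDbConnect
              Effect: Allow
              Action:
                - rds-db:connect
              Resource:
                - !Sub arn:aws:rds-db:${AWS::Region}:${AWS::AccountId}:dbuser:${ProxyResourceId}/*
      Environment:
        Variables:
          region: !Ref AWS::Region
          rds_endpoint: !Ref RdsProxyEndpoint
          port: !Ref Port
          # Resolved at deploy time; only the username (never the password)
          # lands in the environment.
          username: !Sub "{{resolve:secretsmanager:${SecretArn}:SecretString:username}}"
      Events:
        Proxy:
          Type: HttpApi
          Properties:
            Path: /proxy
            Method: get
            ApiId: !Ref SampleHttpApi

Outputs:
  ApiBasePath:
    Description: "API Gateway endpoint URL"
    Value: !Sub "https://${SampleHttpApi}.execute-api.${AWS::Region}.amazonaws.com"
  RdsProxyApiPath:
    Description: "API Gateway endpoint URL for rds proxy function"
    Value: !Sub "https://${SampleHttpApi}.execute-api.${AWS::Region}.amazonaws.com/proxy"
  RdsApiPath:
    Description: "API Gateway endpoint URL for rds function"
    Value: !Sub "https://${SampleHttpApi}.execute-api.${AWS::Region}.amazonaws.com/no-proxy"
  LambdaSecurityGroupId:
    # LambdaSg only exists when the stack created it; without this condition
    # the template fails to deploy when CreateFunctionSecurityGroup is 'False'
    # because the GetAtt references a resource that was never created.
    Condition: CreateLambdaSg
    Description: "Security group id attached to lambda functions. Make sure traffic from this SG is allowed in database and proxy security group on db port"
    Value: !GetAtt LambdaSg.GroupId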