Template and script for Lambda function execution role

mwunderl · mwunderl · commit 938459ff94c1 · 2017-04-20T21:06:31.000Z
diff --git a/.ebextensions/lambda-function.config b/.ebextensions/lambda-function.config
@@ -11,7 +11,7 @@ Resources:
           TOPIC_ARN: {"Ref" : "NotificationTopic"}
       FunctionName: random-name
       Handler: index.handler
-      Role: { "Fn::Join": [ "", [ "arn:aws:iam::",{"Ref" : "AWS::AccountId"},":role/service-role/lambda-scorekeep" ] ] }
+      Role: { "Fn::Join": [ "", [ "arn:aws:iam::",{"Ref" : "AWS::AccountId"},":role/service-role/scorekeep-lambda" ] ] }
       Runtime: nodejs4.3
 
 commands:
diff --git a/README.md b/README.md
@@ -1,6 +1,25 @@
 # Lambda integration
 This branch uses a Node.js Lambda function to generate random names for new users, instead of calling a web API. The Scorekeep API uses the AWS SDK to invoke the Lambda by function name (`random-name`) with Bean classes to represent (and serialize to/from) the input and output JSON.
 
+
+## Configuration
+A CloudFormation template and [AWS CLI](http://docs.aws.amazon.com/cli/latest/userguide/installing.html) scripts to create and delete the function's execution role are included in the `_lambda` folder:
+- `_lambda/lambda-role.yml`       - Template that defines the role
+- `_lambda/create-lambda-role.sh` - Script to create the role
+- `_lambda/delete-lambda-role.sh` - Script to delete the role
+
+Run the script to create the role:
+    eb-java-scorekeep/_lambda$ ./create-lambda-role.sh
+
+If you don't have the AWS CLI, use the CloudFormation console to create a stack with the template.
+
+Next, add the following policy to your instance profile ([aws-elasticbeanstalk-ec2-role](https://console.aws.amazon.com/iam/home#/roles/aws-elasticbeanstalk-ec2-role)) to let the environment create the Lambda function:
+- AWSLambdaFullAccess
+
+Deploy this branch to your Elastic Beanstalk environment. No further configuration is required.
+If you don't have an environment, see below.
+
+## Implementation
 The Lambda function code is included in `_lambda/random-name/index.js`. On deploy, configuration files in the .ebextensions folder create a function with the following settings:
 - Name: `random-name`
 - Runtime: Node.js 4.3
@@ -9,14 +28,26 @@ The Lambda function code is included in `_lambda/random-name/index.js`. On deplo
 - Environment variables:
   - REGION_NAME: The region, e.g. `us-east-2`
   - TOPIC_ARN: The ARN of an [SNS Topic](https://console.aws.amazon.com/sns/v2/home)
-- Role named "lambda-scorekeep"
-
-Create a role named "lambda-scorekeep" in the IAM management console and add the following policies:
-- AWSLambdaBasicExecutionRole
-- AmazonSNSFullAccess
-
-While you are there, add the following policy to your instance profile (aws-elasticbeanstalk-ec2-role) to let the environment create the Lambda function:
-- AWSLambdaFullAccess
+- Role named "scorekeep-lambda"
+
+The role named "scorekeep-lambda" has the following policies:
+- Managed policy - AWSLambdaBasicExecutionRole
+- Managed policy - AmazonSNSFullAccess
+- Managed policy - AWSXrayWriteOnlyAccess (optional) for compatibility with the xray branch
+- Trust policy - 
+
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Principal": {
+            "Service": "lambda.amazonaws.com"
+          },
+          "Action": "sts:AssumeRole"
+        }
+      ]
+    }
 
 The Scorekeep API integration is implemented in the following files-
 `src/main/java/scorekeep/`
@@ -26,9 +57,6 @@ The Scorekeep API integration is implemented in the following files-
 - `UserFactory.java` - **UserFactory.randomNameLambda** Creates the Lambda Invoker with `com.amazonaws.services.lambda.invoke.LambdaInvokerFactory`. Calls the Lambda function to generate a random name.
 - `build.gradle` - Adds the Lambda module of the AWS SDK to the Gradle build.
 
-Deploy this branch to your Elastic Beanstalk environment. No further configuration is required.
-If you don't have an environment, see below.
-
 # Scorekeep
 Scorekeep is a RESTful web API implemented in Java that uses Spring to provide an HTTP interface for creating and managing game sessions and users. This project includes the scorekeep API and a frontend web app that consumes it. The frontend and API can run on the same server and domain or separately, with the API running in Elastic Beanstalk and the frontend served statically by a CDN.
 
diff --git a/_lambda/lambda-role.yml b/_lambda/lambda-role.yml
@@ -0,0 +1,22 @@
+Resources:
+  RandomNameRole:
+    Type: "AWS::IAM::Role"
+    Properties: 
+      AssumeRolePolicyDocument: {
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess
+        - arn:aws:iam::aws:policy/AmazonSNSFullAccess
+        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+      Path: /service-role/
+      RoleName: scorekeep-lambda
