---
# CloudFormation template: one VPC, one subnet, an EFS file system with an
# access point, and a Lambda function that mounts that access point.
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Starter template for AWS Lambda EFS mounts.
  Creates the entire infrastructure and related IAM permissions
  required for a Lambda function to mount an EFS volume.
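# Stack inputs. Both values flow into resource properties (the Lambda
# LocalMountPath and the EFS access point root directory), so they are
# constrained here and a bad value fails at parameter validation instead of
# part-way through resource creation.
Parameters:
  MountPoint:
    Type: String
    Default: '/mnt/test'
    # Lambda only accepts local mount paths directly under /mnt/.
    AllowedPattern: '^/mnt/[a-zA-Z0-9_.-]+$'
    MaxLength: 160
    ConstraintDescription: >-
      must be a path under /mnt/ made of letters, digits, '.', '_' or '-'
    Description: Mount point inside the Lambda runtime
  EfsPath:
    Type: String
    Default: '/test'
    # The access point root directory must be an absolute path.
    AllowedPattern: '^/.*$'
    MaxLength: 100
    ConstraintDescription: must be an absolute path starting with '/'
    Description: EFS volume directory to mount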
# Address plan looked up with !FindInMap by the VPC and subnet resources.
Mappings:
  SubnetConfig:
    # Address range of the whole VPC.
    VPC:
      CIDR: '10.0.0.0/16'
    # The single subnet holding the EFS mount target and the Lambda ENIs.
    SubnetOne:
      CIDR: '10.0.0.0/24'
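Resources:
  # NOTE(review): Encrypted is not set, so the file system is created without
  # encryption at rest. Prefer `Encrypted: true` for new stacks; changing it on
  # an existing stack replaces the file system, so migrate the data first.
  # NOTE(review): no FileSystemPolicy is attached, so access is gated by
  # network reachability (the security group) and the access point rather than
  # by IAM -- confirm this is intended.
  FileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      PerformanceMode: generalPurpose
      ProvisionedThroughputInMibps: 10
      ThroughputMode: provisioned

  # No internet gateway, NAT gateway or VPC endpoint is declared in this
  # template, so nothing here gives the function a route out of the VPC.
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !FindInMap ['SubnetConfig', 'VPC', 'CIDR']

  # Shared by the EFS mount target and the Lambda function's network
  # interfaces. Inbound rules are declared separately below.
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: 'Allows access to the file system'
      VpcId: !Ref 'VPC'

  # A newly created security group has no inbound rules, so NFS traffic from
  # the function to the mount target has to be allowed explicitly. The rule is
  # scoped to TCP 2049 from members of this same group only. It is a separate
  # resource because a group cannot reference itself in its own inline rules.
  SecurityGroupNfsIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !GetAtt SecurityGroup.GroupId
      Description: 'NFS from members of the same security group'
      IpProtocol: tcp
      FromPort: 2049
      ToPort: 2049
      SourceSecurityGroupId: !GetAtt SecurityGroup.GroupId

  # Placed in the first availability zone of the deployment region.
  SubnetOne:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: !Ref 'AWS::Region'
      VpcId: !Ref 'VPC'
      CidrBlock: !FindInMap ['SubnetConfig', 'SubnetOne', 'CIDR']

  SubnetOneMountTarget:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref FileSystem
      SecurityGroups:
        - !Ref SecurityGroup
      SubnetId: !Ref SubnetOne

  # Every request through this access point runs as uid/gid 1000 and is
  # confined to EfsPath.
  FileSystemAccessPoint:
    Type: AWS::EFS::AccessPoint
    Properties:
      FileSystemId: !Ref FileSystem
      PosixUser:
        Uid: "1000"
        Gid: "1000"
      RootDirectory:
        CreationInfo:
          OwnerGid: "1000"
          OwnerUid: "1000"
          # Was "0777" (world-writable). The access point already forces the
          # owning uid/gid, so the owner bits are enough for the function to
          # write. CreationInfo is only applied when the directory does not
          # exist yet; an existing directory keeps its current mode.
          Permissions: "0755"
        Path: !Ref EfsPath

  # Execution role for the function: CloudWatch Logs output plus the network
  # interface management Lambda needs to attach to the VPC.
  LambdaRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: 'sts:AssumeRole'
            Principal:
              Service: lambda.amazonaws.com
      Policies:
        - PolicyName: WriteCloudWatchLogs
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                # Was 'arn:aws:logs:*:*:*'. Narrowed to Lambda log groups in
                # this account and region; the function name cannot be used
                # here because the function itself depends on this role.
                Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*'
        - PolicyName: VPC
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'ec2:CreateNetworkInterface'
                  - 'ec2:DeleteNetworkInterface'
                  - 'ec2:DescribeNetworkInterfaces'
                # Left as '*': the Describe action does not support
                # resource-level scoping.
                Resource: '*'

  LambdaFunction:
    Type: 'AWS::Lambda::Function'
    # The mount target and the NFS ingress rule must exist before the function
    # can mount the file system.
    DependsOn:
      - SubnetOneMountTarget
      - SecurityGroupNfsIngress
    Properties:
      Handler: lambda.handler
      # NOTE(review): nodejs12.x is past end of support on Lambda and no longer
      # receives security patches. Move to a currently supported Node.js
      # runtime after testing the handler in src/.
      Runtime: nodejs12.x
      Timeout: 30
      # Local path: the template has to be packaged (for example with
      # `aws cloudformation package`) before it can be deployed.
      Code: src/
      Role: !GetAtt LambdaRole.Arn
      Environment:
        Variables:
          MOUNT_POINT: !Ref MountPoint
      FileSystemConfigs:
        - Arn: !Sub 'arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/${FileSystemAccessPoint}'
          LocalMountPath: !Ref MountPoint
      VpcConfig:
        SecurityGroupIds:
          - !Ref SecurityGroup
        SubnetIds:
          - !Ref SubnetOne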