From c3428a2e0d116da7f4790773f793e8a1826a21ce Mon Sep 17 00:00:00 2001 From: GlennChia Date: Wed, 6 Apr 2022 16:03:09 +0800 Subject: [PATCH 1/5] feat: add cfn template for cw agent config via tag --- .../template.yaml | 147 ++++++++++++++++++ 1 file changed, 147 insertions(+) create mode 100644 blog-assets/clwtch-cstm-matrix-wth-Tagging-V457384788/template.yaml diff --git a/blog-assets/clwtch-cstm-matrix-wth-Tagging-V457384788/template.yaml b/blog-assets/clwtch-cstm-matrix-wth-Tagging-V457384788/template.yaml new file mode 100644 index 0000000..9117a24 --- /dev/null +++ b/blog-assets/clwtch-cstm-matrix-wth-Tagging-V457384788/template.yaml 
@@ -0,0 +1,147 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: "Deploys a solution to automate the CloudWatch agent configurations based on specific tags(qs-1st6kiobq)" + +Resources: + InstanceIAMRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Sid: AssumeRole + Action: + - sts:AssumeRole + Effect: Allow + Principal: + Service: "ec2.amazonaws.com" + ManagedPolicyArns: + - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore + - arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy + + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Path: / + Roles: + - !Ref InstanceIAMRole + + ApplicationAJsonConfig: + Type: AWS::SSM::Parameter + Properties: + Name: ApplicationAParameter + Type: String + Value: | + { + "metrics": { + "namespace": "ApplicationA", + "append_dimensions": { + "InstanceId": "${aws:InstanceId}" + }, + "metrics_collected": { + "disk": { + "measurement": [ + "used_percent" + ], + "metrics_collection_interval": 60 + } + } + } + } + Description: JSON config for CW Agent for Linux Application A + + ApplicationBJsonConfig: + Type: AWS::SSM::Parameter + Properties: + Name: ApplicationBParameter + Type: String + Value: | + { + "metrics": { + "namespace": "ApplicationB", + "append_dimensions": { + "InstanceId": "${aws:InstanceId}" + }, + "metrics_collected": { + "mem": { + "measurement": [ + "mem_used_percent" + ], + "metrics_collection_interval": 60 + } + } + } + } + Description: JSON config for CW Agent for Linux Application B + + InstallAndConfigureCloudWatchAgentDocument: + Type: AWS::SSM::Document + Properties: + Name: SSMDocumentInstallConfigureCWAgent + DocumentType: Command + Content: + schemaVersion: '2.2' + description: Configures the CloudWatch Agent on Windows and Linux instances + parameters: + ssmParameterStoreParameterName: + type: String + description: "(Required) The SSM parameter name that contains the JSON configuration" + mainSteps: + - action: 
aws:runDocument + precondition: + StringEquals: + - platformType + - Linux + name: InstallCWAgent + inputs: + documentType: SSMDocument + documentPath: AWS-ConfigureAWSPackage + documentParameters: + action: Install + name: AmazonCloudWatchAgent + - action: aws:runDocument + precondition: + StringEquals: + - platformType + - Linux + name: ConfigureCWAgent + inputs: + documentType: SSMDocument + documentPath: AmazonCloudWatch-ManageAgent + documentParameters: + action: configure + mode: ec2 + optionalConfigurationSource: ssm + optionalConfigurationLocation: '{{ ssmParameterStoreParameterName }}' + + SSMAssociationCwAgentApplicationA: + Type: AWS::SSM::Association + Properties: + AssociationName: ApplicationAAssociation + Name: !Ref InstallAndConfigureCloudWatchAgentDocument + Parameters: + ssmParameterStoreParameterName: + - !Ref ApplicationAJsonConfig + Targets: + - Key: tag:Application + Values: + - ApplicationA + WaitForSuccessTimeoutSeconds: 300 + + SSMAssociationCwAgentApplicationB: + Type: AWS::SSM::Association + Properties: + AssociationName: ApplicationBAssociation + Name: !Ref InstallAndConfigureCloudWatchAgentDocument + Parameters: + ssmParameterStoreParameterName: + - !Ref ApplicationBJsonConfig + Targets: + - Key: tag:Application + Values: + - ApplicationB + WaitForSuccessTimeoutSeconds: 300 + +Outputs: + InstanceProfileName: + Description: The name of the Instance Profile to assign to the EC2 instance + Value: !Ref InstanceProfile \ No newline at end of file From 8dea9e86d1485e48b1b95133ca2b3e96a0d2a1b9 Mon Sep 17 00:00:00 2001 From: sshalabh Date: Mon, 16 May 2022 22:56:50 +0100 Subject: [PATCH 2/5] feat: add cfn template for lambda update Update your Lambda functions without zipping and uploading files to S3: SIM:V448302319 --- .../update_lambda.yaml | 280 ++++++++++++++++++ 1 file changed, 280 insertions(+) create mode 100644 blog-assets/upd-lmbda-wthout-zipping-V448302319/update_lambda.yaml 
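Review bot: The document parameter `ssmParameterStoreParameterName` in `InstallAndConfigureCloudWatchAgentDocument` is interpolated straight into `optionalConfigurationLocation` with no `allowedPattern`, so any principal allowed to run the document can point the agent at whatever parameter the instance role can read; constrain it with `allowedPattern: '^[a-zA-Z0-9_./-]+$'` under the parameter definition. Separately, the instance role carries only `AmazonSSMManagedInstanceCore` and `CloudWatchAgentServerPolicy`, and as far as I recall the latter's `ssm:GetParameter` grant is limited to names prefixed `AmazonCloudWatch-`, while the parameters here are named `ApplicationAParameter` and `ApplicationBParameter`; unless a broader grant exists outside this template the configure step will be denied, and the least-privilege fix is to rename the parameters (e.g. `Name: AmazonCloudWatch-ApplicationA`) rather than widen the role. The document description promises Windows and Linux support, but both `mainSteps` carry a `platformType` equals `Linux` precondition, so Windows targets silently do nothing; either add Windows steps or fix the description.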
diff --git a/blog-assets/upd-lmbda-wthout-zipping-V448302319/update_lambda.yaml b/blog-assets/upd-lmbda-wthout-zipping-V448302319/update_lambda.yaml new file mode 100644 index 0000000..60e33a4 --- /dev/null +++ b/blog-assets/upd-lmbda-wthout-zipping-V448302319/update_lambda.yaml 
@@ -0,0 +1,280 @@ +AWSTemplateFormatVersion: "2010-09-09" + +Parameters: + pCodeCommitRepoName: + Description: The name of the CodeCommit Repository which stores the Lambda code + Type: String + pCodeCommitBranchName: + Description: The name of the CodeCommit branch in the repo which stores the lambda code + Type: String + pPipelineBucket: + Description: Enter the name of the pre-existing pipeline bucket + Type: String + pRegion: + Description: Region to deploy resources in + Type: String + Default: us-east-1 + + +Resources: + rBuildProjectRole: + Type: AWS::IAM::Role + Properties: + RoleName: CodeBuildUpdateLambdaRole + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: + - codebuild.amazonaws.com + Action: + - sts:AssumeRole + ManagedPolicyArns: + - "arn:aws:iam::aws:policy/AWSCodeCommitPowerUser" + - "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" + Path: "/service-role/" + + + rBuildProjectPolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: CodeBuildUpdateLambdaRolePolicy + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: + - s3:Put* + - s3:Get* + - s3:List* + Resource: + - !Join [ + "", + [ + "arn:aws:s3:::", + !Ref "pPipelineBucket", + "/*", + ], + ] + - !Join [ + "", + [ + "arn:aws:s3:::", + !Ref "pPipelineBucket", + ], + ] + - Effect: Allow + Action: + - logs:CreateLogGroup + - logs:CreateLogStream + - logs:PutLogEvents + Resource: arn:aws:logs:*:*:* + - Effect: Allow + Action: + - lambda:Update* + Resource: !GetAtt rLambda.Arn + Roles: + - !Ref rBuildProjectRole + + rBuildProject: + Type: AWS::CodeBuild::Project + Properties: + Description: This stage runs the updating of the Lambda code + ServiceRole: !GetAtt rBuildProjectRole.Arn + Artifacts: + Type: NO_ARTIFACTS + Environment: + ComputeType: BUILD_GENERAL1_SMALL + Image: aws/codebuild/amazonlinux2-x86_64-standard:2.0 + Type: LINUX_CONTAINER + PrivilegedMode: false + LogsConfig: + CloudWatchLogs: + Status: ENABLED 
+ Source: + Type: CODECOMMIT + Location: !Join + - "" + - - "https://git-codecommit." + - !Ref "AWS::Region" + - ".amazonaws.com/v1/repos/" + - !Ref "pCodeCommitRepoName" + BuildSpec: !Sub + - | + version: 0.2 + env: + git-credential-helper: yes + phases: + install: + runtime-versions: + python: 3.8 + commands: + - pwd + - ls + build: + commands: + - zip index.zip index.py + - aws s3 cp index.zip s3://${artifactbucket}/index.zip + - sleep 3s + - aws lambda update-function-code --function-name ${rLambda} --s3-bucket ${artifactbucket} --s3-key index.zip + - artifactbucket: + !Ref pPipelineBucket + + + rCodePipelineRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Statement: + - Action: ["sts:AssumeRole"] + Effect: Allow + Principal: + Service: + - codepipeline.amazonaws.com + Version: "2012-10-17" + Path: / + ManagedPolicyArns: + - arn:aws:iam::aws:policy/IAMFullAccess + - arn:aws:iam::aws:policy/AWSCodeCommitFullAccess + - arn:aws:iam::aws:policy/AWSCodeDeployFullAccess + Policies: + - PolicyName: IAM-PassRole + PolicyDocument: + Version: "2012-10-17" + Statement: + - Action: + - "iam:PassRole" + Effect: Allow + Resource: + !Join [ + "", + ["arn:aws:iam:", ":", !Ref "AWS::AccountId", ":role/*"], + ] + - PolicyName: AllowS3Access + PolicyDocument: + Version: "2012-10-17" + Statement: + - Action: + - "s3:PutObject" + - "s3:GetObject" + - "s3:GetObjectVersion" + - "s3:List*" + Effect: Allow + Resource: + - !Join [ + "", + [ + "arn:aws:s3:::", + !Ref pPipelineBucket, + ], + ] + - !Join [ + "", + [ + "arn:aws:s3:::", + !Ref "pPipelineBucket", + "/*" + ], + ] + - PolicyName: AllowCodeBuildAccess + PolicyDocument: + Version: "2012-10-17" + Statement: + - Action: + - "codebuild:Start*" + - "codebuild:Batch*" + Effect: Allow + Resource: !GetAtt rBuildProject.Arn + + rCodePipeline: + Type: AWS::CodePipeline::Pipeline + Properties: + Name: UpdateLambdaCodePipeline + RestartExecutionOnUpdate: true + RoleArn: !Sub 
arn:aws:iam::${AWS::AccountId}:role/${rCodePipelineRole} + Stages: + - Name: Source + Actions: + - Name: Source + ActionTypeId: + Category: Source + Owner: AWS + Version: "1" + Provider: CodeCommit + OutputArtifacts: + - Name: SourceArtifact + Configuration: + RepositoryName: !Ref pCodeCommitRepoName + BranchName: !Ref pCodeCommitBranchName + PollForSourceChanges: "false" + RunOrder: 1 + Region: !Ref pRegion + - Name: Deploy + Actions: + - Name: UpdateQueryCreationLambdaCode + RunOrder: 1 + ActionTypeId: + Category: Build + Owner: AWS + Version: "1" + Provider: CodeBuild + InputArtifacts: + - Name: SourceArtifact + Configuration: + ProjectName: !Ref rBuildProject + ArtifactStore: + Type: S3 + Location: !Ref pPipelineBucket + + rLambdaRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: + - lambda.amazonaws.com + Action: + - "sts:AssumeRole" + ManagedPolicyArns: + - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole + Path: /service-role/ + Policies: + - PolicyName: S3PutObject + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: + - "s3:PutObject" + Resource: + - !Join [ + "", + [ + "arn:aws:s3:::", + !Ref "pPipelineBucket", + "/*", + ], + ] + - !Join [ + "", + [ + "arn:aws:s3:::", + !Ref "pPipelineBucket", + ], + ] + + rLambda: + Type: AWS::Lambda::Function + Properties: + Handler: index.lambda_handler + Role: !GetAtt rLambdaRole.Arn + Runtime: python3.7 + Timeout: 120 + FunctionName: SampleLambda + Code: + S3Bucket: !Ref pPipelineBucket + S3Key: index.zip From 70f715104d0734177cd17adc4dac43529008cfff Mon Sep 17 00:00:00 2001 
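Review bot: `rCodePipelineRole` is granted `iam:PassRole` on `arn:aws:iam::<account>:role/*`, yet neither pipeline action visible here (a CodeCommit source and a CodeBuild build started via `codebuild:Start*`) passes a role, so this statement is pure privilege surface and should be dropped or scoped to the one role it would actually pass. The CodeBuild role `rBuildProjectRole` attaches `AWSCodeCommitPowerUser`, which grants write access to every repository in the account, while the build only needs to pull one repo; replace it with an inline statement such as `Action: codecommit:GitPull` / `Resource: !Sub arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:${pCodeCommitRepoName}`. The buildspec's `aws lambda update-function-code` is backed by `lambda:Update*` in `rBuildProjectPolicy`, which also covers `UpdateFunctionConfiguration` (handler, environment, layers); narrowing it to `lambda:UpdateFunctionCode` matches what the build actually does.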
From: sshalabh <77447247+sshalabh@users.noreply.github.com> Date: Mon, 16 May 2022 23:56:10 +0100 Subject: [PATCH 3/5] Rename update_lambda.yaml to template.yaml --- .../{update_lambda.yaml => template.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename blog-assets/upd-lmbda-wthout-zipping-V448302319/{update_lambda.yaml => template.yaml} (100%) diff --git a/blog-assets/upd-lmbda-wthout-zipping-V448302319/update_lambda.yaml b/blog-assets/upd-lmbda-wthout-zipping-V448302319/template.yaml similarity index 100% rename from blog-assets/upd-lmbda-wthout-zipping-V448302319/update_lambda.yaml rename to blog-assets/upd-lmbda-wthout-zipping-V448302319/template.yaml From df9bc70269f6a24165bedf7eb881057a54ca1ce1 Mon Sep 17 00:00:00 2001 From: shalabh-aws Date: Tue, 17 May 2022 21:25:16 +0100 Subject: [PATCH 4/5] added QS ID --- blog-assets/upd-lmbda-wthout-zipping-V448302319/template.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/blog-assets/upd-lmbda-wthout-zipping-V448302319/template.yaml b/blog-assets/upd-lmbda-wthout-zipping-V448302319/template.yaml index 60e33a4..6028d17 100644 --- a/blog-assets/upd-lmbda-wthout-zipping-V448302319/template.yaml +++ b/blog-assets/upd-lmbda-wthout-zipping-V448302319/template.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: "2010-09-09" - +Description: "Update your Lambda functions without zipping and uploading files to S3 (qs-1t29l4g74)" Parameters: pCodeCommitRepoName: Description: The name of the CodeCommit Repository which stores the Lambda code From f2ffb16b44038103b469b972b76a8457ce4da67e Mon Sep 17 00:00:00 2001 From: shalabh-aws Date: Tue, 31 May 2022 14:29:02 +0100 Subject: [PATCH 5/5] Updated CFN template to include Security changes --- .../template.yaml | 89 +++++++++++-------- 1 file changed, 50 insertions(+), 39 deletions(-) diff --git a/blog-assets/upd-lmbda-wthout-zipping-V448302319/template.yaml b/blog-assets/upd-lmbda-wthout-zipping-V448302319/template.yaml index 6028d17..dd0795a 100644 
--- a/blog-assets/upd-lmbda-wthout-zipping-V448302319/template.yaml +++ b/blog-assets/upd-lmbda-wthout-zipping-V448302319/template.yaml @@ -1,23 +1,23 @@ AWSTemplateFormatVersion: "2010-09-09" Description: "Update your Lambda functions without zipping and uploading files to S3 (qs-1t29l4g74)" Parameters: - pCodeCommitRepoName: + CodeCommitRepoName: Description: The name of the CodeCommit Repository which stores the Lambda code Type: String - pCodeCommitBranchName: + CodeCommitBranchName: Description: The name of the CodeCommit branch in the repo which stores the lambda code Type: String - pPipelineBucket: + PipelineBucket: Description: Enter the name of the pre-existing pipeline bucket Type: String - pRegion: + Region: Description: Region to deploy resources in Type: String Default: us-east-1 Resources: - rBuildProjectRole: + BuildProjectRole: Type: AWS::IAM::Role Properties: RoleName: CodeBuildUpdateLambdaRole @@ -36,7 +36,7 @@ Resources: Path: "/service-role/" - rBuildProjectPolicy: + BuildProjectPolicy: Type: AWS::IAM::Policy Properties: PolicyName: CodeBuildUpdateLambdaRolePolicy @@ -53,7 +53,7 @@ Resources: "", [ "arn:aws:s3:::", - !Ref "pPipelineBucket", + !Ref "PipelineBucket", "/*", ], ] @@ -61,7 +61,7 @@ Resources: "", [ "arn:aws:s3:::", - !Ref "pPipelineBucket", + !Ref "PipelineBucket", ], ] - Effect: Allow @@ -73,15 +73,15 @@ Resources: - Effect: Allow Action: - lambda:Update* - Resource: !GetAtt rLambda.Arn + Resource: !GetAtt Lambda.Arn Roles: - - !Ref rBuildProjectRole + - !Ref BuildProjectRole - rBuildProject: + BuildProject: Type: AWS::CodeBuild::Project Properties: Description: This stage runs the updating of the Lambda code - ServiceRole: !GetAtt rBuildProjectRole.Arn + ServiceRole: !GetAtt BuildProjectRole.Arn Artifacts: Type: NO_ARTIFACTS Environment: 
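Review bot: The `BuildProjectPolicy` hunk keeps `lambda:Update*` on the function ARN even though the only Lambda call in the buildspec is `update-function-code`; the wildcard also permits `UpdateFunctionConfiguration` and `UpdateFunctionEventInvokeConfig`, letting a compromised build change the handler, environment variables or layers, so narrow it to `- lambda:UpdateFunctionCode`. The same role also keeps `s3:Put*`/`s3:Get*`/`s3:List*` on the whole pipeline bucket, which includes `s3:PutBucketPolicy`-adjacent object ACL actions like `PutObjectAcl`; listing `s3:PutObject`, `s3:GetObject` and `s3:ListBucket` explicitly is enough for the `put-object` call in this template. `RoleName: CodeBuildUpdateLambdaRole` is still hard-coded, which forces `CAPABILITY_NAMED_IAM` and prevents a second stack in the same account.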
@@ -89,6 +89,8 @@ Resources: Image: aws/codebuild/amazonlinux2-x86_64-standard:2.0 Type: LINUX_CONTAINER PrivilegedMode: false + EncryptionKey: + alias/aws/s3 LogsConfig: CloudWatchLogs: Status: ENABLED @@ -99,7 +101,7 @@ Resources: - - "https://git-codecommit." - !Ref "AWS::Region" - ".amazonaws.com/v1/repos/" - - !Ref "pCodeCommitRepoName" + - !Ref "CodeCommitRepoName" BuildSpec: !Sub - | version: 0.2 @@ -108,21 +110,24 @@ Resources: phases: install: runtime-versions: - python: 3.8 + python: 3.9 commands: - pwd - ls + pre_build: + commands: + - ACCOUNT_ID=$(echo $CODEBUILD_BUILD_ARN | cut -f5 -d ':') build: commands: - zip index.zip index.py - - aws s3 cp index.zip s3://${artifactbucket}/index.zip - - sleep 3s - - aws lambda update-function-code --function-name ${rLambda} --s3-bucket ${artifactbucket} --s3-key index.zip + - aws s3api put-object --bucket ${artifactbucket} --key index.zip --body index.zip --expected-bucket-owner $ACCOUNT_ID + - wait + - aws lambda update-function-code --function-name ${Lambda} --s3-bucket ${artifactbucket} --s3-key index.zip - artifactbucket: - !Ref pPipelineBucket + !Ref PipelineBucket - rCodePipelineRole: + CodePipelineRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: @@ -135,9 +140,7 @@ Resources: Version: "2012-10-17" Path: / ManagedPolicyArns: - - arn:aws:iam::aws:policy/IAMFullAccess - - arn:aws:iam::aws:policy/AWSCodeCommitFullAccess - - arn:aws:iam::aws:policy/AWSCodeDeployFullAccess + - arn:aws:iam::aws:policy/AWSCodeCommitPowerUser Policies: - PolicyName: IAM-PassRole PolicyDocument: @@ -166,14 +169,14 @@ Resources: "", [ "arn:aws:s3:::", - !Ref pPipelineBucket, + !Ref PipelineBucket, ], ] - !Join [ "", [ "arn:aws:s3:::", - !Ref "pPipelineBucket", + !Ref "PipelineBucket", "/*" ], ] 
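Review bot: The managed-policy trim in `CodePipelineRole` (dropping `IAMFullAccess`, `AWSCodeCommitFullAccess`, `AWSCodeDeployFullAccess`) leaves the inline `IAM-PassRole` statement on `role/*` untouched, and with only a CodeCommit source and a CodeBuild action there is no role being passed, so the statement should go as well or at minimum be scoped to a single ARN. `AWSCodeCommitPowerUser` on the pipeline role still grants write access to every repository in the account; the source action needs only `GetBranch`, `GetCommit`, `UploadArchive`, `GetUploadArchiveStatus` and `CancelUploadArchive` on the one repo. In the buildspec, the `wait` that replaced `sleep 3s` is a no-op because nothing is backgrounded, and `aws s3api put-object` is synchronous anyway, so the line can simply be removed; `EncryptionKey: alias/aws/s3` is also moot while `Artifacts.Type` is `NO_ARTIFACTS`.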
@@ -185,14 +188,22 @@ Resources: - "codebuild:Start*" - "codebuild:Batch*" Effect: Allow - Resource: !GetAtt rBuildProject.Arn + Resource: !GetAtt BuildProject.Arn + - PolicyName: AllowCodeCommitUploadArchive + PolicyDocument: + Version: "2012-10-17" + Statement: + - Action: + - "codecommit:UploadArchive" + Effect: Allow + Resource: !Sub arn:aws:codecommit:${Region}:${AWS::AccountId}:${CodeCommitRepoName} - rCodePipeline: + CodePipeline: Type: AWS::CodePipeline::Pipeline Properties: Name: UpdateLambdaCodePipeline RestartExecutionOnUpdate: true - RoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/${rCodePipelineRole} + RoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/${CodePipelineRole} Stages: - Name: Source Actions: @@ -205,11 +216,11 @@ Resources: OutputArtifacts: - Name: SourceArtifact Configuration: - RepositoryName: !Ref pCodeCommitRepoName - BranchName: !Ref pCodeCommitBranchName + RepositoryName: !Ref CodeCommitRepoName + BranchName: !Ref CodeCommitBranchName PollForSourceChanges: "false" RunOrder: 1 - Region: !Ref pRegion + Region: !Ref Region - Name: Deploy Actions: - Name: UpdateQueryCreationLambdaCode @@ -222,12 +233,12 @@ Resources: InputArtifacts: - Name: SourceArtifact Configuration: - ProjectName: !Ref rBuildProject + ProjectName: !Ref BuildProject ArtifactStore: Type: S3 - Location: !Ref pPipelineBucket + Location: !Ref PipelineBucket - rLambdaRole: + LambdaRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: @@ -255,7 +266,7 @@ Resources: "", [ "arn:aws:s3:::", - !Ref "pPipelineBucket", + !Ref "PipelineBucket", "/*", ], ] 
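Review bot: The new `AllowCodeCommitUploadArchive` statement builds its resource ARN from the user-supplied `Region` parameter (default `us-east-1`), while the CodeBuild source URL elsewhere in the file uses `AWS::Region`; a stack deployed in any other region grants access to a repository ARN in the wrong region, so use `Resource: !Sub arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:${CodeCommitRepoName}` and drop the `Region` parameter. Because `CodeCommitRepoName` and `PipelineBucket` are interpolated into IAM resource ARNs without constraints, add `AllowedPattern: '[\w\.-]+'` (and `MinLength: 1`) to those parameters so a stray `*` cannot widen the grant. If `AWSCodeCommitPowerUser` remains attached to this role, the explicit `UploadArchive` grant is likely redundant with it; the intent seems to be to replace the managed policy with scoped statements, in which case remove the managed policy entirely.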
@@ -263,18 +274,18 @@ Resources: "", [ "arn:aws:s3:::", - !Ref "pPipelineBucket", + !Ref "PipelineBucket", ], ] - rLambda: + Lambda: Type: AWS::Lambda::Function Properties: Handler: index.lambda_handler - Role: !GetAtt rLambdaRole.Arn - Runtime: python3.7 + Role: !GetAtt LambdaRole.Arn + Runtime: python3.9 Timeout: 120 FunctionName: SampleLambda Code: - S3Bucket: !Ref pPipelineBucket + S3Bucket: !Ref PipelineBucket S3Key: index.zip
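Review bot: `LambdaRole`'s `S3PutObject` policy (which starts in the preceding hunk and ends here) gives `SampleLambda` write access to the very bucket and key it is deployed from (`Code.S3Bucket: PipelineBucket`, `S3Key: index.zip`), so the function can overwrite its own deployment artifact; nothing visible in this template requires the function to write to the pipeline bucket, and unless the blog's handler does, the policy should be removed or pointed at a separate data bucket. The bucket-level ARN in that statement never matches `s3:PutObject` and can be dropped. Since the function is created from whatever `index.zip` already sits in the pre-existing bucket, consider pinning `S3ObjectVersion` (with bucket versioning enabled) so a stack create or update cannot silently pick up an object written by another principal with access to the bucket.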