From 8dea9e86d1485e48b1b95133ca2b3e96a0d2a1b9 Mon Sep 17 00:00:00 2001 From: sshalabh Date: Mon, 16 May 2022 22:56:50 +0100 Subject: [PATCH 1/3] feat: add cfn template for lambda update Update your Lambda functions without zipping and uploading files to S3: SIM:V448302319 --- .../update_lambda.yaml | 280 ++++++++++++++++++ 1 file changed, 280 insertions(+) create mode 100644 blog-assets/upd-lmbda-wthout-zipping-V448302319/update_lambda.yaml diff --git a/blog-assets/upd-lmbda-wthout-zipping-V448302319/update_lambda.yaml b/blog-assets/upd-lmbda-wthout-zipping-V448302319/update_lambda.yaml new file mode 100644 index 0000000..60e33a4 --- /dev/null +++ b/blog-assets/upd-lmbda-wthout-zipping-V448302319/update_lambda.yaml 
@@ -0,0 +1,280 @@ +AWSTemplateFormatVersion: "2010-09-09" + +Parameters: + pCodeCommitRepoName: + Description: The name of the CodeCommit Repository which stores the Lambda code + Type: String + pCodeCommitBranchName: + Description: The name of the CodeCommit branch in the repo which stores the lambda code + Type: String + pPipelineBucket: + Description: Enter the name of the pre-existing pipeline bucket + Type: String + pRegion: + Description: Region to deploy resources in + Type: String + Default: us-east-1 + + +Resources: + rBuildProjectRole: + Type: AWS::IAM::Role + Properties: + RoleName: CodeBuildUpdateLambdaRole + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: + - codebuild.amazonaws.com + Action: + - sts:AssumeRole + ManagedPolicyArns: + - "arn:aws:iam::aws:policy/AWSCodeCommitPowerUser" + - "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" + Path: "/service-role/" + + + rBuildProjectPolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: CodeBuildUpdateLambdaRolePolicy + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: + - s3:Put* + - s3:Get* + - s3:List* + Resource: + - !Join [ + "", + [ + "arn:aws:s3:::", + !Ref "pPipelineBucket", + "/*", + ], + ] + - !Join [ + "", + [ + "arn:aws:s3:::", + !Ref "pPipelineBucket", + ], + ] + - Effect: Allow + Action: + - logs:CreateLogGroup + - logs:CreateLogStream + - logs:PutLogEvents + Resource: arn:aws:logs:*:*:* + - Effect: Allow + Action: + - lambda:Update* + Resource: !GetAtt rLambda.Arn + Roles: + - !Ref rBuildProjectRole + + rBuildProject: + Type: AWS::CodeBuild::Project + Properties: + Description: This stage runs the updating of the Lambda code + ServiceRole: !GetAtt rBuildProjectRole.Arn + Artifacts: + Type: NO_ARTIFACTS + Environment: + ComputeType: BUILD_GENERAL1_SMALL + Image: aws/codebuild/amazonlinux2-x86_64-standard:2.0 + Type: LINUX_CONTAINER + PrivilegedMode: false + LogsConfig: + CloudWatchLogs: + Status: ENABLED 
+ Source: + Type: CODECOMMIT + Location: !Join + - "" + - - "https://git-codecommit." + - !Ref "AWS::Region" + - ".amazonaws.com/v1/repos/" + - !Ref "pCodeCommitRepoName" + BuildSpec: !Sub + - | + version: 0.2 + env: + git-credential-helper: yes + phases: + install: + runtime-versions: + python: 3.8 + commands: + - pwd + - ls + build: + commands: + - zip index.zip index.py + - aws s3 cp index.zip s3://${artifactbucket}/index.zip + - sleep 3s + - aws lambda update-function-code --function-name ${rLambda} --s3-bucket ${artifactbucket} --s3-key index.zip + - artifactbucket: + !Ref pPipelineBucket + + + rCodePipelineRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Statement: + - Action: ["sts:AssumeRole"] + Effect: Allow + Principal: + Service: + - codepipeline.amazonaws.com + Version: "2012-10-17" + Path: / + ManagedPolicyArns: + - arn:aws:iam::aws:policy/IAMFullAccess + - arn:aws:iam::aws:policy/AWSCodeCommitFullAccess + - arn:aws:iam::aws:policy/AWSCodeDeployFullAccess + Policies: + - PolicyName: IAM-PassRole + PolicyDocument: + Version: "2012-10-17" + Statement: + - Action: + - "iam:PassRole" + Effect: Allow + Resource: + !Join [ + "", + ["arn:aws:iam:", ":", !Ref "AWS::AccountId", ":role/*"], + ] + - PolicyName: AllowS3Access + PolicyDocument: + Version: "2012-10-17" + Statement: + - Action: + - "s3:PutObject" + - "s3:GetObject" + - "s3:GetObjectVersion" + - "s3:List*" + Effect: Allow + Resource: + - !Join [ + "", + [ + "arn:aws:s3:::", + !Ref pPipelineBucket, + ], + ] + - !Join [ + "", + [ + "arn:aws:s3:::", + !Ref "pPipelineBucket", + "/*" + ], + ] + - PolicyName: AllowCodeBuildAccess + PolicyDocument: + Version: "2012-10-17" + Statement: + - Action: + - "codebuild:Start*" + - "codebuild:Batch*" + Effect: Allow + Resource: !GetAtt rBuildProject.Arn + + rCodePipeline: + Type: AWS::CodePipeline::Pipeline + Properties: + Name: UpdateLambdaCodePipeline + RestartExecutionOnUpdate: true + RoleArn: !Sub 
arn:aws:iam::${AWS::AccountId}:role/${rCodePipelineRole} + Stages: + - Name: Source + Actions: + - Name: Source + ActionTypeId: + Category: Source + Owner: AWS + Version: "1" + Provider: CodeCommit + OutputArtifacts: + - Name: SourceArtifact + Configuration: + RepositoryName: !Ref pCodeCommitRepoName + BranchName: !Ref pCodeCommitBranchName + PollForSourceChanges: "false" + RunOrder: 1 + Region: !Ref pRegion + - Name: Deploy + Actions: + - Name: UpdateQueryCreationLambdaCode + RunOrder: 1 + ActionTypeId: + Category: Build + Owner: AWS + Version: "1" + Provider: CodeBuild + InputArtifacts: + - Name: SourceArtifact + Configuration: + ProjectName: !Ref rBuildProject + ArtifactStore: + Type: S3 + Location: !Ref pPipelineBucket + + rLambdaRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: + - lambda.amazonaws.com + Action: + - "sts:AssumeRole" + ManagedPolicyArns: + - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole + Path: /service-role/ + Policies: + - PolicyName: S3PutObject + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: + - "s3:PutObject" + Resource: + - !Join [ + "", + [ + "arn:aws:s3:::", + !Ref "pPipelineBucket", + "/*", + ], + ] + - !Join [ + "", + [ + "arn:aws:s3:::", + !Ref "pPipelineBucket", + ], + ] + + rLambda: + Type: AWS::Lambda::Function + Properties: + Handler: index.lambda_handler + Role: !GetAtt rLambdaRole.Arn + Runtime: python3.7 + Timeout: 120 + FunctionName: SampleLambda + Code: + S3Bucket: !Ref pPipelineBucket + S3Key: index.zip From 70f715104d0734177cd17adc4dac43529008cfff Mon Sep 17 00:00:00 2001 
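Review bot: `rCodePipelineRole` in this hunk is far more privileged than its two actions need — it attaches `IAMFullAccess`, `AWSCodeCommitFullAccess` and `AWSCodeDeployFullAccess` and adds `iam:PassRole` on `role/*`, yet the pipeline only reads one CodeCommit repo and starts `rBuildProject` (there is no CodeDeploy action and the CodeBuild action passes no role), so anyone able to edit this pipeline effectively holds an IAM-admin service role. Drop the three managed policies and the `IAM-PassRole` policy and replace them with a CodeCommit read statement scoped to the repo (below); the existing `AllowS3Access` and `AllowCodeBuildAccess` policies already cover everything else the Source and Deploy stages do. In the same spirit, `rBuildProjectPolicy` grants `lambda:Update*` while the buildspec only runs `update-function-code`, so narrow it to `- lambda:UpdateFunctionCode`, and `AmazonS3ReadOnlyAccess` on the build role reads every bucket in the account although the inline policy already covers `pPipelineBucket`. Lastly, `rLambdaRole` gets `s3:PutObject` on the same artifact bucket that holds `SourceArtifact` and `index.zip`; unless SampleLambda genuinely has to write there, remove that policy so a compromised function cannot overwrite the pipeline's own inputs.
```yaml
  rCodePipelineRole:
    Type: AWS::IAM::Role
    Properties:
      # … unchanged: AssumeRolePolicyDocument, Path …
      Policies:
        - PolicyName: AllowCodeCommitSource
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - codecommit:GetBranch
                  - codecommit:GetCommit
                  - codecommit:GetRepository
                  - codecommit:UploadArchive
                  - codecommit:GetUploadArchiveStatus
                  - codecommit:CancelUploadArchive
                Resource: !Sub arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:${pCodeCommitRepoName}
        # … unchanged: AllowS3Access, AllowCodeBuildAccess …
```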
From: sshalabh <77447247+sshalabh@users.noreply.github.com> Date: Mon, 16 May 2022 23:56:10 +0100 Subject: [PATCH 2/3] Rename update_lambda.yaml to template.yaml --- .../{update_lambda.yaml => template.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename blog-assets/upd-lmbda-wthout-zipping-V448302319/{update_lambda.yaml => template.yaml} (100%) diff --git a/blog-assets/upd-lmbda-wthout-zipping-V448302319/update_lambda.yaml b/blog-assets/upd-lmbda-wthout-zipping-V448302319/template.yaml similarity index 100% rename from blog-assets/upd-lmbda-wthout-zipping-V448302319/update_lambda.yaml rename to blog-assets/upd-lmbda-wthout-zipping-V448302319/template.yaml From df9bc70269f6a24165bedf7eb881057a54ca1ce1 Mon Sep 17 00:00:00 2001 From: shalabh-aws Date: Tue, 17 May 2022 21:25:16 +0100 Subject: [PATCH 3/3] added QS ID --- blog-assets/upd-lmbda-wthout-zipping-V448302319/template.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/blog-assets/upd-lmbda-wthout-zipping-V448302319/template.yaml b/blog-assets/upd-lmbda-wthout-zipping-V448302319/template.yaml index 60e33a4..6028d17 100644 --- a/blog-assets/upd-lmbda-wthout-zipping-V448302319/template.yaml +++ b/blog-assets/upd-lmbda-wthout-zipping-V448302319/template.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: "2010-09-09" - +Description: "Update your Lambda functions without zipping and uploading files to S3 (qs-1t29l4g74)" Parameters: pCodeCommitRepoName: Description: The name of the CodeCommit Repository which stores the Lambda code