update template to include policies rather than IAM roles
cplee committed Dec 20, 2017
1 parent 45cc425 commit bc4e532
Showing 3 changed files with 251 additions and 107 deletions.
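--- /dev/null
+++ b/template-sar.yml
@@ -0,0 +1,64 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: 'AWS::Serverless-2016-10-31'
+Description: 'Create pipeline-dashboard application.'
+Resources:
+PipelineDashboardEventHandler:
+Type: 'AWS::Serverless::Function'
+Properties:
+Description: Create CloudWatch metrics from CodePipeline events
+Handler: index.handlePipelineEvent
+Runtime: nodejs6.10
+CodeUri: s3://pipeline-dashboard-us-east-1/df9df41fcba07b5e5827f6474128c22f
+Events:
+PipelineEventRule:
+Type: CloudWatchEvent
+Properties:
+Pattern:
+source:
+- "aws.codepipeline"
+detail-type:
+- "CodePipeline Pipeline Execution State Change"
+- "CodePipeline Stage Execution State Change"
+- "CodePipeline Action Execution State Change"
+Policies:
+- Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Resource: '*'
+Action:
+- cloudwatch:PutMetricData
+- codepipeline:ListPipelineExecutions
+- logs:CreateLogGroup
+- logs:CreateLogStream
+- logs:DescribeLogGroups
+- logs:DescribeLogStreams
+- logs:PutLogEvents
+PipelineDashboardGenerator:
+Type: 'AWS::Serverless::Function'
+Properties:
+Description: Build CloudWatch dashboard from CloudWatch metrics
+Handler: index.generateDashboard
+Runtime: nodejs6.10
+CodeUri: s3://pipeline-dashboard-us-east-1/df9df41fcba07b5e5827f6474128c22f
+Timeout: 60
+Role: !GetAtt DashboardGeneratorRole.Arn
+Events:
+DashboardEventRule:
+Type: Schedule
+Properties:
+Schedule: "cron(*/5 * * * ? *)"
+Policies:
+- Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Resource: '*'
+Action:
+- cloudwatch:ListMetrics
+- cloudwatch:GetDashboard
+- cloudwatch:PutDashboard
+- cloudwatch:DeleteDashboards
+- logs:CreateLogGroup
+- logs:CreateLogStream
+- logs:DescribeLogGroups
+- logs:DescribeLogStreams
+- logs:PutLogEvents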
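Review bot: `Role: !GetAtt DashboardGeneratorRole.Arn` on PipelineDashboardGenerator references a resource that template-sar.yml does not define (the file declares only the two functions), so the stack will fail on an unresolved reference. Even if it resolved, SAM does not generate a role from `Policies` when `Role` is set explicitly, so the inline policy added under the generator would have no effect; remove the `Role:` line so the function is handled like PipelineDashboardEventHandler above. Separately, every statement in both functions uses `Resource: '*'`; `cloudwatch:PutMetricData` and `cloudwatch:ListMetrics` do not support resource-level permissions, but the dashboard actions (`GetDashboard`/`PutDashboard`/`DeleteDashboards`) and the `logs:*` actions do and could be narrowed to the dashboard and log-group ARNs the code actually touches. Note also that SAM attaches `AWSLambdaBasicExecutionRole` to the roles it generates, which already covers `logs:CreateLogGroup`, `logs:CreateLogStream` and `logs:PutLogEvents`.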
116 changes: 30 additions & 86 deletions template.yml
Expand Up @@ -2,96 +2,13 @@ AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: 'Create pipeline-dashboard application.'
Resources:
EventHandlerRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub pipeline-dashboard-event-handler-role-${AWS::Region}
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
Path: /
Policies:
- PolicyName: 'cloudwatch-access'
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Resource: '*'
Action:
- cloudwatch:PutMetricData
- PolicyName: 'codepipeline-access'
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Resource: '*'
Action:
- codepipeline:ListPipelineExecutions
- PolicyName: 'logs-access'
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Resource: '*'
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:DescribeLogGroups
- logs:DescribeLogStreams
- logs:PutLogEvents
DashboardGeneratorRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub pipeline-dashboard-generator-role-${AWS::Region}
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
Path: /
Policies:
- PolicyName: 'cloudwatch-access'
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Resource: '*'
Action:
- cloudwatch:ListMetrics
- cloudwatch:GetDashboard
- cloudwatch:PutDashboard
- cloudwatch:DeleteDashboards
- PolicyName: 'logs-access'
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Resource: '*'
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:DescribeLogGroups
- logs:DescribeLogStreams
- logs:PutLogEvents
EventHandlerFunction:
PipelineDashboardEventHandler:
Type: 'AWS::Serverless::Function'
Properties:
FunctionName: pipeline-dashboard-event-handler
Description: Create CloudWatch metrics from CodePipeline events
Handler: index.handlePipelineEvent
Runtime: nodejs6.10
CodeUri: .
Role: !GetAtt EventHandlerRole.Arn
Events:
PipelineEventRule:
Type: CloudWatchEvent
Expand All @@ -103,10 +20,22 @@ Resources:
- "CodePipeline Pipeline Execution State Change"
- "CodePipeline Stage Execution State Change"
- "CodePipeline Action Execution State Change"
DashboardGeneratorFunction:
Policies:
- Version: '2012-10-17'
Statement:
- Effect: Allow
Resource: '*'
Action:
- cloudwatch:PutMetricData
- codepipeline:ListPipelineExecutions
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:DescribeLogGroups
- logs:DescribeLogStreams
- logs:PutLogEvents
PipelineDashboardGenerator:
Type: 'AWS::Serverless::Function'
Properties:
FunctionName: pipeline-dashboard-generator
Description: Build CloudWatch dashboard from CloudWatch metrics
Handler: index.generateDashboard
Runtime: nodejs6.10
Expand All @@ -118,3 +47,18 @@ Resources:
Type: Schedule
Properties:
Schedule: "cron(*/5 * * * ? *)"
Policies:
- Version: '2012-10-17'
Statement:
- Effect: Allow
Resource: '*'
Action:
- cloudwatch:ListMetrics
- cloudwatch:GetDashboard
- cloudwatch:PutDashboard
- cloudwatch:DeleteDashboards
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:DescribeLogGroups
- logs:DescribeLogStreams
- logs:PutLogEvents
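Review bot: The `Policies` block added under PipelineDashboardGenerator grants all nine actions on `Resource: '*'`, the same as the handler's block in the earlier hunk; only `cloudwatch:ListMetrics` (and `cloudwatch:PutMetricData` in the handler) lack resource-level support, so the dashboard actions and the `logs:*` actions could be scoped to the specific dashboard and log-group ARNs instead of a wildcard. Since SAM now generates the execution role, it also attaches `AWSLambdaBasicExecutionRole`, which already grants `logs:CreateLogGroup`, `logs:CreateLogStream` and `logs:PutLogEvents`, leaving only the two `Describe*` actions genuinely needed in the inline statement. The first hunk removes `Role: !GetAtt EventHandlerRole.Arn` together with the role itself, but the generator's properties between old lines 103 and 118 are collapsed here; if a matching `Role: !GetAtt DashboardGeneratorRole.Arn` survives there it now points at a deleted resource (template-sar.yml in this same commit still carries that line), and with `Role` set SAM would ignore this new `Policies` list entirely.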
