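# CloudFormation template for the VaultDB query Lambda function and the IAM
# role it runs under.
# The format version is quoted so that YAML 1.1 loaders keep it a string
# instead of resolving it to a date.
AWSTemplateFormatVersion: "2010-09-09"
Description: VaultDB Lambda function to execute Queries
Metadata:
  Author: VaultDB.ai
  Url: https://www.vaultdb.ai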
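Parameters:
  # Prefix used for every resource name in this template and for the names of
  # the cross-stack exports it imports and publishes.
  #
  # The pattern allows 2 to 49 characters. The role in this template is named
  # "<ApplicationName>-execution-role" (a 15-character suffix) and IAM role
  # names are limited to 64 characters, so a 50-character value would pass
  # parameter validation and then fail when the role is created.
  # NOTE(review): the stacks that publish the imported exports presumably take
  # the same parameter; keep their patterns in step with this one.
  ApplicationName:
    Type: String
    AllowedPattern: "^[a-z][a-z0-9-]{0,47}[a-z0-9]$"
    ConstraintDescription: >-
      Use 2 to 49 characters: lower-case letters, digits and hyphens, starting
      with a letter and ending with a letter or digit.
    Description: Enter the name of your application with no spaces.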
Resources:
  # IAM role the query function runs under. Its ARN is also published as a
  # cross-stack export in the Outputs section of this template.
  ExecuteRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Join
        - ""
        - - !Ref ApplicationName
          - "-execution-role"
      Tags:
        - Key: Purpose
          Value: "VaultDB"
        - Key: Project
          Value: !Ref ApplicationName
        - Key: createdBy
          Value: vaultdb.ai
      # Trust policy: both the Lambda service and ECS tasks may assume this
      # role. Only a Lambda function is defined in this template.
      # NOTE(review): confirm an ECS task really needs the same identity;
      # otherwise drop the second statement so that a compromised task
      # definition cannot pick up these permissions.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
          - Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: !Join
            - ""
            - - !Ref ApplicationName
              - "-execution-service-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # CloudWatch Logs. Resource "*" lets the role create and write
              # log groups and streams anywhere in the account.
              # NOTE(review): consider limiting this to the function's own
              # log group.
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                Resource: "*"
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: "*"
              # S3. "s3:*Object" matches every S3 action whose name ends in
              # "Object" (read, write and delete among them), and Resource "*"
              # applies it, plus the bucket-notification actions, to every
              # bucket this role can reach. Because the function executes SQL
              # supplied by callers, a query-level flaw is bounded only by this
              # statement.
              # NOTE(review): the function is configured with two imported
              # buckets (data_store and public_bucket below); scoping Resource
              # to those buckets and their objects would be least privilege.
              # Whether the exports hold bucket names or ARNs is not visible
              # here - confirm before building the ARNs.
              - Effect: Allow
                Action:
                  - s3:ListMultipartUploadParts
                  - s3:*Object
                  - s3:ListBucket
                  - s3:GetBucketNotification
                  - s3:PutBucketNotification
                Resource: "*"
              # EFS client access for the commit-log mount, on any file
              # system.
              # NOTE(review): could be limited to the file system behind the
              # imported access point, optionally with a condition on
              # elasticfilesystem:AccessPointArn.
              - Effect: Allow
                Action:
                  - elasticfilesystem:ClientMount
                  - elasticfilesystem:ClientWrite
                Resource: "*"
              # Network-interface management for the VPC-attached function.
              # NOTE(review): confirm ec2:DescribeInstances and
              # ec2:AttachNetworkInterface are still required; remove them if
              # they are not.
              - Effect: Allow
                Action:
                  - ec2:DescribeNetworkInterfaces
                  - ec2:CreateNetworkInterface
                  - ec2:DeleteNetworkInterface
                  - ec2:DescribeInstances
                  - ec2:AttachNetworkInterface
                Resource: "*"

  # Container-image Lambda function that executes VaultDB SQL queries.
  ExecuteQueryFunction:
    Type: AWS::Lambda::Function
    Properties:
      Tags:
        - Key: Purpose
          Value: "VaultDB"
        - Key: Project
          Value: !Ref ApplicationName
        - Key: createdBy
          Value: vaultdb.ai
      Description: Execute Vaultdb SQL Queries
      FunctionName: !Join
        - ""
        - - !Ref ApplicationName
          - "-execute-query"
      Role: !GetAtt ExecuteRole.Arn
      Code:
        # The image is referenced by the tag "lambda" in this account's ECR
        # registry. A tag can be re-pointed at a different image.
        # NOTE(review): referencing the image by digest, or making the
        # repository's tags immutable, would pin what actually gets deployed.
        ImageUri: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/vaultdb:lambda"
      PackageType: Image
      ImageConfig:
        Command:
          - query.lambda_handler
      Architectures:
        - x86_64
      Timeout: 240
      MemorySize: 256
      Environment:
        Variables:
          application_name: !Sub "${ApplicationName}"
          AWS_STS_REGIONAL_ENDPOINTS: "regional"
          # Both the commit log directory and HOME point at the EFS mount
          # declared in FileSystemConfigs.
          commitlog_directory: "/mnt/commitlog"
          HOME: "/mnt/commitlog"
          memory_limit: "200MB"
          # The remaining values are imported from exports of other stacks
          # that share the ApplicationName prefix.
          public_bucket:
            Fn::ImportValue: !Sub "${ApplicationName}-PublicBucket"
          data_store:
            Fn::ImportValue: !Sub "${ApplicationName}-DataBucket"
          user_pool_id:
            Fn::ImportValue: !Sub "${ApplicationName}-UserPool"
          user_pool_client_id:
            Fn::ImportValue: !Sub "${ApplicationName}-UserPoolClient"
          identity_pool_id:
            Fn::ImportValue: !Sub "${ApplicationName}-IdentityPool"
      # The function is attached to one imported subnet and one imported
      # security group.
      VpcConfig:
        SecurityGroupIds:
          - Fn::ImportValue: !Sub "${ApplicationName}-DataSecurityGroup"
        SubnetIds:
          - Fn::ImportValue: !Sub "${ApplicationName}-VPCPrivateSubnet"
      # EFS access point mounted at the commit-log path.
      FileSystemConfigs:
        - Arn:
            Fn::ImportValue: !Sub "${ApplicationName}-EFSAccessPointResource"
          LocalMountPath: /mnt/commitlog
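Outputs:
  # ARN of the execution role, exported for import by other stacks in the
  # same account and region.
  ExecuteRole:
    Description: VaultDB Execution Role that works on behalf of user
    Value: !GetAtt ExecuteRole.Arn
    Export:
      Name: !Sub "${ApplicationName}-ExecuteRole"
  # Ref on a Lambda function resolves to the function name.
  ExecuteQueryFunction:
    Description: VaultDB Execute Query Function
    Value: !Ref ExecuteQueryFunction
    Export:
      Name: !Sub "${ApplicationName}-ExecuteQueryFunction"
  # Ready-to-paste invocation command. The function name is taken from the
  # resource itself; the previous hard-coded
  # "vaultdb-execute-query-<ApplicationName>" did not match the FunctionName
  # this template assigns ("<ApplicationName>-execute-query").
  # NOTE(review): Lambda invocation payloads are JSON documents and the sample
  # payload is a bare SQL string; confirm the shape query.lambda_handler
  # expects and adjust the example to match.
  CLI:
    Description: Use this command to invoke the Lambda function
    Value: !Sub |
      aws lambda invoke --function-name '${ExecuteQueryFunction}' --payload 'SELECT CURRENT_CATALOG' lambda-output.txt --cli-binary-format raw-in-base64-out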