-
Notifications
You must be signed in to change notification settings - Fork 2
/
serverless.yml
131 lines (126 loc) · 4.51 KB
/
serverless.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
service: rabbitmq-topology-backup
useDotenv: true
provider:
name: aws
runtime: java11
memorySize: 3008
timeout: 900
region: us-west-2
deploymentBucket:
name: ${env:BUCKET}
serverSideEncryption: "AES256"
cfnRole: "arn:aws:iam::${env:ACCOUNT}:role/cloudformation/deployer/cloudformation-deployer"
iamRoleStatements:
- Effect: Allow
Action: kms:Decrypt
Resource:
Fn::GetAtt: [EncryptionKey, Arn]
- Effect: "Allow" # xray permissions (required)
Action:
- "xray:PutTraceSegments"
- "xray:PutTelemetryRecords"
Resource:
- "*"
tracing:
lambda: Active
logRetentionInDays: 7
stackTags:
Creator: serverless
Environment: ${self:custom.EnvironmentTag.${opt:stage}}
Project: ${self:service}
Team: platform
Visibility: internal
lambdaHashingVersion: "20201221"
package:
artifact: target/universal/rabbitmq-topology-backup.zip
functions:
backup:
handler: com.dwolla.rabbitmq.topology.LambdaHandler
vpc:
securityGroupIds:
- Ref: SourceMarkerSecurityGroup
subnetIds:
Fn::Split:
- ','
- !ImportValue ${self:custom.VpcImportPrefix.${opt:stage}}VpcInternalSubnets
events:
- schedule:
description: Hourly back up of RabbitMQ topology to CloudWatch
rate: rate(1 hour)
input:
baseUri: "http://rabbit.us-west-2.${opt:stage}.dwolla.net:15672"
username: guest
password: ${self:custom.Credentials.${opt:stage}}
resources:
Description: "A serverless app to regularly back up the topology of a given RabbitMQ cluster to CloudWatch Logs"
Resources:
EncryptionKey:
Type: AWS::KMS::Key
Properties:
KeyPolicy:
Version: '2012-10-17'
Statement:
- Sid: 'Allow root access'
Effect: 'Allow'
Principal:
AWS:
!Join
- ''
- - "arn:aws:iam::"
- !Ref 'AWS::AccountId'
- ":root"
Action: 'kms:*'
Resource: '*'
- Sid: 'Allow DataEncrypter to encrypt'
Effect: 'Allow'
Principal:
AWS:
!Join
- ''
- - "arn:aws:iam::"
- !Ref 'AWS::AccountId'
- ":role/DataEncrypter"
Action:
- 'kms:Encrypt'
- 'kms:ReEncrypt*'
- 'kms:DescribeKey'
Resource: '*'
EncryptionKeyAlias:
Type: AWS::KMS::Alias
Properties:
AliasName: alias/${self:service}-${opt:stage}-key
TargetKeyId:
Ref: EncryptionKey
SourceMarkerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Source security group marking an ENI as a legitimate source of traffic to the RabbitMQ cluster
VpcId:
Fn::ImportValue: ${self:custom.VpcImportPrefix.${opt:stage}}VpcId
Tags:
- Key: SecurityGroupType
Value: TrafficSource
Outputs:
SourceMarkerSecurityGroup:
Value:
Ref: SourceMarkerSecurityGroup
Description:
Source security group ID that can be imported to mark this lambda as a legitimate source of traffic to the RabbitMQ cluster
Export:
Name: ${self:service}:${self:custom.VpcImportPrefix.${opt:stage}}:TrafficSource
custom:
EnvironmentTag:
prod: production
uat: uat
devint: devint
sandbox: sandbox
VpcImportPrefix:
prod: Prod
uat: Uat
devint: DevInt
sandbox: Sandbox
Credentials:
prod: "AQICAHiDNht96T/IKQK0KfuZpG+Aw4vUrb9L8CpGZlT4k+zE4QFC4I43mcb1zz7FncDWMb+iAAAAYzBhBgkqhkiG9w0BBwagVDBSAgEAME0GCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM1SX6iQLislO11jSJAgEQgCDG1oxeWIyw+J1cWKSxT6hLuA+VZZ/eNFGCw5sztFv4qA=="
uat: "AQICAHiegsUSdl9tn+48V5sbA6PETCu1Wcyy31foqE323H1I5QH4ZJA7sKyo+WybFM+dadoOAAAAYzBhBgkqhkiG9w0BBwagVDBSAgEAME0GCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMOKQv6U6njHoZzIWxAgEQgCC2VCRrNF5O9VjIdJbANJ4uBLosUdqNm+gBuQ2igN3Kxw=="
devint: "AQICAHiJE+vM1VKEiQpXXtbfIKwjr5wCpmMhCdnS6y6/6difLQHWlWmvntNurE47Nj9yjiyxAAAAYzBhBgkqhkiG9w0BBwagVDBSAgEAME0GCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMUXdDbknkKI11IIJMAgEQgCCAseunTuVe7QYyZJUWqc7x9DfDOc0WHgaMqTnPzj1SZw=="
sandbox: "AQICAHgb9o3/IugdfQGA/kgXhS09JW4ZaWptMszqUXn+B15pnwGz0IJhY8rKr4gdAC33iAphAAAAYzBhBgkqhkiG9w0BBwagVDBSAgEAME0GCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMRbuM/bBBe6mqguEOAgEQgCBkJrGnRlZLxC1+AYVEY1R2YJW0rQSmIudSpkq9dESrmQ=="