-
Notifications
You must be signed in to change notification settings - Fork 0
/
aws_apollo_agent.yaml
459 lines (458 loc) · 16.6 KB
/
aws_apollo_agent.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
AWSTemplateFormatVersion: '2010-09-09'
Description: >
Monte Carlo's containerized agent. See details here: https://docs.getmontecarlo.com/docs/platform-architecture
Metadata:
License: >
Copyright 2023 Monte Carlo Data, Inc.
The Software contained herein (the “Software”) is the intellectual property of Monte Carlo Data, Inc. (“Licensor”),
and Licensor retains all intellectual property rights in the Software, including any and all derivatives, changes and
improvements thereto. Only customers who have entered into a commercial agreement with Licensor for use or
purchase of the Software (“Licensee”) are licensed or otherwise authorized to use the Software, and any Licensee
agrees that it obtains no copyright or other intellectual property rights to the Software, except for the license
expressly granted below or in accordance with the terms of their commercial agreement with Licensor (the
“Agreement”). Subject to the terms and conditions of the Agreement, Licensor grants Licensee a non-exclusive,
non-transferable, non-sublicensable, revocable, limited right and license to use the Software, in each case solely
internally within Licensee’s organization for non-commercial purposes and only in connection with the service
provided by Licensor pursuant to the Agreement, and in object code form only. Without Licensor’s express prior
written consent, Licensee may not, directly or indirectly, (i) distribute the Software, any portion thereof, or any
modifications, enhancements, or derivative works of any of the foregoing (collectively, the “Derivatives”) to any
third party, (ii) license, market, sell, offer for sale or otherwise attempt to commercialize any Software, Derivatives,
or portions thereof, (iii) use the Software, Derivatives, or any portion thereof for the benefit of any third party, (iv)
use the Software, Derivatives, or any portion thereof in any manner or with respect to any commercial activity
which competes, or is reasonably likely to compete, with any business that Licensor conducts, proposes to conduct
or demonstrably anticipates conducting, at any time; or (v) seek any patent or other intellectual property rights or
protections over or in connection with any Software of Derivatives.
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: Connectivity Configuration
Parameters:
- CloudAccountId
- ExistingVpcId
- ExistingSubnetIds
- Label:
default: Advanced Configuration
Parameters:
- EnableRemoteUpdates
- ImageUri
- MemorySize
- ConcurrentExecutions
ParameterLabels:
CloudAccountId:
default: Select a Monte Carlo AWS Account ID
ConcurrentExecutions:
default: Set agent concurrency
EnableRemoteUpdates:
default: Enable remote code updates
ExistingSubnetIds:
default: Select VPC private subnets
ExistingVpcId:
default: Connect to a VPC
ImageUri:
default: Select the agent image source
MemorySize:
default: Set agent memory
Parameters:
CloudAccountId:
Description: >
For deployments on the V2 Platform, use 590183797493. Accounts created after April 24th, 2024,
will automatically be on the V2 platform or newer. If you are using an older version of the platform,
please contact your Monte Carlo representative for the ID.
Type: String
Default: '590183797493'
AllowedValues: [ '190812797848', '799135046351', '682816785079', '637423407294', '590183797493' ]
ConcurrentExecutions:
Default: 42
Description: The number of concurrent lambda executions for the agent.
MaxValue: 200
MinValue: 0
Type: Number
EnableRemoteUpdates:
AllowedValues:
- True
- False
Default: True
Description: Select True if you want to allow Monte Carlo to be able to update your agent remotely.
Type: String
ExistingSubnetIds:
Default: N/A
Description: >
Optionally specify a comma-delimited list of private subnet IDs (at least 2). Required if connecting to a VPC.
Type: CommaDelimitedList
ExistingVpcId:
AllowedPattern: '^(vpc[e]?-[0-9a-f]*)$|N/A'
Default: N/A
Description: Optionally specify a VPC ID to deploy the agent into.
Type: String
ImageUri:
Default: 590183797493.dkr.ecr.*.amazonaws.com/mcd-agent:latest
Description: >
URI of the Agent container image (ECR Repo). Note that the region automatically maps to where this stack
is deployed in.
Type: String
MemorySize:
Default: 512
Description: >
The amount of memory (MB) available to the agent at runtime; this value can be any multiple of
1 MB greater than 256MB.
MinValue: 256
MaxValue: 10240
Type: Number
Outputs:
FunctionArn:
Description: Agent Function ARN. To be used in registering.
Value: !GetAtt Function.Arn
InvocationRoleArn:
Description: Assumable role ARN. To be used in registering.
Value: !GetAtt InvocationRole.Arn
InvocationRoleExternalId:
Description: Assumable role External ID. To be used in registering.
Value: !Select [ 2, !Split [ '/', !Ref AWS::StackId ] ]
SecurityGroupId:
Condition: ShouldConnectVPC
Description: Security group ID.
Value: !Ref SecurityGroup
StorageArn:
Description: Storage bucket ARN.
Value: !GetAtt Storage.Arn
Conditions:
ShouldCreateUpdatePolicy: !Equals
- !Ref EnableRemoteUpdates
- True
ShouldConnectVPC: !And
- !Not [ !Equals [ !Ref ExistingVpcId, 'N/A' ] ]
- !Not [ !Equals [ !Join [ '', !Ref ExistingSubnetIds ], 'N/A' ] ]
- !Not [ !Equals [ !Ref ExistingVpcId, '' ] ]
- !Not [ !Equals [ !Join [ '', !Ref ExistingSubnetIds ], '' ] ]
ShouldSkipCloudAccountPolicy: !Equals
- !Ref 'CloudAccountId'
- '590183797493'
Resources:
Storage:
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
LifecycleConfiguration:
Rules:
- ExpirationInDays: 90
Prefix: 'mcd/'
Status: Enabled
- ExpirationInDays: 2
Prefix: 'mcd/responses/'
Status: Enabled
# CORS configuration required for access through pre-signed URLs from the browser
CorsConfiguration:
CorsRules:
- AllowedHeaders:
- '*'
AllowedMethods:
- GET
AllowedOrigins:
- 'https://getmontecarlo.com'
- 'https://*.getmontecarlo.com'
MaxAge: 3000
Type: AWS::S3::Bucket
StorageSSLPolicy:
Properties:
Bucket: !Ref Storage
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: DenyActionsWithoutSSL
Effect: Deny
Principal:
AWS: '*'
Action:
- '*'
Resource:
- !GetAtt Storage.Arn
- !Sub '${Storage.Arn}/*'
Condition:
Bool:
aws:SecureTransport:
- false
Type: AWS::S3::BucketPolicy
LogGroup:
Properties:
LogGroupName: !Sub '/aws/lambda/${AWS::StackName}-AgentLambda'
RetentionInDays: 14
Type: AWS::Logs::LogGroup
Function:
Properties:
Code:
ImageUri: !Join
- ''
- - !Select [ 0, !Split [ '*', !Ref ImageUri ] ]
- !Ref 'AWS::Region'
- !Select [ 1, !Split [ '*', !Ref ImageUri ] ]
ImageConfig:
Command:
- apollo.interfaces.lambda_function.handler.lambda_handler
PackageType: Image
Environment:
Variables:
MCD_AGENT_IMAGE_TAG: !Join
- ''
- - !Select [ 0, !Split [ '*', !Ref ImageUri ] ]
- !Ref 'AWS::Region'
- !Select [ 1, !Split [ '*', !Ref ImageUri ] ]
MCD_AGENT_CLOUD_PLATFORM: AWS
MCD_STORAGE_BUCKET_NAME: !Ref Storage
MCD_AGENT_IS_REMOTE_UPGRADABLE: !If [ ShouldCreateUpdatePolicy, True, False ]
MCD_AGENT_WRAPPER_TYPE: CLOUDFORMATION
MCD_AGENT_WRAPPER_VERSION: 1.0.0
MCD_STACK_ID: !Ref 'AWS::StackId'
MCD_LOG_GROUP_ID: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/${AWS::Partition}/lambda/${AWS::StackName}-AgentLambda"
MCD_AGENT_CONNECTED_TO_A_VPC: !If [ ShouldConnectVPC, True, False ]
FunctionName: !Sub '${AWS::StackName}-AgentLambda'
MemorySize: !Ref MemorySize
ReservedConcurrentExecutions: !Ref ConcurrentExecutions
Role: !GetAtt ExecutionRole.Arn
Tags:
- Key: Name
Value: monte-carlo-agent
Timeout: 900
VpcConfig: !If
- ShouldConnectVPC
- SecurityGroupIds:
- !Ref SecurityGroup
SubnetIds: !Ref ExistingSubnetIds
- !Ref AWS::NoValue
Type: AWS::Lambda::Function
ExecutionRole:
Properties:
AssumeRolePolicyDocument:
Statement:
- Action:
- sts:AssumeRole
Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
ManagedPolicyArns:
- !If
- ShouldConnectVPC
- arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- s3:PutObject
- s3:GetObject
- s3:DeleteObject
- s3:ListBucket
- s3:GetBucketPublicAccessBlock
- s3:GetBucketPolicyStatus
- s3:GetBucketAcl
Effect: Allow
Resource:
- !Sub 'arn:aws:s3:::${Storage}'
- !Sub 'arn:aws:s3:::${Storage}/*'
PolicyName: S3Policy
- PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- cloudformation:DescribeStacks
- cloudformation:DescribeStackEvents
- cloudformation:GetTemplate
Effect: Allow
Resource:
- !Ref 'AWS::StackId'
PolicyName: StackReadPolicy
- PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- "logs:Describe*"
- "logs:Get*"
- "logs:List*"
- logs:StartQuery
- logs:FilterLogEvents
Effect: Allow
Resource:
- !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/${AWS::Partition}/lambda/${AWS::StackName}-AgentLambda:*"
PolicyName: LogsPolicy
- PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- logs:StopQuery
Effect: Allow
Resource:
- !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*"
PolicyName: LogsStopQueryPolicy
- PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- lambda:GetFunctionConfiguration
- lambda:ListTags
- lambda:GetFunction
Effect: Allow
Resource:
- !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}-*'
PolicyName: LambdaInfoPolicy
- PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- sts:AssumeRole
Condition:
StringEquals:
iam:ResourceTag/MonteCarloData: ''
Effect: Allow
Resource:
- '*'
PolicyName: AssumeRolePolicy
- !If
- ShouldCreateUpdatePolicy
- PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- cloudformation:UpdateStack
- cloudformation:UpdateStackInstances
Effect: Allow
Resource:
- !Ref 'AWS::StackId'
PolicyName: StackUpdatePolicy
- !Ref AWS::NoValue
- !If
- ShouldCreateUpdatePolicy
- PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- iam:GetRole
- iam:PassRole
Condition:
ForAllValues:StringEquals:
iam:ResourceTag/RoleSource: monte-carlo-agent
Effect: Allow
Resource:
- '*'
PolicyName: RolePolicy
- !Ref AWS::NoValue
- !If
- ShouldCreateUpdatePolicy
- PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- lambda:CreateFunction
- lambda:UpdateFunctionCode
- lambda:TagResource
- lambda:UntagResource
- lambda:UpdateFunctionConfiguration
- lambda:DeleteFunction
- lambda:DeleteFunctionConcurrency
- lambda:PutFunctionConcurrency
Effect: Allow
Resource:
- !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}-*'
PolicyName: LambdaUpdatePolicy
- !Ref AWS::NoValue
- !If
- ShouldCreateUpdatePolicy
- PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- ecr:BatchGetImage
- ecr:GetDownloadUrlForLayer
Effect: Allow
Resource:
- !Join
- ':'
- - !Sub 'arn:aws:ecr:${AWS::Region}'
- !Select [ 0, !Split [ '.', !Ref ImageUri ] ]
- 'repository/*'
PolicyName: RepoAccessPolicy
- !Ref AWS::NoValue
Tags:
- Key: RoleSource
Value: monte-carlo-agent
Type: AWS::IAM::Role
InvocationRole:
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
AWS: !If
- ShouldSkipCloudAccountPolicy
- ['arn:aws:iam::590183797493:root']
- [!Sub 'arn:aws:iam::${CloudAccountId}:root', 'arn:aws:iam::590183797493:root']
Action: sts:AssumeRole
Condition:
StringEquals:
sts:ExternalId: !Select [ 2, !Split [ '/', !Ref AWS::StackId ] ]
Policies:
- PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- lambda:InvokeFunction
Resource:
- !GetAtt Function.Arn
Effect: Allow
PolicyName: InvokePolicy
Tags:
- Key: MonteCarloData
Value: ''
Type: AWS::IAM::Role
SecurityGroup:
Condition: ShouldConnectVPC
Properties:
GroupDescription: Agent SG
SecurityGroupEgress:
- CidrIp: '0.0.0.0/0'
IpProtocol: '-1'
SecurityGroupIngress: [ ]
VpcId: !Ref ExistingVpcId
Type: AWS::EC2::SecurityGroup
SecurityGroupIngress:
Condition: ShouldConnectVPC
Properties:
GroupId: !Ref SecurityGroup
IpProtocol: -1
SourceSecurityGroupId: !Ref SecurityGroup
Type: AWS::EC2::SecurityGroupIngress
Rules:
requireSubnet:
Assertions:
- Assert:
Fn::Not:
- Fn::EachMemberEquals:
- Ref: ExistingSubnetIds
- N/A
AssertDescription: Subnet IDs are required when using existing VPC
RuleCondition:
Fn::Not:
- Fn::Equals:
- Ref: ExistingVpcId
- N/A
requireVpc:
Assertions:
- Assert:
Fn::Not:
- Fn::Equals:
- Ref: ExistingVpcId
- N/A
AssertDescription: VPC ID is required when using existing VPC
RuleCondition:
Fn::Not:
- Fn::EachMemberEquals:
- Ref: ExistingSubnetIds
- N/A