# Supporting infrastructure for a container-image Lambda that runs Pandoc.
# This template declares the log group, the execution role and the ECR
# repository; the function itself is not created here.
AWSTemplateFormatVersion: "2010-09-09"
Description: Pandoc Lambda Function using Docker container
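Parameters:
  # Both parameters are substituted into resource names and into the Resource
  # ARNs of IAM policy statements in this template. They are therefore limited
  # to the characters the target services accept, so a wildcard ('*' or '?')
  # or an ARN separator (':') can never be injected into a policy ARN, and a
  # bad value is rejected at parameter validation instead of mid-deployment.
  ECRRepositoryName:
    Type: String
    Default: pandoc-lambda
    Description: Name of the ECR repository for the Pandoc Lambda image
    MinLength: 2
    MaxLength: 256
    AllowedPattern: '^[a-z0-9][a-z0-9._/-]*$'
    ConstraintDescription: >-
      Must be 2-256 characters of lowercase letters, digits, dot, underscore,
      hyphen or slash, and must start with a letter or digit.
  LambdaFunctionName:
    Type: String
    Default: pandoc-lambda-function
    Description: Name of the Lambda function
    MinLength: 1
    MaxLength: 64
    AllowedPattern: '^[a-zA-Z0-9_-]+$'
    ConstraintDescription: >-
      Must be 1-64 characters of letters, digits, underscore or hyphen.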
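Resources:
  # Log group for the function's output. Declaring it in the stack puts the
  # 30-day retention under template control.
  LambdaLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub '/aws/lambda/${LambdaFunctionName}'
      RetentionInDays: 30

  # Execution role for the Pandoc function.
  # NOTE(review): the fixed RoleName means the stack must be deployed with
  # CAPABILITY_NAMED_IAM, and because IAM role names are unique per account a
  # second copy of this stack in the same account (in any region) will fail.
  # Omit RoleName or derive it from the stack name if that matters.
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: lambda-pandoc-execution-role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Trust policy: only the Lambda service may assume this role.
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # ${AWS::Partition} instead of a literal "aws" keeps the ARN valid in
        # the GovCloud and China partitions; in commercial regions the value
        # is unchanged.
        # NOTE(review): this managed policy allows logs:CreateLogGroup,
        # logs:CreateLogStream and logs:PutLogEvents on all resources, which
        # makes the log-group-scoped CloudWatchLogsAccess policy below
        # redundant. For least privilege keep only the scoped policy; that is
        # sufficient as long as the function is deployed under
        # LambdaFunctionName - confirm against deploy.sh before removing.
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
      Policies:
        # Read-only image access, limited to this stack's repository.
        # NOTE(review): the image pull for a container-image function is
        # normally authorized through the repository policy for the Lambda
        # service, not through the execution role - confirm whether the
        # function code itself needs ECR access; if not, drop this policy.
        - PolicyName: ECRAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ecr:GetDownloadUrlForLayer
                  - ecr:BatchGetImage
                Resource: !Sub 'arn:${AWS::Partition}:ecr:${AWS::Region}:${AWS::AccountId}:repository/${ECRRepositoryName}'
        # Write access to log streams of this function's log group only.
        # logs:CreateLogGroup is not needed because LambdaLogGroup above
        # already creates the group.
        - PolicyName: CloudWatchLogsAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${LambdaFunctionName}:*'

  # Repository that holds the Pandoc Lambda container image.
  # NOTE(review): no image scanning and no tag immutability are configured.
  # Consider enabling scan-on-push (per repository or at registry level). Tag
  # immutability would conflict with the ":latest" tag used in the commented
  # function below, so it requires deploying by unique tag or digest first.
  ECRRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: !Ref ECRRepositoryName
      LifecyclePolicy:
        # The rule applies to tagged and untagged images alike: once more than
        # five images exist, the oldest are expired, so rollback targets older
        # than five pushes are no longer available.
        LifecyclePolicyText: |
          {
            "rules": [
              {
                "rulePriority": 1,
                "description": "Keep only the last 5 images",
                "selection": {
                  "tagStatus": "any",
                  "countType": "imageCountMoreThan",
                  "countNumber": 5
                },
                "action": {
                  "type": "expire"
                }
              }
            ]
          }

  # Only define the ECR Repository and IAM Role, we'll create the Lambda function with deploy.sh
  # We'll comment out the PandocLambdaFunction since it requires an existing image
  # NOTE(review) before re-enabling the two resources below:
  #   - ImageUri uses the mutable ":latest" tag, so the stack does not record
  #     which image is actually running; prefer an image digest or a unique tag.
  #   - PandocLambdaPermission has no SourceArn, so it is not limited to one
  #     API; add SourceArn for the specific API Gateway API (and SourceAccount
  #     where applicable) so only that API can invoke the function.
  # PandocLambdaFunction:
  #   Type: AWS::Lambda::Function
  #   Properties:
  #     FunctionName: !Ref LambdaFunctionName
  #     PackageType: Image
  #     Code:
  #       ImageUri: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${ECRRepositoryName}:latest"
  #     Role: !GetAtt LambdaExecutionRole.Arn
  #     Timeout: 30
  #     MemorySize: 512
  #   DependsOn:
  #     - ECRRepository
  # PandocLambdaPermission:
  #   Type: AWS::Lambda::Permission
  #   Properties:
  #     Action: lambda:InvokeFunction
  #     FunctionName: !Ref PandocLambdaFunction
  #     Principal: apigateway.amazonaws.com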
# Values the out-of-band deployment step needs: the role to attach to the
# function, the repository URI to push the image to, and the log group name.
Outputs:
  LambdaExecutionRoleArn:
    Value: !GetAtt LambdaExecutionRole.Arn
    Description: Lambda Execution Role ARN
  ECRRepository:
    # RepositoryUri is the registry/repository address without a tag.
    Value: !GetAtt ECRRepository.RepositoryUri
    Description: ECR Repository for the Pandoc Lambda image
  LogGroupName:
    # !Ref on a log group yields its name.
    Value: !Ref LambdaLogGroup
    Description: CloudWatch Log Group for Lambda function