Last active: February 18, 2018 14:42
Gist: cagataygurturk/269a75f0f9c7a0da047ef71a5137f885
# CloudFormation template: a custom-resource Lambda creates a security group in the
# target region/VPC and keeps its ingress rules in sync with Amazon's published IP
# ranges (it subscribes to the AmazonIpSpaceChanged SNS topic). The handler code
# itself (lambda.zip, index.handler) is not part of this gist.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  ResourceRegion:
    Type: String
    Description: The region where the resource to be allowed is deployed
    Default: eu-west-1
  ResourceVpcId:
    Type: String
    Description: The VPC ID where the resource to be allowed is deployed
# The AmazonIpSpaceChanged topic lives in us-east-1, so the Lambda, its role and its
# invoke permission are only created when this stack is deployed in us-east-1.
Conditions:
  CreateResources: !Equals [!Ref "AWS::Region", us-east-1]
Resources:
  # Custom resource: CloudFormation sends Create/Update/Delete events to the Lambda
  # below, which manages the security group in ResourceRegion / ResourceVpcId.
  SecurityGroup:
    DependsOn: PermissionForEventsToInvokeLambda
    Type: Custom::SecurityGroup
    Properties:
      ServiceToken: !GetAtt CreateAndUpdateSecurityGroupFunction.Arn
      Region: !Ref ResourceRegion
      VpcId: !Ref ResourceVpcId
  CreateAndUpdateSecurityGroupFunction:
    Condition: CreateResources
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: cloudfront-access-elb
        S3Key: lambda.zip
      Handler: index.handler
      Runtime: nodejs6.10
      Timeout: 300
      Description: Used to update security groups for Route53 health check. Do not touch.
      Role: !GetAtt CreateAndUpdateSecurityGroupExecutionRole.Arn
  CreateAndUpdateSecurityGroupExecutionRole:
    Condition: CreateResources
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: root
          PolicyDocument:
            # Quoted so YAML tooling does not parse the version as a date.
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: arn:aws:logs:*:*:*
              - Effect: Allow
                Action:
                  - ec2:AuthorizeSecurityGroupIngress
                  - ec2:RevokeSecurityGroupIngress
                  - ec2:DeleteSecurityGroup
                  - ec2:CreateSecurityGroup
                  - ec2:DescribeSecurityGroups
                  # Lets the handler subscribe itself to the AmazonIpSpaceChanged topic.
                  - sns:Subscribe
                # Applies to every security group in the account, not only the one
                # this stack manages.
                Resource: "*"
  # Only the AWS-owned AmazonIpSpaceChanged topic may invoke the function.
  PermissionForEventsToInvokeLambda:
    Condition: CreateResources
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref CreateAndUpdateSecurityGroupFunction
      Action: lambda:InvokeFunction
      Principal: sns.amazonaws.com
      SourceArn: arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged