VPC with private subnets using VPC Endpoint for access to S3 and Parameter Store
AWSTemplateFormatVersion: 2010-09-09
Description: >-
  VPC with private subnets using VPC Endpoint for access to S3 and Parameter Store
Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      # Required (together with the default EnableDnsSupport) for PrivateDnsEnabled on the SSM endpoint.
      EnableDnsHostnames: true
  # One route table shared by all three subnets. It carries no default route, so the
  # subnets are private and the VPC endpoints below are the only path to AWS APIs.
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref Vpc
  SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: eu-west-1a
      CidrBlock: 10.0.1.0/24
      VpcId: !Ref Vpc
  SubnetATableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetA
  SubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: eu-west-1b
      CidrBlock: 10.0.2.0/24
      VpcId: !Ref Vpc
  SubnetBTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetB
  SubnetC:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: eu-west-1c
      CidrBlock: 10.0.3.0/24
      VpcId: !Ref Vpc
  SubnetCTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetC
  # Gateway endpoint: S3 is reached through a prefix-list route added to the route
  # table; no ENIs, no security groups, no data-processing charge.
  S3VpcEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref Vpc
      VpcEndpointType: Gateway
      RouteTableIds:
        - !Ref RouteTable
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
  LambdaSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for Lambda
      VpcId: !Ref Vpc
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service: lambda.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
      Policies:
        - PolicyName: AccessSSMParameterStore
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: ssm:GetParameter
                # '*' grants every parameter in the account; scope this to the parameter's ARN in production.
                Resource: '*'
  Lambda:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: ReadingSSMParameterStoreLambda
      Role: !GetAtt LambdaRole.Arn
      Runtime: python3.7
      Timeout: 3
      MemorySize: 128
      Handler: index.lambda_handler
      Code:
        # Literal block (|) preserves line breaks. The folded form (>-) joins
        # "import boto3" and the def line into one line, which is not valid Python.
        ZipFile: |
          import boto3

          def lambda_handler(event, context):
              try:
                  # With private DNS on the endpoint, the default regional SSM
                  # hostname resolves inside the VPC; no endpoint_url needed.
                  ssm = boto3.client('ssm')
                  parameter = ssm.get_parameter(Name='/application/config/password', WithDecryption=True)
                  return parameter['Parameter']['Value']
              except Exception as e:
                  return 'Problem fetching parameter from parameter store'
      VpcConfig:
        SecurityGroupIds:
          - !Ref LambdaSecurityGroup
        SubnetIds:
          - !Ref SubnetA
          - !Ref SubnetB
          - !Ref SubnetC
  SSMVpcEndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for SSM VPC Endpoint
      VpcId: !Ref Vpc
  SSMVpcEndpointSecurityGroupSelfIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      SourceSecurityGroupId: !Ref SSMVpcEndpointSecurityGroup
      FromPort: -1
      ToPort: -1
      IpProtocol: -1
      GroupId: !Ref SSMVpcEndpointSecurityGroup
  # Lets the Lambda reach the endpoint ENIs. The endpoint only listens on TCP 443,
  # so this rule can be tightened to IpProtocol tcp with FromPort/ToPort 443.
  SSMVpcEndpointSecurityGroupIngressLambda:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      SourceSecurityGroupId: !Ref LambdaSecurityGroup
      FromPort: -1
      ToPort: -1
      IpProtocol: -1
      GroupId: !Ref SSMVpcEndpointSecurityGroup
  # Interface endpoint: ENIs in each subnet, guarded by the security group above.
  SSMVpcEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref Vpc
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ssm
      # Makes ssm.<region>.amazonaws.com resolve to the endpoint ENIs from inside the VPC.
      PrivateDnsEnabled: true
      SecurityGroupIds:
        - !Ref SSMVpcEndpointSecurityGroup
      SubnetIds:
        - !Ref SubnetA
        - !Ref SubnetB
        - !Ref SubnetC
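Added check, not part of the gist: a stdlib-only Python lint over a constructed dict that mirrors the template's resources (the JSON form of the intrinsics, `!Ref X` as `{"Ref": "X"}`), verifying the three properties this private-subnet design relies on: no internet or NAT gateway, every Lambda subnet routes through the S3 gateway endpoint, and the SSM interface endpoint has private DNS enabled. The dict contents and finding strings are assumptions chosen for the example.

```python
# Constructed subset of the template above, as the dict a CloudFormation
# JSON/YAML loader would produce (intrinsics as {"Ref": ...}).
TEMPLATE = {"Resources": {
    "RouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {}},
    "SubnetA": {"Type": "AWS::EC2::Subnet", "Properties": {}},
    "SubnetATableAssociation": {
        "Type": "AWS::EC2::SubnetRouteTableAssociation",
        "Properties": {"RouteTableId": {"Ref": "RouteTable"}, "SubnetId": {"Ref": "SubnetA"}}},
    "S3VpcEndpoint": {"Type": "AWS::EC2::VPCEndpoint", "Properties": {
        "VpcEndpointType": "Gateway", "RouteTableIds": [{"Ref": "RouteTable"}]}},
    "SSMVpcEndpoint": {"Type": "AWS::EC2::VPCEndpoint", "Properties": {
        "VpcEndpointType": "Interface", "PrivateDnsEnabled": True}},
    "Lambda": {"Type": "AWS::Lambda::Function", "Properties": {
        "VpcConfig": {"SubnetIds": [{"Ref": "SubnetA"}]}}},
}}


def of_type(resources, rtype):
    return {n: r for n, r in resources.items() if r["Type"] == rtype}


def find_issues(template):
    """Return a list of findings; an empty list means the private-only design holds."""
    res = template["Resources"]
    issues = []
    # 1. No IGW/NAT: the VPC endpoints must be the only path to AWS APIs.
    for name in (*of_type(res, "AWS::EC2::InternetGateway"), *of_type(res, "AWS::EC2::NatGateway")):
        issues.append(f"{name}: internet egress path present in a private-only design")
    # 2. Each Lambda subnet's route table must carry a gateway endpoint route,
    #    otherwise S3 calls from that subnet have nowhere to go and time out.
    endpoints = of_type(res, "AWS::EC2::VPCEndpoint")
    gw_tables = {rt["Ref"] for e in endpoints.values()
                 if e["Properties"].get("VpcEndpointType") == "Gateway"
                 for rt in e["Properties"].get("RouteTableIds", [])}
    subnet_table = {a["Properties"]["SubnetId"]["Ref"]: a["Properties"]["RouteTableId"]["Ref"]
                    for a in of_type(res, "AWS::EC2::SubnetRouteTableAssociation").values()}
    for name, fn in of_type(res, "AWS::Lambda::Function").items():
        for s in fn["Properties"].get("VpcConfig", {}).get("SubnetIds", []):
            if subnet_table.get(s["Ref"]) not in gw_tables:
                issues.append(f"{name}: subnet {s['Ref']} has no route table with a gateway endpoint")
    # 3. Interface endpoints need private DNS so the SDK's default regional
    #    hostname resolves to the endpoint ENIs rather than the public service IP.
    for name, e in endpoints.items():
        if e["Properties"].get("VpcEndpointType") == "Interface" and not e["Properties"].get("PrivateDnsEnabled"):
            issues.append(f"{name}: interface endpoint without PrivateDnsEnabled")
    return issues
```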