@rubikill
Created November 1, 2022 02:28
Description: (SO0062) - Distributed Load Testing on AWS is a reference architecture to perform application load testing at scale. Version v2.0.1
AWSTemplateFormatVersion: "2010-09-09"
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Console access
        Parameters:
          - AdminName
          - AdminEmail
      - Label:
          default: Enter values here to use your own existing VPC
        Parameters:
          - ExistingVPCId
          - ExistingSubnetA
          - ExistingSubnetB
      - Label:
          default: Or have the solution create a new AWS Fargate VPC
        Parameters:
          - VpcCidrBlock
          - SubnetACidrBlock
          - SubnetBCidrBlock
          - EgressCidr
    ParameterLabels:
      AdminName:
        default: "* Console Administrator Name"
      AdminEmail:
        default: "* Console Administrator Email"
      ExistingVPCId:
        default: "The ID of an existing VPC in this region. Ex: `vpc-1a2b3c4d5e6f`"
      ExistingSubnetA:
        default: "The ID of a subnet within the existing VPC. Ex: `subnet-7h8i9j0k`"
      ExistingSubnetB:
        default: "The ID of a subnet within the existing VPC. Ex: `subnet-1x2y3z`"
      VpcCidrBlock:
        default: AWS Fargate VPC CIDR Block
      SubnetACidrBlock:
        default: AWS Fargate Subnet A CIDR Block
      SubnetBCidrBlock:
        default: AWS Fargate Subnet B CIDR Block
      EgressCidr:
        default: AWS Fargate SecurityGroup CIDR Block
Parameters:
  AdminName:
    Type: String
    AllowedPattern: "[a-zA-Z0-9-]+"
    ConstraintDescription: Admin username must be a minimum of 4 characters and cannot include spaces
    Description: Admin user name to access the Distributed Load Testing console
    MaxLength: 20
    MinLength: 4
  AdminEmail:
    Type: String
    AllowedPattern: ^[_A-Za-z0-9-\+]+(\.[_A-Za-z0-9-]+)*@[A-Za-z0-9-]+(\.[A-Za-z0-9]+)*(\.[A-Za-z]{2,})$
    ConstraintDescription: Admin email must be a valid email address
    Description: Admin user email address to access the Distributed Load Testing Console
    MinLength: 5
  ExistingVPCId:
    Type: String
    AllowedPattern: (?:^$|^vpc-[a-zA-Z0-9-]+)
    Description: Existing VPC ID
  ExistingSubnetA:
    Type: String
    AllowedPattern: (?:^$|^subnet-[a-zA-Z0-9-]+)
    Description: First existing subnet
  ExistingSubnetB:
    Type: String
    AllowedPattern: (?:^$|^subnet-[a-zA-Z0-9-]+)
    Description: Second existing subnet
  VpcCidrBlock:
    Type: String
    Default: 192.168.0.0/16
    AllowedPattern: (?:^$|(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}))
    ConstraintDescription: The VPC CIDR block must be a valid IP CIDR range of the form x.x.x.x/x.
    Description: CIDR block of the new VPC where AWS Fargate will be placed
    MaxLength: 18
    MinLength: 9
  SubnetACidrBlock:
    Type: String
    Default: 192.168.0.0/20
    AllowedPattern: (?:^$|(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}))
    ConstraintDescription: The subnet CIDR block must be a valid IP CIDR range of the form x.x.x.x/x.
    Description: CIDR block for subnet A of the AWS Fargate VPC
    MaxLength: 18
    MinLength: 9
  SubnetBCidrBlock:
    Type: String
    Default: 192.168.16.0/20
    AllowedPattern: (?:^$|(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}))
    ConstraintDescription: The subnet CIDR block must be a valid IP CIDR range of the form x.x.x.x/x.
    Description: CIDR block for subnet B of the AWS Fargate VPC
  EgressCidr:
    Type: String
    Default: 0.0.0.0/0
    AllowedPattern: (?:^$|(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}))
    ConstraintDescription: The Egress CIDR block must be a valid IP CIDR range of the form x.x.x.x/x.
    Description: CIDR Block to restrict the ECS container outbound access
    MaxLength: 18
    MinLength: 9
Mappings:
  Solution:
    Config:
      CodeVersion: v2.0.1
      KeyPrefix: distributed-load-testing-on-aws/v2.0.1
      S3Bucket: solutions
      SendAnonymousUsage: "Yes"
      SolutionId: SO0062
      URL: https://metrics.awssolutionsbuilder.com/generic
Conditions:
  SendAnonymousUsage:
    Fn::Equals:
      - Fn::FindInMap:
          - Solution
          - Config
          - SendAnonymousUsage
      - "Yes"
  CreateFargateVPCResources:
    Fn::Equals:
      - Ref: ExistingVPCId
      - ""
  BoolExistingVPC:
    Fn::Not:
      - Fn::Equals:
          - Ref: ExistingVPCId
          - ""
  CDKMetadataAvailable:
    Fn::Or:
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - af-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-northeast-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-northeast-2
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-southeast-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-southeast-2
          - Fn::Equals:
              - Ref: AWS::Region
              - ca-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - cn-north-1
          - Fn::Equals:
              - Ref: AWS::Region
              - cn-northwest-1
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-north-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-2
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-3
          - Fn::Equals:
              - Ref: AWS::Region
              - me-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - sa-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-east-2
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - us-west-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-west-2
Resources:
  DLTVpcDLTFargateVpc0E6FEAB7:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock:
        Ref: VpcCidrBlock
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: Name
          Value:
            Ref: AWS::StackName
        - Key: SolutionId
          Value:
            Fn::FindInMap:
              - Solution
              - Config
              - SolutionId
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W60
            reason: This VPC is used for the test runner Fargate tasks only, it does not require VPC flow logs.
    Condition: CreateFargateVPCResources
  DLTVpcDLTSubnetAAE7DDEE8:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock:
        Ref: SubnetACidrBlock
      VpcId:
        Ref: DLTVpcDLTFargateVpc0E6FEAB7
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      Tags:
        - Key: SolutionId
          Value:
            Fn::FindInMap:
              - Solution
              - Config
              - SolutionId
    Condition: CreateFargateVPCResources
  DLTVpcDLTSubnetB294F4ED2:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock:
        Ref: SubnetBCidrBlock
      VpcId:
        Ref: DLTVpcDLTFargateVpc0E6FEAB7
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      Tags:
        - Key: SolutionId
          Value:
            Fn::FindInMap:
              - Solution
              - Config
              - SolutionId
    Condition: CreateFargateVPCResources
  DLTVpcDLTFargateIG0E71BA5C:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: SolutionId
          Value:
            Fn::FindInMap:
              - Solution
              - Config
              - SolutionId
    Condition: CreateFargateVPCResources
  DLTVpcDLTFargateRT86406464:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: DLTVpcDLTFargateVpc0E6FEAB7
      Tags:
        - Key: SolutionId
          Value:
            Fn::FindInMap:
              - Solution
              - Config
              - SolutionId
    Condition: CreateFargateVPCResources
  DLTVpcDLTGatewayattachment220D400F:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: DLTVpcDLTFargateVpc0E6FEAB7
      InternetGatewayId:
        Ref: DLTVpcDLTFargateIG0E71BA5C
    Condition: CreateFargateVPCResources
  DLTVpcDLTRouteF8F2A836:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: DLTVpcDLTFargateRT86406464
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId:
        Ref: DLTVpcDLTFargateIG0E71BA5C
    DependsOn:
      - DLTVpcDLTGatewayattachment220D400F
    Condition: CreateFargateVPCResources
  DLTVpcDLTRouteTableAssociationAE94A08EA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: DLTVpcDLTFargateRT86406464
      SubnetId:
        Ref: DLTVpcDLTSubnetAAE7DDEE8
    Condition: CreateFargateVPCResources
  DLTVpcDLTRouteTableAssociationBBED3E4B3:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: DLTVpcDLTFargateRT86406464
      SubnetId:
        Ref: DLTVpcDLTSubnetB294F4ED2
    Condition: CreateFargateVPCResources
  DLTEcsDLTECR2419F66F:
    Type: AWS::ECR::Repository
    Properties:
      ImageScanningConfiguration:
        ScanOnPush: true
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
  DLTEcsDLTEcsClusterBC5CE23B:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName:
        Ref: AWS::StackName
      ClusterSettings:
        - Name: containerInsights
          Value: enabled
      Tags:
        - Key: CloudFormation Stack
          Value:
            Ref: AWS::StackName
        - Key: SolutionId
          Value:
            Fn::FindInMap:
              - Solution
              - Config
              - SolutionId
  DLTEcsDLTTaskExecutionRoleDE668717:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - :iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
  DLTEcsDLTCloudWatchLogsGroupFE9EC144:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 365
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W84
            reason: KMS encryption unnecessary for log group
  DLTEcsDLTTaskDefinition6BFC2400:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Essential: true
          Image: public.ecr.aws/aws-solutions/distributed-load-testing-on-aws-load-tester:v2.0.1
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group:
                Ref: DLTEcsDLTCloudWatchLogsGroupFE9EC144
              awslogs-stream-prefix: load-testing
              awslogs-region:
                Ref: AWS::Region
          Memory: 4096
          Name:
            Fn::Join:
              - ""
              - - Ref: AWS::StackName
                - -load-tester
      Cpu: "2048"
      ExecutionRoleArn:
        Fn::GetAtt:
          - DLTEcsDLTTaskExecutionRoleDE668717
          - Arn
      Memory: "4096"
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      TaskRoleArn:
        Fn::GetAtt:
          - DLTEcsDLTTaskExecutionRoleDE668717
          - Arn
  DLTEcsDLTEcsSecurityGroup69E6743C:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: DLTS Tasks Security Group
      VpcId:
        Fn::If:
          - CreateFargateVPCResources
          - Ref: DLTVpcDLTFargateVpc0E6FEAB7
          - Ref: ExistingVPCId
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W40
            reason: IpProtocol set to -1 (any) as ports are not known prior to running tests
  DLTEcsDLTSecGroupEgressE1DA93E8:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId:
        Ref: DLTEcsDLTEcsSecurityGroup69E6743C
      IpProtocol: "-1"
      CidrIp:
        Ref: EgressCidr
      Description: Allow tasks to call out to external resources
  DLTEcsDLTSecGroupIngressFA958E66:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      Description: Allow tasks to communicate
      FromPort: 50000
      GroupId:
        Ref: DLTEcsDLTEcsSecurityGroup69E6743C
      SourceSecurityGroupId:
        Ref: DLTEcsDLTEcsSecurityGroup69E6743C
      ToPort: 50000
  DLTCommonResourcesCloudWatchLogsPolicyB29337B0:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - ":logs:"
                  - Ref: AWS::Region
                  - ":"
                  - Ref: AWS::AccountId
                  - :log-group:/aws/lambda/*
        Version: "2012-10-17"
      PolicyName: DLTCommonResourcesCloudWatchLogsPolicyB29337B0
      Roles:
        - Ref: DLTEcsDLTTaskExecutionRoleDE668717
        - Ref: DLTCommonResourcesCustomResourceLambdaRole0608CAD2
        - Ref: DLTLambdaFunctionLambdaResultsRole2CF2D707
        - Ref: DLTLambdaFunctionDLTTestLambdaTaskRole1FDBCEDD
        - Ref: DLTLambdaFunctionLambdaTaskCancelerRoleAE2C84CF
        - Ref: DLTLambdaFunctionTaskStatusRole9288E645
        - Ref: DLTApiDLTAPIServicesLambdaRole4465EAA4
  DLTCommonResourcesLogsBucket48A2774D:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: LogDeliveryWrite
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      Tags:
        - Key: SolutionId
          Value:
            Fn::FindInMap:
              - Solution
              - Config
              - SolutionId
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W35
            reason: This is the logging bucket, it does not require logging.
          - id: W51
            reason: Since the bucket does not allow the public access, it does not require to have bucket policy.
  DLTCommonResourcesCustomResourceLambdaRole0608CAD2:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      Policies:
        - PolicyDocument:
            Statement:
              - Action: s3:GetObject
                Effect: Allow
                Resource:
                  Fn::Join:
                    - ""
                    - - "arn:"
                      - Ref: AWS::Partition
                      - ":s3:::"
                      - Fn::Join:
                          - "-"
                          - - Fn::FindInMap:
                                - Solution
                                - Config
                                - S3Bucket
                            - Ref: AWS::Region
                      - /*
            Version: "2012-10-17"
          PolicyName: CustomResourcePolicy
  DLTCommonResourcesCustomResourceLambdaRoleDefaultPolicy7828F0D2:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: s3:PutObject
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - DLTConsoleResourcesDLTCloudFrontToS3S3Bucket4FED8B63
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - DLTConsoleResourcesDLTCloudFrontToS3S3Bucket4FED8B63
                        - Arn
                    - /*
        Version: "2012-10-17"
      PolicyName: DLTCommonResourcesCustomResourceLambdaRoleDefaultPolicy7828F0D2
      Roles:
        - Ref: DLTCommonResourcesCustomResourceLambdaRole0608CAD2
  DLTCommonResourcesCustomResourceLambda0D529C66:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket:
          Fn::Join:
            - "-"
            - - Fn::FindInMap:
                  - Solution
                  - Config
                  - S3Bucket
              - Ref: AWS::Region
        S3Key:
          Fn::Join:
            - ""
            - - Fn::FindInMap:
                  - Solution
                  - Config
                  - KeyPrefix
              - /custom-resource.zip
      Role:
        Fn::GetAtt:
          - DLTCommonResourcesCustomResourceLambdaRole0608CAD2
          - Arn
      Description: CFN Lambda backed custom resource to deploy assets to s3
      Environment:
        Variables:
          METRIC_URL:
            Fn::FindInMap:
              - Solution
              - Config
              - URL
          SOLUTION_ID:
            Fn::FindInMap:
              - Solution
              - Config
              - SolutionId
          VERSION:
            Fn::FindInMap:
              - Solution
              - Config
              - CodeVersion
      Handler: index.handler
      Runtime: nodejs14.x
      Tags:
        - Key: SolutionId
          Value:
            Fn::FindInMap:
              - Solution
              - Config
              - SolutionId
      Timeout: 120
    DependsOn:
      - DLTCommonResourcesCustomResourceLambdaRoleDefaultPolicy7828F0D2
      - DLTCommonResourcesCustomResourceLambdaRole0608CAD2
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W58
            reason: CloudWatchLogsPolicy covers a permission to write CloudWatch logs.
          - id: W89
            reason: VPC not needed for lambda
          - id: W92
            reason: Does not run concurrent executions
  DLTCommonResourcesUUID2FD025A2:
    Type: Custom::UUID
    Properties:
      ServiceToken:
        Fn::GetAtt:
          - DLTCommonResourcesCustomResourceLambda0D529C66
          - Arn
      Resource: UUID
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
  DLTCommonResourcesAnonymousMetric33685222:
    Type: Custom::AnonymousMetric
    Properties:
      ServiceToken:
        Fn::GetAtt:
          - DLTCommonResourcesCustomResourceLambda0D529C66
          - Arn
      Resource: AnonymousMetric
      Region:
        Ref: AWS::Region
      SolutionId:
        Fn::FindInMap:
          - Solution
          - Config
          - SolutionId
      UUID:
        Fn::GetAtt:
          - DLTCommonResourcesUUID2FD025A2
          - UUID
      VERSION:
        Fn::FindInMap:
          - Solution
          - Config
          - CodeVersion
      existingVPC:
        Fn::If:
          - BoolExistingVPC
          - true
          - false
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Condition: SendAnonymousUsage
  DLTConsoleResourcesDLTCloudFrontToS3S3Bucket4FED8B63:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      LifecycleConfiguration:
        Rules:
          - NoncurrentVersionTransitions:
              - StorageClass: GLACIER
                TransitionInDays: 90
            Status: Enabled
      LoggingConfiguration:
        DestinationBucketName:
          Ref: DLTCommonResourcesLogsBucket48A2774D
        LogFilePrefix: console-bucket-access/
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      Tags:
        - Key: SolutionId
          Value:
            Fn::FindInMap:
              - Solution
              - Config
              - SolutionId
      VersioningConfiguration:
        Status: Enabled
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
  DLTConsoleResourcesDLTCloudFrontToS3S3BucketPolicyF90397AC:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: DLTConsoleResourcesDLTCloudFrontToS3S3Bucket4FED8B63
      PolicyDocument:
        Statement:
          - Action: "*"
            Condition:
              Bool:
                aws:SecureTransport: "false"
            Effect: Deny
            Principal:
              AWS: "*"
            Resource:
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - DLTConsoleResourcesDLTCloudFrontToS3S3Bucket4FED8B63
                        - Arn
                    - /*
              - Fn::GetAtt:
                  - DLTConsoleResourcesDLTCloudFrontToS3S3Bucket4FED8B63
                  - Arn
            Sid: HttpsOnly
          - Action: s3:GetObject
            Effect: Allow
            Principal:
              CanonicalUser:
                Fn::GetAtt:
                  - DLTConsoleResourcesDLTCloudFrontToS3CloudFrontDistributionOrigin1S3Origin5080EA34
                  - S3CanonicalUserId
            Resource:
              Fn::Join:
                - ""
                - - Fn::GetAtt:
                      - DLTConsoleResourcesDLTCloudFrontToS3S3Bucket4FED8B63
                      - Arn
                  - /*
        Version: "2012-10-17"
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: F16
            reason: Public website bucket policy requires a wildcard principal
  DLTConsoleResourcesDLTCloudFrontToS3CloudFrontDistributionOrigin1S3Origin5080EA34:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: Identity for DLTStackDLTConsoleResourcesDLTCloudFrontToS3CloudFrontDistributionOrigin1022BE4E8
  DLTConsoleResourcesDLTCloudFrontToS3CloudFrontDistribution3EF384B4:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Comment: Website distribution for the Distributed Load Testing solution
        CustomErrorResponses:
          - ErrorCode: 403
            ResponseCode: 200
            ResponsePagePath: /index.html
          - ErrorCode: 404
            ResponseCode: 200
            ResponsePagePath: /index.html
        DefaultCacheBehavior:
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6
          Compress: true
          TargetOriginId: DLTStackDLTConsoleResourcesDLTCloudFrontToS3CloudFrontDistributionOrigin1022BE4E8
          ViewerProtocolPolicy: redirect-to-https
        DefaultRootObject: index.html
        Enabled: true
        HttpVersion: http2
        IPV6Enabled: true
        Logging:
          Bucket:
            Fn::GetAtt:
              - DLTCommonResourcesLogsBucket48A2774D
              - RegionalDomainName
          Prefix: cloudfront-logs/
        Origins:
          - DomainName:
              Fn::GetAtt:
                - DLTConsoleResourcesDLTCloudFrontToS3S3Bucket4FED8B63
                - RegionalDomainName
            Id: DLTStackDLTConsoleResourcesDLTCloudFrontToS3CloudFrontDistributionOrigin1022BE4E8
            S3OriginConfig:
              OriginAccessIdentity:
                Fn::Join:
                  - ""
                  - - origin-access-identity/cloudfront/
                    - Ref: DLTConsoleResourcesDLTCloudFrontToS3CloudFrontDistributionOrigin1S3Origin5080EA34
      Tags:
        - Key: SolutionId
          Value:
            Fn::FindInMap:
              - Solution
              - Config
              - SolutionId
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W70
            reason: Since the distribution uses the CloudFront domain name, CloudFront automatically sets the security policy to TLSv1 regardless of the value of MinimumProtocolVersion
  DLTTestRunnerStorageDLTScenariosBucketA9290D21:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders:
              - "*"
            AllowedMethods:
              - GET
              - POST
              - PUT
            AllowedOrigins:
              - Fn::Join:
                  - ""
                  - - https://
                    - Fn::GetAtt:
                        - DLTConsoleResourcesDLTCloudFrontToS3CloudFrontDistribution3EF384B4
                        - DomainName
            ExposedHeaders:
              - ETag
      LoggingConfiguration:
        DestinationBucketName:
          Ref: DLTCommonResourcesLogsBucket48A2774D
        LogFilePrefix: scenarios-bucket-access/
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      Tags:
        - Key: SolutionId
          Value:
            Fn::FindInMap:
              - Solution
              - Config
              - SolutionId
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
  DLTTestRunnerStorageDLTScenariosBucketPolicy96221788:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: DLTTestRunnerStorageDLTScenariosBucketA9290D21
      PolicyDocument:
        Statement:
          - Action: s3:*
            Condition:
              Bool:
                aws:SecureTransport: false
            Effect: Deny
            Principal:
              AWS: "*"
            Resource:
              - Fn::GetAtt:
                  - DLTTestRunnerStorageDLTScenariosBucketA9290D21
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - DLTTestRunnerStorageDLTScenariosBucketA9290D21
                        - Arn
                    - /*
        Version: "2012-10-17"
  DLTTestRunnerStorageScenariosS3PolicyD20D3673:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - s3:HeadObject
              - s3:PutObject
              - s3:GetObject
              - s3:ListBucket
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - DLTTestRunnerStorageDLTScenariosBucketA9290D21
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - DLTTestRunnerStorageDLTScenariosBucketA9290D21
                        - Arn
                    - /*
        Version: "2012-10-17"
      PolicyName: DLTTestRunnerStorageScenariosS3PolicyD20D3673
      Roles:
        - Ref: DLTEcsDLTTaskExecutionRoleDE668717
        - Ref: DLTLambdaFunctionLambdaResultsRole2CF2D707
        - Ref: DLTApiDLTAPIServicesLambdaRole4465EAA4
  DLTTestRunnerStorageDLTScenariosTableAB6F5C2A:
    Type: AWS::DynamoDB::Table
    Properties:
      KeySchema:
        - AttributeName: testId
          KeyType: HASH
      AttributeDefinitions:
        - AttributeName: testId
          AttributeType: S
      BillingMode: PAY_PER_REQUEST
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
      SSESpecification:
        SSEEnabled: true
      Tags:
        - Key: SolutionId
          Value:
            Fn::FindInMap:
              - Solution
              - Config
              - SolutionId
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
  DLTTestRunnerStorageDynamoDbPolicyC83287AF:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - dynamodb:DeleteItem
              - dynamodb:GetItem
              - dynamodb:PutItem
              - dynamodb:Scan
              - dynamodb:UpdateItem
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - DLTTestRunnerStorageDLTScenariosTableAB6F5C2A
                - Arn
        Version: "2012-10-17"
      PolicyName: DLTTestRunnerStorageDynamoDbPolicyC83287AF
      Roles:
        - Ref: DLTLambdaFunctionLambdaResultsRole2CF2D707
        - Ref: DLTLambdaFunctionDLTTestLambdaTaskRole1FDBCEDD
        - Ref: DLTLambdaFunctionTaskStatusRole9288E645
        - Ref: DLTApiDLTAPIServicesLambdaRole4465EAA4
  DLTLambdaFunctionLambdaResultsRole2CF2D707:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W12
            reason: The action does not support resource level permissions.
  DLTLambdaFunctionLambdaResultsPolicyB191FC35:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: cloudwatch:GetMetricWidgetImage
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: DLTLambdaFunctionLambdaResultsPolicyB191FC35
      Roles:
        - Ref: DLTLambdaFunctionLambdaResultsRole2CF2D707
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W12
            reason: The action does not support resource level permissions.
  DLTLambdaFunctionResultsParserFF5CC920:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket:
          Fn::Join:
            - "-"
            - - Fn::FindInMap:
                  - Solution
                  - Config
                  - S3Bucket
              - Ref: AWS::Region
        S3Key:
          Fn::Join:
            - ""
            - - Fn::FindInMap:
                  - Solution
                  - Config
                  - KeyPrefix
              - /results-parser.zip
      Role:
        Fn::GetAtt:
          - DLTLambdaFunctionLambdaResultsRole2CF2D707
          - Arn
      Description: Result parser for indexing xml test results to DynamoDB
      Environment:
        Variables:
          SCENARIOS_BUCKET:
            Ref: DLTTestRunnerStorageDLTScenariosBucketA9290D21
          SCENARIOS_TABLE:
            Ref: DLTTestRunnerStorageDLTScenariosTableAB6F5C2A
          SOLUTION_ID:
            Fn::FindInMap:
              - Solution
              - Config
              - SolutionId
          UUID:
            Fn::GetAtt:
              - DLTCommonResourcesUUID2FD025A2
              - UUID
          VERSION:
            Fn::FindInMap:
              - Solution
              - Config
              - CodeVersion
          SEND_METRIC:
            Fn::FindInMap:
              - Solution
              - Config
              - SendAnonymousUsage
          METRIC_URL:
            Fn::FindInMap:
              - Solution
              - Config
              - URL
      Handler: index.handler
      Runtime: nodejs14.x
      Tags:
        - Key: SolutionId
          Value:
            Fn::FindInMap:
              - Solution
              - Config
              - SolutionId
      Timeout: 120
    DependsOn:
      - DLTLambdaFunctionLambdaResultsRole2CF2D707
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W58
            reason: CloudWatchLogsPolicy covers a permission to write CloudWatch logs.
          - id: W89
            reason: This Lambda function does not require a VPC
          - id: W92
            reason: Does not run concurrent executions
  DLTLambdaFunctionDLTTestLambdaTaskRole1FDBCEDD:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      Policies:
        - PolicyDocument:
            Statement:
              - Action: ecs:ListTasks
                Effect: Allow
                Resource: "*"
              - Action:
                  - ecs:RunTask
                  - ecs:DescribeTasks
                Effect: Allow
                Resource:
                  - Fn::Join:
                      - ""
                      - - "arn:"
                        - Ref: AWS::Partition
                        - ":ecs:"
                        - Ref: AWS::Region
                        - ":"
                        - Ref: AWS::AccountId
                        - :task/*
                  - Fn::Join:
                      - ""
                      - - "arn:"
                        - Ref: AWS::Partition
                        - ":ecs:"
                        - Ref: AWS::Region
                        - ":"
                        - Ref: AWS::AccountId
                        - :task-definition/*:*
              - Action: iam:PassRole
                Effect: Allow
                Resource:
                  Fn::GetAtt:
                    - DLTEcsDLTTaskExecutionRoleDE668717
                    - Arn
              - Action: logs:PutMetricFilter
                Effect: Allow
                Resource:
                  Fn::GetAtt:
                    - DLTEcsDLTCloudWatchLogsGroupFE9EC144
                    - Arn
              - Action: cloudwatch:PutDashboard
                Effect: Allow
                Resource:
                  Fn::Join:
                    - ""
                    - - "arn:"
                      - Ref: AWS::Partition
                      - ":cloudwatch::"
                      - Ref: AWS::AccountId
                      - :dashboard/EcsLoadTesting*
            Version: "2012-10-17"
          PolicyName: TaskLambdaPolicy
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: ecs:ListTasks does not support resource level permissions
  DLTLambdaFunctionTaskRunnerAAAD9171:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket:
          Fn::Join:
            - "-"
            - - Fn::FindInMap:
                  - Solution
                  - Config
                  - S3Bucket
              - Ref: AWS::Region
        S3Key:
          Fn::Join:
            - ""
            - - Fn::FindInMap:
                  - Solution
                  - Config
                  - KeyPrefix
              - /task-runner.zip
      Role:
        Fn::GetAtt:
          - DLTLambdaFunctionDLTTestLambdaTaskRole1FDBCEDD
          - Arn
      Description: Task runner for ECS task definitions
      Environment:
        Variables:
          SCENARIOS_BUCKET:
            Ref: DLTTestRunnerStorageDLTScenariosBucketA9290D21
          SCENARIOS_TABLE:
            Ref: DLTTestRunnerStorageDLTScenariosTableAB6F5C2A
          TASK_CLUSTER:
            Ref: DLTEcsDLTEcsClusterBC5CE23B
          TASK_DEFINITION:
            Ref: DLTEcsDLTTaskDefinition6BFC2400
          TASK_SECURITY_GROUP:
            Ref: DLTEcsDLTEcsSecurityGroup69E6743C
          TASK_IMAGE:
            Fn::Join:
              - ""
              - - Ref: AWS::StackName
                - -load-tester
          SUBNET_A:
            Fn::If:
              - CreateFargateVPCResources
              - Ref: DLTVpcDLTSubnetAAE7DDEE8
              - Ref: ExistingSubnetA
          SUBNET_B:
            Fn::If:
              - CreateFargateVPCResources
              - Ref: DLTVpcDLTSubnetB294F4ED2
              - Ref: ExistingSubnetB
          API_INTERVAL: "10"
          ECS_LOG_GROUP:
            Ref: DLTEcsDLTCloudWatchLogsGroupFE9EC144
          SOLUTION_ID:
            Fn::FindInMap:
              - Solution
              - Config
              - SolutionId
          VERSION:
            Fn::FindInMap:
              - Solution
              - Config
              - CodeVersion
      Handler: index.handler
      Runtime: nodejs14.x
      Tags:
        - Key: SolutionId
          Value:
            Fn::FindInMap:
              - Solution
              - Config
              - SolutionId
      Timeout: 900
    DependsOn:
      - DLTLambdaFunctionDLTTestLambdaTaskRole1FDBCEDD
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W58
            reason: CloudWatchLogsPolicy covers a permission to write CloudWatch logs.
          - id: W89
            reason: This Lambda function does not require a VPC
          - id: W92
            reason: Does not run concurrent executions
  DLTLambdaFunctionLambdaTaskCancelerRoleAE2C84CF:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      Policies:
        - PolicyDocument:
            Statement:
              - Action: ecs:ListTasks
                Effect: Allow
                Resource: "*"
              - Action: ecs:StopTask
                Effect: Allow
                Resource:
                  - Fn::Join:
                      - ""
                      - - "arn:"
                        - Ref: AWS::Partition
                        - ":ecs:"
                        - Ref: AWS::Region
                        - ":"
                        - Ref: AWS::AccountId
                        - :task/*
                  - Fn::Join:
                      - ""
                      - - "arn:"
                        - Ref: AWS::Partition
                        - ":ecs:"
                        - Ref: AWS::Region
                        - ":"
                        - Ref: AWS::AccountId
                        - :task-definition/*:*
              - Action: dynamodb:UpdateItem
                Effect: Allow
                Resource:
                  Fn::GetAtt:
                    - DLTTestRunnerStorageDLTScenariosTableAB6F5C2A
                    - Arn
            Version: "2012-10-17"
          PolicyName: TaskCancelerPolicy
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: ecs:ListTasks does not support resource level permissions
  DLTLambdaFunctionTaskCanceler4E12BDA6:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket:
          Fn::Join:
            - "-"
            - - Fn::FindInMap:
                  - Solution
                  - Config
                  - S3Bucket
              - Ref: AWS::Region
        S3Key:
          Fn::Join:
            - ""
            - - Fn::FindInMap:
                  - Solution
                  - Config
                  - KeyPrefix
              - /task-canceler.zip
      Role:
        Fn::GetAtt:
          - DLTLambdaFunctionLambdaTaskCancelerRoleAE2C84CF
          - Arn
      Description: Stops ECS task
      Environment:
        Variables:
          METRIC_URL:
            Fn::FindInMap:
              - Solution
              - Config
              - URL
          SOLUTION_ID:
            Fn::FindInMap:
              - Solution
              - Config
              - SolutionId
          VERSION:
            Fn::FindInMap:
              - Solution
              - Config
              - CodeVersion
          SCENARIOS_TABLE:
            Ref: DLTTestRunnerStorageDLTScenariosTableAB6F5C2A
          TASK_CLUSTER:
            Ref: DLTEcsDLTEcsClusterBC5CE23B
      Handler: index.handler
      Runtime: nodejs14.x
      Tags:
        - Key: SolutionId
          Value:
            Fn::FindInMap:
              - Solution
              - Config
              - SolutionId
      Timeout: 300
    DependsOn:
      - DLTLambdaFunctionLambdaTaskCancelerRoleAE2C84CF
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W58
            reason: CloudWatchLogsPolicy covers a permission to write CloudWatch logs.
          - id: W89
            reason: This Lambda function does not require a VPC
          - id: W92
            reason: Does not run concurrent executions
  DLTLambdaFunctionTaskCancelerInvokePolicyA1C7562A:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: lambda:InvokeFunction
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - DLTLambdaFunctionTaskCanceler4E12BDA6
                - Arn
        Version: "2012-10-17"
      PolicyName: DLTLambdaFunctionTaskCancelerInvokePolicyA1C7562A
      Roles:
        - Ref: DLTLambdaFunctionTaskStatusRole9288E645
        - Ref: DLTApiDLTAPIServicesLambdaRole4465EAA4
  DLTLambdaFunctionTaskStatusRole9288E645:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      Policies:
        - PolicyDocument:
            Statement:
              - Action: ecs:ListTasks
                Effect: Allow
                Resource: "*"
              - Action: ecs:DescribeTasks
                Effect: Allow
                Resource:
                  Fn::Join:
                    - ""
                    - - "arn:"
                      - Ref: AWS::Partition
                      - ":ecs:"
                      - Ref: AWS::Region
                      - ":"
                      - Ref: AWS::AccountId
                      - :task/*
            Version: "2012-10-17"
          PolicyName: TaskStatusPolicy
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: ecs:ListTasks does not support resource level permissions
          - id: W58
            reason: CloudWatchLogsPolicy covers a permission to write CloudWatch logs.
  DLTLambdaFunctionTaskStatusChecker1AA63EC9:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket:
          Fn::Join:
            - "-"
            - - Fn::FindInMap:
                  - Solution
                  - Config
                  - S3Bucket
              - Ref: AWS::Region
        S3Key:
          Fn::Join:
            - ""
            - - Fn::FindInMap:
                  - Solution
                  - Config
                  - KeyPrefix
              - /task-status-checker.zip
      Role:
        Fn::GetAtt:
          - DLTLambdaFunctionTaskStatusRole9288E645
          - Arn
      Description: Task status checker
      Environment:
        Variables:
          TASK_CLUSTER:
            Ref: DLTEcsDLTEcsClusterBC5CE23B
          SCENARIOS_TABLE:
            Ref: DLTTestRunnerStorageDLTScenariosTableAB6F5C2A
          TASK_CANCELER_ARN:
            Fn::GetAtt:
              - DLTLambdaFunctionTaskCanceler4E12BDA6
              - Arn
          SOLUTION_ID:
            Fn::FindInMap:
              - Solution
              - Config
              - SolutionId
          VERSION:
            Fn::FindInMap:
              - Solution
              - Config
              - CodeVersion
      Handler: index.handler
      Runtime: nodejs14.x
      Tags:
        - Key: SolutionId
          Value:
            Fn::FindInMap:
              - Solution
              - Config
              - SolutionId
      Timeout: 180
    DependsOn:
      - DLTLambdaFunctionTaskStatusRole9288E645
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W58
            reason: CloudWatchLogsPolicy covers a permission to write CloudWatch logs.
          - id: W89
            reason: This Lambda function does not require a VPC
          - id: W92
            reason: Does not run concurrent executions
  DLTStepFunctionStepFunctionsLogGroup8DABDAB7:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 365
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W84
            reason: KMS encryption unnecessary for log group
  DLTStepFunctionTaskRunnerStepFunctionsRoleC2237F06:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                Fn::Join:
                  - ""
                  - - states.
                    - Ref: AWS::Region
                    - .amazonaws.com
        Version: "2012-10-17"
      Tags:
        - Key: SolutionId
          Value:
            Fn::FindInMap:
              - Solution
              - Config
              - SolutionId
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: CloudWatch logs actions do not support resource level permissions
          - id: W12
            reason: CloudWatch logs actions do not support resource level permissions
  DLTStepFunctionTaskRunnerStepFunctionsRoleDefaultPolicy8F17B49F:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - logs:CreateLogDelivery
              - logs:GetLogDelivery
              - logs:UpdateLogDelivery
              - logs:DeleteLogDelivery
              - logs:ListLogDeliveries
              - logs:PutResourcePolicy
              - logs:DescribeResourcePolicies
              - logs:DescribeLogGroups
            Effect: Allow
            Resource: "*"
          - Action: lambda:InvokeFunction
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - DLTLambdaFunctionTaskStatusChecker1AA63EC9
                - Arn
          - Action: lambda:InvokeFunction
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - DLTLambdaFunctionTaskRunnerAAAD9171
                - Arn
          - Action: lambda:InvokeFunction
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - DLTLambdaFunctionTaskCanceler4E12BDA6
                - Arn
          - Action: lambda:InvokeFunction
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - DLTLambdaFunctionResultsParserFF5CC920
                - Arn
        Version: "2012-10-17"
      PolicyName: DLTStepFunctionTaskRunnerStepFunctionsRoleDefaultPolicy8F17B49F
      Roles:
        - Ref: DLTStepFunctionTaskRunnerStepFunctionsRoleC2237F06
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W12
            reason: CloudWatch logs actions do not support resource level permissions
  DLTStepFunctionTaskRunnerStepFunctionsC295A535:
    Type: AWS::StepFunctions::StateMachine
    Properties:
      RoleArn:
        Fn::GetAtt:
          - DLTStepFunctionTaskRunnerStepFunctionsRoleC2237F06
          - Arn
      DefinitionString:
        Fn::Join:
          - ""
          - - '{"StartAt":"Check running tests","States":{"Check running tests":{"Next":"No running tests","Retry":[{"ErrorEquals":["Lambda.ServiceException","Lambda.AWSLambdaException","Lambda.SdkClientException"],"IntervalSeconds":2,"MaxAttempts":6,"BackoffRate":2}],"Type":"Task","InputPath":"$","OutputPath":"$.Payload","Resource":"arn:'
            - Ref: AWS::Partition
            - :states:::lambda:invoke","Parameters":{"FunctionName":"
            - Fn::GetAtt:
                - DLTLambdaFunctionTaskStatusChecker1AA63EC9
                - Arn
            - '","Payload.$":"$"}},"No running tests":{"Type":"Choice","Choices":[{"Variable":"$.isRunning","BooleanEquals":false,"Next":"Run workers"}],"Default":"Test is still running"},"Test is still running":{"Type":"Fail","Error":"TestAlreadyRunning","Cause":"The same test is already running."},"Run workers":{"Next":"Are all workers launched?","Retry":[{"ErrorEquals":["Lambda.ServiceException","Lambda.AWSLambdaException","Lambda.SdkClientException"],"IntervalSeconds":2,"MaxAttempts":6,"BackoffRate":2}],"Type":"Task","InputPath":"$","OutputPath":"$.Payload","Resource":"arn:'
            - Ref: AWS::Partition
            - :states:::lambda:invoke","Parameters":{"FunctionName":"
            - Fn::GetAtt:
                - DLTLambdaFunctionTaskRunnerAAAD9171
                - Arn
            - '","Payload.$":"$"}},"Are all workers launched?":{"Type":"Choice","Choices":[{"Variable":"$.isRunning","BooleanEquals":false,"Next":"Cancel Test"},{"Variable":"$.taskRunner.runTaskCount","NumericEquals":1,"Next":"Wait 1 minute - worker status"},{"Variable":"$.taskRunner.runTaskCount","NumericEquals":0,"Next":"Wait 1 minute - task status"}],"Default":"Run workers"},"Cancel Test":{"Next":"Parse result","Retry":[{"ErrorEquals":["Lambda.ServiceException","Lambda.AWSLambdaException","Lambda.SdkClientException"],"IntervalSeconds":2,"MaxAttempts":6,"BackoffRate":2}],"Type":"Task","InputPath":"$","OutputPath":"$.Payload","ResultPath":null,"Resource":"arn:'
            - Ref: AWS::Partition
            - :states:::lambda:invoke","Parameters":{"FunctionName":"
- Fn::GetAtt:
- DLTLambdaFunctionTaskCanceler4E12BDA6
- Arn
- '","Payload.$":"$"}},"Parse result":{"Next":"Done","Retry":[{"ErrorEquals":["Lambda.ServiceException","Lambda.AWSLambdaException","Lambda.SdkClientException"],"IntervalSeconds":2,"MaxAttempts":6,"BackoffRate":2}],"Type":"Task","Resource":"arn:'
- Ref: AWS::Partition
- :states:::lambda:invoke","Parameters":{"FunctionName":"
- Fn::GetAtt:
- DLTLambdaFunctionResultsParserFF5CC920
- Arn
- '","Payload.$":"$"}},"Are all tasks done?":{"Type":"Choice","Choices":[{"Variable":"$.isRunning","BooleanEquals":false,"Next":"Parse result"}],"Default":"Wait 1 minute - task status"},"Check task status":{"Next":"Are all tasks done?","Retry":[{"ErrorEquals":["Lambda.ServiceException","Lambda.AWSLambdaException","Lambda.SdkClientException"],"IntervalSeconds":2,"MaxAttempts":6,"BackoffRate":2}],"Type":"Task","InputPath":"$","OutputPath":"$.Payload","Resource":"arn:'
- Ref: AWS::Partition
- :states:::lambda:invoke","Parameters":{"FunctionName":"
- Fn::GetAtt:
- DLTLambdaFunctionTaskStatusChecker1AA63EC9
- Arn
- '","Payload.$":"$"}},"Wait 1 minute - task status":{"Type":"Wait","Comment":"Wait 1 minute to check task status again","Seconds":60,"Next":"Check task status"},"Run leader task":{"Next":"Wait 1 minute - task status","Retry":[{"ErrorEquals":["Lambda.ServiceException","Lambda.AWSLambdaException","Lambda.SdkClientException"],"IntervalSeconds":2,"MaxAttempts":6,"BackoffRate":2}],"Type":"Task","InputPath":"$","OutputPath":"$.Payload","Resource":"arn:'
- Ref: AWS::Partition
- :states:::lambda:invoke","Parameters":{"FunctionName":"
- Fn::GetAtt:
- DLTLambdaFunctionTaskRunnerAAAD9171
- Arn
- '","Payload.$":"$"}},"Are all workers running?":{"Type":"Choice","Choices":[{"Variable":"$.numTasksRunning","NumericEqualsPath":"$.scenario.taskCount","Next":"Run leader task"},{"Variable":"$.isRunning","BooleanEquals":false,"Next":"Parse result"}],"Default":"Wait 1 minute - worker status"},"Check worker status":{"Next":"Are all workers running?","Retry":[{"ErrorEquals":["Lambda.ServiceException","Lambda.AWSLambdaException","Lambda.SdkClientException"],"IntervalSeconds":2,"MaxAttempts":6,"BackoffRate":2}],"Type":"Task","InputPath":"$","OutputPath":"$.Payload","Resource":"arn:'
- Ref: AWS::Partition
- :states:::lambda:invoke","Parameters":{"FunctionName":"
- Fn::GetAtt:
- DLTLambdaFunctionTaskStatusChecker1AA63EC9
- Arn
- '","Payload.$":"$"}},"Wait 1 minute - worker status":{"Type":"Wait","Comment":"Wait 1 minute to check task status again","Seconds":60,"Next":"Check worker status"},"Done":{"Type":"Succeed"}}}'
LoggingConfiguration:
Destinations:
- CloudWatchLogsLogGroup:
LogGroupArn:
Fn::GetAtt:
- DLTStepFunctionStepFunctionsLogGroup8DABDAB7
- Arn
IncludeExecutionData: false
Level: ALL
Tags:
- Key: SolutionId
Value:
Fn::FindInMap:
- Solution
- Config
- SolutionId
DependsOn:
- DLTStepFunctionTaskRunnerStepFunctionsRoleDefaultPolicy8F17B49F
- DLTStepFunctionTaskRunnerStepFunctionsRoleC2237F06
DLTApiDLTAPIServicesLambdaRole4465EAA4:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: "2012-10-17"
Policies:
- PolicyDocument:
Statement:
- Action: ecs:ListTasks
Effect: Allow
Resource: "*"
- Action:
- ecs:RunTask
- ecs:DescribeTasks
Effect: Allow
Resource:
- Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- ":ecs:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :task/*
- Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- ":ecs:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :task-definition/
- Action: iam:PassRole
Effect: Allow
Resource:
Fn::GetAtt:
- DLTEcsDLTTaskExecutionRoleDE668717
- Arn
- Action: states:StartExecution
Effect: Allow
Resource:
Ref: DLTStepFunctionTaskRunnerStepFunctionsC295A535
- Action: logs:DeleteMetricFilter
Effect: Allow
Resource:
Fn::GetAtt:
- DLTEcsDLTCloudWatchLogsGroupFE9EC144
- Arn
- Action: cloudwatch:DeleteDashboards
Effect: Allow
Resource:
Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- ":cloudwatch::"
- Ref: AWS::AccountId
- :dashboard/EcsLoadTesting*
Version: "2012-10-17"
PolicyName: DLTAPIServicesLambdaPolicy
Metadata:
cfn_nag:
rules_to_suppress:
- id: W11
reason: ecs:ListTasks does not support resource level permissions
DLTApiLambdaApiEventsPolicy63BB60C8:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- events:PutTargets
- events:PutRule
- events:DeleteRule
- events:RemoveTargets
Effect: Allow
Resource:
- Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- ":events:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :rule/*Scheduled
- Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- ":events:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :rule/*Create
- Action: events:ListRules
Effect: Allow
Resource:
Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- ":events:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :rule/*
Version: "2012-10-17"
PolicyName: DLTApiLambdaApiEventsPolicy63BB60C8
Roles:
- Ref: DLTApiDLTAPIServicesLambdaRole4465EAA4
DLTApiDLTAPIServicesLambda9D76BA5C:
Type: AWS::Lambda::Function
Properties:
Code:
S3Bucket:
Fn::Join:
- "-"
- - Fn::FindInMap:
- Solution
- Config
- S3Bucket
- Ref: AWS::Region
S3Key:
Fn::Join:
- ""
- - Fn::FindInMap:
- Solution
- Config
- KeyPrefix
- /api-services.zip
Role:
Fn::GetAtt:
- DLTApiDLTAPIServicesLambdaRole4465EAA4
- Arn
Description: API microservices for creating, updating, listing and deleting test scenarios
Environment:
Variables:
SCENARIOS_BUCKET:
Ref: DLTTestRunnerStorageDLTScenariosBucketA9290D21
SCENARIOS_TABLE:
Ref: DLTTestRunnerStorageDLTScenariosTableAB6F5C2A
TASK_CLUSTER:
Ref: DLTEcsDLTEcsClusterBC5CE23B
STATE_MACHINE_ARN:
Ref: DLTStepFunctionTaskRunnerStepFunctionsC295A535
SOLUTION_ID:
Fn::FindInMap:
- Solution
- Config
- SolutionId
UUID:
Fn::GetAtt:
- DLTCommonResourcesUUID2FD025A2
- UUID
VERSION:
Fn::FindInMap:
- Solution
- Config
- CodeVersion
SEND_METRIC:
Fn::FindInMap:
- Solution
- Config
- SendAnonymousUsage
METRIC_URL:
Fn::FindInMap:
- Solution
- Config
- URL
ECS_LOG_GROUP:
Ref: DLTEcsDLTCloudWatchLogsGroupFE9EC144
TASK_CANCELER_ARN:
Fn::GetAtt:
- DLTLambdaFunctionTaskCanceler4E12BDA6
- Arn
Handler: index.handler
Runtime: nodejs14.x
Tags:
- Key: SolutionId
Value:
Fn::FindInMap:
- Solution
- Config
- SolutionId
Timeout: 120
DependsOn:
- DLTApiDLTAPIServicesLambdaRole4465EAA4
Metadata:
cfn_nag:
rules_to_suppress:
- id: W58
reason: CloudWatchLogsPolicy covers a permission to write CloudWatch logs.
- id: W89
reason: VPC not needed for lambda
- id: W92
reason: Does not run concurrent executions
DLTApiDLTAPIServicesLambdaDLTApiInvokePermissionC6CBE43A:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName:
Fn::GetAtt:
- DLTApiDLTAPIServicesLambda9D76BA5C
- Arn
Principal: apigateway.amazonaws.com
SourceArn:
Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- ":execute-api:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- ":"
- Ref: DLTApi0C903EB5
- /*
DLTApiLambdaApiPermissionPolicyE12EEC7D:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- lambda:AddPermission
- lambda:RemovePermission
Effect: Allow
Resource:
Fn::GetAtt:
- DLTApiDLTAPIServicesLambda9D76BA5C
- Arn
Version: "2012-10-17"
PolicyName: DLTApiLambdaApiPermissionPolicyE12EEC7D
Roles:
- Ref: DLTApiDLTAPIServicesLambdaRole4465EAA4
DLTApiAPILogsF7751EF3:
Type: AWS::Logs::LogGroup
Properties:
RetentionInDays: 365
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
Metadata:
cfn_nag:
rules_to_suppress:
- id: W84
reason: KMS encryption unnecessary for log group
DLTApiAPILoggingRole119E64B1:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: apigateway.amazonaws.com
Version: "2012-10-17"
Policies:
- PolicyDocument:
Statement:
- Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:DescribeLogGroups
- logs:DescribeLogStreams
- logs:PutLogEvents
- logs:GetLogEvents
- logs:FilterLogEvents
Effect: Allow
Resource:
Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- ":logs:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :*
Version: "2012-10-17"
PolicyName: apiLoggingPolicy
DLTApi0C903EB5:
Type: AWS::ApiGateway::RestApi
Properties:
Description:
Fn::Join:
- ""
- - "Distributed Load Testing API - version "
- Fn::FindInMap:
- Solution
- Config
- CodeVersion
EndpointConfiguration:
Types:
- EDGE
Name: DLTApi
DLTApiCloudWatchRoleD45E4DD6:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: apigateway.amazonaws.com
Version: "2012-10-17"
ManagedPolicyArns:
- Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- :iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs
DLTApiAccount80CB63FF:
Type: AWS::ApiGateway::Account
Properties:
CloudWatchRoleArn:
Fn::GetAtt:
- DLTApiCloudWatchRoleD45E4DD6
- Arn
DependsOn:
- DLTApi0C903EB5
DLTApiDeployment098FF8886f7513fc05d0ec41147a211bea1fef76:
Type: AWS::ApiGateway::Deployment
Properties:
RestApiId:
Ref: DLTApi0C903EB5
Description: Automatically created by the RestApi construct
DependsOn:
- DLTApiAPIAllRequestValidator02C9D47F
- DLTApiOPTIONS823B5F09
- DLTApiscenariostestIdANY993028D3
- DLTApiscenariostestIdOPTIONS0B339CE6
- DLTApiscenariostestId4C170989
- DLTApiscenariosANYDEF83622
- DLTApiscenariosOPTIONS6F514DA3
- DLTApiscenariosB6B76329
- DLTApitasksANY60403A44
- DLTApitasksOPTIONSDABED809
- DLTApitasks0A512C83
Metadata:
cfn_nag:
rules_to_suppress:
- id: W68
reason: The solution does not require the usage plan.
DLTApiDeploymentStageprodC81F8DCB:
Type: AWS::ApiGateway::Stage
Properties:
RestApiId:
Ref: DLTApi0C903EB5
AccessLogSetting:
DestinationArn:
Fn::GetAtt:
- DLTApiAPILogsF7751EF3
- Arn
Format: '{"requestId":"$context.requestId","ip":"$context.identity.sourceIp","user":"$context.identity.user","caller":"$context.identity.caller","requestTime":"$context.requestTime","httpMethod":"$context.httpMethod","resourcePath":"$context.resourcePath","status":"$context.status","protocol":"$context.protocol","responseLength":"$context.responseLength"}'
DeploymentId:
Ref: DLTApiDeployment098FF8886f7513fc05d0ec41147a211bea1fef76
MethodSettings:
- HttpMethod: "*"
LoggingLevel: INFO
ResourcePath: /*
StageName: prod
TracingEnabled: true
Metadata:
cfn_nag:
rules_to_suppress:
- id: W64
reason: The solution does not require the usage plan.
DLTApiOPTIONS823B5F09:
Type: AWS::ApiGateway::Method
Properties:
HttpMethod: OPTIONS
ResourceId:
Fn::GetAtt:
- DLTApi0C903EB5
- RootResourceId
RestApiId:
Ref: DLTApi0C903EB5
AuthorizationType: NONE
Integration:
IntegrationResponses:
- ResponseParameters:
method.response.header.Access-Control-Allow-Headers: "'Authorization,Content-Type,X-Amz-Date,X-Amz-Security-Token,X-Api-Key'"
method.response.header.Access-Control-Allow-Origin: "'*'"
method.response.header.Access-Control-Allow-Methods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'"
StatusCode: "200"
RequestTemplates:
application/json: "{ statusCode: 200 }"
Type: MOCK
MethodResponses:
- ResponseParameters:
method.response.header.Access-Control-Allow-Headers: true
method.response.header.Access-Control-Allow-Origin: true
method.response.header.Access-Control-Allow-Methods: true
StatusCode: "200"
DLTApiscenariosB6B76329:
Type: AWS::ApiGateway::Resource
Properties:
ParentId:
Fn::GetAtt:
- DLTApi0C903EB5
- RootResourceId
PathPart: scenarios
RestApiId:
Ref: DLTApi0C903EB5
DLTApiscenariosOPTIONS6F514DA3:
Type: AWS::ApiGateway::Method
Properties:
HttpMethod: OPTIONS
ResourceId:
Ref: DLTApiscenariosB6B76329
RestApiId:
Ref: DLTApi0C903EB5
AuthorizationType: NONE
Integration:
IntegrationResponses:
- ResponseParameters:
method.response.header.Access-Control-Allow-Headers: "'Authorization,Content-Type,X-Amz-Date,X-Amz-Security-Token,X-Api-Key'"
method.response.header.Access-Control-Allow-Origin: "'*'"
method.response.header.Access-Control-Allow-Methods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'"
StatusCode: "200"
RequestTemplates:
application/json: "{ statusCode: 200 }"
Type: MOCK
MethodResponses:
- ResponseParameters:
method.response.header.Access-Control-Allow-Headers: true
method.response.header.Access-Control-Allow-Origin: true
method.response.header.Access-Control-Allow-Methods: true
StatusCode: "200"
DLTApiscenariosANYDEF83622:
Type: AWS::ApiGateway::Method
Properties:
HttpMethod: ANY
ResourceId:
Ref: DLTApiscenariosB6B76329
RestApiId:
Ref: DLTApi0C903EB5
AuthorizationType: AWS_IAM
Integration:
ContentHandling: CONVERT_TO_TEXT
IntegrationHttpMethod: POST
IntegrationResponses:
- StatusCode: "200"
PassthroughBehavior: WHEN_NO_MATCH
Type: AWS_PROXY
Uri:
Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- ":apigateway:"
- Ref: AWS::Region
- :lambda:path/2015-03-31/functions/
- Fn::GetAtt:
- DLTApiDLTAPIServicesLambda9D76BA5C
- Arn
- /invocations
MethodResponses:
- ResponseModels:
application/json: Empty
StatusCode: "200"
RequestValidatorId:
Ref: DLTApiAPIAllRequestValidator02C9D47F
DLTApiscenariostestId4C170989:
Type: AWS::ApiGateway::Resource
Properties:
ParentId:
Ref: DLTApiscenariosB6B76329
PathPart: "{testId}"
RestApiId:
Ref: DLTApi0C903EB5
DLTApiscenariostestIdOPTIONS0B339CE6:
Type: AWS::ApiGateway::Method
Properties:
HttpMethod: OPTIONS
ResourceId:
Ref: DLTApiscenariostestId4C170989
RestApiId:
Ref: DLTApi0C903EB5
AuthorizationType: NONE
Integration:
IntegrationResponses:
- ResponseParameters:
method.response.header.Access-Control-Allow-Headers: "'Authorization,Content-Type,X-Amz-Date,X-Amz-Security-Token,X-Api-Key'"
method.response.header.Access-Control-Allow-Origin: "'*'"
method.response.header.Access-Control-Allow-Methods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'"
StatusCode: "200"
RequestTemplates:
application/json: "{ statusCode: 200 }"
Type: MOCK
MethodResponses:
- ResponseParameters:
method.response.header.Access-Control-Allow-Headers: true
method.response.header.Access-Control-Allow-Origin: true
method.response.header.Access-Control-Allow-Methods: true
StatusCode: "200"
DLTApiscenariostestIdANY993028D3:
Type: AWS::ApiGateway::Method
Properties:
HttpMethod: ANY
ResourceId:
Ref: DLTApiscenariostestId4C170989
RestApiId:
Ref: DLTApi0C903EB5
AuthorizationType: AWS_IAM
Integration:
ContentHandling: CONVERT_TO_TEXT
IntegrationHttpMethod: POST
IntegrationResponses:
- StatusCode: "200"
PassthroughBehavior: WHEN_NO_MATCH
Type: AWS_PROXY
Uri:
Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- ":apigateway:"
- Ref: AWS::Region
- :lambda:path/2015-03-31/functions/
- Fn::GetAtt:
- DLTApiDLTAPIServicesLambda9D76BA5C
- Arn
- /invocations
MethodResponses:
- ResponseModels:
application/json: Empty
StatusCode: "200"
RequestValidatorId:
Ref: DLTApiAPIAllRequestValidator02C9D47F
DLTApitasks0A512C83:
Type: AWS::ApiGateway::Resource
Properties:
ParentId:
Fn::GetAtt:
- DLTApi0C903EB5
- RootResourceId
PathPart: tasks
RestApiId:
Ref: DLTApi0C903EB5
DLTApitasksOPTIONSDABED809:
Type: AWS::ApiGateway::Method
Properties:
HttpMethod: OPTIONS
ResourceId:
Ref: DLTApitasks0A512C83
RestApiId:
Ref: DLTApi0C903EB5
AuthorizationType: NONE
Integration:
IntegrationResponses:
- ResponseParameters:
method.response.header.Access-Control-Allow-Headers: "'Authorization,Content-Type,X-Amz-Date,X-Amz-Security-Token,X-Api-Key'"
method.response.header.Access-Control-Allow-Origin: "'*'"
method.response.header.Access-Control-Allow-Methods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'"
StatusCode: "200"
RequestTemplates:
application/json: "{ statusCode: 200 }"
Type: MOCK
MethodResponses:
- ResponseParameters:
method.response.header.Access-Control-Allow-Headers: true
method.response.header.Access-Control-Allow-Origin: true
method.response.header.Access-Control-Allow-Methods: true
StatusCode: "200"
DLTApitasksANY60403A44:
Type: AWS::ApiGateway::Method
Properties:
HttpMethod: ANY
ResourceId:
Ref: DLTApitasks0A512C83
RestApiId:
Ref: DLTApi0C903EB5
AuthorizationType: AWS_IAM
Integration:
ContentHandling: CONVERT_TO_TEXT
IntegrationHttpMethod: POST
IntegrationResponses:
- StatusCode: "200"
PassthroughBehavior: WHEN_NO_MATCH
Type: AWS_PROXY
Uri:
Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- ":apigateway:"
- Ref: AWS::Region
- :lambda:path/2015-03-31/functions/
- Fn::GetAtt:
- DLTApiDLTAPIServicesLambda9D76BA5C
- Arn
- /invocations
MethodResponses:
- ResponseModels:
application/json: Empty
StatusCode: "200"
RequestValidatorId:
Ref: DLTApiAPIAllRequestValidator02C9D47F
DLTApiApiAccountConfigBF306CC3:
Type: AWS::ApiGateway::Account
Properties:
CloudWatchRoleArn:
Fn::GetAtt:
- DLTApiAPILoggingRole119E64B1
- Arn
DependsOn:
- DLTApi0C903EB5
DLTApiAPIAllRequestValidator02C9D47F:
Type: AWS::ApiGateway::RequestValidator
Properties:
RestApiId:
Ref: DLTApi0C903EB5
ValidateRequestBody: true
ValidateRequestParameters: true
DLTCognitoAuthDLTUserPoolFA41A712:
Type: AWS::Cognito::UserPool
Properties:
AccountRecoverySetting:
RecoveryMechanisms:
- Name: verified_phone_number
Priority: 1
- Name: verified_email
Priority: 2
AdminCreateUserConfig:
AllowAdminCreateUserOnly: true
InviteMessageTemplate:
EmailMessage:
Fn::Join:
- ""
- - |-2
<p>
Please use the credentials below to login to the Distributed Load Testing console.
</p>
<p>
Username: <strong>{username}</strong>
</p>
<p>
Password: <strong>{####}</strong>
</p>
<p>
Console: <strong>https://
- Fn::GetAtt:
- DLTConsoleResourcesDLTCloudFrontToS3CloudFrontDistribution3EF384B4
- DomainName
- "/</strong>
\ </p>
\ "
EmailSubject: Welcome to Distributed Load Testing
SMSMessage: Your username is {username} and temporary password is {####}.
AliasAttributes:
- email
AutoVerifiedAttributes:
- email
EmailVerificationMessage: The verification code to your new account is {####}
EmailVerificationSubject: Verify your new account
Policies:
PasswordPolicy:
MinimumLength: 12
RequireLowercase: true
RequireNumbers: true
RequireSymbols: true
RequireUppercase: true
Schema:
- Mutable: true
Name: email
Required: true
SmsVerificationMessage: The verification code to your new account is {####}
UserPoolAddOns:
AdvancedSecurityMode: ENFORCED
UserPoolName:
Fn::Join:
- ""
- - Ref: AWS::StackName
- -user-pool
VerificationMessageTemplate:
DefaultEmailOption: CONFIRM_WITH_CODE
EmailMessage: The verification code to your new account is {####}
EmailSubject: Verify your new account
SmsMessage: The verification code to your new account is {####}
UpdateReplacePolicy: Delete
DeletionPolicy: Delete
DLTCognitoAuthDLTUserPoolClientA2F8B2DB:
Type: AWS::Cognito::UserPoolClient
Properties:
UserPoolId:
Ref: DLTCognitoAuthDLTUserPoolFA41A712
AllowedOAuthFlows:
- implicit
- code
AllowedOAuthFlowsUserPoolClient: true
AllowedOAuthScopes:
- profile
- phone
- email
- openid
- aws.cognito.signin.user.admin
CallbackURLs:
- https://example.com
ClientName:
Fn::Join:
- ""
- - Ref: AWS::StackName
- -userpool-client
GenerateSecret: false
RefreshTokenValidity: 1440
SupportedIdentityProviders:
- COGNITO
TokenValidityUnits:
RefreshToken: minutes
WriteAttributes:
- address
- email
- phone_number
DLTCognitoAuthDLTIdentityPoolE110578F:
Type: AWS::Cognito::IdentityPool
Properties:
AllowUnauthenticatedIdentities: false
CognitoIdentityProviders:
- ClientId:
Ref: DLTCognitoAuthDLTUserPoolClientA2F8B2DB
ProviderName:
Fn::GetAtt:
- DLTCognitoAuthDLTUserPoolFA41A712
- ProviderName
DLTCognitoAuthDLTCognitoAuthorizedRole9977D4DC:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRoleWithWebIdentity
Condition:
StringEquals:
cognito-identity.amazonaws.com:aud:
Ref: DLTCognitoAuthDLTIdentityPoolE110578F
ForAnyValue:StringLike:
cognito-identity.amazonaws.com:amr: authenticated
Effect: Allow
Principal:
Federated: cognito-identity.amazonaws.com
Version: "2012-10-17"
Description:
Fn::Join:
- ""
- - Ref: AWS::StackName
- " Identity Pool authenticated role"
Policies:
- PolicyDocument:
Statement:
- Action: execute-api:Invoke
Effect: Allow
Resource:
Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- ":execute-api:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- ":"
- Ref: DLTApi0C903EB5
- /prod/*
- Action:
- s3:PutObject
- s3:GetObject
Effect: Allow
Resource:
- Fn::Join:
- ""
- - Fn::GetAtt:
- DLTTestRunnerStorageDLTScenariosBucketA9290D21
- Arn
- /public/*
- Fn::Join:
- ""
- - Fn::GetAtt:
- DLTTestRunnerStorageDLTScenariosBucketA9290D21
- Arn
- /cloudWatchImages/*
Version: "2012-10-17"
PolicyName: InvokeApiPolicy
DLTCognitoAuthDLTCognitoUnauthorizedRole6FC43D42:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRoleWithWebIdentity
Condition:
StringEquals:
cognito-identity.amazonaws.com:aud:
Ref: DLTCognitoAuthDLTIdentityPoolE110578F
ForAnyValue:StringLike:
cognito-identity.amazonaws.com:amr: unauthenticated
Effect: Allow
Principal:
Federated: cognito-identity.amazonaws.com
Version: "2012-10-17"
DLTCognitoAuthCognitoAttachRole8337C7A4:
Type: AWS::Cognito::IdentityPoolRoleAttachment
Properties:
IdentityPoolId:
Ref: DLTCognitoAuthDLTIdentityPoolE110578F
Roles:
unauthenticated:
Fn::GetAtt:
- DLTCognitoAuthDLTCognitoUnauthorizedRole6FC43D42
- Arn
authenticated:
Fn::GetAtt:
- DLTCognitoAuthDLTCognitoAuthorizedRole9977D4DC
- Arn
DLTCognitoAuthCognitoUser8FAEDC59:
Type: AWS::Cognito::UserPoolUser
Properties:
UserPoolId:
Ref: DLTCognitoAuthDLTUserPoolFA41A712
DesiredDeliveryMediums:
- EMAIL
ForceAliasCreation: true
UserAttributes:
- Name: email
Value:
Ref: AdminEmail
- Name: nickname
Value:
Ref: AdminName
- Name: email_verified
Value: "true"
Username:
Ref: AdminName
DLTCustomResourcesCopyConsoleFiles2EBD447E:
Type: Custom::CopyConsoleFiles
Properties:
ServiceToken:
Fn::GetAtt:
- DLTCommonResourcesCustomResourceLambda0D529C66
- Arn
Resource: CopyAssets
SrcBucket:
Fn::Join:
- "-"
- - Fn::FindInMap:
- Solution
- Config
- S3Bucket
- Ref: AWS::Region
SrcPath:
Fn::Join:
- ""
- - Fn::FindInMap:
- Solution
- Config
- KeyPrefix
- /console
ManifestFile: console-manifest.json
DestBucket:
Ref: DLTConsoleResourcesDLTCloudFrontToS3S3Bucket4FED8B63
UpdateReplacePolicy: Delete
DeletionPolicy: Delete
DLTCustomResourcesConsoleConfig9F494EAB:
Type: Custom::CopyConfigFiles
Properties:
ServiceToken:
Fn::GetAtt:
- DLTCommonResourcesCustomResourceLambda0D529C66
- Arn
Resource: ConfigFile
DestBucket:
Ref: DLTConsoleResourcesDLTCloudFrontToS3S3Bucket4FED8B63
AwsExports:
Fn::Join:
- ""
- - |-
const awsConfig = {
cw_dashboard: 'https://console.aws.amazon.com/cloudwatch/home?region=
- Ref: AWS::Region
- |-
#dashboards:name=',
ecs_dashboard: 'https://
- Ref: AWS::Region
- .console.aws.amazon.com/ecs/home?region=
- Ref: AWS::Region
- "#/clusters/"
- Ref: AWS::StackName
- |-
/tasks',
aws_project_region: '
- Ref: AWS::Region
- |-
',
aws_cognito_region: '
- Ref: AWS::Region
- |-
',
aws_cognito_identity_pool_id: '
- Ref: DLTCognitoAuthDLTIdentityPoolE110578F
- |-
',
aws_user_pools_id: '
- Ref: DLTCognitoAuthDLTUserPoolFA41A712
- |-
',
aws_user_pools_web_client_id: '
- Ref: DLTCognitoAuthDLTUserPoolClientA2F8B2DB
- |-
',
oauth: {},
aws_cloud_logic_custom: [
{
name: 'dlts',
endpoint: 'https://
- Ref: DLTApi0C903EB5
- .execute-api.
- Ref: AWS::Region
- "."
- Ref: AWS::URLSuffix
- /
- Ref: DLTApiDeploymentStageprodC81F8DCB
- |-
',
region: '
- Ref: AWS::Region
- |-
'
}
],
aws_user_files_s3_bucket: '
- Ref: DLTTestRunnerStorageDLTScenariosBucketA9290D21
- |-
',
aws_user_files_s3_bucket_region: '
- Ref: AWS::Region
- |-
'
}
UpdateReplacePolicy: Delete
DeletionPolicy: Delete
CDKMetadata:
Type: AWS::CDK::Metadata
Properties:
Analytics: v2:deflate64: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
Condition: CDKMetadataAvailable
Outputs:
DLTApiEndpointD98B09AC:
Value:
Fn::Join:
- ""
- - https://
- Ref: DLTApi0C903EB5
- .execute-api.
- Ref: AWS::Region
- "."
- Ref: AWS::URLSuffix
- /
- Ref: DLTApiDeploymentStageprodC81F8DCB
- /
Console:
Description: Console URL
Value:
Fn::GetAtt:
- DLTConsoleResourcesDLTCloudFrontToS3CloudFrontDistribution3EF384B4
- DomainName
SolutionUUID:
Description: Solution UUID
Value:
Fn::GetAtt:
- DLTCommonResourcesUUID2FD025A2
- UUID