From 44214d9fc6f47071753f767c224dee5129c3af7d Mon Sep 17 00:00:00 2001 
From: OliverForeman Date: Fri, 23 Aug 2019 16:09:36 +0100 Subject: [PATCH] SDE-139 Moved lambda IAM roles into separate files --- .../calculateUserDailyDigest.yml | 59 + iam-role-resources/createPost.yml | 47 + iam-role-resources/createPostRequest.yml | 54 + .../createRealTimeSubscription.yml | 47 + iam-role-resources/createSubscription.yml | 56 + .../deleteRealTimeSubscription.yml | 47 + iam-role-resources/deleteSubscription.yml | 56 + iam-role-resources/downloadRequest.yml | 66 + .../getUserRealTimeSubscriptions.yml | 47 + iam-role-resources/getUserSubscriptions.yml | 55 + iam-role-resources/graphicalReport.yml | 53 + iam-role-resources/hybridReport.yml | 53 + iam-role-resources/matchRealTimeDigests.yml | 47 + .../pushNotificationOpenConnection.yml | 59 + .../pushNotificationToClient.yml | 57 + .../realTimeDigestEmailIterator.yml | 42 + iam-role-resources/reportGenerator.yml | 53 + iam-role-resources/reportStatus.yml | 55 + iam-role-resources/scheduledDailyDigests.yml | 67 + iam-role-resources/search.yml | 47 + iam-role-resources/sendDigestEmail.yml | 51 + iam-role-resources/sendEmail.yml | 46 + serverless.yml | 1375 ++--------------- 23 files changed, 1292 insertions(+), 1247 deletions(-) create mode 100644 iam-role-resources/calculateUserDailyDigest.yml create mode 100644 iam-role-resources/createPost.yml create mode 100644 iam-role-resources/createPostRequest.yml create mode 100644 iam-role-resources/createRealTimeSubscription.yml create mode 100644 iam-role-resources/createSubscription.yml create mode 100644 iam-role-resources/deleteRealTimeSubscription.yml create mode 100644 iam-role-resources/deleteSubscription.yml create mode 100644 iam-role-resources/downloadRequest.yml create mode 100644 iam-role-resources/getUserRealTimeSubscriptions.yml create mode 100644 iam-role-resources/getUserSubscriptions.yml create mode 100644 iam-role-resources/graphicalReport.yml create mode 100644 iam-role-resources/hybridReport.yml create mode 100644 
iam-role-resources/matchRealTimeDigests.yml create mode 100644 iam-role-resources/pushNotificationOpenConnection.yml create mode 100644 iam-role-resources/pushNotificationToClient.yml create mode 100644 iam-role-resources/realTimeDigestEmailIterator.yml create mode 100644 iam-role-resources/reportGenerator.yml create mode 100644 iam-role-resources/reportStatus.yml create mode 100644 iam-role-resources/scheduledDailyDigests.yml create mode 100644 iam-role-resources/search.yml create mode 100644 iam-role-resources/sendDigestEmail.yml create mode 100644 iam-role-resources/sendEmail.yml diff --git a/iam-role-resources/calculateUserDailyDigest.yml b/iam-role-resources/calculateUserDailyDigest.yml new file mode 100644 index 0000000..048ca99 --- /dev/null +++ b/iam-role-resources/calculateUserDailyDigest.yml 
@@ -0,0 +1,59 @@
+Resources:
+ calculateUserDailyDigestLambdaRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ${self:service}-${self:custom.stage}-calculateUserDailyDigestLambdaRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: inlinePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - es:ESHttpPost
+ Resource:
+ - '${self:custom.esArn}/*'
+ - Effect: Allow
+ Action:
+ - lambda:InvokeFunction
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:lambda'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - 'function'
+ - '${self:service}-${self:custom.stage}-sendDigestEmail'
+ - Effect: Allow
+ Action:
+ - logs:CreateLogStream
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+ - Effect: Allow
+ Action:
+ - logs:PutLogEvents
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/createPost.yml b/iam-role-resources/createPost.yml
new file mode 100644
index 0000000..0bb90f7
--- /dev/null
+++ b/iam-role-resources/createPost.yml
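Review bot: The two logs statements scope CreateLogStream and PutLogEvents to `/aws/lambda/${self:service}-${self:custom.stage}*:*`, which is every function's log group in the service (and any stage whose name merely starts with this one), so splitting the roles per function does not actually narrow the logging permissions. Since this role now belongs to exactly one function, the resource can name that function's group, e.g. `- '/aws/lambda/${self:service}-${self:custom.stage}-calculateUserDailyDigest:*'` for CreateLogStream and the `:*:*` form for PutLogEvents. The same pair of statements is repeated verbatim in every other role file in this commit (createPost through sendEmail), so the change would apply to all of them. Note also that none of the roles grants logs:CreateLogGroup; that is only safe if the log groups are created by the framework or elsewhere in the stack, which cannot be confirmed from these hunks.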
@@ -0,0 +1,47 @@
+Resources:
+ createPostLambdaRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ${self:service}-${self:custom.stage}-createPostLambdaRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: inlinePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - es:ESHttpPost
+ Resource:
+ - '${self:custom.esArn}/*'
+ - Effect: Allow
+ Action:
+ - logs:CreateLogStream
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+ - Effect: Allow
+ Action:
+ - logs:PutLogEvents
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/createPostRequest.yml b/iam-role-resources/createPostRequest.yml
new file mode 100644
index 0000000..beea73a
--- /dev/null
+++ b/iam-role-resources/createPostRequest.yml
@@ -0,0 +1,54 @@
+Resources:
+ createPostRequestLambdaRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ${self:service}-${self:custom.stage}-createPostRequestLambdaRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: inlinePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - states:StartExecution
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:states'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - 'stateMachine'
+ - '${self:service}-${self:custom.stage}-create-post-request-step-function'
+ - Effect: Allow
+ Action:
+ - logs:CreateLogStream
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+ - Effect: Allow
+ Action:
+ - logs:PutLogEvents
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/createRealTimeSubscription.yml b/iam-role-resources/createRealTimeSubscription.yml
new file mode 100644
index 0000000..85f61e6
--- /dev/null
+++ b/iam-role-resources/createRealTimeSubscription.yml
@@ -0,0 +1,47 @@
+Resources:
+ createRealTimeSubscriptionLambdaRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ${self:service}-${self:custom.stage}-createRealTimeSubscriptionLambdaRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: inlinePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - es:ESHttpPost
+ Resource:
+ - '${self:custom.esArn}/*'
+ - Effect: Allow
+ Action:
+ - logs:CreateLogStream
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+ - Effect: Allow
+ Action:
+ - logs:PutLogEvents
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/createSubscription.yml b/iam-role-resources/createSubscription.yml
new file mode 100644
index 0000000..f6435c9
--- /dev/null
+++ b/iam-role-resources/createSubscription.yml
@@ -0,0 +1,56 @@
+Resources:
+ createSubscriptionLambdaRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ${self:service}-${self:custom.stage}-createSubscriptionLambdaRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: inlinePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - dynamodb:GetItem
+ - dynamodb:PutItem
+ Resource:
+ - !Join
+ - ''
+ -
+ - 'arn:aws:dynamodb:'
+ - Ref: 'AWS::Region'
+ - ':'
+ - Ref: 'AWS::AccountId'
+ - ':table/'
+ - Ref: SubscriptionsTable
+ - Effect: Allow
+ Action:
+ - logs:CreateLogStream
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+ - Effect: Allow
+ Action:
+ - logs:PutLogEvents
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/deleteRealTimeSubscription.yml b/iam-role-resources/deleteRealTimeSubscription.yml
new file mode 100644
index 0000000..c1062f6
--- /dev/null
+++ b/iam-role-resources/deleteRealTimeSubscription.yml
@@ -0,0 +1,47 @@
+Resources:
+ deleteRealTimeSubscriptionLambdaRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ${self:service}-${self:custom.stage}-deleteRealTimeSubscriptionLambdaRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: inlinePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - es:ESHttpPost
+ Resource:
+ - '${self:custom.esArn}/*'
+ - Effect: Allow
+ Action:
+ - logs:CreateLogStream
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+ - Effect: Allow
+ Action:
+ - logs:PutLogEvents
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/deleteSubscription.yml b/iam-role-resources/deleteSubscription.yml
new file mode 100644
index 0000000..fad7a29
--- /dev/null
+++ b/iam-role-resources/deleteSubscription.yml
@@ -0,0 +1,56 @@
+Resources:
+ deleteSubscriptionLambdaRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ${self:service}-${self:custom.stage}-deleteSubscriptionLambdaRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: inlinePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - dynamodb:GetItem
+ - dynamodb:PutItem
+ Resource:
+ - !Join
+ - ''
+ -
+ - 'arn:aws:dynamodb:'
+ - Ref: 'AWS::Region'
+ - ':'
+ - Ref: 'AWS::AccountId'
+ - ':table/'
+ - Ref: SubscriptionsTable
+ - Effect: Allow
+ Action:
+ - logs:CreateLogStream
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+ - Effect: Allow
+ Action:
+ - logs:PutLogEvents
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/downloadRequest.yml b/iam-role-resources/downloadRequest.yml
new file mode 100644
index 0000000..c5d5a86
--- /dev/null
+++ b/iam-role-resources/downloadRequest.yml
@@ -0,0 +1,66 @@
+Resources:
+ downloadRequestLambdaRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ${self:service}-${self:custom.stage}-downloadRequestLambdaRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: inlinePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - states:StartExecution
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:states'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - 'stateMachine'
+ - '${self:service}-${self:custom.stage}-csv-download-request'
+ - Effect: Allow
+ Action:
+ - states:GetActivityTask
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:states'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - 'activity'
+ - 'AwaitOpenConnectionFromClient'
+ - Effect: Allow
+ Action:
+ - logs:CreateLogStream
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+ - Effect: Allow
+ Action:
+ - logs:PutLogEvents
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/getUserRealTimeSubscriptions.yml b/iam-role-resources/getUserRealTimeSubscriptions.yml
new file mode 100644
index 0000000..342a331
--- /dev/null
+++ b/iam-role-resources/getUserRealTimeSubscriptions.yml
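Review bot: The GetActivityTask statement names the activity as the bare `'AwaitOpenConnectionFromClient'`, while the StartExecution statement directly above qualifies its state machine with `${self:service}-${self:custom.stage}-`. If more than one stage of this service is deployed into one account, every stage's downloadRequest role will be allowed to poll the same activity, which looks like an unintended cross-stage path; if the activity is meant to be per stage, the resource should carry the same prefix, `- '${self:service}-${self:custom.stage}-AwaitOpenConnectionFromClient'`, together with a matching change to the activity definition. The activity declaration is outside this hunk, so this is inferred from the naming alone.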
@@ -0,0 +1,47 @@
+Resources:
+ getUserRealTimeSubscriptionsLambdaRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ${self:service}-${self:custom.stage}-getUserRealTimeSubscriptionsLambdaRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: inlinePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - es:ESHttpPost
+ Resource:
+ - '${self:custom.esArn}/*'
+ - Effect: Allow
+ Action:
+ - logs:CreateLogStream
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+ - Effect: Allow
+ Action:
+ - logs:PutLogEvents
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/getUserSubscriptions.yml b/iam-role-resources/getUserSubscriptions.yml
new file mode 100644
index 0000000..570f4a7
--- /dev/null
+++ b/iam-role-resources/getUserSubscriptions.yml
@@ -0,0 +1,55 @@
+Resources:
+ getUserSubscriptionsLambdaRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ${self:service}-${self:custom.stage}-getUserSubscriptionsLambdaRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: inlinePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - dynamodb:GetItem
+ Resource:
+ - !Join
+ - ''
+ -
+ - 'arn:aws:dynamodb:'
+ - Ref: 'AWS::Region'
+ - ':'
+ - Ref: 'AWS::AccountId'
+ - ':table/'
+ - Ref: SubscriptionsTable
+ - Effect: Allow
+ Action:
+ - logs:CreateLogStream
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+ - Effect: Allow
+ Action:
+ - logs:PutLogEvents
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/graphicalReport.yml b/iam-role-resources/graphicalReport.yml
new file mode 100644
index 0000000..b70188c
--- /dev/null
+++ b/iam-role-resources/graphicalReport.yml
@@ -0,0 +1,53 @@
+Resources:
+ graphicalReportLambdaRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ${self:service}-${self:custom.stage}-graphicalReportLambdaRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: inlinePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - es:ESHttpPost
+ Resource:
+ - '${self:custom.esArn}/*'
+ - Effect: Allow
+ Action:
+ - s3:GetObject
+ - s3:PutObject
+ Resource:
+ - '${self:custom.s3BucketArn}/*'
+ - Effect: Allow
+ Action:
+ - logs:CreateLogStream
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+ - Effect: Allow
+ Action:
+ - logs:PutLogEvents
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/hybridReport.yml b/iam-role-resources/hybridReport.yml
new file mode 100644
index 0000000..f3d323e
--- /dev/null
+++ b/iam-role-resources/hybridReport.yml
@@ -0,0 +1,53 @@
+Resources:
+ hybridReportLambdaRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ${self:service}-${self:custom.stage}-hybridReportLambdaRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: inlinePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - es:ESHttpPost
+ Resource:
+ - '${self:custom.esArn}/*'
+ - Effect: Allow
+ Action:
+ - s3:GetObject
+ - s3:PutObject
+ Resource:
+ - '${self:custom.s3BucketArn}/*'
+ - Effect: Allow
+ Action:
+ - logs:CreateLogStream
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+ - Effect: Allow
+ Action:
+ - logs:PutLogEvents
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/matchRealTimeDigests.yml b/iam-role-resources/matchRealTimeDigests.yml
new file mode 100644
index 0000000..082f4fd
--- /dev/null
+++ b/iam-role-resources/matchRealTimeDigests.yml
@@ -0,0 +1,47 @@
+Resources:
+ matchRealTimeDigestsLambdaRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ${self:service}-${self:custom.stage}-matchRealTimeDigestsLambdaRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: inlinePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - es:ESHttpPost
+ Resource:
+ - '${self:custom.esArn}/*'
+ - Effect: Allow
+ Action:
+ - logs:CreateLogStream
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+ - Effect: Allow
+ Action:
+ - logs:PutLogEvents
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/pushNotificationOpenConnection.yml b/iam-role-resources/pushNotificationOpenConnection.yml
new file mode 100644
index 0000000..26b80f9
--- /dev/null
+++ b/iam-role-resources/pushNotificationOpenConnection.yml
@@ -0,0 +1,59 @@
+Resources:
+ pushNotificationOpenConnectionLambdaRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ${self:service}-${self:custom.stage}-pushNotificationOpenConnectionLambdaRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: inlinePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - states:DescribeExecution
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:states'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - 'execution'
+ - '${self:service}-${self:custom.stage}-csv-download-request'
+ - '*'
+ - Effect: Allow
+ Action:
+ - states:SendTaskSuccess
+ Resource: "*"
+ - Effect: Allow
+ Action:
+ - logs:CreateLogStream
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+ - Effect: Allow
+ Action:
+ - logs:PutLogEvents
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/pushNotificationToClient.yml b/iam-role-resources/pushNotificationToClient.yml
new file mode 100644
index 0000000..8fd5066
--- /dev/null
+++ b/iam-role-resources/pushNotificationToClient.yml
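Review bot: `states:SendTaskSuccess` is granted on `Resource: "*"` with no explanation, immediately after a DescribeExecution statement that is carefully scoped to the csv-download-request executions. To my knowledge the Step Functions SendTask* actions do not support resource-level permissions, so the wildcard is required rather than lax, but a reader doing a later least-privilege pass cannot tell that from the file; add `# SendTaskSuccess does not support resource-level permissions; "*" is required` above the statement. Separately, `RoleName` is a fixed string and IAM role names are limited to 64 characters; the suffix `-pushNotificationOpenConnectionLambdaRole` is already 41 of them, so a long service or stage name makes this file fail to deploy, and dropping the explicit RoleName (letting CloudFormation generate one) would remove that risk for every role in this commit.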
@@ -0,0 +1,57 @@
+Resources:
+ pushNotificationToClientLambdaRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ${self:service}-${self:custom.stage}-pushNotificationToClientLambdaRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: inlinePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - execute-api:Invoke
+ - execute-api:ManageConnections
+ Resource:
+ - !Join
+ - ''
+ -
+ - 'arn:aws:execute-api:'
+ - Ref: 'AWS::Region'
+ - ':'
+ - Ref: 'AWS::AccountId'
+ - ':'
+ - !Ref WebsocketsApi
+ - '/${self:custom.stage}/*'
+ - Effect: Allow
+ Action:
+ - logs:CreateLogStream
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+ - Effect: Allow
+ Action:
+ - logs:PutLogEvents
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/realTimeDigestEmailIterator.yml b/iam-role-resources/realTimeDigestEmailIterator.yml
new file mode 100644
index 0000000..918681b
--- /dev/null
+++ b/iam-role-resources/realTimeDigestEmailIterator.yml
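Review bot: The execute-api Join mixes the short-form `!Ref WebsocketsApi` with the long-form `Ref: 'AWS::Region'` and `Ref: 'AWS::AccountId'` in the same list, and every other role file in this commit uses the long form only. Both forms resolve identically, so this is style, but one intrinsic-function syntax per file is easier to read and to grep; `- Ref: WebsocketsApi` would match the rest of the statement.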
@@ -0,0 +1,42 @@
+Resources:
+ realTimeDigestEmailIteratorLambdaRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ${self:service}-${self:custom.stage}-realTimeDigestEmailIteratorLambdaRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: inlinePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - logs:CreateLogStream
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+ - Effect: Allow
+ Action:
+ - logs:PutLogEvents
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/reportGenerator.yml b/iam-role-resources/reportGenerator.yml
new file mode 100644
index 0000000..f7cca18
--- /dev/null
+++ b/iam-role-resources/reportGenerator.yml
@@ -0,0 +1,53 @@
+Resources:
+ reportGeneratorLambdaRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ${self:service}-${self:custom.stage}-reportGeneratorLambdaRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: inlinePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - es:ESHttpPost
+ Resource:
+ - '${self:custom.esArn}/*'
+ - Effect: Allow
+ Action:
+ - s3:GetObject
+ - s3:PutObject
+ Resource:
+ - '${self:custom.s3BucketArn}/*'
+ - Effect: Allow
+ Action:
+ - logs:CreateLogStream
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+ - Effect: Allow
+ Action:
+ - logs:PutLogEvents
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/reportStatus.yml b/iam-role-resources/reportStatus.yml
new file mode 100644
index 0000000..1ad717b
--- /dev/null
+++ b/iam-role-resources/reportStatus.yml
@@ -0,0 +1,55 @@
+Resources:
+ reportStatusLambdaRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ${self:service}-${self:custom.stage}-reportStatusLambdaRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: inlinePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - states:DescribeExecution
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:states'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - 'execution'
+ - '${self:service}-${self:custom.stage}-csv-download-request'
+ - '*'
+ - Effect: Allow
+ Action:
+ - logs:CreateLogStream
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+ - Effect: Allow
+ Action:
+ - logs:PutLogEvents
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/scheduledDailyDigests.yml b/iam-role-resources/scheduledDailyDigests.yml
new file mode 100644
index 0000000..c7c2bc5
--- /dev/null
+++ b/iam-role-resources/scheduledDailyDigests.yml
@@ -0,0 +1,67 @@
+Resources:
+ scheduledDailyDigestsLambdaRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ${self:service}-${self:custom.stage}-scheduledDailyDigestsLambdaRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: inlinePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - dynamodb:Scan
+ Resource:
+ - !Join
+ - ''
+ -
+ - 'arn:aws:dynamodb:'
+ - Ref: 'AWS::Region'
+ - ':'
+ - Ref: 'AWS::AccountId'
+ - ':table/'
+ - Ref: SubscriptionsTable
+ - Effect: Allow
+ Action:
+ - lambda:InvokeFunction
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:lambda'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - 'function'
+ - '${self:service}-${self:custom.stage}-calculateUserDailyDigest'
+ - Effect: Allow
+ Action:
+ - logs:CreateLogStream
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+ - Effect: Allow
+ Action:
+ - logs:PutLogEvents
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/search.yml b/iam-role-resources/search.yml
new file mode 100644
index 0000000..1946ea5
--- /dev/null
+++ b/iam-role-resources/search.yml
@@ -0,0 +1,47 @@
+Resources:
+ searchLambdaRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ${self:service}-${self:custom.stage}-searchLambdaRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: inlinePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - es:ESHttpPost
+ Resource:
+ - '${self:custom.esArn}/*'
+ - Effect: Allow
+ Action:
+ - logs:CreateLogStream
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+ - Effect: Allow
+ Action:
+ - logs:PutLogEvents
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/sendDigestEmail.yml b/iam-role-resources/sendDigestEmail.yml
new file mode 100644
index 0000000..e7f2417
--- /dev/null
+++ b/iam-role-resources/sendDigestEmail.yml
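Review bot: The Elasticsearch statement grants `es:ESHttpPost` on `'${self:custom.esArn}/*'`, i.e. POST to any path on the domain, which covers index write endpoints as well as queries, although a function named `search` presumably only issues `_search` requests. If that is the case the resource can be narrowed to the path(s) it actually reads, e.g. `- '${self:custom.esArn}/<INDEX_NAME>/_search'` (placeholder for the real index), which is how a dedicated per-function role pays off. The same statement appears unchanged in the other read-looking roles (getUserRealTimeSubscriptions in particular), and whether POST on the whole domain is genuinely needed by each caller cannot be verified from these hunks.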
@@ -0,0 +1,51 @@
+Resources:
+ sendDigestEmailLambdaRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ${self:service}-${self:custom.stage}-sendDigestEmailLambdaRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: inlinePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - ses:SendEmail
+ Resource: "*"
+ - Effect: Allow
+ Action:
+ - cognito-idp:AdminGetUser
+ Resource:
+ - { Fn::GetAtt: [CognitoUserPool, Arn] }
+ - Effect: Allow
+ Action:
+ - logs:CreateLogStream
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+ - Effect: Allow
+ Action:
+ - logs:PutLogEvents
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/iam-role-resources/sendEmail.yml b/iam-role-resources/sendEmail.yml
new file mode 100644
index 0000000..7747867
--- /dev/null
+++ b/iam-role-resources/sendEmail.yml
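Review bot: `ses:SendEmail` is granted on `Resource: "*"`, so this function may send from any identity verified in the account rather than only the one this service owns. SES accepts identity ARNs as the resource and supports a `ses:FromAddress` condition key, so the statement can be pinned to the sending identity in the same Join style the file already uses; the identical wildcard appears in sendEmail.yml and would take the same fix. The cognito-idp statement directly below is already scoped to the pool ARN, so this brings the file to the standard it sets for itself.
```yaml
- Effect: Allow
  Action:
    - ses:SendEmail
  Resource:
    - !Join
      - ':'
      -
        - 'arn:aws:ses'
        - Ref: 'AWS::Region'
        - Ref: 'AWS::AccountId'
        - 'identity/<VERIFIED_SENDER_IDENTITY>'   # placeholder: the verified domain or address this service sends from
  Condition:
    StringEquals:
      ses:FromAddress: '<SENDER_ADDRESS>'       # placeholder: the From address the function uses
# … unchanged: cognito-idp:AdminGetUser statement and the two logs statements …
```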
@@ -0,0 +1,46 @@
+Resources:
+ sendEmailLambdaRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ${self:service}-${self:custom.stage}-sendEmailLambdaRole
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: inlinePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - ses:SendEmail
+ Resource: "*"
+ - Effect: Allow
+ Action:
+ - logs:CreateLogStream
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*'
+ - Effect: Allow
+ Action:
+ - logs:PutLogEvents
+ Resource:
+ - !Join
+ - ':'
+ -
+ - 'arn:aws:logs'
+ - Ref: 'AWS::Region'
+ - Ref: 'AWS::AccountId'
+ - log-group
+ - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*'
diff --git a/serverless.yml b/serverless.yml
index 15552ba..487a951 100644
--- a/serverless.yml
+++ b/serverless.yml
@@ -483,1250 +483,131 @@ stepFunctions: - AwaitOpenConnectionFromClient resources: - Resources: - CognitoUserPool: - Type: AWS::Cognito::UserPool # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html - Properties: - UserPoolName: ${self:custom.stage}-${self:service}-users-pool - UsernameAttributes: - - email - AutoVerifiedAttributes: - - email - CognitoUserPoolClient: - Type: AWS::Cognito::UserPoolClient # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html - Properties: - ClientName: ${self:custom.stage}-${self:service}-user-pool-client - UserPoolId: - Ref: CognitoUserPool - GenerateSecret: false - CognitoIdentityPool: - Type: AWS::Cognito::IdentityPool # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html - Properties: - IdentityPoolName: ${self:custom.stage}SdeIdentityPool - AllowUnauthenticatedIdentities: false - CognitoIdentityProviders: - - ClientId: - Ref: CognitoUserPoolClient - ProviderName: - Fn::GetAtt: [ "CognitoUserPool", "ProviderName" ] - ApiGatewayAuthorizer: # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-authorizer.html - DependsOn: - - ApiGatewayRestApi - Type: AWS::ApiGateway::Authorizer - Properties: - Name: ${self:custom.stage}-${self:service}-api-authorizer - IdentitySource: method.request.header.Authorization - RestApiId: - Ref: ApiGatewayRestApi - Type: COGNITO_USER_POOLS - ProviderARNs: - - Fn::GetAtt: [CognitoUserPool, Arn] - SubscriptionsTable: - Type: AWS::DynamoDB::Table # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html - Properties: - TableName: ${self:custom.subscriptionsTableName} - AttributeDefinitions: - - AttributeName: userId - AttributeType: S - KeySchema: - - AttributeName: userId - KeyType: HASH - ProvisionedThroughput: - ReadCapacityUnits: 1 - WriteCapacityUnits: 1 - CognitoIdentityPoolRoles: 
- Type: AWS::Cognito::IdentityPoolRoleAttachment - Properties: - IdentityPoolId: - Ref: CognitoIdentityPool - Roles: - authenticated: - Fn::GetAtt: [CognitoAuthRole, Arn] - CognitoAuthRole: - Type: AWS::IAM::Role - Properties: - Path: / - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: 'Allow' - Principal: - Federated: 'cognito-identity.amazonaws.com' - Action: - - 'sts:AssumeRoleWithWebIdentity' - Condition: - StringEquals: - 'cognito-identity.amazonaws.com:aud': - Ref: CognitoIdentityPool - 'ForAnyValue:StringLike': - 'cognito-identity.amazonaws.com:amr': authenticated - Policies: - - PolicyName: 'CognitoAuthorizedPolicy' - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: 'Allow' - Action: - - 'cognito-sync:*' - - 'cognito-identity:*' - Resource: '*' - GatewayResponseDefault4XX: - Type: 'AWS::ApiGateway::GatewayResponse' - Properties: - ResponseParameters: - gatewayresponse.header.Access-Control-Allow-Origin: "'*'" - gatewayresponse.header.Content-Type: "'application/json'" - ResponseType: DEFAULT_4XX - RestApiId: - Ref: 'ApiGatewayRestApi' - GatewayResponseDefault5XX: - Type: 'AWS::ApiGateway::GatewayResponse' - Properties: - ResponseParameters: - gatewayresponse.header.Access-Control-Allow-Origin: "'*'" - gatewayresponse.header.Content-Type: "'application/json'" - ResponseType: DEFAULT_5XX - RestApiId: - Ref: 'ApiGatewayRestApi' - pushNotificationOpenConnectionLambdaRole: - Type: AWS::IAM::Role - Properties: - RoleName: ${self:service}-${self:custom.stage}-pushNotificationOpenConnectionLambdaRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: sts:AssumeRole - Policies: - - PolicyName: inlinePolicy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - states:DescribeExecution - Resource: - - !Join - - ':' - - - - 'arn:aws:states' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - 'execution' 
- - '${self:service}-${self:custom.stage}-csv-download-request' - - '*' - - Effect: Allow - Action: - - states:SendTaskSuccess - Resource: "*" - - Effect: Allow - Action: - - logs:CreateLogStream - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*' - - Effect: Allow - Action: - - logs:PutLogEvents - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*' - pushNotificationToClientLambdaRole: - Type: AWS::IAM::Role - Properties: - RoleName: ${self:service}-${self:custom.stage}-pushNotificationToClientLambdaRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: sts:AssumeRole - Policies: - - PolicyName: inlinePolicy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - execute-api:Invoke - - execute-api:ManageConnections - Resource: - - !Join - - '' - - - - 'arn:aws:execute-api:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':' - - !Ref WebsocketsApi - - '/${self:custom.stage}/*' - - Effect: Allow - Action: - - logs:CreateLogStream - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*' - - Effect: Allow - Action: - - logs:PutLogEvents - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*' - downloadRequestLambdaRole: - Type: AWS::IAM::Role - Properties: - RoleName: ${self:service}-${self:custom.stage}-downloadRequestLambdaRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - 
Action: sts:AssumeRole - Policies: - - PolicyName: inlinePolicy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - states:StartExecution - Resource: - - !Join - - ':' - - - - 'arn:aws:states' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - 'stateMachine' - - '${self:service}-${self:custom.stage}-csv-download-request' - - Effect: Allow - Action: - - states:GetActivityTask - Resource: - - !Join - - ':' - - - - 'arn:aws:states' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - 'activity' - - 'AwaitOpenConnectionFromClient' - - Effect: Allow - Action: - - logs:CreateLogStream - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*' - - Effect: Allow - Action: - - logs:PutLogEvents - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*' - createPostRequestLambdaRole: - Type: AWS::IAM::Role - Properties: - RoleName: ${self:service}-${self:custom.stage}-createPostRequestLambdaRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: sts:AssumeRole - Policies: - - PolicyName: inlinePolicy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - states:StartExecution - Resource: - - !Join - - ':' - - - - 'arn:aws:states' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - 'stateMachine' - - '${self:service}-${self:custom.stage}-create-post-request-step-function' - - Effect: Allow - Action: - - logs:CreateLogStream - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*' - - Effect: Allow - Action: - - logs:PutLogEvents - Resource: - - !Join - - ':' - - - - 
'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*' - searchLambdaRole: - Type: AWS::IAM::Role - Properties: - RoleName: ${self:service}-${self:custom.stage}-searchLambdaRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: sts:AssumeRole - Policies: - - PolicyName: inlinePolicy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - es:ESHttpPost - Resource: - - '${self:custom.esArn}/*' - - Effect: Allow - Action: - - logs:CreateLogStream - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*' - - Effect: Allow - Action: - - logs:PutLogEvents - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*' - graphicalReportLambdaRole: - Type: AWS::IAM::Role - Properties: - RoleName: ${self:service}-${self:custom.stage}-graphicalReportLambdaRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: sts:AssumeRole - Policies: - - PolicyName: inlinePolicy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - es:ESHttpPost - Resource: - - '${self:custom.esArn}/*' - - Effect: Allow - Action: - - s3:GetObject - - s3:PutObject - Resource: - - '${self:custom.s3BucketArn}/*' - - Effect: Allow - Action: - - logs:CreateLogStream - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*' - - Effect: Allow - Action: - - logs:PutLogEvents - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - 
- Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*' - hybridReportLambdaRole: - Type: AWS::IAM::Role - Properties: - RoleName: ${self:service}-${self:custom.stage}-hybridReportLambdaRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: sts:AssumeRole - Policies: - - PolicyName: inlinePolicy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - es:ESHttpPost - Resource: - - '${self:custom.esArn}/*' - - Effect: Allow - Action: - - s3:GetObject - - s3:PutObject - Resource: - - '${self:custom.s3BucketArn}/*' - - Effect: Allow - Action: - - logs:CreateLogStream - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*' - - Effect: Allow - Action: - - logs:PutLogEvents - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*' - sendEmailLambdaRole: - Type: AWS::IAM::Role - Properties: - RoleName: ${self:service}-${self:custom.stage}-sendEmailLambdaRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: sts:AssumeRole - Policies: - - PolicyName: inlinePolicy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - ses:SendEmail - Resource: "*" - - Effect: Allow - Action: - - logs:CreateLogStream - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*' - - Effect: Allow - Action: - - logs:PutLogEvents - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - 
'/aws/lambda/${self:service}-${self:custom.stage}*:*:*' - reportStatusLambdaRole: - Type: AWS::IAM::Role - Properties: - RoleName: ${self:service}-${self:custom.stage}-reportStatusLambdaRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: sts:AssumeRole - Policies: - - PolicyName: inlinePolicy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - states:DescribeExecution - Resource: - - !Join - - ':' - - - - 'arn:aws:states' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - 'execution' - - '${self:service}-${self:custom.stage}-csv-download-request' - - '*' - - Effect: Allow - Action: - - logs:CreateLogStream - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*' - - Effect: Allow - Action: - - logs:PutLogEvents - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*' - reportGeneratorLambdaRole: - Type: AWS::IAM::Role - Properties: - RoleName: ${self:service}-${self:custom.stage}-reportGeneratorLambdaRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: sts:AssumeRole - Policies: - - PolicyName: inlinePolicy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - es:ESHttpPost - Resource: - - '${self:custom.esArn}/*' - - Effect: Allow - Action: - - s3:GetObject - - s3:PutObject - Resource: - - '${self:custom.s3BucketArn}/*' - - Effect: Allow - Action: - - logs:CreateLogStream - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*' - - Effect: Allow - Action: - - 
logs:PutLogEvents - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*' - createPostLambdaRole: - Type: AWS::IAM::Role - Properties: - RoleName: ${self:service}-${self:custom.stage}-createPostLambdaRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: sts:AssumeRole - Policies: - - PolicyName: inlinePolicy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - es:ESHttpPost - Resource: - - '${self:custom.esArn}/*' - - Effect: Allow - Action: - - logs:CreateLogStream - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*' - - Effect: Allow - Action: - - logs:PutLogEvents - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*' - matchRealTimeDigestsLambdaRole: - Type: AWS::IAM::Role - Properties: - RoleName: ${self:service}-${self:custom.stage}-matchRealTimeDigestsLambdaRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: sts:AssumeRole - Policies: - - PolicyName: inlinePolicy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - es:ESHttpPost - Resource: - - '${self:custom.esArn}/*' - - Effect: Allow - Action: - - logs:CreateLogStream - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*' - - Effect: Allow - Action: - - logs:PutLogEvents - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - 
log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*' - realTimeDigestEmailIteratorLambdaRole: - Type: AWS::IAM::Role - Properties: - RoleName: ${self:service}-${self:custom.stage}-realTimeDigestEmailIteratorLambdaRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: sts:AssumeRole - Policies: - - PolicyName: inlinePolicy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - logs:CreateLogStream - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*' - - Effect: Allow - Action: - - logs:PutLogEvents - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*' - sendDigestEmailLambdaRole: - Type: AWS::IAM::Role - Properties: - RoleName: ${self:service}-${self:custom.stage}-sendDigestEmailLambdaRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: sts:AssumeRole - Policies: - - PolicyName: inlinePolicy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - ses:SendEmail - Resource: "*" - - Effect: Allow - Action: - - cognito-idp:AdminGetUser - Resource: - - { Fn::GetAtt: [CognitoUserPool, Arn] } - - Effect: Allow - Action: - - logs:CreateLogStream - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*' - - Effect: Allow - Action: - - logs:PutLogEvents - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*' - createSubscriptionLambdaRole: - 
Type: AWS::IAM::Role - Properties: - RoleName: ${self:service}-${self:custom.stage}-createSubscriptionLambdaRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: sts:AssumeRole - Policies: - - PolicyName: inlinePolicy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - dynamodb:GetItem - - dynamodb:PutItem - Resource: - - !Join - - '' - - - - 'arn:aws:dynamodb:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':table/' - - Ref: SubscriptionsTable - - Effect: Allow - Action: - - logs:CreateLogStream - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*' - - Effect: Allow - Action: - - logs:PutLogEvents - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*' - deleteSubscriptionLambdaRole: - Type: AWS::IAM::Role - Properties: - RoleName: ${self:service}-${self:custom.stage}-deleteSubscriptionLambdaRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: sts:AssumeRole - Policies: - - PolicyName: inlinePolicy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - dynamodb:GetItem - - dynamodb:PutItem - Resource: - - !Join - - '' - - - - 'arn:aws:dynamodb:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':table/' - - Ref: SubscriptionsTable - - Effect: Allow - Action: - - logs:CreateLogStream - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*' - - Effect: Allow - Action: - - logs:PutLogEvents - Resource: - - !Join - - ':' - - - - 
'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*' - getUserSubscriptionsLambdaRole: - Type: AWS::IAM::Role - Properties: - RoleName: ${self:service}-${self:custom.stage}-getUserSubscriptionsLambdaRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: sts:AssumeRole - Policies: - - PolicyName: inlinePolicy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - dynamodb:GetItem - Resource: - - !Join - - '' - - - - 'arn:aws:dynamodb:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':table/' - - Ref: SubscriptionsTable - - Effect: Allow - Action: - - logs:CreateLogStream - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*' - - Effect: Allow - Action: - - logs:PutLogEvents - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*' - createRealTimeSubscriptionLambdaRole: - Type: AWS::IAM::Role - Properties: - RoleName: ${self:service}-${self:custom.stage}-createRealTimeSubscriptionLambdaRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: sts:AssumeRole - Policies: - - PolicyName: inlinePolicy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - es:ESHttpPost - Resource: - - '${self:custom.esArn}/*' - - Effect: Allow - Action: - - logs:CreateLogStream - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*' - - Effect: Allow - Action: - - logs:PutLogEvents - Resource: - - 
!Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*' - deleteRealTimeSubscriptionLambdaRole: - Type: AWS::IAM::Role - Properties: - RoleName: ${self:service}-${self:custom.stage}-deleteRealTimeSubscriptionLambdaRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: sts:AssumeRole - Policies: - - PolicyName: inlinePolicy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - es:ESHttpPost - Resource: - - '${self:custom.esArn}/*' - - Effect: Allow - Action: - - logs:CreateLogStream - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*' - - Effect: Allow - Action: - - logs:PutLogEvents - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*' - getUserRealTimeSubscriptionsLambdaRole: - Type: AWS::IAM::Role - Properties: - RoleName: ${self:service}-${self:custom.stage}-getUserRealTimeSubscriptionsLambdaRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: sts:AssumeRole - Policies: - - PolicyName: inlinePolicy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - es:ESHttpPost - Resource: - - '${self:custom.esArn}/*' - - Effect: Allow - Action: - - logs:CreateLogStream - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*' - - Effect: Allow - Action: - - logs:PutLogEvents - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 
'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*' - scheduledDailyDigestsLambdaRole: - Type: AWS::IAM::Role - Properties: - RoleName: ${self:service}-${self:custom.stage}-scheduledDailyDigestsLambdaRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: sts:AssumeRole - Policies: - - PolicyName: inlinePolicy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - dynamodb:Scan - Resource: - - !Join - - '' - - - - 'arn:aws:dynamodb:' - - Ref: 'AWS::Region' - - ':' - - Ref: 'AWS::AccountId' - - ':table/' - - Ref: SubscriptionsTable - - Effect: Allow - Action: - - lambda:InvokeFunction - Resource: - - !Join - - ':' - - - - 'arn:aws:lambda' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - 'function' - - '${self:service}-${self:custom.stage}-calculateUserDailyDigest' - - Effect: Allow - Action: - - logs:CreateLogStream - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*' - - Effect: Allow - Action: - - logs:PutLogEvents - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*' - calculateUserDailyDigestLambdaRole: - Type: AWS::IAM::Role - Properties: - RoleName: ${self:service}-${self:custom.stage}-calculateUserDailyDigestLambdaRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: sts:AssumeRole - Policies: - - PolicyName: inlinePolicy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - es:ESHttpPost - Resource: - - '${self:custom.esArn}/*' - - Effect: Allow - Action: - - lambda:InvokeFunction - Resource: - - !Join - - ':' - - - - 
'arn:aws:lambda' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - 'function' - - '${self:service}-${self:custom.stage}-sendDigestEmail' - - Effect: Allow - Action: - - logs:CreateLogStream - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*' - - Effect: Allow - Action: - - logs:PutLogEvents - Resource: - - !Join - - ':' - - - - 'arn:aws:logs' - - Ref: 'AWS::Region' - - Ref: 'AWS::AccountId' - - log-group - - '/aws/lambda/${self:service}-${self:custom.stage}*:*:*' + - Resources: + CognitoUserPool: + Type: AWS::Cognito::UserPool # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html + Properties: + UserPoolName: ${self:custom.stage}-${self:service}-users-pool + UsernameAttributes: + - email + AutoVerifiedAttributes: + - email + CognitoUserPoolClient: + Type: AWS::Cognito::UserPoolClient # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html + Properties: + ClientName: ${self:custom.stage}-${self:service}-user-pool-client + UserPoolId: + Ref: CognitoUserPool + GenerateSecret: false + CognitoIdentityPool: + Type: AWS::Cognito::IdentityPool # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html + Properties: + IdentityPoolName: ${self:custom.stage}SdeIdentityPool + AllowUnauthenticatedIdentities: false + CognitoIdentityProviders: + - ClientId: + Ref: CognitoUserPoolClient + ProviderName: + Fn::GetAtt: [ "CognitoUserPool", "ProviderName" ] + ApiGatewayAuthorizer: # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-authorizer.html + DependsOn: + - ApiGatewayRestApi + Type: AWS::ApiGateway::Authorizer + Properties: + Name: ${self:custom.stage}-${self:service}-api-authorizer + IdentitySource: method.request.header.Authorization + RestApiId: + Ref: ApiGatewayRestApi + Type: 
COGNITO_USER_POOLS + ProviderARNs: + - Fn::GetAtt: [CognitoUserPool, Arn] + SubscriptionsTable: + Type: AWS::DynamoDB::Table # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html + Properties: + TableName: ${self:custom.subscriptionsTableName} + AttributeDefinitions: + - AttributeName: userId + AttributeType: S + KeySchema: + - AttributeName: userId + KeyType: HASH + ProvisionedThroughput: + ReadCapacityUnits: 1 + WriteCapacityUnits: 1 + CognitoIdentityPoolRoles: + Type: AWS::Cognito::IdentityPoolRoleAttachment + Properties: + IdentityPoolId: + Ref: CognitoIdentityPool + Roles: + authenticated: + Fn::GetAtt: [CognitoAuthRole, Arn] + CognitoAuthRole: + Type: AWS::IAM::Role + Properties: + Path: / + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: 'Allow' + Principal: + Federated: 'cognito-identity.amazonaws.com' + Action: + - 'sts:AssumeRoleWithWebIdentity' + Condition: + StringEquals: + 'cognito-identity.amazonaws.com:aud': + Ref: CognitoIdentityPool + 'ForAnyValue:StringLike': + 'cognito-identity.amazonaws.com:amr': authenticated + Policies: + - PolicyName: 'CognitoAuthorizedPolicy' + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: 'Allow' + Action: + - 'cognito-sync:*' + - 'cognito-identity:*' + Resource: '*' + GatewayResponseDefault4XX: + Type: 'AWS::ApiGateway::GatewayResponse' + Properties: + ResponseParameters: + gatewayresponse.header.Access-Control-Allow-Origin: "'*'" + gatewayresponse.header.Content-Type: "'application/json'" + ResponseType: DEFAULT_4XX + RestApiId: + Ref: 'ApiGatewayRestApi' + GatewayResponseDefault5XX: + Type: 'AWS::ApiGateway::GatewayResponse' + Properties: + ResponseParameters: + gatewayresponse.header.Access-Control-Allow-Origin: "'*'" + gatewayresponse.header.Content-Type: "'application/json'" + ResponseType: DEFAULT_5XX + RestApiId: + Ref: 'ApiGatewayRestApi' + + - ${file(iam-role-resources/pushNotificationOpenConnection.yml)} + - 
${file(iam-role-resources/pushNotificationToClient.yml)} + - ${file(iam-role-resources/downloadRequest.yml)} + - ${file(iam-role-resources/createPostRequest.yml)} + - ${file(iam-role-resources/search.yml)} + - ${file(iam-role-resources/graphicalReport.yml)} + - ${file(iam-role-resources/hybridReport.yml)} + - ${file(iam-role-resources/sendEmail.yml)} + - ${file(iam-role-resources/reportStatus.yml)} + - ${file(iam-role-resources/reportGenerator.yml)} + - ${file(iam-role-resources/createPost.yml)} + - ${file(iam-role-resources/matchRealTimeDigests.yml)} + - ${file(iam-role-resources/realTimeDigestEmailIterator.yml)} + - ${file(iam-role-resources/sendDigestEmail.yml)} + - ${file(iam-role-resources/createSubscription.yml)} + - ${file(iam-role-resources/deleteSubscription.yml)} + - ${file(iam-role-resources/getUserSubscriptions.yml)} + - ${file(iam-role-resources/createRealTimeSubscription.yml)} + - ${file(iam-role-resources/deleteRealTimeSubscription.yml)} + - ${file(iam-role-resources/getUserRealTimeSubscriptions.yml)} + - ${file(iam-role-resources/scheduledDailyDigests.yml)} + - ${file(iam-role-resources/calculateUserDailyDigest.yml)}
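Review bot: CognitoAuthRole's `CognitoAuthorizedPolicy` grants `cognito-sync:*` and `cognito-identity:*` on `Resource: '*'` to every authenticated identity; this hunk only relocates it, but it means any signed-in user's temporary credentials can call account-wide control-plane operations such as `cognito-identity:SetIdentityPoolRoles` or `cognito-identity:DeleteIdentityPool`. If the client only exchanges its user-pool token for credentials, it needs none of these (GetId/GetCredentialsForIdentity are authorized by the identity pool itself, not by this role), so the statement can be reduced to the actions the app actually calls and scoped to this pool, e.g. `Resource: !Join [':', ['arn:aws:cognito-identity', {Ref: 'AWS::Region'}, {Ref: 'AWS::AccountId'}, !Join ['/', ['identitypool', !Ref CognitoIdentityPool]]]]`. One caveat on the new structure: with `resources` now a list of `${file(...)}` includes, Serverless appears to deep-merge the `Resources` maps, so two files declaring the same logical ID would, I believe, silently overwrite each other rather than fail validation; a short comment above the include list noting that each file must use a unique `<name>LambdaRole` logical ID would make that expectation explicit.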