import os
import json
import pulumi
import pulumi_aws as aws
import pulumi_awsx as awsx
# Backend and secrets-provider settings handed to the Pulumi program that runs
# inside the Lambda container (./pulumi-lambda). They should normally point at
# the same backend and secrets provider used to deploy this program, so both
# programs read and write the same state.
# Both are mandatory: os.environ[...] raises KeyError at import time when one
# is missing, which fails the deployment early instead of shipping a Lambda
# with an empty configuration.
PULUMI_BACKEND_URL, PULUMI_SECRETS_PROVIDER = (
    os.environ[name] for name in ("PULUMI_BACKEND_URL", "PULUMI_SECRETS_PROVIDER")
)
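# ECR repository that holds the container image the Lambda runs from.
# scan_on_push=True turns on ECR image scanning for every pushed image, so known
# vulnerabilities in the image's OS packages are reported before the Lambda is
# updated to run it (the previous declaration disabled scanning).
# image_tag_mutability stays MUTABLE because the awsx image build below pushes
# into this repository on each deploy; consuming the image by digest rather than
# by tag keeps a re-pushed tag from silently changing what the Lambda runs.
# force_delete=True lets `pulumi destroy` remove the repository even while it
# still contains images.
lambda_ecr_repository = aws.ecr.Repository(
    "lambda-ecr-repository",
    image_scanning_configuration=aws.ecr.RepositoryImageScanningConfigurationArgs(
        scan_on_push=True,
    ),
    image_tag_mutability="MUTABLE",
    force_delete=True,
)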
# Build the Lambda container image from ./pulumi-lambda and push it into the
# repository above; its image_uri is what the Lambda function is pointed at.
# The build context is the whole ./pulumi-lambda directory: depending on the
# Dockerfile's COPY lines and .dockerignore, local files in it (state, config,
# credentials) may end up inside the image layers.
_lambda_image_build_context = "./pulumi-lambda"
lambda_ecr_docker_image = awsx.ecr.Image(
    "lambda-docker-image-ecr",
    repository_url=lambda_ecr_repository.repository_url,
    path=_lambda_image_build_context,
    dockerfile=f"{_lambda_image_build_context}/Dockerfile",
)
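# Note: if using S3 as a pulumi backend, the lambda would also require permissions for accessing the bucket
# Same goes for when using KMS key as a secrets provider

# Trust policy: only the Lambda service may assume the execution role.
_lambda_assume_role_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAssumeRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"Service": "lambda.amazonaws.com"},
        }
    ],
}

# Log group/stream creation and log delivery for the function's own output.
_cloudwatch_logs_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCloudwatchLogsAccess",
            "Effect": "Allow",
            "Resource": "arn:aws:logs:*:*:*",
            "Action": [
                "logs:PutLogEvents",
                "logs:DescribeLogStreams",
                "logs:CreateLogStream",
                "logs:CreateLogGroup",
            ],
        }
    ],
}

# Pulumi backend bucket and static-site bucket access.
# Note: update this policy if lambda needs more permissions for deploying pulumi program
# Risk: "s3:*" on Resource "*" grants every S3 operation on every bucket in the
# account, including bucket-policy changes, to whatever can invoke the function
# (the function URL below is created with authorization_type="NONE"). Narrow
# Action to the operations the Pulumi program actually issues and Resource to
# the backend bucket and the static-site bucket (bucket ARN plus "<bucket-arn>/*")
# once those are known.
_pulumi_backend_s3_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3Access",
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": "*",
        }
    ],
}

# KMS access for the Pulumi secrets provider.
# Note: remove this when not using KMS as a secrets provider
# The Sid used to read "AllowS3Access" (copied from the S3 policy); it is renamed
# so the statement is identifiable in the IAM console and in CloudTrail.
# Would be better to specify key and restrict this policy: Resource "*" lets the
# role decrypt with every KMS key in the account, not just the secrets-provider key.
_pulumi_secrets_provider_kms_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPulumiSecretsProviderKmsAccess",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey",
            ],
            "Resource": "*",
        }
    ],
}

# Execution role for the Lambda. Permissions are inline policies, so they are
# created and deleted together with the role.
lambda_iam_role = aws.iam.Role(
    "lambda-iam-role",
    assume_role_policy=json.dumps(_lambda_assume_role_policy),
    inline_policies=[
        aws.iam.RoleInlinePolicyArgs(
            name="AllowCWLoggingAccess",
            policy=json.dumps(_cloudwatch_logs_policy),
        ),
        aws.iam.RoleInlinePolicyArgs(
            name="AllowPulumiBackendAndStaticSiteS3Access",
            policy=json.dumps(_pulumi_backend_s3_policy),
        ),
        aws.iam.RoleInlinePolicyArgs(
            name="AllowPulumiSecretsProviderKmsAccess",
            policy=json.dumps(_pulumi_secrets_provider_kms_policy),
        ),
    ],
)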
# Environment handed to the deployer container. The two PULUMI_* values come
# straight from this process's environment so the in-container Pulumi program
# targets the same backend and secrets provider.
# LOG_LEVEL=DEBUG: verbose output from a deployer may echo resource inputs into
# CloudWatch Logs; reconsider before pointing this at production state.
_lambda_environment = {
    "LOG_LEVEL": "DEBUG",
    "PULUMI_BACKEND_URL": PULUMI_BACKEND_URL,
    "PULUMI_SECRETS_PROVIDER": PULUMI_SECRETS_PROVIDER,
}

# 15 minutes which is the max timeout
_LAMBDA_MAX_TIMEOUT_SECONDS = 900

# Container-image Lambda running the Pulumi program built above, under the
# execution role defined above.
lambda_function = aws.lambda_.Function(
    "lambda-function",
    role=lambda_iam_role.arn,
    package_type="Image",
    image_uri=lambda_ecr_docker_image.image_uri,
    timeout=_LAMBDA_MAX_TIMEOUT_SECONDS,
    memory_size=2048,
    # required when installing pulumi plugins in the lambda function
    ephemeral_storage=aws.lambda_.FunctionEphemeralStorageArgs(size=1024),
    environment=aws.lambda_.FunctionEnvironmentArgs(variables=_lambda_environment),
)
# CORS settings for the function URL.
# allow_credentials=True together with allow_origins=["*"] is contradictory for
# browsers, which refuse credentialed responses that carry a wildcard origin;
# list the calling origins explicitly if credentials are really needed.
_lambda_url_cors = aws.lambda_.FunctionUrlCorsArgs(
    allow_origins=["*"],
    allow_methods=["*"],
    allow_headers=["*"],
    expose_headers=["*"],
    allow_credentials=True,
    max_age=86400,  # preflight results may be cached for a day
)

# Public HTTPS endpoint for invoking the deployer.
# authorization_type="NONE" means anyone who learns the URL can invoke the
# Lambda, and through it exercise the role's s3:* and KMS permissions, without
# any IAM signature. Unless this is a deliberately public webhook, "AWS_IAM"
# (callers sign their requests) is the usual fix; at minimum, restrict the
# role's policies before exposing the URL.
lambda_function_url = aws.lambda_.FunctionUrl(
    "lambda-function-url",
    function_name=lambda_function.name,
    authorization_type="NONE",
    cors=_lambda_url_cors,
)
# Stack output: the function URL, so callers and other stacks can look it up.
# Anyone with read access to the stack's outputs sees the (unauthenticated) URL.
pulumi.export(name="url", value=lambda_function_url.function_url)