Merge pull request #17 from a-khaledf/feat/add-base-cloudformation-stack

Feat/add base cloudformation stack
axiomhq · May 17, 2022 · 7769830 · 7769830
2 parents fccf82c + 37fbaa1
commit 7769830
Show file tree

Hide file tree

Showing 4 changed files with 91 additions and 5 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -15,10 +15,15 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - lint
+    strategy:
+      matrix:
+        template:
+          - axiom-cloudfront-lambda-cloudformation-stack
+          - axiom-cloudfront-lambda-base-cloudformation-stack
     steps:
       - uses: actions/checkout@v3
       - run: wget https://github.com/mikefarah/yq/releases/download/v$YQ_VERSION/yq_linux_amd64.tar.gz -O - | tar xz && mv yq_linux_amd64 /usr/local/bin/yq
       - run: |-
           mkdir build
-          yq ".Resources.LogsLambda.Properties.Code.ZipFile = \"$(sed  's/\"/\\\"/g' handler.py)\""  axiom-cloudfront-lambda-cloudformation-stack.template.yaml > build/axiom-cloudfront-lambda-cloudformation-stack.yaml
-      - run: cat build/axiom-cloudfront-lambda-cloudformation-stack.yaml
+          yq ".Resources.LogsLambda.Properties.Code.ZipFile = \"$(sed  's/\"/\\\"/g' handler.py)\""  ${{ matrix.template }}.template.yaml > build/${{ matrix.template }}.yaml
+      - run: cat build/${{ matrix.template }}.yaml
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -22,4 +22,4 @@ jobs:
           SOURCE_DIR: build
           AWS_S3_BUCKET: "axiom-cloudformation-stacks"
           AWS_ACCESS_KEY_ID: ${{ secrets.S3_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.S3_SECRET_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.S3_SECRET_ACCESS_KEY }}
diff --git a/README.md b/README.md
@@ -7,5 +7,6 @@ logs from your CloudFront to [Axiom](https://axiom.co).
 
 1. Create an account at [Axiom Cloud](https://cloud.axiom.co)
 2. Create a dataset and an API token with ingest permission for that dataset
-3. Launch the stack: [![Launch Stack](https://s3.amazonaws.com/cloudformation-examples/cloudformation-launch-stack.png)](https://console.aws.amazon.com/cloudformation/home?#/stacks/new?stackName=CloudFront-Axiom&templateURL=https://axiom-cloudformation-stacks.s3.amazonaws.com/axiom-cloudfront-lambda-cloudformation-stack.yaml)
-4. Set up your CloudFront to store logs in the bucket you specified
+3. If S3 bucket exists, [![Launch Stack](https://s3.amazonaws.com/cloudformation-examples/cloudformation-launch-stack.png)](https://console.aws.amazon.com/cloudformation/home?#/stacks/new?stackName=CloudFront-Axiom&templateURL=https://axiom-cloudformation-stacks.s3.amazonaws.com/axiom-cloudfront-lambda-base-cloudformation-stack.yaml)
+4. If S3 bucket doesn't exists, Launch the stack: [![Launch Stack](https://s3.amazonaws.com/cloudformation-examples/cloudformation-launch-stack.png)](https://console.aws.amazon.com/cloudformation/home?#/stacks/new?stackName=CloudFront-Axiom&templateURL=https://axiom-cloudformation-stacks.s3.amazonaws.com/axiom-cloudfront-lambda-cloudformation-stack.yaml)
+5. Set up your CloudFront to store logs in the bucket you specified
diff --git a/axiom-cloudfront-lambda-base-cloudformation-stack.template.yaml b/axiom-cloudfront-lambda-base-cloudformation-stack.template.yaml
@@ -0,0 +1,80 @@
+Parameters:
+  BucketName:
+    Description: The Name of the S3 Bucket.
+    Type: String
+    MinLength: 1
+  AxiomToken:
+    Description: The Token of User in Axiom. Must start with xaat- or xait-.
+    Type: String
+    NoEcho: true
+    MinLength: 1
+    AllowedPattern: "^(xaat-|xait-).*"
+  AxiomURL:
+    Type: String
+    Default: "https://cloud.axiom.co"
+    Description: The URL of Axiom endpoint. Defaults to "https://cloud.axiom.co".
+  AxiomDataset:
+    Type: String
+    Description: The Name of the Dataset in Axiom.
+    MinLength: 1
+Resources:
+  LogsRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action:
+              - 'sts:AssumeRole'
+            Effect: Allow
+            Principal:
+              Service:
+                - lambda.amazonaws.com
+      ManagedPolicyArns:
+        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
+  LogsPolicy:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyDocument:
+        Statement:
+          - Action:
+              - 's3:GetObject'
+              - 's3:ListBucket'
+            Effect: Allow
+            Resource:
+              - !Sub
+                - 'arn:aws:s3:::${BucketSub}'
+                - BucketSub: !Ref 'BucketName'
+              - 'arn:aws:s3:::*/*'
+      PolicyName: axiom-cloudfront-lambda-policy
+      Roles:
+        - !Ref 'LogsRole'
+  LogsLambda:
+    Type: AWS::Lambda::Function
+    Properties:
+      Runtime: python3.9
+      FunctionName: axiom-cloudfront-lambda
+      Handler: index.lambda_handler
+      Code:
+        ZipFile: |
+          # DO NOT EDIT
+          # CI will replace these comments with the code from ./handler.py
+      Role: !GetAtt
+        - LogsRole
+        - Arn
+      Environment:
+        Variables:
+          AXIOM_TOKEN: !Ref 'AxiomToken'
+          AXIOM_DATASET: !Ref 'AxiomDataset'
+          AXIOM_URL: !Ref 'AxiomURL'
+  LogsLambdaPermission:
+    Type: AWS::Lambda::Permission
+    DependsOn:
+      - LogsLambda
+    Properties:
+      Action: lambda:InvokeFunction
+      FunctionName: !Ref 'LogsLambda'
+      Principal: s3.amazonaws.com
+      SourceAccount: !Ref 'AWS::AccountId'
+      SourceArn: !Sub
+        - 'arn:aws:s3:::${BucketSub}'
+        - BucketSub: !Ref 'BucketName'