s3objectlambda_defaultconfig.yaml
```yaml
#####################################################################
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
#####################################################################
Description: >
  Use this template to get started with Amazon S3 Object Lambda and automate the setup process.
  This template creates the relevant resources, configures IAM roles, and sets up a Lambda function that handles
  requests made through an S3 Object Lambda Access Point. You can implement best practices, improve your security
  posture, reduce errors caused by manual processes, and focus on implementing business logic instead of
  managing the setup process.
Mappings:
  # The handler name the deployment package must export for each supported runtime.
  LambdaRuntimeHandlerMapping:
    nodejs20.x:
      handler: s3objectlambda.handler
    python3.9:
      handler: s3objectlambda.handler
    java17:
      handler: com.example.s3objectlambda.Handler::handleRequest
Parameters:
  S3BucketName:
    Type: String
    Description: >
      An Amazon S3 bucket name to use with S3 Object Lambda. The bucket must exist in the same AWS account and
      AWS Region in which this template is deployed. The bucket must also delegate access control to access points,
      i.e. its bucket policy allows access conditioned on s3:DataAccessPointAccount matching this account.
  ObjectLambdaAccessPointName:
    Type: String
    Description: Name of the Amazon S3 Object Lambda Access Point.
  CreateNewSupportingAccessPoint:
    Type: String
    Description: Flag that indicates whether a new supporting Access Point should be created.
    Default: false
    AllowedValues: [true, false]
  SupportingAccessPointName:
    Type: String
    Description: Name of the Amazon S3 Access Point associated with the S3 bucket passed in the S3BucketName parameter.
  LambdaFunctionS3BucketName:
    Type: String
    Description: >
      Name of the Amazon S3 bucket where you have uploaded the Lambda function deployment package. The bucket
      must be in the same AWS Region as your function, but can be in a different AWS account.
  LambdaFunctionS3Key:
    Type: String
    Description: The Amazon S3 key of the Lambda function deployment package.
  LambdaFunctionS3ObjectVersion:
    Type: String
    # Pinning the object version means a later overwrite of the package cannot silently change the deployed code;
    # it requires versioning to be enabled on the package bucket.
    Description: The version ID of the Lambda function deployment package object stored in Amazon S3.
  LambdaFunctionPayload:
    Type: String
    Default: ""
    Description: An optional static payload that provides supplemental data to the Lambda function used to transform objects.
  LambdaFunctionRuntime:
    Type: String
    AllowedValues: [ nodejs20.x, python3.9, java17 ]
    Description: Identifier for the Lambda function runtime.
  EnableCloudWatchMonitoring:
    Type: String
    Description: >
      Flag to enable CloudWatch request metrics from S3 Object Lambda. This also creates CloudWatch alarms
      to monitor the request metrics.
    Default: false
    AllowedValues: [ true, false ]
Conditions:
  ShouldCreateNewSupportingAccessPoint: !Equals [!Ref CreateNewSupportingAccessPoint, true]
  ShouldEnableMonitoring: !Equals [!Ref EnableCloudWatchMonitoring, true]
Resources:
  ObjectLambdaAccessPoint:
    Type: AWS::S3ObjectLambda::AccessPoint
    Properties:
      Name:
        Ref: ObjectLambdaAccessPointName
      ObjectLambdaConfiguration:
        # If creating a new Supporting Access Point, get the Arn from the new resource.
        # Else construct the Arn using the SupportingAccessPointName input parameter.
        SupportingAccessPoint: !If
          - ShouldCreateNewSupportingAccessPoint
          - !GetAtt SupportingAccessPoint.Arn
          - !Sub "arn:${AWS::Partition}:s3:${AWS::Region}:${AWS::AccountId}:accesspoint/${SupportingAccessPointName}"
        # With these features enabled, Range and partNumber requests are passed through to the function,
        # which becomes responsible for applying them to the transformed object.
        AllowedFeatures:
          - GetObject-Range
          - GetObject-PartNumber
          - HeadObject-Range
          - HeadObject-PartNumber
        CloudWatchMetricsEnabled:
          Ref: EnableCloudWatchMonitoring
        TransformationConfigurations:
          - Actions: [ GetObject, ListObjects, ListObjectsV2, HeadObject ]
            ContentTransformation:
              AwsLambda:
                FunctionArn: !GetAtt LambdaFunction.Arn
                # Delivered verbatim to the function in event.configuration.payload.
                FunctionPayload:
                  Ref: LambdaFunctionPayload
  SupportingAccessPoint:
    Type: AWS::S3::AccessPoint
    Condition: ShouldCreateNewSupportingAccessPoint
    Properties:
      Bucket:
        Ref: S3BucketName
      Name:
        Ref: SupportingAccessPointName
  LambdaExecutionRole:
    Type: "AWS::IAM::Role"
    Properties:
      # AmazonS3ObjectLambdaExecutionRolePolicy grants s3-object-lambda:WriteGetObjectResponse and CloudWatch Logs
      # write access only. The function reads the original object through the presigned URL it receives in the
      # event, so the role needs no s3:GetObject permission of its own.
      # The partition pseudo-parameter keeps the ARN valid in non-standard partitions (aws-us-gov, aws-cn).
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonS3ObjectLambdaExecutionRolePolicy"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - "sts:AssumeRole"
      Tags:
        - Key: "CreatedBy"
          Value: "S3 Object Lambda Default Configuration"
  LambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket:
          Ref: LambdaFunctionS3BucketName
        S3Key:
          Ref: LambdaFunctionS3Key
        S3ObjectVersion:
          Ref: LambdaFunctionS3ObjectVersion
      Handler: !FindInMap [LambdaRuntimeHandlerMapping, !Ref LambdaFunctionRuntime, handler]
      MemorySize: 1024
      Timeout: 60
      PackageType: Zip
      Role: !GetAtt LambdaExecutionRole.Arn
      Runtime:
        Ref: LambdaFunctionRuntime
      Tags:
        - Key: "CreatedBy"
          Value: "S3 Object Lambda Default Configuration"
  ClientSideErrorsAlarm:
    Type: AWS::CloudWatch::Alarm
    Condition: ShouldEnableMonitoring
    Properties:
      AlarmDescription: Indicates that client-side errors (HTTP 4xx) are being returned by the S3 Object Lambda Access Point.
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Dimensions:
        - Name: AccessPointName
          Value: !Ref ObjectLambdaAccessPoint
        - Name: LambdaARN
          Value: !GetAtt LambdaFunction.Arn
      MetricName: 4xxErrors
      Namespace: "AWS/S3ObjectLambda"
      EvaluationPeriods: 5
      Period: 60 # 1 minute
      # Each request reports 0 or 1 to this metric, so its Average over a period is the error rate.
      Statistic: Average
      Threshold: 0.01 # Alarms when at least 1% of requests return a client-side error in 5 consecutive periods
      TreatMissingData: notBreaching # no requests in a period counts as healthy, not as an alarm
  ServerSideErrorsAlarm:
    Type: AWS::CloudWatch::Alarm
    Condition: ShouldEnableMonitoring
    Properties:
      AlarmDescription: Indicates that server-side errors (HTTP 5xx) are being returned by the S3 Object Lambda Access Point.
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Dimensions:
        - Name: AccessPointName
          Value: !Ref ObjectLambdaAccessPoint
        - Name: LambdaARN
          Value: !GetAtt LambdaFunction.Arn
      MetricName: 5xxErrors
      Namespace: "AWS/S3ObjectLambda"
      EvaluationPeriods: 5
      Period: 60 # 1 minute
      Statistic: Average
      Threshold: 0.01 # Alarms when at least 1% of requests return a server-side error in 5 consecutive periods
      TreatMissingData: notBreaching
Outputs:
  ObjectLambdaAccessPoint:
    Description: The Amazon S3 Object Lambda Access Point created by this CloudFormation stack.
    Value: !Ref ObjectLambdaAccessPoint
```
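The `LambdaRuntimeHandlerMapping` entry, the `FunctionPayload` passed through `TransformationConfigurations`, the `AllowedFeatures` list and the execution role together define a contract the deployment package has to satisfy: export the named handler, read the original object through the presigned URL in the event, treat the static payload as untrusted configuration, apply any `Range` request itself, and always answer through `WriteGetObjectResponse`. The Python handler below is an added example of a function in the shape `s3objectlambda.handler`; it is not the project's own function code. The e-mail redaction rule, the constructed event, and the injectable `fetch`/`write` transports (so the module runs and is testable without AWS access) are assumptions.

```python
"""Added example of a Python S3 Object Lambda handler matching the template's
Handler value "s3objectlambda.handler". Not the project's own function code:
the redaction rule, the constructed event and the injectable transports are assumptions."""
import json
import logging
import re
import urllib.request

# Constructed sample of the event S3 Object Lambda delivers for a GetObject call.
# Field names follow the documented event shape; every value here is made up.
SAMPLE_EVENT = {
    "getObjectContext": {
        "inputS3Url": "https://example-ap-111122223333.s3-accesspoint.us-east-1.amazonaws.com/report.txt?X-Amz-Signature=constructed",
        "outputRoute": "io-constructed-route",
        "outputToken": "constructed-token",
    },
    "configuration": {
        "supportingAccessPointArn": "arn:aws:s3:us-east-1:111122223333:accesspoint/example-ap",
        # This is the template's LambdaFunctionPayload parameter, delivered verbatim as a string.
        "payload": json.dumps({"redact": ["email"]}),
    },
    "userRequest": {
        "url": "https://example-olap-111122223333.s3-object-lambda.us-east-1.amazonaws.com/report.txt",
        "headers": {},
    },
}

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
RANGE_RE = re.compile(r"^bytes=(\d*)-(\d*)$")


class RangeError(ValueError):
    """Raised for a Range header this function cannot satisfy (mapped to HTTP 416)."""


def parse_payload(raw):
    """FunctionPayload is an opaque string chosen at deploy time; parse it defensively."""
    if not raw:
        return {}
    try:
        cfg = json.loads(raw)
    except ValueError:
        return {}
    return cfg if isinstance(cfg, dict) else {}


def transform(body, cfg):
    """Redact e-mail addresses when the payload asks for it (assumed transformation)."""
    if "email" in cfg.get("redact", []):
        return EMAIL_RE.sub(b"[redacted]", body)
    return body


def apply_range(body, range_header):
    """Apply an HTTP Range to the *transformed* bytes. Returns (slice, Content-Range or None).
    Only a single byte range is supported; anything else raises RangeError."""
    if not range_header:
        return body, None
    m = RANGE_RE.match(range_header.strip())
    total = len(body)
    if not m or (m.group(1) == "" and m.group(2) == ""):
        raise RangeError("unsupported Range header")
    if m.group(1) == "":  # suffix form: last N bytes
        start, end = max(total - int(m.group(2)), 0), total - 1
    else:
        start = int(m.group(1))
        end = total - 1 if m.group(2) == "" else min(int(m.group(2)), total - 1)
    if start >= total or start > end:
        raise RangeError("range not satisfiable")
    return body[start:end + 1], f"bytes {start}-{end}/{total}"


def fetch_original(url):
    """Default transport: read the original object through the presigned inputS3Url.
    The execution role needs no s3:GetObject for this; the URL carries the caller's authorization."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


def write_response(route, token, **kwargs):
    """Default transport: return the result to S3 with WriteGetObjectResponse, the one S3
    permission AmazonS3ObjectLambdaExecutionRolePolicy grants."""
    import boto3  # imported lazily so the module also loads where boto3 is absent
    boto3.client("s3").write_get_object_response(RequestRoute=route, RequestToken=token, **kwargs)


def handler(event, context=None, fetch=fetch_original, write=write_response):
    """Lambda entry point. Returns the HTTP status handed back to S3 (convenient for tests)."""
    ctx = event["getObjectContext"]
    route, token = ctx["outputRoute"], ctx["outputToken"]
    cfg = parse_payload(event.get("configuration", {}).get("payload", ""))
    headers = {k.lower(): v for k, v in event.get("userRequest", {}).get("headers", {}).items()}
    try:
        out = transform(fetch(ctx["inputS3Url"]), cfg)
        out, content_range = apply_range(out, headers.get("range"))  # range applies AFTER transform
    except RangeError as exc:
        write(route, token, StatusCode=416, ErrorCode="InvalidRange", ErrorMessage=str(exc))
        return 416
    except Exception:
        # Always close the request, or the client hangs until S3 times out; keep details in the logs only.
        logging.exception("transformation failed")
        write(route, token, StatusCode=500, ErrorCode="TransformFailed", ErrorMessage="transformation failed")
        return 500
    if content_range:
        write(route, token, StatusCode=206, ContentRange=content_range, Body=out)
        return 206
    write(route, token, Body=out)
    return 200
```

Two design points follow from the template rather than from taste. Because `AllowedFeatures` enables `GetObject-Range`, a ranged GET arrives with the `Range` header in `userRequest.headers` and the function must apply it to the transformed bytes, not the original ones, since redaction shifts offsets; `GetObject-PartNumber` is enabled too but not handled here, so a real function either handles `partNumber` or the feature is dropped from the template. The error paths never return exception text to the caller: details go to CloudWatch Logs, which the execution role can write, while the client sees only a status and a generic message.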
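The `S3BucketName` parameter requires a bucket that "delegates access control to access points", which the template neither creates nor verifies. The Python below is an added example, not part of the project: it builds the delegation bucket policy for a given bucket and account and then reviews an existing policy for the two ways this step commonly goes wrong, delegating to every account's access points instead of this one, or leaving an older unconditional wildcard grant next to the delegation. The bucket and account values are constructed.

```python
"""Added example: build and check the bucket policy that lets a bucket "delegate access
control to access points", as the S3BucketName parameter requires. Not the project's
code; bucket and account values below are constructed."""
import json


def access_point_delegation_policy(bucket, account_id, partition="aws"):
    """The documented delegation pattern: allow everything at the bucket level, but only
    when the request arrives through an access point owned by account_id. The access point
    policy and the caller's IAM policy still have to grant the action."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DelegateToAccessPointsInThisAccount",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:*",
            "Resource": [f"arn:{partition}:s3:::{bucket}", f"arn:{partition}:s3:::{bucket}/*"],
            "Condition": {"StringEquals": {"s3:DataAccessPointAccount": account_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def check_delegation(policy, account_id):
    """Review every Allow statement with a wildcard principal. Returns a list of findings;
    an empty list means this account's access points are delegated to and nothing wider."""
    findings, delegated = [], False
    for st in _as_list(policy.get("Statement", [])):
        sid = st.get("Sid", "<no Sid>")
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        cond = st.get("Condition") or {}
        accounts = set(_as_list(cond.get("StringEquals", {}).get("s3:DataAccessPointAccount", [])))
        if not cond:
            findings.append(f"{sid}: Allow with Principal * and no Condition is a public grant")
        elif not accounts:
            findings.append(f"{sid}: Principal * without s3:DataAccessPointAccount; review its conditions")
        elif accounts != {account_id}:
            findings.append(f"{sid}: delegates to access points outside account {account_id}: "
                            f"{sorted(accounts - {account_id})}")
        else:
            delegated = True
    if not delegated:
        findings.append(f"no statement delegates access control to access points in account {account_id}")
    return findings


# Constructed policy that is wider than intended: the correct same-account delegation next to a
# leftover public-read statement from an earlier use of the bucket.
SAMPLE_TOO_BROAD = {
    "Version": "2012-10-17",
    "Statement": [
        access_point_delegation_policy("example-bucket", "111122223333")["Statement"][0],
        {"Sid": "LegacyPublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(access_point_delegation_policy("example-bucket", "111122223333"), indent=2))
    for finding in check_delegation(SAMPLE_TOO_BROAD, "111122223333"):
        print("finding:", finding)
```

Once `s3:*` is delegated this way, the bucket policy no longer narrows what access-point traffic may do; that responsibility moves to the access point policies and the callers' IAM policies, and the supporting access point this template creates has no access point policy of its own. The `s3:DataAccessPointAccount` condition is one of the conditions S3 Block Public Access treats as non-public, which is why the wildcard principal in the delegation statement is acceptable while the unconditional `LegacyPublicRead` statement in the sample is not.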