AWSTemplateFormatVersion: 2010-09-09 Description: Consumes events produced by the notification service and sends notifications to individual devices Parameters: Stack: Description: Stack name Type: String Default: mobile-notifications App: Description: Application name Type: String Stage: Description: Stage name Type: String AllowedValues: - CODE - PROD Default: CODE BuildId: Description: Tag to be used for the image URL, e.g. riff raff build id Type: String Default: dev DeployBucket: Description: Bucket where RiffRaff uploads artifacts on deploy Type: String Default: mobile-notifications-dist VpcId: Description: ID of the Notification VPC Type: AWS::EC2::VPC::Id VpcSubnets: Description: Subnets to use in the VPC Type: List<AWS::EC2::Subnet::Id> VPCSecurityGroup: Type: AWS::EC2::SecurityGroup::Id Description: The default security group of the VPC FullyQualifiedHandler: Description: The full name of the handler, including path, class name and method Type: String Resources: Dlq: Type: AWS::SQS::Queue Sqs: Type: AWS::SQS::Queue Properties: VisibilityTimeout: 300 MessageRetentionPeriod: 3600 # 1 hour RedrivePolicy: deadLetterTargetArn: !GetAtt Dlq.Arn maxReceiveCount: 5 Tags: - Key: Stage Value: !Ref Stage - Key: Stack Value: !Ref Stack - Key: App Value: !Ref App ExecutionRole: Type: AWS::IAM::Role DependsOn: Sqs Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: sts:AssumeRole Path: / Policies: - PolicyName: logs PolicyDocument: Statement: - Effect: Allow Action: logs:CreateLogGroup Resource: !Sub "arn:aws:logs:eu-west-1:${AWS::AccountId}:*" - Effect: Allow Action: - logs:CreateLogStream - logs:PutLogEvents Resource: - !Sub "arn:aws:logs:eu-west-1:${AWS::AccountId}:log-group:/aws/lambda/*:*" - PolicyName: SQS PolicyDocument: Statement: Effect: Allow Action: sqs:* Resource: !GetAtt Sqs.Arn - PolicyName: VPC PolicyDocument: Statement: Effect: Allow Action: - ec2:CreateNetworkInterface - ec2:DescribeNetworkInterfaces - ec2:DeleteNetworkInterface Resource: "*" - PolicyName: Conf PolicyDocument: Statement: - Action: ssm:GetParametersByPath Effect: Allow Resource: !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/notifications/${Stage}/workers/cleaner - PolicyName: Cloudwatch PolicyDocument: Statement: Effect: Allow Action: cloudwatch:PutMetricData Resource: "*" - PolicyName: connectRdsProxy PolicyDocument: Statement: - Action: - rds-db:connect Effect: Allow Resource: Fn::ImportValue: !Sub RegistrationsDbProxyId-${Stage} LambdaSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: !Sub Lambda to db in ${Stage} SecurityGroupEgress: - CidrIp: 0.0.0.0/0 FromPort: 443 IpProtocol: tcp ToPort: 443 VpcId: !Ref VpcId WorkerLambda: Type: AWS::Lambda::Function Properties: FunctionName: !Sub ${Stack}-${App}-ctr-${Stage} PackageType: Image Code: ImageUri: !Join [':', [!ImportValue NotificationLambdaRepositoryUri, !Ref BuildId]] Environment: Variables: Stage: !Ref Stage Stack: !Ref Stack App: !Ref App Description: Pick tokens that have been marked for deletion from an SQS queue, and deletes them from the database ImageConfig: Command: [!Ref FullyQualifiedHandler] MemorySize: 1024 Role: !GetAtt ExecutionRole.Arn Timeout: 300 ReservedConcurrentExecutions: 100 VpcConfig: SecurityGroupIds: - !GetAtt LambdaSecurityGroup.GroupId - !Ref VPCSecurityGroup SubnetIds: !Ref VpcSubnets Tags: - Key: Stage Value: !Ref Stage - Key: Stack Value: !Ref Stack - Key: App Value: !Ref App SqsEventSourceMapping: Type: AWS::Lambda::EventSourceMapping DependsOn: - Sqs - WorkerLambda Properties: BatchSize: 1 Enabled: True EventSourceArn: !GetAtt Sqs.Arn FunctionName: !Sub ${Stack}-${App}-ctr-${Stage} Outputs: SQSArn: Description: The arn of the sqs queue Value: !GetAtt Sqs.Arn