@aws-solutions-constructs/aws-apigatewayv2websocket-sqs
CDK constructs for defining an interaction between an AWS Lambda function and an Amazon S3 bucket.
{
"Description": "Integration Test for aws-apigateway-sqs",
"Resources": {
"connectServiceRoleD6E70EFD": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":logs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":log-group:/aws/lambda/*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "LambdaFunctionServiceRolePolicy"
}
]
},
"Metadata": {
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK"
]
}
}
},
"connectEB2081F1": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
},
"S3Key": "9da0e8bdfa0712cb47fc2d6c6bad128e2edc58ffe5a8af5a322914f5c63609d1.zip"
},
"Environment": {
"Variables": {
"AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1"
}
},
"Handler": "connect.handler",
"Role": {
"Fn::GetAtt": [
"connectServiceRoleD6E70EFD",
"Arn"
]
},
"Runtime": "nodejs20.x",
"TracingConfig": {
"Mode": "Active"
}
},
"DependsOn": [
"connectServiceRoleD6E70EFD"
],
"Metadata": {
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W58",
"reason": "The Lambda function has the required permission to write CloudWatch Logs. It uses a custom policy with tighter permissions instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole."
},
{
"id": "W89",
"reason": "This is not a rule for the general case, just for specific use cases/industries"
},
{
"id": "W92",
"reason": "Impossible for us to define the correct concurrency for clients"
}
]
}
}
},
"connectinlinePolicyAddedToExecutionRole0FA4FAF92": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"xray:PutTelemetryRecords",
"xray:PutTraceSegments"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "connectinlinePolicyAddedToExecutionRole0FA4FAF92",
"Roles": [
{
"Ref": "connectServiceRoleD6E70EFD"
}
]
}
},
"disconnectServiceRole0B1E33D9": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":logs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":log-group:/aws/lambda/*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "LambdaFunctionServiceRolePolicy"
}
]
},
"Metadata": {
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK"
]
}
}
},
"disconnect829B70D0": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
},
"S3Key": "9da0e8bdfa0712cb47fc2d6c6bad128e2edc58ffe5a8af5a322914f5c63609d1.zip"
},
"Environment": {
"Variables": {
"AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1"
}
},
"Handler": "disconnect.handler",
"Role": {
"Fn::GetAtt": [
"disconnectServiceRole0B1E33D9",
"Arn"
]
},
"Runtime": "nodejs20.x",
"TracingConfig": {
"Mode": "Active"
}
},
"DependsOn": [
"disconnectServiceRole0B1E33D9"
],
"Metadata": {
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W58",
"reason": "The Lambda function has the required permission to write CloudWatch Logs. It uses a custom policy with tighter permissions instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole."
},
{
"id": "W89",
"reason": "This is not a rule for the general case, just for specific use cases/industries"
},
{
"id": "W92",
"reason": "Impossible for us to define the correct concurrency for clients"
}
]
}
}
},
"disconnectinlinePolicyAddedToExecutionRole0CDB203CB": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"xray:PutTelemetryRecords",
"xray:PutTraceSegments"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "disconnectinlinePolicyAddedToExecutionRole0CDB203CB",
"Roles": [
{
"Ref": "disconnectServiceRole0B1E33D9"
}
]
}
},
"TestWebSocketF281E1FE": {
"Type": "AWS::ApiGatewayV2::Api",
"Properties": {
"Description": "Test WebSocket",
"Name": "TestWebSocket",
"ProtocolType": "WEBSOCKET",
"RouteSelectionExpression": "$request.body.action"
}
},
"TestWebSocketconnectRouteConnectIntegrationPermissionB20E5F78": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"Action": "lambda:InvokeFunction",
"FunctionName": {
"Fn::GetAtt": [
"connectEB2081F1",
"Arn"
]
},
"Principal": "apigateway.amazonaws.com",
"SourceArn": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":execute-api:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":",
{
"Ref": "TestWebSocketF281E1FE"
},
"/*$connect"
]
]
}
}
},
"TestWebSocketconnectRouteConnectIntegrationBE8763A8": {
"Type": "AWS::ApiGatewayV2::Integration",
"Properties": {
"ApiId": {
"Ref": "TestWebSocketF281E1FE"
},
"IntegrationType": "AWS_PROXY",
"IntegrationUri": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":apigateway:",
{
"Ref": "AWS::Region"
},
":lambda:path/2015-03-31/functions/",
{
"Fn::GetAtt": [
"connectEB2081F1",
"Arn"
]
},
"/invocations"
]
]
}
}
},
"TestWebSocketconnectRoute202CFA90": {
"Type": "AWS::ApiGatewayV2::Route",
"Properties": {
"ApiId": {
"Ref": "TestWebSocketF281E1FE"
},
"AuthorizationType": "AWS_IAM",
"RouteKey": "$connect",
"Target": {
"Fn::Join": [
"",
[
"integrations/",
{
"Ref": "TestWebSocketconnectRouteConnectIntegrationBE8763A8"
}
]
]
}
}
},
"TestWebSocketdisconnectRouteDisconnectIntegrationPermissionE56CE9E3": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"Action": "lambda:InvokeFunction",
"FunctionName": {
"Fn::GetAtt": [
"disconnect829B70D0",
"Arn"
]
},
"Principal": "apigateway.amazonaws.com",
"SourceArn": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":execute-api:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":",
{
"Ref": "TestWebSocketF281E1FE"
},
"/*$disconnect"
]
]
}
}
},
"TestWebSocketdisconnectRouteDisconnectIntegrationFBA1CD5B": {
"Type": "AWS::ApiGatewayV2::Integration",
"Properties": {
"ApiId": {
"Ref": "TestWebSocketF281E1FE"
},
"IntegrationType": "AWS_PROXY",
"IntegrationUri": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":apigateway:",
{
"Ref": "AWS::Region"
},
":lambda:path/2015-03-31/functions/",
{
"Fn::GetAtt": [
"disconnect829B70D0",
"Arn"
]
},
"/invocations"
]
]
}
}
},
"TestWebSocketdisconnectRouteF87564DB": {
"Type": "AWS::ApiGatewayV2::Route",
"Properties": {
"ApiId": {
"Ref": "TestWebSocketF281E1FE"
},
"AuthorizationType": "NONE",
"RouteKey": "$disconnect",
"Target": {
"Fn::Join": [
"",
[
"integrations/",
{
"Ref": "TestWebSocketdisconnectRouteDisconnectIntegrationFBA1CD5B"
}
]
]
}
}
},
"ApiGatewayV2WebSocketToSqsqueuedlq875602DF": {
"Type": "AWS::SQS::Queue",
"Properties": {
"DeduplicationScope": "messageGroup",
"FifoQueue": true,
"FifoThroughputLimit": "perMessageGroupId",
"KmsMasterKeyId": "alias/aws/sqs"
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
},
"ApiGatewayV2WebSocketToSqsqueuedlqPolicy9E75C5D9": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"sqs:AddPermission",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes",
"sqs:ReceiveMessage",
"sqs:RemovePermission",
"sqs:SendMessage",
"sqs:SetQueueAttributes"
],
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
]
}
},
"Resource": {
"Fn::GetAtt": [
"ApiGatewayV2WebSocketToSqsqueuedlq875602DF",
"Arn"
]
},
"Sid": "QueueOwnerOnlyAccess"
},
{
"Action": "SQS:*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Resource": {
"Fn::GetAtt": [
"ApiGatewayV2WebSocketToSqsqueuedlq875602DF",
"Arn"
]
},
"Sid": "HttpsOnly"
}
],
"Version": "2012-10-17"
},
"Queues": [
{
"Ref": "ApiGatewayV2WebSocketToSqsqueuedlq875602DF"
}
]
}
},
"ApiGatewayV2WebSocketToSqsqueue6D26A944": {
"Type": "AWS::SQS::Queue",
"Properties": {
"DeduplicationScope": "messageGroup",
"FifoQueue": true,
"FifoThroughputLimit": "perMessageGroupId",
"KmsMasterKeyId": "alias/aws/sqs",
"RedriveAllowPolicy": {
"redrivePermission": "denyAll"
},
"RedrivePolicy": {
"deadLetterTargetArn": {
"Fn::GetAtt": [
"ApiGatewayV2WebSocketToSqsqueuedlq875602DF",
"Arn"
]
},
"maxReceiveCount": 15
},
"VisibilityTimeout": 900
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
},
"ApiGatewayV2WebSocketToSqsqueuePolicyEFABA1AE": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"sqs:AddPermission",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes",
"sqs:ReceiveMessage",
"sqs:RemovePermission",
"sqs:SendMessage",
"sqs:SetQueueAttributes"
],
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
]
}
},
"Resource": {
"Fn::GetAtt": [
"ApiGatewayV2WebSocketToSqsqueue6D26A944",
"Arn"
]
},
"Sid": "QueueOwnerOnlyAccess"
},
{
"Action": "SQS:*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Resource": {
"Fn::GetAtt": [
"ApiGatewayV2WebSocketToSqsqueue6D26A944",
"Arn"
]
},
"Sid": "HttpsOnly"
}
],
"Version": "2012-10-17"
},
"Queues": [
{
"Ref": "ApiGatewayV2WebSocketToSqsqueue6D26A944"
}
]
}
},
"ApiGatewayV2WebSocketToSqsLambdaRestApiCloudWatchRole42C4E931": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "apigateway.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
}
},
"ApiGatewayV2WebSocketToSqsLambdaRestApiCloudWatchRoleDefaultPolicy6D004FA5": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:SendMessage"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"ApiGatewayV2WebSocketToSqsqueue6D26A944",
"Arn"
]
}
},
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:FilterLogEvents",
"logs:GetLogEvents",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"ApiGatewayV2WebSocketToSqsLogGroupAD536311",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "ApiGatewayV2WebSocketToSqsLambdaRestApiCloudWatchRoleDefaultPolicy6D004FA5",
"Roles": [
{
"Ref": "ApiGatewayV2WebSocketToSqsLambdaRestApiCloudWatchRole42C4E931"
}
]
},
"Metadata": {
"cfn_nag": {
"rules_to_suppress": [
{
"id": "AwsSolutions-IAM5",
"reason": "The APIGateway requires permissions to KMS so that it can write to an encrypted SQS queue"
}
]
}
}
},
"ApiGatewayV2WebSocketToSqsStage5C419F9E": {
"Type": "AWS::ApiGatewayV2::Stage",
"Properties": {
"AccessLogSettings": {
"DestinationArn": {
"Fn::GetAtt": [
"ApiGatewayV2WebSocketToSqsLogGroupAD536311",
"Arn"
]
},
"Format": "$context.identity.sourceIp $context.identity.caller $context.identity.user [$context.requestTime] \"$context.httpMethod $context.resourcePath $context.protocol\" $context.status $context.responseLength $context.requestId"
},
"ApiId": {
"Ref": "TestWebSocketF281E1FE"
},
"AutoDeploy": true,
"DefaultRouteSettings": {
"DataTraceEnabled": false,
"DetailedMetricsEnabled": true,
"LoggingLevel": "ERROR"
},
"StageName": "prod"
},
"Metadata": {
"guard": {
"SuppressedRules": [
"API_GW_CACHE_ENABLED_AND_ENCRYPTED"
]
},
"cfn_nag": {
"rules_to_suppress": [
{
"id": "AwsSolutions-APIG1",
"reason": "Access logging configuration has been provided as per ApiGateway v2 requirements"
}
]
}
}
},
"ApiGatewayV2WebSocketToSqsLogGroupAD536311": {
"Type": "AWS::Logs::LogGroup",
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W86",
"reason": "Retention period for CloudWatchLogs LogGroups is set to 'Never Expire' to preserve customer data indefinitely"
},
{
"id": "W84",
"reason": "By default CloudWatchLogs LogGroups data is encrypted using the CloudWatch server-side encryption keys (AWS Managed Keys)"
}
]
}
}
}
},
"Parameters": {
"BootstrapVersion": {
"Type": "AWS::SSM::Parameter::Value<String>",
"Default": "/cdk-bootstrap/hnb659fds/version",
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
}
},
"Rules": {
"CheckBootstrapVersion": {
"Assertions": [
{
"Assert": {
"Fn::Not": [
{
"Fn::Contains": [
[
"1",
"2",
"3",
"4",
"5"
],
{
"Ref": "BootstrapVersion"
}
]
}
]
},
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
}
]
}
}
}