UNPKG

mira

Version:

NearForm Accelerator for Cloud Native Serverless AWS

99 lines 5.29 kB
"use strict"; var __importDefault = (this && this.__importDefault) || function (mod) { return (mod && mod.__esModule) ? mod : { "default": mod }; }; Object.defineProperty(exports, "__esModule", { value: true }); exports.Route53Manager = void 0; const core_1 = require("@aws-cdk/core"); const aws_sns_1 = require("@aws-cdk/aws-sns"); const aws_lambda_1 = require("@aws-cdk/aws-lambda"); const assets_1 = require("@aws-cdk/assets"); const aws_lambda_event_sources_1 = require("@aws-cdk/aws-lambda-event-sources"); const aws_iam_1 = require("@aws-cdk/aws-iam"); const mira_config_1 = require("../../../../config/mira-config"); const path_1 = __importDefault(require("path")); const stack_1 = require("../../../stack"); class Route53Manager extends stack_1.MiraStack { constructor(parent) { const id = mira_config_1.MiraConfig.getBaseStackName('Route53Manager'); super(parent, id); const account = mira_config_1.MiraConfig.getEnvironment(); const { hostedZoneId } = mira_config_1.MiraConfig.getDomainConfig(); if (!hostedZoneId) { throw new Error('Cannot find hostedZoneId in config.'); } const allowedPrincipals = mira_config_1.MiraConfig.getDomainAllowedPrincipals().map(account => new aws_iam_1.AccountPrincipal(account.env.account)); const domainSubscriptionTopic = new aws_sns_1.Topic(this, 'DomainSubscriptionTopic', { displayName: 'Domain Subscription Topic', topicName: mira_config_1.MiraConfig.getBaseStackName(`${account.name}-DomainSubscriptionTopic`) }); domainSubscriptionTopic.addToResourcePolicy(new aws_iam_1.PolicyStatement({ principals: allowedPrincipals, effect: aws_iam_1.Effect.ALLOW, resources: [domainSubscriptionTopic.topicArn], actions: ['sns:Publish'] })); const code = new aws_lambda_1.AssetCode(path_1.default.join(__dirname, '..', '..', '..', '..', 'lambdas'), { follow: assets_1.FollowMode.ALWAYS }); const permissionsBoundary = aws_iam_1.ManagedPolicy.fromManagedPolicyName(this, 'Route53PermissionsBoundary', mira_config_1.MiraConfig.calculateSharedResourceName('Route53ManagerPolicyBoundary')); const DomainManagerRole = new aws_iam_1.Role(this, 'Route53ManagerRole', { assumedBy: new aws_iam_1.ServicePrincipal('lambda.amazonaws.com'), permissionsBoundary }); DomainManagerRole.addToPolicy(new aws_iam_1.PolicyStatement({ effect: aws_iam_1.Effect.ALLOW, resources: [`arn:aws:route53:::hostedzone/${hostedZoneId}`], actions: ['route53:ChangeResourceRecordSets'] })); DomainManagerRole.addToPolicy(new aws_iam_1.PolicyStatement({ effect: aws_iam_1.Effect.ALLOW, resources: ['*'], actions: ['acm:RequestCertificate', 'acm:DescribeCertificate', 'acm:DeleteCertificate', 'acm:ListCertificates'] })); DomainManagerRole.addToPolicy(new aws_iam_1.PolicyStatement({ effect: aws_iam_1.Effect.ALLOW, resources: ['*'], actions: ['route53:GetChange', 'route53:ListResourceRecordSets'] })); DomainManagerRole.addManagedPolicy(aws_iam_1.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaBasicExecutionRole')); const Route53ManagerLambda = new aws_lambda_1.SingletonFunction(this, 'Route53ManagerLambda', { code, handler: 'route53-manager.handler', runtime: aws_lambda_1.Runtime.NODEJS_10_X, timeout: core_1.Duration.minutes(5), uuid: '934dd096-1586-46c4-92a0-0dd1239e993f', environment: { HOSTED_ZONE: hostedZoneId }, role: DomainManagerRole }); Route53ManagerLambda.addEventSource(new aws_lambda_event_sources_1.SnsEventSource(domainSubscriptionTopic)); new core_1.CfnOutput(this, 'domainSubscriptionTopicArn', { value: domainSubscriptionTopic.topicArn }); const allowedCompositePrincipals = new aws_iam_1.CompositePrincipal(...mira_config_1.MiraConfig .getDomainAllowedPrincipals() .map(account => new aws_iam_1.AccountPrincipal(account.env.account))); const CrossAccountDomainManagerRole = new aws_iam_1.Role(this, 'CrossAccountDomainManagerRole', { assumedBy: allowedCompositePrincipals, roleName: mira_config_1.MiraConfig.getBaseStackName('DomainManager-Role'), permissionsBoundary }); CrossAccountDomainManagerRole.addToPolicy(new aws_iam_1.PolicyStatement({ effect: aws_iam_1.Effect.ALLOW, resources: [`arn:aws:route53:::hostedzone/${hostedZoneId}`], actions: ['route53:ChangeResourceRecordSets'] })); CrossAccountDomainManagerRole.addToPolicy(new aws_iam_1.PolicyStatement({ effect: aws_iam_1.Effect.ALLOW, resources: ['*'], actions: ['route53:GetChange'] })); new core_1.CfnOutput(this, 'CrossAccountDomainManagerRoleArn', { value: CrossAccountDomainManagerRole.roleArn }); } } exports.Route53Manager = Route53Manager; //# sourceMappingURL=index.js.map