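---
# DNSFWStack.cfn.yaml
#
# CloudFormation template that keeps a Route 53 Resolver DNS Firewall domain
# list up to date from a scheduled Lambda function:
#   EventBridge rule (every 5 minutes) -> LambdaRpz -> writes the domain list
#   to a short-lived S3 bucket -> ImportFirewallDomains into the domain list.
#
# Ordering notes (why the DependsOn entries exist):
#   - The Lambda role is created before its inline policy is attached, so the
#     first scheduled invocation could otherwise run before it may write logs
#     or touch S3/Resolver; LambdaRpz therefore waits for Policylambda.
#   - A Lambda creates its own log group on first run; LambdaRpz waits for
#     LambdaLogGroup so the explicit group (with retention) is created first
#     and the stack does not fail on "log group already exists".

Parameters:
  # Bucket that already holds LambdaRpz.js.zip and node-axios-layer.zip.
  ParamS3ArtifactBucket:
    Type: String
    Description: Please enter the bucketname <String> you created that contain the zipfile of your lambda and layer
  # Name of the bucket this stack creates for the transient domain-list file.
  ParamS3RpzBucket:
    Type: String
    Description: Please enter the bucketname <String> for the s3 bucket that will be used to temporarily store the list of domains that need to be filtered
  # Name of the DNS Firewall domain list this stack creates and the Lambda refreshes.
  ParamFirewallDomainListName:
    Type: String
    Description: Please enter the Firewall Domain List Name <String> that will be created and kept up-to-date

Resources:
  # Execution role for the Lambda; permissions are attached separately in
  # Policylambda so they can reference the bucket and domain list below.
  LambdaRoleForLambdaRpz:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Description: Lambda-Role
      RoleName: LambdaRoleForLambdaRpz

  # Staging bucket for the domain-list file consumed by ImportFirewallDomains.
  # Objects expire after one day; all public access is blocked and objects
  # are encrypted at rest with SSE-S3.
  s3RpzBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName:
        Ref: ParamS3RpzBucket
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      LifecycleConfiguration:
        Rules:
          - ExpirationInDays: 1
            Id: "1 day expiration rule"
            Status: Enabled
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  # The DNS Firewall domain list; its contents are managed by the Lambda,
  # not by this template.
  Route53ResolverDomainList:
    Type: AWS::Route53Resolver::FirewallDomainList
    Properties:
      Name:
        Ref: ParamFirewallDomainListName

  # Layer providing the axios HTTP client to the function.
  AxiosLayer:
    Type: AWS::Lambda::LayerVersion
    Properties:
      Content:
        S3Bucket:
          Ref: ParamS3ArtifactBucket
        S3Key: node-axios-layer.zip
      LayerName: node-axios-layer

  LambdaRpz:
    Type: AWS::Lambda::Function
    DependsOn:
      - LambdaLogGroup
      - Policylambda
    Properties:
      Code:
        S3Bucket:
          Ref: ParamS3ArtifactBucket
        S3Key: LambdaRpz.js.zip
      Role:
        Fn::GetAtt:
          - LambdaRoleForLambdaRpz
          - Arn
      Environment:
        Variables:
          # Despite the name, this carries the staging bucket name; the
          # function code reads it under this key, so it is left unchanged.
          s3Prefix:
            Ref: ParamS3RpzBucket
          FirewallDomainListId:
            Fn::GetAtt:
              - Route53ResolverDomainList
              - Id
          Region:
            Ref: AWS::Region
      FunctionName: LambdaRpz
      Handler: LambdaRpz.handler
      Layers:
        - Ref: AxiosLayer
      # NOTE(review): nodejs14.x is a deprecated Lambda runtime. It is kept
      # here because the handler and layer are not in view; confirm they run
      # on a supported Node.js runtime before bumping this value.
      Runtime: nodejs14.x

  # Explicit log group so retention is bounded (30 days) and the log
  # permission below can be scoped to exactly this group.
  LambdaLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/lambda/LambdaRpz
      RetentionInDays: 30

  # Five-minute schedule that drives the refresh.
  RpzSchedule:
    Type: AWS::Events::Rule
    Properties:
      Description: Scheduled rules to trigger lambdarpz to update dnsfirewall
      Name: RpzSchedule
      ScheduleExpression: rate(5 minutes)
      State: ENABLED
      Targets:
        - Arn:
            Fn::GetAtt:
              - LambdaRpz
              - Arn
          Id: LambdaRpz
          Input: '{"eventDetail":"Scheduled event"}'

  # Allows only this stack's schedule rule (SourceArn) to invoke the function.
  LambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName:
        Fn::GetAtt:
          - LambdaRpz
          - Arn
      Principal: events.amazonaws.com
      SourceArn:
        Fn::GetAtt:
          - RpzSchedule
          - Arn

  # Least-privilege policy for the function: its own log group, the staging
  # bucket's objects, and the single domain list it maintains. Partition is
  # taken from AWS::Partition so the ARNs are valid outside the aws partition.
  Policylambda:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            # Scoped to /aws/lambda/LambdaRpz:* rather than every log group
            # in the account; the log group ARN already ends in ":*".
            Resource:
              Fn::GetAtt:
                - LambdaLogGroup
                - Arn
          - Effect: Allow
            Action:
              - s3:PutObject
              - s3:GetObject
            Resource:
              Fn::Join:
                - ""
                - - Fn::GetAtt:
                      - s3RpzBucket
                      - Arn
                  - "/*"
          - Effect: Allow
            Action:
              - route53resolver:ImportFirewallDomains
            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - ":route53resolver:"
                  - Ref: AWS::Region
                  - ":"
                  - Ref: AWS::AccountId
                  - ":firewall-domain-list/"
                  - Fn::GetAtt:
                      - Route53ResolverDomainList
                      - Id
      PolicyName: LambdaPolicyforRpzAutomation
      Roles:
        - Ref: LambdaRoleForLambdaRpz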