diff --git a/functions/source/ZipDl/lambda_function.py b/functions/source/ZipDl/lambda_function.py
index c978813..85a3698 100644
--- a/functions/source/ZipDl/lambda_function.py
+++ b/functions/source/ZipDl/lambda_function.py
@@ -140,7 +140,7 @@ def lambda_handler(event, context):
 name = event['body-json']['repository']['name']
 archive_url = "{scheme}://{netloc}/rest/api/latest/projects/{project}/repos/{repo}/archive?at={hash}&format=zip".format(
 scheme=url_parts.scheme,
- netloc=url_parts.netloc,
+ netloc=url_parts.netloc if os.environ.get("SCM_HOSTNAME_OVERRIDE", '') == '' else os.environ.get("SCM_HOSTNAME_OVERRIDE"),
 project=owner,
 repo=name,
 hash=change['toHash'],
diff --git a/templates/git2s3.template b/templates/git2s3.template
index 4bd79fa..0b8bdb1 100644
--- a/templates/git2s3.template
+++ b/templates/git2s3.template
@@ -98,14 +98,14 @@
 "ConstraintDescription": "this token must be generated from the git server/provider"
 },
 "OauthKey": {
- "Description": "zipdl method only. OAuth2 Key needed for BitBucket",
+ "Description": "zipdl method only. OAuth2 Key needed for BitBucket. For bitbucket server this should be a username.",
 "Type": "String",
 "Default": "",
 "ConstraintDescription": "this key must be generated from the git server/provider"
 },
 "OauthSecret": {
 "NoEcho": "true",
- "Description": "zipdl method only. OAuth2 Secret needed for BitBucket",
+ "Description": "zipdl method only. OAuth2 Secret needed for BitBucket. For bitbucket server this should be a password.",
 "Type": "String",
 "Default": "",
 "ConstraintDescription": "this secret must be generated from the git server/provider"
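Review bot: The override pins only the host; `scheme` on the line above is still taken from `url_parts`, which appears to be parsed from the incoming webhook body, so a payload carrying an `http` URL still makes the archive request to the overridden host without TLS, presumably together with the OauthKey/OauthSecret credentials the template describes. If the override exists to make the fetch target trustworthy, force or validate the scheme as well when `SCM_HOSTNAME_OVERRIDE` is set, and check the value is a bare host[:port] rather than an arbitrary string that is interpolated into the URL. The expression also reads the environment twice and treats "unset" and "empty" differently from how the template's empty default suggests; `netloc=os.environ.get("SCM_HOSTNAME_OVERRIDE") or url_parts.netloc,` does the same thing in one lookup and covers both cases. This assumes `os` is already imported in the module, which is outside the hunk, as are the start and end of lambda_handler.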
@@ -128,6 +128,26 @@
 "Default": "quickstart-git2s3/",
 "Description": "S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).",
 "Type": "String"
+ },
+ "VPCId": {
+ "Description": "Id of the VPC the DL Zip lambda should run in",
+ "Type": "AWS::EC2::VPC::Id",
+ "Default": ""
+ },
+ "VPCCidrRange": {
+ "Description": "CIDR range of the VPC",
+ "Type": "String",
+ "Default": ""
+ },
+ "SubnetIds": {
+ "Description": "SubnetIds the DL Zip lambda should run in",
+ "Type": "List",
+ "Default": ""
+ },
+ "ScmHostnameOverride": {
+ "Description": "Hostname to override the incoming json request with",
+ "Type": "String",
+ "Default": ""
 }
 },
 "Conditions": {
@@ -214,6 +234,11 @@
 ]
 }
 ]
+ },
+ "ShouldRunInVPC":{
+ "Fn::Not": [{
+ "Fn::Equals": [{"Ref": "VPCId"}, ""]
+ }]
 }
 },
 "Resources": {
@@ -906,7 +931,7 @@
 "Runtime": "python2.7",
 "Timeout": "300",
 "Environment": {
- "Variables":
+ "Variables": { "ExcludeGit":"True" }
 },
 "Code": {
@@ -922,6 +947,7 @@
 "ZipDlRole": {
 "Type": "AWS::IAM::Role",
 "Properties": {
+ "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AWSLambdaENIManagementAccess" ],
 "AssumeRolePolicyDocument": {
 "Statement": [
 {
@@ -991,8 +1017,28 @@
 ]
 }
 },
+ "ZipDlLambdaSecurityGroup": {
+ "Type": "AWS::EC2::SecurityGroup",
+ "Properties": {
+ "GroupDescription": "Security Group to allow the lambda to access the git service",
+ "GroupName": "ZipDlLambdaSecurityGroup",
+ "SecurityGroupEgress": [ {
+ "CidrIp": {"Ref": "VPCCidrRange"},
+ "FromPort": -1,
+ "IpProtocol": 'tcp',
+ "ToPort": -1
+ } ],
+ "SecurityGroupIngress": [ {
+ "CidrIp": {"Ref": "VPCCidrRange"},
+ "FromPort": -1,
+ "IpProtocol": 'tcp',
+ "ToPort": -1
+ } ],
+ "VpcId": {"Ref": "VPCId"}
+ }
+ },
 "ZipDlLambda": {
- "DependsOn": "CopyZips",
+ "DependsOn": "CopyZips",
 "Type": "AWS::Lambda::Function",
 "Properties": {
 "Handler": "lambda_function.lambda_handler",
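Review bot: `"Type": "List"` on the new `SubnetIds` parameter is not a CloudFormation parameter type, so the template fails validation before any resource is created; `"Type": "CommaDelimitedList"` is the closest type that still accepts the empty default (`List<AWS::EC2::Subnet::Id>` once the parameter becomes mandatory). `VPCId` has the related optional-with-empty-default problem: as far as I know the AWS-specific `AWS::EC2::VPC::Id` type rejects an empty value at stack creation, so the `ShouldRunInVPC` condition added in the next hunk can never observe the empty case; declaring it `"Type": "String"` keeps the condition meaningful. The three VPC parameters are only usable together, which the Descriptions should say, e.g. `"Description": "Id of the VPC the DL Zip lambda should run in. Leave blank to run outside a VPC; if set, VPCCidrRange and SubnetIds are required."`.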
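Review bot: `ManagedPolicyArns` attaches `AWSLambdaENIManagementAccess` to `ZipDlRole` unconditionally, so a deployment that leaves `VPCId` empty still grants the role the ENI create/describe/delete permissions it never uses. Gate it on the condition the same commit introduces: `"ManagedPolicyArns": {"Fn::If": ["ShouldRunInVPC", ["arn:aws:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"], {"Ref": "AWS::NoValue"}]},`. The role's assume-role and inline policy documents continue outside the hunk.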
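Review bot: The `'tcp'` values for `IpProtocol` in `ZipDlLambdaSecurityGroup` use single quotes, which is not valid JSON and breaks parsing of the whole template, and `-1` for `FromPort`/`ToPort` is only meaningful with `"IpProtocol": "-1"`; for tcp the all-ports range is 0–65535. The ingress rule adds nothing a Lambda function needs, since it never accepts inbound connections, and only widens what can reach an ENI in this group, so it should go; the resource is also created when `VPCId` is empty, where `{"Ref": "VPCId"}` fails, so it needs `"Condition": "ShouldRunInVPC"` like the `VpcConfig` in the next hunk. The fixed `GroupName` makes a second deployment of the stack into the same VPC fail on the duplicate name; letting CloudFormation name the group avoids that. Once the SCM server's port is known, narrow the egress rule to it, and if the function also has to reach S3 or other endpoints outside the VPC CIDR, this egress rule blocks that — confirm against the intended deployment.
```json
"ZipDlLambdaSecurityGroup": {
  "Type": "AWS::EC2::SecurityGroup",
  "Condition": "ShouldRunInVPC",
  "Properties": {
    "GroupDescription": "Security Group to allow the lambda to access the git service",
    "SecurityGroupEgress": [ {
      "CidrIp": {"Ref": "VPCCidrRange"},
      "IpProtocol": "tcp",
      "FromPort": 0,
      "ToPort": 65535
    } ],
    "VpcId": {"Ref": "VPCId"}
  }
},
```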
@@ -1012,7 +1058,24 @@
 },
 "Runtime": "python2.7",
 "MemorySize": 128,
- "Timeout": 30
+ "Timeout": 30,
+ "VpcConfig": {
+ "Fn::If": [
+ "ShouldRunInVPC",
+ {
+ "SecurityGroupIds": [
+ { "Ref" : "ZipDlLambdaSecurityGroup"}
+ ],
+ "SubnetIds": { "Ref" : "SubnetIds"},
+ },
+ {
+ "Ref": "AWS::NoValue"
+ }
+ ]
+ },
+ "Environment": {
+ "Variables": { "SCM_HOSTNAME_OVERRIDE": {"Ref": "ScmHostnameOverride" }}
+ }
 }
 },
 "WebHookRole": {
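Review bot: `"SubnetIds": { "Ref" : "SubnetIds"},` leaves a trailing comma before the closing brace of the `Fn::If` true branch, which is invalid JSON and breaks template parsing; drop the comma. `ShouldRunInVPC` keys only on `VPCId`, so a stack given a VPC id but an empty `SubnetIds` still emits a `VpcConfig` with no subnets, which the Lambda service rejects at create time rather than at validation; either fold `SubnetIds` into the condition or give the parameter a constraint so the three VPC inputs are set together. The new `Environment` block assumes `ZipDlLambda` had none; the start of its `Properties` lies outside the hunk, so confirm there is no existing `Environment` key, since a duplicate key in JSON is silently resolved to one of the two rather than merged.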