# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
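---
# SAM template for the Interactive SMS sample.
#
# Data flow as wired below:
#   * Pinpoint app + SMS channel, with language-scoped segments (EN/ES/VI) and
#     one greeting SmsTemplate per language.
#   * A DynamoDB table; its stream triggers ProcessDDBStream.
#   * Inbound SMS: ReceiveSMSTopic (SNS) -> ReceiveSMSQueue (SQS) ->
#     ReceiveSMSMessages (Lambda), with SNS- and SQS-level dead-letter queues.
#   * MarkConversationInitiated is invokable by the Pinpoint service principal.
# Every data store (table, log groups, queues, topic) is encrypted with the
# single KMSKey declared first.
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  AWS Pinpoint Interactive SMS with Reporting
  **WARNING** This template creates resources which incur charges. You will be billed for the AWS resources used if you create a stack from this template.

Parameters:
  LogLevel:
    Type: String
    Description: AWS Lambda function logging level
    AllowedValues:
      - CRITICAL
      - ERROR
      - WARNING
      - INFO
      - DEBUG
      - TRACE
    # NOTE(review): the default is DEBUG. Depending on what the handlers log
    # (their code is not in this file) that may write inbound SMS contents and
    # phone numbers to CloudWatch; INFO is a safer production default.
    Default: DEBUG

Transform: AWS::Serverless-2016-10-31

Resources:
  # One customer-managed key shared by the table, the Lambda log groups, the
  # SQS queues and the SNS topic. Rotation is on; 7 days is the shortest
  # allowed deletion window.
  KMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: KMS key for the InteractiveSMS project
      PendingWindowInDays: 7
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
          # Standard default key policy: key administration is delegated to
          # IAM policies in this account.
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: kms:*
            Resource: "*"
          # CloudWatch Logs may only use the key for this stack's Lambda log
          # groups (encryption-context condition on the log group ARN).
          - Sid: Allow CloudWatch Logs KMS Access
            Effect: Allow
            Principal:
              Service: !Sub 'logs.${AWS::Region}.amazonaws.com'
            Action:
              - kms:Encrypt*
              - kms:Decrypt*
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:Describe*
            Resource: "*"
            Condition:
              ArnLike:
                kms:EncryptionContext:aws:logs:arn: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${AWS::StackName}-*'
          # Lets Pinpoint publish to the KMS-encrypted SNS topic.
          # NOTE(review): unlike the two service statements around it, this
          # one carries no condition, so any use of the key by the Pinpoint
          # principal is allowed. Scoping it (for example with an
          # aws:SourceAccount condition) would narrow that; confirm the
          # principal honours such a condition before tightening.
          - Sid: Allow Pinpoint to SNS
            Effect: Allow
            Principal:
              Service: mobile.amazonaws.com
            Action:
              - kms:GenerateDataKey
              - kms:Decrypt
            Resource: "*"
          # SNS may use the key only when delivering into this stack's queues.
          - Sid: Allow SNS to SQS
            Effect: Allow
            Principal:
              Service: sns.amazonaws.com
            Action:
              - kms:GenerateDataKey
              - kms:Decrypt
            Resource: "*"
            Condition:
              ArnLike:
                kms:EncryptionContext:aws:sqs:arn: !Sub 'arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:${AWS::StackName}-*'

  PinApp:
    Type: AWS::Pinpoint::App
    Properties:
      Name: InteractiveSMS

  PinSMSChannel:
    Type: AWS::Pinpoint::SMSChannel
    Properties:
      ApplicationId: !Ref PinApp
      Enabled: true

  # Base segment (all endpoints); the per-language segments below are derived
  # from it via SourceSegments.
  PinSegment:
    Type: AWS::Pinpoint::Segment
    Properties:
      ApplicationId: !Ref 'PinApp'
      Name: InteractiveSMS-All

  PinSegmentEN:
    Type: AWS::Pinpoint::Segment
    Properties:
      ApplicationId: !Ref 'PinApp'
      Name: InteractiveSMS-EN
      SegmentGroups:
        Groups:
          - Dimensions:
              - UserAttributes:
                  Language:
                    AttributeType: INCLUSIVE
                    Values:
                      - en
            SourceSegments:
              - Id: !GetAtt 'PinSegment.SegmentId'
        Include: ALL

  PinSegmentES:
    Type: AWS::Pinpoint::Segment
    Properties:
      ApplicationId: !Ref 'PinApp'
      Name: InteractiveSMS-ES
      SegmentGroups:
        Groups:
          - Dimensions:
              - UserAttributes:
                  Language:
                    AttributeType: INCLUSIVE
                    Values:
                      - es
            SourceSegments:
              - Id: !GetAtt 'PinSegment.SegmentId'
        Include: ALL

  PinSegmentVI:
    Type: AWS::Pinpoint::Segment
    Properties:
      ApplicationId: !Ref 'PinApp'
      Name: InteractiveSMS-VI
      SegmentGroups:
        Groups:
          - Dimensions:
              - UserAttributes:
                  Language:
                    AttributeType: INCLUSIVE
                    Values:
                      - vi
            SourceSegments:
              - Id: !GetAtt 'PinSegment.SegmentId'
        Include: ALL

  # Greeting templates. The two paragraphs are joined with a newline; the
  # {{User.UserAttributes.*}} placeholders are Pinpoint message variables.
  PinTemplateEN:
    Type: AWS::Pinpoint::SmsTemplate
    Properties:
      TemplateName: InteractiveSMSGreeting_EN
      Body: !Join
        - "\n"
        - - 'Hello {{User.UserAttributes.FirstName}} {{User.UserAttributes.LastName}}, this is Example Organization with an important message about your Medicaid coverage. To confirm this is a real government message, visit https://example.gov/medicaid/.'
          - ''
          - 'To keep your Medicaid benefits, you need to fill out a renewal form. We will send you this form in the mail. To confirm or update your mailing address, reply YES. Reply STOP to opt out at any time.'

  PinTemplateES:
    Type: AWS::Pinpoint::SmsTemplate
    Properties:
      TemplateName: InteractiveSMSGreeting_ES
      Body: !Join
        - "\n"
        - - 'Hola {{User.UserAttributes.FirstName}} {{User.UserAttributes.LastName}}, esto es Example Organization con un mensaje importante sobre tu cobertura de Medicaid. Para confirmar que este es un verdadero mensaje del gobierno, visite https://example.gov/medicaid/.'
          - ''
          - 'Para conservar sus beneficios de Medicaid, necesita llenar un formulario de renovación. Te enviaremos este formulario por correo. Para confirmar o actualizar su dirección postal, conteste SÍ. Responder STOP para optar por no participar.'

  PinTemplateVI:
    Type: AWS::Pinpoint::SmsTemplate
    Properties:
      TemplateName: InteractiveSMSGreeting_VI
      Body: !Join
        - "\n"
        - - 'Xin chào {{User.UserAttributes.FirstName}} {{User.UserAttributes.LastName}}, đây là Example Organization với một thông điệp quan trọng về bảo hiểm Medicaid của bạn. Để xác nhận đây là một thông điệp của chính phủ thực sự, hãy truy cập https://example.gov/medicaid/.'
          - ''
          - 'Để giữ quyền lợi Medicaid của bạn, bạn cần điền vào một mẫu đơn gia hạn. Chúng tôi sẽ gửi cho bạn mẫu đơn này qua thư. Để xác nhận hoặc cập nhật địa chỉ gửi thư của bạn, trả lời YES. Trả lời STOP để chọn không tham gia.'

  # Conversation state. Retained on stack deletion/replacement so the data is
  # not lost with the stack; PITR and KMS encryption at rest are enabled, and
  # the stream (old + new images) drives ProcessDDBStream below.
  Table:
    Type: AWS::DynamoDB::Table
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      AttributeDefinitions:
        - AttributeName: pk
          AttributeType: S
      KeySchema:
        - AttributeName: pk
          KeyType: HASH
      StreamSpecification:
        StreamViewType: NEW_AND_OLD_IMAGES
      BillingMode: PAY_PER_REQUEST
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
      SSESpecification:
        SSEEnabled: true
        SSEType: KMS
        KMSMasterKeyId: !GetAtt KMSKey.Arn

  # Explicit log groups so retention (7 days) and KMS encryption are set
  # instead of relying on Lambda's auto-created, unencrypted, never-expiring
  # defaults.
  ProcessDDBStreamLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub /aws/lambda/${ProcessDDBStream}
      RetentionInDays: 7
      KmsKeyId: !GetAtt KMSKey.Arn

  ProcessDDBStream:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: This does not increase the security of the solutions and greatly increases the cost and scope of the deployment.
          - id: W92
            reason: This is not necessary for this project. Customers can enable this once they understand their usage patterns.
    Properties:
      CodeUri: process_ddb_stream/
      Handler: app.lambda_handler
      # NOTE(review): check python3.9 against the Lambda runtime deprecation
      # schedule and move all three functions forward together.
      Runtime: python3.9
      Timeout: 5
      Events:
        ApiEvent:
          Type: DynamoDB
          Properties:
            BatchSize: 1
            StartingPosition: TRIM_HORIZON
            Stream: !GetAtt 'Table.StreamArn'
      Architectures:
        - arm64
      Environment:
        Variables:
          LOGURU_LEVEL: !Ref 'LogLevel'
          TABLE: !Ref 'Table'
          APP: !Ref 'PinApp'
          SEGMENT: !GetAtt 'PinSegment.SegmentId'
      Policies:
        - AWSLambdaBasicExecutionRole
        - DynamoDBStreamReadPolicy:
            TableName: !Ref 'Table'
            # Stream ARN is .../table/<name>/stream/<label>; element 3 is the
            # stream label the SAM policy template expects.
            StreamName: !Select [3, !Split ["/", !GetAtt 'Table.StreamArn']]
        - PinpointEndpointAccessPolicy:
            PinpointApplicationId: !Ref 'PinApp'
        - KMSDecryptPolicy:
            KeyId: !Ref KMSKey

  ReceiveSMSMessagesLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub /aws/lambda/${ReceiveSMSMessages}
      RetentionInDays: 7
      KmsKeyId: !GetAtt KMSKey.Arn

  # Consumes inbound SMS from ReceiveSMSQueue; it is the only function granted
  # mobiletargeting:SendMessages, and only on this app's /messages resource.
  ReceiveSMSMessages:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: This does not increase the security of the solutions and greatly increases the cost and scope of the deployment.
          - id: W92
            reason: This is not necessary for this project. Customers can enable this once they understand their usage patterns.
    Properties:
      CodeUri: receive_sms_messages/
      Handler: app.lambda_handler
      Runtime: python3.9
      Timeout: 5
      Events:
        SQSEvent:
          Type: SQS
          Properties:
            Queue: !GetAtt ReceiveSMSQueue.Arn
            BatchSize: 1
            Enabled: true
      Architectures:
        - arm64
      Environment:
        Variables:
          LOGURU_LEVEL: !Ref 'LogLevel'
          TABLE: !Ref 'Table'
          APP: !Ref 'PinApp'
          SEGMENT: !GetAtt 'PinSegment.SegmentId'
      Policies:
        - AWSLambdaBasicExecutionRole
        - DynamoDBCrudPolicy:
            TableName: !Ref 'Table'
        - PinpointEndpointAccessPolicy:
            PinpointApplicationId: !Ref 'PinApp'
        - SQSPollerPolicy:
            QueueName: !GetAtt ReceiveSMSQueue.QueueName
        # Quoted like the key policy's Version above so generic YAML parsers
        # (cfn-lint, editors) do not read the value as a date.
        - Version: '2012-10-17'
          Statement:
            - Sid: PinpointAccess
              Effect: Allow
              Action: 'mobiletargeting:SendMessages'
              Resource: !Sub '${PinApp.Arn}/messages'
        - KMSDecryptPolicy:
            KeyId: !Ref KMSKey
        - KMSEncryptPolicy:
            KeyId: !Ref KMSKey

  MarkConversationInitiatedLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub /aws/lambda/${MarkConversationInitiated}
      RetentionInDays: 7
      KmsKeyId: !GetAtt KMSKey.Arn

  MarkConversationInitiated:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: This does not increase the security of the solutions and greatly increases the cost and scope of the deployment.
          - id: W92
            reason: This is not necessary for this project. Customers can enable this once they understand their usage patterns.
    Properties:
      CodeUri: mark_conversation_initiated/
      Handler: app.lambda_handler
      Runtime: python3.9
      Timeout: 5
      Architectures:
        - arm64
      Environment:
        Variables:
          LOGURU_LEVEL: !Ref 'LogLevel'
          TABLE: !Ref 'Table'
          APP: !Ref 'PinApp'
          SEGMENT: !GetAtt 'PinSegment.SegmentId'
      Policies:
        - AWSLambdaBasicExecutionRole
        - DynamoDBCrudPolicy:
            TableName: !Ref 'Table'
        - PinpointEndpointAccessPolicy:
            PinpointApplicationId: !Ref 'PinApp'
        - KMSDecryptPolicy:
            KeyId: !Ref KMSKey
        - KMSEncryptPolicy:
            KeyId: !Ref KMSKey

  # Resource-based permissions so only the Pinpoint service, acting for this
  # app (bare app ARN and anything beneath it), can invoke the function.
  MarkConversationInitiatedPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref MarkConversationInitiated
      Action: lambda:InvokeFunction
      Principal: pinpoint.amazonaws.com
      SourceArn: !GetAtt PinApp.Arn

  MarkConversationInitiatedPermissionSub:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref MarkConversationInitiated
      Action: lambda:InvokeFunction
      Principal: pinpoint.amazonaws.com
      # Presumably for invocations attributed to sub-resources of the app
      # (e.g. campaigns); the exact source ARNs Pinpoint sends are not
      # visible here.
      SourceArn: !Sub "${PinApp.Arn}/*"

  ProcessingSNSDLQ:
    # This is the Dead Letter Queue for items SNS is unable to publish to SQS for
    # such as a deleted destination SQS Queue or bad permissions.
    Type: AWS::SQS::Queue
    Properties:
      KmsMasterKeyId: !Ref KMSKey

  # Only this stack's SNS topic may write to the SNS dead-letter queue.
  ProcessingSNSDLQQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref ProcessingSNSDLQ
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: sns.amazonaws.com
            Action: "sqs:SendMessage"
            Resource: !GetAtt ProcessingSNSDLQ.Arn
            Condition:
              ArnEquals:
                "aws:SourceArn": !Ref ReceiveSMSTopic

  ProcessingSQSDLQ:
    # This is the Dead Letter Queue for items SQS is unable to successfully execute a
    # Lambda for such as a deleted destination Lambda, bad permissions, or general
    # Lambda errors.
    Type: AWS::SQS::Queue
    Properties:
      KmsMasterKeyId: !Ref KMSKey
      # allowAll lets any queue in this account adopt this DLQ. The tighter
      # byQueue/sourceQueueArns form cannot name ReceiveSMSQueue here without a
      # circular dependency, since ReceiveSMSQueue's RedrivePolicy already
      # references this queue's ARN.
      RedriveAllowPolicy:
        redrivePermission: allowAll

  # Main inbound-SMS queue; messages that fail 10 receives go to
  # ProcessingSQSDLQ.
  ReceiveSMSQueue:
    Type: AWS::SQS::Queue
    Properties:
      KmsMasterKeyId: !Ref KMSKey
      RedrivePolicy:
        deadLetterTargetArn: !GetAtt 'ProcessingSQSDLQ.Arn'
        maxReceiveCount: 10

  # Only this stack's SNS topic may write to the inbound queue.
  ReceiveSMSQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref ReceiveSMSQueue
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: sns.amazonaws.com
            Action: "sqs:SendMessage"
            Resource: !GetAtt ReceiveSMSQueue.Arn
            Condition:
              ArnEquals:
                "aws:SourceArn": !Ref ReceiveSMSTopic

  ReceiveSMSTopic:
    Type: AWS::SNS::Topic
    Properties:
      KmsMasterKeyId: !Ref KMSKey

  # Topic -> queue fan-in. Raw delivery hands the SQS consumer the original
  # payload; failed deliveries are redriven to ProcessingSNSDLQ.
  SQS2SNSSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      Endpoint: !GetAtt ReceiveSMSQueue.Arn
      Protocol: sqs
      RawMessageDelivery: true
      TopicArn: !Ref ReceiveSMSTopic
      RedrivePolicy:
        deadLetterTargetArn: !GetAtt 'ProcessingSNSDLQ.Arn'

Outputs:
  KMSKeyArn:
    Description: The unique identifier of the encryption key used to encrypt data in the Interactive SMS solution
    Value: !GetAtt KMSKey.Arn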