
Basic project resource templates provided by init #147

Closed
jkeifer opened this issue Aug 3, 2022 · 0 comments · Fixed by #150
jkeifer commented Aug 3, 2022

Stateful resources and those likely to be managed independently of cirrus should not be created by the default set of builtins. Rather, init should create a basic set of cloudformation resource templates in the project's cloudformation/ directory, and leave it to the user to remove/modify those resources as necessary.

Examples of such resources include:

  • S3 data buckets
  • VPC and all its related components
  • DynamoDB database (maybe?)

For the S3 buckets, we should simply dump out the current built-in bucket configs to cloudformation/s3.yml and call it a day.

For the VPC, things get a bit more complicated. The minimum set of VPC-related resources to create a functional cirrus deployment is not small. That said, AWS does provide a sample template that provides all these resources we can use with minimal tweaks: https://github.com/awsdocs/aws-lambda-developer-guide/blob/main/templates/vpc-privatepublic.yaml.

In fact, the only changes I found I needed to make to that template to be compatible with cirrus were confined to the VPC endpoint configs:

```yaml
  s3Endpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - "s3:*"
            Resource:
              - "*"
      RouteTableIds:
        - !Ref privateRouteTable
      ServiceName: com.amazonaws.#{AWS::Region}.s3
      VpcId: !Ref pubPrivateVPC
  dynamoDBEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - "dynamodb:*"
            Resource:
              - "*"
      RouteTableIds:
        - !Ref privateRouteTable
      ServiceName: com.amazonaws.#{AWS::Region}.dynamodb
      VpcId: !Ref pubPrivateVPC
```

To make use of these resources, I made the following changes to my cirrus.yml:

```yaml
provider:
  vpc:
    securityGroupIds:
      - !GetAtt pubPrivateVPC.DefaultSecurityGroup
    subnetIds:
      - !Ref privateSubnet1

custom:
  batch:
    SecurityGroupIds:
      - !GetAtt pubPrivateVPC.DefaultSecurityGroup
    Subnets:
      - !Ref privateSubnet2
```

I ran a test through using batch and it appeared all relevant services were accessible and everything worked as intended.
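As an added illustration (not cirrus code and not from the issue author), a small lint over the endpoint resources quoted above: it checks that each gateway endpoint is attached to route tables, that policy actions match the endpoint's service, and flags the `Principal: "*"` / `Resource: "*"` policy as equivalent to the AWS default. The template is embedded in CloudFormation's JSON form; the `lint_*` and `endpoint` names are hypothetical.

```python
# Hypothetical lint (not cirrus code) for the VPC endpoint resources quoted above.
# The CloudFormation YAML is given in its JSON form: `!Ref x` becomes {"Ref": "x"}.
GATEWAY_SERVICES = {"s3", "dynamodb"}  # gateway endpoints are reached through route tables

def service_of(service_name):
    # 'com.amazonaws.#{AWS::Region}.s3' -> 's3'; the #{...} pseudo-parameter stays as written
    return service_name.rsplit(".", 1)[-1].lower()

def as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def lint_endpoint(logical_id, resource):
    """Return the findings for one AWS::EC2::VPCEndpoint resource."""
    findings, props = [], resource.get("Properties", {})
    svc = service_of(props.get("ServiceName", ""))
    if svc in GATEWAY_SERVICES and not props.get("RouteTableIds"):
        findings.append(f"{logical_id}: gateway endpoint for {svc} has no RouteTableIds, "
                        "so the private subnets will not route to it")
    for stmt in props.get("PolicyDocument", {}).get("Statement", []):
        actions, resources = as_list(stmt.get("Action")), as_list(stmt.get("Resource"))
        # An action belonging to another service can never match traffic on this endpoint.
        foreign = [a for a in actions if not a.lower().startswith(svc + ":")]
        if foreign:
            findings.append(f"{logical_id}: actions {foreign} do not belong to {svc}")
        if (stmt.get("Effect") == "Allow" and stmt.get("Principal") == "*"
                and "*" in resources and any(a.endswith(":*") for a in actions)):
            findings.append(f"{logical_id}: any principal may perform every {svc} action on every "
                            "resource (same as the AWS default endpoint policy); narrow Resource "
                            "to the project's own buckets or tables where possible")
    return findings

def lint_template(template):
    """Lint every VPC endpoint in a CloudFormation template loaded as a dict."""
    return [f for lid, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::EC2::VPCEndpoint" for f in lint_endpoint(lid, res)]

def endpoint(service):
    """Constructed copy of the page's s3Endpoint / dynamoDBEndpoint resources."""
    return {"Type": "AWS::EC2::VPCEndpoint", "Properties": {
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": [f"{service}:*"], "Resource": ["*"]}]},
        "RouteTableIds": [{"Ref": "privateRouteTable"}],
        "ServiceName": f"com.amazonaws.#{{AWS::Region}}.{service}",
        "VpcId": {"Ref": "pubPrivateVPC"}}}

TEMPLATE = {"Resources": {"s3Endpoint": endpoint("s3"), "dynamoDBEndpoint": endpoint("dynamodb")}}
```

Running `lint_template(TEMPLATE)` on the two endpoints from the issue yields one default-policy finding per endpoint and nothing else; a policy written as `Principal: {"AWS": "*"}` is not recognised by this simplified check.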

@jkeifer jkeifer added this to the 0.7.0 milestone Aug 3, 2022
@jkeifer jkeifer self-assigned this Aug 3, 2022
@jkeifer jkeifer mentioned this issue Aug 24, 2022
@jkeifer jkeifer linked a pull request Sep 8, 2022 that will close this issue