-
Notifications
You must be signed in to change notification settings - Fork 0
/
cdk-sysdig-lambda-stack.ts
48 lines (46 loc) · 1.96 KB
/
cdk-sysdig-lambda-stack.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
import * as cdk from "aws-cdk-lib";
import { Construct } from "constructs";
import * as lambda from "aws-cdk-lib/aws-lambda";
import { SnsEventSource } from "aws-cdk-lib/aws-lambda-event-sources";
import * as sns from "aws-cdk-lib/aws-sns";
import * as iam from "aws-cdk-lib/aws-iam";
export class CdkSysdigLambdaStack extends cdk.Stack {
constructor(scope: Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
const sysdigAwsAccountID: string = "263844535661";
// ecsタスク停止するためのポリシー
const ecsTaskStopPolicyStatement = new iam.PolicyStatement({
sid: "allowECSTaskStop",
resources: ["arn:aws:ecs:*:*:task/*/*"],
actions: ["ecs:StopTask"],
});
// lambdaのIAMロール
const lambdaRole = new iam.Role(this, "MyLambdaRole", {
assumedBy: new iam.ServicePrincipal("lambda.amazonaws.com"),
});
lambdaRole.addManagedPolicy(
iam.ManagedPolicy.fromAwsManagedPolicyName(
"service-role/AWSLambdaBasicExecutionRole"
)
);
// lambdaのIAMロールにECSのタスク停止権限を付与
lambdaRole.addToPolicy(ecsTaskStopPolicyStatement);
// Lambda function
const myLambda = new lambda.Function(this, "MyLambda", {
runtime: lambda.Runtime.PYTHON_3_9,
handler: "index.lambda_handler",
code: lambda.Code.fromAsset("lambda_src"),
role: lambdaRole,
});
// sns topic
const topic = new sns.Topic(this, "MyTopic");
// sns topicに対するlambdaのサブスクリプション
myLambda.addEventSource(
new SnsEventSource(topic, {
filterPolicy: {},
})
);
// sysdigAwsAccountIDのアカウントに対して、sns topicに対するpublish権限を付与
topic.grantPublish(new iam.AccountPrincipal(sysdigAwsAccountID));
}
}