taylorb-syd / cfn-lambda-j2processor

This Lambda Function will allow you to process Jinja2 Templates in S3

cfn-lambda-j2processor

This code is a Python 2.7 Lambda function intended for use as a Custom Resource in AWS CloudFormation templates, providing a mechanism to iterate over lists from within Jinja2-based templates.

It takes in a particular set of parameters, these being:

  • TemplateS3Bucket: The bucket in which the Jinja2 template is located.
  • TemplateS3Key: The key within the bucket where the Jinja2 template is located.
  • S3Bucket: The bucket where the resulting file should be stored.
  • S3KeyPrefix: (Optional) The prefix to apply to the automatically generated keys. In most cases you'll want this to end with a / to indicate putting the file in a folder.
  • S3Suffix: (Optional) Any extension you wish to apply to the generated file, added with a leading dot.
  • HarnessLiterals: (Optional) A dictionary of strings that can be passed to the template.
  • CommaLists: (Optional) A dictionary of strings containing comma-delimited lists that can be passed to the template.

It is important to note that as HarnessLiterals and CommaLists are both optional, it is entirely valid to not provide these and the function will still execute. Why you would do this is a mystery to me, but you can.

Also note that at this time there is no way to escape the commas in CommaLists. I may add this functionality if it is requested.

Setup

Run ./setup.sh to create the zip file you will need to upload to S3 and reference from your LambdaFunction. Please see the example for further information.

IAM Permissions

I have done my best to minimise the permissions this library needs to function correctly. Below is an example IAM policy you can use for reference to work out the policy to apply to your LambdaFunction.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Effect":"Allow",
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Action": [ "s3:GetObject" ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::sourcebucket/template.j2"
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::destbucket/prefix*"
    }
  ]
}

Note: I do not actually think s3:GetObject is needed on the destination bucket, however I have not actually tested this.

Example

Please see the example code in example/.

You have a large selection of CIDR ranges you need to add to a Security Group to allow them to SSH to your instances, but due to the nature of your organisation's IT these CIDR ranges are constantly changing, both in number and in value. You would rather not have to modify your stack code every time this happens, and would instead like to just pass this information as a parameter.

To try this example all you'll need is an S3 bucket in the AWS region you wish to test in, and to upload example/child.json.j2 and a copy of the zip generated by ./setup.sh into the same folder (e.g. example/). When you execute parent.json, CloudFormation will automatically create an IAM policy and the LambdaFunction, then execute the function and create a child stack based upon the created S3 object.
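The following is an added example, not the project's own code, showing how the parameters listed above (HarnessLiterals, CommaLists, S3KeyPrefix, S3Suffix) can be turned into a Jinja2 render for the CIDR scenario described here. It renders in Jinja2's sandbox with strict undefined checking and requires the output to parse as JSON, so a broken child template fails before it reaches CloudFormation; the property values, the template text and the base file name passed to output_key are constructed assumptions, since the README does not state how keys are generated.

```python
import json
from jinja2 import StrictUndefined
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample properties, shaped like the Custom Resource parameters above.
SAMPLE_PROPS = {
    "S3KeyPrefix": "example/",
    "S3Suffix": "json",
    "HarnessLiterals": {"Purpose": "Office SSH"},
    "CommaLists": {"SshCidrs": "10.0.0.0/8, 192.168.1.0/24"},
}

# Constructed sample template: a fragment of a child stack's security group.
SAMPLE_TEMPLATE = """\
{"SecurityGroupIngress": [
{%- for cidr in SshCidrs %}
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "{{ cidr }}"}{{ "," if not loop.last else "" }}
{%- endfor %}
], "Description": "{{ Purpose }}"}
"""


def build_context(props):
    """Merge HarnessLiterals with CommaLists, splitting each list on commas.
    Both are optional; commas cannot be escaped, matching the README's caveat."""
    context = dict(props.get("HarnessLiterals") or {})
    for name, value in (props.get("CommaLists") or {}).items():
        context[name] = [item.strip() for item in value.split(",") if item.strip()]
    return context


def output_key(props, base_name):
    """Destination key: S3KeyPrefix + base name, plus a dotted S3Suffix if given.
    base_name is an assumption; the README does not say how keys are generated."""
    key = props.get("S3KeyPrefix", "") + base_name
    suffix = props.get("S3Suffix", "")
    return key + "." + suffix if suffix else key


def render_child_template(template_text, props):
    """Render in the Jinja2 sandbox with StrictUndefined (a typo in a variable name
    raises instead of silently rendering empty), then require valid JSON."""
    env = SandboxedEnvironment(undefined=StrictUndefined, autoescape=False)
    rendered = env.from_string(template_text).render(build_context(props))
    return json.loads(rendered)


if __name__ == "__main__":
    print(output_key(SAMPLE_PROPS, "child"))
    print(json.dumps(render_child_template(SAMPLE_TEMPLATE, SAMPLE_PROPS), indent=2))
```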

Note: Always thoroughly review templates that involve Child Stacks or IAM policies before executing them, regardless of source. While I am certain the template I uploaded is harmless, someone may have forked this library and provided a malicious copy.
