Update

mrichman · mrichman · commit 03b6a470c4d0 · 2019-03-12T11:30:15.000-04:00
diff --git a/CloudFormation/Creating-Lambda-Backed-Custom-Resources/cf.yaml b/CloudFormation/Creating-Lambda-Backed-Custom-Resources/cf.yaml
@@ -0,0 +1,168 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: >-
+  Password validation with a Lambda-backed custom resource
+
+Parameters:
+  Password:
+    NoEcho: 'true'
+    Description: Enter Password
+    Type: String
+    MinLength: '6'
+    MaxLength: '10'
+    AllowedPattern: '[a-zA-Z0-9]*'
+    ConstraintDescription: alphanumeric characters.
+  ConfirmPassword:
+    NoEcho: 'true'
+    Description: Confirm Password
+    Type: String
+    MinLength: '6'
+    MaxLength: '10'
+    AllowedPattern: '[a-zA-Z0-9]*'
+    ConstraintDescription: alphanumeric characters.
+
+Metadata:
+  'AWS::CloudFormation::Interface':
+    ParameterGroups:
+      - Label:
+          default: Confirm the password
+        Parameters:
+          - Password
+          - ConfirmPassword
+
+Resources:
+  LambdaExecutionRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - lambda.amazonaws.com
+            Action:
+              - 'sts:AssumeRole'
+      Policies:
+        - PolicyName: lambdalogtocloudwatch
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Effect: Allow
+                Action:
+                  - 'logs:CreateLogGroup'
+                  - 'logs:CreateLogStream'
+                  - 'logs:PutLogEvents'
+                Resource: 'arn:aws:logs:*:*:*'
+  
+  CheckPasswordsFunction:
+    Type: AWS::Lambda::Function
+    Properties:
+      Code:
+        ZipFile: |
+          import json
+
+          import cfnresponse
+
+
+          def lambda_handler(event, context):
+              print(json.dumps(event))
+              response_data = {}
+              response_data['Data'] = None
+
+              if event['RequestType'] != 'Create':
+                  cfnresponse.send(event, context, cfnresponse.SUCCESS,
+                                  response_data, "CustomResourcePhysicalID")
+                  return
+
+              password = event['ResourceProperties']['Password']
+              confirm_password = event['ResourceProperties']['ConfirmPassword']
+
+              if password == confirm_password:
+                  cfnresponse.send(event, context, cfnresponse.SUCCESS,
+                                  response_data, "CustomResourcePhysicalID")
+              else:
+                  print('Passwords do not match!')
+                  cfnresponse.send(event, context, cfnresponse.FAILED,
+                                  response_data, "CustomResourcePhysicalID")
+      
+      Description: CloudFormation custom resource
+      FunctionName: CheckPasswords
+      Handler: index.lambda_handler
+      Runtime: python3.7
+      Timeout: 3
+      Role: !GetAtt LambdaExecutionRole.Arn
+  
+  TestPasswords:
+    Type: Custom::LambdaCallout
+    Properties:
+      ServiceToken: !GetAtt 
+        - CheckPasswordsFunction
+        - Arn
+      Password: !Ref Password
+      ConfirmPassword: !Ref ConfirmPassword
+  
+  CFNUser:
+    Type: AWS::IAM::User
+    Properties:
+      LoginProfile:
+        Password: !Ref Password
+  
+  CFNUserGroup:
+    Type: 'AWS::IAM::Group'
+  
+  CFNAdminGroup:
+    Type: AWS::IAM::Group
+  
+  Users:
+    Type: AWS::IAM::UserToGroupAddition
+    Properties:
+      GroupName: !Ref CFNUserGroup
+      Users:
+        - !Ref CFNUser
+  
+  Admins:
+    Type: AWS::IAM::UserToGroupAddition
+    Properties:
+      GroupName: !Ref CFNAdminGroup
+      Users:
+        - !Ref CFNUser
+  
+  CFNUserPolicies:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyName: CFNUsers
+      PolicyDocument:
+        Statement:
+          - Effect: Allow
+            Action:
+              - 'cloudformation:Describe*'
+              - 'cloudformation:List*'
+              - 'cloudformation:Get*'
+            Resource: '*'
+      Groups:
+        - !Ref CFNUserGroup
+  
+  CFNAdminPolicies:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyName: CFNAdmins
+      PolicyDocument:
+        Statement:
+          - Effect: Allow
+            Action: 'cloudformation:*'
+            Resource: '*'
+      Groups:
+        - !Ref CFNAdminGroup
+  
+  CFNKeys:
+    Type: AWS::IAM::AccessKey
+    Properties:
+      UserName: !Ref CFNUser
+
+Outputs:
+  AccessKey:
+    Value: !Ref CFNKeys
+    Description: AWSAccessKeyId of new user
+  SecretKey:
+    Value: !GetAtt CFNKeys.SecretAccessKey
+    Description: AWSSecretKey of new user
diff --git a/CloudFormation/Creating-Lambda-Backed-Custom-Resources/index.py b/CloudFormation/Creating-Lambda-Backed-Custom-Resources/index.py
@@ -0,0 +1,25 @@
+import json
+
+import cfnresponse
+
+
+def lambda_handler(event, context):
+    print(json.dumps(event))
+    response_data = {}
+    response_data['Data'] = None
+
+    if event['RequestType'] != 'Create':
+        cfnresponse.send(event, context, cfnresponse.SUCCESS,
+                         response_data, "CustomResourcePhysicalID")
+        return
+
+    password = event['ResourceProperties']['Password']
+    confirm_password = event['ResourceProperties']['ConfirmPassword']
+
+    if password == confirm_password:
+        cfnresponse.send(event, context, cfnresponse.SUCCESS,
+                         response_data, "CustomResourcePhysicalID")
+    else:
+        print('Passwords do not match!')
+        cfnresponse.send(event, context, cfnresponse.FAILED,
+                         response_data, "CustomResourcePhysicalID")
