# SAM template for the Redshift advanced-monitoring Lambda, non-VPC variant
# (the function below has no VpcConfig).
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
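Parameters:
  # All Default values are placeholders meant to be overridden at deploy time.
  # For IAM-token authentication pass an empty string for BOTH EncryptedPassword
  # and KmsKeyARN; the UseKms condition keys off KmsKeyARN, so leaving the
  # sample ARN default in place selects the KMS path.
  ClusterName:
    Default: my-redshift-cluster
    Description: Cluster Name
    Type: String
    AllowedPattern: .*
  DbUser:
    Default: My DB User
    Description: Name of the database user to connect to
    Type: String
    AllowedPattern: .*
  EncryptedPassword:
    Default: Base64 Encoded Encrypted Password
    Description: Password encrypted with AWS KMS (leave blank to use IAM authentication token)
    Type: String
    AllowedPattern: .*
    # Secret material: keep it out of the console, DescribeStacks output and
    # change sets. It is a KMS ciphertext, but it still yields database
    # access to anyone holding kms:Decrypt on the key.
    NoEcho: true
  KmsKeyARN:
    Default: arn:aws:kms:us-east-1:123456789012:key/MyKey
    Description: KMS Key ARN used to decrypt the password (leave blank to use IAM authentication token)
    Type: String
    # Empty string, or a key ARN in the "aws" partition (other partitions
    # such as aws-cn / aws-us-gov are rejected by this pattern).
    AllowedPattern: ^$|arn:aws:kms:[a-zA-Z0-9-]+:\d{12}:key\/.*
  HostName:
    Default: my-redshift-cluster.XXXXXXXXXXXX.<region>.redshift.amazonaws.com
    Description: Cluster Endpoint Address
    Type: String
    AllowedPattern: .*\.redshift\.amazonaws\.com$
  HostPort:
    Default: 5439
    Description: Database Port
    Type: Number
    MinValue: 1024
    MaxValue: 65535
  DatabaseName:
    Default: mydb
    Description: Database Name to connect to
    Type: String
    AllowedPattern: .*
  AggregationInterval:
    Default: 1 hour
    Description: Interval for aggregating statistics
    Type: String
    AllowedValues:
      - 1 hour
      - 10 minutes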
Conditions:
  # True when a KMS key ARN was supplied. The execution role then receives
  # kms:Decrypt on that key; otherwise it receives redshift:GetClusterCredentials.
  UseKms: !Not [!Equals [!Ref KmsKeyARN, '']]
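Resources:
  ScheduledFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: lambda_function.lambda_handler
      # NOTE(review): confirm this runtime is still within Lambda's support
      # window before deploying; the packaged artifact below is built for it.
      Runtime: python3.9
      CodeUri:
        Bucket: !Sub awslabs-code-${AWS::Region}
        Key: RedshiftAdvancedMonitoring/redshift-advanced-monitoring-1.8.zip
      MemorySize: 192
      Timeout: 900
      Tags:
        Name: RedshiftAdvancedMonitoring
      Role: !GetAtt ScheduledServiceIAMRole.Arn
      Events:
        Timer:
          Type: Schedule
          Properties:
            Schedule: rate(1 hour)
            # Parameter values are substituted into this JSON verbatim: a value
            # containing a double quote breaks the payload. The EncryptedPassword
            # ciphertext is persisted in the schedule rule's input, so its
            # confidentiality rests on the KMS key policy, not on this stack.
            Input: !Sub |
              {
                "DbUser":"${DbUser}",
                "EncryptedPassword":"${EncryptedPassword}",
                "ClusterName":"${ClusterName}",
                "HostName":"${HostName}",
                "HostPort":"${HostPort}",
                "DatabaseName":"${DatabaseName}",
                "AggregationInterval":"${AggregationInterval}"
              }
  ScheduledServiceIAMRole:
    Type: "AWS::IAM::Role"
    Properties:
      # Fixed role name: the deployment needs CAPABILITY_NAMED_IAM and only one
      # copy of this stack can exist per account, since role names are
      # account-wide.
      RoleName: "LambdaRedshiftMonitoringRole"
      Path: "/"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AllowLambdaServiceToAssumeRole"
            Effect: "Allow"
            Action:
              - "sts:AssumeRole"
            Principal:
              Service:
                - "lambda.amazonaws.com"
      Policies:
        - PolicyName: "LambdaRedshiftMonitoringPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "cloudwatch:PutMetricData"
                # PutMetricData has no resource-level permissions, so "*" is
                # required here. The only way to narrow it is a
                # cloudwatch:namespace condition on the namespace the function
                # publishes to, which this template does not record.
                Resource: "*"
      ManagedPolicyArns:
        # Non-VPC deployment (ScheduledFunction has no VpcConfig): the basic
        # execution role covers CloudWatch Logs. The VPC variant additionally
        # grants ec2 network-interface permissions this function never uses.
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
        # Exactly one credential path is attached, selected by UseKms.
        - !If [UseKms, !Ref KmsDecryptPolicy, !Ref GetClusterCredentialsPolicy]
  KmsDecryptPolicy:
    Condition: UseKms
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "kms:Decrypt"
            # Scoped to the single key that encrypted the password.
            Resource: !Ref KmsKeyARN
  # Created unconditionally, but only attached to the role when UseKms is
  # false (see the !If above). When UseKms is true it is an unused, unattached
  # managed policy.
  GetClusterCredentialsPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "redshift:GetClusterCredentials"
            # Scoped to one database and one database user on the named cluster.
            Resource:
              - !Sub "arn:aws:redshift:${AWS::Region}:${AWS::AccountId}:dbname:${ClusterName}/${DatabaseName}"
              - !Sub "arn:aws:redshift:${AWS::Region}:${AWS::AccountId}:dbuser:${ClusterName}/${DbUser}"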