Правильное CloudFormation для Route53 RecordSet для API-шлюза - PullRequest
Новая
       37

Правильное CloudFormation для Route53 RecordSet для API-шлюза

1 голос
/ 29 апреля 2020

Я пытаюсь развернуть шаблон CloudFormation (через AWS CLI), который содержит DynamoDB и некоторые Lambdas, обслуживаемые через API Gateway. Ниже приведен шаблон: 

Resources:
  UTableArticle:
    Type: AWS::DynamoDB::Table
    Properties:
      KeySchema:
        - AttributeName: id
          KeyType: HASH
      AttributeDefinitions:
        - AttributeName: id
          AttributeType: S
      ProvisionedThroughput:
        ReadCapacityUnits: 1
        WriteCapacityUnits: 1
      TableName: !Sub ${AWS::StackName}-Article
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
  UIAMRoleFunctionServiceRoleArticle:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'

  UIAMRoleFunctionServiceRolePolicyArticle:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - dynamodb:BatchGetItem
              - dynamodb:GetRecords
              - dynamodb:GetShardIterator
              - dynamodb:Query
              - dynamodb:GetItem
              - dynamodb:Scan
              - dynamodb:BatchWriteItem
              - dynamodb:PutItem
              - dynamodb:UpdateItem
              - dynamodb:DeleteItem
            Effect: Allow
            Resource:
              - !GetAtt [ UTableArticle, Arn ]
              - !Ref AWS::NoValue
        Version: "2012-10-17"
      PolicyName: UIAMRoleFunctionServiceRolePolicyArticle
      Roles:
        - !Ref UIAMRoleFunctionServiceRoleArticle

  BFunctionSaveArticle:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: !Ref ArtefactRepositoryBucket
        S3Key: !Join [ '', [!Ref ArtefactRepositoryKeyPrefix, '.zip' ] ]
      Handler: !Ref 'SaveArticleHandler'
      Role: !GetAtt [ UIAMRoleFunctionServiceRoleArticle, Arn ]
      Runtime: java11
      Environment:
        Variables:
          TABLE_NAME: !Ref UTableArticle
          PRIMARY_KEY: id
    DependsOn:
      - UIAMRoleFunctionServiceRolePolicyArticle
      - UIAMRoleFunctionServiceRoleArticle
  BFunctionGetArticle:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: !Ref ArtefactRepositoryBucket
        S3Key: !Join [ '', [!Ref ArtefactRepositoryKeyPrefix, '.zip' ] ]
      Handler: !Ref 'GetArticleHandler'
      Role: !GetAtt [ UIAMRoleFunctionServiceRoleArticle, Arn ]
      Runtime: java11
      Environment:
        Variables:
          TABLE_NAME: !Ref UTableArticle
          PRIMARY_KEY: id
    DependsOn:
      - UIAMRoleFunctionServiceRolePolicyArticle
      - UIAMRoleFunctionServiceRoleArticle
  BFunctionListArticles:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: !Ref ArtefactRepositoryBucket
        S3Key: !Join [ '', [!Ref ArtefactRepositoryKeyPrefix, '.zip' ] ]
      Handler: !Ref 'ListArticlesHandler'
      Role: !GetAtt [ UIAMRoleFunctionServiceRoleArticle, Arn ]
      Runtime: java11
      Environment:
        Variables:
          TABLE_NAME: !Ref UTableArticle
          PRIMARY_KEY: id
    DependsOn:
      - UIAMRoleFunctionServiceRolePolicyArticle
      - UIAMRoleFunctionServiceRoleArticle

  BFunctionGWPermissionGetArticle:
    Type: AWS::Lambda::Permission
    DependsOn:
      - BlogRestApi
      - BFunctionListArticles
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt [ BFunctionListArticles, Arn ]
      Principal: apigateway.amazonaws.com
      SourceArn: !Join ['', ['arn:', !Ref 'AWS::Partition', ':execute-api:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', !Ref BlogRestApi, '/*/GET/article'] ]
  BFunctionGWPermissionPostArticle:
    Type: AWS::Lambda::Permission
    DependsOn:
      - BlogRestApi
      - BFunctionSaveArticle
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt [ BFunctionSaveArticle, Arn ]
      Principal: apigateway.amazonaws.com
      SourceArn: !Join ['', ['arn:', !Ref 'AWS::Partition', ':execute-api:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', !Ref BlogRestApi, '/*/POST/article'] ]
  BFunctionGWPermissionGetIdArticle:
    Type: AWS::Lambda::Permission
    DependsOn:
      - BlogRestApi
      - BFunctionGetArticle
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt [ BFunctionGetArticle, Arn ]
      Principal: apigateway.amazonaws.com
      SourceArn: !Join ['', ['arn:', !Ref 'AWS::Partition', ':execute-api:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', !Ref BlogRestApi, '/*/GET/article/{id}'] ]
  BFunctionGWPermissionPatchIdArticle:
    Type: AWS::Lambda::Permission
    DependsOn:
      - BlogRestApi
      - BFunctionSaveArticle
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt [ BFunctionSaveArticle, Arn ]
      Principal: apigateway.amazonaws.com
      SourceArn: !Join ['', ['arn:', !Ref 'AWS::Partition', ':execute-api:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', !Ref BlogRestApi, '/*/PATCH/article/{id}'] ]
  BlogRestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: Article
  UAGDeploymentArticle:
    Type: AWS::ApiGateway::Deployment
    Properties:
      RestApiId: !Ref BlogRestApi
      Description: Automatically created by the RestApi construct
    DependsOn:
      - UAGMethodArticleIdGet
      - UAGMethodArticleIdPatch
      - UAGResourceArticleId
      - UAGMethodArticleGet
      - UAGMethodArticlePost
      - UAGResourceArticle
  BAGDeploymentStageProdArticle:
    Type: AWS::ApiGateway::Stage
    Properties:
      RestApiId: !Ref BlogRestApi
      DeploymentId: !Ref UAGDeploymentArticle
      StageName: prod
  UAIMRoleCWPushArticle:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: !Join ["", ['apigateway.', !Ref "AWS::URLSuffix"] ]
        Version: "2012-10-17"
      ManagedPolicyArns:
        - !Join ['', ['arn:', !Ref 'AWS::Partition', ':iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'] ]
  UAGAccountArticle:
    Type: AWS::ApiGateway::Account
    Properties:
      CloudWatchRoleArn: !GetAtt [ UAIMRoleCWPushArticle, Arn ]
    DependsOn:
      - BlogRestApi
  UAGResourceArticle:
    Type: AWS::ApiGateway::Resource
    Properties:
      ParentId: !GetAtt [ BlogRestApi, RootResourceId ]
      PathPart: article
      RestApiId: !Ref BlogRestApi
  UAGMethodArticleGet:
    Type: AWS::ApiGateway::Method
    Properties:
      HttpMethod: GET
      ResourceId: !Ref UAGResourceArticle
      RestApiId: !Ref BlogRestApi
      AuthorizationType: NONE
      Integration:
        IntegrationHttpMethod: POST
        Type: AWS_PROXY
        Uri: !Join [ "", ['arn:', !Ref 'AWS::Partition', ':apigateway:', !Ref 'AWS::Region', ':lambda:path/2015-03-31/functions/', !GetAtt [ BFunctionListArticles, Arn ], '/invocations' ] ]
  UAGMethodArticlePost:
    Type: AWS::ApiGateway::Method
    Properties:
      HttpMethod: POST
      ResourceId: !Ref UAGResourceArticle
      RestApiId: !Ref BlogRestApi
      AuthorizationType: NONE
      Integration:
        IntegrationHttpMethod: POST
        Type: AWS_PROXY
        Uri: !Join [ "", ['arn:', !Ref 'AWS::Partition', ':apigateway:', !Ref 'AWS::Region', ':lambda:path/2015-03-31/functions/', !GetAtt [ BFunctionSaveArticle, Arn ], '/invocations' ] ]
  UAGResourceArticleId:
    Type: AWS::ApiGateway::Resource
    Properties:
      ParentId: !Ref UAGResourceArticle
      PathPart: "{id}"
      RestApiId: !Ref BlogRestApi
  UAGMethodArticleIdGet:
    Type: AWS::ApiGateway::Method
    Properties:
      HttpMethod: GET
      ResourceId: !Ref UAGResourceArticleId
      RestApiId: !Ref BlogRestApi
      AuthorizationType: NONE
      Integration:
        IntegrationHttpMethod: POST
        Type: AWS_PROXY
        Uri: !Join [ "", ['arn:', !Ref 'AWS::Partition', ':apigateway:', !Ref 'AWS::Region', ':lambda:path/2015-03-31/functions/', !GetAtt [ BFunctionGetArticle, Arn ], '/invocations' ] ]
  UAGMethodArticleIdPatch:
    Type: AWS::ApiGateway::Method
    Properties:
      HttpMethod: PATCH
      ResourceId: !Ref UAGResourceArticleId
      RestApiId: !Ref BlogRestApi
      AuthorizationType: NONE
      Integration:
        IntegrationHttpMethod: POST
        Type: AWS_PROXY
        Uri: !Join [ "", ['arn:', !Ref 'AWS::Partition', ':apigateway:', !Ref 'AWS::Region', ':lambda:path/2015-03-31/functions/', !GetAtt [ BFunctionSaveArticle, Arn ], '/invocations' ] ]
  # apparently the below already exists??
  BlogAPIDomainName:
    Type: AWS::ApiGateway::DomainName
    Properties:
      DomainName: blogapi.zenithwebfoundry.com
      EndpointConfiguration:
        Types:
          - EDGE
      CertificateArn: 'arn:aws:acm:us-east-1:499908792600:certificate/2983bc14-28d4-43ab-b1da-fe9618a926d1'
      SecurityPolicy: TLS_1_0
  BlogAPIHostedZone:
    Type: AWS::Route53::HostedZone
    Properties:
      Name: !Ref BlogAPIDomainName
  BlogAPIBasePathMapping:
    Type: AWS::ApiGateway::BasePathMapping
    Properties:
      DomainName: !Ref BlogAPIDomainName
      RestApiId: !Ref BlogRestApi
      Stage: 'prod'
  Route53RecordSetGroup:
    Type: AWS::Route53::RecordSetGroup
    Properties:
      HostedZoneId: Z18TN67OCTIBE0 # zenithwebfoundry.com. HostedZoneId
      RecordSets:
        - Name: blog.zenithwebfoundry.com.
          Type: A
          TTL: '300'
          ResourceRecords:
            - 52.64.238.177
        - Name: blogapi.zenithwebfoundry.com
          Type: A
          AliasTarget:
            HostedZoneId: Z2FDTNDATAQYW2
            DNSName: !Ref BlogAPIDomainName

  AssetsBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Join [ ".", [ !Ref 'AWS::StackName', 'assets' ] ]
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders: ['*']
            AllowedMethods: [GET,PUT,POST,DELETE,HEAD]
            AllowedOrigins: ['http://localhost*']
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  WebBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Join [ ".", [ !Ref 'AWS::StackName', 'web' ] ]
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      WebsiteConfiguration:
        IndexDocument: 'index.html'
        ErrorDocument: 'index.html'


Parameters:
  ArtefactRepositoryBucket:
    Type: String
    Description: 'S3 bucket for the blog artefact zip'
  ArtefactRepositoryKeyPrefix:
    Type: String
    Description: 'S3 key prefix for the blog artefact zip'
  CodeVersion:
    Type: String
    Description: 'Asset version (either just major.minor.patch, or  major.minor.patch-SNAPSHOT)'
  SaveArticleHandler:
    Type: String
    Default: 'com.zenithwebfoundry.blog.api.SaveArticleHandler'
  GetArticleHandler:
    Type: String
    Default: 'com.zenithwebfoundry.blog.api.GetArticleHandler'
  ListArticlesHandler:
    Type: String
    Default: 'com.zenithwebfoundry.blog.api.ListArticlesHandler'
  ParamDnsDomain:
    Description: "Public DNS Zone Name"
    Type: String
    Default: 'zenithwebfoundry.com'

Outputs:
  ArticleEndpoint:
    Value: !Join ["", ['https://', !Ref BlogRestApi, '.execute-api.ap-southeast-2.', !Ref 'AWS::URLSuffix', '/', !Ref BAGDeploymentStageProdArticle, '/'] ]

Часть, с которой у меня возникают трудности, - это AWS::Route53::RecordSetGroup, в частности запись для blogapi.zenithwebfoundry.com. По сути, создание стека происходит в RecordSetGroup с ошибкой: 

[RRSet with DNS name blogapi.zenithwebfoundry.com., type A contains an alias target that contains a hosted zone 108086391059049046 that is an invalid alias target., Tried to create an alias that targets z2fdtndataqyw2., type A in zone Z08366712O4E48ODE3XHX, but the alias target name does not lie within the target zone]

Я пробовал различные перестановки, в том числе пытался использовать установленную здесь HostedZone: 

  BlogAPIHostedZone:
    Type: AWS::Route53::HostedZone
    Properties:
      Name: !Ref BlogAPIDomainName

Надеясь, что это мог бы предоставить действительную ссылку, но он потерпел неудачу с другой ошибкой, по существу говоря, что запись не существует.

Поэтому мне интересно, как настроить набор записей с псевдонимом, который указывает на API-шлюз. Я видел много AWS doco, но, похоже, он направляется к конечным точкам Регионального API-шлюза (что, как мне кажется, немного особый случай) или к чисто консольным инструкциям, которые создают HostedZoneId до RecordSetGroup ( что позволяет жестко закодировать значение). Но как это сделать с помощью шаблона CloudFormation.

PS: пожалуйста, никаких ответов от serverless.com - это всего лишь AWS CloudFormation и развертывание стеков через AWS CLI. Меня интересуют только ответы, относящиеся к этому.

РЕДАКТИРОВАТЬ Следуя предложению, я изменил: 

DNSName: !Ref BlogAPIDomainName

на: 

DNSName: !GetAtt [BlogAPIDomainName, DistributionDomainName]

Развертывание фактически завершено. Так что спасибо.

Добро пожаловать на сайт PullRequest, где вы можете задавать вопросы и получать ответы от других членов сообщества.

Похожие темы

...