
CloudFormation SAM Template: Give an AWS::Serverless::Function a role to access DynamoDB


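# Lambda function that consumes the SQS queue and works against the DynamoDB
# table. All of its permissions come from LambdaExecutionRole (see Role below).
# SAM ignores the Policies property whenever Role is set, so the previous
# `Policies: [AmazonDynamoDBFullAccess]` entry was inert here -- and had it
# been honoured it would have granted far more than the table-scoped access
# the role already provides. It has therefore been dropped.
DoSomethingFunction:
  Type: AWS::Serverless::Function
  Properties:
    # Description is a function property, so it belongs under Properties.
    Description: Do Something
    FunctionName: 'DoSomething'
    Handler: 'do_something.lambda_handler'
    # Runtime, memory and timeout are template parameters so the same template
    # can be deployed to several stages without editing the resource.
    Runtime: !Ref LambdaRunTimeVersion
    MemorySize: !Ref LambdaMemorySize
    Timeout: !Ref LambdaTimeout
    Events:
      MySQSEvent:
        Type: SQS
        Properties:
          Queue: !GetAtt SqsQueue.Arn
          BatchSize: 10  # up to 10 messages per invocation
    # The function runs inside the VPC, so the execution role must also be
    # allowed to create and delete the ENIs Lambda places in these subnets;
    # without that the deployment fails.
    VpcConfig:
      SecurityGroupIds: !Ref VpcSecurityGroupIds
      SubnetIds: !Ref VpcSubnetIds
    Environment:
      Variables:
        'dynamodb_table_name': !Ref DynamoDBTable
        'sqs_url': !Ref SqsQueue  # !Ref on an AWS::SQS::Queue yields the queue URL
    Tags:
      Name: 'do_something.lambda_handler'
    # Explicit, least-privilege execution role defined in LambdaExecutionRole.
    Role: !GetAtt LambdaExecutionRole.Arn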

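# Execution role for DoSomethingFunction. Each inline policy is scoped to the
# single resource the function touches; the only account-wide grant is the
# EC2 ENI policy, which Lambda needs because the function has a VpcConfig.
LambdaExecutionRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - lambda.amazonaws.com
          Action:
            - sts:AssumeRole
    Policies:
      # CloudWatch Logs: only the three calls Lambda makes, and (for stream and
      # event writes) only on this function's own log group, instead of logs:*
      # on every log group in the account. The log group name follows
      # FunctionName ('DoSomething'); keep the two in sync.
      - PolicyName: allowLambdaLogs
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - logs:CreateLogGroup
              Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*'
            - Effect: Allow
              Action:
                - logs:CreateLogStream
                - logs:PutLogEvents
              Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/DoSomething:*'
      # DynamoDB: restricted to the table created by this template. dynamodb:*
      # is still wider than a handler normally needs (it includes DeleteTable);
      # narrow it to the calls the handler actually makes once they are known.
      # Queries against a secondary index would additionally need the
      # '${DynamoDBTable.Arn}/index/*' resource.
      - PolicyName: AllowDynamoDb
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - dynamodb:*
              Resource: !GetAtt DynamoDBTable.Arn
      # SQS: exactly the four calls the SQS event source mapping needs to poll,
      # acknowledge and retry messages on this queue.
      - PolicyName: AllowSqs
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - sqs:ReceiveMessage
                - sqs:DeleteMessage
                - sqs:GetQueueAttributes
                - sqs:ChangeMessageVisibility
              Resource: !GetAtt SqsQueue.Arn
      # VPC networking: the function declares VpcConfig, so Lambda uses this
      # role to manage ENIs in the configured subnets. The Describe* calls
      # accept no resource ARN, hence '*'; this mirrors the AWS managed
      # AWSLambdaVPCAccessExecutionRole policy.
      - PolicyName: AllowVpcEni
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - ec2:CreateNetworkInterface
                - ec2:DescribeNetworkInterfaces
                - ec2:DeleteNetworkInterface
                - ec2:DescribeSubnets
                - ec2:AssignPrivateIpAddresses
                - ec2:UnassignPrivateIpAddresses
              Resource: '*'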