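AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: Periodically backup each database individually in an RDS instance to S3 using lambda functions

# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
# NOTE(review): SAM Globals only apply to AWS::Serverless::* resources. The
# function below is a plain AWS::Lambda::Function, so nothing here reaches it:
# its timeout is the explicit 360 s on the resource (not 3 s) and X-Ray tracing
# is NOT enabled on it. Kept for parity; switch the function to
# AWS::Serverless::Function if these settings are actually intended.
Globals:
  Function:
    Timeout: 3
    Tracing: Active
  Api:
    TracingEnabled: true

Parameters:
  CronExpression:
    Type: String
    # EventBridge cron expressions take SIX fields
    # (minutes hours day-of-month month day-of-week year) and exactly one of
    # day-of-month / day-of-week must be "?". The previous default
    # "cron(* */12 * * *)" had five fields (rejected by EventBridge) and a "*"
    # in the minutes field, which would mean "every minute", not every 12 h.
    # This fires at 00:00 and 12:00 UTC.
    Default: "cron(0 */12 * * ? *)"
    Description: Cron expression for PostgreSQL database backup

Resources:
  Lambda:
    Type: AWS::Lambda::Function
    Properties:
      Description: Python Lambda Function to PostgreSQL database backup
      # NOTE(review): this name is fixed rather than prefixed with the stack
      # name like the bucket and rule below, so deploying this template twice
      # in the same account/region fails with a name collision.
      FunctionName: "backup-rds-single-database-lambda"
      Environment:
        Variables:
          # Destination bucket; the function is expected to read it from the
          # environment.
          S3_BUCKET: !Ref S3BUCKET
      # Container-image function; the image is built by `sam build` from the
      # Metadata block below.
      PackageType: Image
      # Execution role: CloudWatch Logs via the managed policy plus PutObject
      # on the backup bucket only (see LambdaExecutionRole).
      Role: !GetAtt LambdaExecutionRole.Arn
      MemorySize: 512
      # Six minutes per invocation. A pg_dump of a large database may need
      # more; the Lambda hard ceiling is 900 s.
      Timeout: 360
      # NOTE(review): no database endpoint or credentials are provisioned by
      # this template (no VpcConfig, no Secrets Manager grant on the role), so
      # the image presumably carries or fetches them itself — confirm. Prefer
      # a secretsmanager:GetSecretValue grant scoped to one secret over baking
      # credentials into the image.
    # Consumed by `sam build`, not by CloudFormation.
    Metadata:
      DockerTag: latest
      DockerContext: ./database-backup
      Dockerfile: Dockerfile

  # Resource-based policy allowing EventBridge to invoke the function. Without
  # it the rule below is created but every scheduled invocation fails
  # (FailedInvocations), because a plain AWS::Lambda::Function does not get
  # this permission added automatically the way AWS::Serverless::Function
  # Events do. SourceArn pins the grant to this one rule.
  CronInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref Lambda
      Principal: events.amazonaws.com
      SourceArn: !GetAtt Cron.Arn

  LambdaExecutionRole:
    # https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html#permissions-executionrole-api
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the Lambda service may assume this role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      # Inline policy: write-only access to objects in the backup bucket.
      # Deliberately no s3:GetObject / s3:ListBucket / s3:DeleteObject, so a
      # compromised function cannot read, enumerate or remove existing backups.
      Policies:
        - PolicyName: S3Policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:PutObject
                Resource:
                  - !Sub "arn:${AWS::Partition}:s3:::${S3BUCKET}/*"
      # Managed policy granting CloudWatch Logs write access.
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"

  S3BUCKET:
    Type: AWS::S3::Bucket
    # Backups must outlive the stack: never delete the bucket on stack
    # deletion or on a replacing update.
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      # NOTE(review): bucket names must be lowercase; a stack name containing
      # uppercase letters makes this name invalid.
      BucketName: !Sub "${AWS::StackName}-backup-rds-single-database-bucket"
      # ACLs disabled, bucket owner owns every object. This replaces the
      # deprecated AccessControl: Private property; the bucket is private
      # either way, and the block below rejects any public access.
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # Database dumps are sensitive: encrypt every object at rest. SSE-S3 is
      # used here; switch to aws:kms with a CMK if key-level access control or
      # key-usage auditing is required.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # Object lifecycle management. Retention is kept as in the original:
      # objects move to GLACIER after 1 day and are deleted after 2 days.
      # NOTE(review): this keeps only ~4 backups at a time, and Glacier has a
      # 90-day minimum storage charge, so the 1-day transition saves nothing
      # at a 2-day expiry — confirm this retention is intended.
      LifecycleConfiguration:
        Rules:
          - Id: GlacierRule
            Status: Enabled
            Transitions:
              - TransitionInDays: 1
                StorageClass: GLACIER
            ExpirationInDays: 2

  Cron:
    Type: AWS::Events::Rule
    Properties:
      Description: PostgreSQL database backup
      Name: !Sub "${AWS::StackName}-backup-rds-single-cron"
      ScheduleExpression: !Ref CronExpression
      State: ENABLED
      Targets:
        - Arn: !GetAtt Lambda.Arn
          Id: Lambda
          # Static event payload: the list of databases to back up.
          Input: |-
            {
              "DATABASES": [
                "sharpsell-dev-postgresql-sharpsell",
                "sharpsell-uat-postgresql-sharpsell"
              ]
            }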