# Serverless Framework resources file: the CloudFormation `Resources` and
# `Outputs` stanzas merged into the generated stack template. Values written
# with the Framework's variable syntax (env: and self: references) are
# resolved before the template reaches CloudFormation.
Resources:
  # Security group attached to the GraphQL Lambda functions inside the VPC.
  LambdaSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: 'Security Group for GraphQL Lambda functions'
      # Outbound only: no SecurityGroupIngress is declared here. The single
      # egress rule permits every protocol and port to any IPv4 destination
      # (the same as the default outbound rule on a new group); narrow the
      # CIDR or protocol if the functions only need to reach known endpoints.
      SecurityGroupEgress:
        - CidrIp: '0.0.0.0/0'
          IpProtocol: -1  # -1 = all protocols
          FromPort: 0
          ToPort: 65535
      VpcId: ${env:VPC_ID}

  # Execution role assumed by the Lambda functions.
  ApplicationRole:
    Type: 'AWS::IAM::Role'
    Properties:
      # AWS-managed policy for Lambda functions attached to a VPC.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
      # Boundary policy located in the deploying account. The ARN is assembled
      # with Fn::Join rather than Fn::Sub, presumably because a Fn::Sub
      # placeholder would share the Framework's own variable syntax — confirm
      # before converting.
      PermissionsBoundary:
        Fn::Join:
          - ''
          - - 'arn:aws:iam::'
            - Ref: 'AWS::AccountId'
            - ':policy/NGAPShRoleBoundary'
      # Only the Lambda service principal may assume this role.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: LambdaBase
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # NOTE(review): Resource '*' lets these functions invoke any
              # Lambda function in the account. Scoping it to the function
              # ARNs they actually call would keep the role at least
              # privilege.
              - Effect: Allow
                Action:
                  - lambda:InvokeFunction
                Resource: '*'

# Exported so that other stacks can import these values.
Outputs:
  GraphQLLambdaSecurityGroup:
    Value:
      Ref: LambdaSecurityGroup
    Export:
      Name: ${self:provider.stage}-GraphQLLambdaSecurityGroup

  # NOTE(review): this export name is fixed to the "dev-" prefix regardless of
  # the deployed stage. CloudFormation export names must be unique within an
  # account and region, so a second stage deployed alongside dev in the same
  # account would collide on it — confirm this is intended.
  GraphQLApplicationRoleDev:
    Description: Role used to execute commands across the application
    Value:
      Fn::GetAtt:
        - ApplicationRole
        - Arn
    Export:
      Name: dev-GraphQLApplicationRole

  # Stage-scoped export of the same role ARN.
  GraphQLApplicationRole:
    Description: Role used to execute commands across the application
    Value:
      Fn::GetAtt:
        - ApplicationRole
        - Arn
    Export:
      Name: ${self:provider.stage}-GraphQLApplicationRole