serverless-plugin-module-registry 1.0.12 → 1.0.13

package/src/internal-infrastructure/resources/iam.yml

@@ -0,0 +1,110 @@
+Resources:
+  # Stream Processor Lambda Role
+  StreamProcessorRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: ${self:provider.stackName}-${self:provider.region}-stream-processor
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: lambda.amazonaws.com
+            Action: sts:AssumeRole
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+      Policies:
+        - PolicyName: StreamProcessorPolicy-${self:provider.region}
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action:
+                  - dynamodb:DescribeStream
+                  - dynamodb:GetRecords
+                  - dynamodb:GetShardIterator
+                  - dynamodb:ListStreams
+                Resource:
+                  - !Sub 'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${param:tableName}/stream/*'
+              - Effect: Allow
+                Action:
+                  - sqs:SendMessage
+                  - sqs:GetQueueUrl
+                Resource: !GetAtt RoleUpdateQueue.Arn
+              - Effect: Allow
+                Action:
+                  - events:PutEvents
+                Resource: !GetAtt ModuleRegistryEventBus.Arn
+
+  # Role Updater Lambda Role
+  RoleUpdaterRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: ${self:provider.stackName}-${self:provider.region}-role-updater
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: lambda.amazonaws.com
+            Action: sts:AssumeRole
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+      Policies:
+        - PolicyName: RoleUpdaterPolicy-${self:provider.region}
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action:
+                  - sqs:ReceiveMessage
+                  - sqs:DeleteMessage
+                  - sqs:GetQueueAttributes
+                Resource: !GetAtt RoleUpdateQueue.Arn
+              - Effect: Allow
+                Action:
+                  - dynamodb:Query
+                  - dynamodb:GetItem
+                Resource:
+                  - !Sub 'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${param:tableName}'
+                  - !Sub 'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${param:tableName}/index/*'
+              - Effect: Allow
+                Action:
+                  - iam:ListRoles
+                  - iam:GetRole
+                  - iam:TagRole
+                  - iam:UntagRole
+                  - iam:AttachRolePolicy
+                  - iam:DetachRolePolicy
+                  - iam:ListAttachedRolePolicies
+                  - iam:ListPolicies
+                Resource: '*'
+              - Effect: Allow
+                Action:
+                  - cloudwatch:PutMetricData
+                Resource: '*'
+
+  # Stream Enabler Custom Resource Lambda Role
+  StreamEnablerRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: ${self:provider.stackName}-${self:provider.region}-stream-enabler
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: lambda.amazonaws.com
+            Action: sts:AssumeRole
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+      Policies:
+        - PolicyName: StreamEnablerPolicy-${self:provider.region}
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action:
+                  - dynamodb:DescribeTable
+                  - dynamodb:UpdateTable
+                Resource: !Sub 'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${param:tableName}'

package/src/internal-infrastructure/resources/outputs.yml

@@ -0,0 +1,13 @@
+# Additional Outputs (table outputs are in dynamodb.yml, queue outputs in sqs.yml)
+Outputs:
+  StreamProcessorRoleArn:
+    Description: Stream Processor Lambda Role ARN
+    Value: !GetAtt StreamProcessorRole.Arn
+    Export:
+      Name: ${self:provider.stackName}-StreamProcessorRoleArn
+
+  RoleUpdaterRoleArn:
+    Description: Role Updater Lambda Role ARN
+    Value: !GetAtt RoleUpdaterRole.Arn
+    Export:
+      Name: ${self:provider.stackName}-RoleUpdaterRoleArn

package/src/internal-infrastructure/resources/sqs.yml

@@ -0,0 +1,57 @@
+Resources:
+  # Dead Letter Queue
+  RoleUpdateDLQ:
+    Type: AWS::SQS::Queue
+    Properties:
+      QueueName: ${self:provider.stackName}-role-update-dlq
+      MessageRetentionPeriod: 1209600  # 14 days
+      Tags:
+        - Key: Purpose
+          Value: ModuleRegistryRoleUpdateDLQ
+        - Key: Service
+          Value: ${self:service}
+        - Key: Stage
+          Value: ${self:provider.stage}
+
+  # Main Queue with DLQ
+  RoleUpdateQueue:
+    Type: AWS::SQS::Queue
+    Properties:
+      QueueName: ${self:provider.stackName}-role-update-queue
+      MessageRetentionPeriod: 1209600  # 14 days
+      VisibilityTimeout: 900  # 15 minutes (matches Lambda max timeout)
+      RedrivePolicy:
+        deadLetterTargetArn: !GetAtt RoleUpdateDLQ.Arn
+        maxReceiveCount: 3
+      Tags:
+        - Key: Purpose
+          Value: ModuleRegistryRoleUpdate
+        - Key: Service
+          Value: ${self:service}
+        - Key: Stage
+          Value: ${self:provider.stage}
+
+Outputs:
+  RoleUpdateQueueArn:
+    Description: Role Update Queue ARN
+    Value: !GetAtt RoleUpdateQueue.Arn
+    Export:
+      Name: ${self:provider.stackName}-QueueArn
+
+  RoleUpdateQueueUrl:
+    Description: Role Update Queue URL
+    Value: !Ref RoleUpdateQueue
+    Export:
+      Name: ${self:provider.stackName}-QueueUrl
+
+  RoleUpdateDLQArn:
+    Description: Dead Letter Queue ARN
+    Value: !GetAtt RoleUpdateDLQ.Arn
+    Export:
+      Name: ${self:provider.stackName}-DLQArn
+
+  RoleUpdateDLQUrl:
+    Description: Dead Letter Queue URL
+    Value: !Ref RoleUpdateDLQ
+    Export:
+      Name: ${self:provider.stackName}-DLQUrl

package/src/internal-infrastructure/serverless.yml

@@ -0,0 +1,69 @@
+service: ${param:serviceName}-infra
+
+frameworkVersion: '4'
+
+provider:
+  name: aws
+  runtime: nodejs20.x
+  stage: ${opt:stage, 'dev'}
+  region: ${opt:region, 'us-east-1'}
+  stackName: ${param:stackName}
+  memorySize: 256
+  timeout: 30
+  logRetentionInDays: 14
+  deploymentMethod: direct # Use direct deployment to avoid change sets
+
+params:
+  live:
+    deletionPolicy: Retain
+  default:
+    serviceName: module-registry
+    stackName: ${self:service}-${self:provider.stage}
+    tableName: 'module-registry-${self:provider.stage}'
+    policyPrefix: ''
+    accountId: ''
+    deletionPolicy: Delete
+
+# plugins:
+#   - serverless-plugin-artifact-manager
+
+functions:
+  streamProcessor:
+    handler: handlers/stream-processor.handler
+    role: StreamProcessorRole
+    timeout: 60
+    memorySize: 512
+    environment:
+      QUEUE_URL: !Ref RoleUpdateQueue
+      EVENT_BUS_NAME: !Ref ModuleRegistryEventBus
+    events:
+      - stream:
+          type: dynamodb
+          arn: !GetAtt EnableTableStreams.StreamArn
+          batchSize: 10
+          startingPosition: LATEST
+          filterPatterns:
+            - eventName: [INSERT, MODIFY, REMOVE]
+
+  roleUpdater:
+    handler: handlers/role-updater.handler
+    role: RoleUpdaterRole
+    timeout: 900  # 15 min max
+    memorySize: 1024
+    environment:
+      DYNAMODB_TABLE_NAME: ${param:tableName}
+      POLICY_PREFIX: ${param:policyPrefix}
+      AWS_ACCOUNT_ID: ${param:accountId}
+    events:
+      - sqs:
+          arn: !GetAtt RoleUpdateQueue.Arn
+          batchSize: 10
+
+resources:
+  - ${file(resources/dynamodb.yml)}
+  - ${file(resources/custom-stream-enabler.yml)}
+  - ${file(resources/eventbridge.yml)}
+  - ${file(resources/iam.yml)}
+  - ${file(resources/sqs.yml)}
+  - ${file(resources/cloudwatch.yml)}
+  - ${file(resources/outputs.yml)}