Added in CFN for populating the DDB (#919)

* Added in CFN for populating the DDB

* Added in permissions for KMS Decryption

* Move folders

* Added KMS Key Parameter

Co-authored-by: Muhammad Khas <mxk@amazon.com>
Co-authored-by: Brian969 <56414362+Brian969@users.noreply.github.com>
Co-authored-by: hickeydh-aws <hickeydh@amazon.com>

Author: 4 people

reference-artifacts/Add-ons/DDB-Update/README.md

@@ -0,0 +1,21 @@
+## CloudFormation template for DynamoDB table
+
+This CloudFormation script does the following:
+
+1. Create an Amazon S3 bucket for the JSON file containing CIDR ranges
+1. Create an AWS Lambda function that will populate the DynamoDB table
+1. Setup a trigger such that the Lambda function will run everytime a file is uploaded in the bucket
+
+Usage:
+
+1. Run the CloudFormation template in the "home" region
+1. Navigate to Outputs and note the Amazon S3 bucket's name
+1. Modify the attached sample JSON file, as appropriate
+1. Upload the JSON file in the S3 bucket
+1. The DynamoDB table will be populated with the CIDR ranges
+
+Precautions:
+
+1. The JSON file must follow the pattern in the sample file but any number of CIDRs can be added
+1. Uploading a second file will overwrite the DynamoDB with the new values
+1. The file must have a name of `cidr-update-list.json` for the IAM permissions to work correctly

reference-artifacts/Add-ons/DDB-Update/cidr-update-list.json

@@ -0,0 +1,16 @@
+{
+    "cidr-pools": [
+        {
+            "cidr": "10.0.0.0/18",
+            "pool": "prod_eu-west-2",
+            "description": "Production supernet for region eu-west-2",
+            "region": "eu-west-2"
+        },
+        {
+            "cidr": "10.0.64.0/16",
+            "pool": "dev_eu-west-2",
+            "description": "Development supernet for region eu-west-2",
+            "region": "eu-west-2"
+        }
+    ]
+}

reference-artifacts/Add-ons/DDB-Update/ddb-update.yaml

@@ -0,0 +1,112 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: CloudFormation to update DynamoDB with new CIDRs
+Parameters:
+  KMSKeyArn:
+    Description: 'The arn of the ASEA installer KMS key. Used to access the CIDR Pool DDB table'
+    Type: 'String'
+Resources:
+  CIDRS3Bucket:
+    Type: AWS::S3::Bucket
+    DeletionPolicy: Delete
+    Properties:
+      BucketName: !Sub 'ddb-cidr-${AWS::AccountId}'
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: 'AES256'
+      NotificationConfiguration:
+        LambdaConfigurations:
+          - Event: 's3:ObjectCreated:*'
+            Function: !GetAtt CIDRLambda.Arn
+  CIDRBucketInvoke:
+    Type: AWS::Lambda::Permission
+    Properties:
+      Action: 'lambda:InvokeFunction'
+      FunctionName: !GetAtt CIDRLambda.Arn
+      Principal: 's3.amazonaws.com'
+      SourceAccount: !Ref 'AWS::AccountId'
+      SourceArn: !Sub 'arn:aws:s3:::ddb-cidr-${AWS::AccountId}'
+  CIDRLambda:
+    Type: AWS::Lambda::Function
+    Properties:
+      Code:
+        ZipFile: |
+          import json
+          import boto3
+          import os
+          s3_client = boto3.client('s3')
+          ddb = boto3.resource('dynamodb')
+          ddb_client = boto3.client('dynamodb')
+          def handler(event, context):
+            # Define variables
+            bucket_name = event['Records'][0]['s3']['bucket']['name']
+            file_name = event['Records'][0]['s3']['object']['key']
+            try:
+              # Get CIDR allocation file from S3
+              s3_response = s3_client.get_object(Bucket=bucket_name, Key=file_name)
+              # Get CIDR list from S3
+              file_content = json.loads(s3_response["Body"].read().decode("utf-8"))
+              cidr_list = file_content["cidr-pools"]
+              # Get DynamoDB table name (ends in cidr-pool)
+              ddb_tables = (ddb_client.list_tables())['TableNames']
+              ddb_table = [table for table in ddb_tables if 'cidr-pool' in table][0]
+              # Initialise DynamoDB table resource for the table
+              table = ddb.Table(ddb_table)
+              # Write CIDRs to the DynamoDB table
+              for i, cidr in enumerate(cidr_list):
+                cidr['id'] = str(i+1)
+                ddb_response = table.put_item(
+                Item=cidr
+                )
+              print('DynamoDB was successfully updated with the CIDR ranges')
+            except Exception as e:
+              print(e)
+      Description: Lambda to update CIDR ranges in DynamoDB
+      Handler: index.handler
+      MemorySize: 128
+      Role: !GetAtt CIDRLambdaRole.Arn
+      Runtime: python3.9
+      Timeout: 60
+  CIDRLambdaRole:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: 'lambda.amazonaws.com'
+            Action:
+              - 'sts:AssumeRole'
+      Path: '/'
+      ManagedPolicyArns:
+        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
+      Policies:
+        - PolicyName: RestrictedPermissions
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: Policy0
+                Effect: Allow
+                Action:
+                  - s3:GetObject
+                  - dynamodb:PutItem
+                  - kms:Decrypt
+                Resource:
+                  - !Sub 'arn:aws:s3:::ddb-cidr-${AWS::AccountId}/cidr-update-list.json'
+                  - !Sub 'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/*'
+                  - !Ref KMSKeyArn
+        - PolicyName: UnrestrictedPermissions
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: Policy1
+                Effect: Allow
+                Action:
+                  - dynamodb:ListTables
+                Resource:
+                  - '*'
+Outputs:
+  S3BucketName:
+    Description: S3 Bucket for uploading CIDR list
+    Value: !Ref CIDRS3Bucket