deploy-vpc.yaml

AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31
Parameters:
  ClusterName:
    Default: my-redshift-cluster
    Description: Cluster Name
    Type: String
    AllowedPattern: .*
  DbUser:
    Default: My DB User
    Description: Name of the database user to connect to
    Type: String
    AllowedPattern: .*
  EncryptedPassword:
    Default: Base64 Encoded Encrypted Password
    Description: Password encrypted with AWS KMS (leave blank to use IAM authentication token)
    Type: String
    AllowedPattern: .*
  KmsKeyARN:
    Default: arn:aws:kms:us-east-1:123456789012:key/MyKey
    Description: KMS Key ARN used to decrypt the password (leave blank to use IAM authentication token)
    Type: String
    AllowedPattern: ^$|arn:aws:kms:[a-zA-Z0-9-]+:\d{12}:key\/.*
  HostName:
    Default: my-redshift-cluster.XXXXXXXXXXXX.<region>.redshift.amazonaws.com
    Description: Cluster Endpoint Address
    Type: String
    AllowedPattern: .*\.redshift\.amazonaws\.com$
  HostPort:
    Default: 5439
    Description: Database Port
    Type: Number
    MinValue: 1024
    MaxValue: 65535
  DatabaseName:
    Default: mydb
    Description: Database Name to connect to
    Type: String
    AllowedPattern: .*
  SecurityGroups:
    Default: mygroup1, mygroup2
    Description: Security Groups as CSV list to use for the deployed function (may be required for Redshift security policy)
    Type: CommaDelimitedList
  SubnetIds:
    Default: subnet1, subnet2, subnet3
    Description: List of private Subnets in VPC in which the function will egress network connections
    Type: CommaDelimitedList
  AggregationInterval:
    Default: 1 hour
    Description: Interval for aggregating statistics
    Type: String
    AllowedValues:
      - 1 hour
      - 10 minutes
Conditions:
  UseKms: !Not
   - !Equals
     - !Ref KmsKeyARN
     - ''
Resources:
  ScheduledFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: lambda_function.lambda_handler
      Runtime: python3.9
      CodeUri:         
        Bucket: !Sub awslabs-code-${AWS::Region}
        Key: RedshiftAdvancedMonitoring/redshift-advanced-monitoring-1.8.zip
      MemorySize: 192
      Timeout: 900
      Tags:
        Name: RedshiftAdvancedMonitoring
      Role: !GetAtt ScheduledServiceIAMRole.Arn
      VpcConfig:
        SecurityGroupIds:
          !Ref SecurityGroups
        SubnetIds:
          !Ref SubnetIds
      Events:
        Timer:
          Type: Schedule
          Properties:
            Schedule: rate(1 hour)
            Input: 
              !Sub | 
                {
                  "DbUser":"${DbUser}",
                  "EncryptedPassword":"${EncryptedPassword}",
                  "ClusterName":"${ClusterName}",
                  "HostName":"${HostName}",
                  "HostPort":"${HostPort}",
                  "DatabaseName":"${DatabaseName}",
                  "AggregationInterval":"${AggregationInterval}"
                }
  ScheduledServiceIAMRole:
    Type: "AWS::IAM::Role"
    Properties:
        RoleName: "LambdaRedshiftMonitoringRole"
        Path: "/"
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            -
              Sid: "AllowLambdaServiceToAssumeRole"
              Effect: "Allow"
              Action:
                - "sts:AssumeRole"
              Principal:
                Service:
                  - "lambda.amazonaws.com"
        Policies:
          -
            PolicyName: "LambdaRedshiftMonitoringPolicy"
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                -
                  Effect: "Allow"
                  Action:
                    - "cloudwatch:PutMetricData"
                  Resource: "*"
        ManagedPolicyArns:
          - "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
          - !If [UseKms, !Ref KmsDecryptPolicy, !Ref GetClusterCredentialsPolicy]
  KmsDecryptPolicy:
    Condition: UseKms
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Action:
              - "kms:Decrypt"
            Resource: !Ref KmsKeyARN
  GetClusterCredentialsPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Action:
              - "redshift:GetClusterCredentials"
            Resource: 
              - !Sub "arn:aws:redshift:${AWS::Region}:${AWS::AccountId}:dbname:${ClusterName}/${DatabaseName}"
              - !Sub "arn:aws:redshift:${AWS::Region}:${AWS::AccountId}:dbuser:${ClusterName}/${DbUser}"