-
Notifications
You must be signed in to change notification settings - Fork 2
/
template.yaml
99 lines (91 loc) · 3.43 KB
/
template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31
Description: |
A Kubernetes ValidatingWebhookConfiguration and serverless backend:
Deny Pods with container images that don't meet your compliance requirements.
Metadata:
AWS::ServerlessRepo::Application:
Name: amazon-ecr-repository-compliance-webhook
Description: "A Kubernetes ValidatingWebhookConfiguration and serverless backend: Deny Pods with container images that don't meet your compliance requirements"
Author: Simon Woldemichael
SpdxLicenseId: Apache-2.0
LicenseUrl: LICENSE
ReadmeUrl: README.md
Labels: ["kubernetes", "validating", "admission", "webhook", "eks", "ecr"]
HomePageUrl: https://github.com/aws-samples/amazon-ecr-repository-compliance-webhook
SemanticVersion: 1.5.0
SourceCodeUrl: https://github.com/aws-samples/amazon-ecr-repository-compliance-webhook
Parameters:
RegistryRegion:
Type: String
Description: Optional. What AWS region should this Lambda function interact with ECR in?
Default: ""
LogLevel:
Type: String
Description: Optional. The log level to set. DEBUG, INFO, WARN, or ERROR. Default's to INFO.
AllowedValues: ["DEBUG", "INFO", "WARN", "ERROR"]
Default: INFO
Conditions:
HasRegistryRegion: !Not [!Equals [!Ref RegistryRegion, ""]]
Resources:
ECRRepositoryComplianceWebhookExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action:
- sts:AssumeRole
Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Version: "2012-10-17"
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyDocument:
Statement:
- Action:
- ecr:DescribeRepositories
- xray:PutTraceSegments
- ecr:DescribeImageScanFindings
Effect: Allow
Resource: "*"
Version: "2012-10-17"
PolicyName: ECRRepositoryComplianceWebhookLambdaPolicy
ECRRepositoryComplianceWebhookAPIGateway:
Type: AWS::Serverless::HttpApi
Properties:
StageName: Prod
ECRRepositoryComplianceWebhookFunction:
Type: AWS::Serverless::Function
Description: Lambda handler for amazon-ecr-repository-compliance-webhook
Properties:
FunctionName: amazon-ecr-repository-compliance-webhook
Handler: main
Runtime: go1.x
Tracing: Active
MemorySize: 128
Role: !GetAtt ECRRepositoryComplianceWebhookExecutionRole.Arn
Timeout: 15
Environment:
Variables:
REGISTRY_REGION: !If [HasRegistryRegion, !Ref RegistryRegion, !Ref "AWS::NoValue"]
LOG_LEVEL: !Ref LogLevel
Events:
ValidationEvent:
Type: HttpApi
Properties:
Path: /check-image-compliance
Method: post
ApiId: !Ref ECRRepositoryComplianceWebhookAPIGateway
ConfigAPIGatewayLambdaInvoke:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName: !Ref ECRRepositoryComplianceWebhookFunction
Principal: apigateway.amazonaws.com
Outputs:
WebhookURL:
Description: "ValidatingWebhookConfiguration invocation URL"
Value: !Sub "https://${ECRRepositoryComplianceWebhookAPIGateway}.execute-api.${AWS::Region}.amazonaws.com/Prod/check-image-compliance"