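# SAM template for the amazon-ecr-repository-compliance-webhook backend:
# a PRIVATE API Gateway REST API fronting a Go Lambda that a Kubernetes
# ValidatingWebhookConfiguration calls to admit or deny Pods based on their
# container images.
#
# Indentation in this listing was reconstructed from the key hierarchy; the
# deployed template must be checked with `sam validate` before use.
AWSTemplateFormatVersion: "2010-09-09"  # quoted so YAML 1.1 loaders do not retype the version as a date
Transform: AWS::Serverless-2016-10-31
Description: |
  A Kubernetes ValidatingWebhookConfiguration and serverless backend:
  Deny Pods with container images that don't meet your compliance requirements.

Metadata:
  AWS::ServerlessRepo::Application:
    Name: amazon-ecr-repository-compliance-webhook
    Description: "A Kubernetes ValidatingWebhookConfiguration and serverless backend: Deny Pods with container images that don't meet your compliance requirements"

Parameters:
  # Both values are resolved from SSM Parameter Store at deploy time, so the
  # template carries no account-specific ARNs or endpoint IDs.
  ExecutionRole:
    Type: AWS::SSM::Parameter::Value<String>
    Description: IAM Role ARN
    Default: /ECRCompliance/starfleet/SAM/ExecutionRoleArn
  ApiGatewayVpcEndpointId:
    Type: AWS::SSM::Parameter::Value<String>
    Description: API Gateway VPC Endpoint ID
    Default: /ECRCompliance/starfleet/SAM/ApiGwVpcEndpointId

Resources:
  ECRRepositoryComplianceWebhookRestApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      Auth:
        ResourcePolicy:
          # Resource policy only admits requests arriving through the listed
          # VPC endpoint; together with the PRIVATE endpoint type below this
          # keeps the webhook off the public internet.
          IntrinsicVpceWhitelist:
            - !Ref ApiGatewayVpcEndpointId
      EndpointConfiguration:
        Type: PRIVATE
        VPCEndpointIds:
          - !Ref ApiGatewayVpcEndpointId

  ECRRepositoryComplianceWebhookFunction:
    Type: AWS::Serverless::Function
    Metadata:
      BuildMethod: go1.x
    Properties:
      # Description belongs under Properties, where AWS::Serverless::Function
      # defines it, rather than as a resource-level attribute.
      Description: Lambda handler for amazon-ecr-repository-compliance-webhook
      FunctionName: amazon-ecr-repository-compliance-webhook
      Handler: bootstrap
      Runtime: provided.al2023
      Architectures:
        - arm64
      MemorySize: 128
      Role: !Ref ExecutionRole
      Timeout: 15
      Events:
        ValidationEvent:
          Type: Api
          Properties:
            Path: /check-image-compliance
            Method: post
            RestApiId: !Ref ECRRepositoryComplianceWebhookRestApi

  ConfigAPIGatewayLambdaInvoke:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref ECRRepositoryComplianceWebhookFunction
      Principal: apigateway.amazonaws.com
      # Without SourceArn this grant lets any API Gateway (including ones in
      # other accounts) invoke the function; scope it to this API's route.
      SourceArn: !Sub "arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:${ECRRepositoryComplianceWebhookRestApi}/*/POST/check-image-compliance"

Outputs:
  WebhookURL:
    Description: "ValidatingWebhookConfiguration invocation URL"
    # Stage segment is hard-coded to match StageName above; keep the two in sync.
    Value: !Sub "https://${ECRRepositoryComplianceWebhookRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/check-image-compliance"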