CloudFormation Templates¶
Note
Pre-built versions of the CloudFormation templates are provided as part of a release on GitHub.
See also Building the CloudFormation Templates.
lava-common.cfn.json¶
This template builds components that are shared across all lava realms. There should be a very limited number of these.
Parameters¶
| Parameter | Type | Description |
|---|---|---|
| Version | String | Lava version (read only). |
Outputs¶
| Id | Export as | Description |
|---|---|---|
| Version | "lava:version" | Lava common stack version |
Resources¶
Logs Resources¶
| Id | Type | Description |
|---|---|---|
| logsPolicyToLogEvents | ResourcePolicy | Allow EventBridge rules to write to log group aws/events/lava. This is generally not needed, as EventBridge will already have added a broader permission, but it is included as a safeguard. |
SSM Resources¶
| Id | Type | Description |
|---|---|---|
| ssmDocumentLavaReboot | Document | SSM command document to do controlled reboot on a lava instance. |
| ssmDocumentLavaStop | Document | SSM command document to stop lava daemons on a worker instance. |
| ssmDocumentSecUpdate | Document | SSM command document to check if security updates are available for a lava worker instance and install and reboot if there are. |
Resource Details¶
logsPolicyToLogEvents¶
| Property | Value |
|---|---|
| Type | AWS::Logs::ResourcePolicy |
| Group | Logs Resources (Logs) |
| Description | Allow EventBridge rules to write to log group aws/events/lava. This is generally not needed, as EventBridge will already have added a broader permission, but it is included as a safeguard. |
{
"Properties": {
"PolicyDocument": {
"Fn::Sub": "{\"Statement\": [{\"Action\": [\"logs:CreateLogStream\", \"logs:PutLogEvents\"], \"Effect\": \"Allow\", \"Principal\": {\"Service\": [\"delivery.logs.amazonaws.com\", \"events.amazonaws.com\"]}, \"Resource\": \"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/events/lava:*\", \"Sid\": \"TrustEventsToStoreLavaLogEvent\"}], \"Version\": \"2012-10-17\"}"
},
"PolicyName": "TrustEventsToStoreLavaLogEvents"
},
"Type": "AWS::Logs::ResourcePolicy"
}
ssmDocumentLavaReboot¶
| Property | Value |
|---|---|
| Type | AWS::SSM::Document |
| Group | SSM Resources (SSM) |
| Description | SSM command document to do controlled reboot on a lava instance. |
{
"Properties": {
"Content": {
"description": "Controlled reboot of a lava instance (includes security updates).",
"mainSteps": [
{
"action": "aws:runShellScript",
"inputs": {
"runCommand": [
"LOG='logger -s -p local0.info -t lava-reboot'",
"[ -f /tmp/no-reboot ] && /bin/rm -f /tmp/no-reboot && $LOG Reboot complete && exit 0",
"$LOG Installing any available security updates",
"yum update --security -y",
"$LOG Stopping lava worker daemons",
"lava-stop --level '{{LogLevel}}' --log @local0 --signal '{{Signal}}' --wait '{{Wait}}'",
"touch /tmp/no-reboot || exit 1",
"$LOG Rebooting",
"exit 194"
],
"timeoutSeconds": "{{ExecutionTimeout}}"
},
"name": "rebootWorkerInstance"
}
],
"parameters": {
"ExecutionTimeout": {
"allowedPattern": "^\\d+$",
"default": "3600",
"description": "Execution timeout in seconds",
"type": "String"
},
"LogLevel": {
"allowedValues": [
"debug",
"info",
"warning"
],
"default": "info",
"description": "Logging level",
"type": "String"
},
"Signal": {
"allowedValues": [
"SIGHUP",
"SIGKILL"
],
"default": "SIGHUP",
"description": "SIGHUP for controlled shutdown. SIGKILL for hard kill.",
"type": "String"
},
"Wait": {
"allowedPattern": "^\\d+[hms]?$",
"default": "15m",
"description": "Wait for specified duration for lava workers to stop voluntarily before killing them.",
"type": "String"
}
},
"schemaVersion": "2.2"
},
"DocumentFormat": "JSON",
"DocumentType": "Command",
"Name": "lava-RebootWorkerInstance",
"TargetType": "/AWS::EC2::Instance"
},
"Type": "AWS::SSM::Document"
}
ssmDocumentLavaStop¶
| Property | Value |
|---|---|
| Type | AWS::SSM::Document |
| Group | SSM Resources (SSM) |
| Description | SSM command document to stop lava daemons on a worker instance. |
{
"Properties": {
"Content": {
"description": "Signal lava daemons to stop and wait for them to finish.",
"mainSteps": [
{
"action": "aws:runShellScript",
"inputs": {
"runCommand": [
"LOG='logger -s -p local0.info -t lava-stop'",
"[ '{{StopDispatch}}' == 'yes' ] && STOP_DISPATCH=--no-dispatch",
"lava-stop --level '{{LogLevel}}' --log @local0 --signal '{{Signal}}' --wait '{{Wait}}' $STOP_DISPATCH",
"$LOG lava daemons stopped"
],
"timeoutSeconds": "{{ExecutionTimeout}}"
},
"name": "stopWorkerDaemons"
}
],
"parameters": {
"ExecutionTimeout": {
"allowedPattern": "^\\d+$",
"default": "3600",
"description": "Execution timeout in seconds",
"type": "String"
},
"LogLevel": {
"allowedValues": [
"debug",
"info",
"warning"
],
"default": "info",
"description": "Logging level",
"type": "String"
},
"Signal": {
"allowedValues": [
"SIGHUP",
"SIGKILL"
],
"default": "SIGHUP",
"description": "SIGHUP for controlled shutdown. SIGKILL for hard kill.",
"type": "String"
},
"StopDispatch": {
"allowedValues": [
"yes",
"no"
],
"default": "yes",
"description": "Prevent scheduled dispatches from this instance?",
"type": "String"
},
"Wait": {
"allowedPattern": "^[0-9]+[hms]?$",
"default": "15m",
"description": "Wait for specified duration for lava workers to stop voluntarily before killing them.",
"type": "String"
}
},
"schemaVersion": "2.2"
},
"DocumentFormat": "JSON",
"DocumentType": "Command",
"Name": "lava-StopWorkerDaemons",
"TargetType": "/AWS::EC2::Instance"
},
"Type": "AWS::SSM::Document"
}
ssmDocumentSecUpdate¶
| Property | Value |
|---|---|
| Type | AWS::SSM::Document |
| Group | SSM Resources (SSM) |
| Description | SSM command document to check if security updates are available for a lava worker instance and install and reboot if there are. |
{
"Properties": {
"Content": {
"description": "If security updates available for lava instance, apply them and reboot",
"mainSteps": [
{
"action": "aws:runShellScript",
"inputs": {
"runCommand": [
"LOG='logger -s -p local0.info -t lava-secupdate'",
"$LOG Starting",
"INSTANCE=$(ec2-metadata -i | cut -d' ' -f2)",
"export AWS_DEFAULT_REGION=$(ec2-metadata -z | cut -d' ' -f2 | sed -e 's/.$//')",
"NAME=$(aws ec2 describe-tags --filters \"Name=resource-id,Values=$INSTANCE\" \"Name=key,Values=Name\" --query 'Tags[0].Value' --output text)",
"EVENT_MSG='{\"Source\":\"lava\",\"DetailType\":\"Lava Worker Instance Patching Notification\",\"Detail\":\"{\\\"instance-id\\\":\\\"'$INSTANCE'\\\",\\\"instance-name\\\":\\\"'$NAME'\\\",\\\"info\\\":\\\"Reboot complete\\\"}\"}'",
"[ -f /tmp/no-reboot ] && aws events put-events --entries \"$EVENT_MSG\"",
"[ -f /tmp/no-reboot ] && /bin/rm -f /tmp/no-reboot && $LOG Reboot complete && exit 0",
"UPDAYS=$(awk '{ printf(\"%d\", $1/60/60/24); }' /proc/uptime)",
"[ $UPDAYS -lt {{MinUpDays}} ] && $LOG Instance has only been up $UPDAYS days - skip && exit 0",
"yum check-update --security --quiet",
"[ $? -ne 100 ] && $LOG No security updates available - skip && exit 0",
"$LOG Installing security updates",
"yum update --security --quiet -y",
"needs-restarting -r && $LOG No reboot required && exit 0",
"$LOG Stopping lava worker daemons",
"lava-stop --level '{{LogLevel}}' --log @local0 --signal '{{Signal}}' --wait '{{Wait}}'",
"touch /tmp/no-reboot || exit 1",
"EVENT_MSG='{\"Source\":\"lava\",\"DetailType\":\"Lava Worker Instance Patching Notification\",\"Detail\":\"{\\\"instance-id\\\":\\\"'$INSTANCE'\\\",\\\"instance-name\\\":\\\"'$NAME'\\\",\\\"info\\\":\\\"Rebooting after security patching\\\"}\"}'",
"aws events put-events --entries \"$EVENT_MSG\"",
"$LOG Rebooting",
"exit 194"
],
"timeoutSeconds": "{{ExecutionTimeout}}"
},
"name": "secUpdates"
}
],
"parameters": {
"ExecutionTimeout": {
"allowedPattern": "^\\d+$",
"default": "3600",
"description": "Execution timeout in seconds",
"type": "String"
},
"LogLevel": {
"allowedValues": [
"debug",
"info",
"warning"
],
"default": "info",
"description": "Logging level",
"type": "String"
},
"MinUpDays": {
"allowedPattern": "^\\d+$",
"default": "0",
"description": "Skip if instance hasn't been up for this many days.",
"type": "String"
},
"Signal": {
"allowedValues": [
"SIGHUP",
"SIGKILL"
],
"default": "SIGHUP",
"description": "SIGHUP for controlled shutdown of lava daemons. SIGKILL for hard kill.",
"type": "String"
},
"Wait": {
"allowedPattern": "^\\d+[hms]?$",
"default": "15m",
"description": "Wait for specified duration for lava workers to stop voluntarily before killing them.",
"type": "String"
}
},
"schemaVersion": "2.2"
},
"DocumentFormat": "JSON",
"DocumentType": "Command",
"Name": "lava-SecurityUpdate",
"TargetType": "/AWS::EC2::Instance"
},
"Type": "AWS::SSM::Document"
}
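In all three SSM documents above, SSM pastes each `{{Name}}` parameter into the runCommand script as plain text, so the `allowedPattern` and `allowedValues` declarations are the script's only input validation. The following added example (not part of the Lava templates) checks a candidate parameter set for lava-StopWorkerDaemons against those constraints offline and renders the resulting command line; the declarations and the command line are copied from the document, the candidate values are constructed.

```python
"""Offline check of SSM command parameters against the constraints a document
declares. Added example, not part of the Lava templates: the declarations
below are copied from lava-StopWorkerDaemons, the candidate values in the
usage are constructed."""
import re

# Parameter declarations from the lava-StopWorkerDaemons document content.
STOP_WORKER_PARAMS = {
    "ExecutionTimeout": {"allowedPattern": r"^\d+$", "default": "3600"},
    "LogLevel": {"allowedValues": ["debug", "info", "warning"], "default": "info"},
    "Signal": {"allowedValues": ["SIGHUP", "SIGKILL"], "default": "SIGHUP"},
    "StopDispatch": {"allowedValues": ["yes", "no"], "default": "yes"},
    "Wait": {"allowedPattern": r"^[0-9]+[hms]?$", "default": "15m"},
}

# The runCommand line that receives the parameters, from the same document.
STOP_COMMAND = ("lava-stop --level '{{LogLevel}}' --log @local0 "
                "--signal '{{Signal}}' --wait '{{Wait}}' $STOP_DISPATCH")


def validate_parameters(declared, supplied):
    """Return (resolved, errors).

    resolved holds every declared parameter with its supplied value or default;
    errors lists the reasons a supplied value would be refused. SSM enforces the
    same rules at send-command time, but checking locally lets an operator or a
    CI job reject a bad invocation before it reaches the fleet.
    """
    resolved, errors = {}, []
    for name in supplied:
        if name not in declared:
            errors.append(f"{name}: not declared by the document")
    for name, spec in declared.items():
        if name in supplied:
            value = supplied[name]
        elif "default" in spec:
            value = spec["default"]
        else:
            errors.append(f"{name}: required and no default declared")
            continue
        # {{Name}} is pasted into the shell script as plain text, so these two
        # constraints are the only input validation the script gets.
        allowed = spec.get("allowedValues")
        if allowed is not None and value not in allowed:
            errors.append(f"{name}: {value!r} is not one of {allowed}")
            continue
        pattern = spec.get("allowedPattern")
        if pattern is not None and not re.fullmatch(pattern, value):
            errors.append(f"{name}: {value!r} does not match {pattern}")
            continue
        resolved[name] = value
    return resolved, errors


def render_command(line, resolved):
    """Substitute {{Name}} placeholders textually, as SSM does."""
    def sub(match):
        name = match.group(1)
        if name not in resolved:
            raise KeyError(f"{name}: no validated value to substitute")
        return resolved[name]
    return re.sub(r"\{\{(\w+)\}\}", sub, line)


if __name__ == "__main__":
    # Constructed candidates: one acceptable, one with two refused values.
    for candidate in ({"Wait": "2h"}, {"Signal": "SIGTERM", "Wait": "15 minutes"}):
        resolved, errors = validate_parameters(STOP_WORKER_PARAMS, candidate)
        if errors:
            print("refused:", *errors, sep="\n  ")
        else:
            print("would run:", render_command(STOP_COMMAND, resolved))
```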
lava-realm.cfn.json¶
This template builds the core components for a new Lava realm. It does not create any Lava workers or add the required entry to the realms table.
Parameters¶
| Parameter | Type | Description |
|---|---|---|
| Version | String | Lava version (read only). |
| autoscalingHeartbeatMinutes | Number | Send auto scaling heartbeats at this frequency when workers are terminating. Must be between 1 and 30. |
| createRealmsTable | String | Should the realms table be created? |
| kmsKeyAdmin | String | IAM user name of the KMS key administrator. Must be specified. |
| lambdaArchitecture | String | Lambda machine architecture. |
| lambdaMemory | Number | Memory for the lambdas (MB). A minimum of 160 MB is recommended for Python 3.11; Python 3.12/3.13 will use more. |
| lambdaMetricsSchedule | String | Enable the scheduler for the metrics lambda? |
| lambdaRuntime | String | Lambda runtime |
| lambdaTimeout | Number | Timeout for the lambdas (seconds). Must be between 15 and 900. |
| lambdaVersion | String | Code version of lambda bundles (e.g. 2.3.1). If blank, no lambdas are deployed. |
| lavaBucketName | String | Name of S3 bucket for the realm. Must be specified. |
| lavaGroupTag | String | Value for the lava:group tag on resources (e.g. prod). |
| logBucketName | String | Name of S3 bucket for S3 logs. Must be specified. |
| readCapacityDataTables | Number | Read capacity for the DynamoDB data tables. Must be >= 1. |
| readCapacityEventTable | Number | Read capacity for the DynamoDB event table. Must be >= 1. |
| readCapacityStateTable | Number | Read capacity for the DynamoDB state table. Must be >= 1. |
| realm | String | Name of the realm. |
| s3CodeBucket | String | S3 bucket containing Lava code. Must be specified. |
| s3CodePrefix | String | Prefix in the S3 bucket containing Lava code. Must be specified. |
| tmpExpiryDays | Number | Expire the temp area of the lava bucket after this many days. Must be >= 1. |
| workerStopMinutes | Number | Allow workers this many minutes to stop gracefully. Must be between 0 and 720 (12 hours). |
| writeCapacityDataTables | Number | Write capacity for the DynamoDB data tables. Must be >= 1. |
| writeCapacityEventTable | Number | Write capacity for the DynamoDB event table. Must be >= 1. |
| writeCapacityStateTable | Number | Write capacity for the DynamoDB state table. Must be >= 1. |
Outputs¶
| Id | Export as | Description |
|---|---|---|
| Version | {"Fn::Sub": "lava:${realm}:version"} | Lava version |
| iamLavaWorkerPolicy | {"Fn::Sub": "lava:${realm}:iamLavaWorkerPolicyArn"} | ARN of the lava worker IAM policy. |
| kmsUserKeyAlias | {"Fn::Sub": "lava:${realm}:kmsUserKeyAlias"} | Alias for the KMS user key for the realm. |
| lambdaLavaStop | {"Fn::Sub": "lava:${realm}:lambdaLavaStop"} | ARN of the lava stop lambda for controlled worker shutdown. |
| lavaGroupTag | {"Fn::Sub": "lava:${realm}:lavaGroupTag"} | Value for the lava:group tag on resources. |
| s3CodeBucket | {"Fn::Sub": "lava:${realm}:s3CodeBucket"} | S3 bucket where Lava base code resides. |
| s3CodePrefix | {"Fn::Sub": "lava:${realm}:s3CodePrefix"} | S3 prefix where Lava base code resides. |
| s3LavaBucket | {"Fn::Sub": "lava:${realm}:s3LavaBucketName"} | Name of the lava realm bucket for payloads and tmp space. |
Resources¶
- DynamoDB Resources
- Events Resources
- IAM Resources
- KMS Resources
- Lambda Resources
- S3 Resources
- SNS Resources
DynamoDB Resources¶
| Id | Type | Description |
|---|---|---|
| dynTableConnections | Table | Lava connections table. There must be one of these per lava realm. |
| dynTableEvents | Table | Lava events table. There must be one of these per lava realm. |
| dynTableJobs | Table | Lava jobs table. There must be one of these per lava realm. |
| dynTableRealm | Table | Lava realms table. There must be one of these per AWS account. |
| dynTableS3Triggers | Table | Lava s3triggers table. There can be one of these per lava realm. |
| dynTableState | Table | Lava transient state table. There must be one of these per lava realm. |
Events Resources¶
| Id | Type | Description |
|---|---|---|
| eventsScheduleMetricsLambda | Rule | EventBridge rule for running metrics lambda function. |
IAM Resources¶
| Id | Type | Description |
|---|---|---|
| iamDispatchLambdaInstanceProfile | InstanceProfile | |
| iamLavaAdminGroup | Group | Admin group for lava realm. |
| iamLavaAdminPolicy | ManagedPolicy | Admin policy for lava realm - part 1. |
| iamLavaAdminPolicy2 | ManagedPolicy | Admin policy for lava realm - part 2. |
| iamLavaDispatchLambdaPolicy | ManagedPolicy | Policy for the dispatching lambdas for the lava realm. |
| iamLavaDispatchLambdaRole | Role | IAM role for dispatching Lambda functions. |
| iamLavaMetricsLambdaPolicy | ManagedPolicy | Policy for the metrics lambda for the lava realm. |
| iamLavaMetricsLambdaRole | Role | IAM role for metrics Lambda function. |
| iamLavaOperator | Group | Operator group for lava realm. |
| iamLavaOperatorPolicy | ManagedPolicy | Operator (incremental) access policy for lava realm. |
| iamLavaReaderGroup | Group | Reader group for lava realm. |
| iamLavaReaderPolicy | ManagedPolicy | Read access policy for lava realm. |
| iamLavaStopLambdaPolicy | ManagedPolicy | Policy for the node stopper lambda for the lava realm. |
| iamLavaStopLambdaRole | Role | IAM role for node stopper Lambda function. |
| iamLavaWorkerPolicy | ManagedPolicy | Worker policy for lava realm. |
KMS Resources¶
| Id | Type | Description |
|---|---|---|
| kmsSysAlias | Alias | System KMS key alias for lava realm. |
| kmsSysKey | Key | System KMS key for lava realm. |
| kmsUserAlias | Alias | User KMS key alias for lava realm. |
| kmsUserKey | Key | User KMS key for lava realm. |
Lambda Resources¶
| Id | Type | Description |
|---|---|---|
| lambdaDispatch | Function | Dispatch Lambda function for the realm. |
| lambdaLavaMetrics | Function | Lambda function to produce CloudWatch metrics. |
| lambdaLavaMetricsPermission | Permission | Allow EventBridge to run the schedule for the metrics lambda. |
| lambdaLavaStop | Function | Lambda function to stop daemons on a worker node. |
| lambdaS3Trigger | Function | S3trigger Lambda function for the realm. |
| lambdaS3TriggerPermission | Permission | Allow EventBridge rules to invoke the s3trigger lambda. |
| lamdaDispatchPolicy | Permission | |
S3 Resources¶
| Id | Type | Description |
|---|---|---|
| s3LavaBucket | Bucket | Lava realm bucket for payloads and tmp space. |
SNS Resources¶
| Id | Type | Description |
|---|---|---|
| snsDispatchHelper | Topic | SNS topic for the dispatch helper lambda to receive dispatch requests. |
| snsLavaNotices | Topic | SNS topic for lava notices. Whether or not it is used depends on lava jobs. |
| snsSubscribeDispatch | Subscription | Subscription for the dispatch helper Lambda to the dispatch helper SNS topic. |
Resource Details¶
dynTableConnections¶
| Property | Value |
|---|---|
| Type | AWS::DynamoDB::Table |
| Group | DynamoDB Resources (DynamoDB) |
| Description | Lava connections table. There must be one of these per lava realm. |
{
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "conn_id",
"AttributeType": "S"
}
],
"KeySchema": [
{
"AttributeName": "conn_id",
"KeyType": "HASH"
}
],
"PointInTimeRecoverySpecification": {
"PointInTimeRecoveryEnabled": true
},
"ProvisionedThroughput": {
"ReadCapacityUnits": {
"Ref": "readCapacityDataTables"
},
"WriteCapacityUnits": {
"Ref": "writeCapacityDataTables"
}
},
"TableName": {
"Fn::Sub": "lava.${realm}.connections"
},
"Tags": [
{
"Key": "lava:realm",
"Value": {
"Ref": "realm"
}
},
{
"Key": "lava:group",
"Value": {
"Ref": "lavaGroupTag"
}
}
]
},
"Type": "AWS::DynamoDB::Table"
}
dynTableEvents¶
| Property | Value |
|---|---|
| Type | AWS::DynamoDB::Table |
| Group | DynamoDB Resources (DynamoDB) |
| Description | Lava events table. There must be one of these per lava realm. |
{
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "job_id",
"AttributeType": "S"
},
{
"AttributeName": "run_id",
"AttributeType": "S"
},
{
"AttributeName": "tu_event",
"AttributeType": "S"
}
],
"KeySchema": [
{
"AttributeName": "job_id",
"KeyType": "HASH"
},
{
"AttributeName": "run_id",
"KeyType": "RANGE"
}
],
"LocalSecondaryIndexes": [
{
"IndexName": "job_id-tu_event-index",
"KeySchema": [
{
"AttributeName": "job_id",
"KeyType": "HASH"
},
{
"AttributeName": "tu_event",
"KeyType": "RANGE"
}
],
"Projection": {
"ProjectionType": "ALL"
}
}
],
"ProvisionedThroughput": {
"ReadCapacityUnits": {
"Ref": "readCapacityEventTable"
},
"WriteCapacityUnits": {
"Ref": "writeCapacityEventTable"
}
},
"TableName": {
"Fn::Sub": "lava.${realm}.events"
},
"Tags": [
{
"Key": "lava:realm",
"Value": {
"Ref": "realm"
}
},
{
"Key": "lava:group",
"Value": {
"Ref": "lavaGroupTag"
}
}
],
"TimeToLiveSpecification": {
"AttributeName": "ttl",
"Enabled": true
}
},
"Type": "AWS::DynamoDB::Table"
}
dynTableJobs¶
| Property | Value |
|---|---|
| Type | AWS::DynamoDB::Table |
| Group | DynamoDB Resources (DynamoDB) |
| Description | Lava jobs table. There must be one of these per lava realm. |
{
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "dispatcher",
"AttributeType": "S"
},
{
"AttributeName": "job_id",
"AttributeType": "S"
}
],
"GlobalSecondaryIndexes": [
{
"IndexName": "dispatcher-index",
"KeySchema": [
{
"AttributeName": "dispatcher",
"KeyType": "HASH"
},
{
"AttributeName": "job_id",
"KeyType": "RANGE"
}
],
"Projection": {
"NonKeyAttributes": [
"worker",
"schedule"
],
"ProjectionType": "INCLUDE"
},
"ProvisionedThroughput": {
"ReadCapacityUnits": {
"Ref": "readCapacityDataTables"
},
"WriteCapacityUnits": {
"Ref": "writeCapacityDataTables"
}
}
}
],
"KeySchema": [
{
"AttributeName": "job_id",
"KeyType": "HASH"
}
],
"PointInTimeRecoverySpecification": {
"PointInTimeRecoveryEnabled": true
},
"ProvisionedThroughput": {
"ReadCapacityUnits": {
"Ref": "readCapacityDataTables"
},
"WriteCapacityUnits": {
"Ref": "writeCapacityDataTables"
}
},
"TableName": {
"Fn::Sub": "lava.${realm}.jobs"
},
"Tags": [
{
"Key": "lava:realm",
"Value": {
"Ref": "realm"
}
},
{
"Key": "lava:group",
"Value": {
"Ref": "lavaGroupTag"
}
}
]
},
"Type": "AWS::DynamoDB::Table"
}
dynTableRealm¶
| Property | Value |
|---|---|
| Type | AWS::DynamoDB::Table |
| Group | DynamoDB Resources (DynamoDB) |
| Description | Lava realms table. There must be one of these per AWS account. |
{
"Condition": "ifCreateRealmsTable",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "realm",
"AttributeType": "S"
}
],
"KeySchema": [
{
"AttributeName": "realm",
"KeyType": "HASH"
}
],
"PointInTimeRecoverySpecification": {
"PointInTimeRecoveryEnabled": true
},
"ProvisionedThroughput": {
"ReadCapacityUnits": {
"Ref": "readCapacityDataTables"
},
"WriteCapacityUnits": {
"Ref": "writeCapacityDataTables"
}
},
"TableName": "lava.realms",
"Tags": [
{
"Key": "lava:group",
"Value": "*"
}
]
},
"Type": "AWS::DynamoDB::Table"
}
dynTableS3Triggers¶
| Property | Value |
|---|---|
| Type | AWS::DynamoDB::Table |
| Group | DynamoDB Resources (DynamoDB) |
| Description | Lava s3triggers table. There can be one of these per lava realm. |
{
"Condition": "ifCreateLambdas",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "trigger_id",
"AttributeType": "S"
},
{
"AttributeName": "bucket",
"AttributeType": "S"
},
{
"AttributeName": "prefix",
"AttributeType": "S"
}
],
"GlobalSecondaryIndexes": [
{
"IndexName": "s3trigger-index",
"KeySchema": [
{
"AttributeName": "bucket",
"KeyType": "HASH"
},
{
"AttributeName": "prefix",
"KeyType": "RANGE"
}
],
"Projection": {
"ProjectionType": "ALL"
},
"ProvisionedThroughput": {
"ReadCapacityUnits": {
"Ref": "readCapacityDataTables"
},
"WriteCapacityUnits": {
"Ref": "writeCapacityDataTables"
}
}
}
],
"KeySchema": [
{
"AttributeName": "trigger_id",
"KeyType": "HASH"
}
],
"PointInTimeRecoverySpecification": {
"PointInTimeRecoveryEnabled": true
},
"ProvisionedThroughput": {
"ReadCapacityUnits": {
"Ref": "readCapacityDataTables"
},
"WriteCapacityUnits": {
"Ref": "writeCapacityDataTables"
}
},
"TableName": {
"Fn::Sub": "lava.${realm}.s3triggers"
},
"Tags": [
{
"Key": "lava:realm",
"Value": {
"Ref": "realm"
}
},
{
"Key": "lava:group",
"Value": {
"Ref": "lavaGroupTag"
}
}
]
},
"Type": "AWS::DynamoDB::Table"
}
dynTableState¶
| Property | Value |
|---|---|
| Type | AWS::DynamoDB::Table |
| Group | DynamoDB Resources (DynamoDB) |
| Description | Lava transient state table. There must be one of these per lava realm. |
{
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "state_id",
"AttributeType": "S"
}
],
"KeySchema": [
{
"AttributeName": "state_id",
"KeyType": "HASH"
}
],
"PointInTimeRecoverySpecification": {
"PointInTimeRecoveryEnabled": true
},
"ProvisionedThroughput": {
"ReadCapacityUnits": {
"Ref": "readCapacityStateTable"
},
"WriteCapacityUnits": {
"Ref": "writeCapacityStateTable"
}
},
"TableName": {
"Fn::Sub": "lava.${realm}.state"
},
"Tags": [
{
"Key": "lava:realm",
"Value": {
"Ref": "realm"
}
},
{
"Key": "lava:group",
"Value": {
"Ref": "lavaGroupTag"
}
}
],
"TimeToLiveSpecification": {
"AttributeName": "ttl",
"Enabled": true
}
},
"Type": "AWS::DynamoDB::Table"
}
eventsScheduleMetricsLambda¶
| Property | Value |
|---|---|
| Type | AWS::Events::Rule |
| Group | Events Resources (Events) |
| Description | EventBridge rule for running metrics lambda function. |
{
"Condition": "ifCreateLambdas",
"Properties": {
"Description": {
"Fn::Sub": "Schedule lava-${realm}-metrics lambda"
},
"EventBusName": "default",
"Name": {
"Fn::Sub": "lava-${realm}---metrics-schedule"
},
"ScheduleExpression": "rate(1 minute)",
"State": {
"Ref": "lambdaMetricsSchedule"
},
"Targets": [
{
"Arn": {
"Fn::GetAtt": [
"lambdaLavaMetrics",
"Arn"
]
},
"Id": {
"Fn::Sub": "lava-${realm}---metrics-lambda"
}
}
]
},
"Type": "AWS::Events::Rule"
}
iamDispatchLambdaInstanceProfile¶
| Property | Value |
|---|---|
| Type | AWS::IAM::InstanceProfile |
| Group | IAM Resources (IAM) |
{
"Condition": "ifCreateLambdas",
"Properties": {
"Roles": [
{
"Ref": "iamLavaDispatchLambdaRole"
}
]
},
"Type": "AWS::IAM::InstanceProfile"
}
iamLavaAdminGroup¶
| Property | Value |
|---|---|
| Type | AWS::IAM::Group |
| Group | IAM Resources (IAM) |
| Description | Admin group for lava realm. |
{
"Properties": {
"GroupName": {
"Fn::Sub": "lava-${realm}-admin"
},
"ManagedPolicyArns": [
{
"Ref": "iamLavaAdminPolicy"
},
{
"Ref": "iamLavaAdminPolicy2"
}
],
"Path": "/"
},
"Type": "AWS::IAM::Group"
}
iamLavaAdminPolicy¶
| Property | Value |
|---|---|
| Type | AWS::IAM::ManagedPolicy |
| Group | IAM Resources (IAM) |
| Description | Admin policy for lava realm - part 1. |
{
"Properties": {
"Description": {
"Fn::Sub": "Admin policy for lava realm ${realm}"
},
"ManagedPolicyName": {
"Fn::Sub": "lava-${realm}-admin"
},
"PolicyDocument": {
"Statement": [
{
"Action": "s3:ListAllMyBuckets",
"Effect": "Allow",
"Resource": "*",
"Sid": "ListAllBuckets"
},
{
"Action": [
"s3:ListBucket",
"s3:GetBucket*",
"s3:GetEncryptionConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetMetricsConfiguration"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"s3LavaBucket",
"Arn"
]
}
],
"Sid": "GetLavaBucketInfo"
},
{
"Action": [
"s3:GetObject*",
"s3:PutObject",
"s3:ListMultipartUploadParts",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Sub": "arn:aws:s3:::${s3LavaBucket}/*"
}
],
"Sid": "ReadWriteLavaBucket"
},
{
"Action": "sqs:ListQueues",
"Effect": "Allow",
"Resource": "*",
"Sid": "ListSqsQueues"
},
{
"Action": [
"sqs:DeleteMessage",
"sqs:GetQueueUrl",
"sqs:ReceiveMessage",
"sqs:SendMessage",
"sqs:GetQueueAttributes",
"sqs:ListQueueTags"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:lava-${realm}-*"
},
"Sid": "AccessSqsQueues"
},
{
"Action": "ssm:DescribeParameters",
"Effect": "Allow",
"Resource": "*",
"Sid": "DescribeSsmParams"
},
{
"Action": [
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:PutParameter",
"ssm:DeleteParameter",
"ssm:DeleteParameters"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/lava/${realm}/*"
},
"Sid": "ManageSsmParams"
},
{
"Action": [
"secretsmanager:ListSecrets",
"secretsmanager:GetRandomPassword"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "ListSecrets"
},
{
"Action": [
"secretsmanager:CancelRotateSecret",
"secretsmanager:CreateSecret",
"secretsmanager:DeleteResourcePolicy",
"secretsmanager:DeleteSecret",
"secretsmanager:DescribeSecret",
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:ListSecretVersionIds",
"secretsmanager:PutResourcePolicy",
"secretsmanager:PutSecretValue",
"secretsmanager:RestoreSecret",
"secretsmanager:RotateSecret",
"secretsmanager:TagResource",
"secretsmanager:UntagResource",
"secretsmanager:UpdateSecret",
"secretsmanager:UpdateSecretVersionStage",
"secretsmanager:ValidateResourcePolicy"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/lava/${realm}/*"
},
"Sid": "ManageSecrets"
},
{
"Action": [
"dynamodb:ListTables",
"dynamodb:ListBackups"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "ListAllDynamoTables"
},
{
"Action": [
"dynamodb:ListTagsOfResource",
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:DescribeTable",
"dynamodb:DescribeTimeToLive",
"dynamodb:DescribeContinuousBackups",
"dynamodb:Query",
"dynamodb:Scan"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/lava.realms"
},
{
"Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/lava.${realm}.*"
},
{
"Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/lava.${realm}.jobs/index/*"
},
{
"Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/lava.${realm}.events/index/*"
}
],
"Sid": "AccessDynamoDBLavaTables"
},
{
"Action": [
"dynamodb:BatchWriteItem",
"dynamodb:DeleteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:PartiQLUpdate",
"dynamodb:PartiQLInsert",
"dynamodb:PartiQLDelete"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/lava.${realm}.*"
},
"Sid": "UpdateDynamoDBLavaTables"
},
{
"Action": [
"kms:ListKeys",
"kms:ListAliases"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "ListKMSkeys"
},
{
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"kmsSysKey",
"Arn"
]
},
{
"Fn::GetAtt": [
"kmsUserKey",
"Arn"
]
}
],
"Sid": "UseKMSkeys"
},
{
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
},
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"kmsSysKey",
"Arn"
]
},
{
"Fn::GetAtt": [
"kmsUserKey",
"Arn"
]
}
],
"Sid": "KMSattachPersistentResources"
},
{
"Action": "sns:ListTopics",
"Effect": "Allow",
"Resource": "*",
"Sid": "ListSNStopics"
},
{
"Fn::If": [
"ifCreateLambdas",
{
"Action": [
"sns:Publish",
"sns:GetTopicAttributes"
],
"Effect": "Allow",
"Resource": {
"Ref": "snsDispatchHelper"
},
"Sid": "PublishToSNSdispatchHelper"
},
{
"Ref": "AWS::NoValue"
}
]
},
{
"Action": "ecr:GetAuthorizationToken",
"Effect": "Allow",
"Resource": "*",
"Sid": "getEcrAuthToken"
},
{
"Action": [
"ecr:DescribeRegistry",
"ecr:DescribeRepositories"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "ecrDescribeRepos"
},
{
"Action": [
"ecr:GetLifecyclePolicyPreview",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr:ListTagsForResource",
"ecr:ListImages",
"ecr:BatchCheckLayerAvailability",
"ecr:GetLifecyclePolicy",
"ecr:GetRepositoryPolicy"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Sub": "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/dist/lava/*"
},
{
"Fn::Sub": "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/lava/${realm}/*"
}
],
"Sid": "ReadEcrLavaRepos"
},
{
"Action": [
"ecr:BatchDeleteImage",
"ecr:CompleteLayerUpload",
"ecr:CreateRepository",
"ecr:DeleteLifecyclePolicy",
"ecr:DeleteRepository",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:PutImageScanningConfiguration",
"ecr:PutImageTagMutability",
"ecr:PutLifecyclePolicy",
"ecr:StartImageScan",
"ecr:StartLifecyclePolicyPreview",
"ecr:TagResource",
"ecr:UntagResource",
"ecr:UploadLayerPart"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/lava/${realm}/*"
},
"Sid": "WriteEcrRealmRepo"
},
{
"Action": [
"events:List*",
"events:TestEventPattern"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "EventsListAll"
},
{
"Action": [
"events:DeleteRule",
"events:DescribeRule",
"events:DisableRule",
"events:EnableRule",
"events:PutEvents",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets",
"events:TagResource",
"events:UntagResource"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/lava.${realm}.*"
},
"Sid": "EventsReadWriteRules"
},
{
"Action": [
"logs:DescribeLogGroups",
"logs:GetLogRecord",
"logs:GetQueryResults",
"logs:StopQuery"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "AccessLogGroups"
}
],
"Version": "2012-10-17"
}
},
"Type": "AWS::IAM::ManagedPolicy"
}
iamLavaAdminPolicy2¶
| Property | Value |
|---|---|
| Type | AWS::IAM::ManagedPolicy |
| Group | IAM Resources (IAM) |
| Description | Admin policy for lava realm - part 2. |
{
"Properties": {
"Description": {
"Fn::Sub": "Admin policy for lava realm ${realm} - part 2"
},
"ManagedPolicyName": {
"Fn::Sub": "lava-${realm}-admin2"
},
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:DescribeLogStreams",
"logs:FilterLogEvents",
"logs:GetLogEvents",
"logs:GetLogGroupFields",
"logs:StartQuery"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/var/log/lava/${realm}"
},
{
"Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/var/log/lava/${realm}:*"
}
],
"Sid": "ReadLavaWorkerLogs"
}
],
"Version": "2012-10-17"
}
},
"Type": "AWS::IAM::ManagedPolicy"
}
iamLavaDispatchLambdaPolicy¶
| Property | Value |
|---|---|
| Type | AWS::IAM::ManagedPolicy |
| Group | IAM Resources (IAM) |
| Description | Policy for the dispatching lambdas for the lava realm. |
{
"Condition": "ifCreateLambdas",
"Properties": {
"Description": {
"Fn::Sub": "Policy for dispatching Lambdas for ${realm} realm"
},
"ManagedPolicyName": {
"Fn::Sub": "lava-${realm}-dispatch-lambdas"
},
"PolicyDocument": {
"Statement": [
{
"Action": "sqs:ListQueues",
"Effect": "Allow",
"Resource": "*",
"Sid": "ListSqsQueues"
},
{
"Action": [
"sqs:GetQueueUrl",
"sqs:GetQueueAttributes",
"sqs:SendMessage"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:lava-${realm}-*"
},
"Sid": "AccessSqsQueues"
},
{
"Action": [
"dynamodb:GetItem",
"dynamodb:Query"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/lava.${realm}.*"
}
],
"Sid": "AccessDynamoDBLavaTables"
},
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "LogToCloudWatch"
},
{
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"kmsUserKey",
"Arn"
]
},
"Sid": "UseKmsUserKey"
}
],
"Version": "2012-10-17"
}
},
"Type": "AWS::IAM::ManagedPolicy"
}
iamLavaDispatchLambdaRole¶
| Property | Value |
|---|---|
| Type | AWS::IAM::Role |
| Group | IAM Resources (IAM) |
| Description | IAM role for dispatching Lambda functions. |
{
"Condition": "ifCreateLambdas",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Ref": "iamLavaDispatchLambdaPolicy"
}
],
"RoleName": {
"Fn::Sub": "lava-${realm}-dispatch-lambda"
}
},
"Type": "AWS::IAM::Role"
}
iamLavaMetricsLambdaPolicy¶
| Property | Value |
|---|---|
| Type | AWS::IAM::ManagedPolicy |
| Group | IAM Resources (IAM) |
| Description | Policy for the metrics lambda for the lava realm. |
{
"Condition": "ifCreateLambdas",
"Properties": {
"Description": {
"Fn::Sub": "Policy for metrics Lambda for ${realm} realm"
},
"ManagedPolicyName": {
"Fn::Sub": "lava-${realm}-metricslambda"
},
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "LogToCloudWatch"
},
{
"Action": "autoscaling:DescribeAutoScalingGroups",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "cloudwatch:PutMetricData",
"Effect": "Allow",
"Resource": "*",
"Sid": "PutCloudWatchMetricData"
},
{
"Action": "sqs:ListQueues",
"Effect": "Allow",
"Resource": "*",
"Sid": "ListSqsQueues"
},
{
"Action": [
"sqs:GetQueueUrl",
"sqs:GetQueueAttributes"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:lava-${realm}-*"
},
"Sid": "AccessSqsQueues"
}
],
"Version": "2012-10-17"
}
},
"Type": "AWS::IAM::ManagedPolicy"
}
iamLavaMetricsLambdaRole¶
| Property | Value |
|---|---|
| Type | AWS::IAM::Role |
| Group | IAM Resources (IAM) |
| Description | IAM role for metrics Lambda function. |
{
"Condition": "ifCreateLambdas",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Ref": "iamLavaMetricsLambdaPolicy"
}
],
"RoleName": {
"Fn::Sub": "lava-${realm}-metrics-lambda"
}
},
"Type": "AWS::IAM::Role"
}
iamLavaOperator¶
| Property | Value |
|---|---|
| Type | AWS::IAM::Group |
| Group | IAM Resources (IAM) |
| Description | Operator group for lava realm. |
{
"Properties": {
"GroupName": {
"Fn::Sub": "lava-${realm}-operator"
},
"ManagedPolicyArns": [
{
"Ref": "iamLavaReaderPolicy"
},
{
"Ref": "iamLavaOperatorPolicy"
}
],
"Path": "/"
},
"Type": "AWS::IAM::Group"
}
iamLavaOperatorPolicy¶
| Property | Value |
|---|---|
| Type | AWS::IAM::ManagedPolicy |
| Group | IAM Resources (IAM) |
| Description | Operator (incremental) access policy for lava realm. |
{
"Properties": {
"Description": {
"Fn::Sub": "Operator add-on policy for lava realm ${realm} : Operator = Reader + this policy"
},
"ManagedPolicyName": {
"Fn::Sub": "lava-${realm}-operator"
},
"PolicyDocument": {
"Statement": [
{
"Fn::If": [
"ifCreateLambdas",
{
"Action": [
"sns:Publish",
"sns:GetTopicAttributes"
],
"Effect": "Allow",
"Resource": {
"Ref": "snsDispatchHelper"
},
"Sid": "PublishToSNSdispatchHelper"
},
{
"Ref": "AWS::NoValue"
}
]
},
{
"Action": [
"logs:DescribeLogGroups",
"logs:GetLogRecord",
"logs:GetQueryResults",
"logs:StopQuery"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "AccessLogGroups"
},
{
"Action": [
"logs:DescribeLogStreams",
"logs:FilterLogEvents",
"logs:GetLogEvents",
"logs:GetLogGroupFields",
"logs:StartQuery"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/var/log/lava/${realm}"
},
{
"Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/var/log/lava/${realm}:*"
}
],
"Sid": "ReadLavaWorkerLogs"
},
{
"Action": [
"sqs:ListQueues"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "ListSqsQueues"
},
{
"Action": [
"sqs:GetQueueUrl",
"sqs:GetQueueAttributes",
"sqs:ListQueueTags"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:lava-${realm}-*"
},
"Sid": "ReadSqsQueues"
}
],
"Version": "2012-10-17"
}
},
"Type": "AWS::IAM::ManagedPolicy"
}
iamLavaReaderGroup¶
| Property | Value |
|---|---|
| Type | AWS::IAM::Group |
| Group | IAM Resources (IAM) |
| Description | Reader group for lava realm. |
{
"Properties": {
"GroupName": {
"Fn::Sub": "lava-${realm}-reader"
},
"ManagedPolicyArns": [
{
"Ref": "iamLavaReaderPolicy"
}
],
"Path": "/"
},
"Type": "AWS::IAM::Group"
}
iamLavaReaderPolicy¶
| Property | Value |
|---|---|
| Type | AWS::IAM::ManagedPolicy |
| Group | IAM Resources (IAM) |
| Description | Read access policy for lava realm. |
{
"Properties": {
"Description": {
"Fn::Sub": "Reader policy for lava realm ${realm}"
},
"ManagedPolicyName": {
"Fn::Sub": "lava-${realm}-reader"
},
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"s3LavaBucket",
"Arn"
]
}
],
"Sid": "GetLavaBucketInfo"
},
{
"Action": [
"s3:GetObject*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Sub": "arn:aws:s3:::${s3LavaBucket}/*"
}
],
"Sid": "ReadLavaBucket"
},
{
"Action": [
"dynamodb:ListTables"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "ListAllDynamoTables"
},
{
"Action": [
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:DescribeTable",
"dynamodb:DescribeContinuousBackups",
"dynamodb:Query",
"dynamodb:Scan"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/lava.realms"
},
{
"Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/lava.${realm}.*"
},
{
"Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/lava.${realm}.jobs/index/*"
},
{
"Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/lava.${realm}.events/index/*"
}
],
"Sid": "AccessDynamoDBLavaTables"
},
{
"Action": [
"kms:ListKeys",
"kms:ListAliases"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "ListKMSkeys"
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"kmsUserKey",
"Arn"
]
}
],
"Sid": "UseKMSkeys"
},
{
"Action": "ecr:GetAuthorizationToken",
"Effect": "Allow",
"Resource": "*",
"Sid": "getEcrAuthToken"
},
{
"Action": [
"ecr:DescribeRegistry",
"ecr:DescribeRepositories"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "ecrDescribeRepos"
},
{
"Action": [
"ecr:GetLifecyclePolicyPreview",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr:ListTagsForResource",
"ecr:ListImages",
"ecr:BatchCheckLayerAvailability",
"ecr:GetLifecyclePolicy",
"ecr:GetRepositoryPolicy"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Sub": "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/dist/lava/*"
},
{
"Fn::Sub": "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/lava/${realm}/*"
}
],
"Sid": "ReadEcrLavaRepos"
},
{
"Action": [
"events:List*",
"events:TestEventPattern"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "EventsListAll"
},
{
"Action": "events:DescribeRule",
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/lava.${realm}.*"
},
"Sid": "EventsReadRules"
}
],
"Version": "2012-10-17"
}
},
"Type": "AWS::IAM::ManagedPolicy"
}
iamLavaStopLambdaPolicy¶
| Property | Value |
|---|---|
| Type | AWS::IAM::ManagedPolicy |
| Group | IAM Resources (IAM) |
| Description | Policy for the node stopper lambda for the lava realm. |
{
"Condition": "ifCreateLambdas",
"Properties": {
"Description": {
"Fn::Sub": "Policy for node stopping Lambda for ${realm} realm"
},
"ManagedPolicyName": {
"Fn::Sub": "lava-${realm}-stop-lambda"
},
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "LogToCloudWatch"
},
{
"Action": [
"ssm:SendCommand"
],
"Condition": {
"StringLike": {
"ssm:resourceTag/LavaRealm": [
{
"Ref": "realm"
}
]
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Sid": "SsmSendCommandToInstance"
},
{
"Action": "ssm:SendCommand",
"Effect": "Allow",
"Resource": [
{
"Fn::Sub": "arn:aws:ssm:${AWS::Region}::document/AWS-RunShellScript"
}
],
"Sid": "SsmSendCommandDocument"
},
{
"Action": "ec2:Describe*",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
}
},
"Type": "AWS::IAM::ManagedPolicy"
}
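The two `ssm:SendCommand` statements above are evaluated together: SSM authorises a SendCommand call against every resource in the request, so the target instance (gated by the `ssm:resourceTag/LavaRealm` condition) and the SSM document both have to be allowed. The following added example, written for this page and not part of the lava project, replays that evaluation offline. It copies the two statements from `iamLavaStopLambdaPolicy` with `${realm}` and `${AWS::Region}` resolved to constructed values, and the instance IDs, tags and the `lava-stop` document name are likewise constructed.

```python
"""Offline evaluation of the realm stop Lambda's ssm:SendCommand permission.
Added example; not lava project code. Policy statements are copied from
iamLavaStopLambdaPolicy with the stack parameters resolved to constructed
values; instances, tags and the realm-owned document name are constructed."""
import re

REALM, REGION, ACCOUNT = "prod", "eu-west-1", "123456789012"   # constructed

# Resolved copies of the two SendCommand statements from iamLavaStopLambdaPolicy.
STOP_LAMBDA_STATEMENTS = [
    {"Sid": "SsmSendCommandToInstance", "Effect": "Allow",
     "Action": ["ssm:SendCommand"],
     "Resource": ["arn:aws:ec2:*:*:instance/*"],
     "Condition": {"StringLike": {"ssm:resourceTag/LavaRealm": [REALM]}}},
    {"Sid": "SsmSendCommandDocument", "Effect": "Allow",
     "Action": "ssm:SendCommand",
     "Resource": [f"arn:aws:ssm:{REGION}::document/AWS-RunShellScript"]},
]

SHELL_DOC = f"arn:aws:ssm:{REGION}::document/AWS-RunShellScript"
# Constructed ARN standing in for a realm-owned document such as ssmDocumentLavaStop.
LAVA_STOP_DOC = f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/lava-stop"


def instance_arn(instance_id):
    return f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/{instance_id}"


def iam_glob(pattern, value):
    """IAM wildcard semantics for ARNs and StringLike: '*' matches any run,
    '?' one character; matching is case-sensitive."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None


def as_list(v):
    return v if isinstance(v, list) else [v]


def condition_holds(condition, tags):
    """Only StringLike on ssm:resourceTag/<Key> is needed for this policy.
    A resource without the tag fails the condition (IAM treats the key as absent)."""
    for key, patterns in condition.get("StringLike", {}).items():
        if not key.startswith("ssm:resourceTag/"):
            raise ValueError(f"unsupported condition key: {key}")
        actual = tags.get(key.split("/", 1)[1])
        if actual is None or not any(iam_glob(p, actual) for p in as_list(patterns)):
            return False
    return True


def statement_allows(stmt, action, resource, tags):
    return (stmt["Effect"] == "Allow"
            and any(iam_glob(a, action) for a in as_list(stmt["Action"]))
            and any(iam_glob(r, resource) for r in as_list(stmt["Resource"]))
            and condition_holds(stmt.get("Condition", {}), tags))


def send_command_allowed(target_instance_arn, instance_tags, document_arn,
                         statements=STOP_LAMBDA_STATEMENTS):
    """SendCommand is authorised per resource: the target instance (with its
    tags) and the SSM document must each be allowed by some statement."""
    targets = [(target_instance_arn, instance_tags), (document_arn, {})]
    return all(any(statement_allows(s, "ssm:SendCommand", arn, tags) for s in statements)
               for arn, tags in targets)


if __name__ == "__main__":
    cases = [("i-0aaa", {"LavaRealm": "prod"}, SHELL_DOC),
             ("i-0bbb", {"LavaRealm": "dev"}, SHELL_DOC),
             ("i-0ccc", {}, SHELL_DOC),
             ("i-0aaa", {"LavaRealm": "prod"}, LAVA_STOP_DOC)]
    for iid, tags, doc in cases:
        print(iid, tags, doc.rsplit("/", 1)[1],
              "ALLOW" if send_command_allowed(instance_arn(iid), tags, doc) else "DENY")
```

Two things fall out of running it. First, the tag gate only admits instances carrying `LavaRealm=<realm>`, so its strength depends on who can set that tag (`ec2:CreateTags` granted elsewhere bypasses the intent). Second, the document statement covers only `AWS-RunShellScript`; a SendCommand against any other document, including the realm's own documents defined in lava-common, is denied by this policy until that document ARN is added.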
iamLavaStopLambdaRole¶
| Property | Value |
|---|---|
| Type | AWS::IAM::Role |
| Group | IAM Resources (IAM) |
| Description | IAM role for node stopper Lambda function. |
{
"Condition": "ifCreateLambdas",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Ref": "iamLavaStopLambdaPolicy"
}
],
"RoleName": {
"Fn::Sub": "lava-${realm}-stop-lambda"
}
},
"Type": "AWS::IAM::Role"
}
iamLavaWorkerPolicy¶
| Property | Value |
|---|---|
| Type | AWS::IAM::ManagedPolicy |
| Group | IAM Resources (IAM) |
| Description | Worker policy for lava realm. |
{
"Properties": {
"Description": {
"Fn::Sub": "Worker policy for lava realm ${realm}"
},
"ManagedPolicyName": {
"Fn::Sub": "lava-${realm}-worker"
},
"PolicyDocument": {
"Statement": [
{
"Action": "s3:ListAllMyBuckets",
"Effect": "Allow",
"Resource": "*",
"Sid": "ListAllBuckets"
},
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"s3LavaBucket",
"Arn"
]
}
],
"Sid": "GetLavaBucketInfo"
},
{
"Action": [
"s3:GetObject*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Sub": "arn:aws:s3:::${s3LavaBucket}/*"
}
],
"Sid": "ReadLavaBucket"
},
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:s3:::${s3LavaBucket}/tmp/*"
},
"Sid": "WriteLavaBucketTmp"
},
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:s3:::${s3CodeBucket}"
},
"Sid": "GetCodeBucketInfo"
},
{
"Action": "s3:GetObject*",
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:s3:::${s3CodeBucket}/${s3CodePrefix}/*"
},
"Sid": "ReadCodeBucket"
},
{
"Action": "sqs:ListQueues",
"Effect": "Allow",
"Resource": "*",
"Sid": "ListSqsQueues"
},
{
"Action": [
"sqs:DeleteMessage",
"sqs:GetQueueUrl",
"sqs:GetQueueAttributes",
"sqs:ReceiveMessage",
"sqs:SendMessage"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:lava-${realm}-*"
},
"Sid": "AccessSqsQueues"
},
{
"Action": [
"ssm:GetParameter",
"ssm:GetParameters"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/lava/${realm}/*"
},
"Sid": "ReadSsmParams"
},
{
"Action": [
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:ListSecretVersionIds"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/lava/${realm}/*"
},
"Sid": "ReadSecrets"
},
{
"Action": [
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/lava.realms"
},
{
"Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/lava.${realm}.*"
},
{
"Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/lava.${realm}.jobs/index/*"
},
{
"Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/lava.${realm}.events/index/*"
}
],
"Sid": "AccessDynamoDBLavaTables"
},
{
"Action": [
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/lava.${realm}.events"
},
{
"Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/lava.${realm}.events/index/*"
},
{
"Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/lava.${realm}.state"
}
],
"Sid": "WriteDynamoDBLavaTables"
},
{
"Action": "cloudwatch:PutMetricData",
"Effect": "Allow",
"Resource": "*",
"Sid": "PutCloudWatchMetricData"
},
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "LogToCloudWatch"
},
{
"Action": [
"iam:ListUsers",
"iam:GetGroup"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "iamLimitedRead"
},
{
"Action": [
"iam:ListSSHPublicKeys",
"iam:GetSSHPublicKey"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "iamGetSshPublicKeys"
},
{
"Action": "sns:Publish",
"Effect": "Allow",
"Resource": [
{
"Ref": "snsLavaNotices"
},
{
"Fn::Sub": "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:mbot"
}
],
"Sid": "PublishSNS"
},
{
"Action": "ec2:Describe*",
"Effect": "Allow",
"Resource": "*",
"Sid": "DescribeEc2"
},
{
"Action": [
"ses:SendEmail",
"ses:SendRawEmail",
"ses:ListIdentities"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "SendSesEmail"
},
{
"Action": [
"kms:Decrypt"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"kmsSysKey",
"Arn"
]
},
"Sid": "UseKmsSysKey"
},
{
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"kmsUserKey",
"Arn"
]
},
"Sid": "UseKmsUserKey"
},
{
"Action": "ecr:GetAuthorizationToken",
"Effect": "Allow",
"Resource": "*",
"Sid": "getEcrAuthToken"
},
{
"Action": [
"ecr:GetLifecyclePolicyPreview",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr:DescribeRepositories",
"ecr:ListTagsForResource",
"ecr:ListImages",
"ecr:BatchCheckLayerAvailability",
"ecr:GetLifecyclePolicy",
"ecr:GetRepositoryPolicy"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Sub": "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/dist/lava/*"
},
{
"Fn::Sub": "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/lava/${realm}/*"
}
],
"Sid": "ReadEcrLavaRepos"
},
{
"Action": [
"autoscaling:CompleteLifecycleAction",
"autoscaling:RecordLifecycleActionHeartbeat"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:autoscaling:${AWS::Region}:${AWS::AccountId}:autoScalingGroup:*:autoScalingGroupName/lava-${realm}-*"
},
"Sid": "AutoscalingLifecycleMgmt"
},
{
"Action": [
"events:PutEvents"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:events:${AWS::Region}:${AWS::AccountId}:event-bus/default"
},
"Sid": "PutEvents"
}
],
"Version": "2012-10-17"
}
},
"Type": "AWS::IAM::ManagedPolicy"
}
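The worker policy above mixes tightly scoped statements (SQS, DynamoDB, SSM parameters and secrets under the realm prefix, the two KMS keys) with several `"Resource": "*"` grants, some of them read-only and some not (`cloudwatch:PutMetricData`, `logs:Put*`/`logs:Create*`, `ses:SendEmail`, `ses:SendRawEmail`). A reviewer of a rendered template wants the non-read wildcards listed, not hunted by eye. The added example below is a least-privilege lint written for this page, not lava project code. It resolves the intrinsic functions used on this page (`Fn::Sub`, `Ref`, `Fn::GetAtt`) with constructed values, and the sample policy is a constructed subset of the worker policy plus one made-up conditioned statement (`SendToTaggedQueues`) to show the `has_condition` flag.

```python
"""Least-privilege lint for IAM policy documents embedded in a CloudFormation
template: lists Allow statements that grant non-read actions on Resource "*".
Added example; not lava project code. SUBS and SAMPLE_POLICY are constructed."""
import re

# Action-name prefixes (the part after "service:") treated as read-only.
READ_PREFIXES = ("Describe", "Get", "List", "BatchGet", "BatchCheck",
                 "Query", "Scan", "Filter", "StartQuery", "StopQuery", "Test")

# Constructed values standing in for stack parameters and resource attributes.
SUBS = {"realm": "prod", "AWS::Region": "eu-west-1", "AWS::AccountId": "123456789012",
        "s3LavaBucket": "lava-prod-bucket",
        "s3LavaBucket.Arn": "arn:aws:s3:::lava-prod-bucket"}


def resolve(node):
    """Resolve Fn::Sub, Ref and Fn::GetAtt (the intrinsics used on this page)
    to plain strings via SUBS; any other value passes through unchanged."""
    if isinstance(node, dict):
        if "Fn::Sub" in node:
            return re.sub(r"\$\{([^}]+)\}", lambda m: SUBS[m.group(1)], node["Fn::Sub"])
        if "Ref" in node:
            return SUBS[node["Ref"]]
        if "Fn::GetAtt" in node:
            return SUBS[".".join(node["Fn::GetAtt"])]
    if isinstance(node, list):
        return [resolve(n) for n in node]
    return node


def as_list(v):
    return v if isinstance(v, list) else [v]


def is_read_only(action):
    """'*' and 'service:*' are never read-only; otherwise judge by name prefix,
    so 'ec2:Describe*' counts as read and 'kms:GenerateDataKey*' does not."""
    if action == "*" or action.endswith(":*"):
        return False
    return action.split(":", 1)[1].startswith(READ_PREFIXES)


def lint_policy(policy_doc):
    """Return one finding per (statement, action) where an Allow statement
    grants a non-read action on the literal resource "*"."""
    findings = []
    for stmt in policy_doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in as_list(resolve(stmt["Resource"])):
            continue
        for action in as_list(resolve(stmt["Action"])):
            if not is_read_only(action):
                findings.append({"sid": stmt.get("Sid", "<no sid>"), "action": action,
                                 "has_condition": "Condition" in stmt})
    return findings


# Constructed subset of the realm worker policy, in the template's own shape.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": "s3:ListAllMyBuckets", "Effect": "Allow", "Resource": "*", "Sid": "ListAllBuckets"},
    {"Action": ["s3:ListBucket"], "Effect": "Allow",
     "Resource": [{"Fn::GetAtt": ["s3LavaBucket", "Arn"]}], "Sid": "GetLavaBucketInfo"},
    {"Action": "s3:PutObject", "Effect": "Allow",
     "Resource": {"Fn::Sub": "arn:aws:s3:::${s3LavaBucket}/tmp/*"}, "Sid": "WriteLavaBucketTmp"},
    {"Action": "cloudwatch:PutMetricData", "Effect": "Allow", "Resource": "*",
     "Sid": "PutCloudWatchMetricData"},
    {"Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
                "logs:DescribeLogGroups", "logs:DescribeLogStreams"],
     "Effect": "Allow", "Resource": "*", "Sid": "LogToCloudWatch"},
    {"Action": "ec2:Describe*", "Effect": "Allow", "Resource": "*", "Sid": "DescribeEc2"},
    {"Action": ["ses:SendEmail", "ses:SendRawEmail", "ses:ListIdentities"],
     "Effect": "Allow", "Resource": "*", "Sid": "SendSesEmail"},
    # Made-up statement: a wildcard resource narrowed by a tag condition.
    {"Action": "sqs:SendMessage", "Effect": "Allow", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/LavaRealm": {"Ref": "realm"}}},
     "Sid": "SendToTaggedQueues"},
]}


if __name__ == "__main__":
    for f in lint_policy(SAMPLE_POLICY):
        print(f"{f['sid']:<24} {f['action']:<28} conditioned={f['has_condition']}")
```

Not every finding is fixable by narrowing `Resource`: `cloudwatch:PutMetricData` has no resource-level permissions and is narrowed with the `cloudwatch:namespace` condition key instead, whereas `ses:SendEmail`/`ses:SendRawEmail` can be limited to specific identity ARNs and the `logs:*` actions to the realm's log group ARNs, as the admin and operator policies on this page already do for reads.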
kmsSysAlias¶
| Property | Value |
|---|---|
| Type | AWS::KMS::Alias |
| Group | KMS Resources (KMS) |
| Description | System KMS key alias for lava realm. |
{
"Properties": {
"AliasName": {
"Fn::Sub": "alias/lava-${realm}-sys"
},
"TargetKeyId": {
"Ref": "kmsSysKey"
}
},
"Type": "AWS::KMS::Alias"
}
kmsSysKey¶
| Property | Value |
|---|---|
| Type | AWS::KMS::Key |
| Group | KMS Resources (KMS) |
| Description | System KMS key for lava realm. |
{
"Properties": {
"Description": {
"Fn::Sub": "System key for lava realm ${realm}"
},
"EnableKeyRotation": true,
"Enabled": true,
"KeyPolicy": {
"Id": "key-consolepolicy-3",
"Statement": [
{
"Action": "kms:*",
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"
}
},
"Resource": "*",
"Sid": "Enable IAM User Permissions"
},
{
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:user/${kmsKeyAdmin}"
}
},
"Resource": "*",
"Sid": "Allow access for Key Administrators"
}
],
"Version": "2012-10-17"
}
},
"Type": "AWS::KMS::Key"
}
kmsUserAlias¶
| Property | Value |
|---|---|
| Type | AWS::KMS::Alias |
| Group | KMS Resources (KMS) |
| Description | User KMS key alias for lava realm. |
{
"Properties": {
"AliasName": {
"Fn::Sub": "alias/lava-${realm}-user"
},
"TargetKeyId": {
"Ref": "kmsUserKey"
}
},
"Type": "AWS::KMS::Alias"
}
kmsUserKey¶
| Property | Value |
|---|---|
| Type | AWS::KMS::Key |
| Group | KMS Resources (KMS) |
| Description | User KMS key for lava realm. |
{
"Properties": {
"Description": {
"Fn::Sub": "User key for lava realm ${realm}"
},
"EnableKeyRotation": true,
"Enabled": true,
"KeyPolicy": {
"Id": "key-consolepolicy-3",
"Statement": [
{
"Action": "kms:*",
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"
}
},
"Resource": "*",
"Sid": "Enable IAM User Permissions"
},
{
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:user/${kmsKeyAdmin}"
}
},
"Resource": "*",
"Sid": "Allow access for Key Administrators"
}
],
"Version": "2012-10-17"
}
},
"Type": "AWS::KMS::Key"
}
lambdaDispatch¶
| Property | Value |
|---|---|
| Type | AWS::Lambda::Function |
| Group | Lambda Resources (Lambda) |
| Description | Dispatch Lambda function for the realm. |
{
"Condition": "ifCreateLambdas",
"Properties": {
"Architectures": [
{
"Ref": "lambdaArchitecture"
}
],
"Code": {
"S3Bucket": {
"Ref": "s3CodeBucket"
},
"S3Key": {
"Fn::Sub": "${s3CodePrefix}/_dist_/lambda/dispatch-${lambdaVersion}.zip"
}
},
"Description": {
"Fn::Sub": "Dispatch Lambda function for the lava ${realm} realm."
},
"Environment": {
"Variables": {
"LAVA_REALM": {
"Ref": "realm"
},
"LOGLEVEL": "info"
}
},
"FunctionName": {
"Fn::Sub": "lava-${realm}-dispatch"
},
"Handler": "dispatch.lambda_handler",
"MemorySize": {
"Ref": "lambdaMemory"
},
"Role": {
"Fn::GetAtt": [
"iamLavaDispatchLambdaRole",
"Arn"
]
},
"Runtime": {
"Ref": "lambdaRuntime"
},
"Tags": [
{
"Key": "lava:function",
"Value": "realm.dispatch-helper"
}
],
"Timeout": {
"Ref": "lambdaTimeout"
}
},
"Type": "AWS::Lambda::Function"
}
lambdaLavaMetrics¶
| Property | Value |
|---|---|
| Type | AWS::Lambda::Function |
| Group | Lambda Resources (Lambda) |
| Description | Lambda function to produce CloudWatch metrics. |
{
"Condition": "ifCreateLambdas",
"Properties": {
"Architectures": [
{
"Ref": "lambdaArchitecture"
}
],
"Code": {
"S3Bucket": {
"Ref": "s3CodeBucket"
},
"S3Key": {
"Fn::Sub": "${s3CodePrefix}/_dist_/lambda/metrics-${lambdaVersion}.zip"
}
},
"Description": {
"Fn::Sub": "Lambda function to produce CloudWatch metrics for the lava ${realm} realm."
},
"Environment": {
"Variables": {
"LAVA_REALM": {
"Ref": "realm"
},
"LOGLEVEL": "info"
}
},
"FunctionName": {
"Fn::Sub": "lava-${realm}-metrics"
},
"Handler": "metrics.lambda_handler",
"MemorySize": {
"Ref": "lambdaMemory"
},
"Role": {
"Fn::GetAtt": [
"iamLavaMetricsLambdaRole",
"Arn"
]
},
"Runtime": {
"Ref": "lambdaRuntime"
},
"Tags": [
{
"Key": "lava:function",
"Value": "realm.metrics"
}
],
"Timeout": {
"Ref": "lambdaTimeout"
}
},
"Type": "AWS::Lambda::Function"
}
lambdaLavaMetricsPermission¶
| Property | Value |
|---|---|
| Type | AWS::Lambda::Permission |
| Group | Lambda Resources (Lambda) |
| Description | Allow EventBridge to run the schedule for the metrics lambda. |
{
"Condition": "ifCreateLambdas",
"Properties": {
"Action": "lambda:InvokeFunction",
"FunctionName": {
"Fn::GetAtt": [
"lambdaLavaMetrics",
"Arn"
]
},
"Principal": "events.amazonaws.com",
"SourceArn": {
"Fn::GetAtt": [
"eventsScheduleMetricsLambda",
"Arn"
]
}
},
"Type": "AWS::Lambda::Permission"
}
lambdaLavaStop¶
| Property | Value |
|---|---|
| Type | AWS::Lambda::Function |
| Group | Lambda Resources (Lambda) |
| Description | Lambda function to stop daemons on a worker node |
{
"Condition": "ifCreateLambdas",
"Properties": {
"Architectures": [
{
"Ref": "lambdaArchitecture"
}
],
"Code": {
"S3Bucket": {
"Ref": "s3CodeBucket"
},
"S3Key": {
"Fn::Sub": "${s3CodePrefix}/_dist_/lambda/stop-${lambdaVersion}.zip"
}
},
"Description": {
"Fn::Sub": "Worker node stop Lambda function for the lava ${realm} realm."
},
"Environment": {
"Variables": {
"LAVA_REALM": {
"Ref": "realm"
},
"LIFECYCLE_HEARTBEAT": {
"Fn::Sub": "${autoscalingHeartbeatMinutes}m"
},
"LOGLEVEL": "info",
"WAIT_TIME": {
"Fn::Sub": "${workerStopMinutes}m"
}
}
},
"FunctionName": {
"Fn::Sub": "lava-${realm}-stop"
},
"Handler": "stop.lambda_handler",
"MemorySize": {
"Ref": "lambdaMemory"
},
"Role": {
"Fn::GetAtt": [
"iamLavaStopLambdaRole",
"Arn"
]
},
"Runtime": {
"Ref": "lambdaRuntime"
},
"Tags": [
{
"Key": "lava:function",
"Value": "realm.worker-stop"
}
],
"Timeout": {
"Ref": "lambdaTimeout"
}
},
"Type": "AWS::Lambda::Function"
}
lambdaS3Trigger¶
| Property | Value |
|---|---|
| Type | AWS::Lambda::Function |
| Group | Lambda Resources (Lambda) |
| Description | S3trigger Lambda function for the realm. |
{
"Condition": "ifCreateLambdas",
"Properties": {
"Architectures": [
{
"Ref": "lambdaArchitecture"
}
],
"Code": {
"S3Bucket": {
"Ref": "s3CodeBucket"
},
"S3Key": {
"Fn::Sub": "${s3CodePrefix}/_dist_/lambda/s3trigger-${lambdaVersion}.zip"
}
},
"Description": {
"Fn::Sub": "S3trigger Lambda function for the lava ${realm} realm."
},
"Environment": {
"Variables": {
"LAVA_REALM": {
"Ref": "realm"
},
"LOGLEVEL": "info"
}
},
"FunctionName": {
"Fn::Sub": "lava-${realm}-s3trigger"
},
"Handler": "s3trigger.lambda_handler",
"MemorySize": {
"Ref": "lambdaMemory"
},
"Role": {
"Fn::GetAtt": [
"iamLavaDispatchLambdaRole",
"Arn"
]
},
"Runtime": {
"Ref": "lambdaRuntime"
},
"Tags": [
{
"Key": "lava:function",
"Value": "realm.s3trigger"
}
],
"Timeout": {
"Ref": "lambdaTimeout"
}
},
"Type": "AWS::Lambda::Function"
}
lambdaS3TriggerPermission¶
| Property | Value |
|---|---|
| Type | AWS::Lambda::Permission |
| Group | Lambda Resources (Lambda) |
| Description | Allow EventBridge rules to invoke the s3trigger lambda. |
{
"Condition": "ifCreateLambdas",
"Properties": {
"Action": "lambda:InvokeFunction",
"FunctionName": {
"Fn::GetAtt": [
"lambdaS3Trigger",
"Arn"
]
},
"Principal": "events.amazonaws.com",
"SourceAccount": {
"Ref": "AWS::AccountId"
},
"SourceArn": {
"Fn::Sub": "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/lava.${realm}.*"
}
},
"Type": "AWS::Lambda::Permission"
}
lamdaDispatchPolicy¶
| Property | Value |
|---|---|
| Type | AWS::Lambda::Permission |
| Group | Lambda Resources (Lambda) |
| Description | Allow the dispatch helper SNS topic (snsDispatchHelper) to invoke the dispatch Lambda. |
{
"Condition": "ifCreateLambdas",
"DependsOn": "lambdaDispatch",
"Properties": {
"Action": "lambda:InvokeFunction",
"FunctionName": {
"Fn::Sub": "lava-${realm}-dispatch"
},
"Principal": "sns.amazonaws.com",
"SourceArn": {
"Ref": "snsDispatchHelper"
}
},
"Type": "AWS::Lambda::Permission"
}
s3LavaBucket¶
| Property | Value |
|---|---|
| Type | AWS::S3::Bucket |
| Group | S3 Resources (S3) |
| Description | Lava realm bucket for payloads and tmp space. |
{
"Properties": {
"AccessControl": "Private",
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"KMSMasterKeyID": {
"Ref": "kmsUserKey"
},
"SSEAlgorithm": "aws:kms"
}
}
]
},
"BucketName": {
"Ref": "lavaBucketName"
},
"LifecycleConfiguration": {
"Rules": [
{
"AbortIncompleteMultipartUpload": {
"DaysAfterInitiation": 1
},
"Id": "AbortIncompleteMultipartUpload",
"Status": "Enabled"
},
{
"ExpirationInDays": {
"Ref": "tmpExpiryDays"
},
"Id": "Expire tmp area",
"Prefix": "tmp/",
"Status": "Enabled"
}
]
},
"LoggingConfiguration": {
"DestinationBucketName": {
"Ref": "logBucketName"
},
"LogFilePrefix": {
"Fn::Sub": "${lavaBucketName}/"
}
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": true
}
},
"Type": "AWS::S3::Bucket"
}
snsDispatchHelper¶
| Property | Value |
|---|---|
| Type | AWS::SNS::Topic |
| Group | SNS Resources (SNS) |
| Description | SNS topic for the dispatch helper lambda to receive dispatch requests. |
{
"Condition": "ifCreateLambdas",
"Properties": {
"DisplayName": "LavaDsptch",
"KmsMasterKeyId": {
"Ref": "kmsUserAlias"
},
"Tags": [
{
"Key": "lava:function",
"Value": "realm.dispatch-helper"
}
],
"TopicName": {
"Fn::Sub": "lava-${realm}-dispatch"
}
},
"Type": "AWS::SNS::Topic"
}
snsLavaNotices¶
| Property | Value |
|---|---|
| Type | AWS::SNS::Topic |
| Group | SNS Resources (SNS) |
| Description | SNS topic for lava notices. Whether or not it is used depends on lava jobs. |
{
"Properties": {
"DisplayName": "LavaNotice",
"Tags": [
{
"Key": "lava:function",
"Value": "realm.notices"
}
],
"TopicName": {
"Fn::Sub": "lava-${realm}-notices"
}
},
"Type": "AWS::SNS::Topic"
}
snsSubscribeDispatch¶
| Property | Value |
|---|---|
| Type | AWS::SNS::Subscription |
| Group | SNS Resources (SNS) |
| Description | Subscription for the dispatch helper Lambda to the dispatch helper SNS topic. |
{
"Condition": "ifCreateLambdas",
"Properties": {
"Endpoint": {
"Fn::GetAtt": [
"lambdaDispatch",
"Arn"
]
},
"Protocol": "lambda",
"TopicArn": {
"Ref": "snsDispatchHelper"
}
},
"Type": "AWS::SNS::Subscription"
}
lava-worker.cfn.json¶
This template builds the core components for a new Lava worker. The realm must have been created previously.
Parameters¶
| Parameter | Type | Description |
|---|---|---|
| Version | String | Lava version (read only). |
| alarmTopic | String | Name of SNS topic for alarms. SNS topic name must be specified. |
| amiId | String | Image ID for the latest lava (preferred) or SAK AMI. |
| autoscalingActionTopic | String | Name of SNS topic for normal autoscaling activity. |
| autoscalingControlledTermination | String | Autoscaling controlled termination on worker nodes? |
| createHeartBeatAlarm | String | Should I create a worker heartbeat alarm? |
| createWorkerInstance | String | Should I create resources required for a worker compute instance? |
| dockerVolumeSize | Number | Size in GB of volume for docker. Set to 0 to remove. Volume size must be between 0 and 2000 GB. |
| keyPairName | AWS::EC2::KeyPair::KeyName | Key pair name for the instances. Key pair name must be specified. |
| maxAllowedQueueDepth | Number | Create an alarm if queue depth exceeds this value. 0 for no alarm. |
| messageRetentionPeriod | Number | Message retention period on the worker queue (seconds). Default 1 day. Must be >= 1800 (30 minutes). |
| queueDepthMinutes | Number | Minutes queue depth exceeds max before alarm (1..300). |
| realm | String | Name of the realm |
| realmLambdasDeployed | String | Are the realm lambda functions deployed? |
| rootVolumeSize | Number | Size in GB of root volume. Set to 0 for AMI default. Volume size must be >=0. |
| secGroups | List<AWS::EC2::SecurityGroup::Id> | Security groups for the worker. |
| subnets | List<AWS::EC2::Subnet::Id> | Subnets for worker instances. |
| swapSize | Number | Swap size in Gibibytes (0 = no swapping). Swap size must be >= 0. |
| tmpVolumeSize | Number | Size in GB of second volume mounted on /tmp. Set to 0 to remove. Volume size must be between 0 and 2000 GB. |
| visibilityTimeout | Number | Visibility timeout on the worker queue (seconds). Default 1 hour. Must be >= 300 (5 minutes). |
| worker | String | Name of the worker |
| workerAllowedInstances | CommaDelimitedList | Comma separated list of allowed instance types (GLOBs allowed) |
| workerBacklogScalingTarget | Number | Autoscaling worker backlog (0 == disable backlog scaling) |
| workerBurstable | String | Include burstable instance types (e.g. t-series) for workers (included / excluded / required) |
| workerInstanceType | String | EC2 instance type. Leave blank for capability based provisioning. |
| workerInstancesDesired | Number | How many worker nodes should I run now? Must be between 0 and 10. |
| workerInstancesMax | Number | Maximum number of worker instances (must be 1 for dispatcher nodes). Must be between 0 and 10. |
| workerInstancesMin | Number | Minimum number of worker instances. Must be between 0 and 5. |
| workerLocalStorage | String | Local (not EBS) storage for workers (included / excluded / required) |
| workerMemoryMax | Number | Maximum memory in MiB (0 == no limit) |
| workerMemoryMin | Number | Minimum memory in MiB for the worker |
| workerPublicIp | String | Assign public IP to workers. |
| workerVCpuMax | Number | Maximum number of vCPUs for the worker (0 == no limit) |
| workerVCpuMin | Number | Minimum number of vCPUs for the worker |
Outputs¶
| Id | Export as | Description |
|---|---|---|
| Version | {"Fn::Sub": "lava:${realm}:${worker}:version"} | Lava version |
Resources¶
- CloudWatch Resources
- AutoScaling Resources
- Events Resources
- IAM Resources
- Lambda Resources
- EC2 Resources
- Logs Resources
- SQS Resources
CloudWatch Resources¶
| Id | Type | Description |
|---|---|---|
| alarmLavaHeartbeat | Alarm | Heartbeat alarm for Lava worker. |
| alarmLavaWorker | Alarm | Status check failed alarm for Lava worker. |
| alarmQueueDepth | Alarm | Queue depth alarm for Lava worker. |
AutoScaling Resources¶
| Id | Type | Description |
|---|---|---|
| asgLavaWorker | AutoScalingGroup | Auto scaling group for Lava worker |
| asgWorkerScalingPolicy | ScalingPolicy | Target tracking scaling policy for worker |
Events Resources¶
| Id | Type | Description |
|---|---|---|
| eventsWorkerTerminating | Rule | EventBridge rule for terminating worker. |
IAM Resources¶
| Id | Type | Description |
|---|---|---|
| iamLavaWorkerRole | Role | IAM role for worker instances. |
| iamWorkerInstanceProfile | InstanceProfile | Instance profile for worker instances. |
Lambda Resources¶
| Id | Type | Description |
|---|---|---|
| lambdaLavaStopPermission | Permission | Allow EventBridge to run the stop lambda. |
EC2 Resources¶
| Id | Type | Description |
|---|---|---|
| launchtemplateLavaWorker | LaunchTemplate | Launch template for Lava worker. |
Logs Resources¶
| Id | Type | Description |
|---|---|---|
| logFilterWorkerHeartbeat | MetricFilter | Metric filter on /var/log/lava/<REALM> log group to find heartbeat messages. |
SQS Resources¶
| Id | Type | Description |
|---|---|---|
| sqsWorkerQueue | Queue | SQS queue for the lava worker to receive dispatched jobs. |
Resource Details¶
alarmLavaHeartbeat¶
| Property | Value |
|---|---|
| Type | AWS::CloudWatch::Alarm |
| Group | CloudWatch Resources (CloudWatch) |
| Description | Heartbeat alarm for Lava worker. |
{
"Condition": "ifCreateHeatbeatAlarm",
"Properties": {
"ActionsEnabled": "true",
"AlarmActions": [
{
"Fn::Sub": "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:${alarmTopic}"
}
],
"AlarmDescription": {
"Fn::Sub": "No heartbeat for lava-${realm}-${worker}"
},
"AlarmName": {
"Fn::Sub": "lava-${realm}-${worker}-heartbeat"
},
"ComparisonOperator": "LessThanThreshold",
"DatapointsToAlarm": 5,
"Dimensions": [],
"EvaluationPeriods": 5,
"InsufficientDataActions": [],
"MetricName": {
"Fn::Sub": "lava-${realm}-${worker}-heartbeat"
},
"Namespace": "LogMetrics",
"OKActions": [
{
"Fn::Sub": "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:${alarmTopic}"
}
],
"Period": 60,
"Statistic": "SampleCount",
"Threshold": "1.0",
"TreatMissingData": "breaching"
},
"Type": "AWS::CloudWatch::Alarm"
}
alarmLavaWorker¶
| Property | Value |
|---|---|
| Type | AWS::CloudWatch::Alarm |
| Group | CloudWatch Resources (CloudWatch) |
| Description | Status check failed alarm for Lava worker. |
{
"Condition": "ifCreateInstance",
"Properties": {
"ActionsEnabled": "true",
"AlarmActions": [
{
"Fn::Sub": "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:${alarmTopic}"
}
],
"AlarmDescription": {
"Fn::Sub": "Lava realm ${realm}, worker ${worker} status check failed for 2 minutes"
},
"AlarmName": {
"Fn::Sub": "lava-${realm}-${worker} Status Check Failed"
},
"ComparisonOperator": "GreaterThanThreshold",
"Dimensions": [
{
"Name": "AutoScalingGroupName",
"Value": {
"Ref": "asgLavaWorker"
}
}
],
"EvaluationPeriods": 2,
"InsufficientDataActions": [],
"MetricName": "StatusCheckFailed",
"Namespace": "AWS/EC2",
"OKActions": [
{
"Fn::Sub": "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:${alarmTopic}"
}
],
"Period": 60,
"Statistic": "Average",
"Threshold": "0.0",
"TreatMissingData": "notBreaching"
},
"Type": "AWS::CloudWatch::Alarm"
}
alarmQueueDepth¶
| Property | Value |
|---|---|
| Type | AWS::CloudWatch::Alarm |
| Group | CloudWatch Resources (CloudWatch) |
| Description | Queue depth alarm for Lava worker. |
{
"Condition": "ifCreateQueueDepthAlarm",
"Properties": {
"ActionsEnabled": "true",
"AlarmActions": [
{
"Fn::Sub": "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:${alarmTopic}"
}
],
"AlarmDescription": {
"Fn::Sub": "Too many messages queued for lava-${realm}-${worker}"
},
"AlarmName": {
"Fn::Sub": "lava-${realm}-${worker}-queue-depth"
},
"ComparisonOperator": "GreaterThanThreshold",
"DatapointsToAlarm": {
"Ref": "queueDepthMinutes"
},
"Dimensions": [
{
"Name": "QueueName",
"Value": {
"Fn::Sub": "lava-${realm}-${worker}"
}
}
],
"EvaluationPeriods": {
"Ref": "queueDepthMinutes"
},
"InsufficientDataActions": [],
"MetricName": "ApproximateNumberOfMessagesVisible",
"Namespace": "AWS/SQS",
"OKActions": [
{
"Fn::Sub": "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:${alarmTopic}"
}
],
"Period": 60,
"Statistic": "Maximum",
"Threshold": {
"Fn::Sub": "${maxAllowedQueueDepth}.0"
},
"TreatMissingData": "ignore"
},
"Type": "AWS::CloudWatch::Alarm"
}
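The three alarms above differ in two settings that decide whether a dead worker or a stuck queue is ever noticed: how many of the last EvaluationPeriods datapoints must breach (DatapointsToAlarm) and what a period with no datapoint counts as (TreatMissingData: breaching for the heartbeat, notBreaching for the status check, ignore for the queue depth). The following added example is not part of the lava templates; it encodes the documented CloudWatch evaluation rules and builds the three alarms with their template values so the behaviour can be checked against constructed per-minute datapoints (the realm/worker names and parameter values are example inputs):

```python
"""Simulate CloudWatch alarm state evaluation for the three worker alarms above.

Added example, not part of the lava templates. It encodes the documented
alarm semantics: the last EvaluationPeriods datapoints are inspected, the
alarm enters ALARM when at least DatapointsToAlarm of them breach the
threshold, and periods with no datapoint are handled per TreatMissingData.
"""
from dataclasses import dataclass
from typing import List, Optional

COMPARISONS = {
    "LessThanThreshold": lambda value, threshold: value < threshold,
    "GreaterThanThreshold": lambda value, threshold: value > threshold,
}


@dataclass(frozen=True)
class Alarm:
    name: str
    comparison: str
    threshold: float
    evaluation_periods: int
    datapoints_to_alarm: int
    treat_missing_data: str  # breaching | notBreaching | ignore


def heartbeat_alarm(realm: str, worker: str) -> Alarm:
    """The heartbeat alarm above: SampleCount of the heartbeat metric below 1 in
    each of 5 consecutive minutes, with a missing datapoint counted as breaching."""
    return Alarm(f"lava-{realm}-{worker}-heartbeat", "LessThanThreshold", 1.0, 5, 5, "breaching")


def status_check_alarm(realm: str, worker: str) -> Alarm:
    """alarmLavaWorker: DatapointsToAlarm is not set, so it defaults to EvaluationPeriods."""
    return Alarm(f"lava-{realm}-{worker} Status Check Failed", "GreaterThanThreshold", 0.0, 2, 2, "notBreaching")


def queue_depth_alarm(realm: str, worker: str, max_allowed_queue_depth: int, queue_depth_minutes: int) -> Alarm:
    """alarmQueueDepth with the maxAllowedQueueDepth and queueDepthMinutes parameters substituted."""
    return Alarm(f"lava-{realm}-{worker}-queue-depth", "GreaterThanThreshold",
                 float(max_allowed_queue_depth), queue_depth_minutes, queue_depth_minutes, "ignore")


def evaluate(alarm: Alarm, datapoints: List[Optional[float]], previous_state: str = "OK") -> str:
    """Return the alarm state for one evaluation.

    datapoints holds the aggregated value of each of the last EvaluationPeriods
    periods, oldest first; None means CloudWatch received no data for that period,
    which is exactly what a SampleCount metric produces when nothing was logged.
    """
    if len(datapoints) != alarm.evaluation_periods:
        raise ValueError("one datapoint per evaluation period is required")
    breaches = COMPARISONS[alarm.comparison]
    present = [v for v in datapoints if v is not None]
    missing = len(datapoints) - len(present)
    breaching = sum(1 for v in present if breaches(v, alarm.threshold))
    if alarm.treat_missing_data == "breaching":
        breaching += missing
    elif alarm.treat_missing_data == "ignore" and not present:
        # Simplified: CloudWatch keeps the current state when it has nothing to
        # evaluate (the real service also looks further back for older datapoints).
        return previous_state
    # notBreaching: missing periods simply do not count towards DatapointsToAlarm.
    return "ALARM" if breaching >= alarm.datapoints_to_alarm else "OK"
```

Two consequences are worth keeping in mind when tuning these. SampleCount is never below 1 while a datapoint exists, so the heartbeat alarm can only reach ALARM through five consecutive minutes with no matching log event; a worker whose heartbeats carry the wrong realm or worker field is indistinguishable from a dead one. With TreatMissingData set to ignore, a queue that stops reporting keeps its last state instead of alerting, so a deleted or renamed queue does not page anyone.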
asgLavaWorker
| Property | Value |
|---|---|
| Type | AWS::AutoScaling::AutoScalingGroup |
| Group | AutoScaling Resources (AutoScaling) |
| Description | Auto scaling group for Lava worker. |
{
"Condition": "ifCreateInstance",
"Properties": {
"AutoScalingGroupName": {
"Fn::Sub": "lava-${realm}-${worker}"
},
"DesiredCapacity": {
"Ref": "workerInstancesDesired"
},
"HealthCheckGracePeriod": 300,
"LaunchTemplate": {
"Fn::If": [
"ifInstanceType",
{
"LaunchTemplateId": {
"Ref": "launchtemplateLavaWorker"
},
"Version": {
"Fn::GetAtt": [
"launchtemplateLavaWorker",
"LatestVersionNumber"
]
}
},
{
"Ref": "AWS::NoValue"
}
]
},
"LifecycleHookSpecificationList": [
{
"DefaultResult": "CONTINUE",
"HeartbeatTimeout": 1800,
"LifecycleHookName": "terminate",
"LifecycleTransition": "autoscaling:EC2_INSTANCE_TERMINATING",
"NotificationMetadata": {
"Fn::Sub": "{\"realm\": \"${realm}\",\"worker\":\"${worker}\"}"
}
}
],
"MaxSize": {
"Ref": "workerInstancesMax"
},
"MetricsCollection": [
{
"Granularity": "1Minute"
}
],
"MinSize": {
"Ref": "workerInstancesMin"
},
"MixedInstancesPolicy": {
"Fn::If": [
"ifInstanceType",
{
"Ref": "AWS::NoValue"
},
{
"InstancesDistribution": {
"OnDemandAllocationStrategy": "lowest-price",
"OnDemandBaseCapacity": 0,
"OnDemandPercentageAboveBaseCapacity": 100
},
"LaunchTemplate": {
"LaunchTemplateSpecification": {
"LaunchTemplateId": {
"Ref": "launchtemplateLavaWorker"
},
"Version": {
"Fn::GetAtt": [
"launchtemplateLavaWorker",
"LatestVersionNumber"
]
}
},
"Overrides": [
{
"InstanceRequirements": {
"AllowedInstanceTypes": {
"Ref": "workerAllowedInstances"
},
"BurstablePerformance": {
"Ref": "workerBurstable"
},
"InstanceGenerations": [
"current",
"previous"
],
"LocalStorage": {
"Ref": "workerLocalStorage"
},
"MemoryMiB": {
"Max": {
"Fn::If": [
"ifMaxMemory",
{
"Ref": "workerMemoryMax"
},
{
"Ref": "AWS::NoValue"
}
]
},
"Min": {
"Ref": "workerMemoryMin"
}
},
"VCpuCount": {
"Max": {
"Fn::If": [
"ifMaxVCpu",
{
"Ref": "workerVCpuMax"
},
{
"Ref": "AWS::NoValue"
}
]
},
"Min": {
"Ref": "workerVCpuMin"
}
}
}
}
]
}
}
]
},
"NotificationConfigurations": [
{
"NotificationTypes": [
"autoscaling:EC2_INSTANCE_LAUNCH_ERROR",
"autoscaling:EC2_INSTANCE_TERMINATE_ERROR",
"autoscaling:TEST_NOTIFICATION"
],
"TopicARN": {
"Fn::Sub": "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:${alarmTopic}"
}
},
{
"NotificationTypes": [
"autoscaling:EC2_INSTANCE_LAUNCH",
"autoscaling:EC2_INSTANCE_TERMINATE",
"autoscaling:TEST_NOTIFICATION"
],
"TopicARN": {
"Fn::Sub": "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:${autoscalingActionTopic}"
}
}
],
"Tags": [
{
"Key": "Name",
"PropagateAtLaunch": "true",
"Value": {
"Fn::Sub": "lava-${realm}-${worker}"
}
},
{
"Key": "LavaRealm",
"PropagateAtLaunch": "true",
"Value": {
"Ref": "realm"
}
},
{
"Key": "LavaWorker",
"PropagateAtLaunch": "true",
"Value": {
"Ref": "worker"
}
}
],
"VPCZoneIdentifier": {
"Ref": "subnets"
}
},
"Type": "AWS::AutoScaling::AutoScalingGroup"
}
asgWorkerScalingPolicy
| Property | Value |
|---|---|
| Type | AWS::AutoScaling::ScalingPolicy |
| Group | AutoScaling Resources (AutoScaling) |
| Description | Target tracking scaling policy for worker. |
{
"Condition": "ifWorkerBacklogScaling",
"Properties": {
"AutoScalingGroupName": {
"Ref": "asgLavaWorker"
},
"EstimatedInstanceWarmup": 240,
"PolicyType": "TargetTrackingScaling",
"TargetTrackingConfiguration": {
"CustomizedMetricSpecification": {
"Dimensions": [
{
"Name": "Realm",
"Value": {
"Ref": "realm"
}
},
{
"Name": "Worker",
"Value": {
"Ref": "worker"
}
}
],
"MetricName": "WorkerBacklog",
"Namespace": "Lava",
"Statistic": "Average"
},
"TargetValue": {
"Ref": "workerBacklogScalingTarget"
}
}
},
"Type": "AWS::AutoScaling::ScalingPolicy"
}
eventsWorkerTerminating
| Property | Value |
|---|---|
| Type | AWS::Events::Rule |
| Group | Events Resources (Events) |
| Description | EventBridge rule for terminating worker. |
{
"Condition": "ifRealmLambdasDeployed",
"Properties": {
"Description": {
"Fn::Sub": "lava-${realm}-${worker} worker node is terminating"
},
"EventBusName": "default",
"EventPattern": {
"Fn::Sub": "{\"source\": [\"aws.autoscaling\"], \"detail-type\": [\"EC2 Instance-terminate Lifecycle Action\"], \"detail\": {\"AutoScalingGroupName\": [\"lava-${realm}-${worker}\"] }}"
},
"Name": {
"Fn::Sub": "lava-${realm}-${worker}-terminating"
},
"State": {
"Ref": "autoscalingControlledTermination"
},
"Targets": [
{
"Arn": {
"Fn::ImportValue": {
"Fn::Sub": "lava:${realm}:lambdaLavaStop"
}
},
"Id": {
"Fn::Sub": "lava-${realm}-${worker}-stop-lambda"
},
"InputPath": "$.detail"
},
{
"Arn": {
"Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/events/lava"
},
"Id": {
"Fn::Sub": "lava-${realm}-${worker}-log-events"
}
}
]
},
"Type": "AWS::Events::Rule"
}
iamLavaWorkerRole
| Property | Value |
|---|---|
| Type | AWS::IAM::Role |
| Group | IAM Resources (IAM) |
| Description | IAM role for worker instances. |
{
"Condition": "ifCreateInstance",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::ImportValue": {
"Fn::Sub": "lava:${realm}:iamLavaWorkerPolicyArn"
}
},
"arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
],
"RoleName": {
"Fn::Sub": "lava-${realm}-worker-${worker}"
}
},
"Type": "AWS::IAM::Role"
}
iamWorkerInstanceProfile
| Property | Value |
|---|---|
| Type | AWS::IAM::InstanceProfile |
| Group | IAM Resources (IAM) |
{
"Condition": "ifCreateInstance",
"Properties": {
"Roles": [
{
"Ref": "iamLavaWorkerRole"
}
]
},
"Type": "AWS::IAM::InstanceProfile"
}
lambdaLavaStopPermission
| Property | Value |
|---|---|
| Type | AWS::Lambda::Permission |
| Group | Lambda Resources (Lambda) |
| Description | Allow EventBridge to run the stop lambda. |
{
"Condition": "ifRealmLambdasDeployed",
"Properties": {
"Action": "lambda:InvokeFunction",
"FunctionName": {
"Fn::ImportValue": {
"Fn::Sub": "lava:${realm}:lambdaLavaStop"
}
},
"Principal": "events.amazonaws.com",
"SourceArn": {
"Fn::GetAtt": [
"eventsWorkerTerminating",
"Arn"
]
}
},
"Type": "AWS::Lambda::Permission"
}
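eventsWorkerTerminating and lambdaLavaStopPermission together form the controlled-termination path: the rule matches the lifecycle event for this worker's auto scaling group only, hands the lambda the event's `detail` (InputPath `$.detail`), and the permission lets events.amazonaws.com invoke the function only when the SourceArn is this rule. The following added example is not part of the lava templates. It implements the subset of the EventBridge pattern language the rule uses, applies the InputPath the way EventBridge does before invocation, and pulls the realm/worker pair back out of the NotificationMetadata that asgLavaWorker attaches to the hook. The lifecycle events are constructed for the example, and what lambdaLavaStop itself does with them is not shown on this page:

```python
"""Match the EventBridge rule eventsWorkerTerminating against lifecycle events.

Added example, not part of the lava templates. The events below are constructed
in the shape EventBridge delivers for an autoscaling lifecycle hook.
"""
import json
from typing import Any, Dict


def event_pattern(realm: str, worker: str) -> Dict[str, Any]:
    """The rule's EventPattern with Fn::Sub applied."""
    return {
        "source": ["aws.autoscaling"],
        "detail-type": ["EC2 Instance-terminate Lifecycle Action"],
        "detail": {"AutoScalingGroupName": [f"lava-{realm}-{worker}"]},
    }


def pattern_matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Every key in the pattern must exist in the event: a list means the event
    value must equal one of its members, a dict is matched recursively. Event
    keys the pattern does not mention are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def apply_input_path(event: Dict[str, Any], input_path: str) -> Any:
    """Resolve a simple dotted InputPath such as "$.detail" (the only form used here)."""
    if not input_path.startswith("$."):
        raise ValueError(f"unsupported InputPath: {input_path!r}")
    current: Any = event
    for part in input_path[2:].split("."):
        current = current[part]
    return current


def hook_context(detail: Dict[str, Any]) -> Dict[str, str]:
    """Fields a stop handler needs to act on the instance and later complete the
    hook: the documented lifecycle-event fields plus the JSON NotificationMetadata
    ({"realm": ..., "worker": ...}) that the ASG definition attaches."""
    metadata = json.loads(detail.get("NotificationMetadata", "{}"))
    return {
        "AutoScalingGroupName": detail["AutoScalingGroupName"],
        "LifecycleHookName": detail["LifecycleHookName"],
        "LifecycleActionToken": detail["LifecycleActionToken"],
        "InstanceId": detail["EC2InstanceId"],
        "realm": metadata["realm"],
        "worker": metadata["worker"],
    }


def lifecycle_event(realm: str, worker: str,
                    detail_type: str = "EC2 Instance-terminate Lifecycle Action") -> Dict[str, Any]:
    """Constructed lifecycle event (example data, ids are placeholders)."""
    return {
        "version": "0", "id": "00000000-0000-0000-0000-000000000000",
        "source": "aws.autoscaling", "detail-type": detail_type,
        "account": "123456789012", "region": "eu-west-1",
        "detail": {
            "LifecycleActionToken": "87654321-4321-4321-4321-210987654321",
            "AutoScalingGroupName": f"lava-{realm}-{worker}",
            "LifecycleHookName": "terminate",
            "EC2InstanceId": "i-0123456789abcdef0",
            "LifecycleTransition": "autoscaling:EC2_INSTANCE_TERMINATING",
            "NotificationMetadata": json.dumps({"realm": realm, "worker": worker}),
        },
    }
```

Note that the rule's State comes from the autoscalingControlledTermination parameter while the lifecycle hook in asgLavaWorker is unconditional: with the rule disabled, a terminating instance still waits for the hook's HeartbeatTimeout of 1800 seconds before the DefaultResult CONTINUE lets termination proceed, so disabling the rule delays scale-in by up to 30 minutes without stopping anything gracefully.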
launchtemplateLavaWorker
| Property | Value |
|---|---|
| Type | AWS::EC2::LaunchTemplate |
| Group | EC2 Resources (EC2) |
| Description | Launch template for Lava worker. |
{
"Condition": "ifCreateInstance",
"Properties": {
"LaunchTemplateData": {
"BlockDeviceMappings": [
{
"Fn::If": [
"ifSetSizeRootVol",
{
"DeviceName": "/dev/xvda",
"Ebs": {
"DeleteOnTermination": "true",
"Encrypted": "true",
"VolumeSize": {
"Ref": "rootVolumeSize"
}
}
},
{
"Ref": "AWS::NoValue"
}
]
},
{
"Fn::If": [
"ifCreateTmpVol",
{
"DeviceName": "/dev/xvdb",
"Ebs": {
"DeleteOnTermination": "true",
"Encrypted": "true",
"VolumeSize": {
"Ref": "tmpVolumeSize"
}
}
},
{
"Ref": "AWS::NoValue"
}
]
},
{
"Fn::If": [
"ifCreateDockerVol",
{
"DeviceName": "/dev/xvdc",
"Ebs": {
"DeleteOnTermination": "true",
"Encrypted": "true",
"VolumeSize": {
"Ref": "dockerVolumeSize"
}
}
},
{
"Ref": "AWS::NoValue"
}
]
}
],
"IamInstanceProfile": {
"Name": {
"Ref": "iamWorkerInstanceProfile"
}
},
"ImageId": {
"Ref": "amiId"
},
"InstanceType": {
"Fn::If": [
"ifInstanceType",
{
"Ref": "workerInstanceType"
},
{
"Ref": "AWS::NoValue"
}
]
},
"KeyName": {
"Fn::If": [
"ifKeyPair",
{
"Ref": "keyPairName"
},
{
"Ref": "AWS::NoValue"
}
]
},
"Monitoring": {
"Enabled": true
},
"NetworkInterfaces": [
{
"AssociatePublicIpAddress": {
"Ref": "workerPublicIp"
},
"Description": {
"Fn::Sub": "lava-${realm}-${worker} eth0"
},
"DeviceIndex": 0,
"Groups": {
"Ref": "secGroups"
}
}
],
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"\n",
[
"{",
{
"Fn::Sub": [
"\"shell0\": \"/usr/local/bin/s3run s3://${s3CodeBucket}/${s3CodePrefix}/${realm}/${worker}/root.boot0.sh s3://${s3CodeBucket}/${s3CodePrefix} ${realm} ${worker}\"",
{
"s3CodeBucket": {
"Fn::ImportValue": {
"Fn::Sub": "lava:${realm}:s3CodeBucket"
}
},
"s3CodePrefix": {
"Fn::ImportValue": {
"Fn::Sub": "lava:${realm}:s3CodePrefix"
}
}
}
]
},
",",
{
"Fn::Sub": [
"\"shell\": \"/usr/local/bin/s3run s3://${s3CodeBucket}/${s3CodePrefix}/${realm}/${worker}/root.boot.sh s3://${s3CodeBucket}/${s3CodePrefix} ${realm} ${worker}\"",
{
"s3CodeBucket": {
"Fn::ImportValue": {
"Fn::Sub": "lava:${realm}:s3CodeBucket"
}
},
"s3CodePrefix": {
"Fn::ImportValue": {
"Fn::Sub": "lava:${realm}:s3CodePrefix"
}
}
}
]
},
",",
{
"Fn::Sub": "\"import-users\": { \"users\": \"lava-${realm}-admin\", \"sudoers\": \"lava-${realm}-admin\" }"
},
",",
{
"Fn::Sub": "\"swap\": { \"size\": ${swapSize} }"
},
"}"
]
]
}
}
},
"TagSpecifications": [
{
"ResourceType": "launch-template",
"Tags": [
{
"Key": "LavaRealm",
"Value": {
"Ref": "realm"
}
},
{
"Key": "LavaWorker",
"Value": {
"Ref": "worker"
}
}
]
}
]
},
"Type": "AWS::EC2::LaunchTemplate"
}
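Because most of the launch template is wrapped in Fn::If, what actually reaches EC2 depends on the stack's conditions and parameters, and that is the form worth reviewing: every EBS mapping sets Encrypted, the public IP and key pair are parameter-controlled, and no MetadataOptions are set at all, so the template itself does not enforce IMDSv2 and leaves that to the AMI or account default. The following added example is not part of the lava templates. It evaluates the intrinsics the template uses (Fn::If, Ref, AWS::NoValue) against an example set of condition and parameter values and lints the resolved LaunchTemplateData; LAUNCH_TEMPLATE_DATA is copied from the resource above with UserData and TagSpecifications left out, and the condition and parameter values are example inputs:

```python
"""Lint launchtemplateLavaWorker after resolving its conditions.

Added example, not part of the lava templates. LAUNCH_TEMPLATE_DATA is copied
from the resource above (UserData and tags omitted); EXAMPLE_CONDITIONS and
EXAMPLE_PARAMS are example inputs, not values from any real stack.
"""
from typing import Any, Dict, List

_NO_VALUE = object()


def resolve(node: Any, conditions: Dict[str, bool], params: Dict[str, Any]) -> Any:
    """Fn::If picks a branch from the condition map, Ref substitutes a parameter
    value, and AWS::NoValue removes the enclosing property, as CloudFormation does."""
    if isinstance(node, dict):
        if "Fn::If" in node:
            name, if_true, if_false = node["Fn::If"]
            return resolve(if_true if conditions[name] else if_false, conditions, params)
        if "Ref" in node:
            ref = node["Ref"]
            return _NO_VALUE if ref == "AWS::NoValue" else params.get(ref, node)
        resolved = {}
        for key, value in node.items():
            value = resolve(value, conditions, params)
            if value is not _NO_VALUE:
                resolved[key] = value
        return resolved
    if isinstance(node, list):
        return [v for v in (resolve(item, conditions, params) for item in node) if v is not _NO_VALUE]
    return node


def _is_true(value: Any) -> bool:
    """CloudFormation accepts both the boolean true and the string "true"."""
    return value is True or str(value).lower() == "true"


def lint_launch_template(data: Dict[str, Any]) -> List[str]:
    """Checks on resolved LaunchTemplateData; returns one finding per problem."""
    findings = []
    for mapping in data.get("BlockDeviceMappings", []):
        if not _is_true(mapping.get("Ebs", {}).get("Encrypted")):
            findings.append(f"{mapping.get('DeviceName')}: EBS volume is not encrypted")
    if data.get("MetadataOptions", {}).get("HttpTokens") != "required":
        findings.append("MetadataOptions.HttpTokens is not 'required': IMDSv2 is not enforced by the template")
    for nic in data.get("NetworkInterfaces", []):
        if _is_true(nic.get("AssociatePublicIpAddress")):
            findings.append(f"eth{nic.get('DeviceIndex')}: public IP address associated")
    if "KeyName" in data:
        findings.append("KeyName: SSH key pair attached although SSM access is available")
    return findings


def _ebs(device: str, size_param: str) -> Dict[str, Any]:
    return {"DeviceName": device, "Ebs": {"DeleteOnTermination": "true", "Encrypted": "true",
                                          "VolumeSize": {"Ref": size_param}}}


LAUNCH_TEMPLATE_DATA: Dict[str, Any] = {
    "BlockDeviceMappings": [
        {"Fn::If": ["ifSetSizeRootVol", _ebs("/dev/xvda", "rootVolumeSize"), {"Ref": "AWS::NoValue"}]},
        {"Fn::If": ["ifCreateTmpVol", _ebs("/dev/xvdb", "tmpVolumeSize"), {"Ref": "AWS::NoValue"}]},
        {"Fn::If": ["ifCreateDockerVol", _ebs("/dev/xvdc", "dockerVolumeSize"), {"Ref": "AWS::NoValue"}]},
    ],
    "IamInstanceProfile": {"Name": {"Ref": "iamWorkerInstanceProfile"}},
    "ImageId": {"Ref": "amiId"},
    "InstanceType": {"Fn::If": ["ifInstanceType", {"Ref": "workerInstanceType"}, {"Ref": "AWS::NoValue"}]},
    "KeyName": {"Fn::If": ["ifKeyPair", {"Ref": "keyPairName"}, {"Ref": "AWS::NoValue"}]},
    "Monitoring": {"Enabled": True},
    "NetworkInterfaces": [{"AssociatePublicIpAddress": {"Ref": "workerPublicIp"},
                           "DeviceIndex": 0, "Groups": {"Ref": "secGroups"}}],
}

EXAMPLE_CONDITIONS = {"ifSetSizeRootVol": True, "ifCreateTmpVol": True, "ifCreateDockerVol": False,
                      "ifInstanceType": True, "ifKeyPair": False}
EXAMPLE_PARAMS = {"rootVolumeSize": 20, "tmpVolumeSize": 50, "amiId": "ami-0123456789abcdef0",
                  "workerInstanceType": "m6i.large", "workerPublicIp": "false",
                  "secGroups": ["sg-0123456789abcdef0"]}


def lint_resolved(conditions=EXAMPLE_CONDITIONS, params=EXAMPLE_PARAMS) -> List[str]:
    return lint_launch_template(resolve(LAUNCH_TEMPLATE_DATA, conditions, params))
```

With the example conditions the only finding is the missing MetadataOptions, which the template as shown produces regardless of parameters; setting workerPublicIp to "true" or supplying a key pair adds the corresponding findings, which is the point of linting the resolved form rather than the raw template.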
logFilterWorkerHeartbeat
| Property | Value |
|---|---|
| Type | AWS::Logs::MetricFilter |
| Group | Logs Resources (Logs) |
| Description | Metric filter on /var/log/lava/<REALM> log group to find heartbeat messages. |
{
"Condition": "ifCreateHeatbeatAlarm",
"Properties": {
"FilterPattern": {
"Fn::Sub": "{$.event_source=\"lava-worker\" && $.event_type=\"heartbeat\" && $.realm=\"${realm}\" && $.worker=\"${worker}\"}"
},
"LogGroupName": {
"Fn::Sub": "/var/log/lava/${realm}"
},
"MetricTransformations": [
{
"MetricName": {
"Fn::Sub": "lava-${realm}-${worker}-heartbeat"
},
"MetricNamespace": "LogMetrics",
"MetricValue": "1"
}
]
},
"Type": "AWS::Logs::MetricFilter"
}
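The filter pattern only matches log events that parse as a JSON object with all four fields equal to the expected values, and each match emits the value 1, so the per-minute SampleCount the heartbeat alarm reads is simply the number of matching lines in that minute; a minute with no match produces no datapoint at all rather than a zero. The following added example is not part of the lava templates. It implements the subset of the CloudWatch Logs JSON filter syntax the template uses and runs the worker's pattern over constructed log lines (the lines are made up for the example and are not real lava output):

```python
"""Run the heartbeat metric filter above over sample log lines.

Added example, not part of the lava templates. Implements the subset of the
CloudWatch Logs JSON filter syntax the template uses ({$.a="x" && $.b="y"})
and shows what the MetricValue "1" transformation yields per one-minute period.
"""
import json
import re
from collections import Counter
from typing import Dict, List, Tuple

# One clause of the pattern: $.dotted.path = "string"
_CLAUSE = re.compile(r'\$\.([A-Za-z_][\w.]*)\s*=\s*"((?:[^"\\]|\\.)*)"')


def parse_filter_pattern(pattern: str) -> List[Tuple[str, str]]:
    """{$.a="x" && $.b="y"} -> [("a", "x"), ("b", "y")]. Only equality clauses
    joined by && are supported, which is all the heartbeat filter needs."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("only JSON filter patterns ({...}) are supported")
    clauses = []
    for clause in body[1:-1].split("&&"):
        match = _CLAUSE.fullmatch(clause.strip())
        if match is None:
            raise ValueError(f"unsupported clause: {clause.strip()!r}")
        clauses.append((match.group(1), match.group(2)))
    return clauses


def _lookup(event: dict, path: str):
    """Resolve a dotted selector (event_source, or detail.worker) inside the event."""
    current = event
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def matches(clauses: List[Tuple[str, str]], line: str) -> bool:
    """A JSON filter pattern matches only lines that parse as a JSON object, so a
    plain-text or truncated heartbeat line contributes nothing to the metric."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return False
    if not isinstance(event, dict):
        return False
    return all(_lookup(event, path) == expected for path, expected in clauses)


def heartbeat_pattern(realm: str, worker: str) -> str:
    """The FilterPattern of logFilterWorkerHeartbeat with Fn::Sub applied."""
    return ('{$.event_source="lava-worker" && $.event_type="heartbeat" '
            f'&& $.realm="{realm}" && $.worker="{worker}"}}')


def sample_count_per_minute(pattern: str, lines: List[Tuple[str, str]]) -> Dict[str, int]:
    """lines: (ISO-8601 timestamp, raw log line). Each match emits metric value 1,
    so SampleCount per period is the number of matches in that minute. Minutes
    without a match get no entry: CloudWatch sees a missing datapoint, not a zero."""
    clauses = parse_filter_pattern(pattern)
    counts: Counter = Counter()
    for timestamp, line in lines:
        if matches(clauses, line):
            counts[timestamp[:16]] += 1  # truncate to YYYY-MM-DDTHH:MM
    return dict(counts)


HEARTBEAT = '{"event_source": "lava-worker", "event_type": "heartbeat", "realm": "prod", "worker": "build"}'
SAMPLE_LOG: List[Tuple[str, str]] = [  # constructed sample lines, not real lava output
    ("2024-05-01T10:00:05Z", HEARTBEAT),
    ("2024-05-01T10:00:35Z", HEARTBEAT),
    ("2024-05-01T10:01:05Z", HEARTBEAT.replace('"build"', '"deploy"')),       # another worker
    ("2024-05-01T10:01:10Z", HEARTBEAT.replace('"heartbeat"', '"job-start"')),  # other event type
    ("2024-05-01T10:02:05Z", "lava-worker heartbeat realm=prod worker=build"),  # not JSON
    ("2024-05-01T10:03:05Z", HEARTBEAT),
]

if __name__ == "__main__":
    print(sample_count_per_minute(heartbeat_pattern("prod", "build"), SAMPLE_LOG))
```

For the prod/build worker the sample yields two matches at 10:00 and one at 10:03; 10:01 and 10:02 have no datapoint even though the worker wrote something in both minutes. That gap is what the heartbeat alarm's TreatMissingData of breaching is for, and it is also why a change to the heartbeat's JSON field names silently turns into an outage alert five minutes later.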
sqsWorkerQueue
| Property | Value |
|---|---|
| Type | AWS::SQS::Queue |
| Group | SQS Resources (SQS) |
| Description | SQS queue for the lava worker to receive dispatched jobs. |
{
"Properties": {
"KmsMasterKeyId": {
"Fn::ImportValue": {
"Fn::Sub": "lava:${realm}:kmsUserKeyAlias"
}
},
"MessageRetentionPeriod": {
"Ref": "messageRetentionPeriod"
},
"QueueName": {
"Fn::Sub": "lava-${realm}-${worker}"
},
"Tags": [
{
"Key": "lava:function",
"Value": "worker.dispatch"
}
],
"VisibilityTimeout": {
"Ref": "visibilityTimeout"
}
},
"Type": "AWS::SQS::Queue"
}