Stripe to EventBridge

Create an EventBridge inbound webhook for Stripe.

This stack deploys an inbound webhook that subscribes to events from Stripe and receives them on an Amazon EventBridge event bus for further processing.

EventBridge is a serverless event bus that enables you to build scalable event-driven applications by routing events between your own applications, third-party SaaS applications, and other AWS services.

This pattern deploys one Lambda function with a function URL, one Secrets Manager secret, and a CloudWatch alarm.

AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31
Description: >
  Stripe-EventBridge

#Amazon EventBridge Inbound webhooks using lambda fURLs CFNs Template.

Parameters:
  StripeWebhookSecret:
    Type: String
    Description: Stripe webhook secret
    NoEcho: true
    AllowedPattern: ".+"

  EventBusName:
    Type: String
    Description: EventBridge event bus name
    Default: default

  LambdaInvocationThreshold:
    Type: String
    Description: Innovation Alarm Threshold for number of events in a 5 minute period. 
    Default: 2000

Resources:
  WebhookSecretsManager:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub WebhookSecret-${AWS::StackName}
      Description: Secrets Manager for storing Webhook Secret
      SecretString: !Ref StripeWebhookSecret

  LambdaInvocationsAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: !Sub Alarm for ${AWS::StackName} - InboundWebhook Lambda for traffic spikes
      AlarmName: !Sub InboundWebhook-Lambda-Invocation-Alarm-${AWS::StackName}
      MetricName: Invocations
      Namespace: AWS/Lambda
      Statistic: Sum
      Period: "300"
      EvaluationPeriods: "2"
      Threshold: !Ref LambdaInvocationThreshold
      Dimensions:
        - Name: FunctionName
          Value: !Ref WebhookFunction
      ComparisonOperator: GreaterThanThreshold

  WebhookFunction:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    DependsOn: WebhookSecretsManager
    Properties:
      FunctionName: !Sub [
          "InboundWebhook-Lambda-${ID}",
          ID: !Select [2, !Split ["/", !Ref AWS::StackId]],
        ] # Append the stack UUID
      CodeUri:
        Bucket: !Sub 'eventbridge-inbound-webhook-templates-prod-${AWS::Region}'
        Key: 'lambda-templates/stripe-lambdasrc.zip'
      Handler: app.lambda_handler
      Runtime: python3.8
      ReservedConcurrentExecutions: 10
      Environment:
        Variables:
          STRIPE_WEBHOOK_SECRET_ARN: !Ref WebhookSecretsManager
          EVENT_BUS_NAME: !Ref EventBusName
      MemorySize: 128
      Timeout: 100
      FunctionUrlConfig:
        AuthType: NONE
      Policies:
        - EventBridgePutEventsPolicy:
            EventBusName: !Ref EventBusName
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - secretsmanager:DescribeSecret
                - secretsmanager:GetSecretValue
              Resource: !Ref WebhookSecretsManager

Outputs:
  FunctionUrlEndpoint:
    Description: "Webhhook Function URL Endpoint"
    Value: !GetAtt WebhookFunctionUrl.FunctionUrl

  LambdaFunctionName:
    Value: !Ref WebhookFunction

  LambdaFunctionARN:
    Description: Lambda function ARN.
    Value: !GetAtt WebhookFunction.Arn