{ "Description": "(SO0005) - limit-monitor, version v5.3.5", "AWSTemplateFormatVersion": "2010-09-09", "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Account Configuration" }, "Parameters": [ "AccountList" ] }, { "Label": { "default": "Notification Configuration" }, "Parameters": [ "SNSEvents", "SNSEmail", "SlackEvents", "SlackHookURL", "SlackChannel" ] } ], "ParameterLabels": { "SNSEmail": { "default": "Email Address" }, "AccountList": { "default": "Account List" }, "SNSEvents": { "default": "Email Notification Level" }, "SlackEvents": { "default": "Slack Notification Level" }, "SlackHookURL": { "default": "Slack Hook Url Key Name" }, "SlackChannel": { "default": "Slack Channel Key Name" } } } }, "Parameters": { "SNSEmail": { "Type": "String", "Description": "The email address to subscribe for SNS limit alert messages, leave blank if SNS alerts not needed." }, "AccountList": { "Type": "String", "AllowedPattern": "^\"\\d{12}\"(,\"\\d{12}\")*$|(^\\s*)$", "Description": "List of comma-separated and double-quoted account numbers to monitor. If you leave this parameter blank, the solution will only monitor limits in the primary account. If you enter multiple secondary account IDs, you must also provide the primary account ID in this parameter." }, "SNSEvents": { "Type": "String", "Default": "\"WARN\",\"ERROR\"", "Description": "List of alert levels to send email notifications. Must be double-quoted and comma separated. To disable email notifications, leave this blank." }, "SlackEvents": { "Type": "String", "Default": "\"WARN\",\"ERROR\"", "Description": "List of alert levels to send Slack notifications. Must be double-quoted and comma separated. To disable slack notifications, leave this blank." }, "SlackHookURL": { "Type": "String", "Description": "SSM parameter key for incoming Slack web hook URL. Leave blank if you do not wish to receive Slack notifications." }, "SlackChannel": { "Type": "String", "Description": "SSM parameter key for the Slack channel. Leave blank if you do not wish to receive Slack notifications." } }, "Mappings": { "MetricsMap": { "Send-Data": { "SendAnonymousData": "Yes" } }, "RefreshRate": { "CronSchedule": { "Default": "rate(1 day)" } }, "SourceCode": { "General": { "S3Bucket": "solutions", "KeyPrefix": "limit-monitor/v5.3.5", "TemplateBucket": "solutions-reference" } }, "EventsMap": { "Checks": { "Services": "\"AutoScaling\",\"CloudFormation\",\"DynamoDB\",\"EBS\",\"EC2\",\"ELB\",\"IAM\",\"Kinesis\",\"RDS\",\"Route53\",\"SES\",\"VPC\"" } } }, "Conditions": { "SingleAccnt": { "Fn::Equals": [ "", { "Ref": "AccountList" } ] }, "SNSTrue": { "Fn::Not": [ { "Fn::Equals": [ "", { "Ref": "SNSEvents" } ] } ] }, "SlackTrue": { "Fn::Not": [ { "Fn::Equals": [ "", { "Ref": "SlackEvents" } ] } ] }, "AnonymousMetric": { "Fn::Equals": [ "Yes", { "Fn::FindInMap": [ "MetricsMap", "Send-Data", "SendAnonymousData" ] } ] }, "CDKMetadataAvailable": { "Fn::Or": [ { "Fn::Or": [ { "Fn::Equals": [ { "Ref": "AWS::Region" }, "af-south-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-east-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-northeast-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-northeast-2" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-south-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-southeast-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-southeast-2" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ca-central-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "cn-north-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "cn-northwest-1" ] } ] }, { "Fn::Or": [ { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-central-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-north-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-south-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-west-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-west-2" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-west-3" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "me-south-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "sa-east-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-east-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-east-2" ] } ] }, { "Fn::Or": [ { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-west-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-west-2" ] } ] } ] } }, "Resources": { "SlackNotifierRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "Path": "/", "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":log-group:/aws/lambda/*" ] ] }, "Sid": "default" }, { "Action": "ssm:GetParameter", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": { "Fn::Join": [ "", [ "Limit-Monitor-Policy-", { "Ref": "AWS::StackName" }, "-", { "Ref": "AWS::Region" } ] ] } } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Override the IAM role to allow support:* for logs:PutLogEvents resource on its permissions policy" } ] } }, "Condition": "SlackTrue" }, "SlackNotifierRoleDefaultPolicy3F0FB2C2": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "SlackNotifierRoleDefaultPolicy3F0FB2C2", "Roles": [ { "Ref": "SlackNotifierRole" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC." } ] } } }, "TASlackEventRuleLambdaFunctionServiceRole010C3825": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":log-group:/aws/lambda/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "LambdaFunctionServiceRolePolicy" } ] }, "Metadata": { "aws:cdk:path": "limit-monitor/TASlackEventRule/LambdaFunctionServiceRole/Resource" } }, "SlackNotifier": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Join": [ "", [ { "Fn::FindInMap": [ "SourceCode", "General", "S3Bucket" ] }, "-", { "Ref": "AWS::Region" } ] ] }, "S3Key": { "Fn::Join": [ "", [ { "Fn::FindInMap": [ "SourceCode", "General", "KeyPrefix" ] }, "/limtr-slack-service.zip" ] ] } }, "Role": { "Fn::GetAtt": [ "SlackNotifierRole", "Arn" ] }, "Description": "Serverless Limit Monitor - Lambda function to send notifications on slack", "Environment": { "Variables": { "SLACK_HOOK": { "Fn::Sub": "SlackHookURL" }, "SLACK_CHANNEL": { "Fn::Sub": "SlackChannel" }, "LOG_LEVEL": "INFO", "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1" } }, "Handler": "index.handler", "Runtime": "nodejs12.x", "Timeout": 300, "TracingConfig": { "Mode": "Active" } }, "DependsOn": [ "SlackNotifierRoleDefaultPolicy3F0FB2C2", "SlackNotifierRole" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W89", "reason": "Not a valid use case to deploy in VPC" }, { "id": "W92", "reason": "ReservedConcurrentExecutions not needed" } ] } }, "Condition": "SlackTrue" }, "TASlackEventRuleLambdaFunctionAwsEventsLambdaInvokePermission168B6EF2C": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "SlackNotifier", "Arn" ] }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "TASlackRule", "Arn" ] } }, "Metadata": { "aws:cdk:path": "limit-monitor/TASlackEventRule/LambdaFunction/AwsEventsLambdaInvokePermission-1" } }, "TASlackRule": { "Type": "AWS::Events::Rule", "Properties": { "Description": "Limit Monitor Solution - Rule for TA Slack events", "EventPattern": { "Fn::Join": [ "", [ "{\"account\":[", { "Fn::If": [ "SingleAccnt", { "Fn::Join": [ "", [ "\"", { "Ref": "AWS::AccountId" }, "\"" ] ] }, { "Ref": "AccountList" } ] }, "],", "\"source\":[\"aws.trustedadvisor\", \"limit-monitor-solution\"],", "\"detail-type\":[\"Trusted Advisor Check Item Refresh Notification\", \"Limit Monitor Checks\"],", "\"detail\":{", "\"status\":[", { "Ref": "SlackEvents" }, "],", "\"check-item-detail\":{", "\"Service\":[", { "Fn::FindInMap": [ "EventsMap", "Checks", "Services" ] }, "]", "}", "}", "}" ] ] }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "SlackNotifier", "Arn" ] }, "Id": "LimitMonitorSlackTarget" } ] }, "Metadata": { "aws:cdk:path": "limit-monitor/TASlackEventRule/EventsRule/Resource" }, "Condition": "SlackTrue" }, "LimitMonitorEncryptionKey": { "Type": "AWS::KMS::Key", "Properties": { "KeyPolicy": { "Statement": [ { "Action": [ "kms:Encrypt", "kms:Decrypt" ], "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } }, "Resource": "*", "Sid": "default" }, { "Action": [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", "kms:GenerateDataKey", "kms:TagResource", "kms:UntagResource" ], "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } }, "Resource": "*" }, { "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*" ], "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Resource": "*" } ], "Version": "2012-10-17" }, "Description": "Key for SNS and SQS", "Enabled": true, "EnableKeyRotation": true }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "aws:cdk:path": "limit-monitor/LimitMonitorEncryptionKey/Resource" } }, "DeadLetterQueue": { "Type": "AWS::SQS::Queue", "Properties": { "KmsMasterKeyId": { "Fn::GetAtt": [ "LimitMonitorEncryptionKey", "Arn" ] }, "MessageRetentionPeriod": 604800 }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "limit-monitor/TASQSRule/deadLetterQueue/Resource" } }, "TASQSRuledeadLetterQueuePolicyD9684898": { "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "sqs:DeleteMessage", "sqs:ReceiveMessage", "sqs:SendMessage", "sqs:GetQueueAttributes", "sqs:RemovePermission", "sqs:AddPermission", "sqs:SetQueueAttributes" ], "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } }, "Resource": { "Fn::GetAtt": [ "DeadLetterQueue", "Arn" ] }, "Sid": "QueueOwnerOnlyAccess" }, { "Action": "SQS:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": "*", "Resource": { "Fn::GetAtt": [ "DeadLetterQueue", "Arn" ] }, "Sid": "HttpsOnly" } ], "Version": "2012-10-17" }, "Queues": [ { "Ref": "DeadLetterQueue" } ] }, "Metadata": { "aws:cdk:path": "limit-monitor/TASQSRule/deadLetterQueue/Policy/Resource" } }, "EventQueue": { "Type": "AWS::SQS::Queue", "Properties": { "KmsMasterKeyId": { "Fn::GetAtt": [ "LimitMonitorEncryptionKey", "Arn" ] }, "MessageRetentionPeriod": 86400, "RedrivePolicy": { "deadLetterTargetArn": { "Fn::GetAtt": [ "DeadLetterQueue", "Arn" ] }, "maxReceiveCount": 3 }, "VisibilityTimeout": 60 }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "limit-monitor/TASQSRule/queue/Resource" } }, "TASQSRulequeuePolicyF2CDE7D2": { "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "sqs:DeleteMessage", "sqs:ReceiveMessage", "sqs:SendMessage", "sqs:GetQueueAttributes", "sqs:RemovePermission", "sqs:AddPermission", "sqs:SetQueueAttributes" ], "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } }, "Resource": { "Fn::GetAtt": [ "EventQueue", "Arn" ] }, "Sid": "QueueOwnerOnlyAccess" }, { "Action": "SQS:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": "*", "Resource": { "Fn::GetAtt": [ "EventQueue", "Arn" ] }, "Sid": "HttpsOnly" }, { "Action": [ "sqs:SendMessage", "sqs:GetQueueAttributes", "sqs:GetQueueUrl" ], "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Resource": { "Fn::GetAtt": [ "EventQueue", "Arn" ] } } ], "Version": "2012-10-17" }, "Queues": [ { "Ref": "EventQueue" } ] }, "Metadata": { "aws:cdk:path": "limit-monitor/TASQSRule/queue/Policy/Resource" } }, "TASQSRule": { "Type": "AWS::Events::Rule", "Properties": { "Description": "Limit Monitor Solution - Rule for TA SQS events", "EventPattern": { "Fn::Join": [ "", [ "{\"account\":[", { "Fn::If": [ "SingleAccnt", { "Fn::Join": [ "", [ "\"", { "Ref": "AWS::AccountId" }, "\"" ] ] }, { "Ref": "AccountList" } ] }, "],", "\"source\":[\"aws.trustedadvisor\", \"limit-monitor-solution\"],", "\"detail-type\":[\"Trusted Advisor Check Item Refresh Notification\", \"Limit Monitor Checks\"],", "\"detail\":{", "\"status\":[", "\"OK\",\"WARN\",\"ERROR\"", "],", "\"check-item-detail\":{", "\"Service\":[", { "Fn::FindInMap": [ "EventsMap", "Checks", "Services" ] }, "]", "}", "}", "}" ] ] }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "EventQueue", "Arn" ] }, "Id": "LimitMonitorSQSTarget" } ] }, "Metadata": { "aws:cdk:path": "limit-monitor/TASQSRule/EventsRule/Resource" } }, "LimitSummarizerRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "Path": "/", "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":log-group:/aws/lambda/*" ] ] }, "Sid": "default" }, { "Action": [ "sqs:DeleteMessage", "sqs:ReceiveMessage" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "EventQueue", "Arn" ] } }, { "Action": [ "dynamodb:GetItem", "dynamodb:PutItem" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":dynamodb:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":table/*" ] ] } }, { "Action": [ "kms:GenerateDataKey*", "kms:Decrypt", "kms:Encrypt" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "LimitMonitorEncryptionKey", "Arn" ] } } ], "Version": "2012-10-17" }, "PolicyName": { "Fn::Join": [ "", [ "Limit-Monitor-Policy-", { "Ref": "AWS::StackName" }, "-", { "Ref": "AWS::Region" } ] ] } } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Override the IAM role to allow support:* for logs:PutLogEvents resource on its permissions policy" } ] } } }, "LimitSummarizerRoleDefaultPolicy539F09EE": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "dynamodb:BatchGetItem", "dynamodb:GetRecords", "dynamodb:GetShardIterator", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:ConditionCheckItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "SummaryDDB", "Arn" ] }, { "Ref": "AWS::NoValue" } ] } ], "Version": "2012-10-17" }, "PolicyName": "LimitSummarizerRoleDefaultPolicy539F09EE", "Roles": [ { "Ref": "LimitSummarizerRole" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC." } ] } } }, "QueuePollScheduleLambdaFunctionServiceRole173B759B": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":log-group:/aws/lambda/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "LambdaFunctionServiceRolePolicy" } ] }, "Metadata": { "aws:cdk:path": "limit-monitor/QueuePollSchedule/LambdaFunctionServiceRole/Resource" } }, "LimitSummarizer": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Join": [ "", [ { "Fn::FindInMap": [ "SourceCode", "General", "S3Bucket" ] }, "-", { "Ref": "AWS::Region" } ] ] }, "S3Key": { "Fn::Join": [ "/", [ { "Fn::FindInMap": [ "SourceCode", "General", "KeyPrefix" ] }, "limtr-report-service.zip" ] ] } }, "Role": { "Fn::GetAtt": [ "LimitSummarizerRole", "Arn" ] }, "Description": "Serverless Limit Monitor - Lambda function to summarize service limit usage", "Environment": { "Variables": { "SQS_URL": { "Ref": "EventQueue" }, "MAX_MESSAGES": "10", "MAX_LOOPS": "10", "ANONYMOUS_DATA": { "Fn::FindInMap": [ "MetricsMap", "Send-Data", "SendAnonymousData" ] }, "SOLUTION": "SO0005", "LOG_LEVEL": "INFO", "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1", "DDB_TABLE_NAME": { "Ref": "SummaryDDB" }, "LIMIT_REPORT_TBL": { "Ref": "SummaryDDB" }, "UUID": { "Fn::GetAtt": [ "CreateUUID", "UUID" ] } } }, "Handler": "index.handler", "Runtime": "nodejs12.x", "Timeout": 300, "TracingConfig": { "Mode": "Active" } }, "DependsOn": [ "LimitSummarizerRoleDefaultPolicy539F09EE", "LimitSummarizerRole" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W89", "reason": "Not a valid use case to deploy in VPC" }, { "id": "W92", "reason": "ReservedConcurrentExecutions not needed" } ] } } }, "QueuePollScheduleLambdaFunctionAwsEventsLambdaInvokePermission1FFB9A285": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "LimitSummarizer", "Arn" ] }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "QueuePollSchedule", "Arn" ] } }, "Metadata": { "aws:cdk:path": "limit-monitor/QueuePollSchedule/LambdaFunction/AwsEventsLambdaInvokePermission-1" } }, "QueuePollSchedule": { "Type": "AWS::Events::Rule", "Properties": { "Description": "Limit Monitor Solution - Schedule to poll SQS queue", "ScheduleExpression": "rate(5 minutes)", "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "LimitSummarizer", "Arn" ] }, "Id": "Target0" } ] }, "Metadata": { "aws:cdk:path": "limit-monitor/QueuePollSchedule/EventsRule/Resource" } }, "TARefresherRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "Path": "/", "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":log-group:/aws/lambda/*" ] ] }, "Sid": "default" }, { "Action": "support:*", "Effect": "Allow", "Resource": "*" }, { "Action": "servicequotas:GetAWSDefaultServiceQuota", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": { "Fn::Join": [ "", [ "Limit-Monitor-Refresher-Policy-", { "Ref": "AWS::StackName" } ] ] } } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "F3", "reason": "Override the IAM role to allow support:* resource on its permissions policy" }, { "id": "W11", "reason": "Override the IAM role to allow Resource:* for logs:PutLogEvents, resource on its permissions policy" } ] } } }, "TARefresherRoleDefaultPolicy7FEE92D8": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "TARefresherRoleDefaultPolicy7FEE92D8", "Roles": [ { "Ref": "TARefresherRole" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC." } ] } } }, "TARefreshScheduleLambdaFunctionServiceRole88DF7FDF": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":log-group:/aws/lambda/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "LambdaFunctionServiceRolePolicy" } ] }, "Metadata": { "aws:cdk:path": "limit-monitor/TARefreshSchedule/LambdaFunctionServiceRole/Resource" } }, "TARefresher": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Join": [ "", [ { "Fn::FindInMap": [ "SourceCode", "General", "S3Bucket" ] }, "-", { "Ref": "AWS::Region" } ] ] }, "S3Key": { "Fn::Join": [ "/", [ { "Fn::FindInMap": [ "SourceCode", "General", "KeyPrefix" ] }, "limtr-refresh-service.zip" ] ] } }, "Role": { "Fn::GetAtt": [ "TARefresherRole", "Arn" ] }, "Description": "Serverless Limit Monitor - Lambda function to summarize service limits", "Environment": { "Variables": { "AWS_SERVICES": { "Fn::FindInMap": [ "EventsMap", "Checks", "Services" ] }, "LOG_LEVEL": "INFO", "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1" } }, "Handler": "index.handler", "Runtime": "nodejs12.x", "Timeout": 300, "TracingConfig": { "Mode": "Active" } }, "DependsOn": [ "TARefresherRoleDefaultPolicy7FEE92D8", "TARefresherRole" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W89", "reason": "Not a valid use case to deploy in VPC" }, { "id": "W92", "reason": "ReservedConcurrentExecutions not needed" } ] } } }, "TARefreshScheduleLambdaFunctionAwsEventsLambdaInvokePermission1F8477682": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "TARefresher", "Arn" ] }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "TARefreshSchedule", "Arn" ] } }, "Metadata": { "aws:cdk:path": "limit-monitor/TARefreshSchedule/LambdaFunction/AwsEventsLambdaInvokePermission-1" } }, "TARefreshSchedule": { "Type": "AWS::Events::Rule", "Properties": { "Description": "Limit Monitor Solution - Schedule to refresh TA checks", "ScheduleExpression": { "Fn::FindInMap": [ "RefreshRate", "CronSchedule", "Default" ] }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "TARefresher", "Arn" ] }, "Id": "Target0" } ] }, "Metadata": { "aws:cdk:path": "limit-monitor/TARefreshSchedule/EventsRule/Resource" } }, "SummaryDDB": { "Type": "AWS::DynamoDB::Table", "Properties": { "KeySchema": [ { "AttributeName": "MessageId", "KeyType": "HASH" }, { "AttributeName": "TimeStamp", "KeyType": "RANGE" } ], "AttributeDefinitions": [ { "AttributeName": "MessageId", "AttributeType": "S" }, { "AttributeName": "TimeStamp", "AttributeType": "S" } ], "PointInTimeRecoverySpecification": { "PointInTimeRecoveryEnabled": true }, "ProvisionedThroughput": { "ReadCapacityUnits": 2, "WriteCapacityUnits": 2 }, "SSESpecification": { "SSEEnabled": true }, "TimeToLiveSpecification": { "AttributeName": "ExpiryTime", "Enabled": true } }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W73", "reason": "PROVISIONED billing mode is a default and is not explicitly applied as a setting." } ] } } }, "LimtrHelperRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "Path": "/", "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":log-group:/aws/lambda/*" ] ] }, "Sid": "default" }, { "Action": [ "events:PutPermission", "events:RemovePermission" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":events:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":event-bus/default" ] ] } }, { "Action": [ "ssm:GetParameters", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":parameter/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "Custom_Limtr_Helper_Permissions" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Override the IAM role to allow support:* for logs:PutLogEvents resource on its permissions policy" } ] } } }, "LimtrHelperFunction": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Join": [ "", [ { "Fn::FindInMap": [ "SourceCode", "General", "S3Bucket" ] }, "-", { "Ref": "AWS::Region" } ] ] }, "S3Key": { "Fn::Join": [ "/", [ { "Fn::FindInMap": [ "SourceCode", "General", "KeyPrefix" ] }, "limtr-helper-service.zip" ] ] } }, "Role": { "Fn::GetAtt": [ "LimtrHelperRole", "Arn" ] }, "Description": "This function generates UUID, establishes cross account trust on CloudWatch Event Bus and sends anonymous metric", "Environment": { "Variables": { "LOG_LEVEL": "INFO" } }, "Handler": "index.handler", "Runtime": "nodejs12.x", "Timeout": 300 }, "DependsOn": [ "LimtrHelperRole" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W89", "reason": "Not a valid use case to deploy in VPC" }, { "id": "W92", "reason": "ReservedConcurrentExecutions not needed" } ] } } }, "LimitMonitorEncryptionKeyAlias": { "Type": "AWS::KMS::Alias", "Properties": { "AliasName": "alias/limit-monitor-encryption-key", "TargetKeyId": { "Fn::GetAtt": [ "LimitMonitorEncryptionKey", "Arn" ] } }, "Metadata": { "aws:cdk:path": "limit-monitor/LimitMonitorEncryptionKeyAlias/Resource" } }, "SNSTopic": { "Type": "AWS::SNS::Topic", "Properties": { "KmsMasterKeyId": { "Fn::GetAtt": [ "LimitMonitorEncryptionKey", "Arn" ] }, "Subscription": [ { "Protocol": "email", "Endpoint": { "Fn::Sub": "${SNSEmail}" } } ] }, "Metadata": { "aws:cdk:path": "limit-monitor/SNSTopic/Resource" }, "Condition": "SNSTrue" }, "SNSTopicPolicyE1168CD7": { "Type": "AWS::SNS::TopicPolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sns:Publish", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Resource": { "Ref": "SNSTopic" }, "Sid": "0" } ], "Version": "2012-10-17" }, "Topics": [ { "Ref": "SNSTopic" } ] }, "Metadata": { "aws:cdk:path": "limit-monitor/SNSTopic/Policy/Resource" } }, "TASNSRule": { "Type": "AWS::Events::Rule", "Properties": { "Description": "Limit Monitor Solution - Rule for TA SNS events", "EventPattern": { "Fn::Join": [ "", [ "{\"account\":[", { "Fn::If": [ "SingleAccnt", { "Fn::Join": [ "", [ "\"", { "Ref": "AWS::AccountId" }, "\"" ] ] }, { "Ref": "AccountList" } ] }, "],", "\"source\":[\"aws.trustedadvisor\", \"limit-monitor-solution\"],", "\"detail-type\":[\"Trusted Advisor Check Item Refresh Notification\", \"Limit Monitor Checks\"],", "\"detail\":{", "\"status\":[", { "Ref": "SNSEvents" }, "],", "\"check-item-detail\":{", "\"Service\":[", { "Fn::FindInMap": [ "EventsMap", "Checks", "Services" ] }, "]", "}", "}", "}" ] ] }, "State": "ENABLED", "Targets": [ { "Arn": { "Ref": "SNSTopic" }, "Id": "LimitMonitorSNSTarget", "InputTransformer": { "InputPathsMap": { "limitdetails": "$.detail.check-item-detail", "time": "$.time", "account": "$.account" }, "InputTemplate": "\"AWS-Account : || Timestamp :