-
Notifications
You must be signed in to change notification settings - Fork 0
/
template.yml
168 lines (164 loc) · 6.69 KB
/
template.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: A collection of utilities that integrate with CloudFormation
Resources:
# This is an _organization sink_ custom EventBridge event bus. It's intended
# to exist once within an AWS Organization (i.e., in a single region in a
# single account).
#
# All CloudFormation activity within the organization is expected to be sent
# to this event bus. Generally this is done by creating rules on all default
# event buses within the organization, which forward all CloudFormation
# service events to this bus.
#
# Any tooling that responds to CloudFormation service events can subscribe to
# the relevant events on this bus.
#
# This bus should always be called `CloudFormation-org-sink`, as that is what
# the rules on all default buses expect.
OrgSinkEventBus:
Type: AWS::Events::EventBus
Properties:
Name: CloudFormation-org-sink
OrgSinkEventBusPolicy:
# TODO Should have a Condition to limit this to events sent by events.amazonaws.com
# since it's only intended to get events from other event buses, not from
# any arbitrary sender
Type: AWS::Events::EventBusPolicy
Properties:
EventBusName: !Ref OrgSinkEventBus
StatementId: AllowEventsToCfnOrgSink
Statement:
Action: events:PutEvents
Condition:
StringEquals:
aws:ResourceOrgID: ${aws:PrincipalOrgID}
Effect: Allow
Principal: "*"
Resource: !GetAtt OrgSinkEventBus.Arn
# Sends notifications to Slack in response to certain CloudFormation status
# change events that are generated anywhere within the AWS Organization.
# See eventbridge.mjs for details on how decisions are made for which to send
# and where they should be sent.
StatusChangeSlackNotificationsFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: src/status-change-slack-notifications
Description: >-
Sends messages to Slack in response to CloudFormation stack event
notifications. Only certain notifications are forwarded to Slack, to
reduce the volume of messages.
Environment:
Variables:
AWS_NODEJS_CONNECTION_REUSE_ENABLED: "1"
Events:
StatusChanges:
Properties:
EventBusName: !Ref OrgSinkEventBus
Pattern:
detail-type:
- CloudFormation Resource Status Change
- CloudFormation Stack Status Change
- CloudFormation StackSet Status Change
- CloudFormation StackSet Operation Status Change
source:
- aws.cloudformation
Type: EventBridgeRule
Handler: index.handler
MemorySize: 192
Policies:
- Statement:
- Action: events:PutEvents
Effect: Allow
Resource: !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/default
Version: "2012-10-17"
Runtime: nodejs22.x
Tags:
prx:meta:tagging-version: "2021-04-07"
prx:cloudformation:stack-name: !Ref AWS::StackName
prx:cloudformation:stack-id: !Ref AWS::StackId
prx:ops:environment: Production
prx:dev:application: CloudFormation Toolkit
Timeout: 20
StatusChangeSlackNotificationsLogGroup:
Type: AWS::Logs::LogGroup
DeletionPolicy: Delete
UpdateReplacePolicy: Delete
Properties:
LogGroupName: !Sub /aws/lambda/${StatusChangeSlackNotificationsFunction}
RetentionInDays: 14
Tags:
- { Key: prx:meta:tagging-version, Value: "2021-04-07" }
- { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
- { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
- { Key: prx:ops:environment, Value: Production }
- { Key: prx:dev:application, Value: CloudFormation Toolkit }
StatusChangeSlackNotificationsErrorAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmName: !Sub ERROR [Cfn Toolkit] Slack Notifications <prod> INVOCATION ERRORS (${AWS::StackName})
AlarmDescription: >-
The Lambda function that sends CloudFormation status change
notifications to Slack is experiencing errors, so some CloudFormation
activity may not be visible in Slack.
ComparisonOperator: GreaterThanThreshold
EvaluationPeriods: 1
MetricName: Errors
Namespace: AWS/Lambda
Period: 60
Statistic: Sum
Tags:
- { Key: prx:meta:tagging-version, Value: "2021-04-07" }
- { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
- { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
- { Key: prx:ops:environment, Value: Production }
- { Key: prx:dev:application, Value: CloudFormation Toolkit }
Threshold: 0
TreatMissingData: notBreaching
Dimensions:
- Name: FunctionName
Value: !Ref StatusChangeSlackNotificationsFunction
# Creates Lambda functions that back CloudFormation macros. This does NOT
# create the macro; macros must be created in each account which reference this
# function. The Lambda functions created by this template only need to exist
# once globally within an organization.
PrxUtility20210622:
Type: AWS::Serverless::Function
Properties:
CodeUri: src/marco-prx-utility-20210622
Description: >-
Backs a CloudFormation macro that is used as a whole-template
transformer.
# Environment:
# Variables:
# ORGANIZATION_ID: !Ref OrganizationId
Handler: index.handler
MemorySize: 128
Runtime: nodejs18.x
Tags:
prx:meta:tagging-version: "2021-04-07"
prx:cloudformation:stack-name: !Ref AWS::StackName
prx:cloudformation:stack-id: !Ref AWS::StackId
prx:ops:environment: Production
prx:dev:application: CloudFormation Toolkit
Timeout: 8
PrxUtility20210622LogGroup:
Type: AWS::Logs::LogGroup
DeletionPolicy: Delete
UpdateReplacePolicy: Delete
Properties:
LogGroupName: !Sub /aws/lambda/${PrxUtility20210622}
RetentionInDays: 30
Tags:
- { Key: prx:meta:tagging-version, Value: "2021-04-07" }
- { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
- { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
- { Key: prx:ops:environment, Value: Production }
- { Key: prx:dev:application, Value: CloudFormation Toolkit }
# PrxUtility20210622OrgPermission:
# Type: AWS::Lambda::Permission
# Properties:
# Action: lambda:InvokeFunction
# FunctionName: !GetAtt PrxUtility20210622.Arn
# Principal: "*"
# PrincipalOrgID: !Ref OrganizationId