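AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Cima event intake: a custom EventBridge bus that any account in the
  organisation may publish to, a rule that forwards events with source "Cima"
  to a Lambda function, and a DynamoDB table the function writes them into.

Parameters:
  POrgID:
    Type: String
    Description: >-
      The AWS Organizations ID (o-xxxxxxxxxx) whose member accounts are allowed
      to put events on the event bus. This value is the trust boundary of the
      bus: every principal in this organisation can publish to it.
    # A typo here silently produces a bus nobody can publish to; reject
    # anything that is not shaped like an organisation ID at deploy time.
    AllowedPattern: '^o-[a-z0-9]{10,32}$'
    ConstraintDescription: Must be an AWS Organizations ID of the form o-xxxxxxxxxx.

Resources:
  # Destination table. caseId is the only key attribute; the Lambda below
  # rejects events whose detail does not carry it, because PutItem would
  # fail with a ValidationException anyway.
  CimaDDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: !Sub "CimaDDBTable-${AWS::AccountId}"
      AttributeDefinitions:
        - AttributeName: caseId
          AttributeType: S
      KeySchema:
        - AttributeName: caseId
          KeyType: HASH
      BillingMode: PAY_PER_REQUEST
      # NOTE(review): encryption at rest uses the DynamoDB default (AWS-owned
      # key) and point-in-time recovery is off. Add SSESpecification with a
      # customer-managed key and PointInTimeRecoverySpecification if the case
      # data's classification requires either.

  CimaBus:
    Type: AWS::Events::EventBus
    Properties:
      Name: !Sub CimaBus-${AWS::AccountId}

  # Resource policy on the bus. Principal "*" is deliberately broad and is
  # constrained by the aws:PrincipalOrgID condition, so only principals inside
  # the organisation given by POrgID can call PutEvents. Any such principal can
  # emit an event with source "Cima", so the handler must treat the event
  # detail as untrusted input.
  CimaBusPolicy:
    Type: AWS::Events::EventBusPolicy
    Properties:
      EventBusName: !Ref CimaBus
      StatementId: AllowAllAccountsFromOrganizationToPutEventsForCima
      Statement:
        Effect: Allow
        Principal: "*"
        Action: events:PutEvents
        Resource: !GetAtt CimaBus.Arn
        Condition:
          StringEquals:
            aws:PrincipalOrgID: !Ref POrgID

  # Forwards every event whose source is "Cima" to the writer function.
  CimaGetEventRule:
    Type: AWS::Events::Rule
    Properties:
      Name: !Sub CimaGetEventRule-${AWS::AccountId}
      Description: "Cima bus rule to pull event from Cima bus and put in DynamoDB"
      EventBusName: !Ref CimaBus
      EventPattern:
        source:
          - "Cima"
      Targets:
        - Arn: !GetAtt CimaputeventDDB.Arn
          Id: "LambaasTarget"

  # Lets EventBridge invoke the function. SourceArn pins the grant to this one
  # rule; without it any EventBridge rule in any account could invoke it
  # (confused-deputy).
  CimaGetEventRuleBPermissions:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt CimaputeventDDB.Arn
      Principal: events.amazonaws.com
      SourceArn: !GetAtt CimaGetEventRule.Arn

  # Execution role for the writer function, scoped to what the handler does:
  # write its own log group and PutItem into the Cima table.
  CimaputeventDDBLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "CimaputeventDDBLambdaRole-${AWS::AccountId}"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: cloudwatch-logs-access
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # CreateLogGroup is evaluated against the account-level logs ARN,
              # so it cannot be narrowed to a single log group.
              - Effect: Allow
                Action: logs:CreateLogGroup
                Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*"
              # Stream/put are limited to this function's own log group
              # (the function name is fixed below) instead of "*".
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/CimaputeventDDB-${AWS::AccountId}:*"
        - PolicyName: CimaDDB-access
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                # The handler only writes items. dynamodb:* would also let
                # anything running as this role Scan, DeleteItem or
                # DeleteTable; grant the single action that is used.
                Action:
                  - dynamodb:PutItem
                Resource: !GetAtt CimaDDBTable.Arn

  # Writes the 'detail' of each forwarded event into the table as one item.
  CimaputeventDDB:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub "CimaputeventDDB-${AWS::AccountId}"
      Handler: index.lambda_handler
      # python3.8 is past Lambda's end of support; the handler uses nothing
      # version-specific, so it runs unchanged on a supported runtime.
      Runtime: python3.12
      # One PutItem call per invocation; a 15-minute timeout only lets a
      # misbehaving dependency tie up concurrency (and billing) for far
      # longer than the work warrants.
      Timeout: 30
      Code:
        ZipFile: |
          import os
          from datetime import datetime, timezone

          import boto3

          # Created once per execution environment, not on every invocation.
          _TABLE = boto3.resource('dynamodb').Table(os.environ['DynamoDBName'])


          def lambda_handler(event, context):
              """Store the 'detail' of an EventBridge event as one DynamoDB item.

              The bus accepts events from every account in the organisation, so
              'detail' is caller-controlled. Only 'caseId' (the table key) is
              required; all other fields are stored exactly as sent, plus an
              'ingestionTime' stamp and the publishing 'account'.

              Raises:
                  ValueError: if the event has no 'detail' object or the detail
                      lacks 'caseId'. Raising (rather than returning 200) makes
                      the failure visible in the function's error metrics.
              """
              detail = event.get('detail')
              if not isinstance(detail, dict):
                  raise ValueError("event has no 'detail' object")
              if 'caseId' not in detail:
                  raise ValueError("event detail is missing required key 'caseId'")

              # Existing readers depend on this timestamp layout, so it is kept;
              # the clock is taken explicitly in UTC rather than process-local time.
              detail['ingestionTime'] = datetime.now(timezone.utc).strftime('%m/%d/%Y %H:%M:%S')
              # Per the EventBridge event envelope, 'account' is populated by the
              # service with the publishing account ID, so it records provenance
              # that the publisher cannot forge inside 'detail'.
              detail['account'] = event.get('account')

              # NOTE(review): put_item replaces any existing item with the same
              # caseId, so one member account can overwrite another account's
              # record. If that is not intended, add
              # ConditionExpression='attribute_not_exists(caseId)' and handle
              # ConditionalCheckFailedException explicitly.
              _TABLE.put_item(Item=detail)

              return {
                  'statusCode': 200,
                  'body': 'Event processed successfully.'
              }
      Role: !GetAtt CimaputeventDDBLambdaRole.Arn
      Environment:
        Variables:
          DynamoDBName: !Ref CimaDDBTable

Outputs:
  CimaBusArn:
    Value: !GetAtt CimaBus.Arn
    Export:
      Name: CimaBusArn
  CimaDDBTableArn:
    Value: !GetAtt CimaDDBTable.Arn
    Export:
      Name: CimaDDBTableArn
  CimaDDBTableName:
    Value: !Ref CimaDDBTable
    Export:
      Name: CimaDDBTableName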