AWSTemplateFormatVersion: '2010-09-09' Description: Collects ECS Cluster and service data and places into a bucket in the management account Parameters: DestinationBucket: Type: String Description: Name of the S3 Bucket to that will be created by the management template AllowedPattern: (?=^.{3,63}$)(?!^(\d+\.)+\d+$)(^(([a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])\.)*([a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])$) CFDataName: Type: String Description: The name of what this cf is doing. Default: 'ecs-services-clusters' DatabaseName: Type: String Description: Name of the Athena database to hold lambada information GlueRoleArn: Type: String Description: ARN of the IAM role deployed to use for glue. CodeBucket: Type: String Description: Name of the S3 Bucket that exists and holds the code for the nested cf and python for ecs zipped ECSRoleName: Type: String Description: Name of the IAM role deployed in all accounts which can retrieve AWS ECS Data. Outputs: LambdaRoleARN: Description: Role for Lambda execution of lambda data. Value: Fn::GetAtt: - LambdaRole - Arn LambdaFunctionARN: Description: ARN for lambdda function which account id wil be passed too Value: Fn::GetAtt: - LambdaFunction - Arn Resources: LambdaRole: Type: AWS::IAM::Role Properties: RoleName: !Sub "Lambda-Role-${CFDataName}" AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - lambda.amazonaws.com Version: 2012-10-17 ManagedPolicyArns: - arn:aws:iam::aws:policy/AWSLambdaExecute Path: / Policies: - PolicyName: !Sub "Assume-Management-${CFDataName}-Account-Role" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: "sts:AssumeRole" Resource: "*" #- !Sub "arn:aws:iam::${ManagmentAccountID}:role/Lambda-Assume-Role-${CFDataName}" #- !Sub "arn:aws:iam::${ManagmentAccountID}:role/ECS_Read_Only_Role" - PolicyName: !Sub "${CFDataName}-permissons" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - "s3:PutObject" - "sqs:ReceiveMessage" - "sqs:DeleteMessage" - "sqs:GetQueueAttributes" Resource: "*" - Effect: "Allow" Action: - "ecs:ListAttributes" - "ecs:DescribeTaskSets" - "ecs:DescribeTaskDefinition" - "ecs:DescribeClusters" - "ecs:ListServices" - "ecs:ListAccountSettings" - "ecs:DescribeCapacityProviders" - "ecs:ListTagsForResource" - "ecs:ListTasks" - "ecs:ListTaskDefinitionFamilies" - "ecs:DescribeServices" - "ecs:ListContainerInstances" - "ecs:DescribeContainerInstances" - "ecs:DescribeTasks" - "ecs:ListTaskDefinitions" - "ecs:ListClusters" Resource: "*" LambdaFunction: Type: AWS::Lambda::Function Properties: FunctionName: !Sub "${CFDataName}-Lambda-Function" Description: !Sub "LambdaFunction to retreive ${CFDataName}" Runtime: python3.8 Code: S3Key: cloudformation/ecs.py.zip S3Bucket: !Ref CodeBucket Handler: 'ecs.lambda_handler' MemorySize: 2688 Timeout: 300 Role: Fn::GetAtt: - LambdaRole - Arn Environment: Variables: BUCKET_NAME: Ref: DestinationBucket PREFIX: Ref: CFDataName ROLENAME : !Ref ECSRoleName CloudWatchTrigger: Type: AWS::Events::Rule Properties: Description: Weekly Notificaton Event for lambda data Name: !Sub "${CFDataName}-Weekly-Scheduler" ScheduleExpression: "cron(30 12 L * ? *)" State: ENABLED Targets: - Arn: Fn::GetAtt: - LambdaFunction - Arn Id: WeeklyTriggerForEBSUtilization Crawler: Type: AWS::Glue::Crawler Properties: Name: !Sub "${CFDataName}Crawler" Role: !Ref GlueRoleArn DatabaseName: !Ref DatabaseName Schedule: ScheduleExpression: "cron(30 13 L * ? *)" Targets: S3Targets: - Path: !Sub "s3://${DestinationBucket}/${CFDataName}-data/"