AWSTemplateFormatVersion: "2010-09-09" Description: This template describes AWS resources used to submit the AwsCommunity::Resource::Lookup resource type to the AWS CloudFormation Registry as a private extension. Parameters: Env: Description: Name of the environment you plan to use. Type: String AllowedValues: - dev - alpha - beta - prod Default: dev LogEncryptionWithKms: Description: Whether or not to use AWS Key Management Service (AWS KMS) to encrypt log data in the Amazon CloudWatch Logs LogGroup resource that this template describes; if you choose `yes`, a KMS key will be created as well. If you choose `no`, your Log group data will still be encrypted, because CloudWatch Logs uses server-side encryption by default to encrypt your log data at rest. Type: String AllowedValues: - false - true Default: false LogRetentionInDays: Description: Retain log events for these number of days. Type: String AllowedValues: - 1 - 3 - 5 - 7 - 14 - 30 - 60 - 90 - 120 - 150 - 180 - 365 - 400 - 545 - 731 - 1827 - 3653 Default: 365 SchemaHandlerPackage: Description: URL for the ZIP file for the resource type content you stored as an object in your Amazon S3 bucket. Type: String Conditions: LogEncryptionWithKmsCondition: !Equals - !Ref 'LogEncryptionWithKms' - true Resources: ExecutionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Condition: StringEquals: aws:SourceAccount: !Ref 'AWS::AccountId' StringLike: aws:SourceArn: !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:type/resource/AwsCommunity-Resource-Lookup/*' Effect: Allow Principal: Service: resources.cloudformation.amazonaws.com Version: "2012-10-17" MaxSessionDuration: 8400 Path: / Policies: - PolicyDocument: Statement: - Action: - cloudformation:GetResource - cloudformation:ListResources - iam:PassRole - ssm:AddTagsToResource - ssm:DeleteParameter - ssm:DescribeParameters - ssm:GetParameter - ssm:GetParameters - ssm:ListTagsForResource - ssm:PutParameter - ssm:RemoveTagsFromResource Effect: Allow Resource: '*' Version: "2012-10-17" PolicyName: AwsCommunityResourceLookupResourceTypePolicy Tags: - Key: Name Value: AwsCommunityResourceLookup-ExecutionRole - Key: AppName Value: AwsCommunityResourceLookup - Key: Env Value: !Ref 'Env' LogAndMetricsDeliveryRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Condition: StringEquals: aws:SourceAccount: !Ref 'AWS::AccountId' Effect: Allow Principal: Service: - resources.cloudformation.amazonaws.com Version: "2012-10-17" MaxSessionDuration: 43200 Path: / Policies: - PolicyDocument: Statement: - Action: - cloudwatch:ListMetrics - cloudwatch:PutMetricData - logs:CreateLogGroup - logs:CreateLogStream - logs:DescribeLogGroups - logs:DescribeLogStreams - logs:PutLogEvents Effect: Allow Resource: '*' Version: "2012-10-17" PolicyName: LogAndMetricsDeliveryRole Tags: - Key: Name Value: AwsCommunityResourceLookup-LogAndMetricsDeliveryRole - Key: AppName Value: AwsCommunityResourceLookup - Key: Env Value: !Ref 'Env' LogGroup: Type: AWS::Logs::LogGroup Properties: KmsKeyId: !If - LogEncryptionWithKmsCondition - !GetAtt LogGroupKmsKey.Arn - !Ref 'AWS::NoValue' LogGroupName: AwsCommunityResourceLookupResourceType RetentionInDays: !Ref 'LogRetentionInDays' Tags: - Key: Name Value: AwsCommunityResourceLookup-LogGroup - Key: AppName Value: AwsCommunityResourceLookup - Key: Env Value: !Ref 'Env' LogGroupKmsKey: Type: AWS::KMS::Key Properties: EnableKeyRotation: true KeyPolicy: Id: key-default-1 Statement: - Action: kms:* Effect: Allow Principal: AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root' Resource: '*' Sid: Enable IAM User Permissions - Action: - kms:Decrypt* - kms:Describe* - kms:Encrypt* - kms:GenerateDataKey* - kms:ReEncrypt* Condition: ArnEquals: kms:EncryptionContext:aws:logs:arn: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:AwsCommunityResourceLookupResourceType' Effect: Allow Principal: Service: !Sub 'logs.${AWS::Region}.amazonaws.com' Resource: '*' Version: "2012-10-17" Tags: - Key: Name Value: AwsCommunityResourceLookup-LogGroupKmsKey - Key: AppName Value: AwsCommunityResourceLookup - Key: Env Value: !Ref 'Env' Condition: LogEncryptionWithKmsCondition LogGroupKmsKeyAlias: Type: AWS::KMS::Alias Properties: AliasName: alias/AwsCommunityResourceLookupResourceTypeLogs TargetKeyId: !Ref 'LogGroupKmsKey' Condition: LogEncryptionWithKmsCondition ResourceDefaultVersion: Type: AWS::CloudFormation::ResourceDefaultVersion Properties: TypeName: AwsCommunity::Resource::Lookup VersionId: !GetAtt ResourceVersion.VersionId ResourceVersion: Type: AWS::CloudFormation::ResourceVersion Properties: ExecutionRoleArn: !GetAtt ExecutionRole.Arn LoggingConfig: LogGroupName: !Ref 'LogGroup' LogRoleArn: !GetAtt LogAndMetricsDeliveryRole.Arn SchemaHandlerPackage: !Ref 'SchemaHandlerPackage' TypeName: AwsCommunity::Resource::Lookup Outputs: KmsKeyAlias: Description: The alias of the AWS KMS key you created to encrypt log data in the Amazon CloudWatch Logs LogGroup resource. Value: !Ref 'LogGroupKmsKeyAlias' Condition: LogEncryptionWithKmsCondition KmsKeyId: Description: The ID of the AWS KMS key you created to encrypt log data in the Amazon CloudWatch Logs LogGroup resource. Value: !Ref 'LogGroupKmsKey' Condition: LogEncryptionWithKmsCondition ResourceVersionId: Description: The ID of the resource type version you submitted to the registry. Value: !GetAtt ResourceVersion.VersionId