AWSTemplateFormatVersion: "2010-09-09"
# SAM transform: enables AWS::Serverless::* resources and the Globals section.
Transform: "AWS::Serverless-2016-10-31"
# Defaults applied to every AWS::Serverless::Api in the template (none is
# visible in this part of the file; presumably defined further down).
Globals:
  Api:
    # Lets API Gateway return zip downloads as binary instead of text.
    # SAM expects "/" escaped as "~1" here; it is deployed as
    # "application/zip".
    BinaryMediaTypes:
      - "application~1zip"

Description: "CDF Sample Tenant Module"

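Parameters:
  Environment:
    Description: Name of environment.  Used to name the created resources.
    Type: String
    # Rejects an empty string, which would otherwise yield SSM paths such as
    # "/cdf/facade-tenant//templates/bucket".
    MinLength: 1

  ControlPlaneAccount:
    Description: Account where control plane services are deployed
    Type: String
    # Used as the "account" field of the cross-account event pattern, which
    # can only match a 12-digit AWS account ID; validate at deploy time rather
    # than creating a rule that never matches.
    MinLength: 1
    AllowedPattern: "^[0-9]{12}$"
    ConstraintDescription: Must be a 12-digit AWS account ID

  ControlPlaneBusName:
    Description: Arn for Control Plane EventBridge bus
    Type: String
    MinLength: 1
    # The subscription rule splits this value on ":" and relies on field 4
    # (account) and field 5 ("event-bus/<name>") being present, so require
    # the full event-bus ARN shape.
    AllowedPattern: "^arn:aws[a-z-]*:events:[a-z0-9-]+:[0-9]{12}:event-bus/[A-Za-z0-9._/-]+$"
    ConstraintDescription: Must be the full ARN of an EventBridge event bus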

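Resources:
  # Customer-managed key for the tenant account; its key ID is published via
  # TenantKmsKeySsmParameter so other stacks can look it up.
  CDFTenantKmsKey:
    Type: "AWS::KMS::Key"
    Properties:
      Description: !Sub "CDF tenant key for environment ${Environment}"
      # Annual automatic rotation: baseline control for symmetric CMKs and
      # harmless for existing ciphertext (old key material is retained).
      EnableKeyRotation: true
      KeyPolicy:
        # Quoted: an unquoted 2012-10-17 is a timestamp to YAML 1.1 parsers.
        Version: "2012-10-17"
        Id: cdf-tenant-default
        Statement:
          # Delegates key administration to IAM in this account via the
          # account principal; the partition is no longer hard-coded to "aws".
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"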

  # Holds provisioning artifacts; its name is published via
  # TenantArtifactBucketSsmParameter.
  TenantArtifactBucket:
    Type: "AWS::S3::Bucket"
    Properties:
      # Account ID and region in the name make it unique per account/region.
      BucketName: !Sub "cdf-tenant-${AWS::AccountId}-artifacts-${AWS::Region}"
      # All four public-access blocks enabled: the bucket stays private.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
      # S3-managed keys (SSE-S3). NOTE(review): CDFTenantKmsKey is not used
      # here; confirm SSE-S3 rather than the tenant CMK is intentional.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: "AES256"

  # Publishes the artifact bucket name under the environment's SSM namespace.
  TenantArtifactBucketSsmParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub "/cdf/facade-tenant/${Environment}/templates/bucket"
      Type: "String"
      # !Ref on an S3 bucket resolves to the bucket name.
      Value: !Ref TenantArtifactBucket
      Description: "Bucket to store provisioning artifacts"

  # Publishes the tenant KMS key ID under the environment's SSM namespace.
  TenantKmsKeySsmParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub "/cdf/facade-tenant/${Environment}/key"
      Type: "String"
      # !Ref on a KMS key resolves to the key ID (not the ARN).
      Value: !Ref CDFTenantKmsKey
      Description: "Kms Key used in Tenant account"

  # Tenant-side bus that receives events forwarded from the control plane.
  TenantAccountBus:
    Type: "AWS::Events::EventBus"
    Properties:
      Name: !Sub "TenantAccountBus-${Environment}"

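  # Role EventBridge assumes to put matched control-plane events onto
  # TenantAccountBus (target RoleArn of the subscription rule below).
  ControlPlaneEventBusToTenantAccountBusRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        # Quoted: an unquoted 2012-10-17 is a timestamp to YAML 1.1 parsers.
        Version: "2012-10-17"
        Statement:
          # NOTE(review): trust is granted to the whole EventBridge service
          # with no aws:SourceAccount / aws:SourceArn condition, the usual
          # confused-deputy guard. Confirm which account owns the cross-account
          # rule before choosing the condition value.
          - Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: PutEventsOnTenantAccountBus
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Least privilege: PutEvents only, on the tenant bus only.
              - Effect: Allow
                Action: "events:PutEvents"
                Resource: !GetAtt TenantAccountBus.Arn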

  # Dead-letter queue for failed deliveries from the subscription rule.
  # NOTE(review): no AWS::SQS::QueuePolicy granting events.amazonaws.com
  # sqs:SendMessage on this queue is visible in this part of the file;
  # EventBridge cannot deliver to a DLQ without one — confirm it exists.
  # Encryption is left at the service default; consider SqsManagedSseEnabled
  # or KmsMasterKeyId if dead-lettered events carry tenant data.
  TenantAccountBusDlqArn:
    Type: "AWS::SQS::Queue"

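  # Rule placed on the control plane's bus (EventBusName is a cross-account
  # ARN) that forwards CDF events to this account's TenantAccountBus.
  ControlPlaneToTenantAccountBusSubscriptionRule:
    Type: "AWS::Events::Rule"
    Properties:
      # Account ID in the name keeps each tenant's rule distinct on the
      # shared bus.
      Name: !Sub "TenantAccountBusSubscription-${AWS::AccountId}"
      Description: !Sub "Cross account rule created by Account ${AWS::AccountId}"
      # Rebuild the bus ARN from the parameter: account (field 4) and
      # "event-bus/<name>" (field 5) are kept, while partition and region are
      # taken from the deploying stack (previously the partition was
      # hard-coded to "aws").
      EventBusName: !Join
        - ":"
        - - !Sub "arn:${AWS::Partition}:events:${AWS::Region}"
          - !Select [4, !Split [":", !Ref ControlPlaneBusName]]
          - !Select [5, !Split [":", !Ref ControlPlaneBusName]]
      # Match only events emitted by the control plane account whose
      # detail-type starts with "CDF".
      EventPattern:
        source:
          - "com.aws.cdf.controlplane"
        account:
          - !Ref ControlPlaneAccount
        detail-type:
          - prefix: "CDF"
      State: "ENABLED"
      Targets:
        - Id: SendToTenantEventBus
          Arn: !GetAtt TenantAccountBus.Arn
          RoleArn: !GetAtt ControlPlaneEventBusToTenantAccountBusRole.Arn
          # Deliveries that fail after retries are sent to this queue.
          DeadLetterConfig:
            Arn: !GetAtt TenantAccountBusDlqArn.Arn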

  # Forwards CDF events arriving on TenantAccountBus to a CloudWatch log group
  # (despite the resource name, the target is a log group, not a Lambda).
  TenantAccountBusToEventBridgeLambdaRule:
    Type: "AWS::Events::Rule"
    Properties:
      Description: "Tenant Account Bus To CloudWatch log rule"
      EventBusName: !GetAtt TenantAccountBus.Arn
      # Narrower than the subscription rule: detail-type must start with
      # "CDF events".
      EventPattern:
        source:
          - "com.aws.cdf.controlplane"
        detail-type:
          - prefix: "CDF events"
      State: ENABLED
      Targets:
        - Id: LogTarget
          Arn: !GetAtt LogGroupForEvents.Arn

  # Destination log group for TenantAccountBusToEventBridgeLambdaRule.
  # NOTE(review): no RetentionInDays, so events are retained indefinitely;
  # set one if this outlives the test setup the name suggests.
  LogGroupForEvents:
    Type: "AWS::Logs::LogGroup"
    Properties:
      LogGroupName: "/aws/cdflogs/events/cross-account-subscription-test"

  # CloudWatch Logs resource policy letting EventBridge write to
  # LogGroupForEvents. Such policies are account/region-wide, so the log
  # group is named explicitly in each statement's Resource.
  LogGroupForEventsPolicy:
    Type: AWS::Logs::ResourcePolicy
    Properties:
      PolicyName: EventBridgeToCWLogsPolicy
      # JSON rendered through !Sub: ${LogGroupForEvents.Arn} and the rule ARN
      # are substituted at deploy time. Only the PutLogEvents statement is
      # scoped to the rule via AWS:SourceArn; CreateLogStream has no condition.
      # NOTE(review): confirm whether the CreateLogStream grant can carry an
      # aws:SourceAccount condition before tightening it.
      PolicyDocument: !Sub >
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "EventBridgetoCWLogsCreateLogStreamPolicy",
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "events.amazonaws.com"
                ]
              },
              "Action": [
                "logs:CreateLogStream"
              ],
              "Resource": [
                "${LogGroupForEvents.Arn}"
              ]
            },
            {
              "Sid": "EventBridgetoCWLogsPutLogEventsPolicy",
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "events.amazonaws.com"
                ]
              },
              "Action": [
                "logs:PutLogEvents"
              ],
              "Resource": [
                "${LogGroupForEvents.Arn}"
              ],
              "Condition": {
                "ArnEquals": {"AWS:SourceArn": "${TenantAccountBusToEventBridgeLambdaRule.Arn}"}
              }
            }
          ]
        }