# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
---
description: |
  ### Document Name - ASR-CreateLogMetricFilterAndAlarm
  ## What does this document do?
  Creates a metric filter for a given log group and also creates and alarm for the metric.

  ## Input Parameters
  * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
  * CloudWatch Log Group Name: Name of the CloudWatch log group to use to create metric filter
  * Alarm Value: Threshhold value for the creating an alarm for the CloudWatch Alarm

  ## Security Standards / Controls
  * CIS v1.2.0:     3.1-3.14
schemaVersion: '0.3'
assumeRole: "{{ AutomationAssumeRole }}"
parameters:
  AutomationAssumeRole:
    type: String
    description: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
    allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role/[\w+=,.@-]+$'
  LogGroupName:
    type: String
    description: Name of the log group to be used to create metric filter
    allowedPattern: '.*'
  FilterName:
    type: String
    description: Name for the metric filter
    allowedPattern: '.*'
  FilterPattern:
    type: String
    description: Filter pattern to create metric filter
    allowedPattern: '.*'
  MetricName:
    type: String
    description: Name of the metric for metric filter
    allowedPattern: '.*'
  MetricValue:
    type: Integer
    description: Value of the metric for metric filter
  MetricNamespace:
    type: String
    description: Namespace where the metrics will be sent
    allowedPattern: '.*'
  AlarmName:
    type: String
    description: Name of the Alarm to be created for the metric filter
    allowedPattern: '.*'
  AlarmDesc:
    type: String
    description: Description of the Alarm to be created for the metric filter
    allowedPattern: '.*'
  AlarmThreshold:
    type: Integer
    description: Threshold value for the alarm
  KMSKeyArn:
    type: String
    description: The ARN of a KMS key to use for encryption of the SNS Topic and Config bucket
    allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):kms:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:(?:(?:alias/[A-Za-z0-9/-_])|(?:key/(?i:[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})))$'
  SNSTopicName:
    type: String
    allowedPattern: ^[a-zA-Z0-9][a-zA-Z0-9-_]{0,255}$

mainSteps:
  -
    name: CreateTopic
    action: 'aws:executeScript'
    outputs:
      - Name: TopicArn
        Selector: $.Payload.topic_arn
        Type: String
    inputs:
      InputPayload:
        kms_key_arn: '{{KMSKeyArn}}'
        topic_name: '{{SNSTopicName}}'
      Runtime: python3.8
      Handler: create_encrypted_topic
      Script: |-
        %%SCRIPT=CreateLogMetricFilterAndAlarm_createtopic.py%%

  -
    name: CreateMetricFilerAndAlarm
    action: 'aws:executeScript'
    outputs:
      - Name: Output
        Selector: $.Payload.response
        Type: StringMap
    inputs:
      InputPayload:
        LogGroupName: '{{LogGroupName}}'
        FilterName: '{{FilterName}}'
        FilterPattern: '{{FilterPattern}}'
        MetricName: '{{MetricName}}'
        MetricNamespace: '{{MetricNamespace}}'
        MetricValue: '{{MetricValue}}'
        AlarmName: '{{AlarmName}}'
        AlarmDesc: '{{AlarmDesc}}'
        AlarmThreshold: '{{AlarmThreshold}}'
        TopicArn: '{{CreateTopic.TopicArn}}'
      Runtime: python3.8
      Handler: verify
      Script: |-
        %%SCRIPT=CreateLogMetricFilterAndAlarm.py%%