// Jest Snapshot v1, https://goo.gl/fbAQLP
//
// Generated snapshot of the synthesized CloudFormation template for the
// sharing-account stack. Do not edit the template text by hand: change the
// stack definition and refresh with `jest --updateSnapshot`.
//
// NOTE(review): security-relevant properties this snapshot pins:
//  - Parameter validation: only SolutionUUID has an AllowedPattern. The
//    MonitorAcct* parameters default to "" and are unconstrained, yet
//    MonitorAcctCustomEventBusARN and MonitorAcctMetricsBucketARN are used
//    directly as IAM policy Resources and as event-rule / Firehose targets.
//  - TagQueryRule26FBA3FD assembles its target Input JSON with Fn::Join,
//    placing the raw TagsConfig* parameter values between literal quotes.
//    Nothing escapes or pattern-checks them, so a value containing a double
//    quote or backslash no longer produces the intended document.
//  - Runtimes: the LogRetention function is on nodejs14.x and the other two
//    functions on nodejs16.x, with AwsSolutions-L1 suppressed; check both
//    against the currently supported Lambda runtimes.
//  - IAM scope: the CloudWatch Logs statements cover log-group:/aws/lambda/*
//    rather than each function's own group, and Resource "*" is granted for
//    tag:GetResources, the X-Ray trace/telemetry writes and
//    logs:PutRetentionPolicy / logs:DeleteRetentionPolicy (each with a
//    cdk_nag or cfn_nag suppression).
//  - Data at rest: the Firehose stream uses AWS_OWNED_CMK; the Firehose log
//    group sets no retention or KMS key (W84/W86 suppressed) and is retained
//    on stack deletion.

exports[`Snapshot test for primary SharingAccountStack 1`] = ` { "Conditions": { "TagQueryAnyTagConfigsCond060F5869": { "Fn::Not": [ { "Fn::And": [ { "Fn::Equals": [ { "Ref": "TagsConfigCodeCommit", }, "", ], }, { "Fn::Equals": [ { "Ref": "TagsConfigCodeBuild", }, "", ], }, { "Fn::Equals": [ { "Ref": "TagsConfigCodePipeline", }, "", ], }, ], }, ], }, }, "Description": "(SO0143)DevOps Monitoring Dashboard on AWS - Sharing Account Template. Version: v1.0.0", "Mappings": { "AnonymousData": { "SendAnonymousUsageData": { "Data": "Yes", "MetricsURL": "https://metrics.awssolutionsbuilder.com/generic", }, }, "UserAgentExtra": { "UserAgentExtra": { "Key": "AwsSolution/SO0143/v1.0.0", }, }, }, "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Monitoring Account Configuration", }, "Parameters": [ "MonitorAcctCustomEventBusARN", "MonitorAcctMetricsBucketARN", "MonitorAcctNumber", "MonitorAcctRegion", "SolutionUUID", ], }, { "Label": { "default": "Tag Configuration", }, "Parameters": [ "TagsConfigCodeCommit", "TagsConfigCodeBuild", "TagsConfigCodePipeline", ], }, ], "ParameterLabels": { "MonitorAcctCustomEventBusARN": { "default": "ARN of the custom event bus in the monitoring account", }, "MonitorAcctMetricsBucketARN": { "default": "ARN of the DevOps metrics S3 bucket in the monitoring account", }, "MonitorAcctNumber": { "default": "AWS account number of the monitoring account", }, "MonitorAcctRegion": { "default": "AWS region of the monitoring account where the solution's main template is deployed", }, "SolutionUUID": { "default": "Solution UUID", }, "TagsConfigCodeBuild": { "default": "Tag Configuration for filtering on CodeBuild Projects", }, "TagsConfigCodeCommit": { "default": "Tag Configuration for filtering on CodeCommit Repositories", }, "TagsConfigCodePipeline": { "default": "Tag Configuration for filtering on CodePipeline Pipelines", }, }, }, }, "Outputs": { "SolutionVersion": { 
"Description": "Version for DevOps Monitoring Dashboard on AWS solution", "Value": "v1.0.0", }, }, "Parameters": { "MonitorAcctCustomEventBusARN": { "Default": "", "Description": "ARN of the custom Amazon EventBridge Event Bus in the monitoring account where the events are sent. To find the ARN, sign in the AWS CloudFormation console in the monitoring account, select the solution's main CloudFormation stack you deployed, open Outputs tab, then copy the value for CustomEventBusArn. E.g., arn:aws:events:Region:Account:event-bus/EventBusName", "Type": "String", }, "MonitorAcctMetricsBucketARN": { "Default": "", "Description": "Enter the ARN of the S3 bucket in the monitoring account where DevOps metrics are stored. To find the ARN, sign in the AWS CloudFormation console in the monitoring account, select the solution's main CloudFormation stack you deployed, open Outputs tab, then copy the value for DevOpsMetricsS3Bucket. E.g., arn:aws:s3:::aws-devops-metrics-xxxxxx.", "Type": "String", }, "MonitorAcctNumber": { "Default": "", "Description": "Enter the AWS account number of the monitoring account where the solution's main template is deployed to receive data from other accounts.", "Type": "String", }, "MonitorAcctRegion": { "Default": "", "Description": "Enter the AWS region of the monitoring account where the solution's main template is deployed to receive data from other accounts. E.g., us-east-1.", "Type": "String", }, "SolutionUUID": { "AllowedPattern": "^[a-fA-F0-9]{8}-(?:[a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}$", "Description": "The generated solution UUID from the monitoring stack. Used for anonymous usage metrics. To find the ARN, sign in the AWS CloudFormation console in the monitoring account, select the solution's main CloudFormation stack you deployed, open Outputs tab, then copy the value for SolutionUUID. 
E.g., 3089cafd-60ee-4b65-b368-1cb38060f3b1", "Type": "String", }, "TagsConfigCodeBuild": { "Description": "Enter a semicolon-separated list of tags, using a comma as a separator between the tag key and value (e.g. "env,prod;anotherKey,anotherValue"). Omitting a value will result in a filter that captures all values for that tag.", "Type": "String", }, "TagsConfigCodeCommit": { "Description": "Enter a semicolon-separated list of tags, using a comma as a separator between the tag key and value (e.g. "env,prod;anotherKey,anotherValue"). Omitting a value will result in a filter that captures all values for that tag.", "Type": "String", }, "TagsConfigCodePipeline": { "Description": "Enter a semicolon-separated list of tags, using a comma as a separator between the tag key and value (e.g. "env,prod;anotherKey,anotherValue"). Omitting a value will result in a filter that captures all values for that tag.", "Type": "String", }, }, "Resources": { "CanaryEventsCanaryEventsRule115776A2": { "Properties": { "Description": "DevOps Monitoring Dashboard on AWS solution - Event rule for Amazon CloudWatch Synthetics Canary Alarm", "EventPattern": { "detail": { "configuration": { "metrics": { "metricStat": { "metric": { "namespace": [ "CloudWatchSynthetics", ], }, }, }, }, "previousState": { "value": [ "ALARM", ], }, "state": { "value": [ "OK", ], }, }, "detail-type": [ "CloudWatch Alarm State Change", ], "source": [ "aws.cloudwatch", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Ref": "MonitorAcctCustomEventBusARN", }, "Id": "Target0", "RoleArn": { "Fn::GetAtt": [ "InvokeEventBusRole5C586143", "Arn", ], }, }, ], }, "Type": "AWS::Events::Rule", }, "CodeBuildEventsCloudWatchMetricStreamB26149A1": { "Properties": { "FirehoseArn": { "Fn::GetAtt": [ "CodeBuildEventsCodeBuildKinesisFirehose48AE2746", "Arn", ], }, "IncludeFilters": [ { "Namespace": "AWS/CodeBuild", }, ], "OutputFormat": "json", "RoleArn": { "Fn::GetAtt": [ "CodeBuildEventsCloudWatchMetricStreamRole047DA47A", "Arn", ], 
}, }, "Type": "AWS::CloudWatch::MetricStream", }, "CodeBuildEventsCloudWatchMetricStreamRole047DA47A": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "streams.metrics.cloudwatch.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Path": "/", "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "firehose:PutRecord", "firehose:PutRecordBatch", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CodeBuildEventsCodeBuildKinesisFirehose48AE2746", "Arn", ], }, "Sid": "FirehosePutRecordPS", }, ], "Version": "2012-10-17", }, "PolicyName": "FirehosePutRecord-SO0143", }, ], }, "Type": "AWS::IAM::Role", }, "CodeBuildEventsCodeBuildEventParserBA00AD10": { "DependsOn": [ "CodeBuildEventsCodeBuildEventParserLambdaRole6077AACD", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Node.js 16 is one of the latest lambda runtime versions supported by solution pipeline.", }, ], }, "cfn_nag": { "rules_to_suppress": [ { "id": "W89", "reason": "There is no need to run this lambda in a VPC", }, { "id": "W92", "reason": "There is no need for Reserved Concurrency", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "b636deff91d9ee146f8394bf130e97730cc1bc6ee8169ec7b5a0d232f265a06c.zip", }, "Description": "DevOps Monitoring Dashboard on AWS solution - This function performs lambda transformation within kinesis firehose. 
It parses CloudWatch metrics for CodeBuild, sends relevant data to S3 for downstream operation", "Environment": { "Variables": { "LOG_LEVEL": "INFO", "UserAgentExtra": { "Fn::FindInMap": [ "UserAgentExtra", "UserAgentExtra", "Key", ], }, }, }, "Handler": "codebuild_index.handler", "Role": { "Fn::GetAtt": [ "CodeBuildEventsCodeBuildEventParserLambdaRole6077AACD", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CodeBuildEventsCodeBuildEventParserLambdaRole6077AACD": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "The policy is restricted to region, account and lambda resource.", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Path": "/", "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/*", ], ], }, "Sid": "CreateCWLogs", }, ], "Version": "2012-10-17", }, "PolicyName": "CodeBuildEventParserLambdaPolicy-SO0143", }, ], }, "Type": "AWS::IAM::Role", }, "CodeBuildEventsCodeBuildEventParserLogRetention28A35144": { "Properties": { "LogGroupName": { "Fn::Join": [ "", [ "/aws/lambda/", { "Ref": "CodeBuildEventsCodeBuildEventParserBA00AD10", }, ], ], }, "RetentionInDays": 90, "ServiceToken": { "Fn::GetAtt": [ "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A", "Arn", ], }, }, "Type": "Custom::LogRetention", }, "CodeBuildEventsCodeBuildKinesisFirehose48AE2746": { "DependsOn": [ "CodeBuildEventsCodeBuildKinesisFirehosePolicy928AD09F", ], "Properties": { "DeliveryStreamEncryptionConfigurationInput": { "KeyType": "AWS_OWNED_CMK", }, 
"ExtendedS3DestinationConfiguration": { "BucketARN": { "Ref": "MonitorAcctMetricsBucketARN", }, "BufferingHints": { "IntervalInSeconds": 300, "SizeInMBs": 128, }, "CloudWatchLoggingOptions": { "Enabled": true, "LogGroupName": { "Ref": "CodeBuildEventsCodeBuildfirehoseloggroup37533DE5", }, "LogStreamName": { "Ref": "CodeBuildEventsCodeBuildfirehoseloggroupfirehoselogstreamEEA2FA4F", }, }, "CompressionFormat": "UNCOMPRESSED", "DataFormatConversionConfiguration": { "Enabled": true, "InputFormatConfiguration": { "Deserializer": { "OpenXJsonSerDe": { "CaseInsensitive": true, }, }, }, "OutputFormatConfiguration": { "Serializer": { "ParquetSerDe": { "Compression": "SNAPPY", }, }, }, "SchemaConfiguration": { "DatabaseName": "aws_devops_metrics_db_so0143", "RoleARN": { "Fn::GetAtt": [ "CodeBuildEventsCodeBuildKinesisFirehoseRole28E73FBC", "Arn", ], }, "TableName": "aws_codebuild_metrics_table", }, }, "ErrorOutputPrefix": "CodeBuildEventsProcessingErrorlogs/result=!{firehose:error-output-type}/created_at=!{timestamp:yyyy-MM-dd}/", "Prefix": "CodeBuildEvents/created_at=!{timestamp:yyyy-MM-dd}/", "ProcessingConfiguration": { "Enabled": true, "Processors": [ { "Parameters": [ { "ParameterName": "LambdaArn", "ParameterValue": { "Fn::GetAtt": [ "CodeBuildEventsCodeBuildEventParserBA00AD10", "Arn", ], }, }, ], "Type": "Lambda", }, ], }, "RoleARN": { "Fn::GetAtt": [ "CodeBuildEventsCodeBuildKinesisFirehoseRole28E73FBC", "Arn", ], }, }, }, "Type": "AWS::KinesisFirehose::DeliveryStream", }, "CodeBuildEventsCodeBuildKinesisFirehosePolicy928AD09F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "The policy is restricted to S3 bucket or region, account and glue resource", }, ], }, "cfn_nag": { "rules_to_suppress": [ { "id": "W76", "reason": "This role needs all required permissions", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", 
"s3:ListBucketMultipartUploads", "s3:PutObject", ], "Effect": "Allow", "Resource": [ { "Ref": "MonitorAcctMetricsBucketARN", }, { "Fn::Join": [ "", [ { "Ref": "MonitorAcctMetricsBucketARN", }, "/*", ], ], }, ], }, { "Action": "logs:PutLogEvents", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:", { "Ref": "CodeBuildEventsCodeBuildfirehoseloggroup37533DE5", }, ":log-stream:", { "Ref": "CodeBuildEventsCodeBuildfirehoseloggroupfirehoselogstreamEEA2FA4F", }, ], ], }, }, { "Action": [ "lambda:InvokeFunction", "lambda:GetFunctionConfiguration", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "CodeBuildEventsCodeBuildEventParserBA00AD10", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CodeBuildEventsCodeBuildEventParserBA00AD10", "Arn", ], }, ":$LATEST", ], ], }, ], "Sid": "InvokeLambda", }, { "Action": [ "glue:GetTable", "glue:GetTableVersion", "glue:GetTableVersions", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":glue:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":catalog", ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":glue:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":database/aws_devops_metrics_db_so0143", ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":glue:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":table/aws_devops_metrics_db_so0143/aws_codebuild_metrics_table", ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":glue:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":table/aws_devops_metrics_db_so0143/*", ], ], }, ], "Sid": "glueAccessPSForCodeBuildEventsFirehose", }, ], "Version": "2012-10-17", }, "PolicyName": "CodeBuildEventsCodeBuildKinesisFirehosePolicy928AD09F", "Roles": [ { "Ref": 
"CodeBuildEventsCodeBuildKinesisFirehoseRole28E73FBC", }, ], }, "Type": "AWS::IAM::Policy", }, "CodeBuildEventsCodeBuildKinesisFirehoseRole28E73FBC": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "firehose.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "CodeBuildEventsCodeBuildfirehoseloggroup37533DE5": { "DeletionPolicy": "Retain", "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W86", "reason": "Retention period for CloudWatchLogs LogGroups are set to 'Never Expire' to preserve customer data indefinitely", }, { "id": "W84", "reason": "By default CloudWatchLogs LogGroups data is encrypted using the CloudWatch server-side encryption keys (AWS Managed Keys)", }, ], }, }, "Type": "AWS::Logs::LogGroup", "UpdateReplacePolicy": "Retain", }, "CodeBuildEventsCodeBuildfirehoseloggroupfirehoselogstreamEEA2FA4F": { "DeletionPolicy": "Retain", "Properties": { "LogGroupName": { "Ref": "CodeBuildEventsCodeBuildfirehoseloggroup37533DE5", }, }, "Type": "AWS::Logs::LogStream", "UpdateReplacePolicy": "Retain", }, "CodeCommitEventsCodeCommitEventsRule16A31B6E": { "Properties": { "Description": "DevOps Monitoring Dashboard on AWS solution - Event rule for AWS CodeCommit", "EventPattern": { "detail": { "eventName": [ "PutFile", "DeleteFile", "UpdateFile", "GitPush", ], }, "detail-type": [ "AWS API Call via CloudTrail", ], "source": [ "aws.codecommit", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Ref": "MonitorAcctCustomEventBusARN", }, "Id": "Target0", "RoleArn": { "Fn::GetAtt": [ "InvokeEventBusRole5C586143", "Arn", ], }, }, ], }, "Type": "AWS::Events::Rule", }, "CodeDeployEventsCodeDeployEventsRule9A7B5DEA": { "Properties": { "Description": "DevOps Monitoring Dashboard on AWS solution - Event rule for AWS CodeDeploy", "EventPattern": { "detail-type": [ "CodeDeploy Deployment State-change Notification", ], "source": [ "aws.codedeploy", ], 
}, "State": "ENABLED", "Targets": [ { "Arn": { "Ref": "MonitorAcctCustomEventBusARN", }, "Id": "Target0", "RoleArn": { "Fn::GetAtt": [ "InvokeEventBusRole5C586143", "Arn", ], }, }, ], }, "Type": "AWS::Events::Rule", }, "CodePipelineAlarmEventsCodePipelineAlarmEventsRule89554585": { "Properties": { "Description": "DevOps Monitoring Dashboard on AWS solution - Event rule for AWS CodePipeline Alarm", "EventPattern": { "detail": { "configuration": { "metrics": { "metricStat": { "metric": { "namespace": [ "CodePipeline/SO0143/Pipelines", ], }, }, }, }, "previousState": { "value": [ "ALARM", ], }, "state": { "value": [ "OK", ], }, }, "detail-type": [ "CloudWatch Alarm State Change", ], "source": [ "aws.cloudwatch", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Ref": "MonitorAcctCustomEventBusARN", }, "Id": "Target0", "RoleArn": { "Fn::GetAtt": [ "InvokeEventBusRole5C586143", "Arn", ], }, }, ], }, "Type": "AWS::Events::Rule", }, "CodePipelineEventsCodePipelineEventsRuleB5CD4C2A": { "Properties": { "Description": "DevOps Monitoring Dashboard on AWS solution - Event rule for AWS CodePipeline", "EventPattern": { "detail-type": [ "CodePipeline Action Execution State Change", ], "source": [ "aws.codepipeline", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Ref": "MonitorAcctCustomEventBusARN", }, "Id": "Target0", "RoleArn": { "Fn::GetAtt": [ "InvokeEventBusRole5C586143", "Arn", ], }, }, ], }, "Type": "AWS::Events::Rule", }, "GlueAthenaDatabaseAWSDevopsMetricsGlueDatabaseB82980FF": { "Properties": { "CatalogId": { "Ref": "AWS::AccountId", }, "DatabaseInput": { "Name": "aws_devops_metrics_db_so0143", }, }, "Type": "AWS::Glue::Database", }, "GlueAthenaDatabaseCodeBuildMetricsGlueTableE0ED7BB0": { "Properties": { "CatalogId": { "Ref": "AWS::AccountId", }, "DatabaseName": { "Ref": "GlueAthenaDatabaseAWSDevopsMetricsGlueDatabaseB82980FF", }, "TableInput": { "Description": "DevOps Monitoring Dashboard on AWS solution - AWS CodeBuild Metrics Glue table", "Name": 
"aws_codebuild_metrics_table", "Parameters": { "classification": "parquet", "has_encrypted_data": false, }, "PartitionKeys": [ { "Name": "created_at", "Type": "timestamp", }, ], "StorageDescriptor": { "Columns": [ { "Name": "metric_stream_name", "Type": "string", }, { "Name": "account_id", "Type": "string", }, { "Name": "region", "Type": "string", }, { "Name": "namespace", "Type": "string", }, { "Name": "metric_name", "Type": "string", }, { "Name": "dimensions", "Type": "struct", }, { "Name": "timestamp", "Type": "bigint", }, { "Comment": "struct", "Name": "value", "Type": "struct", }, { "Name": "unit", "Type": "string", }, ], "Compressed": false, "InputFormat": "org.apache.hadoop.hive.ql.io.parquet.MapredParquetInputFormat", "Location": { "Fn::Join": [ "", [ "s3://", { "Fn::Select": [ 0, { "Fn::Split": [ "/", { "Fn::Select": [ 5, { "Fn::Split": [ ":", { "Ref": "MonitorAcctMetricsBucketARN", }, ], }, ], }, ], }, ], }, "/CodeBuildEvents/", ], ], }, "OutputFormat": "org.apache.hadoop.hive.ql.io.parquet.MapredParquetOutputFormat", "SerdeInfo": { "SerializationLibrary": "org.apache.hadoop.hive.ql.io.parquet.serde.ParquetHiveSerDe", }, "StoredAsSubDirectories": true, }, "TableType": "EXTERNAL_TABLE", }, }, "Type": "AWS::Glue::Table", }, "InvokeEventBusRole5C586143": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Path": "/", "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": "events:PutEvents", "Effect": "Allow", "Resource": { "Ref": "MonitorAcctCustomEventBusARN", }, "Sid": "putEventsPS", }, ], "Version": "2012-10-17", }, "PolicyName": "InvokeEventBusPolicy", }, ], }, "Type": "AWS::IAM::Role", }, "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A": { "DependsOn": [ "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB", 
"LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB", ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "Lambda has the required permission to write CloudWatch Logs through a custom policy.", }, { "id": "W89", "reason": "There is no need to deploy this Lambda to a VPC.", }, { "id": "W92", "reason": "There is no need for Reserved Concurrency.", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "eb5b005c858404ea0c8f68098ed5dcdf5340e02461f149751d10f59c210d5ef8.zip", }, "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB", "Arn", ], }, "Runtime": "nodejs14.x", }, "Type": "AWS::Lambda::Function", }, "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM4", "reason": "The managed policy is automatically generated by CDK itself to enable log retention.", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Resource * is required by the Lambda Execution role, so that the Lambda can add ResourcePolicies to all required resources.", }, ], }, "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required by the Lambda Execution role, so that the Lambda can add ResourcePolicies to all required resources.", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { 
"Action": [ "logs:PutRetentionPolicy", "logs:DeleteRetentionPolicy", ], "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB", "Roles": [ { "Ref": "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB", }, ], }, "Type": "AWS::IAM::Policy", }, "TagQueryE8AE49BA": { "DependsOn": [ "TagQueryRoleDefaultPolicy7379AC5B", "TagQueryRoleA60A4D7B", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Node.js 16 is one of the latest lambda runtime versions supported by solution pipeline.", }, ], }, "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "Lambda has the required permission to write CloudWatch Logs through a custom policy.", }, { "id": "W89", "reason": "This lambda does not need to be deployed inside a VPC", }, { "id": "W92", "reason": "This lambda does not need reserved concurrent executions", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "cf193ef1c25bd1b5697a3a741c4916d109577846dd69f1ccac4c5d47333782db.zip", }, "Description": "DevOps Monitoring Dashboard on AWS solution - This function queries CodeCommit, CodeBuild, and CodePipeline resources for tag information.", "Environment": { "Variables": { "LOG_LEVEL": "INFO", "METRICS_URL": { "Fn::FindInMap": [ "AnonymousData", "SendAnonymousUsageData", "MetricsURL", ], }, "SEND_ANONYMOUS_USAGE_METRICS": { "Fn::FindInMap": [ "AnonymousData", "SendAnonymousUsageData", "Data", ], }, "SOLUTION_ID": "SO0143", "SOLUTION_UUID": { "Ref": "SolutionUUID", }, "SOLUTION_VERSION": "v1.0.0", "STACK_TYPE": "sharing", "USER_AGENT_EXTRA": { "Fn::FindInMap": [ "UserAgentExtra", "UserAgentExtra", "Key", ], }, }, }, "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "TagQueryRoleA60A4D7B", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 900, "TracingConfig": { "Mode": "Active", }, }, 
"Type": "AWS::Lambda::Function", }, "TagQueryInvokeTagQuery42CA6DAC": { "DeletionPolicy": "Delete", "DependsOn": [ "TagQueryPolicyDFB4C0BD", ], "Properties": { "CodeBuildTagConfig": { "Ref": "TagsConfigCodeBuild", }, "CodeCommitTagConfig": { "Ref": "TagsConfigCodeCommit", }, "CodePipelineTagConfig": { "Ref": "TagsConfigCodePipeline", }, "ReportBucket": { "Fn::Select": [ 0, { "Fn::Split": [ "/", { "Fn::Select": [ 5, { "Fn::Split": [ ":", { "Ref": "MonitorAcctMetricsBucketARN", }, ], }, ], }, ], }, ], }, "ServiceToken": { "Fn::GetAtt": [ "TagQueryE8AE49BA", "Arn", ], }, }, "Type": "Custom::InvokeTagQuery", "UpdateReplacePolicy": "Delete", }, "TagQueryPolicyDFB4C0BD": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcard permissions required for logging, GetResources, and uploading to S3.", }, ], }, "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "This lambda requires wildcard permissions to write logs, query tag information, and upload reports", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/*", ], ], }, "Sid": "LogsStatement", }, { "Action": "tag:GetResources", "Effect": "Allow", "Resource": "*", "Sid": "TagStatement", }, { "Action": [ "s3:PutObject", "s3:DeleteObject", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ { "Ref": "MonitorAcctMetricsBucketARN", }, "/TaggedResources/*", ], ], }, "Sid": "ReportStatement", }, ], "Version": "2012-10-17", }, "PolicyName": "TagQueryPolicyDFB4C0BD", "Roles": [ { "Ref": "TagQueryRoleA60A4D7B", }, ], }, "Type": "AWS::IAM::Policy", }, "TagQueryRoleA60A4D7B": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": 
{ "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "TagQueryRoleDefaultPolicy7379AC5B": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcard permissions required for xray.", }, ], }, "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Wildcard permissions required for xray.", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords", ], "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "TagQueryRoleDefaultPolicy7379AC5B", "Roles": [ { "Ref": "TagQueryRoleA60A4D7B", }, ], }, "Type": "AWS::IAM::Policy", }, "TagQueryRule26FBA3FD": { "Properties": { "Description": "DevOps Monitoring Dashboard on AWS solution - Event rule for querying tag information", "ScheduleExpression": "rate(15 minutes)", "State": { "Fn::If": [ "TagQueryAnyTagConfigsCond060F5869", "ENABLED", "DISABLED", ], }, "Targets": [ { "Arn": { "Fn::GetAtt": [ "TagQueryE8AE49BA", "Arn", ], }, "Id": "Target0", "Input": { "Fn::Join": [ "", [ "{"ReportBucket":"", { "Fn::Select": [ 0, { "Fn::Split": [ "/", { "Fn::Select": [ 5, { "Fn::Split": [ ":", { "Ref": "MonitorAcctMetricsBucketARN", }, ], }, ], }, ], }, ], }, "","CodeCommitTagConfig":"", { "Ref": "TagsConfigCodeCommit", }, "","CodeBuildTagConfig":"", { "Ref": "TagsConfigCodeBuild", }, "","CodePipelineTagConfig":"", { "Ref": "TagsConfigCodePipeline", }, ""}", ], ], }, "RetryPolicy": { "MaximumRetryAttempts": 0, }, }, ], }, "Type": "AWS::Events::Rule", }, "TagQueryRuleAllowEventRuleSharingAccountStackTagQuery521F1956A34B4495": { "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "TagQueryE8AE49BA", "Arn", ], }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "TagQueryRule26FBA3FD", "Arn", ], }, }, "Type": "AWS::Lambda::Permission", }, }, } `;