// Jest Snapshot v1, https://goo.gl/fbAQLP exports[`do not create SSM credential path entry 1`] = ` { "Parameters": { "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaArtifactHash8E6713FC": { "Description": "Artifact hash for asset "9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caa"", "Type": "String", }, "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3Bucket476799AF": { "Description": "S3 bucket for asset "9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caa"", "Type": "String", }, "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF": { "Description": "S3 key for asset version "9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caa"", "Type": "String", }, }, "Resources": { "existingEventBus2F5875A1": { "Properties": { "Name": "testStackexistingEventBus7236155E", }, "Type": "AWS::Events::EventBus", }, "testCustomBusLambdaFunctionCAB66923": { "DependsOn": [ "testCustomBusLambdaFunctionServiceRoleDefaultPolicy9BAEE1C8", "testCustomBusLambdaFunctionServiceRoleCE76F238", ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions.", }, { "id": "W89", "reason": "This is not a rule for the general case, just for specific use cases/industries", }, { "id": "W92", "reason": "Impossible for us to define the correct concurrency for clients", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3Bucket476799AF", }, "S3Key": { "Fn::Join": [ "", [ { "Fn::Select": [ 0, { "Fn::Split": [ "||", { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF", }, ], }, ], }, { "Fn::Select": [ 1, { "Fn::Split": [ "||", { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF", }, ], }, ], }, ], ], }, }, "Environment": { "Variables": { "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1", "EVENT_BUS_NAME": { "Ref": "existingEventBus2F5875A1", }, }, }, "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "testCustomBusLambdaFunctionServiceRoleCE76F238", "Arn", ], }, "Runtime": "nodejs14.x", "TracingConfig": { "Mode": "Active", }, }, "Type": "AWS::Lambda::Function", }, "testCustomBusLambdaFunctionServiceRoleCE76F238": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/*", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "LambdaFunctionServiceRolePolicy", }, ], }, "Type": "AWS::IAM::Role", }, "testCustomBusLambdaFunctionServiceRoleDefaultPolicy9BAEE1C8": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC.", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords", ], "Effect": "Allow", "Resource": "*", }, { "Action": "events:PutEvents", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "existingEventBus2F5875A1", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "testCustomBusLambdaFunctionServiceRoleDefaultPolicy9BAEE1C8", "Roles": [ { "Ref": "testCustomBusLambdaFunctionServiceRoleCE76F238", }, ], }, "Type": "AWS::IAM::Policy", }, "testCustomBusRuleTargetLambdaEventsRuleC328D765": { "Properties": { "EventBusName": { "Ref": "existingEventBus2F5875A1", }, "EventPattern": { "account": [ { "Ref": "AWS::AccountId", }, ], "region": [ { "Ref": "AWS::Region", }, ], "source": [ "test.fake.namespace", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "testCustomBusRuleTargetLambdaLambdaFunctionFD9658D6", "Arn", ], }, "Id": "Target0", }, ], }, "Type": "AWS::Events::Rule", }, "testCustomBusRuleTargetLambdaLambdaFunctionAwsEventsLambdaInvokePermission1C5E16365": { "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "testCustomBusRuleTargetLambdaLambdaFunctionFD9658D6", "Arn", ], }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "testCustomBusRuleTargetLambdaEventsRuleC328D765", "Arn", ], }, }, "Type": "AWS::Lambda::Permission", }, "testCustomBusRuleTargetLambdaLambdaFunctionFD9658D6": { "DependsOn": [ "testCustomBusRuleTargetLambdaLambdaFunctionServiceRoleDefaultPolicy2D469CEC", "testCustomBusRuleTargetLambdaLambdaFunctionServiceRole6901AAAE", ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions.", }, { "id": "W89", "reason": "This is not a rule for the general case, just for specific use cases/industries", }, { "id": "W92", "reason": "Impossible for us to define the correct concurrency for clients", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3Bucket476799AF", }, "S3Key": { "Fn::Join": [ "", [ { "Fn::Select": [ 0, { "Fn::Split": [ "||", { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF", }, ], }, ], }, { "Fn::Select": [ 1, { "Fn::Split": [ "||", { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF", }, ], }, ], }, ], ], }, }, "Environment": { "Variables": { "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1", }, }, "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "testCustomBusRuleTargetLambdaLambdaFunctionServiceRole6901AAAE", "Arn", ], }, "Runtime": "nodejs14.x", "TracingConfig": { "Mode": "Active", }, }, "Type": "AWS::Lambda::Function", }, "testCustomBusRuleTargetLambdaLambdaFunctionServiceRole6901AAAE": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/*", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "LambdaFunctionServiceRolePolicy", }, ], }, "Type": "AWS::IAM::Role", }, "testCustomBusRuleTargetLambdaLambdaFunctionServiceRoleDefaultPolicy2D469CEC": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC.", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords", ], "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "testCustomBusRuleTargetLambdaLambdaFunctionServiceRoleDefaultPolicy2D469CEC", "Roles": [ { "Ref": "testCustomBusRuleTargetLambdaLambdaFunctionServiceRole6901AAAE", }, ], }, "Type": "AWS::IAM::Policy", }, }, } `; exports[`do not create source dynamodb table 1`] = ` { "Parameters": { "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaArtifactHash8E6713FC": { "Description": "Artifact hash for asset "9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caa"", "Type": "String", }, "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3Bucket476799AF": { "Description": "S3 bucket for asset "9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caa"", "Type": "String", }, "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF": { "Description": "S3 key for asset version "9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caa"", "Type": "String", }, }, "Resources": { "existingEventBus2F5875A1": { "Properties": { "Name": "testStackexistingEventBus7236155E", }, "Type": "AWS::Events::EventBus", }, "testCustomBusLambdaFunctionCAB66923": { "DependsOn": [ "testCustomBusLambdaFunctionServiceRoleDefaultPolicy9BAEE1C8", "testCustomBusLambdaFunctionServiceRoleCE76F238", ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions.", }, { "id": "W89", "reason": "This is not a rule for the general case, just for specific use cases/industries", }, { "id": "W92", "reason": "Impossible for us to define the correct concurrency for clients", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3Bucket476799AF", }, "S3Key": { "Fn::Join": [ "", [ { "Fn::Select": [ 0, { "Fn::Split": [ "||", { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF", }, ], }, ], }, { "Fn::Select": [ 1, { "Fn::Split": [ "||", { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF", }, ], }, ], }, ], ], }, }, "Environment": { "Variables": { "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1", "EVENT_BUS_NAME": { "Ref": "existingEventBus2F5875A1", }, }, }, "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "testCustomBusLambdaFunctionServiceRoleCE76F238", "Arn", ], }, "Runtime": "nodejs14.x", "TracingConfig": { "Mode": "Active", }, }, "Type": "AWS::Lambda::Function", }, "testCustomBusLambdaFunctionServiceRoleCE76F238": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/*", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "LambdaFunctionServiceRolePolicy", }, ], }, "Type": "AWS::IAM::Role", }, "testCustomBusLambdaFunctionServiceRoleDefaultPolicy9BAEE1C8": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC.", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords", ], "Effect": "Allow", "Resource": "*", }, { "Action": "events:PutEvents", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "existingEventBus2F5875A1", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "testCustomBusLambdaFunctionServiceRoleDefaultPolicy9BAEE1C8", "Roles": [ { "Ref": "testCustomBusLambdaFunctionServiceRoleCE76F238", }, ], }, "Type": "AWS::IAM::Policy", }, "testCustomBusRuleTargetLambdaEventsRuleC328D765": { "Properties": { "EventBusName": { "Ref": "existingEventBus2F5875A1", }, "EventPattern": { "account": [ { "Ref": "AWS::AccountId", }, ], "region": [ { "Ref": "AWS::Region", }, ], "source": [ "test.fake.namespace", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "testCustomBusRuleTargetLambdaLambdaFunctionFD9658D6", "Arn", ], }, "Id": "Target0", }, ], }, "Type": "AWS::Events::Rule", }, "testCustomBusRuleTargetLambdaLambdaFunctionAwsEventsLambdaInvokePermission1C5E16365": { "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "testCustomBusRuleTargetLambdaLambdaFunctionFD9658D6", "Arn", ], }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "testCustomBusRuleTargetLambdaEventsRuleC328D765", "Arn", ], }, }, "Type": "AWS::Lambda::Permission", }, "testCustomBusRuleTargetLambdaLambdaFunctionFD9658D6": { "DependsOn": [ "testCustomBusRuleTargetLambdaLambdaFunctionServiceRoleDefaultPolicy2D469CEC", "testCustomBusRuleTargetLambdaLambdaFunctionServiceRole6901AAAE", ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions.", }, { "id": "W89", "reason": "This is not a rule for the general case, just for specific use cases/industries", }, { "id": "W92", "reason": "Impossible for us to define the correct concurrency for clients", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3Bucket476799AF", }, "S3Key": { "Fn::Join": [ "", [ { "Fn::Select": [ 0, { "Fn::Split": [ "||", { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF", }, ], }, ], }, { "Fn::Select": [ 1, { "Fn::Split": [ "||", { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF", }, ], }, ], }, ], ], }, }, "Environment": { "Variables": { "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1", "TARGET_DDB_TABLE": { "Ref": "testCustomBusTargetDynamoTable4F158389", }, }, }, "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "testCustomBusRuleTargetLambdaLambdaFunctionServiceRole6901AAAE", "Arn", ], }, "Runtime": "nodejs14.x", "TracingConfig": { "Mode": "Active", }, }, "Type": "AWS::Lambda::Function", }, "testCustomBusRuleTargetLambdaLambdaFunctionServiceRole6901AAAE": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/*", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "LambdaFunctionServiceRolePolicy", }, ], }, "Type": "AWS::IAM::Role", }, "testCustomBusRuleTargetLambdaLambdaFunctionServiceRoleDefaultPolicy2D469CEC": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC.", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords", ], "Effect": "Allow", "Resource": "*", }, { "Action": "ssm:GetParameter", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":ssm:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":parametertest/fakekey/fakepath", ], ], }, }, { "Action": [ "dynamodb:BatchGetItem", "dynamodb:GetRecords", "dynamodb:GetShardIterator", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:ConditionCheckItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "testCustomBusTargetDynamoTable4F158389", "Arn", ], }, { "Ref": "AWS::NoValue", }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "testCustomBusRuleTargetLambdaLambdaFunctionServiceRoleDefaultPolicy2D469CEC", "Roles": [ { "Ref": "testCustomBusRuleTargetLambdaLambdaFunctionServiceRole6901AAAE", }, ], }, "Type": "AWS::IAM::Policy", }, "testCustomBusTargetDynamoTable4F158389": { "DeletionPolicy": "Retain", "Properties": { "AttributeDefinitions": [ { "AttributeName": "ACCOUNT_IDENTIFIER", "AttributeType": "S", }, { "AttributeName": "CREATED_TIMESTAMP", "AttributeType": "S", }, ], "BillingMode": "PAY_PER_REQUEST", "KeySchema": [ { "AttributeName": "ACCOUNT_IDENTIFIER", "KeyType": "HASH", }, { "AttributeName": "CREATED_TIMESTAMP", "KeyType": "RANGE", }, ], "PointInTimeRecoverySpecification": { "PointInTimeRecoveryEnabled": true, }, "SSESpecification": { "SSEEnabled": true, }, "TimeToLiveSpecification": { "AttributeName": "EXP_DATE", "Enabled": true, }, }, "Type": "AWS::DynamoDB::Table", "UpdateReplacePolicy": "Retain", }, }, } `; exports[`do not create target dynamodb table 1`] = ` { "Parameters": { "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaArtifactHash8E6713FC": { "Description": "Artifact hash for asset "9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caa"", "Type": "String", }, "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3Bucket476799AF": { "Description": "S3 bucket for asset "9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caa"", "Type": "String", }, "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF": { "Description": "S3 key for asset version "9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caa"", "Type": "String", }, }, "Resources": { "existingEventBus2F5875A1": { "Properties": { "Name": "testStackexistingEventBus7236155E", }, "Type": "AWS::Events::EventBus", }, "testCustomBusLambdaFunctionCAB66923": { "DependsOn": [ "testCustomBusLambdaFunctionServiceRoleDefaultPolicy9BAEE1C8", "testCustomBusLambdaFunctionServiceRoleCE76F238", ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions.", }, { "id": "W89", "reason": "This is not a rule for the general case, just for specific use cases/industries", }, { "id": "W92", "reason": "Impossible for us to define the correct concurrency for clients", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3Bucket476799AF", }, "S3Key": { "Fn::Join": [ "", [ { "Fn::Select": [ 0, { "Fn::Split": [ "||", { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF", }, ], }, ], }, { "Fn::Select": [ 1, { "Fn::Split": [ "||", { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF", }, ], }, ], }, ], ], }, }, "Environment": { "Variables": { "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1", "EVENT_BUS_NAME": { "Ref": "existingEventBus2F5875A1", }, "SOURCE_DDB_TABLE": { "Ref": "testCustomBusSourceDynamoTableA58E4C27", }, }, }, "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "testCustomBusLambdaFunctionServiceRoleCE76F238", "Arn", ], }, "Runtime": "nodejs14.x", "TracingConfig": { "Mode": "Active", }, }, "Type": "AWS::Lambda::Function", }, "testCustomBusLambdaFunctionServiceRoleCE76F238": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/*", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "LambdaFunctionServiceRolePolicy", }, ], }, "Type": "AWS::IAM::Role", }, "testCustomBusLambdaFunctionServiceRoleDefaultPolicy9BAEE1C8": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC.", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords", ], "Effect": "Allow", "Resource": "*", }, { "Action": [ "dynamodb:BatchGetItem", "dynamodb:GetRecords", "dynamodb:GetShardIterator", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:ConditionCheckItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "testCustomBusSourceDynamoTableA58E4C27", "Arn", ], }, { "Ref": "AWS::NoValue", }, ], }, { "Action": "events:PutEvents", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "existingEventBus2F5875A1", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "testCustomBusLambdaFunctionServiceRoleDefaultPolicy9BAEE1C8", "Roles": [ { "Ref": "testCustomBusLambdaFunctionServiceRoleCE76F238", }, ], }, "Type": "AWS::IAM::Policy", }, "testCustomBusRuleTargetLambdaEventsRuleC328D765": { "Properties": { "EventBusName": { "Ref": "existingEventBus2F5875A1", }, "EventPattern": { "account": [ { "Ref": "AWS::AccountId", }, ], "region": [ { "Ref": "AWS::Region", }, ], "source": [ "test.fake.namespace", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "testCustomBusRuleTargetLambdaLambdaFunctionFD9658D6", "Arn", ], }, "Id": "Target0", }, ], }, "Type": "AWS::Events::Rule", }, "testCustomBusRuleTargetLambdaLambdaFunctionAwsEventsLambdaInvokePermission1C5E16365": { "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "testCustomBusRuleTargetLambdaLambdaFunctionFD9658D6", "Arn", ], }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "testCustomBusRuleTargetLambdaEventsRuleC328D765", "Arn", ], }, }, "Type": "AWS::Lambda::Permission", }, "testCustomBusRuleTargetLambdaLambdaFunctionFD9658D6": { "DependsOn": [ "testCustomBusRuleTargetLambdaLambdaFunctionServiceRoleDefaultPolicy2D469CEC", "testCustomBusRuleTargetLambdaLambdaFunctionServiceRole6901AAAE", ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions.", }, { "id": "W89", "reason": "This is not a rule for the general case, just for specific use cases/industries", }, { "id": "W92", "reason": "Impossible for us to define the correct concurrency for clients", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3Bucket476799AF", }, "S3Key": { "Fn::Join": [ "", [ { "Fn::Select": [ 0, { "Fn::Split": [ "||", { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF", }, ], }, ], }, { "Fn::Select": [ 1, { "Fn::Split": [ "||", { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF", }, ], }, ], }, ], ], }, }, "Environment": { "Variables": { "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1", }, }, "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "testCustomBusRuleTargetLambdaLambdaFunctionServiceRole6901AAAE", "Arn", ], }, "Runtime": "nodejs14.x", "TracingConfig": { "Mode": "Active", }, }, "Type": "AWS::Lambda::Function", }, "testCustomBusRuleTargetLambdaLambdaFunctionServiceRole6901AAAE": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/*", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "LambdaFunctionServiceRolePolicy", }, ], }, "Type": "AWS::IAM::Role", }, "testCustomBusRuleTargetLambdaLambdaFunctionServiceRoleDefaultPolicy2D469CEC": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC.", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords", ], "Effect": "Allow", "Resource": "*", }, { "Action": "ssm:GetParameter", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":ssm:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":parametertest/fakekey/fakepath", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "testCustomBusRuleTargetLambdaLambdaFunctionServiceRoleDefaultPolicy2D469CEC", "Roles": [ { "Ref": "testCustomBusRuleTargetLambdaLambdaFunctionServiceRole6901AAAE", }, ], }, "Type": "AWS::IAM::Policy", }, "testCustomBusSourceDynamoTableA58E4C27": { "DeletionPolicy": "Retain", "Properties": { "AttributeDefinitions": [ { "AttributeName": "ACCOUNT_IDENTIFIER", "AttributeType": "S", }, ], "BillingMode": "PAY_PER_REQUEST", "KeySchema": [ { "AttributeName": "ACCOUNT_IDENTIFIER", "KeyType": "HASH", }, ], "PointInTimeRecoverySpecification": { "PointInTimeRecoveryEnabled": true, }, "SSESpecification": { "SSEEnabled": true, }, }, "Type": "AWS::DynamoDB::Table", "UpdateReplacePolicy": "Retain", }, }, } `; exports[`fail when neither existing bus nor event bus properties are provided 1`] = `{}`; exports[`test ingestion with all parameters and custom event bridge 1`] = ` { "Parameters": { "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaArtifactHash8E6713FC": { "Description": "Artifact hash for asset "9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caa"", "Type": "String", }, "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3Bucket476799AF": { "Description": "S3 bucket for asset "9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caa"", "Type": "String", }, "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF": { "Description": "S3 key for asset version "9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caa"", "Type": "String", }, }, "Resources": { "testCustomBusIngestionBus2242DCDB": { "Properties": { "Name": "testBus", }, "Type": "AWS::Events::EventBus", }, "testCustomBusLambdaFunctionCAB66923": { "DependsOn": [ "testCustomBusLambdaFunctionServiceRoleDefaultPolicy9BAEE1C8", "testCustomBusLambdaFunctionServiceRoleCE76F238", ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions.", }, { "id": "W89", "reason": "This is not a rule for the general case, just for specific use cases/industries", }, { "id": "W92", "reason": "Impossible for us to define the correct concurrency for clients", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3Bucket476799AF", }, "S3Key": { "Fn::Join": [ "", [ { "Fn::Select": [ 0, { "Fn::Split": [ "||", { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF", }, ], }, ], }, { "Fn::Select": [ 1, { "Fn::Split": [ "||", { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF", }, ], }, ], }, ], ], }, }, "Environment": { "Variables": { "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1", "EVENT_BUS_NAME": { "Ref": "testCustomBusIngestionBus2242DCDB", }, "SOURCE_DDB_TABLE": { "Ref": "testCustomBusSourceDynamoTableA58E4C27", }, }, }, "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "testCustomBusLambdaFunctionServiceRoleCE76F238", "Arn", ], }, "Runtime": "nodejs14.x", "TracingConfig": { "Mode": "Active", }, }, "Type": "AWS::Lambda::Function", }, "testCustomBusLambdaFunctionServiceRoleCE76F238": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/*", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "LambdaFunctionServiceRolePolicy", }, ], }, "Type": "AWS::IAM::Role", }, "testCustomBusLambdaFunctionServiceRoleDefaultPolicy9BAEE1C8": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC.", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords", ], "Effect": "Allow", "Resource": "*", }, { "Action": [ "dynamodb:BatchGetItem", "dynamodb:GetRecords", "dynamodb:GetShardIterator", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:ConditionCheckItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "testCustomBusSourceDynamoTableA58E4C27", "Arn", ], }, { "Ref": "AWS::NoValue", }, ], }, { "Action": "events:PutEvents", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "testCustomBusIngestionBus2242DCDB", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "testCustomBusLambdaFunctionServiceRoleDefaultPolicy9BAEE1C8", "Roles": [ { "Ref": "testCustomBusLambdaFunctionServiceRoleCE76F238", }, ], }, "Type": "AWS::IAM::Policy", }, "testCustomBusRuleTargetLambdaEventsRuleC328D765": { "Properties": { "EventBusName": { "Ref": "testCustomBusIngestionBus2242DCDB", }, "EventPattern": { "account": [ { "Ref": "AWS::AccountId", }, ], "region": [ { "Ref": "AWS::Region", }, ], "source": [ "test.fake.namespace", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "testCustomBusRuleTargetLambdaLambdaFunctionFD9658D6", "Arn", ], }, "Id": "Target0", }, ], }, "Type": "AWS::Events::Rule", }, "testCustomBusRuleTargetLambdaLambdaFunctionAwsEventsLambdaInvokePermission1C5E16365": { "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "testCustomBusRuleTargetLambdaLambdaFunctionFD9658D6", "Arn", ], }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "testCustomBusRuleTargetLambdaEventsRuleC328D765", "Arn", ], }, }, "Type": "AWS::Lambda::Permission", }, "testCustomBusRuleTargetLambdaLambdaFunctionFD9658D6": { "DependsOn": [ "testCustomBusRuleTargetLambdaLambdaFunctionServiceRoleDefaultPolicy2D469CEC", "testCustomBusRuleTargetLambdaLambdaFunctionServiceRole6901AAAE", ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions.", }, { "id": "W89", "reason": "This is not a rule for the general case, just for specific use cases/industries", }, { "id": "W92", "reason": "Impossible for us to define the correct concurrency for clients", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3Bucket476799AF", }, "S3Key": { "Fn::Join": [ "", [ { "Fn::Select": [ 0, { "Fn::Split": [ "||", { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF", }, ], }, ], }, { "Fn::Select": [ 1, { "Fn::Split": [ "||", { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF", }, ], }, ], }, ], ], }, }, "Environment": { "Variables": { "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1", "TARGET_DDB_TABLE": { "Ref": "testCustomBusTargetDynamoTable4F158389", }, }, }, "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "testCustomBusRuleTargetLambdaLambdaFunctionServiceRole6901AAAE", "Arn", ], }, "Runtime": "nodejs14.x", "TracingConfig": { "Mode": "Active", }, }, "Type": "AWS::Lambda::Function", }, "testCustomBusRuleTargetLambdaLambdaFunctionServiceRole6901AAAE": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/*", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "LambdaFunctionServiceRolePolicy", }, ], }, "Type": "AWS::IAM::Role", }, "testCustomBusRuleTargetLambdaLambdaFunctionServiceRoleDefaultPolicy2D469CEC": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC.", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords", ], "Effect": "Allow", "Resource": "*", }, { "Action": "ssm:GetParameter", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":ssm:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":parametertest/fakekey/fakepath", ], ], }, }, { "Action": [ "dynamodb:BatchGetItem", "dynamodb:GetRecords", "dynamodb:GetShardIterator", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:ConditionCheckItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "testCustomBusTargetDynamoTable4F158389", "Arn", ], }, { "Ref": "AWS::NoValue", }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "testCustomBusRuleTargetLambdaLambdaFunctionServiceRoleDefaultPolicy2D469CEC", "Roles": [ { "Ref": "testCustomBusRuleTargetLambdaLambdaFunctionServiceRole6901AAAE", }, ], }, "Type": "AWS::IAM::Policy", }, "testCustomBusSourceDynamoTableA58E4C27": { "DeletionPolicy": "Retain", "Properties": { "AttributeDefinitions": [ { "AttributeName": "ACCOUNT_IDENTIFIER", "AttributeType": "S", }, ], "BillingMode": "PAY_PER_REQUEST", "KeySchema": [ { "AttributeName": "ACCOUNT_IDENTIFIER", "KeyType": "HASH", }, ], "PointInTimeRecoverySpecification": { "PointInTimeRecoveryEnabled": true, }, "SSESpecification": { "SSEEnabled": true, }, }, "Type": "AWS::DynamoDB::Table", "UpdateReplacePolicy": "Retain", }, "testCustomBusTargetDynamoTable4F158389": { "DeletionPolicy": "Retain", "Properties": { "AttributeDefinitions": [ { "AttributeName": "ACCOUNT_IDENTIFIER", "AttributeType": "S", }, { "AttributeName": "CREATED_TIMESTAMP", "AttributeType": "S", }, ], "BillingMode": "PAY_PER_REQUEST", "KeySchema": [ { "AttributeName": "ACCOUNT_IDENTIFIER", "KeyType": "HASH", }, { "AttributeName": "CREATED_TIMESTAMP", "KeyType": "RANGE", }, ], "PointInTimeRecoverySpecification": { "PointInTimeRecoveryEnabled": true, }, "SSESpecification": { "SSEEnabled": true, }, "TimeToLiveSpecification": { "AttributeName": "EXP_DATE", "Enabled": true, }, }, "Type": "AWS::DynamoDB::Table", "UpdateReplacePolicy": "Retain", }, }, } `; exports[`test ingestion with existing event bus 1`] = ` { "Parameters": { "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaArtifactHash8E6713FC": { "Description": "Artifact hash for asset "9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caa"", "Type": "String", }, "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3Bucket476799AF": { "Description": "S3 bucket for asset "9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caa"", "Type": "String", }, "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF": { "Description": "S3 key for asset version "9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caa"", "Type": "String", }, }, "Resources": { "existingEventBus2F5875A1": { "Properties": { "Name": "testStackexistingEventBus7236155E", }, "Type": "AWS::Events::EventBus", }, "testCustomBusLambdaFunctionCAB66923": { "DependsOn": [ "testCustomBusLambdaFunctionServiceRoleDefaultPolicy9BAEE1C8", "testCustomBusLambdaFunctionServiceRoleCE76F238", ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions.", }, { "id": "W89", "reason": "This is not a rule for the general case, just for specific use cases/industries", }, { "id": "W92", "reason": "Impossible for us to define the correct concurrency for clients", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3Bucket476799AF", }, "S3Key": { "Fn::Join": [ "", [ { "Fn::Select": [ 0, { "Fn::Split": [ "||", { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF", }, ], }, ], }, { "Fn::Select": [ 1, { "Fn::Split": [ "||", { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF", }, ], }, ], }, ], ], }, }, "Environment": { "Variables": { "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1", "EVENT_BUS_NAME": { "Ref": "existingEventBus2F5875A1", }, "SOURCE_DDB_TABLE": { "Ref": "testCustomBusSourceDynamoTableA58E4C27", }, }, }, "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "testCustomBusLambdaFunctionServiceRoleCE76F238", "Arn", ], }, "Runtime": "nodejs14.x", "TracingConfig": { "Mode": "Active", }, }, "Type": "AWS::Lambda::Function", }, "testCustomBusLambdaFunctionServiceRoleCE76F238": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/*", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "LambdaFunctionServiceRolePolicy", }, ], }, "Type": "AWS::IAM::Role", }, "testCustomBusLambdaFunctionServiceRoleDefaultPolicy9BAEE1C8": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC.", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords", ], "Effect": "Allow", "Resource": "*", }, { "Action": [ "dynamodb:BatchGetItem", "dynamodb:GetRecords", "dynamodb:GetShardIterator", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:ConditionCheckItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "testCustomBusSourceDynamoTableA58E4C27", "Arn", ], }, { "Ref": "AWS::NoValue", }, ], }, { "Action": "events:PutEvents", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "existingEventBus2F5875A1", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "testCustomBusLambdaFunctionServiceRoleDefaultPolicy9BAEE1C8", "Roles": [ { "Ref": "testCustomBusLambdaFunctionServiceRoleCE76F238", }, ], }, "Type": "AWS::IAM::Policy", }, "testCustomBusRuleTargetLambdaEventsRuleC328D765": { "Properties": { "EventBusName": { "Ref": "existingEventBus2F5875A1", }, "EventPattern": { "account": [ { "Ref": "AWS::AccountId", }, ], "region": [ { "Ref": "AWS::Region", }, ], "source": [ "test.fake.namespace", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "testCustomBusRuleTargetLambdaLambdaFunctionFD9658D6", "Arn", ], }, "Id": "Target0", }, ], }, "Type": "AWS::Events::Rule", }, "testCustomBusRuleTargetLambdaLambdaFunctionAwsEventsLambdaInvokePermission1C5E16365": { "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "testCustomBusRuleTargetLambdaLambdaFunctionFD9658D6", "Arn", ], }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "testCustomBusRuleTargetLambdaEventsRuleC328D765", "Arn", ], }, }, "Type": "AWS::Lambda::Permission", }, "testCustomBusRuleTargetLambdaLambdaFunctionFD9658D6": { "DependsOn": [ "testCustomBusRuleTargetLambdaLambdaFunctionServiceRoleDefaultPolicy2D469CEC", "testCustomBusRuleTargetLambdaLambdaFunctionServiceRole6901AAAE", ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions.", }, { "id": "W89", "reason": "This is not a rule for the general case, just for specific use cases/industries", }, { "id": "W92", "reason": "Impossible for us to define the correct concurrency for clients", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3Bucket476799AF", }, "S3Key": { "Fn::Join": [ "", [ { "Fn::Select": [ 0, { "Fn::Split": [ "||", { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF", }, ], }, ], }, { "Fn::Select": [ 1, { "Fn::Split": [ "||", { "Ref": "AssetParameters9a512a1198e54699fd9d427f29f91021458fda9d23601e31e4b76bf96d5d7caaS3VersionKey703E74DF", }, ], }, ], }, ], ], }, }, "Environment": { "Variables": { "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1", "TARGET_DDB_TABLE": { "Ref": "testCustomBusTargetDynamoTable4F158389", }, }, }, "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "testCustomBusRuleTargetLambdaLambdaFunctionServiceRole6901AAAE", "Arn", ], }, "Runtime": "nodejs14.x", "TracingConfig": { "Mode": "Active", }, }, "Type": "AWS::Lambda::Function", }, "testCustomBusRuleTargetLambdaLambdaFunctionServiceRole6901AAAE": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/*", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "LambdaFunctionServiceRolePolicy", }, ], }, "Type": "AWS::IAM::Role", }, "testCustomBusRuleTargetLambdaLambdaFunctionServiceRoleDefaultPolicy2D469CEC": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC.", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords", ], "Effect": "Allow", "Resource": "*", }, { "Action": "ssm:GetParameter", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":ssm:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":parametertest/fakekey/fakepath", ], ], }, }, { "Action": [ "dynamodb:BatchGetItem", "dynamodb:GetRecords", "dynamodb:GetShardIterator", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:ConditionCheckItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "testCustomBusTargetDynamoTable4F158389", "Arn", ], }, { "Ref": "AWS::NoValue", }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "testCustomBusRuleTargetLambdaLambdaFunctionServiceRoleDefaultPolicy2D469CEC", "Roles": [ { "Ref": "testCustomBusRuleTargetLambdaLambdaFunctionServiceRole6901AAAE", }, ], }, "Type": "AWS::IAM::Policy", }, "testCustomBusSourceDynamoTableA58E4C27": { "DeletionPolicy": "Retain", "Properties": { "AttributeDefinitions": [ { "AttributeName": "ACCOUNT_IDENTIFIER", "AttributeType": "S", }, ], "BillingMode": "PAY_PER_REQUEST", "KeySchema": [ { "AttributeName": "ACCOUNT_IDENTIFIER", "KeyType": "HASH", }, ], "PointInTimeRecoverySpecification": { "PointInTimeRecoveryEnabled": true, }, "SSESpecification": { "SSEEnabled": true, }, }, "Type": "AWS::DynamoDB::Table", "UpdateReplacePolicy": "Retain", }, "testCustomBusTargetDynamoTable4F158389": { "DeletionPolicy": "Retain", "Properties": { "AttributeDefinitions": [ { "AttributeName": "ACCOUNT_IDENTIFIER", "AttributeType": "S", }, { "AttributeName": "CREATED_TIMESTAMP", "AttributeType": "S", }, ], "BillingMode": "PAY_PER_REQUEST", "KeySchema": [ { "AttributeName": "ACCOUNT_IDENTIFIER", "KeyType": "HASH", }, { "AttributeName": "CREATED_TIMESTAMP", "KeyType": "RANGE", }, ], "PointInTimeRecoverySpecification": { "PointInTimeRecoveryEnabled": true, }, "SSESpecification": { "SSEEnabled": true, }, "TimeToLiveSpecification": { "AttributeName": "EXP_DATE", "Enabled": true, }, }, "Type": "AWS::DynamoDB::Table", "UpdateReplacePolicy": "Retain", }, }, } `;