// Jest Snapshot v1, https://goo.gl/fbAQLP exports[`InstanceSchedulerRemoteStack snapshot test 1`] = ` { "AWSTemplateFormatVersion": "2010-09-09", "Conditions": { "IsMemberOfOrganization": { "Fn::Equals": [ { "Ref": "UsingAWSOrganizations", }, "Yes", ], }, }, "Description": "", "Mappings": { "AppRegistryForInstanceSchedulerSolution25A90F05": { "Data": { "AppRegistryApplicationName": "instance-scheduler-on-aws", "ApplicationType": "AWS-Solutions", "ID": "SO0030", "SolutionName": "instance-scheduler-on-aws", "Version": "v1.5.0", }, }, "mappings": { "SchedulerEventBusName": { "Name": "scheduler-event-bus", }, "SchedulerRole": { "Name": "Scheduler-Role", }, }, }, "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Namespace Configuration", }, "Parameters": [ "Namespace", ], }, { "Label": { "default": "Account Structure", }, "Parameters": [ "InstanceSchedulerAccount", "UsingAWSOrganizations", ], }, ], "ParameterLabels": { "InstanceSchedulerAccount": { "default": "Hub Account ID", }, "UsingAWSOrganizations": { "default": "Use AWS Organizations", }, }, }, }, "Outputs": { "CrossAccountRole": { "Description": "Arn for cross account role for Instance scheduler, add this arn to the list of crossaccount roles (CrossAccountRoles) parameter of the Instance Scheduler template.", "Value": { "Fn::GetAtt": [ "EC2SchedulerCrossAccountRole", "Arn", ], }, }, }, "Parameters": { "InstanceSchedulerAccount": { "AllowedPattern": "(^[0-9]{12}$)", "ConstraintDescription": "Account number is a 12 digit number", "Description": "AccountID of the Instance Scheduler Hub stack that should be allowed to schedule resources in this account.", "Type": "String", }, "Namespace": { "Description": "Unique identifier used to differentiate between multiple solution deployments. Must be set to the same value as the Hub stack", "Type": "String", }, "UsingAWSOrganizations": { "AllowedValues": [ "Yes", "No", ], "Default": "No", "Description": "Use AWS Organizations to automate spoke account registration. Must be set to the same value as the Hub stack", "Type": "String", }, }, "Resources": { "AppRegistry968496A3": { "Properties": { "Description": { "Fn::Join": [ "", [ "Service Catalog application to track and manage all your resources for the solution ", { "Fn::FindInMap": [ "AppRegistryForInstanceSchedulerSolution25A90F05", "Data", "SolutionName", ], }, ], ], }, "Name": { "Fn::Join": [ "-", [ { "Fn::FindInMap": [ "AppRegistryForInstanceSchedulerSolution25A90F05", "Data", "AppRegistryApplicationName", ], }, { "Ref": "AWS::Region", }, { "Ref": "AWS::AccountId", }, { "Ref": "AWS::StackName", }, ], ], }, "Tags": { "Solutions:ApplicationType": { "Fn::FindInMap": [ "AppRegistryForInstanceSchedulerSolution25A90F05", "Data", "ApplicationType", ], }, "Solutions:SolutionID": { "Fn::FindInMap": [ "AppRegistryForInstanceSchedulerSolution25A90F05", "Data", "ID", ], }, "Solutions:SolutionName": { "Fn::FindInMap": [ "AppRegistryForInstanceSchedulerSolution25A90F05", "Data", "SolutionName", ], }, "Solutions:SolutionVersion": { "Fn::FindInMap": [ "AppRegistryForInstanceSchedulerSolution25A90F05", "Data", "Version", ], }, }, }, "Type": "AWS::ServiceCatalogAppRegistry::Application", }, "AppRegistryAssociation": { "Properties": { "Application": { "Fn::GetAtt": [ "AppRegistry968496A3", "Id", ], }, "Resource": { "Ref": "AWS::StackId", }, "ResourceType": "CFN_STACK", }, "Type": "AWS::ServiceCatalogAppRegistry::ResourceAssociation", }, "AppRegistryAttributeGroupAssociationf823ba38a843A987197E": { "Properties": { "Application": { "Fn::GetAtt": [ "AppRegistry968496A3", "Id", ], }, "AttributeGroup": { "Fn::GetAtt": [ "AppRegistryDefaultApplicationAttributes15279635", "Id", ], }, }, "Type": "AWS::ServiceCatalogAppRegistry::AttributeGroupAssociation", }, "AppRegistryDefaultApplicationAttributes15279635": { "Properties": { "Attributes": { "applicationType": { "Fn::FindInMap": [ "AppRegistryForInstanceSchedulerSolution25A90F05", "Data", "ApplicationType", ], }, "solutionID": { "Fn::FindInMap": [ "AppRegistryForInstanceSchedulerSolution25A90F05", "Data", "ID", ], }, "solutionName": { "Fn::FindInMap": [ "AppRegistryForInstanceSchedulerSolution25A90F05", "Data", "SolutionName", ], }, "version": { "Fn::FindInMap": [ "AppRegistryForInstanceSchedulerSolution25A90F05", "Data", "Version", ], }, }, "Description": "Attribute group for solution information", "Name": { "Fn::Join": [ "", [ "attgroup-", { "Fn::Join": [ "-", [ { "Ref": "AWS::Region", }, { "Ref": "AWS::StackName", }, ], ], }, ], ], }, "Tags": { "Solutions:ApplicationType": { "Fn::FindInMap": [ "AppRegistryForInstanceSchedulerSolution25A90F05", "Data", "ApplicationType", ], }, "Solutions:SolutionID": { "Fn::FindInMap": [ "AppRegistryForInstanceSchedulerSolution25A90F05", "Data", "ID", ], }, "Solutions:SolutionName": { "Fn::FindInMap": [ "AppRegistryForInstanceSchedulerSolution25A90F05", "Data", "SolutionName", ], }, "Solutions:SolutionVersion": { "Fn::FindInMap": [ "AppRegistryForInstanceSchedulerSolution25A90F05", "Data", "Version", ], }, }, }, "Type": "AWS::ServiceCatalogAppRegistry::AttributeGroup", }, "EC2SchedulerCrossAccountRole": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "All policies have been scoped to be as restrictive as possible. This solution needs to access ec2/rds resources across all regions.", }, ], }, "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "All policies have been scoped to be as restrictive as possible. This solution needs to access ec2/rds resources across all regions.", }, { "id": "W28", "reason": "The role name is defined to allow cross account access from the hub account.", }, { "id": "W76", "reason": "All policies have been scoped to be as restrictive as possible. This solution needs to access ec2/rds resources across all regions.", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Sub": [ "arn:\${AWS::Partition}:iam::\${accountId}:root", { "accountId": { "Ref": "InstanceSchedulerAccount", }, }, ], }, }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Path": "/", "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "rds:DeleteDBSnapshot", "rds:DescribeDBSnapshots", "rds:StopDBInstance", ], "Effect": "Allow", "Resource": { "Fn::Sub": "arn:\${AWS::Partition}:rds:*:\${AWS::AccountId}:snapshot:*", }, }, { "Action": [ "rds:AddTagsToResource", "rds:RemoveTagsFromResource", "rds:DescribeDBSnapshots", "rds:StartDBInstance", "rds:StopDBInstance", ], "Effect": "Allow", "Resource": { "Fn::Sub": "arn:\${AWS::Partition}:rds:*:\${AWS::AccountId}:db:*", }, }, { "Action": [ "rds:AddTagsToResource", "rds:RemoveTagsFromResource", "rds:StartDBCluster", "rds:StopDBCluster", ], "Effect": "Allow", "Resource": { "Fn::Sub": "arn:\${AWS::Partition}:rds:*:\${AWS::AccountId}:cluster:*", }, }, { "Action": [ "ec2:StartInstances", "ec2:StopInstances", "ec2:CreateTags", "ec2:DeleteTags", ], "Effect": "Allow", "Resource": { "Fn::Sub": "arn:\${AWS::Partition}:ec2:*:\${AWS::AccountId}:instance/*", }, }, { "Action": [ "rds:DescribeDBClusters", "rds:DescribeDBInstances", "ec2:DescribeInstances", "ssm:DescribeMaintenanceWindows", "ssm:DescribeMaintenanceWindowExecutions", "tag:GetResources", ], "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "EC2InstanceSchedulerRemote", }, ], "RoleName": { "Fn::Sub": [ "\${Namespace}-\${Name}", { "Name": { "Fn::FindInMap": [ "mappings", "SchedulerRole", "Name", ], }, }, ], }, }, "Type": "AWS::IAM::Role", }, "Ec2ModifyInstanceAttrPolicy4B693ACF": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "All policies have been scoped to be as restrictive as possible. This solution needs to access ec2/rds resources across all regions.", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "ec2:ModifyInstanceAttribute", "Effect": "Allow", "Resource": { "Fn::Sub": "arn:\${AWS::Partition}:ec2:*:\${AWS::AccountId}:instance/*", }, }, ], "Version": "2012-10-17", }, "PolicyName": "Ec2ModifyInstanceAttrPolicy4B693ACF", "Roles": [ { "Ref": "EC2SchedulerCrossAccountRole", }, ], }, "Type": "AWS::IAM::Policy", }, "SSMParameterNamespace2002A907": { "Condition": "IsMemberOfOrganization", "DependsOn": [ "schedulerssmparameterstoreevent", ], "Properties": { "Description": "This parameter is for Instance Scheduler solution to support accounts in AWS Organizations.", "Name": "/instance-scheduler/do-not-delete-manually", "Type": "String", "Value": { "Ref": "Namespace", }, }, "Type": "AWS::SSM::Parameter", }, "SchedulerEventDeliveryPolicyD8B17948": { "Condition": "IsMemberOfOrganization", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "events:PutEvents", "Effect": "Allow", "Resource": { "Fn::Sub": [ "arn:\${AWS::Partition}:events:\${AWS::Region}:\${InstanceSchedulerAccount}:event-bus/\${Namespace}-\${EventBusName}", { "EventBusName": { "Fn::FindInMap": [ "mappings", "SchedulerEventBusName", "Name", ], }, }, ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "SchedulerEventDeliveryPolicyD8B17948", "Roles": [ { "Ref": "SchedulerEventDeliveryRole5AE883C1", }, ], }, "Type": "AWS::IAM::Policy", }, "SchedulerEventDeliveryRole5AE883C1": { "Condition": "IsMemberOfOrganization", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Description": "Event Role to add the permissions necessary to migrate a sender-receiver relationship to Use AWS Organizations", }, "Type": "AWS::IAM::Role", }, "schedulerssmparameterstoreevent": { "Condition": "IsMemberOfOrganization", "DependsOn": [ "SchedulerEventDeliveryRole5AE883C1", ], "Properties": { "Description": "Event rule to invoke Instance Scheduler lambda function to store spoke account id in configuration.", "EventPattern": { "account": [ "111111111111", ], "detail": { "name": [ "/instance-scheduler/do-not-delete-manually", ], "operation": [ "Create", "Delete", ], "type": [ "String", ], }, "detail-type": [ "Parameter Store Change", ], "source": [ "aws.ssm", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::Sub": [ "arn:\${AWS::Partition}:events:\${AWS::Region}:\${InstanceSchedulerAccount}:event-bus/\${Namespace}-\${EventBusName}", { "EventBusName": { "Fn::FindInMap": [ "mappings", "SchedulerEventBusName", "Name", ], }, }, ], }, "Id": "Spoke-SSM-Parameter-Event", "RoleArn": { "Fn::GetAtt": [ "SchedulerEventDeliveryRole5AE883C1", "Arn", ], }, }, ], }, "Type": "AWS::Events::Rule", }, }, } `;