// Jest Snapshot v1, https://goo.gl/fbAQLP exports[`Agreement Stack Test 1`] = ` { "Conditions": { "EnableEmailNotifications": { "Fn::Equals": [ { "Ref": "EmailNotifications", }, "yes", ], }, }, "Description": "(SO0133) - Media Exchange on AWS __VERSION__ - setup publisher and subscriber shared resources for asset exchange.", "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Deployment Configuration", }, "Parameters": [ "Environment", ], }, { "Label": { "default": "Agreement Configuration", }, "Parameters": [ "PublisherName", "SubscriberName", "ExpirationInDays", "EmailNotifications", ], }, ], }, }, "Outputs": { "ConsoleUrl": { "Description": "Use this url to directly access the shared bucket.", "Value": { "Fn::Join": [ "", [ "https://s3.console.aws.amazon.com/s3/buckets/", { "Ref": "ExchangeBucket913FA88D", }, "/?region=", { "Ref": "AWS::Region", }, "&tab=overview", ], ], }, }, "PublisherOnboardingSummary": { "Description": "Configuration information for publisher.", "Value": { "Fn::Join": [ "", [ "PUBLISHER_NAME=", { "Ref": "PublisherName", }, " SUBSCRIBER_NAME=", { "Ref": "SubscriberName", }, " AWS_REGION=", { "Ref": "AWS::Region", }, " MEDIAEXCHANGE_BUCKET_NAME=", { "Ref": "ExchangeBucket913FA88D", }, " KMS_KEY_ARN=", { "Fn::GetAtt": [ "CMK56817A4C", "Arn", ], }, " SNS_TOPIC_ARN=", { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-publisher-", { "Ref": "PublisherName", }, "-notificationtopic", ], ], }, }, " EVENT_BUS_ARN=arn:", { "Ref": "AWS::Partition", }, ":events:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":event-bus/default LOG_BUCKET_NAME=", { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-publisher-", { "Ref": "PublisherName", }, "-logs", ], ], }, }, " PUBLISHER_ROLE=", { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": 
"Environment", }, "-publisher-", { "Ref": "PublisherName", }, "-role", ], ], }, }, ], ], }, }, "SubscriberOnboardingSummary": { "Description": "Configuration information for subscriber.", "Value": { "Fn::Join": [ "", [ "PUBLISHER_NAME=", { "Ref": "PublisherName", }, " SUBSCRIBER_NAME=", { "Ref": "SubscriberName", }, " AWS_REGION=", { "Ref": "AWS::Region", }, " MEDIAEXCHANGE_BUCKET_NAME=", { "Ref": "ExchangeBucket913FA88D", }, " KMS_KEY_ARN=", { "Fn::GetAtt": [ "CMK56817A4C", "Arn", ], }, " SNS_TOPIC_ARN=", { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-subscriber-", { "Ref": "SubscriberName", }, "-notificationtopic", ], ], }, }, " EVENT_BUS_ARN=arn:", { "Ref": "AWS::Partition", }, ":events:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":event-bus/default SUBSCRIBER_ROLE=", { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-subscriber-", { "Ref": "SubscriberName", }, "-role", ], ], }, }, ], ], }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, "EmailNotifications": { "AllowedValues": [ "yes", "no", ], "Default": "no", "Description": "Select yes to forward all notifications to subscriber's email. 
If "no" (default) the notifications are available via EventBridge and SNS.", "Type": "String", }, "Environment": { "AllowedPattern": "[A-Za-z0-9]+", "ConstraintDescription": "Malformed input-Parameter MyParameter must only contain uppercase and lowercase letters and numbers", "Default": "dev", "Description": "Deployment Environment Name", "MaxLength": 10, "MinLength": 2, "Type": "String", }, "ExpirationInDays": { "Default": 5, "Description": "The assets get lifecycle deleted after these many days from the MediaExchange bucket.", "MaxValue": 30, "MinValue": 1, "Type": "Number", }, "PublisherName": { "AllowedPattern": "[A-Za-z0-9]+", "ConstraintDescription": "Malformed input-Parameter PublisherName must only contain uppercase and lowercase letters and numbers", "Description": "The name of the publisher, case sensitive, as registered in this Media Exchange deployment.", "MaxLength": 64, "MinLength": 3, "Type": "String", }, "SubscriberName": { "AllowedPattern": "[A-Za-z0-9-]+", "ConstraintDescription": "Malformed input-Parameter SubscriberName must only contain uppercase and lowercase letters and numbers", "Description": "The name of the subscriber, case sensitive, as registered in this Media Exchange deployment.", "MaxLength": 64, "MinLength": 3, "Type": "String", }, }, "Resources": { "BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691": { "DependsOn": [ "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36", "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC", ], "Properties": { "Code": { "ZipFile": "import boto3 # type: ignore import json import logging import urllib.request s3 = boto3.client("s3") EVENTBRIDGE_CONFIGURATION = 'EventBridgeConfiguration' CONFIGURATION_TYPES = ["TopicConfigurations", "QueueConfigurations", "LambdaFunctionConfigurations"] def handler(event: dict, context): response_status = "SUCCESS" error_message = "" try: props = event["ResourceProperties"] bucket = 
props["BucketName"] notification_configuration = props["NotificationConfiguration"] request_type = event["RequestType"] managed = props.get('Managed', 'true').lower() == 'true' stack_id = event['StackId'] if managed: config = handle_managed(request_type, notification_configuration) else: config = handle_unmanaged(bucket, stack_id, request_type, notification_configuration) put_bucket_notification_configuration(bucket, config) except Exception as e: logging.exception("Failed to put bucket notification configuration") response_status = "FAILED" error_message = f"Error: {str(e)}. " finally: submit_response(event, context, response_status, error_message) def handle_managed(request_type, notification_configuration): if request_type == 'Delete': return {} return notification_configuration def handle_unmanaged(bucket, stack_id, request_type, notification_configuration): external_notifications = find_external_notifications(bucket, stack_id) if request_type == 'Delete': return external_notifications def with_id(notification): notification['Id'] = f"{stack_id}-{hash(json.dumps(notification, sort_keys=True))}" return notification notifications = {} for t in CONFIGURATION_TYPES: external = external_notifications.get(t, []) incoming = [with_id(n) for n in notification_configuration.get(t, [])] notifications[t] = external + incoming if EVENTBRIDGE_CONFIGURATION in notification_configuration: notifications[EVENTBRIDGE_CONFIGURATION] = notification_configuration[EVENTBRIDGE_CONFIGURATION] elif EVENTBRIDGE_CONFIGURATION in external_notifications: notifications[EVENTBRIDGE_CONFIGURATION] = external_notifications[EVENTBRIDGE_CONFIGURATION] return notifications def find_external_notifications(bucket, stack_id): existing_notifications = get_bucket_notification_configuration(bucket) external_notifications = {} for t in CONFIGURATION_TYPES: external_notifications[t] = [n for n in existing_notifications.get(t, []) if not n['Id'].startswith(f"{stack_id}-")] if EVENTBRIDGE_CONFIGURATION in 
existing_notifications: external_notifications[EVENTBRIDGE_CONFIGURATION] = existing_notifications[EVENTBRIDGE_CONFIGURATION] return external_notifications def get_bucket_notification_configuration(bucket): return s3.get_bucket_notification_configuration(Bucket=bucket) def put_bucket_notification_configuration(bucket, notification_configuration): s3.put_bucket_notification_configuration(Bucket=bucket, NotificationConfiguration=notification_configuration) def submit_response(event: dict, context, response_status: str, error_message: str): response_body = json.dumps( { "Status": response_status, "Reason": f"{error_message}See the details in CloudWatch Log Stream: {context.log_stream_name}", "PhysicalResourceId": event.get("PhysicalResourceId") or event["LogicalResourceId"], "StackId": event["StackId"], "RequestId": event["RequestId"], "LogicalResourceId": event["LogicalResourceId"], "NoEcho": False, } ).encode("utf-8") headers = {"content-type": "", "content-length": str(len(response_body))} try: req = urllib.request.Request(url=event["ResponseURL"], headers=headers, data=response_body, method="PUT") with urllib.request.urlopen(req) as response: print(response.read().decode("utf-8")) print("Status code: " + response.reason) except Exception as e: print("send(..) 
failed executing request.urlopen(..): " + str(e)) ", }, "Description": "AWS CloudFormation handler for "Custom::S3BucketNotifications" resources (@aws-cdk/aws-s3)", "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC", "Arn", ], }, "Runtime": "python3.9", "Timeout": 300, }, "Type": "AWS::Lambda::Function", }, "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": "s3:PutBucketNotification", "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36", "Roles": [ { "Ref": "BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC", }, ], }, "Type": "AWS::IAM::Policy", }, "CMK56817A4C": { "DeletionPolicy": "Retain", "Properties": { "Description": "Symetric Key for Encrypting Objects in Media Exchange", "EnableKeyRotation": true, "Enabled": true, "KeyPolicy": { "Statement": [ { "Action": [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, "Resource": "*", "Sid": "KeyManagement", }, { 
"Action": [ "kms:Decrypt", "kms:DescribeKey", ], "Condition": { "StringEquals": { "kms:ViaService": { "Fn::Join": [ "", [ "s3.", { "Ref": "AWS::Region", }, ".amazonaws.com", ], ], }, }, }, "Effect": "Allow", "Principal": { "AWS": { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-subscriber-", { "Ref": "SubscriberName", }, "-role", ], ], }, }, }, "Resource": "*", "Sid": "SubscriberAccess", }, { "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey", ], "Condition": { "StringEquals": { "kms:ViaService": { "Fn::Join": [ "", [ "s3.", { "Ref": "AWS::Region", }, ".amazonaws.com", ], ], }, }, }, "Effect": "Allow", "Principal": { "AWS": { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-publisher-", { "Ref": "PublisherName", }, "-role", ], ], }, }, }, "Resource": "*", "Sid": "PublisherAccess", }, ], "Version": "2012-10-17", }, "PendingWindowInDays": 10, }, "Type": "AWS::KMS::Key", "UpdateReplacePolicy": "Retain", }, "ExchangeBucket913FA88D": { "DeletionPolicy": "Retain", "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "KMSMasterKeyID": { "Fn::GetAtt": [ "CMK56817A4C", "Arn", ], }, "SSEAlgorithm": "aws:kms", }, }, ], }, "LifecycleConfiguration": { "Rules": [ { "ExpirationInDays": { "Ref": "ExpirationInDays", }, "Id": "Expire", "Status": "Enabled", }, { "Id": "AutoRemove", "NoncurrentVersionExpiration": { "NoncurrentDays": { "Ref": "ExpirationInDays", }, }, "Status": "Enabled", }, { "AbortIncompleteMultipartUpload": { "DaysAfterInitiation": 2, }, "Id": "CleanupIncompleteUploads", "Status": "Enabled", }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-publisher-", { "Ref": "PublisherName", }, "-logs", ], ], }, }, 
"LogFilePrefix": { "Fn::Join": [ "", [ "logs/", { "Ref": "SubscriberName", }, "/", ], ], }, }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerEnforced", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "VersioningConfiguration": { "Status": "Enabled", }, }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Retain", }, "ExchangeBucketNotifications9D53FD72": { "Properties": { "BucketName": { "Ref": "ExchangeBucket913FA88D", }, "Managed": true, "NotificationConfiguration": { "EventBridgeConfiguration": {}, }, "ServiceToken": { "Fn::GetAtt": [ "BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691", "Arn", ], }, }, "Type": "Custom::S3BucketNotifications", }, "ExchangeBucketPolicyBCB4B3A3": { "Properties": { "Bucket": { "Ref": "ExchangeBucket913FA88D", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "ExchangeBucket913FA88D", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ExchangeBucket913FA88D", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": false, }, "StringNotEquals": { "s3:signatureversion": "AWS4-HMAC-SHA256", "s3:x-amz-content-sha256": "UNSIGNED-PAYLOAD", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "ExchangeBucket913FA88D", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ExchangeBucket913FA88D", "Arn", ], }, "/*", ], ], }, ], "Sid": "RequireTLSSigv4", }, { "Action": "s3:PutObject", "Condition": { "StringEqualsIfExists": { "s3:x-amz-server-side-encryption": "aws:kms", "s3:x-amz-server-side-encryption-aws-kms-key-id": { "Fn::GetAtt": [ "CMK56817A4C", "Arn", ], }, "s3:x-amz-storage-class": "STANDARD", }, }, "Effect": "Allow", "Principal": { "AWS": { "Fn::ImportValue": { 
"Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-publisher-", { "Ref": "PublisherName", }, "-role", ], ], }, }, }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ExchangeBucket913FA88D", "Arn", ], }, "/*", ], ], }, "Sid": "AllowCopyOpPublisher", }, { "Action": [ "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectAcl", "s3:GetObjectVersionAcl", "s3:GetObjectTagging", "s3:GetObjectVersionTagging", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts", "s3:DeleteObject", "s3:DeleteObjectTagging", "s3:DeleteObjectVersion", "s3:DeleteObjectVersionTagging", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-publisher-", { "Ref": "PublisherName", }, "-role", ], ], }, }, }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ExchangeBucket913FA88D", "Arn", ], }, "/*", ], ], }, "Sid": "AllowPublisher", }, { "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectAcl", "s3:GetObjectVersionAcl", "s3:GetObjectTagging", "s3:GetObjectVersionTagging", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-subscriber-", { "Ref": "SubscriberName", }, "-role", ], ], }, }, }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ExchangeBucket913FA88D", "Arn", ], }, "/*", ], ], }, "Sid": "AllowCopyOpSubscriber", }, { "Action": [ "s3:Get*", "s3:List*", ], "Effect": "Allow", "Principal": { "AWS": [ { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-publisher-", { "Ref": "PublisherName", }, "-role", ], ], }, }, { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-subscriber-", { "Ref": "SubscriberName", }, "-role", ], ], }, }, ], }, "Resource": { "Fn::Join": 
[ "", [ { "Fn::GetAtt": [ "ExchangeBucket913FA88D", "Arn", ], }, "/*", ], ], }, "Sid": "AllowBasicConsole", }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "NotifySubscriberRule15C60410": { "Properties": { "Description": "Notify Publisher Message", "EventPattern": { "detail-type": [ { "Fn::Join": [ "", [ "bucket=", { "Ref": "ExchangeBucket913FA88D", }, ], ], }, ], "source": [ "mxc.publisher", ], }, "Name": "NotifySubscriberRule", "State": "ENABLED", "Targets": [ { "Arn": { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-subscriber-", { "Ref": "SubscriberName", }, "-notificationtopic", ], ], }, }, "DeadLetterConfig": { "Arn": { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-subscriber-", { "Ref": "SubscriberName", }, "-notificationdlq", ], ], }, }, }, "Id": "Target0", "InputPath": "$.detail", }, ], }, "Type": "AWS::Events::Rule", }, "S3NotifyPublisherRuleFC3A44CA": { "Properties": { "Description": "Notify Content Published", "EventPattern": { "detail": { "bucket": { "name": [ { "Ref": "ExchangeBucket913FA88D", }, ], }, }, "detail-type": [ "Object Created", "Object Deleted", ], "source": [ "aws.s3", ], }, "Name": "S3NotifyPublisherRule", "State": "ENABLED", "Targets": [ { "Arn": { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-publisher-", { "Ref": "PublisherName", }, "-notificationtopic", ], ], }, }, "DeadLetterConfig": { "Arn": { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-publisher-", { "Ref": "PublisherName", }, "-notificationdlq", ], ], }, }, }, "Id": "Target0", "InputPath": "$.detail", }, ], }, "Type": "AWS::Events::Rule", }, "S3NotifySubscriberRule77D5640E": { "Properties": { "Description": "Notify Content Published", "EventPattern": { "detail": { "bucket": { "name": [ { "Ref": 
"ExchangeBucket913FA88D", }, ], }, }, "detail-type": [ "Object Created", "Object Deleted", ], "source": [ "aws.s3", ], }, "Name": "S3NotifySubscriberRule", "State": "ENABLED", "Targets": [ { "Arn": { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-subscriber-", { "Ref": "SubscriberName", }, "-notificationtopic", ], ], }, }, "DeadLetterConfig": { "Arn": { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-subscriber-", { "Ref": "SubscriberName", }, "-notificationdlq", ], ], }, }, }, "Id": "Target0", "InputPath": "$.detail", }, ], }, "Type": "AWS::Events::Rule", }, "SubscriberNotificationsTopicTokenSubscription1C2C58CB7": { "Condition": "EnableEmailNotifications", "Properties": { "Endpoint": { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-subscriber-", { "Ref": "SubscriberName", }, "-email", ], ], }, }, "Protocol": "email", "TopicArn": { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-subscriber-", { "Ref": "SubscriberName", }, "-notificationtopic", ], ], }, }, }, "Type": "AWS::SNS::Subscription", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. 
Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`AutoIngest Stack Test 1`] = ` { "Description": "CDK template for AutoIngest.", "Mappings": { "AnonymizedData": { "SendAnonymizedData": { "Data": "Yes", }, }, }, "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Deployment Configuration", }, "Parameters": [ "Environment", ], }, { "Label": { "default": "Copy Configuration", }, "Parameters": [ "NotificationTopicArn", "MediaExchangeBucket", "DestinationBucket", "DestinationPrefix", ], }, ], }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, "DestinationBucket": { "Description": "Destination S3 Bucket Name", "Type": "String", }, "DestinationPrefix": { "Default": "ingest", "Description": "Destination prefix for S3 Bucket ingestion", "Type": "String", }, "Environment": { "AllowedPattern": "[A-Za-z0-9]+", "ConstraintDescription": "Malformed input-Parameter Environment must only contain uppercase and lowercase letters and numbers", "Default": "dev", "Description": "Deployment Environment Name", "MaxLength": 10, "MinLength": 2, "Type": "String", }, "MediaExchangeBucket": { "Description": " MediaExchange S3 Bucket Name", "Type": "String", }, "NotificationTopicArn": { "Description": "MediaExchange Notifications topic from SubscriberOnBoradingSummary", "Type": "String", }, }, "Resources": { "AWSLambdaBasicExecutionRole5C117F0B": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "AWSLambdaBasicExecutionRoleDefaultPolicy4109A968": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": 
"sqs:SendMessage", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "DLQ581697C4", "Arn", ], }, }, { "Action": [ "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:GetQueueUrl", "sqs:DeleteMessage", "sqs:GetQueueAttributes", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "NQ53EB41FA", "Arn", ], }, }, { "Action": "kms:Decrypt", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CMK56817A4C", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "AWSLambdaBasicExecutionRoleDefaultPolicy4109A968", "Roles": [ { "Ref": "AWSLambdaBasicExecutionRole5C117F0B", }, ], }, "Type": "AWS::IAM::Policy", }, "CMK56817A4C": { "DeletionPolicy": "Retain", "Properties": { "Description": "Symetric Key for Encrypting Objects in Media Exchange", "EnableKeyRotation": true, "Enabled": true, "KeyPolicy": { "Statement": [ { "Action": [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, "Resource": "*", "Sid": "KeyManagement", }, { "Action": [ "kms:GenerateDataKey*", "kms:Decrypt", ], "Effect": "Allow", "Principal": { "Service": "sns.amazonaws.com", }, "Resource": "*", "Sid": "Allow access for Key User (SNS Service Principal)", }, { "Action": "kms:Decrypt", "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "AWSLambdaBasicExecutionRole5C117F0B", "Arn", ], }, }, "Resource": "*", "Sid": "Allow access for Key User (Lambda Function)", }, { "Action": [ "kms:Decrypt", "kms:GenerateDataKey", ], "Effect": "Allow", "Principal": { "Service": "sns.amazonaws.com", }, "Resource": "*", }, ], "Version": "2012-10-17", }, "PendingWindowInDays": 7, }, "Type": "AWS::KMS::Key", "UpdateReplacePolicy": "Retain", }, 
"CustomResourcePolicy79526710": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectVersionAcl", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:ListBucket", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":s3:::", { "Ref": "DestinationBucket", }, "/*", ], ], }, "Sid": "S3Read", }, { "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectTagging", "s3:GetObjectVersionTagging", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":s3:::", { "Ref": "MediaExchangeBucket", }, "/*", ], ], }, "Sid": "S3Write", }, { "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey", ], "Effect": "Allow", "Resource": "*", "Sid": "kms", }, ], "Version": "2012-10-17", }, "PolicyName": "CustomResourcePolicy79526710", "Roles": [ { "Ref": "AWSLambdaBasicExecutionRole5C117F0B", }, ], }, "Type": "AWS::IAM::Policy", }, "DLQ581697C4": { "DeletionPolicy": "Delete", "Properties": { "MessageRetentionPeriod": 1209600, "SqsManagedSseEnabled": true, }, "Type": "AWS::SQS::Queue", "UpdateReplacePolicy": "Delete", }, "DriverFunction5A795A9A": { "DependsOn": [ "AWSLambdaBasicExecutionRoleDefaultPolicy4109A968", "AWSLambdaBasicExecutionRole5C117F0B", "CustomResourcePolicy79526710", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "8b6be34614b0c77300a19384f0d04672d19ce2b976e5a3a887bb8c166f42eb69.zip", }, "DeadLetterConfig": { "TargetArn": { "Fn::GetAtt": [ "DLQ581697C4", "Arn", ], }, }, "Description": "Lambda function to be triggered by SNS notification", "Environment": { "Variables": { "DESTINATION_BUCKET_NAME": { "Ref": "DestinationBucket", }, "DESTINATION_PREFIX": { "Ref": "DestinationPrefix", }, "LogLevel": "INFO", "SOLUTION_IDENTIFIER": 
"AwsSolution/SO0133/__VERSION__-Autoingest", "SOURCE_BUCKET_NAME": { "Ref": "MediaExchangeBucket", }, "SendAnonymizedMetric": { "Fn::FindInMap": [ "AnonymizedData", "SendAnonymizedData", "Data", ], }, }, }, "FunctionName": { "Fn::Join": [ "", [ { "Ref": "AWS::StackName", }, "-custom-resource", ], ], }, "Handler": "app.lambda_handler", "Role": { "Fn::GetAtt": [ "AWSLambdaBasicExecutionRole5C117F0B", "Arn", ], }, "Runtime": "python3.8", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "DriverFunctionSqsEventSourceAutoIngestNQ8EB4EA145BBBA9F2": { "DependsOn": [ "AWSLambdaBasicExecutionRoleDefaultPolicy4109A968", "AWSLambdaBasicExecutionRole5C117F0B", "CustomResourcePolicy79526710", ], "Properties": { "EventSourceArn": { "Fn::GetAtt": [ "NQ53EB41FA", "Arn", ], }, "FunctionName": { "Ref": "DriverFunction5A795A9A", }, }, "Type": "AWS::Lambda::EventSourceMapping", }, "NQ53EB41FA": { "DeletionPolicy": "Delete", "Properties": { "KmsDataKeyReusePeriodSeconds": 86400, "KmsMasterKeyId": { "Fn::GetAtt": [ "CMK56817A4C", "Arn", ], }, "MessageRetentionPeriod": 86400, "VisibilityTimeout": 900, }, "Type": "AWS::SQS::Queue", "UpdateReplacePolicy": "Delete", }, "NQAutoIngestMXCEventCC065AE1FA597EBB": { "DependsOn": [ "NQPolicy9B0D4BAD", ], "Properties": { "Endpoint": { "Fn::GetAtt": [ "NQ53EB41FA", "Arn", ], }, "Protocol": "sqs", "Region": { "Fn::Select": [ 3, { "Fn::Split": [ ":", { "Ref": "NotificationTopicArn", }, ], }, ], }, "TopicArn": { "Ref": "NotificationTopicArn", }, }, "Type": "AWS::SNS::Subscription", }, "NQPolicy9B0D4BAD": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sqs:SendMessage", "Condition": { "ArnEquals": { "aws:SourceArn": { "Ref": "NotificationTopicArn", }, }, }, "Effect": "Allow", "Principal": { "Service": "sns.amazonaws.com", }, "Resource": { "Fn::GetAtt": [ "NQ53EB41FA", "Arn", ], }, }, ], "Version": "2012-10-17", }, "Queues": [ { "Ref": "NQ53EB41FA", }, ], }, "Type": "AWS::SQS::QueuePolicy", }, "driverFunctionLogGroup3918A2DA": { 
"DeletionPolicy": "Retain", "Properties": { "LogGroupName": { "Fn::Join": [ "", [ "/aws/lambda/", { "Ref": "DriverFunction5A795A9A", }, ], ], }, "RetentionInDays": 30, }, "Type": "AWS::Logs::LogGroup", "UpdateReplacePolicy": "Retain", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`Fixity Repo Stack Test 1`] = ` { "Description": "Cloudformation template for creating ECR Repository.", "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, "RepositoryName": { "Description": "Repository Name", "Type": "String", }, }, "Resources": { "Repo02AC86CF": { "DeletionPolicy": "Retain", "Properties": { "LifecyclePolicy": { "LifecyclePolicyText": "{"rules":[{"rulePriority":1,"description":"keep only one image","selection":{"tagStatus":"any","countType":"imageCountMoreThan","countNumber":1},"action":{"type":"expire"}}]}", }, "RepositoryName": { "Ref": "RepositoryName", }, }, "Type": "AWS::ECR::Repository", "UpdateReplacePolicy": "Retain", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. 
Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`Fixity Stack Test 1`] = ` { "Description": "Template for in-place checksum of objects in S3.", "Mappings": { "AnonymizedData": { "SendAnonymizedData": { "Data": "Yes", }, }, }, "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Deployment Configuration", }, "Parameters": [ "Environment", "ImageName", ], }, ], }, }, "Outputs": { "FixityApiEndpointE9404CE4": { "Value": { "Fn::Join": [ "", [ "https://", { "Ref": "FixityApi395C9171", }, ".execute-api.", { "Ref": "AWS::Region", }, ".", { "Ref": "AWS::URLSuffix", }, "/", { "Ref": "FixityApiDeploymentStagedev01DCCAFA", }, "/", ], ], }, }, "FixtyAPIURL": { "Description": "Fixity endpoint URL", "Export": { "Name": "FixtyAPIURL", }, "Value": { "Fn::Join": [ "", [ "https://", { "Ref": "FixityApi395C9171", }, ".execute-api.", { "Ref": "AWS::Region", }, ".", { "Ref": "AWS::URLSuffix", }, "/", { "Ref": "FixityApiDeploymentStagedev01DCCAFA", }, "/run", ], ], }, }, "FixtyDriverFunctionArn": { "Description": "Fixity Driver Function Arn", "Export": { "Name": "FixtyDriverFunctionArn", }, "Value": { "Fn::GetAtt": [ "DriverFunction5A795A9A", "Arn", ], }, }, "FixtyS3BatchIAMRoleArn": { "Description": "Fixity IAM Role to use with S3 Batch", "Export": { "Name": "FixtyS3BatchIAMRoleArn", }, "Value": { "Fn::GetAtt": [ "S3BatchRole8238262D", "Arn", ], }, }, "FlowLogBucketName": { "Description": "Flow log Bucket Name", "Export": { "Name": "FlowLogBucketName", }, "Value": { "Ref": "FlowLogBucket0863ACCA", }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. 
[cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, "Environment": { "AllowedPattern": "[A-Za-z0-9]+", "ConstraintDescription": "Malformed input-Parameter Environment must only contain uppercase and lowercase letters and numbers", "Default": "dev", "Description": "Deployment Environment Name", "MaxLength": 10, "MinLength": 2, "Type": "String", }, "ImageName": { "Description": "Image Name", "Type": "String", }, }, "Resources": { "ApiFunctionCE271BD4": { "DependsOn": [ "BatchAccessPolicyD8EDC463", "customLambdaRole0806FF97", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "fc69804c8d6623409700af88667911fbf030791fabac8d180324b438bb2d3161.zip", }, "Description": "Lambda function to be invoked by api", "Environment": { "Variables": { "JOB_QUEUE": { "Fn::GetAtt": [ "JobQueue", "JobQueueArn", ], }, "JOB_SIZE_LARGE": { "Ref": "HashJobDefinitionLarge", }, "JOB_SIZE_SMALL": { "Ref": "HashJobDefinitionSmall", }, "JOB_SIZE_THRESHOLD": "10737418240", "LogLevel": "INFO", "SOLUTION_IDENTIFIER": "AwsSolution/SO0133/__VERSION__-Fixity", "SendAnonymizedMetric": { "Fn::FindInMap": [ "AnonymizedData", "SendAnonymizedData", "Data", ], }, }, }, "Handler": "app.api_handler", "MemorySize": 128, "ReservedConcurrentExecutions": 1, "Role": { "Fn::GetAtt": [ "customLambdaRole0806FF97", "Arn", ], }, "Runtime": "python3.8", "Timeout": 10, }, "Type": "AWS::Lambda::Function", }, "ApiFunctionLogGroup00D1AC73": { "DeletionPolicy": "Retain", "Properties": { "LogGroupName": { "Fn::Join": [ "", [ "/aws/lambda/", { "Ref": "ApiFunctionCE271BD4", }, ], ], }, "RetentionInDays": 30, }, "Type": "AWS::Logs::LogGroup", "UpdateReplacePolicy": "Retain", }, "BatchAccessPolicyD8EDC463": { "Properties": { "Description": "", "ManagedPolicyName": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-fixity-lambda-access-policy", ], ], }, "Path": "/", "PolicyDocument": { "Statement": [ { "Action": [ 
"batch:ListJobs", "batch:TagResource", ], "Effect": "Allow", "Resource": "*", }, { "Action": [ "batch:SubmitJob", "batch:DescribeJobs", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:batch:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":job-definition/*", ], ], }, { "Fn::Join": [ "", [ "arn:aws:batch:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":job-queue/*", ], ], }, ], }, { "Action": "kms:Decrypt", "Effect": "Allow", "Resource": "*", "Sid": "kms", }, { "Action": [ "s3:GetObject", "s3:GetObjectVersion", ], "Effect": "Allow", "Resource": "*", "Sid": "s3get", }, ], "Version": "2012-10-17", }, "Roles": [ { "Ref": "customLambdaRole0806FF97", }, ], }, "Type": "AWS::IAM::ManagedPolicy", }, "BatchServiceRole57930367": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "batch.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Description": "Role for batch service.", "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AWSBatchServiceRole", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "DriverFunction5A795A9A": { "DependsOn": [ "BatchAccessPolicyD8EDC463", "customLambdaRole0806FF97", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "fc69804c8d6623409700af88667911fbf030791fabac8d180324b438bb2d3161.zip", }, "Description": "Lambda function to be invoked by s3 batch", "Environment": { "Variables": { "JOB_QUEUE": { "Fn::GetAtt": [ "JobQueue", "JobQueueArn", ], }, "JOB_SIZE_LARGE": { "Ref": "HashJobDefinitionLarge", }, "JOB_SIZE_SMALL": { "Ref": "HashJobDefinitionSmall", }, "JOB_SIZE_THRESHOLD": "10737418240", "LogLevel": "INFO", "SOLUTION_IDENTIFIER": "AwsSolution/SO0133/__VERSION__-Fixity", "SendAnonymizedMetric": { "Fn::FindInMap": [ "AnonymizedData", "SendAnonymizedData", "Data", ], }, }, }, 
"FunctionName": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-fixity", ], ], }, "Handler": "app.s3_batch_handler", "MemorySize": 128, "ReservedConcurrentExecutions": 256, "Role": { "Fn::GetAtt": [ "customLambdaRole0806FF97", "Arn", ], }, "Runtime": "python3.8", "Timeout": 30, }, "Type": "AWS::Lambda::Function", }, "DriverFunctionLogGroup25B662C7": { "DeletionPolicy": "Retain", "Properties": { "LogGroupName": { "Fn::Join": [ "", [ "/aws/lambda/", { "Ref": "DriverFunction5A795A9A", }, ], ], }, "RetentionInDays": 30, }, "Type": "AWS::Logs::LogGroup", "UpdateReplacePolicy": "Retain", }, "EC2SPOTComputeEnvironment": { "Properties": { "ComputeResources": { "AllocationStrategy": "SPOT_CAPACITY_OPTIMIZED", "DesiredvCpus": 0, "InstanceRole": { "Fn::GetAtt": [ "IAMInstanceProfile", "Arn", ], }, "InstanceTypes": [ "c5n", "m5zn", "m5n", "m5dn", "r5n", "r5dn", ], "MaxvCpus": 1024, "MinvCpus": 0, "SecurityGroupIds": [ { "Fn::GetAtt": [ "SecurityGroupDD263621", "GroupId", ], }, ], "SpotIamFleetRole": { "Fn::GetAtt": [ "SPOTFleetRole276A2D27", "Arn", ], }, "Subnets": [ { "Ref": "VpcSubnetOneSubnet1SubnetF56C8B02", }, { "Ref": "VpcSubnetOneSubnet2SubnetE9E15838", }, { "Ref": "VpcSubnetTwoSubnet1SubnetC66B3A49", }, { "Ref": "VpcSubnetTwoSubnet2Subnet381F1BB7", }, ], "Type": "SPOT", }, "ServiceRole": { "Fn::GetAtt": [ "BatchServiceRole57930367", "Arn", ], }, "Type": "MANAGED", }, "Type": "AWS::Batch::ComputeEnvironment", }, "ECSInstanceRole5196E36E": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Description": "Role for batch instance profile.", "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "ExecutionRole605A040B": { "Properties": { 
"AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Description": "Role for execution.", "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "FixityApi395C9171": { "Properties": { "EndpointConfiguration": { "Types": [ "REGIONAL", ], }, "Name": "FixityApi", }, "Type": "AWS::ApiGateway::RestApi", }, "FixityApiAccount87F0D157": { "DeletionPolicy": "Retain", "DependsOn": [ "FixityApi395C9171", ], "Properties": { "CloudWatchRoleArn": { "Fn::GetAtt": [ "FixityApiCloudWatchRole7A70D769", "Arn", ], }, }, "Type": "AWS::ApiGateway::Account", "UpdateReplacePolicy": "Retain", }, "FixityApiCloudWatchRole7A70D769": { "DeletionPolicy": "Retain", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "apigateway.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs", ], ], }, ], }, "Type": "AWS::IAM::Role", "UpdateReplacePolicy": "Retain", }, "FixityApiDeployment5B361552e01113cff4f52c96bbac00fd437f8813": { "DependsOn": [ "FixityApiOPTIONS6D27A527", "FixityApirunOPTIONSAD15F5C4", "FixityApirunPOSTD61C8EA6", "FixityApirunD4C3014A", ], "Properties": { "Description": "Automatically created by the RestApi construct", "RestApiId": { "Ref": "FixityApi395C9171", }, }, "Type": "AWS::ApiGateway::Deployment", }, "FixityApiDeploymentStagedev01DCCAFA": { "DependsOn": [ "FixityApiAccount87F0D157", ], "Properties": { "DeploymentId": { "Ref": "FixityApiDeployment5B361552e01113cff4f52c96bbac00fd437f8813", }, "MethodSettings": [ { "DataTraceEnabled": true, "HttpMethod": "*", "ResourcePath": "/*", }, ], 
"RestApiId": { "Ref": "FixityApi395C9171", }, "StageName": "dev", }, "Type": "AWS::ApiGateway::Stage", }, "FixityApiOPTIONS6D27A527": { "Properties": { "AuthorizationType": "NONE", "HttpMethod": "OPTIONS", "Integration": { "IntegrationResponses": [ { "ResponseParameters": { "method.response.header.Access-Control-Allow-Headers": "'X-Forwarded-For'", "method.response.header.Access-Control-Allow-Methods": "'POST'", "method.response.header.Access-Control-Allow-Origin": "'*'", "method.response.header.Access-Control-Max-Age": "'1200'", }, "StatusCode": "204", }, ], "RequestTemplates": { "application/json": "{ statusCode: 200 }", }, "Type": "MOCK", }, "MethodResponses": [ { "ResponseParameters": { "method.response.header.Access-Control-Allow-Headers": true, "method.response.header.Access-Control-Allow-Methods": true, "method.response.header.Access-Control-Allow-Origin": true, "method.response.header.Access-Control-Max-Age": true, }, "StatusCode": "204", }, ], "ResourceId": { "Fn::GetAtt": [ "FixityApi395C9171", "RootResourceId", ], }, "RestApiId": { "Ref": "FixityApi395C9171", }, }, "Type": "AWS::ApiGateway::Method", }, "FixityApirunD4C3014A": { "Properties": { "ParentId": { "Fn::GetAtt": [ "FixityApi395C9171", "RootResourceId", ], }, "PathPart": "run", "RestApiId": { "Ref": "FixityApi395C9171", }, }, "Type": "AWS::ApiGateway::Resource", }, "FixityApirunOPTIONSAD15F5C4": { "Properties": { "AuthorizationType": "NONE", "HttpMethod": "OPTIONS", "Integration": { "IntegrationResponses": [ { "ResponseParameters": { "method.response.header.Access-Control-Allow-Headers": "'X-Forwarded-For'", "method.response.header.Access-Control-Allow-Methods": "'POST'", "method.response.header.Access-Control-Allow-Origin": "'*'", "method.response.header.Access-Control-Max-Age": "'1200'", }, "StatusCode": "204", }, ], "RequestTemplates": { "application/json": "{ statusCode: 200 }", }, "Type": "MOCK", }, "MethodResponses": [ { "ResponseParameters": { 
"method.response.header.Access-Control-Allow-Headers": true, "method.response.header.Access-Control-Allow-Methods": true, "method.response.header.Access-Control-Allow-Origin": true, "method.response.header.Access-Control-Max-Age": true, }, "StatusCode": "204", }, ], "ResourceId": { "Ref": "FixityApirunD4C3014A", }, "RestApiId": { "Ref": "FixityApi395C9171", }, }, "Type": "AWS::ApiGateway::Method", }, "FixityApirunPOSTApiPermissionFixityFixityApi01284BB9POSTrunE7EC24EE": { "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "ApiFunctionCE271BD4", "Arn", ], }, "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":execute-api:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":", { "Ref": "FixityApi395C9171", }, "/", { "Ref": "FixityApiDeploymentStagedev01DCCAFA", }, "/POST/run", ], ], }, }, "Type": "AWS::Lambda::Permission", }, "FixityApirunPOSTApiPermissionTestFixityFixityApi01284BB9POSTrun21D8DA41": { "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "ApiFunctionCE271BD4", "Arn", ], }, "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":execute-api:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":", { "Ref": "FixityApi395C9171", }, "/test-invoke-stage/POST/run", ], ], }, }, "Type": "AWS::Lambda::Permission", }, "FixityApirunPOSTD61C8EA6": { "Properties": { "AuthorizationType": "AWS_IAM", "HttpMethod": "POST", "Integration": { "IntegrationHttpMethod": "POST", "Type": "AWS_PROXY", "Uri": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":apigateway:", { "Ref": "AWS::Region", }, ":lambda:path/2015-03-31/functions/", { "Fn::GetAtt": [ "ApiFunctionCE271BD4", "Arn", ], }, "/invocations", ], ], }, }, "ResourceId": { "Ref": "FixityApirunD4C3014A", }, "RestApiId": { "Ref": "FixityApi395C9171", }, }, "Type": "AWS::ApiGateway::Method", }, 
"FlowLogBucket0863ACCA": { "DeletionPolicy": "Retain", "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LifecycleConfiguration": { "Rules": [ { "Id": "Expire", "Status": "Enabled", "Transitions": [ { "StorageClass": "GLACIER", "TransitionInDays": 90, }, ], }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "VersioningConfiguration": { "Status": "Enabled", }, }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Retain", }, "FlowLogBucketPolicyD22C263C": { "Properties": { "Bucket": { "Ref": "FlowLogBucket0863ACCA", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "FlowLogBucket0863ACCA", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FlowLogBucket0863ACCA", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": false, }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FlowLogBucket0863ACCA", "Arn", ], }, "/*", ], ], }, "Sid": "RequireTLS", }, { "Action": "s3:PutObject", "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control", }, }, "Effect": "Allow", "Principal": { "Service": "delivery.logs.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "FlowLogBucket0863ACCA", }, "/flow-logs/AWSLogs/*", ], ], }, "Sid": "AWSLogDeliveryWrite", }, { "Action": "s3:GetBucketAcl", "Effect": "Allow", "Principal": { "Service": "delivery.logs.amazonaws.com", }, "Resource": { "Fn::GetAtt": [ "FlowLogBucket0863ACCA", "Arn", ], }, "Sid": "AWSLogDeliveryAclCheck", }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "HashJobDefinitionLarge": { "Properties": { 
"ContainerProperties": { "Command": [ "Ref::Bucket", "Ref::Key", "32", ], "Image": { "Ref": "ImageName", }, "JobRoleArn": { "Fn::GetAtt": [ "JobRole014917C6", "Arn", ], }, "Memory": 16384, "Vcpus": 16, }, "RetryStrategy": { "Attempts": 3, }, "Type": "container", }, "Type": "AWS::Batch::JobDefinition", }, "HashJobDefinitionSmall": { "Properties": { "ContainerProperties": { "Command": [ "Ref::Bucket", "Ref::Key", "2", ], "Image": { "Ref": "ImageName", }, "JobRoleArn": { "Fn::GetAtt": [ "JobRole014917C6", "Arn", ], }, "Memory": 2048, "Vcpus": 1, }, "RetryStrategy": { "Attempts": 3, }, "Type": "container", }, "Type": "AWS::Batch::JobDefinition", }, "IAMInstanceProfile": { "Properties": { "Roles": [ { "Ref": "ECSInstanceRole5196E36E", }, ], }, "Type": "AWS::IAM::InstanceProfile", }, "JobQueue": { "Properties": { "ComputeEnvironmentOrder": [ { "ComputeEnvironment": { "Fn::GetAtt": [ "EC2SPOTComputeEnvironment", "ComputeEnvironmentArn", ], }, "Order": 1, }, ], "JobQueueName": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-fixity-ec2spot", ], ], }, "Priority": 1, }, "Type": "AWS::Batch::JobQueue", }, "JobRole014917C6": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Description": "Role for job", }, "Type": "AWS::IAM::Role", }, "KMSAndS3C30607E4": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject", "s3:GetObjectVersion", ], "Effect": "Allow", "Resource": "*", }, { "Action": [ "s3:PutObjectTagging", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts", ], "Effect": "Allow", "Resource": "*", }, { "Action": [ "kms:Decrypt", "kms:GenerateDataKey*", ], "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "KMSAndS3", "Roles": [ { "Ref": "JobRole014917C6", }, ], }, "Type": "AWS::IAM::Policy", }, "S3BatchRole8238262D": { 
"Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "batchoperations.s3.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Description": "Role for s3 batch job", "RoleName": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-fixity-role", ], ], }, }, "Type": "AWS::IAM::Role", }, "S3BatchRolePolicyA37749C0": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectAcl", "s3:GetObjectVersionAcl", "s3:GetObjectTagging", "s3:GetObjectVersionTagging", "s3:PutObject", "lambda:InvokeFunction", ], "Effect": "Allow", "Resource": "*", }, { "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey", ], "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "S3BatchRolePolicy", "Roles": [ { "Ref": "S3BatchRole8238262D", }, ], }, "Type": "AWS::IAM::Policy", }, "SPOTFleetRole276A2D27": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "spotfleet.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Description": "Role for spot fleet.", "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "SecurityGroupDD263621": { "Properties": { "GroupDescription": "Default/Fixity/SecurityGroup", "SecurityGroupEgress": [ { "CidrIp": "0.0.0.0/0", "Description": "Allow all outbound traffic by default", "IpProtocol": "-1", }, ], "VpcId": { "Ref": "Vpc8378EB38", }, }, "Type": "AWS::EC2::SecurityGroup", }, "SecurityGroupIngress": { "Properties": { "GroupId": { "Fn::GetAtt": [ "SecurityGroupDD263621", "GroupId", ], }, "IpProtocol": "-1", "SourceSecurityGroupId": { "Fn::GetAtt": [ "SecurityGroupDD263621", "GroupId", ], }, }, 
"Type": "AWS::EC2::SecurityGroupIngress", }, "VPCLogDeliveringToS3FlowLogB09008BF": { "DependsOn": [ "FlowLogBucketPolicyD22C263C", ], "Properties": { "LogDestination": { "Fn::GetAtt": [ "FlowLogBucket0863ACCA", "Arn", ], }, "LogDestinationType": "s3", "MaxAggregationInterval": 60, "ResourceId": { "Ref": "Vpc8378EB38", }, "ResourceType": "VPC", "TrafficType": "ALL", }, "Type": "AWS::EC2::FlowLog", }, "Vpc8378EB38": { "Properties": { "CidrBlock": "10.0.0.0/16", "EnableDnsHostnames": true, "EnableDnsSupport": true, "InstanceTenancy": "default", "Tags": [ { "Key": "Name", "Value": "MediaExchange Fixity", }, ], }, "Type": "AWS::EC2::VPC", }, "VpcIGWD7BA715C": { "Properties": { "Tags": [ { "Key": "Name", "Value": "MediaExchange Fixity", }, ], }, "Type": "AWS::EC2::InternetGateway", }, "VpcSubnetOneSubnet1DefaultRoute31FF3BC6": { "DependsOn": [ "VpcVPCGWBF912B6E", ], "Properties": { "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": { "Ref": "VpcIGWD7BA715C", }, "RouteTableId": { "Ref": "VpcSubnetOneSubnet1RouteTableDD201DD2", }, }, "Type": "AWS::EC2::Route", }, "VpcSubnetOneSubnet1RouteTableAssociation4481E95A": { "Properties": { "RouteTableId": { "Ref": "VpcSubnetOneSubnet1RouteTableDD201DD2", }, "SubnetId": { "Ref": "VpcSubnetOneSubnet1SubnetF56C8B02", }, }, "Type": "AWS::EC2::SubnetRouteTableAssociation", }, "VpcSubnetOneSubnet1RouteTableDD201DD2": { "Properties": { "Tags": [ { "Key": "Name", "Value": "Default/Fixity/Vpc/SubnetOneSubnet1", }, ], "VpcId": { "Ref": "Vpc8378EB38", }, }, "Type": "AWS::EC2::RouteTable", }, "VpcSubnetOneSubnet1SubnetF56C8B02": { "Properties": { "AvailabilityZone": { "Fn::Select": [ 0, { "Fn::GetAZs": "", }, ], }, "CidrBlock": "10.0.0.0/24", "MapPublicIpOnLaunch": true, "Tags": [ { "Key": "aws-cdk:subnet-name", "Value": "SubnetOne", }, { "Key": "aws-cdk:subnet-type", "Value": "Public", }, { "Key": "Name", "Value": "Default/Fixity/Vpc/SubnetOneSubnet1", }, ], "VpcId": { "Ref": "Vpc8378EB38", }, }, "Type": "AWS::EC2::Subnet", }, 
"VpcSubnetOneSubnet2DefaultRouteED9346C1": { "DependsOn": [ "VpcVPCGWBF912B6E", ], "Properties": { "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": { "Ref": "VpcIGWD7BA715C", }, "RouteTableId": { "Ref": "VpcSubnetOneSubnet2RouteTableA0E51D97", }, }, "Type": "AWS::EC2::Route", }, "VpcSubnetOneSubnet2RouteTableA0E51D97": { "Properties": { "Tags": [ { "Key": "Name", "Value": "Default/Fixity/Vpc/SubnetOneSubnet2", }, ], "VpcId": { "Ref": "Vpc8378EB38", }, }, "Type": "AWS::EC2::RouteTable", }, "VpcSubnetOneSubnet2RouteTableAssociation954B832E": { "Properties": { "RouteTableId": { "Ref": "VpcSubnetOneSubnet2RouteTableA0E51D97", }, "SubnetId": { "Ref": "VpcSubnetOneSubnet2SubnetE9E15838", }, }, "Type": "AWS::EC2::SubnetRouteTableAssociation", }, "VpcSubnetOneSubnet2SubnetE9E15838": { "Properties": { "AvailabilityZone": { "Fn::Select": [ 1, { "Fn::GetAZs": "", }, ], }, "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": true, "Tags": [ { "Key": "aws-cdk:subnet-name", "Value": "SubnetOne", }, { "Key": "aws-cdk:subnet-type", "Value": "Public", }, { "Key": "Name", "Value": "Default/Fixity/Vpc/SubnetOneSubnet2", }, ], "VpcId": { "Ref": "Vpc8378EB38", }, }, "Type": "AWS::EC2::Subnet", }, "VpcSubnetTwoSubnet1DefaultRouteD3C8C373": { "DependsOn": [ "VpcVPCGWBF912B6E", ], "Properties": { "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": { "Ref": "VpcIGWD7BA715C", }, "RouteTableId": { "Ref": "VpcSubnetTwoSubnet1RouteTableE8645C8B", }, }, "Type": "AWS::EC2::Route", }, "VpcSubnetTwoSubnet1RouteTableAssociation44558623": { "Properties": { "RouteTableId": { "Ref": "VpcSubnetTwoSubnet1RouteTableE8645C8B", }, "SubnetId": { "Ref": "VpcSubnetTwoSubnet1SubnetC66B3A49", }, }, "Type": "AWS::EC2::SubnetRouteTableAssociation", }, "VpcSubnetTwoSubnet1RouteTableE8645C8B": { "Properties": { "Tags": [ { "Key": "Name", "Value": "Default/Fixity/Vpc/SubnetTwoSubnet1", }, ], "VpcId": { "Ref": "Vpc8378EB38", }, }, "Type": "AWS::EC2::RouteTable", }, "VpcSubnetTwoSubnet1SubnetC66B3A49": { "Properties": { 
"AvailabilityZone": { "Fn::Select": [ 0, { "Fn::GetAZs": "", }, ], }, "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": true, "Tags": [ { "Key": "aws-cdk:subnet-name", "Value": "SubnetTwo", }, { "Key": "aws-cdk:subnet-type", "Value": "Public", }, { "Key": "Name", "Value": "Default/Fixity/Vpc/SubnetTwoSubnet1", }, ], "VpcId": { "Ref": "Vpc8378EB38", }, }, "Type": "AWS::EC2::Subnet", }, "VpcSubnetTwoSubnet2DefaultRoute65025AE7": { "DependsOn": [ "VpcVPCGWBF912B6E", ], "Properties": { "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": { "Ref": "VpcIGWD7BA715C", }, "RouteTableId": { "Ref": "VpcSubnetTwoSubnet2RouteTable87108024", }, }, "Type": "AWS::EC2::Route", }, "VpcSubnetTwoSubnet2RouteTable87108024": { "Properties": { "Tags": [ { "Key": "Name", "Value": "Default/Fixity/Vpc/SubnetTwoSubnet2", }, ], "VpcId": { "Ref": "Vpc8378EB38", }, }, "Type": "AWS::EC2::RouteTable", }, "VpcSubnetTwoSubnet2RouteTableAssociation4B7AFE93": { "Properties": { "RouteTableId": { "Ref": "VpcSubnetTwoSubnet2RouteTable87108024", }, "SubnetId": { "Ref": "VpcSubnetTwoSubnet2Subnet381F1BB7", }, }, "Type": "AWS::EC2::SubnetRouteTableAssociation", }, "VpcSubnetTwoSubnet2Subnet381F1BB7": { "Properties": { "AvailabilityZone": { "Fn::Select": [ 1, { "Fn::GetAZs": "", }, ], }, "CidrBlock": "10.0.3.0/24", "MapPublicIpOnLaunch": true, "Tags": [ { "Key": "aws-cdk:subnet-name", "Value": "SubnetTwo", }, { "Key": "aws-cdk:subnet-type", "Value": "Public", }, { "Key": "Name", "Value": "Default/Fixity/Vpc/SubnetTwoSubnet2", }, ], "VpcId": { "Ref": "Vpc8378EB38", }, }, "Type": "AWS::EC2::Subnet", }, "VpcVPCGWBF912B6E": { "Properties": { "InternetGatewayId": { "Ref": "VpcIGWD7BA715C", }, "VpcId": { "Ref": "Vpc8378EB38", }, }, "Type": "AWS::EC2::VPCGatewayAttachment", }, "customLambdaRole0806FF97": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, 
"ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ], ], }, ], "RoleName": "customLambdaRole", }, "Type": "AWS::IAM::Role", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`ME Stack Test 1`] = ` { "Description": "(SO0133) - Media Exchange on AWS __VERSION__ - mediaexchange service catalog setup", "Mappings": { "AnonymizedData": { "SendAnonymizedData": { "Data": "Yes", }, }, }, "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Deployment Configuration", }, "Parameters": [ "Environment", ], }, { "Label": { "default": "Support information", }, "Parameters": [ "Owner", "OwnerEmails", ], }, ], }, }, "Outputs": { "AgreementProductId": { "Description": "ProductId of the agreement product", "Export": { "Name": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-sc-agreement-productid", ], ], }, }, "Value": { "Ref": "Agreement71CF0F8A", }, }, "CFNDeployerRole": { "Description": "Deployment Role", "Export": { "Name": "CFNDeployerRole", }, "Value": { "Fn::GetAtt": [ "CFNRole8221A0F7", "Arn", ], }, }, "ConsoleUrl": { "Description": "ServiceCatalog portfolio manager url.", "Value": { "Fn::Join": [ "", [ "https://signin.aws.amazon.com/switchrole?roleName=", { "Ref": "ServiceCatalogUserRoleDD7EA55E", }, "&account=", { "Ref": "AWS::AccountId", }, "&region=", { "Ref": "AWS::Region", }, "&redirect_uri=https://console.aws.amazon.com/servicecatalog/home?region=", { "Ref": "AWS::Region", }, "&isSceuc=true#/products", ], ], }, }, "PublisherProductId": { "Description": "ProductId of the publisher product", "Export": { "Name": {
"Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-sc-publisher-productid", ], ], }, }, "Value": { "Ref": "PublisherF0355618", }, }, "SubscriberProductId": { "Description": "ProductId of the subscriber product", "Export": { "Name": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-sc-subscriber-productid", ], ], }, }, "Value": { "Ref": "Subscriber1956AC64", }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, "Environment": { "AllowedPattern": "[A-Za-z0-9]+", "ConstraintDescription": "Malformed input-Parameter Environment must only contain uppercase and lowercase letters and numbers", "Default": "dev", "Description": "Deployment Environment Name", "MaxLength": 10, "MinLength": 2, "Type": "String", }, "Owner": { "AllowedPattern": "[A-Za-z0-9]+", "ConstraintDescription": "Malformed input-Parameter Owner must only contain uppercase and lowercase letters and numbers", "Default": "mediaops", "Description": "Maintainer Group", "MaxLength": 64, "MinLength": 2, "Type": "String", }, "OwnerEmails": { "AllowedPattern": "^[_A-Za-z0-9-\\+]+(\\.[_A-Za-z0-9-]+)*@[A-Za-z0-9-]+(\\.[A-Za-z0-9]+)*(\\.[A-Za-z]{2,})$", "Default": "mediaops@mycompany.com", "Description": "Maintainer Group Email", "Type": "String", }, }, "Resources": { "Agreement71CF0F8A": { "Properties": { "Description": "Template to setup shared S3 bucket between publisher and subscriber interchange.", "Distributor": "AWS Solutions Library / Media Exchange On AWS", "Name": "Transfer agreement", "Owner": { "Ref": "Owner", }, "ProvisioningArtifactParameters": [ { "DisableTemplateValidation": false, "Info": { "LoadTemplateFromURL": "https://s3.amazonaws.com/__BUCKET_NAME__/__SOLUTION_NAME__/__VERSION__/agreement.template", }, 
"Name": "latest", }, { "DisableTemplateValidation": false, "Info": { "LoadTemplateFromURL": "https://s3.amazonaws.com/__BUCKET_NAME__/__SOLUTION_NAME__/__VERSION__/agreement.template", }, "Name": "__VERSION__", }, ], "SupportDescription": "Please contact mediaops", "SupportEmail": { "Ref": "OwnerEmails", }, "SupportUrl": "https://mediaops.mycompany.com", "Tags": [ { "Key": "SolutionId", "Value": "SO0133", }, ], }, "Type": "AWS::ServiceCatalog::CloudFormationProduct", }, "AnonymousMetric": { "DeletionPolicy": "Delete", "Properties": { "Resource": "AnonymousMetric", "SendAnonymizedMetric": { "Fn::FindInMap": [ "AnonymizedData", "SendAnonymizedData", "Data", ], }, "ServiceToken": { "Fn::GetAtt": [ "CustomResource8CDCD7A7", "Arn", ], }, "SolutionId": "SO0133", "UUID": { "Fn::GetAtt": [ "UUID", "UUID", ], }, "Version": "__VERSION__", }, "Type": "AWS::CloudFormation::CustomResource", "UpdateReplacePolicy": "Delete", }, "AppRegistryApp5349BE86": { "DependsOn": [ "DefaultApplicationAttributeGroup41AD7209", ], "Properties": { "Description": "Service Catalog application to track and manage all your resources. 
The SolutionId is SO0133 and SolutionVersion is __VERSION__.", "Name": { "Fn::Join": [ "", [ "media-exchange-on-aws-", { "Ref": "AWS::Region", }, "-", { "Ref": "AWS::AccountId", }, ], ], }, "Tags": { "SolutionId": "SO0133", "Solutions:ApplicationType": "AWS-Solutions", "Solutions:SolutionId": "SO0133", "Solutions:SolutionName": "Media Exchange on AWS", "Solutions:SolutionVersion": "__VERSION__", }, }, "Type": "AWS::ServiceCatalogAppRegistry::Application", }, "AppRegistryAppAttributeGroupAssociation4145785cc1bc6ECC45F4": { "DependsOn": [ "DefaultApplicationAttributeGroup41AD7209", ], "Properties": { "Application": { "Fn::GetAtt": [ "AppRegistryApp5349BE86", "Id", ], }, "AttributeGroup": { "Fn::GetAtt": [ "DefaultApplicationAttributeGroup41AD7209", "Id", ], }, }, "Type": "AWS::ServiceCatalogAppRegistry::AttributeGroupAssociation", }, "AppRegistryAppResourceAssociationc49dc6eb96805533F2F5": { "DependsOn": [ "DefaultApplicationAttributeGroup41AD7209", ], "Properties": { "Application": { "Fn::GetAtt": [ "AppRegistryApp5349BE86", "Id", ], }, "Resource": { "Ref": "AWS::StackId", }, "ResourceType": "CFN_STACK", }, "Type": "AWS::ServiceCatalogAppRegistry::ResourceAssociation", }, "CFNDeployRole29D10EDC": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "F3", "reason": "(F3) IAM role should not allow * action on its permissions policy: Many of the resources created/updated/deleted by this role is created on the fly, as part of the normal usage ot the solution. 
So, the names are not known at the deployment time.", }, { "id": "F38", "reason": "(F38) IAM role should not allow * resource with PassRole action on its permissions policy: See #F3", }, { "id": "W11", "reason": "(W11) IAM role should not allow * resource on its permissions policy: See #F3", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "servicecatalog.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Description": "Role for ServiceCatalog/Cloudformation.", "Tags": [ { "Key": "SolutionId", "Value": "SO0133", }, ], }, "Type": "AWS::IAM::Role", }, "CFNRole8221A0F7": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "(W11) IAM role should not allow * resource on its permissions policy: Many of the resources created/updated/deleted by this role is created on the fly, as part of the normal usage ot the solution. So, the names are not known at the deployment time.", }, { "id": "W28", "reason": "(W28) Resource found with an explicit name, this disallows updates that require replacement of this resource", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "cloudformation.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Description": "Service role for Service Catalog portfolio deploy", "RoleName": { "Fn::Join": [ "", [ "mediaexchange-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-cfn-deploy", ], ], }, "Tags": [ { "Key": "SolutionId", "Value": "SO0133", }, ], }, "Type": "AWS::IAM::Role", }, "CustomResource8CDCD7A7": { "DependsOn": [ "CustomResourcePolicy79526710", "CustomResourceRoleMetrics802C29BA", ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "Invalid warning: function has access to cloudwatch", }, { "id": "W89", "reason": "This CustomResource does not need to be deployed inside a VPC", }, { 
"id": "W92", "reason": "This CustomResource does not need to define ReservedConcurrentExecutions to reserve simultaneous executions", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "de8675a52f7c7aa58be306cf7cc856d32e65aef73b043b0e8cf83a27ec07f63a.zip", }, "Description": "Used to deploy resources not supported by CloudFormation", "Environment": { "Variables": { "SOLUTION_IDENTIFIER": "AwsSolution/SO0133/__VERSION__", }, }, "FunctionName": { "Fn::Join": [ "", [ { "Ref": "AWS::StackName", }, "-custom-resource", ], ], }, "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "CustomResourceRoleMetrics802C29BA", "Arn", ], }, "Runtime": "nodejs18.x", "Tags": [ { "Key": "SolutionId", "Value": "SO0133", }, ], "Timeout": 30, }, "Type": "AWS::Lambda::Function", }, "CustomResourcePolicy79526710": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Resource ARNs are not generated at the time of policy creation", }, ], }, "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "(W11) IAM role should not allow * resource on its permissions policy: Many of the resources created/updated/deleted by this role is created on the fly, as part of the normal usage ot the solution. 
So, the names are not known at the deployment time.", }, { "id": "W28", "reason": "(W28) Resource found with an explicit name, this disallows updates that require replacement of this resource", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks", "cloudformation:SetStackPolicy", "cloudformation:ValidateTemplate", "cloudformation:UpdateStack", "cloudformation:CreateChangeSet", "cloudformation:DescribeChangeSet", "cloudformation:ExecuteChangeSet", "cloudformation:ListChangeSets", "cloudformation:DeleteChangeSet", "cloudformation:TagResource", "cloudformation:ListStacks", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":cloudformation:*:*:stack/*", ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":cloudformation:*:*:changeSet/*", ], ], }, ], }, { "Action": [ "cloudformation:GetTemplateSummary", "servicecatalog:DescribeProduct", "servicecatalog:DescribeProvisioningParameters", "servicecatalog:ListLaunchPaths", "servicecatalog:ProvisionProduct", "ssm:DescribeDocument", "ssm:GetAutomationExecution", "config:DescribeConfigurationRecorders", "config:DescribeConfigurationRecorderStatus", ], "Effect": "Allow", "Resource": "*", }, { "Action": [ "servicecatalog:DescribeProvisionedProduct", "servicecatalog:DescribeRecord", "servicecatalog:ListRecordHistory", "servicecatalog:ListStackInstancesForProvisionedProduct", "servicecatalog:TerminateProvisionedProduct", "servicecatalog:UpdateProvisionedProduct", "servicecatalog:CreateProvisionedProductPlan", "servicecatalog:DescribeProvisionedProductPlan", "servicecatalog:ExecuteProvisionedProductPlan", "servicecatalog:DeleteProvisionedProductPlan", "servicecatalog:ListProvisionedProductPlans", ], "Condition": { "StringEquals": { "servicecatalog:accountLevel": "self", }, }, "Effect": "Allow", "Resource": "*", }, ], 
"Version": "2012-10-17", }, "PolicyName": "mxc-servicecatalog-cfn", "Roles": [ { "Ref": "CFNRole8221A0F7", }, ], }, "Type": "AWS::IAM::Policy", }, "CustomResourcePolicyMetricsAA460E9C": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "* is required to create CloudWatch logs and interact with metrics actions that do not support resource level permissions", }, { "id": "W76", "reason": "High complexity due to number of policy statements needed for creating all custom resources", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/*", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "CustomResourcePolicyMetricsAA460E9C", "Roles": [ { "Ref": "CustomResourceRoleMetrics802C29BA", }, ], }, "Type": "AWS::IAM::Policy", }, "CustomResourceRoleMetrics802C29BA": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "* is required to create CloudWatch logs and interact with metrics actions that do not support resource level permissions", }, { "id": "W76", "reason": "All policies are required by the custom resource.", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Tags": [ { "Key": "SolutionId", "Value": "SO0133", }, ], }, "Type": "AWS::IAM::Role", }, "DefaultApplicationAttributeGroup41AD7209": { "Properties": { "Attributes": { "ApplicationType": "AWS-Solutions", "SolutionID": "SO0133", "SolutionName": "Media Exchange on AWS", "Version": "__VERSION__", }, "Description": "Attribute group for solution information.", "Name": { "Fn::Join": [ "", [ "SO0133-", { "Ref": "AWS::Region", }, 
"-", { "Ref": "AWS::StackName", }, ], ], }, "Tags": { "SolutionId": "SO0133", }, }, "Type": "AWS::ServiceCatalogAppRegistry::AttributeGroup", }, "LaunchRoleConstraintAgreement": { "DependsOn": [ "Agreement71CF0F8A", "CFNDeployRole29D10EDC", "PortfolioPortfolioProductAssociation2bf891e1ad387E78CFC0", "PortfolioPortfolioProductAssociation31b7c2e17ecb9B43E3EA", "PortfolioPortfolioProductAssociation746522ae61ef533D63EF", "Portfolio856A4190", ], "Properties": { "Description": "Administrative role for deploying publisher & subscriber agreement to Media Exchange", "LocalRoleName": { "Ref": "CFNDeployRole29D10EDC", }, "PortfolioId": { "Ref": "Portfolio856A4190", }, "ProductId": { "Ref": "Agreement71CF0F8A", }, }, "Type": "AWS::ServiceCatalog::LaunchRoleConstraint", }, "LaunchRoleConstraintPublisher": { "DependsOn": [ "CFNDeployRole29D10EDC", "PortfolioPortfolioProductAssociation2bf891e1ad387E78CFC0", "PortfolioPortfolioProductAssociation31b7c2e17ecb9B43E3EA", "PortfolioPortfolioProductAssociation746522ae61ef533D63EF", "Portfolio856A4190", "PublisherF0355618", ], "Properties": { "Description": "Administrative role for deploying publishers to Media Exchange", "LocalRoleName": { "Ref": "CFNDeployRole29D10EDC", }, "PortfolioId": { "Ref": "Portfolio856A4190", }, "ProductId": { "Ref": "PublisherF0355618", }, }, "Type": "AWS::ServiceCatalog::LaunchRoleConstraint", }, "LaunchRoleConstraintSubscriber": { "DependsOn": [ "CFNDeployRole29D10EDC", "PortfolioPortfolioProductAssociation2bf891e1ad387E78CFC0", "PortfolioPortfolioProductAssociation31b7c2e17ecb9B43E3EA", "PortfolioPortfolioProductAssociation746522ae61ef533D63EF", "Portfolio856A4190", "Subscriber1956AC64", ], "Properties": { "Description": "Administrative role for deploying subscribers to Media Exchange", "LocalRoleName": { "Ref": "CFNDeployRole29D10EDC", }, "PortfolioId": { "Ref": "Portfolio856A4190", }, "ProductId": { "Ref": "Subscriber1956AC64", }, }, "Type": "AWS::ServiceCatalog::LaunchRoleConstraint", }, 
"Portfolio856A4190": { "Properties": { "Description": "Group of products related to Media Exchange On AWS solution.", "DisplayName": "Media Exchange On AWS", "ProviderName": "AWS Solutions Library", "Tags": [ { "Key": "SolutionId", "Value": "SO0133", }, ], }, "Type": "AWS::ServiceCatalog::Portfolio", }, "PortfolioAccessCliRole": { "Properties": { "PortfolioId": { "Ref": "Portfolio856A4190", }, "PrincipalARN": { "Fn::GetAtt": [ "CFNRole8221A0F7", "Arn", ], }, "PrincipalType": "IAM", }, "Type": "AWS::ServiceCatalog::PortfolioPrincipalAssociation", }, "PortfolioAccessUIRole": { "Properties": { "PortfolioId": { "Ref": "Portfolio856A4190", }, "PrincipalARN": { "Fn::GetAtt": [ "ServiceCatalogUserRoleDD7EA55E", "Arn", ], }, "PrincipalType": "IAM", }, "Type": "AWS::ServiceCatalog::PortfolioPrincipalAssociation", }, "PortfolioPortfolioProductAssociation2bf891e1ad387E78CFC0": { "Properties": { "PortfolioId": { "Ref": "Portfolio856A4190", }, "ProductId": { "Ref": "Agreement71CF0F8A", }, }, "Type": "AWS::ServiceCatalog::PortfolioProductAssociation", }, "PortfolioPortfolioProductAssociation31b7c2e17ecb9B43E3EA": { "Properties": { "PortfolioId": { "Ref": "Portfolio856A4190", }, "ProductId": { "Ref": "Subscriber1956AC64", }, }, "Type": "AWS::ServiceCatalog::PortfolioProductAssociation", }, "PortfolioPortfolioProductAssociation746522ae61ef533D63EF": { "Properties": { "PortfolioId": { "Ref": "Portfolio856A4190", }, "ProductId": { "Ref": "PublisherF0355618", }, }, "Type": "AWS::ServiceCatalog::PortfolioProductAssociation", }, "PublisherF0355618": { "Properties": { "Description": "Publisher onboarding template for Media Exchange On AWS Solution", "Distributor": "AWS Solutions Library / Media Exchange On AWS", "Name": "Publisher", "Owner": { "Ref": "Owner", }, "ProvisioningArtifactParameters": [ { "DisableTemplateValidation": false, "Info": { "LoadTemplateFromURL": "https://s3.amazonaws.com/__BUCKET_NAME__/__SOLUTION_NAME__/__VERSION__/publisher.template", }, "Name": "latest", }, { 
"DisableTemplateValidation": false, "Info": { "LoadTemplateFromURL": "https://s3.amazonaws.com/__BUCKET_NAME__/__SOLUTION_NAME__/__VERSION__/publisher.template", }, "Name": "__VERSION__", }, ], "SupportDescription": "Please contact mediaops", "SupportEmail": { "Ref": "OwnerEmails", }, "SupportUrl": "https://mediaops.mycompany.com", "Tags": [ { "Key": "SolutionId", "Value": "SO0133", }, ], }, "Type": "AWS::ServiceCatalog::CloudFormationProduct", }, "ServiceCatalogUserPolicy29358D96": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Resource ARNs are not generated at the time of policy creation", }, ], }, "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "(W11) IAM role should not allow * resource on its permissions policy: Many of the resources created/updated/deleted by this role is created on the fly, as part of the normal usage ot the solution. So, the names are not known at the deployment time.", }, { "id": "W28", "reason": "(W28) Resource found with an explicit name, this disallows updates that require replacement of this resource", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks", "cloudformation:SetStackPolicy", "cloudformation:ValidateTemplate", "cloudformation:UpdateStack", "cloudformation:CreateChangeSet", "cloudformation:DescribeChangeSet", "cloudformation:ExecuteChangeSet", "cloudformation:ListChangeSets", "cloudformation:DeleteChangeSet", "cloudformation:TagResource", "cloudformation:ListStacks", "cloudformation:CreateStackSet", "cloudformation:CreateStackInstances", "cloudformation:UpdateStackSet", "cloudformation:UpdateStackInstances", "cloudformation:DeleteStackSet", "cloudformation:DeleteStackInstances", "cloudformation:DescribeStackSet", "cloudformation:DescribeStackInstance", "cloudformation:DescribeStackSetOperation", 
"cloudformation:ListStackInstances", "cloudformation:ListStackResources", "cloudformation:ListStackSetOperations", "cloudformation:ListStackSetOperationResults", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":cloudformation:*:*:stack/*", ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":cloudformation:*:*:changeSet/*", ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":cloudformation:*:*:stackset/*", ], ], }, ], }, { "Action": [ "cloudformation:GetTemplateSummary", "servicecatalog:DescribeProduct", "servicecatalog:DescribeProvisioningParameters", "servicecatalog:ListLaunchPaths", "servicecatalog:ProvisionProduct", "ssm:DescribeDocument", "ssm:GetAutomationExecution", "config:DescribeConfigurationRecorders", "config:DescribeConfigurationRecorderStatus", "servicecatalog:DescribeProductView", "servicecatalog:SearchProducts", ], "Effect": "Allow", "Resource": "*", }, { "Action": [ "servicecatalog:DescribeProvisionedProduct", "servicecatalog:DescribeRecord", "servicecatalog:ListRecordHistory", "servicecatalog:ListStackInstancesForProvisionedProduct", "servicecatalog:TerminateProvisionedProduct", "servicecatalog:UpdateProvisionedProduct", "servicecatalog:CreateProvisionedProductPlan", "servicecatalog:DescribeProvisionedProductPlan", "servicecatalog:ExecuteProvisionedProductPlan", "servicecatalog:DeleteProvisionedProductPlan", "servicecatalog:ListProvisionedProductPlans", "servicecatalog:ScanProvisionedProducts", "servicecatalog:SearchProvisionedProducts", "servicecatalog:ListServiceActionsForProvisioningArtifact", "servicecatalog:ExecuteProvisionedProductServiceAction", "servicecatalog:DescribeServiceActionExecutionParameters", ], "Condition": { "StringEquals": { "servicecatalog:accountLevel": "self", }, }, "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "mxc-servicecatalog-cfn", "Roles": [ { "Ref": "ServiceCatalogUserRoleDD7EA55E", }, ], }, 
"Type": "AWS::IAM::Policy", }, "ServiceCatalogUserRoleDD7EA55E": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "(W11) IAM role should not allow * resource on its permissions policy: Many of the resources created/updated/deleted by this role is created on the fly, as part of the normal usage ot the solution. So, the names are not known at the deployment time.", }, { "id": "W28", "reason": "(W28) Resource found with an explicit name, this disallows updates that require replacement of this resource", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, }, ], "Version": "2012-10-17", }, "Description": "User role for Service Catalog access", "RoleName": { "Fn::Join": [ "", [ "mediaexchange-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-admin", ], ], }, "Tags": [ { "Key": "SolutionId", "Value": "SO0133", }, ], }, "Type": "AWS::IAM::Role", }, "Subscriber1956AC64": { "Properties": { "Description": "Subscriber onboarding template for Media Exchange On AWS Solution", "Distributor": "AWS Solutions Library / Media Exchange On AWS", "Name": "Subscriber", "Owner": { "Ref": "Owner", }, "ProvisioningArtifactParameters": [ { "DisableTemplateValidation": false, "Info": { "LoadTemplateFromURL": "https://s3.amazonaws.com/__BUCKET_NAME__/__SOLUTION_NAME__/__VERSION__/subscriber.template", }, "Name": "latest", }, { "DisableTemplateValidation": false, "Info": { "LoadTemplateFromURL": "https://s3.amazonaws.com/__BUCKET_NAME__/__SOLUTION_NAME__/__VERSION__/subscriber.template", }, "Name": "__VERSION__", }, ], "SupportDescription": "Please contact mediaops", "SupportEmail": { "Ref": "OwnerEmails", }, "SupportUrl": "https://mediaops.mycompany.com", "Tags": [ { "Key": "SolutionId", "Value": "SO0133", }, ], }, "Type": 
"AWS::ServiceCatalog::CloudFormationProduct", }, "UUID": { "DeletionPolicy": "Delete", "Properties": { "Resource": "UUID", "ServiceToken": { "Fn::GetAtt": [ "CustomResource8CDCD7A7", "Arn", ], }, }, "Type": "AWS::CloudFormation::CustomResource", "UpdateReplacePolicy": "Delete", }, "mxcagreementdeploy5AF167CA": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "F39", "reason": "Resource ARNs are not generated at the time of policy creation", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:List*", "s3:Get*", "s3:Describe*", "s3:CreateBucket", "s3:DeleteBucket", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy", "s3:PutAccountPublicAccessBlock", "s3:PutBucketPublicAccessBlock", "s3:PutBucketLogging", "s3:PutBucketNotification", "s3:PutBucketTagging", "s3:PutBucketVersioning", "s3:PutEncryptionConfiguration", "s3:PutLifecycleConfiguration", "s3:PutBucketOwnershipControls", "s3:DeleteBucketOwnershipControls", "lambda:List*", "lambda:Get*", "lambda:Describe*", "lambda:AddPermission", "lambda:RemovePermission", "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:PublishVersion", "lambda:Update*", "lambda:InvokeFunction*", "lambda:TagResource", "lambda:UntagResource", "iam:CreateRole", "iam:DeleteRole", "iam:CreateServiceLinkedRole", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:GetRolePolicy", "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy", "iam:DeleteRolePolicy", "iam:TagRole", "iam:UntagRole", "iam:GetRole", "iam:PassRole", "events:List*", "events:Get*", "events:Describe*", "events:EnableRule", "events:DisableRule", "events:DeleteRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets", "events:TagResource", "events:UntagResource", "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", ], "Effect": "Allow", "Resource": "*", 
}, ], "Version": "2012-10-17", }, "PolicyName": "mxc-agreement-deploy", "Roles": [ { "Ref": "CFNDeployRole29D10EDC", }, ], }, "Type": "AWS::IAM::Policy", }, "mxcpublisherdeployF0F48070": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Resource ARNs are not generated at the time of policy creation", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "events:PutPermission", "events:RemovePermission", "s3:List*", "s3:Get*", "s3:Describe*", "s3:CreateBucket", "s3:DeleteBucket", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy", "s3:PutBucketAcl", "s3:PutAccountPublicAccessBlock", "s3:PutBucketPublicAccessBlock", "s3:PutBucketLogging", "s3:PutBucketTagging", "s3:PutBucketVersioning", "s3:PutEncryptionConfiguration", "s3:PutLifecycleConfiguration", "sns:Get*", "sns:Describe*", "sns:CreateTopic", "sns:DeleteTopic", "sns:List*", "sns:SetTopicAttributes", "sns:TagResource", "sns:UntagResource", "sns:ListTagsForResource", "sns:Subscribe", "sns:Unsubscribe", "sns:AddPermission", "sns:RemovePermission", "sns:ListSubscriptions", "sns:ListSubscriptionsByTopic", "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", "sqs:RemovePermission", "sqs:AddPermission", "sqs:CreateQueue", "sqs:DeleteQueue", "sqs:GetQueueAttributes", "sqs:SetQueueAttributes", "sqs:GetQueueUrl", "sqs:ListDeadLetterSourceQueues", "sqs:ListQueues", "sqs:ListQueueTags", "sqs:TagQueue", "sqs:UntagQueue", ], "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "mxc-publisher-deploy", "Roles": [ { "Ref": "CFNDeployRole29D10EDC", }, ], }, "Type": "AWS::IAM::Policy", }, "mxcservicecatalogbase1383DD90": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "F4", "reason": "All service catalog actions are allowed", }, ], }, }, 
"Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "servicecatalog:*", "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks", "cloudformation:GetTemplateSummary", "cloudformation:SetStackPolicy", "cloudformation:ValidateTemplate", "cloudformation:UpdateStack", "s3:GetObject", ], "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "mxc-servicecatalog-base", "Roles": [ { "Ref": "CFNDeployRole29D10EDC", }, ], }, "Type": "AWS::IAM::Policy", }, "mxcsubscriberdeploy2C16AE3D": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Resource ARNs are not generated at the time of policy creation", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "sns:Get*", "sns:Describe*", "sns:CreateTopic", "sns:DeleteTopic", "sns:List*", "sns:SetTopicAttributes", "sns:TagResource", "sns:UntagResource", "sns:ListTagsForResource", "sns:Subscribe", "sns:Unsubscribe", "sns:AddPermission", "sns:RemovePermission", "sns:ListSubscriptions", "sns:ListSubscriptionsByTopic", "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", "sqs:RemovePermission", "sqs:AddPermission", "sqs:CreateQueue", "sqs:DeleteQueue", "sqs:GetQueueAttributes", "sqs:SetQueueAttributes", "sqs:GetQueueUrl", "sqs:ListDeadLetterSourceQueues", "sqs:ListQueues", "sqs:ListQueueTags", "sqs:TagQueue", "sqs:UntagQueue", "events:PutPermission", "events:RemovePermission", ], "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "mxc-subscriber-deploy", "Roles": [ { "Ref": "CFNDeployRole29D10EDC", }, ], }, "Type": "AWS::IAM::Policy", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", 
"2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`MediaSync Stack Test 1`] = ` { "Description": "Cloudformation template for MediaSync.", "Mappings": { "AnonymizedData": { "SendAnonymizedData": { "Data": "Yes", }, }, }, "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Deployment Configuration", }, "Parameters": [ "Environment", "ImageName", ], }, { "Label": { "default": "Copy Configuration", }, "Parameters": [ "DestinationBucketName", ], }, ], }, }, "Outputs": { "FlowLogBucketName": { "Description": "Flow log Bucket Name", "Export": { "Name": "FlowLogBucketName", }, "Value": { "Ref": "FlowLogBucket0863ACCA", }, }, "LambdaFunctionArn": { "Description": "LambdaFunctionArn to use with S3 batch", "Export": { "Name": "LambdaFunctionArn", }, "Value": { "Fn::GetAtt": [ "MediaSyncDriverFunction0A5D414A", "Arn", ], }, }, "S3BatchRoleArn": { "Description": "IAM Role for to use with S3 batch", "Export": { "Name": "S3BatchRoleArn", }, "Value": { "Fn::GetAtt": [ "MediaSyncS3BatchRole0470DBBD", "Arn", ], }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. 
[cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, "DestinationBucketName": { "Description": "Destination S3 Bucket Name", "Type": "String", }, "Environment": { "AllowedPattern": "[A-Za-z0-9]+", "ConstraintDescription": "Malformed input-Parameter Environment must only contain uppercase and lowercase letters and numbers", "Default": "dev", "Description": "Deployment Environment Name", "MaxLength": 10, "MinLength": 2, "Type": "String", }, "ImageName": { "Default": "amazon/aws-cli", "Description": "Image Name", "Type": "String", }, }, "Resources": { "BatchAccessPolicyD8EDC463": { "Properties": { "Description": "", "Path": "/", "PolicyDocument": { "Statement": [ { "Action": [ "batch:ListJobs", "batch:TagResource", ], "Effect": "Allow", "Resource": "*", "Sid": "batchList", }, { "Action": [ "batch:SubmitJob", "batch:DescribeJobs", "batch:TerminateJob", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:batch:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":job-definition/*", ], ], }, { "Fn::Join": [ "", [ "arn:aws:batch:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":job-queue/*", ], ], }, ], "Sid": "batch", }, { "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey", ], "Effect": "Allow", "Resource": "*", "Sid": "kms", }, { "Action": [ "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectVersionAcl", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectAcl", "s3:GetObjectVersionAcl", "s3:GetObjectTagging", "s3:GetObjectVersionTagging", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts", "s3:GetBucketLocation", ], "Effect": "Allow", "Resource": "*", "Sid": "s3", }, ], "Version": "2012-10-17", }, "Roles": [ { "Ref": "customLambdaRole0806FF97", }, ], }, "Type": "AWS::IAM::ManagedPolicy", }, "BatchServiceRole57930367": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": 
"Allow", "Principal": { "Service": "batch.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Description": "Role for batch service.", "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AWSBatchServiceRole", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "CopyJobDefinition": { "Properties": { "ContainerProperties": { "Command": [ "/usr/local/bin/ssc.sh", "Ref::SourceS3Uri", "Ref::DestinationS3Uri", "Ref::Size", "Ref::SourceBucketRegion", ], "ExecutionRoleArn": { "Fn::GetAtt": [ "ExecutionRole605A040B", "Arn", ], }, "FargatePlatformConfiguration": { "PlatformVersion": "1.4.0", }, "Image": { "Ref": "ImageName", }, "JobRoleArn": { "Fn::GetAtt": [ "JobRole014917C6", "Arn", ], }, "NetworkConfiguration": { "AssignPublicIp": "ENABLED", }, "ResourceRequirements": [ { "Type": "VCPU", "Value": "1", }, { "Type": "MEMORY", "Value": "2048", }, ], }, "PlatformCapabilities": [ "FARGATE", ], "RetryStrategy": { "Attempts": 2, }, "Type": "container", }, "Type": "AWS::Batch::JobDefinition", }, "CopyJobDefinitionXRegion": { "Properties": { "ContainerProperties": { "Command": [ "/usr/local/bin/stream.sh", "Ref::SourceS3Uri", "Ref::DestinationS3Uri", "Ref::Size", "Ref::SourceBucketRegion", ], "ExecutionRoleArn": { "Fn::GetAtt": [ "ExecutionRole605A040B", "Arn", ], }, "FargatePlatformConfiguration": { "PlatformVersion": "1.4.0", }, "Image": { "Ref": "ImageName", }, "JobRoleArn": { "Fn::GetAtt": [ "JobRole014917C6", "Arn", ], }, "NetworkConfiguration": { "AssignPublicIp": "ENABLED", }, "ResourceRequirements": [ { "Type": "VCPU", "Value": "4", }, { "Type": "MEMORY", "Value": "8192", }, ], }, "PlatformCapabilities": [ "FARGATE", ], "RetryStrategy": { "Attempts": 1, }, "Type": "container", }, "Type": "AWS::Batch::JobDefinition", }, "DriverFunctionLogGroup25B662C7": { "DeletionPolicy": "Retain", "Properties": { "LogGroupName": { "Fn::Join": [ "", [ "/aws/lambda/", { "Ref": "MediaSyncDriverFunction0A5D414A", }, ], ], }, 
"RetentionInDays": 30, }, "Type": "AWS::Logs::LogGroup", "UpdateReplacePolicy": "Retain", }, "ExecutionRole605A040B": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Description": "Role for execution.", "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "FlowLogBucket0863ACCA": { "DeletionPolicy": "Retain", "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LifecycleConfiguration": { "Rules": [ { "Id": "Expire", "Status": "Enabled", "Transitions": [ { "StorageClass": "GLACIER", "TransitionInDays": 90, }, ], }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "VersioningConfiguration": { "Status": "Enabled", }, }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Retain", }, "FlowLogBucketPolicyD22C263C": { "Properties": { "Bucket": { "Ref": "FlowLogBucket0863ACCA", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "FlowLogBucket0863ACCA", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FlowLogBucket0863ACCA", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": false, }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FlowLogBucket0863ACCA", "Arn", ], }, "/*", ], ], }, "Sid": "RequireTLS", }, { "Action": "s3:PutObject", "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control", }, }, "Effect": 
"Allow", "Principal": { "Service": "delivery.logs.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "FlowLogBucket0863ACCA", }, "/flow-logs/AWSLogs/*", ], ], }, "Sid": "AWSLogDeliveryWrite", }, { "Action": "s3:GetBucketAcl", "Effect": "Allow", "Principal": { "Service": "delivery.logs.amazonaws.com", }, "Resource": { "Fn::GetAtt": [ "FlowLogBucket0863ACCA", "Arn", ], }, "Sid": "AWSLogDeliveryAclCheck", }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "JobRole014917C6": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Description": "Role for job", }, "Type": "AWS::IAM::Role", }, "KMSAndS3C30607E4": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectAcl", "s3:GetObjectVersionAcl", "s3:GetObjectTagging", "s3:GetObjectVersionTagging", "s3:ListBucket", ], "Effect": "Allow", "Resource": "*", }, { "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectAcl", "s3:GetObjectVersionAcl", "s3:GetObjectTagging", "s3:GetObjectVersionTagging", "s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectVersionAcl", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "DestinationBucketName", }, "/*", ], ], }, }, { "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey", ], "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "KMSAndS3", "Roles": [ { "Ref": "JobRole014917C6", }, ], }, "Type": "AWS::IAM::Policy", }, "MediaSyncDriverFunction0A5D414A": { "DependsOn": [ "BatchAccessPolicyD8EDC463", "customLambdaRole0806FF97", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": 
"cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "7fc6d92d8e68b88be2bd038da238de6413d6ec97a9b452c75534fd747a562de0.zip", }, "Description": "Lambda function to be invoked by s3 batch", "Environment": { "Variables": { "DESTINATION_BUCKET_NAME": { "Ref": "DestinationBucketName", }, "DISABLE_PENDING_JOBS_CHECK": "true", "JOB_DEFINITION": { "Ref": "CopyJobDefinition", }, "JOB_DEFINITION_X_REGION": { "Ref": "CopyJobDefinitionXRegion", }, "JOB_QUEUE": { "Fn::GetAtt": [ "MediaSyncJobQueue", "JobQueueArn", ], }, "LogLevel": "INFO", "MAX_NUMBER_OF_PENDING_JOBS": "96", "MN_SIZE_FOR_BATCH_IN_BYTES": "524288000", "SOLUTION_IDENTIFIER": "AwsSolution/SO0133/__VERSION__-Mediasync", "SendAnonymizedMetric": { "Fn::FindInMap": [ "AnonymizedData", "SendAnonymizedData", "Data", ], }, }, }, "Handler": "app.lambda_handler", "MemorySize": 128, "ReservedConcurrentExecutions": 256, "Role": { "Fn::GetAtt": [ "customLambdaRole0806FF97", "Arn", ], }, "Runtime": "python3.8", "Timeout": 300, }, "Type": "AWS::Lambda::Function", }, "MediaSyncJobQueue": { "Properties": { "ComputeEnvironmentOrder": [ { "ComputeEnvironment": { "Fn::GetAtt": [ "MediaSyncSPOTComputeEnvironment", "ComputeEnvironmentArn", ], }, "Order": 1, }, ], "Priority": 1, }, "Type": "AWS::Batch::JobQueue", }, "MediaSyncS3BatchRole0470DBBD": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "batchoperations.s3.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Description": "Role for s3 batch job", "Path": "/", }, "Type": "AWS::IAM::Role", }, "MediaSyncSPOTComputeEnvironment": { "Properties": { "ComputeResources": { "MaxvCpus": 48, "SecurityGroupIds": [ { "Fn::GetAtt": [ "SecurityGroupDD263621", "GroupId", ], }, ], "Subnets": [ { "Ref": "VpcSubnetOneSubnet1SubnetF56C8B02", }, { "Ref": "VpcSubnetOneSubnet2SubnetE9E15838", }, { "Ref": "VpcSubnetTwoSubnet1SubnetC66B3A49", }, { "Ref": "VpcSubnetTwoSubnet2Subnet381F1BB7", }, ], 
"Type": "FARGATE_SPOT", }, "ServiceRole": { "Fn::GetAtt": [ "BatchServiceRole57930367", "Arn", ], }, "Type": "MANAGED", }, "Type": "AWS::Batch::ComputeEnvironment", }, "S3BatchRolePolicyA37749C0": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectAcl", "s3:GetObjectVersionAcl", "s3:GetObjectTagging", "s3:GetObjectVersionTagging", "s3:PutObject", "lambda:InvokeFunction", ], "Effect": "Allow", "Resource": "*", }, { "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey", ], "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "S3BatchRolePolicy", "Roles": [ { "Ref": "MediaSyncS3BatchRole0470DBBD", }, ], }, "Type": "AWS::IAM::Policy", }, "SecurityGroupDD263621": { "Properties": { "GroupDescription": "Security Group for the EC2 instances launched into the VPC by Batch", "SecurityGroupEgress": [ { "CidrIp": "0.0.0.0/0", "Description": "Allow all outbound traffic by default", "IpProtocol": "-1", }, ], "VpcId": { "Ref": "Vpc8378EB38", }, }, "Type": "AWS::EC2::SecurityGroup", }, "SecurityGroupIngress": { "Properties": { "GroupId": { "Fn::GetAtt": [ "SecurityGroupDD263621", "GroupId", ], }, "IpProtocol": "-1", "SourceSecurityGroupId": { "Fn::GetAtt": [ "SecurityGroupDD263621", "GroupId", ], }, }, "Type": "AWS::EC2::SecurityGroupIngress", }, "VPCLogDeliveringToS3FlowLogB09008BF": { "DependsOn": [ "FlowLogBucketPolicyD22C263C", ], "Properties": { "LogDestination": { "Fn::GetAtt": [ "FlowLogBucket0863ACCA", "Arn", ], }, "LogDestinationType": "s3", "MaxAggregationInterval": 60, "ResourceId": { "Ref": "Vpc8378EB38", }, "ResourceType": "VPC", "TrafficType": "ALL", }, "Type": "AWS::EC2::FlowLog", }, "Vpc8378EB38": { "Properties": { "CidrBlock": "10.0.0.0/16", "EnableDnsHostnames": true, "EnableDnsSupport": true, "InstanceTenancy": "default", "Tags": [ { "Key": "Name", "Value": "mediasync", }, ], }, "Type": "AWS::EC2::VPC", }, 
"VpcIGWD7BA715C": { "Properties": { "Tags": [ { "Key": "Name", "Value": "mediasync", }, ], }, "Type": "AWS::EC2::InternetGateway", }, "VpcSubnetOneSubnet1DefaultRoute31FF3BC6": { "DependsOn": [ "VpcVPCGWBF912B6E", ], "Properties": { "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": { "Ref": "VpcIGWD7BA715C", }, "RouteTableId": { "Ref": "VpcSubnetOneSubnet1RouteTableDD201DD2", }, }, "Type": "AWS::EC2::Route", }, "VpcSubnetOneSubnet1RouteTableAssociation4481E95A": { "Properties": { "RouteTableId": { "Ref": "VpcSubnetOneSubnet1RouteTableDD201DD2", }, "SubnetId": { "Ref": "VpcSubnetOneSubnet1SubnetF56C8B02", }, }, "Type": "AWS::EC2::SubnetRouteTableAssociation", }, "VpcSubnetOneSubnet1RouteTableDD201DD2": { "Properties": { "Tags": [ { "Key": "Name", "Value": "Default/MediaSync/Vpc/SubnetOneSubnet1", }, ], "VpcId": { "Ref": "Vpc8378EB38", }, }, "Type": "AWS::EC2::RouteTable", }, "VpcSubnetOneSubnet1SubnetF56C8B02": { "Properties": { "AvailabilityZone": { "Fn::Select": [ 0, { "Fn::GetAZs": "", }, ], }, "CidrBlock": "10.0.0.0/24", "MapPublicIpOnLaunch": true, "Tags": [ { "Key": "aws-cdk:subnet-name", "Value": "SubnetOne", }, { "Key": "aws-cdk:subnet-type", "Value": "Public", }, { "Key": "Name", "Value": "Default/MediaSync/Vpc/SubnetOneSubnet1", }, ], "VpcId": { "Ref": "Vpc8378EB38", }, }, "Type": "AWS::EC2::Subnet", }, "VpcSubnetOneSubnet2DefaultRouteED9346C1": { "DependsOn": [ "VpcVPCGWBF912B6E", ], "Properties": { "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": { "Ref": "VpcIGWD7BA715C", }, "RouteTableId": { "Ref": "VpcSubnetOneSubnet2RouteTableA0E51D97", }, }, "Type": "AWS::EC2::Route", }, "VpcSubnetOneSubnet2RouteTableA0E51D97": { "Properties": { "Tags": [ { "Key": "Name", "Value": "Default/MediaSync/Vpc/SubnetOneSubnet2", }, ], "VpcId": { "Ref": "Vpc8378EB38", }, }, "Type": "AWS::EC2::RouteTable", }, "VpcSubnetOneSubnet2RouteTableAssociation954B832E": { "Properties": { "RouteTableId": { "Ref": "VpcSubnetOneSubnet2RouteTableA0E51D97", }, "SubnetId": { "Ref": 
"VpcSubnetOneSubnet2SubnetE9E15838", }, }, "Type": "AWS::EC2::SubnetRouteTableAssociation", }, "VpcSubnetOneSubnet2SubnetE9E15838": { "Properties": { "AvailabilityZone": { "Fn::Select": [ 1, { "Fn::GetAZs": "", }, ], }, "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": true, "Tags": [ { "Key": "aws-cdk:subnet-name", "Value": "SubnetOne", }, { "Key": "aws-cdk:subnet-type", "Value": "Public", }, { "Key": "Name", "Value": "Default/MediaSync/Vpc/SubnetOneSubnet2", }, ], "VpcId": { "Ref": "Vpc8378EB38", }, }, "Type": "AWS::EC2::Subnet", }, "VpcSubnetTwoSubnet1DefaultRouteD3C8C373": { "DependsOn": [ "VpcVPCGWBF912B6E", ], "Properties": { "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": { "Ref": "VpcIGWD7BA715C", }, "RouteTableId": { "Ref": "VpcSubnetTwoSubnet1RouteTableE8645C8B", }, }, "Type": "AWS::EC2::Route", }, "VpcSubnetTwoSubnet1RouteTableAssociation44558623": { "Properties": { "RouteTableId": { "Ref": "VpcSubnetTwoSubnet1RouteTableE8645C8B", }, "SubnetId": { "Ref": "VpcSubnetTwoSubnet1SubnetC66B3A49", }, }, "Type": "AWS::EC2::SubnetRouteTableAssociation", }, "VpcSubnetTwoSubnet1RouteTableE8645C8B": { "Properties": { "Tags": [ { "Key": "Name", "Value": "Default/MediaSync/Vpc/SubnetTwoSubnet1", }, ], "VpcId": { "Ref": "Vpc8378EB38", }, }, "Type": "AWS::EC2::RouteTable", }, "VpcSubnetTwoSubnet1SubnetC66B3A49": { "Properties": { "AvailabilityZone": { "Fn::Select": [ 0, { "Fn::GetAZs": "", }, ], }, "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": true, "Tags": [ { "Key": "aws-cdk:subnet-name", "Value": "SubnetTwo", }, { "Key": "aws-cdk:subnet-type", "Value": "Public", }, { "Key": "Name", "Value": "Default/MediaSync/Vpc/SubnetTwoSubnet1", }, ], "VpcId": { "Ref": "Vpc8378EB38", }, }, "Type": "AWS::EC2::Subnet", }, "VpcSubnetTwoSubnet2DefaultRoute65025AE7": { "DependsOn": [ "VpcVPCGWBF912B6E", ], "Properties": { "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": { "Ref": "VpcIGWD7BA715C", }, "RouteTableId": { "Ref": "VpcSubnetTwoSubnet2RouteTable87108024", }, }, 
"Type": "AWS::EC2::Route", }, "VpcSubnetTwoSubnet2RouteTable87108024": { "Properties": { "Tags": [ { "Key": "Name", "Value": "Default/MediaSync/Vpc/SubnetTwoSubnet2", }, ], "VpcId": { "Ref": "Vpc8378EB38", }, }, "Type": "AWS::EC2::RouteTable", }, "VpcSubnetTwoSubnet2RouteTableAssociation4B7AFE93": { "Properties": { "RouteTableId": { "Ref": "VpcSubnetTwoSubnet2RouteTable87108024", }, "SubnetId": { "Ref": "VpcSubnetTwoSubnet2Subnet381F1BB7", }, }, "Type": "AWS::EC2::SubnetRouteTableAssociation", }, "VpcSubnetTwoSubnet2Subnet381F1BB7": { "Properties": { "AvailabilityZone": { "Fn::Select": [ 1, { "Fn::GetAZs": "", }, ], }, "CidrBlock": "10.0.3.0/24", "MapPublicIpOnLaunch": true, "Tags": [ { "Key": "aws-cdk:subnet-name", "Value": "SubnetTwo", }, { "Key": "aws-cdk:subnet-type", "Value": "Public", }, { "Key": "Name", "Value": "Default/MediaSync/Vpc/SubnetTwoSubnet2", }, ], "VpcId": { "Ref": "Vpc8378EB38", }, }, "Type": "AWS::EC2::Subnet", }, "VpcVPCGWBF912B6E": { "Properties": { "InternetGatewayId": { "Ref": "VpcIGWD7BA715C", }, "VpcId": { "Ref": "Vpc8378EB38", }, }, "Type": "AWS::EC2::VPCGatewayAttachment", }, "customLambdaRole0806FF97": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ], ], }, ], "RoleName": "customLambdaRole", }, "Type": "AWS::IAM::Role", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. 
Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`Mediasync Repo Stack Test 1`] = ` { "Description": "Cloudformation template for creating ECR Repository.", "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, "RepositoryName": { "Description": "Repository Name", "Type": "String", }, }, "Resources": { "Repo02AC86CF": { "DeletionPolicy": "Retain", "Properties": { "LifecyclePolicy": { "LifecyclePolicyText": "{"rules":[{"rulePriority":1,"description":"keep only one image","selection":{"tagStatus":"any","countType":"imageCountMoreThan","countNumber":1},"action":{"type":"expire"}}]}", }, "RepositoryName": { "Ref": "RepositoryName", }, }, "Type": "AWS::ECR::Repository", "UpdateReplacePolicy": "Retain", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. 
Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`Provision Stack Test 1`] = ` { "Description": "(SO0133) - Media Exchange on AWS __VERSION__ - media exchange publisher/subscriber/agreement provisioning.", "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Deployment Configuration", }, "Parameters": [ "Environment", ], }, { "Label": { "default": "Configuration", }, "Parameters": [ "PublisherName", "SubscriberName", "PublisherAccountId", "SubscriberAccountId", ], }, ], }, }, "Outputs": { "AgreementStackArn": { "Description": "Agreement Stack Arn", "Value": { "Fn::GetAtt": [ "Agreement", "CloudformationStackArn", ], }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, "Environment": { "AllowedPattern": "[A-Za-z0-9]+", "ConstraintDescription": "Malformed input-Parameter Environment must only contain uppercase and lowercase letters and numbers", "Default": "dev", "Description": "Deployment Environment Name", "MaxLength": 10, "MinLength": 2, "Type": "String", }, "PublisherAccountId": { "AllowedPattern": "^\\d{12}$", "ConstraintDescription": "Malformed input-Parameter PublisherAccountId must be a 12 digit number", "Description": "The AWS accountId of the publisher. 
This parameter is ignored if you specify PublisherRole.", "Type": "String", }, "PublisherName": { "AllowedPattern": "[A-Za-z0-9]+", "ConstraintDescription": "Malformed input-Parameter PublisherName must only contain uppercase and lowercase letters and numbers", "Description": "The name of the publisher", "MaxLength": 64, "MinLength": 3, "Type": "String", }, "SubscriberAccountId": { "AllowedPattern": "^\\d{12}$", "ConstraintDescription": "Malformed input-Parameter SubscriberAccountId must be a 12 digit number.", "Description": "The accountId of the Subscriber. This parameter is ignored if you specify SubscriberRole.", "Type": "String", }, "SubscriberName": { "AllowedPattern": "[A-Za-z0-9-]+", "ConstraintDescription": "Malformed input-Parameter SubscriberName must only contain uppercase and lowercase letters and numbers", "Description": "A name for subscriber account.", "MaxLength": 64, "MinLength": 3, "Type": "String", }, }, "Resources": { "Agreement": { "DependsOn": [ "Publisher", "Subscriber", ], "Properties": { "ProductId": { "Fn::Select": [ 1, { "Fn::Split": [ "/", { "Fn::Select": [ 5, { "Fn::Split": [ ":", { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-sc-agreement-productid", ], ], }, }, ], }, ], }, ], }, ], }, "ProvisionedProductName": { "Fn::Join": [ "", [ "mediaexchange-", { "Ref": "PublisherName", }, "-", { "Ref": "SubscriberName", }, "-transfer-agreement", ], ], }, "ProvisioningArtifactName": "latest", "ProvisioningParameters": [ { "Key": "Environment", "Value": { "Ref": "Environment", }, }, { "Key": "PublisherName", "Value": { "Ref": "PublisherName", }, }, { "Key": "SubscriberName", "Value": { "Ref": "SubscriberName", }, }, ], }, "Type": "AWS::ServiceCatalog::CloudFormationProvisionedProduct", }, "Publisher": { "Properties": { "ProductId": { "Fn::Select": [ 1, { "Fn::Split": [ "/", { "Fn::Select": [ 5, { "Fn::Split": [ ":", { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": 
"AWS::Region", }, "-", { "Ref": "Environment", }, "-sc-publisher-productid", ], ], }, }, ], }, ], }, ], }, ], }, "ProvisionedProductName": { "Fn::Join": [ "", [ "mediaexchange-", { "Ref": "PublisherName", }, "-publisher", ], ], }, "ProvisioningArtifactName": "latest", "ProvisioningParameters": [ { "Key": "Environment", "Value": { "Ref": "Environment", }, }, { "Key": "PublisherName", "Value": { "Ref": "PublisherName", }, }, { "Key": "PublisherAccountId", "Value": { "Ref": "PublisherAccountId", }, }, ], }, "Type": "AWS::ServiceCatalog::CloudFormationProvisionedProduct", }, "Subscriber": { "Properties": { "ProductId": { "Fn::Select": [ 1, { "Fn::Split": [ "/", { "Fn::Select": [ 5, { "Fn::Split": [ ":", { "Fn::ImportValue": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-sc-subscriber-productid", ], ], }, }, ], }, ], }, ], }, ], }, "ProvisionedProductName": { "Fn::Join": [ "", [ "mediaexchange-", { "Ref": "SubscriberName", }, "-subscriber", ], ], }, "ProvisioningArtifactName": "latest", "ProvisioningParameters": [ { "Key": "Environment", "Value": { "Ref": "Environment", }, }, { "Key": "SubscriberName", "Value": { "Ref": "SubscriberName", }, }, { "Key": "SubscriberAccountId", "Value": { "Ref": "SubscriberAccountId", }, }, { "Key": "Email", "Value": "nomail@nomail.com", }, ], }, "Type": "AWS::ServiceCatalog::CloudFormationProvisionedProduct", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. 
Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`Publisher Stack Test 1`] = ` { "Conditions": { "HasRole": { "Fn::Not": [ { "Fn::Equals": [ { "Ref": "PublisherRole", }, "", ], }, ], }, }, "Description": "(SO0133) - Media Exchange on AWS __VERSION__ - setup a publisher", "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Deployment Configuration", }, "Parameters": [ "Environment", ], }, { "Label": { "default": "Publisher Configuration", }, "Parameters": [ "PublisherName", "PublisherRole", "PublisherAccountId", ], }, ], }, }, "Outputs": { "LogBucketName": { "Description": "Logging Bucket Name", "Export": { "Name": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-publisher-", { "Ref": "PublisherName", }, "-logs", ], ], }, }, "Value": { "Ref": "ExchangeLogBucketE617C51D", }, }, "PublisherNotificationsDLQ": { "Description": "Subscriber's notifications dead letter queue Arn", "Export": { "Name": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-publisher-", { "Ref": "PublisherName", }, "-notificationdlq", ], ], }, }, "Value": { "Fn::GetAtt": [ "DLQ581697C4", "Arn", ], }, }, "PublisherNotificationsTopic": { "Description": "Publisher's notifications topic name", "Export": { "Name": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-publisher-", { "Ref": "PublisherName", }, "-notificationtopic", ], ], }, }, "Value": { "Ref": "NotificationTopicEB7A0DF1", }, }, "PublisherRoleOut": { "Description": "Publisher's S3 Access role", "Export": { "Name": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-publisher-", { "Ref": "PublisherName", }, "-role", ], ], }, }, "Value": { "Fn::If": [ "HasRole", { "Ref": "PublisherRole", }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "PublisherAccountId", }, 
":root", ], ], }, ], }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, "Environment": { "AllowedPattern": "[A-Za-z0-9]+", "ConstraintDescription": "Malformed input-Parameter Environment must only contain uppercase and lowercase letters and numbers", "Default": "dev", "Description": "Deployment Environment Name", "MaxLength": 10, "MinLength": 2, "Type": "String", }, "PublisherAccountId": { "AllowedPattern": "^\\d{12}$", "ConstraintDescription": "Malformed input-Parameter PublisherAccountId must be a 12 digit number", "Description": "The AWS accountId of the publisher. This parameter is ignored if you specify PublisherRole.", "Type": "String", }, "PublisherName": { "AllowedPattern": "[A-Za-z0-9]+", "ConstraintDescription": "Malformed input-Parameter PublisherName must only contain uppercase and lowercase letters and numbers", "Description": "The name of the publisher", "MaxLength": 64, "MinLength": 3, "Type": "String", }, "PublisherRole": { "AllowedPattern": "[A-Za-z0-9:/-]*", "Default": "", "Description": "Publisher's Role. 
Defaults to arn:aws:iam::$PublisherAccountId:root.", "Type": "String", }, }, "Resources": { "CMK56817A4C": { "DeletionPolicy": "Retain", "Properties": { "Description": "Symetric Key for Encrypting Objects in Media Exchange", "EnableKeyRotation": true, "Enabled": true, "KeyPolicy": { "Statement": [ { "Action": [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", "kms:GenerateDataKey*", "kms:Decrypt", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, "Resource": "*", "Sid": "KeyManagement", }, { "Action": [ "kms:GenerateDataKey*", "kms:Decrypt", ], "Effect": "Allow", "Principal": { "Service": "sns.amazonaws.com", }, "Resource": "*", "Sid": "Allow access for Key User (SNS Service Principal)", }, { "Action": [ "kms:Decrypt", "kms:GenerateDataKey*", ], "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, "Resource": "*", "Sid": "Allow access for Key User (Events Service Principal)", }, { "Action": [ "kms:Decrypt", "kms:GenerateDataKey*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "PublisherAccountId", }, ":root", ], ], }, }, "Resource": "*", "Sid": "Allow access for Key User (x-account permissions for subscriber)", }, ], "Version": "2012-10-17", }, "PendingWindowInDays": 7, }, "Type": "AWS::KMS::Key", "UpdateReplacePolicy": "Retain", }, "DLQ581697C4": { "DeletionPolicy": "Delete", "Properties": { "KmsDataKeyReusePeriodSeconds": 86400, "KmsMasterKeyId": { "Fn::GetAtt": [ "CMK56817A4C", "Arn", ], }, "MessageRetentionPeriod": 1209600, }, "Type": "AWS::SQS::Queue", "UpdateReplacePolicy": "Delete", }, "DLQPolicyC8FA9269": { "Properties": { "PolicyDocument": { "Statement": [ { 
"Action": "sqs:SendMessage", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, "Resource": { "Fn::GetAtt": [ "DLQ581697C4", "Arn", ], }, }, ], "Version": "2012-10-17", }, "Queues": [ { "Ref": "DLQ581697C4", }, ], }, "Type": "AWS::SQS::QueuePolicy", }, "ExchangeLogBucketE617C51D": { "DeletionPolicy": "Retain", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-S10", "reason": "Bucket is private and is not using HTTP", }, ], }, "cfn_nag": { "rules_to_suppress": [ { "id": "W35", "reason": "(W35) S3 Bucket should have access logging configured: This is the logging bucket.", }, ], }, }, "Properties": { "AccessControl": "LogDeliveryWrite", "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LifecycleConfiguration": { "Rules": [ { "Id": "Expire", "Status": "Enabled", "Transitions": [ { "StorageClass": "GLACIER", "TransitionInDays": 90, }, ], }, ], }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "ObjectWriter", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "Createdby", "Value": "__SOLUTION_NAME__/__VERSION__", }, ], "VersioningConfiguration": { "Status": "Enabled", }, }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Retain", }, "ExchangeLogBucketPolicy07BF51B0": { "Properties": { "Bucket": { "Ref": "ExchangeLogBucketE617C51D", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "ExchangeLogBucketE617C51D", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ExchangeLogBucketE617C51D", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": false, }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": 
[ { "Fn::GetAtt": [ "ExchangeLogBucketE617C51D", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ExchangeLogBucketE617C51D", "Arn", ], }, "/*", ], ], }, ], "Sid": "RequireTLS", }, { "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectAcl", "s3:GetObjectVersionAcl", "s3:GetObjectTagging", "s3:GetObjectVersionTagging", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::If": [ "HasRole", { "Ref": "PublisherRole", }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "PublisherAccountId", }, ":root", ], ], }, ], }, }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ExchangeLogBucketE617C51D", "Arn", ], }, "/*", ], ], }, "Sid": "AllowGetOpPublisher", }, { "Action": [ "s3:Get*", "s3:List*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::If": [ "HasRole", { "Ref": "PublisherRole", }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "PublisherAccountId", }, ":root", ], ], }, ], }, }, "Resource": { "Fn::GetAtt": [ "ExchangeLogBucketE617C51D", "Arn", ], }, "Sid": "AllowBasicConsole", }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "NotificationTopicEB7A0DF1": { "Properties": { "DisplayName": "SNS Topic for MediaExchange Publisher Notifications", "KmsMasterKeyId": { "Fn::GetAtt": [ "CMK56817A4C", "Arn", ], }, }, "Type": "AWS::SNS::Topic", }, "NotificationTopicPolicyF935982E": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sns:Publish", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, "Resource": { "Ref": "NotificationTopicEB7A0DF1", }, "Sid": "Allow_Publish_Events", }, { "Action": "sns:Subscribe", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "PublisherAccountId", }, ":root", ], ], }, }, "Resource": { "Ref": "NotificationTopicEB7A0DF1", }, "Sid": "Allow_X_Account_Subscribe", }, ], "Version": "2012-10-17", }, "Topics": [ { "Ref": 
"NotificationTopicEB7A0DF1", }, ], }, "Type": "AWS::SNS::TopicPolicy", }, "PutEventsPermission": { "Properties": { "Action": "events:PutEvents", "Principal": { "Ref": "PublisherAccountId", }, "StatementId": { "Fn::Join": [ "", [ { "Ref": "AWS::StackName", }, "Events", ], ], }, }, "Type": "AWS::Events::EventBusPolicy", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`Subscriber Stack Test 1`] = ` { "Conditions": { "HasRole": { "Fn::Not": [ { "Fn::Equals": [ { "Ref": "SubscriberRole", }, "", ], }, ], }, }, "Description": "(SO0133) - Media Exchange on AWS __VERSION__ - setup a subscriber", "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Deployment Configuration", }, "Parameters": [ "Environment", ], }, { "Label": { "default": "Subscriber Configuration", }, "Parameters": [ "SubscriberName", "SubscriberRole", "SubscriberAccountId", "Email", ], }, ], }, }, "Outputs": { "SubscriberNotificationsDLQ": { "Description": "Subscriber's notifications dead letter queue Arn", "Export": { "Name": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-subscriber-", { "Ref": "SubscriberName", }, "-notificationdlq", ], ], }, }, "Value": { "Fn::GetAtt": [ "DLQ581697C4", "Arn", ], }, }, "SubscriberNotificationsEmail": { "Description": "Subscriber's notifications Email Address", "Export": { "Name": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-subscriber-", { "Ref": "SubscriberName", }, "-email", ], ], }, }, "Value": { "Ref": "Email", }, }, "SubscriberNotificationsTopic": { "Description": "Subscriber's notifications topic name", "Export": { "Name": { "Fn::Join": [ "", [ "mxc-", { 
"Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-subscriber-", { "Ref": "SubscriberName", }, "-notificationtopic", ], ], }, }, "Value": { "Ref": "NotificationTopicEB7A0DF1", }, }, "SubscriberRoleOut": { "Description": "Subscriber's S3 Access role", "Export": { "Name": { "Fn::Join": [ "", [ "mxc-", { "Ref": "AWS::Region", }, "-", { "Ref": "Environment", }, "-subscriber-", { "Ref": "SubscriberName", }, "-role", ], ], }, }, "Value": { "Fn::If": [ "HasRole", { "Ref": "SubscriberRole", }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "SubscriberAccountId", }, ":root", ], ], }, ], }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, "Email": { "AllowedPattern": "^[_A-Za-z0-9-\\+]+(\\.[_A-Za-z0-9-]+)*@[A-Za-z0-9-]+(\\.[A-Za-z0-9]+)*(\\.[A-Za-z]{2,})$", "Description": "The email address for the transfer notifications.", "Type": "String", }, "Environment": { "AllowedPattern": "[A-Za-z0-9]+", "ConstraintDescription": "Malformed input-Parameter Environment must only contain uppercase and lowercase letters and numbers", "Default": "dev", "Description": "Deployment Environment Name", "MaxLength": 10, "MinLength": 2, "Type": "String", }, "SubscriberAccountId": { "AllowedPattern": "^\\d{12}$", "ConstraintDescription": "Malformed input-Parameter SubscriberAccountId must be a 12 digit number", "Description": "The AWS accountId of the subscriber. 
This parameter is ignored if you specify SubscriberRole.", "Type": "String", }, "SubscriberName": { "AllowedPattern": "[A-Za-z0-9]+", "ConstraintDescription": "Malformed input-Parameter SubscriberName must only contain uppercase and lowercase letters and numbers", "Description": "A name for subscriber account", "MaxLength": 64, "MinLength": 3, "Type": "String", }, "SubscriberRole": { "AllowedPattern": "[A-Za-z0-9:/-]*", "Default": "", "Description": "Subscriber's Role. Defaults to arn:aws:iam::$SubscriberAccountId:root.", "Type": "String", }, }, "Resources": { "CMK56817A4C": { "DeletionPolicy": "Retain", "Properties": { "Description": "Symetric Key for Encrypting Objects in Media Exchange", "EnableKeyRotation": true, "Enabled": true, "KeyPolicy": { "Statement": [ { "Action": [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", "kms:GenerateDataKey*", "kms:Decrypt", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, "Resource": "*", "Sid": "KeyManagement", }, { "Action": [ "kms:GenerateDataKey*", "kms:Decrypt", ], "Effect": "Allow", "Principal": { "Service": "sns.amazonaws.com", }, "Resource": "*", "Sid": "Allow access for Key User (SNS Service Principal)", }, { "Action": [ "kms:Decrypt", "kms:GenerateDataKey*", ], "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, "Resource": "*", "Sid": "Allow access for Key User (Events Service Principal)", }, { "Action": [ "kms:Decrypt", "kms:GenerateDataKey*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "SubscriberAccountId", }, ":root", ], ], }, }, "Resource": "*", "Sid": "Allow access for Key User (x-account permissions for 
subscriber)", }, ], "Version": "2012-10-17", }, "PendingWindowInDays": 7, }, "Type": "AWS::KMS::Key", "UpdateReplacePolicy": "Retain", }, "DLQ581697C4": { "DeletionPolicy": "Delete", "Properties": { "KmsDataKeyReusePeriodSeconds": 86400, "KmsMasterKeyId": { "Fn::GetAtt": [ "CMK56817A4C", "Arn", ], }, "MessageRetentionPeriod": 1209600, }, "Type": "AWS::SQS::Queue", "UpdateReplacePolicy": "Delete", }, "DLQPolicyC8FA9269": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sqs:SendMessage", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, "Resource": { "Fn::GetAtt": [ "DLQ581697C4", "Arn", ], }, }, ], "Version": "2012-10-17", }, "Queues": [ { "Ref": "DLQ581697C4", }, ], }, "Type": "AWS::SQS::QueuePolicy", }, "NotificationTopicEB7A0DF1": { "Properties": { "DisplayName": "SNS Topic for MediaExchange Subscriber Notifications", "KmsMasterKeyId": { "Fn::GetAtt": [ "CMK56817A4C", "Arn", ], }, }, "Type": "AWS::SNS::Topic", }, "NotificationTopicPolicyF935982E": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sns:Publish", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, "Resource": { "Ref": "NotificationTopicEB7A0DF1", }, "Sid": "Allow_Publish_Events", }, { "Action": "sns:Subscribe", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "SubscriberAccountId", }, ":root", ], ], }, }, "Resource": { "Ref": "NotificationTopicEB7A0DF1", }, "Sid": "Allow_X_Account_Subscribe", }, ], "Version": "2012-10-17", }, "Topics": [ { "Ref": "NotificationTopicEB7A0DF1", }, ], }, "Type": "AWS::SNS::TopicPolicy", }, "PutEventsPermission": { "Properties": { "Action": "events:PutEvents", "Principal": { "Ref": "SubscriberAccountId", }, "StatementId": { "Fn::Join": [ "", [ "Sid", { "Ref": "SubscriberName", }, { "Ref": "Environment", }, { "Ref": "AWS::Region", }, "Events", ], ], }, }, "Type": "AWS::Events::EventBusPolicy", }, }, "Rules": { 
"CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `;