CloudWatchEvent: Type: AWS::Events::Rule Properties: Name: "event-%%TASK_ID%%" Description: "%%TASK_DESCRIPTION%%" EventPattern: %%EVENT_PATTERN%% State: "ENABLED" Targets: - Arn: !GetAtt EventForwarderLambda.Arn Id: "event-%%TASK_ID%%" InputTransformer: InputPathsMap: resources: $.resources InputTemplate: | "%%TASK%%" CloudWatchEventLambdaPermission: Type: AWS::Lambda::Permission Properties: FunctionName: !GetAtt EventForwarderLambda.Arn Action: "lambda:InvokeFunction" Principal: "events.amazonaws.com" SourceArn: !GetAtt CloudWatchEvent.Arn EventForwarderRole: Type: AWS::IAM::Role Description: "Role for the Operations Conductor event forwarder Lambda function" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "lambda.amazonaws.com" Action: - "sts:AssumeRole" Path: "/" EventForwarderPolicy: Type: AWS::IAM::ManagedPolicy Properties: Description: "Policy for the Operations Conductor event forwarder Lambda function" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - "logs:CreateLogGroup" - "logs:CreateLogStream" - "logs:PutLogEvents" Resource: - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${EventForwarderLambda}:*" - Effect: "Allow" Action: - "sns:Publish" Resource: - "%%MASTER_SNS_ARN%%" - Effect: "Allow" Action: - kms:GenerateDataKey - kms:Decrypt Resource: - "%%MASTER_KMS_ARN%%" Roles: - !Ref EventForwarderRole Metadata: cfn_nag: rules_to_suppress: - id: W13 reason: "The * resource allows to create CloudWatch logs." EventForwarderLambda: Type: AWS::Lambda::Function Properties: Description: "The Operations Conductor event forwarder" Handler: index.handler Role: !GetAtt EventForwarderRole.Arn Runtime: nodejs16.x MemorySize: 128 Timeout: 15 Environment: Variables: MasterSnsArn: "%%MASTER_SNS_ARN%%" MasterRegion: "%%MASTER_REGION%%" Region: !Ref "AWS::Region" Account: !Ref "AWS::AccountId" Code: ZipFile: !Sub | /***************************************************************************** * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. * * * * Licensed under the Apache License, Version 2.0 (the "License"). * * You may not use this file except in compliance with the License. * * A copy of the License is located at * * * * http://www.apache.org/licenses/LICENSE-2.0 * * * * or in the "license" file accompanying this file. This file is distributed * * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either * * express or implied. See the License for the specific language governing * * permissions and limitations under the License. * ****************************************************************************/ const AWS = require('aws-sdk'); const SNS = new AWS.SNS({ region: process.env.MasterRegion }); exports.handler = async (event) => { console.log('Event received:', event); let eventJson = JSON.parse(event); let resources = eventJson['resources']; eventJson['resources'] = JSON.parse(resources.replace('[', '[\"').replace(']','\"]').replace(',', '\",\"')); eventJson['resourceAccount'] = process.env.Account; eventJson['resourceRegion'] = process.env.Region; let params = { Message: JSON.stringify(eventJson), TargetArn: process.env.MasterSnsArn }; try { await SNS.publish(params).promise(); return 'Success'; } catch (error) { console.error('Error occurred while publishing SNS.', error); return 'Error'; } };