{ "Description": "(SO0005-NoOU) - quota-monitor-for-aws version:v6.2.1 - Hub Template, use it when you are not using AWS Organizations", "AWSTemplateFormatVersion": "2010-09-09", "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Notification Configuration" }, "Parameters": [ "SNSEmail", "SlackNotification" ] } ], "ParameterLabels": { "SNSEmail": { "default": "Email address for notifications" }, "SlackNotification": { "default": "Do you want slack notifications?" } } } }, "Parameters": { "SNSEmail": { "Type": "String", "Default": "", "Description": "To disable email notifications, leave this blank." }, "SlackNotification": { "Type": "String", "Default": "No", "AllowedValues": [ "Yes", "No" ] } }, "Mappings": { "QuotaMonitorMap": { "Metrics": { "SendAnonymizedData": "Yes", "MetricsEndpoint": "https://metrics.awssolutionsbuilder.com/generic" }, "SSMParameters": { "SlackHook": "/QuotaMonitor/SlackHook", "Accounts": "/QuotaMonitor/Accounts", "NotificationMutingConfig": "/QuotaMonitor/NotificationConfiguration" } } }, "Conditions": { "EmailTrueCondition": { "Fn::Not": [ { "Fn::Equals": [ { "Ref": "SNSEmail" }, "" ] } ] }, "SlackTrueCondition": { "Fn::Equals": [ { "Ref": "SlackNotification" }, "Yes" ] }, "CDKMetadataAvailable": { "Fn::Or": [ { "Fn::Or": [ { "Fn::Equals": [ { "Ref": "AWS::Region" }, "af-south-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-east-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-northeast-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-northeast-2" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-south-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-south-2" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-southeast-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-southeast-2" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ca-central-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "cn-north-1" ] } ] }, { "Fn::Or": [ { "Fn::Equals": [ { "Ref": 
"AWS::Region" }, "cn-northwest-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-central-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-north-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-south-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-south-2" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-west-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-west-2" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-west-3" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "me-south-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "sa-east-1" ] } ] }, { "Fn::Or": [ { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-east-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-east-2" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-west-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-west-2" ] } ] } ] } }, "Resources": { "QMBusFF5C6C0C": { "Type": "AWS::Events::EventBus", "Properties": { "Name": "QuotaMonitorBus" }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Bus/Resource" } }, "KMSHubQMEncryptionKeyA80F8C05": { "Type": "AWS::KMS::Key", "Properties": { "KeyPolicy": { "Statement": [ { "Action": "kms:*", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } }, "Resource": "*" }, { "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*" ], "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Resource": "*" } ], "Version": "2012-10-17" }, "Description": "CMK for AWS resources provisioned by Quota Monitor in this account", "Enabled": true, "EnableKeyRotation": true }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/KMS-Hub/QM-EncryptionKey/Resource" } }, "KMSHubQMEncryptionKeyAlias6C248240": { "Type": "AWS::KMS::Alias", "Properties": { "AliasName": "alias/CMK-KMS-Hub", "TargetKeyId": { "Fn::GetAtt": 
[ "KMSHubQMEncryptionKeyA80F8C05", "Arn" ] } }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/KMS-Hub/QM-EncryptionKey/Alias/Resource" } }, "QMSlackHook4F1AD495": { "Type": "AWS::SSM::Parameter", "Properties": { "Type": "String", "Value": "NOP", "Description": "Slack Hook URL to send Quota Monitor events", "Name": { "Fn::FindInMap": [ "QuotaMonitorMap", "SSMParameters", "SlackHook" ] } }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-SlackHook/Resource" }, "Condition": "SlackTrueCondition" }, "QMAccounts3D743F6B": { "Type": "AWS::SSM::Parameter", "Properties": { "Type": "StringList", "Value": "NOP", "Description": "List of target Accounts", "Name": { "Fn::FindInMap": [ "QuotaMonitorMap", "SSMParameters", "Accounts" ] } }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Accounts/Resource" } }, "QMNotificationMutingConfig3B7948BA": { "Type": "AWS::SSM::Parameter", "Properties": { "Type": "StringList", "Value": "NOP", "Description": "Muting configuration for services, limits e.g. 
ec2:L-1216C47A,ec2:Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances,dynamodb,logs:*,geo:L-05EFD12D", "Name": { "Fn::FindInMap": [ "QuotaMonitorMap", "SSMParameters", "NotificationMutingConfig" ] } }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-NotificationMutingConfig/Resource" } }, "QMUtilsLayerQMUtilsLayerLayer80D5D993": { "Type": "AWS::Lambda::LayerVersion", "Properties": { "Content": { "S3Bucket": { "Fn::Sub": "solutions-${AWS::Region}" }, "S3Key": "quota-monitor-for-aws/v6.2.1/asset81614929e374f7931dfaaabf04bb969f72fcacc1ee083173711b38ce460307a9.zip" }, "CompatibleRuntimes": [ "nodejs16.x" ], "LayerName": "QM-UtilsLayer" }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-UtilsLayer/QM-UtilsLayer-Layer/Resource", "aws:asset:path": "asset.81614929e374f7931dfaaabf04bb969f72fcacc1ee083173711b38ce460307a9.zip", "aws:asset:is-bundled": false, "aws:asset:property": "Content" } }, "QMSlackNotifierQMSlackNotifierEventsRuleC3528E53": { "Type": "AWS::Events::Rule", "Properties": { "Description": "SO0005 quota-monitor-for-aws - QM-SlackNotifier-EventsRule", "EventBusName": { "Ref": "QMBusFF5C6C0C" }, "EventPattern": { "detail": { "status": [ "WARN", "ERROR" ] }, "detail-type": [ "Trusted Advisor Check Item Refresh Notification", "Service Quotas Utilization Notification" ], "source": [ "aws.trustedadvisor", "aws-solutions.quota-monitor" ] }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "QMSlackNotifierQMSlackNotifierLambda95713661", "Arn" ] }, "Id": "Target0" } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-SlackNotifier/QM-SlackNotifier-EventsRule/Resource" }, "Condition": "SlackTrueCondition" }, "QMSlackNotifierQMSlackNotifierEventsRuleAllowEventRulequotamonitorhubnoouQMSlackNotifierQMSlackNotifierLambda52C322580E2041A7": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "QMSlackNotifierQMSlackNotifierLambda95713661", "Arn" ] }, 
"Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "QMSlackNotifierQMSlackNotifierEventsRuleC3528E53", "Arn" ] } }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-SlackNotifier/QM-SlackNotifier-EventsRule/AllowEventRulequotamonitorhubnoouQMSlackNotifierQMSlackNotifierLambda52C32258" }, "Condition": "SlackTrueCondition" }, "QMSlackNotifierQMSlackNotifierLambdaDeadLetterQueue74B865F7": { "Type": "AWS::SQS::Queue", "Properties": { "KmsMasterKeyId": { "Fn::GetAtt": [ "KMSHubQMEncryptionKeyA80F8C05", "Arn" ] } }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-SlackNotifier/QM-SlackNotifier-Lambda-Dead-Letter-Queue/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "Queue itself is dead-letter queue", "id": "AwsSolutions-SQS3" } ] } }, "Condition": "SlackTrueCondition" }, "QMSlackNotifierQMSlackNotifierLambdaDeadLetterQueuePolicy719E4C6A": { "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sqs:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": { "Fn::GetAtt": [ "QMSlackNotifierQMSlackNotifierLambdaDeadLetterQueue74B865F7", "Arn" ] } } ], "Version": "2012-10-17" }, "Queues": [ { "Ref": "QMSlackNotifierQMSlackNotifierLambdaDeadLetterQueue74B865F7" } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-SlackNotifier/QM-SlackNotifier-Lambda-Dead-Letter-Queue/Policy/Resource" }, "Condition": "SlackTrueCondition" }, "QMSlackNotifierQMSlackNotifierLambdaServiceRole6342FD1D": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] ] } ] }, 
"Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-SlackNotifier/QM-SlackNotifier-Lambda/ServiceRole/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "AWSLambdaBasicExecutionRole added by cdk only gives write permissions for CW logs", "id": "AwsSolutions-IAM4" }, { "reason": "Actions restricted on kms key ARN. Only actions that do not support resource-level permissions have * in resource", "id": "AwsSolutions-IAM5" }, { "reason": "GovCloud regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] } }, "Condition": "SlackTrueCondition" }, "QMSlackNotifierQMSlackNotifierLambdaServiceRoleDefaultPolicy4C4D219B": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sqs:SendMessage", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "QMSlackNotifierQMSlackNotifierLambdaDeadLetterQueue74B865F7", "Arn" ] } }, { "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:CreateGrant" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "KMSHubQMEncryptionKeyA80F8C05", "Arn" ] } }, { "Action": "kms:ListAliases", "Effect": "Allow", "Resource": "*" }, { "Action": "ssm:GetParameter", "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":parameter", { "Ref": "QMSlackHook4F1AD495" } ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":parameter", { "Ref": "QMNotificationMutingConfig3B7948BA" } ] ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "QMSlackNotifierQMSlackNotifierLambdaServiceRoleDefaultPolicy4C4D219B", "Roles": [ { "Ref": "QMSlackNotifierQMSlackNotifierLambdaServiceRole6342FD1D" } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-SlackNotifier/QM-SlackNotifier-Lambda/ServiceRole/DefaultPolicy/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "AWSLambdaBasicExecutionRole added by cdk 
only gives write permissions for CW logs", "id": "AwsSolutions-IAM4" }, { "reason": "Actions restricted on kms key ARN. Only actions that do not support resource-level permissions have * in resource", "id": "AwsSolutions-IAM5" }, { "reason": "GovCloud regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] } }, "Condition": "SlackTrueCondition" }, "QMSlackNotifierQMSlackNotifierLambda95713661": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "solutions-${AWS::Region}" }, "S3Key": "quota-monitor-for-aws/v6.2.1/assete9f488d448f7734a99cdee3d53b04ef31aa86e92ddb7fced02dc862b28e575dc.zip" }, "Role": { "Fn::GetAtt": [ "QMSlackNotifierQMSlackNotifierLambdaServiceRole6342FD1D", "Arn" ] }, "DeadLetterConfig": { "TargetArn": { "Fn::GetAtt": [ "QMSlackNotifierQMSlackNotifierLambdaDeadLetterQueue74B865F7", "Arn" ] } }, "Description": "SO0005 quota-monitor-for-aws - QM-SlackNotifier-Lambda", "Environment": { "Variables": { "SLACK_HOOK": { "Fn::FindInMap": [ "QuotaMonitorMap", "SSMParameters", "SlackHook" ] }, "QM_NOTIFICATION_MUTING_CONFIG_PARAMETER": { "Ref": "QMNotificationMutingConfig3B7948BA" }, "LOG_LEVEL": "info", "CUSTOM_SDK_USER_AGENT": "AwsSolution/SO0005/v6.2.1", "VERSION": "v6.2.1", "SOLUTION_ID": "SO0005" } }, "Handler": "index.handler", "KmsKeyArn": { "Fn::GetAtt": [ "KMSHubQMEncryptionKeyA80F8C05", "Arn" ] }, "Layers": [ { "Ref": "QMUtilsLayerQMUtilsLayerLayer80D5D993" } ], "MemorySize": 128, "Runtime": "nodejs16.x", "Timeout": 60 }, "DependsOn": [ "QMSlackNotifierQMSlackNotifierLambdaServiceRoleDefaultPolicy4C4D219B", "QMSlackNotifierQMSlackNotifierLambdaServiceRole6342FD1D" ], "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-SlackNotifier/QM-SlackNotifier-Lambda/Resource", "aws:asset:path": "asset.e9f488d448f7734a99cdee3d53b04ef31aa86e92ddb7fced02dc862b28e575dc.zip", "aws:asset:is-bundled": false, "aws:asset:property": "Code", "cdk_nag": { "rules_to_suppress": [ { "reason": "GovCloud 
regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] } }, "Condition": "SlackTrueCondition" }, "QMSlackNotifierQMSlackNotifierLambdaEventInvokeConfig5340A982": { "Type": "AWS::Lambda::EventInvokeConfig", "Properties": { "FunctionName": { "Ref": "QMSlackNotifierQMSlackNotifierLambda95713661" }, "Qualifier": "$LATEST", "MaximumEventAgeInSeconds": 14400 }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-SlackNotifier/QM-SlackNotifier-Lambda/EventInvokeConfig/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "GovCloud regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] } }, "Condition": "SlackTrueCondition" }, "QMSNSPublisherQMSNSPublisherSNSTopic7EE2EBF4": { "Type": "AWS::SNS::Topic", "Properties": { "KmsMasterKeyId": { "Fn::GetAtt": [ "KMSHubQMEncryptionKeyA80F8C05", "Arn" ] } }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-SNSPublisher/QM-SNSPublisher-SNSTopic/Resource" } }, "QMSNSPublisherFunctionQMSNSPublisherFunctionEventsRule5BDCD4FD": { "Type": "AWS::Events::Rule", "Properties": { "Description": "SO0005 quota-monitor-for-aws - QM-SNSPublisherFunction-EventsRule", "EventBusName": { "Ref": "QMBusFF5C6C0C" }, "EventPattern": { "detail": { "status": [ "WARN", "ERROR" ] }, "detail-type": [ "Trusted Advisor Check Item Refresh Notification", "Service Quotas Utilization Notification" ], "source": [ "aws.trustedadvisor", "aws-solutions.quota-monitor" ] }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "QMSNSPublisherFunctionQMSNSPublisherFunctionLambda8BD2DBC1", "Arn" ] }, "Id": "Target0" } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-SNSPublisherFunction/QM-SNSPublisherFunction-EventsRule/Resource" } }, "QMSNSPublisherFunctionQMSNSPublisherFunctionEventsRuleAllowEventRulequotamonitorhubnoouQMSNSPublisherFunctionQMSNSPublisherFunctionLambda76203A7F3F46BC24": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": 
"lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "QMSNSPublisherFunctionQMSNSPublisherFunctionLambda8BD2DBC1", "Arn" ] }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "QMSNSPublisherFunctionQMSNSPublisherFunctionEventsRule5BDCD4FD", "Arn" ] } }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-SNSPublisherFunction/QM-SNSPublisherFunction-EventsRule/AllowEventRulequotamonitorhubnoouQMSNSPublisherFunctionQMSNSPublisherFunctionLambda76203A7F" } }, "QMSNSPublisherFunctionQMSNSPublisherFunctionLambdaDeadLetterQueue72FF519A": { "Type": "AWS::SQS::Queue", "Properties": { "KmsMasterKeyId": { "Fn::GetAtt": [ "KMSHubQMEncryptionKeyA80F8C05", "Arn" ] } }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-SNSPublisherFunction/QM-SNSPublisherFunction-Lambda-Dead-Letter-Queue/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "Queue itself is dead-letter queue", "id": "AwsSolutions-SQS3" } ] } } }, "QMSNSPublisherFunctionQMSNSPublisherFunctionLambdaDeadLetterQueuePolicyBA6A8707": { "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sqs:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": { "Fn::GetAtt": [ "QMSNSPublisherFunctionQMSNSPublisherFunctionLambdaDeadLetterQueue72FF519A", "Arn" ] } } ], "Version": "2012-10-17" }, "Queues": [ { "Ref": "QMSNSPublisherFunctionQMSNSPublisherFunctionLambdaDeadLetterQueue72FF519A" } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-SNSPublisherFunction/QM-SNSPublisherFunction-Lambda-Dead-Letter-Queue/Policy/Resource" } }, "QMSNSPublisherFunctionQMSNSPublisherFunctionLambdaServiceRoleA2F00B10": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": 
"2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] ] } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-SNSPublisherFunction/QM-SNSPublisherFunction-Lambda/ServiceRole/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "AWSLambdaBasicExecutionRole added by cdk only gives write permissions for CW logs", "id": "AwsSolutions-IAM4" }, { "reason": "Actions restricted on kms key ARN. Only actions that do not support resource-level permissions have * in resource", "id": "AwsSolutions-IAM5" }, { "reason": "GovCloud regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] } } }, "QMSNSPublisherFunctionQMSNSPublisherFunctionLambdaServiceRoleDefaultPolicy1E6E152C": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sqs:SendMessage", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "QMSNSPublisherFunctionQMSNSPublisherFunctionLambdaDeadLetterQueue72FF519A", "Arn" ] } }, { "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:CreateGrant" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "KMSHubQMEncryptionKeyA80F8C05", "Arn" ] } }, { "Action": "kms:ListAliases", "Effect": "Allow", "Resource": "*" }, { "Action": "SNS:Publish", "Effect": "Allow", "Resource": { "Ref": "QMSNSPublisherQMSNSPublisherSNSTopic7EE2EBF4" } }, { "Action": "kms:GenerateDataKey", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "KMSHubQMEncryptionKeyA80F8C05", "Arn" ] } }, { "Action": "ssm:GetParameter", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":parameter", { "Ref": "QMNotificationMutingConfig3B7948BA" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "QMSNSPublisherFunctionQMSNSPublisherFunctionLambdaServiceRoleDefaultPolicy1E6E152C", "Roles": [ { "Ref": 
"QMSNSPublisherFunctionQMSNSPublisherFunctionLambdaServiceRoleA2F00B10" } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-SNSPublisherFunction/QM-SNSPublisherFunction-Lambda/ServiceRole/DefaultPolicy/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "AWSLambdaBasicExecutionRole added by cdk only gives write permissions for CW logs", "id": "AwsSolutions-IAM4" }, { "reason": "Actions restricted on kms key ARN. Only actions that do not support resource-level permissions have * in resource", "id": "AwsSolutions-IAM5" }, { "reason": "GovCloud regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] } } }, "QMSNSPublisherFunctionQMSNSPublisherFunctionLambda8BD2DBC1": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "solutions-${AWS::Region}" }, "S3Key": "quota-monitor-for-aws/v6.2.1/asset1bfa0e5f1118cfcb001d118fe35942ca947c2e6ae31671605111ebec0c712e72.zip" }, "Role": { "Fn::GetAtt": [ "QMSNSPublisherFunctionQMSNSPublisherFunctionLambdaServiceRoleA2F00B10", "Arn" ] }, "DeadLetterConfig": { "TargetArn": { "Fn::GetAtt": [ "QMSNSPublisherFunctionQMSNSPublisherFunctionLambdaDeadLetterQueue72FF519A", "Arn" ] } }, "Description": "SO0005 quota-monitor-for-aws - QM-SNSPublisherFunction-Lambda", "Environment": { "Variables": { "QM_NOTIFICATION_MUTING_CONFIG_PARAMETER": { "Ref": "QMNotificationMutingConfig3B7948BA" }, "TOPIC_ARN": { "Ref": "QMSNSPublisherQMSNSPublisherSNSTopic7EE2EBF4" }, "LOG_LEVEL": "info", "CUSTOM_SDK_USER_AGENT": "AwsSolution/SO0005/v6.2.1", "VERSION": "v6.2.1", "SOLUTION_ID": "SO0005" } }, "Handler": "index.handler", "KmsKeyArn": { "Fn::GetAtt": [ "KMSHubQMEncryptionKeyA80F8C05", "Arn" ] }, "Layers": [ { "Ref": "QMUtilsLayerQMUtilsLayerLayer80D5D993" } ], "MemorySize": 128, "Runtime": "nodejs16.x", "Timeout": 60 }, "DependsOn": [ "QMSNSPublisherFunctionQMSNSPublisherFunctionLambdaServiceRoleDefaultPolicy1E6E152C", 
"QMSNSPublisherFunctionQMSNSPublisherFunctionLambdaServiceRoleA2F00B10" ], "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-SNSPublisherFunction/QM-SNSPublisherFunction-Lambda/Resource", "aws:asset:path": "asset.1bfa0e5f1118cfcb001d118fe35942ca947c2e6ae31671605111ebec0c712e72.zip", "aws:asset:is-bundled": false, "aws:asset:property": "Code", "cdk_nag": { "rules_to_suppress": [ { "reason": "GovCloud regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] } } }, "QMSNSPublisherFunctionQMSNSPublisherFunctionLambdaEventInvokeConfig7A963AA0": { "Type": "AWS::Lambda::EventInvokeConfig", "Properties": { "FunctionName": { "Ref": "QMSNSPublisherFunctionQMSNSPublisherFunctionLambda8BD2DBC1" }, "Qualifier": "$LATEST", "MaximumEventAgeInSeconds": 14400 }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-SNSPublisherFunction/QM-SNSPublisherFunction-Lambda/EventInvokeConfig/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "GovCloud regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] } } }, "QMEmailSubscription32E71F90": { "Type": "AWS::SNS::Subscription", "Properties": { "Protocol": "email", "TopicArn": { "Ref": "QMSNSPublisherQMSNSPublisherSNSTopic7EE2EBF4" }, "Endpoint": { "Ref": "SNSEmail" } }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-EmailSubscription/Resource" }, "Condition": "EmailTrueCondition" }, "QMSummarizerEventQueueQMSummarizerEventQueueEventsRuleE50B8D7C": { "Type": "AWS::Events::Rule", "Properties": { "Description": "SO0005 quota-monitor-for-aws - QM-Summarizer-EventQueue-EventsRule", "EventBusName": { "Ref": "QMBusFF5C6C0C" }, "EventPattern": { "detail": { "status": [ "OK", "WARN", "ERROR" ] }, "detail-type": [ "Trusted Advisor Check Item Refresh Notification", "Service Quotas Utilization Notification" ], "source": [ "aws.trustedadvisor", "aws-solutions.quota-monitor" ] }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ 
"QMSummarizerEventQueueQMSummarizerEventQueueQueue95FCCD2A", "Arn" ] }, "Id": "Target0" } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Summarizer-EventQueue/QM-Summarizer-EventQueue-EventsRule/Resource" } }, "QMSummarizerEventQueueQMSummarizerEventQueueQueue95FCCD2A": { "Type": "AWS::SQS::Queue", "Properties": { "KmsMasterKeyId": { "Fn::GetAtt": [ "KMSHubQMEncryptionKeyA80F8C05", "Arn" ] }, "VisibilityTimeout": 60 }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Summarizer-EventQueue/QM-Summarizer-EventQueue-Queue/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "dlq not implemented on sqs, will evaluate in future if there is need", "id": "AwsSolutions-SQS3" } ] } } }, "QMSummarizerEventQueueQMSummarizerEventQueueQueuePolicyE7E1F6D8": { "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sqs:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": { "Fn::GetAtt": [ "QMSummarizerEventQueueQMSummarizerEventQueueQueue95FCCD2A", "Arn" ] } }, { "Action": [ "sqs:SendMessage", "sqs:GetQueueAttributes", "sqs:GetQueueUrl" ], "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Resource": { "Fn::GetAtt": [ "QMSummarizerEventQueueQMSummarizerEventQueueQueue95FCCD2A", "Arn" ] } } ], "Version": "2012-10-17" }, "Queues": [ { "Ref": "QMSummarizerEventQueueQMSummarizerEventQueueQueue95FCCD2A" } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Summarizer-EventQueue/QM-Summarizer-EventQueue-Queue/Policy/Resource" } }, "QMTable336670B0": { "Type": "AWS::DynamoDB::Table", "Properties": { "KeySchema": [ { "AttributeName": "MessageId", "KeyType": "HASH" }, { "AttributeName": "TimeStamp", "KeyType": "RANGE" } ], "AttributeDefinitions": [ { "AttributeName": "MessageId", "AttributeType": "S" }, { "AttributeName": "TimeStamp", "AttributeType": "S" } 
], "BillingMode": "PAY_PER_REQUEST", "PointInTimeRecoverySpecification": { "PointInTimeRecoveryEnabled": true }, "SSESpecification": { "KMSMasterKeyId": { "Fn::GetAtt": [ "KMSHubQMEncryptionKeyA80F8C05", "Arn" ] }, "SSEEnabled": true, "SSEType": "KMS" } }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Table/Resource" } }, "QMReporterQMReporterEventsRule0BF77282": { "Type": "AWS::Events::Rule", "Properties": { "Description": "SO0005 quota-monitor-for-aws - QM-Reporter-EventsRule", "ScheduleExpression": "rate(5 minutes)", "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "QMReporterQMReporterLambda7D98A6E4", "Arn" ] }, "Id": "Target0" } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Reporter/QM-Reporter-EventsRule/Resource" } }, "QMReporterQMReporterEventsRuleAllowEventRulequotamonitorhubnoouQMReporterQMReporterLambda0CE086E3DDFD1F2A": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "QMReporterQMReporterLambda7D98A6E4", "Arn" ] }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "QMReporterQMReporterEventsRule0BF77282", "Arn" ] } }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Reporter/QM-Reporter-EventsRule/AllowEventRulequotamonitorhubnoouQMReporterQMReporterLambda0CE086E3" } }, "QMReporterQMReporterLambdaDeadLetterQueueA0C464BC": { "Type": "AWS::SQS::Queue", "Properties": { "KmsMasterKeyId": { "Fn::GetAtt": [ "KMSHubQMEncryptionKeyA80F8C05", "Arn" ] } }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Reporter/QM-Reporter-Lambda-Dead-Letter-Queue/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "Queue itself is dead-letter queue", "id": "AwsSolutions-SQS3" } ] } } }, "QMReporterQMReporterLambdaDeadLetterQueuePolicyE714847D": { "Type": "AWS::SQS::QueuePolicy", "Properties": { 
"PolicyDocument": { "Statement": [ { "Action": "sqs:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": { "Fn::GetAtt": [ "QMReporterQMReporterLambdaDeadLetterQueueA0C464BC", "Arn" ] } } ], "Version": "2012-10-17" }, "Queues": [ { "Ref": "QMReporterQMReporterLambdaDeadLetterQueueA0C464BC" } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Reporter/QM-Reporter-Lambda-Dead-Letter-Queue/Policy/Resource" } }, "QMReporterQMReporterLambdaServiceRoleBA4CED84": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] ] } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Reporter/QM-Reporter-Lambda/ServiceRole/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "AWSLambdaBasicExecutionRole added by cdk only gives write permissions for CW logs", "id": "AwsSolutions-IAM4" }, { "reason": "Actions restricted on kms key ARN. 
Only actions that do not support resource-level permissions have * in resource", "id": "AwsSolutions-IAM5" }, { "reason": "GovCloud regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] } } }, "QMReporterQMReporterLambdaServiceRoleDefaultPolicyC6B87A76": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sqs:SendMessage", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "QMReporterQMReporterLambdaDeadLetterQueueA0C464BC", "Arn" ] } }, { "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:CreateGrant" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "KMSHubQMEncryptionKeyA80F8C05", "Arn" ] } }, { "Action": "kms:ListAliases", "Effect": "Allow", "Resource": "*" }, { "Action": [ "sqs:DeleteMessage", "sqs:ReceiveMessage" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "QMSummarizerEventQueueQMSummarizerEventQueueQueue95FCCD2A", "Arn" ] } }, { "Action": [ "dynamodb:GetItem", "dynamodb:PutItem" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "QMTable336670B0", "Arn" ] } } ], "Version": "2012-10-17" }, "PolicyName": "QMReporterQMReporterLambdaServiceRoleDefaultPolicyC6B87A76", "Roles": [ { "Ref": "QMReporterQMReporterLambdaServiceRoleBA4CED84" } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Reporter/QM-Reporter-Lambda/ServiceRole/DefaultPolicy/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "AWSLambdaBasicExecutionRole added by cdk only gives write permissions for CW logs", "id": "AwsSolutions-IAM4" }, { "reason": "Actions restricted on kms key ARN. 
Only actions that do not support resource-level permissions have * in resource", "id": "AwsSolutions-IAM5" }, { "reason": "GovCloud regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] } } }, "QMReporterQMReporterLambda7D98A6E4": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "solutions-${AWS::Region}" }, "S3Key": "quota-monitor-for-aws/v6.2.1/asset2138eaa657692b8299e14a5ca8dfc9d275d35daa5c2e9fbf2596ebb50bdd323a.zip" }, "Role": { "Fn::GetAtt": [ "QMReporterQMReporterLambdaServiceRoleBA4CED84", "Arn" ] }, "DeadLetterConfig": { "TargetArn": { "Fn::GetAtt": [ "QMReporterQMReporterLambdaDeadLetterQueueA0C464BC", "Arn" ] } }, "Description": "SO0005 quota-monitor-for-aws - QM-Reporter-Lambda", "Environment": { "Variables": { "QUOTA_TABLE": { "Ref": "QMTable336670B0" }, "SQS_URL": { "Ref": "QMSummarizerEventQueueQMSummarizerEventQueueQueue95FCCD2A" }, "MAX_MESSAGES": "10", "MAX_LOOPS": "10", "LOG_LEVEL": "info", "CUSTOM_SDK_USER_AGENT": "AwsSolution/SO0005/v6.2.1", "VERSION": "v6.2.1", "SOLUTION_ID": "SO0005" } }, "Handler": "index.handler", "KmsKeyArn": { "Fn::GetAtt": [ "KMSHubQMEncryptionKeyA80F8C05", "Arn" ] }, "Layers": [ { "Ref": "QMUtilsLayerQMUtilsLayerLayer80D5D993" } ], "MemorySize": 512, "Runtime": "nodejs16.x", "Timeout": 10 }, "DependsOn": [ "QMReporterQMReporterLambdaServiceRoleDefaultPolicyC6B87A76", "QMReporterQMReporterLambdaServiceRoleBA4CED84" ], "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Reporter/QM-Reporter-Lambda/Resource", "aws:asset:path": "asset.2138eaa657692b8299e14a5ca8dfc9d275d35daa5c2e9fbf2596ebb50bdd323a.zip", "aws:asset:is-bundled": false, "aws:asset:property": "Code", "cdk_nag": { "rules_to_suppress": [ { "reason": "GovCloud regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] } } }, "QMReporterQMReporterLambdaEventInvokeConfig07548BFA": { "Type": "AWS::Lambda::EventInvokeConfig", "Properties": { "FunctionName": { "Ref": 
"QMReporterQMReporterLambda7D98A6E4" }, "Qualifier": "$LATEST", "MaximumEventAgeInSeconds": 14400 }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Reporter/QM-Reporter-Lambda/EventInvokeConfig/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "GovCloud regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] } } }, "QMDeploymentManagerQMDeploymentManagerEventsRule53DB2DA9": { "Type": "AWS::Events::Rule", "Properties": { "Description": "SO0005 quota-monitor-for-aws - QM-Deployment-Manager-EventsRule", "EventPattern": { "detail-type": [ "Parameter Store Change" ], "source": [ "aws.ssm" ], "resources": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":parameter", { "Ref": "QMAccounts3D743F6B" } ] ] } ] }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "QMDeploymentManagerQMDeploymentManagerLambdaB36F1B21", "Arn" ] }, "Id": "Target0" } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Deployment-Manager/QM-Deployment-Manager-EventsRule/Resource" } }, "QMDeploymentManagerQMDeploymentManagerEventsRuleAllowEventRulequotamonitorhubnoouQMDeploymentManagerQMDeploymentManagerLambda69BB20E9F676A8A9": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "QMDeploymentManagerQMDeploymentManagerLambdaB36F1B21", "Arn" ] }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "QMDeploymentManagerQMDeploymentManagerEventsRule53DB2DA9", "Arn" ] } }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Deployment-Manager/QM-Deployment-Manager-EventsRule/AllowEventRulequotamonitorhubnoouQMDeploymentManagerQMDeploymentManagerLambda69BB20E9" } }, "QMDeploymentManagerQMDeploymentManagerLambdaDeadLetterQueue9B4636C2": { "Type": "AWS::SQS::Queue", "Properties": { "KmsMasterKeyId": { "Fn::GetAtt": [ "KMSHubQMEncryptionKeyA80F8C05", "Arn" ] } }, 
"UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Deployment-Manager/QM-Deployment-Manager-Lambda-Dead-Letter-Queue/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "Queue itself is dead-letter queue", "id": "AwsSolutions-SQS3" } ] } } }, "QMDeploymentManagerQMDeploymentManagerLambdaDeadLetterQueuePolicy6B59E185": { "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sqs:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": { "Fn::GetAtt": [ "QMDeploymentManagerQMDeploymentManagerLambdaDeadLetterQueue9B4636C2", "Arn" ] } } ], "Version": "2012-10-17" }, "Queues": [ { "Ref": "QMDeploymentManagerQMDeploymentManagerLambdaDeadLetterQueue9B4636C2" } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Deployment-Manager/QM-Deployment-Manager-Lambda-Dead-Letter-Queue/Policy/Resource" } }, "QMDeploymentManagerQMDeploymentManagerLambdaServiceRole84304F72": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] ] } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Deployment-Manager/QM-Deployment-Manager-Lambda/ServiceRole/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "AWSLambdaBasicExecutionRole added by cdk only gives write permissions for CW logs", "id": "AwsSolutions-IAM4" }, { "reason": "Actions restricted on kms key ARN. 
Only actions that do not support resource-level permissions have * in resource", "id": "AwsSolutions-IAM5" }, { "reason": "GovCloud regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] } } }, "QMDeploymentManagerQMDeploymentManagerLambdaServiceRoleDefaultPolicy7E3D0777": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sqs:SendMessage", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "QMDeploymentManagerQMDeploymentManagerLambdaDeadLetterQueue9B4636C2", "Arn" ] } }, { "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:CreateGrant" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "KMSHubQMEncryptionKeyA80F8C05", "Arn" ] } }, { "Action": "kms:ListAliases", "Effect": "Allow", "Resource": "*" }, { "Action": [ "events:PutPermission", "events:RemovePermission" ], "Effect": "Allow", "Resource": "*" }, { "Action": "events:DescribeEventBus", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "QMBusFF5C6C0C", "Arn" ] } }, { "Action": "ssm:GetParameter", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":parameter", { "Ref": "QMAccounts3D743F6B" } ] ] } }, { "Action": "support:DescribeTrustedAdvisorChecks", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "QMDeploymentManagerQMDeploymentManagerLambdaServiceRoleDefaultPolicy7E3D0777", "Roles": [ { "Ref": "QMDeploymentManagerQMDeploymentManagerLambdaServiceRole84304F72" } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Deployment-Manager/QM-Deployment-Manager-Lambda/ServiceRole/DefaultPolicy/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "AWSLambdaBasicExecutionRole added by cdk only gives write permissions for CW logs", "id": "AwsSolutions-IAM4" }, { "reason": "Actions restricted on kms key ARN. 
Only kms:ListAliases and support:DescribeTrustedAdvisorChecks lack resource-level permissions; events:PutPermission and events:RemovePermission accept an event-bus ARN, so the * on those two lets this role grant cross-account access on every event bus in the account and should be scoped to the QuotaMonitorBus ARN", "id": "AwsSolutions-IAM5" }, { "reason": "GovCloud regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] } } }, "QMDeploymentManagerQMDeploymentManagerLambdaB36F1B21": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "solutions-${AWS::Region}" }, "S3Key": "quota-monitor-for-aws/v6.2.1/assete0f373e9ac52ab723ca1f33ddfa549e07e471bd43689db5224a8b484ae5b31f6.zip" }, "Role": { "Fn::GetAtt": [ "QMDeploymentManagerQMDeploymentManagerLambdaServiceRole84304F72", "Arn" ] }, "DeadLetterConfig": { "TargetArn": { "Fn::GetAtt": [ "QMDeploymentManagerQMDeploymentManagerLambdaDeadLetterQueue9B4636C2", "Arn" ] } }, "Description": "SO0005 quota-monitor-for-aws - QM-Deployment-Manager-Lambda", "Environment": { "Variables": { "EVENT_BUS_NAME": { "Ref": "QMBusFF5C6C0C" }, "EVENT_BUS_ARN": { "Fn::GetAtt": [ "QMBusFF5C6C0C", "Arn" ] }, "QM_ACCOUNT_PARAMETER": { "Ref": "QMAccounts3D743F6B" }, "DEPLOYMENT_MODEL": "Accounts", "LOG_LEVEL": "info", "CUSTOM_SDK_USER_AGENT": "AwsSolution/SO0005/v6.2.1", "VERSION": "v6.2.1", "SOLUTION_ID": "SO0005" } }, "Handler": "index.handler", "KmsKeyArn": { "Fn::GetAtt": [ "KMSHubQMEncryptionKeyA80F8C05", "Arn" ] }, "Layers": [ { "Ref": "QMUtilsLayerQMUtilsLayerLayer80D5D993" } ], "MemorySize": 512, "Runtime": "nodejs16.x", "Timeout": 60 }, "DependsOn": [ "QMDeploymentManagerQMDeploymentManagerLambdaServiceRoleDefaultPolicy7E3D0777", "QMDeploymentManagerQMDeploymentManagerLambdaServiceRole84304F72" ], "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Deployment-Manager/QM-Deployment-Manager-Lambda/Resource", "aws:asset:path": "asset.e0f373e9ac52ab723ca1f33ddfa549e07e471bd43689db5224a8b484ae5b31f6.zip", "aws:asset:is-bundled": false, "aws:asset:property": "Code", "cdk_nag": { "rules_to_suppress": [ { "reason": "GovCloud regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] 
} } }, "QMDeploymentManagerQMDeploymentManagerLambdaEventInvokeConfig4C3821AB": { "Type": "AWS::Lambda::EventInvokeConfig", "Properties": { "FunctionName": { "Ref": "QMDeploymentManagerQMDeploymentManagerLambdaB36F1B21" }, "Qualifier": "$LATEST", "MaximumEventAgeInSeconds": 14400 }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Deployment-Manager/QM-Deployment-Manager-Lambda/EventInvokeConfig/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "GovCloud regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] } } }, "QMHelperQMHelperFunctionServiceRole0506622D": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] ] } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Helper/QM-Helper-Function/ServiceRole/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "AWSLambdaBasicExecutionRole added by cdk only gives write permissions for CW logs", "id": "AwsSolutions-IAM4" }, { "reason": "Actions restricted on kms key ARN. 
Only actions that do not support resource-level permissions have * in resource", "id": "AwsSolutions-IAM5" }, { "reason": "GovCloud regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] } } }, "QMHelperQMHelperFunction91954E97": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "solutions-${AWS::Region}" }, "S3Key": "quota-monitor-for-aws/v6.2.1/assetbafc67a78bd93e6b69f271fe9a700890ee1719988f867959a90914e0fd18d72c.zip" }, "Role": { "Fn::GetAtt": [ "QMHelperQMHelperFunctionServiceRole0506622D", "Arn" ] }, "Description": "SO0005 quota-monitor-for-aws - QM-Helper-Function", "Environment": { "Variables": { "METRICS_ENDPOINT": { "Fn::FindInMap": [ "QuotaMonitorMap", "Metrics", "MetricsEndpoint" ] }, "SEND_METRIC": { "Fn::FindInMap": [ "QuotaMonitorMap", "Metrics", "SendAnonymizedData" ] }, "QM_STACK_ID": "quota-monitor-hub-no-ou", "LOG_LEVEL": "info", "CUSTOM_SDK_USER_AGENT": "AwsSolution/SO0005/v6.2.1", "VERSION": "v6.2.1", "SOLUTION_ID": "SO0005" } }, "Handler": "index.handler", "Layers": [ { "Ref": "QMUtilsLayerQMUtilsLayerLayer80D5D993" } ], "MemorySize": 128, "Runtime": "nodejs16.x", "Timeout": 5 }, "DependsOn": [ "QMHelperQMHelperFunctionServiceRole0506622D" ], "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Helper/QM-Helper-Function/Resource", "aws:asset:path": "asset.bafc67a78bd93e6b69f271fe9a700890ee1719988f867959a90914e0fd18d72c.zip", "aws:asset:is-bundled": false, "aws:asset:property": "Code", "cdk_nag": { "rules_to_suppress": [ { "reason": "GovCloud regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] } } }, "QMHelperQMHelperFunctionEventInvokeConfig580F9F5F": { "Type": "AWS::Lambda::EventInvokeConfig", "Properties": { "FunctionName": { "Ref": "QMHelperQMHelperFunction91954E97" }, "Qualifier": "$LATEST", "MaximumEventAgeInSeconds": 14400 }, "Metadata": { "aws:cdk:path": 
"quota-monitor-hub-no-ou/QM-Helper/QM-Helper-Function/EventInvokeConfig/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "GovCloud regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] } } }, "QMHelperQMHelperProviderframeworkonEventServiceRole4A1EBBAB": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] ] } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Helper/QM-Helper-Provider/framework-onEvent/ServiceRole/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "AWSLambdaBasicExecutionRole added by cdk only gives write permissions for CW logs", "id": "AwsSolutions-IAM4" }, { "reason": "IAM policy is appropriately scoped: the only wildcard is the :* version suffix on the helper function ARN, false warning", "id": "AwsSolutions-IAM5" }, { "reason": "Lambda function created by Provider L2 construct uses nodejs 14, which Lambda has since deprecated; risk is tolerable only until the CDK provider framework is upgraded, revisit this suppression", "id": "AwsSolutions-L1" } ] } } }, "QMHelperQMHelperProviderframeworkonEventServiceRoleDefaultPolicy86C1FCC1": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "lambda:InvokeFunction", "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "QMHelperQMHelperFunction91954E97", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "QMHelperQMHelperFunction91954E97", "Arn" ] }, ":*" ] ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "QMHelperQMHelperProviderframeworkonEventServiceRoleDefaultPolicy86C1FCC1", "Roles": [ { "Ref": "QMHelperQMHelperProviderframeworkonEventServiceRole4A1EBBAB" } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Helper/QM-Helper-Provider/framework-onEvent/ServiceRole/DefaultPolicy/Resource", "cdk_nag": { "rules_to_suppress": [ { 
"reason": "AWSLambdaBasicExecutionRole added by cdk only gives write permissions for CW logs", "id": "AwsSolutions-IAM4" }, { "reason": "IAM policy is appropriately scoped: the only wildcard is the :* version suffix on the helper function ARN, false warning", "id": "AwsSolutions-IAM5" }, { "reason": "Lambda function created by Provider L2 construct uses nodejs 14, which Lambda has since deprecated; risk is tolerable only until the CDK provider framework is upgraded, revisit this suppression", "id": "AwsSolutions-L1" } ] } } }, "QMHelperQMHelperProviderframeworkonEventB1DF6D3F": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "solutions-${AWS::Region}" }, "S3Key": "quota-monitor-for-aws/v6.2.1/asset8e3d635893ea17fa3158623489cd42c680fad925b38de1ef51cb10d84f6e245e.zip" }, "Role": { "Fn::GetAtt": [ "QMHelperQMHelperProviderframeworkonEventServiceRole4A1EBBAB", "Arn" ] }, "Description": "AWS CDK resource provider framework - onEvent (quota-monitor-hub-no-ou/QM-Helper/QM-Helper-Provider)", "Environment": { "Variables": { "USER_ON_EVENT_FUNCTION_ARN": { "Fn::GetAtt": [ "QMHelperQMHelperFunction91954E97", "Arn" ] } } }, "Handler": "framework.onEvent", "Runtime": "nodejs14.x", "Timeout": 900 }, "DependsOn": [ "QMHelperQMHelperProviderframeworkonEventServiceRoleDefaultPolicy86C1FCC1", "QMHelperQMHelperProviderframeworkonEventServiceRole4A1EBBAB" ], "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Helper/QM-Helper-Provider/framework-onEvent/Resource", "aws:asset:path": "asset.8e3d635893ea17fa3158623489cd42c680fad925b38de1ef51cb10d84f6e245e", "aws:asset:is-bundled": false, "aws:asset:property": "Code", "cdk_nag": { "rules_to_suppress": [ { "reason": "AWSLambdaBasicExecutionRole added by cdk only gives write permissions for CW logs", "id": "AwsSolutions-IAM4" }, { "reason": "IAM policy is appropriately scoped: the only wildcard is the :* version suffix on the helper function ARN, false warning", "id": "AwsSolutions-IAM5" }, { "reason": "Lambda function created by Provider L2 construct uses nodejs 14, which Lambda has since deprecated; risk is tolerable only until the CDK provider framework is upgraded, revisit this suppression", "id": "AwsSolutions-L1" } ] } } }, "QMHelperCreateUUIDE0D423E6": { "Type": 
"Custom::CreateUUID", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "QMHelperQMHelperProviderframeworkonEventB1DF6D3F", "Arn" ] } }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Helper/CreateUUID/Default" } }, "QMHelperLaunchData6F23B2C3": { "Type": "Custom::LaunchData", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "QMHelperQMHelperProviderframeworkonEventB1DF6D3F", "Arn" ] }, "SOLUTION_UUID": { "Fn::GetAtt": [ "QMHelperCreateUUIDE0D423E6", "UUID" ] } }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/QM-Helper/LaunchData/Default" } }, "HubNoOUAppRegistryApplication11687F81": { "Type": "AWS::ServiceCatalogAppRegistry::Application", "Properties": { "Name": { "Fn::Join": [ "-", [ "QM_Hub", { "Ref": "AWS::Region" }, { "Ref": "AWS::AccountId" } ] ] }, "Description": "Service Catalog application to track and manage all your resources for the solution quota-monitor-for-aws", "Tags": { "ApplicationType": "AWS-Solutions", "SolutionID": "SO0005-NoOU", "SolutionName": "quota-monitor-for-aws", "SolutionVersion": "v6.2.1" } }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/HubNoOUAppRegistryApplication/AppRegistryApplication/Resource" } }, "HubNoOUAppRegistryApplicationApplicationAttributeGroup12D391FE": { "Type": "AWS::ServiceCatalogAppRegistry::AttributeGroup", "Properties": { "Attributes": { "solutionID": "SO0005-NoOU", "solutionName": "quota-monitor-for-aws", "version": "v6.2.1", "applicationType": "AWS-Solutions" }, "Name": { "Fn::Join": [ "-", [ "QM_Hub", { "Ref": "AWS::Region" }, { "Ref": "AWS::AccountId" } ] ] }, "Description": "Attribute group for application information", "Tags": { "ApplicationType": "AWS-Solutions", "SolutionID": "SO0005-NoOU", "SolutionName": "quota-monitor-for-aws", "SolutionVersion": "v6.2.1" } }, "Metadata": { "aws:cdk:path": 
"quota-monitor-hub-no-ou/HubNoOUAppRegistryApplication/AppRegistryApplication/ApplicationAttributeGroup/Resource" } }, "HubNoOUAppRegistryApplicationAttributeGroupAssociation876a8964c18aB3CF4B8A": { "Type": "AWS::ServiceCatalogAppRegistry::AttributeGroupAssociation", "Properties": { "Application": { "Fn::GetAtt": [ "HubNoOUAppRegistryApplication11687F81", "Id" ] }, "AttributeGroup": { "Fn::GetAtt": [ "HubNoOUAppRegistryApplicationApplicationAttributeGroup12D391FE", "Id" ] } }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/HubNoOUAppRegistryApplication/AppRegistryApplication/AttributeGroupAssociation876a8964c18a" } }, "AppRegistryAssociation": { "Type": "AWS::ServiceCatalogAppRegistry::ResourceAssociation", "Properties": { "Application": { "Fn::GetAtt": [ "HubNoOUAppRegistryApplication11687F81", "Id" ] }, "Resource": { "Ref": "AWS::StackId" }, "ResourceType": "CFN_STACK" }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/AppRegistryAssociation" } }, "CDKMetadata": { "Type": "AWS::CDK::Metadata", "Properties": { "Analytics": "v2:deflate64:H4sIAAAAAAAA/3VSwW7UMBD9lr173W1BiCO7FSBEEcu24rqaONPgJrGNxw6Kovw7YyebpkVcMvNenmfmjX0j37+Vw24Df2irynrb6EIO9wFULW4fzRE8tBjQJ/ANnNOmSumtNaUO2hrB584DdmgCyeFjiodISbLkp9hgIlIcRd2y7iv2iUlh32jI+pyMgqhN/T03etH8GUw/7zSFhRtFA21RghzuoEf/Ez2l2fjYa3xE32rK6FM0Ksz0kuepv5jO1sgeH3W1WFmTPOabMxAhm96nwFgeoqoxHIBQ0G82+SNizManJH+PttGqX8gJjkIDmz7ZeU8pPgsvGjJc88E6rRI7JfexIOW1u9hY41GUvYHWlnyfD1BMtXPCtdB3WqGCAI2t+Fo9VrxP38sh3YRz3BIuRfeBF17EgJ+9je5fhhdglV7kJyQbvcIVPY4ib4mfVZUe0EUiVKRg27OfMcmjt50u043nP4twVTfl32NwMYxit4XG/QK523yY3+9Viv+1N8uHtcOXZnhUY0uUT3TVXb+TNzt5vXkirbc+mqBblKcp/gU8/9H4NwMAAA==" }, "Metadata": { "aws:cdk:path": "quota-monitor-hub-no-ou/CDKMetadata/Default" }, "Condition": "CDKMetadataAvailable" } }, "Outputs": { "SlackHookKey": { "Description": "SSM parameter for Slack Web Hook, change the value for your slack workspace", "Value": { "Fn::FindInMap": [ "QuotaMonitorMap", "SSMParameters", "SlackHook" ] }, "Condition": 
"SlackTrueCondition" }, "UUID": { "Description": "UUID for the deployment", "Value": { "Fn::GetAtt": [ "QMHelperCreateUUIDE0D423E6", "UUID" ] } }, "EventBus": { "Description": "ARN of the hub event bus (QuotaMonitorBus). The deployment manager can call events:PutPermission for the accounts listed in the Accounts SSM parameter, so treat that parameter as an allow-list of trusted spoke accounts", "Value": { "Fn::GetAtt": [ "QMBusFF5C6C0C", "Arn" ] } }, "SNSTopic": { "Description": "ARN of the SNS topic that quota notifications are published to", "Value": { "Ref": "QMSNSPublisherQMSNSPublisherSNSTopic7EE2EBF4" } } } }