{ "Description": "(SO0005-TA) - quota-monitor-for-aws version:v6.2.1 - Trusted Advisor Template", "AWSTemplateFormatVersion": "2010-09-09", "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Monitoring Account Configuration" }, "Parameters": [ "EventBusArn" ] } ], "ParameterLabels": { "EventBusArn": { "default": "Arn for the EventBridge bus in the monitoring account" } } } }, "Parameters": { "EventBusArn": { "Type": "String" } }, "Mappings": { "QuotaMonitorMap": { "RefreshRate": { "Default": "rate(1 day)" } } }, "Resources": { "TAOkRule3B6A3866": { "Type": "AWS::Events::Rule", "Properties": { "Description": "Quota Monitor Solution - Spoke - Rule for TA OK events", "EventPattern": { "account": [ { "Ref": "AWS::AccountId" } ], "detail": { "status": [ "OK" ], "check-item-detail": { "Service": [ "AutoScaling", "CloudFormation", "DynamoDB", "EBS", "EC2", "ELB", "IAM", "Kinesis", "RDS", "Route53", "SES", "VPC" ] } }, "detail-type": [ "Trusted Advisor Check Item Refresh Notification" ], "source": [ "aws.trustedadvisor" ] }, "State": "ENABLED", "Targets": [ { "Arn": { "Ref": "EventBusArn" }, "Id": "Target0", "RoleArn": { "Fn::GetAtt": [ "TAOkRuleEventsRole78AEFB32", "Arn" ] } } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-ta-spoke/TAOkRule/Resource" } }, "TAOkRuleEventsRole78AEFB32": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" } } ], "Version": "2012-10-17" } }, "Metadata": { "aws:cdk:path": "quota-monitor-ta-spoke/TAOkRule/EventsRole/Resource" } }, "TAOkRuleEventsRoleDefaultPolicyFAB70645": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "events:PutEvents", "Effect": "Allow", "Resource": { "Ref": "EventBusArn" } } ], "Version": "2012-10-17" }, "PolicyName": "TAOkRuleEventsRoleDefaultPolicyFAB70645", "Roles": [ { "Ref": "TAOkRuleEventsRole78AEFB32" } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-ta-spoke/TAOkRule/EventsRole/DefaultPolicy/Resource" } }, "TAWarnRule4E0A6126": { "Type": "AWS::Events::Rule", "Properties": { "Description": "Quota Monitor Solution - Spoke - Rule for TA WARN events", "EventPattern": { "account": [ { "Ref": "AWS::AccountId" } ], "detail": { "status": [ "WARN" ], "check-item-detail": { "Service": [ "AutoScaling", "CloudFormation", "DynamoDB", "EBS", "EC2", "ELB", "IAM", "Kinesis", "RDS", "Route53", "SES", "VPC" ] } }, "detail-type": [ "Trusted Advisor Check Item Refresh Notification" ], "source": [ "aws.trustedadvisor" ] }, "State": "ENABLED", "Targets": [ { "Arn": { "Ref": "EventBusArn" }, "Id": "Target0", "RoleArn": { "Fn::GetAtt": [ "TAWarnRuleEventsRole92C70288", "Arn" ] } } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-ta-spoke/TAWarnRule/Resource" } }, "TAWarnRuleEventsRole92C70288": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" } } ], "Version": "2012-10-17" } }, "Metadata": { "aws:cdk:path": "quota-monitor-ta-spoke/TAWarnRule/EventsRole/Resource" } }, "TAWarnRuleEventsRoleDefaultPolicyB0AE7261": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "events:PutEvents", "Effect": "Allow", "Resource": { "Ref": "EventBusArn" } } ], "Version": "2012-10-17" }, "PolicyName": "TAWarnRuleEventsRoleDefaultPolicyB0AE7261", "Roles": [ { "Ref": "TAWarnRuleEventsRole92C70288" } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-ta-spoke/TAWarnRule/EventsRole/DefaultPolicy/Resource" } }, "TAErrorRule6720C8C4": { "Type": "AWS::Events::Rule", "Properties": { "Description": "Quota Monitor Solution - Spoke - Rule for TA ERROR events", "EventPattern": { "account": [ { "Ref": "AWS::AccountId" } ], "detail": { "status": [ "ERROR" ], "check-item-detail": { "Service": [ "AutoScaling", "CloudFormation", "DynamoDB", "EBS", "EC2", "ELB", "IAM", "Kinesis", "RDS", "Route53", "SES", "VPC" ] } }, "detail-type": [ "Trusted Advisor Check Item Refresh Notification" ], "source": [ "aws.trustedadvisor" ] }, "State": "ENABLED", "Targets": [ { "Arn": { "Ref": "EventBusArn" }, "Id": "Target0", "RoleArn": { "Fn::GetAtt": [ "TAErrorRuleEventsRoleB879CF53", "Arn" ] } } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-ta-spoke/TAErrorRule/Resource" } }, "TAErrorRuleEventsRoleB879CF53": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" } } ], "Version": "2012-10-17" } }, "Metadata": { "aws:cdk:path": "quota-monitor-ta-spoke/TAErrorRule/EventsRole/Resource" } }, "TAErrorRuleEventsRoleDefaultPolicy270A14C5": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "events:PutEvents", "Effect": "Allow", "Resource": { "Ref": "EventBusArn" } } ], "Version": "2012-10-17" }, "PolicyName": "TAErrorRuleEventsRoleDefaultPolicy270A14C5", "Roles": [ { "Ref": "TAErrorRuleEventsRoleB879CF53" } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-ta-spoke/TAErrorRule/EventsRole/DefaultPolicy/Resource" } }, "QMUtilsLayerQMUtilsLayerLayer80D5D993": { "Type": "AWS::Lambda::LayerVersion", "Properties": { "Content": { "S3Bucket": { "Fn::Sub": "solutions-${AWS::Region}" }, "S3Key": "quota-monitor-for-aws/v6.2.1/asset81614929e374f7931dfaaabf04bb969f72fcacc1ee083173711b38ce460307a9.zip" }, "CompatibleRuntimes": [ "nodejs16.x" ], "LayerName": "QM-UtilsLayer" }, "Metadata": { "aws:cdk:path": "quota-monitor-ta-spoke/QM-UtilsLayer/QM-UtilsLayer-Layer/Resource", "aws:asset:path": "asset.81614929e374f7931dfaaabf04bb969f72fcacc1ee083173711b38ce460307a9.zip", "aws:asset:is-bundled": false, "aws:asset:property": "Content" } }, "QMTARefresherQMTARefresherEventsRuleDCF4B340": { "Type": "AWS::Events::Rule", "Properties": { "Description": "SO0005 quota-monitor-for-aws - QM-TA-Refresher-EventsRule", "ScheduleExpression": { "Fn::FindInMap": [ "QuotaMonitorMap", "RefreshRate", "Default" ] }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "QMTARefresherQMTARefresherLambdaEE100499", "Arn" ] }, "Id": "Target0" } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-ta-spoke/QM-TA-Refresher/QM-TA-Refresher-EventsRule/Resource" } }, "QMTARefresherQMTARefresherEventsRuleAllowEventRulequotamonitortaspokeQMTARefresherQMTARefresherLambda859D552E0BE87577": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "QMTARefresherQMTARefresherLambdaEE100499", "Arn" ] }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "QMTARefresherQMTARefresherEventsRuleDCF4B340", "Arn" ] } }, "Metadata": { "aws:cdk:path": "quota-monitor-ta-spoke/QM-TA-Refresher/QM-TA-Refresher-EventsRule/AllowEventRulequotamonitortaspokeQMTARefresherQMTARefresherLambda859D552E" } }, "QMTARefresherQMTARefresherLambdaDeadLetterQueueC938ED3A": { "Type": "AWS::SQS::Queue", "Properties": { "KmsMasterKeyId": "alias/aws/sqs" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "quota-monitor-ta-spoke/QM-TA-Refresher/QM-TA-Refresher-Lambda-Dead-Letter-Queue/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "Queue itself is dead-letter queue", "id": "AwsSolutions-SQS3" } ] } } }, "QMTARefresherQMTARefresherLambdaDeadLetterQueuePolicy61A9C7A5": { "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sqs:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": { "Fn::GetAtt": [ "QMTARefresherQMTARefresherLambdaDeadLetterQueueC938ED3A", "Arn" ] } } ], "Version": "2012-10-17" }, "Queues": [ { "Ref": "QMTARefresherQMTARefresherLambdaDeadLetterQueueC938ED3A" } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-ta-spoke/QM-TA-Refresher/QM-TA-Refresher-Lambda-Dead-Letter-Queue/Policy/Resource" } }, "QMTARefresherQMTARefresherLambdaServiceRole95E5A974": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] ] } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-ta-spoke/QM-TA-Refresher/QM-TA-Refresher-Lambda/ServiceRole/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "AWSLambdaBasicExecutionRole added by cdk only gives write permissions for CW logs", "id": "AwsSolutions-IAM4" }, { "reason": "Actions restricted on kms key ARN. Only actions that do not support resource-level permissions have * in resource", "id": "AwsSolutions-IAM5" }, { "reason": "GovCloud regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] } } }, "QMTARefresherQMTARefresherLambdaServiceRoleDefaultPolicyF0E3A261": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sqs:SendMessage", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "QMTARefresherQMTARefresherLambdaDeadLetterQueueC938ED3A", "Arn" ] } }, { "Action": "support:RefreshTrustedAdvisorCheck", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "QMTARefresherQMTARefresherLambdaServiceRoleDefaultPolicyF0E3A261", "Roles": [ { "Ref": "QMTARefresherQMTARefresherLambdaServiceRole95E5A974" } ] }, "Metadata": { "aws:cdk:path": "quota-monitor-ta-spoke/QM-TA-Refresher/QM-TA-Refresher-Lambda/ServiceRole/DefaultPolicy/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "AWSLambdaBasicExecutionRole added by cdk only gives write permissions for CW logs", "id": "AwsSolutions-IAM4" }, { "reason": "Actions restricted on kms key ARN. Only actions that do not support resource-level permissions have * in resource", "id": "AwsSolutions-IAM5" }, { "reason": "GovCloud regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] } } }, "QMTARefresherQMTARefresherLambdaEE100499": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "solutions-${AWS::Region}" }, "S3Key": "quota-monitor-for-aws/v6.2.1/asset2fcbfc08856e2f7e26b228f21666705927ba452a9f159f67230cfd7e9aa8ed96.zip" }, "Role": { "Fn::GetAtt": [ "QMTARefresherQMTARefresherLambdaServiceRole95E5A974", "Arn" ] }, "DeadLetterConfig": { "TargetArn": { "Fn::GetAtt": [ "QMTARefresherQMTARefresherLambdaDeadLetterQueueC938ED3A", "Arn" ] } }, "Description": "SO0005 quota-monitor-for-aws - QM-TA-Refresher-Lambda", "Environment": { "Variables": { "AWS_SERVICES": "AutoScaling,CloudFormation,DynamoDB,EBS,EC2,ELB,IAM,Kinesis,RDS,Route53,SES,VPC", "LOG_LEVEL": "info", "CUSTOM_SDK_USER_AGENT": "AwsSolution/SO0005/v6.2.1", "VERSION": "v6.2.1", "SOLUTION_ID": "SO0005" } }, "Handler": "index.handler", "Layers": [ { "Ref": "QMUtilsLayerQMUtilsLayerLayer80D5D993" } ], "MemorySize": 128, "Runtime": "nodejs16.x", "Timeout": 60 }, "DependsOn": [ "QMTARefresherQMTARefresherLambdaServiceRoleDefaultPolicyF0E3A261", "QMTARefresherQMTARefresherLambdaServiceRole95E5A974" ], "Metadata": { "aws:cdk:path": "quota-monitor-ta-spoke/QM-TA-Refresher/QM-TA-Refresher-Lambda/Resource", "aws:asset:path": "asset.2fcbfc08856e2f7e26b228f21666705927ba452a9f159f67230cfd7e9aa8ed96.zip", "aws:asset:is-bundled": false, "aws:asset:property": "Code", "cdk_nag": { "rules_to_suppress": [ { "reason": "GovCloud regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] } } }, "QMTARefresherQMTARefresherLambdaEventInvokeConfig4EDB1B2A": { "Type": "AWS::Lambda::EventInvokeConfig", "Properties": { "FunctionName": { "Ref": "QMTARefresherQMTARefresherLambdaEE100499" }, "Qualifier": "$LATEST", "MaximumEventAgeInSeconds": 14400 }, "Metadata": { "aws:cdk:path": "quota-monitor-ta-spoke/QM-TA-Refresher/QM-TA-Refresher-Lambda/EventInvokeConfig/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "GovCloud regions support only up to nodejs 16, risk is tolerable", "id": "AwsSolutions-L1" } ] } } }, "TASpokeAppRegistryApplicationAEA2BFDF": { "Type": "AWS::ServiceCatalogAppRegistry::Application", "Properties": { "Name": { "Fn::Join": [ "-", [ "QM_TA", { "Ref": "AWS::Region" }, { "Ref": "AWS::AccountId" } ] ] }, "Description": "Service Catalog application to track and manage all your resources for the solution quota-monitor-for-aws", "Tags": { "ApplicationType": "AWS-Solutions", "SolutionID": "SO0005-TA", "SolutionName": "quota-monitor-for-aws", "SolutionVersion": "v6.2.1" } }, "Metadata": { "aws:cdk:path": "quota-monitor-ta-spoke/TASpokeAppRegistryApplication/AppRegistryApplication/Resource" } }, "TASpokeAppRegistryApplicationApplicationAttributeGroupB178C1A6": { "Type": "AWS::ServiceCatalogAppRegistry::AttributeGroup", "Properties": { "Attributes": { "solutionID": "SO0005-TA", "solutionName": "quota-monitor-for-aws", "version": "v6.2.1", "applicationType": "AWS-Solutions" }, "Name": { "Fn::Join": [ "-", [ "QM_TA", { "Ref": "AWS::Region" }, { "Ref": "AWS::AccountId" } ] ] }, "Description": "Attribute group for application information", "Tags": { "ApplicationType": "AWS-Solutions", "SolutionID": "SO0005-TA", "SolutionName": "quota-monitor-for-aws", "SolutionVersion": "v6.2.1" } }, "Metadata": { "aws:cdk:path": "quota-monitor-ta-spoke/TASpokeAppRegistryApplication/AppRegistryApplication/ApplicationAttributeGroup/Resource" } }, "TASpokeAppRegistryApplicationAttributeGroupAssociation079da817458c741F36DC": { "Type": "AWS::ServiceCatalogAppRegistry::AttributeGroupAssociation", "Properties": { "Application": { "Fn::GetAtt": [ "TASpokeAppRegistryApplicationAEA2BFDF", "Id" ] }, "AttributeGroup": { "Fn::GetAtt": [ "TASpokeAppRegistryApplicationApplicationAttributeGroupB178C1A6", "Id" ] } }, "Metadata": { "aws:cdk:path": "quota-monitor-ta-spoke/TASpokeAppRegistryApplication/AppRegistryApplication/AttributeGroupAssociation079da817458c" } }, "AppRegistryAssociation": { "Type": "AWS::ServiceCatalogAppRegistry::ResourceAssociation", "Properties": { "Application": { "Fn::GetAtt": [ "TASpokeAppRegistryApplicationAEA2BFDF", "Id" ] }, "Resource": { "Ref": "AWS::StackId" }, "ResourceType": "CFN_STACK" }, "Metadata": { "aws:cdk:path": "quota-monitor-ta-spoke/AppRegistryAssociation" } } }, "Outputs": { "ServiceChecks": { "Description": "service limit checks monitored in the account", "Value": "AutoScaling,CloudFormation,DynamoDB,EBS,EC2,ELB,IAM,Kinesis,RDS,Route53,SES,VPC" } } }