
Commit 6cdb4ff

Fix: [AEA-0000] - another stack needed to bootstrap (#1269)
## Summary - Routine Change ### Details - add a lambda_bootstrap stack definition
1 parent 40eb2bc commit 6cdb4ff

1 file changed

Lines changed: 388 additions & 0 deletions


Lines changed: 388 additions & 0 deletions
@@ -0,0 +1,388 @@
1+
AWSTemplateFormatVersion: "2010-09-09"
2+
Transform: AWS::Serverless-2016-10-31
3+
4+
Description: >
5+
Splunk Firehose Transformer, Certificate Checker, Slack Alerter, Lambda Janitor, Proxygen Lambdas
6+
7+
Globals:
8+
Function:
9+
Timeout: 60
10+
MemorySize: 256
11+
Architectures:
12+
- x86_64
13+
Runtime: nodejs20.x
14+
Environment:
15+
Variables:
16+
NODE_OPTIONS: "--enable-source-maps"
17+
ENV: !Ref Env
18+
19+
Parameters:
20+
SplunkHECEndpoint:
21+
Type: String
22+
Description: HEC Endpoint for Cloudformation to Splunk Firehose
23+
Default: none
24+
LogRetentionDays:
25+
Type: Number
26+
Description: How long to keep logs for
27+
AllowedValues:
28+
[
29+
1,
30+
3,
31+
5,
32+
7,
33+
14,
34+
30,
35+
60,
36+
90,
37+
120,
38+
150,
39+
180,
40+
365,
41+
400,
42+
545,
43+
731,
44+
1096,
45+
1827,
46+
2192,
47+
2557,
48+
2922,
49+
3288,
50+
3653,
51+
]
52+
LogLevel:
53+
Type: String
54+
Description: The log level to set in the lambda
55+
Default: "INFO"
56+
Env:
57+
Type: String
58+
Description: The environment the lambda is deployed to
59+
Default: "dev"
60+
LambdaInsightsLogGroupName:
61+
Type: String
62+
Description: The log level to set in the lambda
63+
64+
ConcurrencyThreshold:
65+
Type: Number
66+
Description: Threshold for the Lambda concurrency before triggering an alert.
67+
Default: 300
68+
69+
EnableAlerts:
70+
Type: String
71+
AllowedValues: [ 'true', 'false' ]
72+
Default: 'true'
73+
Description: Whether to enable or disable alarms and notifications.
74+
75+
Resources:
76+
##################################################
77+
#region Lambda Insights
78+
##################################################
79+
LambdaInsightsCloudwatchLogGroup:
80+
Type: AWS::Logs::LogGroup
81+
Metadata:
82+
guard:
83+
SuppressedRules:
84+
- CW_LOGGROUP_RETENTION_PERIOD_CHECK
85+
Properties:
86+
LogGroupName: !Ref LambdaInsightsLogGroupName
87+
RetentionInDays: !Ref LogRetentionDays
88+
KmsKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn
89+
90+
LambdaInsightsLogGroupPolicy:
91+
Type: AWS::IAM::ManagedPolicy
92+
Properties:
93+
PolicyDocument:
94+
Version: 2012-10-17
95+
Statement:
96+
- Effect: Allow
97+
Action:
98+
- logs:CreateLogStream
99+
- logs:PutLogEvents
100+
Resource: !GetAtt LambdaInsightsCloudwatchLogGroup.Arn
101+
- Effect: Allow
102+
Action:
103+
- kms:DescribeKey
104+
- kms:GenerateDataKey*
105+
- kms:Encrypt
106+
- kms:ReEncrypt*
107+
Resource: !ImportValue account-resources:CloudwatchLogsKmsKeyArn
108+
#endregion
109+
110+
##################################################
111+
#region Splunk Subscription Filter
112+
##################################################
113+
SplunkSubscriptionFilterRole:
114+
Type: AWS::IAM::Role
115+
Properties:
116+
AssumeRolePolicyDocument:
117+
Version: 2012-10-17
118+
Statement:
119+
- Effect: Allow
120+
Principal:
121+
Service: logs.amazonaws.com
122+
Action:
123+
- sts:AssumeRole
124+
125+
SplunkSubscriptionFilterDeliveryStreamManagedPolicy:
126+
Type: AWS::IAM::ManagedPolicy
127+
Properties:
128+
Roles:
129+
- !Ref SplunkSubscriptionFilterRole
130+
PolicyDocument:
131+
Version: 2012-10-17
132+
Statement:
133+
- Effect: Allow
134+
Action:
135+
- firehose:PutRecord
136+
Resource:
137+
- !GetAtt SplunkDeliveryStream.Arn
138+
139+
SplunkSubscriptionFilterKMSManagedPolicy:
140+
Type: AWS::IAM::ManagedPolicy
141+
Properties:
142+
Roles:
143+
- !Ref SplunkSubscriptionFilterRole
144+
PolicyDocument:
145+
Version: 2012-10-17
146+
Statement:
147+
- Effect: Allow
148+
Action:
149+
- kms:GenerateDataKey
150+
Resource:
151+
- !ImportValue account-resources:CloudwatchLogsKmsKeyArn
152+
#endregion
153+
154+
##################################################
155+
#region Splunk Delivery Stream
156+
##################################################
157+
SplunkDeliveryStream:
158+
# Depends on policy as delivery streams require a role with correct policies to be build, and a role reference doesn't provide a dependency as Stream -> Role <- Policy, so Stream -!> Policy
159+
DependsOn:
160+
- SplunkDeliveryStreamProcessorInvokeManagedPolicy
161+
Type: AWS::KinesisFirehose::DeliveryStream
162+
Properties:
163+
DeliveryStreamType: DirectPut
164+
SplunkDestinationConfiguration:
165+
HECEndpoint: !Ref SplunkHECEndpoint
166+
HECEndpointType: "Event"
167+
HECToken: "{{resolve:secretsmanager:account-resources-SplunkHECToken:SecretString}}"
168+
ProcessingConfiguration:
169+
Enabled: true
170+
Processors:
171+
- Type: Lambda
172+
Parameters:
173+
- ParameterName: LambdaArn
174+
ParameterValue: !GetAtt SplunkDeliveryStreamProcessor.Arn
175+
- ParameterName: RoleArn
176+
ParameterValue: !GetAtt SplunkDeliveryStreamProcessorInvokeRole.Arn
177+
S3Configuration:
178+
BucketARN: !ImportValue account-resources:SplunkDeliveryStreamBackupBucket
179+
RoleARN: !ImportValue account-resources:SplunkDeliveryStreamBackupBucketRoleArn
180+
Prefix: !Ref "AWS::StackName"
181+
EncryptionConfiguration:
182+
KMSEncryptionConfig:
183+
AWSKMSKeyARN: !ImportValue account-resources:SplunkDeliveryStreamBackupKMSKey
184+
CloudWatchLoggingOptions:
185+
Enabled: true
186+
LogGroupName: !Ref SplunkDeliveryStreamLogGroup
187+
LogStreamName: !Ref SplunkDeliveryStreamLogStream
188+
189+
SplunkDeliveryStreamLogGroup:
190+
Type: AWS::Logs::LogGroup
191+
Metadata:
192+
guard:
193+
SuppressedRules:
194+
- CW_LOGGROUP_RETENTION_PERIOD_CHECK
195+
Properties:
196+
LogGroupName: !Sub "/aws/kinesisfirehose/${AWS::StackName}-SplunkDeliveryStream"
197+
RetentionInDays: !Ref LogRetentionDays
198+
KmsKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn
199+
200+
SplunkDeliveryStreamLogStream:
201+
Type: AWS::Logs::LogStream
202+
Properties:
203+
LogGroupName: !Ref SplunkDeliveryStreamLogGroup
204+
205+
SplunkDeliveryStreamLoggingManagedPolicy:
206+
Type: AWS::IAM::ManagedPolicy
207+
Properties:
208+
Roles:
209+
- !ImportValue account-resources:SplunkDeliveryStreamBackupBucketRole
210+
PolicyDocument:
211+
Version: 2012-10-17
212+
Statement:
213+
- Effect: Allow
214+
Action:
215+
- logs:CreateLogStream
216+
- logs:PutLogEvents
217+
Resource:
218+
- !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${SplunkDeliveryStreamLogGroup}"
219+
- !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${SplunkDeliveryStreamLogGroup}:log-stream:*"
220+
- Effect: Allow
221+
Action:
222+
- kms:DescribeKey
223+
- kms:GenerateDataKey*
224+
- kms:Encrypt
225+
- kms:ReEncrypt*
226+
Resource:
227+
- !ImportValue account-resources:CloudwatchLogsKmsKeyArn
228+
#endregion
229+
230+
##################################################
231+
#region Splunk Delivery Stream Processor
232+
##################################################
233+
SplunkDeliveryStreamProcessor:
234+
Type: AWS::Serverless::Function
235+
Properties:
236+
CodeUri: ../packages/
237+
Handler: splunkProcessor.handler
238+
Role: !GetAtt SplunkDeliveryStreamProcessorRole.Arn
239+
MemorySize: 512
240+
Environment:
241+
Variables:
242+
LOG_LEVEL: !Ref LogLevel
243+
Metadata: # Manage esbuild properties
244+
BuildMethod: esbuild
245+
guard:
246+
SuppressedRules:
247+
- LAMBDA_DLQ_CHECK
248+
- LAMBDA_INSIDE_VPC
249+
- LAMBDA_CONCURRENCY_CHECK
250+
BuildProperties:
251+
Minify: true
252+
Target: "es2020"
253+
Sourcemap: true
254+
packages: bundle
255+
EntryPoints:
256+
- splunkProcessor/src/splunkProcessor.js
257+
258+
SplunkDeliveryStreamProcessorRole:
259+
Type: AWS::IAM::Role
260+
Properties:
261+
AssumeRolePolicyDocument:
262+
Version: 2012-10-17
263+
Statement:
264+
- Effect: Allow
265+
Principal:
266+
Service: lambda.amazonaws.com
267+
Action:
268+
- sts:AssumeRole
269+
270+
SplunkDeliveryStreamProcessorLambdaManagedPolicy:
271+
Type: AWS::IAM::ManagedPolicy
272+
Properties:
273+
Roles:
274+
- !Ref SplunkDeliveryStreamProcessorRole
275+
PolicyDocument:
276+
Version: 2012-10-17
277+
Statement:
278+
- Effect: Allow
279+
Action:
280+
- logs:CreateLogStream
281+
- logs:PutLogEvents
282+
Resource:
283+
- !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${SplunkDeliveryStreamProcessorLogGroup}"
284+
- !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${SplunkDeliveryStreamProcessorLogGroup}:log-stream:*"
285+
286+
SplunkDeliveryStreamProcessorKMSManagedPolicy:
287+
Type: AWS::IAM::ManagedPolicy
288+
Properties:
289+
Roles:
290+
- !Ref SplunkDeliveryStreamProcessorRole
291+
PolicyDocument:
292+
Version: 2012-10-17
293+
Statement:
294+
- Effect: Allow
295+
Action:
296+
- kms:DescribeKey
297+
- kms:GenerateDataKey*
298+
- kms:Encrypt
299+
- kms:ReEncrypt*
300+
Resource:
301+
- !ImportValue account-resources:CloudwatchLogsKmsKeyArn
302+
303+
SplunkDeliveryStreamProcessorDeliveryStreamManagedPolicy:
304+
Type: AWS::IAM::ManagedPolicy
305+
Properties:
306+
Roles:
307+
- !Ref SplunkDeliveryStreamProcessorRole
308+
PolicyDocument:
309+
Version: 2012-10-17
310+
Statement:
311+
- Effect: Allow
312+
Action:
313+
- firehose:PutRecordBatch
314+
Resource:
315+
- !GetAtt SplunkDeliveryStream.Arn
316+
317+
SplunkDeliveryStreamProcessorLogGroup:
318+
Type: AWS::Logs::LogGroup
319+
Metadata:
320+
guard:
321+
SuppressedRules:
322+
- CW_LOGGROUP_RETENTION_PERIOD_CHECK
323+
Properties:
324+
LogGroupName: !Sub "/aws/lambda/${SplunkDeliveryStreamProcessor}"
325+
RetentionInDays: !Ref LogRetentionDays
326+
KmsKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn
327+
#endregion
328+
329+
##################################################
330+
#region Splunk Delivery Stream Processor Invoke
331+
##################################################
332+
SplunkDeliveryStreamProcessorInvokeRole:
333+
Type: AWS::IAM::Role
334+
Properties:
335+
AssumeRolePolicyDocument:
336+
Version: 2012-10-17
337+
Statement:
338+
- Effect: Allow
339+
Principal:
340+
Service: firehose.amazonaws.com
341+
Action:
342+
- sts:AssumeRole
343+
344+
SplunkDeliveryStreamProcessorInvokeManagedPolicy:
345+
Type: AWS::IAM::ManagedPolicy
346+
Properties:
347+
Roles:
348+
- !Ref SplunkDeliveryStreamProcessorInvokeRole
349+
PolicyDocument:
350+
Version: 2012-10-17
351+
Statement:
352+
- Effect: Allow
353+
Action:
354+
- lambda:InvokeFunction
355+
Resource:
356+
- !GetAtt SplunkDeliveryStreamProcessor.Arn
357+
#endregion
358+
359+
#region outputs
360+
Outputs:
361+
#################################################
362+
# Lambda Insights Outputs
363+
#################################################
364+
LambdaInsightsLogGroupPolicy:
365+
Description: "Lambda Insights Policy ARN"
366+
Value: !GetAtt LambdaInsightsLogGroupPolicy.PolicyArn
367+
Export:
368+
Name: !Join [":", [!Ref "AWS::StackName", "LambdaInsightsLogGroupPolicy"]]
369+
370+
##################################################
371+
# Splunk Subscription Filter Outputs
372+
##################################################
373+
SplunkSubscriptionFilterRole:
374+
Description: "SplunkSubscriptionFilterRole ARN"
375+
Value: !GetAtt SplunkSubscriptionFilterRole.Arn
376+
Export:
377+
Name: !Join [":", [!Ref "AWS::StackName", "SplunkSubscriptionFilterRole"]]
378+
379+
##################################################
380+
# Splunk Delivery Stream Outputs
381+
##################################################
382+
SplunkDeliveryStream:
383+
Description: "SplunkDeliveryStream ARN"
384+
Value: !GetAtt SplunkDeliveryStream.Arn
385+
Export:
386+
Name: !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStream"]]
387+
388+
#endregion
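Review bot: The trust policies of SplunkSubscriptionFilterRole and SplunkDeliveryStreamProcessorInvokeRole let `logs.amazonaws.com` and `firehose.amazonaws.com` assume the roles with no Condition, so a subscription filter or delivery stream in another account could in principle be pointed at them (confused deputy). Scoping each statement to this account closes that, following the form AWS documents for these two principals: on the logs role add `Condition: { StringLike: { "aws:SourceArn": !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*" } }`, and on the firehose role add `Condition: { StringEquals: { "sts:ExternalId": !Ref "AWS::AccountId" } }`. Separately, the Description of the LambdaInsightsLogGroupName parameter reads "The log level to set in the lambda", copied from LogLevel; it should say something like `Description: Name of the CloudWatch log group used for Lambda Insights`. ConcurrencyThreshold and EnableAlerts are declared but not referenced by any resource in this file, which a linter would likely report as unused unless later resources in this stack consume them.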
