{
"Description": "(SO8025) - Centralized Logging with OpenSearch Solution. Template version v2.4.10",
"Metadata": {
"AWS::CloudFormation::Interface": {
"ParameterGroups": [
{
"Label": {
"default": "Authentication"
},
"Parameters": [
"adminEmail"
]
}
],
"ParameterLabels": {
"adminEmail": {
"default": "Admin User Email"
}
}
},
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "some policies need to get dynamic resources",
"id": "AwsSolutions-IAM5"
},
{
"reason": "these policies is used by CDK Customer Resource lambda",
"id": "AwsSolutions-IAM4"
},
{
"reason": "we do not need xray",
"id": "AwsSolutions-SF2"
},
{
"reason": "these buckets do not need access log",
"id": "AwsSolutions-S1"
},
{
"reason": "these buckets do not need SSL",
"id": "AwsSolutions-S10"
},
{
"reason": "not applicable to use the latest lambda runtime version",
"id": "AwsSolutions-L1"
}
]
}
},
"Parameters": {
"adminEmail": {
"Type": "String",
"AllowedPattern": "\\w[-\\w.+]*@([A-Za-z0-9][-A-Za-z0-9]+\\.)+[A-Za-z]{2,14}",
"Description": "The email address of Admin user"
}
},
"Mappings": {
"AnonymousData": {
"SendAnonymizedUsageData": {
"Data": "Yes"
}
},
"ELBRootAccountArnTable": {
"us-east-1": {
"elbRootAccountArn": "arn:aws:iam::127311923021:root"
},
"us-east-2": {
"elbRootAccountArn": "arn:aws:iam::033677994240:root"
},
"us-west-1": {
"elbRootAccountArn": "arn:aws:iam::027434742980:root"
},
"us-west-2": {
"elbRootAccountArn": "arn:aws:iam::797873946194:root"
},
"af-south-1": {
"elbRootAccountArn": "arn:aws:iam::098369216593:root"
},
"ca-central-1": {
"elbRootAccountArn": "arn:aws:iam::985666609251:root"
},
"eu-central-1": {
"elbRootAccountArn": "arn:aws:iam::054676820928:root"
},
"eu-west-1": {
"elbRootAccountArn": "arn:aws:iam::156460612806:root"
},
"eu-west-2": {
"elbRootAccountArn": "arn:aws:iam::652711504416:root"
},
"eu-south-1": {
"elbRootAccountArn": "arn:aws:iam::635631232127:root"
},
"eu-west-3": {
"elbRootAccountArn": "arn:aws:iam::009996457667:root"
},
"eu-north-1": {
"elbRootAccountArn": "arn:aws:iam::897822967062:root"
},
"ap-east-1": {
"elbRootAccountArn": "arn:aws:iam::754344448648:root"
},
"ap-northeast-1": {
"elbRootAccountArn": "arn:aws:iam::582318560864:root"
},
"ap-northeast-2": {
"elbRootAccountArn": "arn:aws:iam::600734575887:root"
},
"ap-northeast-3": {
"elbRootAccountArn": "arn:aws:iam::383597477331:root"
},
"ap-southeast-1": {
"elbRootAccountArn": "arn:aws:iam::114774131450:root"
},
"ap-southeast-2": {
"elbRootAccountArn": "arn:aws:iam::783225319266:root"
},
"ap-southeast-3": {
"elbRootAccountArn": "arn:aws:iam::589379963580:root"
},
"ap-south-1": {
"elbRootAccountArn": "arn:aws:iam::718504428378:root"
},
"me-south-1": {
"elbRootAccountArn": "arn:aws:iam::076674570225:root"
},
"sa-east-1": {
"elbRootAccountArn": "arn:aws:iam::507241528517:root"
},
"cn-north-1": {
"elbRootAccountArn": "arn:aws-cn:iam::638102146993:root"
},
"cn-northwest-1": {
"elbRootAccountArn": "arn:aws-cn:iam::037604701340:root"
},
"me-central-1": {
"elbRootAccountArn": "arn:aws:iam::127311923021:root"
},
"ap-south-2": {
"elbRootAccountArn": "arn:aws:iam::127311923021:root"
},
"ap-southeast-4": {
"elbRootAccountArn": "arn:aws:iam::127311923021:root"
},
"il-central-1": {
"elbRootAccountArn": "arn:aws:iam::127311923021:root"
},
"ca-west-1": {
"elbRootAccountArn": "arn:aws:iam::127311923021:root"
},
"eu-south-2": {
"elbRootAccountArn": "arn:aws:iam::127311923021:root"
},
"eu-central-2": {
"elbRootAccountArn": "arn:aws:iam::127311923021:root"
}
}
},
"Conditions": {
"SolutionMetricsAnonymousDatatoAWS47FAA931": {
"Fn::Equals": [
{
"Fn::FindInMap": [
"AnonymousData",
"SendAnonymizedUsageData",
"Data"
]
},
"Yes"
]
},
"AnonymousDatatoAWS": {
"Fn::Equals": [
{
"Fn::FindInMap": [
"AnonymousData",
"SendAnonymizedUsageData",
"Data"
]
},
"Yes"
]
},
"IsChinaPartition": {
"Fn::Equals": [
{
"Ref": "AWS::Partition"
},
"aws-cn"
]
},
"IsNewRegion": {
"Fn::Or": [
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"me-central-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-south-2"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-southeast-4"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"il-central-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ca-west-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-south-2"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-central-2"
]
}
]
},
"MicroBatchStackLambdaLambdaSendTemplateEmailStackSESStateCondition12506B59": {
"Fn::Equals": [
"DISABLED",
"ENABLED"
]
},
"MicroBatchStackDynamoDBDataisCNRegion6A8E9914": {
"Fn::Equals": [
{
"Ref": "AWS::Partition"
},
"aws-cn"
]
},
"APIAppSyncStackisCN81A882C6": {
"Fn::Equals": [
{
"Ref": "AWS::Partition"
},
"aws-cn"
]
},
"APISvcPipelineAPIisCNRegion77A09296": {
"Fn::Equals": [
{
"Ref": "AWS::Partition"
},
"aws-cn"
]
},
"APIInstanceAPIisCN2C8F469A": {
"Fn::Equals": [
{
"Ref": "AWS::Partition"
},
"aws-cn"
]
},
"APIClusterAPIEnableMetricsCondition3CA83FD4": {
"Fn::Equals": [
{
"Fn::FindInMap": [
"AnonymousData",
"SendAnonymizedUsageData",
"Data"
]
},
"Yes"
]
},
"APIAppPipelineAPIisCNRegion449D591B": {
"Fn::Equals": [
{
"Ref": "AWS::Partition"
},
"aws-cn"
]
},
"APIAppLogIngestionAPIisCNRegion59A1FE54": {
"Fn::Equals": [
{
"Ref": "AWS::Partition"
},
"aws-cn"
]
},
"WebConsoleisOpsInRegion82F77355": {
"Fn::Or": [
{
"Fn::Or": [
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-east-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"af-south-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-south-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"me-south-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"me-central-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-south-2"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-southeast-3"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-southeast-4"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"il-central-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ca-west-1"
]
}
]
},
{
"Fn::Or": [
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-south-2"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-central-2"
]
}
]
}
]
},
"WebConsoleHasAcmCertificateArnFDCAE174": {
"Fn::Not": [
{
"Fn::Equals": [
"",
""
]
}
]
},
"WebConsoleHasIamCertificateArn534A17BC": {
"Fn::Not": [
{
"Fn::Equals": [
"",
""
]
}
]
},
"WebConsoleisNoCert9DAA5A6B": {
"Fn::And": [
{
"Fn::Not": [
{
"Condition": "WebConsoleHasAcmCertificateArnFDCAE174"
}
]
},
{
"Fn::Not": [
{
"Condition": "WebConsoleHasIamCertificateArn534A17BC"
}
]
}
]
},
"CRisCNEA125945": {
"Fn::Equals": [
{
"Ref": "AWS::Partition"
},
"aws-cn"
]
},
"AWSCNCondition": {
"Fn::Equals": [
"aws-cn",
{
"Ref": "AWS::Partition"
}
]
},
"CDKMetadataAvailable": {
"Fn::Or": [
{
"Fn::Or": [
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"af-south-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-east-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-northeast-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-northeast-2"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-northeast-3"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-south-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-south-2"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-southeast-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-southeast-2"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-southeast-3"
]
}
]
},
{
"Fn::Or": [
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-southeast-4"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ca-central-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ca-west-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"cn-north-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"cn-northwest-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-central-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-central-2"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-north-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-south-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-south-2"
]
}
]
},
{
"Fn::Or": [
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-west-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-west-2"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-west-3"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"il-central-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"me-central-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"me-south-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"sa-east-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"us-east-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"us-east-2"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"us-west-1"
]
}
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"us-west-2"
]
}
]
}
},
"Resources": {
"SolutionMetricsSolutionMetricsRole977DE4A0": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": "cloudwatch:PutMetricData",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":logs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":log-group:/aws/lambda/*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "LambdaPolicy"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/SolutionMetrics/SolutionMetricsRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"SolutionMetricsMetricsHelperACF977A6": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/242fd3cf39a8178897875e2c8e4b6b61ffd5d7afc28c1bd66a07db8fe9d58ab1.zip"
},
"Description": "This function generates UUID for each deployment and sends anonymous data to the AWS Solutions team",
"Environment": {
"Variables": {
"SOLUTION_ID": "SO8025",
"SOLUTION_VERSION": "v2.4.10",
"SEND_ANONYMIZED_USAGE_DATA": {
"Fn::FindInMap": [
"AnonymousData",
"SendAnonymizedUsageData",
"Data"
]
}
}
},
"Handler": "lambda_function.handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
}
],
"Role": {
"Fn::GetAtt": [
"SolutionMetricsSolutionMetricsRole977DE4A0",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 120
},
"DependsOn": [
"SolutionMetricsSolutionMetricsRole977DE4A0"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/SolutionMetrics/MetricsHelper/Resource",
"aws:asset:path": "asset.242fd3cf39a8178897875e2c8e4b6b61ffd5d7afc28c1bd66a07db8fe9d58ab1",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"SolutionMetricsCreateUniqueIDA4248A30": {
"Type": "Custom::CreateUUID",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"SolutionMetricsMetricsHelperACF977A6",
"Arn"
]
},
"Resource": "UUID"
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/SolutionMetrics/CreateUniqueID/Default"
},
"Condition": "SolutionMetricsAnonymousDatatoAWS47FAA931"
},
"SolutionMetricsSendAnonymousData5D6CBDBB": {
"Type": "Custom::AnonymousMetrics",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"SolutionMetricsMetricsHelperACF977A6",
"Arn"
]
},
"Resource": "AnonymousMetrics",
"Version": "v2.4.10",
"Region": {
"Ref": "AWS::Region"
},
"Template": "CentralizedLogging",
"DeploymentUuid": {
"Fn::GetAtt": [
"SolutionMetricsCreateUniqueIDA4248A30",
"UUID"
]
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/SolutionMetrics/SendAnonymousData/Default"
},
"Condition": "SolutionMetricsAnonymousDatatoAWS47FAA931"
},
"SharedPythonLayer40DE0AAD": {
"Type": "AWS::Lambda::LayerVersion",
"Properties": {
"CompatibleArchitectures": [
"x86_64"
],
"CompatibleRuntimes": [
"python3.11"
],
"Content": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/7d496d348ec407fd35921460679af08665e998f3a6c2cfac7ae2df023920dac3.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Shared python layer"
]
]
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/SharedPythonLayer/Resource",
"aws:asset:path": "asset.7d496d348ec407fd35921460679af08665e998f3a6c2cfac7ae2df023920dac3",
"aws:asset:is-bundled": true,
"aws:asset:property": "Content"
}
},
"CLAuthUserPool7BDCEF8D": {
"Type": "AWS::Cognito::UserPool",
"Properties": {
"AccountRecoverySetting": {
"RecoveryMechanisms": [
{
"Name": "verified_phone_number",
"Priority": 1
},
{
"Name": "verified_email",
"Priority": 2
}
]
},
"AdminCreateUserConfig": {
"AllowAdminCreateUserOnly": true,
"InviteMessageTemplate": {
"EmailMessage": "Hello,
Welcome to Centralized Logging with OpenSearch
Your username is {username}
Your temporary password is {####}",
"EmailSubject": "Welcome to Centralized Logging with OpenSearch"
}
},
"AutoVerifiedAttributes": [
"email"
],
"EmailVerificationMessage": "The verification code to your new account is {####}",
"EmailVerificationSubject": "Verify your new account",
"Policies": {
"PasswordPolicy": {
"MinimumLength": 8,
"RequireLowercase": true,
"RequireNumbers": true,
"RequireSymbols": true,
"RequireUppercase": true
}
},
"SmsVerificationMessage": "The verification code to your new account is {####}",
"UserPoolAddOns": {
"AdvancedSecurityMode": "ENFORCED"
},
"UsernameAttributes": [
"email"
],
"UsernameConfiguration": {
"CaseSensitive": false
},
"VerificationMessageTemplate": {
"DefaultEmailOption": "CONFIRM_WITH_CODE",
"EmailMessage": "The verification code to your new account is {####}",
"EmailSubject": "Verify your new account",
"SmsMessage": "The verification code to your new account is {####}"
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLAuth/UserPool/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Cognito User Pool need this wildcard permission",
"id": "AwsSolutions-IAM5"
},
{
"reason": "these policy is used by CDK Customer Resource lambda",
"id": "AwsSolutions-IAM4"
},
{
"reason": "customer can enable MFA by their own, we do not need to enable it",
"id": "AwsSolutions-COG2"
}
]
}
}
},
"CLAuthAPIClientABDADF79": {
"Type": "AWS::Cognito::UserPoolClient",
"Properties": {
"AccessTokenValidity": 15,
"AllowedOAuthFlows": [
"implicit",
"code"
],
"AllowedOAuthFlowsUserPoolClient": true,
"AllowedOAuthScopes": [
"profile",
"phone",
"email",
"openid",
"aws.cognito.signin.user.admin"
],
"CallbackURLs": [
"https://example.com"
],
"IdTokenValidity": 15,
"PreventUserExistenceErrors": "ENABLED",
"RefreshTokenValidity": 1440,
"SupportedIdentityProviders": [
"COGNITO"
],
"TokenValidityUnits": {
"AccessToken": "minutes",
"IdToken": "minutes",
"RefreshToken": "minutes"
},
"UserPoolId": {
"Ref": "CLAuthUserPool7BDCEF8D"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLAuth/APIClient/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Cognito User Pool need this wildcard permission",
"id": "AwsSolutions-IAM5"
},
{
"reason": "these policy is used by CDK Customer Resource lambda",
"id": "AwsSolutions-IAM4"
},
{
"reason": "customer can enable MFA by their own, we do not need to enable it",
"id": "AwsSolutions-COG2"
}
]
}
}
},
"CLAuthAdminUserF163D959": {
"Type": "AWS::Cognito::UserPoolUser",
"Properties": {
"UserAttributes": [
{
"Name": "email",
"Value": {
"Ref": "adminEmail"
}
}
],
"UserPoolId": {
"Ref": "CLAuthUserPool7BDCEF8D"
},
"Username": {
"Ref": "adminEmail"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLAuth/AdminUser",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Cognito User Pool need this wildcard permission",
"id": "AwsSolutions-IAM5"
},
{
"reason": "these policy is used by CDK Customer Resource lambda",
"id": "AwsSolutions-IAM4"
},
{
"reason": "customer can enable MFA by their own, we do not need to enable it",
"id": "AwsSolutions-COG2"
}
]
}
}
},
"CLAuthUserPoolDomainED267B23": {
"Type": "AWS::Cognito::UserPoolDomain",
"Properties": {
"Domain": {
"Fn::Join": [
"",
[
"cl-portal-",
{
"Ref": "AWS::AccountId"
}
]
]
},
"UserPoolId": {
"Ref": "CLAuthUserPool7BDCEF8D"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLAuth/UserPoolDomain/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Cognito User Pool need this wildcard permission",
"id": "AwsSolutions-IAM5"
},
{
"reason": "these policy is used by CDK Customer Resource lambda",
"id": "AwsSolutions-IAM4"
},
{
"reason": "customer can enable MFA by their own, we do not need to enable it",
"id": "AwsSolutions-COG2"
}
]
}
}
},
"CLAuthUserPoolDomainCloudFrontDomainName0F4911F1": {
"Type": "Custom::UserPoolCloudFrontDomainName",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"AWS679f53fac002430cb0da5b7982bd22872D164C4C",
"Arn"
]
},
"Create": {
"Fn::Join": [
"",
[
"{\"service\":\"CognitoIdentityServiceProvider\",\"action\":\"describeUserPoolDomain\",\"parameters\":{\"Domain\":\"",
{
"Ref": "CLAuthUserPoolDomainED267B23"
},
"\"},\"physicalResourceId\":{\"id\":\"",
{
"Ref": "CLAuthUserPoolDomainED267B23"
},
"\"}}"
]
]
},
"Update": {
"Fn::Join": [
"",
[
"{\"service\":\"CognitoIdentityServiceProvider\",\"action\":\"describeUserPoolDomain\",\"parameters\":{\"Domain\":\"",
{
"Ref": "CLAuthUserPoolDomainED267B23"
},
"\"},\"physicalResourceId\":{\"id\":\"",
{
"Ref": "CLAuthUserPoolDomainED267B23"
},
"\"}}"
]
]
},
"InstallLatestAwsSdk": false
},
"DependsOn": [
"CLAuthUserPoolDomainCloudFrontDomainNameCustomResourcePolicyFD29C3C4"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLAuth/UserPoolDomain/CloudFrontDomainName/Resource/Default",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Cognito User Pool need this wildcard permission",
"id": "AwsSolutions-IAM5"
},
{
"reason": "these policy is used by CDK Customer Resource lambda",
"id": "AwsSolutions-IAM4"
},
{
"reason": "customer can enable MFA by their own, we do not need to enable it",
"id": "AwsSolutions-COG2"
}
]
}
}
},
"CLAuthUserPoolDomainCloudFrontDomainNameCustomResourcePolicyFD29C3C4": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "cognito-idp:DescribeUserPoolDomain",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "CLAuthUserPoolDomainCloudFrontDomainNameCustomResourcePolicyFD29C3C4",
"Roles": [
{
"Ref": "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLAuth/UserPoolDomain/CloudFrontDomainName/CustomResourcePolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Cognito User Pool need this wildcard permission",
"id": "AwsSolutions-IAM5"
},
{
"reason": "these policy is used by CDK Customer Resource lambda",
"id": "AwsSolutions-IAM4"
},
{
"reason": "customer can enable MFA by their own, we do not need to enable it",
"id": "AwsSolutions-COG2"
}
]
}
}
},
"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/AWS679f53fac002430cb0da5b7982bd2287/ServiceRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"AWS679f53fac002430cb0da5b7982bd22872D164C4C": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/56f7467bbde8a5efebcf57ae9e460027607099bab9f844669dcf5d800172ee5a.zip"
},
"Handler": "index.handler",
"Role": {
"Fn::GetAtt": [
"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2",
"Arn"
]
},
"Runtime": "nodejs22.x",
"Timeout": 120
},
"DependsOn": [
"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/AWS679f53fac002430cb0da5b7982bd2287/Resource",
"aws:asset:path": "asset.56f7467bbde8a5efebcf57ae9e460027607099bab9f844669dcf5d800172ee5a",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"CLVpcVPCLogGroup3520D319": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"RetentionInDays": 14
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/VPCLogGroup/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W84",
"reason": "log group is encrypted with the default master key"
}
]
},
"guard": {
"SuppressedRules": [
"CLOUDWATCH_LOG_GROUP_ENCRYPTED"
]
}
}
},
"CLVpcDefaultVPC866079B7": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.255.0.0/16",
"EnableDnsHostnames": true,
"EnableDnsSupport": true,
"InstanceTenancy": "default",
"Tags": [
{
"Key": "Name",
"Value": "CentralizedLogging/CLVpc/DefaultVPC"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/Resource"
}
},
"CLVpcDefaultVPCpublicSubnet1Subnet48A8A6B1": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": {
"Fn::Select": [
0,
{
"Fn::GetAZs": ""
}
]
},
"CidrBlock": "10.255.0.0/24",
"MapPublicIpOnLaunch": true,
"Tags": [
{
"Key": "aws-cdk:subnet-name",
"Value": "public"
},
{
"Key": "aws-cdk:subnet-type",
"Value": "Public"
},
{
"Key": "Name",
"Value": "CentralizedLogging/CLVpc/DefaultVPC/publicSubnet1"
}
],
"VpcId": {
"Ref": "CLVpcDefaultVPC866079B7"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/publicSubnet1/Subnet",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W33",
"reason": "Default for public subnets"
}
]
}
}
},
"CLVpcDefaultVPCpublicSubnet1RouteTable8E361619": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"Tags": [
{
"Key": "Name",
"Value": "CentralizedLogging/CLVpc/DefaultVPC/publicSubnet1"
}
],
"VpcId": {
"Ref": "CLVpcDefaultVPC866079B7"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/publicSubnet1/RouteTable"
}
},
"CLVpcDefaultVPCpublicSubnet1RouteTableAssociationBE55FD09": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "CLVpcDefaultVPCpublicSubnet1RouteTable8E361619"
},
"SubnetId": {
"Ref": "CLVpcDefaultVPCpublicSubnet1Subnet48A8A6B1"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/publicSubnet1/RouteTableAssociation"
}
},
"CLVpcDefaultVPCpublicSubnet1DefaultRoute1674FA02": {
"Type": "AWS::EC2::Route",
"Properties": {
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {
"Ref": "CLVpcDefaultVPCIGW4A4129FF"
},
"RouteTableId": {
"Ref": "CLVpcDefaultVPCpublicSubnet1RouteTable8E361619"
}
},
"DependsOn": [
"CLVpcDefaultVPCVPCGWB7F556EA"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/publicSubnet1/DefaultRoute"
}
},
"CLVpcDefaultVPCpublicSubnet1EIP45F1D707": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc",
"Tags": [
{
"Key": "Name",
"Value": "CentralizedLogging/CLVpc/DefaultVPC/publicSubnet1"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/publicSubnet1/EIP"
}
},
"CLVpcDefaultVPCpublicSubnet1NATGateway228CC859": {
"Type": "AWS::EC2::NatGateway",
"Properties": {
"AllocationId": {
"Fn::GetAtt": [
"CLVpcDefaultVPCpublicSubnet1EIP45F1D707",
"AllocationId"
]
},
"SubnetId": {
"Ref": "CLVpcDefaultVPCpublicSubnet1Subnet48A8A6B1"
},
"Tags": [
{
"Key": "Name",
"Value": "CentralizedLogging/CLVpc/DefaultVPC/publicSubnet1"
}
]
},
"DependsOn": [
"CLVpcDefaultVPCpublicSubnet1DefaultRoute1674FA02",
"CLVpcDefaultVPCpublicSubnet1RouteTableAssociationBE55FD09"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/publicSubnet1/NATGateway"
}
},
"CLVpcDefaultVPCpublicSubnet2Subnet66EEC41E": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": {
"Fn::Select": [
1,
{
"Fn::GetAZs": ""
}
]
},
"CidrBlock": "10.255.1.0/24",
"MapPublicIpOnLaunch": true,
"Tags": [
{
"Key": "aws-cdk:subnet-name",
"Value": "public"
},
{
"Key": "aws-cdk:subnet-type",
"Value": "Public"
},
{
"Key": "Name",
"Value": "CentralizedLogging/CLVpc/DefaultVPC/publicSubnet2"
}
],
"VpcId": {
"Ref": "CLVpcDefaultVPC866079B7"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/publicSubnet2/Subnet",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W33",
"reason": "Default for public subnets"
}
]
}
}
},
"CLVpcDefaultVPCpublicSubnet2RouteTable2992B3F5": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"Tags": [
{
"Key": "Name",
"Value": "CentralizedLogging/CLVpc/DefaultVPC/publicSubnet2"
}
],
"VpcId": {
"Ref": "CLVpcDefaultVPC866079B7"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/publicSubnet2/RouteTable"
}
},
"CLVpcDefaultVPCpublicSubnet2RouteTableAssociation03F95117": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "CLVpcDefaultVPCpublicSubnet2RouteTable2992B3F5"
},
"SubnetId": {
"Ref": "CLVpcDefaultVPCpublicSubnet2Subnet66EEC41E"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/publicSubnet2/RouteTableAssociation"
}
},
"CLVpcDefaultVPCpublicSubnet2DefaultRoute347AC1E1": {
"Type": "AWS::EC2::Route",
"Properties": {
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {
"Ref": "CLVpcDefaultVPCIGW4A4129FF"
},
"RouteTableId": {
"Ref": "CLVpcDefaultVPCpublicSubnet2RouteTable2992B3F5"
}
},
"DependsOn": [
"CLVpcDefaultVPCVPCGWB7F556EA"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/publicSubnet2/DefaultRoute"
}
},
"CLVpcDefaultVPCprivateSubnet1SubnetADE399B7": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": {
"Fn::Select": [
0,
{
"Fn::GetAZs": ""
}
]
},
"CidrBlock": "10.255.2.0/24",
"MapPublicIpOnLaunch": false,
"Tags": [
{
"Key": "aws-cdk:subnet-name",
"Value": "private"
},
{
"Key": "aws-cdk:subnet-type",
"Value": "Private"
},
{
"Key": "Name",
"Value": "CentralizedLogging/CLVpc/DefaultVPC/privateSubnet1"
}
],
"VpcId": {
"Ref": "CLVpcDefaultVPC866079B7"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/privateSubnet1/Subnet"
}
},
"CLVpcDefaultVPCprivateSubnet1RouteTableCB0754A3": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"Tags": [
{
"Key": "Name",
"Value": "CentralizedLogging/CLVpc/DefaultVPC/privateSubnet1"
}
],
"VpcId": {
"Ref": "CLVpcDefaultVPC866079B7"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/privateSubnet1/RouteTable"
}
},
"CLVpcDefaultVPCprivateSubnet1RouteTableAssociation584876D0": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "CLVpcDefaultVPCprivateSubnet1RouteTableCB0754A3"
},
"SubnetId": {
"Ref": "CLVpcDefaultVPCprivateSubnet1SubnetADE399B7"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/privateSubnet1/RouteTableAssociation"
}
},
"CLVpcDefaultVPCprivateSubnet1DefaultRoute69028806": {
"Type": "AWS::EC2::Route",
"Properties": {
"DestinationCidrBlock": "0.0.0.0/0",
"NatGatewayId": {
"Ref": "CLVpcDefaultVPCpublicSubnet1NATGateway228CC859"
},
"RouteTableId": {
"Ref": "CLVpcDefaultVPCprivateSubnet1RouteTableCB0754A3"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/privateSubnet1/DefaultRoute"
}
},
"CLVpcDefaultVPCprivateSubnet2Subnet54BADF74": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": {
"Fn::Select": [
1,
{
"Fn::GetAZs": ""
}
]
},
"CidrBlock": "10.255.3.0/24",
"MapPublicIpOnLaunch": false,
"Tags": [
{
"Key": "aws-cdk:subnet-name",
"Value": "private"
},
{
"Key": "aws-cdk:subnet-type",
"Value": "Private"
},
{
"Key": "Name",
"Value": "CentralizedLogging/CLVpc/DefaultVPC/privateSubnet2"
}
],
"VpcId": {
"Ref": "CLVpcDefaultVPC866079B7"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/privateSubnet2/Subnet"
}
},
"CLVpcDefaultVPCprivateSubnet2RouteTableE0EC5767": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"Tags": [
{
"Key": "Name",
"Value": "CentralizedLogging/CLVpc/DefaultVPC/privateSubnet2"
}
],
"VpcId": {
"Ref": "CLVpcDefaultVPC866079B7"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/privateSubnet2/RouteTable"
}
},
"CLVpcDefaultVPCprivateSubnet2RouteTableAssociation25D246AC": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "CLVpcDefaultVPCprivateSubnet2RouteTableE0EC5767"
},
"SubnetId": {
"Ref": "CLVpcDefaultVPCprivateSubnet2Subnet54BADF74"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/privateSubnet2/RouteTableAssociation"
}
},
"CLVpcDefaultVPCprivateSubnet2DefaultRoute49D29374": {
"Type": "AWS::EC2::Route",
"Properties": {
"DestinationCidrBlock": "0.0.0.0/0",
"NatGatewayId": {
"Ref": "CLVpcDefaultVPCpublicSubnet1NATGateway228CC859"
},
"RouteTableId": {
"Ref": "CLVpcDefaultVPCprivateSubnet2RouteTableE0EC5767"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/privateSubnet2/DefaultRoute"
}
},
"CLVpcDefaultVPCisolatedSubnet1Subnet251FE10A": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": {
"Fn::Select": [
0,
{
"Fn::GetAZs": ""
}
]
},
"CidrBlock": "10.255.4.0/24",
"MapPublicIpOnLaunch": false,
"Tags": [
{
"Key": "aws-cdk:subnet-name",
"Value": "isolated"
},
{
"Key": "aws-cdk:subnet-type",
"Value": "Isolated"
},
{
"Key": "Name",
"Value": "CentralizedLogging/CLVpc/DefaultVPC/isolatedSubnet1"
}
],
"VpcId": {
"Ref": "CLVpcDefaultVPC866079B7"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/isolatedSubnet1/Subnet"
}
},
"CLVpcDefaultVPCisolatedSubnet1RouteTable92F0113C": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"Tags": [
{
"Key": "Name",
"Value": "CentralizedLogging/CLVpc/DefaultVPC/isolatedSubnet1"
}
],
"VpcId": {
"Ref": "CLVpcDefaultVPC866079B7"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/isolatedSubnet1/RouteTable"
}
},
"CLVpcDefaultVPCisolatedSubnet1RouteTableAssociationD804CE6A": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "CLVpcDefaultVPCisolatedSubnet1RouteTable92F0113C"
},
"SubnetId": {
"Ref": "CLVpcDefaultVPCisolatedSubnet1Subnet251FE10A"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/isolatedSubnet1/RouteTableAssociation"
}
},
"CLVpcDefaultVPCisolatedSubnet2Subnet9961324A": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": {
"Fn::Select": [
1,
{
"Fn::GetAZs": ""
}
]
},
"CidrBlock": "10.255.5.0/24",
"MapPublicIpOnLaunch": false,
"Tags": [
{
"Key": "aws-cdk:subnet-name",
"Value": "isolated"
},
{
"Key": "aws-cdk:subnet-type",
"Value": "Isolated"
},
{
"Key": "Name",
"Value": "CentralizedLogging/CLVpc/DefaultVPC/isolatedSubnet2"
}
],
"VpcId": {
"Ref": "CLVpcDefaultVPC866079B7"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/isolatedSubnet2/Subnet"
}
},
"CLVpcDefaultVPCisolatedSubnet2RouteTableF150842C": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"Tags": [
{
"Key": "Name",
"Value": "CentralizedLogging/CLVpc/DefaultVPC/isolatedSubnet2"
}
],
"VpcId": {
"Ref": "CLVpcDefaultVPC866079B7"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/isolatedSubnet2/RouteTable"
}
},
"CLVpcDefaultVPCisolatedSubnet2RouteTableAssociation68E013BB": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "CLVpcDefaultVPCisolatedSubnet2RouteTableF150842C"
},
"SubnetId": {
"Ref": "CLVpcDefaultVPCisolatedSubnet2Subnet9961324A"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/isolatedSubnet2/RouteTableAssociation"
}
},
"CLVpcDefaultVPCIGW4A4129FF": {
"Type": "AWS::EC2::InternetGateway",
"Properties": {
"Tags": [
{
"Key": "Name",
"Value": "CentralizedLogging/CLVpc/DefaultVPC"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/IGW"
}
},
"CLVpcDefaultVPCVPCGWB7F556EA": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"InternetGatewayId": {
"Ref": "CLVpcDefaultVPCIGW4A4129FF"
},
"VpcId": {
"Ref": "CLVpcDefaultVPC866079B7"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/VPCGW"
}
},
"CLVpcDefaultVPCDefaultVPCFlowLogIAMRole72E975FA": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "vpc-flow-logs.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "Name",
"Value": "CentralizedLogging/CLVpc/DefaultVPC/DefaultVPCFlowLog"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/DefaultVPCFlowLog/IAMRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"CLVpcDefaultVPCDefaultVPCFlowLogIAMRoleDefaultPolicy82B04363": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"CLVpcVPCLogGroup3520D319",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "CLVpcDefaultVPCDefaultVPCFlowLogIAMRoleDefaultPolicy82B04363",
"Roles": [
{
"Ref": "CLVpcDefaultVPCDefaultVPCFlowLogIAMRole72E975FA"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/DefaultVPCFlowLog/IAMRole/DefaultPolicy/Resource"
}
},
"CLVpcDefaultVPCDefaultVPCFlowLog56DB361E": {
"Type": "AWS::EC2::FlowLog",
"Properties": {
"DeliverLogsPermissionArn": {
"Fn::GetAtt": [
"CLVpcDefaultVPCDefaultVPCFlowLogIAMRole72E975FA",
"Arn"
]
},
"LogDestinationType": "cloud-watch-logs",
"LogGroupName": {
"Ref": "CLVpcVPCLogGroup3520D319"
},
"ResourceId": {
"Ref": "CLVpcDefaultVPC866079B7"
},
"ResourceType": "VPC",
"Tags": [
{
"Key": "Name",
"Value": "CentralizedLogging/CLVpc/DefaultVPC/DefaultVPCFlowLog"
}
],
"TrafficType": "REJECT"
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/DefaultVPCFlowLog/FlowLog"
}
},
"CLVpcDefaultVPCS3Endpoint08553F80": {
"Type": "AWS::EC2::VPCEndpoint",
"Properties": {
"RouteTableIds": [
{
"Ref": "CLVpcDefaultVPCprivateSubnet1RouteTableCB0754A3"
},
{
"Ref": "CLVpcDefaultVPCprivateSubnet2RouteTableE0EC5767"
},
{
"Ref": "CLVpcDefaultVPCpublicSubnet1RouteTable8E361619"
},
{
"Ref": "CLVpcDefaultVPCpublicSubnet2RouteTable2992B3F5"
},
{
"Ref": "CLVpcDefaultVPCisolatedSubnet1RouteTable92F0113C"
},
{
"Ref": "CLVpcDefaultVPCisolatedSubnet2RouteTableF150842C"
}
],
"ServiceName": {
"Fn::Join": [
"",
[
"com.amazonaws.",
{
"Ref": "AWS::Region"
},
".s3"
]
]
},
"Tags": [
{
"Key": "Name",
"Value": "CentralizedLogging/CLVpc/DefaultVPC"
}
],
"VpcEndpointType": "Gateway",
"VpcId": {
"Ref": "CLVpcDefaultVPC866079B7"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/DefaultVPC/S3Endpoint/Resource"
}
},
"ProxySecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Default Public Proxy Security group",
"SecurityGroupEgress": [
{
"CidrIp": "0.0.0.0/0",
"Description": "Allow outbound https traffic",
"FromPort": 443,
"IpProtocol": "tcp",
"ToPort": 443
}
],
"SecurityGroupIngress": [
{
"CidrIp": "0.0.0.0/0",
"Description": "Allow inbound https traffic",
"FromPort": 443,
"IpProtocol": "tcp",
"ToPort": 443
}
],
"VpcId": {
"Ref": "CLVpcDefaultVPC866079B7"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/ProxySecurityGroup/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W9",
"reason": "This security group is open to allow public https access, e.g. for ELB"
},
{
"id": "W2",
"reason": "This security group is open to allow public https access, e.g. for ELB"
},
{
"id": "W5",
"reason": "This security group is restricted to https egress only"
}
]
},
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "This security group is open to allow public https access, e.g. for ELB",
"id": "AwsSolutions-EC23"
}
]
}
}
},
"ProcessSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Default Log Processing Layer Security Group.",
"SecurityGroupEgress": [
{
"CidrIp": "0.0.0.0/0",
"Description": "Allow outbound https traffic",
"FromPort": 443,
"IpProtocol": "tcp",
"ToPort": 443
},
{
"CidrIp": "0.0.0.0/0",
"Description": "Allow outbound http traffic",
"FromPort": 80,
"IpProtocol": "tcp",
"ToPort": 80
}
],
"VpcId": {
"Ref": "CLVpcDefaultVPC866079B7"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/ProcessSecurityGroup/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W5",
"reason": "This security group is restricted to https egress only"
}
]
}
}
},
"CLVpcProcessSecurityGroupfromCentralizedLoggingCLVpcProxySecurityGroup57F61ECC443BB98FF12": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"Description": "Allow inbound https traffic from Proxy SG only",
"FromPort": 443,
"GroupId": {
"Fn::GetAtt": [
"ProcessSecurityGroup",
"GroupId"
]
},
"IpProtocol": "tcp",
"SourceSecurityGroupId": {
"Fn::GetAtt": [
"ProxySecurityGroup",
"GroupId"
]
},
"ToPort": 443
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/ProcessSecurityGroup/from CentralizedLoggingCLVpcProxySecurityGroup57F61ECC:443"
}
},
"OpenSearchSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Default OpenSearch cluster Security Group",
"SecurityGroupEgress": [
{
"CidrIp": "0.0.0.0/0",
"Description": "Allow outbound https traffic",
"FromPort": 443,
"IpProtocol": "tcp",
"ToPort": 443
}
],
"VpcId": {
"Ref": "CLVpcDefaultVPC866079B7"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/OpenSearchSecurityGroup/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W5",
"reason": "This security group is restricted to https egress only"
}
]
}
}
},
"CLVpcOpenSearchSecurityGroupfromCentralizedLoggingCLVpcProcessSecurityGroupE485CDB64435E55E820": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"Description": "Allow inbound https traffic from processing SG only",
"FromPort": 443,
"GroupId": {
"Fn::GetAtt": [
"OpenSearchSecurityGroup",
"GroupId"
]
},
"IpProtocol": "tcp",
"SourceSecurityGroupId": {
"Fn::GetAtt": [
"ProcessSecurityGroup",
"GroupId"
]
},
"ToPort": 443
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLVpc/OpenSearchSecurityGroup/from CentralizedLoggingCLVpcProcessSecurityGroupE485CDB6:443"
}
},
"KMSCMK4146988D": {
"Type": "AWS::KMS::Key",
"Properties": {
"Description": "KMS-CMK for encrypting the objects in the SQS",
"EnableKeyRotation": true,
"KeyPolicy": {
"Statement": [
{
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Get*",
"kms:ScheduleKeyDeletion",
"kms:GenerateDataKey",
"kms:TagResource",
"kms:UntagResource",
"kms:Decrypt",
"kms:Encrypt"
],
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
]
}
},
"Resource": "*"
},
{
"Action": [
"kms:GenerateDataKey*",
"kms:Decrypt",
"kms:Encrypt"
],
"Effect": "Allow",
"Principal": {
"Service": [
"s3.amazonaws.com",
"lambda.amazonaws.com",
"sqs.amazonaws.com",
"sns.amazonaws.com",
"ec2.amazonaws.com",
"athena.amazonaws.com",
"dynamodb.amazonaws.com",
"cloudwatch.amazonaws.com",
"glue.amazonaws.com",
"delivery.logs.amazonaws.com"
]
},
"Resource": "*"
},
{
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Condition": {
"StringEquals": {
"kms:ViaService": {
"Fn::Join": [
"",
[
"secretsmanager.",
{
"Ref": "AWS::Region"
},
".amazonaws.com"
]
]
}
}
},
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
]
}
},
"Resource": "*"
},
{
"Action": [
"kms:CreateGrant",
"kms:DescribeKey"
],
"Condition": {
"StringEquals": {
"kms:ViaService": {
"Fn::Join": [
"",
[
"secretsmanager.",
{
"Ref": "AWS::Region"
},
".amazonaws.com"
]
]
}
}
},
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
]
}
},
"Resource": "*"
},
{
"Action": "kms:Decrypt",
"Condition": {
"StringEquals": {
"kms:ViaService": {
"Fn::Join": [
"",
[
"secretsmanager.",
{
"Ref": "AWS::Region"
},
".amazonaws.com"
]
]
}
}
},
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::GetAtt": [
"APIGrafanaAPIGrafanaHandlerServiceRoleD0B99F1B",
"Arn"
]
}
},
"Resource": "*"
},
{
"Action": [
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Condition": {
"StringEquals": {
"kms:ViaService": {
"Fn::Join": [
"",
[
"secretsmanager.",
{
"Ref": "AWS::Region"
},
".amazonaws.com"
]
]
}
}
},
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::GetAtt": [
"APIGrafanaAPIGrafanaHandlerServiceRoleD0B99F1B",
"Arn"
]
}
},
"Resource": "*"
},
{
"Action": "kms:Decrypt",
"Condition": {
"StringEquals": {
"kms:ViaService": {
"Fn::Join": [
"",
[
"secretsmanager.",
{
"Ref": "AWS::Region"
},
".amazonaws.com"
]
]
}
}
},
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::GetAtt": [
"APISvcPipelineAPIPipelineHandlerServiceRole0999EFB2",
"Arn"
]
}
},
"Resource": "*"
},
{
"Action": [
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Condition": {
"StringEquals": {
"kms:ViaService": {
"Fn::Join": [
"",
[
"secretsmanager.",
{
"Ref": "AWS::Region"
},
".amazonaws.com"
]
]
}
}
},
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::GetAtt": [
"APISvcPipelineAPIPipelineHandlerServiceRole0999EFB2",
"Arn"
]
}
},
"Resource": "*"
},
{
"Action": "kms:Decrypt",
"Condition": {
"StringEquals": {
"kms:ViaService": {
"Fn::Join": [
"",
[
"secretsmanager.",
{
"Ref": "AWS::Region"
},
".amazonaws.com"
]
]
}
}
},
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::GetAtt": [
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"Arn"
]
}
},
"Resource": "*"
},
{
"Action": [
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Condition": {
"StringEquals": {
"kms:ViaService": {
"Fn::Join": [
"",
[
"secretsmanager.",
{
"Ref": "AWS::Region"
},
".amazonaws.com"
]
]
}
}
},
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::GetAtt": [
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"Arn"
]
}
},
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PendingWindowInDays": 7
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/KMSCMK/Resource"
}
},
"ECSClusterStackCLClusterBCB8AA1C": {
"Type": "AWS::ECS::Cluster",
"Properties": {
"ClusterSettings": [
{
"Name": "containerInsights",
"Value": "enabled"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/ECSClusterStack/CLCluster/Resource"
}
},
"CLFlbConfUploadingEventDLQ2C003130": {
"Type": "AWS::SQS::Queue",
"Properties": {
"KmsMasterKeyId": "alias/aws/sqs",
"MessageRetentionPeriod": 604800,
"VisibilityTimeout": 900
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CL-FlbConfUploadingEventDLQ/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "it is a DLQ",
"id": "AwsSolutions-SQS3"
}
]
}
}
},
"CLFlbConfUploadingEventDLQPolicyE6BCC657": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "sqs:*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Resource": {
"Fn::GetAtt": [
"CLFlbConfUploadingEventDLQ2C003130",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"Queues": [
{
"Ref": "CLFlbConfUploadingEventDLQ2C003130"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CL-FlbConfUploadingEventDLQ/Policy/Resource"
}
},
"NotiRoleC2B7A7CC": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Description": "A role for s3 bucket notification lambda",
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
],
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:PutBucketNotification",
"s3:GetBucketNotification"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "BucketNotification"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/NotiRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"NotiRoleDefaultPolicy14C2CB25": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutBucketNotification",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"CLLoggingBucket5F34E4EB",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "NotiRoleDefaultPolicy14C2CB25",
"Roles": [
{
"Ref": "NotiRoleC2B7A7CC"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/NotiRole/DefaultPolicy/Resource"
}
},
"CLLoggingBucket5F34E4EB": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "LogDeliveryWrite",
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
},
"LifecycleConfiguration": {
"Rules": [
{
"Status": "Enabled",
"Transitions": [
{
"StorageClass": "INTELLIGENT_TIERING",
"TransitionInDays": 0
}
]
}
]
},
"OwnershipControls": {
"Rules": [
{
"ObjectOwnership": "ObjectWriter"
}
]
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": true
},
"VersioningConfiguration": {
"Status": "Enabled"
}
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLLoggingBucket/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W35",
"reason": "this is a logging bucket hence no access logging required"
},
{
"id": "W51",
"reason": "Already have bucket policy for log delivery"
}
]
}
}
},
"CLLoggingBucketPolicyF6C76312": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "CLLoggingBucket5F34E4EB"
},
"PolicyDocument": {
"Statement": [
{
"Action": "s3:*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Resource": [
{
"Fn::GetAtt": [
"CLLoggingBucket5F34E4EB",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"CLLoggingBucket5F34E4EB",
"Arn"
]
},
"/*"
]
]
}
]
},
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Principal": {
"Fn::If": [
"IsNewRegion",
{
"Service": "logdelivery.elasticloadbalancing.amazonaws.com"
},
{
"AWS": {
"Fn::FindInMap": [
"ELBRootAccountArnTable",
{
"Ref": "AWS::Region"
},
"elbRootAccountArn"
]
}
}
]
},
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::",
{
"Ref": "CLLoggingBucket5F34E4EB"
},
"/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::",
{
"Ref": "CLLoggingBucket5F34E4EB"
}
]
]
}
]
},
{
"Action": "s3:PutObject",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
},
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::",
{
"Ref": "CLLoggingBucket5F34E4EB"
},
"/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::",
{
"Ref": "CLLoggingBucket5F34E4EB"
}
]
]
}
]
},
{
"Action": "s3:GetBucketAcl",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::",
{
"Ref": "CLLoggingBucket5F34E4EB"
},
"/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::",
{
"Ref": "CLLoggingBucket5F34E4EB"
}
]
]
}
]
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLLoggingBucket/Policy/Resource"
}
},
"CLLoggingBucketNotifications5674D9EE": {
"Type": "Custom::S3BucketNotifications",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691",
"Arn"
]
},
"BucketName": {
"Ref": "CLLoggingBucket5F34E4EB"
},
"NotificationConfiguration": {
"EventBridgeConfiguration": {}
},
"Managed": false,
"SkipDestinationValidation": false
},
"DependsOn": [
"CLLoggingBucketPolicyF6C76312"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CLLoggingBucket/Notifications/Resource"
}
},
"BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Description": "AWS CloudFormation handler for \"Custom::S3BucketNotifications\" resources (@aws-cdk/aws-s3)",
"Code": {
"ZipFile": "# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n# SPDX-License-Identifier: Apache-2.0\n\nimport boto3 # type: ignore\nimport json\nimport random\nimport logging\nimport urllib.request\nimport time\nfrom functools import partial, wraps\n\n\ns3 = boto3.client(\"s3\")\n\nEVENTBRIDGE_CONFIGURATION = \"EventBridgeConfiguration\"\n\nCONFIGURATION_TYPES = [\n \"TopicConfigurations\",\n \"QueueConfigurations\",\n \"LambdaFunctionConfigurations\",\n]\n\nclass ConfigurationInconsistencyError(Exception):\n pass\n\n\ndef retry(func=None, retries=3, delays=5, max_delay=None, backoff=2):\n \"\"\"Retry decorator.\"\"\"\n\n if func is None:\n return partial(retry, retries=retries, delays=delays, max_delay=max_delay, backoff=backoff)\n\n @wraps(func)\n def wrapper(*args, **kwargs):\n retry, delay = retries, delays\n\n while retry > 0:\n time.sleep(random.uniform(0.0, 10.0))\n try:\n return func(*args, **kwargs)\n except Exception as e:\n logging.error(\n \"Error Occured: %s, Sleep %d seconds and retry...\", str(e), delay\n )\n time.sleep(delay)\n retry -= 1\n delay *= backoff\n \n if max_delay is not None:\n delay = min(delay, max_delay)\n\n return func(*args, **kwargs)\n\n return wrapper\n\n\ndef handler(event: dict, context):\n response_status = \"SUCCESS\"\n error_message = \"\"\n try:\n put_bucket_notification(event=event)\n except Exception as e:\n logging.exception(\"Failed to put bucket notification configuration\")\n response_status = \"FAILED\"\n error_message = f\"Error: {str(e)}. \"\n finally:\n submit_response(event, context, response_status, error_message)\n\n\ndef handle_managed(request_type, notification_configuration):\n if request_type == \"Delete\":\n return {}\n return notification_configuration\n\n\ndef has_app_log_config_filter_rule(data):\n filter_rules = data.get(\"Filter\", {}).get(\"Key\", {}).get(\"FilterRules\", [])\n return any(rule.get(\"Value\") == \"app_log_config/\" for rule in filter_rules)\n\n\ndef exclude_existing_app_log_config(config):\n return not has_app_log_config_filter_rule(config)\n\n\ndef handle_unmanaged(bucket, stack_id, request_type, notification_configuration):\n # find external notifications\n external_notifications = find_external_notifications(bucket, stack_id)\n\n # if delete, that's all we need\n if request_type == \"Delete\":\n return external_notifications\n\n def with_id(notification):\n notification[\"Id\"] = (\n f\"{stack_id}-{hash(json.dumps(notification, sort_keys=True))}\"\n )\n return notification\n\n # otherwise, merge external with incoming config and augment with id\n notifications = {}\n for t in CONFIGURATION_TYPES:\n external = external_notifications.get(t, [])\n incoming = [with_id(n) for n in notification_configuration.get(t, [])]\n\n external_has_app_log_config_filter_rule = any(map(has_app_log_config_filter_rule, external))\n incoming_has_app_log_config_filter_rule = any(map(has_app_log_config_filter_rule, incoming))\n\n if external_has_app_log_config_filter_rule and incoming_has_app_log_config_filter_rule:\n external = list(filter(exclude_existing_app_log_config, external))\n\n notifications[t] = external + incoming\n\n # EventBridge configuration is a special case because it's just an empty object if it exists\n if EVENTBRIDGE_CONFIGURATION in notification_configuration:\n notifications[EVENTBRIDGE_CONFIGURATION] = notification_configuration[\n EVENTBRIDGE_CONFIGURATION\n ]\n elif EVENTBRIDGE_CONFIGURATION in external_notifications:\n notifications[EVENTBRIDGE_CONFIGURATION] = external_notifications[\n EVENTBRIDGE_CONFIGURATION\n ]\n\n return notifications\n\ndef find_notification_by_id(id, notification_configuration):\n notifications = {}\n for t in CONFIGURATION_TYPES:\n notifications[t] = [\n n\n for n in notification_configuration.get(t, [])\n if n.get(\"Id\", \"\").startswith(f\"{id}\")\n ]\n \n if EVENTBRIDGE_CONFIGURATION in notification_configuration:\n notifications[EVENTBRIDGE_CONFIGURATION] = notification_configuration[\n EVENTBRIDGE_CONFIGURATION\n ]\n \n return notifications\n\n\ndef find_external_notifications(bucket, stack_id):\n existing_notifications = get_bucket_notification_configuration(bucket)\n external_notifications = {}\n for t in CONFIGURATION_TYPES:\n # if the notification was created by us, we know what id to expect\n # so we can filter by it.\n external_notifications[t] = [\n n\n for n in existing_notifications.get(t, [])\n if not n[\"Id\"].startswith(f\"{stack_id}-\")\n ]\n\n # always treat EventBridge configuration as an external config if it already exists\n # as there is no way to determine whether it's managed by us or not\n if EVENTBRIDGE_CONFIGURATION in existing_notifications:\n external_notifications[EVENTBRIDGE_CONFIGURATION] = existing_notifications[\n EVENTBRIDGE_CONFIGURATION\n ]\n\n return external_notifications\n\n\ndef get_bucket_notification_configuration(bucket):\n return s3.get_bucket_notification_configuration(Bucket=bucket)\n\n\n@retry(retries=20, delays=3, max_delay=10, backoff=2)\ndef put_bucket_notification(event: dict):\n props = event[\"ResourceProperties\"]\n bucket = props[\"BucketName\"]\n notification_configuration = props[\"NotificationConfiguration\"]\n request_type = event[\"RequestType\"]\n managed = props.get(\"Managed\", \"true\").lower() == \"true\"\n stack_id = event[\"StackId\"]\n\n if managed:\n config = handle_managed(request_type, notification_configuration)\n else:\n config = handle_unmanaged(\n bucket, stack_id, request_type, notification_configuration\n )\n\n put_bucket_notification_configuration(bucket, config)\n \n time.sleep(random.uniform(1.0, 3.0))\n \n updated_notification_configuration = s3.get_bucket_notification_configuration(Bucket=bucket)\n for t in CONFIGURATION_TYPES:\n if sorted([x.get(\"Id\", \"\") for x in updated_notification_configuration.get(t, [])]) != sorted([x.get(\"Id\", \"\") for x in config.get(t, [])]):\n raise ConfigurationInconsistencyError(f\"Notification configuration update is inconsistent.\")\n\n\ndef put_bucket_notification_configuration(bucket, notification_configuration):\n s3.put_bucket_notification_configuration(\n Bucket=bucket, NotificationConfiguration=notification_configuration\n )\n\n\ndef submit_response(event: dict, context, response_status: str, error_message: str):\n response_body = json.dumps(\n {\n \"Status\": response_status,\n \"Reason\": f\"{error_message}See the details in CloudWatch Log Stream: {context.log_stream_name}\",\n \"PhysicalResourceId\": event.get(\"PhysicalResourceId\")\n or event[\"LogicalResourceId\"],\n \"StackId\": event[\"StackId\"],\n \"RequestId\": event[\"RequestId\"],\n \"LogicalResourceId\": event[\"LogicalResourceId\"],\n \"NoEcho\": False,\n }\n ).encode(\"utf-8\")\n headers = {\"content-type\": \"\", \"content-length\": str(len(response_body))}\n try:\n req = urllib.request.Request(\n url=event[\"ResponseURL\"], headers=headers, data=response_body, method=\"PUT\"\n )\n with urllib.request.urlopen(req) as response:\n print(response.read().decode(\"utf-8\"))\n print(\"Status code: \" + response.reason)\n except Exception as e:\n print(\"send(..) failed executing request.urlopen(..): \" + str(e))\n"
},
"Handler": "index.handler",
"Role": {
"Fn::GetAtt": [
"NotiRoleC2B7A7CC",
"Arn"
]
},
"Runtime": "python3.13",
"Timeout": 300
},
"DependsOn": [
"NotiRoleDefaultPolicy14C2CB25",
"NotiRoleC2B7A7CC"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/BucketNotificationsHandler050a0587b7544547bf325f094a3db834/Resource",
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"PrivateSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Default Private Security Group.",
"SecurityGroupEgress": [
{
"CidrIp": "0.0.0.0/0",
"Description": "Allow all outbound traffic by default",
"IpProtocol": "-1"
}
],
"VpcId": {
"Ref": "CLVpcDefaultVPC866079B7"
}
},
"DependsOn": [
"APIGrafanaAPIGrafanaHandlerServiceRoleDefaultPolicyC7504B36",
"APIGrafanaAPIGrafanaHandlerServiceRoleD0B99F1B"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/VPC/PrivateSecurityGroup/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W5",
"reason": "This Security Group need to open to world on egress."
}
]
},
"guard": {
"SuppressedRules": [
"SECURITY_GROUP_EGRESS_ALL_PROTOCOLS_RULE"
]
}
}
},
"SSMVpcId": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"Name": "/MicroBatch/VpcId",
"Type": "String",
"Value": {
"Ref": "CLVpcDefaultVPC866079B7"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/VPC/SSMVpcId/Resource"
}
},
"SSMPrivateSubnetIds": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"Name": "/MicroBatch/PrivateSubnetIds",
"Type": "String",
"Value": {
"Fn::Join": [
",",
[
{
"Ref": "CLVpcDefaultVPCprivateSubnet1SubnetADE399B7"
},
{
"Ref": "CLVpcDefaultVPCprivateSubnet2Subnet54BADF74"
}
]
]
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/VPC/SSMPrivateSubnetIds/Resource"
}
},
"SSMCMKeyArn": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"Name": "/MicroBatch/CMKeyArn",
"Type": "String",
"Value": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/KMS/SSMCMKeyArn/Resource"
}
},
"StagingBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "BucketOwnerFullControl",
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"KMSMasterKeyID": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"SSEAlgorithm": "aws:kms"
}
}
]
},
"LifecycleConfiguration": {
"Rules": [
{
"Id": "Intelligent-Tiering",
"Status": "Enabled",
"Transitions": [
{
"StorageClass": "INTELLIGENT_TIERING",
"TransitionInDays": 0
}
]
},
{
"AbortIncompleteMultipartUpload": {
"DaysAfterInitiation": 1
},
"ExpiredObjectDeleteMarker": true,
"Id": "NonCurrent-Version-Expiration",
"NoncurrentVersionExpiration": {
"NewerNoncurrentVersions": 1,
"NoncurrentDays": 1
},
"Status": "Enabled"
},
{
"AbortIncompleteMultipartUpload": {
"DaysAfterInitiation": 1
},
"ExpirationInDays": 7,
"Id": "archive/",
"NoncurrentVersionExpiration": {
"NoncurrentDays": 1
},
"Prefix": "archive/",
"Status": "Enabled"
},
{
"AbortIncompleteMultipartUpload": {
"DaysAfterInitiation": 1
},
"ExpirationInDays": 1,
"Id": "athena-results/",
"NoncurrentVersionExpiration": {
"NoncurrentDays": 1
},
"Prefix": "athena-results/",
"Status": "Enabled"
}
]
},
"OwnershipControls": {
"Rules": [
{
"ObjectOwnership": "ObjectWriter"
}
]
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": true
},
"VersioningConfiguration": {
"Status": "Enabled"
}
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/S3/stagingBucket/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W35",
"reason": "Staging Bucket does not need enable access logging."
}
]
}
}
},
"MicroBatchStackS3stagingBucketPolicyE5A3E141": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "StagingBucket"
},
"PolicyDocument": {
"Statement": [
{
"Action": "s3:*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Resource": [
{
"Fn::GetAtt": [
"StagingBucket",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"StagingBucket",
"Arn"
]
},
"/*"
]
]
}
]
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/S3/stagingBucket/Policy/Resource"
}
},
"SSMCentralizedDatabaseArn": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"Name": "/MicroBatch/CentralizedDatabaseArn",
"Type": "String",
"Value": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":glue:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":database/amazon_cl_centralized"
]
]
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Glue/SSMCentralizedDatabaseArn/Resource"
}
},
"AthenaWorkGroup": {
"Type": "AWS::Athena::WorkGroup",
"Properties": {
"Description": "This is an Athena WorkGroup for CentralizedLoggingWithOpenSearch",
"Name": "CentralizedLoggingWithOpenSearch",
"RecursiveDeleteOption": true,
"State": "ENABLED",
"WorkGroupConfiguration": {
"EnforceWorkGroupConfiguration": true,
"EngineVersion": {
"EffectiveEngineVersion": "effectiveEngineVersion",
"SelectedEngineVersion": "Athena engine version 3"
},
"PublishCloudWatchMetricsEnabled": true,
"RequesterPaysEnabled": false,
"ResultConfiguration": {
"EncryptionConfiguration": {
"EncryptionOption": "SSE_KMS",
"KmsKey": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
"OutputLocation": {
"Fn::Join": [
"",
[
"s3://",
{
"Ref": "StagingBucket"
},
"/athena-results/"
]
]
}
}
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Athena/AthenaWorkGroup"
}
},
"S3PublicAccessPolicy": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"Description": "",
"Path": "/",
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:GetObject",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:PutObject",
"s3:DeleteObject",
"s3:PutObjectTagging",
"s3:GetObjectTagging"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"StagingBucket",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"StagingBucket",
"Arn"
]
},
"/*"
]
]
}
]
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/IAM/S3PublicAccessPolicy/Resource"
}
},
"GluePublicAccessPolicy": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"Description": "",
"Path": "/",
"PolicyDocument": {
"Statement": [
{
"Action": [
"glue:BatchGetPartition",
"glue:GetPartitions",
"glue:GetPartition",
"glue:GetTables",
"glue:GetTable",
"glue:GetDatabases",
"glue:GetDatabase",
"glue:BatchCreatePartition",
"glue:CreatePartition",
"glue:DeleteTable",
"glue:DeletePartition",
"glue:CreateTable",
"glue:UpdatePartition",
"glue:BatchUpdatePartition",
"glue:BatchDeletePartition",
"glue:UpdateTable",
"glue:CreateDatabase",
"glue:DeleteDatabase"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":glue:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":database/amazon_cl_centralized"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":glue:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":database/amazon_cl_tmp"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":glue:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":table/amazon_cl_centralized/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":glue:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":table/amazon_cl_tmp/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":glue:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":catalog"
]
]
}
]
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/IAM/GluePublicAccessPolicy/Resource"
}
},
"AthenaPublicAccessPolicy": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"Description": "",
"Path": "/",
"PolicyDocument": {
"Statement": [
{
"Action": [
"athena:ListDatabases",
"athena:ListDataCatalogs",
"athena:ListWorkGroups",
"athena:GetDatabase",
"athena:GetDataCatalog",
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:GetTableMetadata",
"athena:GetWorkGroup",
"athena:ListTableMetadata",
"athena:StartQueryExecution",
"athena:StopQueryExecution",
"athena:GetNamedQuery",
"athena:CreateNamedQuery",
"athena:DeleteNamedQuery",
"athena:UpdateNamedQuery",
"athena:ListNamedQueries"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":athena:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":datacatalog/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":athena:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":workgroup/CentralizedLoggingWithOpenSearch"
]
]
}
]
},
{
"Action": [
"athena:ListDataCatalogs",
"athena:ListWorkGroups"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/IAM/AthenaPublicAccessPolicy/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W13",
"reason": "This Policy need to list all of workgroup and data catalogs."
}
]
}
}
},
"KMSPublicAccessPolicy": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"Description": "",
"Path": "/",
"PolicyDocument": {
"Statement": [
{
"Action": [
"kms:GenerateDataKey*",
"kms:Decrypt",
"kms:Encrypt"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"kms:GenerateDataKey*",
"kms:Decrypt",
"kms:Encrypt"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":kms:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":key/*"
]
]
}
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/IAM/KMSPublicAccessPolicy/Resource"
}
},
"AthenaPublicAccessRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "states.amazonaws.com"
}
},
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
]
}
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Ref": "S3PublicAccessPolicy"
},
{
"Ref": "GluePublicAccessPolicy"
},
{
"Ref": "AthenaPublicAccessPolicy"
},
{
"Ref": "KMSPublicAccessPolicy"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/IAM/AthenaPublicAccessRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"SendTemplateEmailSNSPublicPolicy": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"Description": "",
"Path": "/",
"PolicyDocument": {
"Statement": [
{
"Action": [
"sns:ListTopics",
"sns:Publish"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":sns:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":*"
]
]
}
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/IAM/SendTemplateEmailSNSPublicPolicy/Resource"
}
},
"ETLLog": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "executionName",
"AttributeType": "S"
},
{
"AttributeName": "taskId",
"AttributeType": "S"
},
{
"AttributeName": "pipelineIndexKey",
"AttributeType": "S"
},
{
"AttributeName": "startTime",
"AttributeType": "S"
}
],
"BillingMode": "PAY_PER_REQUEST",
"GlobalSecondaryIndexes": [
{
"IndexName": "IDX_PIPELINE",
"KeySchema": [
{
"AttributeName": "pipelineIndexKey",
"KeyType": "HASH"
},
{
"AttributeName": "startTime",
"KeyType": "RANGE"
}
],
"Projection": {
"NonKeyAttributes": [
"endTime",
"status"
],
"ProjectionType": "INCLUDE"
}
}
],
"KeySchema": [
{
"AttributeName": "executionName",
"KeyType": "HASH"
},
{
"AttributeName": "taskId",
"KeyType": "RANGE"
}
],
"PointInTimeRecoverySpecification": {
"PointInTimeRecoveryEnabled": true
},
"SSESpecification": {
"KMSMasterKeyId": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"SSEEnabled": true,
"SSEType": "KMS"
},
"TimeToLiveSpecification": {
"AttributeName": "expirationTime",
"Enabled": true
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/DynamoDB/ETLLog/Resource"
}
},
"Metadata": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "metaName",
"AttributeType": "S"
}
],
"BillingMode": "PAY_PER_REQUEST",
"KeySchema": [
{
"AttributeName": "metaName",
"KeyType": "HASH"
}
],
"PointInTimeRecoverySpecification": {
"PointInTimeRecoveryEnabled": true
},
"SSESpecification": {
"KMSMasterKeyId": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"SSEEnabled": true,
"SSEType": "KMS"
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/DynamoDB/Metadata/Resource"
}
},
"S3ObjectMigrationDLQ": {
"Type": "AWS::SQS::Queue",
"Properties": {
"KmsMasterKeyId": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"MessageRetentionPeriod": 604800,
"VisibilityTimeout": 900
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/SQS/S3ObjectMigrationDLQ/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "SQS: S3ObjectMigrationDLQ is a DLQ.",
"id": "AwsSolutions-SQS3"
}
]
}
}
},
"S3ObjectMigrationDLQPolicy": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "SQS:*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Resource": {
"Fn::GetAtt": [
"S3ObjectMigrationDLQ",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"Queues": [
{
"Fn::GetAtt": [
"S3ObjectMigrationDLQ",
"QueueName"
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/SQS/S3ObjectMigrationDLQPolicy"
}
},
"S3ObjectMigrationQ": {
"Type": "AWS::SQS::Queue",
"Properties": {
"KmsMasterKeyId": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"MessageRetentionPeriod": 604800,
"RedrivePolicy": {
"deadLetterTargetArn": {
"Fn::GetAtt": [
"S3ObjectMigrationDLQ",
"Arn"
]
},
"maxReceiveCount": 3
},
"VisibilityTimeout": 900
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/SQS/S3ObjectMigrationQ/Resource"
}
},
"S3ObjectMigrationQPolicy": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "SQS:*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Resource": {
"Fn::GetAtt": [
"S3ObjectMigrationQ",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"Queues": [
{
"Fn::GetAtt": [
"S3ObjectMigrationQ",
"QueueName"
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/SQS/S3ObjectMigrationQPolicy"
}
},
"S3ObjectMergeDLQ": {
"Type": "AWS::SQS::Queue",
"Properties": {
"KmsMasterKeyId": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"MessageRetentionPeriod": 604800,
"VisibilityTimeout": 900
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/SQS/S3ObjectMergeDLQ/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "SQS: S3ObjectMigrationDLQ is a DLQ.",
"id": "AwsSolutions-SQS3"
}
]
}
}
},
"S3ObjectMergeDLQPolicy": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "SQS:*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Resource": {
"Fn::GetAtt": [
"S3ObjectMergeDLQ",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"Queues": [
{
"Fn::GetAtt": [
"S3ObjectMergeDLQ",
"QueueName"
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/SQS/S3ObjectMergeDLQPolicy"
}
},
"S3ObjectMergeQ": {
"Type": "AWS::SQS::Queue",
"Properties": {
"KmsMasterKeyId": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"MessageRetentionPeriod": 604800,
"RedrivePolicy": {
"deadLetterTargetArn": {
"Fn::GetAtt": [
"S3ObjectMigrationDLQ",
"Arn"
]
},
"maxReceiveCount": 3
},
"VisibilityTimeout": 900
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/SQS/S3ObjectMergeQ/Resource"
}
},
"S3ObjectMergeQPolicy": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "SQS:*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Resource": {
"Fn::GetAtt": [
"S3ObjectMergeQ",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"Queues": [
{
"Fn::GetAtt": [
"S3ObjectMergeQ",
"QueueName"
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/SQS/S3ObjectMergeQPolicy"
}
},
"ReceiveStatesFailedTopic": {
"Type": "AWS::SNS::Topic",
"Properties": {
"KmsMasterKeyId": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"TopicName": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
"-ReceiveStatesFailedTopic"
]
]
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/SNS/ReceiveStatesFailedTopic/Resource"
}
},
"SendEmailTopic": {
"Type": "AWS::SNS::Topic",
"Properties": {
"KmsMasterKeyId": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"TopicName": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
"-SendEmailTopic"
]
]
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/SNS/SendEmailTopic/Resource"
}
},
"MicroBatchStackSNSSendEmailTopicTokenSubscription17B0F84DB": {
"Type": "AWS::SNS::Subscription",
"Properties": {
"Endpoint": {
"Ref": "adminEmail"
},
"Protocol": "email",
"TopicArn": {
"Ref": "SendEmailTopic"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/SNS/SendEmailTopic/TokenSubscription:1/Resource"
}
},
"LambdaBoto3Layer": {
"Type": "AWS::Lambda::LayerVersion",
"Properties": {
"CompatibleRuntimes": [
"python3.11"
],
"Content": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/52145f2e7bf8e25e25e6f8bea6c03332798ac3635cc8ecc305fd8f2b6938f04e.zip"
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaLayerStack/LambdaBoto3Layer/Resource",
"aws:asset:path": "asset.52145f2e7bf8e25e25e6f8bea6c03332798ac3635cc8ecc305fd8f2b6938f04e",
"aws:asset:is-bundled": true,
"aws:asset:property": "Content"
}
},
"LambdaPyarrowLayer": {
"Type": "AWS::Lambda::LayerVersion",
"Properties": {
"CompatibleRuntimes": [
"python3.11"
],
"Content": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/0f8dcfd0a895d897500be7a070bb0e4616e01e24b5eff9614f36f15b11d6540c.zip"
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaLayerStack/LambdaPyarrowLayer/Resource",
"aws:asset:path": "asset.0f8dcfd0a895d897500be7a070bb0e4616e01e24b5eff9614f36f15b11d6540c",
"aws:asset:is-bundled": true,
"aws:asset:property": "Content"
}
},
"LambdaUtilsLayer": {
"Type": "AWS::Lambda::LayerVersion",
"Properties": {
"CompatibleRuntimes": [
"python3.11"
],
"Content": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/91f1d8f0dca4087fe877f39e699b8f7f5a1c4421e2a95dd71a13a366892cf551.zip"
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaLayerStack/LambdaUtilsLayer/Resource",
"aws:asset:path": "asset.91f1d8f0dca4087fe877f39e699b8f7f5a1c4421e2a95dd71a13a366892cf551",
"aws:asset:is-bundled": true,
"aws:asset:property": "Content"
}
},
"SSMLambdaUtilsLayerArn": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"Name": "/MicroBatch/LambdaUtilsLayerArn",
"Type": "String",
"Value": {
"Ref": "LambdaUtilsLayer"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaLayerStack/SSMLambdaUtilsLayerArn/Resource"
}
},
"LambdaEnrichmentLayer": {
"Type": "AWS::Lambda::LayerVersion",
"Properties": {
"CompatibleRuntimes": [
"python3.11"
],
"Content": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/7abf1119d6797d1f89fec7943a15c8d676d1c6bab50b3bf4b0fb16526397491a.zip"
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaLayerStack/LambdaEnrichmentLayer/Resource",
"aws:asset:path": "asset.7abf1119d6797d1f89fec7943a15c8d676d1c6bab50b3bf4b0fb16526397491a",
"aws:asset:is-bundled": true,
"aws:asset:property": "Content"
}
},
"SSMLambdaEnrichmentLayerArn": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"Name": "/MicroBatch/LambdaEnrichmentLayerArn",
"Type": "String",
"Value": {
"Ref": "LambdaEnrichmentLayer"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaLayerStack/SSMLambdaEnrichmentLayerArn/Resource"
}
},
"S3ObjectScanningRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
]
]
},
{
"Ref": "KMSPublicAccessPolicy"
},
{
"Ref": "S3PublicAccessPolicy"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaS3ObjectScanningStack/S3ObjectScanningRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"S3ObjectScanningRWDDBPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"dynamodb:PutItem",
"dynamodb:UpdateItem"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"ETLLog",
"Arn"
]
}
},
{
"Action": "dynamodb:GetItem",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"Metadata",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "S3ObjectScanningRWDDBPolicy",
"Roles": [
{
"Ref": "S3ObjectScanningRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaS3ObjectScanningStack/S3ObjectScanningRWDDBPolicy/Resource"
}
},
"S3ObjectScanningRWSQSPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"sqs:ChangeMessageVisibility",
"sqs:SendMessage",
"sqs:GetQueueUrl"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"S3ObjectMigrationDLQ",
"Arn"
]
},
{
"Fn::GetAtt": [
"S3ObjectMigrationQ",
"Arn"
]
},
{
"Fn::GetAtt": [
"S3ObjectMergeDLQ",
"Arn"
]
},
{
"Fn::GetAtt": [
"S3ObjectMergeQ",
"Arn"
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "S3ObjectScanningRWSQSPolicy",
"Roles": [
{
"Ref": "S3ObjectScanningRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaS3ObjectScanningStack/S3ObjectScanningRWSQSPolicy/Resource"
}
},
"S3ObjectScanning": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/6b0db0d67ffb1650a685154e352767179e00d9595f5f5ecd3c1ece48dc4825c3.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Lambda function to scan objects on S3."
]
]
},
"Environment": {
"Variables": {
"SOLUTION_VERSION": "v2.4.10",
"SOLUTION_ID": "SO8025",
"ETL_LOG_TABLE_NAME": {
"Ref": "ETLLog"
},
"META_TABLE_NAME": {
"Ref": "Metadata"
}
}
},
"Handler": "lambda_function.lambda_handler",
"Layers": [
{
"Ref": "LambdaUtilsLayer"
}
],
"MemorySize": 256,
"Role": {
"Fn::GetAtt": [
"S3ObjectScanningRole",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 900,
"VpcConfig": {
"SecurityGroupIds": [
{
"Fn::GetAtt": [
"PrivateSecurityGroup",
"GroupId"
]
}
],
"SubnetIds": [
{
"Ref": "CLVpcDefaultVPCprivateSubnet1SubnetADE399B7"
},
{
"Ref": "CLVpcDefaultVPCprivateSubnet2Subnet54BADF74"
}
]
}
},
"DependsOn": [
"S3ObjectScanningRole"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaS3ObjectScanningStack/S3ObjectScanning/Resource",
"aws:asset:path": "asset.6b0db0d67ffb1650a685154e352767179e00d9595f5f5ecd3c1ece48dc4825c3",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"S3ObjectMigrationRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
]
]
},
{
"Ref": "S3PublicAccessPolicy"
},
{
"Ref": "KMSPublicAccessPolicy"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaS3ObjectMigrationStack/S3ObjectMigrationRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"S3ObjectMigrationRWDDBPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:UpdateItem"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"ETLLog",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "S3ObjectMigrationRWDDBPolicy",
"Roles": [
{
"Ref": "S3ObjectMigrationRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaS3ObjectMigrationStack/S3ObjectMigrationRWDDBPolicy/Resource"
}
},
"S3ObjectMigrationRWSQSPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes",
"sqs:ChangeMessageVisibility",
"sqs:GetQueueUrl"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"S3ObjectMigrationQ",
"Arn"
]
},
{
"Fn::GetAtt": [
"S3ObjectMigrationDLQ",
"Arn"
]
},
{
"Fn::GetAtt": [
"S3ObjectMergeQ",
"Arn"
]
},
{
"Fn::GetAtt": [
"S3ObjectMergeDLQ",
"Arn"
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "S3ObjectMigrationRWSQSPolicy",
"Roles": [
{
"Ref": "S3ObjectMigrationRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaS3ObjectMigrationStack/S3ObjectMigrationRWSQSPolicy/Resource"
}
},
"S3ObjectMigration": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/be191a39c7848c367dfc30bb7ed7125f2d31780c3eb61352bbad20411e4905d5.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Lambda function to migration objects on S3."
]
]
},
"Environment": {
"Variables": {
"SOLUTION_VERSION": "v2.4.10",
"SOLUTION_ID": "SO8025",
"ETL_LOG_TABLE_NAME": {
"Ref": "ETLLog"
}
}
},
"Handler": "lambda_function.lambda_handler",
"Layers": [
{
"Ref": "LambdaUtilsLayer"
}
],
"MemorySize": 256,
"Role": {
"Fn::GetAtt": [
"S3ObjectMigrationRole",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 900,
"VpcConfig": {
"SecurityGroupIds": [
{
"Fn::GetAtt": [
"PrivateSecurityGroup",
"GroupId"
]
}
],
"SubnetIds": [
{
"Ref": "CLVpcDefaultVPCprivateSubnet1SubnetADE399B7"
},
{
"Ref": "CLVpcDefaultVPCprivateSubnet2Subnet54BADF74"
}
]
}
},
"DependsOn": [
"S3ObjectMigrationRole",
"S3ObjectMigrationRWSQSPolicy"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaS3ObjectMigrationStack/S3ObjectMigration/Resource",
"aws:asset:path": "asset.be191a39c7848c367dfc30bb7ed7125f2d31780c3eb61352bbad20411e4905d5",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"MicroBatchStackLambdaLambdaS3ObjectMigrationStackS3ObjectMigrationSqsEventSourceCentralizedLoggingMicroBatchStackSQSS3ObjectMigrationQA76A9CA005B5F427": {
"Type": "AWS::Lambda::EventSourceMapping",
"Properties": {
"BatchSize": 1,
"EventSourceArn": {
"Fn::GetAtt": [
"S3ObjectMigrationQ",
"Arn"
]
},
"FunctionName": {
"Ref": "S3ObjectMigration"
}
},
"DependsOn": [
"S3ObjectMigrationRWSQSPolicy"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaS3ObjectMigrationStack/S3ObjectMigration/SqsEventSource:CentralizedLoggingMicroBatchStackSQSS3ObjectMigrationQA76A9CA0/Resource"
}
},
"S3ObjectMerge": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/be191a39c7848c367dfc30bb7ed7125f2d31780c3eb61352bbad20411e4905d5.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Lambda function to merge objects on S3."
]
]
},
"Environment": {
"Variables": {
"SOLUTION_VERSION": "v2.4.10",
"SOLUTION_ID": "SO8025",
"ETL_LOG_TABLE_NAME": {
"Ref": "ETLLog"
}
}
},
"EphemeralStorage": {
"Size": 2048
},
"Handler": "lambda_function.lambda_handler",
"Layers": [
{
"Ref": "LambdaUtilsLayer"
},
{
"Ref": "LambdaPyarrowLayer"
}
],
"MemorySize": 1024,
"Role": {
"Fn::GetAtt": [
"S3ObjectMigrationRole",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 900,
"VpcConfig": {
"SecurityGroupIds": [
{
"Fn::GetAtt": [
"PrivateSecurityGroup",
"GroupId"
]
}
],
"SubnetIds": [
{
"Ref": "CLVpcDefaultVPCprivateSubnet1SubnetADE399B7"
},
{
"Ref": "CLVpcDefaultVPCprivateSubnet2Subnet54BADF74"
}
]
}
},
"DependsOn": [
"S3ObjectMigrationRole",
"S3ObjectMigrationRWSQSPolicy"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaS3ObjectMigrationStack/S3ObjectMerge/Resource",
"aws:asset:path": "asset.be191a39c7848c367dfc30bb7ed7125f2d31780c3eb61352bbad20411e4905d5",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"MicroBatchStackLambdaLambdaS3ObjectMigrationStackS3ObjectMergeSqsEventSourceCentralizedLoggingMicroBatchStackSQSS3ObjectMergeQAF0CC6515CE5D7B9": {
"Type": "AWS::Lambda::EventSourceMapping",
"Properties": {
"BatchSize": 1,
"EventSourceArn": {
"Fn::GetAtt": [
"S3ObjectMergeQ",
"Arn"
]
},
"FunctionName": {
"Ref": "S3ObjectMerge"
}
},
"DependsOn": [
"S3ObjectMigrationRWSQSPolicy"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaS3ObjectMigrationStack/S3ObjectMerge/SqsEventSource:CentralizedLoggingMicroBatchStackSQSS3ObjectMergeQAF0CC651/Resource"
}
},
"SendTemplateEmailRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
]
]
},
{
"Ref": "KMSPublicAccessPolicy"
},
{
"Ref": "SendTemplateEmailSNSPublicPolicy"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaSendTemplateEmailStack/SendTemplateEmailRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"SendTemplateEmailRWDDBPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"ETLLog",
"Arn"
]
}
},
{
"Action": "dynamodb:GetItem",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"Metadata",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "SendTemplateEmailRWDDBPolicy",
"Roles": [
{
"Ref": "SendTemplateEmailRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaSendTemplateEmailStack/SendTemplateEmailRWDDBPolicy/Resource"
}
},
"SendTemplateEmailPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "ses:SendTemplatedEmail",
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ses:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":template/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ses:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":configuration-set/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ses:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":identity/*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "SendTemplateEmailPolicy",
"Roles": [
{
"Ref": "SendTemplateEmailRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaSendTemplateEmailStack/SendTemplateEmailPolicy/Resource"
},
"Condition": "MicroBatchStackLambdaLambdaSendTemplateEmailStackSESStateCondition12506B59"
},
"SendTemplateEmail": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/94d03d403ec896d4659e838af1cdd5d3a3501383556bce74e324bc63d2a4598e.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Lambda function to send email notification to customer via SES or SNS."
]
]
},
"Environment": {
"Variables": {
"SOLUTION_VERSION": "v2.4.10",
"SOLUTION_ID": "SO8025",
"ETL_LOG_TABLE_NAME": {
"Ref": "ETLLog"
},
"META_TABLE_NAME": {
"Ref": "Metadata"
},
"SOURCE": {
"Ref": "adminEmail"
},
"NOTIFICATION_PRIORITY": "Pipeline"
}
},
"Handler": "lambda_function.lambda_handler",
"Layers": [
{
"Ref": "LambdaUtilsLayer"
}
],
"MemorySize": 128,
"Role": {
"Fn::GetAtt": [
"SendTemplateEmailRole",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 60,
"VpcConfig": {
"SecurityGroupIds": [
{
"Fn::GetAtt": [
"PrivateSecurityGroup",
"GroupId"
]
}
],
"SubnetIds": [
{
"Ref": "CLVpcDefaultVPCprivateSubnet1SubnetADE399B7"
},
{
"Ref": "CLVpcDefaultVPCprivateSubnet2Subnet54BADF74"
}
]
}
},
"DependsOn": [
"SendTemplateEmailRole"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaSendTemplateEmailStack/SendTemplateEmail/Resource",
"aws:asset:path": "asset.94d03d403ec896d4659e838af1cdd5d3a3501383556bce74e324bc63d2a4598e",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"MicroBatchStackLambdaLambdaSendTemplateEmailStackSendTemplateEmailAllowInvokeCentralizedLoggingMicroBatchStackSNSReceiveStatesFailedTopic26D3D46CDDD2B2EB": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"Action": "lambda:InvokeFunction",
"FunctionName": {
"Fn::GetAtt": [
"SendTemplateEmail",
"Arn"
]
},
"Principal": "sns.amazonaws.com",
"SourceArn": {
"Ref": "ReceiveStatesFailedTopic"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaSendTemplateEmailStack/SendTemplateEmail/AllowInvoke:CentralizedLoggingMicroBatchStackSNSReceiveStatesFailedTopic26D3D46C"
}
},
"MicroBatchStackLambdaLambdaSendTemplateEmailStackSendTemplateEmailReceiveStatesFailedTopic4383DDB7": {
"Type": "AWS::SNS::Subscription",
"Properties": {
"Endpoint": {
"Fn::GetAtt": [
"SendTemplateEmail",
"Arn"
]
},
"Protocol": "lambda",
"TopicArn": {
"Ref": "ReceiveStatesFailedTopic"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaSendTemplateEmailStack/SendTemplateEmail/ReceiveStatesFailedTopic/Resource"
}
},
"PipelineResourcesBuilderPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:PutBucketNotification",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:PutBucketPolicy",
"s3:DeleteBucketPolicy",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::*"
]
]
},
"Sid": "S3PutBucketNotification"
},
{
"Action": [
"sqs:GetQueueUrl",
"sqs:GetQueueAttributes",
"sqs:SetQueueAttributes"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":sqs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":*LogEventQueue*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":sqs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":*LogEventDLQ*"
]
]
}
],
"Sid": "SetSQSPolicy"
},
{
"Action": [
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:Scan"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"Metadata",
"Arn"
]
},
"Sid": "DynamoDB"
},
{
"Action": [
"iam:GetPolicyVersion",
"iam:GetPolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:ListPolicyVersions"
],
"Effect": "Allow",
"Resource": [
{
"Ref": "S3PublicAccessPolicy"
},
{
"Ref": "SendTemplateEmailSNSPublicPolicy"
}
],
"Sid": "UpdatePublicPolicy"
}
],
"Version": "2012-10-17"
},
"PolicyName": "PipelineResourcesBuilderPolicy",
"Roles": [
{
"Ref": "PipelineResourcesBuilderRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaPipelineResourcesBuilderStack/PipelineResourcesBuilderPolicy/Resource"
}
},
"PipelineResourcesBuilderSchedulePolicy": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"Description": "",
"Path": "/",
"PolicyDocument": {
"Statement": [
{
"Action": [
"events:PutRule",
"events:DeleteRule",
"events:PutTargets",
"events:ListRules",
"events:ListTargetsByRule",
"events:RemoveTargets"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":events:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":rule/*/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":events:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":rule/*"
]
]
}
],
"Sid": "EventBridge"
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaPipelineResourcesBuilderStack/PipelineResourcesBuilderSchedulePolicy/Resource"
}
},
"PipelineResourcesBuilderRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
]
]
},
{
"Ref": "GluePublicAccessPolicy"
},
{
"Ref": "KMSPublicAccessPolicy"
},
{
"Ref": "PipelineResourcesBuilderSchedulePolicy"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaPipelineResourcesBuilderStack/PipelineResourcesBuilderRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"PipelineResourcesBuilder": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/0c2188b663167c19878b9de7cebd61bb4e2cd0dca4fdd2e7d29ea216642853eb.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Lambda function to alter table to manage all pipeline resources."
]
]
},
"Environment": {
"Variables": {
"SOLUTION_VERSION": "v2.4.10",
"SOLUTION_ID": "SO8025",
"META_TABLE_NAME": {
"Ref": "Metadata"
},
"TAGS": "[{\"Key\": \"Application\", \"Value\": \"CentralizedLoggingWithOpenSearch\"}]"
}
},
"Handler": "lambda_function.lambda_handler",
"Layers": [
{
"Ref": "LambdaUtilsLayer"
},
{
"Ref": "LambdaBoto3Layer"
}
],
"MemorySize": 128,
"Role": {
"Fn::GetAtt": [
"PipelineResourcesBuilderRole",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 900,
"VpcConfig": {
"SecurityGroupIds": [
{
"Fn::GetAtt": [
"PrivateSecurityGroup",
"GroupId"
]
}
],
"SubnetIds": [
{
"Ref": "CLVpcDefaultVPCprivateSubnet1SubnetADE399B7"
},
{
"Ref": "CLVpcDefaultVPCprivateSubnet2Subnet54BADF74"
}
]
}
},
"DependsOn": [
"PipelineResourcesBuilderRole"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaPipelineResourcesBuilderStack/PipelineResourcesBuilder/Resource",
"aws:asset:path": "asset.0c2188b663167c19878b9de7cebd61bb4e2cd0dca4fdd2e7d29ea216642853eb",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"ETLHelperRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
]
]
},
{
"Ref": "KMSPublicAccessPolicy"
},
{
"Ref": "AthenaPublicAccessPolicy"
},
{
"Ref": "GluePublicAccessPolicy"
},
{
"Ref": "S3PublicAccessPolicy"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaETLHelperStack/ETLHelperRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"ETLHelperRWDDBPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"dynamodb:PutItem",
"dynamodb:UpdateItem"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"ETLLog",
"Arn"
]
}
},
{
"Action": "dynamodb:GetItem",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"Metadata",
"Arn"
]
}
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"PipelineResourcesBuilder",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"PipelineResourcesBuilder",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "ETLHelperRWDDBPolicy",
"Roles": [
{
"Ref": "ETLHelperRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaETLHelperStack/ETLHelperRWDDBPolicy/Resource"
}
},
"ETLHelper": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/cf05686b00292f149e80c2c5a0724046ae16026c011d143d88518a2c36bdab57.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Lambda function to write ETL logs to DDB Table."
]
]
},
"Environment": {
"Variables": {
"SOLUTION_VERSION": "v2.4.10",
"SOLUTION_ID": "SO8025",
"ETL_LOG_TABLE_NAME": {
"Ref": "ETLLog"
},
"META_TABLE_NAME": {
"Ref": "Metadata"
}
}
},
"Handler": "lambda_function.lambda_handler",
"Layers": [
{
"Ref": "LambdaUtilsLayer"
}
],
"MemorySize": 128,
"Role": {
"Fn::GetAtt": [
"ETLHelperRole",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 300,
"VpcConfig": {
"SecurityGroupIds": [
{
"Fn::GetAtt": [
"PrivateSecurityGroup",
"GroupId"
]
}
],
"SubnetIds": [
{
"Ref": "CLVpcDefaultVPCprivateSubnet1SubnetADE399B7"
},
{
"Ref": "CLVpcDefaultVPCprivateSubnet2Subnet54BADF74"
}
]
}
},
"DependsOn": [
"ETLHelperRole"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaETLHelperStack/ETLHelper/Resource",
"aws:asset:path": "asset.cf05686b00292f149e80c2c5a0724046ae16026c011d143d88518a2c36bdab57",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"MetadataWriterRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
]
]
},
{
"Ref": "KMSPublicAccessPolicy"
},
{
"Ref": "GluePublicAccessPolicy"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaMetadataWriterStack/MetadataWriterRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"MetadataWriterPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchWriteItem"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"Metadata",
"Arn"
]
}
},
{
"Action": [
"iam:GetPolicyVersion",
"iam:GetPolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:ListPolicyVersions"
],
"Effect": "Allow",
"Resource": {
"Ref": "PipelineResourcesBuilderSchedulePolicy"
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "MetadataWriterPolicy",
"Roles": [
{
"Ref": "MetadataWriterRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaMetadataWriterStack/MetadataWriterPolicy/Resource"
}
},
"MetadataWriter": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/38c221f26f721f12e42283d06e260ce9336e57f1b3a90c47ea0e67945fbf9af0.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Lambda function to write item to Meta Table."
]
]
},
"Environment": {
"Variables": {
"SOLUTION_VERSION": "v2.4.10",
"SOLUTION_ID": "SO8025",
"META_TABLE_NAME": {
"Ref": "Metadata"
}
}
},
"Handler": "lambda_function.lambda_handler",
"Layers": [
{
"Ref": "LambdaUtilsLayer"
}
],
"MemorySize": 128,
"Role": {
"Fn::GetAtt": [
"MetadataWriterRole",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 900,
"VpcConfig": {
"SecurityGroupIds": [
{
"Fn::GetAtt": [
"PrivateSecurityGroup",
"GroupId"
]
}
],
"SubnetIds": [
{
"Ref": "CLVpcDefaultVPCprivateSubnet1SubnetADE399B7"
},
{
"Ref": "CLVpcDefaultVPCprivateSubnet2Subnet54BADF74"
}
]
}
},
"DependsOn": [
"CLVpcDefaultVPCprivateSubnet1DefaultRoute69028806",
"CLVpcDefaultVPCprivateSubnet1RouteTableAssociation584876D0",
"CLVpcDefaultVPCprivateSubnet2DefaultRoute49D29374",
"CLVpcDefaultVPCprivateSubnet2RouteTableAssociation25D246AC",
"MetadataWriterRole"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/Lambda/LambdaMetadataWriterStack/MetadataWriter/Resource",
"aws:asset:path": "asset.38c221f26f721f12e42283d06e260ce9336e57f1b3a90c47ea0e67945fbf9af0",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"AthenaWorkflowLambdaInvokePolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"ETLHelper",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"ETLHelper",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "AthenaWorkflowLambdaInvokePolicy",
"Roles": [
{
"Ref": "AthenaWorkflowRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionAthenaWorkflowStack/AthenaWorkflowLambdaInvokePolicy/Resource"
}
},
"AthenaWorkflowRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "states.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Ref": "S3PublicAccessPolicy"
},
{
"Ref": "GluePublicAccessPolicy"
},
{
"Ref": "AthenaPublicAccessPolicy"
},
{
"Ref": "KMSPublicAccessPolicy"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionAthenaWorkflowStack/AthenaWorkflowRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"AthenaWorkflow": {
"Type": "AWS::StepFunctions::StateMachine",
"Properties": {
"DefinitionString": {
"Fn::Join": [
"",
[
"{\"StartAt\":\"Athena: StartQueryExecution\",\"States\":{\"Athena: StartQueryExecution\":{\"Next\":\"Put Athena: StartQueryExecution logs to DynamoDB\",\"Retry\":[{\"ErrorEquals\":[\"States.ALL\"],\"IntervalSeconds\":1,\"MaxAttempts\":2,\"BackoffRate\":2,\"MaxDelaySeconds\":10,\"JitterStrategy\":\"FULL\"}],\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.errors.startQueryExecution\",\"Next\":\"Put Athena: StartQueryExecution failed logs to DynamoDB\"}],\"Type\":\"Task\",\"ResultPath\":\"$.athena.response\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::athena:startQueryExecution.sync\",\"Parameters\":{\"QueryString.$\":\"$.queryString\",\"ResultConfiguration\":{\"EncryptionConfiguration\":{\"EncryptionOption\":\"SSE_KMS\"},\"OutputLocation\":\"s3://",
{
"Ref": "StagingBucket"
},
"/athena-results/\"},\"WorkGroup.$\":\"$.workGroup\"}},\"Put Athena: StartQueryExecution logs to DynamoDB\":{\"End\":true,\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2},{\"ErrorEquals\":[\"States.ALL\"],\"IntervalSeconds\":1,\"MaxAttempts\":5,\"BackoffRate\":2,\"MaxDelaySeconds\":10,\"JitterStrategy\":\"FULL\"}],\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"ETLHelper",
"Arn"
]
},
"\",\"Payload\":{\"API\":\"Athena: GetQueryExecution\",\"executionName.$\":\"$.executionName\",\"taskId.$\":\"$.athena.response.QueryExecution.QueryExecutionId\",\"parameters\":{\"queryExecutionId.$\":\"$.athena.response.QueryExecution.QueryExecutionId\"},\"extra\":{\"API\":\"Athena: StartQueryExecution\",\"parentTaskId.$\":\"$.extra.parentTaskId\",\"pipelineId.$\":\"$.extra.pipelineId\",\"stateMachineName.$\":\"$$.StateMachine.Name\",\"stateName.$\":\"$.extra.stateName\"}}}},\"Put Athena: StartQueryExecution failed logs to DynamoDB\":{\"Next\":\"Job Failed\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2},{\"ErrorEquals\":[\"States.ALL\"],\"IntervalSeconds\":1,\"MaxAttempts\":5,\"BackoffRate\":2,\"MaxDelaySeconds\":10,\"JitterStrategy\":\"FULL\"}],\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"ETLHelper",
"Arn"
]
},
"\",\"Payload\":{\"API\":\"DynamoDB: PutItem\",\"executionName.$\":\"$.executionName\",\"taskId.$\":\"States.UUID()\",\"parameters\":{\"action\":\"ADD\"},\"extra\":{\"API\":\"Athena: StartQueryExecution\",\"data.$\":\"$.queryString\",\"startTime.$\":\"$$.Execution.StartTime\",\"endTime.$\":\"$$.State.EnteredTime\",\"status\":\"FAILED\",\"parentTaskId.$\":\"$.extra.parentTaskId\",\"pipelineId.$\":\"$.extra.pipelineId\",\"stateMachineName.$\":\"$$.StateMachine.Name\",\"stateName.$\":\"$.extra.stateName\"}}}},\"Job Failed\":{\"Type\":\"Fail\"}}}"
]
]
},
"RoleArn": {
"Fn::GetAtt": [
"AthenaWorkflowRole",
"Arn"
]
}
},
"DependsOn": [
"AthenaWorkflowRole"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionAthenaWorkflowStack/AthenaWorkflow/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Step Function: AthenaWorkflow does not need enable Logging.",
"id": "AwsSolutions-SF1"
}
]
}
}
},
"LogProcessorLambdaInvokePolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"S3ObjectScanning",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"S3ObjectScanning",
"Arn"
]
},
":*"
]
]
},
{
"Fn::GetAtt": [
"SendTemplateEmail",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"SendTemplateEmail",
"Arn"
]
},
":*"
]
]
},
{
"Fn::GetAtt": [
"ETLHelper",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"ETLHelper",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "LogProcessorLambdaInvokePolicy",
"Roles": [
{
"Ref": "LogProcessorRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionLogProcessorStack/LogProcessorLambdaInvokePolicy/Resource"
}
},
"LogProcessorRWDDBPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"dynamodb:PutItem",
"dynamodb:UpdateItem"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"ETLLog",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "LogProcessorRWDDBPolicy",
"Roles": [
{
"Ref": "LogProcessorRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionLogProcessorStack/LogProcessorRWDDBPolicy/Resource"
}
},
"LogProcessorStartStateMachinePolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "states:StartExecution",
"Effect": "Allow",
"Resource": {
"Ref": "AthenaWorkflow"
}
},
{
"Action": [
"states:DescribeExecution",
"states:StopExecution"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
{
"Ref": "AthenaWorkflow"
},
":*"
]
]
}
},
{
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":events:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "LogProcessorStartStateMachinePolicy",
"Roles": [
{
"Ref": "LogProcessorRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionLogProcessorStack/LogProcessorStartStateMachinePolicy/Resource"
}
},
"LogProcessorRWSNSPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "SNS:Publish",
"Effect": "Allow",
"Resource": {
"Ref": "ReceiveStatesFailedTopic"
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "LogProcessorRWSNSPolicy",
"Roles": [
{
"Ref": "LogProcessorRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionLogProcessorStack/LogProcessorRWSNSPolicy/Resource"
}
},
"LogProcessorRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "states.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Ref": "S3PublicAccessPolicy"
},
{
"Ref": "GluePublicAccessPolicy"
},
{
"Ref": "AthenaPublicAccessPolicy"
},
{
"Ref": "KMSPublicAccessPolicy"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionLogProcessorStack/LogProcessorRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"LogProcessor": {
"Type": "AWS::StepFunctions::StateMachine",
"Properties": {
"DefinitionString": {
"Fn::Join": [
"",
[
"{\"StartAt\":\"Put task info of Step Function to DynamoDB\",\"States\":{\"Put task info of Step Function to DynamoDB\":{\"Next\":\"Step 1: Migration S3 Objects from Staging to Archive\",\"Retry\":[{\"ErrorEquals\":[\"States.ALL\"],\"IntervalSeconds\":10,\"MaxAttempts\":5,\"BackoffRate\":2,\"MaxDelaySeconds\":120,\"JitterStrategy\":\"FULL\"}],\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::dynamodb:putItem\",\"Parameters\":{\"Item\":{\"executionName\":{\"S.$\":\"$$.Execution.Name\"},\"taskId\":{\"S\":\"00000000-0000-0000-0000-000000000000\"},\"API\":{\"S\":\"Step Functions: StartExecution\"},\"data\":{\"S.$\":\"States.JsonToString($$.Execution.Input)\"},\"pipelineId\":{\"S.$\":\"$.metadata.pipelineId\"},\"startTime\":{\"S.$\":\"$$.Execution.StartTime\"},\"stateMachineName\":{\"S.$\":\"$$.StateMachine.Name\"},\"stateName\":{\"S.$\":\"$$.State.Name\"},\"pipelineIndexKey\":{\"S.$\":\"States.Format('{}:{}:{}', $.metadata.pipelineId, $.metadata.scheduleType, '00000000-0000-0000-0000-000000000000')\"},\"status\":{\"S\":\"Running\"}},\"TableName\":\"",
{
"Ref": "ETLLog"
},
"\"}},\"Step 1: Migration S3 Objects from Staging to Archive\":{\"Next\":\"Staging has Data?\",\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.errors.S3MigrationTaskFromStagingToArchive\",\"Next\":\"Send Failure Notification\"}],\"Type\":\"Task\",\"ResultPath\":\"$.results.staging\",\"ResultSelector\":{\"hasObjects.$\":\"$.hasObjects\"},\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke.waitForTaskToken\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"S3ObjectScanning",
"Arn"
]
},
"\",\"Payload\":{\"metadata.$\":\"$.metadata\",\"executionName.$\":\"$$.Execution.Name\",\"srcPath.$\":\"$.metadata.s3.srcPath\",\"dstPath.$\":\"States.Format('{}/{}', $.metadata.s3.archivePath, $$.Execution.Name)\",\"sqsName\":\"",
{
"Fn::GetAtt": [
"S3ObjectMigrationQ",
"QueueName"
]
},
"\",\"keepPrefix\":true,\"merge\":false,\"deleteOnSuccess\":true,\"maxRecords\":15000,\"maxObjectFilesNumPerCopyTask\":50,\"maxObjectFilesSizePerCopyTask\":\"10GiB\",\"sourceType.$\":\"$.metadata.sourceType\",\"enrichmentPlugins.$\":\"$.metadata.enrichmentPlugins\",\"taskToken.$\":\"$$.Task.Token\",\"extra\":{\"pipelineId.$\":\"$.metadata.pipelineId\",\"stateMachineName.$\":\"$$.StateMachine.Name\",\"stateName.$\":\"$$.State.Name\",\"parentTaskId\":\"00000000-0000-0000-0000-000000000000\",\"API\":\"Lambda: Invoke\"}}}},\"Staging has Data?\":{\"Type\":\"Choice\",\"Choices\":[{\"Variable\":\"$.results.staging.hasObjects\",\"BooleanEquals\":true,\"Next\":\"Step 2: Execution input formatting...\"}],\"Default\":\"Update task status of Step Function to Succeeded\"},\"Update task status of Step Function to Succeeded\":{\"End\":true,\"Retry\":[{\"ErrorEquals\":[\"States.ALL\"],\"IntervalSeconds\":10,\"MaxAttempts\":5,\"BackoffRate\":2,\"MaxDelaySeconds\":120,\"JitterStrategy\":\"FULL\"}],\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::dynamodb:updateItem\",\"Parameters\":{\"Key\":{\"executionName\":{\"S.$\":\"$$.Execution.Name\"},\"taskId\":{\"S\":\"00000000-0000-0000-0000-000000000000\"}},\"TableName\":\"",
{
"Ref": "ETLLog"
},
"\",\"ExpressionAttributeNames\":{\"#status\":\"status\",\"#endTime\":\"endTime\"},\"ExpressionAttributeValues\":{\":status\":{\"S\":\"Succeeded\"},\":endTime\":{\"S.$\":\"$$.State.EnteredTime\"}},\"UpdateExpression\":\"SET #status = :status, #endTime = :endTime\"}},\"Measuring KPIs Map\":{\"Type\":\"Map\",\"ResultPath\":null,\"Next\":\"Update task status of Step Function to Succeeded\",\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.errors.measuringKPIsMap\",\"Next\":\"Send Failure Notification\"}],\"ItemsPath\":\"$.input.metadata.athena.statements.aggregate\",\"ItemSelector\":{\"metadata.$\":\"$.metadata\",\"aggregate.$\":\"$$.Map.Item.Value\"},\"ItemProcessor\":{\"ProcessorConfig\":{\"Mode\":\"INLINE\"},\"StartAt\":\"Step 3.4: Measuring KPIs in Athena - Optional\",\"States\":{\"Step 3.4: Measuring KPIs in Athena - Optional\":{\"End\":true,\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::states:startExecution.sync:2\",\"Parameters\":{\"Input\":{\"queryString.$\":\"$.aggregate\",\"workGroup\":\"CentralizedLoggingWithOpenSearch\",\"executionName.$\":\"$$.Execution.Name\",\"extra\":{\"parentTaskId\":\"00000000-0000-0000-0000-000000000000\",\"pipelineId.$\":\"$.metadata.pipelineId\",\"stateName.$\":\"$$.State.Name\"},\"taskTimeout\":{\"seconds\":1800},\"AWS_STEP_FUNCTIONS_STARTED_BY_EXECUTION_ID.$\":\"$$.Execution.Id\"},\"StateMachineArn\":\"",
{
"Ref": "AthenaWorkflow"
},
"\"}}}},\"MaxConcurrency\":1},\"Has errors or need aggregate?\":{\"Type\":\"Choice\",\"Choices\":[{\"Variable\":\"$.errors\",\"IsPresent\":true,\"Next\":\"Send Failure Notification\"},{\"Variable\":\"$.input.metadata.athena.statements.aggregate\",\"IsPresent\":true,\"Next\":\"Measuring KPIs Map\"}],\"Default\":\"Update task status of Step Function to Succeeded\"},\"Step 3.3: Dropping tmp table in Athena\":{\"Next\":\"Has errors or need aggregate?\",\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.errors.droppingTmpTableInAthena\",\"Next\":\"Send Failure Notification\"}],\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke.waitForTaskToken\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"ETLHelper",
"Arn"
]
},
"\",\"Payload\":{\"API\":\"Athena: StartQueryExecution\",\"executionName.$\":\"$$.Execution.Name\",\"taskId.$\":\"States.UUID()\",\"parameters\":{\"queryString.$\":\"$.input.metadata.athena.statements.drop\",\"workGroup\":\"CentralizedLoggingWithOpenSearch\",\"outputLocation\":\"s3://",
{
"Ref": "StagingBucket"
},
"/athena-results\"},\"extra\":{\"parentTaskId\":\"00000000-0000-0000-0000-000000000000\",\"pipelineId.$\":\"$.metadata.pipelineId\",\"stateMachineName.$\":\"$$.StateMachine.Name\",\"stateName.$\":\"$$.State.Name\"},\"taskToken.$\":\"$$.Task.Token\"}}},\"Step 3.2: Insert into delta from tmp table in Athena\":{\"Next\":\"Step 3.3: Dropping tmp table in Athena\",\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.errors.insertIntoDeltaFromTmpTableInAthena\",\"Next\":\"Step 3.3: Dropping tmp table in Athena\"}],\"Type\":\"Task\",\"TimeoutSeconds\":1800,\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::states:startExecution.sync:2\",\"Parameters\":{\"Input\":{\"queryString.$\":\"$.input.metadata.athena.statements.insert\",\"workGroup\":\"CentralizedLoggingWithOpenSearch\",\"executionName.$\":\"$$.Execution.Name\",\"extra\":{\"parentTaskId\":\"00000000-0000-0000-0000-000000000000\",\"pipelineId.$\":\"$.metadata.pipelineId\",\"stateName.$\":\"$$.State.Name\"},\"AWS_STEP_FUNCTIONS_STARTED_BY_EXECUTION_ID.$\":\"$$.Execution.Id\"},\"StateMachineArn\":\"",
{
"Ref": "AthenaWorkflow"
},
"\"}},\"Step 3.1: Create tmp table in Athena\":{\"Next\":\"Step 3.2: Insert into delta from tmp table in Athena\",\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.errors.createTmpTableInAthena\",\"Next\":\"Step 3.3: Dropping tmp table in Athena\"}],\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke.waitForTaskToken\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"ETLHelper",
"Arn"
]
},
"\",\"Payload\":{\"API\":\"Athena: StartQueryExecution\",\"executionName.$\":\"$$.Execution.Name\",\"taskId.$\":\"States.UUID()\",\"parameters\":{\"queryString.$\":\"$.input.metadata.athena.statements.create\",\"workGroup\":\"CentralizedLoggingWithOpenSearch\",\"outputLocation\":\"s3://",
{
"Ref": "StagingBucket"
},
"/athena-results\"},\"extra\":{\"parentTaskId\":\"00000000-0000-0000-0000-000000000000\",\"pipelineId.$\":\"$.metadata.pipelineId\",\"stateMachineName.$\":\"$$.StateMachine.Name\",\"stateName.$\":\"$$.State.Name\"},\"taskToken.$\":\"$$.Task.Token\"}}},\"Step 2: Execution input formatting...\":{\"Next\":\"Step 3.1: Create tmp table in Athena\",\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.errors.executionInputFormatting\",\"Next\":\"Send Failure Notification\"}],\"Type\":\"Task\",\"ResultPath\":\"$.input\",\"ResultSelector\":{\"metadata.$\":\"$.metadata\"},\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke.waitForTaskToken\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"ETLHelper",
"Arn"
]
},
"\",\"Payload\":{\"API\":\"Step Functions: ExecutionInputFormatter\",\"parameters\":{\"input\":{\"metadata.$\":\"$.metadata\"}},\"executionName.$\":\"$$.Execution.Name\",\"taskId.$\":\"States.UUID()\",\"taskToken.$\":\"$$.Task.Token\",\"extra\":{\"parentTaskId\":\"00000000-0000-0000-0000-000000000000\",\"pipelineId.$\":\"$.metadata.pipelineId\",\"stateMachineName.$\":\"$$.StateMachine.Name\",\"stateName.$\":\"$$.State.Name\"}}}},\"Send Failure Notification\":{\"Next\":\"Update task status of Step Function to Failed\",\"Type\":\"Task\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::sns:publish\",\"Parameters\":{\"TopicArn\":\"",
{
"Ref": "ReceiveStatesFailedTopic"
},
"\",\"Message\":{\"API\":\"SNS: Publish\",\"stateMachineId.$\":\"$$.StateMachine.Id\",\"stateMachineName.$\":\"$$.StateMachine.Name\",\"stateName.$\":\"$$.State.Name\",\"executionId.$\":\"$$.Execution.Id\",\"executionName.$\":\"$$.Execution.Name\",\"pipelineId.$\":\"$.metadata.pipelineId\",\"tableName.$\":\"$.metadata.athena.tableName\",\"scheduleType.$\":\"$.metadata.scheduleType\",\"sourceType.$\":\"$.metadata.sourceType\",\"notification.$\":\"$.metadata.notification\",\"archivePath.$\":\"States.Format('{}/{}', $.metadata.s3.archivePath, $$.Execution.Name)\",\"status\":\"Failed\",\"metadata.$\":\"$.metadata\"}}},\"Update task status of Step Function to Failed\":{\"Next\":\"Job Failed\",\"Retry\":[{\"ErrorEquals\":[\"States.ALL\"],\"IntervalSeconds\":10,\"MaxAttempts\":5,\"BackoffRate\":2,\"MaxDelaySeconds\":120,\"JitterStrategy\":\"FULL\"}],\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::dynamodb:updateItem\",\"Parameters\":{\"Key\":{\"executionName\":{\"S.$\":\"$$.Execution.Name\"},\"taskId\":{\"S\":\"00000000-0000-0000-0000-000000000000\"}},\"TableName\":\"",
{
"Ref": "ETLLog"
},
"\",\"ExpressionAttributeNames\":{\"#status\":\"status\",\"#endTime\":\"endTime\"},\"ExpressionAttributeValues\":{\":status\":{\"S\":\"Failed\"},\":endTime\":{\"S.$\":\"$$.State.EnteredTime\"}},\"UpdateExpression\":\"SET #status = :status, #endTime = :endTime\"}},\"Job Failed\":{\"Type\":\"Fail\"}}}"
]
]
},
"RoleArn": {
"Fn::GetAtt": [
"LogProcessorRole",
"Arn"
]
}
},
"DependsOn": [
"LogProcessorRole",
"LogProcessorStartStateMachinePolicy"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionLogProcessorStack/LogProcessor/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Step Function: LogProcessor does not need enable Logging.",
"id": "AwsSolutions-SF1"
}
]
}
}
},
"LogProcessorStartExecutionPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "states:StartExecution",
"Effect": "Allow",
"Resource": {
"Ref": "LogProcessor"
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "LogProcessorStartExecutionPolicy",
"Roles": [
{
"Ref": "LogProcessorStartExecutionRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionLogProcessorStack/LogProcessorStartExecutionPolicy/Resource"
}
},
"LogProcessorStartExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionLogProcessorStack/LogProcessorStartExecutionRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"LogMergerLambdaInvokePolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"S3ObjectScanning",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"S3ObjectScanning",
"Arn"
]
},
":*"
]
]
},
{
"Fn::GetAtt": [
"ETLHelper",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"ETLHelper",
"Arn"
]
},
":*"
]
]
},
{
"Fn::GetAtt": [
"SendTemplateEmail",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"SendTemplateEmail",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "LogMergerLambdaInvokePolicy",
"Roles": [
{
"Ref": "LogMergerRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionLogMergerStack/LogMergerLambdaInvokePolicy/Resource"
}
},
"LogMergerRWDDBPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"dynamodb:PutItem",
"dynamodb:UpdateItem"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"ETLLog",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "LogMergerRWDDBPolicy",
"Roles": [
{
"Ref": "LogMergerRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionLogMergerStack/LogMergerRWDDBPolicy/Resource"
}
},
"LogMergerRWSNSPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "SNS:Publish",
"Effect": "Allow",
"Resource": {
"Ref": "ReceiveStatesFailedTopic"
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "LogMergerRWSNSPolicy",
"Roles": [
{
"Ref": "LogMergerRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionLogMergerStack/LogMergerRWSNSPolicy/Resource"
}
},
"LogMergerRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "states.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Ref": "KMSPublicAccessPolicy"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionLogMergerStack/LogMergerRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"LogMerger": {
"Type": "AWS::StepFunctions::StateMachine",
"Properties": {
"DefinitionString": {
"Fn::Join": [
"",
[
"{\"StartAt\":\"Put task info of Step Function to DynamoDB\",\"States\":{\"Put task info of Step Function to DynamoDB\":{\"Next\":\"Convert Execution.StartTime to etl date\",\"Retry\":[{\"ErrorEquals\":[\"States.ALL\"],\"IntervalSeconds\":10,\"MaxAttempts\":5,\"BackoffRate\":2,\"MaxDelaySeconds\":120,\"JitterStrategy\":\"FULL\"}],\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::dynamodb:putItem\",\"Parameters\":{\"Item\":{\"executionName\":{\"S.$\":\"$$.Execution.Name\"},\"taskId\":{\"S\":\"00000000-0000-0000-0000-000000000000\"},\"API\":{\"S\":\"Step Functions: StartExecution\"},\"data\":{\"S.$\":\"States.JsonToString($$.Execution.Input)\"},\"pipelineId\":{\"S.$\":\"$.metadata.pipelineId\"},\"startTime\":{\"S.$\":\"$$.Execution.StartTime\"},\"stateMachineName\":{\"S.$\":\"$$.StateMachine.Name\"},\"stateName\":{\"S.$\":\"$$.State.Name\"},\"pipelineIndexKey\":{\"S.$\":\"States.Format('{}:{}:{}', $.metadata.pipelineId, $.metadata.scheduleType, '00000000-0000-0000-0000-000000000000')\"},\"status\":{\"S\":\"Running\"}},\"TableName\":\"",
{
"Ref": "ETLLog"
},
"\"}},\"Convert Execution.StartTime to etl date\":{\"Next\":\"Step 1: Merge S3 Objects from Delta to Archive\",\"Type\":\"Task\",\"ResultPath\":\"$.results.migrationDate\",\"ResultSelector\":{\"date.$\":\"$.Payload.date\"},\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"ETLHelper",
"Arn"
]
},
"\",\"Payload\":{\"API\":\"ETL: DateTransform\",\"executionName.$\":\"$$.Execution.Name\",\"taskId.$\":\"States.UUID()\",\"parameters\":{\"dateString.$\":\"$$.Execution.StartTime\",\"format\":\"%Y-%m-%dT%H:%M:%S.%f%z\",\"intervalDays.$\":\"$.metadata.athena.intervalDays\"},\"extra\":{\"parentTaskId\":\"00000000-0000-0000-0000-000000000000\",\"pipelineId.$\":\"$.metadata.pipelineId\",\"stateMachineName.$\":\"$$.StateMachine.Name\",\"stateName.$\":\"$$.State.Name\"}}}},\"Step 1: Merge S3 Objects from Delta to Archive\":{\"Next\":\"Delta has Data?\",\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.errors.S3MergeTaskFromDeltaToArchive\",\"Next\":\"Send Failure Notification\"}],\"Type\":\"Task\",\"ResultPath\":\"$.results.delta\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke.waitForTaskToken\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"S3ObjectScanning",
"Arn"
]
},
"\",\"Payload\":{\"executionName.$\":\"$$.Execution.Name\",\"srcPath.$\":\"States.Format('{}/{}={}', $.metadata.s3.srcPath, $.metadata.athena.firstPartitionKey, $.results.migrationDate.date)\",\"dstPath.$\":\"States.Format('{}/{}/merge/{}={}', $.metadata.s3.archivePath, $$.Execution.Name, $.metadata.athena.firstPartitionKey, $.results.migrationDate.date)\",\"sqsName\":\"",
{
"Fn::GetAtt": [
"S3ObjectMergeQ",
"QueueName"
]
},
"\",\"keepPrefix.$\":\"$.metadata.athena.partitionInfo\",\"merge\":true,\"size\":\"256MiB\",\"deleteOnSuccess\":false,\"maxRecords\":-1,\"maxObjectFilesNumPerCopyTask\":1000,\"maxObjectFilesSizePerCopyTask\":\"10GiB\",\"taskToken.$\":\"$$.Task.Token\",\"extra\":{\"pipelineId.$\":\"$.metadata.pipelineId\",\"stateMachineName.$\":\"$$.StateMachine.Name\",\"stateName.$\":\"$$.State.Name\",\"parentTaskId\":\"00000000-0000-0000-0000-000000000000\",\"API\":\"Lambda: Invoke\"}}}},\"Delta has Data?\":{\"Type\":\"Choice\",\"Choices\":[{\"Variable\":\"$.results.delta.hasObjects\",\"BooleanEquals\":true,\"Next\":\"Step 2: Migration S3 Objects from Delta to Archive for Backup\"}],\"Default\":\"Update task status of Step Function to Succeeded\"},\"Update task status of Step Function to Succeeded\":{\"End\":true,\"Retry\":[{\"ErrorEquals\":[\"States.ALL\"],\"IntervalSeconds\":10,\"MaxAttempts\":5,\"BackoffRate\":2,\"MaxDelaySeconds\":120,\"JitterStrategy\":\"FULL\"}],\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::dynamodb:updateItem\",\"Parameters\":{\"Key\":{\"executionName\":{\"S.$\":\"$$.Execution.Name\"},\"taskId\":{\"S\":\"00000000-0000-0000-0000-000000000000\"}},\"TableName\":\"",
{
"Ref": "ETLLog"
},
"\",\"ExpressionAttributeNames\":{\"#status\":\"status\",\"#endTime\":\"endTime\"},\"ExpressionAttributeValues\":{\":status\":{\"S\":\"Succeeded\"},\":endTime\":{\"S.$\":\"$$.State.EnteredTime\"}},\"UpdateExpression\":\"SET #status = :status, #endTime = :endTime\"}},\"Step 5: Batch Drop Partitions before Merging\":{\"Next\":\"Update task status of Step Function to Succeeded\",\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.errors.dropPartitionForDeltaTable\",\"Next\":\"Send Failure Notification\"}],\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"ETLHelper",
"Arn"
]
},
"\",\"Payload\":{\"API\":\"Athena: BatchUpdatePartition\",\"executionName.$\":\"$$.Execution.Name\",\"taskId.$\":\"States.UUID()\",\"parameters\":{\"action\":\"DROP\",\"database.$\":\"$.metadata.athena.database\",\"tableName.$\":\"$.metadata.athena.tableName\",\"location.$\":\"States.Format('{}/{}/original', $.metadata.s3.archivePath, $$.Execution.Name)\",\"partitionPrefix.$\":\"States.Format('{}={}', $.metadata.athena.firstPartitionKey, $.results.migrationDate.date)\",\"workGroup\":\"CentralizedLoggingWithOpenSearch\",\"outputLocation\":\"s3://",
{
"Ref": "StagingBucket"
},
"/athena-results\"},\"extra\":{\"parentTaskId\":\"00000000-0000-0000-0000-000000000000\",\"pipelineId.$\":\"$.metadata.pipelineId\",\"stateMachineName.$\":\"$$.StateMachine.Name\",\"stateName.$\":\"$$.State.Name\"}}}},\"Step 4: Add Merged Partitions in Batch operation\":{\"Next\":\"Step 5: Batch Drop Partitions before Merging\",\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.errors.addPartitionForDeltaTable\",\"Next\":\"Send Failure Notification\"}],\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"ETLHelper",
"Arn"
]
},
"\",\"Payload\":{\"API\":\"Athena: BatchUpdatePartition\",\"executionName.$\":\"$$.Execution.Name\",\"taskId.$\":\"States.UUID()\",\"parameters\":{\"action\":\"ADD\",\"database.$\":\"$.metadata.athena.database\",\"tableName.$\":\"$.metadata.athena.tableName\",\"location.$\":\"$.metadata.s3.srcPath\",\"partitionPrefix.$\":\"States.Format('{}={}', $.metadata.athena.firstPartitionKey, $.results.migrationDate.date)\",\"workGroup\":\"CentralizedLoggingWithOpenSearch\",\"outputLocation\":\"s3://",
{
"Ref": "StagingBucket"
},
"/athena-results\"},\"extra\":{\"parentTaskId\":\"00000000-0000-0000-0000-000000000000\",\"pipelineId.$\":\"$.metadata.pipelineId\",\"stateMachineName.$\":\"$$.StateMachine.Name\",\"stateName.$\":\"$$.State.Name\"}}}},\"Step 3: Migration Merged S3 Objects from Archive to Delta\":{\"Next\":\"Step 4: Add Merged Partitions in Batch operation\",\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.errors.S3MergedMigrationTaskFromArchiveToDelta\",\"Next\":\"Send Failure Notification\"}],\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke.waitForTaskToken\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"S3ObjectScanning",
"Arn"
]
},
"\",\"Payload\":{\"executionName.$\":\"$$.Execution.Name\",\"srcPath.$\":\"States.Format('{}/{}/merge/{}={}', $.metadata.s3.archivePath, $$.Execution.Name, $.metadata.athena.firstPartitionKey, $.results.migrationDate.date)\",\"dstPath.$\":\"States.Format('{}/{}={}', $.metadata.s3.srcPath, $.metadata.athena.firstPartitionKey, $.results.migrationDate.date)\",\"sqsName\":\"",
{
"Fn::GetAtt": [
"S3ObjectMigrationQ",
"QueueName"
]
},
"\",\"keepPrefix\":true,\"merge\":false,\"deleteOnSuccess\":true,\"maxRecords\":-1,\"maxObjectFilesNumPerCopyTask\":1000,\"maxObjectFilesSizePerCopyTask\":\"10GiB\",\"taskToken.$\":\"$$.Task.Token\",\"extra\":{\"pipelineId.$\":\"$.metadata.pipelineId\",\"stateMachineName.$\":\"$$.StateMachine.Name\",\"stateName.$\":\"$$.State.Name\",\"parentTaskId\":\"00000000-0000-0000-0000-000000000000\",\"API\":\"Lambda: Invoke\"}}}},\"Step 2: Migration S3 Objects from Delta to Archive for Backup\":{\"Next\":\"Step 3: Migration Merged S3 Objects from Archive to Delta\",\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.errors.S3MigrationTaskFromDeltaToArchive\",\"Next\":\"Send Failure Notification\"}],\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke.waitForTaskToken\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"S3ObjectScanning",
"Arn"
]
},
"\",\"Payload\":{\"executionName.$\":\"$$.Execution.Name\",\"srcPath.$\":\"States.Format('{}/{}={}', $.metadata.s3.srcPath, $.metadata.athena.firstPartitionKey, $.results.migrationDate.date)\",\"dstPath.$\":\"States.Format('{}/{}/original/{}={}', $.metadata.s3.archivePath, $$.Execution.Name, $.metadata.athena.firstPartitionKey, $.results.migrationDate.date)\",\"sqsName\":\"",
{
"Fn::GetAtt": [
"S3ObjectMigrationQ",
"QueueName"
]
},
"\",\"keepPrefix\":true,\"merge\":false,\"deleteOnSuccess\":true,\"maxRecords\":-1,\"maxObjectFilesNumPerCopyTask\":1000,\"maxObjectFilesSizePerCopyTask\":\"10GiB\",\"taskToken.$\":\"$$.Task.Token\",\"extra\":{\"pipelineId.$\":\"$.metadata.pipelineId\",\"stateMachineName.$\":\"$$.StateMachine.Name\",\"stateName.$\":\"$$.State.Name\",\"parentTaskId\":\"00000000-0000-0000-0000-000000000000\",\"API\":\"Lambda: Invoke\"}}}},\"Send Failure Notification\":{\"Next\":\"Update task status of Step Function to Failed\",\"Type\":\"Task\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::sns:publish\",\"Parameters\":{\"TopicArn\":\"",
{
"Ref": "ReceiveStatesFailedTopic"
},
"\",\"Message\":{\"API\":\"SNS: Publish\",\"stateMachineId.$\":\"$$.StateMachine.Id\",\"stateMachineName.$\":\"$$.StateMachine.Name\",\"stateName.$\":\"$$.State.Name\",\"executionId.$\":\"$$.Execution.Id\",\"executionName.$\":\"$$.Execution.Name\",\"pipelineId.$\":\"$.metadata.pipelineId\",\"tableName.$\":\"$.metadata.athena.tableName\",\"scheduleType.$\":\"$.metadata.scheduleType\",\"sourceType.$\":\"$.metadata.sourceType\",\"notification.$\":\"$.metadata.notification\",\"archivePath.$\":\"States.Format('{}/{}/original', $.metadata.s3.archivePath, $$.Execution.Name)\",\"status\":\"Failed\",\"metadata.$\":\"$.metadata\"}}},\"Update task status of Step Function to Failed\":{\"Next\":\"Job Failed\",\"Retry\":[{\"ErrorEquals\":[\"States.ALL\"],\"IntervalSeconds\":10,\"MaxAttempts\":5,\"BackoffRate\":2,\"MaxDelaySeconds\":120,\"JitterStrategy\":\"FULL\"}],\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::dynamodb:updateItem\",\"Parameters\":{\"Key\":{\"executionName\":{\"S.$\":\"$$.Execution.Name\"},\"taskId\":{\"S\":\"00000000-0000-0000-0000-000000000000\"}},\"TableName\":\"",
{
"Ref": "ETLLog"
},
"\",\"ExpressionAttributeNames\":{\"#status\":\"status\",\"#endTime\":\"endTime\"},\"ExpressionAttributeValues\":{\":status\":{\"S\":\"Failed\"},\":endTime\":{\"S.$\":\"$$.State.EnteredTime\"}},\"UpdateExpression\":\"SET #status = :status, #endTime = :endTime\"}},\"Job Failed\":{\"Type\":\"Fail\"}}}"
]
]
},
"RoleArn": {
"Fn::GetAtt": [
"LogMergerRole",
"Arn"
]
}
},
"DependsOn": [
"LogMergerRole"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionLogMergerStack/LogMerger/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Step Function: LogMerger does not need enable Logging.",
"id": "AwsSolutions-SF1"
}
]
}
}
},
"LogMergerStartExecutionPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "states:StartExecution",
"Effect": "Allow",
"Resource": {
"Ref": "LogMerger"
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "LogMergerStartExecutionPolicy",
"Roles": [
{
"Ref": "LogMergerStartExecutionRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionLogMergerStack/LogMergerStartExecutionPolicy/Resource"
}
},
"LogMergerStartExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionLogMergerStack/LogMergerStartExecutionRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"LogArchiveLambdaInvokePolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"S3ObjectScanning",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"S3ObjectScanning",
"Arn"
]
},
":*"
]
]
},
{
"Fn::GetAtt": [
"ETLHelper",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"ETLHelper",
"Arn"
]
},
":*"
]
]
},
{
"Fn::GetAtt": [
"SendTemplateEmail",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"SendTemplateEmail",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "LogArchiveLambdaInvokePolicy",
"Roles": [
{
"Ref": "LogArchiveRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionLogArchiveStack/LogArchiveLambdaInvokePolicy/Resource"
}
},
"LogArchiveRWDDBPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"dynamodb:PutItem",
"dynamodb:UpdateItem"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"ETLLog",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "LogArchiveRWDDBPolicy",
"Roles": [
{
"Ref": "LogArchiveRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionLogArchiveStack/LogArchiveRWDDBPolicy/Resource"
}
},
"LogArchiveRWSNSPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "SNS:Publish",
"Effect": "Allow",
"Resource": {
"Ref": "ReceiveStatesFailedTopic"
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "LogArchiveRWSNSPolicy",
"Roles": [
{
"Ref": "LogArchiveRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionLogArchiveStack/LogArchiveRWSNSPolicy/Resource"
}
},
"LogArchiveRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "states.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Ref": "KMSPublicAccessPolicy"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionLogArchiveStack/LogArchiveRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"LogArchive": {
"Type": "AWS::StepFunctions::StateMachine",
"Properties": {
"DefinitionString": {
"Fn::Join": [
"",
[
"{\"StartAt\":\"Put task info of Step Function to DynamoDB\",\"States\":{\"Put task info of Step Function to DynamoDB\":{\"Next\":\"Convert Execution.StartTime to Archive date\",\"Retry\":[{\"ErrorEquals\":[\"States.ALL\"],\"IntervalSeconds\":10,\"MaxAttempts\":5,\"BackoffRate\":2,\"MaxDelaySeconds\":120,\"JitterStrategy\":\"FULL\"}],\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::dynamodb:putItem\",\"Parameters\":{\"Item\":{\"executionName\":{\"S.$\":\"$$.Execution.Name\"},\"taskId\":{\"S\":\"00000000-0000-0000-0000-000000000000\"},\"API\":{\"S\":\"Step Functions: StartExecution\"},\"data\":{\"S.$\":\"States.JsonToString($$.Execution.Input)\"},\"pipelineId\":{\"S.$\":\"$.metadata.pipelineId\"},\"startTime\":{\"S.$\":\"$$.Execution.StartTime\"},\"stateMachineName\":{\"S.$\":\"$$.StateMachine.Name\"},\"stateName\":{\"S.$\":\"$$.State.Name\"},\"pipelineIndexKey\":{\"S.$\":\"States.Format('{}:{}:{}', $.metadata.pipelineId, $.metadata.scheduleType, '00000000-0000-0000-0000-000000000000')\"},\"status\":{\"S\":\"Running\"}},\"TableName\":\"",
{
"Ref": "ETLLog"
},
"\"}},\"Convert Execution.StartTime to Archive date\":{\"Next\":\"Step 1: Migration S3 Objects from Delta to Archive\",\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.errors.convertStartTimeToArchiveDate\",\"Next\":\"Send Failure Notification\"}],\"Type\":\"Task\",\"ResultPath\":\"$.results.migrationDate\",\"ResultSelector\":{\"date.$\":\"$.Payload.date\"},\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"ETLHelper",
"Arn"
]
},
"\",\"Payload\":{\"API\":\"ETL: DateTransform\",\"executionName.$\":\"$$.Execution.Name\",\"taskId.$\":\"States.UUID()\",\"parameters\":{\"dateString.$\":\"$$.Execution.StartTime\",\"format\":\"%Y-%m-%dT%H:%M:%S.%f%z\",\"intervalDays.$\":\"$.metadata.athena.intervalDays\"},\"extra\":{\"parentTaskId\":\"00000000-0000-0000-0000-000000000000\",\"pipelineId.$\":\"$.metadata.pipelineId\",\"stateMachineName.$\":\"$$.StateMachine.Name\",\"stateName.$\":\"$$.State.Name\"}}}},\"Step 1: Migration S3 Objects from Delta to Archive\":{\"Next\":\"Delta has Data?\",\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.errors.S3MigrationTaskFromHistoryToArchive\",\"Next\":\"Send Failure Notification\"}],\"Type\":\"Task\",\"ResultPath\":\"$.results.delta\",\"ResultSelector\":{\"hasObjects.$\":\"$.hasObjects\"},\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke.waitForTaskToken\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"S3ObjectScanning",
"Arn"
]
},
"\",\"Payload\":{\"executionName.$\":\"$$.Execution.Name\",\"srcPath.$\":\"States.Format('{}/{}={}', $.metadata.s3.srcPath, $.metadata.athena.firstPartitionKey, $.results.migrationDate.date)\",\"dstPath.$\":\"States.Format('{}/{}/{}={}', $.metadata.s3.archivePath, $$.Execution.Name, $.metadata.athena.firstPartitionKey, $.results.migrationDate.date)\",\"sqsName\":\"",
{
"Fn::GetAtt": [
"S3ObjectMigrationQ",
"QueueName"
]
},
"\",\"keepPrefix\":true,\"merge\":false,\"deleteOnSuccess\":true,\"maxRecords\":-1,\"maxObjectFilesNumPerCopyTask\":1000,\"maxObjectFilesSizePerCopyTask\":\"10GiB\",\"taskToken.$\":\"$$.Task.Token\",\"extra\":{\"pipelineId.$\":\"$.metadata.pipelineId\",\"stateMachineName.$\":\"$$.StateMachine.Name\",\"stateName.$\":\"$$.State.Name\",\"parentTaskId\":\"00000000-0000-0000-0000-000000000000\",\"API\":\"Lambda: Invoke\"}}}},\"Delta has Data?\":{\"Type\":\"Choice\",\"Choices\":[{\"Variable\":\"$.results.delta.hasObjects\",\"BooleanEquals\":true,\"Next\":\"Step 2: Batch Drop Partitions for History Data\"}],\"Default\":\"Update task status of Step Function to Succeeded\"},\"Update task status of Step Function to Succeeded\":{\"End\":true,\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::dynamodb:updateItem\",\"Parameters\":{\"Key\":{\"executionName\":{\"S.$\":\"$$.Execution.Name\"},\"taskId\":{\"S\":\"00000000-0000-0000-0000-000000000000\"}},\"TableName\":\"",
{
"Ref": "ETLLog"
},
"\",\"ExpressionAttributeNames\":{\"#status\":\"status\",\"#endTime\":\"endTime\"},\"ExpressionAttributeValues\":{\":status\":{\"S\":\"Succeeded\"},\":endTime\":{\"S.$\":\"$$.State.EnteredTime\"}},\"UpdateExpression\":\"SET #status = :status, #endTime = :endTime\"}},\"Step 2: Batch Drop Partitions for History Data\":{\"Next\":\"Update task status of Step Function to Succeeded\",\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.errors.dropPartitionForHistoryTable\",\"Next\":\"Send Failure Notification\"}],\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"ETLHelper",
"Arn"
]
},
"\",\"Payload\":{\"API\":\"Athena: BatchUpdatePartition\",\"executionName.$\":\"$$.Execution.Name\",\"taskId.$\":\"States.UUID()\",\"parameters\":{\"action\":\"DROP\",\"database.$\":\"$.metadata.athena.database\",\"tableName.$\":\"$.metadata.athena.tableName\",\"location.$\":\"States.Format('{}/{}', $.metadata.s3.archivePath, $$.Execution.Name)\",\"partitionPrefix.$\":\"States.Format('{}={}', $.metadata.athena.firstPartitionKey, $.results.migrationDate.date)\",\"workGroup\":\"CentralizedLoggingWithOpenSearch\",\"outputLocation\":\"s3://",
{
"Ref": "StagingBucket"
},
"/athena-results\"},\"extra\":{\"parentTaskId\":\"00000000-0000-0000-0000-000000000000\",\"pipelineId.$\":\"$.metadata.pipelineId\",\"stateMachineName.$\":\"$$.StateMachine.Name\",\"stateName.$\":\"$$.State.Name\"}}}},\"Send Failure Notification\":{\"Next\":\"Update task status of Step Function to Failed\",\"Type\":\"Task\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::sns:publish\",\"Parameters\":{\"TopicArn\":\"",
{
"Ref": "ReceiveStatesFailedTopic"
},
"\",\"Message\":{\"API\":\"SNS: Publish\",\"stateMachineId.$\":\"$$.StateMachine.Id\",\"stateMachineName.$\":\"$$.StateMachine.Name\",\"stateName.$\":\"$$.State.Name\",\"executionId.$\":\"$$.Execution.Id\",\"executionName.$\":\"$$.Execution.Name\",\"pipelineId.$\":\"$.metadata.pipelineId\",\"tableName.$\":\"$.metadata.athena.tableName\",\"scheduleType.$\":\"$.metadata.scheduleType\",\"sourceType.$\":\"$.metadata.sourceType\",\"notification.$\":\"$.metadata.notification\",\"archivePath.$\":\"States.Format('{}/{}/original', $.metadata.s3.archivePath, $$.Execution.Name)\",\"status\":\"Failed\",\"metadata.$\":\"$.metadata\"}}},\"Update task status of Step Function to Failed\":{\"Next\":\"Job Failed\",\"Retry\":[{\"ErrorEquals\":[\"States.ALL\"],\"IntervalSeconds\":10,\"MaxAttempts\":5,\"BackoffRate\":2,\"MaxDelaySeconds\":120,\"JitterStrategy\":\"FULL\"}],\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::dynamodb:updateItem\",\"Parameters\":{\"Key\":{\"executionName\":{\"S.$\":\"$$.Execution.Name\"},\"taskId\":{\"S\":\"00000000-0000-0000-0000-000000000000\"}},\"TableName\":\"",
{
"Ref": "ETLLog"
},
"\",\"ExpressionAttributeNames\":{\"#status\":\"status\",\"#endTime\":\"endTime\"},\"ExpressionAttributeValues\":{\":status\":{\"S\":\"Failed\"},\":endTime\":{\"S.$\":\"$$.State.EnteredTime\"}},\"UpdateExpression\":\"SET #status = :status, #endTime = :endTime\"}},\"Job Failed\":{\"Type\":\"Fail\"}}}"
]
]
},
"RoleArn": {
"Fn::GetAtt": [
"LogArchiveRole",
"Arn"
]
}
},
"DependsOn": [
"LogArchiveRole"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionLogArchiveStack/LogArchive/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Step Function: LogArchive does not need enable Logging.",
"id": "AwsSolutions-SF1"
}
]
}
}
},
"LogArchiveStartExecutionPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "states:StartExecution",
"Effect": "Allow",
"Resource": {
"Ref": "LogArchive"
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "LogArchiveStartExecutionPolicy",
"Roles": [
{
"Ref": "LogArchiveStartExecutionRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionLogArchiveStack/LogArchiveStartExecutionPolicy/Resource"
}
},
"LogArchiveStartExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/StepFunctionLogArchiveStack/LogArchiveStartExecutionRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"S3ObjectMigrationCallbackSFN": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"states:SendTaskSuccess",
"states:SendTaskFailure",
"states:SendTaskHeartbeat"
],
"Effect": "Allow",
"Resource": [
{
"Ref": "LogProcessor"
},
{
"Ref": "LogMerger"
},
{
"Ref": "LogArchive"
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "S3ObjectMigrationCallbackSFN",
"Roles": [
{
"Ref": "S3ObjectMigrationRole"
},
{
"Ref": "ETLHelperRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/S3ObjectMigrationCallbackSFN/Resource"
}
},
"SFNPassRolePolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "iam:PassRole",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogProcessorStartExecutionRole",
"Arn"
]
},
{
"Fn::GetAtt": [
"LogMergerStartExecutionRole",
"Arn"
]
},
{
"Fn::GetAtt": [
"LogArchiveStartExecutionRole",
"Arn"
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "SFNPassRolePolicy",
"Roles": [
{
"Ref": "PipelineResourcesBuilderRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/SFNPassRolePolicy/Resource"
}
},
"UpdateAssumeRolePolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"iam:GetRole",
"iam:UpdateAssumeRolePolicy"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogProcessorStartExecutionRole",
"Arn"
]
},
{
"Fn::GetAtt": [
"LogMergerStartExecutionRole",
"Arn"
]
},
{
"Fn::GetAtt": [
"LogArchiveStartExecutionRole",
"Arn"
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "UpdateAssumeRolePolicy",
"Roles": [
{
"Ref": "MetadataWriterRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/StepFunction/UpdateAssumeRolePolicy/Resource"
}
},
"MicroBatchStackDynamoDBDataMetadataWriterProviderframeworkonEventServiceRole681E7854": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/DynamoDBData/MetadataWriterProvider/framework-onEvent/ServiceRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"MicroBatchStackDynamoDBDataMetadataWriterProviderframeworkonEventServiceRoleDefaultPolicy9C4F0F84": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"MetadataWriter",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"MetadataWriter",
"Arn"
]
},
":*"
]
]
}
]
},
{
"Action": "lambda:GetFunction",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"MetadataWriter",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "MicroBatchStackDynamoDBDataMetadataWriterProviderframeworkonEventServiceRoleDefaultPolicy9C4F0F84",
"Roles": [
{
"Ref": "MicroBatchStackDynamoDBDataMetadataWriterProviderframeworkonEventServiceRole681E7854"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/DynamoDBData/MetadataWriterProvider/framework-onEvent/ServiceRole/DefaultPolicy/Resource"
}
},
"MicroBatchStackDynamoDBDataMetadataWriterProviderframeworkonEvent6DFE478B": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/07a90cc3efdfc34da22208dcd9d211f06f5b0e01b21e778edc7c3966b1f61d57.zip"
},
"Description": "AWS CDK resource provider framework - onEvent (CentralizedLogging/MicroBatchStack/DynamoDBData/MetadataWriterProvider)",
"Environment": {
"Variables": {
"USER_ON_EVENT_FUNCTION_ARN": {
"Fn::GetAtt": [
"MetadataWriter",
"Arn"
]
}
}
},
"FunctionName": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
"-MetadataWriterProvider"
]
]
},
"Handler": "framework.onEvent",
"LoggingConfig": {
"Fn::If": [
"AWSCNCondition",
{
"Ref": "AWS::NoValue"
},
{
"LogFormat": "JSON",
"ApplicationLogLevel": "FATAL"
}
]
},
"Role": {
"Fn::GetAtt": [
"MicroBatchStackDynamoDBDataMetadataWriterProviderframeworkonEventServiceRole681E7854",
"Arn"
]
},
"Runtime": "nodejs22.x",
"Timeout": 900
},
"DependsOn": [
"MicroBatchStackDynamoDBDataMetadataWriterProviderframeworkonEventServiceRoleDefaultPolicy9C4F0F84",
"MicroBatchStackDynamoDBDataMetadataWriterProviderframeworkonEventServiceRole681E7854"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/DynamoDBData/MetadataWriterProvider/framework-onEvent/Resource",
"aws:asset:path": "asset.07a90cc3efdfc34da22208dcd9d211f06f5b0e01b21e778edc7c3966b1f61d57",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"MetadataWriterCustomResource": {
"Type": "AWS::CloudFormation::CustomResource",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"MicroBatchStackDynamoDBDataMetadataWriterProviderframeworkonEvent6DFE478B",
"Arn"
]
},
"Items": [
{
"metaName": "EmailAddress",
"service": "CloudFormation",
"type": "Parameter",
"arn": "",
"name": "EmailAddress",
"value": {
"Ref": "adminEmail"
}
},
{
"metaName": "SimpleEmailServiceState",
"service": "CloudFormation",
"type": "Parameter",
"arn": "",
"name": "SimpleEmailServiceState",
"value": "DISABLED"
},
{
"metaName": "SimpleEmailServiceTemplate",
"service": "SES",
"type": "Template",
"arn": "",
"name": "SimpleEmailServiceTemplate",
"value": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
"-SESEmailTemplate"
]
]
}
},
{
"metaName": "AccountId",
"service": "AWS",
"type": "Account",
"arn": "",
"name": "Account",
"value": {
"Ref": "AWS::AccountId"
}
},
{
"metaName": "Region",
"service": "AWS",
"type": "Region",
"arn": "",
"name": "Region",
"value": {
"Ref": "AWS::Region"
}
},
{
"metaName": "Partition",
"service": "AWS",
"type": "Partition",
"arn": "",
"name": "Partition",
"value": {
"Ref": "AWS::Partition"
}
},
{
"metaName": "ETLLogTimeToLiveSecs",
"service": "Solution",
"type": "Parameter",
"arn": "",
"name": "ETLLogTimeToLiveSecs",
"value": 2592000
},
{
"metaName": "StagingBucket",
"service": "S3",
"arn": {
"Fn::GetAtt": [
"StagingBucket",
"Arn"
]
},
"name": {
"Ref": "StagingBucket"
}
},
{
"metaName": "SendTemplateEmailSNSPublicPolicy",
"service": "IAM",
"type": "Policy",
"arn": {
"Ref": "SendTemplateEmailSNSPublicPolicy"
},
"name": {
"Fn::Select": [
1,
{
"Fn::Split": [
"/",
{
"Fn::Select": [
5,
{
"Fn::Split": [
":",
{
"Ref": "SendTemplateEmailSNSPublicPolicy"
}
]
}
]
}
]
}
]
}
},
{
"metaName": "S3PublicAccessPolicy",
"service": "IAM",
"type": "Policy",
"arn": {
"Ref": "S3PublicAccessPolicy"
},
"name": {
"Fn::Select": [
1,
{
"Fn::Split": [
"/",
{
"Fn::Select": [
5,
{
"Fn::Split": [
":",
{
"Ref": "S3PublicAccessPolicy"
}
]
}
]
}
]
}
]
}
},
{
"metaName": "GluePublicAccessPolicy",
"service": "IAM",
"type": "Policy",
"arn": {
"Ref": "GluePublicAccessPolicy"
},
"name": {
"Fn::Select": [
1,
{
"Fn::Split": [
"/",
{
"Fn::Select": [
5,
{
"Fn::Split": [
":",
{
"Ref": "GluePublicAccessPolicy"
}
]
}
]
}
]
}
]
}
},
{
"metaName": "LogProcessorStartExecutionRole",
"service": "IAM",
"type": "Role",
"arn": {
"Fn::GetAtt": [
"LogProcessorStartExecutionRole",
"Arn"
]
},
"name": {
"Ref": "LogProcessorStartExecutionRole"
},
"url": {
"Fn::Join": [
"",
[
"https://",
{
"Ref": "AWS::Region"
},
".console.aws.amazon.com/iamv2/home?region=",
{
"Ref": "AWS::Region"
},
"#/roles/details/",
{
"Ref": "LogProcessorStartExecutionRole"
}
]
]
}
},
{
"metaName": "LogMergerStartExecutionRole",
"service": "IAM",
"type": "Role",
"arn": {
"Fn::GetAtt": [
"LogMergerStartExecutionRole",
"Arn"
]
},
"name": {
"Ref": "LogMergerStartExecutionRole"
},
"url": {
"Fn::Join": [
"",
[
"https://",
{
"Ref": "AWS::Region"
},
".console.aws.amazon.com/iamv2/home?region=",
{
"Ref": "AWS::Region"
},
"#/roles/details/",
{
"Ref": "LogMergerStartExecutionRole"
}
]
]
}
},
{
"metaName": "LogArchiveStartExecutionRole",
"service": "IAM",
"type": "Role",
"arn": {
"Fn::GetAtt": [
"LogArchiveStartExecutionRole",
"Arn"
]
},
"name": {
"Ref": "LogArchiveStartExecutionRole"
},
"url": {
"Fn::Join": [
"",
[
"https://",
{
"Ref": "AWS::Region"
},
".console.aws.amazon.com/iamv2/home?region=",
{
"Ref": "AWS::Region"
},
"#/roles/details/",
{
"Ref": "LogArchiveStartExecutionRole"
}
]
]
}
},
{
"metaName": "ETLHelperRole",
"service": "IAM",
"type": "Role",
"arn": {
"Fn::GetAtt": [
"ETLHelperRole",
"Arn"
]
},
"name": {
"Ref": "ETLHelperRole"
},
"url": {
"Fn::Join": [
"",
[
"https://",
{
"Ref": "AWS::Region"
},
".console.aws.amazon.com/iamv2/home?region=",
{
"Ref": "AWS::Region"
},
"#/roles/details/",
{
"Ref": "ETLHelperRole"
}
]
]
}
},
{
"metaName": "PipelineResourcesBuilder",
"service": "Lambda",
"type": "Function",
"arn": {
"Fn::GetAtt": [
"PipelineResourcesBuilder",
"Arn"
]
},
"name": {
"Ref": "PipelineResourcesBuilder"
},
"url": {
"Fn::Join": [
"",
[
"https://",
{
"Ref": "AWS::Region"
},
".console.aws.amazon.com/lambda/home?region=",
{
"Ref": "AWS::Region"
},
"#/roles/functions/",
{
"Ref": "PipelineResourcesBuilder"
}
]
]
}
},
{
"metaName": "PipelineResourcesBuilderRole",
"service": "IAM",
"type": "Role",
"arn": {
"Fn::GetAtt": [
"PipelineResourcesBuilderRole",
"Arn"
]
},
"name": {
"Ref": "PipelineResourcesBuilderRole"
},
"url": {
"Fn::Join": [
"",
[
"https://",
{
"Ref": "AWS::Region"
},
".console.aws.amazon.com/iamv2/home?region=",
{
"Ref": "AWS::Region"
},
"#/roles/details/",
{
"Ref": "PipelineResourcesBuilderRole"
}
]
]
}
},
{
"metaName": "PipelineResourcesBuilderSchedulePolicy",
"service": "IAM",
"type": "Policy",
"arn": {
"Ref": "PipelineResourcesBuilderSchedulePolicy"
},
"name": {
"Fn::Select": [
1,
{
"Fn::Split": [
"/",
{
"Fn::Select": [
5,
{
"Fn::Split": [
":",
{
"Ref": "PipelineResourcesBuilderSchedulePolicy"
}
]
}
]
}
]
}
]
}
},
{
"metaName": "S3ObjectScanningRole",
"service": "IAM",
"type": "Role",
"arn": {
"Fn::GetAtt": [
"S3ObjectScanningRole",
"Arn"
]
},
"name": {
"Ref": "S3ObjectScanningRole"
},
"url": {
"Fn::Join": [
"",
[
"https://",
{
"Ref": "AWS::Region"
},
".console.aws.amazon.com/iamv2/home?region=",
{
"Ref": "AWS::Region"
},
"#/roles/details/",
{
"Ref": "S3ObjectScanningRole"
}
]
]
}
},
{
"metaName": "S3ObjectMigrationRole",
"service": "IAM",
"type": "Role",
"arn": {
"Fn::GetAtt": [
"S3ObjectMigrationRole",
"Arn"
]
},
"name": {
"Ref": "S3ObjectMigrationRole"
},
"url": {
"Fn::Join": [
"",
[
"https://",
{
"Ref": "AWS::Region"
},
".console.aws.amazon.com/iamv2/home?region=",
{
"Ref": "AWS::Region"
},
"#/roles/details/",
{
"Ref": "S3ObjectMigrationRole"
}
]
]
}
},
{
"metaName": "AthenaPublicAccessRole",
"service": "IAM",
"type": "Role",
"arn": {
"Fn::GetAtt": [
"AthenaPublicAccessRole",
"Arn"
]
},
"name": {
"Ref": "AthenaPublicAccessRole"
},
"url": {
"Fn::Join": [
"",
[
"https://",
{
"Ref": "AWS::Region"
},
".console.aws.amazon.com/iamv2/home?region=",
{
"Ref": "AWS::Region"
},
"#/roles/details/",
{
"Ref": "AthenaPublicAccessRole"
}
]
]
}
},
{
"metaName": "LogProcessor",
"service": "StepFunction",
"arn": {
"Ref": "LogProcessor"
},
"name": {
"Fn::GetAtt": [
"LogProcessor",
"Name"
]
},
"url": {
"Fn::Join": [
"",
[
"https://",
{
"Ref": "AWS::Region"
},
".console.aws.amazon.com/states/home?region=",
{
"Ref": "AWS::Region"
},
"#/statemachines/view/",
{
"Ref": "LogProcessor"
}
]
]
}
},
{
"metaName": "LogMerger",
"service": "StepFunction",
"arn": {
"Ref": "LogMerger"
},
"name": {
"Fn::GetAtt": [
"LogMerger",
"Name"
]
}
},
{
"metaName": "LogArchive",
"service": "StepFunction",
"arn": {
"Ref": "LogArchive"
},
"name": {
"Fn::GetAtt": [
"LogArchive",
"Name"
]
}
},
{
"metaName": "S3ObjectMigrationQueue",
"service": "SQS",
"arn": {
"Fn::GetAtt": [
"S3ObjectMigrationQ",
"Arn"
]
},
"name": {
"Fn::GetAtt": [
"S3ObjectMigrationQ",
"QueueName"
]
},
"url": {
"Ref": "S3ObjectMigrationQ"
}
},
{
"metaName": "S3ObjectMergeQueue",
"service": "SQS",
"arn": {
"Fn::GetAtt": [
"S3ObjectMergeQ",
"Arn"
]
},
"name": {
"Fn::GetAtt": [
"S3ObjectMergeQ",
"QueueName"
]
},
"url": {
"Ref": "S3ObjectMergeQ"
}
},
{
"metaName": "AthenaWorkGroup",
"service": "Athena",
"arn": "",
"name": "CentralizedLoggingWithOpenSearch"
},
{
"metaName": "AthenaOutputLocation",
"service": "Athena",
"arn": "",
"name": {
"Fn::Join": [
"",
[
"s3://",
{
"Ref": "StagingBucket"
},
"/athena-results/"
]
]
}
},
{
"metaName": "CustomerManagedKey",
"service": "KMS",
"arn": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"name": {
"Fn::Select": [
1,
{
"Fn::Split": [
"/",
{
"Fn::Select": [
5,
{
"Fn::Split": [
":",
{
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
]
}
]
}
]
}
]
}
},
{
"metaName": "CentralizedCatalog",
"service": "GLUE",
"arn": "",
"name": "AwsDataCatalog"
},
{
"metaName": "CentralizedDatabase",
"service": "GLUE",
"arn": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":glue:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":database/amazon_cl_centralized"
]
]
},
"name": "amazon_cl_centralized"
},
{
"metaName": "TmpDatabase",
"service": "GLUE",
"arn": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":glue:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":database/amazon_cl_tmp"
]
]
},
"name": "amazon_cl_tmp"
},
{
"metaName": "ReceiveStatesFailedTopic",
"service": "SNS",
"arn": {
"Ref": "ReceiveStatesFailedTopic"
},
"name": {
"Fn::GetAtt": [
"ReceiveStatesFailedTopic",
"TopicName"
]
}
},
{
"metaName": "SendEmailTopic",
"service": "SNS",
"arn": {
"Ref": "SendEmailTopic"
},
"name": {
"Fn::GetAtt": [
"SendEmailTopic",
"TopicName"
]
}
},
{
"metaName": "AwsConsoleUrl",
"service": "AWS",
"type": "Url",
"arn": "",
"name": "AwsConsoleUrl",
"value": {
"Fn::If": [
"MicroBatchStackDynamoDBDataisCNRegion6A8E9914",
{
"Fn::Join": [
"",
[
"https://",
{
"Ref": "AWS::Region"
},
".console.amazonaws.cn"
]
]
},
{
"Fn::Join": [
"",
[
"https://",
{
"Ref": "AWS::Region"
},
".console.aws.amazon.com"
]
]
}
]
}
}
]
},
"DependsOn": [
"Metadata"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/DynamoDBData/MetadataWriterCustomResource/Default"
}
},
"MicroBatchStackName": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"Name": "/MicroBatch/StackName",
"Type": "String",
"Value": {
"Ref": "AWS::StackName"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/MicroBatchStack/MicroBatchStackName/Resource"
}
},
"OpenSearchMasterRole8E762096": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
]
}
}
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/OpenSearchMasterRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppSyncStackApiLogRoleC9E4FBD0": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "appsync.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/ApiLogRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppSyncStackApiLogPolicy86FCB38F": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppSyncStackApiLogPolicy86FCB38F",
"Roles": [
{
"Ref": "APIAppSyncStackApiLogRoleC9E4FBD0"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/ApiLogPolicy/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W12",
"reason": "The managed policy AWSAppSyncPushToCloudWatchLogs needs to use any resources"
}
]
},
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPI12A83B84": {
"Type": "AWS::AppSync::GraphQLApi",
"Properties": {
"AdditionalAuthenticationProviders": [
{
"AuthenticationType": "AWS_IAM"
}
],
"AuthenticationType": "AMAZON_COGNITO_USER_POOLS",
"IntrospectionConfig": "DISABLED",
"LogConfig": {
"CloudWatchLogsRoleArn": {
"Fn::GetAtt": [
"APIAppSyncStackApiLogRoleC9E4FBD0",
"Arn"
]
},
"FieldLogLevel": "ERROR"
},
"Name": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - GraphQL APIs"
]
]
},
"UserPoolConfig": {
"AppIdClientRegex": {
"Ref": "CLAuthAPIClientABDADF79"
},
"AwsRegion": {
"Ref": "AWS::Region"
},
"DefaultAction": "ALLOW",
"UserPoolId": {
"Ref": "CLAuthUserPool7BDCEF8D"
}
},
"XrayEnabled": true
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPISchemaCA6DA305": {
"Type": "AWS::AppSync::GraphQLSchema",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"Definition": "scalar AWSDateTime\nscalar AWSJSON\n\nschema {\n query: Query\n mutation: Mutation\n}\n\ntype Query {\n latestVersion: AWSJSON!\n # List OpenSearch Domain names in a region\n listDomainNames(region: String): DomainNames\n\n # Get OpenSearch domain vpc info\n getDomainVpc(domainName: String!, region: String): ESVPCInfo\n\n # List imported domain details.\n listImportedDomains(\n metrics: Boolean\n includeFailed: Boolean\n ): [ImportedDomain]\n\n # Get Domain Detail by ID\n getDomainDetails(id: ID!, metrics: Boolean): DomainDetails\n\n # List service logging pipeline info\n listServicePipelines(page: Int, count: Int): ListServicePipelineResponse\n\n # Get service logging pipeline info by ID\n getServicePipeline(id: ID!): ServicePipeline\n\n # List Common AWS Resources\n listResources(\n type: ResourceType!\n parentId: String\n accountId: String\n region: String\n ): [Resource]\n\n # Get logging bucket for a type of resource by resource name or id\n getResourceLoggingBucket(\n type: ResourceType!\n resourceName: String!\n accountId: String\n region: String\n ): LoggingBucket\n\n # Get a list of logging configurations for AWS Resource\n getResourceLogConfigs(\n type: ResourceType!\n resourceName: String!\n accountId: String\n region: String\n ): [ResourceLogConf]\n\n # List logging conf info v2\n listLogConfigs(page: Int!, count: Int!): ListLogConfigsResponse\n\n # get all version of LogConfig\n listLogConfigVersions(id: ID!): [LogConfig]\n\n # Get logging conf v2 info by ID\n getLogConfig(id: ID!, version: Int): LogConfig\n\n # List app pipeline info\n listAppPipelines(page: Int, count: Int): ListAppPipelineResponse\n\n # batch export app pipeline info\n batchExportAppPipelines(appPipelineIds: [ID!]!): String\n\n # validate batch import app pipeline yaml\n batchImportAppPipelinesAnalyzer(\n contentString: String!\n ): BatchImportAppPipelinesAnalyzerResponse\n\n # Get app pipeline info by ID\n getAppPipeline(id: ID!): AppPipeline\n\n # List app logging ingestion info\n listAppLogIngestions(\n page: Int\n count: Int\n appPipelineId: String\n sourceId: String\n region: String\n accountId: String\n ): ListAppLogIngestionResponse\n\n # Get app logging ingestion info by ID\n getAppLogIngestion(id: ID!): AppLogIngestion\n\n # Get k8s deployment YAML with Sidecar by ID\n getK8sDeploymentContentWithSidecar(id: ID!): String\n\n # Get k8s deployment YAML with DaemonSet by sourceId\n getK8sDeploymentContentWithDaemonSet(sourceId: ID!): String\n\n # List AWS Instance\n listInstances(\n maxResults: Int\n nextToken: String\n instanceSet: [String]\n tags: [TagFilterInput]\n region: String\n accountId: String\n platformType: EC2GroupPlatform\n ): ListInstanceResponse\n\n # Get log Agent Status by instanceId\n getInstanceAgentStatus(\n instanceIds: [String]!\n region: String\n accountId: String\n commandId: String\n ): InstanceAgentStatusResponse\n\n # Verify if CIDR Conflict\n validateVpcCidr(domainName: String!, region: String): String\n\n # Get logging source info by ID\n getLogSource(type: LogSourceType!, sourceId: ID!): LogSource\n\n getAutoScalingGroupConf(groupId: String!): String\n\n listLogSources(\n type: LogSourceType!\n page: Int!\n count: Int!\n ): ListLogSourceResponse\n\n # Check Time format\n checkTimeFormat(timeStr: String!, formatStr: String!): CheckTimeFormatRes\n\n # List sub account info\n listSubAccountLinks(page: Int, count: Int): ListSubAccountLinkResponse\n\n # Get sub account info\n getSubAccountLink(subAccountId: String!, region: String): SubAccountLink\n\n checkCustomPort(\n sourceType: LogSourceType\n syslogProtocol: ProtocolType!\n syslogPort: Int!\n ): checkCustomPortResponse\n\n # Get the list of log group by log group name\n listLogStreams(\n logGroupName: String!\n logStreamNamePrefix: String\n page: Int\n count: Int\n ): ListLogStreamsResponse\n\n # Get the log events by log group name and log stream name\n getLogEvents(\n logGroupName: String!\n logStreamName: String!\n startTime: Int\n endTime: Int\n filterPattern: String\n limit: Int = 100\n nextToken: String\n ): GetLogEventsResponse\n\n # Get the log metric history data\n getMetricHistoryData(\n pipelineId: String!\n pipelineType: PipelineType!\n metricNames: [MetricName]\n startTime: Int\n endTime: Int\n ): MetricHistoryData\n\n # Get the pipeline alarm status of a specific metric alarm\n getPipelineAlarm(\n pipelineId: String!\n pipelineType: PipelineType!\n alarmName: AlarmMetricName!\n ): PipelineAlarm\n\n # Check the networking requirements and any other requirements for a AOS domain\n domainStatusCheck(\n domainName: String!\n region: String\n ): DomainStatusCheckResponse\n\n # Check if OSI is available in the current region\n checkOSIAvailability: Boolean\n\n # Get account unreserved concurrency limit\n getAccountUnreservedConurrency: Int\n\n listGrafanas(page: Int, count: Int): ListGrafanasResponse\n\n getGrafana(id: String!): Grafana\n\n checkGrafana(\n id: String\n url: String\n token: String\n ): GrafanaStatusCheckResponse\n\n # Get Light Engine Application pipeline execution.\n getLightEngineAppPipelineExecutionLogs(\n pipelineId: String!\n stateMachineName: String!\n type: ScheduleType!\n status: ExecutionStatus\n startTime: String\n endTime: String\n lastEvaluatedKey: AWSJSON\n limit: Int\n ): LightEnginePipelineExecutionLogsResponse\n\n # Get Light Engine Application pipeline details.\n getLightEngineAppPipelineDetail(\n pipelineId: String!\n ): LightEnginePipelineDetailResponse\n\n # Get Light Engine Service pipeline execution.\n getLightEngineServicePipelineExecutionLogs(\n pipelineId: String!\n stateMachineName: String!\n type: ScheduleType!\n status: ExecutionStatus\n startTime: String\n endTime: String\n lastEvaluatedKey: AWSJSON\n limit: Int\n ): LightEnginePipelineExecutionLogsResponse\n\n # Get Light Engine Service pipeline details.\n getLightEngineServicePipelineDetail(\n pipelineId: String!\n ): LightEnginePipelineDetailResponse\n}\n\ntype Mutation {\n # Import an OpenSearch Domain\n importDomain(\n domainName: String!\n region: String\n vpc: VPCInput\n tags: [TagInput]\n ): ImportDomainResponse\n\n # Remove an OpenSearch Domain by ID V2\n removeDomain(id: ID!, isReverseConf: Boolean): RemoveDomainResponse\n\n # Create a new service pipeline\n createServicePipeline(\n type: ServiceType!\n source: String\n target: String\n parameters: [ParameterInput]\n tags: [TagInput]\n logSourceAccountId: String\n logSourceRegion: String\n destinationType: DestinationType!\n osiParams: OpenSearchIngestionInput\n monitor: MonitorInput\n logProcessorConcurrency: String!\n ): String\n\n # Create a new service pipeline with light engine\n createLightEngineServicePipeline(\n type: ServiceType!\n parameters: [ParameterInput]\n ingestion: LightEngineIngestion!\n tags: [TagInput]\n source: String\n logSourceAccountId: String\n logSourceRegion: String\n monitor: MonitorInput\n ): String\n\n # Remove a service pipeline\n deleteServicePipeline(id: ID!): String\n\n # Create an nginx proxy stack for OpenSearch\n createProxyForOpenSearch(id: ID!, input: ProxyInput!): String\n\n # Create an alarm stack for OpenSearch\n createAlarmForOpenSearch(id: ID!, input: AlarmStackInput!): String\n\n # Delete an nginx proxy stack for OpenSearch\n deleteProxyForOpenSearch(id: ID!): String\n\n # Delete an alarm stack for OpenSearch domain\n deleteAlarmForOpenSearch(id: ID!): String\n\n # Put logging bucket for a type of resource by resource name or id\n putResourceLoggingBucket(\n type: ResourceType!\n resourceName: String!\n accountId: String\n region: String\n ): LoggingBucket\n\n # Add logging configuration to resources.\n # Log Format is only requried if the format can be customized.\n putResourceLogConfig(\n type: ResourceType!\n resourceName: String!\n accountId: String\n region: String\n destinationType: DestinationType!\n destinationName: String!\n LogFormat: String\n ): ResourceLogConf\n\n # *The following belongs to applog* #\n\n # Create a logging conf v2\n createLogConfig(\n name: String!\n logType: LogType!\n syslogParser: SyslogParser\n multilineLogParser: MultiLineLogParser\n iisLogParser: IISlogParser\n filterConfigMap: ProcessorFilterRegexInput\n regex: String\n jsonSchema: AWSJSON\n regexFieldSpecs: [RegularSpecInput]\n timeKey: String\n timeOffset: String\n timeKeyRegex: String\n userLogFormat: String\n userSampleLog: String\n description: String\n ): String\n\n # Remove a logging conf v2\n deleteLogConfig(id: ID!): String\n\n # Update a logging conf v2\n updateLogConfig(\n id: ID!\n version: Int\n name: String!\n logType: LogType!\n syslogParser: SyslogParser\n multilineLogParser: MultiLineLogParser\n iisLogParser: IISlogParser\n filterConfigMap: ProcessorFilterRegexInput\n regex: String\n jsonSchema: AWSJSON\n regexFieldSpecs: [RegularSpecInput]\n timeKey: String\n timeOffset: String\n timeKeyRegex: String\n userLogFormat: String\n userSampleLog: String\n description: String\n ): String\n\n createAppPipeline(\n bufferType: BufferType!\n bufferParams: [BufferInput]\n parameters: [ParameterInput]\n aosParams: AOSParameterInput!\n logConfigId: ID!\n logConfigVersionNumber: Int!\n monitor: MonitorInput\n force: Boolean\n osiParams: OpenSearchIngestionInput\n tags: [TagInput]\n logProcessorConcurrency: String!\n ): ID\n\n resumePipeline(id: ID!): String\n\n createLightEngineAppPipeline(\n params: LightEngineParameterInput!\n bufferParams: [BufferInput]\n logConfigId: ID!\n logConfigVersionNumber: Int!\n monitor: MonitorInput\n force: Boolean\n tags: [TagInput]\n logStructure: LogStructure\n ): ID\n # Update a app pipeline\n updateAppPipeline(\n id: ID!\n logConfigId: ID!\n logConfigVersionNumber: Int!\n logProcessorConcurrency: String!\n ): String\n # Remove a app pipeline\n deleteAppPipeline(id: ID!): String\n\n # Create a new app logging ingestion\n createAppLogIngestion(\n sourceId: String!\n appPipelineId: String!\n tags: [TagInput]\n logPath: String\n autoAddPermission: Boolean! = false\n ): String\n\n # Remove a app logging ingestion\n deleteAppLogIngestion(ids: [ID!]!): String\n\n #regenerate the FLB conf by appPipeline ID\n refreshAppLogIngestion(appPipelineId: ID!): String\n\n # request to install logging agent\n requestInstallLogAgent(\n instanceIdSet: [String!]!\n accountId: String\n region: String\n ): String\n\n createLogSource(\n type: LogSourceType!\n region: String\n accountId: String\n ec2: EC2SourceInput # required if type == EC2\n syslog: SyslogSourceInput # required if type == Syslog\n eks: EKSSourceInput # required if type == EKS\n s3: S3SourceInput # required if type == S3\n tags: [TagInput]\n ): ID\n\n updateLogSource(\n type: LogSourceType!\n sourceId: ID!\n action: LogSourceUpdateAction!\n ec2: EC2SourceUpdateInput # required if type == EC2\n ): String\n\n deleteLogSource(type: LogSourceType!, sourceId: ID!): String\n\n # *The following belongs to cross account* #\n\n # Create a new cross account link\n createSubAccountLink(\n subAccountId: String!\n region: String\n subAccountName: String!\n subAccountRoleArn: String!\n agentInstallDoc: String!\n agentConfDoc: String!\n windowsAgentInstallDoc: String!\n windowsAgentConfDoc: String!\n agentStatusCheckDoc: String!\n subAccountBucketName: String!\n subAccountStackId: String!\n subAccountKMSKeyArn: String!\n subAccountIamInstanceProfileArn: String!\n tags: [TagInput]\n ): String\n\n # update a cross account link\n updateSubAccountLink(\n subAccountId: String!\n region: String\n windowsAgentInstallDoc: String!\n windowsAgentConfDoc: String!\n agentStatusCheckDoc: String!\n agentInstallDoc: String!\n ): String\n # Remove a cross account link\n deleteSubAccountLink(subAccountId: String!, region: String): String\n\n # Create the alarm config of a specific Pipeline, including App and Service\n createPipelineAlarm(\n pipelineId: String!\n pipelineType: PipelineType!\n snsTopicArn: String\n emails: String\n snsTopicName: String\n ): String\n\n # Update the alarm config of a specific Pipeline, including App and Service\n updatePipelineAlarm(\n pipelineId: String!\n pipelineType: PipelineType!\n snsTopicArn: String\n emails: String\n ): String\n\n # Delete the alarm config of a specific Pipeline, including App and Service\n deletePipelineAlarm(pipelineId: String!, pipelineType: PipelineType!): String\n\n createGrafana(\n name: String!\n url: String!\n token: String!\n tags: [TagInput]\n ): String\n\n updateGrafana(id: String!, url: String, token: String): String\n\n deleteGrafana(id: String!): String\n}\n\nenum DomainImportStatus {\n ACTIVE\n IMPORTED\n INACTIVE\n IN_PROGRESS\n UNKNOWN\n FAILED\n}\n\ntype DomainNameAndStatus {\n domainName: String\n status: DomainImportStatus\n}\n\ntype DomainNames {\n domainNames: [DomainNameAndStatus!]\n}\n\nenum DomainHealth {\n GREEN\n RED\n YELLOW\n UNKNOWN\n ERROR\n}\n\nenum EngineType {\n Elasticsearch\n OpenSearch\n}\n\nenum AnalyticEngineType {\n OpenSearch\n LightEngine\n}\n\ntype DomainMetrics {\n searchableDocs: Float\n freeStorageSpace: Float\n health: DomainHealth\n}\n\ninput VPCInput {\n vpcId: String!\n publicSubnetIds: String\n privateSubnetIds: String\n securityGroupId: String!\n}\n\ntype VPCInfo {\n vpcId: String!\n privateSubnetIds: String\n publicSubnetIds: String\n securityGroupId: String\n}\n\ntype ESVPCInfo {\n vpcId: String!\n subnetIds: [String!]\n availabilityZones: [String]\n securityGroupIds: [String]\n}\n\ntype ImportedDomain {\n id: ID!\n domainName: String!\n engine: EngineType\n version: String!\n endpoint: String!\n metrics: DomainMetrics\n}\n\n# Node Info\ntype Node {\n instanceType: String!\n instanceCount: Int\n dedicatedMasterEnabled: Boolean\n zoneAwarenessEnabled: Boolean\n dedicatedMasterType: String\n dedicatedMasterCount: Int\n warmEnabled: Boolean\n warmType: String\n warmCount: Int\n coldEnabled: Boolean\n}\n\nenum StorageType {\n EBS\n Instance\n}\n\nenum LogEventQueueType {\n EventBridge\n SQS\n}\n\n# Volume Info\ntype Volume {\n type: String!\n size: Int!\n}\n\n# Cognito info\ntype Cognito {\n enabled: Boolean\n userPoolId: String\n domain: String\n identityPoolId: String\n roleArn: String\n}\n\ntype DomainDetails {\n id: ID!\n domainArn: String!\n domainName: String!\n engine: EngineType\n version: String!\n endpoint: String!\n region: String\n accountId: String\n vpc: VPCInfo\n esVpc: ESVPCInfo\n nodes: Node\n storageType: StorageType!\n volume: Volume\n cognito: Cognito\n tags: [Tag]\n proxyStatus: StackStatus\n proxyALB: String\n proxyError: String\n proxyInput: ProxyInfo\n alarmStatus: StackStatus\n alarmError: String\n alarmInput: AlarmStackInfo\n metrics: DomainMetrics\n status: String\n resources: [DomainRelevantResource]\n}\n\nenum StackStatus {\n CREATING\n DELETING\n ERROR\n ENABLED\n DISABLED\n}\n\nenum PipelineStatus {\n ACTIVE\n PAUSED\n INACTIVE\n CREATING\n DELETING\n UPDATING\n ERROR\n}\nenum ServiceType {\n S3\n CloudTrail\n CloudFront\n RDS\n VPC\n Lambda\n ELB\n WAF\n WAFSampled\n Config\n}\n\nenum LogStructure {\n RAW\n FLUENT_BIT_PARSED_JSON\n}\n\nenum ProtocolType {\n TCP\n UDP\n}\n\nenum PipelineMonitorStatus {\n ENABLED\n DISABLED\n}\n\nenum PipelineAlarmStatus {\n ENABLED\n DISABLED\n}\n\nenum AlarmMetricStatus {\n ALARM\n OK\n INSUFFICIENT_DATA\n LOADING\n}\n\ntype Tag {\n key: String\n value: String\n}\n\ntype ServicePipeline {\n id: ID!\n type: ServiceType!\n destinationType: DestinationType\n source: String\n target: String\n parameters: [Parameter]\n createdAt: String\n status: PipelineStatus\n tags: [Tag]\n error: String\n monitor: MonitorDetail\n osiParams: OpenSearchIngestionParams\n osiPipelineName: String\n processorLogGroupName: String\n helperLogGroupName: String\n logEventQueueName: String\n logEventQueueType: LogEventQueueType\n deliveryStreamName: String\n bufferResourceName: String\n stackId: String\n logSourceAccountId: String\n logSourceRegion: String\n engineType: AnalyticEngineType\n lightEngineParams: LightEngineParameter\n logProcessorConcurrency: String\n}\n\ntype LightEngineIngestionResp {\n bucket: String!\n prefix: String!\n}\n\ntype ListServicePipelineResponse {\n pipelines: [ServicePipeline]\n total: Int\n}\n\ninput TagInput {\n key: String\n value: String\n}\n\ninput TagFilterInput {\n Key: String\n Values: [String]\n}\n\ntype Parameter {\n parameterKey: String\n parameterValue: String\n}\n\ninput ParameterInput {\n parameterKey: String\n parameterValue: String\n}\n\ninput LightEngineIngestion {\n bucket: String!\n prefix: String!\n}\n\ntype Resource {\n id: String!\n name: String!\n parentId: String\n description: String\n}\n\nenum ResourceType {\n S3Bucket\n VPC\n Subnet\n SecurityGroup\n Certificate\n Trail\n KeyPair\n Distribution\n RDS\n Lambda\n ELB\n WAF\n WAFSampled\n Config\n EKSCluster\n ASG\n SNS\n}\n\n# Log Format is only requried if the format can be customized.\n# the processor need to know the customized fields\ntype ResourceLogConf {\n destinationType: DestinationType!\n destinationName: String!\n name: String\n logFormat: String\n region: String\n}\n\nenum DestinationType {\n S3\n CloudWatch\n KDS\n KDF\n}\n\ninput ProxyInput {\n vpc: VPCInput!\n certificateArn: String!\n keyName: String!\n customEndpoint: String!\n cognitoEndpoint: String\n proxyInstanceType: String\n proxyInstanceNumber: String\n}\n\ntype ProxyInfo {\n vpc: VPCInfo\n certificateArn: String\n keyName: String\n customEndpoint: String\n cognitoEndpoint: String\n proxyInstanceType: String\n proxyInstanceNumber: String\n}\n\nenum AlarmType {\n CLUSTER_RED\n CLUSTER_YELLOW\n FREE_STORAGE_SPACE\n WRITE_BLOCKED\n NODE_UNREACHABLE\n SNAPSHOT_FAILED\n CPU_UTILIZATION\n JVM_MEMORY_PRESSURE\n KMS_KEY_DISABLED\n KMS_KEY_INACCESSIBLE\n MASTER_CPU_UTILIZATION\n MASTER_JVM_MEMORY_PRESSURE\n}\n\ninput AlarmInput {\n type: AlarmType\n value: String\n}\n\ninput AlarmStackInput {\n alarms: [AlarmInput]\n email: String\n phone: String\n}\n\ntype AlarmInfo {\n type: AlarmType\n value: String\n}\n\ntype AlarmStackInfo {\n alarms: [AlarmInfo]\n email: String\n phone: String\n}\n\ntype LoggingBucket {\n enabled: Boolean\n bucket: String\n prefix: String\n source: LoggingBucketSource\n}\n\n# *The following belongs to applog* #\nenum LogType {\n JSON\n Regex\n Nginx\n Apache\n Syslog\n SingleLineText\n MultiLineText\n WindowsEvent\n IIS\n}\n\nenum IISlogParser {\n W3C\n IIS\n NCSA\n}\n\nenum MultiLineLogParser {\n JAVA_SPRING_BOOT\n CUSTOM\n}\n\nenum SyslogParser {\n RFC5424\n RFC3164\n CUSTOM\n}\n\nenum ArchiveFormat {\n gzip\n json\n text\n}\n\nenum LogSourceType {\n EC2\n S3\n EKSCluster\n Syslog\n}\n\nenum LogSourceUpdateAction {\n ADD\n REMOVE\n MODIFY\n}\n\nenum LoggingBucketSource {\n WAF\n KinesisDataFirehoseForWAF\n}\n\nenum ErrorCode {\n DuplicatedIndexPrefix\n DuplicatedWithInactiveIndexPrefix\n OverlapIndexPrefix\n OverlapWithInactiveIndexPrefix\n AccountNotFound\n OldAOSVersion\n AOSNotInPrivateSubnet\n WithoutNAT\n EKS_CLUSTER_NOT_CLEANED\n ASSOCIATED_STACK_UNDER_PROCESSING\n SVC_PIPELINE_NOT_CLEANED\n APP_PIPELINE_NOT_CLEANED\n DOMAIN_ALREADY_IMPORTED\n DOMAIN_NOT_ACTIVE\n DOMAIN_UNDER_PROCESSING\n DOMAIN_RELATED_RESOURCES_REVERSE_FAILED\n IMPORT_OPENSEARCH_DOMAIN_FAILED\n REMOVE_OPENSEARCH_DOMAIN_FAILED\n UNSUPPORTED_DOMAIN_ENGINE\n DOMAIN_NETWORK_TYPE_NOT_PRIVATE\n OLD_DOMAIN_VERSION\n SUBNET_WITHOUT_NAT\n AOS_SECURITY_GROUP_CHECK_FAILED\n NETWORK_ACL_CHECK_FAILED\n VPC_PEERING_CHECK_FAILED\n AOS_VPC_ROUTING_CHECK_FAILED\n SOLUTION_VPC_ROUTING_CHECK_FAILED\n DUPLICATED_INDEX_PREFIX\n DUPLICATED_WITH_INACTIVE_INDEX_PREFIX\n OVERLAP_INDEX_PREFIX\n OVERLAP_WITH_INACTIVE_INDEX_PREFIX\n UNSUPPORTED_ACTION_HAS_INGESTION\n UNSUPPORTED_ACTION_SOURCE_HAS_INGESTION\n UPDATE_CWL_ROLE_FAILED\n ASSUME_ROLE_CHECK_FAILED\n ACCOUNT_NOT_FOUND\n ACCOUNT_ALREADY_EXISTS\n ITEM_NOT_FOUND\n UNKNOWN_ERROR\n GRAFANA_URL_CONNECTIVITY_FAILED\n GRAFANA_TOKEN_VALIDATION_FAILED\n GRAFANA_HAS_INSTALLED_ATHENA_PLUGIN_FAILED\n GRAFANA_DATA_SOURCE_PERMISSION_CHECK_FAILED\n GRAFANA_FOLDER_PERMISSION_CHECK_FAILED\n GRAFANA_DASHBOARDS_PERMISSION_CHECK_FAILED\n}\n\ntype LogConfig {\n id: ID\n version: Int\n createdAt: String\n name: String\n logType: LogType\n syslogParser: SyslogParser\n multilineLogParser: MultiLineLogParser\n iisLogParser: IISlogParser\n filterConfigMap: ProcessorFilterRegex\n regex: String\n jsonSchema: AWSJSON\n regexFieldSpecs: [RegularSpec]\n timeKey: String\n timeOffset: String\n timeKeyRegex: String\n userLogFormat: String\n userSampleLog: String\n description: String\n}\n\ninput ProcessorFilterRegexInput {\n enabled: Boolean!\n filters: [LogConfFilterInput]\n}\n\ntype ProcessorFilterRegex {\n enabled: Boolean\n filters: [LogConfFilter]\n}\n\ninput LogConfFilterInput {\n key: String!\n condition: LogConfFilterCondition!\n value: String!\n}\n\ntype LogConfFilter {\n key: String!\n condition: LogConfFilterCondition!\n value: String!\n}\n\nenum LogConfFilterCondition {\n Include\n Exclude\n}\n\ntype ListLogConfigsResponse {\n logConfigs: [LogConfig]\n total: Int\n}\n\ntype LogSource {\n sourceId: ID!\n name: String\n type: LogSourceType\n accountId: String\n region: String\n eks: EKSSource\n s3: S3Source\n ec2: EC2Source\n syslog: SyslogSource\n createdAt: AWSDateTime\n updatedAt: AWSDateTime\n status: PipelineStatus\n tags: [Tag]\n}\n\ntype ListLogSourceResponse {\n logSources: [LogSource]\n total: Int\n}\n\ninput AOSParameterInput {\n vpc: VPCInput!\n opensearchArn: String!\n opensearchEndpoint: String!\n domainName: String!\n indexPrefix: String!\n warmLogTransition: String\n coldLogTransition: String\n logRetention: String\n rolloverSize: String\n codec: Codec\n indexSuffix: IndexSuffix\n refreshInterval: String\n shardNumbers: Int!\n replicaNumbers: Int!\n engine: EngineType!\n failedLogBucket: String!\n}\n\ninput LightEngineParameterInput {\n centralizedBucketName: String!\n centralizedBucketPrefix: String!\n centralizedTableName: String!\n logProcessorSchedule: String!\n logMergerSchedule: String!\n logArchiveSchedule: String!\n logMergerAge: String!\n logArchiveAge: String!\n importDashboards: String!\n grafanaId: String\n recipients: String\n}\nenum IndexSuffix {\n yyyy_MM_dd\n yyyy_MM_dd_HH\n yyyy_MM\n yyyy\n}\nenum Codec {\n best_compression\n default\n}\n\ntype AOSParameter {\n opensearchArn: String\n domainName: String\n indexPrefix: String\n warmLogTransition: String\n coldLogTransition: String\n logRetention: String\n rolloverSize: String\n codec: Codec\n indexSuffix: IndexSuffix\n refreshInterval: String\n shardNumbers: Int\n replicaNumbers: Int\n engine: EngineType\n}\n\nenum NotificationService {\n SNS\n SES\n}\n\ntype LightEngineParameter {\n stagingBucketPrefix: String!\n centralizedBucketName: String!\n centralizedBucketPrefix: String!\n centralizedTableName: String!\n logProcessorSchedule: String!\n logMergerSchedule: String!\n logArchiveSchedule: String!\n logMergerAge: String!\n logArchiveAge: String!\n importDashboards: String!\n grafanaId: String\n recipients: String\n notificationService: NotificationService\n enrichmentPlugins: String\n}\n\ntype LightEngineTableMetadata {\n databaseName: String!\n tableName: String!\n location: String!\n classification: String!\n dashboardName: String\n dashboardLink: String\n}\n\ntype AnalyticsEngine {\n engineType: AnalyticEngineType!\n table: LightEngineTableMetadata\n metric: LightEngineTableMetadata\n}\n\nenum SchedulerType {\n EventBridgeScheduler\n EventBridgeEvents\n}\n\ntype Scheduler {\n type: SchedulerType!\n group: String!\n name: String!\n expression: String!\n age: Int\n}\n\ntype StateMachine {\n arn: String!\n name: String!\n}\n\nenum ScheduleType {\n LogProcessor\n LogMerger\n LogArchive\n LogMergerForMetrics\n LogArchiveForMetrics\n}\n\ntype Schedule {\n type: ScheduleType!\n stateMachine: StateMachine!\n scheduler: Scheduler!\n}\n\ntype LightEnginePipelineDetailResponse {\n analyticsEngine: AnalyticsEngine\n schedules: [Schedule]\n}\n\nenum ExecutionStatus {\n Running\n Succeeded\n Failed\n Timed_out\n Aborted\n}\n\ntype LightEnginePipelineExecutionLog {\n executionName: String\n executionArn: String\n taskId: String\n startTime: String\n endTime: String\n status: ExecutionStatus\n}\n\ntype LightEnginePipelineExecutionLogsResponse {\n items: [LightEnginePipelineExecutionLog]\n lastEvaluatedKey: AWSJSON\n}\n\ntype AppPipeline {\n pipelineId: ID!\n bufferType: BufferType\n bufferParams: [BufferParameter]\n parameters: [Parameter]\n aosParams: AOSParameter\n lightEngineParams: LightEngineParameter\n createdAt: String\n status: PipelineStatus\n logConfigId: String\n logConfigVersionNumber: Int\n logConfig: LogConfig\n bufferAccessRoleArn: String\n bufferAccessRoleName: String\n bufferResourceName: String\n bufferResourceArn: String\n processorLogGroupName: String\n helperLogGroupName: String\n logEventQueueName: String\n logEventQueueType: LogEventQueueType\n logProcessorConcurrency: String\n monitor: MonitorDetail\n osiParams: OpenSearchIngestionParams\n osiPipelineName: String\n minCapacity: Int\n maxCapacity: Int\n stackId: String\n error: String\n engineType: AnalyticEngineType\n logStructure: LogStructure\n tags: [Tag]\n}\n\ntype ListAppPipelineResponse {\n appPipelines: [AppPipeline]\n total: Int\n}\n\ntype BatchImportAppPipelinesAnalyzerFindingLocation {\n path: String\n}\n\nenum BatchImportAppPipelinesAnalyzerFindingType {\n ERROR\n WARNING\n SUGGESTION\n}\n\nenum BatchImportAppPipelinesAnalyzerFindingIssueCode {\n YAML_SYNTAX_ERROR\n INVALID_ELEMENT\n INVALID_BUCKET\n BUCKET_NOTIFICATION_OVERLAP\n INVALID_RESOURCE\n INVALID_RESOURCE_STATUS\n INVALID_VALUE\n MISSING_ELEMENT\n MISMATCH_DATA_TYPE\n MISSING_VERSION\n INVALID_ENUM\n HTTP_REQUEST_ERROR\n UNSUPPORTED_LOG_SOURCE\n OPENSEARCH_INDEX_OVERLAP\n}\n\ntype BatchImportAppPipelinesAnalyzerFinding {\n findingDetails: String\n findingType: BatchImportAppPipelinesAnalyzerFindingType\n issueCode: BatchImportAppPipelinesAnalyzerFindingIssueCode\n location: BatchImportAppPipelinesAnalyzerFindingLocation\n}\n\ntype Resolver {\n operationName: String\n variables: AWSJSON\n}\n\ntype BatchImportAppPipelinesAnalyzerResponse {\n findings: [BatchImportAppPipelinesAnalyzerFinding]\n resolvers: [Resolver]\n}\n\ntype AppLogIngestion {\n id: ID!\n stackId: String\n stackName: String\n appPipelineId: String\n logPath: String\n sourceId: String\n sourceType: String\n createdAt: String\n status: String\n tags: [Tag]\n accountId: String\n region: String\n}\n\ntype InstanceIngestionDetail {\n instanceId: String\n ssmCommandId: String\n ssmCommandStatus: String\n details: String\n}\n\ntype ListAppLogIngestionResponse {\n appLogIngestions: [AppLogIngestion]\n total: Int\n}\n\nenum LogAgentStatus {\n Online\n Offline\n Installing\n Installed\n Not_Installed\n Unknown\n}\n\ntype InstanceAgentStatusResponse {\n commandId: String\n instanceAgentStatusList: [InstanceAgentStatus]\n}\n\ntype InstanceAgentStatus {\n instanceId: String\n status: LogAgentStatus\n invocationOutput: String\n curlOutput: String\n}\n\ninput LogAgentParameterInput {\n agentName: String\n version: String\n}\n\ntype LogAgentParameter {\n agentName: String\n version: String\n}\n\n# Instance info\ntype Instance {\n id: ID!\n platformName: String\n platformType: String\n ipAddress: String\n computerName: String\n name: String\n}\n\ntype ListInstanceResponse {\n instances: [Instance]\n nextToken: String\n}\n\ninput RegularSpecInput {\n key: String!\n type: String!\n format: String\n}\n\ntype RegularSpec {\n key: String!\n type: String!\n format: String\n}\n\nenum EKSDeployKind {\n DaemonSet\n Sidecar\n}\nenum CRI {\n containerd\n docker\n}\n\nenum IngestionMode {\n ONE_TIME\n ON_GOING\n}\n\nenum CompressionType {\n GZIP\n NONE\n}\n\ntype S3Source {\n mode: IngestionMode\n bucketName: String\n keyPrefix: String\n keySuffix: String\n compressionType: CompressionType\n}\n\ninput S3SourceInput {\n mode: IngestionMode\n bucketName: String\n keyPrefix: String\n keySuffix: String\n compressionType: CompressionType\n}\n\ntype SyslogSource {\n protocol: ProtocolType\n port: Int\n nlbArn: String\n nlbDNSName: String\n}\n\ninput SyslogSourceInput {\n protocol: ProtocolType\n port: Int\n nlbArn: String\n nlbDNSName: String\n}\n\nenum EC2GroupType {\n EC2\n ASG\n}\n\nenum EC2GroupPlatform {\n Linux\n Windows\n}\n\ntype EC2Instances {\n instanceId: String!\n}\n\ninput EC2InstancesInput {\n instanceId: String\n}\n\ntype EC2Source {\n groupName: String!\n groupType: EC2GroupType!\n groupPlatform: EC2GroupPlatform!\n asgName: String\n instances: [EC2Instances]\n}\n\ninput EC2SourceInput {\n groupName: String\n groupType: EC2GroupType\n groupPlatform: EC2GroupPlatform\n asgName: String\n instances: [EC2InstancesInput]\n}\n\ninput EC2SourceUpdateInput {\n instances: [EC2InstancesInput]\n}\n\ntype EKSSource {\n eksClusterName: String\n eksClusterArn: String\n cri: CRI\n vpcId: String\n eksClusterSGId: String\n subnetIds: [String]\n oidcIssuer: String\n endpoint: String\n logAgentRoleArn: String\n deploymentKind: EKSDeployKind\n}\n\ninput EKSSourceInput {\n eksClusterName: String\n cri: CRI\n deploymentKind: EKSDeployKind\n}\n\ntype CheckTimeFormatRes {\n isMatch: Boolean\n}\n\ntype SubAccountLink {\n id: ID\n subAccountId: String\n region: String\n subAccountName: String\n subAccountRoleArn: String\n agentInstallDoc: String\n agentConfDoc: String\n windowsAgentInstallDoc: String\n windowsAgentConfDoc: String\n agentStatusCheckDoc: String\n subAccountBucketName: String\n subAccountStackId: String\n subAccountKMSKeyArn: String\n subAccountVpcId: String\n subAccountPublicSubnetIds: String\n subAccountIamInstanceProfileArn: String\n createdAt: String\n status: String\n tags: [Tag]\n}\n\ntype ListSubAccountLinkResponse {\n subAccountLinks: [SubAccountLink]\n total: Int\n}\n\ntype checkCustomPortResponse {\n isAllowedPort: Boolean\n msg: String\n recommendedPort: Int\n}\n\nenum BufferType {\n None\n KDS\n S3\n MSK\n}\ntype BufferParameter {\n paramKey: String\n paramValue: String\n}\n\ninput BufferInput {\n paramKey: String\n paramValue: String\n}\n\ntype LogStream {\n logStreamName: String\n creationTime: String\n firstEventTimestamp: String\n lastEventTimestamp: String\n lastIngestionTime: String\n uploadSequenceToken: String\n arn: String\n storedBytes: Int\n}\n\ntype ListLogStreamsResponse {\n logStreams: [LogStream]\n total: Int\n}\n\ntype LogEvent {\n timestamp: String\n message: String\n ingestionTime: String\n}\n\ntype GetLogEventsResponse {\n logEvents: [LogEvent]\n nextForwardToken: String\n nextBackwardToken: String\n}\n\ntype DataSerie {\n name: String\n data: [Float]\n}\n\ntype GraphXaxis {\n categories: [Float]\n}\n\ntype MetricHistoryData {\n series: [DataSerie]\n xaxis: GraphXaxis\n}\n\nenum PipelineType {\n APP\n SERVICE\n}\n\nenum AlarmMetricName {\n DEAD_LETTER_INVOCATIONS\n OLDEST_MESSAGE_AGE_ALARM\n PROCESSOR_ERROR_RATE_ALARM\n PROCESSOR_ERROR_INVOCATION_ALARM\n PROCESSOR_ERROR_RECORD_ALARM\n PROCESSOR_DURATION_ALARM\n KDS_THROTTLED_RECORDS_ALARM\n FLUENTBIT_OUTPUT_RETRIED_RECORDS_ALARM\n}\n\ntype AlarmMetricDetail {\n name: AlarmMetricName\n status: AlarmMetricStatus\n resourceId: String\n}\n\ntype PipelineAlarm {\n alarms: [AlarmMetricDetail]\n}\n\nenum DomainStatusCheckType {\n FAILED\n PASSED\n WARNING\n CHECKING\n NOT_STARTED\n}\n\ntype DomainStatusCheckDetail {\n name: String\n values: [String]\n errorCode: ErrorCode\n status: DomainStatusCheckType\n}\n\ntype DomainStatusCheckResponse {\n status: DomainStatusCheckType\n details: [DomainStatusCheckDetail]\n multiAZWithStandbyEnabled: Boolean\n}\n\ntype GrafanaStatusCheckResponse {\n status: DomainStatusCheckType\n details: [DomainStatusCheckDetail]\n}\n\nenum ResourceStatus {\n CREATED\n UPDATED\n DELETED\n REVERSED\n UNCHANGED\n ERROR\n}\n\ntype DomainRelevantResource {\n name: String\n values: [String]\n status: ResourceStatus\n}\n\ntype RemoveDomainResponse {\n error: String\n errorCode: ErrorCode\n resources: [DomainRelevantResource]\n}\n\ninput MonitorInput {\n status: PipelineMonitorStatus\n pipelineAlarmStatus: PipelineAlarmStatus\n snsTopicName: String\n snsTopicArn: String\n emails: String\n}\n\ntype MonitorDetail {\n status: PipelineMonitorStatus\n backupBucketName: String\n errorLogPrefix: String\n pipelineAlarmStatus: PipelineAlarmStatus\n snsTopicName: String\n snsTopicArn: String\n emails: String\n}\n\ntype OpenSearchIngestionParams {\n minCapacity: Int\n maxCapacity: Int\n}\n\ninput OpenSearchIngestionInput {\n minCapacity: Int\n maxCapacity: Int\n}\n\ntype ImportDomainResponse {\n id: String\n resources: [DomainRelevantResource]\n}\n\nenum MetricName {\n TotalLogs\n FailedLogs\n ExcludedLogs\n LoadedLogs\n SQSNumberOfMessagesSent\n SQSNumberOfMessagesDeleted\n SQSApproximateNumberOfMessagesVisible\n SQSApproximateAgeOfOldestMessage\n EvtMatchedEvents\n EvtInvocations\n EvtTriggeredRules\n EvtFailedInvocations\n ProcessorFnError\n ProcessorFnConcurrentExecutions\n ProcessorFnDuration\n ProcessorFnThrottles\n ProcessorFnInvocations\n ReplicationFnError\n ReplicationFnConcurrentExecutions\n ReplicationFnDuration\n ReplicationFnThrottles\n ReplicationFnInvocations\n KDFIncomingBytes\n KDFIncomingRecords\n KDFDeliveryToS3Bytes\n KDSIncomingBytes\n KDSIncomingRecords\n KDSPutRecordsBytes\n KDSThrottledRecords\n KDSWriteProvisionedThroughputExceeded\n SyslogNLBActiveFlowCount\n SyslogNLBProcessedBytes\n FluentBitInputBytes\n FluentBitInputRecords\n FluentBitOutputDroppedRecords\n FluentBitOutputErrors\n FluentBitOutputRetriedRecords\n FluentBitOutputRetriesFailed\n FluentBitOutputRetries\n FluentBitOutputProcBytes\n FluentBitOutputProcRecords\n OSICPUUsage\n OSIComputeUnits\n OSIMemoryUsage\n OSIBufferUsage\n OSIBufferOverflowDrops\n OSIObjectsSucceeded\n OSIS3ObjectsEvents\n OSIS3ObjectsEventsSum\n OSISqsMessagesReceived\n OSISqsMessagesDeleted\n OSISqsMessagesFailed\n OSISqsMessageDelayCount\n OSISqsMessageDelaySum\n OSIBytesTransmitted\n OSIDocumentsWritten\n OSIDocumentsFailedWrite\n OSIDocumentsRetriedWrite\n OSIDLQS3RecordsSuccess\n OSIDLQS3RecordsFailed\n}\n\ntype Grafana {\n id: ID!\n name: String!\n url: String!\n createdAt: String\n tags: [Tag]\n}\n\ntype ListGrafanasResponse {\n grafanas: [Grafana]\n total: Int\n}\n"
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/Schema",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPILogRetention6D2F2D62": {
"Type": "Custom::LogRetention",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A",
"Arn"
]
},
"LogGroupName": {
"Fn::Join": [
"",
[
"/aws/appsync/apis/",
{
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
}
]
]
}
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/LogRetention/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPILatestVersionDSServiceRole3F8C2675": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "appsync.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/LatestVersionDS/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppSyncStackAPILatestVersionDS62A88DE9": {
"Type": "AWS::AppSync::DataSource",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"HttpConfig": {
"Endpoint": {
"Fn::If": [
"IsChinaPartition",
"https://s3---cn-north-1.amazonaws.com.rproxy.govskope.ca.cn",
"https://s3.amazonaws.com"
]
}
},
"Name": "LatestVersionDS",
"ServiceRoleArn": {
"Fn::GetAtt": [
"APIAppSyncStackAPILatestVersionDSServiceRole3F8C2675",
"Arn"
]
},
"Type": "HTTP"
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/LatestVersionDS/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPILatestVersionResolver102981BF": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "LatestVersionDS",
"FieldName": "latestVersion",
"Kind": "UNIT",
"RequestMappingTemplate": {
"Fn::Join": [
"",
[
"{\"version\":\"2018-05-29\",\"method\":\"GET\",\"resourcePath\":\"/",
{
"Fn::If": [
"IsChinaPartition",
"solutions-reference-cn",
"solutions-reference"
]
},
"/centralized-logging-with-opensearch/latest/version\",\"params\":{\"headers\":{\"Content-Type\":\"application/json\"}}}"
]
]
},
"ResponseMappingTemplate": "#if($ctx.error)\n {\"version\": \"unknown\", \"reason\": $util.toJson($ctx.error)}\n#else\n #if($ctx.result.statusCode == 200)\n $ctx.result.body\n #else\n {\"version\": \"unknown\"}\n #end\n#end",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPILatestVersionDS62A88DE9",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/LatestVersionResolver/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPICrossAccountLambdaDSServiceRoleD1137378": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "appsync.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/CrossAccountLambdaDS/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppSyncStackAPICrossAccountLambdaDSServiceRoleDefaultPolicyD27F4BDF": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"APICrossAccountStackLinkSubAccountHandlerEA41BC6E",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"APICrossAccountStackLinkSubAccountHandlerEA41BC6E",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppSyncStackAPICrossAccountLambdaDSServiceRoleDefaultPolicyD27F4BDF",
"Roles": [
{
"Ref": "APIAppSyncStackAPICrossAccountLambdaDSServiceRoleD1137378"
}
]
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/CrossAccountLambdaDS/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPICrossAccountLambdaDSC75BC25B": {
"Type": "AWS::AppSync::DataSource",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"Description": "Lambda Resolver Datasource",
"LambdaConfig": {
"LambdaFunctionArn": {
"Fn::GetAtt": [
"APICrossAccountStackLinkSubAccountHandlerEA41BC6E",
"Arn"
]
}
},
"Name": "CrossAccountLambdaDS",
"ServiceRoleArn": {
"Fn::GetAtt": [
"APIAppSyncStackAPICrossAccountLambdaDSServiceRoleD1137378",
"Arn"
]
},
"Type": "AWS_LAMBDA"
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/CrossAccountLambdaDS/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIlistSubAccountLinks404CCB09": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "CrossAccountLambdaDS",
"FieldName": "listSubAccountLinks",
"Kind": "UNIT",
"RequestMappingTemplate": "#if($ctx.args.count<1 or $ctx.args.count>1000)\n $util.error(\"Count (per page) must between 1 and 1000\")\n#end\n\n#if($ctx.args.page<1 or $ctx.args.page>1000)\n $util.error(\"Page must between 1 and 1000\")\n#end\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "#foreach( $subAccountLink in $ctx.result.subAccountLinks )\n #set($subAccountLink.agentInstallDoc = $util.urlEncode($subAccountLink.agentInstallDoc))\n #set($subAccountLink.agentConfDoc = $util.urlEncode($subAccountLink.agentConfDoc))\n \n #foreach( $param in $subAccountLink.tags )\n #set($param.key = $util.urlEncode($param.key)) \n #set($param.value = $util.urlEncode($param.value))\n #end\n#end\n\n$util.toJson($ctx.result)\n",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPICrossAccountLambdaDSC75BC25B",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/listSubAccountLinks/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIgetSubAccountLink9A894E75": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "CrossAccountLambdaDS",
"FieldName": "getSubAccountLink",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^\\d{12}$\", $util.defaultIfNullOrEmpty($ctx.args.subAccountId, '123456789012')), \"Invalid Account ID\")\n\n$util.validate($util.matches(\"^(?!(.*--))(?!(.*-$))[a-z0-9]([a-z0-9-]){0,62}$\", $util.defaultIfNullOrEmpty($ctx.args.region,'us-west-2')), \"Invalid Region Name\")\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "\n#set($ctx.result.agentInstallDoc = $util.urlEncode($ctx.result.agentInstallDoc))\n#set($ctx.result.agentConfDoc = $util.urlEncode($ctx.result.agentConfDoc))\n\n#foreach( $param in $ctx.result.tags )\n #set($param.key = $util.urlEncode($param.key)) \n #set($param.value = $util.urlEncode($param.value))\n#end\n\n$util.toJson($ctx.result)\n",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPICrossAccountLambdaDSC75BC25B",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/getSubAccountLink/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIupdateSubAccountLink3F5F0EEF": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "CrossAccountLambdaDS",
"FieldName": "updateSubAccountLink",
"Kind": "UNIT",
"RequestMappingTemplate": "\n$util.validate($util.matches(\"^\\d{12}$\", $util.defaultIfNullOrEmpty($ctx.args.subAccountId, '123456789012')), \"Invalid Account ID\")\n$util.validate($util.matches(\"^(?!(.*--))(?!(.*-$))[a-z0-9]([a-z0-9-]){0,62}$\", $util.defaultIfNullOrEmpty($ctx.args.region,'us-west-2')), \"Invalid Region Name\")\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}\n",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPICrossAccountLambdaDSC75BC25B",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/updateSubAccountLink/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIcreateSubAccountLinkC84C53CE": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "CrossAccountLambdaDS",
"FieldName": "createSubAccountLink",
"Kind": "UNIT",
"RequestMappingTemplate": "\n$util.validate($util.matches(\"^\\d{12}$\", $util.defaultIfNullOrEmpty($ctx.args.subAccountId, '123456789012')), \"Invalid Account ID\")\n\n$util.validate($util.matches(\"^(?!(.*--))(?!(.*-$))[a-z0-9]([a-z0-9-]){0,62}$\", $util.defaultIfNullOrEmpty($ctx.args.region,'us-west-2')), \"Invalid Region Name\")\n\n$util.validate($util.matches(\"[a-zA-Z0-9-]{1,1024}\", $ctx.args.subAccountName), \"Invalid Account Name\")\n\n$util.validate($util.matches(\"^arn:([^:\\n]*):([^:\\n]*):([^:\\n]*):([^:\\n]*):(([^:\\/\\n]*)[:\\/])?(.*)$\", $ctx.args.subAccountRoleArn), \"Invalid Cross Account Role ARN\")\n\n#set($ctx.args.agentInstallDoc = $util.urlDecode($ctx.args.agentInstallDoc))\n#set($ctx.args.agentConfDoc = $util.urlDecode($ctx.args.agentConfDoc))\n\n$util.validate($util.matches(\"^(?!(^((\\d{1,3}[.]){3}\\d{1,3}$)|.*\\.\\.|.*\\.-|.*-\\.|.*\\._|.*_\\.))[a-z\\d][\\w.-]{1,253}[a-z\\d]$\", $ctx.args.subAccountBucketName), \"Invalid Bucket Name\")\n\n$util.validate($util.matches(\"^arn:([^:\\n]*):([^:\\n]*):([^:\\n]*):([^:\\n]*):(([^:\\/\\n]*)[:\\/])?(.*)$\", $ctx.args.subAccountStackId), \"Invalid Cross Account Stack ID\")\n\n$util.validate($util.matches(\"^arn:([^:\\n]*):([^:\\n]*):([^:\\n]*):([^:\\n]*):(([^:\\/\\n]*)[:\\/])?(.*)$\", $ctx.args.subAccountKMSKeyArn), \"Invalid Cross Account KMS Key\")\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}\n",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPICrossAccountLambdaDSC75BC25B",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/createSubAccountLink/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIdeleteSubAccountLinkA967E41A": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "CrossAccountLambdaDS",
"FieldName": "deleteSubAccountLink",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^\\d{12}$\", $util.defaultIfNullOrEmpty($ctx.args.subAccountId, '123456789012')), \"Invalid Account ID\")\n\n$util.validate($util.matches(\"^(?!(.*--))(?!(.*-$))[a-z0-9]([a-z0-9-]){0,62}$\", $util.defaultIfNullOrEmpty($ctx.args.region,'us-west-2')), \"Invalid Region Name\")\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPICrossAccountLambdaDSC75BC25B",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/deleteSubAccountLink/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIResourceLambdaDSServiceRole63F3AAD1": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "appsync.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/ResourceLambdaDS/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppSyncStackAPIResourceLambdaDSServiceRoleDefaultPolicy16C62CAF": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"APIResourceAPIResourceHandlerFEC80983",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"APIResourceAPIResourceHandlerFEC80983",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppSyncStackAPIResourceLambdaDSServiceRoleDefaultPolicy16C62CAF",
"Roles": [
{
"Ref": "APIAppSyncStackAPIResourceLambdaDSServiceRole63F3AAD1"
}
]
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/ResourceLambdaDS/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIResourceLambdaDS4B719D94": {
"Type": "AWS::AppSync::DataSource",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"Description": "Lambda Resolver Datasource",
"LambdaConfig": {
"LambdaFunctionArn": {
"Fn::GetAtt": [
"APIResourceAPIResourceHandlerFEC80983",
"Arn"
]
}
},
"Name": "ResourceLambdaDS",
"ServiceRoleArn": {
"Fn::GetAtt": [
"APIAppSyncStackAPIResourceLambdaDSServiceRole63F3AAD1",
"Arn"
]
},
"Type": "AWS_LAMBDA"
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/ResourceLambdaDS/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIlistResources0AB899EC": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "ResourceLambdaDS",
"FieldName": "listResources",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^\\d{12}$\", $util.defaultIfNullOrEmpty($ctx.args.accountId, '123456789012')), \"Invalid Account ID\")\n$util.validate($util.matches(\"^(?!(.*--))(?!(.*-$))[a-z0-9]([a-z0-9-]){0,62}$\", $util.defaultIfNullOrEmpty($ctx.args.region,'us-west-2')), \"Invalid Region Name\")\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIResourceLambdaDS4B719D94",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/listResources/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIgetResourceLoggingBucket5FFCEFFC": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "ResourceLambdaDS",
"FieldName": "getResourceLoggingBucket",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^\\d{12}$\", $util.defaultIfNullOrEmpty($ctx.args.accountId, '123456789012')), \"Invalid Account ID\")\n$util.validate($util.matches(\"^(?!(.*--))(?!(.*-$))[a-z0-9]([a-z0-9-]){0,62}$\", $util.defaultIfNullOrEmpty($ctx.args.region,'us-west-2')), \"Invalid Region Name\")\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIResourceLambdaDS4B719D94",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/getResourceLoggingBucket/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIputResourceLoggingBucketC063C129": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "ResourceLambdaDS",
"FieldName": "putResourceLoggingBucket",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^\\d{12}$\", $util.defaultIfNullOrEmpty($ctx.args.accountId, '123456789012')), \"Invalid Account ID\")\n$util.validate($util.matches(\"^(?!(.*--))(?!(.*-$))[a-z0-9]([a-z0-9-]){0,62}$\", $util.defaultIfNullOrEmpty($ctx.args.region,'us-west-2')), \"Invalid Region Name\")\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIResourceLambdaDS4B719D94",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/putResourceLoggingBucket/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIgetResourceLogConfigs9806B249": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "ResourceLambdaDS",
"FieldName": "getResourceLogConfigs",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^\\d{12}$\", $util.defaultIfNullOrEmpty($ctx.args.accountId, '123456789012')), \"Invalid Account ID\")\n$util.validate($util.matches(\"^(?!(.*--))(?!(.*-$))[a-z0-9]([a-z0-9-]){0,62}$\", $util.defaultIfNullOrEmpty($ctx.args.region,'us-west-2')), \"Invalid Region Name\")\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIResourceLambdaDS4B719D94",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/getResourceLogConfigs/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIputResourceLogConfig77F161E4": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "ResourceLambdaDS",
"FieldName": "putResourceLogConfig",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^\\d{12}$\", $util.defaultIfNullOrEmpty($ctx.args.accountId, '123456789012')), \"Invalid Account ID\")\n$util.validate($util.matches(\"^(?!(.*--))(?!(.*-$))[a-z0-9]([a-z0-9-]){0,62}$\", $util.defaultIfNullOrEmpty($ctx.args.region,'us-west-2')), \"Invalid Region Name\")\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIResourceLambdaDS4B719D94",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/putResourceLogConfig/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIGrafanaLambdaDSServiceRole52D9E6AE": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "appsync.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/GrafanaLambdaDS/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppSyncStackAPIGrafanaLambdaDSServiceRoleDefaultPolicyAE045B4A": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"APIGrafanaAPIGrafanaHandlerAD82CA33",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"APIGrafanaAPIGrafanaHandlerAD82CA33",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppSyncStackAPIGrafanaLambdaDSServiceRoleDefaultPolicyAE045B4A",
"Roles": [
{
"Ref": "APIAppSyncStackAPIGrafanaLambdaDSServiceRole52D9E6AE"
}
]
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/GrafanaLambdaDS/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIGrafanaLambdaDSE182898C": {
"Type": "AWS::AppSync::DataSource",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"Description": "Lambda Resolver Datasource",
"LambdaConfig": {
"LambdaFunctionArn": {
"Fn::GetAtt": [
"APIGrafanaAPIGrafanaHandlerAD82CA33",
"Arn"
]
}
},
"Name": "GrafanaLambdaDS",
"ServiceRoleArn": {
"Fn::GetAtt": [
"APIAppSyncStackAPIGrafanaLambdaDSServiceRole52D9E6AE",
"Arn"
]
},
"Type": "AWS_LAMBDA"
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/GrafanaLambdaDS/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIcreateGrafana0684E718": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "GrafanaLambdaDS",
"FieldName": "createGrafana",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^[a-zA-Z0-9-_]{1,128}$\", $ctx.args.name), \"Invalid name. The name convention must follow ^[a-zA-Z0-9-_]{1,128}$\")\n$util.validate($util.matches(\"^(http(s)?:\\/\\/.)[-a-zA-Z0-9@:%._\\+~#=]{2,256}\\.[a-z]{2,6}\\b([-a-zA-Z0-9@:%_\\+.~#?&//=]*)$\", $ctx.args.url), \"Invalid url\")\n$util.validate($util.matches(\"^[a-zA-Z0-9-_]{1,128}$\", $ctx.args.token), \"Invalid token. The token convention must follow ^[a-zA-Z0-9-_]{1,128}$\")\n\n#foreach( $tag in $ctx.args.tags )\n #set($tag.key = $util.urlDecode($tag.key))\n $util.validate($util.matches(\"^[\\w\\s_.:\\/=+\\-@]{1,128}$\", $tag.key), \"Invalid key. Keys can contain alphanumeric characters, spaces, or any of the following: _.:/=+-@\")\n #set($tag.value = $util.urlDecode($tag.value))\n $util.validate($util.matches(\"^[\\w\\s_.:\\/=+\\-@]{0,256}$\", $tag.value), \"Invalid value. Values can contain alphanumeric characters, spaces, or any of the following: _.:/=+-@\")\n#end\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIGrafanaLambdaDSE182898C",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/createGrafana/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIlistGrafanas0A0810B9": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "GrafanaLambdaDS",
"FieldName": "listGrafanas",
"Kind": "UNIT",
"RequestMappingTemplate": "#if($ctx.args.count<1 or $ctx.args.count>1000)\n $util.error(\"Count (per page) must between 1 and 1000\")\n#end\n\n#if($ctx.args.page<1 or $ctx.args.page>1000)\n $util.error(\"Page must between 1 and 1000\")\n#end\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIGrafanaLambdaDSE182898C",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/listGrafanas/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIgetGrafana056C49B7": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "GrafanaLambdaDS",
"FieldName": "getGrafana",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "#foreach( $param in $ctx.result.tags )\n #set($param.key = $util.urlEncode($param.key)) \n #set($param.value = $util.urlEncode($param.value))\n#end \n\n$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIGrafanaLambdaDSE182898C",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/getGrafana/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIdeleteGrafana0DAB03A5": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "GrafanaLambdaDS",
"FieldName": "deleteGrafana",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIGrafanaLambdaDSE182898C",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/deleteGrafana/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIupdateGrafana68785B64": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "GrafanaLambdaDS",
"FieldName": "updateGrafana",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^[a-zA-Z0-9-_]{1,128}$\", $ctx.args.id), \"Invalid id.\")\n$util.validate($util.matches(\"^[a-zA-Z0-9-_]{1,128}$\", $ctx.args.token), \"Invalid token. The token convention must follow ^[a-zA-Z0-9-_]{1,128}$\")\n$util.validate($util.matches(\"^(http(s)?:\\/\\/.)[-a-zA-Z0-9@:%._\\+~#=]{2,256}\\.[a-z]{2,6}\\b([-a-zA-Z0-9@:%_\\+.~#?&//=]*)$\", $ctx.args.url), \"Invalid url\")\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIGrafanaLambdaDSE182898C",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/updateGrafana/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIcheckGrafana2CE6507B": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "GrafanaLambdaDS",
"FieldName": "checkGrafana",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIGrafanaLambdaDSE182898C",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/checkGrafana/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIPipelineLambdaDSServiceRoleEE1D1C2B": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "appsync.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/PipelineLambdaDS/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppSyncStackAPIPipelineLambdaDSServiceRoleDefaultPolicyB892F703": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"APISvcPipelineAPIPipelineHandler2790128E",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"APISvcPipelineAPIPipelineHandler2790128E",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppSyncStackAPIPipelineLambdaDSServiceRoleDefaultPolicyB892F703",
"Roles": [
{
"Ref": "APIAppSyncStackAPIPipelineLambdaDSServiceRoleEE1D1C2B"
}
]
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/PipelineLambdaDS/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIPipelineLambdaDS9DE24CDE": {
"Type": "AWS::AppSync::DataSource",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"Description": "Lambda Resolver Datasource",
"LambdaConfig": {
"LambdaFunctionArn": {
"Fn::GetAtt": [
"APISvcPipelineAPIPipelineHandler2790128E",
"Arn"
]
}
},
"Name": "PipelineLambdaDS",
"ServiceRoleArn": {
"Fn::GetAtt": [
"APIAppSyncStackAPIPipelineLambdaDSServiceRoleEE1D1C2B",
"Arn"
]
},
"Type": "AWS_LAMBDA"
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/PipelineLambdaDS/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIlistServicePipelines53CFCA18": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "PipelineLambdaDS",
"FieldName": "listServicePipelines",
"Kind": "UNIT",
"RequestMappingTemplate": "#if($ctx.args.count<1 or $ctx.args.count>1000)\n $util.error(\"Count (per page) must between 1 and 1000\")\n#end\n\n#if($ctx.args.page<1 or $ctx.args.page>1000)\n $util.error(\"Page must between 1 and 1000\")\n#end\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "#foreach( $pipeline in $ctx.result.pipelines )\n #foreach( $param in $pipeline.tags )\n #set($param.key = $util.urlEncode($param.key)) \n #set($param.value = $util.urlEncode($param.value))\n #end \n\n#end\n\n$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIPipelineLambdaDS9DE24CDE",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/listServicePipelines/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIgetServicePipeline84C812BF": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "PipelineLambdaDS",
"FieldName": "getServicePipeline",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "#foreach( $param in $ctx.result.tags )\n #set($param.key = $util.urlEncode($param.key)) \n #set($param.value = $util.urlEncode($param.value))\n#end \n\n$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIPipelineLambdaDS9DE24CDE",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/getServicePipeline/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIcreateServicePipeline803A48D6": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "PipelineLambdaDS",
"FieldName": "createServicePipeline",
"Kind": "UNIT",
"RequestMappingTemplate": "#foreach( $tag in $ctx.args.tags )\n #set($tag.key = $util.urlDecode($tag.key))\n $util.validate($util.matches(\"^[\\w\\s_.:\\/=+\\-@]{1,128}$\", $tag.key), \"Invalid key. Keys can contain alphanumeric characters, spaces, or any of the following: _.:/=+-@\")\n #set($tag.value = $util.urlDecode($tag.value))\n $util.validate($util.matches(\"^[\\w\\s_.:\\/=+\\-@]{0,256}$\", $tag.value), \"Invalid value. Values can contain alphanumeric characters, spaces, or any of the following: _.:/=+-@\")\n#end\n\n#foreach( $param in $ctx.args.parameters )\n #set($param.parameterKey = $util.urlDecode($param.parameterKey))\n $util.validate($util.matches(\"^[\\w\\s_.:\\/=+\\-@]{1,128}$\", $param.parameterKey), \"Invalid Parameter Key\")\n \n #set($param.parameterValue = $util.urlDecode($param.parameterValue))\n $util.validate($util.matches(\"^.{0,2048}$\", $param.parameterValue), \"Invalid Parameter Value\")\n#end\n\n$util.validate($util.matches(\"^[\\w\\s_.:\\/=+\\-@]{1,1024}$\", $ctx.args.source), \"Invalid Source Name\")\n$util.validate($util.matches(\"^[\\w\\s_.:\\/=+\\-@]{1,1024}$\", $ctx.args.target), \"Invalid Target Name\")\n$util.validate($util.matches(\"^\\d{12}$\", $util.defaultIfNullOrEmpty($ctx.args.logSourceAccountId, '123456789012')), \"Invalid Log Source Account ID\")\n$util.validate($util.matches(\"^(?!(.*--))(?!(.*-$))[a-z0-9]([a-z0-9-]){0,62}$\", $util.defaultIfNullOrEmpty($ctx.args.logSourceRegion,'us-west-2')), \"Invalid Log Source Region Name\")\n\n#foreach( $param in $ctx.args.parameters )\n #if( $param.parameterKey == \"logBucketName\" || $param.parameterKey == \"backupBucketName\" )\n $util.validate($util.matches(\"^(?!(^((\\d{1,3}[.]){3}\\d{1,3}$)|.*\\.\\.|.*\\.-|.*-\\.|.*\\._|.*_\\.))[a-z\\d][\\w.-]{1,253}[a-z\\d]$\", $param.parameterValue), \"Invalid Bucket Name\")\n #elseif( $param.parameterKey == \"logBucketPrefix\")\n \t#set($param.parameterValue = $util.urlDecode($param.parameterValue))\n $util.validate($util.matches(\"^.{0,1024}$\", $param.parameterValue), \"Invalid Prefix\")\n #elseif ($param.parameterKey == \"domainName\" )\n \t$util.validate($util.matches(\"[a-zA-Z0-9-]{1,1024}\", $param.parameterValue), \"Invalid OpenSearch Domain Name\")\n #elseif ($param.parameterKey == \"vpcId\" )\n \t$util.validate($util.matches(\"^vpc-[a-z0-9]{8,1020}$\", $param.parameterValue), \"Invalid VPC ID\")\n #elseif ($param.parameterKey == \"subnetIds\" )\n \t$util.validate($util.matches(\"^subnet-[a-z0-9]{8,1017}(,subnet-[a-z0-9]{8,1017})*$\", $param.parameterValue), \"Invalid Subnet IDs\")\n #elseif ($param.parameterKey == \"securityGroupId\" )\n \t$util.validate($util.matches(\"^sg-[a-z0-9]{8,1021}$\", $param.parameterValue), \"Invalid Security Group ID\")\n #end\n#end\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIPipelineLambdaDS9DE24CDE",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/createServicePipeline/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIcreateLightEngineServicePipelineF261978A": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "PipelineLambdaDS",
"FieldName": "createLightEngineServicePipeline",
"Kind": "UNIT",
"RequestMappingTemplate": "#foreach( $tag in $ctx.args.tags )\n #set($tag.key = $util.urlDecode($tag.key))\n $util.validate($util.matches(\"^[\\w\\s_.:\\/=+\\-@]{1,128}$\", $tag.key), \"Invalid key. Keys can contain alphanumeric characters, spaces, or any of the following: _.:/=+-@\")\n #set($tag.value = $util.urlDecode($tag.value))\n $util.validate($util.matches(\"^[\\w\\s_.:\\/=+\\-@]{0,256}$\", $tag.value), \"Invalid value. Values can contain alphanumeric characters, spaces, or any of the following: _.:/=+-@\")\n#end\n\n#foreach( $param in $ctx.args.parameters )\n #set($param.parameterKey = $util.urlDecode($param.parameterKey))\n $util.validate($util.matches(\"^[\\w\\s_.:\\/=+\\-@]{1,128}$\", $param.parameterKey), \"Invalid Parameter Key\")\n \n #set($param.parameterValue = $util.urlDecode($param.parameterValue))\n $util.validate($util.matches(\"^.{0,2048}$\", $param.parameterValue), \"Invalid Parameter Value\")\n#end\n\n$util.validate($util.matches(\"^[\\w\\s_.:\\/=+\\-@]{1,1024}$\", $ctx.args.source), \"Invalid Source Name\")\n$util.validate($util.matches(\"^\\d{12}$\", $util.defaultIfNullOrEmpty($ctx.args.logSourceAccountId, '123456789012')), \"Invalid Log Source Account ID\")\n$util.validate($util.matches(\"^(?!(.*--))(?!(.*-$))[a-z0-9]([a-z0-9-]){0,62}$\", $util.defaultIfNullOrEmpty($ctx.args.logSourceRegion,'us-west-2')), \"Invalid Log Source Region Name\")\n\n#foreach( $param in $ctx.args.parameters )\n #if( $param.parameterKey == \"StagingBucketName\" )\n $util.validate($util.matches(\"^(?!(^((\\d{1,3}[.]){3}\\d{1,3}$)|.*\\.\\.|.*\\.-|.*-\\.|.*\\._|.*_\\.))[a-z\\d][\\w.-]{1,253}[a-z\\d]$\", $param.parameterValue), \"Invalid Bucket Name\")\n #elseif( $param.parameterKey == \"stagingBucketPrefix\")\n \t#set($param.parameterValue = $util.urlDecode($param.parameterValue))\n $util.validate($util.matches(\"^.{0,1024}$\", $param.parameterValue), \"Invalid Prefix\")\n #end\n#end\n\n$util.validate($util.matches(\"^(?!(^((\\d{1,3}[.]){3}\\d{1,3}$)|.*\\.\\.|.*\\.-|.*-\\.|.*\\._|.*_\\.))[a-z\\d][\\w.-]{1,253}[a-z\\d]$\", $ctx.args.ingestion.bucket), \"Invalid Bucket Name\")\n#set($ctx.args.ingestion.prefix = $util.urlDecode($ctx.args.ingestion.prefix))\n$util.validate($util.matches(\"^.{0,1024}$\", $ctx.args.ingestion.prefix), \"Invalid Prefix\")\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIPipelineLambdaDS9DE24CDE",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/createLightEngineServicePipeline/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIdeleteServicePipelineF8754854": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "PipelineLambdaDS",
"FieldName": "deleteServicePipeline",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIPipelineLambdaDS9DE24CDE",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/deleteServicePipeline/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIgetLightEngineServicePipelineDetailB239BF3B": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "PipelineLambdaDS",
"FieldName": "getLightEngineServicePipelineDetail",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$\", $ctx.args.pipelineId), \"Invalid pipelineId\") \n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}\n",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIPipelineLambdaDS9DE24CDE",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/getLightEngineServicePipelineDetail/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIgetLightEngineServicePipelineExecutionLogs54BCFD06": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "PipelineLambdaDS",
"FieldName": "getLightEngineServicePipelineExecutionLogs",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$\", $ctx.args.pipelineId), \"Invalid pipelineId\") \n$util.validate($util.matches(\"^(LogProcessor|LogMerger|LogArchive)-\\w+$\", $ctx.args.stateMachineName), \"Invalid stateMachineName\") \n\n#if($util.isNullOrEmpty($ctx.args.startTime)==false)\n $util.validate($util.matches(\"^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$\", $ctx.args.startTime), \"Invalid startTime format\") \n#end\n\n#if($util.isNullOrEmpty($ctx.args.endTime)==false)\n $util.validate($util.matches(\"^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$\", $ctx.args.endTime), \"Invalid endTime format\") \n#end\n\n#if($util.isNullOrEmpty($ctx.args.limit)==false)\n #if($ctx.args.limit<1 or $ctx.args.count>1000)\n $util.error(\"Count (per page) must between 1 and 1000\")\n #end \n#end\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIPipelineLambdaDS9DE24CDE",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/getLightEngineServicePipelineExecutionLogs/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPILogSourceLambdaDSServiceRole8E334128": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "appsync.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/LogSourceLambdaDS/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppSyncStackAPILogSourceLambdaDSServiceRoleDefaultPolicy47640D3F": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"APILogSourceAPILogSourceHandler5F673C8E",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"APILogSourceAPILogSourceHandler5F673C8E",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppSyncStackAPILogSourceLambdaDSServiceRoleDefaultPolicy47640D3F",
"Roles": [
{
"Ref": "APIAppSyncStackAPILogSourceLambdaDSServiceRole8E334128"
}
]
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/LogSourceLambdaDS/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPILogSourceLambdaDS3E206985": {
"Type": "AWS::AppSync::DataSource",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"Description": "Lambda Resolver Datasource",
"LambdaConfig": {
"LambdaFunctionArn": {
"Fn::GetAtt": [
"APILogSourceAPILogSourceHandler5F673C8E",
"Arn"
]
}
},
"Name": "LogSourceLambdaDS",
"ServiceRoleArn": {
"Fn::GetAtt": [
"APIAppSyncStackAPILogSourceLambdaDSServiceRole8E334128",
"Arn"
]
},
"Type": "AWS_LAMBDA"
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/LogSourceLambdaDS/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIcreateLogSource619F065D": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "LogSourceLambdaDS",
"FieldName": "createLogSource",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPILogSourceLambdaDS3E206985",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/createLogSource/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIupdateLogSource5B8A1ADD": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "LogSourceLambdaDS",
"FieldName": "updateLogSource",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPILogSourceLambdaDS3E206985",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/updateLogSource/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIgetLogSource9C966658": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "LogSourceLambdaDS",
"FieldName": "getLogSource",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPILogSourceLambdaDS3E206985",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/getLogSource/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIlistLogSources81E70584": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "LogSourceLambdaDS",
"FieldName": "listLogSources",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPILogSourceLambdaDS3E206985",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/listLogSources/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIdeleteLogSource815D7328": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "LogSourceLambdaDS",
"FieldName": "deleteLogSource",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPILogSourceLambdaDS3E206985",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/deleteLogSource/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIcheckCustomPortC4334A78": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "LogSourceLambdaDS",
"FieldName": "checkCustomPort",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPILogSourceLambdaDS3E206985",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/checkCustomPort/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPILogConfLambdaDSServiceRoleA3CFA2A8": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "appsync.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/LogConfLambdaDS/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppSyncStackAPILogConfLambdaDSServiceRoleDefaultPolicy013A2857": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"APILogConfAPILogConfHandlerAA6F8688",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"APILogConfAPILogConfHandlerAA6F8688",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppSyncStackAPILogConfLambdaDSServiceRoleDefaultPolicy013A2857",
"Roles": [
{
"Ref": "APIAppSyncStackAPILogConfLambdaDSServiceRoleA3CFA2A8"
}
]
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/LogConfLambdaDS/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPILogConfLambdaDSDED5EE50": {
"Type": "AWS::AppSync::DataSource",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"Description": "LogConf Lambda Resolver Datasource",
"LambdaConfig": {
"LambdaFunctionArn": {
"Fn::GetAtt": [
"APILogConfAPILogConfHandlerAA6F8688",
"Arn"
]
}
},
"Name": "LogConfLambdaDS",
"ServiceRoleArn": {
"Fn::GetAtt": [
"APIAppSyncStackAPILogConfLambdaDSServiceRoleA3CFA2A8",
"Arn"
]
},
"Type": "AWS_LAMBDA"
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/LogConfLambdaDS/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIcreateLogConfig651545B2": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "LogConfLambdaDS",
"FieldName": "createLogConfig",
"Kind": "UNIT",
"RequestMappingTemplate": "#set($ctx.args.name = $util.urlDecode($ctx.args.name))\n$util.validate($util.matches(\"^[\\w\\s_.:\\/=+\\-@]{1,128}$\", $ctx.args.name), \"Invalid Config Name, can only contain alphanumeric characters, spaces, or any of the following: _.:/=+-@\")\n\n\n#set($ctx.args.userLogFormat = $util.urlDecode($ctx.args.userLogFormat))\n#set($ctx.args.userSampleLog = $util.urlDecode($ctx.args.userSampleLog))\n\n#set($ctx.args.regex = $util.urlDecode($ctx.args.regex))\n#set($ctx.args.timeKeyRegex = $util.urlDecode($ctx.args.timeKeyRegex))\n\n#if($ctx.args.userLogFormat.length() > 1024)\n $util.error(\"userLogFormat cannot exceed 1024 characters.\")\n#end\n#if($ctx.args.userSampleLog.length() > 2048)\n $util.error(\"userSampleLog cannot exceed 2048 characters.\")\n#end\n#if($ctx.args.regex.length() > 2048)\n $util.error(\"regex cannot exceed 2048 characters.\")\n#end\n#if($ctx.args.timeKeyRegex.length() > 1024)\n $util.error(\"timeKeyRegex cannot exceed 1024 characters.\")\n#end\n\n#foreach($param in $ctx.args.regexFieldSpecs)\n #set($param.key = $util.urlDecode($param.key))\n #if($param.key.length() > 250)\n $util.error(\"Value for key cannot exceed 250 characters.\")\n #end\n #set($param.type = $util.urlDecode($param.type))\n #if($param.type.length() > 250)\n $util.error(\"Value for type cannot exceed 250 characters.\")\n #end\n#end\n \n#foreach($param in $ctx.args.filterConfigMap.filters)\n #set($param.key = $util.urlDecode($param.key))\n #set($param.value = $util.urlDecode($param.value))\n#end\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPILogConfLambdaDSDED5EE50",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/createLogConfig/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIupdateLogConfig37DBF150": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "LogConfLambdaDS",
"FieldName": "updateLogConfig",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$\", $ctx.args.id), \"Invalid id\") \n\n#set($ctx.args.name = $util.urlDecode($ctx.args.name))\n$util.validate($util.matches(\"^[\\w\\s_.:\\/=+\\-@]{1,128}$\", $ctx.args.name), \"Invalid Config Name, can only contain alphanumeric characters, spaces, or any of the following: _.:/=+-@\")\n\n\n#set($ctx.args.userLogFormat = $util.urlDecode($ctx.args.userLogFormat))\n#set($ctx.args.userSampleLog = $util.urlDecode($ctx.args.userSampleLog))\n#set($ctx.args.regex = $util.urlDecode($ctx.args.regex))\n#set($ctx.args.timeKeyRegex = $util.urlDecode($ctx.args.timeKeyRegex))\n\n#if($ctx.args.userLogFormat.length() > 1024)\n $util.error(\"userLogFormat cannot exceed 1024 characters.\")\n#end\n#if($ctx.args.userSampleLog.length() > 2048)\n $util.error(\"userSampleLog cannot exceed 2048 characters.\")\n#end\n#if($ctx.args.regex.length() > 2048)\n $util.error(\"regex cannot exceed 2048 characters.\")\n#end\n#if($ctx.args.timeKeyRegex.length() > 1024)\n $util.error(\"timeKeyRegex cannot exceed 1024 characters.\")\n#end\n\n#foreach($param in $ctx.args.regexFieldSpecs)\n #set($param.key = $util.urlDecode($param.key))\n #if($param.key.length() > 250)\n $util.error(\"Value for key cannot exceed 250 characters.\")\n #end\n #set($param.type = $util.urlDecode($param.type))\n #if($param.type.length() > 250)\n $util.error(\"Value for type cannot exceed 250 characters.\")\n #end\n#end\n\n#foreach($param in $ctx.args.filterConfigMap.filters)\n #set($param.key = $util.urlDecode($param.key))\n #set($param.value = $util.urlDecode($param.value))\n#end\n \n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPILogConfLambdaDSDED5EE50",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/updateLogConfig/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIdeleteLogConfig3A4D4854": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "LogConfLambdaDS",
"FieldName": "deleteLogConfig",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPILogConfLambdaDSDED5EE50",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/deleteLogConfig/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIgetLogConfigCE6A6D64": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "LogConfLambdaDS",
"FieldName": "getLogConfig",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "#set($ctx.result.name = $util.urlEncode($ctx.result.name))\n#set($ctx.result.userLogFormat = $util.urlEncode($ctx.result.userLogFormat))\n#set($ctx.result.userSampleLog = $util.urlEncode($ctx.result.userSampleLog))\n#set($ctx.result.regex = $util.urlEncode($ctx.result.regex))\n#set($ctx.result.timeKeyRegex = $util.urlEncode($ctx.result.timeKeyRegex))\n#foreach($param in $ctx.result.regexFieldSpecs)\n #set($param.key = $util.urlEncode($param.key)) \n #set($param.type = $util.urlEncode($param.type))\n#end\n\n#foreach($param in $ctx.result.filterConfigMap.filters)\n #set($param.key = $util.urlEncode($param.key))\n #set($param.value = $util.urlEncode($param.value))\n#end\n\n$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPILogConfLambdaDSDED5EE50",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/getLogConfig/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIlistLogConfigVersionsB0C74BD5": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "LogConfLambdaDS",
"FieldName": "listLogConfigVersions",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$\", $ctx.args.id), \"Invalid LogConfig Id\")\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPILogConfLambdaDSDED5EE50",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/listLogConfigVersions/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIlistLogConfigsDA39B18C": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "LogConfLambdaDS",
"FieldName": "listLogConfigs",
"Kind": "UNIT",
"RequestMappingTemplate": "#if($ctx.args.count<1 or $ctx.args.count>10000)\n $util.error(\"Count (per page) must between 1 and 10000\")\n#end\n\n#if($ctx.args.page<1 or $ctx.args.page>1000)\n $util.error(\"Page must between 1 and 1000\")\n#end\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "#foreach( $logConfig in $ctx.result.logConfigs )\n #set($logConfig.name = $util.urlEncode($logConfig.name))\n #set($logConfig.userLogFormat = $util.urlEncode($logConfig.userLogFormat))\n #set($logConfig.userSampleLog = $util.urlEncode($logConfig.userSampleLog))\n #set($logConfig.regex = $util.urlEncode($logConfig.regex))\n #set($logConfig.timeKeyRegex = $util.urlEncode($logConfig.timeKeyRegex))\n \n #foreach($param in $ctx.args.regexFieldSpecs)\n #set($param.key = $util.urlEncode($param.key)) \n #set($param.type = $util.urlEncode($param.type))\n #end\n #foreach($param in $ctx.args.filterConfigMap.filters)\n #set($param.key = $util.urlEncode($param.key))\n #set($param.value = $util.urlEncode($param.value))\n #end\n#end\n \n$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPILogConfLambdaDSDED5EE50",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/listLogConfigs/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIcheckTimeFormatEE9FF936": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "LogConfLambdaDS",
"FieldName": "checkTimeFormat",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPILogConfLambdaDSDED5EE50",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/checkTimeFormat/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIinstanceDSServiceRoleEB9B081B": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "appsync.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/instanceDS/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppSyncStackAPIinstanceDSServiceRoleDefaultPolicy8FD4E8DA": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"APIInstanceAPIInstanceAgentStatusHandler77086C66",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"APIInstanceAPIInstanceAgentStatusHandler77086C66",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppSyncStackAPIinstanceDSServiceRoleDefaultPolicy8FD4E8DA",
"Roles": [
{
"Ref": "APIAppSyncStackAPIinstanceDSServiceRoleEB9B081B"
}
]
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/instanceDS/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIinstanceDSBB61C796": {
"Type": "AWS::AppSync::DataSource",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"Description": "Lambda Resolver Datasource",
"LambdaConfig": {
"LambdaFunctionArn": {
"Fn::GetAtt": [
"APIInstanceAPIInstanceAgentStatusHandler77086C66",
"Arn"
]
}
},
"Name": "instanceDS",
"ServiceRoleArn": {
"Fn::GetAtt": [
"APIAppSyncStackAPIinstanceDSServiceRoleEB9B081B",
"Arn"
]
},
"Type": "AWS_LAMBDA"
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/instanceDS/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIgetInstanceAgentStatusEA0DFDBF": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "instanceDS",
"FieldName": "getInstanceAgentStatus",
"Kind": "UNIT",
"RequestMappingTemplate": "#foreach( $instance in $ctx.args.instanceIds )\n #set($instance = $util.urlDecode($instance)) \n#end\n$util.validate($util.matches(\"^\\d{12}$\", $util.defaultIfNullOrEmpty($ctx.args.accountId, '123456789012')), \"Invalid Account ID\")\n$util.validate($util.matches(\"^(?!(.*--))(?!(.*-$))[a-z0-9]([a-z0-9-]){0,62}$\", $util.defaultIfNullOrEmpty($ctx.args.region,'us-west-2')), \"Invalid Region Name\")\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "#set($commandId = $util.urlEncode(commandId))\n#foreach( $InstanceAgentStatus in $ctx.result.instanceAgentStatusList )\n #set($InstanceAgentStatus = $util.urlEncode($InstanceAgentStatus)) \n#end\n\n$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIinstanceDSBB61C796",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/getInstanceAgentStatus/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIrequestInstallLogAgentA8730F48": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "instanceDS",
"FieldName": "requestInstallLogAgent",
"Kind": "UNIT",
"RequestMappingTemplate": "#foreach( $param in $ctx.args.instanceIdSet )\n $util.validate($util.matches(\"i-[a-z0-9]+$\", $param), \"Invalid instance ID\")\n#end\n$util.validate($util.matches(\"^\\d{12}$\", $util.defaultIfNullOrEmpty($ctx.args.accountId, '123456789012')), \"Invalid Account ID\")\n$util.validate($util.matches(\"^(?!(.*--))(?!(.*-$))[a-z0-9]([a-z0-9-]){0,62}$\", $util.defaultIfNullOrEmpty($ctx.args.region,'us-west-2')), \"Invalid Region Name\")\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIinstanceDSBB61C796",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/requestInstallLogAgent/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIlistInstances18FB2D5E": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "instanceDS",
"FieldName": "listInstances",
"Kind": "UNIT",
"RequestMappingTemplate": "#if($ctx.args.maxResults<1 or $ctx.args.maxResults>1000)\n $util.error(\"Max Results (per page) must between 1 and 1000\")\n#end\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIinstanceDSBB61C796",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/listInstances/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIClusterAPILambdaDSServiceRole1D9C53E2": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "appsync.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/ClusterAPILambdaDS/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppSyncStackAPIClusterAPILambdaDSServiceRoleDefaultPolicyAEFFDBFA": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"APIClusterAPIClusterHandlerB36287A2",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"APIClusterAPIClusterHandlerB36287A2",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppSyncStackAPIClusterAPILambdaDSServiceRoleDefaultPolicyAEFFDBFA",
"Roles": [
{
"Ref": "APIAppSyncStackAPIClusterAPILambdaDSServiceRole1D9C53E2"
}
]
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/ClusterAPILambdaDS/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIClusterAPILambdaDS7CA5CAEC": {
"Type": "AWS::AppSync::DataSource",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"Description": "Lambda Resolver Datasource",
"LambdaConfig": {
"LambdaFunctionArn": {
"Fn::GetAtt": [
"APIClusterAPIClusterHandlerB36287A2",
"Arn"
]
}
},
"Name": "ClusterAPILambdaDS",
"ServiceRoleArn": {
"Fn::GetAtt": [
"APIAppSyncStackAPIClusterAPILambdaDSServiceRole1D9C53E2",
"Arn"
]
},
"Type": "AWS_LAMBDA"
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/ClusterAPILambdaDS/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIlistDomainNames91151EF7": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "ClusterAPILambdaDS",
"FieldName": "listDomainNames",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^(?!(.*--))(?!(.*-$))[a-z0-9]([a-z0-9-]){0,62}$\", $util.defaultIfNullOrEmpty($ctx.args.region,'us-west-2')), \"Invalid Region Name\")\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIClusterAPILambdaDS7CA5CAEC",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/listDomainNames/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIlistImportedDomains8D89DA6F": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "ClusterAPILambdaDS",
"FieldName": "listImportedDomains",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIClusterAPILambdaDS7CA5CAEC",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/listImportedDomains/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIgetDomainDetails4E7B7FC2": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "ClusterAPILambdaDS",
"FieldName": "getDomainDetails",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^[a-f0-9]{32}$\", $ctx.args.id), \"Invalid Domain ID\")\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "#set($ctx.result.proxyError = $util.urlEncode($ctx.result.proxyError))\n#set($ctx.result.alarmError = $util.urlEncode($ctx.result.alarmError))\n\n#foreach( $param in $ctx.result.tags )\n #set($param.key = $util.urlEncode($param.key)) \n #set($param.value = $util.urlEncode($param.value))\n#end\n\n$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIClusterAPILambdaDS7CA5CAEC",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/getDomainDetails/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIgetDomainVpcAA3940FA": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "ClusterAPILambdaDS",
"FieldName": "getDomainVpc",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"[a-zA-Z0-9-]{1,1024}\", $ctx.args.domainName), \"Invalid Domain Name\")\n$util.validate($util.matches(\"^(?!(.*--))(?!(.*-$))[a-z0-9]([a-z0-9-]){0,62}$\", $util.defaultIfNullOrEmpty($ctx.args.region,'us-west-2')), \"Invalid Region Name\")\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIClusterAPILambdaDS7CA5CAEC",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/getDomainVpc/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIimportDomain17DB32C8": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "ClusterAPILambdaDS",
"FieldName": "importDomain",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"[a-zA-Z0-9-]{1,1024}\", $ctx.args.domainName), \"Invalid Domain Name\")\n$util.validate($util.matches(\"^(?!(.*--))(?!(.*-$))[a-z0-9]([a-z0-9-]){0,62}$\", $util.defaultIfNullOrEmpty($ctx.args.region,'us-west-2')), \"Invalid Region Name\")\n\n#foreach( $tag in $ctx.args.tags )\n #set($tag.key = $util.urlDecode($tag.key))\n $util.validate($util.matches(\"^[\\w\\s_.:\\/=+\\-@]{1,128}$\", $tag.key), \"Invalid key. Keys can contain alphanumeric characters, spaces, or any of the following: _.:/=+-@\")\n #set($tag.value = $util.urlDecode($tag.value))\n $util.validate($util.matches(\"^[\\w\\s_.:\\/=+\\-@]{0,256}$\", $tag.value), \"Invalid value. Values can contain alphanumeric characters, spaces, or any of the following: _.:/=+-@\")\n#end\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIClusterAPILambdaDS7CA5CAEC",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/importDomain/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIremoveDomain908C6DB6": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "ClusterAPILambdaDS",
"FieldName": "removeDomain",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^[a-f0-9]{32}$\", $ctx.args.id), \"Invalid Domain ID\")\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIClusterAPILambdaDS7CA5CAEC",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/removeDomain/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIcreateProxyForOpenSearch6AB61081": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "ClusterAPILambdaDS",
"FieldName": "createProxyForOpenSearch",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^arn:([^:\\n]*):([^:\\n]*):([^:\\n]*):([^:\\n]*):(([^:\\/\\n]*)[:\\/])?(.*)$\", $ctx.args.input.certificateArn), \"Invalid Certificate ARN\")\n$util.validate($util.matches('(^$)|([a-zA-Z0-9][-a-zA-Z0-9]{0,62}(\\.[a-zA-Z0-9][-a-zA-Z0-9]{0,3})(\\.[a-zA-Z0-9][-a-zA-Z0-9]{0,62})+\\.amazoncognito.com)', $ctx.args.input.cognitoEndpoint), \"Invalid Cognito Endpoint\")\n$util.validate($util.matches('(^$)|[a-zA-Z0-9][-a-zA-Z0-9]{0,62}(\\.[a-zA-Z0-9][-a-zA-Z0-9]{0,62})+\\.?', $ctx.args.input.customEndpoint), \"Invalid Custom Endpoint\")\n$util.validate($util.matches(\"[^\\u4e00-\\u9fa5]{0,255}$\", $ctx.args.input.keyName), \"Invalid Key Name\")\n$util.validate($util.matches(\"^t3.[a-z0-9]{4,5}\", $ctx.args.input.proxyInstanceType), \"Invalid instance type\")\n$util.validate($util.matches(\"[1234]\", $ctx.args.input.proxyInstanceNumber), \"Invalid instance number\")\n$util.validate($util.matches(\"^vpc-[a-z0-9]{8,1020}$\", $ctx.args.input.vpc.vpcId), \"Invalid VPC ID\")\n$util.validate($util.matches(\"^subnet-[a-z0-9]{8,1017}(,subnet-[a-z0-9]{8,1017})+$\", $ctx.args.input.vpc.privateSubnetIds), \"Invalid Subnet IDs\")\n$util.validate($util.matches(\"^subnet-[a-z0-9]{8,1017}(,subnet-[a-z0-9]{8,1017})+$\", $ctx.args.input.vpc.publicSubnetIds), \"Invalid Subnet IDs\")\n$util.validate($util.matches(\"^sg-[a-z0-9]{8,1021}$\", $ctx.args.input.vpc.securityGroupId), \"Invalid Security Group ID\")\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIClusterAPILambdaDS7CA5CAEC",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/createProxyForOpenSearch/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIdeleteProxyForOpenSearch898B80BD": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "ClusterAPILambdaDS",
"FieldName": "deleteProxyForOpenSearch",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIClusterAPILambdaDS7CA5CAEC",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/deleteProxyForOpenSearch/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIcreateAlarmForOpenSearch2C089087": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "ClusterAPILambdaDS",
"FieldName": "createAlarmForOpenSearch",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^\\w+([-+.]\\w+)*@\\w+([-.]\\w+)*\\.\\w+([-.]\\w+)*$\", $ctx.args.input.email), \"Invalid email\")\n#foreach( $param in $ctx.args.input.alarms )\n #set($param.value = $util.urlDecode($param.value))\n#end\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIClusterAPILambdaDS7CA5CAEC",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/createAlarmForOpenSearch/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIdeleteAlarmForOpenSearch1EAD0FC7": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "ClusterAPILambdaDS",
"FieldName": "deleteAlarmForOpenSearch",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIClusterAPILambdaDS7CA5CAEC",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/deleteAlarmForOpenSearch/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIvalidateVpcCidr05F82145": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "ClusterAPILambdaDS",
"FieldName": "validateVpcCidr",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIClusterAPILambdaDS7CA5CAEC",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/validateVpcCidr/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIdomainStatusCheckFAD94972": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "ClusterAPILambdaDS",
"FieldName": "domainStatusCheck",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIClusterAPILambdaDS7CA5CAEC",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/domainStatusCheck/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIAppPipelineLambdaDSServiceRoleC68E0BC4": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "appsync.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/AppPipelineLambdaDS/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppSyncStackAPIAppPipelineLambdaDSServiceRoleDefaultPolicy17DD8360": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppSyncStackAPIAppPipelineLambdaDSServiceRoleDefaultPolicy17DD8360",
"Roles": [
{
"Ref": "APIAppSyncStackAPIAppPipelineLambdaDSServiceRoleC68E0BC4"
}
]
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/AppPipelineLambdaDS/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIAppPipelineLambdaDS1E9CB393": {
"Type": "AWS::AppSync::DataSource",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"Description": "Lambda Resolver Datasource",
"LambdaConfig": {
"LambdaFunctionArn": {
"Fn::GetAtt": [
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"Arn"
]
}
},
"Name": "AppPipelineLambdaDS",
"ServiceRoleArn": {
"Fn::GetAtt": [
"APIAppSyncStackAPIAppPipelineLambdaDSServiceRoleC68E0BC4",
"Arn"
]
},
"Type": "AWS_LAMBDA"
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/AppPipelineLambdaDS/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIlistAppPipelines99B1FE2A": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "AppPipelineLambdaDS",
"FieldName": "listAppPipelines",
"Kind": "UNIT",
"RequestMappingTemplate": "#if($ctx.args.count<1 or $ctx.args.count>1000)\n $util.error(\"Count (per page) must between 1 and 1000\")\n#end\n\n#if($ctx.args.page<1 or $ctx.args.page>1000)\n $util.error(\"Page must between 1 and 1000\")\n#end\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "#foreach( $appPipeline in $ctx.result.appPipelines )\n #foreach( $param in $appPipeline.tags )\n #set($param.key = $util.urlEncode($param.key)) \n #set($param.value = $util.urlEncode($param.value))\n #end \n #set($aosParams=$appPipeline.aosParams)\n #set($aosParams.indexSuffix = $aosParams.indexSuffix.replace(\"-\",\"_\")) \n\n#end\n\n$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIAppPipelineLambdaDS1E9CB393",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/listAppPipelines/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIcreateAppPipelineDAD94100": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "AppPipelineLambdaDS",
"FieldName": "createAppPipeline",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIAppPipelineLambdaDS1E9CB393",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/createAppPipeline/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIresumePipeline5616AB12": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "AppPipelineLambdaDS",
"FieldName": "resumePipeline",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$\", $ctx.args.id), \"Invalid appPipelineId\") \n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIAppPipelineLambdaDS1E9CB393",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/resumePipeline/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIupdateAppPipeline8F88C1B3": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "AppPipelineLambdaDS",
"FieldName": "updateAppPipeline",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$\", $ctx.args.id), \"Invalid appPipelineId\")\n\n$util.validate($util.matches(\"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$\", $ctx.args.logConfigId), \"Invalid logConfigId\") \n\n\n#if($ctx.args.logConfigVersionNumber.length() > 5)\n $util.error(\"logConfigVersionNumber cannot exceed 5 characters.\")\n#end\n\n#if($ctx.args.logProcessorConcurrency.length() > 4)\n $util.error(\"logProcessorConcurrency cannot exceed 5 characters.\")\n#end\n\n#if(!$ctx.args.logConfigVersionNumber || !$util.isNumber($ctx.args.logConfigVersionNumber)||$ctx.args.logConfigVersionNumber<1)\n $util.error(\"Invalid logConfigVersionNumber\")\n#end\n\n\n#if(!$ctx.args.logProcessorConcurrency || !$ctx.args.logProcessorConcurrency.matches(\"^(0|[1-9][0-9]*)$\"))\n $util.error(\"Invalid logProcessorConcurrency\")\n#end\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIAppPipelineLambdaDS1E9CB393",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/updateAppPipeline/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIcreateLightEngineAppPipelineC32F3B1B": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "AppPipelineLambdaDS",
"FieldName": "createLightEngineAppPipeline",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIAppPipelineLambdaDS1E9CB393",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/createLightEngineAppPipeline/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIdeleteAppPipeline48475BAC": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "AppPipelineLambdaDS",
"FieldName": "deleteAppPipeline",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIAppPipelineLambdaDS1E9CB393",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/deleteAppPipeline/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIgetAppPipelineA15C93FF": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "AppPipelineLambdaDS",
"FieldName": "getAppPipeline",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "#foreach( $param in $ctx.result.tags )\n #set($param.key = $util.urlEncode($param.key)) \n #set($param.value = $util.urlEncode($param.value))\n#end \n#set($aosParams=$ctx.result.aosParams)\n#set($aosParams.indexSuffix = $aosParams.indexSuffix.replace(\"-\",\"_\"))\n$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIAppPipelineLambdaDS1E9CB393",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/getAppPipeline/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIgetLightEngineAppPipelineDetail3D9ED636": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "AppPipelineLambdaDS",
"FieldName": "getLightEngineAppPipelineDetail",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$\", $ctx.args.pipelineId), \"Invalid pipelineId\") \n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}\n",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIAppPipelineLambdaDS1E9CB393",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/getLightEngineAppPipelineDetail/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIgetLightEngineAppPipelineExecutionLogs1A1BD46F": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "AppPipelineLambdaDS",
"FieldName": "getLightEngineAppPipelineExecutionLogs",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$\", $ctx.args.pipelineId), \"Invalid pipelineId\") \n$util.validate($util.matches(\"^(LogProcessor|LogMerger|LogArchive)-\\w+$\", $ctx.args.stateMachineName), \"Invalid stateMachineName\") \n\n#if($util.isNullOrEmpty($ctx.args.startTime)==false)\n $util.validate($util.matches(\"^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$\", $ctx.args.startTime), \"Invalid startTime format\") \n#end\n\n#if($util.isNullOrEmpty($ctx.args.endTime)==false)\n $util.validate($util.matches(\"^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$\", $ctx.args.endTime), \"Invalid endTime format\") \n#end\n\n#if($util.isNullOrEmpty($ctx.args.limit)==false)\n #if($ctx.args.limit<1 or $ctx.args.count>1000)\n $util.error(\"Count (per page) must between 1 and 1000\")\n #end \n#end\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIAppPipelineLambdaDS1E9CB393",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/getLightEngineAppPipelineExecutionLogs/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIcheckOSIAvailability338A0742": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "AppPipelineLambdaDS",
"FieldName": "checkOSIAvailability",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIAppPipelineLambdaDS1E9CB393",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/checkOSIAvailability/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIgetAccountUnreservedConurrency8E97FC0C": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "AppPipelineLambdaDS",
"FieldName": "getAccountUnreservedConurrency",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIAppPipelineLambdaDS1E9CB393",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/getAccountUnreservedConurrency/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIbatchExportAppPipelinesE45AEA3F": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "AppPipelineLambdaDS",
"FieldName": "batchExportAppPipelines",
"Kind": "UNIT",
"RequestMappingTemplate": "#foreach( $appPipelineId in $ctx.args.appPipelineIds )\n $util.validate($util.matches(\"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$\", $appPipelineId), \"Invalid AppPipeline Id\")\n#end\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIAppPipelineLambdaDS1E9CB393",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/batchExportAppPipelines/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIbatchImportAppPipelinesAnalyzerA50D98DE": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "AppPipelineLambdaDS",
"FieldName": "batchImportAppPipelinesAnalyzer",
"Kind": "UNIT",
"RequestMappingTemplate": "#set($contentString = $ctx.args.contentString)\n#set($isValidBase64 = false)\n\n#set($isValidBase64 = $util.matches('^[A-Za-z0-9+/=]+$', $contentString))\n\n#if($isValidBase64)\n #set($length = $contentString.length())\n #set($isValidBase64 = ($length % 4 == 0) && !$util.matches('={3,}', $contentString))\n#end\n\n#if(!$isValidBase64)\n $util.error(\"Input value is not a valid Base64 encoded string.\", \"Invalid Base64 Input\")\n#end\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}\n",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIAppPipelineLambdaDS1E9CB393",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/batchImportAppPipelinesAnalyzer/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIcwlLambdaDSServiceRole74060749": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "appsync.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/cwlLambdaDS/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppSyncStackAPIcwlLambdaDSServiceRoleDefaultPolicyF40D7C2A": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"APICloudWatchAPICloudWatchHandlerC0FECCE0",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"APICloudWatchAPICloudWatchHandlerC0FECCE0",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppSyncStackAPIcwlLambdaDSServiceRoleDefaultPolicyF40D7C2A",
"Roles": [
{
"Ref": "APIAppSyncStackAPIcwlLambdaDSServiceRole74060749"
}
]
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/cwlLambdaDS/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIcwlLambdaDS3D1BADF3": {
"Type": "AWS::AppSync::DataSource",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"Description": "Lambda Resolver Data Source",
"LambdaConfig": {
"LambdaFunctionArn": {
"Fn::GetAtt": [
"APICloudWatchAPICloudWatchHandlerC0FECCE0",
"Arn"
]
}
},
"Name": "cwlLambdaDS",
"ServiceRoleArn": {
"Fn::GetAtt": [
"APIAppSyncStackAPIcwlLambdaDSServiceRole74060749",
"Arn"
]
},
"Type": "AWS_LAMBDA"
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/cwlLambdaDS/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIQueryListLogStreamsResolver0C8A44DB": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "cwlLambdaDS",
"FieldName": "listLogStreams",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIcwlLambdaDS3D1BADF3",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/QueryListLogStreamsResolver/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIQueryGetLogEventsResolver5A432F93": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "cwlLambdaDS",
"FieldName": "getLogEvents",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIcwlLambdaDS3D1BADF3",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/QueryGetLogEventsResolver/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIQueryGetMetricHistoryDataResolverE3208360": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "cwlLambdaDS",
"FieldName": "getMetricHistoryData",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIcwlLambdaDS3D1BADF3",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/QueryGetMetricHistoryDataResolver/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIAppLogIngestionLambdaDSServiceRole15E45597": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "appsync.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/AppLogIngestionLambdaDS/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppSyncStackAPIAppLogIngestionLambdaDSServiceRoleDefaultPolicy7F5047BD": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"APIAppLogIngestionAPIAppLogIngestionHandler607503C8",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"APIAppLogIngestionAPIAppLogIngestionHandler607503C8",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppSyncStackAPIAppLogIngestionLambdaDSServiceRoleDefaultPolicy7F5047BD",
"Roles": [
{
"Ref": "APIAppSyncStackAPIAppLogIngestionLambdaDSServiceRole15E45597"
}
]
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/AppLogIngestionLambdaDS/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIAppLogIngestionLambdaDS0FC96237": {
"Type": "AWS::AppSync::DataSource",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"Description": "Lambda Resolver Datasource",
"LambdaConfig": {
"LambdaFunctionArn": {
"Fn::GetAtt": [
"APIAppLogIngestionAPIAppLogIngestionHandler607503C8",
"Arn"
]
}
},
"Name": "AppLogIngestionLambdaDS",
"ServiceRoleArn": {
"Fn::GetAtt": [
"APIAppSyncStackAPIAppLogIngestionLambdaDSServiceRole15E45597",
"Arn"
]
},
"Type": "AWS_LAMBDA"
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/AppLogIngestionLambdaDS/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIlistAppLogIngestions92A916E3": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "AppLogIngestionLambdaDS",
"FieldName": "listAppLogIngestions",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "#foreach( $appLogIngestion in $ctx.result.appLogIngestions )\n #set($appLogIngestion.confName = $util.urlEncode($appLogIngestion.confName))\n #set($appLogIngestion.logPath = $util.urlEncode($appLogIngestion.logPath))\n\n #foreach( $param in $appLogIngestion.tags )\n #set($param.key = $util.urlEncode($param.key)) \n #set($param.value = $util.urlEncode($param.value))\n #end \n\n#end\n\n$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIAppLogIngestionLambdaDS0FC96237",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/listAppLogIngestions/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIgetK8sDeploymentContentWithSidecar228DD99A": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "AppLogIngestionLambdaDS",
"FieldName": "getK8sDeploymentContentWithSidecar",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIAppLogIngestionLambdaDS0FC96237",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/getK8sDeploymentContentWithSidecar/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIgetK8sDeploymentContentWithDaemonSet6BAFD940": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "AppLogIngestionLambdaDS",
"FieldName": "getK8sDeploymentContentWithDaemonSet",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIAppLogIngestionLambdaDS0FC96237",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/getK8sDeploymentContentWithDaemonSet/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIgetAppLogIngestionBE18583A": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "AppLogIngestionLambdaDS",
"FieldName": "getAppLogIngestion",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "#set($ctx.result.confName = $util.urlEncode($ctx.result.confName))\n#set($ctx.result.logPath = $util.urlEncode($ctx.result.logPath))\n\n#foreach( $param in $ctx.result.tags )\n #set($param.key = $util.urlEncode($param.key))\n #set($param.value = $util.urlEncode($param.value))\n#end\n\n$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIAppLogIngestionLambdaDS0FC96237",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/getAppLogIngestion/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIcreateAppLogIngestion9728BBEE": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "AppLogIngestionLambdaDS",
"FieldName": "createAppLogIngestion",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$\", $ctx.args.appPipelineId), \"Invalid appPipelineId\") \n#if($util.isNullOrEmpty($ctx.args.logPath)==false)\n $util.validate($util.matches(\"^.{0,1024}$\", $ctx.args.logPath), \"Invalid LogPath\")\n#end\n\n#foreach( $tag in $ctx.args.tags )\n #set($tag.key = $util.urlDecode($tag.key))\n $util.validate($util.matches(\"^[\\w\\s_.:\\/=+\\-@]{1,128}$\", $tag.key), \"Invalid key. Keys can contain alphanumeric characters, spaces, or any of the following: _.:/=+-@\")\n #set($tag.value = $util.urlDecode($tag.value))\n $util.validate($util.matches(\"^[\\w\\s_.:\\/=+\\-@]{0,256}$\", $tag.value), \"Invalid value. Values can contain alphanumeric characters, spaces, or any of the following: _.:/=+-@\")\n#end\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIAppLogIngestionLambdaDS0FC96237",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/createAppLogIngestion/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIdeleteAppLogIngestion8F8F8965": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "AppLogIngestionLambdaDS",
"FieldName": "deleteAppLogIngestion",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIAppLogIngestionLambdaDS0FC96237",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/deleteAppLogIngestion/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIrefreshAppLogIngestion13772715": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "AppLogIngestionLambdaDS",
"FieldName": "refreshAppLogIngestion",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$\", $ctx.args.appPipelineId), \"Invalid appPipelineId\") \n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPIAppLogIngestionLambdaDS0FC96237",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/refreshAppLogIngestion/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIASGConfigGeneratorDSServiceRoleA1E76D1C": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "appsync.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/ASGConfigGeneratorDS/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppSyncStackAPIASGConfigGeneratorDSServiceRoleDefaultPolicyCB6DF55B": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"APIAppLogIngestionAPIASGConfigGenerateFnCBCFDFD7",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"APIAppLogIngestionAPIASGConfigGenerateFnCBCFDFD7",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppSyncStackAPIASGConfigGeneratorDSServiceRoleDefaultPolicyCB6DF55B",
"Roles": [
{
"Ref": "APIAppSyncStackAPIASGConfigGeneratorDSServiceRoleA1E76D1C"
}
]
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/ASGConfigGeneratorDS/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIASGConfigGeneratorDSB218E3A1": {
"Type": "AWS::AppSync::DataSource",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"Description": "Lambda Resolver Datasource",
"LambdaConfig": {
"LambdaFunctionArn": {
"Fn::GetAtt": [
"APIAppLogIngestionAPIASGConfigGenerateFnCBCFDFD7",
"Arn"
]
}
},
"Name": "ASGConfigGeneratorDS",
"ServiceRoleArn": {
"Fn::GetAtt": [
"APIAppSyncStackAPIASGConfigGeneratorDSServiceRoleA1E76D1C",
"Arn"
]
},
"Type": "AWS_LAMBDA"
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/ASGConfigGeneratorDS/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIgetAutoScalingGroupConf82BA5310": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "ASGConfigGeneratorDS",
"FieldName": "getAutoScalingGroupConf",
"Kind": "UNIT",
"RequestMappingTemplate": "$util.validate($util.matches(\"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$\", $ctx.args.groupId), \"Invalid GroupId\")\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPIASGConfigGeneratorDSB218E3A1",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/getAutoScalingGroupConf/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPICentralAlarmLambdaDSServiceRoleA1541BD4": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "appsync.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/CentralAlarmLambdaDS/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppSyncStackAPICentralAlarmLambdaDSServiceRoleDefaultPolicyFEE36E8C": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SingletonLambdaCentralAlarmHandlerSingleton6BC08E08",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"SingletonLambdaCentralAlarmHandlerSingleton6BC08E08",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppSyncStackAPICentralAlarmLambdaDSServiceRoleDefaultPolicyFEE36E8C",
"Roles": [
{
"Ref": "APIAppSyncStackAPICentralAlarmLambdaDSServiceRoleA1541BD4"
}
]
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/CentralAlarmLambdaDS/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPICentralAlarmLambdaDS414044EA": {
"Type": "AWS::AppSync::DataSource",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"Description": "Central Alarm Lambda Resolver Datasource",
"LambdaConfig": {
"LambdaFunctionArn": {
"Fn::GetAtt": [
"SingletonLambdaCentralAlarmHandlerSingleton6BC08E08",
"Arn"
]
}
},
"Name": "CentralAlarmLambdaDS",
"ServiceRoleArn": {
"Fn::GetAtt": [
"APIAppSyncStackAPICentralAlarmLambdaDSServiceRoleA1541BD4",
"Arn"
]
},
"Type": "AWS_LAMBDA"
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/CentralAlarmLambdaDS/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIGetPipelineAlarmDataResolver815DDE07": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "CentralAlarmLambdaDS",
"FieldName": "getPipelineAlarm",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Query"
},
"DependsOn": [
"APIAppSyncStackAPICentralAlarmLambdaDS414044EA",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/GetPipelineAlarmDataResolver/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPICreatePipelineAlarmResolverBB6490FC": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "CentralAlarmLambdaDS",
"FieldName": "createPipelineAlarm",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPICentralAlarmLambdaDS414044EA",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/CreatePipelineAlarmResolver/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIUpdatePipelineAlarmResolver90718F69": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "CentralAlarmLambdaDS",
"FieldName": "updatePipelineAlarm",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPICentralAlarmLambdaDS414044EA",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/UpdatePipelineAlarmResolver/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAPIDeletePipelineAlarmResolver94AE933C": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"ApiId"
]
},
"DataSourceName": "CentralAlarmLambdaDS",
"FieldName": "deletePipelineAlarm",
"Kind": "UNIT",
"RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
"ResponseMappingTemplate": "$util.toJson($ctx.result)",
"TypeName": "Mutation"
},
"DependsOn": [
"APIAppSyncStackAPICentralAlarmLambdaDS414044EA",
"APIAppSyncStackAPISchemaCA6DA305",
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/API/DeletePipelineAlarmResolver/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAppSyncServiceLinkRoleFnServiceRole8D31F37E": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/AppSyncServiceLinkRoleFn/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppSyncStackAppSyncServiceLinkRoleFnServiceRoleDefaultPolicy2A413495": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"iam:GetRole",
"iam:CreateServiceLinkedRole"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppSyncStackAppSyncServiceLinkRoleFnServiceRoleDefaultPolicy2A413495",
"Roles": [
{
"Ref": "APIAppSyncStackAppSyncServiceLinkRoleFnServiceRole8D31F37E"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/AppSyncServiceLinkRoleFn/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAppSyncServiceLinkRoleFn90B5EF3B": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/f646d2b6b6ed4e4b5eb3afef20f6423e8447675ba12071cb4077a80dcf539647.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Service Linked Role Create Handler"
]
]
},
"Handler": "create_service_linked_role.lambda_handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
}
],
"MemorySize": 128,
"Role": {
"Fn::GetAtt": [
"APIAppSyncStackAppSyncServiceLinkRoleFnServiceRole8D31F37E",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 60
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFnServiceRoleDefaultPolicy2A413495",
"APIAppSyncStackAppSyncServiceLinkRoleFnServiceRole8D31F37E"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/AppSyncServiceLinkRoleFn/Resource",
"aws:asset:path": "asset.f646d2b6b6ed4e4b5eb3afef20f6423e8447675ba12071cb4077a80dcf539647",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"APIAppSyncStackAppSyncServiceLinkRoleProviderframeworkonEventServiceRoleE9B6DF8B": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/AppSyncServiceLinkRoleProvider/framework-onEvent/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppSyncStackAppSyncServiceLinkRoleProviderframeworkonEventServiceRoleDefaultPolicy5B452CC3": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"APIAppSyncStackAppSyncServiceLinkRoleFn90B5EF3B",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"APIAppSyncStackAppSyncServiceLinkRoleFn90B5EF3B",
"Arn"
]
},
":*"
]
]
}
]
},
{
"Action": "lambda:GetFunction",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"APIAppSyncStackAppSyncServiceLinkRoleFn90B5EF3B",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppSyncStackAppSyncServiceLinkRoleProviderframeworkonEventServiceRoleDefaultPolicy5B452CC3",
"Roles": [
{
"Ref": "APIAppSyncStackAppSyncServiceLinkRoleProviderframeworkonEventServiceRoleE9B6DF8B"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/AppSyncServiceLinkRoleProvider/framework-onEvent/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppSyncStackAppSyncServiceLinkRoleProviderframeworkonEvent915DA8A3": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/07a90cc3efdfc34da22208dcd9d211f06f5b0e01b21e778edc7c3966b1f61d57.zip"
},
"Description": "AWS CDK resource provider framework - onEvent (CentralizedLogging/API/AppSyncStack/AppSyncServiceLinkRoleProvider)",
"Environment": {
"Variables": {
"USER_ON_EVENT_FUNCTION_ARN": {
"Fn::GetAtt": [
"APIAppSyncStackAppSyncServiceLinkRoleFn90B5EF3B",
"Arn"
]
}
}
},
"Handler": "framework.onEvent",
"LoggingConfig": {
"Fn::If": [
"AWSCNCondition",
{
"Ref": "AWS::NoValue"
},
{
"LogFormat": "JSON",
"ApplicationLogLevel": "FATAL"
}
]
},
"Role": {
"Fn::GetAtt": [
"APIAppSyncStackAppSyncServiceLinkRoleProviderframeworkonEventServiceRoleE9B6DF8B",
"Arn"
]
},
"Runtime": "nodejs22.x",
"Timeout": 900
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleProviderframeworkonEventServiceRoleDefaultPolicy5B452CC3",
"APIAppSyncStackAppSyncServiceLinkRoleProviderframeworkonEventServiceRoleE9B6DF8B"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/AppSyncServiceLinkRoleProvider/framework-onEvent/Resource",
"aws:asset:path": "asset.07a90cc3efdfc34da22208dcd9d211f06f5b0e01b21e778edc7c3966b1f61d57",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"APIAppSyncStackAppSyncServiceLinkRoleFnCR8FF8965C": {
"Type": "AWS::CloudFormation::CustomResource",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"APIAppSyncStackAppSyncServiceLinkRoleProviderframeworkonEvent915DA8A3",
"Arn"
]
},
"service": "Lambda",
"action": "invoke",
"parameters": {
"FunctionName": {
"Ref": "APIAppSyncStackAppSyncServiceLinkRoleFn90B5EF3B"
},
"InvocationType": "Event"
},
"physicalResourceId": {
"id": "1776767316004"
}
},
"DependsOn": [
"APIAppSyncStackAppSyncServiceLinkRoleFn90B5EF3B",
"APIAppSyncStackAppSyncServiceLinkRoleFnServiceRoleDefaultPolicy2A413495",
"APIAppSyncStackAppSyncServiceLinkRoleFnServiceRole8D31F37E"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppSyncStack/AppSyncServiceLinkRoleFnCR/Default",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APICrossAccountStackCentralAssumeRolePolicy59025B7D": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"Description": "",
"Path": "/",
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":logs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":*"
]
]
}
}
],
"Version": "2012-10-17"
},
"Roles": [
{
"Ref": "PipelineResourcesBuilderRole"
},
{
"Ref": "APIResourceAPIResourceHandlerServiceRole10DB7E84"
},
{
"Ref": "APISvcPipelineAPIPipelineHandlerServiceRole0999EFB2"
},
{
"Ref": "APILogSourceAPILogSourceHandlerServiceRoleDC23DEAA"
},
{
"Ref": "APIInstanceAPIInstanceAgentStatusHandlerServiceRoleEC3D19C0"
},
{
"Ref": "APIClusterAPIClusterHandlerServiceRole770F7CF6"
},
{
"Ref": "APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81"
},
{
"Ref": "APICloudWatchAPICloudWatchHandlerServiceRole3CE2D967"
},
{
"Ref": "APIAppLogIngestionAPIAppLogIngestionEC2ModificationHandlerServiceRoleC4E56802"
},
{
"Ref": "APIAppLogIngestionAPIAppLogIngestionHandlerServiceRoleC1143A06"
},
{
"Ref": "APIAppLogIngestionAPIEC2IngestionDistributionEventHandlerServiceRoleD8B62561"
},
{
"Ref": "APIAppLogIngestionAPIASGConfigGenerateFnServiceRole0F0F8B10"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CrossAccountStack/CentralAssumeRolePolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"SubAccount": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "subAccountId",
"AttributeType": "S"
},
{
"AttributeName": "region",
"AttributeType": "S"
}
],
"BillingMode": "PAY_PER_REQUEST",
"KeySchema": [
{
"AttributeName": "subAccountId",
"KeyType": "HASH"
},
{
"AttributeName": "region",
"KeyType": "RANGE"
}
],
"PointInTimeRecoverySpecification": {
"PointInTimeRecoveryEnabled": true
},
"SSESpecification": {
"KMSMasterKeyId": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"SSEEnabled": true,
"SSEType": "KMS"
},
"StreamSpecification": {
"StreamViewType": "NEW_AND_OLD_IMAGES"
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CrossAccountStack/SubAccount/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APICrossAccountStackCWLAccessPolicyD954A808": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":logs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":log-group:CL-flb-internal-group*:*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "APICrossAccountStackCWLAccessPolicyD954A808",
"Roles": [
{
"Ref": "APICrossAccountStackCWLAccessRoleBD3C44A8"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CrossAccountStack/CWLAccessPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APICrossAccountStackCWLAccessRoleBD3C44A8": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
]
}
}
}
],
"Version": "2012-10-17"
},
"Description": "Using this role to send log data to cloudwatch flb monitor log group",
"RoleName": {
"Fn::Join": [
"",
[
"CL-cloudwatch-access-",
{
"Ref": "AWS::StackName"
},
"-",
{
"Ref": "AWS::Region"
}
]
]
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CrossAccountStack/CWLAccessRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APICrossAccountStackLinkSubAccountHandlerServiceRoleBD926228": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CrossAccountStack/LinkSubAccountHandler/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APICrossAccountStackLinkSubAccountHandlerServiceRoleDefaultPolicyDEEF9982": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SubAccount",
"Arn"
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SubAccount",
"Arn"
]
}
]
},
{
"Action": [
"iam:GetRole",
"iam:GetInstanceProfile",
"iam:ListAttachedRolePolicies",
"iam:UpdateAssumeRolePolicy"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":*"
]
]
}
},
{
"Action": [
"events:RemovePermission",
"events:PutPermission"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:*:events:*:",
{
"Ref": "AWS::AccountId"
},
":event-bus/default"
]
]
}
},
{
"Action": [
"iam:CreatePolicyVersion",
"iam:SetDefaultPolicyVersion",
"iam:ListPolicyVersions",
"iam:DeletePolicyVersion"
],
"Effect": "Allow",
"Resource": {
"Ref": "APICrossAccountStackCentralAssumeRolePolicy59025B7D"
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "APICrossAccountStackLinkSubAccountHandlerServiceRoleDefaultPolicyDEEF9982",
"Roles": [
{
"Ref": "APICrossAccountStackLinkSubAccountHandlerServiceRoleBD926228"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CrossAccountStack/LinkSubAccountHandler/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APICrossAccountStackLinkSubAccountHandlerEA41BC6E": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/e45d60fcd08093f8667326eac56fc72be1376281b6cfaf27c13ee01a5dc6422d.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - CrossAccount APIs Resolver"
]
]
},
"Environment": {
"Variables": {
"CENTRAL_ASSUME_ROLE_POLICY_ARN": {
"Ref": "APICrossAccountStackCentralAssumeRolePolicy59025B7D"
},
"SUB_ACCOUNT_LINK_TABLE_NAME": {
"Ref": "SubAccount"
},
"BASE_RESOURCE_ARN": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":logs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":*"
]
]
},
"CWL_MONITOR_ROLE_NAME": {
"Ref": "APICrossAccountStackCWLAccessRoleBD3C44A8"
},
"CWL_MONITOR_ROLE_ARN": {
"Fn::GetAtt": [
"APICrossAccountStackCWLAccessRoleBD3C44A8",
"Arn"
]
},
"SOLUTION_VERSION": "v2.4.10",
"SOLUTION_ID": "SO8025"
}
},
"Handler": "lambda_function.lambda_handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
}
],
"MemorySize": 2048,
"Role": {
"Fn::GetAtt": [
"APICrossAccountStackLinkSubAccountHandlerServiceRoleBD926228",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 900
},
"DependsOn": [
"APICrossAccountStackLinkSubAccountHandlerServiceRoleDefaultPolicyDEEF9982",
"APICrossAccountStackLinkSubAccountHandlerServiceRoleBD926228"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CrossAccountStack/LinkSubAccountHandler/Resource",
"aws:asset:path": "asset.e45d60fcd08093f8667326eac56fc72be1376281b6cfaf27c13ee01a5dc6422d",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"APICfnFlowCfnHelperServiceRole6E635A5C": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CfnFlow/CfnHelper/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APICfnFlowCfnHelper558B885D": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/15782451912c9b099ac146b8f431136db7f4c3e63507610a142c7164eb281a75.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Helper function to handle CloudFormation deployment"
]
]
},
"Environment": {
"Variables": {
"TEMPLATE_BASE_URL": {
"Fn::If": [
"IsChinaPartition",
"https://solutions-reference-cn---s3---cn-north-1.amazonaws.com.rproxy.govskope.ca.cn",
"https://solutions-reference.s3.amazonaws.com"
]
},
"SOLUTION_NAME": "centralized-logging-with-opensearch",
"SOLUTION_ID": "SO8025",
"SUB_ACCOUNT_LINK_TABLE_NAME": {
"Ref": "SubAccount"
},
"SOLUTION_VERSION": "v2.4.10"
}
},
"Handler": "lambda_function.lambda_handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
}
],
"MemorySize": 128,
"Role": {
"Fn::GetAtt": [
"APICfnFlowCfnHelperServiceRole6E635A5C",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 60
},
"DependsOn": [
"APICfnFlowCfnHelperServiceRole6E635A5C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CfnFlow/CfnHelper/Resource",
"aws:asset:path": "asset.15782451912c9b099ac146b8f431136db7f4c3e63507610a142c7164eb281a75",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"APICfnFlowCfnHandlerPolicyE6E69D7D": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::*:role/*CrossAccountRole*"
]
]
}
},
{
"Action": [
"cloudformation:CreateUploadBucket",
"cloudformation:DeleteStackInstances",
"cloudformation:UpdateStackInstances",
"cloudformation:UpdateTerminationProtection",
"cloudformation:UpdateStackSet",
"cloudformation:CreateChangeSet",
"cloudformation:CreateStackInstances",
"cloudformation:DeleteChangeSet",
"cloudformation:UpdateStack",
"cloudformation:CreateStackSet",
"cloudformation:DeleteStackSet",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"apigateway:DELETE",
"apigateway:PUT",
"apigateway:PATCH",
"apigateway:POST",
"apigateway:GET",
"application-autoscaling:RegisterScalableTarget",
"application-autoscaling:DeleteScheduledAction",
"application-autoscaling:DescribeScalableTargets",
"application-autoscaling:DescribeScalingActivities",
"application-autoscaling:DescribeScalingPolicies",
"application-autoscaling:PutScalingPolicy",
"application-autoscaling:DescribeScheduledActions",
"application-autoscaling:DeleteScalingPolicy",
"application-autoscaling:PutScheduledAction",
"application-autoscaling:DeregisterScalableTarget",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetIpAddressType",
"elasticloadbalancing:SetRulePriorities",
"elasticloadbalancing:RemoveListenerCertificates",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:SetWebAcl",
"elasticloadbalancing:RemoveTags",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:AddListenerCertificates",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:DeleteRule",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:SetSubnets",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:ModifyRule",
"elasticloadbalancing:DescribeAccountLimits",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:DeleteListener",
"firehose:CreateDeliveryStream",
"firehose:DescribeDeliveryStream",
"firehose:TagDeliveryStream",
"firehose:PutRecord",
"firehose:PutRecordBatch",
"firehose:DeleteDeliveryStream",
"es:ListDomainNames",
"es:DescribeElasticsearchDomain",
"es:UpdateElasticsearchDomainConfig",
"es:ESHttp*",
"execute-api:Invoke",
"kms:EnableKeyRotation",
"kms:PutKeyPolicy",
"kms:DescribeKey",
"kms:CreateKey",
"kinesis:DescribeStreamSummary",
"kinesis:PutRecord",
"kinesis:PutRecords",
"kinesis:SubscribeToShard",
"kinesis:DescribeStreamConsumer",
"kinesis:GetShardIterator",
"kinesis:GetRecords",
"kinesis:DescribeStream",
"kinesis:DescribeLimits",
"kinesis:ListTagsForStream",
"kinesis:StopStreamEncryption",
"kinesis:DeregisterStreamConsumer",
"kinesis:EnableEnhancedMonitoring",
"kinesis:DecreaseStreamRetentionPeriod",
"kinesis:CreateStream",
"kinesis:RegisterStreamConsumer",
"kinesis:UpdateStreamMode",
"kinesis:RemoveTagsFromStream",
"kinesis:DeleteStream",
"kinesis:SplitShard",
"kinesis:MergeShards",
"kinesis:AddTagsToStream",
"kinesis:IncreaseStreamRetentionPeriod",
"kinesis:UpdateShardCount",
"kinesis:StartStreamEncryption",
"kinesis:DisableEnhancedMonitoring",
"lambda:InvokeFunction",
"lambda:AddPermission",
"lambda:CreateFunction",
"lambda:CreateEventSourceMapping",
"lambda:DeleteEventSourceMapping",
"lambda:PublishLayerVersion",
"lambda:DeleteLayerVersion",
"lambda:DeleteFunction",
"lambda:RemovePermission",
"lambda:UpdateFunctionConfiguration",
"lambda:UpdateFunctionCode",
"lambda:PublishVersion",
"lambda:TagResource",
"lambda:GetLayerVersion",
"lambda:GetAccountSettings",
"lambda:GetFunctionConfiguration",
"lambda:GetLayerVersionPolicy",
"lambda:GetProvisionedConcurrencyConfig",
"lambda:List*",
"lambda:GetAlias",
"lambda:GetEventSourceMapping",
"lambda:GetFunction",
"lambda:GetFunctionUrlConfig",
"lambda:GetFunctionCodeSigningConfig",
"lambda:GetFunctionConcurrency",
"lambda:GetFunctionEventInvokeConfig",
"lambda:GetCodeSigningConfig",
"lambda:GetPolicy",
"lambda:PutFunctionConcurrency",
"lambda:DeleteFunctionConcurrency",
"ssm:GetParameters",
"ssm:PutParameter",
"ssm:AddTagsToResource",
"ssm:DeleteParameter",
"s3:PutBucketNotification",
"s3:GetBucketNotification",
"s3:GetObject",
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricStatistics",
"cloudwatch:DescribeInsightRules",
"cloudwatch:DescribeAlarmHistory",
"cloudwatch:GetInsightRuleReport",
"cloudwatch:GetMetricData",
"cloudwatch:DescribeAlarmsForMetric",
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricStream",
"cloudwatch:GetMetricWidgetImage",
"cloudwatch:ListManagedInsightRules",
"cloudwatch:DescribeAnomalyDetectors",
"cloudwatch:PutMetricData",
"cloudwatch:PutMetricAlarm",
"cloudwatch:DeleteAlarms",
"logs:CreateLogGroup",
"logs:DeleteLogGroup",
"logs:DeleteLogStream",
"logs:CreateLogStream",
"logs:PutRetentionPolicy",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:GetLogEvents",
"logs:PutMetricFilter",
"logs:DeleteMetricFilter",
"logs:DescribeMetricFilters",
"logs:TagResource",
"autoscaling:CreateLaunchConfiguration",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DeleteLaunchConfiguration",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:EnableMetricsCollection",
"autoscaling:DescribeScalingActivities",
"autoscaling:PutScalingPolicy",
"autoscaling:DeletePolicy",
"ec2:createTags",
"ec2:Describe*",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:CreateLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:GetLaunchTemplateData",
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:DeleteLaunchTemplate",
"ec2:DeleteLaunchTemplateVersions",
"ecs:Update*",
"ecs:List*",
"ecs:Describe*",
"ecs:Create*",
"ecs:Delete*",
"ecs:PutAttributes",
"ecs:StartTask",
"ecs:RegisterTaskDefinition",
"ecs:StopTask",
"ecs:DeregisterContainerInstance",
"ecs:TagResource",
"ecs:SubmitTaskStateChange",
"ecs:PutAccountSetting",
"ecs:StartTelemetrySession",
"ecs:ExecuteCommand",
"ecs:RegisterContainerInstance",
"ecs:SubmitAttachmentStateChanges",
"ecs:DeregisterTaskDefinition",
"ecs:RunTask",
"ecs:SubmitContainerStateChange",
"ecs:UntagResource",
"ecs:PutClusterCapacityProviders",
"ecs:DiscoverPollEndpoint",
"ecs:PutAccountSettingDefault",
"cloudfront:GetDistri*",
"cloudfront:UpdateDistribution",
"cloudfront:DeleteRealtimeLogConfig",
"cloudfront:GetRealtimeLogConfig",
"cloudfront:CreateRealtimeLogConfig",
"cloudfront:ListRealtimeLogConfigs",
"cloudfront:UpdateRealtimeLogConfig",
"states:CreateStateMachine",
"states:DeleteStateMachine",
"states:DescribeStateMachine",
"states:TagResource",
"states:UntagResource"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "cloudformation:DescribeStacks",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":cloudformation:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":stack/CL*"
]
]
}
},
{
"Action": [
"sqs:SendMessage",
"sqs:CreateQueue",
"sqs:GetQueueAttributes",
"sqs:SetQueueAttributes",
"sqs:DeleteQueue",
"sqs:TagQueue"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":sqs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":*"
]
]
}
},
{
"Action": [
"dynamodb:CreateTable",
"dynamodb:DescribeTable",
"dynamodb:DeleteTable",
"dynamodb:UpdateItem",
"dynamodb:DescribeContinuousBackups",
"dynamodb:UpdateContinuousBackups"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":dynamodb:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":*"
]
]
}
},
{
"Action": [
"sns:CreateTopic",
"sns:GetTopicAttributes",
"sns:DeleteTopic",
"sns:Subscribe",
"sns:Unsubscribe",
"sns:TagResource",
"sns:SetTopicAttributes"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":sns:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":*"
]
]
}
},
{
"Action": [
"events:PutRule",
"events:RemoveTargets",
"events:DescribeRule",
"events:PutTargets",
"events:DeleteRule"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":events:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":*"
]
]
}
},
{
"Action": [
"iam:CreateInstanceProfile",
"iam:CreateRole",
"iam:PutRolePolicy",
"iam:PassRole",
"iam:TagRole",
"iam:AttachRolePolicy",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:GetRole",
"iam:GetPolicy",
"iam:GetRolePolicy",
"iam:ListRoles",
"iam:ListPolicies",
"iam:ListRolePolicies",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:CreateServiceLinkedRole",
"iam:GetInstanceProfile"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":role/CL*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":role/aws-service-role/custom-resource.application-autoscaling.amazonaws.com/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":policy/CL*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":instance-profile/CL*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService"
]
]
},
{
"Fn::GetAtt": [
"PipelineResourcesBuilderRole",
"Arn"
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "APICfnFlowCfnHandlerPolicyE6E69D7D",
"Roles": [
{
"Ref": "APICfnFlowCfnHelperServiceRole6E635A5C"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CfnFlow/CfnHandlerPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "This policy needs to be able to start/delete other cloudformation stacks of the plugin with unknown resources names",
"id": "AwsSolutions-IAM5"
},
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"cfn_nag": {
"rules_to_suppress": [
{
"id": "F4",
"reason": "This policy requires related actions in order to start/delete sub cloudformation stacks with many other services"
},
{
"id": "W76",
"reason": "This policy needs to be able to start/delete other complex cloudformation stacks"
},
{
"id": "W12",
"reason": "This policy needs to be able to start/delete other cloudformation stacks of the plugin with unknown resources names"
}
]
}
}
},
"APICfnFlowSfnHelperServiceRoleBE5FD74A": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CfnFlow/SfnHelper/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APICfnFlowSfnHelperEA9C4AA6": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/6627dbaf198b9c5a4d45218e44f4b2f7a2f48250b35c47c5cace7115af0626f6.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Helper function to handle Step Functions"
]
]
},
"Environment": {
"Variables": {
"SOLUTION_VERSION": "v2.4.10",
"SOLUTION_ID": "SO8025"
}
},
"Handler": "lambda_function.lambda_handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
}
],
"MemorySize": 128,
"Role": {
"Fn::GetAtt": [
"APICfnFlowSfnHelperServiceRoleBE5FD74A",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 30
},
"DependsOn": [
"APICfnFlowSfnHelperServiceRoleBE5FD74A"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CfnFlow/SfnHelper/Resource",
"aws:asset:path": "asset.6627dbaf198b9c5a4d45218e44f4b2f7a2f48250b35c47c5cace7115af0626f6",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"APICfnFlowSfnHandlerPolicy252D5A3D": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"states:SendTaskSuccess",
"states:SendTaskFailure"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "APICfnFlowSfnHandlerPolicy252D5A3D",
"Roles": [
{
"Ref": "APICfnFlowSfnHelperServiceRoleBE5FD74A"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CfnFlow/SfnHandlerPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "This policy needs to be able to start/delete other complex cloudformation stacks",
"id": "AwsSolutions-IAM5"
},
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W12",
"reason": "These actions can only support all resources"
}
]
}
}
},
"APICfnFlowErrorLogGroup1D20AF52": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"LogGroupName": {
"Fn::Join": [
"",
[
"/aws/vendedlogs/states/",
{
"Fn::Select": [
6,
{
"Fn::Split": [
":",
{
"Fn::GetAtt": [
"APICfnFlowSfnHelperEA9C4AA6",
"Arn"
]
}
]
}
]
},
"-SM-cfn-error"
]
]
},
"RetentionInDays": 731
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CfnFlow/ErrorLogGroup/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"CLOUDWATCH_LOG_GROUP_ENCRYPTED"
]
}
}
},
"APICfnFlowSMRole63BC6CF0": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "states.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CfnFlow/SMRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "This role does not have wildcard permission",
"id": "AwsSolutions-IAM5"
},
{
"reason": "This sm does not need xray",
"id": "AwsSolutions-SF2"
},
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APICfnFlowSMRoleDefaultPolicy832B57C9": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:PutResourcePolicy",
"logs:DescribeLogGroups",
"logs:UpdateLogDelivery",
"logs:AssociateKmsKey",
"logs:GetLogGroupFields",
"logs:PutRetentionPolicy",
"logs:CreateLogGroup",
"logs:PutDestination",
"logs:DescribeResourcePolicies",
"logs:GetLogDelivery",
"logs:ListLogDeliveries",
"logs:TagResource"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"APICfnFlowErrorLogGroup1D20AF52",
"Arn"
]
}
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"APICfnFlowCfnHelper558B885D",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"APICfnFlowCfnHelper558B885D",
"Arn"
]
},
":*"
]
]
}
]
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"APICfnFlowSfnHelperEA9C4AA6",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"APICfnFlowSfnHelperEA9C4AA6",
"Arn"
]
},
":*"
]
]
}
]
},
{
"Action": [
"logs:CreateLogDelivery",
"logs:GetLogDelivery",
"logs:UpdateLogDelivery",
"logs:DeleteLogDelivery",
"logs:ListLogDeliveries",
"logs:PutResourcePolicy",
"logs:DescribeResourcePolicies",
"logs:DescribeLogGroups"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "APICfnFlowSMRoleDefaultPolicy832B57C9",
"Roles": [
{
"Ref": "APICfnFlowSMRole63BC6CF0"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CfnFlow/SMRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APICfnFlowSM2282E4F1": {
"Type": "AWS::StepFunctions::StateMachine",
"Properties": {
"DefinitionString": {
"Fn::Join": [
"",
[
"{\"StartAt\":\"Start or Stop Stack\",\"States\":{\"Start or Stop Stack\":{\"Next\":\"Failed?\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"InputPath\":\"$.input\",\"OutputPath\":\"$.Payload\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"APICfnFlowCfnHelper558B885D",
"Arn"
]
},
"\",\"Payload.$\":\"$\"}},\"Failed?\":{\"Type\":\"Choice\",\"Choices\":[{\"Variable\":\"$.result.stackStatus\",\"StringMatches\":\"*_IN_PROGRESS\",\"Next\":\"Wait for 15 seconds\"}],\"Default\":\"Notify result\"},\"Notify result\":{\"End\":true,\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"OutputPath\":\"$.Payload\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"APICfnFlowSfnHelperEA9C4AA6",
"Arn"
]
},
"\",\"Payload\":{\"token.$\":\"$$.Execution.Input.token\",\"result.$\":\"$.result\",\"args.$\":\"$.args\"}}},\"Wait for 15 seconds\":{\"Type\":\"Wait\",\"Seconds\":15,\"Next\":\"Query Stack Status\"},\"In progress?\":{\"Type\":\"Choice\",\"Choices\":[{\"Variable\":\"$.result.stackStatus\",\"StringMatches\":\"*_IN_PROGRESS\",\"Next\":\"Wait for 15 seconds\"}],\"Default\":\"Notify result\"},\"Query Stack Status\":{\"Next\":\"In progress?\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"ResultPath\":\"$.result\",\"ResultSelector\":{\"args.$\":\"$.Payload.args\",\"action.$\":\"$.Payload.action\",\"stackId.$\":\"$.Payload.result.stackId\",\"stackStatus.$\":\"$.Payload.result.stackStatus\",\"error.$\":\"$.Payload.result.error\",\"outputs.$\":\"$.Payload.result.outputs\"},\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"APICfnFlowCfnHelper558B885D",
"Arn"
]
},
"\",\"Payload.$\":\"$\"}}},\"TimeoutSeconds\":7200}"
]
]
},
"LoggingConfiguration": {
"Destinations": [
{
"CloudWatchLogsLogGroup": {
"LogGroupArn": {
"Fn::GetAtt": [
"APICfnFlowErrorLogGroup1D20AF52",
"Arn"
]
}
}
}
],
"Level": "ALL"
},
"RoleArn": {
"Fn::GetAtt": [
"APICfnFlowSMRole63BC6CF0",
"Arn"
]
}
},
"DependsOn": [
"APICfnFlowSMRoleDefaultPolicy832B57C9",
"APICfnFlowSMRole63BC6CF0"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CfnFlow/SM/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIResourceAPIResourceHandlerServiceRole10DB7E84": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/ResourceAPI/ResourceHandler/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIResourceAPIResourceHandlerServiceRoleDefaultPolicy96D93D1F": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SubAccount",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SubAccount",
"Arn"
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIResourceAPIResourceHandlerServiceRoleDefaultPolicy96D93D1F",
"Roles": [
{
"Ref": "APIResourceAPIResourceHandlerServiceRole10DB7E84"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/ResourceAPI/ResourceHandler/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIResourceAPIResourceHandlerFEC80983": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/65b11a07e17fc3626226c71e47ea9c9a10760fc3d2a5f149049faec4dae702df.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Resource APIs Resolver"
]
]
},
"Environment": {
"Variables": {
"DEFAULT_LOGGING_BUCKET": {
"Ref": "CLLoggingBucket5F34E4EB"
},
"SOLUTION_VERSION": "v2.4.10",
"SOLUTION_ID": "SO8025",
"STACK_PREFIX": "CL",
"SUB_ACCOUNT_LINK_TABLE_NAME": {
"Ref": "SubAccount"
}
}
},
"Handler": "lambda_function.lambda_handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
}
],
"MemorySize": 1024,
"Role": {
"Fn::GetAtt": [
"APIResourceAPIResourceHandlerServiceRole10DB7E84",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 60
},
"DependsOn": [
"APIResourceAPIResourceHandlerServiceRoleDefaultPolicy96D93D1F",
"APIResourceAPIResourceHandlerServiceRole10DB7E84"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/ResourceAPI/ResourceHandler/Resource",
"aws:asset:path": "asset.65b11a07e17fc3626226c71e47ea9c9a10760fc3d2a5f149049faec4dae702df",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"APIResourceAPIResourceHandlerPolicyB4EE1E04": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"iam:GetRole",
"iam:CreateRole",
"iam:PassRole",
"iam:PutRolePolicy"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":role/service-role/CL-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":role/CL-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":policy/CL-*"
]
]
}
]
},
{
"Action": "iam:CreateServiceLinkedRole",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":role/aws-service-role/wafv2.amazonaws.com/AWSServiceRoleForWAFV2Logging"
]
]
}
},
{
"Action": [
"firehose:CreateDeliveryStream",
"firehose:DescribeDeliveryStream",
"s3:ListAllMyBuckets",
"s3:PutBucketLogging",
"s3:GetBucketLogging",
"s3:GetBucketLocation",
"s3:CreateBucket",
"s3:ListBucket",
"s3:PutObject",
"s3:DeleteAccessPointPolicy",
"s3:DeleteAccessPointPolicyForObjectLambda",
"s3:DeleteBucketPolicy",
"s3:PutAccessPointPolicy",
"s3:PutAccessPointPolicyForObjectLambda",
"s3:PutBucketPolicy",
"s3:PutMultiRegionAccessPointPolicy",
"s3:PutBucketAcl",
"s3:PutBucketOwnershipControls",
"s3:GetAccessPointPolicy",
"s3:GetAccessPointPolicyForObjectLambda",
"s3:GetAccessPointPolicyStatus",
"s3:GetAccessPointPolicyStatusForObjectLambda",
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketPolicy",
"s3:GetBucketPolicyStatus",
"s3:GetMultiRegionAccessPointPolicy",
"s3:GetMultiRegionAccessPointPolicyStatus",
"ec2:CreateTags",
"ec2:DescribeTags",
"ec2:CreateFlowLogs",
"ec2:DescribeFlowLogs",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeKeyPairs",
"acm:ListCertificates",
"acm:DescribeCertificate",
"cloudtrail:ListTrails",
"cloudtrail:GetTrail",
"cloudtrail:UpdateTrail",
"cloudfront:ListDistributions",
"cloudfront:GetDistributionConfig",
"cloudfront:UpdateDistribution",
"cloudfront:GetRealtimeLogConfig",
"lambda:ListFunctions",
"rds:DescribeDBInstances",
"rds:DescribeDBClusters",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"wafv2:GetLoggingConfiguration",
"wafv2:ListWebACLs",
"wafv2:PutLoggingConfiguration",
"wafv2:GetWebACL",
"config:DescribeDeliveryChannels",
"logs:GetLogEvents",
"logs:PutLogEvents",
"logs:CreateLogDelivery",
"logs:PutResourcePolicy",
"logs:DescribeResourcePolicies",
"eks:ListClusters",
"autoscaling:DescribeAutoScalingGroups",
"sns:ListTopics"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIResourceAPIResourceHandlerPolicyB4EE1E04",
"Roles": [
{
"Ref": "APIResourceAPIResourceHandlerServiceRole10DB7E84"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/ResourceAPI/ResourceHandlerPolicy/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W12",
"reason": "This policy needs to be able to execute step functions flow"
}
]
},
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIGrafanaAPIgrafanasecret28E4228B": {
"Type": "AWS::SecretsManager::Secret",
"Properties": {
"KmsKeyId": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"Name": "grafana-secret",
"SecretString": "{}"
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/GrafanaAPI/grafana-secret/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "This secret does not need to have automatic rotation scheduled in that it is used to store grafana token",
"id": "AwsSolutions-SMG4"
},
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"Grafana": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "id",
"AttributeType": "S"
}
],
"BillingMode": "PAY_PER_REQUEST",
"KeySchema": [
{
"AttributeName": "id",
"KeyType": "HASH"
}
],
"PointInTimeRecoverySpecification": {
"PointInTimeRecoveryEnabled": true
},
"SSESpecification": {
"SSEEnabled": false
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/GrafanaAPI/Grafana/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"DYNAMODB_TABLE_ENCRYPTED_KMS"
]
}
}
},
"APIGrafanaAPIGrafanaHandlerServiceRoleD0B99F1B": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/GrafanaAPI/GrafanaHandler/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIGrafanaAPIGrafanaHandlerServiceRoleDefaultPolicyC7504B36": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Effect": "Allow",
"Resource": {
"Ref": "APIGrafanaAPIgrafanasecret28E4228B"
}
},
{
"Action": [
"secretsmanager:PutSecretValue",
"secretsmanager:UpdateSecret",
"secretsmanager:UpdateSecretVersionStage"
],
"Effect": "Allow",
"Resource": {
"Ref": "APIGrafanaAPIgrafanasecret28E4228B"
}
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"Grafana",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"Grafana",
"Arn"
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIGrafanaAPIGrafanaHandlerServiceRoleDefaultPolicyC7504B36",
"Roles": [
{
"Ref": "APIGrafanaAPIGrafanaHandlerServiceRoleD0B99F1B"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/GrafanaAPI/GrafanaHandler/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIGrafanaAPIGrafanaHandlerAD82CA33": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/15404495a6ac17ab99ae87bc268c12ba7d890212aed2be1b0771f49e04ec9594.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Grafana APIs Resolver"
]
]
},
"Environment": {
"Variables": {
"GRAFANA_TABLE": {
"Ref": "Grafana"
},
"GRAFANA_SECRET_ARN": {
"Ref": "APIGrafanaAPIgrafanasecret28E4228B"
},
"STACK_PREFIX": "CL",
"SOLUTION_VERSION": "v2.4.10",
"SOLUTION_ID": "SO8025"
}
},
"Handler": "lambda_function.lambda_handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
}
],
"MemorySize": 1024,
"Role": {
"Fn::GetAtt": [
"APIGrafanaAPIGrafanaHandlerServiceRoleD0B99F1B",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 60,
"VpcConfig": {
"SecurityGroupIds": [
{
"Fn::GetAtt": [
"PrivateSecurityGroup",
"GroupId"
]
}
],
"SubnetIds": [
{
"Ref": "CLVpcDefaultVPCprivateSubnet1SubnetADE399B7"
},
{
"Ref": "CLVpcDefaultVPCprivateSubnet2Subnet54BADF74"
}
]
}
},
"DependsOn": [
"APIGrafanaAPIGrafanaHandlerServiceRoleDefaultPolicyC7504B36",
"APIGrafanaAPIGrafanaHandlerServiceRoleD0B99F1B"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/GrafanaAPI/GrafanaHandler/Resource",
"aws:asset:path": "asset.15404495a6ac17ab99ae87bc268c12ba7d890212aed2be1b0771f49e04ec9594",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"SvcPipeline": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "id",
"AttributeType": "S"
}
],
"BillingMode": "PAY_PER_REQUEST",
"KeySchema": [
{
"AttributeName": "id",
"KeyType": "HASH"
}
],
"PointInTimeRecoverySpecification": {
"PointInTimeRecoveryEnabled": true
},
"SSESpecification": {
"KMSMasterKeyId": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"SSEEnabled": true,
"SSEType": "KMS"
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/SvcPipelineAPI/SvcPipeline/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W73",
"reason": "This table has billing mode as PROVISIONED"
},
{
"id": "W74",
"reason": "This table is set to use DEFAULT encryption, the key is owned by DDB."
}
]
},
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APISvcPipelineAPIPipelineFlowSMSvcPipeFlowFnServiceRole7575C0B4": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/SvcPipelineAPI/PipelineFlowSM/SvcPipeFlowFn/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APISvcPipelineAPIPipelineFlowSMSvcPipeFlowFnServiceRoleDefaultPolicy7874DB5F": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SvcPipeline",
"Arn"
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SvcPipeline",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"Metadata",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"Metadata",
"Arn"
]
}
]
},
{
"Action": "kms:Decrypt",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":cloudformation:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":stack/*"
]
]
}
},
{
"Action": "ssm:GetParameter",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ssm:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":parameter/CLO/anonymous_metrics_uuid"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "APISvcPipelineAPIPipelineFlowSMSvcPipeFlowFnServiceRoleDefaultPolicy7874DB5F",
"Roles": [
{
"Ref": "APISvcPipelineAPIPipelineFlowSMSvcPipeFlowFnServiceRole7575C0B4"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/SvcPipelineAPI/PipelineFlowSM/SvcPipeFlowFn/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APISvcPipelineAPIPipelineFlowSMSvcPipeFlowFn027992D7": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/620cd625b6d329ae99e6c102dba202e1c7571496b7dc776ed1650949b2ecf333.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Helper function to update svc pipeline status"
]
]
},
"Environment": {
"Variables": {
"SOLUTION_ID": "SO8025",
"PIPELINE_TABLE_NAME": {
"Ref": "SvcPipeline"
},
"SOLUTION_VERSION": "v2.4.10",
"ACCOUNT_ID": {
"Ref": "AWS::AccountId"
},
"DEPLOYMENT_UUID": {
"Fn::If": [
"AnonymousDatatoAWS",
{
"Fn::GetAtt": [
"SolutionMetricsCreateUniqueIDA4248A30",
"UUID"
]
},
""
]
},
"SEND_ANONYMIZED_USAGE_DATA": {
"Fn::FindInMap": [
"AnonymousData",
"SendAnonymizedUsageData",
"Data"
]
}
}
},
"Handler": "svc_pipe_flow.lambda_handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
}
],
"MemorySize": 128,
"Role": {
"Fn::GetAtt": [
"APISvcPipelineAPIPipelineFlowSMSvcPipeFlowFnServiceRole7575C0B4",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 60
},
"DependsOn": [
"APISvcPipelineAPIPipelineFlowSMSvcPipeFlowFnServiceRoleDefaultPolicy7874DB5F",
"APISvcPipelineAPIPipelineFlowSMSvcPipeFlowFnServiceRole7575C0B4"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/SvcPipelineAPI/PipelineFlowSM/SvcPipeFlowFn/Resource",
"aws:asset:path": "asset.620cd625b6d329ae99e6c102dba202e1c7571496b7dc776ed1650949b2ecf333",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"APISvcPipelineAPIPipelineFlowSMErrorLogGroup63052B0C": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"LogGroupName": {
"Fn::Join": [
"",
[
"/aws/vendedlogs/states/",
{
"Fn::Select": [
6,
{
"Fn::Split": [
":",
{
"Ref": "APICfnFlowSM2282E4F1"
}
]
}
]
},
"-SM-pipeline-error"
]
]
},
"RetentionInDays": 731
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/SvcPipelineAPI/PipelineFlowSM/ErrorLogGroup/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"CLOUDWATCH_LOG_GROUP_ENCRYPTED"
]
}
}
},
"APISvcPipelineAPIPipelineFlowSMSMRole37263A0E": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "states.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/SvcPipelineAPI/PipelineFlowSM/SMRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APISvcPipelineAPIPipelineFlowSMSMRoleDefaultPolicy1C390D73": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:PutResourcePolicy",
"logs:DescribeLogGroups",
"logs:UpdateLogDelivery",
"logs:AssociateKmsKey",
"logs:GetLogGroupFields",
"logs:PutRetentionPolicy",
"logs:CreateLogGroup",
"logs:PutDestination",
"logs:DescribeResourcePolicies",
"logs:GetLogDelivery",
"logs:ListLogDeliveries"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"APISvcPipelineAPIPipelineFlowSMErrorLogGroup63052B0C",
"Arn"
]
}
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"PipelineResourcesBuilder",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"PipelineResourcesBuilder",
"Arn"
]
},
":*"
]
]
}
]
},
{
"Action": "states:StartExecution",
"Effect": "Allow",
"Resource": {
"Ref": "APICfnFlowSM2282E4F1"
}
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"APISvcPipelineAPIPipelineFlowSMSvcPipeFlowFn027992D7",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"APISvcPipelineAPIPipelineFlowSMSvcPipeFlowFn027992D7",
"Arn"
]
},
":*"
]
]
}
]
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SingletonLambdaCentralAlarmHandlerSingleton6BC08E08",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"SingletonLambdaCentralAlarmHandlerSingleton6BC08E08",
"Arn"
]
},
":*"
]
]
}
]
},
{
"Action": [
"logs:CreateLogDelivery",
"logs:GetLogDelivery",
"logs:UpdateLogDelivery",
"logs:DeleteLogDelivery",
"logs:ListLogDeliveries",
"logs:PutResourcePolicy",
"logs:DescribeResourcePolicies",
"logs:DescribeLogGroups"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "APISvcPipelineAPIPipelineFlowSMSMRoleDefaultPolicy1C390D73",
"Roles": [
{
"Ref": "APISvcPipelineAPIPipelineFlowSMSMRole37263A0E"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/SvcPipelineAPI/PipelineFlowSM/SMRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APISvcPipelineAPIPipelineFlowSMSvcFlowAlarmFnPolicyDEA6E90C": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"sns:ListTopics",
"sns:CreateTopic",
"sns:Subscribe",
"sns:Unsubscribe",
"sns:ListSubscriptionsByTopic"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"cloudwatch:PutMetricAlarm",
"cloudwatch:DeleteAlarms"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "APISvcPipelineAPIPipelineFlowSMSvcFlowAlarmFnPolicyDEA6E90C",
"Roles": [
{
"Ref": "SingletonLambdaCentralAlarmHandlerSingletonServiceRole9A5E95CB"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/SvcPipelineAPI/PipelineFlowSM/SvcFlowAlarmFnPolicy/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W12",
"reason": "This policy needs to be able to control un-predicable sns topics"
}
]
},
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"ServicePipelineFlowSM": {
"Type": "AWS::StepFunctions::StateMachine",
"Properties": {
"DefinitionString": {
"Fn::Join": [
"",
[
"{\"StartAt\":\"CloudFormation Flow\",\"States\":{\"CloudFormation Flow\":{\"Next\":\"Update Status\",\"Type\":\"Task\",\"ResultPath\":\"$.result\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::states:startExecution.waitForTaskToken\",\"Parameters\":{\"Input\":{\"token.$\":\"$$.Task.Token\",\"input.$\":\"$\"},\"StateMachineArn\":\"",
{
"Ref": "APICfnFlowSM2282E4F1"
},
"\"}},\"Update Status\":{\"Next\":\"Enable Alarm or not?\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"InputPath\":\"$\",\"OutputPath\":\"$.Payload\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"APISvcPipelineAPIPipelineFlowSMSvcPipeFlowFn027992D7",
"Arn"
]
},
"\",\"Payload.$\":\"$\"}},\"Enable Alarm or not?\":{\"Type\":\"Choice\",\"Choices\":[{\"Variable\":\"$.alarmAction\",\"StringEquals\":\"createPipelineAlarm\",\"Next\":\"SVC Pipeline Alarm Task\"},{\"Variable\":\"$.alarmAction\",\"StringEquals\":\"deletePipelineAlarm\",\"Next\":\"SVC Pipeline Alarm Task\"}],\"Default\":\"Engine type is LightEngine or not?\"},\"Engine type is LightEngine or not?\":{\"Type\":\"Choice\",\"Choices\":[{\"And\":[{\"Variable\":\"$$.Execution.Input.action\",\"StringEquals\":\"START\"},{\"Variable\":\"$$.Execution.Input.args.engineType\",\"StringEquals\":\"LightEngine\"},{\"Variable\":\"$$.Execution.Input.args.ingestion\",\"IsPresent\":true}],\"Next\":\"SVC Pipeline ingestion Task\"}],\"Default\":\"SVC Pipeline Flow Complete\"},\"SVC Pipeline Alarm Task\":{\"Next\":\"Engine type is LightEngine or not?\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"InputPath\":\"$\",\"OutputPath\":\"$.Payload\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"SingletonLambdaCentralAlarmHandlerSingleton6BC08E08",
"Arn"
]
},
"\",\"Payload.$\":\"$\"}},\"SVC Pipeline Flow Complete\":{\"Type\":\"Succeed\"},\"SVC Pipeline ingestion Task\":{\"Next\":\"SVC Pipeline Flow Complete\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"OutputPath\":\"$.Payload\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"PipelineResourcesBuilder",
"Arn"
]
},
"\",\"Payload\":{\"RequestType\":\"Create\",\"ResourceProperties\":{\"Resource\":\"ingestion\",\"Id.$\":\"$$.Execution.Input.args.ingestion.id\",\"Item\":{\"metaName.$\":\"$$.Execution.Input.args.ingestion.id\",\"data\":{\"role\":{\"sts.$\":\"$$.Execution.Input.args.ingestion.role\"},\"source\":{\"bucket.$\":\"$$.Execution.Input.args.ingestion.bucket\",\"prefix.$\":\"$$.Execution.Input.args.ingestion.prefix\",\"context.$\":\"$$.Execution.Input.args.ingestion.context\"},\"services.$\":\"$$.Execution.Input.args.ingestion.services\"},\"pipelineId.$\":\"$$.Execution.Input.args.ingestion.pipelineId\"}}}}}}}"
]
]
},
"LoggingConfiguration": {
"Destinations": [
{
"CloudWatchLogsLogGroup": {
"LogGroupArn": {
"Fn::GetAtt": [
"APISvcPipelineAPIPipelineFlowSMErrorLogGroup63052B0C",
"Arn"
]
}
}
}
],
"Level": "ALL"
},
"RoleArn": {
"Fn::GetAtt": [
"APISvcPipelineAPIPipelineFlowSMSMRole37263A0E",
"Arn"
]
}
},
"DependsOn": [
"APISvcPipelineAPIPipelineFlowSMSMRoleDefaultPolicy1C390D73",
"APISvcPipelineAPIPipelineFlowSMSMRole37263A0E"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/SvcPipelineAPI/PipelineFlowSM/PipelineFlowSM/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APISvcPipelineAPIPipelineHandlerServiceRole0999EFB2": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/SvcPipelineAPI/PipelineHandler/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APISvcPipelineAPIPipelineHandlerServiceRoleDefaultPolicy0B926F3C": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Effect": "Allow",
"Resource": {
"Ref": "APIGrafanaAPIgrafanasecret28E4228B"
}
},
{
"Action": [
"secretsmanager:PutSecretValue",
"secretsmanager:UpdateSecret",
"secretsmanager:UpdateSecretVersionStage"
],
"Effect": "Allow",
"Resource": {
"Ref": "APIGrafanaAPIgrafanasecret28E4228B"
}
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SvcPipeline",
"Arn"
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SvcPipeline",
"Arn"
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SubAccount",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SubAccount",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"Grafana",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"Grafana",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"ETLLog",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"ETLLog",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"ETLLog",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"ETLLog",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": "states:StartExecution",
"Effect": "Allow",
"Resource": {
"Ref": "ServicePipelineFlowSM"
}
},
{
"Action": [
"es:DescribeElasticsearchDomain",
"es:DescribeDomain"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"dynamodb:GetItem",
"dynamodb:UpdateItem"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"Metadata",
"Arn"
]
}
},
{
"Action": [
"kms:GenerateDataKey*",
"kms:Decrypt",
"kms:Encrypt"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": "s3:GetBucketNotification",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::*"
]
]
}
},
{
"Action": "glue:GetTable",
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":glue:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":database/amazon_cl_centralized"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":glue:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":table/amazon_cl_centralized/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":glue:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":catalog"
]
]
}
]
},
{
"Action": {
"Fn::If": [
"APISvcPipelineAPIisCNRegion77A09296",
"events:DescribeRule",
"scheduler:GetSchedule"
]
},
"Effect": "Allow",
"Resource": {
"Fn::If": [
"APISvcPipelineAPIisCNRegion77A09296",
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":events:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":rule/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":scheduler:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":schedule/*"
]
]
}
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "APISvcPipelineAPIPipelineHandlerServiceRoleDefaultPolicy0B926F3C",
"Roles": [
{
"Ref": "APISvcPipelineAPIPipelineHandlerServiceRole0999EFB2"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/SvcPipelineAPI/PipelineHandler/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APISvcPipelineAPIPipelineHandler2790128E": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/2fb80a7b6b8815fe84a08c30d1d41c23527e886aa68618ddbf914639b9fa57f9.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Pipeline APIs Resolver"
]
]
},
"Environment": {
"Variables": {
"STATE_MACHINE_ARN": {
"Ref": "ServicePipelineFlowSM"
},
"PIPELINE_TABLE": {
"Ref": "SvcPipeline"
},
"PIPELINR_TABLE_ARN": {
"Fn::GetAtt": [
"SvcPipeline",
"Arn"
]
},
"GRAFANA_TABLE": {
"Ref": "Grafana"
},
"META_TABLE": {
"Ref": "Metadata"
},
"ETLLOG_TABLE": {
"Ref": "ETLLog"
},
"STACK_PREFIX": "CL",
"SOLUTION_VERSION": "v2.4.10",
"SOLUTION_ID": "SO8025",
"SUB_ACCOUNT_LINK_TABLE_NAME": {
"Ref": "SubAccount"
},
"ACCOUNT_ID": {
"Ref": "AWS::AccountId"
},
"REGION": {
"Ref": "AWS::Region"
},
"PARTITION": {
"Ref": "AWS::Partition"
},
"GRAFANA_SECRET_ARN": {
"Ref": "APIGrafanaAPIgrafanasecret28E4228B"
}
}
},
"Handler": "lambda_function.lambda_handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
}
],
"MemorySize": 1024,
"Role": {
"Fn::GetAtt": [
"APISvcPipelineAPIPipelineHandlerServiceRole0999EFB2",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 60
},
"DependsOn": [
"APISvcPipelineAPIPipelineHandlerServiceRoleDefaultPolicy0B926F3C",
"APISvcPipelineAPIPipelineHandlerServiceRole0999EFB2"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/SvcPipelineAPI/PipelineHandler/Resource",
"aws:asset:path": "asset.2fb80a7b6b8815fe84a08c30d1d41c23527e886aa68618ddbf914639b9fa57f9",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "The managed policy needs to use any resources.",
"id": "AwsSolutions-IAM5"
},
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"LogConf": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "id",
"AttributeType": "S"
},
{
"AttributeName": "version",
"AttributeType": "N"
}
],
"BillingMode": "PAY_PER_REQUEST",
"KeySchema": [
{
"AttributeName": "id",
"KeyType": "HASH"
},
{
"AttributeName": "version",
"KeyType": "RANGE"
}
],
"PointInTimeRecoverySpecification": {
"PointInTimeRecoveryEnabled": true
},
"SSESpecification": {
"KMSMasterKeyId": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"SSEEnabled": true,
"SSEType": "KMS"
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppTables/LogConf/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"Instance": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "id",
"AttributeType": "S"
},
{
"AttributeName": "sourceId",
"AttributeType": "S"
}
],
"BillingMode": "PAY_PER_REQUEST",
"GlobalSecondaryIndexes": [
{
"IndexName": "SourceToInstanceIndex",
"KeySchema": [
{
"AttributeName": "sourceId",
"KeyType": "HASH"
}
],
"Projection": {
"ProjectionType": "ALL"
}
}
],
"KeySchema": [
{
"AttributeName": "id",
"KeyType": "HASH"
},
{
"AttributeName": "sourceId",
"KeyType": "RANGE"
}
],
"PointInTimeRecoverySpecification": {
"PointInTimeRecoveryEnabled": true
},
"SSESpecification": {
"KMSMasterKeyId": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"SSEEnabled": true,
"SSEType": "KMS"
},
"StreamSpecification": {
"StreamViewType": "NEW_IMAGE"
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppTables/Instance/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"LogSource": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "sourceId",
"AttributeType": "S"
}
],
"BillingMode": "PAY_PER_REQUEST",
"KeySchema": [
{
"AttributeName": "sourceId",
"KeyType": "HASH"
}
],
"PointInTimeRecoverySpecification": {
"PointInTimeRecoveryEnabled": true
},
"SSESpecification": {
"KMSMasterKeyId": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"SSEEnabled": true,
"SSEType": "KMS"
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppTables/LogSource/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"AppPipeline": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "pipelineId",
"AttributeType": "S"
}
],
"BillingMode": "PAY_PER_REQUEST",
"KeySchema": [
{
"AttributeName": "pipelineId",
"KeyType": "HASH"
}
],
"PointInTimeRecoverySpecification": {
"PointInTimeRecoveryEnabled": true
},
"SSESpecification": {
"KMSMasterKeyId": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"SSEEnabled": true,
"SSEType": "KMS"
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppTables/AppPipeline/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"AppLogIngestion": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "id",
"AttributeType": "S"
},
{
"AttributeName": "sourceId",
"AttributeType": "S"
}
],
"BillingMode": "PAY_PER_REQUEST",
"GlobalSecondaryIndexes": [
{
"IndexName": "SourceToIngestionIndex",
"KeySchema": [
{
"AttributeName": "sourceId",
"KeyType": "HASH"
}
],
"Projection": {
"ProjectionType": "ALL"
}
}
],
"KeySchema": [
{
"AttributeName": "id",
"KeyType": "HASH"
}
],
"PointInTimeRecoverySpecification": {
"PointInTimeRecoveryEnabled": true
},
"SSESpecification": {
"KMSMasterKeyId": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"SSEEnabled": true,
"SSEType": "KMS"
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppTables/AppLogIngestion/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"InstanceIngestionDetail": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "id",
"AttributeType": "S"
}
],
"BillingMode": "PAY_PER_REQUEST",
"KeySchema": [
{
"AttributeName": "id",
"KeyType": "HASH"
}
],
"PointInTimeRecoverySpecification": {
"PointInTimeRecoveryEnabled": true
},
"SSESpecification": {
"KMSMasterKeyId": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"SSEEnabled": true,
"SSEType": "KMS"
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppTables/InstanceIngestionDetail/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APILogSourceAPIEKSClusterLayerDE064EC4": {
"Type": "AWS::Lambda::LayerVersion",
"Properties": {
"CompatibleArchitectures": [
"x86_64"
],
"CompatibleRuntimes": [
"python3.11"
],
"Content": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/28a212f97c4c399a8430f15e79079d9e2ab03fac1a81c7d76cc2d78a213bb355.zip"
},
"Description": "Default Lambda layer for EKS Cluster"
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/LogSourceAPI/EKSClusterLayer/Resource",
"aws:asset:path": "asset.28a212f97c4c399a8430f15e79079d9e2ab03fac1a81c7d76cc2d78a213bb355",
"aws:asset:is-bundled": true,
"aws:asset:property": "Content",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APILogSourceAPILogSourceHandlerServiceRoleDC23DEAA": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/LogSourceAPI/LogSourceHandler/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APILogSourceAPILogSourceHandlerServiceRoleDefaultPolicy9D754932": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogSource",
"Arn"
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogSource",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"Instance",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"Instance",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"Instance",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"Instance",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SubAccount",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SubAccount",
"Arn"
]
}
]
},
{
"Action": [
"eks:DescribeCluster",
"eks:ListIdentityProviderConfigs",
"eks:UpdateClusterConfig",
"eks:ListClusters"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":eks:*:",
{
"Ref": "AWS::AccountId"
},
":cluster/*"
]
]
},
"Sid": "eks"
},
{
"Action": [
"iam:GetServerCertificate",
"iam:GetOpenIDConnectProvider",
"iam:TagOpenIDConnectProvider",
"iam:CreateOpenIDConnectProvider"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":oidc-provider/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":server-certificate/*"
]
]
}
],
"Sid": "IamOidc"
},
{
"Action": [
"iam:TagRole",
"iam:CreateRole"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":role/*-EKS-LogAgent-Role-*"
]
]
},
"Sid": "iam"
}
],
"Version": "2012-10-17"
},
"PolicyName": "APILogSourceAPILogSourceHandlerServiceRoleDefaultPolicy9D754932",
"Roles": [
{
"Ref": "APILogSourceAPILogSourceHandlerServiceRoleDC23DEAA"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/LogSourceAPI/LogSourceHandler/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APILogSourceAPILogSourceHandler5F673C8E": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/c242227f3833b6912d6e2b620d6194fbb36c0698fd1599a8e2f15a4508dd4945.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - LogSource APIs Resolver"
]
]
},
"Environment": {
"Variables": {
"LOG_SOURCE_TABLE_NAME": {
"Ref": "LogSource"
},
"INSTANCE_TABLE_NAME": {
"Ref": "Instance"
},
"APP_LOG_INGESTION_TABLE_NAME": {
"Ref": "AppLogIngestion"
},
"SUB_ACCOUNT_LINK_TABLE_NAME": {
"Ref": "SubAccount"
},
"STACK_PREFIX": "CL",
"EKS_OIDC_CLIENT_ID": "sts.amazonaws.com",
"SOLUTION_ID": "SO8025",
"SOLUTION_VERSION": "v2.4.10"
}
},
"Handler": "lambda_function.lambda_handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
},
{
"Ref": "APILogSourceAPIEKSClusterLayerDE064EC4"
}
],
"MemorySize": 1024,
"Role": {
"Fn::GetAtt": [
"APILogSourceAPILogSourceHandlerServiceRoleDC23DEAA",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 60
},
"DependsOn": [
"APILogSourceAPILogSourceHandlerServiceRoleDefaultPolicy9D754932",
"APILogSourceAPILogSourceHandlerServiceRoleDC23DEAA"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/LogSourceAPI/LogSourceHandler/Resource",
"aws:asset:path": "asset.c242227f3833b6912d6e2b620d6194fbb36c0698fd1599a8e2f15a4508dd4945",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"APILogConfAPILogConfHandlerServiceRoleC9832F1D": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/LogConfAPI/LogConfHandler/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogConf",
"Arn"
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogConf",
"Arn"
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"Roles": [
{
"Ref": "APILogConfAPILogConfHandlerServiceRoleC9832F1D"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/LogConfAPI/LogConfHandler/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APILogConfAPILogConfHandlerAA6F8688": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/b33698b3a2036deabf8685030af9e1a349f79ee2af84dda2d69dab9cc763efcb.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - LogConf APIs Resolver"
]
]
},
"Environment": {
"Variables": {
"LOGCONFIG_TABLE": {
"Ref": "LogConf"
},
"SOLUTION_VERSION": "v2.4.10",
"SOLUTION_ID": "SO8025"
}
},
"Handler": "lambda_function.lambda_handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
}
],
"MemorySize": 1024,
"Role": {
"Fn::GetAtt": [
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 60
},
"DependsOn": [
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/LogConfAPI/LogConfHandler/Resource",
"aws:asset:path": "asset.b33698b3a2036deabf8685030af9e1a349f79ee2af84dda2d69dab9cc763efcb",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"APIInstanceAPILinuxFluentBitDocumentInstallation294A6663": {
"Type": "AWS::SSM::Document",
"Properties": {
"Content": {
"schemaVersion": "2.2",
"description": "Install Fluent-Bit in Linux OS and the AWS output plugins via AWS Systems Manager",
"parameters": {
"ARCHITECTURE": {
"type": "String",
"default": "",
"description": "(Required) Machine Architecture"
},
"SYSTEMDPATH": {
"type": "String",
"default": "/usr/lib",
"description": "(Required) systemd path for current OS"
},
"FluentBitSource": {
"default": "AWS",
"description": "(Required) The source of FluentBit",
"type": "String",
"allowedValues": [
"AWS",
"Community"
]
}
},
"mainSteps": [
{
"action": "aws:downloadContent",
"name": "downloadFluentBit",
"precondition": {
"StringEquals": [
"{{FluentBitSource}}",
"AWS"
]
},
"inputs": {
"sourceType": "S3",
"sourceInfo": {
"Fn::Join": [
"",
[
"{\"path\":\"https://",
{
"Fn::If": [
"APIInstanceAPIisCN2C8F469A",
"aws-solutions-assets---s3---cn-north-1.amazonaws.com.rproxy.govskope.ca.cn",
"aws-gcr-solutions-assets.s3.amazonaws.com"
]
},
"/clo/aws-for-fluent-bit%3A2.31.12/fluent-bit{{ARCHITECTURE}}.tar.gz\"}"
]
]
},
"destinationPath": "/opt"
}
},
{
"action": "aws:runShellScript",
"name": "installFluentBit",
"precondition": {
"StringEquals": [
"{{FluentBitSource}}",
"AWS"
]
},
"inputs": {
"runCommand": [
"cd /opt",
"FLUENT_BIT_CONFIG=$(ls /opt/fluent-bit/etc/fluent-bit.conf | wc -l)",
"if [ ${FLUENT_BIT_CONFIG} = 1 ]; then tar zxvf fluent-bit{{ARCHITECTURE}}.tar.gz --exclude=fluent-bit/etc/fluent-bit.conf --exclude=fluent-bit/etc/parsers.conf ; else sudo tar zxvf fluent-bit{{ARCHITECTURE}}.tar.gz; fi"
]
}
},
{
"action": "aws:runShellScript",
"name": "installCommunityFluentBit",
"precondition": {
"StringEquals": [
"{{FluentBitSource}}",
"Community"
]
},
"inputs": {
"runCommand": [
"set -x",
"export FLUENT_BIT_RELEASE_VERSION=3.0.4",
"curl https://raw.githubusercontent.com/fluent/fluent-bit/master/install.sh | sh"
]
}
},
{
"action": "aws:runShellScript",
"name": "startFluentBit",
"inputs": {
"runCommand": [
"cat << EOF | sudo tee {{SYSTEMDPATH}}/systemd/system/fluent-bit.service",
"[Unit]",
"Description=Fluent Bit",
"Requires=network.target",
"After=network.target",
"",
"[Service]",
"Type=simple",
"ExecStart=/opt/fluent-bit/bin/fluent-bit -c /opt/fluent-bit/etc/fluent-bit.conf",
"Type=simple",
"Restart=always",
"",
"[Install]",
"WantedBy=multi-user.target",
"",
"EOF",
"sudo systemctl daemon-reload",
"sudo service fluent-bit restart"
]
}
}
]
},
"DocumentFormat": "JSON",
"DocumentType": "Command"
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/InstanceAPI/LinuxFluent-BitDocumentInstallation",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIInstanceAPIWindowsFluentBitDocumentInstallation7CDB8577": {
"Type": "AWS::SSM::Document",
"Properties": {
"Content": {
"schemaVersion": "2.2",
"description": "Deploy and install PowerShell modules.",
"parameters": {
"workingDirectory": {
"type": "String",
"default": "",
"description": "(Optional) The path to the working directory on your instance.",
"maxChars": 4096
},
"source": {
"type": "String",
"description": "The URL or local path on the instance to the application .zip file."
},
"sourceHash": {
"type": "String",
"default": "",
"description": "(Optional) The SHA256 hash of the zip file."
},
"commands": {
"type": "StringList",
"default": [],
"description": "(Optional) Specify PowerShell commands to run on your instance.",
"displayType": "textarea"
},
"executionTimeout": {
"type": "String",
"default": "3600",
"description": "(Optional) The time in seconds for a command to be completed before it is considered to have failed. Default is 3600 (1 hour). Maximum is 172800 (48 hours).",
"allowedPattern": "([1-9][0-9]{0,4})|(1[0-6][0-9]{4})|(17[0-1][0-9]{3})|(172[0-7][0-9]{2})|(172800)"
}
},
"mainSteps": [
{
"action": "aws:runPowerShellScript",
"name": "createDownloadFolder",
"precondition": {
"StringEquals": [
"platformType",
"Windows"
]
},
"inputs": {
"runCommand": [
"try {",
" $sku = (Get-CimInstance -ClassName Win32_OperatingSystem).OperatingSystemSKU",
" if ($sku -eq 143 -or $sku -eq 144) {",
" Write-Host \"This document is not supported on Windows 2016 Nano Server.\"",
" exit 40",
" }",
" $ssmAgentService = Get-ItemProperty 'HKLM:SYSTEM\\\\CurrentControlSet\\\\Services\\\\AmazonSSMAgent\\\\'",
" if ($ssmAgentService -and [System.Version]$ssmAgentService.Version -ge [System.Version]'3.0.1031.0') {",
" exit 0",
" }",
" $DataFolder = \"Application Data\"",
" if ( ![string]::IsNullOrEmpty($env:ProgramData) ) {",
" $DataFolder = $env:ProgramData",
" } elseif ( ![string]::IsNullOrEmpty($env:AllUsersProfile) ) {",
" $DataFolder = \"$env:AllUsersProfile\\Application Data\"",
" }",
" $TempFolder = \"/\"",
" if ( $env:Temp -ne $null ) {",
" $TempFolder = $env:Temp",
" }",
" $DataFolder = Join-Path $DataFolder 'Amazon\\SSM'",
" $DownloadFolder = Join-Path $TempFolder 'Amazon\\SSM'",
" if ( !( Test-Path -LiteralPath $DataFolder )) {",
" $none = New-Item -ItemType directory -Path $DataFolder",
" }",
" $DataACL = Get-Acl $DataFolder",
" if ( Test-Path -LiteralPath $DownloadFolder ) {",
" $DownloadACL = Get-Acl $DownloadFolder",
" $ACLDiff = Compare-Object ($DownloadACL.AccessToString) ($DataACL.AccessToString)",
" if ( $ACLDiff.count -eq 0 ) {",
" exit 0",
" }",
" Remove-Item $DownloadFolder -Recurse -Force",
" }",
" $none = New-Item -ItemType directory -Path $DownloadFolder",
" Set-Acl $DownloadFolder -aclobject $DataACL",
" $DownloadACL = Get-Acl $DownloadFolder",
" $ACLDiff = Compare-Object ($DownloadACL.AccessToString) ($DataACL.AccessToString)",
" if ( $ACLDiff.count -ne 0 ) {",
" Write-Error \"Failed to create download folder\" -ErrorAction Continue",
" exit 41",
" }",
"} catch {",
" Write-Host \"Failed to create download folder\"",
" Write-Error $Error[0] -ErrorAction Continue",
" exit 42",
"}"
]
}
},
{
"action": "aws:psModule",
"name": "installModule",
"inputs": {
"id": "0.aws:psModule",
"runCommand": "{{ commands }}",
"source": "{{ source }}",
"sourceHash": "{{ sourceHash }}",
"workingDirectory": "{{ workingDirectory }}",
"timeoutSeconds": "{{ executionTimeout }}"
}
}
]
},
"DocumentFormat": "JSON",
"DocumentType": "Command"
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/InstanceAPI/WindowsFluent-BitDocumentInstallation",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIInstanceAPIFluentBitStatusCheckDocumentFBD1F175": {
"Type": "AWS::SSM::Document",
"Properties": {
"Content": {
"schemaVersion": "2.2",
"description": "Execute scripts stored in a remote location. The following remote locations are currently supported: GitHub (public and private) and Amazon S3 (S3). The following script types are currently supported: #! support on Linux and file associations on Windows.",
"parameters": {
"executionTimeout": {
"default": "3600",
"description": "(Optional) The time in seconds for a command to complete before it is considered to have failed. Default is 3600 (1 hour). Maximum is 28800 (8 hours).",
"type": "String",
"allowedPattern": "([1-9][0-9]{0,3})|(1[0-9]{1,4})|(2[0-7][0-9]{1,3})|(28[0-7][0-9]{1,2})|(28800)"
},
"winCommandLine": {
"default": "",
"description": "(Required) Specify the command line to be executed. The following formats of commands can be run: 'pythonMainFile.py argument1 argument2', 'ansible-playbook -i \"localhost,\" -c local example.yml'",
"type": "String"
},
"linuxCommandLine": {
"default": "",
"description": "(Required) Specify the command line to be executed. The following formats of commands can be run: 'pythonMainFile.py argument1 argument2', 'ansible-playbook -i \"localhost,\" -c local example.yml'",
"type": "String"
}
},
"mainSteps": [
{
"inputs": {
"timeoutSeconds": "{{ executionTimeout }}",
"runCommand": [
"",
"$directory = Convert-Path .",
"$env:PATH += \";$directory\"",
" {{ winCommandLine }}",
"if ($?) {",
" exit $LASTEXITCODE",
"} else {",
" exit 255",
"}",
""
]
},
"name": "runPowerShellScript",
"action": "aws:runPowerShellScript",
"precondition": {
"StringEquals": [
"platformType",
"Windows"
]
}
},
{
"inputs": {
"timeoutSeconds": "{{ executionTimeout }}",
"runCommand": [
"",
"directory=$(pwd)",
"export PATH=$PATH:$directory",
" {{ linuxCommandLine }} ",
""
]
},
"name": "runShellScript",
"action": "aws:runShellScript",
"precondition": {
"StringEquals": [
"platformType",
"Linux"
]
}
}
]
},
"DocumentFormat": "JSON",
"DocumentType": "Command"
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/InstanceAPI/FluentBit-StatusCheckDocument",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIInstanceAPIInstanceAgentStatusHandlerServiceRoleEC3D19C0": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"DependsOn": [
"APIInstanceAPILinuxFluentBitDocumentInstallation294A6663"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/InstanceAPI/InstanceAgentStatusHandler/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIInstanceAPIInstanceAgentStatusHandlerServiceRoleDefaultPolicy9A1C65BE": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SubAccount",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SubAccount",
"Arn"
]
}
]
},
{
"Action": [
"ssm:DescribeInstanceInformation",
"ssm:SendCommand",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ssm:GetCommandInvocation",
"ssm:ListCommandInvocations",
"ssm:DescribeInstanceProperties"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIInstanceAPIInstanceAgentStatusHandlerServiceRoleDefaultPolicy9A1C65BE",
"Roles": [
{
"Ref": "APIInstanceAPIInstanceAgentStatusHandlerServiceRoleEC3D19C0"
}
]
},
"DependsOn": [
"APIInstanceAPILinuxFluentBitDocumentInstallation294A6663"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/InstanceAPI/InstanceAgentStatusHandler/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIInstanceAPIInstanceAgentStatusHandler77086C66": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/b0937356ba4b2d1ad991c6dd6db1a65842fc2deb04759d28a75c16b907f73d31.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Instance Agent Status Query Resolver"
]
]
},
"Environment": {
"Variables": {
"SUB_ACCOUNT_LINK_TABLE_NAME": {
"Ref": "SubAccount"
},
"SOLUTION_VERSION": "v2.4.10",
"SOLUTION_ID": "SO8025",
"LINUX_AGENT_INSTALLATION_DOCUMENT": {
"Ref": "APIInstanceAPILinuxFluentBitDocumentInstallation294A6663"
},
"WINDOWS_AGENT_INSTALLATION_DOCUMENT": {
"Ref": "APIInstanceAPIWindowsFluentBitDocumentInstallation7CDB8577"
},
"AGENT_STATUS_CHECK_DOCUMENT": {
"Ref": "APIInstanceAPIFluentBitStatusCheckDocumentFBD1F175"
},
"FLB_DOWNLOAD_S3_ADDR": {
"Fn::Join": [
"",
[
"https://",
{
"Fn::If": [
"APIInstanceAPIisCN2C8F469A",
"aws-solutions-assets---s3---cn-north-1.amazonaws.com.rproxy.govskope.ca.cn",
"aws-gcr-solutions-assets.s3.amazonaws.com"
]
},
"/aws-for-fluent-bit%3A2.31.12/"
]
]
}
}
},
"Handler": "lambda_function.lambda_handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
}
],
"LoggingConfig": {
"Fn::If": [
"AWSCNCondition",
{
"Ref": "AWS::NoValue"
},
{
"LogFormat": "JSON",
"ApplicationLogLevel": "INFO",
"SystemLogLevel": "WARN"
}
]
},
"MemorySize": 2048,
"Role": {
"Fn::GetAtt": [
"APIInstanceAPIInstanceAgentStatusHandlerServiceRoleEC3D19C0",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 300
},
"DependsOn": [
"APIInstanceAPIInstanceAgentStatusHandlerServiceRoleDefaultPolicy9A1C65BE",
"APIInstanceAPIInstanceAgentStatusHandlerServiceRoleEC3D19C0",
"APIInstanceAPILinuxFluentBitDocumentInstallation294A6663"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/InstanceAPI/InstanceAgentStatusHandler/Resource",
"aws:asset:path": "asset.b0937356ba4b2d1ad991c6dd6db1a65842fc2deb04759d28a75c16b907f73d31",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"OpenSearchDomain": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "id",
"AttributeType": "S"
}
],
"BillingMode": "PAY_PER_REQUEST",
"KeySchema": [
{
"AttributeName": "id",
"KeyType": "HASH"
}
],
"PointInTimeRecoverySpecification": {
"PointInTimeRecoveryEnabled": true
},
"SSESpecification": {
"KMSMasterKeyId": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"SSEEnabled": true,
"SSEType": "KMS"
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/ClusterAPI/OpenSearchDomain/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W73",
"reason": "This table has billing mode as PROVISIONED"
},
{
"id": "W74",
"reason": "This table is set to use DEFAULT encryption, the key is owned by DDB."
}
]
},
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIClusterAPIClusterFlowSMErrorLogGroup039F48FA": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"LogGroupName": {
"Fn::Join": [
"",
[
"/aws/vendedlogs/states/",
{
"Fn::Select": [
6,
{
"Fn::Split": [
":",
{
"Ref": "APICfnFlowSM2282E4F1"
}
]
}
]
},
"-SM-cluster-error"
]
]
},
"RetentionInDays": 731
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/ClusterAPI/ClusterFlowSM/ErrorLogGroup/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"CLOUDWATCH_LOG_GROUP_ENCRYPTED"
]
}
}
},
"APIClusterAPIClusterFlowSMSMRole809550D1": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "states.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/ClusterAPI/ClusterFlowSM/SMRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIClusterAPIClusterFlowSMSMRoleDefaultPolicy926A2E75": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:PutResourcePolicy",
"logs:DescribeLogGroups",
"logs:UpdateLogDelivery",
"logs:AssociateKmsKey",
"logs:GetLogGroupFields",
"logs:PutRetentionPolicy",
"logs:CreateLogGroup",
"logs:PutDestination",
"logs:DescribeResourcePolicies",
"logs:GetLogDelivery",
"logs:ListLogDeliveries"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"APIClusterAPIClusterFlowSMErrorLogGroup039F48FA",
"Arn"
]
}
},
{
"Action": "kms:Decrypt*",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "states:StartExecution",
"Effect": "Allow",
"Resource": {
"Ref": "APICfnFlowSM2282E4F1"
}
},
{
"Action": "dynamodb:UpdateItem",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":dynamodb:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":table/",
{
"Ref": "OpenSearchDomain"
}
]
]
}
},
{
"Action": [
"logs:CreateLogDelivery",
"logs:GetLogDelivery",
"logs:UpdateLogDelivery",
"logs:DeleteLogDelivery",
"logs:ListLogDeliveries",
"logs:PutResourcePolicy",
"logs:DescribeResourcePolicies",
"logs:DescribeLogGroups"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIClusterAPIClusterFlowSMSMRoleDefaultPolicy926A2E75",
"Roles": [
{
"Ref": "APIClusterAPIClusterFlowSMSMRole809550D1"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/ClusterAPI/ClusterFlowSM/SMRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"ClusterFlowSM": {
"Type": "AWS::StepFunctions::StateMachine",
"Properties": {
"DefinitionString": {
"Fn::Join": [
"",
[
"{\"StartAt\":\"Check Stack Type\",\"States\":{\"Check Stack Type\":{\"Type\":\"Choice\",\"Choices\":[{\"Variable\":\"$.type\",\"StringEquals\":\"Proxy\",\"Next\":\"Proxy Stack Flow\"}],\"Default\":\"Alarm Stack Flow\"},\"Alarm Stack Flow\":{\"Next\":\"Check Alarm Status\",\"Type\":\"Task\",\"ResultPath\":\"$.result\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::states:startExecution.waitForTaskToken\",\"Parameters\":{\"Input\":{\"token.$\":\"$$.Task.Token\",\"input.$\":\"$\"},\"StateMachineArn\":\"",
{
"Ref": "APICfnFlowSM2282E4F1"
},
"\"}},\"Check Alarm Status\":{\"Type\":\"Choice\",\"Choices\":[{\"Variable\":\"$.result.stackStatus\",\"StringEquals\":\"CREATE_COMPLETE\",\"Next\":\"Alarm ENABLED Status\"},{\"Variable\":\"$.result.stackStatus\",\"StringEquals\":\"DELETE_COMPLETE\",\"Next\":\"Alarm DISABLED Status\"}],\"Default\":\"Alarm ERROR Status\"},\"Alarm ERROR Status\":{\"End\":true,\"Type\":\"Task\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::dynamodb:updateItem\",\"Parameters\":{\"Key\":{\"id\":{\"S.$\":\"$.id\"}},\"TableName\":\"",
{
"Ref": "OpenSearchDomain"
},
"\",\"ExpressionAttributeNames\":{\"#status\":\"alarmStatus\",\"#sid\":\"alarmStackId\",\"#error\":\"alarmError\"},\"ExpressionAttributeValues\":{\":status\":{\"S\":\"ERROR\"},\":sid\":{\"S.$\":\"$.result.stackId\"},\":error\":{\"S.$\":\"$.result.error\"}},\"UpdateExpression\":\"SET #status = :status, #sid = :sid, #error = :error\"}},\"Alarm ENABLED Status\":{\"End\":true,\"Type\":\"Task\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::dynamodb:updateItem\",\"Parameters\":{\"Key\":{\"id\":{\"S.$\":\"$.id\"}},\"TableName\":\"",
{
"Ref": "OpenSearchDomain"
},
"\",\"ExpressionAttributeNames\":{\"#status\":\"alarmStatus\",\"#sid\":\"alarmStackId\",\"#error\":\"alarmError\"},\"ExpressionAttributeValues\":{\":status\":{\"S\":\"ENABLED\"},\":sid\":{\"S.$\":\"$.result.stackId\"},\":error\":{\"S.$\":\"$.result.error\"}},\"UpdateExpression\":\"SET #status = :status, #sid = :sid, #error = :error\"}},\"Alarm DISABLED Status\":{\"End\":true,\"Type\":\"Task\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::dynamodb:updateItem\",\"Parameters\":{\"Key\":{\"id\":{\"S.$\":\"$.id\"}},\"TableName\":\"",
{
"Ref": "OpenSearchDomain"
},
"\",\"ExpressionAttributeNames\":{\"#status\":\"alarmStatus\",\"#sid\":\"alarmStackId\",\"#error\":\"alarmError\"},\"ExpressionAttributeValues\":{\":status\":{\"S\":\"DISABLED\"},\":sid\":{\"S.$\":\"$.result.stackId\"},\":error\":{\"S.$\":\"$.result.error\"}},\"UpdateExpression\":\"SET #status = :status, #sid = :sid, #error = :error\"}},\"Proxy Stack Flow\":{\"Next\":\"Check Proxy Status\",\"Type\":\"Task\",\"ResultPath\":\"$.result\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::states:startExecution.waitForTaskToken\",\"Parameters\":{\"Input\":{\"token.$\":\"$$.Task.Token\",\"input.$\":\"$\"},\"StateMachineArn\":\"",
{
"Ref": "APICfnFlowSM2282E4F1"
},
"\"}},\"Check Proxy Status\":{\"Type\":\"Choice\",\"Choices\":[{\"Variable\":\"$.result.stackStatus\",\"StringEquals\":\"CREATE_COMPLETE\",\"Next\":\"Proxy ENABLED Status\"},{\"Variable\":\"$.result.stackStatus\",\"StringEquals\":\"DELETE_COMPLETE\",\"Next\":\"Proxy DISABLED Status\"}],\"Default\":\"Proxy ERROR Status\"},\"Proxy ERROR Status\":{\"End\":true,\"Type\":\"Task\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::dynamodb:updateItem\",\"Parameters\":{\"Key\":{\"id\":{\"S.$\":\"$.id\"}},\"TableName\":\"",
{
"Ref": "OpenSearchDomain"
},
"\",\"ExpressionAttributeNames\":{\"#status\":\"proxyStatus\",\"#sid\":\"proxyStackId\",\"#url\":\"proxyALB\",\"#error\":\"proxyError\"},\"ExpressionAttributeValues\":{\":status\":{\"S\":\"ERROR\"},\":sid\":{\"S.$\":\"$.result.stackId\"},\":url\":{\"S\":\"\"},\":error\":{\"S.$\":\"$.result.error\"}},\"UpdateExpression\":\"SET #status = :status, #sid = :sid, #url = :url, #error = :error\"}},\"Proxy ENABLED Status\":{\"End\":true,\"Type\":\"Task\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::dynamodb:updateItem\",\"Parameters\":{\"Key\":{\"id\":{\"S.$\":\"$.id\"}},\"TableName\":\"",
{
"Ref": "OpenSearchDomain"
},
"\",\"ExpressionAttributeNames\":{\"#status\":\"proxyStatus\",\"#sid\":\"proxyStackId\",\"#url\":\"proxyALB\",\"#error\":\"proxyError\"},\"ExpressionAttributeValues\":{\":status\":{\"S\":\"ENABLED\"},\":sid\":{\"S.$\":\"$.result.stackId\"},\":url\":{\"S.$\":\"$.result.outputs[0].OutputValue\"},\":error\":{\"S.$\":\"$.result.error\"}},\"UpdateExpression\":\"SET #status = :status, #sid = :sid, #url = :url, #error = :error\"}},\"Proxy DISABLED Status\":{\"End\":true,\"Type\":\"Task\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::dynamodb:updateItem\",\"Parameters\":{\"Key\":{\"id\":{\"S.$\":\"$.id\"}},\"TableName\":\"",
{
"Ref": "OpenSearchDomain"
},
"\",\"ExpressionAttributeNames\":{\"#status\":\"proxyStatus\",\"#sid\":\"proxyStackId\",\"#url\":\"proxyALB\",\"#error\":\"proxyError\"},\"ExpressionAttributeValues\":{\":status\":{\"S\":\"DISABLED\"},\":sid\":{\"S.$\":\"$.result.stackId\"},\":url\":{\"S\":\"\"},\":error\":{\"S.$\":\"$.result.error\"}},\"UpdateExpression\":\"SET #status = :status, #sid = :sid, #url = :url, #error = :error\"}}}}"
]
]
},
"LoggingConfiguration": {
"Destinations": [
{
"CloudWatchLogsLogGroup": {
"LogGroupArn": {
"Fn::GetAtt": [
"APIClusterAPIClusterFlowSMErrorLogGroup039F48FA",
"Arn"
]
}
}
}
],
"Level": "ALL"
},
"RoleArn": {
"Fn::GetAtt": [
"APIClusterAPIClusterFlowSMSMRole809550D1",
"Arn"
]
}
},
"DependsOn": [
"APIClusterAPIClusterFlowSMSMRoleDefaultPolicy926A2E75",
"APIClusterAPIClusterFlowSMSMRole809550D1"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/ClusterAPI/ClusterFlowSM/ClusterFlowSM/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIClusterAPIClusterLayer58F1BDC7": {
"Type": "AWS::Lambda::LayerVersion",
"Properties": {
"CompatibleRuntimes": [
"python3.11"
],
"Content": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/3a18ff2ff0b454f71a60c1b32a955f6f7678860881eb6ab8711d90f0488346b6.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Lambda layer for OpenSearch Cluster"
]
]
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/ClusterAPI/ClusterLayer/Resource",
"aws:asset:path": "asset.3a18ff2ff0b454f71a60c1b32a955f6f7678860881eb6ab8711d90f0488346b6",
"aws:asset:is-bundled": true,
"aws:asset:property": "Content",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIClusterAPIClusterHandlerServiceRole770F7CF6": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/ClusterAPI/ClusterHandler/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIClusterAPIClusterHandlerServiceRoleDefaultPolicy93FE8BA4": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"OpenSearchDomain",
"Arn"
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"OpenSearchDomain",
"Arn"
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppPipeline",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppPipeline",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SvcPipeline",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SvcPipeline",
"Arn"
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIClusterAPIClusterHandlerServiceRoleDefaultPolicy93FE8BA4",
"Roles": [
{
"Ref": "APIClusterAPIClusterHandlerServiceRole770F7CF6"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/ClusterAPI/ClusterHandler/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIClusterAPIClusterHandlerB36287A2": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/a50c000b9684bc08ecf2a0ea113d5999a4bf8ec2297c2542734cfccb540ce0d8.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Cluster APIs Resolver"
]
]
},
"Environment": {
"Variables": {
"PARTITION": {
"Ref": "AWS::Partition"
},
"OPENSEARCH_MASTER_ROLE_ARN": {
"Fn::GetAtt": [
"OpenSearchMasterRole8E762096",
"Arn"
]
},
"CLUSTER_TABLE": {
"Ref": "OpenSearchDomain"
},
"APP_PIPELINE_TABLE_NAME": {
"Ref": "AppPipeline"
},
"SVC_PIPELINE_TABLE": {
"Ref": "SvcPipeline"
},
"STATE_MACHINE_ARN": {
"Ref": "ClusterFlowSM"
},
"SOLUTION_VERSION": "v2.4.10",
"SOLUTION_ID": "SO8025",
"STACK_PREFIX": "CL",
"DEFAULT_VPC_ID": {
"Ref": "CLVpcDefaultVPC866079B7"
},
"DEFAULT_SG_ID": {
"Fn::GetAtt": [
"ProcessSecurityGroup",
"GroupId"
]
},
"DEFAULT_PRIVATE_SUBNET_IDS": {
"Fn::Join": [
",",
[
{
"Ref": "CLVpcDefaultVPCprivateSubnet1SubnetADE399B7"
},
{
"Ref": "CLVpcDefaultVPCprivateSubnet2Subnet54BADF74"
}
]
]
},
"DEFAULT_LOGGING_BUCKET": {
"Ref": "CLLoggingBucket5F34E4EB"
},
"DEPLOYMENT_UUID": {
"Fn::If": [
"AnonymousDatatoAWS",
{
"Fn::GetAtt": [
"SolutionMetricsCreateUniqueIDA4248A30",
"UUID"
]
},
""
]
},
"SEND_ANONYMIZED_USAGE_DATA": {
"Fn::FindInMap": [
"AnonymousData",
"SendAnonymizedUsageData",
"Data"
]
}
}
},
"Handler": "lambda_function.lambda_handler",
"Layers": [
{
"Ref": "APIClusterAPIClusterLayer58F1BDC7"
},
{
"Ref": "SharedPythonLayer40DE0AAD"
}
],
"MemorySize": 1024,
"Role": {
"Fn::GetAtt": [
"APIClusterAPIClusterHandlerServiceRole770F7CF6",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 180
},
"DependsOn": [
"APIClusterAPIClusterHandlerServiceRoleDefaultPolicy93FE8BA4",
"APIClusterAPIClusterHandlerServiceRole770F7CF6"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/ClusterAPI/ClusterHandler/Resource",
"aws:asset:path": "asset.a50c000b9684bc08ecf2a0ea113d5999a4bf8ec2297c2542734cfccb540ce0d8",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"APIClusterAPIClusterHandlerEventBridgeInvoke89306DAD": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"Action": "lambda:InvokeFunction",
"FunctionName": {
"Fn::GetAtt": [
"APIClusterAPIClusterHandlerB36287A2",
"Arn"
]
},
"Principal": "events.amazonaws.com",
"SourceArn": {
"Fn::GetAtt": [
"APIClusterAPIOpenSearchMetricsRuleEA1B9BC2",
"Arn"
]
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/ClusterAPI/ClusterHandler/EventBridgeInvoke",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
},
"Condition": "APIClusterAPIEnableMetricsCondition3CA83FD4"
},
"APIClusterAPIClusterHandlerPolicy837D5472": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"es:ListDomainNames",
"es:DescribeElasticsearchDomain",
"es:UpdateElasticsearchDomainConfig",
"es:DescribeDomainConfig",
"es:UpdateDomainConfig"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "cloudwatch:GetMetricData",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "cognito-idp:DescribeUserPool",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "states:StartExecution",
"Effect": "Allow",
"Resource": {
"Ref": "ClusterFlowSM"
}
},
{
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AcceptVpcPeeringConnection",
"ec2:CreateRoute",
"ec2:CreateVpcPeeringConnection",
"ec2:CreateNetworkAclEntry",
"ec2:CreateTags",
"ec2:DeleteVpcPeeringConnection",
"ec2:DeleteRoute",
"ec2:DeleteNetworkAclEntry",
"ec2:RevokeSecurityGroupIngress"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ec2:*:",
{
"Ref": "AWS::AccountId"
},
":route-table/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ec2:*:",
{
"Ref": "AWS::AccountId"
},
":network-acl/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ec2:*:",
{
"Ref": "AWS::AccountId"
},
":vpc/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ec2:*:",
{
"Ref": "AWS::AccountId"
},
":security-group/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ec2:*:",
{
"Ref": "AWS::AccountId"
},
":vpc-peering-connection/*"
]
]
}
]
},
{
"Action": [
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeVpcs",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeSubnets",
"ec2:DescribeNetworkAcls",
"ec2:DescribeRouteTables"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"kms:DescribeCustomKeyStores",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIClusterAPIClusterHandlerPolicy837D5472",
"Roles": [
{
"Ref": "APIClusterAPIClusterHandlerServiceRole770F7CF6"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/ClusterAPI/ClusterHandlerPolicy/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W12",
"reason": "This policy needs to be able to have access to all resources"
}
]
},
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIClusterAPIOpenSearchMetricsRuleEA1B9BC2": {
"Type": "AWS::Events::Rule",
"Properties": {
"Description": "Trigger Anonymized OpenSearch metrics collection every week",
"ScheduleExpression": "rate(7 days)",
"State": "ENABLED",
"Targets": [
{
"Arn": {
"Fn::GetAtt": [
"APIClusterAPIClusterHandlerB36287A2",
"Arn"
]
},
"Id": "OpenSearchMetricsTarget",
"Input": "{\"source\":\"aws.events\",\"detail-type\":\"Anonymized-Metrics-Collection\",\"detail\":{}}"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/ClusterAPI/OpenSearchMetricsRule",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
},
"Condition": "APIClusterAPIEnableMetricsCondition3CA83FD4"
},
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppPipelineAPI/PipelineFlowSM/AppPipeFlowFn/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppPipeline",
"Arn"
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppPipeline",
"Arn"
]
}
]
},
{
"Action": "ssm:GetParameter",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ssm:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":parameter/CLO/anonymous_metrics_uuid"
]
]
}
},
{
"Action": [
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":cloudformation:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":stack/*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"Roles": [
{
"Ref": "APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppPipelineAPI/PipelineFlowSM/AppPipeFlowFn/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/620cd625b6d329ae99e6c102dba202e1c7571496b7dc776ed1650949b2ecf333.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Helper function to update app pipeline status"
]
]
},
"Environment": {
"Variables": {
"SOLUTION_ID": "SO8025",
"PIPELINE_TABLE": {
"Ref": "AppPipeline"
},
"SOLUTION_VERSION": "v2.4.10",
"DEPLOYMENT_UUID": {
"Fn::If": [
"AnonymousDatatoAWS",
{
"Fn::GetAtt": [
"SolutionMetricsCreateUniqueIDA4248A30",
"UUID"
]
},
""
]
},
"SEND_ANONYMIZED_USAGE_DATA": {
"Fn::FindInMap": [
"AnonymousData",
"SendAnonymizedUsageData",
"Data"
]
}
}
},
"Handler": "app_pipe_flow.lambda_handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
}
],
"MemorySize": 128,
"Role": {
"Fn::GetAtt": [
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 60
},
"DependsOn": [
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppPipelineAPI/PipelineFlowSM/AppPipeFlowFn/Resource",
"aws:asset:path": "asset.620cd625b6d329ae99e6c102dba202e1c7571496b7dc776ed1650949b2ecf333",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"sns:ListTopics",
"sns:CreateTopic",
"sns:Subscribe",
"sns:Unsubscribe",
"sns:ListSubscriptionsByTopic"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"cloudwatch:PutMetricAlarm",
"cloudwatch:DeleteAlarms"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"Roles": [
{
"Ref": "SingletonLambdaCentralAlarmHandlerSingletonServiceRole9A5E95CB"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppPipelineAPI/PipelineFlowSM/AppFlowAlarmFnPolicy/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W12",
"reason": "This policy needs to be able to control un-predicable sns topics"
}
]
},
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"LogGroupName": {
"Fn::Join": [
"",
[
"/aws/vendedlogs/states/",
{
"Fn::Select": [
6,
{
"Fn::Split": [
":",
{
"Ref": "APICfnFlowSM2282E4F1"
}
]
}
]
},
"-SM-app-pipe-error"
]
]
},
"RetentionInDays": 731
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppPipelineAPI/PipelineFlowSM/ErrorLogGroup/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"CLOUDWATCH_LOG_GROUP_ENCRYPTED"
]
}
}
},
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "states.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppPipelineAPI/PipelineFlowSM/SMRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:PutResourcePolicy",
"logs:DescribeLogGroups",
"logs:UpdateLogDelivery",
"logs:AssociateKmsKey",
"logs:GetLogGroupFields",
"logs:PutRetentionPolicy",
"logs:CreateLogGroup",
"logs:PutDestination",
"logs:DescribeResourcePolicies",
"logs:GetLogDelivery",
"logs:ListLogDeliveries"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"Arn"
]
}
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"PipelineResourcesBuilder",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"PipelineResourcesBuilder",
"Arn"
]
},
":*"
]
]
}
]
},
{
"Action": "states:StartExecution",
"Effect": "Allow",
"Resource": {
"Ref": "APICfnFlowSM2282E4F1"
}
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"Arn"
]
},
":*"
]
]
}
]
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SingletonLambdaCentralAlarmHandlerSingleton6BC08E08",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"SingletonLambdaCentralAlarmHandlerSingleton6BC08E08",
"Arn"
]
},
":*"
]
]
}
]
},
{
"Action": [
"logs:CreateLogDelivery",
"logs:GetLogDelivery",
"logs:UpdateLogDelivery",
"logs:DeleteLogDelivery",
"logs:ListLogDeliveries",
"logs:PutResourcePolicy",
"logs:DescribeResourcePolicies",
"logs:DescribeLogGroups"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"Roles": [
{
"Ref": "APIAppPipelineAPIPipelineFlowSMSMRole2674FC77"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppPipelineAPI/PipelineFlowSM/SMRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"AppPipelineFlowSM": {
"Type": "AWS::StepFunctions::StateMachine",
"Properties": {
"DefinitionString": {
"Fn::Join": [
"",
[
"{\"StartAt\":\"CloudFormation Flow\",\"States\":{\"CloudFormation Flow\":{\"Next\":\"Update Status\",\"Type\":\"Task\",\"ResultPath\":\"$.result\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::states:startExecution.waitForTaskToken\",\"Parameters\":{\"Input\":{\"token.$\":\"$$.Task.Token\",\"input.$\":\"$\"},\"StateMachineArn\":\"",
{
"Ref": "APICfnFlowSM2282E4F1"
},
"\"}},\"Update Status\":{\"Next\":\"Enable Alarm or not?\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"InputPath\":\"$\",\"OutputPath\":\"$.Payload\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"Arn"
]
},
"\",\"Payload.$\":\"$\"}},\"Enable Alarm or not?\":{\"Type\":\"Choice\",\"Choices\":[{\"Variable\":\"$.alarmAction\",\"StringEquals\":\"createPipelineAlarm\",\"Next\":\"APP Pipeline Alarm Task\"},{\"Variable\":\"$.alarmAction\",\"StringEquals\":\"deletePipelineAlarm\",\"Next\":\"APP Pipeline Alarm Task\"}],\"Default\":\"Engine type is LightEngine or not?\"},\"Engine type is LightEngine or not?\":{\"Type\":\"Choice\",\"Choices\":[{\"And\":[{\"Variable\":\"$$.Execution.Input.action\",\"StringEquals\":\"START\"},{\"Variable\":\"$$.Execution.Input.args.engineType\",\"StringEquals\":\"LightEngine\"},{\"Variable\":\"$$.Execution.Input.args.ingestion\",\"IsPresent\":true}],\"Next\":\"SVC Pipeline ingestion Task\"}],\"Default\":\"APP Pipeline Flow Complete\"},\"APP Pipeline Alarm Task\":{\"Next\":\"Engine type is LightEngine or not?\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"InputPath\":\"$\",\"OutputPath\":\"$.Payload\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"SingletonLambdaCentralAlarmHandlerSingleton6BC08E08",
"Arn"
]
},
"\",\"Payload.$\":\"$\"}},\"APP Pipeline Flow Complete\":{\"Type\":\"Succeed\"},\"SVC Pipeline ingestion Task\":{\"End\":true,\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"OutputPath\":\"$.Payload\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"PipelineResourcesBuilder",
"Arn"
]
},
"\",\"Payload\":{\"RequestType\":\"Create\",\"ResourceProperties\":{\"Resource\":\"ingestion\",\"Id.$\":\"$$.Execution.Input.args.ingestion.id\",\"Item\":{\"metaName.$\":\"$$.Execution.Input.args.ingestion.id\",\"data\":{\"role\":{\"sts.$\":\"$$.Execution.Input.args.ingestion.role\"},\"source\":{\"bucket.$\":\"$$.Execution.Input.args.ingestion.bucket\",\"prefix.$\":\"$$.Execution.Input.args.ingestion.prefix\",\"context.$\":\"$$.Execution.Input.args.ingestion.context\"},\"services.$\":\"$$.Execution.Input.args.ingestion.services\"},\"pipelineId.$\":\"$$.Execution.Input.args.ingestion.pipelineId\"}}}}}}}"
]
]
},
"LoggingConfiguration": {
"Destinations": [
{
"CloudWatchLogsLogGroup": {
"LogGroupArn": {
"Fn::GetAtt": [
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"Arn"
]
}
}
}
],
"Level": "ALL"
},
"RoleArn": {
"Fn::GetAtt": [
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"Arn"
]
}
},
"DependsOn": [
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppPipelineAPI/PipelineFlowSM/AppPipelineFlowSM/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppPipelineAPIAppPipelineLayer84F66B91": {
"Type": "AWS::Lambda::LayerVersion",
"Properties": {
"CompatibleRuntimes": [
"python3.11"
],
"Content": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/b73decb45ba03e4ee6c7327f7388f230c0f9d985638bb083972b9daabbbf044f.zip"
},
"Description": "Default Lambda layer for AppPipeline"
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppPipelineAPI/AppPipelineLayer/Resource",
"aws:asset:path": "asset.b73decb45ba03e4ee6c7327f7388f230c0f9d985638bb083972b9daabbbf044f",
"aws:asset:is-bundled": true,
"aws:asset:property": "Content",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
]
]
}
]
},
"DependsOn": [
"CLVpcDefaultVPCprivateSubnet1DefaultRoute69028806",
"CLVpcDefaultVPCprivateSubnet1RouteTableAssociation584876D0",
"CLVpcDefaultVPCprivateSubnet2DefaultRoute49D29374",
"CLVpcDefaultVPCprivateSubnet2RouteTableAssociation25D246AC"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppPipelineAPI/AppPipelineHandler/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Effect": "Allow",
"Resource": {
"Ref": "APIGrafanaAPIgrafanasecret28E4228B"
}
},
{
"Action": [
"secretsmanager:PutSecretValue",
"secretsmanager:UpdateSecret",
"secretsmanager:UpdateSecretVersionStage"
],
"Effect": "Allow",
"Resource": {
"Ref": "APIGrafanaAPIgrafanasecret28E4228B"
}
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"Grafana",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"Grafana",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppPipeline",
"Arn"
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppPipeline",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogConf",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogConf",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogSource",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogSource",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"OpenSearchDomain",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"OpenSearchDomain",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SvcPipeline",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SvcPipeline",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"ETLLog",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"ETLLog",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"ETLLog",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"ETLLog",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"OpenSearchMasterRole8E762096",
"Arn"
]
}
},
{
"Action": [
"lambda:PutFunctionConcurrency",
"lambda:GetFunctionConcurrency",
"lambda:DeleteFunctionConcurrency"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":lambda:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":function:CL-*"
]
]
}
},
{
"Action": "states:StartExecution",
"Effect": "Allow",
"Resource": {
"Ref": "AppPipelineFlowSM"
}
},
{
"Action": "kinesis:DescribeStreamSummary",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "lambda:GetAccountSettings",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"es:DescribeElasticsearchDomain",
"es:DescribeDomain"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"iam:CreateRole",
"iam:DeleteRole",
"iam:ListRolePolicies",
"iam:ListAttachedRolePolicies",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"iam:PutRolePolicy"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::*:role/CL-*"
]
]
}
},
{
"Action": "iam:GetRole",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":role/aws-service-role/osis.amazonaws.com/AWSServiceRoleForAmazonOpenSearchIngestionService"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"Roles": [
{
"Ref": "APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81"
}
]
},
"DependsOn": [
"CLVpcDefaultVPCprivateSubnet1DefaultRoute69028806",
"CLVpcDefaultVPCprivateSubnet1RouteTableAssociation584876D0",
"CLVpcDefaultVPCprivateSubnet2DefaultRoute49D29374",
"CLVpcDefaultVPCprivateSubnet2RouteTableAssociation25D246AC"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppPipelineAPI/AppPipelineHandler/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"Description": "Part of the policies for CentralizedLogging/API/AppPipelineAPI/AppPipelineHandler/ServiceRole",
"Path": "/",
"PolicyDocument": {
"Statement": [
{
"Action": [
"dynamodb:GetItem",
"dynamodb:UpdateItem"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"Metadata",
"Arn"
]
}
},
{
"Action": [
"s3:GetBucketNotification",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::*"
]
]
}
},
{
"Action": "sns:GetTopicAttributes",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":sns:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":*"
]
]
}
},
{
"Action": [
"kms:GenerateDataKey*",
"kms:Decrypt",
"kms:Encrypt"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": "glue:GetTable",
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":glue:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":database/amazon_cl_centralized"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":glue:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":table/amazon_cl_centralized/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":glue:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":catalog"
]
]
}
]
},
{
"Action": {
"Fn::If": [
"APIAppPipelineAPIisCNRegion449D591B",
"events:DescribeRule",
"scheduler:GetSchedule"
]
},
"Effect": "Allow",
"Resource": {
"Fn::If": [
"APIAppPipelineAPIisCNRegion449D591B",
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":events:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":rule/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":scheduler:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":schedule/*"
]
]
}
]
}
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectTagging",
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::",
{
"Ref": "CLLoggingBucket5F34E4EB"
}
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::",
{
"Ref": "CLLoggingBucket5F34E4EB"
},
"/*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"Roles": [
{
"Ref": "APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81"
}
]
},
"DependsOn": [
"CLVpcDefaultVPCprivateSubnet1DefaultRoute69028806",
"CLVpcDefaultVPCprivateSubnet1RouteTableAssociation584876D0",
"CLVpcDefaultVPCprivateSubnet2DefaultRoute49D29374",
"CLVpcDefaultVPCprivateSubnet2RouteTableAssociation25D246AC"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppPipelineAPI/AppPipelineHandler/ServiceRole/OverflowPolicy1/Resource"
}
},
"APIAppPipelineAPIAppPipelineHandler49D6FD2E": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/bd91d13e3b2aba7218c145241420ecfc8bbe2809285178eb1acdc39ef34a1fa6.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - AppPipeline APIs Resolver"
]
]
},
"Environment": {
"Variables": {
"STATE_MACHINE_ARN": {
"Ref": "AppPipelineFlowSM"
},
"SVC_PIPELINE_TABLE_NAME": {
"Ref": "SvcPipeline"
},
"APPPIPELINE_TABLE": {
"Ref": "AppPipeline"
},
"APPPIPELINE_TABLE_ARN": {
"Fn::GetAtt": [
"AppPipeline",
"Arn"
]
},
"APPLOGINGESTION_TABLE": {
"Ref": "AppLogIngestion"
},
"OPENSEARCH_MASTER_ROLE_ARN": {
"Fn::GetAtt": [
"OpenSearchMasterRole8E762096",
"Arn"
]
},
"LOG_CONFIG_TABLE": {
"Ref": "LogConf"
},
"CLUSTER_TABLE": {
"Ref": "OpenSearchDomain"
},
"SOLUTION_VERSION": "v2.4.10",
"SOLUTION_ID": "SO8025",
"STACK_PREFIX": "CL",
"GRAFANA_TABLE": {
"Ref": "Grafana"
},
"METADATA_TABLE": {
"Ref": "Metadata"
},
"ETLLOG_TABLE": {
"Ref": "ETLLog"
},
"LOG_SOURCE_TABLE_NAME": {
"Ref": "LogSource"
},
"ACCOUNT_ID": {
"Ref": "AWS::AccountId"
},
"REGION": {
"Ref": "AWS::Region"
},
"PARTITION": {
"Ref": "AWS::Partition"
},
"DEFAULT_LOGGING_BUCKET": {
"Ref": "CLLoggingBucket5F34E4EB"
},
"DEFAULT_CMK_ARN": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"GRAFANA_SECRET_ARN": {
"Ref": "APIGrafanaAPIgrafanasecret28E4228B"
}
}
},
"Handler": "lambda_function.lambda_handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
},
{
"Ref": "APIAppPipelineAPIAppPipelineLayer84F66B91"
}
],
"MemorySize": 1024,
"Role": {
"Fn::GetAtt": [
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 60,
"VpcConfig": {
"SecurityGroupIds": [
{
"Fn::GetAtt": [
"ProcessSecurityGroup",
"GroupId"
]
}
],
"SubnetIds": [
{
"Ref": "CLVpcDefaultVPCprivateSubnet1SubnetADE399B7"
},
{
"Ref": "CLVpcDefaultVPCprivateSubnet2Subnet54BADF74"
}
]
}
},
"DependsOn": [
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"CLVpcDefaultVPCprivateSubnet1DefaultRoute69028806",
"CLVpcDefaultVPCprivateSubnet1RouteTableAssociation584876D0",
"CLVpcDefaultVPCprivateSubnet2DefaultRoute49D29374",
"CLVpcDefaultVPCprivateSubnet2RouteTableAssociation25D246AC"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppPipelineAPI/AppPipelineHandler/Resource",
"aws:asset:path": "asset.bd91d13e3b2aba7218c145241420ecfc8bbe2809285178eb1acdc39ef34a1fa6",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "The managed policy needs to use any resources.",
"id": "AwsSolutions-IAM5"
},
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"Ec2IamInstanceProfilePolicy": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"Description": "",
"Path": "/",
"PolicyDocument": {
"Statement": [
{
"Action": "s3:GetObject",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"CLLoggingBucket5F34E4EB",
"Arn"
]
},
"/*"
]
]
},
"Sid": "AccessLoggingBucket"
},
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":role/CL-buffer-access*"
]
]
},
"Sid": "AssumeRoleInMainAccount"
},
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":role/CL-cloudwatch-access*"
]
]
},
"Sid": "AssumeRoleInMainAccountCWL"
},
{
"Action": [
"ssm:DescribeInstanceProperties",
"ssm:UpdateInstanceInformation"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "SSM"
},
{
"Action": [
"ec2messages:GetEndpoint",
"ec2messages:AcknowledgeMessage",
"ec2messages:SendReply",
"ec2messages:GetMessages"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "EC2Messages"
},
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"AthenaPublicAccessRole",
"Arn"
]
}
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/Ec2IamInstanceProfile/Ec2IamInstanceProfilePolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "The managed policy needs to use any resources.",
"id": "AwsSolutions-IAM5"
},
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W13",
"reason": "The managed policy needs to use any resources."
}
]
}
}
},
"Ec2IamInstanceProfileRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Ref": "Ec2IamInstanceProfilePolicy"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/Ec2IamInstanceProfile/Ec2IamInstanceProfileRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"Ec2IamInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Roles": [
{
"Ref": "Ec2IamInstanceProfileRole"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/Ec2IamInstanceProfile/Ec2IamInstanceProfile",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APICloudWatchAPIFluentBitLogGroup7C2D7C61": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"LogGroupName": {
"Fn::Join": [
"",
[
"CL-flb-internal-group-",
{
"Ref": "AWS::StackName"
}
]
]
},
"RetentionInDays": 731
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CloudWatchAPI/FluentBitLogGroup/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"CLOUDWATCH_LOG_GROUP_ENCRYPTED"
]
}
}
},
"APICloudWatchAPIFluentBitLogGroupFluentBitInputBytes292C92FE": {
"Type": "AWS::Logs::MetricFilter",
"Properties": {
"FilterPattern": "{ $.metric = \"fluentbit_input_bytes_total\" }",
"LogGroupName": {
"Ref": "APICloudWatchAPIFluentBitLogGroup7C2D7C61"
},
"MetricTransformations": [
{
"Dimensions": [
{
"Key": "IngestionId",
"Value": "$.plugin"
}
],
"MetricName": "InputBytes",
"MetricNamespace": "Solution/CL/FluentBit",
"MetricValue": "$.value"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CloudWatchAPI/FluentBitLogGroup/FluentBitInputBytes/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APICloudWatchAPIFluentBitLogGroupFluentBitInputRecords2D21A88E": {
"Type": "AWS::Logs::MetricFilter",
"Properties": {
"FilterPattern": "{ $.metric = \"fluentbit_input_records_total\" }",
"LogGroupName": {
"Ref": "APICloudWatchAPIFluentBitLogGroup7C2D7C61"
},
"MetricTransformations": [
{
"Dimensions": [
{
"Key": "IngestionId",
"Value": "$.plugin"
}
],
"MetricName": "InputRecords",
"MetricNamespace": "Solution/CL/FluentBit",
"MetricValue": "$.value"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CloudWatchAPI/FluentBitLogGroup/FluentBitInputRecords/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APICloudWatchAPIFluentBitLogGroupFluentBitOutputProcBytes56192C87": {
"Type": "AWS::Logs::MetricFilter",
"Properties": {
"FilterPattern": "{ $.metric = \"fluentbit_output_proc_bytes_total\" }",
"LogGroupName": {
"Ref": "APICloudWatchAPIFluentBitLogGroup7C2D7C61"
},
"MetricTransformations": [
{
"Dimensions": [
{
"Key": "IngestionId",
"Value": "$.plugin"
}
],
"MetricName": "OutputProcBytes",
"MetricNamespace": "Solution/CL/FluentBit",
"MetricValue": "$.value"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CloudWatchAPI/FluentBitLogGroup/FluentBitOutputProcBytes/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APICloudWatchAPIFluentBitLogGroupFluentBitOutputProcRecords44BC1D63": {
"Type": "AWS::Logs::MetricFilter",
"Properties": {
"FilterPattern": "{ $.metric = \"fluentbit_output_proc_records_total\" }",
"LogGroupName": {
"Ref": "APICloudWatchAPIFluentBitLogGroup7C2D7C61"
},
"MetricTransformations": [
{
"Dimensions": [
{
"Key": "IngestionId",
"Value": "$.plugin"
}
],
"MetricName": "OutputProcRecords",
"MetricNamespace": "Solution/CL/FluentBit",
"MetricValue": "$.value"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CloudWatchAPI/FluentBitLogGroup/FluentBitOutputProcRecords/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APICloudWatchAPIFluentBitLogGroupFluentBitOutputDroppedRecords4462AA02": {
"Type": "AWS::Logs::MetricFilter",
"Properties": {
"FilterPattern": "{ $.metric = \"fluentbit_output_dropped_records_total\" }",
"LogGroupName": {
"Ref": "APICloudWatchAPIFluentBitLogGroup7C2D7C61"
},
"MetricTransformations": [
{
"Dimensions": [
{
"Key": "IngestionId",
"Value": "$.plugin"
}
],
"MetricName": "OutputDroppedRecords",
"MetricNamespace": "Solution/CL/FluentBit",
"MetricValue": "$.value"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CloudWatchAPI/FluentBitLogGroup/FluentBitOutputDroppedRecords/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APICloudWatchAPIFluentBitLogGroupFluentBitOutputErrors9097E317": {
"Type": "AWS::Logs::MetricFilter",
"Properties": {
"FilterPattern": "{ $.metric = \"fluentbit_output_errors_total\" }",
"LogGroupName": {
"Ref": "APICloudWatchAPIFluentBitLogGroup7C2D7C61"
},
"MetricTransformations": [
{
"Dimensions": [
{
"Key": "IngestionId",
"Value": "$.plugin"
}
],
"MetricName": "OutputErrors",
"MetricNamespace": "Solution/CL/FluentBit",
"MetricValue": "$.value"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CloudWatchAPI/FluentBitLogGroup/FluentBitOutputErrors/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APICloudWatchAPIFluentBitLogGroupFluentBitOutputRetriedRecordsDCF260F6": {
"Type": "AWS::Logs::MetricFilter",
"Properties": {
"FilterPattern": "{ $.metric = \"fluentbit_output_retried_records_total\" }",
"LogGroupName": {
"Ref": "APICloudWatchAPIFluentBitLogGroup7C2D7C61"
},
"MetricTransformations": [
{
"Dimensions": [
{
"Key": "IngestionId",
"Value": "$.plugin"
}
],
"MetricName": "OutputRetriedRecords",
"MetricNamespace": "Solution/CL/FluentBit",
"MetricValue": "$.value"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CloudWatchAPI/FluentBitLogGroup/FluentBitOutputRetriedRecords/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APICloudWatchAPIFluentBitLogGroupFluentBitOutputRetriesFailed2F5A5A34": {
"Type": "AWS::Logs::MetricFilter",
"Properties": {
"FilterPattern": "{ $.metric = \"fluentbit_output_retries_failed_total\" }",
"LogGroupName": {
"Ref": "APICloudWatchAPIFluentBitLogGroup7C2D7C61"
},
"MetricTransformations": [
{
"Dimensions": [
{
"Key": "IngestionId",
"Value": "$.plugin"
}
],
"MetricName": "OutputRetriesFailed",
"MetricNamespace": "Solution/CL/FluentBit",
"MetricValue": "$.value"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CloudWatchAPI/FluentBitLogGroup/FluentBitOutputRetriesFailed/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APICloudWatchAPIFluentBitLogGroupFluentBitOutputRetriesA796E074": {
"Type": "AWS::Logs::MetricFilter",
"Properties": {
"FilterPattern": "{ $.metric = \"fluentbit_output_retries_total\" }",
"LogGroupName": {
"Ref": "APICloudWatchAPIFluentBitLogGroup7C2D7C61"
},
"MetricTransformations": [
{
"Dimensions": [
{
"Key": "IngestionId",
"Value": "$.plugin"
}
],
"MetricName": "OutputRetries",
"MetricNamespace": "Solution/CL/FluentBit",
"MetricValue": "$.value"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CloudWatchAPI/FluentBitLogGroup/FluentBitOutputRetries/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APICloudWatchAPICloudWatchHandlerServiceRole3CE2D967": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CloudWatchAPI/CloudWatchHandler/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APICloudWatchAPICloudWatchHandlerServiceRoleDefaultPolicy894CE315": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:GetLogDelivery",
"logs:ListLogDeliveries",
"logs:DescribeLogStreams",
"logs:GetLogEvents",
"logs:FilterLogEvents",
"cloudwatch:GetMetricStatistics",
"cloudwatch:GetMetricData",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SvcPipeline",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SvcPipeline",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppPipeline",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppPipeline",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogSource",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogSource",
"Arn"
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "APICloudWatchAPICloudWatchHandlerServiceRoleDefaultPolicy894CE315",
"Roles": [
{
"Ref": "APICloudWatchAPICloudWatchHandlerServiceRole3CE2D967"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CloudWatchAPI/CloudWatchHandler/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APICloudWatchAPICloudWatchHandlerC0FECCE0": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/62e274d5ca832f8626f065419e20caeb23e9e71664e4bc2c99b75f5f4c1885a7.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - CloudWatch APIs Resolver"
]
]
},
"Environment": {
"Variables": {
"SOLUTION_VERSION": "v2.4.10",
"SOLUTION_ID": "SO8025",
"STACK_PREFIX": "CL",
"SVC_PIPELINE_TABLE_NAME": {
"Ref": "SvcPipeline"
},
"APP_PIPELINE_TABLE_NAME": {
"Ref": "AppPipeline"
},
"APP_LOG_INGESTION_TABLE_NAME": {
"Ref": "AppLogIngestion"
},
"LOG_SOURCE_TABLE_NAME": {
"Ref": "LogSource"
}
}
},
"Handler": "lambda_function.lambda_handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
}
],
"MemorySize": 1024,
"Role": {
"Fn::GetAtt": [
"APICloudWatchAPICloudWatchHandlerServiceRole3CE2D967",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 60
},
"DependsOn": [
"APICloudWatchAPICloudWatchHandlerServiceRoleDefaultPolicy894CE315",
"APICloudWatchAPICloudWatchHandlerServiceRole3CE2D967"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/CloudWatchAPI/CloudWatchHandler/Resource",
"aws:asset:path": "asset.62e274d5ca832f8626f065419e20caeb23e9e71664e4bc2c99b75f5f4c1885a7",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W12",
"reason": "Lambda function requires to query logs and streams"
}
]
},
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"APIAppLogIngestionAPIFluentBitConfigDownloadingA37716D1": {
"Type": "AWS::SSM::Document",
"Properties": {
"Content": {
"schemaVersion": "2.2",
"description": "Download Fluent-Bit config file and reboot the Fluent-Bit",
"parameters": {
"INSTANCEID": {
"type": "String",
"default": "",
"description": "(Required) Instance Id"
}
},
"mainSteps": [
{
"action": "aws:runShellScript",
"name": "stopFluentBit",
"inputs": {
"runCommand": [
"sudo service fluent-bit stop"
]
}
},
{
"action": "aws:runShellScript",
"name": "updateFluentBitVersion",
"inputs": {
"runCommand": [
{
"Fn::Join": [
"",
[
"ARCHITECTURE=''; if [ \"$(uname -m)\" = \"aarch64\" ]; then ARCHITECTURE='-arm64'; fi; [ -e /opt/fluent-bit/bin/fluent-bit ] && [ -z \"$(/opt/fluent-bit/bin/fluent-bit -V | grep 'v1.9.10')\" ] && curl -o /opt/fluent-bit$ARCHITECTURE.tar.gz https://",
{
"Fn::If": [
"APIAppLogIngestionAPIisCNRegion59A1FE54",
"aws-solutions-assets---s3---cn-north-1.amazonaws.com.rproxy.govskope.ca.cn",
"aws-gcr-solutions-assets.s3.amazonaws.com"
]
},
"/clo/v2.4.10/aws-for-fluent-bit/fluent-bit$ARCHITECTURE.tar.gz && tar xzvf /opt/fluent-bit$ARCHITECTURE.tar.gz -C /opt/ --exclude=fluent-bit/etc; echo 0"
]
]
}
]
}
},
{
"action": "aws:downloadContent",
"name": "downloadFluentBitParserConfig",
"inputs": {
"sourceType": "S3",
"sourceInfo": {
"Fn::Join": [
"",
[
"{\"path\":\"https://",
{
"Fn::GetAtt": [
"CLLoggingBucket5F34E4EB",
"RegionalDomainName"
]
},
"/app_log_config/{{INSTANCEID}}/applog_parsers.conf\"}"
]
]
},
"destinationPath": "/opt/fluent-bit/etc"
}
},
{
"action": "aws:downloadContent",
"name": "downloadFluentBitConfig",
"inputs": {
"sourceType": "S3",
"sourceInfo": {
"Fn::Join": [
"",
[
"{\"path\":\"https://",
{
"Fn::GetAtt": [
"CLLoggingBucket5F34E4EB",
"RegionalDomainName"
]
},
"/app_log_config/{{INSTANCEID}}/fluent-bit.conf\"}"
]
]
},
"destinationPath": "/opt/fluent-bit/etc"
}
},
{
"action": "aws:runShellScript",
"name": "startFluentBit",
"inputs": {
"runCommand": [
"sudo systemctl enable fluent-bit.service",
"sudo service fluent-bit start"
]
}
}
]
},
"DocumentFormat": "JSON",
"DocumentType": "Command"
},
"DependsOn": [
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/Fluent-BitConfigDownloading",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppLogIngestionAPIFluentBitConfigDownloadingForWindowsCBB21C46": {
"Type": "AWS::SSM::Document",
"Properties": {
"Content": {
"schemaVersion": "2.2",
"description": "Execute scripts stored in a remote location. The following remote locations are currently supported: GitHub (public and private) and Amazon S3 (S3). The following script types are currently supported: #! support on Linux and file associations on Windows.",
"parameters": {
"executionTimeout": {
"default": "3600",
"description": "(Optional) The time in seconds for a command to complete before it is considered to have failed. Default is 3600 (1 hour). Maximum is 28800 (8 hours).",
"type": "String",
"allowedPattern": "([1-9][0-9]{0,3})|(1[0-9]{1,4})|(2[0-7][0-9]{1,3})|(28[0-7][0-9]{1,2})|(28800)"
},
"workingDirectory": {
"default": "",
"description": "(Optional) The path where the content will be downloaded and executed from on your instance.",
"maxChars": 4096,
"type": "String"
},
"INSTANCEID": {
"type": "String",
"default": "",
"description": "(Required) Instance Id"
},
"commandLine": {
"default": "ReStart-Service fluent-bit",
"description": "(Required) Specify the command line to be executed. The following formats of commands can be run: 'pythonMainFile.py argument1 argument2', 'ansible-playbook -i \"localhost,\" -c local example.yml'",
"type": "String"
}
},
"mainSteps": [
{
"inputs": {
"sourceInfo": {
"Fn::Join": [
"",
[
"{\"path\":\"https://",
{
"Fn::GetAtt": [
"CLLoggingBucket5F34E4EB",
"RegionalDomainName"
]
},
"/app_log_config/{{INSTANCEID}}/applog_parsers.conf\"}"
]
]
},
"sourceType": "S3",
"destinationPath": "C:/fluent-bit/etc"
},
"name": "downloadFluentBitParserConfig",
"action": "aws:downloadContent"
},
{
"inputs": {
"sourceInfo": {
"Fn::Join": [
"",
[
"{\"path\":\"https://",
{
"Fn::GetAtt": [
"CLLoggingBucket5F34E4EB",
"RegionalDomainName"
]
},
"/app_log_config/{{INSTANCEID}}/fluent-bit.conf\"}"
]
]
},
"sourceType": "S3",
"destinationPath": "C:/fluent-bit/etc"
},
"name": "downloadFluentBitConfig",
"action": "aws:downloadContent"
},
{
"inputs": {
"workingDirectory": "{{ workingDirectory }}",
"timeoutSeconds": "{{ executionTimeout }}",
"runCommand": [
"",
"$directory = Convert-Path .",
"$env:PATH += \";$directory\"",
" {{ commandLine }}",
"if ($?) {",
" exit $LASTEXITCODE",
"} else {",
" exit 255",
"}",
""
]
},
"name": "runPowerShellScript",
"action": "aws:runPowerShellScript",
"precondition": {
"StringEquals": [
"platformType",
"Windows"
]
}
},
{
"inputs": {
"workingDirectory": "{{ workingDirectory }}",
"timeoutSeconds": "{{ executionTimeout }}",
"runCommand": [
"",
"directory=$(pwd)",
"export PATH=$PATH:$directory",
" {{ commandLine }} ",
""
]
},
"name": "runShellScript",
"action": "aws:runShellScript",
"precondition": {
"StringEquals": [
"platformType",
"Linux"
]
}
}
]
},
"DocumentFormat": "JSON",
"DocumentType": "Command",
"UpdateMethod": "NewVersion"
},
"DependsOn": [
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/Fluent-BitConfigDownloadingForWindows",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppLogIngestionAPIAppLogIngestionLayer19CDEE0D": {
"Type": "AWS::Lambda::LayerVersion",
"Properties": {
"CompatibleRuntimes": [
"python3.11"
],
"Content": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/6a46964f8f2b46513e295cfe1d7d3c75e9f56c1284ffd75fd5b5c30ecfa369df.zip"
},
"Description": "Default Lambda layer for AppLog Ingestion"
},
"DependsOn": [
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/AppLogIngestionLayer/Resource",
"aws:asset:path": "asset.6a46964f8f2b46513e295cfe1d7d3c75e9f56c1284ffd75fd5b5c30ecfa369df",
"aws:asset:is-bundled": true,
"aws:asset:property": "Content",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppLogIngestionAPIAppLogIngestionEC2ModificationHandlerServiceRoleC4E56802": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"DependsOn": [
"APIAppLogIngestionAPIFluentBitConfigDownloadingA37716D1",
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/AppLogIngestionEC2ModificationHandler/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppLogIngestionAPIAppLogIngestionEC2ModificationHandlerServiceRoleDefaultPolicy6B954FD6": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "dynamodb:ListStreams",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:DescribeStream",
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"Instance",
"StreamArn"
]
}
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"InstanceIngestionDetail",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"InstanceIngestionDetail",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppPipeline",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppPipeline",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogConf",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogConf",
"Arn"
]
}
]
},
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
"s3:DeleteObject*",
"s3:PutObject",
"s3:PutObjectLegalHold",
"s3:PutObjectRetention",
"s3:PutObjectTagging",
"s3:PutObjectVersionTagging",
"s3:Abort*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"CLLoggingBucket5F34E4EB",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"CLLoggingBucket5F34E4EB",
"Arn"
]
},
"/*"
]
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogSource",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogSource",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SubAccount",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SubAccount",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"Instance",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"Instance",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"Instance",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"Instance",
"Arn"
]
},
"/index/*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppLogIngestionAPIAppLogIngestionEC2ModificationHandlerServiceRoleDefaultPolicy6B954FD6",
"Roles": [
{
"Ref": "APIAppLogIngestionAPIAppLogIngestionEC2ModificationHandlerServiceRoleC4E56802"
}
]
},
"DependsOn": [
"APIAppLogIngestionAPIFluentBitConfigDownloadingA37716D1",
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/AppLogIngestionEC2ModificationHandler/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppLogIngestionAPIAppLogIngestionEC2ModificationHandler501193DB": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/efcfa06ecbd90b4134da3b01a7b54de4ae3ecdfcf0e044c54dee89ba65d9479d.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Async AppLogIngestion Resolver for instance ingestion adding and deleting instances event"
]
]
},
"Environment": {
"Variables": {
"APP_LOG_INGESTION_TABLE_NAME": {
"Ref": "AppLogIngestion"
},
"INSTANCE_TABLE_NAME": {
"Ref": "Instance"
},
"SSM_LOG_CONFIG_DOCUMENT_NAME": {
"Ref": "APIAppLogIngestionAPIFluentBitConfigDownloadingA37716D1"
},
"SSM_WINDOWS_LOG_CONFIG_DOCUMENT_NAME": {
"Ref": "APIAppLogIngestionAPIFluentBitConfigDownloadingForWindowsCBB21C46"
},
"CONFIG_FILE_S3_BUCKET_NAME": {
"Ref": "CLLoggingBucket5F34E4EB"
},
"APP_PIPELINE_TABLE_NAME": {
"Ref": "AppPipeline"
},
"INSTANCE_INGESTION_DETAIL_TABLE_NAME": {
"Ref": "InstanceIngestionDetail"
},
"APP_LOG_CONFIG_TABLE_NAME": {
"Ref": "LogConf"
},
"LOG_SOURCE_TABLE_NAME": {
"Ref": "LogSource"
},
"SUB_ACCOUNT_LINK_TABLE_NAME": {
"Ref": "SubAccount"
},
"SOLUTION_VERSION": "v2.4.10",
"SOLUTION_ID": "SO8025",
"FLUENT_BIT_LOG_GROUP_NAME": {
"Ref": "APICloudWatchAPIFluentBitLogGroup7C2D7C61"
},
"FLUENT_BIT_IMAGE": "public.ecr.aws/aws-observability/aws-for-fluent-bit:2.32.2.20241008",
"FLUENT_BIT_EKS_CLUSTER_NAME_SPACE": "logging",
"EC2_IAM_INSTANCE_PROFILE_ARN": {
"Fn::GetAtt": [
"Ec2IamInstanceProfile",
"Arn"
]
},
"CWL_MONITOR_ROLE_ARN": {
"Fn::GetAtt": [
"APICrossAccountStackCWLAccessRoleBD3C44A8",
"Arn"
]
},
"DEFAULT_OPEN_EXTRA_METADATA_FLAG": "true",
"LOG_AGENT_VPC_ID": {
"Ref": "CLVpcDefaultVPC866079B7"
},
"LOG_AGENT_SUBNETS_IDS": {
"Fn::Join": [
",",
[
{
"Ref": "CLVpcDefaultVPCprivateSubnet1SubnetADE399B7"
},
{
"Ref": "CLVpcDefaultVPCprivateSubnet2Subnet54BADF74"
}
]
]
},
"DEFAULT_CMK_ARN": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"ECS_CLUSTER_NAME": {
"Ref": "ECSClusterStackCLClusterBCB8AA1C"
},
"FLB_S3_ADDR": {
"Fn::If": [
"APIAppLogIngestionAPIisCNRegion59A1FE54",
"aws-solutions-assets---s3---cn-north-1.amazonaws.com.rproxy.govskope.ca.cn",
"aws-gcr-solutions-assets.s3.amazonaws.com"
]
}
}
},
"Handler": "ingestion_modification_event_lambda_function.lambda_handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
},
{
"Ref": "APIAppLogIngestionAPIAppLogIngestionLayer19CDEE0D"
}
],
"MemorySize": 1024,
"Role": {
"Fn::GetAtt": [
"APIAppLogIngestionAPIAppLogIngestionEC2ModificationHandlerServiceRoleC4E56802",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 900
},
"DependsOn": [
"APIAppLogIngestionAPIAppLogIngestionEC2ModificationHandlerServiceRoleDefaultPolicy6B954FD6",
"APIAppLogIngestionAPIAppLogIngestionEC2ModificationHandlerServiceRoleC4E56802",
"APIAppLogIngestionAPIFluentBitConfigDownloadingA37716D1",
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/AppLogIngestionEC2ModificationHandler/Resource",
"aws:asset:path": "asset.efcfa06ecbd90b4134da3b01a7b54de4ae3ecdfcf0e044c54dee89ba65d9479d",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"APIAppLogIngestionAPIAppLogIngestionEC2ModificationHandlerDynamoDBEventSourceCentralizedLoggingAPIAppTablesInstanceCD31F0DF73C1A15D": {
"Type": "AWS::Lambda::EventSourceMapping",
"Properties": {
"BatchSize": 1,
"EventSourceArn": {
"Fn::GetAtt": [
"Instance",
"StreamArn"
]
},
"FilterCriteria": {
"Filters": [
{
"Pattern": "{\"eventName\":[\"INSERT\"]}"
},
{
"Pattern": "{\"eventName\":[\"REMOVE\"]}"
}
]
},
"FunctionName": {
"Ref": "APIAppLogIngestionAPIAppLogIngestionEC2ModificationHandler501193DB"
},
"MaximumRetryAttempts": 5,
"StartingPosition": "LATEST"
},
"DependsOn": [
"APIAppLogIngestionAPIFluentBitConfigDownloadingA37716D1",
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/AppLogIngestionEC2ModificationHandler/DynamoDBEventSource:CentralizedLoggingAPIAppTablesInstanceCD31F0DF/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppLogIngestionAPIssmPolicyAD25DAE8": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ssm:DescribeInstanceInformation",
"ssm:ListCommandInvocations",
"ssm:GetCommandInvocation"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ssm:SendCommand",
"ssm:GetParameters",
"ssm:GetParameter"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ec2:*:",
{
"Ref": "AWS::AccountId"
},
":instance/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ssm:*:",
{
"Ref": "AWS::AccountId"
},
":document/AWS-RunShellScript"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ssm:*:",
{
"Ref": "AWS::AccountId"
},
":document/*FluentBitDocumentInstallation*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ssm:*:",
{
"Ref": "AWS::AccountId"
},
":document/*FluentBitConfigDownloading*"
]
]
}
],
"Sid": "EC2SSMPolicy"
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppLogIngestionAPIssmPolicyAD25DAE8",
"Roles": [
{
"Ref": "APIAppLogIngestionAPIAppLogIngestionEC2ModificationHandlerServiceRoleC4E56802"
},
{
"Ref": "APIAppLogIngestionAPIEC2IngestionDistributionEventHandlerServiceRoleD8B62561"
}
]
},
"DependsOn": [
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/ssmPolicy/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "F4",
"reason": "These actions can only support all resources"
}
]
},
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppLogIngestionAPISourceCommonPolicy08941E39": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "iam:UpdateAssumeRolePolicy",
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":role/CL-EKS-LogAgent-Role-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":role/*buffer-access*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":role/*BufferAccessRole*"
]
]
}
]
},
{
"Action": [
"iam:GetRole",
"iam:AttachRolePolicy",
"iam:ListAttachedRolePolicies"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":role/CL-EKS-LogAgent-Role-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":role/*buffer-access*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":role/*BufferAccessRole*"
]
]
}
]
},
{
"Action": [
"iam:GetRole",
"iam:ListAttachedRolePolicies"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":role/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":instance-profile/*"
]
]
},
{
"Fn::GetAtt": [
"Ec2IamInstanceProfileRole",
"Arn"
]
}
]
},
{
"Action": "iam:AttachRolePolicy",
"Condition": {
"StringEquals": {
"iam:PolicyARN": {
"Ref": "Ec2IamInstanceProfilePolicy"
}
}
},
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":role/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":instance-profile/*"
]
]
}
]
},
{
"Action": [
"iam:AddRoleToInstanceProfile",
"iam:GetInstanceProfile"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":instance-profile/*"
]
]
}
},
{
"Action": "iam:PassRole",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"Ec2IamInstanceProfileRole",
"Arn"
]
},
{
"Fn::GetAtt": [
"Ec2IamInstanceProfile",
"Arn"
]
}
],
"Sid": "PassRoleForEc2IamInstanceProfileRole"
},
{
"Action": [
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:RemoveTags"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:AssociateIamInstanceProfile"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppLogIngestionAPISourceCommonPolicy08941E39",
"Roles": [
{
"Ref": "APIAppLogIngestionAPIAppLogIngestionEC2ModificationHandlerServiceRoleC4E56802"
},
{
"Ref": "APIAppLogIngestionAPIAppLogIngestionHandlerServiceRoleC1143A06"
},
{
"Ref": "APIAppLogIngestionAPIEC2IngestionDistributionEventHandlerServiceRoleD8B62561"
}
]
},
"DependsOn": [
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/SourceCommonPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppLogIngestionAPIPipelineFlowSMAppIngestionFlowFnServiceRole4C3F73A2": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"DependsOn": [
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/PipelineFlowSM/AppIngestionFlowFn/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppLogIngestionAPIPipelineFlowSMAppIngestionFlowFnServiceRoleDefaultPolicy61B688F3": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogSource",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogSource",
"Arn"
]
}
]
},
{
"Action": "cloudformation:DescribeStackEvents",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":cloudformation:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":stack/*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppLogIngestionAPIPipelineFlowSMAppIngestionFlowFnServiceRoleDefaultPolicy61B688F3",
"Roles": [
{
"Ref": "APIAppLogIngestionAPIPipelineFlowSMAppIngestionFlowFnServiceRole4C3F73A2"
}
]
},
"DependsOn": [
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/PipelineFlowSM/AppIngestionFlowFn/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppLogIngestionAPIPipelineFlowSMAppIngestionFlowFn5FA5A488": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/620cd625b6d329ae99e6c102dba202e1c7571496b7dc776ed1650949b2ecf333.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Helper function to update Ingestion status for S3 Source and Syslog Ingestion"
]
]
},
"Environment": {
"Variables": {
"SOLUTION_ID": "SO8025",
"INGESTION_TABLE": {
"Ref": "AppLogIngestion"
},
"LOG_SOURCE_TABLE": {
"Ref": "LogSource"
},
"SOLUTION_VERSION": "v2.4.10"
}
},
"Handler": "app_ingestion_flow.lambda_handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
}
],
"MemorySize": 128,
"Role": {
"Fn::GetAtt": [
"APIAppLogIngestionAPIPipelineFlowSMAppIngestionFlowFnServiceRole4C3F73A2",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 60
},
"DependsOn": [
"APIAppLogIngestionAPIPipelineFlowSMAppIngestionFlowFnServiceRoleDefaultPolicy61B688F3",
"APIAppLogIngestionAPIPipelineFlowSMAppIngestionFlowFnServiceRole4C3F73A2",
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/PipelineFlowSM/AppIngestionFlowFn/Resource",
"aws:asset:path": "asset.620cd625b6d329ae99e6c102dba202e1c7571496b7dc776ed1650949b2ecf333",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"APIAppLogIngestionAPIPipelineFlowSMErrorLogGroupF2446D81": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"LogGroupName": {
"Fn::Join": [
"",
[
"/aws/vendedlogs/states/",
{
"Fn::Select": [
6,
{
"Fn::Split": [
":",
{
"Ref": "APICfnFlowSM2282E4F1"
}
]
}
]
},
"-SM-app-ingestion-error"
]
]
},
"RetentionInDays": 731
},
"DependsOn": [
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/PipelineFlowSM/ErrorLogGroup/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"CLOUDWATCH_LOG_GROUP_ENCRYPTED"
]
}
}
},
"APIAppLogIngestionAPIPipelineFlowSMSMRoleE640B852": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "states.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"DependsOn": [
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/PipelineFlowSM/SMRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppLogIngestionAPIPipelineFlowSMSMRoleDefaultPolicy2CD85A6D": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:PutResourcePolicy",
"logs:DescribeLogGroups",
"logs:UpdateLogDelivery",
"logs:AssociateKmsKey",
"logs:GetLogGroupFields",
"logs:PutRetentionPolicy",
"logs:CreateLogGroup",
"logs:PutDestination",
"logs:DescribeResourcePolicies",
"logs:GetLogDelivery",
"logs:ListLogDeliveries"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"APIAppLogIngestionAPIPipelineFlowSMErrorLogGroupF2446D81",
"Arn"
]
}
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"PipelineResourcesBuilder",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"PipelineResourcesBuilder",
"Arn"
]
},
":*"
]
]
}
]
},
{
"Action": "states:StartExecution",
"Effect": "Allow",
"Resource": {
"Ref": "APICfnFlowSM2282E4F1"
}
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"APIAppLogIngestionAPIPipelineFlowSMAppIngestionFlowFn5FA5A488",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"APIAppLogIngestionAPIPipelineFlowSMAppIngestionFlowFn5FA5A488",
"Arn"
]
},
":*"
]
]
}
]
},
{
"Action": [
"logs:CreateLogDelivery",
"logs:GetLogDelivery",
"logs:UpdateLogDelivery",
"logs:DeleteLogDelivery",
"logs:ListLogDeliveries",
"logs:PutResourcePolicy",
"logs:DescribeResourcePolicies",
"logs:DescribeLogGroups"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppLogIngestionAPIPipelineFlowSMSMRoleDefaultPolicy2CD85A6D",
"Roles": [
{
"Ref": "APIAppLogIngestionAPIPipelineFlowSMSMRoleE640B852"
}
]
},
"DependsOn": [
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/PipelineFlowSM/SMRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"AppIngestionFlowSM": {
"Type": "AWS::StepFunctions::StateMachine",
"Properties": {
"DefinitionString": {
"Fn::Join": [
"",
[
"{\"StartAt\":\"Choice\",\"States\":{\"Choice\":{\"Type\":\"Choice\",\"Choices\":[{\"And\":[{\"Variable\":\"$$.Execution.Input.args.engineType\",\"StringEquals\":\"LightEngine\"},{\"Variable\":\"$$.Execution.Input.action\",\"StringEquals\":\"START\"},{\"Variable\":\"$$.Execution.Input.args.pattern\",\"StringEquals\":\"S3SourceStack\"}],\"Next\":\"Create S3 as Source ingestion for Light Engine.\"},{\"And\":[{\"Variable\":\"$$.Execution.Input.args.engineType\",\"StringEquals\":\"LightEngine\"},{\"Variable\":\"$$.Execution.Input.action\",\"StringEquals\":\"STOP\"},{\"Variable\":\"$$.Execution.Input.args.pattern\",\"StringEquals\":\"S3SourceStack\"}],\"Next\":\"Delete S3 as Source ingestion for Light Engine.\"}],\"Default\":\"CloudFormation Flow\"},\"CloudFormation Flow\":{\"Next\":\"Update Status\",\"Type\":\"Task\",\"ResultPath\":\"$.result\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::states:startExecution.waitForTaskToken\",\"Parameters\":{\"Input\":{\"token.$\":\"$$.Task.Token\",\"input.$\":\"$\"},\"StateMachineArn\":\"",
{
"Ref": "APICfnFlowSM2282E4F1"
},
"\"}},\"Update Status\":{\"End\":true,\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"InputPath\":\"$\",\"OutputPath\":\"$.Payload\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"APIAppLogIngestionAPIPipelineFlowSMAppIngestionFlowFn5FA5A488",
"Arn"
]
},
"\",\"Payload\":{\"id.$\":\"$$.Execution.Input.id\",\"engineType.$\":\"$$.Execution.Input.args.engineType\",\"pattern.$\":\"$$.Execution.Input.args.pattern\",\"action.$\":\"$$.Execution.Input.action\",\"result.$\":\"$.result\"}}},\"Create S3 as Source ingestion for Light Engine.\":{\"Next\":\"Update Status\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2},{\"ErrorEquals\":[\"States.ALL\"],\"IntervalSeconds\":60,\"MaxAttempts\":5,\"BackoffRate\":2,\"MaxDelaySeconds\":120,\"JitterStrategy\":\"FULL\"}],\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.result\",\"Next\":\"Delete ingestion when failed.\"}],\"Type\":\"Task\",\"ResultPath\":\"$.result\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"PipelineResourcesBuilder",
"Arn"
]
},
"\",\"Payload\":{\"RequestType\":\"Create\",\"ResourceProperties\":{\"Resource\":\"ingestion\",\"Id.$\":\"$$.Execution.Input.id\",\"Item\":{\"metaName.$\":\"$$.Execution.Input.id\",\"data\":{\"role\":{\"sts.$\":\"$$.Execution.Input.args.role\"},\"source\":{\"bucket.$\":\"$$.Execution.Input.args.bucket\",\"prefix.$\":\"$$.Execution.Input.args.prefix\"}},\"pipelineId.$\":\"$$.Execution.Input.args.pipelineId\"}}}}},\"Delete ingestion when failed.\":{\"Next\":\"Update Status\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":null,\"Next\":\"Update Status\"}],\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"PipelineResourcesBuilder",
"Arn"
]
},
"\",\"Payload\":{\"RequestType\":\"Delete\",\"ResourceProperties\":{\"Resource\":\"ingestion\",\"Id.$\":\"$$.Execution.Input.id\"}}}},\"Delete S3 as Source ingestion for Light Engine.\":{\"Next\":\"Update Status\",\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.result\",\"Next\":\"Update Status\"}],\"Type\":\"Task\",\"ResultPath\":\"$.result\",\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
{
"Fn::GetAtt": [
"PipelineResourcesBuilder",
"Arn"
]
},
"\",\"Payload\":{\"RequestType\":\"Delete\",\"ResourceProperties\":{\"Resource\":\"ingestion\",\"Id.$\":\"$$.Execution.Input.id\"}}}}}}"
]
]
},
"LoggingConfiguration": {
"Destinations": [
{
"CloudWatchLogsLogGroup": {
"LogGroupArn": {
"Fn::GetAtt": [
"APIAppLogIngestionAPIPipelineFlowSMErrorLogGroupF2446D81",
"Arn"
]
}
}
}
],
"Level": "ALL"
},
"RoleArn": {
"Fn::GetAtt": [
"APIAppLogIngestionAPIPipelineFlowSMSMRoleE640B852",
"Arn"
]
}
},
"DependsOn": [
"APIAppLogIngestionAPIPipelineFlowSMSMRoleDefaultPolicy2CD85A6D",
"APIAppLogIngestionAPIPipelineFlowSMSMRoleE640B852",
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/PipelineFlowSM/PipelineFlowSM/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppLogIngestionAPIAppLogIngestionHandlerServiceRoleC1143A06": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"DependsOn": [
"APIAppLogIngestionAPIFluentBitConfigDownloadingA37716D1",
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/AppLogIngestionHandler/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppLogIngestionAPIAppLogIngestionHandlerServiceRoleDefaultPolicy47B8B53B": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppPipeline",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppPipeline",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogConf",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogConf",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"Instance",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"Instance",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"Instance",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"Instance",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
"s3:DeleteObject*",
"s3:PutObject",
"s3:PutObjectLegalHold",
"s3:PutObjectRetention",
"s3:PutObjectTagging",
"s3:PutObjectVersionTagging",
"s3:Abort*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"CLLoggingBucket5F34E4EB",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"CLLoggingBucket5F34E4EB",
"Arn"
]
},
"/*"
]
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogSource",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogSource",
"Arn"
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SubAccount",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SubAccount",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"InstanceIngestionDetail",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"InstanceIngestionDetail",
"Arn"
]
}
]
},
{
"Action": "states:StartExecution",
"Effect": "Allow",
"Resource": {
"Ref": "AppIngestionFlowSM"
}
},
{
"Action": "eks:DescribeCluster",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "iam:PutRolePolicy",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":role/*-EKS-LogAgent-Role-*"
]
]
}
},
{
"Action": [
"es:DescribeElasticsearchDomain",
"es:DescribeDomain"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "s3:GetBucketNotification",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::*"
]
]
}
},
{
"Action": "ssm:GetParameter",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ssm:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":parameter/CL/FLB/*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppLogIngestionAPIAppLogIngestionHandlerServiceRoleDefaultPolicy47B8B53B",
"Roles": [
{
"Ref": "APIAppLogIngestionAPIAppLogIngestionHandlerServiceRoleC1143A06"
}
]
},
"DependsOn": [
"APIAppLogIngestionAPIFluentBitConfigDownloadingA37716D1",
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/AppLogIngestionHandler/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppLogIngestionAPIAppLogIngestionHandler607503C8": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/efcfa06ecbd90b4134da3b01a7b54de4ae3ecdfcf0e044c54dee89ba65d9479d.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - AppLogIngestion APIs Resolver"
]
]
},
"Environment": {
"Variables": {
"SSM_LOG_CONFIG_DOCUMENT_NAME": {
"Ref": "APIAppLogIngestionAPIFluentBitConfigDownloadingA37716D1"
},
"SSM_WINDOWS_LOG_CONFIG_DOCUMENT_NAME": {
"Ref": "APIAppLogIngestionAPIFluentBitConfigDownloadingForWindowsCBB21C46"
},
"CONFIG_FILE_S3_BUCKET_NAME": {
"Ref": "CLLoggingBucket5F34E4EB"
},
"CWL_MONITOR_ROLE_ARN": {
"Fn::GetAtt": [
"APICrossAccountStackCWLAccessRoleBD3C44A8",
"Arn"
]
},
"DEFAULT_OPEN_EXTRA_METADATA_FLAG": "true",
"FLUENT_BIT_EKS_CLUSTER_NAME_SPACE": "logging",
"INSTANCE_TABLE_NAME": {
"Ref": "Instance"
},
"APP_LOG_INGESTION_TABLE_NAME": {
"Ref": "AppLogIngestion"
},
"APP_PIPELINE_TABLE_NAME": {
"Ref": "AppPipeline"
},
"APP_LOG_CONFIG_TABLE_NAME": {
"Ref": "LogConf"
},
"LOG_SOURCE_TABLE_NAME": {
"Ref": "LogSource"
},
"INSTANCE_INGESTION_DETAIL_TABLE_NAME": {
"Ref": "InstanceIngestionDetail"
},
"STATE_MACHINE_ARN": {
"Ref": "AppIngestionFlowSM"
},
"EC2_IAM_INSTANCE_PROFILE_ARN": {
"Fn::GetAtt": [
"Ec2IamInstanceProfile",
"Arn"
]
},
"SUB_ACCOUNT_LINK_TABLE_NAME": {
"Ref": "SubAccount"
},
"LOG_AGENT_VPC_ID": {
"Ref": "CLVpcDefaultVPC866079B7"
},
"LOG_AGENT_SUBNETS_IDS": {
"Fn::Join": [
",",
[
{
"Ref": "CLVpcDefaultVPCprivateSubnet1SubnetADE399B7"
},
{
"Ref": "CLVpcDefaultVPCprivateSubnet2Subnet54BADF74"
}
]
]
},
"DEFAULT_CMK_ARN": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"ECS_CLUSTER_NAME": {
"Ref": "ECSClusterStackCLClusterBCB8AA1C"
},
"SOLUTION_VERSION": "v2.4.10",
"SOLUTION_ID": "SO8025",
"STACK_PREFIX": "CL",
"FLUENT_BIT_LOG_GROUP_NAME": {
"Ref": "APICloudWatchAPIFluentBitLogGroup7C2D7C61"
},
"FLUENT_BIT_IMAGE": "public.ecr.aws/aws-observability/aws-for-fluent-bit:2.32.2.20241008",
"FLB_S3_ADDR": {
"Fn::If": [
"APIAppLogIngestionAPIisCNRegion59A1FE54",
"aws-solutions-assets---s3---cn-north-1.amazonaws.com.rproxy.govskope.ca.cn",
"aws-gcr-solutions-assets.s3.amazonaws.com"
]
}
}
},
"Handler": "lambda_function.lambda_handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
},
{
"Ref": "APIAppLogIngestionAPIAppLogIngestionLayer19CDEE0D"
}
],
"MemorySize": 1024,
"Role": {
"Fn::GetAtt": [
"APIAppLogIngestionAPIAppLogIngestionHandlerServiceRoleC1143A06",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 120
},
"DependsOn": [
"APIAppLogIngestionAPIAppLogIngestionHandlerServiceRoleDefaultPolicy47B8B53B",
"APIAppLogIngestionAPIAppLogIngestionHandlerServiceRoleC1143A06",
"APIAppLogIngestionAPIFluentBitConfigDownloadingA37716D1",
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/AppLogIngestionHandler/Resource",
"aws:asset:path": "asset.efcfa06ecbd90b4134da3b01a7b54de4ae3ecdfcf0e044c54dee89ba65d9479d",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "The managed policy needs to use any resources.",
"id": "AwsSolutions-IAM5"
},
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"APIAppLogIngestionAPIEC2IngestionDistributionEventHandlerServiceRoleD8B62561": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"DependsOn": [
"APIAppLogIngestionAPIFluentBitConfigDownloadingA37716D1",
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/EC2IngestionDistributionEventHandler/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppLogIngestionAPIEC2IngestionDistributionEventHandlerServiceRoleDefaultPolicy147E7948": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
"s3:DeleteObject*",
"s3:PutObject",
"s3:PutObjectLegalHold",
"s3:PutObjectRetention",
"s3:PutObjectTagging",
"s3:PutObjectVersionTagging",
"s3:Abort*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"CLLoggingBucket5F34E4EB",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"CLLoggingBucket5F34E4EB",
"Arn"
]
},
"/*"
]
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SubAccount",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SubAccount",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"InstanceIngestionDetail",
"Arn"
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"InstanceIngestionDetail",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"Instance",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"Instance",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"Instance",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"Instance",
"Arn"
]
},
"/index/*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppLogIngestionAPIEC2IngestionDistributionEventHandlerServiceRoleDefaultPolicy147E7948",
"Roles": [
{
"Ref": "APIAppLogIngestionAPIEC2IngestionDistributionEventHandlerServiceRoleD8B62561"
}
]
},
"DependsOn": [
"APIAppLogIngestionAPIFluentBitConfigDownloadingA37716D1",
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/EC2IngestionDistributionEventHandler/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppLogIngestionAPIEC2IngestionDistributionEventHandler3AC24175": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/efcfa06ecbd90b4134da3b01a7b54de4ae3ecdfcf0e044c54dee89ba65d9479d.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Async AppLogIngestion Resolver for instance ingestion distribution event"
]
]
},
"Environment": {
"Variables": {
"SSM_LOG_CONFIG_DOCUMENT_NAME": {
"Ref": "APIAppLogIngestionAPIFluentBitConfigDownloadingA37716D1"
},
"SSM_WINDOWS_LOG_CONFIG_DOCUMENT_NAME": {
"Ref": "APIAppLogIngestionAPIFluentBitConfigDownloadingForWindowsCBB21C46"
},
"INSTANCE_INGESTION_DETAIL_TABLE_NAME": {
"Ref": "InstanceIngestionDetail"
},
"INSTANCE_TABLE_NAME": {
"Ref": "Instance"
},
"SUB_ACCOUNT_LINK_TABLE_NAME": {
"Ref": "SubAccount"
},
"SOLUTION_VERSION": "v2.4.10",
"SOLUTION_ID": "SO8025",
"FLB_S3_ADDR": {
"Fn::GetAtt": [
"CLLoggingBucket5F34E4EB",
"RegionalDomainName"
]
}
}
},
"Handler": "ec2_ingestion_distribution_event_lambda_function.lambda_handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
},
{
"Ref": "APIAppLogIngestionAPIAppLogIngestionLayer19CDEE0D"
}
],
"MemorySize": 1024,
"Role": {
"Fn::GetAtt": [
"APIAppLogIngestionAPIEC2IngestionDistributionEventHandlerServiceRoleD8B62561",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 900
},
"DependsOn": [
"APIAppLogIngestionAPIEC2IngestionDistributionEventHandlerServiceRoleDefaultPolicy147E7948",
"APIAppLogIngestionAPIEC2IngestionDistributionEventHandlerServiceRoleD8B62561",
"APIAppLogIngestionAPIFluentBitConfigDownloadingA37716D1",
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/EC2IngestionDistributionEventHandler/Resource",
"aws:asset:path": "asset.efcfa06ecbd90b4134da3b01a7b54de4ae3ecdfcf0e044c54dee89ba65d9479d",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"APIAppLogIngestionAPIFLBConfigRule1F4EF532": {
"Type": "AWS::Events::Rule",
"Properties": {
"EventPattern": {
"source": [
"aws.s3"
],
"detail-type": [
"Object Created"
],
"detail": {
"object": {
"key": [
{
"suffix": "/applog_parsers.conf"
}
]
}
}
},
"State": "ENABLED",
"Targets": [
{
"Arn": {
"Fn::GetAtt": [
"APIAppLogIngestionAPIEC2IngestionDistributionEventHandler3AC24175",
"Arn"
]
},
"Id": "Target0"
}
]
},
"DependsOn": [
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/FLBConfigRule/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppLogIngestionAPIFLBConfigRuleAllowEventRuleCentralizedLoggingAPIAppLogIngestionAPIEC2IngestionDistributionEventHandlerF50A12F0DDB4C0B7": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"Action": "lambda:InvokeFunction",
"FunctionName": {
"Fn::GetAtt": [
"APIAppLogIngestionAPIEC2IngestionDistributionEventHandler3AC24175",
"Arn"
]
},
"Principal": "events.amazonaws.com",
"SourceArn": {
"Fn::GetAtt": [
"APIAppLogIngestionAPIFLBConfigRule1F4EF532",
"Arn"
]
}
},
"DependsOn": [
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/FLBConfigRule/AllowEventRuleCentralizedLoggingAPIAppLogIngestionAPIEC2IngestionDistributionEventHandlerF50A12F0",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppLogIngestionAPIASGConfigGenerateFnServiceRole0F0F8B10": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"DependsOn": [
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/ASGConfigGenerateFn/ServiceRole/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"APIAppLogIngestionAPIASGConfigGenerateFnServiceRoleDefaultPolicyC2E2A720": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppPipeline",
"Arn"
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppPipeline",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogConf",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogConf",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogSource",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LogSource",
"Arn"
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SubAccount",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SubAccount",
"Arn"
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIAppLogIngestionAPIASGConfigGenerateFnServiceRoleDefaultPolicyC2E2A720",
"Roles": [
{
"Ref": "APIAppLogIngestionAPIASGConfigGenerateFnServiceRole0F0F8B10"
}
]
},
"DependsOn": [
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/ASGConfigGenerateFn/ServiceRole/DefaultPolicy/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIAppLogIngestionAPIASGConfigGenerateFnCBCFDFD7": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/efcfa06ecbd90b4134da3b01a7b54de4ae3ecdfcf0e044c54dee89ba65d9479d.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - EC2 Auto-Scaling Group Config APIs Resolver"
]
]
},
"Environment": {
"Variables": {
"CONFIG_FILE_S3_BUCKET_NAME": {
"Ref": "CLLoggingBucket5F34E4EB"
},
"APP_PIPELINE_TABLE_NAME": {
"Ref": "AppPipeline"
},
"APP_LOG_CONFIG_TABLE_NAME": {
"Ref": "LogConf"
},
"APP_LOG_INGESTION_TABLE_NAME": {
"Ref": "AppLogIngestion"
},
"LOG_SOURCE_TABLE_NAME": {
"Ref": "LogSource"
},
"SUB_ACCOUNT_LINK_TABLE_NAME": {
"Ref": "SubAccount"
},
"SOLUTION_VERSION": "v2.4.10",
"SOLUTION_ID": "SO8025"
}
},
"Handler": "auto_scaling_group_config_lambda_function.lambda_handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
}
],
"MemorySize": 1024,
"Role": {
"Fn::GetAtt": [
"APIAppLogIngestionAPIASGConfigGenerateFnServiceRole0F0F8B10",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 60
},
"DependsOn": [
"APIAppLogIngestionAPIASGConfigGenerateFnServiceRoleDefaultPolicyC2E2A720",
"APIAppLogIngestionAPIASGConfigGenerateFnServiceRole0F0F8B10",
"APIAppPipelineAPIAppPipelineHandler49D6FD2E",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleDefaultPolicyF4AB94D8",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleOverflowPolicy165E4EAF6",
"APIAppPipelineAPIAppPipelineHandlerServiceRoleFFDB0F81",
"APIAppPipelineAPIAppPipelineLayer84F66B91",
"APIAppPipelineAPIPipelineFlowSMAppFlowAlarmFnPolicy72872E5D",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnA6450DA7",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRoleDefaultPolicyB8405567",
"APIAppPipelineAPIPipelineFlowSMAppPipeFlowFnServiceRole5E23C95B",
"AppPipelineFlowSM",
"APIAppPipelineAPIPipelineFlowSMErrorLogGroupC5F13E0E",
"APIAppPipelineAPIPipelineFlowSMSMRoleDefaultPolicyBA9678C0",
"APIAppPipelineAPIPipelineFlowSMSMRole2674FC77",
"AppLogIngestion",
"AppPipeline",
"Instance",
"InstanceIngestionDetail",
"LogConf",
"LogSource",
"APILogConfAPILogConfHandlerAA6F8688",
"APILogConfAPILogConfHandlerServiceRoleDefaultPolicyB5B866A2",
"APILogConfAPILogConfHandlerServiceRoleC9832F1D",
"ECSClusterStackCLClusterBCB8AA1C"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/AppLogIngestionAPI/ASGConfigGenerateFn/Resource",
"aws:asset:path": "asset.efcfa06ecbd90b4134da3b01a7b54de4ae3ecdfcf0e044c54dee89ba65d9479d",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
},
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"APIPipelineAlarmAPICentralAlarmHandlerPolicy0B8E19F5": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"sns:ListTopics",
"sns:CreateTopic",
"sns:Subscribe",
"sns:Unsubscribe",
"sns:ListSubscriptionsByTopic"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"cloudwatch:PutMetricAlarm",
"cloudwatch:DeleteAlarms",
"cloudwatch:DescribeAlarms"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"kms:GenerateDataKey*",
"kms:Decrypt",
"kms:Encrypt"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:GetItem",
"dynamodb:UpdateItem"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"Metadata",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "APIPipelineAlarmAPICentralAlarmHandlerPolicy0B8E19F5",
"Roles": [
{
"Ref": "SingletonLambdaCentralAlarmHandlerSingletonServiceRole9A5E95CB"
}
]
},
"DependsOn": [
"APICloudWatchAPICloudWatchHandlerC0FECCE0",
"APICloudWatchAPICloudWatchHandlerServiceRoleDefaultPolicy894CE315",
"APICloudWatchAPICloudWatchHandlerServiceRole3CE2D967",
"APICloudWatchAPIFluentBitLogGroupFluentBitInputBytes292C92FE",
"APICloudWatchAPIFluentBitLogGroupFluentBitInputRecords2D21A88E",
"APICloudWatchAPIFluentBitLogGroupFluentBitOutputDroppedRecords4462AA02",
"APICloudWatchAPIFluentBitLogGroupFluentBitOutputErrors9097E317",
"APICloudWatchAPIFluentBitLogGroupFluentBitOutputProcBytes56192C87",
"APICloudWatchAPIFluentBitLogGroupFluentBitOutputProcRecords44BC1D63",
"APICloudWatchAPIFluentBitLogGroupFluentBitOutputRetriedRecordsDCF260F6",
"APICloudWatchAPIFluentBitLogGroupFluentBitOutputRetriesA796E074",
"APICloudWatchAPIFluentBitLogGroupFluentBitOutputRetriesFailed2F5A5A34",
"APICloudWatchAPIFluentBitLogGroup7C2D7C61"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/PipelineAlarmAPI/CentralAlarmHandlerPolicy/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W12",
"reason": "This policy needs to be able to control un-predicable sns topics"
}
]
},
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIFluentBitConfigAPIFlbLogLevelParameterCFB0EF5A": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"Description": "Set the logging verbosity level. Allowed values are: off, error, warn, info, debug and trace. Values are accumulative, e.g: if 'debug' is set, it will include error, warning, info and debug. Note that trace mode is only available if Fluent Bit was built with the WITH_TRACE option enabled.",
"Name": "/CL/FLB/log_level",
"Type": "String",
"Value": "Info"
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/FluentBitConfigAPI/FlbLogLevelParameter/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIFluentBitConfigAPIFlbFlushParameter17F01A5B": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"AllowedPattern": "[1-9]+",
"Description": "The engine loop uses a Flush timeout to define when is required to flush the records ingested by input plugins through the defined output plugins.",
"Name": "/CL/FLB/flush",
"Type": "String",
"Value": "5"
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/FluentBitConfigAPI/FlbFlushParameter/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIFluentBitConfigAPIFlbMemBufLimitParameterADCA844D": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"Description": "This option is disabled by default and can be applied to all input plugins.",
"Name": "/CL/FLB/mem_buf_limit",
"Type": "String",
"Value": "30M"
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/FluentBitConfigAPI/FlbMemBufLimitParameter/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIFluentBitConfigAPIFlbBufferChunkSizeParameter44C2D6A1": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"Description": "Set the initial buffer size to read files data. This value is used to increase buffer size.",
"Name": "/CL/FLB/buffer_chunk_size",
"Type": "String",
"Value": "512k"
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/FluentBitConfigAPI/FlbBufferChunkSizeParameter/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIFluentBitConfigAPIFlbBufferMaxSizeParameter3AA956E6": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"Description": "Set the maximum size of buffer.",
"Name": "/CL/FLB/buffer_max_size",
"Type": "String",
"Value": "5M"
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/FluentBitConfigAPI/FlbBufferMaxSizeParameter/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIFluentBitConfigAPIFlbBufferSizeParameter43144EF4": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"Description": "Set the buffer size for HTTP client when reading responses from Kubernetes API server and the buffer size to read data in INPUT plugin. A value of 0 results in no limit, and the buffer will expand as-needed.",
"Name": "/CL/FLB/buffer_size",
"Type": "String",
"Value": "0"
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/FluentBitConfigAPI/FlbBufferSizeParameter/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIFluentBitConfigAPIFlbRetryLimitParameterAF662266": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"Description": "Integer value to set the maximum number of retries allowed. When Retry_Limit is set to False, means that there is not limit for the number of retries that the Scheduler can do.",
"Name": "/CL/FLB/retry_limit",
"Type": "String",
"Value": "3"
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/FluentBitConfigAPI/FlbRetryLimitParameter/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIFluentBitConfigAPIFlbStoreDirLimitSizeParameterA1CC8116": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"Description": "This parameter is only for using S3 bucket as data buffering. The size of the limitation for disk usage in S3. Limit the amount of s3 buffers in the store_dir to limit disk usage. 0, which means unlimited. Note: Use store_dir_limit_size instead of storage.total_limit_size which can be used to other plugins, because S3 has its own buffering system.",
"Name": "/CL/FLB/store_dir_limit_size",
"Type": "String",
"Value": "500M"
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/FluentBitConfigAPI/FlbStoreDirLimitSizeParameter/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIFluentBitConfigAPIFlbStorageTypeParameter911DADA7": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"Description": "This parameter is to specifies the buffering mechanism to use. It can be memory or filesystem.",
"Name": "/CL/FLB/storage_type",
"Type": "String",
"Value": "filesystem"
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/FluentBitConfigAPI/FlbStorageTypeParameter/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIFluentBitConfigAPIFlbStorePauseOnChunksOverlimitParameterBEF76A6B": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"Description": "This parameter is to specifies if file storage is to be paused when reaching the chunk limit. Default is off",
"Name": "/CL/FLB/storage_pause_on_chunks_overlimit",
"Type": "String",
"Value": "off"
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/FluentBitConfigAPI/FlbStorePauseOnChunksOverlimitParameter/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"APIFluentBitConfigAPIFlbStorageTotalLimitSizeParameter0C80CCBD": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"Description": "This parameter is to limit the maximum number of Chunks in the filesystem for the current output logical destination. Default is 500M",
"Name": "/CL/FLB/storage_total_limit_size",
"Type": "String",
"Value": "500M"
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/API/FluentBitConfigAPI/FlbStorageTotalLimitSizeParameter/Resource",
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Lambda need get dynamic resources",
"id": "AwsSolutions-IAM5"
}
]
}
}
},
"LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/ServiceRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:PutRetentionPolicy",
"logs:DeleteRetentionPolicy"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB",
"Roles": [
{
"Ref": "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/ServiceRole/DefaultPolicy/Resource"
}
},
"LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Handler": "index.handler",
"Runtime": "nodejs22.x",
"Timeout": 900,
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/2819175352ad1ce0dae768e83fc328fb70fb5f10b4a8ff0ccbcb791f02b0716d.zip"
},
"Role": {
"Fn::GetAtt": [
"LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB",
"Arn"
]
}
},
"DependsOn": [
"LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB",
"LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/Resource",
"aws:asset:path": "asset.2819175352ad1ce0dae768e83fc328fb70fb5f10b4a8ff0ccbcb791f02b0716d",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"SingletonLambdaThrottleLambdaServiceRole5C0C89BD": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/SingletonLambdaThrottleLambda/ServiceRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"SingletonLambdaThrottleLambdaServiceRoleDefaultPolicy24037D87": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"lambda:PutFunctionConcurrency",
"lambda:GetFunctionConcurrency"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":lambda:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":function:CL-*"
]
]
}
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppPipeline",
"Arn"
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppPipeline",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SvcPipeline",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SvcPipeline",
"Arn"
]
}
]
},
{
"Action": "sns:Publish",
"Effect": "Allow",
"Resource": {
"Ref": "SendEmailTopic"
}
},
{
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "SingletonLambdaThrottleLambdaServiceRoleDefaultPolicy24037D87",
"Roles": [
{
"Ref": "SingletonLambdaThrottleLambdaServiceRole5C0C89BD"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/SingletonLambdaThrottleLambda/ServiceRole/DefaultPolicy/Resource"
}
},
"SingletonLambdaThrottleLambda3FE58086": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"ZipFile": "# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n# SPDX-License-Identifier: Apache-2.0\nimport os\nimport boto3\nimport textwrap\n\nfrom commonlib.logging import get_logger\nfrom commonlib.dao import SvcPipelineDao, AppPipelineDao\nfrom commonlib.model import StatusEnum\n\nSVC_PIPELINE_TABLE_NAME = os.environ[\"PIPELINE_TABLE_NAME\"]\nAPP_PIPELINE_TABLE_NAME = os.environ[\"APP_PIPELINE_TABLE_NAME\"]\nSNS_EMAIL_TOPIC_ARN = os.environ[\"SNS_EMAIL_TOPIC_ARN\"]\n\nlogger = get_logger(\"throttle_lambda\")\n\nsvc_pipeline_dao = SvcPipelineDao(SVC_PIPELINE_TABLE_NAME)\napp_pipeline_dao = AppPipelineDao(APP_PIPELINE_TABLE_NAME)\n\n\ndef extract_lambda_arn(event):\n account_id = event[\"accountId\"]\n region = event[\"region\"]\n function_name = None\n\n # Determine the partition based on the region\n if region.startswith(\"cn-\"):\n partition = \"aws-cn\"\n else:\n partition = \"aws\"\n\n # Iterate through the metrics to find the function name\n for metric in event[\"alarmData\"][\"configuration\"][\"metrics\"]:\n dimensions = (\n metric.get(\"metricStat\", {}).get(\"metric\", {}).get(\"dimensions\", {})\n )\n if \"FunctionName\" in dimensions:\n function_name = dimensions[\"FunctionName\"]\n break\n\n # Construct the Lambda ARN\n if function_name:\n lambda_arn = (\n f\"arn:{partition}:lambda:{region}:{account_id}:function:{function_name}\"\n )\n return lambda_arn\n else:\n return None\n\n\ndef extract_pipeline_type_pipeline_id_prefix_from_arn(arn):\n # Split the ARN string to get the last part containing the function name\n function_name_part = arn.split(\":\")[-1]\n # Split the function name part to get the desired pattern\n function_name_parts = function_name_part.split(\"-\")\n if len(function_name_parts) > 2:\n return function_name_parts[1], function_name_parts[2]\n return None\n\n\ndef get_lambda_concurrency(lambda_arn):\n # Create a boto3 client for Lambda\n client = boto3.client(\"lambda\")\n\n # Get the Lambda function concurrency\n response = client.get_function_concurrency(FunctionName=lambda_arn)\n return response.get(\"ReservedConcurrentExecutions\")\n\n\ndef throttle_lambda(lambda_arn):\n # Extract the region from the Lambda ARN\n arn_parts = lambda_arn.split(\":\")\n region = arn_parts[3]\n\n # Create a boto3 client for Lambda in the correct region\n client = boto3.client(\"lambda\", region_name=region)\n\n # Set the concurrency limit to 0\n response = client.put_function_concurrency(\n FunctionName=lambda_arn, ReservedConcurrentExecutions=0\n )\n\n return response\n\n\ndef send_sns_message(topic_arn, message, subject=None):\n # Create an SNS client\n sns_client = boto3.client(\"sns\")\n\n # Prepare the parameters for the publish action\n params = {\"TopicArn\": topic_arn, \"Message\": message}\n if subject:\n params[\"Subject\"] = subject\n\n # Publish the message to the SNS topic\n response = sns_client.publish(**params)\n\n return response\n\n\ndef handler(event, _):\n logger.info(event)\n\n lambda_arn = extract_lambda_arn(event)\n if not lambda_arn:\n logger.warn(f\"Unable to extract lambda arn from event: {event}\")\n return\n\n result = extract_pipeline_type_pipeline_id_prefix_from_arn(lambda_arn)\n if not result:\n logger.warn(\n f\"Unable to extract pipeline type and pipeline id prefix from arn: {lambda_arn}\"\n )\n return\n\n pipe_type, pipe_id_prefix = result\n pipe_type = pipe_type.lower()\n\n concurrency = get_lambda_concurrency(lambda_arn)\n\n if \"app\" in pipe_type:\n pipelines = app_pipeline_dao.find_id_begins_with(pipe_id_prefix)\n if pipelines:\n p = pipelines[0]\n app_pipeline_dao.update_log_processor_last_concurrency(\n p.pipelineId, concurrency\n )\n else:\n pipelines = svc_pipeline_dao.find_id_begins_with(pipe_id_prefix)\n if pipelines:\n p = pipelines[0]\n svc_pipeline_dao.update_log_processor_last_concurrency(p.id, concurrency)\n\n throttle_lambda(lambda_arn)\n\n def _do_send_email(pipeline_id: str):\n send_sns_message(\n SNS_EMAIL_TOPIC_ARN,\n subject=\"[Action needed] Your log analytics pipeline has been paused\",\n message=textwrap.dedent(\n \"\"\"\\\n Dear,\n This notification is to inform you that your log analytics pipeline ({}) has been paused. This action was automatically taken because the error rate in the log processing has exceeded the threshold.\n To investigate why your pipeline has been paused, please visit the Metrics and Logging page. This page provides detailed insights and metrics that can help you identify and address the underlying issues.\n For more information, please visit the FAQ https://docs.aws.amazon.com/solutions/latest/centralized-logging-with-opensearch/frequently-asked-questions.html and Troubleshooting https://docs.aws.amazon.com/solutions/latest/centralized-logging-with-opensearch/troubleshooting.html sections on the implementation guide.\n Best Regards,\n Centralized Logging with OpenSearch solution\n \"\"\".format(\n pipeline_id\n )\n ),\n )\n\n if \"app\" in pipe_type:\n pipelines = app_pipeline_dao.find_id_begins_with(pipe_id_prefix)\n if pipelines:\n p = pipelines[0]\n app_pipeline_dao.update_app_pipeline(p.pipelineId, status=StatusEnum.PAUSED)\n _do_send_email(p.pipelineId)\n else:\n pipelines = svc_pipeline_dao.find_id_begins_with(pipe_id_prefix)\n if pipelines:\n p = pipelines[0]\n svc_pipeline_dao.update_svc_pipeline(p.id, status=StatusEnum.PAUSED)\n _do_send_email(p.id)\n"
},
"Environment": {
"Variables": {
"SOLUTION_ID": "SO8025",
"SOLUTION_VERSION": "v2.4.10",
"PIPELINE_TABLE_NAME": {
"Ref": "SvcPipeline"
},
"APP_PIPELINE_TABLE_NAME": {
"Ref": "AppPipeline"
},
"APP_LOG_INGESTION_TABLE_NAME": {
"Ref": "AppLogIngestion"
},
"METADATA_TABLE_NAME": {
"Ref": "Metadata"
},
"SNS_EMAIL_TOPIC_ARN": {
"Ref": "SendEmailTopic"
},
"DEPLOYMENT_UUID": {
"Fn::If": [
"AnonymousDatatoAWS",
{
"Fn::GetAtt": [
"SolutionMetricsCreateUniqueIDA4248A30",
"UUID"
]
},
""
]
},
"SEND_ANONYMIZED_USAGE_DATA": {
"Fn::FindInMap": [
"AnonymousData",
"SendAnonymizedUsageData",
"Data"
]
}
}
},
"Handler": "index.handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
}
],
"MemorySize": 128,
"Role": {
"Fn::GetAtt": [
"SingletonLambdaThrottleLambdaServiceRole5C0C89BD",
"Arn"
]
},
"Runtime": "python3.11"
},
"DependsOn": [
"SingletonLambdaThrottleLambdaServiceRoleDefaultPolicy24037D87",
"SingletonLambdaThrottleLambdaServiceRole5C0C89BD"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/SingletonLambdaThrottleLambda/Resource",
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"SingletonLambdaThrottleLambdaInvokeFromCWAlarmE664BB92": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"Action": "lambda:InvokeFunction",
"FunctionName": {
"Fn::GetAtt": [
"SingletonLambdaThrottleLambda3FE58086",
"Arn"
]
},
"Principal": "lambda.alarms.cloudwatch.amazonaws.com",
"SourceArn": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":cloudwatch:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":alarm:CL*"
]
]
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/SingletonLambdaThrottleLambda/InvokeFromCWAlarm"
}
},
"SingletonLambdaCentralAlarmHandlerSingletonServiceRole9A5E95CB": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/SingletonLambdaCentralAlarmHandlerSingleton/ServiceRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"SingletonLambdaCentralAlarmHandlerSingletonServiceRoleDefaultPolicy3DC16EA0": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SvcPipeline",
"Arn"
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SvcPipeline",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"Metadata",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"Metadata",
"Arn"
]
}
]
},
{
"Action": "kms:Decrypt",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppPipeline",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppPipeline",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
"/index/*"
]
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"AppLogIngestion",
"Arn"
]
},
"/index/*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "SingletonLambdaCentralAlarmHandlerSingletonServiceRoleDefaultPolicy3DC16EA0",
"Roles": [
{
"Ref": "SingletonLambdaCentralAlarmHandlerSingletonServiceRole9A5E95CB"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/SingletonLambdaCentralAlarmHandlerSingleton/ServiceRole/DefaultPolicy/Resource"
}
},
"SingletonLambdaCentralAlarmHandlerSingleton6BC08E08": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/360a260a07ff88b0ac610e7db380325e67874a991f3df0c3530f52f171e16877.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Helper function to automated create and delete app pipeline alarm"
]
]
},
"Environment": {
"Variables": {
"SOLUTION_ID": "SO8025",
"STACK_PREFIX": "CL",
"SOLUTION_VERSION": "v2.4.10",
"THROTTLE_LAMBDA_ARN": {
"Fn::GetAtt": [
"SingletonLambdaThrottleLambda3FE58086",
"Arn"
]
},
"PIPELINE_TABLE_NAME": {
"Ref": "SvcPipeline"
},
"APP_PIPELINE_TABLE_NAME": {
"Ref": "AppPipeline"
},
"APP_LOG_INGESTION_TABLE_NAME": {
"Ref": "AppLogIngestion"
},
"METADATA_TABLE_NAME": {
"Ref": "Metadata"
},
"SNS_EMAIL_TOPIC_ARN": {
"Ref": "SendEmailTopic"
},
"DEPLOYMENT_UUID": {
"Fn::If": [
"AnonymousDatatoAWS",
{
"Fn::GetAtt": [
"SolutionMetricsCreateUniqueIDA4248A30",
"UUID"
]
},
""
]
},
"SEND_ANONYMIZED_USAGE_DATA": {
"Fn::FindInMap": [
"AnonymousData",
"SendAnonymizedUsageData",
"Data"
]
}
}
},
"Handler": "lambda_function.lambda_handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
}
],
"MemorySize": 512,
"Role": {
"Fn::GetAtt": [
"SingletonLambdaCentralAlarmHandlerSingletonServiceRole9A5E95CB",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 60
},
"DependsOn": [
"SingletonLambdaCentralAlarmHandlerSingletonServiceRoleDefaultPolicy3DC16EA0",
"SingletonLambdaCentralAlarmHandlerSingletonServiceRole9A5E95CB"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/SingletonLambdaCentralAlarmHandlerSingleton/Resource",
"aws:asset:path": "asset.360a260a07ff88b0ac610e7db380325e67874a991f3df0c3530f52f171e16877",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"WebConsoleResponseHeadersPolicyF269B104": {
"Type": "AWS::CloudFront::ResponseHeadersPolicy",
"Properties": {
"ResponseHeadersPolicyConfig": {
"Comment": "Security Headers Policy",
"Name": {
"Fn::Join": [
"",
[
"SecHdr",
{
"Ref": "AWS::Region"
},
{
"Ref": "AWS::StackName"
}
]
]
},
"SecurityHeadersConfig": {
"ContentSecurityPolicy": {
"ContentSecurityPolicy": {
"Fn::Join": [
"",
[
"default-src 'self'; upgrade-insecure-requests; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' ",
{
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"GraphQLUrl"
]
},
" https://cognito-idp.",
{
"Ref": "AWS::Region"
},
".amazonaws.com/"
]
]
},
"Override": true
},
"ContentTypeOptions": {
"Override": true
},
"FrameOptions": {
"FrameOption": "DENY",
"Override": true
},
"ReferrerPolicy": {
"Override": true,
"ReferrerPolicy": "no-referrer"
},
"StrictTransportSecurity": {
"AccessControlMaxAgeSec": 47304000,
"IncludeSubdomains": true,
"Override": true
},
"XSSProtection": {
"ModeBlock": true,
"Override": true,
"Protection": true
}
}
}
},
"DependsOn": [
"KMSCMK4146988D"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/WebConsole/ResponseHeadersPolicy/Resource"
}
},
"WebConsoleUIS3LoggingBucketB4121520": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": true
},
"VersioningConfiguration": {
"Status": "Enabled"
}
},
"DependsOn": [
"KMSCMK4146988D"
],
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/WebConsole/UI/S3LoggingBucket/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W35",
"reason": "This S3 bucket is used as the access logging bucket for another bucket"
}
]
}
}
},
"WebConsoleUIS3LoggingBucketPolicyC1FA1A91": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "WebConsoleUIS3LoggingBucketB4121520"
},
"PolicyDocument": {
"Statement": [
{
"Action": "s3:*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Resource": [
{
"Fn::GetAtt": [
"WebConsoleUIS3LoggingBucketB4121520",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"WebConsoleUIS3LoggingBucketB4121520",
"Arn"
]
},
"/*"
]
]
}
]
},
{
"Action": "s3:PutObject",
"Condition": {
"ArnLike": {
"aws:SourceArn": {
"Fn::GetAtt": [
"WebConsoleUIS3Bucket22191F5E",
"Arn"
]
}
},
"StringEquals": {
"aws:SourceAccount": {
"Ref": "AWS::AccountId"
}
}
},
"Effect": "Allow",
"Principal": {
"Service": "logging.s3.amazonaws.com"
},
"Resource": {
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"WebConsoleUIS3LoggingBucketB4121520",
"Arn"
]
},
"/*"
]
]
}
},
{
"Action": "s3:PutObject",
"Condition": {
"StringEquals": {
"aws:SourceAccount": {
"Ref": "AWS::AccountId"
}
},
"ArnLike": {
"aws:SourceArn": {
"Fn::GetAtt": [
"CLLoggingBucket5F34E4EB",
"Arn"
]
}
}
},
"Effect": "Allow",
"Principal": {
"Service": "logging.s3.amazonaws.com"
},
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::",
{
"Ref": "WebConsoleUIS3LoggingBucketB4121520"
},
"/*"
]
]
}
}
],
"Version": "2012-10-17"
}
},
"DependsOn": [
"KMSCMK4146988D"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/WebConsole/UI/S3LoggingBucket/Policy/Resource"
}
},
"WebConsoleUIS3Bucket22191F5E": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "Private",
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
},
"LifecycleConfiguration": {
"Rules": [
{
"NoncurrentVersionTransitions": [
{
"StorageClass": "GLACIER",
"TransitionInDays": 90
}
],
"Status": "Enabled"
}
]
},
"LoggingConfiguration": {
"DestinationBucketName": {
"Ref": "WebConsoleUIS3LoggingBucketB4121520"
}
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": true
},
"Tags": [
{
"Key": "aws-cdk:cr-owned:12bf69e6",
"Value": "true"
}
],
"VersioningConfiguration": {
"Status": "Enabled"
}
},
"DependsOn": [
"KMSCMK4146988D"
],
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/WebConsole/UI/S3Bucket/Resource"
}
},
"WebConsoleUIS3BucketPolicy662E41AC": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "WebConsoleUIS3Bucket22191F5E"
},
"PolicyDocument": {
"Statement": [
{
"Action": "s3:*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Resource": [
{
"Fn::GetAtt": [
"WebConsoleUIS3Bucket22191F5E",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"WebConsoleUIS3Bucket22191F5E",
"Arn"
]
},
"/*"
]
]
}
]
},
{
"Action": "s3:GetObject",
"Condition": {
"StringEquals": {
"AWS:SourceArn": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":cloudfront::",
{
"Ref": "AWS::AccountId"
},
":distribution/",
{
"Ref": "WebConsoleUICloudFrontDistributionB74BEDBA"
}
]
]
}
}
},
"Effect": "Allow",
"Principal": {
"Service": "cloudfront.amazonaws.com"
},
"Resource": {
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"WebConsoleUIS3Bucket22191F5E",
"Arn"
]
},
"/*"
]
]
}
}
],
"Version": "2012-10-17"
}
},
"DependsOn": [
"KMSCMK4146988D"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/WebConsole/UI/S3Bucket/Policy/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "F16",
"reason": "Public website bucket policy requires a wildcard principal"
}
]
}
}
},
"WebConsoleUICloudfrontLoggingBucketAccessLogDBD66D43": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": true
},
"VersioningConfiguration": {
"Status": "Enabled"
}
},
"DependsOn": [
"KMSCMK4146988D"
],
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/WebConsole/UI/CloudfrontLoggingBucketAccessLog/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W35",
"reason": "This S3 bucket is used as the access logging bucket for another bucket"
}
]
}
}
},
"WebConsoleUICloudfrontLoggingBucketAccessLogPolicy62E0908C": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "WebConsoleUICloudfrontLoggingBucketAccessLogDBD66D43"
},
"PolicyDocument": {
"Statement": [
{
"Action": "s3:*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Resource": [
{
"Fn::GetAtt": [
"WebConsoleUICloudfrontLoggingBucketAccessLogDBD66D43",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"WebConsoleUICloudfrontLoggingBucketAccessLogDBD66D43",
"Arn"
]
},
"/*"
]
]
}
]
},
{
"Action": "s3:PutObject",
"Condition": {
"ArnLike": {
"aws:SourceArn": {
"Fn::GetAtt": [
"WebConsoleUICloudfrontLoggingBucketB9D4F512",
"Arn"
]
}
},
"StringEquals": {
"aws:SourceAccount": {
"Ref": "AWS::AccountId"
}
}
},
"Effect": "Allow",
"Principal": {
"Service": "logging.s3.amazonaws.com"
},
"Resource": {
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"WebConsoleUICloudfrontLoggingBucketAccessLogDBD66D43",
"Arn"
]
},
"/*"
]
]
}
}
],
"Version": "2012-10-17"
}
},
"DependsOn": [
"KMSCMK4146988D"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/WebConsole/UI/CloudfrontLoggingBucketAccessLog/Policy/Resource"
}
},
"WebConsoleUICloudfrontLoggingBucketB9D4F512": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "LogDeliveryWrite",
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
},
"LoggingConfiguration": {
"DestinationBucketName": {
"Ref": "WebConsoleUICloudfrontLoggingBucketAccessLogDBD66D43"
}
},
"OwnershipControls": {
"Rules": [
{
"ObjectOwnership": "ObjectWriter"
}
]
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": true
},
"VersioningConfiguration": {
"Status": "Enabled"
}
},
"DependsOn": [
"KMSCMK4146988D"
],
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/WebConsole/UI/CloudfrontLoggingBucket/Resource"
}
},
"WebConsoleUICloudfrontLoggingBucketPolicy157635EE": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "WebConsoleUICloudfrontLoggingBucketB9D4F512"
},
"PolicyDocument": {
"Statement": [
{
"Action": "s3:*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Resource": [
{
"Fn::GetAtt": [
"WebConsoleUICloudfrontLoggingBucketB9D4F512",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"WebConsoleUICloudfrontLoggingBucketB9D4F512",
"Arn"
]
},
"/*"
]
]
}
]
}
],
"Version": "2012-10-17"
}
},
"DependsOn": [
"KMSCMK4146988D"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/WebConsole/UI/CloudfrontLoggingBucket/Policy/Resource"
}
},
"WebConsoleUICloudFrontOac16AD2480": {
"Type": "AWS::CloudFront::OriginAccessControl",
"Properties": {
"OriginAccessControlConfig": {
"Description": "Origin access control provisioned by aws-cloudfront-s3",
"Name": {
"Fn::Join": [
"",
[
"aws-cloudfront-s3-UI-",
{
"Fn::Select": [
2,
{
"Fn::Split": [
"/",
{
"Ref": "AWS::StackId"
}
]
}
]
}
]
]
},
"OriginAccessControlOriginType": "s3",
"SigningBehavior": "always",
"SigningProtocol": "sigv4"
}
},
"DependsOn": [
"KMSCMK4146988D"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/WebConsole/UI/CloudFrontOac"
}
},
"WebConsoleUICloudFrontDistributionB74BEDBA": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"Comment": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Web Console Distribution (",
{
"Ref": "AWS::Region"
},
")"
]
]
},
"CustomErrorResponses": [
{
"ErrorCode": 403,
"ResponseCode": 200,
"ResponsePagePath": "/index.html"
}
],
"DefaultCacheBehavior": {
"CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
"Compress": true,
"ResponseHeadersPolicyId": {
"Ref": "WebConsoleResponseHeadersPolicyF269B104"
},
"TargetOriginId": "CentralizedLoggingWebConsoleUICloudFrontDistributionOrigin174507CD3",
"ViewerProtocolPolicy": "redirect-to-https"
},
"DefaultRootObject": "index.html",
"Enabled": true,
"HttpVersion": "http2",
"IPV6Enabled": false,
"Logging": {
"Fn::If": [
"WebConsoleisOpsInRegion82F77355",
{
"Ref": "AWS::NoValue"
},
{
"Bucket": {
"Fn::GetAtt": [
"WebConsoleUICloudfrontLoggingBucketB9D4F512",
"RegionalDomainName"
]
}
}
]
},
"Origins": [
{
"DomainName": {
"Fn::GetAtt": [
"WebConsoleUIS3Bucket22191F5E",
"RegionalDomainName"
]
},
"Id": "CentralizedLoggingWebConsoleUICloudFrontDistributionOrigin174507CD3",
"OriginAccessControlId": {
"Fn::GetAtt": [
"WebConsoleUICloudFrontOac16AD2480",
"Id"
]
},
"S3OriginConfig": {
"OriginAccessIdentity": ""
}
}
],
"PriceClass": "PriceClass_All"
}
},
"DependsOn": [
"KMSCMK4146988D"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/WebConsole/UI/CloudFrontDistribution/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W70",
"reason": "Since the distribution uses the CloudFront domain name, CloudFront automatically sets the security policy to TLSv1 regardless of the value of MinimumProtocolVersion"
}
]
},
"cdk_nag": {
"rules_to_suppress": [
{
"reason": "Use case does not warrant CloudFront Geo restriction",
"id": "AwsSolutions-CFR1"
},
{
"reason": "Use case does not warrant CloudFront integration with AWS WAF",
"id": "AwsSolutions-CFR2"
},
{
"reason": "CloudFront automatically sets the security policy to TLSv1 when the distribution uses the CloudFront domain name",
"id": "AwsSolutions-CFR4"
},
{
"reason": "Origin Access control is not supported in China Partition",
"id": "AwsSolutions-CFR7"
}
]
}
}
},
"WebConsoleDeployWebAssetsAwsCliLayer3FA62AE8": {
"Type": "AWS::Lambda::LayerVersion",
"Properties": {
"Content": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/e2659170a0721541efa761a8d5d04d5e36cbbf691c4b15a9053002b7c825055d.zip"
},
"Description": "/opt/awscli/aws"
},
"DependsOn": [
"KMSCMK4146988D"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/WebConsole/DeployWebAssets/AwsCliLayer/Resource",
"aws:asset:path": "asset.e2659170a0721541efa761a8d5d04d5e36cbbf691c4b15a9053002b7c825055d.zip",
"aws:asset:is-bundled": false,
"aws:asset:property": "Content"
}
},
"WebConsoleDeployWebAssetsCustomResource512MiB1D37EAFE": {
"Type": "Custom::CDKBucketDeployment",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C512MiB6723FB92",
"Arn"
]
},
"SourceBucketNames": [
{
"Fn::Sub": "solutions-${AWS::Region}"
}
],
"SourceObjectKeys": [
"centralized-logging-with-opensearch/v2.4.10/7b1054aa83252aa2f41a3a793bbc8ab1767983c2ca61d3660d6971982e15ba9f.zip"
],
"DestinationBucketName": {
"Ref": "WebConsoleUIS3Bucket22191F5E"
},
"WaitForDistributionInvalidation": true,
"Prune": false,
"OutputObjectKeys": true
},
"DependsOn": [
"KMSCMK4146988D"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/WebConsole/DeployWebAssets/CustomResource-512MiB/Default"
}
},
"CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C512MiBServiceRoleBA21DBC1": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C512MiB/ServiceRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C512MiBServiceRoleDefaultPolicy96C3E726": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::",
{
"Fn::Sub": "solutions-${AWS::Region}"
}
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::",
{
"Fn::Sub": "solutions-${AWS::Region}"
},
"/*"
]
]
}
]
},
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
"s3:DeleteObject*",
"s3:PutObject",
"s3:PutObjectLegalHold",
"s3:PutObjectRetention",
"s3:PutObjectTagging",
"s3:PutObjectVersionTagging",
"s3:Abort*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"WebConsoleUIS3Bucket22191F5E",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"WebConsoleUIS3Bucket22191F5E",
"Arn"
]
},
"/*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C512MiBServiceRoleDefaultPolicy96C3E726",
"Roles": [
{
"Ref": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C512MiBServiceRoleBA21DBC1"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C512MiB/ServiceRole/DefaultPolicy/Resource"
}
},
"CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C512MiB6723FB92": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/3423a042b818e31c1e34a19d6689ab2e5f9b70fcbe9e71df66f241b20a200bd9.zip"
},
"Environment": {
"Variables": {
"AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
}
},
"Handler": "index.handler",
"Layers": [
{
"Ref": "WebConsoleDeployWebAssetsAwsCliLayer3FA62AE8"
}
],
"MemorySize": 512,
"Role": {
"Fn::GetAtt": [
"CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C512MiBServiceRoleBA21DBC1",
"Arn"
]
},
"Runtime": "python3.13",
"Timeout": 900
},
"DependsOn": [
"CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C512MiBServiceRoleDefaultPolicy96C3E726",
"CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C512MiBServiceRoleBA21DBC1"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C512MiB/Resource",
"aws:asset:path": "asset.3423a042b818e31c1e34a19d6689ab2e5f9b70fcbe9e71df66f241b20a200bd9",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"CognitoLogDeliveryConfiguration": {
"Type": "AWS::Cognito::LogDeliveryConfiguration",
"Properties": {
"LogConfigurations": [
{
"EventSource": "userAuthEvents",
"LogLevel": "INFO",
"S3Configuration": {
"BucketArn": {
"Fn::GetAtt": [
"CLLoggingBucket5F34E4EB",
"Arn"
]
}
}
}
],
"UserPoolId": {
"Ref": "CLAuthUserPool7BDCEF8D"
}
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CognitoLogDeliveryConfiguration"
}
},
"CRInitConfigServiceRoleDFC9F0D4": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CR/InitConfig/ServiceRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"CRInitConfigServiceRoleDefaultPolicyA16E6A70": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"cloudfront:GetInvalidation",
"cloudfront:CreateInvalidation"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":cloudfront::",
{
"Ref": "AWS::AccountId"
},
":distribution/",
{
"Ref": "WebConsoleUICloudFrontDistributionB74BEDBA"
}
]
]
}
},
{
"Action": [
"s3:PutBucketLogging",
"s3:GetBucketLogging"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::",
{
"Ref": "CLLoggingBucket5F34E4EB"
}
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::",
{
"Ref": "StagingBucket"
}
]
]
}
]
},
{
"Action": [
"es:DescribeDomainConfig",
"es:UpdateDomainConfig"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"kms:DescribeCustomKeyStores",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"OpenSearchDomain",
"Arn"
]
}
]
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"OpenSearchDomain",
"Arn"
]
}
]
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectLegalHold",
"s3:PutObjectRetention",
"s3:PutObjectTagging",
"s3:PutObjectVersionTagging",
"s3:Abort*"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"WebConsoleUIS3Bucket22191F5E",
"Arn"
]
},
"/*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "CRInitConfigServiceRoleDefaultPolicyA16E6A70",
"Roles": [
{
"Ref": "CRInitConfigServiceRoleDFC9F0D4"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CR/InitConfig/ServiceRole/DefaultPolicy/Resource"
}
},
"CRInitConfig61C535DA": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/f646d2b6b6ed4e4b5eb3afef20f6423e8447675ba12071cb4077a80dcf539647.zip"
},
"Description": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
" - Init Config Handler"
]
]
},
"Environment": {
"Variables": {
"WEB_BUCKET_NAME": {
"Ref": "WebConsoleUIS3Bucket22191F5E"
},
"OPENSEARCH_MASTER_ROLE_ARN": {
"Fn::GetAtt": [
"OpenSearchMasterRole8E762096",
"Arn"
]
},
"OPENSEARCH_DOMAIN_TABLE": {
"Ref": "OpenSearchDomain"
},
"API_ENDPOINT": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"GraphQLUrl"
]
},
"OIDC_PROVIDER": "",
"OIDC_CLIENT_ID": "",
"OIDC_CUSTOMER_DOMAIN": "",
"CLOUDFRONT_URL": {
"Fn::GetAtt": [
"WebConsoleUICloudFrontDistributionB74BEDBA",
"DomainName"
]
},
"CLOUDFRONT_DISTRIBUTION_ID": {
"Ref": "WebConsoleUICloudFrontDistributionB74BEDBA"
},
"AUTHENTICATION_TYPE": "AMAZON_COGNITO_USER_POOLS",
"USER_POOL_ID": {
"Ref": "CLAuthUserPool7BDCEF8D"
},
"USER_POOL_CLIENT_ID": {
"Ref": "CLAuthAPIClientABDADF79"
},
"DEFAULT_LOGGING_BUCKET": {
"Ref": "CLLoggingBucket5F34E4EB"
},
"STAGING_BUCKET": {
"Ref": "StagingBucket"
},
"DEFAULT_CMK_ARN": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
},
"SOLUTION_VERSION": "v2.4.10",
"TEMPLATE_OUTPUT_BUCKET": {
"Fn::If": [
"IsChinaPartition",
"solutions-reference-cn",
"solutions-reference"
]
},
"TEMPLATE_BASE_URL": {
"Fn::If": [
"IsChinaPartition",
"https://solutions-reference-cn---s3---cn-north-1.amazonaws.com.rproxy.govskope.ca.cn",
"https://solutions-reference.s3.amazonaws.com"
]
},
"SOLUTION_NAME": "centralized-logging-with-opensearch",
"ACCESS_LOGGING_BUCKET": {
"Ref": "WebConsoleUIS3LoggingBucketB4121520"
},
"SNS_EMAIL_TOPIC_ARN": {
"Ref": "SendEmailTopic"
}
}
},
"Handler": "lambda_function.lambda_handler",
"Layers": [
{
"Ref": "SharedPythonLayer40DE0AAD"
}
],
"MemorySize": 128,
"Role": {
"Fn::GetAtt": [
"CRInitConfigServiceRoleDFC9F0D4",
"Arn"
]
},
"Runtime": "python3.11",
"Timeout": 300
},
"DependsOn": [
"CRInitConfigServiceRoleDefaultPolicyA16E6A70",
"CRInitConfigServiceRoleDFC9F0D4"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CR/InitConfig/Resource",
"aws:asset:path": "asset.f646d2b6b6ed4e4b5eb3afef20f6423e8447675ba12071cb4077a80dcf539647",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"CRCRLambdaProviderframeworkonEventServiceRoleB119EBA4": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CR/CRLambdaProvider/framework-onEvent/ServiceRole/Resource",
"guard": {
"SuppressedRules": [
"IAM_NO_INLINE_POLICY_CHECK",
"IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
"CFN_NO_EXPLICIT_RESOURCE_NAMES"
]
}
}
},
"CRCRLambdaProviderframeworkonEventServiceRoleDefaultPolicyD212139B": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"CRInitConfig61C535DA",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"CRInitConfig61C535DA",
"Arn"
]
},
":*"
]
]
}
]
},
{
"Action": "lambda:GetFunction",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"CRInitConfig61C535DA",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "CRCRLambdaProviderframeworkonEventServiceRoleDefaultPolicyD212139B",
"Roles": [
{
"Ref": "CRCRLambdaProviderframeworkonEventServiceRoleB119EBA4"
}
]
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CR/CRLambdaProvider/framework-onEvent/ServiceRole/DefaultPolicy/Resource"
}
},
"CRCRLambdaProviderframeworkonEvent2D47754F": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "solutions-${AWS::Region}"
},
"S3Key": "centralized-logging-with-opensearch/v2.4.10/07a90cc3efdfc34da22208dcd9d211f06f5b0e01b21e778edc7c3966b1f61d57.zip"
},
"Description": "AWS CDK resource provider framework - onEvent (CentralizedLogging/CR/CRLambdaProvider)",
"Environment": {
"Variables": {
"USER_ON_EVENT_FUNCTION_ARN": {
"Fn::GetAtt": [
"CRInitConfig61C535DA",
"Arn"
]
}
}
},
"Handler": "framework.onEvent",
"LoggingConfig": {
"Fn::If": [
"AWSCNCondition",
{
"Ref": "AWS::NoValue"
},
{
"LogFormat": "JSON",
"ApplicationLogLevel": "FATAL"
}
]
},
"Role": {
"Fn::GetAtt": [
"CRCRLambdaProviderframeworkonEventServiceRoleB119EBA4",
"Arn"
]
},
"Runtime": "nodejs22.x",
"Timeout": 900
},
"DependsOn": [
"CRCRLambdaProviderframeworkonEventServiceRoleDefaultPolicyD212139B",
"CRCRLambdaProviderframeworkonEventServiceRoleB119EBA4"
],
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CR/CRLambdaProvider/framework-onEvent/Resource",
"aws:asset:path": "asset.07a90cc3efdfc34da22208dcd9d211f06f5b0e01b21e778edc7c3966b1f61d57",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code",
"guard": {
"SuppressedRules": [
"LAMBDA_INSIDE_VPC",
"LAMBDA_CONCURRENCY_CHECK"
]
}
}
},
"CRCRLambdaDFCBCB5E": {
"Type": "AWS::CloudFormation::CustomResource",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"CRCRLambdaProviderframeworkonEvent2D47754F",
"Arn"
]
},
"service": "Lambda",
"action": "invoke",
"parameters": {
"FunctionName": {
"Ref": "CRInitConfig61C535DA"
},
"InvocationType": "Event"
},
"physicalResourceId": {
"id": "1776767323573"
}
},
"DependsOn": [
"CRInitConfig61C535DA",
"CRInitConfigServiceRoleDefaultPolicyA16E6A70",
"CRInitConfigServiceRoleDFC9F0D4"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CR/CRLambda/Default"
}
},
"CDKMetadata": {
"Type": "AWS::CDK::Metadata",
"Properties": {
"Analytics": "v2:deflate64:H4sIAAAAAAAA/31V33PbNgz+W/LOsDlnu9vjXDlJfXVWxUrTRx9MwTJrilQJ0J5Pp/99R0qWnHbbi/h9AAzjF8GZbGe/38m7GzjRrSoPt0ZvZVswqIPIdjYHDzUy+kieoWm0rSLMnC01a2cFnGjTaqhlu3YGoy6duTNanZOLHj2DhQrLSf6LYGmJwSrMvdtpg50wUG9LkO1jsCr9V7azI17BGf0behoU73ihbWWQ3WT+cETLhQte4VUa/y7N0deaoqNO0P2mBSJkkvN4iBIb4841WpYfgzogL0ZBtJZtL/0IhKKH0eWA+mNK+Zp3QrnKanay/Uroc+dMNBnxBWRGo+Vr1a+SeI4/WLgatL1WT5KVqxZo9BH9OXN2p6vggVPixlUk25WrnrwLzWDb45Wr1shoU2Gfkb1Wj9pchuSKdwLVTLZvjYqatzwTedgarYqwtX1dJrR2gfEVtv0M9fJJNidySsNlCpIiNXCZx+Mv4CdgPMFZ5F4fgXFyvLSM3uJo0EcysDkzqH1snng07rRyaQAucDB6a9SDLRun+yK/5dlIC1TBaz6PRfp/wdJWHok6cahJtp8xRfMZz7FQJNvMBBrKOMBO0A+S7UvAkPLtQfpOU3RFO0FUx/vrta3eXd53ZOFU6CcWeI8WZLaz35w/9FGXZwu1K7eyHfuRQCfIkmxfXaNTQ3tQhC0pr5tLb655J4ix2Q2XkGT7CNqIgoHxGdRe277Z1/wZGpHtnVYovoFmUQSlEMufPG0Y6ECynafwCwbPLwH9+eFvVGHYD3F5LO3RHVAsUkZ54CVjPbCvTQmMSVBYSoNJe1EwNpelQcnv6LIT0DR0tkq2Tx6a/Q8zb3SMP7GX1XtWqD3WID4xNwtg6JdMqv3E1kjOHPuWjLgPfLLqBKHyyFSnhellWyQ+DJdH7gTGPRYHaGfXwaCIn04o40K5886ybNdIjbOEnxBK9DQNz38qvnhdaTtXCokyZ9k7Ixaa2OttuPT6mnedSBuyYKjSIg3Ero5pXTIfsUqqjR947OOJfrLPvTvqMt6AaxdfAjeBh5dhY+LO38CJlNEyujA6PQOd+OM3eXfzZ3zTyJkUHt0qZ4l9UEwf0mM3VueW7mUW2WNkr66474R1Jcrv9OE4m8nZTN7dfCetb32wrGuU6/78B9mN4Lo9BwAA"
},
"Metadata": {
"aws:cdk:path": "CentralizedLogging/CDKMetadata/Default"
},
"Condition": "CDKMetadataAvailable"
}
},
"Outputs": {
"PublicSubnets": {
"Description": "Public subnets",
"Value": {
"Fn::Join": [
"",
[
{
"Ref": "CLVpcDefaultVPCpublicSubnet1Subnet48A8A6B1"
},
",",
{
"Ref": "CLVpcDefaultVPCpublicSubnet2Subnet66EEC41E"
}
]
]
}
},
"PrivateSubnets": {
"Description": "Private subnets",
"Value": {
"Fn::Join": [
"",
[
{
"Ref": "CLVpcDefaultVPCprivateSubnet1SubnetADE399B7"
},
",",
{
"Ref": "CLVpcDefaultVPCprivateSubnet2Subnet54BADF74"
}
]
]
}
},
"IsolatedSubnets": {
"Description": "Isolated Subnets",
"Value": {
"Fn::Join": [
"",
[
{
"Ref": "CLVpcDefaultVPCisolatedSubnet1Subnet251FE10A"
},
",",
{
"Ref": "CLVpcDefaultVPCisolatedSubnet2Subnet9961324A"
}
]
]
}
},
"DefaultVpcId": {
"Description": "Default VPC ID",
"Value": {
"Ref": "CLVpcDefaultVPC866079B7"
}
},
"ProxySecurityGroupId": {
"Description": "Public Proxy Security Group",
"Value": {
"Fn::GetAtt": [
"ProxySecurityGroup",
"GroupId"
]
}
},
"ProcessSecurityGroupId": {
"Description": "Log Processing Security Group",
"Value": {
"Fn::GetAtt": [
"ProcessSecurityGroup",
"GroupId"
]
}
},
"OpenSearchSecurityGroupId": {
"Description": "OpenSearch Security Group",
"Value": {
"Fn::GetAtt": [
"OpenSearchSecurityGroup",
"GroupId"
]
}
},
"VpcId": {
"Description": "Vpc Id",
"Value": {
"Ref": "CLVpcDefaultVPC866079B7"
}
},
"PrivateSubnetIds": {
"Description": "Private Subnet Ids",
"Value": {
"Fn::Join": [
",",
[
{
"Ref": "CLVpcDefaultVPCprivateSubnet1SubnetADE399B7"
},
{
"Ref": "CLVpcDefaultVPCprivateSubnet2Subnet54BADF74"
}
]
]
}
},
"PrivateSecurityGroupId": {
"Description": "Private Security Group Id",
"Value": {
"Fn::GetAtt": [
"PrivateSecurityGroup",
"GroupId"
]
},
"Export": {
"Name": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
"::PrivateSecurityGroupId"
]
]
}
}
},
"CMKeyArn": {
"Description": "CMKey Arn",
"Value": {
"Fn::GetAtt": [
"KMSCMK4146988D",
"Arn"
]
}
},
"StagingBucketName": {
"Description": "Staging Bucket Name",
"Value": {
"Ref": "StagingBucket"
},
"Export": {
"Name": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
"::StagingBucketName"
]
]
}
}
},
"CentralizedDatabaseArn": {
"Description": "Centralized Database Arn",
"Value": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":glue:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":database/amazon_cl_centralized"
]
]
}
},
"KMSPublicAccessPolicyArn": {
"Description": "KMS Public Access Policy Arn",
"Value": {
"Ref": "KMSPublicAccessPolicy"
},
"Export": {
"Name": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
"::KMSPublicAccessPolicyArn"
]
]
}
}
},
"AthenaPublicAccessRoleArn": {
"Description": "Athena Public Access Role Arn",
"Value": {
"Fn::GetAtt": [
"AthenaPublicAccessRole",
"Arn"
]
},
"Export": {
"Name": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
"::AthenaPublicAccessRoleArn"
]
]
}
}
},
"MetadataTableArn": {
"Description": "Metadata Table Arn",
"Value": {
"Fn::GetAtt": [
"Metadata",
"Arn"
]
},
"Export": {
"Name": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
"::MetadataTableArn"
]
]
}
}
},
"SendEmailTopicArn": {
"Description": "Send Email Topic Arn",
"Value": {
"Ref": "SendEmailTopic"
},
"Export": {
"Name": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
"::SendEmailTopicArn"
]
]
}
}
},
"LambdaUtilsLayerArn": {
"Description": "Lambda Utils Layer Arn",
"Value": {
"Ref": "LambdaUtilsLayer"
}
},
"LambdaEnrichmentLayerArn": {
"Description": "Lambda Enrichment Layer Arn",
"Value": {
"Ref": "LambdaEnrichmentLayer"
}
},
"PipelineResourcesBuilderRoleArn": {
"Description": "Pipeline Resources Builder Role Arn",
"Value": {
"Fn::GetAtt": [
"PipelineResourcesBuilderRole",
"Arn"
]
},
"Export": {
"Name": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
"::PipelineResourcesBuilderRoleArn"
]
]
}
}
},
"PipelineResourcesBuilderArn": {
"Description": "Pipeline Resources Builder Arn",
"Value": {
"Fn::GetAtt": [
"PipelineResourcesBuilder",
"Arn"
]
},
"Export": {
"Name": {
"Fn::Join": [
"",
[
{
"Ref": "AWS::StackName"
},
"::PipelineResourcesBuilderArn"
]
]
}
}
},
"GraphQLAPIEndpoint": {
"Description": "GraphQL API Endpoint (back-end)",
"Value": {
"Fn::GetAtt": [
"APIAppSyncStackAPI12A83B84",
"GraphQLUrl"
]
}
},
"DefaultLoggingBucket": {
"Description": "Default S3 Buckets to store logs",
"Value": {
"Ref": "CLLoggingBucket5F34E4EB"
}
},
"WebConsoleUrl": {
"Description": "Web Console URL (front-end)",
"Value": {
"Fn::GetAtt": [
"WebConsoleUICloudFrontDistributionB74BEDBA",
"DomainName"
]
}
}
},
"Rules": {}
}