kfs_resources.yaml
---

KFS Environment CloudFormation Deployment

This CloudFormation template is for external KFS resources.

NOTE: This should be used for resources that do not need to be re-deployed often, because any stack that imports values from this one must be destroyed before this stack can be re-deployed. Currently it only provides the SNS topics and subscriptions for unhealthy-host counts on the ELB.

NOTE: The Python code for the SNS Lambda function is stored in the S3 bucket kfs-prod-cloudformation-deployment.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: KFS Stack resources
```

Parameters

These are the input parameters for this template. All of these parameters must be supplied for this template to be deployed.

```yaml
Parameters:
```

The S3 bucket name where the Lambda function lives. Just the bucket name, not the sub folder; the sub folder is given by the next parameter.

```yaml
  LambdaSNSFunctionS3Bucket:
    Description: S3 Bucket containing the Lambda functions. Just the bucket name, not a full ARN.
    Default: kfs-prod-cloudformation-deployment
    Type: String
```

S3 sub folder path to the zip file containing the code.

```yaml
  LambdaSNSFunctionS3Path:
    Description: Bucket key for the Lambda function, i.e. 'lambda-base'
    Default: lambda
    Type: String
```

Tagging information

```yaml
  TagService:
    Type: String
    Description: Exact name of the Service as defined in the service catalog.
    Default: UAccess Financials
  TagEnvironment:
    Type: String
    Description: Used to distinguish between development, test, production, etc. environment types.
    AllowedValues: [dev, tst, prd, trn, stg, sup]
    Default: prd
  TagContactNetid:
    Type: String
    Description: Used to identify the netid of the person most familiar with the usage of the resource.
    Default: mhirst
  TagAccountNumber:
    Type: String
    Description: Identifies the financial system account number.
    Default: '1192620'
  TagSubAccount:
    Type: String
    Description: Identifies the financial system's sub account, which contains a name that identifies a collection of services.
    Default: 12AWS
  TagName:
    Type: String
    Description: Used by Amazon to display a default name in the AWS console
    Default: UAccess Financials CloudWatch Alarm and Lambda
  TagCreatedBy:
    Type: String
    Description: Who created this resource
  TagTicketNumber:
    Type: String
    Description: Jira ticket number that references this resource
```

Resources

These are all of the AWS resources/services needed by this template

```yaml
Resources:
```

This Lambda function receives an SNS event and parses out the message, then formats an email and sends it to whoever we want. This avoids having to add multiple email addresses to the SNS topic manually.

```yaml
  SNSLambdaFunction:
    Type: AWS::Lambda::Function
    DependsOn:
      - SleepDelay
    Properties:
      # Be sure to update the handler with the correct file name and function name!
      Handler: lambda_function.lambda_handler
      Description: Handle SNS email notifications for KFS
      Role: !GetAtt LambdaExecutionRole.Arn
      Code:
        S3Bucket: !Ref LambdaSNSFunctionS3Bucket
        S3Key: !Sub "${LambdaSNSFunctionS3Path}/lambda_function.py.zip"
        # Uncomment to pin the deployment to one object version in the versioned bucket:
        # S3ObjectVersion: "5LB6Ufz5qI3F60TlbwYxh29ibGlCkAt0"
      Runtime: python3.7
      Timeout: 30
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: contactnetid
          Value: !Ref TagContactNetid
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: subaccount
          Value: !Ref TagSubAccount
        - Key: name
          Value: !Ref TagName
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
```
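An added example of what the `lambda_function.lambda_handler` named in the Handler above could look like; this is illustrative code, not the function stored in the S3 bucket. It unpacks the CloudWatch alarm JSON carried in the SNS message, refuses records from topics other than the two this stack creates, and sends a plain-text email through SES. The topic ARNs, sender and recipient addresses and the SAMPLE_EVENT are constructed assumptions.

```python
import json
import os

# Only handle notifications from the topics this stack subscribes the function to
# (constructed placeholder ARNs; the real ones are the stack's topic ARNs).
ALLOWED_TOPICS = {
    "arn:aws:sns:us-west-2:123456789012:kfs-prd-topic-lb",
    "arn:aws:sns:us-west-2:123456789012:rice-prd-topic-lb",
}
SENDER = os.environ.get("SENDER", "kfs-alerts@example.edu")                  # assumed
RECIPIENTS = os.environ.get("RECIPIENTS", "kfs-ops@example.edu").split(",")  # assumed

# Constructed sample of what SNS delivers when a CloudWatch alarm changes state.
SAMPLE_EVENT = {"Records": [{"Sns": {
    "TopicArn": "arn:aws:sns:us-west-2:123456789012:kfs-prd-topic-lb",
    "Message": json.dumps({
        "AlarmName": "kfs-prd-unhealthy-hosts", "NewStateValue": "ALARM",
        "NewStateReason": "Threshold Crossed: 1 datapoint (2.0) was >= 1.0",
        "StateChangeTime": "2020-01-01T00:00:00.000+0000",
        "Trigger": {"MetricName": "UnHealthyHostCount"}})}}]}


def parse_alarm(record):
    """Pull the fields worth emailing out of one SNS record carrying a CloudWatch alarm."""
    sns = record["Sns"]
    if sns.get("TopicArn") not in ALLOWED_TOPICS:
        raise ValueError("unexpected topic: %s" % sns.get("TopicArn"))
    alarm = json.loads(sns["Message"])  # CloudWatch sends the alarm as a JSON string
    return {"name": alarm["AlarmName"], "state": alarm["NewStateValue"],
            "reason": alarm["NewStateReason"], "metric": alarm["Trigger"]["MetricName"],
            "time": alarm["StateChangeTime"]}


def build_email(alarm):
    """Plain-text subject and body; no HTML, so nothing from the alarm is rendered as markup."""
    subject = "[KFS %s] %s" % (alarm["state"], alarm["name"])
    body = "\n".join("%s: %s" % (k, v) for k, v in alarm.items())
    return subject, body


def lambda_handler(event, context, ses_client=None):
    """Entry point named by the template's Handler; ses_client is injectable for tests."""
    if ses_client is None:
        import boto3  # present in the Lambda runtime; not needed to run this offline
        ses_client = boto3.client("ses")
    sent = 0
    for record in event.get("Records", []):
        subject, body = build_email(parse_alarm(record))
        ses_client.send_email(Source=SENDER, Destination={"ToAddresses": RECIPIENTS},
                              Message={"Subject": {"Data": subject},
                                       "Body": {"Text": {"Data": body}}})
        sent += 1
    return {"sent": sent}
```

The Lambda permissions below already restrict which topics may invoke the function; the in-code topic check additionally rejects a hand-crafted event delivered by direct invocation.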

Sleep Delay

This 'resource' calls a foundation Lambda function that simply sleeps for 30 seconds. This ensures that the LambdaExecutionRole has been fully created before the Lambda function itself is created.

```yaml
  SleepDelay:
    Type: Custom::SleepDelay
    DependsOn:
      - LambdaExecutionRole
    Properties:
      ServiceToken: !ImportValue foundation-SleepDelayFunction-arn
```

CloudWatch Logs Group

Create a CloudWatch Log Group for this Lambda function to log to. This allows us to set the retention timeframe.

```yaml
  LambdaLogGroup:
    Type: "AWS::Logs::LogGroup"
    DependsOn:
      - SNSLambdaFunction
    Properties:
      LogGroupName: !Sub "/aws/lambda/${SNSLambdaFunction}"
      RetentionInDays: 7
```

Lambda Execution Role

This is the IAM role that Lambda assumes when executing this function. Anything the Lambda function needs to do with AWS must be allowed here.

```yaml
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: s3policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: s3policy
                Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:ListBucket
                # s3:ListBucket is evaluated against the bucket ARN itself, so the
                # bucket must be listed alongside the object wildcard.
                Resource:
                  - !Sub "arn:aws:s3:::${LambdaSNSFunctionS3Bucket}"
                  - !Sub "arn:aws:s3:::${LambdaSNSFunctionS3Bucket}/*"
        - PolicyName: cloudwatch-logs-access
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Let this Lambda fn create a log group if needed
              - Sid: cloudwatchloggroup
                Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:Describe*
                Resource:
                  - "*"
              # Let this Lambda fn write logs to its own group
              - Sid: cloudwatchlogsput
                Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource:
                  - "*"
        - PolicyName: ses-send-email
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Let this Lambda send email through SES
              - Sid: amiLookup
                Effect: Allow
                Action:
                  - ses:SendEmail
                Resource:
                  - "*"
```

Lambda Invocation Permission

This allows SNS to invoke this Lambda function, but only from the two topics named in SourceArn.

```yaml
  PermissionForEventsToInvokeLambdaKFS:
    Type: "AWS::Lambda::Permission"
    Properties:
      FunctionName: !Ref SNSLambdaFunction
      Action: "lambda:InvokeFunction"
      Principal: "sns.amazonaws.com"
      SourceArn: !Ref KFSPRDSNSTopic
  PermissionForEventsToInvokeLambdaRice:
    Type: "AWS::Lambda::Permission"
    Properties:
      FunctionName: !Ref SNSLambdaFunction
      Action: "lambda:InvokeFunction"
      Principal: "sns.amazonaws.com"
      SourceArn: !Ref RicePRDSNSTopic
```

SNS Subscription for CloudWatch Alerts

This creates a subscription on the KFS SNS Topic.

```yaml
  KFSPRDSNSSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      Endpoint: !GetAtt SNSLambdaFunction.Arn
      Protocol: lambda
      TopicArn: !Ref KFSPRDSNSTopic
```

SNS Subscription for CloudWatch Alerts

This creates a subscription on the Rice SNS Topic.

```yaml
  RicePRDSNSSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      Endpoint: !GetAtt SNSLambdaFunction.Arn
      Protocol: lambda
      TopicArn: !Ref RicePRDSNSTopic
```

SNS For KFS

SNS Topic for the KFS load balancer.

```yaml
  KFSPRDSNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: "kfs-prd-topic-lb"
      DisplayName: "kfs-prd-topic-lb"
```

SNS For Rice

SNS Topic for the Rice load balancer.

```yaml
  RicePRDSNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: "rice-prd-topic-lb"
      DisplayName: "rice-prd-topic-lb"
```

SNS Subscription for Lambda

This creates a subscription for this Lambda function on the KFS and Rice PRD topics.

```yaml
  LambdaSNSSubscriptionKFS:
    Type: AWS::SNS::Subscription
    Properties:
      Endpoint: !GetAtt SNSLambdaFunction.Arn
      Protocol: lambda
      TopicArn: !Ref KFSPRDSNSTopic
  LambdaSNSSubscriptionRice:
    Type: AWS::SNS::Subscription
    Properties:
      Endpoint: !GetAtt SNSLambdaFunction.Arn
      Protocol: lambda
      TopicArn: !Ref RicePRDSNSTopic
```

Outputs

Output values that can be viewed from the AWS CloudFormation console.

```yaml
Outputs:
  SNSKFSPRDInfo:
    Description: The name of the PRD KFS SNS topic
    Value: !Ref KFSPRDSNSTopic
    Export:
      Name: !Sub "${AWS::StackName}-SNS-KFSPRD"
  SNSRICEPRDInfo:
    Description: The name of the PRD RICE SNS topic
    Value: !Ref RicePRDSNSTopic
    Export:
      Name: !Sub "${AWS::StackName}-SNS-RICEPRD"
  SNSLambdaFunction:
    Description: The name of the SNS Lambda function
    Value: !Ref SNSLambdaFunction
  LambdaARN:
    Description: The ARN of the Lambda execution role
    Value: !GetAtt LambdaExecutionRole.Arn
  LambdaRole:
    Description: The name of the Lambda execution role
    Value: !Ref LambdaExecutionRole
```