139 lines
3.5 KiB
YAML
139 lines
3.5 KiB
YAML
|
AWSTemplateFormatVersion: "2010-09-09"
|
||
|
|
|
||
|
|
Description: "SNS Topic and tools to fan out alerts to email and or Slack"
|
||
|
|
|
||
|
|
Conditions:
|
||
|
|
|
||
|
|
IsSetEmail:
|
||
|
|
Fn::Not:
|
||
|
|
- Fn::Equals:
|
||
|
|
- Ref: AlertEmail
|
||
|
|
- ""
|
||
|
|
IsSetSlack:
|
||
|
|
Fn::Not:
|
||
|
|
- Fn::Equals:
|
||
|
|
- Ref: AlertSlackWebHook
|
||
|
|
- ""
|
||
|
|
|
||
|
|
Resources:
|
||
|
|
|
||
|
|
AlertHubTopic:
|
||
|
|
Type: AWS::SNS::Topic
|
||
|
|
Properties:
|
||
|
|
TopicName: AlertHub
|
||
|
|
|
||
|
|
# Email
|
||
|
|
EmailAlertsSubscription:
|
||
|
|
Type: AWS::SNS::Subscription
|
||
|
|
Condition: IsSetEmail
|
||
|
|
Properties:
|
||
|
|
Endpoint: { Ref: AlertEmail }
|
||
|
|
Protocol: email
|
||
|
|
TopicArn: { Ref: AlertHubTopic }
|
||
|
|
|
||
|
|
# Slack
|
||
|
|
SlackAlertsSubscription:
|
||
|
|
Type: AWS::SNS::Subscription
|
||
|
|
Condition: IsSetSlack
|
||
|
|
Properties:
|
||
|
|
Endpoint: {"Fn::GetAtt": ["SNSAlertHubFunction", "Arn"] }
|
||
|
|
Protocol: lambda
|
||
|
|
TopicArn: { Ref: AlertHubTopic }
|
||
|
|
|
||
|
|
IamRole:
|
||
|
|
Type: AWS::IAM::Role
|
||
|
|
Condition: IsSetSlack
|
||
|
|
Properties:
|
||
|
|
Policies:
|
||
|
|
- PolicyName: ResolveAccountAlias
|
||
|
|
PolicyDocument:
|
||
|
|
Version: '2012-10-17'
|
||
|
|
Statement:
|
||
|
|
- Effect: Allow
|
||
|
|
Action:
|
||
|
|
- iam:ListAccountAliases
|
||
|
|
Resource:
|
||
|
|
- "*"
|
||
|
|
|
||
|
|
- PolicyName: LogtoCloudwatchGroup
|
||
|
|
PolicyDocument:
|
||
|
|
Version: '2012-10-17'
|
||
|
|
Statement:
|
||
|
|
- Effect: Allow
|
||
|
|
Action:
|
||
|
|
- logs:CreateLogStream
|
||
|
|
- logs:PutLogEvents
|
||
|
|
Resource:
|
||
|
|
- Fn::Sub: "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/SNSAlertHub:log-stream:*"
|
||
|
|
- Effect: Allow
|
||
|
|
Action:
|
||
|
|
- logs:CreateLogGroup
|
||
|
|
Resource:
|
||
|
|
- Fn::Sub: "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/SNSAlertHub:*"
|
||
|
|
|
||
|
|
AssumeRolePolicyDocument:
|
||
|
|
Version: '2012-10-17'
|
||
|
|
Statement:
|
||
|
|
- Action:
|
||
|
|
- sts:AssumeRole
|
||
|
|
Effect: Allow
|
||
|
|
Principal:
|
||
|
|
Service: [ lambda.amazonaws.com ]
|
||
|
|
|
||
|
|
SNSAlertHubAllowed2Lambda:
|
||
|
|
Type: AWS::Lambda::Permission
|
||
|
|
Condition: IsSetSlack
|
||
|
|
Properties:
|
||
|
|
Action: lambda:InvokeFunction
|
||
|
|
Principal: sns.amazonaws.com
|
||
|
|
FunctionName: { Ref: SNSAlertHubFunction }
|
||
|
|
SourceArn: { Ref: AlertHubTopic }
|
||
|
|
|
||
|
|
SNSAlertHubFunction:
|
||
|
|
Type: AWS::Lambda::Function
|
||
|
|
Condition: IsSetSlack
|
||
|
|
Properties:
|
||
|
|
PackageType: Image
|
||
|
|
Code:
|
||
|
|
ImageUri: { "Fn::Sub": "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${ImageTag}" }
|
||
|
|
Description: "Lambda function to forward alerts from SNS to Slack"
|
||
|
|
FunctionName: SNSAlertHub
|
||
|
|
MemorySize: 128
|
||
|
|
Role: { "Fn::GetAtt": ["IamRole", "Arn"] }
|
||
|
|
Timeout: 10
|
||
|
|
Environment:
|
||
|
|
Variables:
|
||
|
|
WEBHOOK_URL: { Ref: AlertSlackWebHook }
|
||
|
|
# DEBUG: "1"
|
||
|
|
|
||
|
|
Metadata:
|
||
|
|
Template:
|
||
|
|
Name: sns-alert-hub
|
||
|
|
Hash: 98fcf521f053f7412a90ce360ab62807
|
||
|
|
AwsCfnLib: v0.2.1
|
||
|
|
CloudBender:
|
||
|
|
Version: 0.9.9
|
||
|
|
|
||
|
|
Parameters:
|
||
|
|
|
||
|
|
ImageTag:
|
||
|
|
Type: String
|
||
|
|
Description: "(Optional) Overwrite default ImageTag"
|
||
|
|
Default: "sns-alert-hub:v0.5.8"
|
||
|
|
|
||
|
|
AlertEmail:
|
||
|
|
Type: String
|
||
|
|
Description: "(Optional) Email address to receive alerts via SMTP"
|
||
|
|
Default: ""
|
||
|
|
|
||
|
|
AlertSlackWebHook:
|
||
|
|
Type: String
|
||
|
|
Description: "(Optional) Encrypted (KMS Default key) Slack webhook to post alerts; deploys Slack Lambda function"
|
||
|
|
Default: ""
|
||
|
|
NoEcho: True
|
||
|
|
|
||
|
|
Outputs:
|
||
|
|
|
||
|
|
AlertHubTopic:
|
||
|
|
Value: { Ref: AlertHubTopic }
|
||
|
|
Description: ARN of the SNS AlertHub Topic
|