AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
# Folded block scalar: the two lines below are joined with a space at load time.
Description: >
  A serverless scheduled job to report aggregated project AWS usage costs
  across accounts and post to a Slack channel each week.
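Parameters:
  TenantsRoleArn:
    Type: String
    Description: ARN for role to Get Cost and Usage from Tenants account.
  SlackWebhookUrl:
    Type: String
    # A Slack incoming-webhook URL lets anyone holding it post to the channel,
    # so treat it as a credential: NoEcho masks the value in the console,
    # DescribeStacks output and change sets. It is still written into the
    # SlackWebhookUrlSecret resource below, which is where the function reads it.
    NoEcho: true
    Description: Incoming webhook for Slack channel to publish report to.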
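Resources:
  # Weekly cost-report job: queries Cost Explorer (optionally in a second
  # account via TenantsRoleArn), then publishes to Slack.
  ProjectCostsFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: get_costs/
      Handler: app.lambda_handler
      # NOTE(review): python3.8 is past Lambda end-of-support; schedule a runtime
      # upgrade once the handler and its dependencies are verified on a newer one.
      Runtime: python3.8
      Timeout: 20  # CostExplorer query can run long sometimes.
      # Layers:
      #   - !Ref PipDependenciesLayer
      Policies:
        - Statement:
            # Cost Explorer actions do not support resource-level permissions,
            # so "*" is the narrowest resource that works for this action.
            - Sid: GetCostAndUsage
              Effect: Allow
              Action:
                - ce:GetCostAndUsage
              Resource: "*"
            # Scoped to the single role passed in as a parameter.
            - Sid: AssumeTenantsRole
              Effect: Allow
              Action:
                - sts:AssumeRole
              Resource: !Ref TenantsRoleArn
            # NOTE(review): region and account id are hard-coded in this ARN. If
            # the target bus is in the deploying account, prefer
            # !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/default
            # so the template is portable; leave as-is only if this is deliberately
            # cross-account — confirm with the owner.
            - Sid: PublishEvent
              Effect: Allow
              Action: events:PutEvents
              Resource: arn:aws:events:us-west-2:405338390729:event-bus/default
            # Read access limited to the one secret this stack creates.
            - Sid: ReadSlackWebhookUrlSecret
              Effect: Allow
              Action:
                - secretsmanager:GetSecretValue
              Resource:
                - !Ref SlackWebhookUrlSecret
        - SNSPublishMessagePolicy:
            TopicName: !GetAtt SnsTopic.TopicName
      Environment:
        Variables:
          TENANTS_ROLE_ARN: !Ref TenantsRoleArn
          # The webhook is handed to the function as a secret reference (Ref of a
          # Secrets Manager secret), not as a plaintext environment variable.
          SLACK_WEBHOOK_URL_SECRET: !Ref SlackWebhookUrlSecret
      Events:
        RecurrenceEvent:
          Type: Schedule
          Properties:
            # EventBridge cron expressions are evaluated in UTC: every Monday at
            # 13:00 UTC (the original "7:00 AM" note assumes a UTC-6 offset).
            Schedule: cron(0 13 ? * MON *)
            Enabled: true
  # PipDependenciesLayer:
  #   Type: AWS::Serverless::LayerVersion
  #   Properties:
  #     ContentUri: .aws-sam/deps
  #     CompatibleRuntimes:
  #       - python3.8
  # Topic that receives the function's success payload; the HTTPS subscriber
  # hostname suggests an AWS Chatbot relay to Slack — confirm in that console.
  SnsTopic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: Project Blue Cost Report
      Subscription:
        - Endpoint: https://global.sns-api.chatbot.amazonaws.com
          Protocol: https
      TopicName: !Ref AWS::StackName
  # Asynchronous-invocation destination: successful invocations of $LATEST are
  # delivered to SnsTopic. No OnFailure destination is configured, so failed
  # runs are only visible in the function's logs/metrics.
  LambdaSnsDestination:
    Type: AWS::Lambda::EventInvokeConfig
    Properties:
      FunctionName: !Ref ProjectCostsFunction
      Qualifier: "$LATEST"
      DestinationConfig:
        OnSuccess:
          Destination: !Ref SnsTopic
  # NOTE(review): the secret value is sourced from a stack parameter, so it
  # transits CloudFormation (template submission, change sets). Marking the
  # parameter NoEcho limits exposure; provisioning the secret out of band and
  # passing only its ARN would remove it from the stack entirely.
  SlackWebhookUrlSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub ${AWS::StackName}-SlackWebHookUrl
      SecretString: !Ref SlackWebhookUrl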
Outputs:
  Function:
    Description: 'Lambda Function ARN'
    Value: !GetAtt ProjectCostsFunction.Arn
  FunctionIamRole:
    # ProjectCostsFunctionRole is not declared above; it is the execution role
    # SAM creates implicitly for ProjectCostsFunction.
    Description: 'Implicit IAM Role created for function'
    Value: !GetAtt ProjectCostsFunctionRole.Arn