feat(core): Deploy sns to enable cloud watch events and notifications (#360)

naveenkoppula · web-flow · commit 49fff99eb8d6 · 2020-08-28T15:27:06.000+05:30
diff --git a/reference-artifacts/master-config-sample-snippets/sample_snippets.json b/reference-artifacts/master-config-sample-snippets/sample_snippets.json
@@ -22,6 +22,16 @@ Config File Examples:  {Not in sample config file}
         "kinesis-stream-shard-count": 1
       }
     },
+****************SNS Topics ignore regions and adding subscription emails for topic subscriptions*********
+****************By default we create High,Medium,Low,Ignore SNS topics with out subscribers**************
+    "central-log-services": {
+      "sns-excl-regions": ["sa-east-1"],
+      "sns-subscription-emails": {
+        "High": ["notify+high@example.com"],
+        "Low": ["notify+low@example.com"],
+        "Medium": ["notify+medium@example.com"]
+      }
+    }
 ************************************cert REQUEST format
       "certificates": [
         {
diff --git a/src/deployments/cdk/src/apps/phase--1.ts b/src/deployments/cdk/src/apps/phase--1.ts
@@ -1,5 +1,5 @@
 import { PhaseInput } from './shared';
-import * as customResourceRoles from '../deployments/iam';
+import * as globalRoles from '../deployments/iam';
 
 /**
  * This is the main entry point to deploy phase -1.
@@ -15,44 +15,51 @@ import * as customResourceRoles from '../deployments/iam';
  */
 export async function deploy({ acceleratorConfig, accountStacks, accounts }: PhaseInput) {
   // creates roles for macie custom resources
-  await customResourceRoles.createMacieRoles({
+  await globalRoles.createMacieRoles({
     accountStacks,
     config: acceleratorConfig,
   });
 
   // creates roles for guardDuty custom resources
-  await customResourceRoles.createGuardDutyRoles({
+  await globalRoles.createGuardDutyRoles({
     accountStacks,
     config: acceleratorConfig,
   });
 
   // creates roles for securityHub custom resources
-  await customResourceRoles.createSecurityHubRoles({
+  await globalRoles.createSecurityHubRoles({
     accountStacks,
     accounts,
   });
 
   // Creates roles for IamCreateRole custom resource
-  await customResourceRoles.createIamRole({
+  await globalRoles.createIamRole({
     accountStacks,
     accounts,
   });
 
   // Creates roles for createSSMDocument custom resource
-  await customResourceRoles.createSSMDocumentRoles({
+  await globalRoles.createSSMDocumentRoles({
     accountStacks,
     accounts,
     config: acceleratorConfig,
   });
 
   // Creates roles for createLogGroup custom resource
-  await customResourceRoles.createLogGroupRole({
+  await globalRoles.createLogGroupRole({
     accountStacks,
     accounts,
   });
 
   // Creates roles for createCwlSubscriptionFilter custom resource
-  await customResourceRoles.createCwlAddSubscriptionFilterRoles({
+  await globalRoles.createCwlAddSubscriptionFilterRoles({
+    accountStacks,
+    accounts,
+    config: acceleratorConfig,
+  });
+
+  // Creates role for SnsSubscriberLambda function
+  await globalRoles.createSnsSubscriberLambdaRole({
     accountStacks,
     accounts,
     config: acceleratorConfig,
diff --git a/src/deployments/cdk/src/apps/phase-2.ts b/src/deployments/cdk/src/apps/phase-2.ts
@@ -24,6 +24,7 @@ import * as tgwDeployment from '../deployments/transit-gateway';
 import * as macie from '../deployments/macie';
 import * as centralServices from '../deployments/central-services';
 import * as guardDutyDeployment from '../deployments/guardduty';
+import * as snsDeployment from '../deployments/sns';
 
 /**
  * This is the main entry point to deploy phase 2.
@@ -288,6 +289,15 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
       accounts,
       outputs,
     });
+
+    /**
+     * Creating required SNS Topics in Log accont if baseline is Organizations
+     */
+    await snsDeployment.step1({
+      accountStacks,
+      config: acceleratorConfig,
+      outputs,
+    });
   }
 
   const logBucket = accountBuckets[acceleratorConfig['global-options']['central-log-services'].account];
diff --git a/src/deployments/cdk/src/deployments/iam/index.ts b/src/deployments/cdk/src/deployments/iam/index.ts
@@ -9,3 +9,4 @@ export * from './ssm-document-roles';
 export * from './log-group-role';
 export * from './cwl-central-logging-roles';
 export * from './cwl-add-subscription-filter-role';
+export * from './sns-subscriber-lambda-role';
diff --git a/src/deployments/cdk/src/deployments/iam/sns-subscriber-lambda-role.ts b/src/deployments/cdk/src/deployments/iam/sns-subscriber-lambda-role.ts
@@ -0,0 +1,46 @@
+import * as c from '@aws-accelerator/common-config/src';
+import * as iam from '@aws-cdk/aws-iam';
+import { AccountStacks } from '../../common/account-stacks';
+import { createRoleName } from '@aws-accelerator/cdk-accelerator/src/core/accelerator-name-generator';
+import { CfnIamRoleOutput } from './outputs';
+import { Account } from '../../utils/accounts';
+
+export interface CreateSnsSubscriberLambdaRoleProps {
+  accountStacks: AccountStacks;
+  config: c.AcceleratorConfig;
+  accounts: Account[];
+}
+
+export async function createSnsSubscriberLambdaRole(props: CreateSnsSubscriberLambdaRoleProps): Promise<void> {
+  const { accountStacks, config } = props;
+  const centralLoggingServices = config['global-options']['central-log-services'];
+  const accountStack = accountStacks.tryGetOrCreateAccountStack(
+    centralLoggingServices.account,
+    centralLoggingServices.region,
+  );
+  if (!accountStack) {
+    console.error(
+      `Not able to create stack for "${centralLoggingServices.account}" while creating role for CWL Central logging`,
+    );
+    return;
+  }
+
+  // Create IAM Role for reading logs from stream and push to destination
+  const role = new iam.Role(accountStack, 'SnsSubscriberLambdaRole', {
+    roleName: createRoleName('SnsSubscriberLambda'),
+    assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+  });
+
+  role.addToPrincipalPolicy(
+    new iam.PolicyStatement({
+      actions: ['sns:Publish', 'logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'],
+      resources: ['*'],
+    }),
+  );
+
+  new CfnIamRoleOutput(accountStack, `SnsSubscriberLambdaOutput`, {
+    roleName: role.roleName,
+    roleArn: role.roleArn,
+    roleKey: 'SnsSubscriberLambda',
+  });
+}
diff --git a/src/deployments/cdk/src/deployments/sns/index.ts b/src/deployments/cdk/src/deployments/sns/index.ts
@@ -0,0 +1,2 @@
+export * from './outputs';
+export * from './step-1';
diff --git a/src/deployments/cdk/src/deployments/sns/outputs.ts b/src/deployments/cdk/src/deployments/sns/outputs.ts
@@ -0,0 +1,5 @@
+import * as t from 'io-ts';
+import { createCfnStructuredOutput } from '../../common/structured-output';
+import { SnsTopicOutput } from '@aws-accelerator/common-outputs/src/sns-topic';
+
+export const CfnSnsTopicOutput = createCfnStructuredOutput(SnsTopicOutput);
diff --git a/src/deployments/cdk/src/deployments/sns/step-1.ts b/src/deployments/cdk/src/deployments/sns/step-1.ts
@@ -0,0 +1,126 @@
+import * as c from '@aws-accelerator/common-config';
+import { AccountStacks } from '../../common/account-stacks';
+import * as sns from '@aws-cdk/aws-sns';
+import { createSnsTopicName } from '@aws-accelerator/cdk-accelerator/src/core/accelerator-name-generator';
+import { SNS_NOTIFICATION_TYPES } from '@aws-accelerator/common/src/util/constants';
+import * as path from 'path';
+import * as lambda from '@aws-cdk/aws-lambda';
+import * as cdk from '@aws-cdk/core';
+import { IamRoleOutputFinder } from '@aws-accelerator/common-outputs/src/iam-role';
+import { StackOutput } from '@aws-accelerator/common-outputs/src/stack-output';
+import * as iam from '@aws-cdk/aws-iam';
+
+export interface SnsStep1Props {
+  accountStacks: AccountStacks;
+  config: c.AcceleratorConfig;
+  outputs: StackOutput[];
+}
+
+/**
+ *
+ *  Create SNS Topics High, Medium, Low, Ignore
+ *  in Central-Log-Services Account
+ */
+export async function step1(props: SnsStep1Props) {
+  const { accountStacks, config, outputs } = props;
+  const globalOptions = config['global-options'];
+  const centralLogServices = globalOptions['central-log-services'];
+  const supportedRegions = globalOptions['supported-regions'];
+  const excludeRegions = centralLogServices['sns-excl-regions'];
+  const regions = supportedRegions.filter(r => !excludeRegions?.includes(r));
+  if (!regions.includes(centralLogServices.region)) {
+    regions.push(centralLogServices.region);
+  }
+  const subscribeEmails = centralLogServices['sns-subscription-emails'];
+  const snsSubscriberLambdaRoleOutput = IamRoleOutputFinder.tryFindOneByName({
+    outputs,
+    accountKey: centralLogServices.account,
+    roleKey: 'SnsSubscriberLambda',
+  });
+  if (!snsSubscriberLambdaRoleOutput) {
+    console.error(`Role required for SNS Subscription Lambda is not created in ${centralLogServices.account}`);
+    return;
+  }
+  for (const region of regions) {
+    const accountStack = accountStacks.tryGetOrCreateAccountStack(centralLogServices.account, region);
+    if (!accountStack) {
+      console.error(`Cannot find account stack ${centralLogServices.account}: ${region}, while deploying SNS`);
+      continue;
+    }
+    const lambdaPath = require.resolve('@aws-accelerator/deployments-runtime');
+    const lambdaDir = path.dirname(lambdaPath);
+    const lambdaCode = lambda.Code.fromAsset(lambdaDir);
+    const role = iam.Role.fromRoleArn(accountStack, `SnsSubscriberLambdaRole`, snsSubscriberLambdaRoleOutput.roleArn);
+    let snsSubscriberFunc: lambda.Function | undefined;
+    if (region !== centralLogServices.region) {
+      snsSubscriberFunc = new lambda.Function(accountStack, `SnsSubscriberLambda`, {
+        runtime: lambda.Runtime.NODEJS_12_X,
+        handler: 'index.createSnsPublishToCentralRegion',
+        code: lambdaCode,
+        role,
+        environment: {
+          CENTRAL_LOG_SERVICES_REGION: centralLogServices.region,
+        },
+        timeout: cdk.Duration.minutes(15),
+      });
+
+      snsSubscriberFunc.addPermission(`InvokePermission-SnsSubscriberLambda`, {
+        action: 'lambda:InvokeFunction',
+        principal: new iam.ServicePrincipal('sns.amazonaws.com'),
+      });
+    }
+
+    const ignoreActionFunc = new lambda.Function(accountStack, `IgnoreActionLambda`, {
+      runtime: lambda.Runtime.NODEJS_12_X,
+      handler: 'index.createIgnoreAction',
+      code: lambdaCode,
+      role,
+      timeout: cdk.Duration.minutes(15),
+    });
+
+    ignoreActionFunc.addPermission(`InvokePermission-IgnoreActionLambda`, {
+      action: 'lambda:InvokeFunction',
+      principal: new iam.ServicePrincipal('sns.amazonaws.com'),
+    });
+
+    for (const notificationType of SNS_NOTIFICATION_TYPES) {
+      const topicName = createSnsTopicName(notificationType);
+      const topic = new sns.Topic(accountStack, `SnsNotificationTopic${notificationType}`, {
+        displayName: topicName,
+        topicName,
+      });
+
+      // Allowing Publish from CloudWatch Service form any account
+      topic.grantPublish({
+        grantPrincipal: new iam.ServicePrincipal('cloudwatch.amazonaws.com'),
+      });
+
+      // Allowing Publish from Lambda Service form any account
+      topic.grantPublish({
+        grantPrincipal: new iam.ServicePrincipal('lambda.amazonaws.com'),
+      });
+
+      if (region === centralLogServices.region && subscribeEmails && subscribeEmails[notificationType]) {
+        subscribeEmails[notificationType].forEach((email, index) => {
+          new sns.CfnSubscription(accountStack, `SNSTopicSubscriptionFor${notificationType}-${index + 1}`, {
+            topicArn: topic.topicArn,
+            protocol: sns.SubscriptionProtocol.EMAIL,
+            endpoint: email,
+          });
+        });
+      } else if (region === centralLogServices.region && notificationType.toLowerCase() === 'ignore') {
+        new sns.CfnSubscription(accountStack, `SNSTopicSubscriptionFor${notificationType}`, {
+          topicArn: topic.topicArn,
+          protocol: sns.SubscriptionProtocol.LAMBDA,
+          endpoint: ignoreActionFunc.functionArn,
+        });
+      } else if (region !== centralLogServices.region && snsSubscriberFunc) {
+        new sns.CfnSubscription(accountStack, `SNSTopicSubscriptionFor${notificationType}`, {
+          topicArn: topic.topicArn,
+          protocol: sns.SubscriptionProtocol.LAMBDA,
+          endpoint: snsSubscriberFunc.functionArn,
+        });
+      }
+    }
+  }
+}
diff --git a/src/deployments/runtime/src/ignore-action.ts b/src/deployments/runtime/src/ignore-action.ts
@@ -0,0 +1,5 @@
+// tslint:disable-next-line: no-any
+export const handler = async (input: any): Promise<void> => {
+  console.log('Ignoring Action input ....');
+  console.log(JSON.stringify(input, null, 2));
+};
diff --git a/src/deployments/runtime/src/index.ts b/src/deployments/runtime/src/index.ts
@@ -1,2 +1,4 @@
+export { handler as createSnsPublishToCentralRegion } from './sns-publish-central-region';
+export { handler as createIgnoreAction } from './ignore-action';
 import * as ouValidationEvents from './ou-validation-events';
 export { ouValidationEvents };
diff --git a/src/deployments/runtime/src/sns-publish-central-region.ts b/src/deployments/runtime/src/sns-publish-central-region.ts
@@ -0,0 +1,19 @@
+import { SNS } from '@aws-accelerator/common/src/aws/sns';
+import { SNSEvent, Context } from 'aws-lambda';
+
+const logCentralRegion = process.env.CENTRAL_LOG_SERVICES_REGION!;
+const sns = new SNS(undefined, logCentralRegion);
+
+export const handler = async (input: SNSEvent, context: Context): Promise<void> => {
+  console.log('Verifying Account Creation status ....');
+  console.log(JSON.stringify(input, null, 2));
+  const snsNotificationConfig = input.Records[0].Sns;
+  const topicArn = snsNotificationConfig.TopicArn;
+  const topicName = topicArn.split(':').pop();
+  const accountId = context.invokedFunctionArn.split(':')[4];
+  await sns.publish({
+    Message: snsNotificationConfig.Message,
+    Subject: snsNotificationConfig.Subject,
+    TopicArn: `arn:aws:sns:${logCentralRegion}:${accountId}:${topicName}`,
+  });
+};
diff --git a/src/lib/cdk-accelerator/src/core/accelerator-name-generator.ts b/src/lib/cdk-accelerator/src/core/accelerator-name-generator.ts
@@ -35,6 +35,13 @@ export function createLogGroupName(name: string, suffixLength?: number): string
   );
 }
 
+export function createSnsTopicName(name: string, suffixLength?: number): string {
+  return createName({
+    name: `Notification-${name}`,
+    suffixLength: suffixLength || 0,
+  });
+}
+
 const DEFAULT_SEPARATOR = '-';
 
 export interface CreateNameProps {
diff --git a/src/lib/common-config/src/index.ts b/src/lib/common-config/src/index.ts
@@ -621,6 +621,8 @@ export const CentralServicesConfigType = t.interface({
   'macie-frequency': optional(t.string),
   'config-excl-regions': optional(t.array(t.string)),
   'config-aggr-excl-regions': optional(t.array(t.string)),
+  'sns-excl-regions': optional(t.array(t.string)),
+  'sns-subscription-emails': fromNullable(t.record(t.string, t.array(t.string)), {}),
 });
 
 export const ScpsConfigType = t.interface({
diff --git a/src/lib/common-outputs/src/sns-topic.ts b/src/lib/common-outputs/src/sns-topic.ts
@@ -0,0 +1,24 @@
+import * as t from 'io-ts';
+import { createStructuredOutputFinder } from './structured-output';
+import { StackOutput } from './stack-output';
+
+export const SnsTopicOutput = t.interface(
+  {
+    topicName: t.string,
+    topicArn: t.string,
+    topicKey: t.string,
+  },
+  'SnsTopic',
+);
+
+export type SnsTopicOutput = t.TypeOf<typeof SnsTopicOutput>;
+
+export const SnsTopicOutputFinder = createStructuredOutputFinder(SnsTopicOutput, finder => ({
+  tryFindOneByName: (props: { outputs: StackOutput[]; accountKey: string; region?: string; topicKey?: string }) =>
+    finder.tryFindOne({
+      outputs: props.outputs,
+      accountKey: props.accountKey,
+      region: props.region,
+      predicate: o => o.topicKey === props.topicKey,
+    }),
+}));
diff --git a/src/lib/common/src/aws/sns.ts b/src/lib/common/src/aws/sns.ts
@@ -5,9 +5,10 @@ import { throttlingBackOff } from './backoff';
 export class SNS {
   private readonly client: aws.SNS;
 
-  constructor(credentials?: aws.Credentials) {
+  constructor(credentials?: aws.Credentials, region?: string) {
     this.client = new aws.SNS({
       credentials,
+      region,
     });
   }
 
diff --git a/src/lib/common/src/util/constants.ts b/src/lib/common/src/util/constants.ts
@@ -3,3 +3,5 @@ export const CLOUD_WATCH_CENTRAL_LOGGING_BUCKET_PREFIX = 'CloudWatchLogs/';
 export const JSON_FORMAT = 'json';
 export const YAML_FORMAT = 'yaml';
 export const RAW_CONFIG_FILE = 'raw/config.json';
+// These SNS Topics are created regions in central log services account
+export const SNS_NOTIFICATION_TYPES = ['High', 'Medium', 'Low', 'Ignore'];

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+export * from './outputs';`
	`2`	`+export * from './step-1';`