chore: minor changes to template formatting

unicorn_contracts/integration/subscriber-policies.yaml

@@ -15,12 +15,13 @@ Parameters:
       - prod
 
 Resources:
-  # Update this policy as you get new subscribers by adding their namespace to events:source
+  # This policy defines who can create rules on the event bus. Only principals subscribing to 
+  # Contracts Service events can create rule on the bus. No rules without a defined source.
   CrossServiceCreateRulePolicy:
     Type: AWS::Events::EventBusPolicy
     Properties:
       EventBusName: !Sub "{{resolve:ssm:/uni-prop/${Stage}/UnicornContractsEventBus}}"
-      StatementId: !Sub "${AWS::StackName}-CreateRule"
+      StatementId: !Sub "OnlyRulesForContractServiceEvents-${Stage}"
       Statement:
         Effect: Allow
         Principal:

unicorn_contracts/template.yaml

@@ -53,7 +53,7 @@ Globals:
     Environment:
       Variables:
         DYNAMODB_TABLE: !Ref ContractsTable
-        SERVICE_NAMESPACE: !Sub "{{resolve:ssm:/uni-prop/${Stage}/UnicornWebNamespace}}"
+        SERVICE_NAMESPACE: !Sub "{{resolve:ssm:/uni-prop/${Stage}/UnicornContractsNamespace}}"
         POWERTOOLS_LOGGER_CASE: PascalCase
         POWERTOOLS_SERVICE_NAME: !Sub "{{resolve:ssm:/uni-prop/${Stage}/UnicornContractsNamespace}}"
         POWERTOOLS_TRACE_DISABLED: "false" # Explicitly disables tracing, default
@@ -106,6 +106,13 @@ Resources:
             ScalingConfig:
               MaximumConcurrency: 5
 
+  ContractEventHandlerFunctionLogGroup:
+    Type: AWS::Logs::LogGroup
+    DeletionPolicy: Delete
+    UpdateReplacePolicy: Delete
+    Properties:
+      LogGroupName: !Sub "/aws/lambda/${ContractEventHandlerFunction}"
+      RetentionInDays: !FindInMap [LogsRetentionPeriodMap, !Ref Stage, Days]
 
   #### API GATEWAY REST API
   UnicornContractsApi:
@@ -168,6 +175,14 @@ Resources:
                   - sqs:GetQueueUrl
                 Resource: !GetAtt UnicornContractsIngestQueue.Arn
 
+  # API GW Cloudwatch Log Group
+  UnicornContractsApiLogGroup:
+    Type: AWS::Logs::LogGroup
+    UpdateReplacePolicy: Delete
+    DeletionPolicy: Delete
+    Properties:
+      RetentionInDays: !FindInMap [LogsRetentionPeriodMap, !Ref Stage, Days]
+
   UnicornContractsApiGwAccountConfigRole:
     Type: AWS::IAM::Role
     Properties:
@@ -221,26 +236,6 @@ Resources:
         - Key: namespace
           Value: !Sub "{{resolve:ssm:/uni-prop/${Stage}/UnicornContractsNamespace}}"
 
-
-  #### CLOUDWATCH LOG GROUPS
-  # Logs all invocations of ContractEventHandler Function
-  ContractEventHandlerFunctionLogGroup:
-    Type: AWS::Logs::LogGroup
-    DeletionPolicy: Delete
-    UpdateReplacePolicy: Delete
-    Properties:
-      LogGroupName: !Sub "/aws/lambda/${ContractEventHandlerFunction}"
-      RetentionInDays: !FindInMap [LogsRetentionPeriodMap, !Ref Stage, Days]
-
-  # API GW CloudWatch Logs Group, logs all requests from API Gateway
-  UnicornContractsApiLogGroup:
-    Type: AWS::Logs::LogGroup
-    UpdateReplacePolicy: Delete
-    DeletionPolicy: Delete
-    Properties:
-      RetentionInDays: !FindInMap [LogsRetentionPeriodMap, !Ref Stage, Days]
-
-
   #### DYNAMODB TABLE
   # Persist Contracts information in DynamoDB
   ContractsTable:
@@ -278,7 +273,7 @@ Resources:
     Type: AWS::Events::EventBusPolicy
     Properties:
       EventBusName: !Ref UnicornContractsEventBus
-      StatementId: !Sub ContactsPublishEventsPolicy-${Stage}
+      StatementId: !Sub OnlyContactsServiceCanPublishToEventBus-${Stage}
       Statement:
         Effect: Allow
         Principal:

unicorn_properties/integration/subscriber-policies.yaml

@@ -20,7 +20,7 @@ Resources:
     Type: AWS::Events::EventBusPolicy
     Properties:
       EventBusName: !Sub "{{resolve:ssm:/uni-prop/${Stage}/UnicornPropertiesEventBus}}"
-      StatementId: !Sub "${AWS::StackName}-CreateRule"
+      StatementId: !Sub "OnlyRulesForPropertiesServiceEvents-${Stage}"
       Statement:
         Effect: Allow
         Principal:

unicorn_properties/integration/subscriptions.yaml

@@ -1,7 +1,7 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: MIT-0
 AWSTemplateFormatVersion: '2010-09-09'
-Description: Defines the cross-service subscriptions for Unicorn Properties
+Description: Defines the rule for the events (subscriptions) that Unicorn Properties wants to consume.
 
 Parameters:
   Stage:
@@ -13,11 +13,13 @@ Parameters:
       - prod
 
 Resources:
+
+  #### UNICORN CONTRACTS EVENT SUBSCRIPTIONS
   ContractStatusChangedSubscriptionRule:
     Type: AWS::Events::Rule
     Properties:
-      Name: properties.statuschanged-contract.pubevalcompleted
-      Description: Constract Status Changed subscription
+      Name: unicorn.properties-ContractStatusChanged
+      Description: Contract Status Changed subscription
       EventBusName: !Sub "{{resolve:ssm:/uni-prop/${Stage}/UnicornContractsEventBusArn}}"
       EventPattern:
         source:
@@ -28,35 +30,14 @@ Resources:
       Targets:
         - Id: SendEventTo
           Arn: !Sub "{{resolve:ssm:/uni-prop/${Stage}/UnicornPropertiesEventBusArn}}"
-          RoleArn: !GetAtt UnicornContractsEventBusToUnicornPropertiesEventBusRole.Arn
-
-  # This IAM role allows EventBridge to assume the permissions necessary to send events 
-  # from the Unicorn Contracts event bus to the Unicorn Properties event bus.
-  # If the Unicorn Properties service wants receive events from other services, then add another policy 
-  # the arn of the which includes the event bus arn where Unicorn Properties is creating the 
-  # subscription (rule)
-  UnicornContractsEventBusToUnicornPropertiesEventBusRole:
-    Type: AWS::IAM::Role
-    Properties:
-      AssumeRolePolicyDocument:
-        Statement:
-          - Effect: Allow
-            Action: sts:AssumeRole
-            Principal:
-              Service: events.amazonaws.com
-      Policies:
-        - PolicyName: PutEventsOnUnicornPropertiesEventBus
-          PolicyDocument:
-            Statement:
-              - Effect: Allow
-                Action: events:PutEvents
-                Resource: !Sub "{{resolve:ssm:/uni-prop/${Stage}/UnicornPropertiesEventBusArn}}"
+          RoleArn: !GetAtt UnicornPropertiesSubscriptionRole.Arn
 
+  #### UNICORN WEB EVENT SUBSCRIPTIONS
   PublicationApprovalRequestedSubscriptionRule:
     Type: AWS::Events::Rule
     Properties:
-      Name: properties.pubapprovalwf-web.pubapprovalrequested
-      Description: Publication Approval Requested Subscription
+      Name: unicorn.properties-PublicationApprovalRequested
+      Description: Publication evaluation completed subscription
       EventBusName: !Sub "{{resolve:ssm:/uni-prop/${Stage}/UnicornWebEventBusArn}}"
       EventPattern:
         source:
@@ -67,14 +48,12 @@ Resources:
       Targets:
         - Id: SendEventTo
           Arn: !Sub "{{resolve:ssm:/uni-prop/${Stage}/UnicornPropertiesEventBusArn}}"
-          RoleArn: !GetAtt UnicornWebEventBusToUnicornPropertiesEventBusRole.Arn
+          RoleArn: !GetAtt UnicornPropertiesSubscriptionRole.Arn
+
 
   # This IAM role allows EventBridge to assume the permissions necessary to send events 
-  # from the Unicorn Web event bus to the Unicorn Properties event bus.
-  # If the Unicorn Properties service wants receive events from other services, then add another policy 
-  # the arn of the which includes the event bus arn where Unicorn Properties is creating the 
-  # subscription (rule)
-  UnicornWebEventBusToUnicornPropertiesEventBusRole:
+  # from the publishing event bus, to the subscribing event bus (UnicornPropertiesEventBusArn)
+  UnicornPropertiesSubscriptionRole:
     Type: AWS::IAM::Role
     Properties:
       AssumeRolePolicyDocument:

unicorn_properties/template.yaml

@@ -98,7 +98,7 @@ Resources:
         StatusChangedEvent:
           Type: EventBridgeRule
           Properties:
-            RuleName: properties.contstatuschangedhdr-contracts.contstatuschanged
+            RuleName: unicorn.properties-ContractStatusChanged
             EventBusName: !GetAtt UnicornPropertiesEventBus.Name
             Pattern:
               source:
@@ -116,6 +116,15 @@ Resources:
             Type: SQS
             Destination: !GetAtt PropertiesServiceDLQ.Arn
 
+  # Log group for the ContractStatusChangedHandlerFunction
+  ContractStatusChangedHandlerFunctionLogGroup:
+    Type: AWS::Logs::LogGroup
+    UpdateReplacePolicy: Delete
+    DeletionPolicy: Delete
+    Properties:
+      LogGroupName: !Sub "/aws/lambda/${ContractStatusChangedHandlerFunction}"
+      RetentionInDays: !FindInMap [LogsRetentionPeriodMap, !Ref Stage, Days]
+
   # Listens to Contract status changes from ContractStatusTable to un-pause StepFunctions
   PropertiesApprovalSyncFunction:
     Type: AWS::Serverless::Function
@@ -154,6 +163,15 @@ Resources:
             Type: SQS
             Destination: !GetAtt PropertiesServiceDLQ.Arn
 
+  # Log group for the PropertiesApprovalSyncFunction
+  PropertiesApprovalSyncFunctionLogGroup:
+    Type: AWS::Logs::LogGroup
+    UpdateReplacePolicy: Delete
+    DeletionPolicy: Delete
+    Properties:
+      LogGroupName: !Sub "/aws/lambda/${PropertiesApprovalSyncFunction}"
+      RetentionInDays: !FindInMap [LogsRetentionPeriodMap, !Ref Stage, Days]
+
   # Part of the ApprovalStateMachine, checks if a given Property has an existing Contract in ContractStatusTable
   ContractExistsCheckerFunction:
     Type: AWS::Serverless::Function
@@ -164,13 +182,31 @@ Resources:
         - DynamoDBCrudPolicy:
             TableName: !Ref ContractStatusTable
 
+  # Log group for the ContractExistsCheckerFunction       
+  ContractExistsCheckerFunctionLogGroup:
+    Type: AWS::Logs::LogGroup
+    UpdateReplacePolicy: Delete
+    DeletionPolicy: Delete
+    Properties:
+      LogGroupName: !Sub "/aws/lambda/${ContractExistsCheckerFunction}"
+      RetentionInDays: !FindInMap [LogsRetentionPeriodMap, !Ref Stage, Days]
+
   # Part of the ApprovalStateMachine, validates if all outputs of content checking steps are OK
   ContentIntegrityValidatorFunction:
     Type: AWS::Serverless::Function
     Properties:
       CodeUri: src/
       Handler: properties_service.content_integrity_validator_function.lambda_handler
 
+  # Log group for the ContentIntegrityValidatorFunction
+  ContentIntegrityValidatorFunctionLogGroup:
+    Type: AWS::Logs::LogGroup
+    UpdateReplacePolicy: Delete
+    DeletionPolicy: Delete
+    Properties:
+      LogGroupName: !Sub "/aws/lambda/${ContentIntegrityValidatorFunction}"
+      RetentionInDays: !FindInMap [LogsRetentionPeriodMap, !Ref Stage, Days]
+
   # Part of the ApprovalStateMachine, pauses the workflow execution and stores token in ContractStatusTable until contract is approved
   WaitForContractApprovalFunction:
     Type: AWS::Serverless::Function
@@ -181,6 +217,14 @@ Resources:
         - DynamoDBCrudPolicy:
             TableName: !Ref ContractStatusTable
 
+  # Log group for the WaitForContractApprovalFunction
+  WaitForContractApprovalFunctionLogGroup:
+    Type: AWS::Logs::LogGroup
+    UpdateReplacePolicy: Delete
+    DeletionPolicy: Delete
+    Properties:
+      LogGroupName: !Sub "/aws/lambda/${WaitForContractApprovalFunction}"
+      RetentionInDays: !FindInMap [LogsRetentionPeriodMap, !Ref Stage, Days]
 
   #### STATE MACHINE
   ApprovalStateMachine:
@@ -227,7 +271,7 @@ Resources:
         PubApproReqEvent:
           Type: EventBridgeRule
           Properties:
-            RuleName: properties.pubapprovalwf-web.pubapprovalrequested
+            RuleName: unicorn.properties-PublicationApprovalRequested
             EventBusName: !GetAtt UnicornPropertiesEventBus.Name
             Pattern:
               source:
@@ -248,6 +292,14 @@ Resources:
         EventBusName: !GetAtt UnicornPropertiesEventBus.Name
         ServiceName: !Sub "{{resolve:ssm:/uni-prop/${Stage}/UnicornPropertiesNamespace}}"
 
+  # Store ApprovalStateMachineLogGroup workflow execution logs
+  ApprovalStateMachineLogGroup:
+    Type: AWS::Logs::LogGroup
+    UpdateReplacePolicy: Delete
+    DeletionPolicy: Delete
+    Properties:
+      LogGroupName: !Sub "/aws/states/${AWS::StackName}-ApprovalStateMachine"
+      RetentionInDays: !FindInMap [LogsRetentionPeriodMap, !Ref Stage, Days]
 
   #### DEAD LETTER QUEUES
   # Store EventBridge events that failed to be DELIVERED to ContractStatusChangedHandlerFunction
@@ -282,59 +334,6 @@ Resources:
         - Key: stage
           Value: !Ref Stage
 
-
-  #### CLOUDWATCH LOG GROUPS
-  # Store Lambda execution logs for each Lambda function in Unicorn Properties Service
-  ContractStatusChangedHandlerFunctionLogGroup:
-    Type: AWS::Logs::LogGroup
-    UpdateReplacePolicy: Delete
-    DeletionPolicy: Delete
-    Properties:
-      LogGroupName: !Sub "/aws/lambda/${ContractStatusChangedHandlerFunction}"
-      RetentionInDays: !FindInMap [LogsRetentionPeriodMap, !Ref Stage, Days]
-
-  PropertiesApprovalSyncFunctionLogGroup:
-    Type: AWS::Logs::LogGroup
-    UpdateReplacePolicy: Delete
-    DeletionPolicy: Delete
-    Properties:
-      LogGroupName: !Sub "/aws/lambda/${PropertiesApprovalSyncFunction}"
-      RetentionInDays: !FindInMap [LogsRetentionPeriodMap, !Ref Stage, Days]
-
-  ContractExistsCheckerFunctionLogGroup:
-    Type: AWS::Logs::LogGroup
-    UpdateReplacePolicy: Delete
-    DeletionPolicy: Delete
-    Properties:
-      LogGroupName: !Sub "/aws/lambda/${ContractExistsCheckerFunction}"
-      RetentionInDays: !FindInMap [LogsRetentionPeriodMap, !Ref Stage, Days]
-
-  ContentIntegrityValidatorFunctionLogGroup:
-    Type: AWS::Logs::LogGroup
-    UpdateReplacePolicy: Delete
-    DeletionPolicy: Delete
-    Properties:
-      LogGroupName: !Sub "/aws/lambda/${ContentIntegrityValidatorFunction}"
-      RetentionInDays: !FindInMap [LogsRetentionPeriodMap, !Ref Stage, Days]
-
-  WaitForContractApprovalFunctionLogGroup:
-    Type: AWS::Logs::LogGroup
-    UpdateReplacePolicy: Delete
-    DeletionPolicy: Delete
-    Properties:
-      LogGroupName: !Sub "/aws/lambda/${WaitForContractApprovalFunction}"
-      RetentionInDays: !FindInMap [LogsRetentionPeriodMap, !Ref Stage, Days]
-
-  # Store ApprovalStateMachineLogGroup workflow execution logs
-  ApprovalStateMachineLogGroup:
-    Type: AWS::Logs::LogGroup
-    UpdateReplacePolicy: Delete
-    DeletionPolicy: Delete
-    Properties:
-      LogGroupName: !Sub "/aws/states/${AWS::StackName}-ApprovalStateMachine"
-      RetentionInDays: !FindInMap [LogsRetentionPeriodMap, !Ref Stage, Days]
-
-
   #### DYNAMODB TABLE
   ContractStatusTable:
     Type: AWS::DynamoDB::Table
@@ -371,7 +370,7 @@ Resources:
     Type: AWS::Events::EventBusPolicy
     Properties:
       EventBusName: !Ref UnicornPropertiesEventBus
-      StatementId: !Sub PropertiesPublishEventsPolicy-${Stage}
+      StatementId: !Sub OnlyPropertiesServiceCanPublishToEventBus-${Stage}
       Statement:
         Effect: Allow
         Principal:
@@ -384,12 +383,12 @@ Resources:
             events:source:
               - !Sub "{{resolve:ssm:/uni-prop/${Stage}/UnicornPropertiesNamespace}}"
 
-  # Catchall rule used for development purposes. Logs all events matching any of the services' to CloudWatch Logs
+  # Catchall rule used for development purposes. Logs all events matching any of the services to CloudWatch Logs
   UnicornPropertiesCatchAllRule:
     Type: AWS::Events::Rule
     Properties:
-      Name: contracts.catchall
-      Description: Catch all events published by the contracts service.
+      Name: properties.catchall
+      Description: Catchall rule used for development purposes.
       EventBusName: !Ref UnicornPropertiesEventBus
       EventPattern:
         account:

unicorn_web/integration/subscriber-policies.yaml

@@ -20,7 +20,7 @@ Resources:
     Type: AWS::Events::EventBusPolicy
     Properties:
       EventBusName: !Sub "{{resolve:ssm:/uni-prop/${Stage}/UnicornWebEventBus}}"
-      StatementId: !Sub "${AWS::StackName}-CreateRule"
+      StatementId: !Sub "OnlyRulesForPropertiesServiceEvents-${Stage}"
       Statement:
         Effect: Allow
         Principal: