Common-DirectoryFunctions.yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Common-DirectoryFunctions Template.
  This creates Lambda Functions related to Directory Services.
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Stack Dependencies
        Parameters:
          - LayersStackName
          - BucketsStackName
          - TopicsStackName
      - Label:
          default: Function Configuration
        Parameters:
          - DirectoryAliasFunctionKey
          - DirectoryAliasFunctionObjectVersion
          - DirectoryAliasLogRetention
          - DirectoryConditionalForwarderFunctionKey
          - DirectoryConditionalForwarderFunctionObjectVersion
          - DirectoryConditionalForwarderLogRetention
          - DirectoryLogSubscriptionFunctionKey
          - DirectoryLogSubscriptionFunctionObjectVersion
          - DirectoryLogSubscriptionLogRetention
    ParameterLabels:
      LayersStackName:
        default: Layers Stack Name
      BucketsStackName:
        default: Buckets Stack Name
      TopicsStackName:
        default: Topics Stack Name
      DirectoryAliasFunctionKey:
        default: DirectoryAlias Function S3 Key
      DirectoryAliasFunctionObjectVersion:
        default: DirectoryAlias Function S3 Object Version
      DirectoryAliasLogRetention:
        default: DirectoryAlias Log Retention
      DirectoryConditionalForwarderFunctionKey:
        default: DirectoryConditionalForwarder Function S3 Key
      DirectoryConditionalForwarderFunctionObjectVersion:
        default: DirectoryConditionalForwarder Function S3 Object Version
      DirectoryConditionalForwarderLogRetention:
        default: DirectoryConditionalForwarder Log Retention
      DirectoryLogSubscriptionFunctionKey:
        default: DirectoryLogSubscription Function S3 Key
      DirectoryLogSubscriptionFunctionObjectVersion:
        default: DirectoryLogSubscription Function S3 Object Version
      DirectoryLogSubscriptionLogRetention:
        default: DirectoryLogSubscription LogRetention
Parameters:
  LayersStackName:
    Description: Name of the CloudFormation Stack containing Layers
    Type: String
    MinLength: 2
    MaxLength: 64
    Default: Layers
    AllowedPattern: ^[A-Z][-a-zA-Z0-9]*$
    ConstraintDescription: must begin with an upper case letter and contain alphanumeric characters and dashes.
  BucketsStackName:
    Description: Name of the CloudFormation Stack containing Buckets
    Type: String
    MinLength: 2
    MaxLength: 64
    Default: Buckets
    AllowedPattern: ^[A-Z][-a-zA-Z0-9]*$
    ConstraintDescription: must begin with an upper case letter and contain alphanumeric characters and dashes.
  TopicsStackName:
    Description: Name of the CloudFormation Stack containing Topics
    Type: String
    MinLength: 2
    MaxLength: 64
    Default: Topics
    AllowedPattern: ^[A-Z][-a-zA-Z0-9]*$
    ConstraintDescription: must begin with an upper case letter and contain alphanumeric characters and dashes.
  DirectoryAliasFunctionKey:
    Description: Key of Object within the S3 Bucket containing the DirectoryAlias Lambda Function zipfile
    Type: String
    MinLength: 2
    MaxLength: 64
    Default: DirectoryAlias.zip
    AllowedPattern: ^[-_.a-zA-Z0-9]*\.zip$
    ConstraintDescription: must be a valid zipfilename, not containing slashes.
  DirectoryAliasFunctionObjectVersion:
    Description: Version of Object within the S3 Bucket containing the DirectoryAlias Lambda Function zipfile
    Type: String
    MaxLength: 32
    Default: ''
    ConstraintDescription: must be a valid S3 Object Version.
  DirectoryAliasLogRetention:
    Description: Number of days to retain CloudWatch Log Events for the DirectoryAlias Lambda Function
    Type: Number
    Default: 30
    AllowedValues:
      - 1
      - 3
      - 5
      - 7
      - 14
      - 30
      - 60
      - 90
    ConstraintDescription: must be 1, 3, 5, 7, 14, 30, 60 or 90.
  DirectoryConditionalForwarderFunctionKey:
    Description: Key of Object within the S3 Bucket containing the DirectoryConditionalForwarder Lambda Function zipfile
    Type: String
    MinLength: 2
    MaxLength: 64
    Default: DirectoryConditionalForwarder.zip
    AllowedPattern: ^[-_.a-zA-Z0-9]*\.zip$
    ConstraintDescription: must be a valid zipfilename, not containing slashes.
  DirectoryConditionalForwarderFunctionObjectVersion:
    Description: Version of Object within the S3 Bucket containing the DirectoryConditionalForwarder Lambda Function zipfile
    Type: String
    MaxLength: 32
    Default: ''
    ConstraintDescription: must be a valid S3 Object Version.
  DirectoryConditionalForwarderLogRetention:
    Description: Number of days to retain CloudWatch Log Events for the DirectoryConditionalForwarder Lambda Function
    Type: Number
    Default: 30
    AllowedValues:
      - 1
      - 3
      - 5
      - 7
      - 14
      - 30
      - 60
      - 90
    ConstraintDescription: must be 1, 3, 5, 7, 14, 30, 60 or 90.
  DirectoryLogSubscriptionFunctionKey:
    Description: Key of Object within the S3 Bucket containing the DirectoryLogSubscription Lambda Function zipfile
    Type: String
    MinLength: 2
    MaxLength: 64
    Default: DirectoryLogSubscription.zip
    AllowedPattern: ^[-_.a-zA-Z0-9]*\.zip$
    ConstraintDescription: must be a valid zipfilename, not containing slashes.
  DirectoryLogSubscriptionFunctionObjectVersion:
    Description: Version of Object within the S3 Bucket containing the DirectoryLogSubscription Lambda Function zipfile
    Type: String
    MaxLength: 32
    Default: ''
    ConstraintDescription: must be a valid S3 Object Version.
  DirectoryLogSubscriptionLogRetention:
    Description: Number of days to retain CloudWatch Log Events for the DirectoryLogSubscription Lambda Function
    Type: Number
    Default: 30
    AllowedValues:
      - 1
      - 3
      - 5
      - 7
      - 14
      - 30
      - 60
      - 90
    ConstraintDescription: must be 1, 3, 5, 7, 14, 30, 60 or 90.
Conditions:
  ConfigureDirectoryAliasFunctionObjectVersion: !Not [ !Equals [ !Ref DirectoryAliasFunctionObjectVersion, '' ]]
  ConfigureDirectoryConditionalForwarderFunctionObjectVersion: !Not [ !Equals [ !Ref DirectoryConditionalForwarderFunctionObjectVersion, '' ]]
  ConfigureDirectoryLogSubscriptionFunctionObjectVersion: !Not [ !Equals [ !Ref DirectoryLogSubscriptionFunctionObjectVersion, '' ]]
Resources:
  DirectoryAliasRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: DirectoryAliasPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - ds:CreateAlias
                  - ds:EnableSso
                  - ds:DisableSso
                Resource: '*'
  DirectoryAliasLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/lambda/DirectoryAlias
      RetentionInDays: !Ref DirectoryAliasLogRetention
  DirectoryAliasFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: DirectoryAlias
      Description: A Lambda function that creates an alias for a directory service.
      Role: !GetAtt DirectoryAliasRole.Arn
      Runtime: nodejs10.x
      Timeout: 30
      Layers:
        - !ImportValue
            Fn::Sub: ${LayersStackName}-AsyncCustomResourceLayerVersionArn
      Handler: DirectoryAlias.handler
      Code:
        S3Bucket: !ImportValue
          Fn::Sub: ${BucketsStackName}-FunctionsBucket
        S3Key: !Ref DirectoryAliasFunctionKey
        S3ObjectVersion: !If [ ConfigureDirectoryAliasFunctionObjectVersion, !Ref DirectoryAliasFunctionObjectVersion, !Ref 'AWS::NoValue' ]
    DependsOn: DirectoryAliasLogGroup
  DirectoryConditionalForwarderRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: DirectoryConditionalForwarderPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - ds:DescribeConditionalForwarders
                  - ds:CreateConditionalForwarder
                  - ds:DeleteConditionalForwarder
                Resource: '*'
  DirectoryConditionalForwarderLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/lambda/DirectoryConditionalForwarder
      RetentionInDays: !Ref DirectoryConditionalForwarderLogRetention
  DirectoryConditionalForwarderFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: DirectoryConditionalForwarder
      Description: A Lambda function that creates an alias for a directory service.
      Role: !GetAtt DirectoryConditionalForwarderRole.Arn
      Runtime: nodejs10.x
      Timeout: 30
      Layers:
        - !ImportValue
            Fn::Sub: ${LayersStackName}-AsyncCustomResourceLayerVersionArn
      Handler: DirectoryConditionalForwarder.handler
      Code:
        S3Bucket: !ImportValue
          Fn::Sub: ${BucketsStackName}-FunctionsBucket
        S3Key: !Ref DirectoryConditionalForwarderFunctionKey
        S3ObjectVersion: !If [ ConfigureDirectoryConditionalForwarderFunctionObjectVersion, !Ref DirectoryConditionalForwarderFunctionObjectVersion, !Ref 'AWS::NoValue' ]
    DependsOn: DirectoryConditionalForwarderLogGroup
  DirectoryLogSubscriptionRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: DirectoryLogSubscriptionPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - ds:ListLogSubscriptions
                  - ds:CreateLogSubscription
                  - ds:DeleteLogSubscription
                Resource: '*'
  DirectoryLogSubscriptionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/lambda/DirectoryLogSubscription
      RetentionInDays: !Ref DirectoryLogSubscriptionLogRetention
  DirectoryLogSubscriptionFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: DirectoryLogSubscription
      Description: A Lambda function that creates an alias for a directory service.
      Role: !GetAtt DirectoryLogSubscriptionRole.Arn
      Runtime: nodejs10.x
      Timeout: 30
      Layers:
        - !ImportValue
            Fn::Sub: ${LayersStackName}-AsyncCustomResourceLayerVersionArn
      Handler: DirectoryLogSubscription.handler
      Code:
        S3Bucket: !ImportValue
          Fn::Sub: ${BucketsStackName}-FunctionsBucket
        S3Key: !Ref DirectoryLogSubscriptionFunctionKey
        S3ObjectVersion: !If [ ConfigureDirectoryLogSubscriptionFunctionObjectVersion, !Ref DirectoryLogSubscriptionFunctionObjectVersion, !Ref 'AWS::NoValue' ]
    DependsOn: DirectoryLogSubscriptionLogGroup
Outputs:
  DirectoryAliasFunctionArn:
    Description: The DirectoryAlias Lambda Function ARN
    Value: !GetAtt DirectoryAliasFunction.Arn
    Export:
      Name: !Sub ${AWS::StackName}-DirectoryAliasFunctionArn
  DirectoryConditionalForwarderFunctionArn:
    Description: The DirectoryConditionalForwarder Lambda Function ARN
    Value: !GetAtt DirectoryConditionalForwarderFunction.Arn
    Export:
      Name: !Sub ${AWS::StackName}-DirectoryConditionalForwarderFunctionArn
  DirectoryLogSubscriptionFunctionArn:
    Description: The DirectoryLogSubscription Lambda Function ARN
    Value: !GetAtt DirectoryLogSubscriptionFunction.Arn
    Export:
      Name: !Sub ${AWS::StackName}-DirectoryLogSubscriptionFunctionArn