This repository was archived by the owner on Oct 31, 2024. It is now read-only.
template.yml
AWSTemplateFormatVersion: 2010-09-09
Description: >-
  Tools to regularly trigger drift detection on AWS CloudFormation Stacks
Transform:
  - AWS::Serverless-2016-10-31
Parameters:
  Regions:
    Type: String
    Default: all
    Description: >-
      Comma-separated list of regions to scan for CloudFormation stacks, e.g. ap-southeast-2,us-west-2.
      "all" means scan all available regions.
  DriftDetectionMinAgeHours:
    Type: Number
    Default: 24
    Description: >-
      The minimum age of a drift detection result in hours to be marked for drift detection. The system will trigger a new
      drift detection after this time has passed from the previously completed drift detection. From 24 hours to
      168 hours (1 week).
    MinValue: 24
    MaxValue: 168
  ScanFrequencyHours:
    Type: Number
    Default: 1
    Description: >-
      The number of hours between scans. Each scan triggers as many drift detections in a region as DriftDetectionBatchSize.
      From 1 hour to 24 hours.
    MinValue: 1
    MaxValue: 24
  DriftDetectionBatchSize:
    Type: Number
    Default: 20
    Description: >-
      Maximum number of drift detections to be triggered per region by the system in every scan. Adjust this value in combination
      with ScanFrequencyHours based on the number of Stacks you have.
    MinValue: 1
    MaxValue: 200
  ExcludedStackArns:
    Type: String
    Default: ""
    Description: >-
      Comma-separated list of CloudFormation Stack ARNs to be excluded by the system. Each item can be a regular expression
      without the comma character or a full CloudFormation Stack ARN.
  LogRetentionDays:
    Type: String
    Default: 1
    Description: >-
      Retention in days to keep the Lambda log files in CloudWatch Logs
    AllowedValues:
      - 1
      - 3
      - 5
      - 7
      - 14
      - 30
      - 60
      - 90
      - 120
      - 150
      - 180
      - 365
      - 400
      - 545
      - 731
      - 1827
      - 3653
Resources:
  # Execution role for the Lambda function; only the Lambda service may assume it.
  TriggerCloudFormationDriftDetectionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Action: sts:AssumeRole
          Effect: Allow
          Principal: {Service: lambda.amazonaws.com}
  # The policy is a separate resource, to break a circular dependency with the log group
  # (the policy references the log group ARN, and the log group name references the function).
  TriggerCloudFormationDriftDetectionPolicy:
    Type: AWS::IAM::Policy
    Properties:
      Roles: [!Ref TriggerCloudFormationDriftDetectionRole]
      PolicyName: TriggerCloudFormationDriftDetectionPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Read-only stack discovery plus the two drift-detection actions, across all stacks.
          - Sid: TriggerDetection
            Effect: Allow
            Action:
              - ec2:describeRegions
              - cloudformation:ListStacks
              - cloudformation:DescribeStacks
              - cloudformation:DetectStackDrift
              - cloudformation:DetectStackResourceDrift
            Resource: "*"
          # Log writes are scoped to this function's own log group only.
          - Sid: WriteLogs
            Effect: Allow
            Action:
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource: !GetAtt TriggerCloudFormationDriftDetectionLogGroup.Arn
  TriggerCloudFormationDriftDetection:
    Type: AWS::Serverless::Function
    Properties:
      Description: A Lambda function that triggers CloudFormation drift detection on all eligible Stacks.
      Runtime: nodejs18.x
      Handler: src/handlers/triggerDriftDetection.handler
      Events:
        CloudWatchEvent:
          Type: Schedule
          Name: CloudFormationDriftDetectionSchedule
          Properties:
            # Runs at minute 0 of every ScanFrequencyHours-th hour.
            Schedule: !Sub "cron(0 */${ScanFrequencyHours} * * ? *)"
            Description: CloudFormation drift detection trigger Lambda function execution frequency
            Enabled: True
            # Parameter values are passed to the handler as the scheduled event payload.
            Input: !Sub >-
              {
                "regions": "${Regions}",
                "driftDetectionMinAgeHours": "${DriftDetectionMinAgeHours}",
                "batchSize": "${DriftDetectionBatchSize}",
                "excludedStackIds": "${ExcludedStackArns}"
              }
      Role: !GetAtt TriggerCloudFormationDriftDetectionRole.Arn
      MemorySize: 256
      Timeout: 300
      Tags:
        Name: triggerCloudFormationDriftDetection
  # Explicit log group so retention can be controlled via LogRetentionDays.
  TriggerCloudFormationDriftDetectionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "/aws/lambda/${TriggerCloudFormationDriftDetection}"
      RetentionInDays: !Ref LogRetentionDays