{
 "Description": "(SO0111J) Automated Security Response on AWS Jira Blueprint Stack, v3.1.5",
 "AWSTemplateFormatVersion": "2010-09-09",
 "Metadata": {
  "AWS::CloudFormation::Interface": {
   "ParameterGroups": [
    {
     "Label": {
      "default": "Jira Project Information"
     },
     "Parameters": [
      "InstanceURI",
      "JiraProjectKey"
     ]
    },
    {
     "Label": {
      "default": "Jira API Credentials"
     },
     "Parameters": [
      "SecretArn"
     ]
    }
   ]
  }
 },
 "Parameters": {
  "InstanceURI": {
   "Type": "String",
   "AllowedPattern": "^https:\\/\\/.+\\.atlassian\\.net$",
   "Description": "The URI of your Jira instance. For example: https://my-jira-instance.atlassian.net"
  },
  "SecretArn": {
   "Type": "String",
   "AllowedPattern": "^arn:(?:aws|aws-cn|aws-us-gov):secretsmanager:(?:[a-z]{2}(?:-gov)?-[a-z]+-\\d):\\d{12}:secret:.+$",
   "Description": "The ARN of the Secrets Manager secret where you have stored your API credentials. This must be a JSON secret with the following keys: Username, Password."
  },
  "JiraProjectKey": {
   "Type": "String",
   "Description": "The key of your Jira project where tickets will be created."
  }
 },
 "Resources": {
  "TicketGeneratorPolicyJira9E5DAA96": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "secretsmanager:GetSecretValue",
       "Effect": "Allow",
       "Resource": {
        "Ref": "SecretArn"
       }
      },
      {
       "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":logs:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":log-group:*:log-stream:*"
         ]
        ]
       }
      },
      {
       "Action": "logs:CreateLogGroup",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":logs:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":log-group:*"
         ]
        ]
       }
      },
      {
       "Action": "organizations:DescribeAccount",
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "TicketGeneratorPolicyJira9E5DAA96",
    "Roles": [
     {
      "Ref": "TicketGeneratorRoleJira07D9B356"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to create CloudWatch logs."
      }
     ]
    }
   }
  },
  "TicketGeneratorRoleJira07D9B356": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "lambda.amazonaws.com"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "Description": "Lambda role created by automated-security-response-on-aws to grant permissions to the JiraTicketGenerator Lambda.",
    "Tags": [
     {
      "Key": "Solutions:SolutionID",
      "Value": "SO0111"
     },
     {
      "Key": "Solutions:SolutionName",
      "Value": "automated-security-response-on-aws"
     },
     {
      "Key": "Solutions:SolutionVersion",
      "Value": "v3.1.5"
     }
    ]
   }
  },
  "TicketGeneratorRoleJiraDefaultPolicy7C042A1B": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "xray:PutTraceSegments",
        "xray:PutTelemetryRecords"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "TicketGeneratorRoleJiraDefaultPolicy7C042A1B",
    "Roles": [
     {
      "Ref": "TicketGeneratorRoleJira07D9B356"
     }
    ]
   }
  },
  "ASRBlueprintLayerJira1FC744E7": {
   "Type": "AWS::Lambda::LayerVersion",
   "Properties": {
    "CompatibleRuntimes": [
     "python3.11"
    ],
    "Content": {
     "S3Bucket": {
      "Fn::Join": [
       "",
       [
        "solutions-",
        {
         "Ref": "AWS::Region"
        }
       ]
      ]
     },
     "S3Key": "automated-security-response-on-aws/v3.1.5/lambda/blueprints/python-38f69d53.zip"
    },
    "Description": "Layer created by automated-security-response-on-aws to package dependencies necessary for Blueprint ticket generator functions.",
    "LicenseInfo": "https://www.apache.org/licenses/LICENSE-2.0"
   }
  },
  "TicketGeneratorLogsJira2EE6F401": {
   "Type": "AWS::Logs::LogGroup",
   "Properties": {
    "LogGroupName": "/aws/lambda/SO0111-ASR-Jira-TicketGenerator",
    "RetentionInDays": 3653,
    "Tags": [
     {
      "Key": "Solutions:SolutionID",
      "Value": "SO0111"
     },
     {
      "Key": "Solutions:SolutionName",
      "Value": "automated-security-response-on-aws"
     },
     {
      "Key": "Solutions:SolutionVersion",
      "Value": "v3.1.5"
     }
    ]
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "guard": {
     "SuppressedRules": [
      "CLOUDWATCH_LOG_GROUP_ENCRYPTED"
     ]
    }
   }
  },
  "JiraTicketGenerator1415A6A6": {
   "Type": "AWS::Lambda::Function",
   "Properties": {
    "Code": {
     "S3Bucket": {
      "Fn::Join": [
       "",
       [
        "solutions-",
        {
         "Ref": "AWS::Region"
        }
       ]
      ]
     },
     "S3Key": "automated-security-response-on-aws/v3.1.5/lambda/blueprints/jira_ticket_generator-dc476a5b.zip"
    },
    "Description": "Creates a ticket in the provided Jira project with remediation details.",
    "Environment": {
     "Variables": {
      "POWERTOOLS_LOG_LEVEL": "INFO",
      "POWERTOOLS_SERVICE_NAME": "jira_ticket_generator",
      "POWERTOOLS_LOGGER_LOG_EVENT": "false",
      "POWERTOOLS_TRACER_CAPTURE_RESPONSE": "true",
      "POWERTOOLS_TRACER_CAPTURE_ERROR": "true",
      "SOLUTION_ID": "SO0111",
      "INSTANCE_URI": {
       "Ref": "InstanceURI"
      },
      "PROJECT_NAME": {
       "Ref": "JiraProjectKey"
      },
      "SECRET_ARN": {
       "Ref": "SecretArn"
      },
      "AWS_ACCOUNT_ID": {
       "Ref": "AWS::AccountId"
      },
      "STACK_ID": {
       "Ref": "AWS::StackId"
      },
      "DISABLE_ACCOUNT_ALIAS_LOOKUP": "false",
      "SECRETS_CACHE_TTL_SECONDS": "300"
     }
    },
    "FunctionName": "SO0111-ASR-Jira-TicketGenerator",
    "Handler": "jira_ticket_generator.lambda_handler",
    "Layers": [
     {
      "Ref": "ASRBlueprintLayerJira1FC744E7"
     }
    ],
    "MemorySize": 256,
    "ReservedConcurrentExecutions": 2,
    "Role": {
     "Fn::GetAtt": [
      "TicketGeneratorRoleJira07D9B356",
      "Arn"
     ]
    },
    "Runtime": "python3.11",
    "Tags": [
     {
      "Key": "Solutions:SolutionID",
      "Value": "SO0111"
     },
     {
      "Key": "Solutions:SolutionName",
      "Value": "automated-security-response-on-aws"
     },
     {
      "Key": "Solutions:SolutionVersion",
      "Value": "v3.1.5"
     }
    ],
    "Timeout": 15,
    "TracingConfig": {
     "Mode": "Active"
    }
   },
   "DependsOn": [
    "TicketGeneratorRoleJiraDefaultPolicy7C042A1B",
    "TicketGeneratorRoleJira07D9B356"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W58",
        "reason": "False positive. Access is provided via a policy."
      },
      {
       "id": "W89",
        "reason": "There is no need to run this Lambda in a VPC."
      },
      {
       "id": "W92",
        "reason": "There is no need for Reserved Concurrency."
      }
     ]
    }
   }
  }
 },
 "Outputs": {
  "TicketGeneratorLambdaFunction": {
    "Description": "ARN of the ticket generator Lambda function.",
   "Value": {
    "Fn::GetAtt": [
     "JiraTicketGenerator1415A6A6",
     "Arn"
    ]
   }
  }
 }
}