{
 "Description": "(SO8025-rds) - Centralized Logging with OpenSearch - RDS Log Analysis Pipeline Template - Version v2.4.10",
 "Metadata": {
  "AWS::CloudFormation::Interface": {
   "ParameterGroups": [
    {
     "Label": {
      "default": "Source Information"
     },
     "Parameters": [
      "logBucketName",
      "logBucketPrefix",
      "logSourceAccountId",
      "logSourceRegion",
      "logSourceAccountAssumeRole",
      "defaultCmkArnParam",
      "pipelineTableArn"
     ]
    },
    {
     "Label": {
      "default": "Backup Settings"
     },
     "Parameters": [
      "backupBucketName"
     ]
    },
    {
     "Label": {
      "default": "Destination Information"
     },
     "Parameters": [
      "engineType",
      "domainName",
      "endpoint",
      "indexPrefix",
      "createDashboard"
     ]
    },
    {
     "Label": {
      "default": "Network Information"
     },
     "Parameters": [
      "vpcId",
      "subnetIds",
      "securityGroupId"
     ]
    },
    {
     "Label": {
      "default": "Advanced Options"
     },
     "Parameters": [
      "shardNumbers",
      "replicaNumbers",
      "warmAge",
      "coldAge",
      "retainAge",
      "rolloverSize",
      "indexSuffix",
      "codec",
      "refreshInterval"
     ]
    }
   ],
   "ParameterLabels": {
    "engineType": {
     "default": "Engine Type"
    },
    "endpoint": {
     "default": "OpenSearch Endpoint"
    },
    "domainName": {
     "default": "OpenSearch Domain Name"
    },
    "vpcId": {
     "default": "VPC ID"
    },
    "subnetIds": {
     "default": "Subnet IDs"
    },
    "securityGroupId": {
     "default": "Security Group ID"
    },
    "indexPrefix": {
     "default": "Index Prefix"
    },
    "indexSuffix": {
     "default": "Index Suffix"
    },
    "createDashboard": {
     "default": "Create Sample Dashboard"
    },
    "warmAge": {
     "default": "Age to Warm Storage"
    },
    "coldAge": {
     "default": "Age to Cold Storage"
    },
    "retainAge": {
     "default": "Age to Retain"
    },
    "rolloverSize": {
     "default": "Rollover Index Size"
    },
    "codec": {
     "default": "Compression Type"
    },
    "refreshInterval": {
     "default": "Refresh Interval"
    },
    "shardNumbers": {
     "default": "Number Of Shards"
    },
    "replicaNumbers": {
     "default": "Number of Replicas"
    },
    "logSourceAccountId": {
     "default": "Log Source Account ID"
    },
    "logSourceRegion": {
     "default": "Log Source Region"
    },
    "logSourceAccountAssumeRole": {
     "default": "Log Source Account Assume Role"
    },
    "logProcessorConcurrency": {
     "default": "Number Of Reserve Concurrency"
    },
    "backupBucketName": {
     "default": "S3 Backup Bucket"
    },
    "logBucketName": {
     "default": "Log Bucket Name"
    },
    "logBucketPrefix": {
     "default": "Log Bucket Prefix"
    },
    "defaultCmkArnParam": {
     "default": "KMS-CMK ARN"
    },
    "pipelineTableArn": {
     "default": "Enable OpenSearch Ingestion as processor"
    }
   }
  },
  "cdk_nag": {
   "rules_to_suppress": [
    {
     "reason": "The managed policy needs to use any resources.",
     "id": "AwsSolutions-IAM5"
    },
    {
     "reason": "The BucketNotificationsHandler lambda is an internal CDK lambda needed to apply bucket notification configurations.",
     "id": "AwsSolutions-IAM4"
    },
    {
     "reason": "the lambda 3.9 runtime we use is the latest version",
     "id": "AwsSolutions-L1"
    }
   ]
  }
 },
 "Parameters": {
  "engineType": {
   "Type": "String",
   "Default": "OpenSearch",
   "AllowedValues": [
    "OpenSearch"
   ],
   "Description": "The engine type of the OpenSearch. Select OpenSearch or Elasticsearch."
  },
  "endpoint": {
   "Type": "String",
   "Default": "",
   "Description": "The OpenSearch endpoint URL. e.g. vpc-your_opensearch_domain_name-xcvgw6uu2o6zafsiefxubwuohe.us-east-1.es.amazonaws.com"
  },
  "domainName": {
   "Type": "String",
   "Default": "",
   "Description": "The domain name of the Amazon OpenSearch cluster."
  },
  "vpcId": {
   "Type": "AWS::EC2::VPC::Id",
   "Description": "Select a VPC which has access to the OpenSearch domain. The log processing Lambda will reside in the selected VPC."
  },
  "subnetIds": {
   "Type": "List<AWS::EC2::Subnet::Id>",
   "Description": "Select at least two subnets which have access to the OpenSearch domain and Amazon S3 service."
  },
  "securityGroupId": {
   "Type": "AWS::EC2::SecurityGroup::Id",
   "Description": "Select a Security Group which will be associated to the log processing Lambda. Please make sure the Security Group has access to the OpenSearch domain."
  },
  "indexPrefix": {
   "Type": "String",
   "Default": "",
   "Description": "The common prefix of OpenSearch index for the log. The index name will be <Index Prefix>-rds-<YYYY-MM-DD>."
  },
  "indexSuffix": {
   "Type": "String",
   "Default": "yyyy-MM-dd",
   "AllowedValues": [
    "yyyy-MM-dd",
    "yyyy-MM-dd-HH",
    "yyyy-MM",
    "yyyy"
   ],
   "Description": "The common suffix format of OpenSearch index for the log(Example: yyyy-MM-dd, yyyy-MM-dd-HH). The index name will be <Index Prefix>-rds-<Index Suffix>-000001."
  },
  "createDashboard": {
   "Type": "String",
   "Default": "Yes",
   "AllowedValues": [
    "Yes",
    "No"
   ],
   "Description": "Whether to create a sample OpenSearch dashboard."
  },
  "warmAge": {
   "Type": "String",
   "Default": "",
   "Description": "The age required to move the index into warm storage (e.g. 7d). Index age is the time between its creation and the present. Supported units are d (days) and h (hours). This is only effective when warm storage is enabled in OpenSearch."
  },
  "coldAge": {
   "Type": "String",
   "Default": "",
   "Description": "The age required to move the index into cold storage (e.g. 30d). Index age is the time between its creation and the present. Supported units are d (days) and h (hours). This is only effective when cold storage is enabled in OpenSearch."
  },
  "retainAge": {
   "Type": "String",
   "Default": "",
   "Description": "The age to retain the index (e.g. 180d). Index age is the time between its creation and the present. Supported units are d (days) and h (hours). If value is \"\", the index will not be deleted."
  },
  "rolloverSize": {
   "Type": "String",
   "Default": "",
   "Description": "The minimum size of the shard storage required to roll over the index (e.g. 30GB)"
  },
  "codec": {
   "Type": "String",
   "Default": "best_compression",
   "AllowedValues": [
    "default",
    "best_compression"
   ],
   "Description": "The compression type to use to compress stored data. Available values are best_compression and default."
  },
  "refreshInterval": {
   "Type": "String",
   "Default": "1s",
   "Description": "How often the index should refresh, which publishes its most recent changes and makes them available for searching. Can be set to -1 to disable refreshing. Default is 1s."
  },
  "shardNumbers": {
   "Type": "Number",
   "Default": 5,
   "Description": "Number of shards to distribute the index evenly across all data nodes, keep the size of each shard between 10–50 GiB"
  },
  "replicaNumbers": {
   "Type": "Number",
   "Default": 1,
   "Description": "Number of replicas for OpenSearch Index. Each replica is a full copy of an index."
  },
  "logSourceAccountId": {
   "Type": "String",
   "Description": "Account ID of the S3 bucket which stores the RDS logs. If the source is in the current account, please leave it blank."
  },
  "logSourceRegion": {
   "Type": "String",
   "Description": "Region code of the S3 bucket which stores the RDS logs, e.g. us-east-1"
  },
  "logSourceAccountAssumeRole": {
   "Type": "String",
   "Description": "The Cross Account Role which is in the log agent CloudFormation output. If the source is in the current account, please leave it blank."
  },
  "logProcessorConcurrency": {
   "Type": "Number",
   "Default": 0,
   "Description": "Reserve concurrency for log processor lambda"
  },
  "backupBucketName": {
   "Type": "String",
   "AllowedPattern": ".+",
   "ConstraintDescription": "Failed ingestion log S3 Bucket must not be empty",
   "Description": "The S3 backup bucket name to store the failed ingestion logs."
  },
  "logBucketName": {
   "Type": "String",
   "AllowedPattern": ".+",
   "ConstraintDescription": "Log S3 Bucket must not be empty",
   "Description": "The S3 bucket name which stores the RDS logs."
  },
  "logBucketPrefix": {
   "Type": "String",
   "Default": "",
   "Description": "The S3 bucket path prefix which stores the RDS logs."
  },
  "defaultCmkArnParam": {
   "Type": "String",
   "Description": "The KMS-CMK Arn for SQS encryption. Leave empty to create a new KMS CMK."
  },
  "pipelineTableArn": {
   "Type": "String",
   "Default": "",
   "Description": "Ingestion table Arn. Leave empty if you do not use OSI as Processor."
  },
  "rolloverIdx": {
   "Type": "String",
   "Default": "1",
   "AllowedValues": [
    "0",
    "1"
   ],
   "Description": "Whether or not to trigger a job with a rollover index. 0: this job will be triggered. 1: this job has already been done."
  },
  "logProcessorRoleName": {
   "Type": "String",
   "Default": "",
   "Description": "Specify a role name for the log processor. The name should NOT duplicate an existing role name. If no name is specified, a random name is generated. (Optional)"
  },
  "enableS3Notification": {
   "Type": "String",
   "Default": "True",
   "AllowedValues": [
    "True",
    "False"
   ],
   "Description": "A binary option is available to enable or disable notifications for Amazon S3 buckets. The default option is recommended for most cases."
  },
  "queueName": {
   "Type": "String",
   "Default": "",
   "Description": "Specify a queue name for the SQS queue. The name should NOT duplicate an existing queue name. If no name is given, a random name will be generated. (Optional)"
  },
  "dbIdentifier": {
   "Type": "String",
   "Description": "The identifier of the database."
  },
  "RDSLogs2S3MicroBatchStackNameParameter4A1BE307": {
   "Type": "AWS::SSM::Parameter::Value<String>",
   "Default": "/MicroBatch/StackName"
  },
  "RDSLogs2S3SSMLambdaUtilsLayerArnParameterAB5C446F": {
   "Type": "AWS::SSM::Parameter::Value<String>",
   "Default": "/MicroBatch/LambdaUtilsLayerArn"
  }
 },
 "Conditions": {
  "InitStackisCN7F1C4E76": {
   "Fn::Equals": [
    {
     "Ref": "AWS::Partition"
    },
    "aws-cn"
   ]
  },
  "InitStackisLogProcessorConcurrencyZeroFC5546AB": {
   "Fn::Equals": [
    {
     "Ref": "logProcessorConcurrency"
    },
    0
   ]
  },
  "InitStackhasBackupBucketF0C2ACD7": {
   "Fn::Not": [
    {
     "Fn::Equals": [
      {
       "Ref": "backupBucketName"
      },
      ""
     ]
    }
   ]
  },
  "LogPipelineHasLogProcessorRoleName4727E427": {
   "Fn::Not": [
    {
     "Fn::Equals": [
      {
       "Ref": "logProcessorRoleName"
      },
      ""
     ]
    }
   ]
  },
  "LogPipelineshouldEnableS3NotificationC1F7DC03": {
   "Fn::Equals": [
    {
     "Ref": "enableS3Notification"
    },
    "True"
   ]
  },
  "LogPipelineIsCrossAccount99CEA698": {
   "Fn::Not": [
    {
     "Fn::Equals": [
      "",
      ""
     ]
    }
   ]
  },
  "LogPipelineHasPrefixAndSuffix1FB5DD56": {
   "Fn::And": [
    {
     "Fn::Not": [
      {
       "Fn::Equals": [
        {
         "Ref": "logBucketPrefix"
        },
        ""
       ]
      }
     ]
    },
    {
     "Fn::Not": [
      {
       "Fn::Equals": [
        "",
        ""
       ]
      }
     ]
    }
   ]
  },
  "RDSLogs2S3IsCrossAccount9B82E004": {
   "Fn::Not": [
    {
     "Fn::Equals": [
      {
       "Ref": "logSourceAccountAssumeRole"
      },
      ""
     ]
    }
   ]
  },
  "AWSCNCondition": {
   "Fn::Equals": [
    "aws-cn",
    {
     "Ref": "AWS::Partition"
    }
   ]
  },
  "CDKMetadataAvailable": {
   "Fn::Or": [
    {
     "Fn::Or": [
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "af-south-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ap-east-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ap-northeast-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ap-northeast-2"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ap-northeast-3"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ap-south-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ap-south-2"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ap-southeast-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ap-southeast-2"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ap-southeast-3"
       ]
      }
     ]
    },
    {
     "Fn::Or": [
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ap-southeast-4"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ca-central-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ca-west-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "cn-north-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "cn-northwest-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "eu-central-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "eu-central-2"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "eu-north-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "eu-south-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "eu-south-2"
       ]
      }
     ]
    },
    {
     "Fn::Or": [
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "eu-west-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "eu-west-2"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "eu-west-3"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "il-central-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "me-central-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "me-south-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "sa-east-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "us-east-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "us-east-2"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "us-west-1"
       ]
      }
     ]
    },
    {
     "Fn::Equals": [
      {
       "Ref": "AWS::Region"
      },
      "us-west-2"
     ]
    }
   ]
  }
 },
 "Resources": {
  "InitStackOpenSearchLogProcessPolicy27F7F7AB": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeNetworkInterfaces"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "es:ESHttpGet",
        "es:ESHttpDelete",
        "es:ESHttpPatch",
        "es:ESHttpPost",
        "es:ESHttpPut",
        "es:ESHttpHead",
        "es:DescribeElasticsearchDomainConfig",
        "es:UpdateElasticsearchDomainConfig"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":es:",
          {
           "Ref": "AWS::Region"
          },
          ":",
          {
           "Ref": "AWS::AccountId"
          },
          ":*"
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": {
     "Fn::Join": [
      "",
      [
       {
        "Ref": "AWS::StackName"
       },
       "-osLogProcessPolicy"
      ]
     ]
    },
    "Roles": [
     {
      "Ref": "InitStackLogProcessorFnServiceRole8BE33452"
     }
    ]
   },
   "Metadata": {
    "aws:cdk:path": "RDSLog/InitStack/OpenSearchLogProcessPolicy/Resource",
    "cdk_nag": {
     "rules_to_suppress": [
      {
       "reason": "The managed policy needs to use any resources.",
       "id": "AwsSolutions-IAM5"
      }
     ]
    }
   }
  },
  "InitStackLogProcessorLayer7FE8A791": {
   "Type": "AWS::Lambda::LayerVersion",
   "Properties": {
    "CompatibleRuntimes": [
     "python3.11"
    ],
    "Content": {
     "S3Bucket": {
      "Fn::Sub": "solutions-${AWS::Region}"
     },
     "S3Key": "centralized-logging-with-opensearch/v2.4.10/a5c8487a3516a9455ff7119734ccb04b487a8ac29f8dd128b7d6a2295bebd210.zip"
    },
    "Description": "Default Lambda layer for Log Pipeline"
   },
   "Metadata": {
    "aws:cdk:path": "RDSLog/InitStack/LogProcessorLayer/Resource",
    "aws:asset:path": "asset.a5c8487a3516a9455ff7119734ccb04b487a8ac29f8dd128b7d6a2295bebd210",
    "aws:asset:is-bundled": true,
    "aws:asset:property": "Content"
   }
  },
  "InitStackDLQ0DC13197": {
   "Type": "AWS::SQS::Queue",
   "Properties": {
    "KmsMasterKeyId": "alias/aws/sqs",
    "MessageRetentionPeriod": 604800,
    "VisibilityTimeout": 900
   },
   "UpdateReplacePolicy": "Delete",
   "DeletionPolicy": "Delete",
   "Metadata": {
    "aws:cdk:path": "RDSLog/InitStack/DLQ/Resource",
    "cdk_nag": {
     "rules_to_suppress": [
      {
       "reason": "it is a DLQ",
       "id": "AwsSolutions-SQS3"
      }
     ]
    }
   }
  },
  "InitStackDLQPolicyC675E873": {
   "Type": "AWS::SQS::QueuePolicy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "sqs:*",
       "Condition": {
        "Bool": {
         "aws:SecureTransport": "false"
        }
       },
       "Effect": "Deny",
       "Principal": {
        "AWS": "*"
       },
       "Resource": {
        "Fn::GetAtt": [
         "InitStackDLQ0DC13197",
         "Arn"
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "Queues": [
     {
      "Ref": "InitStackDLQ0DC13197"
     }
    ]
   },
   "Metadata": {
    "aws:cdk:path": "RDSLog/InitStack/DLQ/Policy/Resource"
   }
  },
  "InitStackLogProcessorFnServiceRole8BE33452": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "lambda.amazonaws.com"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "ManagedPolicyArns": [
     {
      "Fn::Join": [
       "",
       [
        "arn:",
        {
         "Ref": "AWS::Partition"
        },
        ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
       ]
      ]
     },
     {
      "Fn::Join": [
       "",
       [
        "arn:",
        {
         "Ref": "AWS::Partition"
        },
        ":iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
       ]
      ]
     }
    ],
    "RoleName": {
     "Fn::If": [
      "LogPipelineHasLogProcessorRoleName4727E427",
      {
       "Ref": "logProcessorRoleName"
      },
      {
       "Ref": "AWS::NoValue"
      }
     ]
    }
   },
   "Metadata": {
    "aws:cdk:path": "RDSLog/InitStack/LogProcessorFn/ServiceRole/Resource",
    "cdk_nag": {
     "rules_to_suppress": [
      {
       "reason": "The managed policy needs to use any resources.",
       "id": "AwsSolutions-IAM5"
      }
     ]
    },
    "guard": {
     "SuppressedRules": [
      "CFN_NO_EXPLICIT_RESOURCE_NAMES"
     ]
    }
   }
  },
  "InitStackLogProcessorFnServiceRoleDefaultPolicyFAAAD16B": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "sqs:SendMessage",
       "Effect": "Allow",
       "Resource": {
        "Fn::GetAtt": [
         "InitStackDLQ0DC13197",
         "Arn"
        ]
       }
      },
      {
       "Action": [
        "lambda:UpdateFunctionConfiguration",
        "lambda:GetFunctionConfiguration"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":lambda:",
          {
           "Ref": "AWS::Region"
          },
          ":",
          {
           "Ref": "AWS::AccountId"
          },
          ":function:",
          {
           "Ref": "AWS::StackName"
          },
          "-LogProcessorFn"
         ]
        ]
       }
      },
      {
       "Action": [
        "kms:DescribeCustomKeyStores",
        "kms:Decrypt",
        "kms:DescribeKey"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":kms:",
          {
           "Ref": "AWS::Region"
          },
          ":",
          {
           "Ref": "AWS::AccountId"
          },
          ":key/*"
         ]
        ]
       }
      },
      {
       "Action": [
        "s3:GetObject*",
        "s3:GetBucket*",
        "s3:List*"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":s3:::",
           {
            "Ref": "logBucketName"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":s3:::",
           {
            "Ref": "logBucketName"
           },
           "/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":logs:",
           {
            "Ref": "AWS::Region"
           },
           ":",
           {
            "Ref": "AWS::AccountId"
           },
           ":*"
          ]
         ]
        },
        {
         "Fn::If": [
          "LogPipelineIsCrossAccount99CEA698",
          "",
          {
           "Ref": "AWS::NoValue"
          }
         ]
        }
       ]
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "InitStackLogProcessorFnServiceRoleDefaultPolicyFAAAD16B",
    "Roles": [
     {
      "Ref": "InitStackLogProcessorFnServiceRole8BE33452"
     }
    ]
   },
   "Metadata": {
    "aws:cdk:path": "RDSLog/InitStack/LogProcessorFn/ServiceRole/DefaultPolicy/Resource",
    "cdk_nag": {
     "rules_to_suppress": [
      {
       "reason": "The managed policy needs to use any resources.",
       "id": "AwsSolutions-IAM5"
      }
     ]
    }
   }
  },
  "InitStackLogProcessorFn61B8449C": {
   "Type": "AWS::Lambda::Function",
   "Properties": {
    "Code": {
     "S3Bucket": {
      "Fn::Sub": "solutions-${AWS::Region}"
     },
     "S3Key": "centralized-logging-with-opensearch/v2.4.10/9084181d9a2aa901a3a8ffea739c4f13f075b8515d528b1a2245c425b501079c.zip"
    },
    "DeadLetterConfig": {
     "TargetArn": {
      "Fn::GetAtt": [
       "InitStackDLQ0DC13197",
       "Arn"
      ]
     }
    },
    "Description": {
     "Fn::Join": [
      "",
      [
       {
        "Ref": "AWS::StackName"
       },
       " - Function to process and load RDS logs into OpenSearch"
      ]
     ]
    },
    "Environment": {
     "Variables": {
      "ENDPOINT": {
       "Ref": "endpoint"
      },
      "ENGINE": {
       "Ref": "engineType"
      },
      "DOMAIN_NAME": {
       "Ref": "domainName"
      },
      "CREATE_DASHBOARD": {
       "Ref": "createDashboard"
      },
      "ROLE_ARN": {
       "Fn::GetAtt": [
        "InitStackLogProcessorFnServiceRole8BE33452",
        "Arn"
       ]
      },
      "STACK_PREFIX": "CL",
      "LOG_TYPE": "RDS",
      "INDEX_PREFIX": {
       "Ref": "indexPrefix"
      },
      "WARM_AGE": {
       "Ref": "warmAge"
      },
      "COLD_AGE": {
       "Ref": "coldAge"
      },
      "RETAIN_AGE": {
       "Ref": "retainAge"
      },
      "ROLLOVER_SIZE": {
       "Ref": "rolloverSize"
      },
      "INDEX_SUFFIX": {
       "Ref": "indexSuffix"
      },
      "CODEC": {
       "Ref": "codec"
      },
      "REFRESH_INTERVAL": {
       "Ref": "refreshInterval"
      },
      "NUMBER_OF_SHARDS": {
       "Ref": "shardNumbers"
      },
      "NUMBER_OF_REPLICAS": {
       "Ref": "replicaNumbers"
      },
      "SOLUTION_VERSION": "v2.4.10",
      "SOLUTION_ID": "SO8025",
      "INDEX_TEMPLATE_GZIP_BASE64": "",
      "STACK_NAME": {
       "Ref": "AWS::StackName"
      },
      "LOG_BUCKET_NAME": {
       "Ref": "logBucketName"
      },
      "BACKUP_BUCKET_NAME": {
       "Ref": "backupBucketName"
      },
      "PLUGINS": "",
      "LOG_SOURCE_ACCOUNT_ID": {
       "Ref": "logSourceAccountId"
      },
      "LOG_SOURCE_REGION": {
       "Ref": "logSourceRegion"
      },
      "LOG_SOURCE_ACCOUNT_ASSUME_ROLE": "",
      "INIT_MASTER_ROLE_JOB": "0",
      "INIT_ISM_JOB": "0",
      "INIT_TEMPLATE_JOB": "0",
      "INIT_DASHBOARD_JOB": "0",
      "INIT_ALIAS_JOB": "0",
      "INIT_INDEX_PATTERN_JOB": "0",
      "ROLLOVER_INDEX_JOB": {
       "Ref": "rolloverIdx"
      },
      "CONFIG_JSON": "",
      "SUB_CATEGORY": "S3",
      "BULK_BATCH_SIZE": "10000",
      "FUNCTION_NAME": {
       "Fn::Join": [
        "",
        [
         {
          "Ref": "AWS::StackName"
         },
         "-LogProcessorFn"
        ]
       ]
      },
      "SOURCE": "EVENT_BRIDGE",
      "WRITE_IDX_DATA": "True",
      "NO_BUFFER_ACCESS_ROLE_ARN": "",
      "POWERTOOLS_LOG_LEVEL": "ERROR"
     }
    },
    "FunctionName": {
     "Fn::Join": [
      "",
      [
       {
        "Ref": "AWS::StackName"
       },
       "-LogProcessorFn"
      ]
     ]
    },
    "Handler": "lambda_function.lambda_handler",
    "Layers": [
     {
      "Ref": "SharedPythonLayer40DE0AAD"
     },
     {
      "Ref": "InitStackLogProcessorLayer7FE8A791"
     }
    ],
    "MemorySize": 1024,
    "ReservedConcurrentExecutions": {
     "Fn::If": [
      "InitStackisLogProcessorConcurrencyZeroFC5546AB",
      {
       "Ref": "AWS::NoValue"
      },
      {
       "Ref": "logProcessorConcurrency"
      }
     ]
    },
    "Role": {
     "Fn::GetAtt": [
      "InitStackLogProcessorFnServiceRole8BE33452",
      "Arn"
     ]
    },
    "Runtime": "python3.11",
    "Timeout": 900,
    "VpcConfig": {
     "SecurityGroupIds": [
      {
       "Ref": "securityGroupId"
      }
     ],
     "SubnetIds": {
      "Ref": "subnetIds"
     }
    }
   },
   "DependsOn": [
    "InitStackLogProcessorFnServiceRoleDefaultPolicyFAAAD16B",
    "InitStackLogProcessorFnServiceRole8BE33452"
   ],
   "Metadata": {
    "aws:cdk:path": "RDSLog/InitStack/LogProcessorFn/Resource",
    "aws:asset:path": "asset.9084181d9a2aa901a3a8ffea739c4f13f075b8515d528b1a2245c425b501079c",
    "aws:asset:is-bundled": false,
    "aws:asset:property": "Code",
    "cdk_nag": {
     "rules_to_suppress": [
      {
       "reason": "The managed policy needs to use any resources.",
       "id": "AwsSolutions-IAM5"
      }
     ]
    },
    "guard": {
     "SuppressedRules": [
      "LAMBDA_INSIDE_VPC",
      "LAMBDA_CONCURRENCY_CHECK"
     ]
    }
   }
  },
  "InitStacklogProcessorBackupBucketPolicy94642A63": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "s3:DeleteObject*",
        "s3:PutObject",
        "s3:PutObjectLegalHold",
        "s3:PutObjectRetention",
        "s3:PutObjectTagging",
        "s3:PutObjectVersionTagging",
        "s3:Abort*"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":s3:::",
           {
            "Ref": "backupBucketName"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":s3:::",
           {
            "Ref": "backupBucketName"
           },
           "/*"
          ]
         ]
        }
       ]
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": {
     "Fn::Join": [
      "",
      [
       {
        "Ref": "AWS::StackName"
       },
       "-backupBucketPolicy"
      ]
     ]
    },
    "Roles": [
     {
      "Ref": "InitStackLogProcessorFnServiceRole8BE33452"
     }
    ]
   },
   "Metadata": {
    "aws:cdk:path": "RDSLog/InitStack/logProcessorBackupBucketPolicy/Resource"
   },
   "Condition": "InitStackhasBackupBucketF0C2ACD7"
  },
  "SharedPythonLayer40DE0AAD": {
   "Type": "AWS::Lambda::LayerVersion",
   "Properties": {
    "CompatibleArchitectures": [
     "x86_64"
    ],
    "CompatibleRuntimes": [
     "python3.11"
    ],
    "Content": {
     "S3Bucket": {
      "Fn::Sub": "solutions-${AWS::Region}"
     },
     "S3Key": "centralized-logging-with-opensearch/v2.4.10/7d496d348ec407fd35921460679af08665e998f3a6c2cfac7ae2df023920dac3.zip"
    },
    "Description": {
     "Fn::Join": [
      "",
      [
       {
        "Ref": "AWS::StackName"
       },
       " - Shared python layer"
      ]
     ]
    }
   },
   "Metadata": {
    "aws:cdk:path": "RDSLog/SharedPythonLayer/Resource",
    "aws:asset:path": "asset.7d496d348ec407fd35921460679af08665e998f3a6c2cfac7ae2df023920dac3",
    "aws:asset:is-bundled": true,
    "aws:asset:property": "Content"
   }
  },
  "LogPipelineLogProcessorFnLogGroup81D4A0D8": {
   "Type": "AWS::Logs::LogGroup",
   "Properties": {
    "LogGroupName": {
     "Fn::Join": [
      "",
      [
       "/aws/lambda/",
       {
        "Ref": "AWS::StackName"
       },
       "-LogProcessorFn"
      ]
     ]
    },
    "RetentionInDays": 731
   },
   "UpdateReplacePolicy": "Delete",
   "DeletionPolicy": "Delete",
   "Metadata": {
    "aws:cdk:path": "RDSLog/LogPipeline/LogProcessorFnLogGroup/Resource",
    "guard": {
     "SuppressedRules": [
      "CLOUDWATCH_LOG_GROUP_ENCRYPTED"
     ]
    }
   }
  },
  "LogPipelineLogEventDLQ250636E4": {
   "Type": "AWS::SQS::Queue",
   "Properties": {
    "KmsMasterKeyId": "alias/aws/sqs",
    "MessageRetentionPeriod": 604800,
    "VisibilityTimeout": 900
   },
   "UpdateReplacePolicy": "Delete",
   "DeletionPolicy": "Delete",
   "Metadata": {
    "aws:cdk:path": "RDSLog/LogPipeline/LogEventDLQ/Resource",
    "cdk_nag": {
     "rules_to_suppress": [
      {
       "reason": "it is a DLQ",
       "id": "AwsSolutions-SQS3"
      }
     ]
    }
   }
  },
  "LogPipelineLogEventDLQPolicy2A5E205F": {
   "Type": "AWS::SQS::QueuePolicy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "sqs:*",
       "Condition": {
        "Bool": {
         "aws:SecureTransport": "false"
        }
       },
       "Effect": "Deny",
       "Principal": {
        "AWS": "*"
       },
       "Resource": {
        "Fn::GetAtt": [
         "LogPipelineLogEventDLQ250636E4",
         "Arn"
        ]
       }
      },
      {
       "Action": "sqs:SendMessage",
       "Condition": {
        "ArnEquals": {
         "aws:SourceArn": {
          "Fn::GetAtt": [
           "LogPipelineS3EventTrigger7B750104",
           "Arn"
          ]
         }
        }
       },
       "Effect": "Allow",
       "Principal": {
        "Service": "events.amazonaws.com"
       },
       "Resource": {
        "Fn::GetAtt": [
         "LogPipelineLogEventDLQ250636E4",
         "Arn"
        ]
       },
       "Sid": "AllowEventRuleRDSLogLogPipelineS3EventTrigger9F95F31A"
      }
     ],
     "Version": "2012-10-17"
    },
    "Queues": [
     {
      "Ref": "LogPipelineLogEventDLQ250636E4"
     }
    ]
   },
   "Metadata": {
    "aws:cdk:path": "RDSLog/LogPipeline/LogEventDLQ/Policy/Resource"
   }
  },
  "LogPipelineS3EventTrigger7B750104": {
   "Type": "AWS::Events::Rule",
   "Properties": {
    "EventPattern": {
     "source": [
      {
       "Fn::If": [
        "LogPipelineshouldEnableS3NotificationC1F7DC03",
        "aws.s3",
        {
         "Ref": "AWS::NoValue"
        }
       ]
      },
      "clo.aws.s3"
     ],
     "detail-type": [
      "Object Created"
     ],
     "detail": {
      "bucket": {
       "name": [
        {
         "Ref": "logBucketName"
        }
       ]
      },
      "object": {
       "key": {
        "Fn::If": [
         "LogPipelineHasPrefixAndSuffix1FB5DD56",
         [
          {
           "wildcard": {
            "Fn::Join": [
             "",
             [
              {
               "Ref": "logBucketPrefix"
              },
              "*undefined"
             ]
            ]
           }
          }
         ],
         [
          {
           "prefix": {
            "Ref": "logBucketPrefix"
           }
          }
         ]
        ]
       }
      }
     }
    },
    "State": "ENABLED",
    "Targets": [
     {
      "Arn": {
       "Fn::GetAtt": [
        "InitStackLogProcessorFn61B8449C",
        "Arn"
       ]
      },
      "DeadLetterConfig": {
       "Arn": {
        "Fn::GetAtt": [
         "LogPipelineLogEventDLQ250636E4",
         "Arn"
        ]
       }
      },
      "Id": "Target0"
     }
    ]
   },
   "Metadata": {
    "aws:cdk:path": "RDSLog/LogPipeline/S3EventTrigger/Resource"
   }
  },
  "LogPipelineS3EventTriggerAllowEventRuleRDSLogInitStackLogProcessorFn477989530F3059C0": {
   "Type": "AWS::Lambda::Permission",
   "Properties": {
    "Action": "lambda:InvokeFunction",
    "FunctionName": {
     "Fn::GetAtt": [
      "InitStackLogProcessorFn61B8449C",
      "Arn"
     ]
    },
    "Principal": "events.amazonaws.com",
    "SourceArn": {
     "Fn::GetAtt": [
      "LogPipelineS3EventTrigger7B750104",
      "Arn"
     ]
    }
   },
   "Metadata": {
    "aws:cdk:path": "RDSLog/LogPipeline/S3EventTrigger/AllowEventRuleRDSLogInitStackLogProcessorFn47798953"
   }
  },
  "LogPipelinelogSourceS3NotificationFnServiceRoleD015171C": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "lambda.amazonaws.com"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "ManagedPolicyArns": [
     {
      "Fn::Join": [
       "",
       [
        "arn:",
        {
         "Ref": "AWS::Partition"
        },
        ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
       ]
      ]
     }
    ]
   },
   "Metadata": {
    "aws:cdk:path": "RDSLog/LogPipeline/logSourceS3NotificationFn/ServiceRole/Resource",
    "cdk_nag": {
     "rules_to_suppress": [
      {
       "reason": "The managed policy requires wildcard resources.",
       "id": "AwsSolutions-IAM5"
      }
     ]
    }
   },
   "Condition": "LogPipelineshouldEnableS3NotificationC1F7DC03"
  },
  "LogPipelinelogSourceS3NotificationFnServiceRoleDefaultPolicy0AED0CD3": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":logs:",
           {
            "Ref": "AWS::Region"
           },
           ":",
           {
            "Ref": "AWS::AccountId"
           },
           ":*"
          ]
         ]
        },
        {
         "Fn::If": [
          "LogPipelineIsCrossAccount99CEA698",
          "",
          {
           "Ref": "AWS::NoValue"
          }
         ]
        }
       ]
      },
      {
       "Action": [
        "s3:PutBucketNotification",
        "s3:GetBucketNotification"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":s3:::",
          {
           "Ref": "logBucketName"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "LogPipelinelogSourceS3NotificationFnServiceRoleDefaultPolicy0AED0CD3",
    "Roles": [
     {
      "Ref": "LogPipelinelogSourceS3NotificationFnServiceRoleD015171C"
     }
    ]
   },
   "Metadata": {
    "aws:cdk:path": "RDSLog/LogPipeline/logSourceS3NotificationFn/ServiceRole/DefaultPolicy/Resource",
    "cdk_nag": {
     "rules_to_suppress": [
      {
       "reason": "The managed policy requires wildcard resources.",
       "id": "AwsSolutions-IAM5"
      }
     ]
    }
   },
   "Condition": "LogPipelineshouldEnableS3NotificationC1F7DC03"
  },
  "LogPipelinelogSourceS3NotificationFnB5CB5F1E": {
   "Type": "AWS::Lambda::Function",
   "Properties": {
    "Code": {
     "S3Bucket": {
      "Fn::Sub": "solutions-${AWS::Region}"
     },
     "S3Key": "centralized-logging-with-opensearch/v2.4.10/2f96244423f71b7944b05a1eaf88fe00866394dc9b93a43df74bf1a5bddbf6f1.zip"
    },
    "Description": {
     "Fn::Join": [
      "",
      [
       {
        "Ref": "AWS::StackName"
       },
       " - Create Log Source S3 Notification Processor"
      ]
     ]
    },
    "Environment": {
     "Variables": {
      "STACK_ID": {
       "Ref": "AWS::StackId"
      },
      "STACK_NAME": {
       "Ref": "AWS::StackName"
      },
      "SOLUTION_VERSION": "v2.4.10",
      "SOLUTION_ID": "SO8025",
      "LOG_TYPE": "RDS",
      "LOG_SOURCE_ACCOUNT_ID": {
       "Ref": "logSourceAccountId"
      },
      "LOG_SOURCE_REGION": {
       "Ref": "logSourceRegion"
      },
      "LOG_SOURCE_ACCOUNT_ASSUME_ROLE": "",
      "LOG_BUCKET_NAME": {
       "Ref": "logBucketName"
      },
      "LOG_BUECKET_PREFIX": {
       "Ref": "logBucketPrefix"
      }
     }
    },
    "Handler": "log_source_s3_bucket_policy_processor.lambda_handler",
    "Layers": [
     {
      "Ref": "SharedPythonLayer40DE0AAD"
     }
    ],
    "MemorySize": 256,
    "Role": {
     "Fn::GetAtt": [
      "LogPipelinelogSourceS3NotificationFnServiceRoleD015171C",
      "Arn"
     ]
    },
    "Runtime": "python3.11",
    "Timeout": 60
   },
   "DependsOn": [
    "LogPipelinelogSourceS3NotificationFnServiceRoleDefaultPolicy0AED0CD3",
    "LogPipelinelogSourceS3NotificationFnServiceRoleD015171C"
   ],
   "Metadata": {
    "aws:cdk:path": "RDSLog/LogPipeline/logSourceS3NotificationFn/Resource",
    "aws:asset:path": "asset.2f96244423f71b7944b05a1eaf88fe00866394dc9b93a43df74bf1a5bddbf6f1",
    "aws:asset:is-bundled": false,
    "aws:asset:property": "Code",
    "cdk_nag": {
     "rules_to_suppress": [
      {
       "reason": "The managed policy requires wildcard resources.",
       "id": "AwsSolutions-IAM5"
      }
     ]
    },
    "guard": {
     "SuppressedRules": [
      "LAMBDA_INSIDE_VPC",
      "LAMBDA_CONCURRENCY_CHECK"
     ]
    }
   },
   "Condition": "LogPipelineshouldEnableS3NotificationC1F7DC03"
  },
  "LogPipelinelogSourceS3NotificationProviderframeworkonEventServiceRole5620B3B7": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "lambda.amazonaws.com"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "ManagedPolicyArns": [
     {
      "Fn::Join": [
       "",
       [
        "arn:",
        {
         "Ref": "AWS::Partition"
        },
        ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
       ]
      ]
     }
    ]
   },
   "DependsOn": [
    "LogPipelinelogSourceS3NotificationFnB5CB5F1E",
    "LogPipelinelogSourceS3NotificationFnServiceRoleDefaultPolicy0AED0CD3",
    "LogPipelinelogSourceS3NotificationFnServiceRoleD015171C"
   ],
   "Metadata": {
    "aws:cdk:path": "RDSLog/LogPipeline/logSourceS3NotificationProvider/framework-onEvent/ServiceRole/Resource",
    "cdk_nag": {
     "rules_to_suppress": [
      {
       "reason": "The managed policy requires wildcard resources.",
       "id": "AwsSolutions-IAM5"
      }
     ]
    }
   },
   "Condition": "LogPipelineshouldEnableS3NotificationC1F7DC03"
  },
  "LogPipelinelogSourceS3NotificationProviderframeworkonEventServiceRoleDefaultPolicy4CBDBA62": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "lambda:InvokeFunction",
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::GetAtt": [
          "LogPipelinelogSourceS3NotificationFnB5CB5F1E",
          "Arn"
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           {
            "Fn::GetAtt": [
             "LogPipelinelogSourceS3NotificationFnB5CB5F1E",
             "Arn"
            ]
           },
           ":*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "lambda:GetFunction",
       "Effect": "Allow",
       "Resource": {
        "Fn::GetAtt": [
         "LogPipelinelogSourceS3NotificationFnB5CB5F1E",
         "Arn"
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "LogPipelinelogSourceS3NotificationProviderframeworkonEventServiceRoleDefaultPolicy4CBDBA62",
    "Roles": [
     {
      "Ref": "LogPipelinelogSourceS3NotificationProviderframeworkonEventServiceRole5620B3B7"
     }
    ]
   },
   "DependsOn": [
    "LogPipelinelogSourceS3NotificationFnB5CB5F1E",
    "LogPipelinelogSourceS3NotificationFnServiceRoleDefaultPolicy0AED0CD3",
    "LogPipelinelogSourceS3NotificationFnServiceRoleD015171C"
   ],
   "Metadata": {
    "aws:cdk:path": "RDSLog/LogPipeline/logSourceS3NotificationProvider/framework-onEvent/ServiceRole/DefaultPolicy/Resource",
    "cdk_nag": {
     "rules_to_suppress": [
      {
       "reason": "The managed policy requires wildcard resources.",
       "id": "AwsSolutions-IAM5"
      }
     ]
    }
   },
   "Condition": "LogPipelineshouldEnableS3NotificationC1F7DC03"
  },
  "LogPipelinelogSourceS3NotificationProviderframeworkonEventA212E396": {
   "Type": "AWS::Lambda::Function",
   "Properties": {
    "Code": {
     "S3Bucket": {
      "Fn::Sub": "solutions-${AWS::Region}"
     },
     "S3Key": "centralized-logging-with-opensearch/v2.4.10/07a90cc3efdfc34da22208dcd9d211f06f5b0e01b21e778edc7c3966b1f61d57.zip"
    },
    "Description": "AWS CDK resource provider framework - onEvent (RDSLog/LogPipeline/logSourceS3NotificationProvider)",
    "Environment": {
     "Variables": {
      "USER_ON_EVENT_FUNCTION_ARN": {
       "Fn::GetAtt": [
        "LogPipelinelogSourceS3NotificationFnB5CB5F1E",
        "Arn"
       ]
      }
     }
    },
    "Handler": "framework.onEvent",
    "LoggingConfig": {
     "Fn::If": [
      "AWSCNCondition",
      {
       "Ref": "AWS::NoValue"
      },
      {
       "LogFormat": "JSON",
       "ApplicationLogLevel": "FATAL"
      }
     ]
    },
    "Role": {
     "Fn::GetAtt": [
      "LogPipelinelogSourceS3NotificationProviderframeworkonEventServiceRole5620B3B7",
      "Arn"
     ]
    },
    "Runtime": "nodejs22.x",
    "Timeout": 900
   },
   "DependsOn": [
    "LogPipelinelogSourceS3NotificationFnB5CB5F1E",
    "LogPipelinelogSourceS3NotificationFnServiceRoleDefaultPolicy0AED0CD3",
    "LogPipelinelogSourceS3NotificationFnServiceRoleD015171C",
    "LogPipelinelogSourceS3NotificationProviderframeworkonEventServiceRoleDefaultPolicy4CBDBA62",
    "LogPipelinelogSourceS3NotificationProviderframeworkonEventServiceRole5620B3B7"
   ],
   "Metadata": {
    "aws:cdk:path": "RDSLog/LogPipeline/logSourceS3NotificationProvider/framework-onEvent/Resource",
    "aws:asset:path": "asset.07a90cc3efdfc34da22208dcd9d211f06f5b0e01b21e778edc7c3966b1f61d57",
    "aws:asset:is-bundled": false,
    "aws:asset:property": "Code",
    "cdk_nag": {
     "rules_to_suppress": [
      {
       "reason": "The managed policy requires wildcard resources.",
       "id": "AwsSolutions-IAM5"
      }
     ]
    },
    "guard": {
     "SuppressedRules": [
      "LAMBDA_INSIDE_VPC",
      "LAMBDA_CONCURRENCY_CHECK"
     ]
    }
   },
   "Condition": "LogPipelineshouldEnableS3NotificationC1F7DC03"
  },
  "LogPipelinelogSourceS3NotificationlambdaTriggerE8C8CB9D": {
   "Type": "AWS::CloudFormation::CustomResource",
   "Properties": {
    "ServiceToken": {
     "Fn::GetAtt": [
      "LogPipelinelogSourceS3NotificationProviderframeworkonEventA212E396",
      "Arn"
     ]
    }
   },
   "DependsOn": [
    "LogPipelinelogSourceS3NotificationProviderframeworkonEventA212E396",
    "LogPipelinelogSourceS3NotificationProviderframeworkonEventServiceRoleDefaultPolicy4CBDBA62",
    "LogPipelinelogSourceS3NotificationProviderframeworkonEventServiceRole5620B3B7"
   ],
   "UpdateReplacePolicy": "Delete",
   "DeletionPolicy": "Delete",
   "Metadata": {
    "aws:cdk:path": "RDSLog/LogPipeline/logSourceS3NotificationlambdaTrigger/Default"
   },
   "Condition": "LogPipelineshouldEnableS3NotificationC1F7DC03"
  },
  "RDSLogs2S3ConnectorServiceRoleAAFCBE0D": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "lambda.amazonaws.com"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "ManagedPolicyArns": [
     {
      "Fn::Join": [
       "",
       [
        "arn:",
        {
         "Ref": "AWS::Partition"
        },
        ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
       ]
      ]
     }
    ]
   },
   "Metadata": {
    "aws:cdk:path": "RDSLog/RDSLogs2S3/Connector/ServiceRole/Resource"
   }
  },
  "RDSLogs2S3ConnectorServiceRoleDefaultPolicyE17ED7EA": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "dynamodb:GetItem",
        "dynamodb:UpdateItem"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::ImportValue": {
         "Fn::Join": [
          "",
          [
           {
            "Ref": "RDSLogs2S3MicroBatchStackNameParameter4A1BE307"
           },
           "::MetadataTableArn"
          ]
         ]
        }
       }
      },
      {
       "Action": [
        "kms:GenerateDataKey*",
        "kms:Decrypt",
        "kms:Encrypt"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":kms:",
          {
           "Ref": "AWS::Region"
          },
          ":",
          {
           "Ref": "AWS::AccountId"
          },
          ":key/*"
         ]
        ]
       }
      },
      {
       "Action": [
        "rds:DownloadDBLogFilePortion",
        "rds:DescribeDBInstances",
        "rds:DescribeDBLogFiles",
        "rds:DescribeDBClusters"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":rds:",
           {
            "Ref": "AWS::Region"
           },
           ":",
           {
            "Ref": "AWS::AccountId"
           },
           ":cluster:*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":rds:",
           {
            "Ref": "AWS::Region"
           },
           ":",
           {
            "Ref": "AWS::AccountId"
           },
           ":db:*"
          ]
         ]
        }
       ]
      },
      {
       "Action": [
        "s3:DeleteObject*",
        "s3:PutObject",
        "s3:PutObjectLegalHold",
        "s3:PutObjectRetention",
        "s3:PutObjectTagging",
        "s3:PutObjectVersionTagging",
        "s3:Abort*"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":s3:::",
           {
            "Ref": "logBucketName"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":s3:::",
           {
            "Ref": "logBucketName"
           },
           "/*"
          ]
         ]
        }
       ]
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RDSLogs2S3ConnectorServiceRoleDefaultPolicyE17ED7EA",
    "Roles": [
     {
      "Ref": "RDSLogs2S3ConnectorServiceRoleAAFCBE0D"
     }
    ]
   },
   "Metadata": {
    "aws:cdk:path": "RDSLog/RDSLogs2S3/Connector/ServiceRole/DefaultPolicy/Resource"
   }
  },
  "RDSLogs2S3ConnectorE1B3DB53": {
   "Type": "AWS::Lambda::Function",
   "Properties": {
    "Architectures": [
     "x86_64"
    ],
    "Code": {
     "S3Bucket": {
      "Fn::Sub": "solutions-${AWS::Region}"
     },
     "S3Key": "centralized-logging-with-opensearch/v2.4.10/a0b688035263c1e9bb9870afbc91c7949647382abbd497e6e2c02815aad670c9.zip"
    },
    "Description": {
     "Fn::Join": [
      "",
      [
       {
        "Ref": "AWS::StackName"
       },
       " - Lambda function to collect RDS logs into the logging S3 bucket."
      ]
     ]
    },
    "Environment": {
     "Variables": {
      "SOLUTION_VERSION": "v2.4.10",
      "SOLUTION_ID": "SO8025",
      "META_TABLE_NAME": {
       "Fn::Select": [
        1,
        {
         "Fn::Split": [
          "/",
          {
           "Fn::Select": [
            5,
            {
             "Fn::Split": [
              ":",
              {
               "Fn::ImportValue": {
                "Fn::Join": [
                 "",
                 [
                  {
                   "Ref": "RDSLogs2S3MicroBatchStackNameParameter4A1BE307"
                  },
                  "::MetadataTableArn"
                 ]
                ]
               }
              }
             ]
            }
           ]
          }
         ]
        }
       ]
      }
     }
    },
    "Handler": "lambda_function.lambda_handler",
    "Layers": [
     {
      "Ref": "RDSLogs2S3SSMLambdaUtilsLayerArnParameterAB5C446F"
     }
    ],
    "MemorySize": 128,
    "Role": {
     "Fn::GetAtt": [
      "RDSLogs2S3ConnectorServiceRoleAAFCBE0D",
      "Arn"
     ]
    },
    "Runtime": "python3.11",
    "Timeout": 900
   },
   "DependsOn": [
    "RDSLogs2S3ConnectorServiceRoleDefaultPolicyE17ED7EA",
    "RDSLogs2S3ConnectorServiceRoleAAFCBE0D"
   ],
   "Metadata": {
    "aws:cdk:path": "RDSLog/RDSLogs2S3/Connector/Resource",
    "aws:asset:path": "asset.a0b688035263c1e9bb9870afbc91c7949647382abbd497e6e2c02815aad670c9",
    "aws:asset:is-bundled": false,
    "aws:asset:property": "Code",
    "guard": {
     "SuppressedRules": [
      "LAMBDA_INSIDE_VPC",
      "LAMBDA_CONCURRENCY_CHECK"
     ]
    }
   }
  },
  "RDSLogs2S3AssumeRole699A21E4": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Version": "2012-10-17",
     "Statement": [
      {
       "Effect": "Allow",
       "Action": [
        "sts:AssumeRole"
       ],
       "Resource": [
        {
         "Ref": "logSourceAccountAssumeRole"
        }
       ]
      }
     ]
    },
    "PolicyName": {
     "Fn::Join": [
      "",
      [
       {
        "Ref": "AWS::StackName"
       },
       "-AssumeRole"
      ]
     ]
    },
    "Roles": [
     {
      "Ref": "RDSLogs2S3ConnectorServiceRoleAAFCBE0D"
     }
    ]
   },
   "Metadata": {
    "aws:cdk:path": "RDSLog/RDSLogs2S3/AssumeRole"
   },
   "Condition": "RDSLogs2S3IsCrossAccount9B82E004"
  },
  "RDSLogs2S3ScheduleRule7120B188": {
   "Type": "AWS::Events::Rule",
   "Properties": {
    "ScheduleExpression": "rate(1 minute)",
    "State": "ENABLED",
    "Targets": [
     {
      "Arn": {
       "Fn::GetAtt": [
        "RDSLogs2S3ConnectorE1B3DB53",
        "Arn"
       ]
      },
      "Id": "Target0",
      "Input": {
       "Fn::Join": [
        "",
        [
         "{\"metaName\":\"",
         {
          "Ref": "AWS::StackId"
         },
         "\",\"source\":{\"type\":\"rds\",\"context\":{\"DBIdentifiers\":\"",
         {
          "Ref": "dbIdentifier"
         },
         "\",\"role\":\"",
         {
          "Ref": "logSourceAccountAssumeRole"
         },
         "\"}},\"sink\":{\"type\":\"s3\",\"context\":{\"bucket\":\"",
         {
          "Ref": "logBucketName"
         },
         "\",\"prefix\":\"",
         {
          "Ref": "logBucketPrefix"
         },
         "\"}}}"
        ]
       ]
      }
     }
    ]
   },
   "Metadata": {
    "aws:cdk:path": "RDSLog/RDSLogs2S3/ScheduleRule/Resource"
   }
  },
  "RDSLogs2S3ScheduleRuleAllowEventRuleRDSLogRDSLogs2S3ConnectorB3DC8C7E271ABCC4": {
   "Type": "AWS::Lambda::Permission",
   "Properties": {
    "Action": "lambda:InvokeFunction",
    "FunctionName": {
     "Fn::GetAtt": [
      "RDSLogs2S3ConnectorE1B3DB53",
      "Arn"
     ]
    },
    "Principal": "events.amazonaws.com",
    "SourceArn": {
     "Fn::GetAtt": [
      "RDSLogs2S3ScheduleRule7120B188",
      "Arn"
     ]
    }
   },
   "Metadata": {
    "aws:cdk:path": "RDSLog/RDSLogs2S3/ScheduleRule/AllowEventRuleRDSLogRDSLogs2S3ConnectorB3DC8C7E"
   }
  },
  "CDKMetadata": {
   "Type": "AWS::CDK::Metadata",
   "Properties": {
    "Analytics": "v2:deflate64:H4sIAAAAAAAA/1WQwWrDMAyGn6V3Vyspe4A1sF0KzdKxa1FsNbiJ7c6yW4rJuw+7gWUX/58sCf1SBdXrBjYrvPNaqmE96g7SMaAcRH22DXo0FMiLlthFLyn/1s4qHbSzAu98ShoNpMaNWj5Kz5NaN5birJMY0XQKIe3xQf6bPOfu+mz/xe/RyjAnltyQN5pzySR4e0JmCgxvWQRvYRflQGGHTIJ/GNJnpFhGP6G8f/YW4SRG1zOkves/vIvXYmjmSdCNbGBIbZwXiXkR9bBonOrgC7uR8tBJFCfHgL22vZCRgzMnP9+LofHuphV5UZfM8pBLPsRwjWES1imCC7/cqgqqCjarC2u99tEGbQjap/4CzMtacbYBAAA="
   },
   "Metadata": {
    "aws:cdk:path": "RDSLog/CDKMetadata/Default"
   },
   "Condition": "CDKMetadataAvailable"
  }
 },
 "Outputs": {
  "ProcessorLogGroupName": {
   "Value": {
    "Ref": "LogPipelineLogProcessorFnLogGroup81D4A0D8"
   }
  },
  "LogEventQueueArn": {
   "Value": {
    "Fn::GetAtt": [
     "LogPipelineS3EventTrigger7B750104",
     "Arn"
    ]
   }
  },
  "LogEventQueueName": {
   "Value": {
    "Ref": "LogPipelineS3EventTrigger7B750104"
   }
  }
 },
 "Rules": {}
}