{
  "Description": "(SO8001) - Data Transfer Hub with aws-solutions-constructs: This template deploys an one-stop toolset for transferring data from different sources into AWS. Template version v2.6.6",
  "AWSTemplateFormatVersion": "2010-09-09",
  "Metadata": {
    "AWS::CloudFormation::Interface": {
      "ParameterGroups": [
        {
          "Label": {
            "default": "User Pool"
          },
          "Parameters": [
            "AdminEmail"
          ]
        }
      ]
    },
    "cdk_nag": {
      "rules_to_suppress": [
        {
          "reason": "some policies need to get dynamic resources",
          "id": "AwsSolutions-IAM5"
        },
        {
          "reason": "these policies is used by CDK Customer Resource lambda",
          "id": "AwsSolutions-IAM4"
        },
        {
          "reason": "these buckets dont need access log",
          "id": "AwsSolutions-S1"
        },
        {
          "reason": "these buckets dont need SSL",
          "id": "AwsSolutions-S10"
        },
        {
          "reason": "not applicable to use the latest lambda runtime version",
          "id": "AwsSolutions-L1"
        }
      ]
    }
  },
  "Parameters": {
    "AdminEmail": {
      "Type": "String",
      "AllowedPattern": "\\w[-\\w.+]*@([A-Za-z0-9][-A-Za-z0-9]+\\.)+[A-Za-z]{2,14}",
      "Description": "The email of Admin user and for receiving task status alarm"
    }
  },
  "Mappings": {
    "Send": {
      "AnonymousUsage": {
        "Data": "Yes"
      }
    },
    "ServiceprincipalMap": {
      "af-south-1": {
        "states": "states.af-south-1.amazonaws.com"
      },
      "ap-east-1": {
        "states": "states.ap-east-1.amazonaws.com"
      },
      "ap-northeast-1": {
        "states": "states.ap-northeast-1.amazonaws.com"
      },
      "ap-northeast-2": {
        "states": "states.ap-northeast-2.amazonaws.com"
      },
      "ap-northeast-3": {
        "states": "states.ap-northeast-3.amazonaws.com"
      },
      "ap-south-1": {
        "states": "states.ap-south-1.amazonaws.com"
      },
      "ap-south-2": {
        "states": "states.ap-south-2.amazonaws.com"
      },
      "ap-southeast-1": {
        "states": "states.ap-southeast-1.amazonaws.com"
      },
      "ap-southeast-2": {
        "states": "states.ap-southeast-2.amazonaws.com"
      },
      "ap-southeast-3": {
        "states": "states.ap-southeast-3.amazonaws.com"
      },
      "ap-southeast-4": {
        "states": "states.ap-southeast-4.amazonaws.com"
      },
      "ca-central-1": {
        "states": "states.ca-central-1.amazonaws.com"
      },
      "cn-north-1": {
        "states": "states.cn-north-1.amazonaws.com"
      },
      "cn-northwest-1": {
        "states": "states.cn-northwest-1.amazonaws.com"
      },
      "eu-central-1": {
        "states": "states.eu-central-1.amazonaws.com"
      },
      "eu-central-2": {
        "states": "states.eu-central-2.amazonaws.com"
      },
      "eu-north-1": {
        "states": "states.eu-north-1.amazonaws.com"
      },
      "eu-south-1": {
        "states": "states.eu-south-1.amazonaws.com"
      },
      "eu-south-2": {
        "states": "states.eu-south-2.amazonaws.com"
      },
      "eu-west-1": {
        "states": "states.eu-west-1.amazonaws.com"
      },
      "eu-west-2": {
        "states": "states.eu-west-2.amazonaws.com"
      },
      "eu-west-3": {
        "states": "states.eu-west-3.amazonaws.com"
      },
      "il-central-1": {
        "states": "states.il-central-1.amazonaws.com"
      },
      "me-central-1": {
        "states": "states.me-central-1.amazonaws.com"
      },
      "me-south-1": {
        "states": "states.me-south-1.amazonaws.com"
      },
      "sa-east-1": {
        "states": "states.sa-east-1.amazonaws.com"
      },
      "us-east-1": {
        "states": "states.us-east-1.amazonaws.com"
      },
      "us-east-2": {
        "states": "states.us-east-2.amazonaws.com"
      },
      "us-gov-east-1": {
        "states": "states.us-gov-east-1.amazonaws.com"
      },
      "us-gov-west-1": {
        "states": "states.us-gov-west-1.amazonaws.com"
      },
      "us-iso-east-1": {
        "states": "states.amazonaws.com"
      },
      "us-iso-west-1": {
        "states": "states.amazonaws.com"
      },
      "us-isob-east-1": {
        "states": "states.amazonaws.com"
      },
      "us-west-1": {
        "states": "states.us-west-1.amazonaws.com"
      },
      "us-west-2": {
        "states": "states.us-west-2.amazonaws.com"
      }
    }
  },
  "Resources": {
    "TaskClusterTaskVPCE5385B4D": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsHostnames": true,
        "EnableDnsSupport": true,
        "InstanceTenancy": "default",
        "Tags": [
          {
            "Key": "Name",
            "Value": "DataTransferHub-cognito/TaskCluster/TaskVPC"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/TaskCluster/TaskVPC/Resource"
      }
    },
    "TaskClusterTaskVPCpublicSubnet1SubnetB3F44AEF": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "AvailabilityZone": {
          "Fn::Select": [
            0,
            {
              "Fn::GetAZs": ""
            }
          ]
        },
        "CidrBlock": "10.0.0.0/24",
        "MapPublicIpOnLaunch": true,
        "Tags": [
          {
            "Key": "aws-cdk:subnet-name",
            "Value": "public"
          },
          {
            "Key": "aws-cdk:subnet-type",
            "Value": "Public"
          },
          {
            "Key": "Name",
            "Value": "DataTransferHub-cognito/TaskCluster/TaskVPC/publicSubnet1"
          }
        ],
        "VpcId": {
          "Ref": "TaskClusterTaskVPCE5385B4D"
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/TaskCluster/TaskVPC/publicSubnet1/Subnet",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W33",
              "reason": "Default Setting for VPC subnets"
            }
          ]
        }
      }
    },
    "TaskClusterTaskVPCpublicSubnet1RouteTableE769348F": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": {
        "Tags": [
          {
            "Key": "Name",
            "Value": "DataTransferHub-cognito/TaskCluster/TaskVPC/publicSubnet1"
          }
        ],
        "VpcId": {
          "Ref": "TaskClusterTaskVPCE5385B4D"
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/TaskCluster/TaskVPC/publicSubnet1/RouteTable"
      }
    },
    "TaskClusterTaskVPCpublicSubnet1RouteTableAssociation154E832E": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {
        "RouteTableId": {
          "Ref": "TaskClusterTaskVPCpublicSubnet1RouteTableE769348F"
        },
        "SubnetId": {
          "Ref": "TaskClusterTaskVPCpublicSubnet1SubnetB3F44AEF"
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/TaskCluster/TaskVPC/publicSubnet1/RouteTableAssociation"
      }
    },
    "TaskClusterTaskVPCpublicSubnet1DefaultRoute7CDC1040": {
      "Type": "AWS::EC2::Route",
      "Properties": {
        "DestinationCidrBlock": "0.0.0.0/0",
        "GatewayId": {
          "Ref": "TaskClusterTaskVPCIGW76CA6712"
        },
        "RouteTableId": {
          "Ref": "TaskClusterTaskVPCpublicSubnet1RouteTableE769348F"
        }
      },
      "DependsOn": [
        "TaskClusterTaskVPCVPCGWB2B682AC"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/TaskCluster/TaskVPC/publicSubnet1/DefaultRoute"
      }
    },
    "TaskClusterTaskVPCpublicSubnet2Subnet9FB6145A": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "AvailabilityZone": {
          "Fn::Select": [
            1,
            {
              "Fn::GetAZs": ""
            }
          ]
        },
        "CidrBlock": "10.0.1.0/24",
        "MapPublicIpOnLaunch": true,
        "Tags": [
          {
            "Key": "aws-cdk:subnet-name",
            "Value": "public"
          },
          {
            "Key": "aws-cdk:subnet-type",
            "Value": "Public"
          },
          {
            "Key": "Name",
            "Value": "DataTransferHub-cognito/TaskCluster/TaskVPC/publicSubnet2"
          }
        ],
        "VpcId": {
          "Ref": "TaskClusterTaskVPCE5385B4D"
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/TaskCluster/TaskVPC/publicSubnet2/Subnet",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W33",
              "reason": "Default Setting for VPC subnets"
            }
          ]
        }
      }
    },
    "TaskClusterTaskVPCpublicSubnet2RouteTableDD4DBDC9": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": {
        "Tags": [
          {
            "Key": "Name",
            "Value": "DataTransferHub-cognito/TaskCluster/TaskVPC/publicSubnet2"
          }
        ],
        "VpcId": {
          "Ref": "TaskClusterTaskVPCE5385B4D"
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/TaskCluster/TaskVPC/publicSubnet2/RouteTable"
      }
    },
    "TaskClusterTaskVPCpublicSubnet2RouteTableAssociation4F8430D5": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {
        "RouteTableId": {
          "Ref": "TaskClusterTaskVPCpublicSubnet2RouteTableDD4DBDC9"
        },
        "SubnetId": {
          "Ref": "TaskClusterTaskVPCpublicSubnet2Subnet9FB6145A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/TaskCluster/TaskVPC/publicSubnet2/RouteTableAssociation"
      }
    },
    "TaskClusterTaskVPCpublicSubnet2DefaultRoute8FB45401": {
      "Type": "AWS::EC2::Route",
      "Properties": {
        "DestinationCidrBlock": "0.0.0.0/0",
        "GatewayId": {
          "Ref": "TaskClusterTaskVPCIGW76CA6712"
        },
        "RouteTableId": {
          "Ref": "TaskClusterTaskVPCpublicSubnet2RouteTableDD4DBDC9"
        }
      },
      "DependsOn": [
        "TaskClusterTaskVPCVPCGWB2B682AC"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/TaskCluster/TaskVPC/publicSubnet2/DefaultRoute"
      }
    },
    "TaskClusterTaskVPCIGW76CA6712": {
      "Type": "AWS::EC2::InternetGateway",
      "Properties": {
        "Tags": [
          {
            "Key": "Name",
            "Value": "DataTransferHub-cognito/TaskCluster/TaskVPC"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/TaskCluster/TaskVPC/IGW"
      }
    },
    "TaskClusterTaskVPCVPCGWB2B682AC": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "InternetGatewayId": {
          "Ref": "TaskClusterTaskVPCIGW76CA6712"
        },
        "VpcId": {
          "Ref": "TaskClusterTaskVPCE5385B4D"
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/TaskCluster/TaskVPC/VPCGW"
      }
    },
    "TaskClusterTaskVPCFlowLogCWIAMRole08EC65EE": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "vpc-flow-logs.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "Tags": [
          {
            "Key": "Name",
            "Value": "DataTransferHub-cognito/TaskCluster/TaskVPC/FlowLogCW"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/TaskCluster/TaskVPC/FlowLogCW/IAMRole/Resource"
      }
    },
    "TaskClusterTaskVPCFlowLogCWIAMRoleDefaultPolicyBC6FC631": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogStreams"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::GetAtt": [
                  "TaskClusterVPCLogGroupEF25F73B",
                  "Arn"
                ]
              }
            },
            {
              "Action": "iam:PassRole",
              "Effect": "Allow",
              "Resource": {
                "Fn::GetAtt": [
                  "TaskClusterTaskVPCFlowLogCWIAMRole08EC65EE",
                  "Arn"
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "TaskClusterTaskVPCFlowLogCWIAMRoleDefaultPolicyBC6FC631",
        "Roles": [
          {
            "Ref": "TaskClusterTaskVPCFlowLogCWIAMRole08EC65EE"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/TaskCluster/TaskVPC/FlowLogCW/IAMRole/DefaultPolicy/Resource"
      }
    },
    "TaskClusterTaskVPCFlowLogCWFlowLog3A8571BE": {
      "Type": "AWS::EC2::FlowLog",
      "Properties": {
        "DeliverLogsPermissionArn": {
          "Fn::GetAtt": [
            "TaskClusterTaskVPCFlowLogCWIAMRole08EC65EE",
            "Arn"
          ]
        },
        "LogDestinationType": "cloud-watch-logs",
        "LogGroupName": {
          "Ref": "TaskClusterVPCLogGroupEF25F73B"
        },
        "ResourceId": {
          "Ref": "TaskClusterTaskVPCE5385B4D"
        },
        "ResourceType": "VPC",
        "Tags": [
          {
            "Key": "Name",
            "Value": "DataTransferHub-cognito/TaskCluster/TaskVPC/FlowLogCW"
          }
        ],
        "TrafficType": "REJECT"
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/TaskCluster/TaskVPC/FlowLogCW/FlowLog"
      }
    },
    "TaskClusterVPCLogGroupEF25F73B": {
      "Type": "AWS::Logs::LogGroup",
      "Properties": {
        "RetentionInDays": 14
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/TaskCluster/VPCLogGroup/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W84",
              "reason": "log group is encrypted with the default master key"
            }
          ]
        }
      }
    },
    "TaskCluster": {
      "Type": "AWS::ECS::Cluster",
      "Properties": {
        "ClusterSettings": [
          {
            "Name": "containerInsights",
            "Value": "enabled"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/TaskCluster/DTHTaskCluster/Resource"
      }
    },
    "APIAppSyncServiceLinkRoleFnServiceRoleB8E4BC8D": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/AppSyncServiceLinkRoleFn/ServiceRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIAppSyncServiceLinkRoleFn2F2DA79D": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "data-transfer-hub/v2.6.6/180f992dcfb2aab242da7c255e25a3d9dc927513823adf0f9661c19c14d8bd23.zip"
        },
        "Description": "Data Transfer Hub - Service Linked Role Create Handler",
        "Handler": "create_service_linked_role.lambda_handler",
        "MemorySize": 128,
        "Role": {
          "Fn::GetAtt": [
            "APIAppSyncServiceLinkRoleFnServiceRoleB8E4BC8D",
            "Arn"
          ]
        },
        "Runtime": "python3.9",
        "Timeout": 60
      },
      "DependsOn": [
        "APIAppSyncServiceLinkRoleFnServiceRoleB8E4BC8D"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/AppSyncServiceLinkRoleFn/Resource",
        "aws:asset:path": "asset.180f992dcfb2aab242da7c255e25a3d9dc927513823adf0f9661c19c14d8bd23",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIserviceLikedRolePolicyCCA80038": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "iam:GetRole",
                "iam:CreateServiceLinkedRole"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow",
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APIserviceLikedRolePolicyCCA80038",
        "Roles": [
          {
            "Ref": "APIAppSyncServiceLinkRoleFnServiceRoleB8E4BC8D"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/serviceLikedRolePolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "This policy needs to be able to have access to all resources"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIappSyncServiceLinkRoleFnProviderframeworkonEventServiceRole6B217C32": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "DependsOn": [
        "APIAppSyncServiceLinkRoleFn2F2DA79D",
        "APIAppSyncServiceLinkRoleFnServiceRoleB8E4BC8D"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/appSyncServiceLinkRoleFnProvider/framework-onEvent/ServiceRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIappSyncServiceLinkRoleFnProviderframeworkonEventServiceRoleDefaultPolicy108B8472": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APIAppSyncServiceLinkRoleFn2F2DA79D",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APIAppSyncServiceLinkRoleFn2F2DA79D",
                          "Arn"
                        ]
                      },
                      ":*"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APIappSyncServiceLinkRoleFnProviderframeworkonEventServiceRoleDefaultPolicy108B8472",
        "Roles": [
          {
            "Ref": "APIappSyncServiceLinkRoleFnProviderframeworkonEventServiceRole6B217C32"
          }
        ]
      },
      "DependsOn": [
        "APIAppSyncServiceLinkRoleFn2F2DA79D",
        "APIAppSyncServiceLinkRoleFnServiceRoleB8E4BC8D"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/appSyncServiceLinkRoleFnProvider/framework-onEvent/ServiceRole/DefaultPolicy/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIappSyncServiceLinkRoleFnProviderframeworkonEventC881B4E7": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "data-transfer-hub/v2.6.6/3542be390685e0c8353d92ccb5796d343cd93ca946b6b0de798004206a199adc.zip"
        },
        "Description": "AWS CDK resource provider framework - onEvent (DataTransferHub-cognito/API/appSyncServiceLinkRoleFnProvider)",
        "Environment": {
          "Variables": {
            "USER_ON_EVENT_FUNCTION_ARN": {
              "Fn::GetAtt": [
                "APIAppSyncServiceLinkRoleFn2F2DA79D",
                "Arn"
              ]
            }
          }
        },
        "Handler": "framework.onEvent",
        "Role": {
          "Fn::GetAtt": [
            "APIappSyncServiceLinkRoleFnProviderframeworkonEventServiceRole6B217C32",
            "Arn"
          ]
        },
        "Runtime": "nodejs18.x",
        "Timeout": 900
      },
      "DependsOn": [
        "APIAppSyncServiceLinkRoleFn2F2DA79D",
        "APIAppSyncServiceLinkRoleFnServiceRoleB8E4BC8D",
        "APIappSyncServiceLinkRoleFnProviderframeworkonEventServiceRoleDefaultPolicy108B8472",
        "APIappSyncServiceLinkRoleFnProviderframeworkonEventServiceRole6B217C32"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/appSyncServiceLinkRoleFnProvider/framework-onEvent/Resource",
        "aws:asset:path": "asset.3542be390685e0c8353d92ccb5796d343cd93ca946b6b0de798004206a199adc",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIappSyncServiceLinkRoleFnTrigger535D3D40": {
      "Type": "AWS::CloudFormation::CustomResource",
      "Properties": {
        "ServiceToken": {
          "Fn::GetAtt": [
            "APIappSyncServiceLinkRoleFnProviderframeworkonEventC881B4E7",
            "Arn"
          ]
        }
      },
      "DependsOn": [
        "APIappSyncServiceLinkRoleFnProviderframeworkonEventC881B4E7",
        "APIappSyncServiceLinkRoleFnProviderframeworkonEventServiceRoleDefaultPolicy108B8472",
        "APIappSyncServiceLinkRoleFnProviderframeworkonEventServiceRole6B217C32"
      ],
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/appSyncServiceLinkRoleFnTrigger/Default",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APITaskTable658DE9FE": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "AttributeDefinitions": [
          {
            "AttributeName": "id",
            "AttributeType": "S"
          },
          {
            "AttributeName": "stackId",
            "AttributeType": "S"
          }
        ],
        "BillingMode": "PAY_PER_REQUEST",
        "GlobalSecondaryIndexes": [
          {
            "IndexName": "byStackId",
            "KeySchema": [
              {
                "AttributeName": "stackId",
                "KeyType": "HASH"
              }
            ],
            "Projection": {
              "NonKeyAttributes": [
                "id",
                "status",
                "stackStatus"
              ],
              "ProjectionType": "INCLUDE"
            }
          }
        ],
        "KeySchema": [
          {
            "AttributeName": "id",
            "KeyType": "HASH"
          }
        ],
        "PointInTimeRecoverySpecification": {
          "PointInTimeRecoveryEnabled": true
        },
        "SSESpecification": {
          "SSEEnabled": false
        }
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/TaskTable/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W74",
              "reason": "This table is set to use DEFAULT encryption, the key is owned by DDB."
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APISNSTopicEncryptionKeyD739FE22": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "Data Transfer Hub KMS-CMK for encrypting the objects in SNS",
        "EnableKeyRotation": true,
        "Enabled": true,
        "KeyPolicy": {
          "Statement": [
            {
              "Action": [
                "kms:GenerateDataKey*",
                "kms:Decrypt",
                "kms:Encrypt"
              ],
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "sns.amazonaws.com",
                  "cloudwatch.amazonaws.com",
                  "lambda.amazonaws.com"
                ]
              },
              "Resource": "*",
              "Sid": "0"
            },
            {
              "Action": [
                "kms:ImportKeyMaterial",
                "kms:RetireGrant",
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:ConnectCustomKeyStore",
                "sns:Publish"
              ],
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":iam::",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":root"
                    ]
                  ]
                }
              },
              "Resource": "*",
              "Sid": "1"
            },
            {
              "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion",
                "kms:GenerateDataKey",
                "kms:TagResource",
                "kms:UntagResource"
              ],
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":iam::",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":root"
                    ]
                  ]
                }
              },
              "Resource": "*",
              "Sid": "2"
            }
          ],
          "Version": "2012-10-17"
        },
        "PendingWindowInDays": 7
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/SNSTopicEncryptionKey/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APISNSTopicEncryptionKeyAlias87EE22B4": {
      "Type": "AWS::KMS::Alias",
      "Properties": {
        "AliasName": {
          "Fn::Join": [
            "",
            [
              "alias/dth/sns/",
              {
                "Ref": "AWS::StackName"
              }
            ]
          ]
        },
        "TargetKeyId": {
          "Fn::GetAtt": [
            "APISNSTopicEncryptionKeyD739FE22",
            "Arn"
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/SNSTopicEncryptionKey/Alias/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "DTHCentralAlarmTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "DisplayName": {
          "Fn::Join": [
            "",
            [
              "Data Transfer Hub Central Monitor Alarm (",
              {
                "Ref": "AWS::StackName"
              },
              ")"
            ]
          ]
        },
        "FifoTopic": false,
        "KmsMasterKeyId": {
          "Fn::GetAtt": [
            "APISNSTopicEncryptionKeyD739FE22",
            "Arn"
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/DTHCentralAlarmTopic/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIDTHCentralAlarmTopicTokenSubscription1FF8954D9": {
      "Type": "AWS::SNS::Subscription",
      "Properties": {
        "Endpoint": {
          "Ref": "AdminEmail"
        },
        "Protocol": "email",
        "TopicArn": {
          "Ref": "DTHCentralAlarmTopic"
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/DTHCentralAlarmTopic/TokenSubscription:1/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "Customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowCheckFinderJobStatusFnPolicyFFC4CE88": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "logs:GetLogDelivery",
                "logs:ListLogDeliveries",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "cloudwatch:GetMetricStatistics",
                "cloudformation:DescribeStacks"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow",
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APItaskMonitorFlowCheckFinderJobStatusFnPolicyFFC4CE88",
        "Roles": [
          {
            "Ref": "APItaskMonitorFlowCheckFinderJobStatusFnServiceRole27876943"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/CheckFinderJobStatusFnPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "F4",
              "reason": "This policy requires related actions in order to start/delete other cloudformation stacks of the plugin with many other services"
            },
            {
              "id": "F39",
              "reason": "This policy requires related PassRole actions to unknown resources created by plugin cloudformation stacks"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "Customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowCheckFinderJobStatusFnServiceRole27876943": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/CheckFinderJobStatusFn/ServiceRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "Customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowCheckFinderJobStatusFnServiceRoleDefaultPolicy8B8CBD59": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APITaskTable658DE9FE",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APITaskTable658DE9FE",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APItaskMonitorFlowCheckFinderJobStatusFnServiceRoleDefaultPolicy8B8CBD59",
        "Roles": [
          {
            "Ref": "APItaskMonitorFlowCheckFinderJobStatusFnServiceRole27876943"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/CheckFinderJobStatusFn/ServiceRole/DefaultPolicy/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "Customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowCheckFinderJobStatusFn1EE0CE65": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "data-transfer-hub/v2.6.6/4368ed05fdbbe85d439458da51fc085c944d6a0c38fa66deb84656a1e96c1f9c.zip"
        },
        "Description": "Data Transfer Hub - Task Monitor Check Finder Job Status Handler",
        "Environment": {
          "Variables": {
            "TRANSFER_TASK_TABLE": {
              "Ref": "APITaskTable658DE9FE"
            }
          }
        },
        "Handler": "check_finder_job_status.lambda_handler",
        "MemorySize": 512,
        "Role": {
          "Fn::GetAtt": [
            "APItaskMonitorFlowCheckFinderJobStatusFnServiceRole27876943",
            "Arn"
          ]
        },
        "Runtime": "python3.9",
        "Timeout": 300
      },
      "DependsOn": [
        "APItaskMonitorFlowCheckFinderJobStatusFnServiceRoleDefaultPolicy8B8CBD59",
        "APItaskMonitorFlowCheckFinderJobStatusFnServiceRole27876943"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/CheckFinderJobStatusFn/Resource",
        "aws:asset:path": "asset.4368ed05fdbbe85d439458da51fc085c944d6a0c38fa66deb84656a1e96c1f9c",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "Lambda function already has permission to write CloudWatch Logs"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "Customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowCheckSqsStatusFnPolicy6F97614C": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "logs:GetLogDelivery",
                "logs:ListLogDeliveries",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "cloudwatch:GetMetricStatistics",
                "cloudformation:DescribeStacks",
                "sqs:GetQueueUrl",
                "sqs:GetQueueAttributes",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "states:ListExecutions",
                "states:ListStateMachines"
              ],
              "Effect": "Allow",
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APItaskMonitorFlowCheckSqsStatusFnPolicy6F97614C",
        "Roles": [
          {
            "Ref": "APItaskMonitorFlowCheckSqsStatusFnServiceRole740696FE"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/CheckSqsStatusFnPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "F4",
              "reason": "This policy requires related actions in order to start/delete other cloudformation stacks of the plugin with many other services"
            },
            {
              "id": "F39",
              "reason": "This policy requires related PassRole actions to unknown resources created by plugin cloudformation stacks"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "Customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowCheckSqsStatusFnServiceRole740696FE": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/CheckSqsStatusFn/ServiceRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "Customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowCheckSqsStatusFnServiceRoleDefaultPolicy0D6176C0": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APITaskTable658DE9FE",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APITaskTable658DE9FE",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APItaskMonitorFlowCheckSqsStatusFnServiceRoleDefaultPolicy0D6176C0",
        "Roles": [
          {
            "Ref": "APItaskMonitorFlowCheckSqsStatusFnServiceRole740696FE"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/CheckSqsStatusFn/ServiceRole/DefaultPolicy/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "Customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowCheckSqsStatusFn5BBF7B17": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "data-transfer-hub/v2.6.6/4368ed05fdbbe85d439458da51fc085c944d6a0c38fa66deb84656a1e96c1f9c.zip"
        },
        "Description": "Data Transfer Hub - Task Monitor Check SQS Status Handler",
        "Environment": {
          "Variables": {
            "TRANSFER_TASK_TABLE": {
              "Ref": "APITaskTable658DE9FE"
            }
          }
        },
        "Handler": "check_sqs_status.lambda_handler",
        "MemorySize": 512,
        "Role": {
          "Fn::GetAtt": [
            "APItaskMonitorFlowCheckSqsStatusFnServiceRole740696FE",
            "Arn"
          ]
        },
        "Runtime": "python3.9",
        "Timeout": 300
      },
      "DependsOn": [
        "APItaskMonitorFlowCheckSqsStatusFnServiceRoleDefaultPolicy0D6176C0",
        "APItaskMonitorFlowCheckSqsStatusFnServiceRole740696FE"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/CheckSqsStatusFn/Resource",
        "aws:asset:path": "asset.4368ed05fdbbe85d439458da51fc085c944d6a0c38fa66deb84656a1e96c1f9c",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "Lambda function already has permission to write CloudWatch Logs"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "Customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowCheckTransferCompleteFnPolicy0F5CC338": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "logs:GetLogDelivery",
                "logs:ListLogDeliveries",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "cloudwatch:GetMetricStatistics",
                "cloudformation:DescribeStacks",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow",
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APItaskMonitorFlowCheckTransferCompleteFnPolicy0F5CC338",
        "Roles": [
          {
            "Ref": "APItaskMonitorFlowCheckTransferCompleteFnServiceRole0F82F060"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/CheckTransferCompleteFnPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "F4",
              "reason": "This policy requires related actions in order to start/delete other cloudformation stacks of the plugin with many other services"
            },
            {
              "id": "F39",
              "reason": "This policy requires related PassRole actions to unknown resources created by plugin cloudformation stacks"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "Customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowCheckTransferCompleteFnServiceRole0F82F060": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/CheckTransferCompleteFn/ServiceRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "Customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowCheckTransferCompleteFnServiceRoleDefaultPolicy2E4F2BD2": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APITaskTable658DE9FE",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APITaskTable658DE9FE",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APItaskMonitorFlowCheckTransferCompleteFnServiceRoleDefaultPolicy2E4F2BD2",
        "Roles": [
          {
            "Ref": "APItaskMonitorFlowCheckTransferCompleteFnServiceRole0F82F060"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/CheckTransferCompleteFn/ServiceRole/DefaultPolicy/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "Customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowCheckTransferCompleteFn2C1992DF": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "data-transfer-hub/v2.6.6/4368ed05fdbbe85d439458da51fc085c944d6a0c38fa66deb84656a1e96c1f9c.zip"
        },
        "Description": "Data Transfer Hub - Task Monitor Check Transfer Complete Handler",
        "Environment": {
          "Variables": {
            "TRANSFER_TASK_TABLE": {
              "Ref": "APITaskTable658DE9FE"
            }
          }
        },
        "Handler": "check_transfer_complete.lambda_handler",
        "MemorySize": 512,
        "Role": {
          "Fn::GetAtt": [
            "APItaskMonitorFlowCheckTransferCompleteFnServiceRole0F82F060",
            "Arn"
          ]
        },
        "Runtime": "python3.9",
        "Timeout": 300
      },
      "DependsOn": [
        "APItaskMonitorFlowCheckTransferCompleteFnServiceRoleDefaultPolicy2E4F2BD2",
        "APItaskMonitorFlowCheckTransferCompleteFnServiceRole0F82F060"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/CheckTransferCompleteFn/Resource",
        "aws:asset:path": "asset.4368ed05fdbbe85d439458da51fc085c944d6a0c38fa66deb84656a1e96c1f9c",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "Lambda function already has permission to write CloudWatch Logs"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "Customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowChangeAsgSizeFnPolicy08230BDC": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "logs:GetLogDelivery",
                "logs:ListLogDeliveries",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "cloudwatch:GetMetricStatistics",
                "cloudformation:DescribeStacks",
                "autoscaling:UpdateAutoScalingGroup",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow",
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APItaskMonitorFlowChangeAsgSizeFnPolicy08230BDC",
        "Roles": [
          {
            "Ref": "APItaskMonitorFlowChangeAsgSizeFnServiceRole3BB92FD2"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/ChangeAsgSizeFnPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "F4",
              "reason": "This policy requires related actions in order to start/delete other cloudformation stacks of the plugin with many other services"
            },
            {
              "id": "F39",
              "reason": "This policy requires related PassRole actions to unknown resources created by plugin cloudformation stacks"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "Customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowChangeAsgSizeFnServiceRole3BB92FD2": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/ChangeAsgSizeFn/ServiceRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "Customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowChangeAsgSizeFnServiceRoleDefaultPolicy72D90806": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APITaskTable658DE9FE",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APITaskTable658DE9FE",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APItaskMonitorFlowChangeAsgSizeFnServiceRoleDefaultPolicy72D90806",
        "Roles": [
          {
            "Ref": "APItaskMonitorFlowChangeAsgSizeFnServiceRole3BB92FD2"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/ChangeAsgSizeFn/ServiceRole/DefaultPolicy/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "Customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowChangeAsgSizeFn002E10EA": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "data-transfer-hub/v2.6.6/4368ed05fdbbe85d439458da51fc085c944d6a0c38fa66deb84656a1e96c1f9c.zip"
        },
        "Description": "Data Transfer Hub - Task Monitor Change ASG Size Handler",
        "Environment": {
          "Variables": {
            "TRANSFER_TASK_TABLE": {
              "Ref": "APITaskTable658DE9FE"
            }
          }
        },
        "Handler": "change_asg_size.lambda_handler",
        "MemorySize": 512,
        "Role": {
          "Fn::GetAtt": [
            "APItaskMonitorFlowChangeAsgSizeFnServiceRole3BB92FD2",
            "Arn"
          ]
        },
        "Runtime": "python3.9",
        "Timeout": 300
      },
      "DependsOn": [
        "APItaskMonitorFlowChangeAsgSizeFnServiceRoleDefaultPolicy72D90806",
        "APItaskMonitorFlowChangeAsgSizeFnServiceRole3BB92FD2"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/ChangeAsgSizeFn/Resource",
        "aws:asset:path": "asset.4368ed05fdbbe85d439458da51fc085c944d6a0c38fa66deb84656a1e96c1f9c",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "Lambda function already has permission to write CloudWatch Logs"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "Customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowCheckIsOneTimeTransferFnPolicy868D79A7": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "logs:GetLogDelivery",
                "logs:ListLogDeliveries",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "cloudwatch:GetMetricStatistics",
                "cloudformation:DescribeStacks",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow",
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APItaskMonitorFlowCheckIsOneTimeTransferFnPolicy868D79A7",
        "Roles": [
          {
            "Ref": "APItaskMonitorFlowCheckIsOneTimeTransferFnServiceRoleD8E19306"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/CheckIsOneTimeTransferFnPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "F4",
              "reason": "This policy requires related actions in order to start/delete other cloudformation stacks of the plugin with many other services"
            },
            {
              "id": "F39",
              "reason": "This policy requires related PassRole actions to unknown resources created by plugin cloudformation stacks"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "Customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowCheckIsOneTimeTransferFnServiceRoleD8E19306": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/CheckIsOneTimeTransferFn/ServiceRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "Customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowCheckIsOneTimeTransferFnServiceRoleDefaultPolicy01C5D06A": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APITaskTable658DE9FE",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APITaskTable658DE9FE",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APItaskMonitorFlowCheckIsOneTimeTransferFnServiceRoleDefaultPolicy01C5D06A",
        "Roles": [
          {
            "Ref": "APItaskMonitorFlowCheckIsOneTimeTransferFnServiceRoleD8E19306"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/CheckIsOneTimeTransferFn/ServiceRole/DefaultPolicy/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowCheckIsOneTimeTransferFn9B1909EE": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "data-transfer-hub/v2.6.6/4368ed05fdbbe85d439458da51fc085c944d6a0c38fa66deb84656a1e96c1f9c.zip"
        },
        "Description": "Data Transfer Hub - Task Monitor Check Is One Time Transfer Task Handler",
        "Environment": {
          "Variables": {
            "TRANSFER_TASK_TABLE": {
              "Ref": "APITaskTable658DE9FE"
            }
          }
        },
        "Handler": "check_is_onetime_transfer_task.lambda_handler",
        "MemorySize": 512,
        "Role": {
          "Fn::GetAtt": [
            "APItaskMonitorFlowCheckIsOneTimeTransferFnServiceRoleD8E19306",
            "Arn"
          ]
        },
        "Runtime": "python3.9",
        "Timeout": 300
      },
      "DependsOn": [
        "APItaskMonitorFlowCheckIsOneTimeTransferFnServiceRoleDefaultPolicy01C5D06A",
        "APItaskMonitorFlowCheckIsOneTimeTransferFnServiceRoleD8E19306"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/CheckIsOneTimeTransferFn/Resource",
        "aws:asset:path": "asset.4368ed05fdbbe85d439458da51fc085c944d6a0c38fa66deb84656a1e96c1f9c",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "Lambda function already has permission to write CloudWatch Logs"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowSendSnsNotificationFnPolicy8322FCFD": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "sns:Publish",
              "Effect": "Allow",
              "Resource": {
                "Ref": "DTHCentralAlarmTopic"
              }
            },
            {
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey",
                "kms:ImportKeyMaterial",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:UpdateAlias",
                "kms:GetPublicKey",
                "kms:ListKeyPolicies",
                "kms:ListRetirableGrants",
                "kms:PutKeyPolicy",
                "kms:GetKeyPolicy",
                "kms:ListResourceTags",
                "kms:RetireGrant",
                "kms:ListGrants",
                "kms:GetParametersForImport",
                "kms:DescribeCustomKeyStores",
                "kms:ListKeys",
                "kms:GetKeyRotationStatus",
                "kms:ListAliases",
                "kms:RevokeGrant",
                "kms:DescribeKey",
                "kms:CreateGrant"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:",
                    {
                      "Ref": "AWS::Partition"
                    },
                    ":kms:",
                    {
                      "Ref": "AWS::Region"
                    },
                    ":",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":key/*"
                  ]
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APItaskMonitorFlowSendSnsNotificationFnPolicy8322FCFD",
        "Roles": [
          {
            "Ref": "APItaskMonitorFlowSendSnsNotificationFnServiceRole099B95FF"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/SendSnsNotificationFnPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "F4",
              "reason": "This policy requires related actions"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowSendSnsNotificationFnServiceRole099B95FF": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/SendSnsNotificationFn/ServiceRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowSendSnsNotificationFnServiceRoleDefaultPolicy043C5C3E": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APITaskTable658DE9FE",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APITaskTable658DE9FE",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APItaskMonitorFlowSendSnsNotificationFnServiceRoleDefaultPolicy043C5C3E",
        "Roles": [
          {
            "Ref": "APItaskMonitorFlowSendSnsNotificationFnServiceRole099B95FF"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/SendSnsNotificationFn/ServiceRole/DefaultPolicy/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowSendSnsNotificationFn34710CC3": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "data-transfer-hub/v2.6.6/4368ed05fdbbe85d439458da51fc085c944d6a0c38fa66deb84656a1e96c1f9c.zip"
        },
        "Description": "Data Transfer Hub - Task Monitor Send Task Alarm to SNS",
        "Environment": {
          "Variables": {
            "TRANSFER_TASK_TABLE": {
              "Ref": "APITaskTable658DE9FE"
            },
            "CENTRAL_SNS_ARN": {
              "Ref": "DTHCentralAlarmTopic"
            }
          }
        },
        "Handler": "send_sns_notification.lambda_handler",
        "MemorySize": 512,
        "Role": {
          "Fn::GetAtt": [
            "APItaskMonitorFlowSendSnsNotificationFnServiceRole099B95FF",
            "Arn"
          ]
        },
        "Runtime": "python3.9",
        "Timeout": 300
      },
      "DependsOn": [
        "APItaskMonitorFlowSendSnsNotificationFnServiceRoleDefaultPolicy043C5C3E",
        "APItaskMonitorFlowSendSnsNotificationFnServiceRole099B95FF"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/SendSnsNotificationFn/Resource",
        "aws:asset:path": "asset.4368ed05fdbbe85d439458da51fc085c944d6a0c38fa66deb84656a1e96c1f9c",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "Lambda function already has permission to write CloudWatch Logs"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowErrorLogGroupD3F0CDE6": {
      "Type": "AWS::Logs::LogGroup",
      "Properties": {
        "LogGroupName": {
          "Fn::Join": [
            "",
            [
              "/aws/vendedlogs/states/",
              {
                "Fn::Select": [
                  6,
                  {
                    "Fn::Split": [
                      ":",
                      {
                        "Fn::GetAtt": [
                          "APItaskMonitorFlowCheckFinderJobStatusFn1EE0CE65",
                          "Arn"
                        ]
                      }
                    ]
                  }
                ]
              },
              "-SM-Monitor"
            ]
          ]
        },
        "RetentionInDays": 731
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/ErrorLogGroup/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W84",
              "reason": "log group is encrypted with the default master key"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowtaskMonitorStateMachineRole271E1C6C": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": {
                  "Fn::FindInMap": [
                    "ServiceprincipalMap",
                    {
                      "Ref": "AWS::Region"
                    },
                    "states"
                  ]
                }
              }
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/taskMonitorStateMachine/Role/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowtaskMonitorStateMachineRoleDefaultPolicy58D4285D": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APItaskMonitorFlowCheckFinderJobStatusFn1EE0CE65",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APItaskMonitorFlowCheckFinderJobStatusFn1EE0CE65",
                          "Arn"
                        ]
                      },
                      ":*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APItaskMonitorFlowChangeAsgSizeFn002E10EA",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APItaskMonitorFlowChangeAsgSizeFn002E10EA",
                          "Arn"
                        ]
                      },
                      ":*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APItaskMonitorFlowCheckTransferCompleteFn2C1992DF",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APItaskMonitorFlowCheckTransferCompleteFn2C1992DF",
                          "Arn"
                        ]
                      },
                      ":*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APItaskMonitorFlowSendSnsNotificationFn34710CC3",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APItaskMonitorFlowSendSnsNotificationFn34710CC3",
                          "Arn"
                        ]
                      },
                      ":*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APItaskMonitorFlowCheckIsOneTimeTransferFn9B1909EE",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APItaskMonitorFlowCheckIsOneTimeTransferFn9B1909EE",
                          "Arn"
                        ]
                      },
                      ":*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APItaskMonitorFlowCheckSqsStatusFn5BBF7B17",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APItaskMonitorFlowCheckSqsStatusFn5BBF7B17",
                          "Arn"
                        ]
                      },
                      ":*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "logs:CreateLogDelivery",
                "logs:GetLogDelivery",
                "logs:UpdateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:ListLogDeliveries",
                "logs:PutResourcePolicy",
                "logs:DescribeResourcePolicies",
                "logs:DescribeLogGroups"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords",
                "xray:GetSamplingRules",
                "xray:GetSamplingTargets"
              ],
              "Effect": "Allow",
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APItaskMonitorFlowtaskMonitorStateMachineRoleDefaultPolicy58D4285D",
        "Roles": [
          {
            "Ref": "APItaskMonitorFlowtaskMonitorStateMachineRole271E1C6C"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/taskMonitorStateMachine/Role/DefaultPolicy/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APItaskMonitorFlowtaskMonitorStateMachine0351B84A": {
      "Type": "AWS::StepFunctions::StateMachine",
      "Properties": {
        "DefinitionString": {
          "Fn::Join": [
            "",
            [
              "{\"StartAt\":\"Check Finder Job Status\",\"States\":{\"Check Finder Job Status\":{\"Next\":\"Check Finder Status Choice\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"OutputPath\":\"$.Payload\",\"Resource\":\"arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
              {
                "Fn::GetAtt": [
                  "APItaskMonitorFlowCheckFinderJobStatusFn1EE0CE65",
                  "Arn"
                ]
              },
              "\",\"Payload.$\":\"$\"}},\"Wait for 1 minute for Finder\":{\"Type\":\"Wait\",\"Seconds\":60,\"Next\":\"Check Finder Job Status\"},\"Check Finder Status Choice\":{\"Type\":\"Choice\",\"Choices\":[{\"Variable\":\"$.status\",\"StringEquals\":\"ERROR\",\"Next\":\"Scare Down ASG\"},{\"Variable\":\"$.status\",\"StringEquals\":\"COMPLETED\",\"Next\":\"Check is One Time Job\"},{\"Variable\":\"$.status\",\"StringEquals\":\"NO_NEED\",\"Next\":\"Task Monitor Complete\"}],\"Default\":\"Wait for 1 minute for Finder\"},\"Scare Down ASG\":{\"Next\":\"Send Alarm to Central SNS\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"OutputPath\":\"$.Payload\",\"Resource\":\"arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
              {
                "Fn::GetAtt": [
                  "APItaskMonitorFlowChangeAsgSizeFn002E10EA",
                  "Arn"
                ]
              },
              "\",\"Payload.$\":\"$\"}},\"Check Worker Job Complete\":{\"Next\":\"Scare Down ASG\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"OutputPath\":\"$.Payload\",\"Resource\":\"arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
              {
                "Fn::GetAtt": [
                  "APItaskMonitorFlowCheckTransferCompleteFn2C1992DF",
                  "Arn"
                ]
              },
              "\",\"Payload.$\":\"$\"}},\"Send Alarm to Central SNS\":{\"Next\":\"Task Monitor Complete\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"OutputPath\":\"$.Payload\",\"Resource\":\"arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
              {
                "Fn::GetAtt": [
                  "APItaskMonitorFlowSendSnsNotificationFn34710CC3",
                  "Arn"
                ]
              },
              "\",\"Payload.$\":\"$\"}},\"Task Monitor Complete\":{\"Type\":\"Succeed\"},\"Check is One Time Job\":{\"Next\":\"Is One Time Job?\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"OutputPath\":\"$.Payload\",\"Resource\":\"arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
              {
                "Fn::GetAtt": [
                  "APItaskMonitorFlowCheckIsOneTimeTransferFn9B1909EE",
                  "Arn"
                ]
              },
              "\",\"Payload.$\":\"$\"}},\"Is One Time Job?\":{\"Type\":\"Choice\",\"Choices\":[{\"Variable\":\"$.isOneTime\",\"StringEquals\":\"true\",\"Next\":\"Check SQS Status\"}],\"Default\":\"Task Monitor Complete\"},\"Check SQS Status\":{\"Next\":\"SQS and SFN are Empty?\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"OutputPath\":\"$.Payload\",\"Resource\":\"arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
              {
                "Fn::GetAtt": [
                  "APItaskMonitorFlowCheckSqsStatusFn5BBF7B17",
                  "Arn"
                ]
              },
              "\",\"Payload.$\":\"$\"}},\"Wait for 1 minute for SQS\":{\"Type\":\"Wait\",\"Seconds\":60,\"Next\":\"Check SQS Status\"},\"Has Checked 3 times?\":{\"Type\":\"Choice\",\"Choices\":[{\"Variable\":\"$.checkRound\",\"NumericLessThan\":3,\"Next\":\"Wait for 1 minute for SQS\"}],\"Default\":\"Check Worker Job Complete\"},\"SQS and SFN are Empty?\":{\"Type\":\"Choice\",\"Choices\":[{\"Variable\":\"$.isEmpty\",\"StringEquals\":\"true\",\"Next\":\"Has Checked 3 times?\"}],\"Default\":\"Wait for 1 minute for SQS\"}}}"
            ]
          ]
        },
        "LoggingConfiguration": {
          "Destinations": [
            {
              "CloudWatchLogsLogGroup": {
                "LogGroupArn": {
                  "Fn::GetAtt": [
                    "APItaskMonitorFlowErrorLogGroupD3F0CDE6",
                    "Arn"
                  ]
                }
              }
            }
          ],
          "Level": "ALL"
        },
        "RoleArn": {
          "Fn::GetAtt": [
            "APItaskMonitorFlowtaskMonitorStateMachineRole271E1C6C",
            "Arn"
          ]
        },
        "TracingConfiguration": {
          "Enabled": true
        }
      },
      "DependsOn": [
        "APItaskMonitorFlowtaskMonitorStateMachineRoleDefaultPolicy58D4285D",
        "APItaskMonitorFlowtaskMonitorStateMachineRole271E1C6C"
      ],
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/taskMonitorFlow/taskMonitorStateMachine/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APICfnWorkflowCreateTaskCfnFnServiceRole3938A461": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/CfnWorkflow/CreateTaskCfnFn/ServiceRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APICfnWorkflowCreateTaskCfnFnACF26E17": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "data-transfer-hub/v2.6.6/11678f35554804b0022bd3597cb2f257916bbd7c8891aff4f136afc2deee6ef4.zip"
        },
        "Description": "Data Transfer Hub - Create Task",
        "Environment": {
          "Variables": {
            "TASK_TABLE": {
              "Ref": "APITaskTable658DE9FE"
            }
          }
        },
        "Handler": "lambda_function.create_task_cfn",
        "MemorySize": 512,
        "Role": {
          "Fn::GetAtt": [
            "APICfnWorkflowCreateTaskCfnFnServiceRole3938A461",
            "Arn"
          ]
        },
        "Runtime": "python3.9",
        "Timeout": 60
      },
      "DependsOn": [
        "APICfnWorkflowCreateTaskCfnFnServiceRole3938A461"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/CfnWorkflow/CreateTaskCfnFn/Resource",
        "aws:asset:path": "asset.11678f35554804b0022bd3597cb2f257916bbd7c8891aff4f136afc2deee6ef4",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "Lambda function already has permission to write CloudWatch Logs"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APICfnWorkflowStopTaskCfnFnServiceRoleCB7981E0": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/CfnWorkflow/StopTaskCfnFn/ServiceRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APICfnWorkflowStopTaskCfnFn512164BE": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "data-transfer-hub/v2.6.6/11678f35554804b0022bd3597cb2f257916bbd7c8891aff4f136afc2deee6ef4.zip"
        },
        "Description": "Data Transfer Hub - Stop Task",
        "Environment": {
          "Variables": {
            "TASK_TABLE": {
              "Ref": "APITaskTable658DE9FE"
            }
          }
        },
        "Handler": "lambda_function.stop_task_cfn",
        "MemorySize": 512,
        "Role": {
          "Fn::GetAtt": [
            "APICfnWorkflowStopTaskCfnFnServiceRoleCB7981E0",
            "Arn"
          ]
        },
        "Runtime": "python3.9",
        "Timeout": 60
      },
      "DependsOn": [
        "APICfnWorkflowStopTaskCfnFnServiceRoleCB7981E0"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/CfnWorkflow/StopTaskCfnFn/Resource",
        "aws:asset:path": "asset.11678f35554804b0022bd3597cb2f257916bbd7c8891aff4f136afc2deee6ef4",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "Lambda function already has permission to write CloudWatch Logs"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own, so we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APICfnWorkflowTaskFnPolicy9138F2E2": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "states:CreateStateMachine",
                "states:DeleteStateMachine",
                "states:DescribeStateMachine",
                "states:TagResource"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":states:",
                      {
                        "Ref": "AWS::Region"
                      },
                      ":",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":activity:DTH*"
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":states:",
                      {
                        "Ref": "AWS::Region"
                      },
                      ":",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":stateMachine:DTH*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:DeleteLaunchConfiguration",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:EnableMetricsCollection",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:PutScalingPolicy",
                "autoscaling:DeletePolicy"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "SNS:CreateTopic",
                "SNS:GetTopicAttributes",
                "SNS:DeleteTopic",
                "SNS:Subscribe",
                "SNS:Unsubscribe",
                "SNS:TagResource"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:",
                    {
                      "Ref": "AWS::Partition"
                    },
                    ":sns:",
                    {
                      "Ref": "AWS::Region"
                    },
                    ":",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":DTH*"
                  ]
                ]
              }
            },
            {
              "Action": [
                "ssm:GetParameters",
                "ssm:PutParameter",
                "ssm:AddTagsToResource",
                "ssm:DeleteParameter"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "events:PutRule",
                "events:RemoveTargets",
                "events:DescribeRule",
                "events:PutTargets",
                "events:DeleteRule"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:",
                    {
                      "Ref": "AWS::Partition"
                    },
                    ":events:",
                    {
                      "Ref": "AWS::Region"
                    },
                    ":",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":rule/DTH*"
                  ]
                ]
              }
            },
            {
              "Action": [
                "cloudformation:Create*",
                "cloudformation:Update*",
                "cloudformation:Delete*"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "s3:PutBucketNotification",
                "s3:GetBucketNotification",
                "s3:GetObject"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DescribeTable",
                "dynamodb:DeleteTable",
                "dynamodb:UpdateItem",
                "dynamodb:DescribeContinuousBackups",
                "dynamodb:UpdateContinuousBackups",
                "dynamodb:TagResource",
                "dynamodb:ListTagsOfResource"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":dynamodb:",
                      {
                        "Ref": "AWS::Region"
                      },
                      ":",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":table/DTH*"
                    ]
                  ]
                },
                {
                  "Fn::GetAtt": [
                    "APITaskTable658DE9FE",
                    "Arn"
                  ]
                }
              ]
            },
            {
              "Action": [
                "sqs:SendMessage",
                "sqs:CreateQueue",
                "sqs:GetQueueAttributes",
                "sqs:SetQueueAttributes",
                "sqs:DeleteQueue",
                "sqs:TagQueue"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:",
                    {
                      "Ref": "AWS::Partition"
                    },
                    ":sqs:",
                    {
                      "Ref": "AWS::Region"
                    },
                    ":",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":DTH*"
                  ]
                ]
              }
            },
            {
              "Action": [
                "ec2:createTags",
                "ec2:DescribeImages",
                "ec2:DescribeVpcs",
                "ec2:DescribeInstances",
                "ec2:DescribeSubnets",
                "ec2:DescribeVolumes",
                "ec2:DescribeTags",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:LaunchTemplate",
                "ec2:CreateLaunchTemplate",
                "ec2:DeleteLaunchTemplate",
                "ec2:CreateLaunchTemplateVersion",
                "ec2:DeleteLaunchTemplateVersions",
                "ec2:GetLaunchTemplateData",
                "ec2:DescribeSecurityGroups",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:Describe*",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RunInstances",
                "ec2:TerminateInstances"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "ecs:RunTask",
                "ecs:ListTasks",
                "ecs:RegisterTaskDefinition",
                "ecs:DeregisterTaskDefinition",
                "ecs:DescribeTaskDefinition",
                "ecs:TagResource"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "logs:CreateLogGroup",
                "logs:DeleteLogGroup",
                "logs:DeleteLogStream",
                "logs:CreateLogStream",
                "logs:PutRetentionPolicy",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "logs:PutMetricFilter",
                "logs:DeleteMetricFilter",
                "logs:DescribeMetricFilters",
                "logs:PutLogEvents",
                "logs:TagResource"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:Describe*",
                "cloudwatch:PutMetricData",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:GetDashboard",
                "cloudwatch:DeleteDashboards",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:PutDashboard",
                "cloudwatch:ListDashboards"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": "tag:TagResources",
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "iam:CreateInstanceProfile",
                "iam:CreateRole",
                "iam:PutRolePolicy",
                "iam:PassRole",
                "iam:AttachRolePolicy",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetRole",
                "iam:GetPolicy",
                "iam:GetRolePolicy",
                "iam:ListRoles",
                "iam:ListPolicies",
                "iam:ListRolePolicies",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetInstanceProfile",
                "iam:TagRole"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":iam::",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":instance-profile/DTH*"
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":iam::",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":role/DTH*"
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":iam::",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":policy/DTH*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "lambda:InvokeFunction",
                "lambda:AddPermission",
                "lambda:CreateFunction",
                "lambda:CreateEventSourceMapping",
                "lambda:DeleteEventSourceMapping",
                "lambda:PublishLayerVersion",
                "lambda:DeleteLayerVersion",
                "lambda:DeleteFunction",
                "lambda:RemovePermission",
                "lambda:UpdateFunctionConfiguration",
                "lambda:UpdateFunctionCode",
                "lambda:PublishVersion",
                "lambda:TagResource",
                "lambda:Get*",
                "lambda:List*"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "kms:CreateKey",
                "kms:CreateAlias",
                "kms:CreateGrant",
                "kms:DeleteAlias",
                "kms:DescribeKey",
                "kms:DisableKey",
                "kms:EnableKey",
                "kms:EnableKeyRotation",
                "kms:GetKeyRotationStatus",
                "kms:GetKeyPolicy",
                "kms:GetParametersForImport",
                "kms:ImportKeyMaterial",
                "kms:PutKeyPolicy",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:UpdateAlias",
                "kms:ScheduleKeyDeletion"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "ecr:CreateRepository",
                "ecr:CompleteLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:InitiateLayerUpload",
                "ecr:PutImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:GetAuthorizationToken"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": "iam:CreateServiceLinkedRole",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:",
                    {
                      "Ref": "AWS::Partition"
                    },
                    ":iam::",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                  ]
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APICfnWorkflowTaskFnPolicy9138F2E2",
        "Roles": [
          {
            "Ref": "APICfnWorkflowCreateTaskCfnFnServiceRole3938A461"
          },
          {
            "Ref": "APICfnWorkflowStopTaskCfnFnServiceRoleCB7981E0"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/CfnWorkflow/TaskFnPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "F4",
              "reason": "This policy requires related actions in order to start/delete other cloudformation stacks of the plugin with many other services"
            },
            {
              "id": "F39",
              "reason": "This policy requires related PassRole actions to unknown resources created by plugin cloudformation stacks"
            },
            {
              "id": "W76",
              "reason": "This policy needs to be able to start/delete other complex cloudformation stacks"
            },
            {
              "id": "W12",
              "reason": "This policy needs to be able to start/delete other CloudFormation stacks of the plugin with unknown resource names"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own, so we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APICfnWorkflowQueryTaskCfnFnServiceRoleD084A22B": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/CfnWorkflow/QueryTaskCfnFn/ServiceRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own, so we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APICfnWorkflowQueryTaskCfnFnServiceRoleDefaultPolicyB540C3AD": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "dynamodb:Query",
                "dynamodb:UpdateItem"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::GetAtt": [
                  "APITaskTable658DE9FE",
                  "Arn"
                ]
              }
            },
            {
              "Action": "cloudformation:DescribeStacks",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:",
                    {
                      "Ref": "AWS::Partition"
                    },
                    ":cloudformation:",
                    {
                      "Ref": "AWS::Region"
                    },
                    ":",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":stack/DTH*"
                  ]
                ]
              }
            },
            {
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow",
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APICfnWorkflowQueryTaskCfnFnServiceRoleDefaultPolicyB540C3AD",
        "Roles": [
          {
            "Ref": "APICfnWorkflowQueryTaskCfnFnServiceRoleD084A22B"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/CfnWorkflow/QueryTaskCfnFn/ServiceRole/DefaultPolicy/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own, so we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APICfnWorkflowQueryTaskCfnFn2D7564D5": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "data-transfer-hub/v2.6.6/11678f35554804b0022bd3597cb2f257916bbd7c8891aff4f136afc2deee6ef4.zip"
        },
        "Description": "Data Transfer Hub - Query Task",
        "Environment": {
          "Variables": {
            "TASK_TABLE": {
              "Ref": "APITaskTable658DE9FE"
            }
          }
        },
        "Handler": "lambda_function.query_task_cfn",
        "MemorySize": 512,
        "Role": {
          "Fn::GetAtt": [
            "APICfnWorkflowQueryTaskCfnFnServiceRoleD084A22B",
            "Arn"
          ]
        },
        "Runtime": "python3.9",
        "Timeout": 60
      },
      "DependsOn": [
        "APICfnWorkflowQueryTaskCfnFnServiceRoleDefaultPolicyB540C3AD",
        "APICfnWorkflowQueryTaskCfnFnServiceRoleD084A22B"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/CfnWorkflow/QueryTaskCfnFn/Resource",
        "aws:asset:path": "asset.11678f35554804b0022bd3597cb2f257916bbd7c8891aff4f136afc2deee6ef4",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "Lambda function already has permission to write CloudWatch Logs"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own, so we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APICfnWorkflowStartMonitorFlowFnServiceRole4718B14E": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/CfnWorkflow/StartMonitorFlowFn/ServiceRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own, so we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APICfnWorkflowStartMonitorFlowFnServiceRoleDefaultPolicyFD6700A9": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "states:StartExecution",
              "Effect": "Allow",
              "Resource": {
                "Ref": "APItaskMonitorFlowtaskMonitorStateMachine0351B84A"
              }
            },
            {
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow",
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APICfnWorkflowStartMonitorFlowFnServiceRoleDefaultPolicyFD6700A9",
        "Roles": [
          {
            "Ref": "APICfnWorkflowStartMonitorFlowFnServiceRole4718B14E"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/CfnWorkflow/StartMonitorFlowFn/ServiceRole/DefaultPolicy/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own, so we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APICfnWorkflowStartMonitorFlowFn31508196": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "data-transfer-hub/v2.6.6/4368ed05fdbbe85d439458da51fc085c944d6a0c38fa66deb84656a1e96c1f9c.zip"
        },
        "Description": "Data Transfer Hub - Start Task Monitoring Flow Handler",
        "Environment": {
          "Variables": {
            "MONITOR_SFN_ARN": {
              "Ref": "APItaskMonitorFlowtaskMonitorStateMachine0351B84A"
            }
          }
        },
        "Handler": "start_monitor_flow.lambda_handler",
        "MemorySize": 512,
        "Role": {
          "Fn::GetAtt": [
            "APICfnWorkflowStartMonitorFlowFnServiceRole4718B14E",
            "Arn"
          ]
        },
        "Runtime": "python3.9",
        "Timeout": 60
      },
      "DependsOn": [
        "APICfnWorkflowStartMonitorFlowFnServiceRoleDefaultPolicyFD6700A9",
        "APICfnWorkflowStartMonitorFlowFnServiceRole4718B14E"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/CfnWorkflow/StartMonitorFlowFn/Resource",
        "aws:asset:path": "asset.4368ed05fdbbe85d439458da51fc085c944d6a0c38fa66deb84656a1e96c1f9c",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "Lambda function already has permission to write CloudWatch Logs"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own, so we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APICfnWorkflowCfnDeploySMLogGroup85EF2A81": {
      "Type": "AWS::Logs::LogGroup",
      "Properties": {
        "LogGroupName": {
          "Fn::Join": [
            "",
            [
              "/aws/vendedlogs/states/",
              {
                "Fn::Select": [
                  6,
                  {
                    "Fn::Split": [
                      ":",
                      {
                        "Fn::GetAtt": [
                          "APICfnWorkflowStartMonitorFlowFn31508196",
                          "Arn"
                        ]
                      }
                    ]
                  }
                ]
              },
              "-CfnDeploy-SM"
            ]
          ]
        },
        "RetentionInDays": 731
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/CfnWorkflow/CfnDeploySMLogGroup/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W84",
              "reason": "log group is encrypted with the default master key"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own, so we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APICfnWorkflowCfnDeploymentStateMachineRole94AFCD72": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": {
                  "Fn::FindInMap": [
                    "ServiceprincipalMap",
                    {
                      "Ref": "AWS::Region"
                    },
                    "states"
                  ]
                }
              }
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/CfnWorkflow/CfnDeploymentStateMachine/Role/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own, so we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APICfnWorkflowCfnDeploymentStateMachineRoleDefaultPolicyF7DE5FEB": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APICfnWorkflowCreateTaskCfnFnACF26E17",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APICfnWorkflowCreateTaskCfnFnACF26E17",
                          "Arn"
                        ]
                      },
                      ":*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APICfnWorkflowStopTaskCfnFn512164BE",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APICfnWorkflowStopTaskCfnFn512164BE",
                          "Arn"
                        ]
                      },
                      ":*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APICfnWorkflowQueryTaskCfnFn2D7564D5",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APICfnWorkflowQueryTaskCfnFn2D7564D5",
                          "Arn"
                        ]
                      },
                      ":*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APICfnWorkflowStartMonitorFlowFn31508196",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APICfnWorkflowStartMonitorFlowFn31508196",
                          "Arn"
                        ]
                      },
                      ":*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "logs:CreateLogDelivery",
                "logs:GetLogDelivery",
                "logs:UpdateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:ListLogDeliveries",
                "logs:PutResourcePolicy",
                "logs:DescribeResourcePolicies",
                "logs:DescribeLogGroups"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords",
                "xray:GetSamplingRules",
                "xray:GetSamplingTargets"
              ],
              "Effect": "Allow",
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APICfnWorkflowCfnDeploymentStateMachineRoleDefaultPolicyF7DE5FEB",
        "Roles": [
          {
            "Ref": "APICfnWorkflowCfnDeploymentStateMachineRole94AFCD72"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/CfnWorkflow/CfnDeploymentStateMachine/Role/DefaultPolicy/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APICfnWorkflowCfnDeploymentStateMachineFC154A5B": {
      "Type": "AWS::StepFunctions::StateMachine",
      "Properties": {
        "DefinitionString": {
          "Fn::Join": [
            "",
            [
              "{\"StartAt\":\"Stack Action Choice\",\"States\":{\"Stack Action Choice\":{\"Type\":\"Choice\",\"Choices\":[{\"Variable\":\"$.action\",\"StringEquals\":\"START\",\"Next\":\"Start Stack\"},{\"Variable\":\"$.action\",\"StringEquals\":\"STOP\",\"Next\":\"Stop Stack\"}]},\"Start Stack\":{\"Next\":\"Wait for 5 seconds\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"OutputPath\":\"$.Payload\",\"Resource\":\"arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
              {
                "Fn::GetAtt": [
                  "APICfnWorkflowCreateTaskCfnFnACF26E17",
                  "Arn"
                ]
              },
              "\",\"Payload.$\":\"$\"}},\"Wait for 5 seconds\":{\"Type\":\"Wait\",\"Seconds\":5,\"Next\":\"Query Stack Status\"},\"Stop Stack\":{\"Next\":\"Wait for 5 seconds\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"OutputPath\":\"$.Payload\",\"Resource\":\"arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
              {
                "Fn::GetAtt": [
                  "APICfnWorkflowStopTaskCfnFn512164BE",
                  "Arn"
                ]
              },
              "\",\"Payload.$\":\"$\"}},\"Query Stack Status\":{\"Next\":\"Query Stack Status Choice\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"OutputPath\":\"$.Payload\",\"Resource\":\"arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
              {
                "Fn::GetAtt": [
                  "APICfnWorkflowQueryTaskCfnFn2D7564D5",
                  "Arn"
                ]
              },
              "\",\"Payload.$\":\"$\"}},\"Query Stack Status Choice\":{\"Type\":\"Choice\",\"Choices\":[{\"Variable\":\"$.stackStatus.S\",\"StringEquals\":\"CREATE_COMPLETE\",\"Next\":\"Start Monitoring Flow\"},{\"Or\":[{\"Variable\":\"$.stackStatus.S\",\"StringEquals\":\"UPDATE_COMPLETE\"},{\"Variable\":\"$.stackStatus.S\",\"StringEquals\":\"DELETE_COMPLETE\"}],\"Next\":\"Stack Ops Succeed\"},{\"Or\":[{\"Variable\":\"$.stackStatus.S\",\"StringEquals\":\"CREATE_FAILED\"},{\"Variable\":\"$.stackStatus.S\",\"StringEquals\":\"DELETE_FAILED\"},{\"Variable\":\"$.stackStatus.S\",\"StringEquals\":\"UPDATE_ROLLBACK_FAILED\"},{\"Variable\":\"$.stackStatus.S\",\"StringEquals\":\"ROLLBACK_COMPLETE\"}],\"Next\":\"Stack Ops Failed\"}],\"Default\":\"Wait for 5 seconds\"},\"Start Monitoring Flow\":{\"Next\":\"Stack Ops Succeed\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"OutputPath\":\"$.Payload\",\"Resource\":\"arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
              {
                "Fn::GetAtt": [
                  "APICfnWorkflowStartMonitorFlowFn31508196",
                  "Arn"
                ]
              },
              "\",\"Payload.$\":\"$\"}},\"Stack Ops Succeed\":{\"Type\":\"Succeed\"},\"Stack Ops Failed\":{\"Type\":\"Fail\"}},\"TimeoutSeconds\":7200}"
            ]
          ]
        },
        "LoggingConfiguration": {
          "Destinations": [
            {
              "CloudWatchLogsLogGroup": {
                "LogGroupArn": {
                  "Fn::GetAtt": [
                    "APICfnWorkflowCfnDeploySMLogGroup85EF2A81",
                    "Arn"
                  ]
                }
              }
            }
          ],
          "Level": "ALL"
        },
        "RoleArn": {
          "Fn::GetAtt": [
            "APICfnWorkflowCfnDeploymentStateMachineRole94AFCD72",
            "Arn"
          ]
        },
        "TracingConfiguration": {
          "Enabled": true
        }
      },
      "DependsOn": [
        "APICfnWorkflowCfnDeploymentStateMachineRoleDefaultPolicyF7DE5FEB",
        "APICfnWorkflowCfnDeploymentStateMachineRole94AFCD72"
      ],
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/CfnWorkflow/CfnDeploymentStateMachine/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIUserPoolSmsRoleC14F30EE": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "cognito-idp.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/UserPoolSmsRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIPoolSmsPolicy7FBA90AA": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "sns:Publish",
              "Effect": "Allow",
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APIPoolSmsPolicy7FBA90AA",
        "Roles": [
          {
            "Ref": "APIUserPoolSmsRoleC14F30EE"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/PoolSmsPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "User Pool SMS notifications publish directly to phone numbers, which have no resource ARN, so sns:Publish is allowed on any resource"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "DataTransferHubUserPool": {
      "Type": "AWS::Cognito::UserPool",
      "Properties": {
        "AccountRecoverySetting": {
          "RecoveryMechanisms": [
            {
              "Name": "verified_phone_number",
              "Priority": 1
            },
            {
              "Name": "verified_email",
              "Priority": 2
            }
          ]
        },
        "AdminCreateUserConfig": {
          "AllowAdminCreateUserOnly": true
        },
        "AutoVerifiedAttributes": [
          "email",
          "phone_number"
        ],
        "EmailVerificationMessage": "The verification code to your new account is {####}",
        "EmailVerificationSubject": "Verify your new account",
        "Policies": {
          "PasswordPolicy": {
            "MinimumLength": 8,
            "RequireNumbers": true,
            "RequireSymbols": true,
            "RequireUppercase": true
          }
        },
        "SmsConfiguration": {
          "SnsCallerArn": {
            "Fn::GetAtt": [
              "APIUserPoolSmsRoleC14F30EE",
              "Arn"
            ]
          }
        },
        "SmsVerificationMessage": "The verification code to your new account is {####}",
        "UserPoolAddOns": {
          "AdvancedSecurityMode": "ENFORCED"
        },
        "UsernameAttributes": [
          "email",
          "phone_number"
        ],
        "UsernameConfiguration": {
          "CaseSensitive": false
        },
        "VerificationMessageTemplate": {
          "DefaultEmailOption": "CONFIRM_WITH_CODE",
          "EmailMessage": "The verification code to your new account is {####}",
          "EmailSubject": "Verify your new account",
          "SmsMessage": "The verification code to your new account is {####}"
        }
      },
      "DependsOn": [
        "APIPoolSmsPolicy7FBA90AA",
        "APIUserPoolSmsRoleC14F30EE"
      ],
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/UserPool/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own, so this template does not enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIUserPoolClientF836008A": {
      "Type": "AWS::Cognito::UserPoolClient",
      "Properties": {
        "AllowedOAuthFlows": [
          "implicit",
          "code"
        ],
        "AllowedOAuthFlowsUserPoolClient": true,
        "AllowedOAuthScopes": [
          "profile",
          "phone",
          "email",
          "openid",
          "aws.cognito.signin.user.admin"
        ],
        "CallbackURLs": [
          "https://example.com"
        ],
        "ClientName": "DTHPortal",
        "PreventUserExistenceErrors": "ENABLED",
        "SupportedIdentityProviders": [
          "COGNITO"
        ],
        "UserPoolId": {
          "Ref": "DataTransferHubUserPool"
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/UserPoolClient/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIAdminUserAC21E95A": {
      "Type": "AWS::Cognito::UserPoolUser",
      "Properties": {
        "UserAttributes": [
          {
            "Name": "email",
            "Value": {
              "Ref": "AdminEmail"
            }
          }
        ],
        "UserPoolId": {
          "Ref": "DataTransferHubUserPool"
        },
        "Username": {
          "Ref": "AdminEmail"
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/AdminUser",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIUserPoolDomain18D47904": {
      "Type": "AWS::Cognito::UserPoolDomain",
      "Properties": {
        "Domain": {
          "Fn::Join": [
            "",
            [
              "dth-portal-",
              {
                "Ref": "AWS::AccountId"
              }
            ]
          ]
        },
        "UserPoolId": {
          "Ref": "DataTransferHubUserPool"
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/UserPoolDomain/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiLogRoleBA526E47": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "appsync.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiLogRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiLogPolicy50D2F23A": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow",
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APIApiLogPolicy50D2F23A",
        "Roles": [
          {
            "Ref": "APIApiLogRoleBA526E47"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiLogPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "Matches the managed policy AWSAppSyncPushToCloudWatchLogs, which allows these log actions on any resource"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint2023018D2D2AB5": {
      "Type": "AWS::AppSync::GraphQLApi",
      "Properties": {
        "AdditionalAuthenticationProviders": [
          {
            "AuthenticationType": "AWS_IAM"
          }
        ],
        "AuthenticationType": "AMAZON_COGNITO_USER_POOLS",
        "LogConfig": {
          "CloudWatchLogsRoleArn": {
            "Fn::GetAtt": [
              "APIApiLogRoleBA526E47",
              "Arn"
            ]
          },
          "FieldLogLevel": "ERROR"
        },
        "Name": {
          "Fn::Join": [
            "",
            [
              {
                "Ref": "AWS::StackName"
              },
              " - GraphQL APIs"
            ]
          ]
        },
        "UserPoolConfig": {
          "AppIdClientRegex": {
            "Ref": "APIUserPoolClientF836008A"
          },
          "AwsRegion": {
            "Ref": "AWS::Region"
          },
          "DefaultAction": "ALLOW",
          "UserPoolId": {
            "Ref": "DataTransferHubUserPool"
          }
        },
        "XrayEnabled": true
      },
      "DependsOn": [
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301Schema845E352C": {
      "Type": "AWS::AppSync::GraphQLSchema",
      "Properties": {
        "ApiId": {
          "Fn::GetAtt": [
            "APIApiEndpoint2023018D2D2AB5",
            "ApiId"
          ]
        },
        "Definition": "scalar AWSDateTime\ndirective @aws_iam on FIELD_DEFINITION | OBJECT\ndirective @aws_cognito_user_pools on FIELD_DEFINITION | OBJECT\ndirective @aws_oidc on FIELD_DEFINITION | OBJECT\ndirective @aws_subscribe on FIELD_DEFINITION\n\nschema {\n    query: Query\n    mutation: Mutation\n}\n\n\ntype Query {\n    \"\"\"\n    Get a task list.\n    \"\"\"\n    listTasksV2(progress: TaskProgress, page: Int, count: Int): ListTasksResponseV2\n\n    \"\"\"\n    Get a task object by ID.\n    \"\"\"\n    getTask(id: ID!): Task\n\n    \"\"\"\n    Get the list of Secrets names from Secret Manager\n    \"\"\"\n    listSecrets: [Secret]\n\n    \"\"\"\n    Get the list of log group by log group name\n    \"\"\"\n    listLogStreams(logGroupName: String, logStreamNamePrefix: String, page: Int, count: Int): ListLogStreamsResponse\n\n    \"\"\"\n    Get the log events by log group name and log stream name\n    \"\"\"\n    getLogEvents(limit: Int = 100, logGroupName: String, logStreamName: String, nextToken: String): GetLogEventsResponse\n    \n    \"\"\"\n    Get the log metric history data\n    \"\"\"\n    getMetricHistoryData(id: String!, graphName: GraphName!, startTime: String, endTime: String, period: Int): GetMetricHistoryDataResponse\n\n    \"\"\"\n    Get the task error message\n    \"\"\"\n    getErrorMessage(id: String!): GetErrorMessageResponse\n}\n\ntype Mutation {\n    \"\"\"\n    Start a transfer task. 
\n    This is to start a cloudformation deployment of plugins\n\n    Arguments\n    input: parameters value set to start a transfer task.\n    \"\"\"\n    createTask(input: CreateTaskInput!): Task @aws_iam @aws_cognito_user_pools @aws_oidc\n\n    \"\"\"\n    Stop a transfer task.\n    This is to delete a cloudformation deployment of plugins\n\n    Arguments\n    id: A unique ID of the task\n    \"\"\"\n    stopTask(id: String): Task @aws_iam @aws_cognito_user_pools @aws_oidc\n}\n\n\n\n\"\"\"\nSecret in Secrets Manager\n\"\"\"\ntype Secret @aws_iam @aws_cognito_user_pools @aws_oidc{\n    \"Secret Name.\"\n    name: String!\n\n    \"Secret Description\"\n    description: String\n\n}\n\n\"\"\"\nTask. A Data Transfer Hub task.\n\"\"\"\ntype Task @aws_iam @aws_cognito_user_pools @aws_oidc{\n    \"ID. Auto-generated.\"\n    id: ID!\n\n    \"Explanatory description of the task.\"\n    description: String\n\n    \"Task type\"\n    type: TaskType\n\n    \"The CloudFormation template url.\"\n    templateUrl: String\n\n    \"CloudFormation template parameters.\"\n    parameters: [ TaskParameter ]\n\n    \"Task creation time.\"\n    createdAt: AWSDateTime\n\n    \"Task stop time.\"\n    stoppedAt: AWSDateTime\n\n    \"Task progress indicator.\"\n    progress: TaskProgress\n\n    \"Task progress information.  Not used for now\"\n    progressInfo: CommonProgressInfo\n\n    \"CloudFormation Stack ID\"\n    stackId: String\n\n    \"CloudFormation Stack Name.\"\n    stackName: String\n\n    \"CloudFormation template parameters.\"\n    stackOutputs: [ StackOutputs ]\n\n    \"CloudFormation Stack status\"\n    stackStatus: String\n\n    \"CloudFormation Stack status reason. 
Normally holds error message.\"\n    stackStatusReason: String\n\n    \"StepFunctions execution ARN.\"\n    executionArn: String\n\n    \"Task schedule type.\"\n    scheduleType: ScheduleType\n}\n\n\"\"\"\nThe set of task types supported by Data Transfer Hub.\n\"\"\"\nenum TaskType {\n    S3EC2\n    ECR\n}\n\n\"\"\"\nTask progress indicator.\n\"\"\"\nenum TaskProgress {\n    \"The task has been started. The underlying infrastructure is provisioning.\"\n    STARTING\n\n    \"The task is stopping. The underlying infrastructure is being destroyed.\"\n    STOPPING\n\n    \"Error occurs.\"\n    ERROR\n\n    \"Task in progress.\"\n    IN_PROGRESS\n\n    \"Done. This is used for one-time replication task ONLY.\"\n    DONE\n\n    \"Task stopped. The underlying infrastructure has been destroyed.\"\n    STOPPED\n}\n\n\"\"\"\nCloudWatch graph name.\n\"\"\"\nenum GraphName {\n    \"Network Graph\"\n    Network\n\n    \"Transferred data and failed data graph\"\n    TransferredFailedObjects\n\n    \"Running job and waiting job graph\"\n    RunningWaitingJobHistory\n\n    \"Desired and in-service instance graph\"\n    DesiredInServiceInstances\n}\n\n\"\"\"\nTask Error Code.\n\"\"\"\nenum TaskErrorCode {\n    \"Error in cloudformation stack deployment or deletion\"\n    CFN_ERROR\n    \n    \"Error in check the finder job status\"\n    FINDER_ERROR\n\n    \"Error in check the complete check\"\n    COMPLETE_CHECK_ERROR\n\n    UN_KNOWN\n}\n\n\"\"\"\nTask Schedule.\n\"\"\"\nenum ScheduleType {\n    ONE_TIME\n\n    FIXED_RATE\n}\n\ntype CommonProgressInfo @aws_iam @aws_cognito_user_pools @aws_oidc{\n    \"Total number of records. 
In S3 task, it is the total number of objects.\"\n    total: Int\n\n    \"Number of records being replicated.\"\n    replicated: Int\n}\n\n\ntype StackOutputs {\n    Description: String\n    OutputKey: String\n    OutputValue: String\n}\n\ntype TaskParameter {\n    ParameterKey: String\n    ParameterValue: String\n}\n\ntype ListTasksResponseV2 {\n    items: [Task],\n    total: Int\n}\n\ntype LogStream {\n    logStreamName: String\n    creationTime: String\n    firstEventTimestamp: String\n    lastEventTimestamp: String\n    lastIngestionTime: String\n    uploadSequenceToken: String\n    arn: String\n    storedBytes: Int\n}\n\ntype ListLogStreamsResponse {\n    logStreams: [LogStream],\n    total: Int\n}\n\ntype LogEvent {\n    timestamp: String\n    message: String\n    ingestionTime: String\n}\n\ntype GetLogEventsResponse {\n    logEvents: [LogEvent],\n    nextForwardToken: String,\n    nextBackwardToken: String\n}\n\ntype DataSerie {\n    name: String,\n    data: [Float]\n}\n\ntype GraphXaxis {\n    categories: [Float]\n}\n\ntype GetMetricHistoryDataResponse {\n    series: [DataSerie],\n    xaxis: GraphXaxis\n}\n\ntype GetErrorMessageResponse {\n    errMessage: String,\n    errCode: TaskErrorCode\n}\n\ninput TaskParameterInput {\n    ParameterKey: String\n    ParameterValue: String\n}\n\ninput CreateTaskInput {\n    type: TaskType!\n    description: String\n    scheduleType: ScheduleType!\n    parameters: [ TaskParameterInput ]\n}\n"
      },
      "DependsOn": [
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/Schema",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301TaskTableDSServiceRole7B3B7137": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "appsync.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "DependsOn": [
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/TaskTableDS/ServiceRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301TaskTableDSServiceRoleDefaultPolicyEBB7374B": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APITaskTable658DE9FE",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APITaskTable658DE9FE",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APIApiEndpoint202301TaskTableDSServiceRoleDefaultPolicyEBB7374B",
        "Roles": [
          {
            "Ref": "APIApiEndpoint202301TaskTableDSServiceRole7B3B7137"
          }
        ]
      },
      "DependsOn": [
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/TaskTableDS/ServiceRole/DefaultPolicy/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301TaskTableDSC39953AA": {
      "Type": "AWS::AppSync::DataSource",
      "Properties": {
        "ApiId": {
          "Fn::GetAtt": [
            "APIApiEndpoint2023018D2D2AB5",
            "ApiId"
          ]
        },
        "DynamoDBConfig": {
          "AwsRegion": {
            "Ref": "AWS::Region"
          },
          "TableName": {
            "Ref": "APITaskTable658DE9FE"
          }
        },
        "Name": "TaskTableDS",
        "ServiceRoleArn": {
          "Fn::GetAtt": [
            "APIApiEndpoint202301TaskTableDSServiceRole7B3B7137",
            "Arn"
          ]
        },
        "Type": "AMAZON_DYNAMODB"
      },
      "DependsOn": [
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/TaskTableDS/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301QueryGetTaskResolver19BBC982": {
      "Type": "AWS::AppSync::Resolver",
      "Properties": {
        "ApiId": {
          "Fn::GetAtt": [
            "APIApiEndpoint2023018D2D2AB5",
            "ApiId"
          ]
        },
        "DataSourceName": "TaskTableDS",
        "FieldName": "getTask",
        "Kind": "UNIT",
        "RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"GetItem\", \"consistentRead\": false, \"key\": {\"id\": $util.dynamodb.toDynamoDBJson($ctx.args.id)}}",
        "ResponseMappingTemplate": "#set($ctx.result.description = $util.urlEncode($ctx.result.description))\n\n#foreach( $param in $ctx.result.parameters )\n    #if( $param.ParameterKey == \"srcPrefix\" || $param.ParameterKey == \"destPrefix\" )\n    \t#set($param.ParameterValue = $util.urlEncode($param.ParameterValue))\n    #end\n#end\n\n$util.toJson($ctx.result)",
        "TypeName": "Query"
      },
      "DependsOn": [
        "APIApiEndpoint202301Schema845E352C",
        "APIApiEndpoint202301TaskTableDSC39953AA",
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/QueryGetTaskResolver/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301TaskLambdaDSServiceRole21796EA6": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "appsync.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "DependsOn": [
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/TaskLambdaDS/ServiceRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301TaskLambdaDSServiceRoleDefaultPolicy5D7F3490": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APITaskHandlerFnE5AB3CEB",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APITaskHandlerFnE5AB3CEB",
                          "Arn"
                        ]
                      },
                      ":*"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APIApiEndpoint202301TaskLambdaDSServiceRoleDefaultPolicy5D7F3490",
        "Roles": [
          {
            "Ref": "APIApiEndpoint202301TaskLambdaDSServiceRole21796EA6"
          }
        ]
      },
      "DependsOn": [
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/TaskLambdaDS/ServiceRole/DefaultPolicy/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301TaskLambdaDS627798BB": {
      "Type": "AWS::AppSync::DataSource",
      "Properties": {
        "ApiId": {
          "Fn::GetAtt": [
            "APIApiEndpoint2023018D2D2AB5",
            "ApiId"
          ]
        },
        "Description": "Lambda Resolver Datasource",
        "LambdaConfig": {
          "LambdaFunctionArn": {
            "Fn::GetAtt": [
              "APITaskHandlerFnE5AB3CEB",
              "Arn"
            ]
          }
        },
        "Name": "TaskLambdaDS",
        "ServiceRoleArn": {
          "Fn::GetAtt": [
            "APIApiEndpoint202301TaskLambdaDSServiceRole21796EA6",
            "Arn"
          ]
        },
        "Type": "AWS_LAMBDA"
      },
      "DependsOn": [
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/TaskLambdaDS/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301MutationCreateTaskResolver69598EF3": {
      "Type": "AWS::AppSync::Resolver",
      "Properties": {
        "ApiId": {
          "Fn::GetAtt": [
            "APIApiEndpoint2023018D2D2AB5",
            "ApiId"
          ]
        },
        "DataSourceName": "TaskLambdaDS",
        "FieldName": "createTask",
        "Kind": "UNIT",
        "RequestMappingTemplate": "#set($ctx.args.input.description = $util.urlDecode($ctx.args.input.description))\n#if( $ctx.args.input.description.length() > 250)\n    $util.error(\"Value for description field cannot exceed 250 characters.\")\n#end\n\n#foreach( $param in $ctx.args.input.parameters )\n    #if( $param.ParameterKey == \"srcBucket\" || $param.ParameterKey == \"destBucket\" )\n        $util.validate($util.matches(\"^(?!(^((\\d{1,3}[.]){3}\\d{1,3}$)|.*\\.\\.|.*\\.-|.*-\\.|.*\\._|.*_\\.))[a-z\\d][\\w.-]{1,253}[a-z\\d]$\", $param.ParameterValue), \"Invalid Bucket Name\")\n    #elseif( $param.ParameterKey == \"srcPrefix\" || $param.ParameterKey == \"destPrefix\" )\n    \t#set($param.ParameterValue = $util.urlDecode($param.ParameterValue))\n        $util.validate($util.matches(\"^.{0,1024}$\", $param.ParameterValue), \"Invalid Prefix\")\n    #elseif( $param.ParameterKey == \"srcAccountId\" || $param.ParameterKey == \"destAccountId\" )\n        $util.validate($util.matches(\"^\\d{12}$\", $util.defaultIfNullOrEmpty($param.ParameterValue, '123456789012')), \"Invalid Account ID\")\n    #elseif( $param.ParameterKey == \"srcCredential\" || $param.ParameterKey == \"destCredential\" )\n        $util.validate($util.matches(\"^[\\w/+=.@-]{0,1024}$\", $param.ParameterValue), \"Invalid Credential\")\n\t#elseif ($param.ParameterKey == \"srcRegion\" || $param.ParameterKey == \"destRegion\" )\n    \t$util.validate($util.matches(\"^(?!(.*--))(?!(.*-$))[a-z0-9]([a-z0-9-]){0,62}$\", $util.defaultIfNullOrEmpty($param.ParameterValue,'us-west-2')), \"Invalid Region Name\")\n    #elseif ($param.ParameterKey == \"ecsClusterName\" )\n    \t$util.validate($util.matches(\"[a-zA-Z0-9-]{1,1024}\", $param.ParameterValue), \"Invalid ECS Cluster Name\")\n    #end\n#end\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
        "ResponseMappingTemplate": "$util.toJson($ctx.result)",
        "TypeName": "Mutation"
      },
      "DependsOn": [
        "APIApiEndpoint202301Schema845E352C",
        "APIApiEndpoint202301TaskLambdaDS627798BB",
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/MutationCreateTaskResolver/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301MutationStopTaskResolverBBA7A6AA": {
      "Type": "AWS::AppSync::Resolver",
      "Properties": {
        "ApiId": {
          "Fn::GetAtt": [
            "APIApiEndpoint2023018D2D2AB5",
            "ApiId"
          ]
        },
        "DataSourceName": "TaskLambdaDS",
        "FieldName": "stopTask",
        "Kind": "UNIT",
        "RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
        "ResponseMappingTemplate": "$util.toJson($ctx.result)",
        "TypeName": "Mutation"
      },
      "DependsOn": [
        "APIApiEndpoint202301Schema845E352C",
        "APIApiEndpoint202301TaskLambdaDS627798BB",
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/MutationStopTaskResolver/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301secretManagerLambdaDSServiceRoleD5A249C8": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "appsync.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "DependsOn": [
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/secretManagerLambdaDS/ServiceRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301secretManagerLambdaDSServiceRoleDefaultPolicyFDCDFDC0": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APISecretManagerHandlerFnDECAB7F6",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APISecretManagerHandlerFnDECAB7F6",
                          "Arn"
                        ]
                      },
                      ":*"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APIApiEndpoint202301secretManagerLambdaDSServiceRoleDefaultPolicyFDCDFDC0",
        "Roles": [
          {
            "Ref": "APIApiEndpoint202301secretManagerLambdaDSServiceRoleD5A249C8"
          }
        ]
      },
      "DependsOn": [
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/secretManagerLambdaDS/ServiceRole/DefaultPolicy/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301secretManagerLambdaDS0D6A021A": {
      "Type": "AWS::AppSync::DataSource",
      "Properties": {
        "ApiId": {
          "Fn::GetAtt": [
            "APIApiEndpoint2023018D2D2AB5",
            "ApiId"
          ]
        },
        "Description": "Lambda Resolver Datasource for Secret Manager",
        "LambdaConfig": {
          "LambdaFunctionArn": {
            "Fn::GetAtt": [
              "APISecretManagerHandlerFnDECAB7F6",
              "Arn"
            ]
          }
        },
        "Name": "secretManagerLambdaDS",
        "ServiceRoleArn": {
          "Fn::GetAtt": [
            "APIApiEndpoint202301secretManagerLambdaDSServiceRoleD5A249C8",
            "Arn"
          ]
        },
        "Type": "AWS_LAMBDA"
      },
      "DependsOn": [
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/secretManagerLambdaDS/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301QueryListSecretsResolverEE540E64": {
      "Type": "AWS::AppSync::Resolver",
      "Properties": {
        "ApiId": {
          "Fn::GetAtt": [
            "APIApiEndpoint2023018D2D2AB5",
            "ApiId"
          ]
        },
        "DataSourceName": "secretManagerLambdaDS",
        "FieldName": "listSecrets",
        "Kind": "UNIT",
        "RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
        "ResponseMappingTemplate": "$util.toJson($ctx.result)",
        "TypeName": "Query"
      },
      "DependsOn": [
        "APIApiEndpoint202301Schema845E352C",
        "APIApiEndpoint202301secretManagerLambdaDS0D6A021A",
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/QueryListSecretsResolver/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301taskLambdaDSServiceRole494ED149": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "appsync.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "DependsOn": [
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/taskLambdaDS/ServiceRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301taskLambdaDSServiceRoleDefaultPolicy095D425B": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APITaskV2HandlerFn8B121876",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APITaskV2HandlerFn8B121876",
                          "Arn"
                        ]
                      },
                      ":*"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APIApiEndpoint202301taskLambdaDSServiceRoleDefaultPolicy095D425B",
        "Roles": [
          {
            "Ref": "APIApiEndpoint202301taskLambdaDSServiceRole494ED149"
          }
        ]
      },
      "DependsOn": [
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/taskLambdaDS/ServiceRole/DefaultPolicy/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301taskLambdaDS06A90809": {
      "Type": "AWS::AppSync::DataSource",
      "Properties": {
        "ApiId": {
          "Fn::GetAtt": [
            "APIApiEndpoint2023018D2D2AB5",
            "ApiId"
          ]
        },
        "Description": "Lambda Resolver Datasource v2",
        "LambdaConfig": {
          "LambdaFunctionArn": {
            "Fn::GetAtt": [
              "APITaskV2HandlerFn8B121876",
              "Arn"
            ]
          }
        },
        "Name": "taskLambdaDS",
        "ServiceRoleArn": {
          "Fn::GetAtt": [
            "APIApiEndpoint202301taskLambdaDSServiceRole494ED149",
            "Arn"
          ]
        },
        "Type": "AWS_LAMBDA"
      },
      "DependsOn": [
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/taskLambdaDS/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301QueryListTasksV2ResolverDCEBC760": {
      "Type": "AWS::AppSync::Resolver",
      "Properties": {
        "ApiId": {
          "Fn::GetAtt": [
            "APIApiEndpoint2023018D2D2AB5",
            "ApiId"
          ]
        },
        "DataSourceName": "taskLambdaDS",
        "FieldName": "listTasksV2",
        "Kind": "UNIT",
        "RequestMappingTemplate": "{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
        "ResponseMappingTemplate": "$util.toJson($ctx.result)",
        "TypeName": "Query"
      },
      "DependsOn": [
        "APIApiEndpoint202301Schema845E352C",
        "APIApiEndpoint202301taskLambdaDS06A90809",
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/QueryListTasksV2Resolver/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301QueryGetErrorMessageResolver12D585BE": {
      "Type": "AWS::AppSync::Resolver",
      "Properties": {
        "ApiId": {
          "Fn::GetAtt": [
            "APIApiEndpoint2023018D2D2AB5",
            "ApiId"
          ]
        },
        "DataSourceName": "taskLambdaDS",
        "FieldName": "getErrorMessage",
        "Kind": "UNIT",
        "RequestMappingTemplate": "$util.validate($util.matches(\"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$\", $ctx.args.id), \"Invalid Task Id\")\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
        "ResponseMappingTemplate": "$util.toJson($ctx.result)",
        "TypeName": "Query"
      },
      "DependsOn": [
        "APIApiEndpoint202301Schema845E352C",
        "APIApiEndpoint202301taskLambdaDS06A90809",
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/QueryGetErrorMessageResolver/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301cwlMonitorLambdaDSServiceRoleBB625EE0": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "appsync.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "DependsOn": [
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/cwlMonitorLambdaDS/ServiceRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301cwlMonitorLambdaDSServiceRoleDefaultPolicy33013298": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APICWLMonitorHandlerFnB32D44EE",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APICWLMonitorHandlerFnB32D44EE",
                          "Arn"
                        ]
                      },
                      ":*"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APIApiEndpoint202301cwlMonitorLambdaDSServiceRoleDefaultPolicy33013298",
        "Roles": [
          {
            "Ref": "APIApiEndpoint202301cwlMonitorLambdaDSServiceRoleBB625EE0"
          }
        ]
      },
      "DependsOn": [
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/cwlMonitorLambdaDS/ServiceRole/DefaultPolicy/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301cwlMonitorLambdaDS4E68C937": {
      "Type": "AWS::AppSync::DataSource",
      "Properties": {
        "ApiId": {
          "Fn::GetAtt": [
            "APIApiEndpoint2023018D2D2AB5",
            "ApiId"
          ]
        },
        "Description": "Lambda Resolver Datasource v2",
        "LambdaConfig": {
          "LambdaFunctionArn": {
            "Fn::GetAtt": [
              "APICWLMonitorHandlerFnB32D44EE",
              "Arn"
            ]
          }
        },
        "Name": "cwlMonitorLambdaDS",
        "ServiceRoleArn": {
          "Fn::GetAtt": [
            "APIApiEndpoint202301cwlMonitorLambdaDSServiceRoleBB625EE0",
            "Arn"
          ]
        },
        "Type": "AWS_LAMBDA"
      },
      "DependsOn": [
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/cwlMonitorLambdaDS/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301QueryListLogStreamsResolver0C154100": {
      "Type": "AWS::AppSync::Resolver",
      "Properties": {
        "ApiId": {
          "Fn::GetAtt": [
            "APIApiEndpoint2023018D2D2AB5",
            "ApiId"
          ]
        },
        "DataSourceName": "cwlMonitorLambdaDS",
        "FieldName": "listLogStreams",
        "Kind": "UNIT",
        "RequestMappingTemplate": "#if($ctx.args.count<1 or $ctx.args.count>1000)\n    $util.error(\"Count (per page) must between 1 and 1000\")\n#end\n\n#if($ctx.args.page<1 or $ctx.args.page>1000)\n    $util.error(\"Page must between 1 and 1000\")\n#end\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
        "ResponseMappingTemplate": "$util.toJson($ctx.result)",
        "TypeName": "Query"
      },
      "DependsOn": [
        "APIApiEndpoint202301cwlMonitorLambdaDS4E68C937",
        "APIApiEndpoint202301Schema845E352C",
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/QueryListLogStreamsResolver/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301QueryGetLogEventsResolver22CEECC0": {
      "Type": "AWS::AppSync::Resolver",
      "Properties": {
        "ApiId": {
          "Fn::GetAtt": [
            "APIApiEndpoint2023018D2D2AB5",
            "ApiId"
          ]
        },
        "DataSourceName": "cwlMonitorLambdaDS",
        "FieldName": "getLogEvents",
        "Kind": "UNIT",
        "RequestMappingTemplate": "#if($ctx.args.limit<1)\n    $util.error(\"Limit must be greater than 1\")\n#end\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
        "ResponseMappingTemplate": "$util.toJson($ctx.result)",
        "TypeName": "Query"
      },
      "DependsOn": [
        "APIApiEndpoint202301cwlMonitorLambdaDS4E68C937",
        "APIApiEndpoint202301Schema845E352C",
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/QueryGetLogEventsResolver/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIApiEndpoint202301QueryGetMetricHistoryDataResolverABA3DD15": {
      "Type": "AWS::AppSync::Resolver",
      "Properties": {
        "ApiId": {
          "Fn::GetAtt": [
            "APIApiEndpoint2023018D2D2AB5",
            "ApiId"
          ]
        },
        "DataSourceName": "cwlMonitorLambdaDS",
        "FieldName": "getMetricHistoryData",
        "Kind": "UNIT",
        "RequestMappingTemplate": "#if($ctx.args.period<1)\n    $util.error(\"Period must be greater than 1\")\n#end\n\n$util.validate($util.matches(\"^\\d{10,}$\", $ctx.args.startTime), \"Invalid Start Time\")\n$util.validate($util.matches(\"^\\d{10,}$\", $ctx.args.endTime), \"Invalid End Time\")\n\n{\"version\": \"2017-02-28\", \"operation\": \"Invoke\", \"payload\": $util.toJson($ctx)}",
        "ResponseMappingTemplate": "$util.toJson($ctx.result)",
        "TypeName": "Query"
      },
      "DependsOn": [
        "APIApiEndpoint202301cwlMonitorLambdaDS4E68C937",
        "APIApiEndpoint202301Schema845E352C",
        "APIappSyncServiceLinkRoleFnTrigger535D3D40"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/ApiEndpoint202301/QueryGetMetricHistoryDataResolver/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APITaskHandlerFnServiceRole2FFB622E": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/TaskHandlerFn/ServiceRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APITaskHandlerFnServiceRoleDefaultPolicy96C1AD2F": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APITaskTable658DE9FE",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APITaskTable658DE9FE",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "states:StartExecution",
              "Effect": "Allow",
              "Resource": {
                "Ref": "APICfnWorkflowCfnDeploymentStateMachineFC154A5B"
              }
            },
            {
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow",
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APITaskHandlerFnServiceRoleDefaultPolicy96C1AD2F",
        "Roles": [
          {
            "Ref": "APITaskHandlerFnServiceRole2FFB622E"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/TaskHandlerFn/ServiceRole/DefaultPolicy/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APITaskHandlerFnE5AB3CEB": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "data-transfer-hub/v2.6.6/45daa8c5191ecc51acf3264bcd1f6a069648b8448f1b0e59663bdc22a9a3faa8.zip"
        },
        "Description": "Data Transfer Hub - API V1",
        "Environment": {
          "Variables": {
            "STATE_MACHINE_ARN": {
              "Ref": "APICfnWorkflowCfnDeploymentStateMachineFC154A5B"
            },
            "TRANSFER_TASK_TABLE": {
              "Ref": "APITaskTable658DE9FE"
            },
            "PLUGIN_TEMPLATE_S3EC2": "https://solutions-reference.s3.amazonaws.com/data-transfer-hub/v2.6.6/DataTransferS3Stack.template",
            "PLUGIN_TEMPLATE_ECR": "https://solutions-reference.s3.amazonaws.com/data-transfer-hub/v2.6.6/DataTransferECRStack.template",
            "DRY_RUN": "False"
          }
        },
        "Handler": "api_task_v2.lambda_handler",
        "MemorySize": 512,
        "Role": {
          "Fn::GetAtt": [
            "APITaskHandlerFnServiceRole2FFB622E",
            "Arn"
          ]
        },
        "Runtime": "python3.9",
        "Timeout": 60
      },
      "DependsOn": [
        "APITaskHandlerFnServiceRoleDefaultPolicy96C1AD2F",
        "APITaskHandlerFnServiceRole2FFB622E"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/TaskHandlerFn/Resource",
        "aws:asset:path": "asset.45daa8c5191ecc51acf3264bcd1f6a069648b8448f1b0e59663bdc22a9a3faa8",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "Lambda function already has permission to write CloudWatch Logs"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APISecretManagerHandlerFnServiceRole4E7690CB": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/SecretManagerHandlerFn/ServiceRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customer can enable MFA by their own, we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APISecretManagerHandlerFnDECAB7F6": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "data-transfer-hub/v2.6.6/787f358962b46c78fc03fd43983d4181c2e2caa2cf5efaa2e455c320ce8687b2.zip"
        },
        "Description": "Data Transfer Hub - Secrets Manager API",
        "Handler": "api_sm_param.lambda_handler",
        "MemorySize": 128,
        "Role": {
          "Fn::GetAtt": [
            "APISecretManagerHandlerFnServiceRole4E7690CB",
            "Arn"
          ]
        },
        "Runtime": "python3.9",
        "Timeout": 60
      },
      "DependsOn": [
        "APISecretManagerHandlerFnServiceRole4E7690CB"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/SecretManagerHandlerFn/Resource",
        "aws:asset:path": "asset.787f358962b46c78fc03fd43983d4181c2e2caa2cf5efaa2e455c320ce8687b2",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "Lambda function already has permission to write CloudWatch Logs"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APIsecretManagerReadOnlyPolicyC8A33065": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "secretsmanager:ListSecrets",
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow",
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APIsecretManagerReadOnlyPolicyC8A33065",
        "Roles": [
          {
            "Ref": "APISecretManagerHandlerFnServiceRole4E7690CB"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/secretManagerReadOnlyPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "Need to be able to list all secrets in Secrets Manager"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APITaskV2HandlerFnServiceRoleAD95CD94": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/TaskV2HandlerFn/ServiceRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APITaskV2HandlerFnServiceRoleDefaultPolicyD609D8F8": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:",
                    {
                      "Ref": "AWS::Partition"
                    },
                    ":cloudformation:",
                    {
                      "Ref": "AWS::Region"
                    },
                    ":",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":stack/DTH*"
                  ]
                ]
              }
            },
            {
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APITaskTable658DE9FE",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APITaskTable658DE9FE",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APITaskV2HandlerFnServiceRoleDefaultPolicyD609D8F8",
        "Roles": [
          {
            "Ref": "APITaskV2HandlerFnServiceRoleAD95CD94"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/TaskV2HandlerFn/ServiceRole/DefaultPolicy/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APITaskV2HandlerFn8B121876": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "data-transfer-hub/v2.6.6/45daa8c5191ecc51acf3264bcd1f6a069648b8448f1b0e59663bdc22a9a3faa8.zip"
        },
        "Description": "Data Transfer Hub - Task Handler API V2",
        "Environment": {
          "Variables": {
            "TRANSFER_TASK_TABLE": {
              "Ref": "APITaskTable658DE9FE"
            }
          }
        },
        "Handler": "api_task_v2.lambda_handler",
        "MemorySize": 128,
        "Role": {
          "Fn::GetAtt": [
            "APITaskV2HandlerFnServiceRoleAD95CD94",
            "Arn"
          ]
        },
        "Runtime": "python3.9",
        "Timeout": 60
      },
      "DependsOn": [
        "APITaskV2HandlerFnServiceRoleDefaultPolicyD609D8F8",
        "APITaskV2HandlerFnServiceRoleAD95CD94"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/TaskV2HandlerFn/Resource",
        "aws:asset:path": "asset.45daa8c5191ecc51acf3264bcd1f6a069648b8448f1b0e59663bdc22a9a3faa8",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "Lambda function already has permission to write CloudWatch Logs"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APICWLMonitorHandlerFnServiceRole4BC2E157": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/CWLMonitorHandlerFn/ServiceRole/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APICWLMonitorHandlerFnServiceRoleDefaultPolicy8F69DD43": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "APITaskTable658DE9FE",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "APITaskTable658DE9FE",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "logs:GetLogDelivery",
                "logs:ListLogDeliveries",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "cloudwatch:GetMetricStatistics",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow",
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "APICWLMonitorHandlerFnServiceRoleDefaultPolicy8F69DD43",
        "Roles": [
          {
            "Ref": "APICWLMonitorHandlerFnServiceRole4BC2E157"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/CWLMonitorHandlerFn/ServiceRole/DefaultPolicy/Resource",
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "APICWLMonitorHandlerFnB32D44EE": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "data-transfer-hub/v2.6.6/f6f8b8ad6742407b86f63fed9df2021e63964e1d0fddc14ceb0d408d44ed4040.zip"
        },
        "Description": "Data Transfer Hub - CloudWatch Monitoring Handler",
        "Environment": {
          "Variables": {
            "TRANSFER_TASK_TABLE": {
              "Ref": "APITaskTable658DE9FE"
            }
          }
        },
        "Handler": "lambda_function.lambda_handler",
        "MemorySize": 128,
        "Role": {
          "Fn::GetAtt": [
            "APICWLMonitorHandlerFnServiceRole4BC2E157",
            "Arn"
          ]
        },
        "Runtime": "python3.9",
        "Timeout": 60
      },
      "DependsOn": [
        "APICWLMonitorHandlerFnServiceRoleDefaultPolicy8F69DD43",
        "APICWLMonitorHandlerFnServiceRole4BC2E157"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/API/CWLMonitorHandlerFn/Resource",
        "aws:asset:path": "asset.f6f8b8ad6742407b86f63fed9df2021e63964e1d0fddc14ceb0d408d44ed4040",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "Lambda function already has permission to write CloudWatch Logs"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "customers can enable MFA on their own; we do not need to enable it",
              "id": "AwsSolutions-COG2"
            }
          ]
        }
      }
    },
    "PortalResponseHeadersPolicy1EA4E542": {
      "Type": "AWS::CloudFront::ResponseHeadersPolicy",
      "Properties": {
        "ResponseHeadersPolicyConfig": {
          "Comment": "Security Headers Policy",
          "Name": {
            "Fn::Join": [
              "",
              [
                "SecHdr",
                {
                  "Ref": "AWS::Region"
                },
                {
                  "Ref": "AWS::StackName"
                }
              ]
            ]
          },
          "SecurityHeadersConfig": {
            "ContentSecurityPolicy": {
              "ContentSecurityPolicy": {
                "Fn::Join": [
                  "",
                  [
                    "default-src 'self'; upgrade-insecure-requests; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' ",
                    {
                      "Fn::GetAtt": [
                        "APIApiEndpoint2023018D2D2AB5",
                        "GraphQLUrl"
                      ]
                    },
                    " https://cognito-idp.",
                    {
                      "Ref": "AWS::Region"
                    },
                    ".amazonaws.com/"
                  ]
                ]
              },
              "Override": true
            },
            "ContentTypeOptions": {
              "Override": true
            },
            "FrameOptions": {
              "FrameOption": "DENY",
              "Override": true
            },
            "ReferrerPolicy": {
              "Override": true,
              "ReferrerPolicy": "no-referrer"
            },
            "StrictTransportSecurity": {
              "AccessControlMaxAgeSec": 600,
              "IncludeSubdomains": true,
              "Override": true
            },
            "XSSProtection": {
              "ModeBlock": true,
              "Override": true,
              "Protection": true
            }
          }
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/Portal/ResponseHeadersPolicy/Resource"
      }
    },
    "PortalWebS3LoggingBucket0955B8B2": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "AES256"
              }
            }
          ]
        },
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "BlockPublicPolicy": true,
          "IgnorePublicAcls": true,
          "RestrictPublicBuckets": true
        },
        "VersioningConfiguration": {
          "Status": "Enabled"
        }
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/Portal/Web/S3LoggingBucket/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W35",
              "reason": "This S3 bucket is used as the access logging bucket for another bucket"
            }
          ]
        }
      }
    },
    "PortalWebS3LoggingBucketPolicyFA081916": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "PortalWebS3LoggingBucket0955B8B2"
        },
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "s3:*",
              "Condition": {
                "Bool": {
                  "aws:SecureTransport": "false"
                }
              },
              "Effect": "Deny",
              "Principal": {
                "AWS": "*"
              },
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "PortalWebS3LoggingBucket0955B8B2",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "PortalWebS3LoggingBucket0955B8B2",
                          "Arn"
                        ]
                      },
                      "/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "s3:PutObject",
              "Condition": {
                "ArnLike": {
                  "aws:SourceArn": {
                    "Fn::GetAtt": [
                      "PortalWebS3Bucket93628CD2",
                      "Arn"
                    ]
                  }
                },
                "StringEquals": {
                  "aws:SourceAccount": {
                    "Ref": "AWS::AccountId"
                  }
                }
              },
              "Effect": "Allow",
              "Principal": {
                "Service": "logging.s3.amazonaws.com"
              },
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    {
                      "Fn::GetAtt": [
                        "PortalWebS3LoggingBucket0955B8B2",
                        "Arn"
                      ]
                    },
                    "/*"
                  ]
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/Portal/Web/S3LoggingBucket/Policy/Resource"
      }
    },
    "PortalWebS3Bucket93628CD2": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "AccessControl": "Private",
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "AES256"
              }
            }
          ]
        },
        "LifecycleConfiguration": {
          "Rules": [
            {
              "NoncurrentVersionTransitions": [
                {
                  "StorageClass": "GLACIER",
                  "TransitionInDays": 90
                }
              ],
              "Status": "Enabled"
            }
          ]
        },
        "LoggingConfiguration": {
          "DestinationBucketName": {
            "Ref": "PortalWebS3LoggingBucket0955B8B2"
          }
        },
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "BlockPublicPolicy": true,
          "IgnorePublicAcls": true,
          "RestrictPublicBuckets": true
        },
        "Tags": [
          {
            "Key": "aws-cdk:cr-owned:dc32bf6f",
            "Value": "true"
          }
        ],
        "VersioningConfiguration": {
          "Status": "Enabled"
        }
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/Portal/Web/S3Bucket/Resource"
      }
    },
    "PortalWebS3BucketPolicy9555B982": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "PortalWebS3Bucket93628CD2"
        },
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "s3:*",
              "Condition": {
                "Bool": {
                  "aws:SecureTransport": "false"
                }
              },
              "Effect": "Deny",
              "Principal": {
                "AWS": "*"
              },
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "PortalWebS3Bucket93628CD2",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "PortalWebS3Bucket93628CD2",
                          "Arn"
                        ]
                      },
                      "/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "s3:GetObject",
              "Effect": "Allow",
              "Principal": {
                "CanonicalUser": {
                  "Fn::GetAtt": [
                    "PortalWebCloudFrontDistributionOrigin1S3Origin8C13B5F0",
                    "S3CanonicalUserId"
                  ]
                }
              },
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    {
                      "Fn::GetAtt": [
                        "PortalWebS3Bucket93628CD2",
                        "Arn"
                      ]
                    },
                    "/*"
                  ]
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/Portal/Web/S3Bucket/Policy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
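            {
              "id": "F16",
              "reason": "Website bucket policy uses a wildcard principal only in the Deny statement that rejects non-TLS requests; s3:GetObject is allowed only for the CloudFront origin access identity"
            }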
          ]
        }
      }
    },
    "PortalWebCloudfrontLoggingBucket6561051E": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "AccessControl": "LogDeliveryWrite",
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "AES256"
              }
            }
          ]
        },
        "OwnershipControls": {
          "Rules": [
            {
              "ObjectOwnership": "ObjectWriter"
            }
          ]
        },
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "BlockPublicPolicy": true,
          "IgnorePublicAcls": true,
          "RestrictPublicBuckets": true
        },
        "VersioningConfiguration": {
          "Status": "Enabled"
        }
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/Portal/Web/CloudfrontLoggingBucket/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W35",
              "reason": "This S3 bucket is used as the access logging bucket for CloudFront Distribution"
            }
          ]
        }
      }
    },
    "PortalWebCloudfrontLoggingBucketPolicy07A1704A": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "PortalWebCloudfrontLoggingBucket6561051E"
        },
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "s3:*",
              "Condition": {
                "Bool": {
                  "aws:SecureTransport": "false"
                }
              },
              "Effect": "Deny",
              "Principal": {
                "AWS": "*"
              },
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "PortalWebCloudfrontLoggingBucket6561051E",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "PortalWebCloudfrontLoggingBucket6561051E",
                          "Arn"
                        ]
                      },
                      "/*"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/Portal/Web/CloudfrontLoggingBucket/Policy/Resource"
      }
    },
    "PortalWebCloudFrontDistributionOrigin1S3Origin8C13B5F0": {
      "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
      "Properties": {
        "CloudFrontOriginAccessIdentityConfig": {
          "Comment": "Identity for DataTransferHubcognitoPortalWebCloudFrontDistributionOrigin198971CA5"
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/Portal/Web/CloudFrontDistribution/Origin1/S3Origin/Resource"
      }
    },
    "PortalWebCloudFrontDistribution3C837830": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Comment": {
            "Fn::Join": [
              "",
              [
                "Data Transfer Hub Portal Distribution (",
                {
                  "Ref": "AWS::Region"
                },
                ")"
              ]
            ]
          },
          "CustomErrorResponses": [
            {
              "ErrorCode": 403,
              "ResponseCode": 200,
              "ResponsePagePath": "/index.html"
            }
          ],
          "DefaultCacheBehavior": {
            "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
            "Compress": true,
            "FunctionAssociations": [
              {
                "EventType": "viewer-response",
                "FunctionARN": {
                  "Fn::GetAtt": [
                    "PortalDataTransferHubSecurityHeader12BA3780",
                    "FunctionARN"
                  ]
                }
              }
            ],
            "ResponseHeadersPolicyId": {
              "Ref": "PortalResponseHeadersPolicy1EA4E542"
            },
            "TargetOriginId": "DataTransferHubcognitoPortalWebCloudFrontDistributionOrigin198971CA5",
            "ViewerProtocolPolicy": "redirect-to-https"
          },
          "DefaultRootObject": "index.html",
          "Enabled": true,
          "HttpVersion": "http2",
          "IPV6Enabled": false,
          "Logging": {
            "Bucket": {
              "Fn::GetAtt": [
                "PortalWebCloudfrontLoggingBucket6561051E",
                "RegionalDomainName"
              ]
            }
          },
          "Origins": [
            {
              "DomainName": {
                "Fn::GetAtt": [
                  "PortalWebS3Bucket93628CD2",
                  "RegionalDomainName"
                ]
              },
              "Id": "DataTransferHubcognitoPortalWebCloudFrontDistributionOrigin198971CA5",
              "S3OriginConfig": {
                "OriginAccessIdentity": {
                  "Fn::Join": [
                    "",
                    [
                      "origin-access-identity/cloudfront/",
                      {
                        "Ref": "PortalWebCloudFrontDistributionOrigin1S3Origin8C13B5F0"
                      }
                    ]
                  ]
                }
              }
            }
          ],
          "PriceClass": "PriceClass_All"
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/Portal/Web/CloudFrontDistribution/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W70",
              "reason": "Since the distribution uses the CloudFront domain name, CloudFront automatically sets the security policy to TLSv1 regardless of the value of MinimumProtocolVersion"
            }
          ]
        },
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "reason": "Use case does not warrant CloudFront Geo restriction",
              "id": "AwsSolutions-CFR1"
            },
            {
              "reason": "Use case does not warrant CloudFront integration with AWS WAF",
              "id": "AwsSolutions-CFR2"
            },
            {
              "reason": "CloudFront automatically sets the security policy to TLSv1 when the distribution uses the CloudFront domain name",
              "id": "AwsSolutions-CFR4"
            }
          ]
        }
      }
    },
    "PortalDataTransferHubSecurityHeader12BA3780": {
      "Type": "AWS::CloudFront::Function",
      "Properties": {
        "AutoPublish": true,
        "FunctionCode": {
          "Fn::Join": [
            "",
            [
              "\nfunction handler(event) {\n    var response = event.response;\n    var headers = response.headers;\n    headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload' };\n    headers['content-security-policy'] = { value: \"default-src 'self'; upgrade-insecure-requests; frame-ancestors 'none'; frame-src 'none'; object-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' ",
              {
                "Fn::GetAtt": [
                  "APIApiEndpoint2023018D2D2AB5",
                  "GraphQLUrl"
                ]
              },
              " https://cognito-idp.",
              {
                "Ref": "AWS::Region"
              },
              ".amazonaws.com/\" };\n    headers['x-content-type-options'] = { value: 'nosniff' };\n    headers['x-frame-options'] = { value: 'DENY' };\n    headers['x-xss-protection'] = { value: '1; mode=block' };\n\n    // Set the cache-control header\n    headers['cache-control'] = { value: 'public, max-age=604800;' };\n    return response;\n}"
            ]
          ]
        },
        "FunctionConfig": {
          "Comment": {
            "Fn::Join": [
              "",
              [
                "DTHSecHdr",
                {
                  "Ref": "AWS::Region"
                },
                {
                  "Ref": "AWS::StackName"
                }
              ]
            ]
          },
          "Runtime": "cloudfront-js-1.0"
        },
        "Name": {
          "Fn::Join": [
            "",
            [
              "DTHSecHdr",
              {
                "Ref": "AWS::Region"
              },
              {
                "Ref": "AWS::StackName"
              }
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/Portal/DataTransferHubSecurityHeader/Resource"
      }
    },
    "CustomResourceRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "Path": "/"
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/Portal/CustomResourceRole/Resource"
      }
    },
    "CustomResourcePolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "logs:CreateLogStream",
                "logs:CreateLogGroup",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:",
                    {
                      "Ref": "AWS::Partition"
                    },
                    ":logs:",
                    {
                      "Ref": "AWS::Region"
                    },
                    ":",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":log-group:/aws/lambda/*"
                  ]
                ]
              }
            },
            {
              "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:",
                    {
                      "Ref": "AWS::Partition"
                    },
                    ":s3:::*"
                  ]
                ]
              }
            },
            {
              "Action": [
                "cloudfront:GetInvalidation",
                "cloudfront:CreateInvalidation"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:",
                    {
                      "Ref": "AWS::Partition"
                    },
                    ":cloudfront::",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":distribution/",
                    {
                      "Ref": "PortalWebCloudFrontDistribution3C837830"
                    }
                  ]
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": {
          "Fn::Join": [
            "",
            [
              {
                "Ref": "AWS::StackName"
              },
              "CustomResourcePolicy"
            ]
          ]
        },
        "Roles": [
          {
            "Ref": "CustomResourceRole"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/Portal/CustomResourcePolicy/Resource"
      }
    },
    "PortalDeployWebsiteAwsCliLayer82C5B798": {
      "Type": "AWS::Lambda::LayerVersion",
      "Properties": {
        "Content": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "data-transfer-hub/v2.6.6/3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip"
        },
        "Description": "/opt/awscli/aws"
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/Portal/DeployWebsite/AwsCliLayer/Resource",
        "aws:asset:path": "asset.3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Content"
      }
    },
    "PortalDeployWebsiteCustomResource0C413B06": {
      "Type": "Custom::CDKBucketDeployment",
      "Properties": {
        "ServiceToken": {
          "Fn::GetAtt": [
            "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536",
            "Arn"
          ]
        },
        "SourceBucketNames": [
          {
            "Fn::Sub": "solutions-${AWS::Region}"
          }
        ],
        "SourceObjectKeys": [
          "data-transfer-hub/v2.6.6/71e52e5d6e20bdf544496ede3563e6d8de136da49746e033a24abba0aa1db3b0.zip"
        ],
        "DestinationBucketName": {
          "Ref": "PortalWebS3Bucket93628CD2"
        },
        "Prune": false
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/Portal/DeployWebsite/CustomResource/Default"
      }
    },
    "PortalCustomHandler77BD3212": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "data-transfer-hub/v2.6.6/fbab5d805e19c1d4b0316206a45ac61a82909503638f9496f56aee6a140ff368.zip"
        },
        "Description": {
          "Fn::Join": [
            "",
            [
              {
                "Ref": "AWS::StackName"
              },
              " - Custom resource"
            ]
          ]
        },
        "Environment": {
          "Variables": {
            "WEB_BUCKET_NAME": {
              "Ref": "PortalWebS3Bucket93628CD2"
            },
            "SRC_PREFIX_LIST_BUCKET_NAME": {
              "Ref": "PortalWebS3LoggingBucket0955B8B2"
            },
            "API_ENDPOINT": {
              "Fn::GetAtt": [
                "APIApiEndpoint2023018D2D2AB5",
                "GraphQLUrl"
              ]
            },
            "OIDC_PROVIDER": "",
            "OIDC_CLIENT_ID": "",
            "OIDC_CUSTOMER_DOMAIN": "",
            "CLOUDFRONT_URL": {
              "Fn::GetAtt": [
                "PortalWebCloudFrontDistribution3C837830",
                "DomainName"
              ]
            },
            "CLOUDFRONT_DISTRIBUTION_ID": {
              "Ref": "PortalWebCloudFrontDistribution3C837830"
            },
            "AUTHENTICATION_TYPE": "AMAZON_COGNITO_USER_POOLS",
            "USER_POOL_ID": {
              "Ref": "DataTransferHubUserPool"
            },
            "USER_POOL_CLIENT_ID": {
              "Ref": "APIUserPoolClientF836008A"
            },
            "SOLUTION_VERSION": "v2.6.6",
            "ECS_VPC_ID": {
              "Ref": "TaskClusterTaskVPCE5385B4D"
            },
            "ECS_CLUSTER_NAME": {
              "Ref": "TaskCluster"
            },
            "ECS_SUBNETS": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "TaskClusterTaskVPCpublicSubnet1SubnetB3F44AEF"
                  },
                  ",",
                  {
                    "Ref": "TaskClusterTaskVPCpublicSubnet2Subnet9FB6145A"
                  }
                ]
              ]
            }
          }
        },
        "Handler": "lambda_function.lambda_handler",
        "MemorySize": 512,
        "Role": {
          "Fn::GetAtt": [
            "CustomResourceRole",
            "Arn"
          ]
        },
        "Runtime": "python3.9",
        "Timeout": 30
      },
      "DependsOn": [
        "CustomResourceRole"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/Portal/CustomHandler/Resource",
        "aws:asset:path": "asset.fbab5d805e19c1d4b0316206a45ac61a82909503638f9496f56aee6a140ff368",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "Lambda function already has permission to write CloudWatch Logs"
            }
          ]
        }
      }
    },
    "PortalCustomResourceConfig812281B1": {
      "Type": "Custom::AWS",
      "Properties": {
        "ServiceToken": {
          "Fn::GetAtt": [
            "AWS679f53fac002430cb0da5b7982bd22872D164C4C",
            "Arn"
          ]
        },
        "Create": {
          "Fn::Join": [
            "",
            [
              "{\"service\":\"Lambda\",\"action\":\"invoke\",\"parameters\":{\"FunctionName\":\"",
              {
                "Ref": "PortalCustomHandler77BD3212"
              },
              "\",\"InvocationType\":\"Event\"},\"physicalResourceId\":{\"id\":\"1732300497796\"}}"
            ]
          ]
        },
        "Update": {
          "Fn::Join": [
            "",
            [
              "{\"service\":\"Lambda\",\"action\":\"invoke\",\"parameters\":{\"FunctionName\":\"",
              {
                "Ref": "PortalCustomHandler77BD3212"
              },
              "\",\"InvocationType\":\"Event\"},\"physicalResourceId\":{\"id\":\"1732300497796\"}}"
            ]
          ]
        },
        "InstallLatestAwsSdk": false
      },
      "DependsOn": [
        "PortalCustomHandler77BD3212",
        "PortalCustomResourceConfigCustomResourcePolicy9197C5C9"
      ],
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/Portal/CustomResourceConfig/Resource/Default"
      }
    },
    "PortalCustomResourceConfigCustomResourcePolicy9197C5C9": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": {
                "Fn::GetAtt": [
                  "PortalCustomHandler77BD3212",
                  "Arn"
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "PortalCustomResourceConfigCustomResourcePolicy9197C5C9",
        "Roles": [
          {
            "Ref": "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2"
          }
        ]
      },
      "DependsOn": [
        "PortalCustomHandler77BD3212"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/Portal/CustomResourceConfig/CustomResourcePolicy/Resource"
      }
    },
    "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/Resource"
      }
    },
    "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:List*"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":s3:::",
                      {
                        "Fn::Sub": "solutions-${AWS::Region}"
                      }
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":s3:::",
                      {
                        "Fn::Sub": "solutions-${AWS::Region}"
                      },
                      "/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:List*",
                "s3:DeleteObject*",
                "s3:PutObject",
                "s3:PutObjectLegalHold",
                "s3:PutObjectRetention",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionTagging",
                "s3:Abort*"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "PortalWebS3Bucket93628CD2",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "PortalWebS3Bucket93628CD2",
                          "Arn"
                        ]
                      },
                      "/*"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF",
        "Roles": [
          {
            "Ref": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy/Resource"
      }
    },
    "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "data-transfer-hub/v2.6.6/2d56e153cac88d3e0c2f842e8e6f6783b8725bf91f95e0673b4725448a56e96d.zip"
        },
        "Environment": {
          "Variables": {
            "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
          }
        },
        "Handler": "index.handler",
        "Layers": [
          {
            "Ref": "PortalDeployWebsiteAwsCliLayer82C5B798"
          }
        ],
        "Role": {
          "Fn::GetAtt": [
            "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265",
            "Arn"
          ]
        },
        "Runtime": "python3.9",
        "Timeout": 900
      },
      "DependsOn": [
        "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF",
        "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Resource",
        "aws:asset:path": "asset.2d56e153cac88d3e0c2f842e8e6f6783b8725bf91f95e0673b4725448a56e96d",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code"
      }
    },
    "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/AWS679f53fac002430cb0da5b7982bd2287/ServiceRole/Resource"
      }
    },
    "AWS679f53fac002430cb0da5b7982bd22872D164C4C": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "data-transfer-hub/v2.6.6/cb92a348b5b60bcbbe3888108f15e75877121eb402b4a74526927300fcc54975.zip"
        },
        "Handler": "index.handler",
        "Role": {
          "Fn::GetAtt": [
            "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2",
            "Arn"
          ]
        },
        "Runtime": "nodejs18.x",
        "Timeout": 900
      },
      "DependsOn": [
        "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2"
      ],
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/AWS679f53fac002430cb0da5b7982bd2287/Resource",
        "aws:asset:path": "asset.cb92a348b5b60bcbbe3888108f15e75877121eb402b4a74526927300fcc54975",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code"
      }
    },
    "CDKMetadata": {
      "Type": "AWS::CDK::Metadata",
      "Properties": {
        "Analytics": "v2:deflate64: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"
      },
      "Metadata": {
        "aws:cdk:path": "DataTransferHub-cognito/CDKMetadata/Default"
      },
      "Condition": "CDKMetadataAvailable"
    }
  },
  "Outputs": {
    "APICfnWorkflowCfnDeploymentStateMachineArn08C07E97": {
      "Description": "StateMachine Arn",
      "Value": {
        "Ref": "APICfnWorkflowCfnDeploymentStateMachineFC154A5B"
      },
      "Export": {
        "Name": "StateMachineArn"
      }
    },
    "APICentralAlarmTopicNameBFED604E": {
      "Description": "Central Alarm Topic Name",
      "Value": {
        "Fn::GetAtt": [
          "DTHCentralAlarmTopic",
          "TopicName"
        ]
      }
    },
    "TaskClusterVpc": {
      "Description": "Task VPC ID",
      "Value": {
        "Ref": "TaskClusterTaskVPCE5385B4D"
      },
      "Export": {
        "Name": "TaskVpcId"
      }
    },
    "TaskClusterName": {
      "Description": "Task Cluster Name",
      "Value": {
        "Ref": "TaskCluster"
      },
      "Export": {
        "Name": "TaskClusterName"
      }
    },
    "UserPoolId": {
      "Description": "User Pool Id",
      "Value": {
        "Ref": "DataTransferHubUserPool"
      }
    },
    "UserPoolApiClientId": {
      "Description": "API Client Id",
      "Value": {
        "Ref": "APIUserPoolClientF836008A"
      }
    },
    "UserPoolDomain": {
      "Description": "User pool domain",
      "Value": {
        "Ref": "APIUserPoolDomain18D47904"
      }
    },
    "AdminUsername": {
      "Description": "Admin username",
      "Value": {
        "Ref": "AdminEmail"
      }
    },
    "ApiEndpoint": {
      "Value": {
        "Fn::GetAtt": [
          "APIApiEndpoint2023018D2D2AB5",
          "GraphQLUrl"
        ]
      }
    },
    "PortalUrl": {
      "Value": {
        "Fn::GetAtt": [
          "PortalWebCloudFrontDistribution3C837830",
          "DomainName"
        ]
      }
    }
  },
  "Conditions": {
    "CDKMetadataAvailable": {
      "Fn::Or": [
        {
          "Fn::Or": [
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "af-south-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-east-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-northeast-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-northeast-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-south-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-southeast-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-southeast-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ca-central-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "cn-north-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "cn-northwest-1"
              ]
            }
          ]
        },
        {
          "Fn::Or": [
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-central-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-north-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-south-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-west-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-west-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-west-3"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "il-central-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "me-central-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "me-south-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "sa-east-1"
              ]
            }
          ]
        },
        {
          "Fn::Or": [
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "us-east-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "us-east-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "us-west-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "us-west-2"
              ]
            }
          ]
        }
      ]
    }
  },
  "Rules": {}
}