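---
# Slack Toolkit: a SAM template that deploys (1) an Organization-wide
# EventBridge "sink" bus for Slack message payloads, (2) a relay function that
# posts those payloads to Slack, and (3) an HTTP endpoint + function that
# receives Slack Events API / interactive callbacks and acts on them, partly by
# assuming roles in other accounts.
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: A collection of utilities that integrate with Slack

Parameters:
  # NOTE: the parameter key is misspelled ("Secet"), but it is part of the
  # stack's deploy-time interface (parameter overrides, pipelines), so it is
  # kept as-is. Only the environment-variable names below are spelled
  # correctly.
  #
  # NOTE(review): both secrets are injected as plaintext Lambda environment
  # variables below. NoEcho keeps them out of DescribeStacks/console output,
  # but any principal with lambda:GetFunctionConfiguration on these functions
  # can read them, and they are encrypted at rest only with the default Lambda
  # service key. Reading them at runtime from Secrets Manager / SSM
  # SecureString would be the stronger design; that requires a handler change.
  SlackSigningSecet:
    Type: String
    NoEcho: true
  SlackAccessToken:
    Type: String
    NoEcho: true
  # Comma-separated (presumably) list of Slack user IDs allowed to drive the
  # DevOps app; only the handler interprets it, the template passes it through.
  DevOpsSlackUserIds:
    Type: String
  # Despite the "Arn" suffix, the default value is a bare role NAME. The
  # handler (src/devops-app) decides how it is used; verify what the deployed
  # stacks actually pass before relying on either interpretation.
  AwsOrganizationCrossAccountSharingRoleArn:
    Type: String
    Default: PRX-Organization-CrossAccountSharingRole
  DevOpsCrossAccountAccessRoleName:
    Type: String
    Default: PRX-DevOps-CrossAccountAccessRole

Resources:
  # Shared layer containing the node-slack-sdk NPM module, built by the
  # Makefile in lib/node-slack-sdk. Both functions attach it.
  SlackSdkLambdaLayer:
    Type: AWS::Serverless::LayerVersion
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Metadata:
      BuildMethod: makefile
    Properties:
      Description: node-slack-sdk NPM module
      ContentUri: lib/node-slack-sdk
      CompatibleRuntimes:
        - nodejs22.x

  # This is an _organization sink_ custom EventBridge event bus. It's intended
  # to exist once within an AWS Organization (i.e., in a single region in a
  # single account).
  #
  # Slack data, such as Slack messages, from across the organization is
  # expected to be sent to this event bus. Generally this is done by creating
  # rules on all default event buses within the organization, which forward
  # all Slack data to this bus.
  #
  # Any tooling that responds to Slack data can subscribe to the relevant
  # events on this bus.
  #
  # This bus should always be called `Slack-org-sink`, as that is what
  # the rules on all default buses expect.
  OrgSinkEventBus:
    Type: AWS::Events::EventBus
    Properties:
      Name: Slack-org-sink

  # Resource policy for the sink bus. `Principal: "*"` on its own would make
  # the bus writable from any AWS account; the aws:ResourceOrgID ==
  # aws:PrincipalOrgID condition narrows that to principals belonging to the
  # same Organization as this account, without hard-coding the org ID. This
  # policy is the trust boundary for everything downstream: any principal in
  # the org that can PutEvents here can get a message posted to Slack by the
  # relay below.
  OrgSinkEventBusPolicy:
    Type: AWS::Events::EventBusPolicy
    Properties:
      EventBusName: !Ref OrgSinkEventBus
      StatementId: AllowEventsToSlackOrgSink
      Statement:
        Action: events:PutEvents
        Condition:
          StringEquals:
            # Literal IAM policy variable; deliberately NOT inside a !Sub, so
            # CloudFormation leaves the ${...} for IAM to evaluate.
            aws:ResourceOrgID: "${aws:PrincipalOrgID}"
        Effect: Allow
        Principal: "*"
        Resource: !GetAtt OrgSinkEventBus.Arn

  # Receives events off the custom Slack event bus which are fully-formed Slack
  # message payloads, and sends those messages to Slack via the Slack API,
  # using credentials from the PRX DevOps (A01G05GKW0K) Slack app. Does not
  # create or alter messages in any way, i.e. the payload is forwarded as
  # supplied by the publisher (InputPath: $.detail).
  #
  # No explicit Role is set, so SAM generates an execution role with basic
  # logging permissions plus whatever the Events/EventInvokeConfig need.
  MessageRelayFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: src/message-relay
      Description: Relays messages to Slack
      Environment:
        Variables:
          SLACK_SIGNING_SECRET: !Ref SlackSigningSecet
          SLACK_ACCESS_TOKEN: !Ref SlackAccessToken
          AWS_NODEJS_CONNECTION_REUSE_ENABLED: "1"
      # Asynchronous invocation settings: after the retries are exhausted the
      # failed event is published to the failure topic, which drives the
      # INVOCATION FAILURES alarm below.
      EventInvokeConfig:
        DestinationConfig:
          OnFailure:
            Destination: !Ref MessageRelayFunctionFailureSnsTopic
            Type: SNS
        MaximumRetryAttempts: 2
      Events:
        # Primary path since 2024-03: rule on the org sink bus.
        OrgSinkEventBus:
          Properties:
            EventBusName: !GetAtt OrgSinkEventBus.Name
            InputPath: $.detail
            Pattern:
              detail-type:
                - Slack Message Relay Message Payload
          Type: EventBridgeRule
        PrimarySns:
          # This is the primary SNS topic used for relaying Slack messages.
          # Prior to the custom event bus (released in 2024-03), this handled
          # nearly all Slack messages. As of 2024-04 it still handles some
          # critical messages that have not been migrated to EventBridge.
          Properties:
            Topic: arn:aws:sns:us-east-2:578003269847:prx-devops-slack-app-SlackMessageRelaySnsTopic-14AFJNBAFLSEC
          Type: SNS
        LegacySns:
          # This is an SNS topic that was previously used. It has very little
          # traffic, but as of 2024-04 it is still in use. It lives in a
          # different account and region; the subscription only works while
          # that topic's policy allows this account to subscribe.
          Properties:
            Region: us-east-1
            Topic: arn:aws:sns:us-east-1:561178107736:infrastructure-notifications-SlackMessageRelaySnsTopic-T55GFH6DAK8W
          Type: SNS
      Handler: index.handler
      Layers:
        - !Ref SlackSdkLambdaLayer
      MemorySize: 128
      Runtime: nodejs22.x
      Tags:
        prx:meta:tagging-version: "2021-04-07"
        prx:cloudformation:stack-name: !Ref AWS::StackName
        prx:cloudformation:stack-id: !Ref AWS::StackId
        prx:ops:environment: Production
        prx:dev:application: Slack Toolkit
      Timeout: 8

  # Explicit log group so retention is bounded (14 days). Relayed Slack
  # payloads may end up in these logs, so treat the group as sensitive.
  MessageRelayLogGroup:
    Type: AWS::Logs::LogGroup
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      LogGroupName: !Sub /aws/lambda/${MessageRelayFunction}
      RetentionInDays: 14
      Tags:
        - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
        - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
        - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
        - { Key: prx:ops:environment, Value: Production }
        - { Key: prx:dev:application, Value: Slack Toolkit }

  # Fires on >= 5 invocation errors in a 2-minute window. No AlarmActions are
  # configured on any alarm in this template, so a breach only changes alarm
  # state; whatever notifies on-call (if anything) must be subscribed to alarm
  # state changes elsewhere -- confirm before relying on these alarms.
  MessageRelayErrorAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub ERROR [Slack] Message Relay <prod> INVOCATION ERRORS (${AWS::StackName})
      AlarmDescription: >-
        Slack relay function has encountered several invocation errors, which
        will be retried.
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: 1
      MetricName: Errors
      Namespace: AWS/Lambda
      Period: 120
      Statistic: Sum
      Tags:
        - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
        - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
        - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
        - { Key: prx:ops:environment, Value: Production }
        - { Key: prx:dev:application, Value: Slack Toolkit }
      Threshold: 5
      TreatMissingData: notBreaching
      Dimensions:
        - Name: FunctionName
          Value: !Ref MessageRelayFunction

  # On-failure destination for the relay. Messages published here contain the
  # original (undelivered) Slack payload, so subscribers see the same data the
  # relay would have posted.
  MessageRelayFunctionFailureSnsTopic:
    Type: AWS::SNS::Topic
    Properties:
      Tags:
        - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
        - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
        - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
        - { Key: prx:ops:environment, Value: Production }
        - { Key: prx:dev:application, Value: Slack Toolkit }

  # Fires when anything at all is published to the failure topic, i.e. a
  # message was dropped after all retries. See the AlarmActions note above.
  MessageRelayFunctionFailureAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub ERROR [Slack] Message Relay <prod> INVOCATION FAILURES (${AWS::StackName})
      AlarmDescription: >-
        Slack relay function has failed to send some messages, even after
        retrying several times.
      ComparisonOperator: GreaterThanThreshold
      Dimensions:
        - Name: TopicName
          Value: !GetAtt MessageRelayFunctionFailureSnsTopic.TopicName
      EvaluationPeriods: 1
      MetricName: NumberOfMessagesPublished
      Namespace: AWS/SNS
      Period: 60
      Statistic: Sum
      Tags:
        - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
        - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
        - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
        - { Key: prx:ops:environment, Value: Production }
        - { Key: prx:dev:application, Value: Slack Toolkit }
      Threshold: 0
      TreatMissingData: notBreaching

  # Public HTTP API that Slack calls back into. No authorizer is attached, so
  # both routes are reachable by anyone on the internet; request authenticity
  # rests entirely on the handler verifying Slack's request signature with
  # SLACK_SIGNING_SECRET (and rejecting stale request timestamps) before it
  # acts on anything. That verification lives in src/devops-app, not here.
  # Consider DefaultRouteSettings throttling if abuse of the open endpoint
  # becomes a concern.
  DevopsHttpApi:
    Type: AWS::Serverless::HttpApi
    Properties:
      Tags:
        prx:meta:tagging-version: "2021-04-07"
        prx:cloudformation:stack-name: !Ref AWS::StackName
        prx:cloudformation:stack-id: !Ref AWS::StackId
        prx:ops:environment: Production
        prx:dev:application: Slack Toolkit

  # Execution role for the DevOps app. Beyond basic logging it may only call
  # sts:AssumeRole, and only on roles whose names end in the two well-known
  # cross-account role names.
  DevopsAppRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: StsPolicy
          PolicyDocument:
            Statement:
              - Action: sts:AssumeRole
                Effect: Allow
                Resource:
                  # Fixed: this pattern previously read "*Oganization-..."
                  # (missing "r"), which does not match the
                  # PRX-Organization-CrossAccountSharingRole default above, so
                  # AssumeRole on that role would have been denied by this
                  # policy.
                  - arn:aws:iam::*:role/*Organization-CrossAccountSharingRole
                  - !Sub arn:aws:iam::*:role/*${DevOpsCrossAccountAccessRoleName}
                # The account ID and name prefix are wildcards, so without a
                # condition this role could assume a same-suffix role in ANY
                # account that chose to trust it. Mirror the sink bus policy
                # and require the target role to belong to the same
                # Organization. Assumes every target role lives in this org,
                # which is what the role names imply.
                Condition:
                  StringEquals:
                    aws:ResourceOrgID: "${aws:PrincipalOrgID}"
            Version: "2012-10-17"
      Tags:
        - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
        - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
        - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
        - { Key: prx:ops:environment, Value: Production }
        - { Key: prx:dev:application, Value: Slack Toolkit }

  # Handles Slack Events API and interactive-component callbacks delivered via
  # DevopsHttpApi, and performs cross-account operations by assuming the roles
  # permitted in DevopsAppRole.
  DevopsAppFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: src/devops-app
      Description: Handles Slack api requests
      Environment:
        Variables:
          SLACK_SIGNING_SECRET: !Ref SlackSigningSecet
          SLACK_ACCESS_TOKEN: !Ref SlackAccessToken
          AWS_NODEJS_CONNECTION_REUSE_ENABLED: "1"
          AWS_ORGANIZATION_CROSS_ACCOUNT_SHARING_ROLE_ARN: !Ref AwsOrganizationCrossAccountSharingRoleArn
          DEVOPS_CROSS_ACCOUNT_ACCESS_ROLE_NAME: !Ref DevOpsCrossAccountAccessRoleName
          DEVOPS_SLACK_USER_IDS: !Ref DevOpsSlackUserIds
      Events:
        EventRequest:
          Properties:
            ApiId: !Ref DevopsHttpApi
            Method: post
            Path: /v1/slack/events
          Type: HttpApi
        InteractiveRequest:
          Properties:
            ApiId: !Ref DevopsHttpApi
            Method: post
            Path: /v1/slack/interactive
          Type: HttpApi
      Handler: index.handler
      Layers:
        - !Ref SlackSdkLambdaLayer
      MemorySize: 512
      Role: !GetAtt DevopsAppRole.Arn
      Runtime: nodejs22.x
      Tags:
        prx:meta:tagging-version: "2021-04-07"
        prx:cloudformation:stack-name: !Ref AWS::StackName
        prx:cloudformation:stack-id: !Ref AWS::StackId
        prx:ops:environment: Production
        prx:dev:application: Slack Toolkit
      Timeout: 8

  # Explicit log group so retention is bounded (14 days). Incoming Slack
  # request bodies may be logged here, so treat the group as sensitive.
  DevopsAppLogGroup:
    Type: AWS::Logs::LogGroup
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      LogGroupName: !Sub /aws/lambda/${DevopsAppFunction}
      RetentionInDays: 14
      Tags:
        - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
        - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
        - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
        - { Key: prx:ops:environment, Value: Production }
        - { Key: prx:dev:application, Value: Slack Toolkit }

  # Fires on any invocation error in a 1-minute window. See the AlarmActions
  # note on MessageRelayErrorAlarm.
  DevopsAppErrorAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub ERROR [Slack] DevOps App <prod> INVOCATION ERRORS (${AWS::StackName})
      AlarmDescription: >-
        Slack DevOps app has encountered several invocation errors.
      ComparisonOperator: GreaterThanThreshold
      Dimensions:
        - Name: FunctionName
          Value: !Ref DevopsAppFunction
      EvaluationPeriods: 1
      MetricName: Errors
      Namespace: AWS/Lambda
      Period: 60
      Statistic: Sum
      Tags:
        - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
        - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
        - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
        - { Key: prx:ops:environment, Value: Production }
        - { Key: prx:dev:application, Value: Slack Toolkit }
      Threshold: 0
      TreatMissingData: notBreaching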