limit-monitor.yml

---
AWSTemplateFormatVersion: '2010-09-09'
Description: "(SO0005) - AWS Limits Monitor - This templates creates and schedules
  Lambda functions to notify you of approaching limits"
Parameters:
  TopicEmail:
    Default: your.address@here.com
    Description: E-Mail address to subscribe to alerts
    Type: String
  AccountList:
    Default: '000000000000|999999999999'
    Description: Pipe Delimited List of Account Numbers to Scan for Limits, if not changed the default will use your local account.
    Type: String
  CheckRoleName:
    Default: LimitCheckRole
    Description: Name of IAM Role created to check limits
    Type: String
  SendAnonymousData:
    Description: Send anonymous data to AWS
    Type: String
    Default: 'Yes'
    AllowedValues:
    - 'Yes'
    - 'No'
  CronSchedule:
      Default: rate(1 day)
      Description: 'Schedule to execute Lambda. e.g:.cron(* * * * *) or rate(1 hour/day/etc...).
        See: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html'
      Type: String
  LambdaMemorySize:
    Default: '256'
    Description: Memory to allocate to the Master and Child Lambda's. In most cases,
      256MB should be enough, but larger accounts may need more. Please increase this
      value if your lambda's are failing. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-memorysize
    Type: String
Conditions:
  DefaultAccount: !Equals [ !Ref AccountList, '000000000000|999999999999' ]
Resources:
  SNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: AWS Limits SNS
      Subscription:
      - Endpoint:
          Ref: TopicEmail
        Protocol: email
    Metadata:
      Comment: Create an SNS Topic to Publish Alerts to, subscribe e-mail parameter
  MasterLambda:
    Type: AWS::Lambda::Function
    Properties:
      Description: Function which evaluates list of accounts passed by the CloudWatch
        Event and calls the Child Lambda to scan each account
      Code:
        #S3Bucket: !Join [ '', [ solutions-, !Ref AWS::Region ] ]
        S3Bucket: isco-cloudtrail
        S3Key: limit-monitor/v2/limits.zip
      Handler: limit-master.lambda_handler
      Role:
        Fn::GetAtt:
        - MasterRole
        - Arn
      Runtime: python2.7
      Timeout: '300'
      Environment:
        Variables:
          Region: !Ref AWS::Region
          AccountList: !If [ DefaultAccount, !Ref "AWS::AccountId", !Ref AccountList ] 
          InitiateCheckLambda: !Ref InitiateCheckLambda
    DependsOn: MasterRole
    Metadata:
      Comment: Function which evaluates list of accounts passed by the CloudWatch
        Event and calls the Child Lambda to scan each account
  InitiateCheckLambda:
    Type: AWS::Lambda::Function
    Properties:
      Description: Function which assumes a role in each account to initiate TA refresh and
        creates recurring CWE to check for updated results
      Code:
        #S3Bucket: !Join [ '', [ solutions-, !Ref AWS::Region ] ]
        S3Bucket: isco-cloudtrail
        S3Key: limit-monitor/v2/limits.zip
      Handler: limit-initiate.lambda_handler
      Role: !GetAtt InitiateCheckLambdaRole.Arn
      Runtime: python2.7
      MemorySize: !Ref LambdaMemorySize
      Timeout: '300'
      Environment:
        Variables:
          CheckRoleName: !Ref CheckRoleName
          RetrieveResultsLambda: !GetAtt RetrieveResultsLambda.Arn
          Region: !Ref AWS::Region
    DependsOn: InitiateCheckLambdaRole
    Metadata:
      Comment: Function which assumes a role in each account to scan for approaching
        limits and sends an alert to the SNS topic
  RetrieveResultsLambda:
    Type: AWS::Lambda::Function
    Properties:
      Description: Function which assumes a role in each account to scan for approaching
        limits and sends an alert to the SNS topic
      Code:
        #S3Bucket: !Join [ '', [ solutions-, !Ref AWS::Region ] ]
        S3Bucket: isco-cloudtrail
        S3Key: limit-monitor/v2/limits.zip
      Handler: limit-check.lambda_handler
      Role: !GetAtt RetrieveResultsLambdaRole.Arn
      Runtime: python2.7
      MemorySize: !Ref LambdaMemorySize
      Timeout: '300'
      Environment:
        Variables:
          CheckRoleName: !Ref CheckRoleName
          UUID: !GetAtt CheckRole.UUID
          SNSArn: !Ref SNSTopic
          Region: !Ref AWS::Region
          SendAnonymousData: !Ref SendAnonymousData
    DependsOn: RetrieveResultsLambdaRole
    Metadata:
      Comment: Function which assumes a role in each account to scan for approaching
        limits and sends an alert to the SNS topic
  ConfigLambda:
    Type: AWS::Lambda::Function
    Properties:
      Description: Custom Resource Lambda to create the cross-account role assumed
        by the Child Lambda
      Code:
        #S3Bucket: !Join [ '', [ solutions-, !Ref AWS::Region ] ]
        S3Bucket: isco-cloudtrail
        S3Key: limit-monitor/v2/limits.zip
      Handler: configuration.lambda_handler
      Role: !GetAtt ConfigRole.Arn
      Runtime: python2.7
      Timeout: '300'
    DependsOn: ConfigRole
    Metadata:
      Comment: Custom Resource Lambda to create the cross-account role assumed by
        the Child Lambda
  CheckRole:
    Type: Custom::CheckRole
    Properties:
      ServiceToken: !GetAtt ConfigLambda.Arn
      Region: !Ref AWS::Region
      CheckRoleName: !Ref CheckRoleName
      AccountNumber: !Ref AWS::AccountId
    Metadata:
      Comment: Invoke the Configuration Lambda Function with the specified parameters
        for creating the role to assume
  InitiateCheckLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole
      Path: "/"
      Policies:
      - PolicyName: Limits-AssumeRole
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:PutLogEvents
            Resource: arn:aws:logs:*:*:log-group:/aws/lambda/*
          - Effect: Allow
            Action:
            - sts:AssumeRole
            Resource: !Join [ '', [ "arn:aws:iam::*:role/", !Ref CheckRoleName ] ]
          - Effect: Allow
            Action:
            - lambda:Invoke*
            Resource: !GetAtt RetrieveResultsLambda.Arn
    Metadata:
      Comment: Invocation role for the Lambda functions to use
  RetrieveResultsLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole
      Path: "/"
      Policies:
      - PolicyName: Limits-AssumeRole
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:PutLogEvents
            Resource: arn:aws:logs:*:*:log-group:/aws/lambda/*
          - Effect: Allow
            Action:
            - sns:Publish
            Resource:
            - Ref: SNSTopic
          - Effect: Allow
            Action:
            - sts:AssumeRole
            Resource: !Join [ '', [ "arn:aws:iam::*:role/", !Ref CheckRoleName ] ]
          - Effect: Allow
            Action:
            - ec2:DescribeRegions
            Resource:
            - "*"
    Metadata:
      Comment: Invocation role for the Lambda functions to use
  MasterRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole
      Path: "/"
      Policies:
      - PolicyName: Limits-AssumeRole
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:PutLogEvents
            Resource: arn:aws:logs:*:*:log-group:/aws/lambda/*
          - Effect: Allow
            Action:
            - lambda:Invoke*
            Resource: !GetAtt InitiateCheckLambda.Arn
    Metadata:
      Comment: Invocation role for the Lambda functions to use
  ConfigRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole
      Path: "/"
      Policies:
      - PolicyName: Limits-AssumeRole
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:PutLogEvents
            Resource: arn:aws:logs:*:*:log-group:/aws/lambda/*
          - Effect: Allow
            Action:
            - iam:AttachRolePolicy
            - iam:DetachRolePolicy
            - iam:CreateRole
            - iam:DeleteRole
            - iam:PutRolePolicy
            - iam:DeleteRolePolicy
            Resource:
            - Fn::Join:
              - ''
              - - 'arn:aws:iam::'
                - Ref: AWS::AccountId
                - ":role/"
                - Ref: CheckRoleName
    Metadata:
      Comment: Invocation role for the Lambda functions to use
  MasterRule:
    Type: AWS::Events::Rule
    Properties:
      ScheduleExpression: !Ref CronSchedule
      State: ENABLED
      Targets:
      - Arn: !GetAtt MasterLambda.Arn
        Id: LimitsRule
    DependsOn: CheckRole
  MasterLambdaInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt MasterLambda.Arn
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn: !GetAtt MasterRule.Arn
Outputs:
  CreateRole:
    Description: Run this in each sub-account you wish to monitor to create a role
      for the primary account to assume
    Value: !Sub |
      aws iam create-role --role-name ${CheckRoleName} --assume-role-policy-document "{\"Version\": \"2012-10-17\",\"Statement\":[{\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"${AWS::AccountId}\"},\"Action\": \"sts:AssumeRole\"}]}"
  AttachPolicy1:
    Description: Add Read Only Access
    Value: !Sub |
      aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess --role-name ${CheckRoleName}
  AttachPolicy2:
    Description: Add Support API for TrustedAdvisor access
    Value: !Sub |
      aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name ${CheckRoleName}
  AttachPolicy3:
    Description: Add Support API for TrustedAdvisor access
    Value: !Sub |
      aws iam put-role-policy --role-name ${CheckRoleName} --policy-name CloudFormationDescribe --policy-document "{\"Version\": \"2012-10-17\",\"Statement\":[{\"Sid\": \"Stmt1455149881000\",\"Effect\": \"Allow\",\"Action\": [\"cloudformation:DescribeAccountLimits\",\"dynamodb:DescribeLimits\"],\"Resource\": [\"*\"]}]}"
  AttachPolicy4:
    Description: Add permissions to create CloudWatch Events and invoke child Lambda function
    Value: !Sub |
      aws iam put-role-policy --role-name ${CheckRoleName} --policy-name ChildLambdaPermissions --policy-document "{\"Version\": \"2012-10-17\",\"Statement\":[{\"Sid\": \"Stmt1455149881000\",\"Effect\": \"Allow\",\"Action\": [\"events:DeleteRule\", \"events:PutRule\", \"events:PutTargets\", \"events:RemoveTargets\", \"lambda:AddPermission\", \"lambda:RemovePermission\"],\"Resource\": [\"*\"]}]}"
  UUID:
    Description: Newly created random UUID.
    Value: !GetAtt CheckRole.UUID