diff --git a/apps/stack/template.yaml b/apps/stack/template.yaml
index 3cbb9ed2..e64b76f1 100644
--- a/apps/stack/template.yaml
+++ b/apps/stack/template.yaml
@@ -37,6 +37,11 @@ Metadata:
 default: CloudWatch Metrics
 Parameters:
 - MetricStreamFilterUri
+ - Label:
+ default: Cloudwatch Metrics Poller Role
+ Parameters:
+ - ObserveAwsAccountId
+ - DatastreamIds
 - Label:
 default: Forwarder Options
 Parameters:
@@ -150,6 +155,18 @@ Parameters:
 Description: >-
 The token used to retrieve metric configuration.
 Default: ''
+ ObserveAwsAccountId:
+ Type: String
+ Description: Observe AWS Account ID which will be allowed to assume role.
+ AllowedPattern: '\d*'
+ Default: ''
+ DatastreamIds:
+ Type: CommaDelimitedList
+ Description: Datastream IDs where data will be ingested to.
+ This ensures Observe cannot assume this role outside
+ of this context.
+ AllowedPattern: \d*
+ Default: ''
 SourceBucketNames:
 Type: CommaDelimitedList
 Description: >-
@@ -214,7 +231,10 @@ Conditions:
 - !Equals
 - !Ref DatasourceID
 - ""
-
+ EnableMetricsPollerRole: !Not
+ - !Equals
+ - !Ref ObserveAwsAccountId
+ - ""
 Resources:
 Topic:
 Type: "AWS::SNS::Topic"
@@ -378,6 +398,22 @@ Resources:
 - UseStackName
 - !Sub "${AWS::StackName}-MetricStream"
 - !Sub "${NameOverride}-MetricStream"
+ MetricsPollerRole:
+ Type: AWS::Serverless::Application
+ Condition: EnableMetricsPollerRole
+ Properties:
+ Location: ../externalrole/template.yaml
+ NotificationARNs:
+ - !Ref Topic
+ Parameters:
+ ObserveAwsAccountId: !Ref ObserveAwsAccountId
+ AllowedActions: >-
+ cloudwatch:GetMetricData,cloudwatch:ListMetrics,tag:GetResources
+ DatastreamIds: !Join [",", !Ref DatastreamIds]
+ NameOverride: !If
+ - UseStackName
+ - !Sub "${AWS::StackName}-MetricsPollerRole"
+ - !Sub "${NameOverride}-MetricsPollerRole"
 Outputs:
 BucketName:
 Description: >-
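Review bot: The new parameter-group label in the Metadata hunk spells the service "Cloudwatch" while the existing group two lines above uses "CloudWatch"; since both labels are rendered side by side in the console, use the same spelling, `default: CloudWatch Metrics Poller Role`.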
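Review bot: `AllowedPattern: '\d*'` on the new ObserveAwsAccountId parameter accepts any run of digits, so a truncated or mistyped account ID passes validation and ends up as the principal the nested role trusts; an AWS account ID is exactly twelve digits, and the empty default still needs to be allowed for the EnableMetricsPollerRole condition, so `AllowedPattern: '^(\d{12})?$'` expresses the intent. The DatastreamIds pattern on the same hunk is written unquoted (`AllowedPattern: \d*`) while the one above it is quoted; the backslash is literal in a plain scalar, but quote both the same way for consistency. The DatastreamIds Description is a plain multi-line scalar, whereas every other Description in this file uses `>-`; switching it to `Description: >-` with the three lines indented beneath matches the file's style and avoids accidental folding surprises.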
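Review bot: EnableMetricsPollerRole gates the nested role only on ObserveAwsAccountId being non-empty, so leaving DatastreamIds at its default `''` still creates the role and passes an empty joined DatastreamIds into the externalrole application. The DatastreamIds Description added in the Parameters hunk says that value is what stops the role being assumed outside its intended context, so an empty value presumably weakens that scoping — confirm against externalrole/template.yaml, which is not visible here. If an empty list should not produce a role, extend the condition to `EnableMetricsPollerRole: !And` over two `!Not`/`!Equals` checks, one for ObserveAwsAccountId and one for `!Join [",", !Ref DatastreamIds]`; otherwise document the deliberate default next to the condition.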
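Review bot: The MetricsPollerRole resource has no comment explaining why it is a nested application with a hard-coded action list, which is the one place a maintainer will later be tempted to widen permissions. Add above `AllowedActions: >-` a comment such as `# Read-only metric and tag lookups only; the trust policy and any ExternalId handling live in ../externalrole/template.yaml`, and above `MetricsPollerRole:` a one-line note that the resource exists only when an Observe account ID is supplied (see EnableMetricsPollerRole).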