@giuseppeborgese
Created March 26, 2021 15:41
ms teams notification
---
AWSTemplateFormatVersion: "2010-09-09"
Description: this is the notification project with ms teams
Parameters:
  ProjectName:
    Description: this name will prefix many names
    Type: String
    Default: notif
Resources:
  # One parameter per team. Each value is the incoming-webhook URL of that team's channel.
  # The URL is the only thing needed to post to the channel, so treat it as a credential.
  MSTLegendsParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub '${ProjectName}-arc-devops-msteams-legends'
      Type: String
      Value: "https://mycompany.webhook.office.com/webhookb2/xxxxxxxxxx"
      Description: teams url to send notifications
  MSTAvengersParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub '${ProjectName}-arc-devops-msteams-avengers'
      Type: String
      Value: "https://mycompany.webhook.office.com/webhookb2/yyyyyyyyyy"
      Description: teams url to send notifications
  # Execution role of the notification Lambda function.
  MSTeamsNotiica:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Sub '${ProjectName}-arc-devops-msteams-notifications'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: 'lambda.amazonaws.com'
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: 'logs-parameter-xray'
          PolicyDocument:
            Statement:
              # Resource '*' lets the function read every parameter in the account;
              # it only needs the ${ProjectName}-arc-devops-msteams-* parameters above.
              - Effect: Allow
                Action:
                  - 'ssm:GetParameter'
                Resource: '*'
              - Effect: Allow
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: '*'
  NotificationLambdaFunction:
    Type: 'AWS::Lambda::Function'
    Properties:
      FunctionName: !Sub '${ProjectName}-arc-devops-msteams-notifications'
      Handler: index.lambda_handler
      Code:
        ZipFile: |
          import urllib3
          import json
          import os
          import boto3

          http = urllib3.PoolManager()

          def lambda_handler(event, context):
              # Recover the info from the message event, it was not an easy one :)
              # The SNS message is JSON, and its AlarmDescription field is a JSON string too.
              message = json.loads(event['Records'][0]['Sns']['Message'])
              alarm_description = json.loads(message['AlarmDescription'])
              lambda_name = alarm_description['lambda_name']
              team = alarm_description['Team']
              kind_of_problem = alarm_description['kind_of_problem']

              # Find the account alias from the account id
              account_id = alarm_description['account_id']
              account_alias = "empty"
              if account_id == "000000000000":
                  account_alias = "devops"
              if account_id == "111111111111":
                  account_alias = "dev"
              if account_id == "222222222222":
                  account_alias = "test"
              if account_id == "333333333333":
                  account_alias = "prod"

              # Find the url for the team.
              # The prefix is hard-coded and matches the default ProjectName ("notif").
              ssm_client = boto3.client('ssm')
              param_string_prefix = "notif-arc-devops-msteams-"
              param_response = ssm_client.get_parameter(Name=param_string_prefix + team)
              url_to_call = param_response['Parameter']['Value']

              # Send the message using https
              name = ("For the account: " + account_alias
                      + " there was a problem of type " + kind_of_problem
                      + " on the lambda function: " + lambda_name)
              msg = {
                  "text": f"Alarm: {name}"
              }
              print(name)
              encoded_msg = json.dumps(msg).encode('utf-8')
              resp = http.request('POST', url_to_call, body=encoded_msg)
      MemorySize: 128
      Runtime: 'python3.7'
      Timeout: 30
      Role: !GetAtt MSTeamsNotiica.Arn
  SNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint:
            Fn::GetAtt:
              - "NotificationLambdaFunction"
              - "Arn"
          Protocol: "lambda"
      TopicName: !Sub '${ProjectName}-arc-devops-msteams-notifications' # if you change this name here you also need to change it in the policy
  # To allow the SNS topic to invoke the Lambda function we need to set up this permission.
  # If you do it from the web console it is added automatically by the console, but with IAM
  # you need to set it up. https://docs.aws.amazon.com/lambda/latest/dg/with-sns-example.html#with-sns-create-x-account-permissions
  LambdaPermissionFromSNS:
    Type: AWS::Lambda::Permission
    Properties:
      Action: "lambda:InvokeFunction"
      FunctionName: !Ref NotificationLambdaFunction
      Principal: "sns.amazonaws.com"
      SourceArn: !Ref SNSTopic
  SNSPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref SNSTopic
      PolicyDocument: |-
        {
          "Version": "2008-10-17",
          "Id": "accee_multiple_accounts",
          "Statement": [
            {
              "Sid": "Allow_Publish_Alarms",
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "cloudwatch.amazonaws.com"
                ]
              },
              "Action": "sns:Publish",
              "Resource": "arn:aws:sns:eu-west-1:000000000000:notif-arc-devops-msteams-notifications",
              "Condition": {
                "ArnLike": {
                  "aws:SourceArn": [
                    "arn:aws:cloudwatch:eu-west-1:000000000000:*",
                    "arn:aws:cloudwatch:eu-west-1:111111111111:*",
                    "arn:aws:cloudwatch:eu-west-1:222222222222:*",
                    "arn:aws:cloudwatch:eu-west-1:333333333333:*"
                  ]
                }
              }
            }
          ]
        }