Merge pull request #5 from Baza-86/cloudformation_improvements

Cloudformation improvements
Baza-86 · Jul 19, 2023 · 45dfb39 · 45dfb39
2 parents 68a08d1 + 6a980c3
commit 45dfb39
Showing 1 changed file with 80 additions and 43 deletions.
diff --git a/templates/sg_rule_analysis.yaml b/templates/sg_rule_analysis.yaml
@@ -1,12 +1,6 @@
 AWSTemplateFormatVersion: "2010-09-09"
 Description: "Template to create resources for Security Group rules analysis"
 Parameters:
-  scriptsLocation:
-    Type: String
-    Default: ""
-  librariesLocation:
-    Type: String
-    Default: ""
   quicksightUserArn:
     Type: String
     Default: ""
@@ -65,23 +59,82 @@ Resources:
         Properties:
             LogGroupName: "/aws/vendedlogs/states/sg-analysis-step-function-logs"
 
+    DynamoTableSGRules:
+        Type: "AWS::DynamoDB::Table"
+        Properties:
+          TableName: sg-analysis-rules-data
+          AttributeDefinitions:
+            - AttributeName: sg_rule_id
+              AttributeType: S
+            - AttributeName: security_group_id
+              AttributeType: S
+          KeySchema:
+            - AttributeName: sg_rule_id
+              KeyType: HASH
+            - AttributeName: security_group_id
+              KeyType: RANGE
+          ProvisionedThroughput:
+            ReadCapacityUnits: 5
+            WriteCapacityUnits: 5
+
+    DynamoTableSGAnalysis:
+        Type: "AWS::DynamoDB::Table"
+        Properties:
+          TableName: sg-analysis-rules-usage
+          GlobalSecondaryIndexes:
+            - IndexName: protocol
+              KeySchema:
+              - AttributeName: sg_id
+                KeyType: HASH 
+              - AttributeName: protocol
+                KeyType: RANGE
+              Projection:
+                ProjectionType: ALL
+              ProvisionedThroughput:
+                ReadCapacityUnits: 5
+                WriteCapacityUnits: 5
+          AttributeDefinitions:
+            - AttributeName: sg_rule_id
+              AttributeType: S
+            - AttributeName: sg_id
+              AttributeType: S
+            - AttributeName: protocol
+              AttributeType: S
+          KeySchema:
+            - AttributeName: sg_rule_id
+              KeyType: HASH
+          ProvisionedThroughput:
+            ReadCapacityUnits: 5
+            WriteCapacityUnits: 5
+
+    S3BucketAthena:
+      Type: "AWS::S3::Bucket"
+      DeletionPolicy: Retain
+      Properties:
+        BucketName: security-group-monitoring-test-bucket-athena
+
+    S3BucketFlowlogs:
+      Type: "AWS::S3::Bucket"
+      DeletionPolicy: Retain
+      Properties:
+        BucketName: security-group-monitoring-test-bucket-flowlogs
+
+    S3BucketResources:
+      Type: "AWS::S3::Bucket"
+      DeletionPolicy: Retain
+      Properties:
+        BucketName: security-group-monitoring-test-bucket-resources
+
+
     StepFunctionsStateMachine:
         Type: "AWS::StepFunctions::StateMachine"
         Properties:
             StateMachineName: !Ref EventsRule
             DefinitionString: |
                 {
                   "Comment": "A description of my state machine",
-                  "StartAt": "Glue CreateDynamoDBTables",
+                  "StartAt": "Glue GetSGRulesData",
                   "States": {
-                    "Glue CreateDynamoDBTables": {
-                      "Type": "Task",
-                      "Resource": "arn:aws:states:::glue:startJobRun.sync",
-                      "Parameters": {
-                        "JobName": "sg-analysis-dynamodb-tables"
-                      },
-                      "Next": "Glue GetSGRulesData"
-                    },
                     "Glue GetSGRulesData": {
                       "Type": "Task",
                       "Resource": "arn:aws:states:::glue:startJobRun.sync",
@@ -143,15 +196,16 @@ Resources:
                 ScriptLocation: !Join
                                     - ''
                                     - - 's3://'
-                                      - !Ref scriptsLocation
+                                      - !Ref S3BucketResources
+                                      - '/scripts/'
                                       - 'query_athena.py'
                 PythonVersion: "3.9"
             DefaultArguments: 
                 --TempDir: !Join
                                 - ''
                                 - - 's3://'
-                                  - !Ref scriptsLocation
-                                  - 'temporary/'
+                                  - !Ref S3BucketResources
+                                  - '/temporary/'
                 --class: "GlueApp"
                 --enable-glue-datacatalog: "true"
                 --enable-job-insights: "false"
@@ -175,7 +229,8 @@ Resources:
                 ScriptLocation: !Join
                                     - ''
                                     - - 's3://'
-                                      - !Ref scriptsLocation
+                                      - !Ref S3BucketResources
+                                      - '/scripts/'
                                       - 'get_security_groups_data.py'
                 PythonVersion: "3.9"
             DefaultArguments: 
@@ -184,7 +239,8 @@ Resources:
                 --extra-py-files: !Join
                                     - ''
                                     - - 's3://'
-                                      - !Ref librariesLocation
+                                      - !Ref S3BucketResources
+                                      - '/libraries/'
                                       - 'boto3-1.27.1-py3-none-any.whl'
                 --job-language: "python"
             MaxRetries: 1
@@ -205,7 +261,8 @@ Resources:
                 ScriptLocation: !Join
                                     - ''
                                     - - 's3://'
-                                      - !Ref scriptsLocation
+                                      - !Ref S3BucketResources
+                                      - '/scripts/'
                                       - 'flow_logs_parser.py'
                 PythonVersion: "3.9"
             DefaultArguments: 
@@ -214,31 +271,11 @@ Resources:
                 --extra-py-files: !Join
                                     - ''
                                     - - 's3://'
-                                      - !Ref librariesLocation
+                                      - !Ref S3BucketResources
+                                      - '/libraries/'
                                       - 'awswrangler-2.14.0-py3-none-any.whl'
                 --job-language: "python"
             MaxRetries: 1
             Timeout: 2880
             GlueVersion: "1.0"
-            MaxCapacity: 1
-
-    GlueJob5:
-        Type: "AWS::Glue::Job"
-        Properties:
-            Name: "sg-analysis-dynamodb-tables"
-            Description: "Job to create necessary DynamoDB tables to capture rules and usage information"
-            Role: !GetAtt IAMRole2.Arn
-            ExecutionProperty: 
-                MaxConcurrentRuns: 1
-            Command: 
-                Name: "pythonshell"
-                ScriptLocation: !Join
-                                - ''
-                                - - 's3://'
-                                  - !Ref scriptsLocation
-                                  - 'create_dynamodb_tables.py'
-                PythonVersion: "3.9"
-            MaxRetries: 1
-            Timeout: 2880
-            GlueVersion: "1.0"
             MaxCapacity: 1