template.yml
AWSTemplateFormatVersion: 2010-09-09
Description: >-
  Tools to regularly trigger drift detection on AWS CloudFormation Stacks
Transform:
  - AWS::Serverless-2016-10-31
Parameters:
  Regions:
    Type: String
    Default: all
    Description: >-
      Comma-separated list of regions to scan for CloudFormation stacks, e.g. ap-southeast-2,us-west-2.
      "all" means scan all available regions.
  DriftDetectionMinAgeHours:
    Type: Number
    Default: 24
    Description: >-
      The minimum age of a drift detection result in hours to be marked for drift detection. The system will trigger a new
      drift detection after this time has passed from the previously completed drift detection. From 24 hours to
      168 hours (1 week).
    MinValue: 24
    MaxValue: 168
  ScanFrequencyHours:
    Type: Number
    Default: 1
    Description: >-
      The number of hours between scans. Each scan triggers as many drift detections in a region as DriftDetectionBatchSize.
      From 1 hour to 24 hours.
    MinValue: 1
    MaxValue: 24
  DriftDetectionBatchSize:
    Type: Number
    Default: 20
    Description: >-
      Maximum number of drift detections to be triggered per region by the system in every scan. Adjust this value in combination
      with ScanFrequencyHours based on the number of Stacks you have.
    MinValue: 1
    MaxValue: 200
  ExcludedStackArns:
    Type: String
    Default: ""
    Description: >-
      Comma-separated list of CloudFormation Stack ARNs to be excluded by the system. Each item can be a regular expression
      without the comma character or a full CloudFormation Stack ARN.
  LogRetentionDays:
    Type: String
    Default: "1"
    Description: >-
      Retention in days to keep the Lambda log files in CloudWatch Logs
    AllowedValues:
      - 1
      - 3
      - 5
      - 7
      - 14
      - 30
      - 60
      - 90
      - 120
      - 150
      - 180
      - 365
      - 400
      - 545
      - 731
      - 1827
      - 3653
Resources:
  TriggerCloudFormationDriftDetection:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: triggerCloudFormationDriftDetection
      Description: A Lambda function that triggers CloudFormation drift detection on all eligible Stacks.
      Runtime: nodejs14.x
      Handler: src/handlers/triggerDriftDetection.handler
      Events:
        CloudWatchEvent:
          Type: Schedule
          Properties:
            # Name belongs to the Schedule event's Properties in SAM, not beside Type
            Name: CloudFormationDriftDetectionSchedule
            Schedule: !Sub "cron(0 */${ScanFrequencyHours} * * ? *)"
            Description: CloudFormation drift detection trigger Lambda function execution frequency
            Enabled: True
            # Parameter values are passed to the handler as strings inside the event payload
            Input: !Sub >-
              {
                "regions": "${Regions}",
                "driftDetectionMinAgeHours": "${DriftDetectionMinAgeHours}",
                "batchSize": "${DriftDetectionBatchSize}",
                "excludedStackIds": "${ExcludedStackArns}"
              }
      Policies:
        - ReadOnlyAccess
      MemorySize: 256
      Timeout: 300
      Tags:
        Name: triggerCloudFormationDriftDetection
  LambdaLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Join ["", ["/aws/lambda/", !Ref TriggerCloudFormationDriftDetection]]
      RetentionInDays: !Ref LogRetentionDays
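The parameter descriptions above define how the scheduled function is meant to pick stacks: honour ExcludedStackArns as regular expressions or full ARNs, only re-check a stack once its last drift result is older than DriftDetectionMinAgeHours, and cap each scan at DriftDetectionBatchSize. The following is an added example, not the project's handler code, that implements those selection rules as a pure function so they can be tested offline. The function and field names (resolveRegions, selectStacksForDrift, stackId, lastCheckTimestamp) are assumptions, and the stack records are constructed; the input object mirrors the Schedule event's Input payload, where every value arrives as a string.

```javascript
// Added example (not the project's handler): a pure implementation of the
// stack-selection rules that the template's Parameters describe. Function and
// record names are assumptions; the record shape is a constructed
// simplification of the drift information DescribeStacks reports.

const HOUR_MS = 60 * 60 * 1000;

// Regions parameter: "all" means every available region, otherwise a comma list.
function resolveRegions(regionsParam, availableRegions) {
  const value = (regionsParam || "").trim();
  if (value === "" || value === "all") return [...availableRegions];
  return value.split(",").map((r) => r.trim()).filter(Boolean);
}

// ExcludedStackArns: comma-separated items, each a regular expression or a
// full stack ARN. A full ARN is itself a regular expression that matches that
// ARN, so every item is compiled the same way. An invalid pattern throws,
// which is preferable to silently excluding nothing.
function parseExclusions(excludedStackIds) {
  return (excludedStackIds || "")
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean)
    .map((item) => new RegExp(item));
}

// Eligible = not excluded, and last completed drift check older than
// driftDetectionMinAgeHours (a stack that was never checked is always eligible).
// Oldest check first, capped at batchSize, so a large fleet is covered over
// successive scans instead of re-checking the same stacks every hour.
function selectStacksForDrift(stacks, input, now = Date.now()) {
  // Values come from the event Input as strings ("24", "20"), hence Number().
  const minAgeMs = Number(input.driftDetectionMinAgeHours) * HOUR_MS;
  const batchSize = Number(input.batchSize);
  const exclusions = parseExclusions(input.excludedStackIds);
  const checkedAt = (s) => (s.lastCheckTimestamp ? Date.parse(s.lastCheckTimestamp) : 0);

  return stacks
    .filter((s) => !exclusions.some((re) => re.test(s.stackId)))
    .filter((s) => now - checkedAt(s) >= minAgeMs)
    .sort((a, b) => checkedAt(a) - checkedAt(b))
    .slice(0, batchSize)
    .map((s) => s.stackId);
}

// Constructed sample data: a fixed "now" and five stacks in one region.
const NOW = Date.parse("2024-01-10T12:00:00Z");
const ACCOUNT = "123456789012"; // placeholder account id
const arn = (name) => `arn:aws:cloudformation:us-west-2:${ACCOUNT}:stack/${name}`;
const SAMPLE_STACKS = [
  { stackId: arn("prod-api/1111"), driftStatus: "IN_SYNC", lastCheckTimestamp: "2024-01-08T12:00:00Z" }, // 48h old: eligible
  { stackId: arn("prod-db/2222"), driftStatus: "DRIFTED", lastCheckTimestamp: "2024-01-10T06:00:00Z" }, // 6h old: too recent
  { stackId: arn("new-stack/3333"), driftStatus: "NOT_CHECKED", lastCheckTimestamp: null }, // never checked: eligible
  { stackId: arn("sam-tmp-xyz/4444"), driftStatus: "IN_SYNC", lastCheckTimestamp: "2024-01-01T00:00:00Z" }, // excluded by regex
  { stackId: arn("legacy/5555"), driftStatus: "IN_SYNC", lastCheckTimestamp: "2024-01-05T00:00:00Z" }, // excluded by full ARN
];

// Shape of the Schedule event's Input payload from template.yml.
const SAMPLE_INPUT = {
  regions: "us-west-2",
  driftDetectionMinAgeHours: "24",
  batchSize: "20",
  excludedStackIds: `stack/sam-tmp-.*,${arn("legacy/5555")}`,
};

console.log(JSON.stringify(selectStacksForDrift(SAMPLE_STACKS, SAMPLE_INPUT, NOW)));
```

With the sample data the selection returns the never-checked stack first and then prod-api; prod-db is skipped because its last result is only six hours old, and the two excluded stacks never reach the age check. Lowering batchSize to 1 returns only the never-checked stack, which is the mechanism the ScanFrequencyHours and DriftDetectionBatchSize descriptions ask you to balance against fleet size.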