Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(appconfig-alpha): support for composite alarms #28156

Merged
merged 8 commits into from
Dec 5, 2023
2 changes: 2 additions & 0 deletions packages/@aws-cdk/aws-appconfig-alpha/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -354,11 +354,13 @@ Basic environment with monitors:
```ts
declare const application: appconfig.Application;
declare const alarm: cloudwatch.Alarm;
declare const compositeAlarm: cloudwatch.CompositeAlarm;

new appconfig.Environment(this, 'MyEnvironment', {
application,
monitors: [
appconfig.Monitor.fromCloudWatchAlarm(alarm),
appconfig.Monitor.fromCloudWatchAlarm(compositeAlarm),
],
});
```
Expand Down
26 changes: 23 additions & 3 deletions packages/@aws-cdk/aws-appconfig-alpha/lib/environment.ts
Original file line number Diff line number Diff line change
Expand Up @@ -256,7 +256,7 @@ export class Environment extends EnvironmentBase {
return {
alarmArn: monitor.alarmArn,
...(monitor.monitorType === MonitorType.CLOUDWATCH
? { alarmRoleArn: monitor.alarmRoleArn || this.createAlarmRole(monitor.alarmArn, index).roleArn }
? { alarmRoleArn: monitor.alarmRoleArn || this.createAlarmRole(monitor, index).roleArn }
: { alarmRoleArn: monitor.alarmRoleArn }),
};
}),
Expand All @@ -274,7 +274,21 @@ export class Environment extends EnvironmentBase {
this.application.addExistingEnvironment(this);
}

private createAlarmRole(alarmArn: string, index: number): iam.IRole {
private createAlarmRole(monitor: Monitor, index: number): iam.IRole {
const roleHash = monitor.isCompositeAlarm ? 5 : index;
const logicalId = `Role${roleHash}`;
chenjane-dev marked this conversation as resolved.
Show resolved Hide resolved
const existingRole = this.node.tryFindChild(logicalId) as iam.IRole;
if (existingRole) {
return existingRole;
}
const alarmArn = monitor.isCompositeAlarm
? this.stack.formatArn({
service: 'cloudwatch',
resource: 'alarm',
resourceName: '*',
arnFormat: ArnFormat.COLON_RESOURCE_NAME,
})
: monitor.alarmArn;
const policy = new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ['cloudwatch:DescribeAlarms'],
Expand All @@ -283,7 +297,7 @@ export class Environment extends EnvironmentBase {
const document = new iam.PolicyDocument({
statements: [policy],
});
const role = new iam.Role(this, `Role${index}`, {
const role = new iam.Role(this, logicalId, {
roleName: PhysicalName.GENERATE_IF_NEEDED,
assumedBy: new iam.ServicePrincipal('appconfig.amazonaws.com'),
inlinePolicies: {
Expand Down Expand Up @@ -325,6 +339,7 @@ export abstract class Monitor {
alarmArn: alarm.alarmArn,
alarmRoleArn: alarmRole?.roleArn,
monitorType: MonitorType.CLOUDWATCH,
isCompositeAlarm: alarm instanceof cloudwatch.CompositeAlarm,
};
}

Expand Down Expand Up @@ -355,6 +370,11 @@ export abstract class Monitor {
* The IAM role ARN for AWS AppConfig to view the alarm state.
*/
public abstract readonly alarmRoleArn?: string;

/**
* Indicates whether a CloudWatch alarm is a composite alarm.
*/
public abstract readonly isCompositeAlarm?: boolean;
}

export interface IEnvironment extends IResource {
Expand Down
181 changes: 180 additions & 1 deletion packages/@aws-cdk/aws-appconfig-alpha/test/environment.test.ts
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
import * as cdk from 'aws-cdk-lib';
import { App } from 'aws-cdk-lib';
import { Template } from 'aws-cdk-lib/assertions';
import { Alarm, Metric } from 'aws-cdk-lib/aws-cloudwatch';
import { Alarm, CompositeAlarm, Metric } from 'aws-cdk-lib/aws-cloudwatch';
import * as iam from 'aws-cdk-lib/aws-iam';
import { Application, Environment, Monitor } from '../lib';

Expand Down Expand Up @@ -230,6 +230,185 @@ describe('environment', () => {
});
});

test('environment with composite alarm', () => {
const stack = new cdk.Stack();
const app = new Application(stack, 'MyAppConfig');
const alarm = new Alarm(stack, 'Alarm', {
threshold: 5,
evaluationPeriods: 5,
metric: new Metric(
{
namespace: 'aws',
metricName: 'myMetric',
},
),
});
const compositeAlarm = new CompositeAlarm(stack, 'MyCompositeAlarm', {
alarmRule: alarm,
});
const env = new Environment(stack, 'MyEnvironment', {
name: 'TestEnv',
application: app,
monitors: [
Monitor.fromCloudWatchAlarm(compositeAlarm),
],
});

expect(env).toBeDefined();
Template.fromStack(stack).resourceCountIs('AWS::CloudWatch::Alarm', 1);
Template.fromStack(stack).resourceCountIs('AWS::CloudWatch::CompositeAlarm', 1);
Template.fromStack(stack).hasResourceProperties('AWS::AppConfig::Environment', {
Name: 'TestEnv',
ApplicationId: {
Ref: 'MyAppConfigB4B63E75',
},
Monitors: [
{
AlarmArn: {
'Fn::GetAtt': [
'MyCompositeAlarm0F045229',
'Arn',
],
},
AlarmRoleArn: {
'Fn::GetAtt': [
'MyEnvironmentRole51BFC2F05',
'Arn',
],
},
},
],
});
Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', {
Policies: [
{
PolicyDocument: {
Statement: [
{
Effect: iam.Effect.ALLOW,
Resource: {
'Fn::Join': [
'',
[
'arn:',
{ Ref: 'AWS::Partition' },
':cloudwatch:',
{ Ref: 'AWS::Region' },
':',
{ Ref: 'AWS::AccountId' },
':alarm:*',
],
],
},
Action: 'cloudwatch:DescribeAlarms',
},
],
},
PolicyName: 'AllowAppConfigMonitorAlarmPolicy',
},
],
});
});

test('environment with two composite alarms', () => {
const stack = new cdk.Stack();
const app = new Application(stack, 'MyAppConfig');
const alarm = new Alarm(stack, 'Alarm', {
threshold: 5,
evaluationPeriods: 5,
metric: new Metric(
{
namespace: 'aws',
metricName: 'myMetric',
},
),
});
const compositeAlarm1 = new CompositeAlarm(stack, 'MyCompositeAlarm1', {
alarmRule: alarm,
});
const compositeAlarm2 = new CompositeAlarm(stack, 'MyCompositeAlarm2', {
alarmRule: alarm,
});
const env = new Environment(stack, 'MyEnvironment', {
name: 'TestEnv',
application: app,
monitors: [
Monitor.fromCloudWatchAlarm(compositeAlarm1),
Monitor.fromCloudWatchAlarm(compositeAlarm2),
],
});

expect(env).toBeDefined();
Template.fromStack(stack).resourceCountIs('AWS::CloudWatch::Alarm', 1);
Template.fromStack(stack).resourceCountIs('AWS::CloudWatch::CompositeAlarm', 2);
Template.fromStack(stack).resourceCountIs('AWS::IAM::Role', 1);
Template.fromStack(stack).hasResourceProperties('AWS::AppConfig::Environment', {
Name: 'TestEnv',
ApplicationId: {
Ref: 'MyAppConfigB4B63E75',
},
Monitors: [
{
AlarmArn: {
'Fn::GetAtt': [
'MyCompositeAlarm159A950D0',
'Arn',
],
},
AlarmRoleArn: {
'Fn::GetAtt': [
'MyEnvironmentRole51BFC2F05',
'Arn',
],
},
},
{
AlarmArn: {
'Fn::GetAtt': [
'MyCompositeAlarm2195BFA48',
'Arn',
],
},
AlarmRoleArn: {
'Fn::GetAtt': [
'MyEnvironmentRole51BFC2F05',
'Arn',
],
},
},
],
});
Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', {
Policies: [
{
PolicyDocument: {
Statement: [
{
Effect: iam.Effect.ALLOW,
Resource: {
'Fn::Join': [
'',
[
'arn:',
{ Ref: 'AWS::Partition' },
':cloudwatch:',
{ Ref: 'AWS::Region' },
':',
{ Ref: 'AWS::AccountId' },
':alarm:*',
],
],
},
Action: 'cloudwatch:DescribeAlarms',
},
],
},
PolicyName: 'AllowAppConfigMonitorAlarmPolicy',
},
],
});
});

test('environment with monitors with two alarms', () => {
const stack = new cdk.Stack();
const app = new Application(stack, 'MyAppConfig');
Expand Down

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,27 @@
}
}
},
"MyCompositeAlarm0F045229": {
"Type": "AWS::CloudWatch::CompositeAlarm",
"Properties": {
"AlarmName": "awsappconfigenvironmentMyCompositeAlarm730A7A48",
"AlarmRule": {
"Fn::Join": [
"",
[
"ALARM(\"",
{
"Fn::GetAtt": [
"MyAlarm696658B6",
"Arn"
]
},
"\")"
]
]
}
}
},
"MyEnvironmentRole01C8C013F": {
"Type": "AWS::IAM::Role",
"Properties": {
Expand Down Expand Up @@ -72,6 +93,57 @@
]
}
},
"MyEnvironmentRole51BFC2F05": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "appconfig.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": "cloudwatch:DescribeAlarms",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":cloudwatch:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":alarm:*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "AllowAppConfigMonitorAlarmPolicy"
}
]
}
},
"MyEnvironment465E4DEA": {
"Type": "AWS::AppConfig::Environment",
"Properties": {
Expand Down Expand Up @@ -107,6 +179,20 @@
"Arn"
]
}
},
{
"AlarmArn": {
"Fn::GetAtt": [
"MyCompositeAlarm0F045229",
"Arn"
]
},
"AlarmRoleArn": {
"Fn::GetAtt": [
"MyEnvironmentRole51BFC2F05",
"Arn"
]
}
}
],
"Name": "awsappconfigenvironment-MyEnvironment-C8813182"
Expand Down
Loading