Common-TagFunctions.yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Common-TagFunctions Template.
  This creates Lambda Functions related to Tagging Resources.
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Stack Dependencies
        Parameters:
          - LayersStackName
          - BucketsStackName
          - TopicsStackName
      - Label:
          default: Function Configuration
        Parameters:
          - VpcDefaultResourceTaggerFunctionKey
          - VpcDefaultResourceTaggerFunctionObjectVersion
          - VpcDefaultResourceTaggerLogRetention
    ParameterLabels:
      LayersStackName:
        default: Layers Stack Name
      BucketsStackName:
        default: Buckets Stack Name
      TopicsStackName:
        default: Topics Stack Name
      VpcDefaultResourceTaggerFunctionKey:
        default: VpcDefaultResourceTagger Function S3 Key
      VpcDefaultResourceTaggerFunctionObjectVersion:
        default: VpcDefaultResourceTagger Function S3 Object Version
      VpcDefaultResourceTaggerLogRetention:
        default: VpcDefaultResourceTagger Log Retention
Parameters:
  LayersStackName:
    Description: Name of the CloudFormation Stack containing Layers
    Type: String
    MinLength: 2
    MaxLength: 64
    Default: Layers
    AllowedPattern: ^[A-Z][-a-zA-Z0-9]*$
    ConstraintDescription: must begin with an upper case letter and contain alphanumeric characters and dashes.
  BucketsStackName:
    Description: Name of the CloudFormation Stack containing Buckets
    Type: String
    MinLength: 2
    MaxLength: 64
    Default: Buckets
    AllowedPattern: ^[A-Z][-a-zA-Z0-9]*$
    ConstraintDescription: must begin with an upper case letter and contain alphanumeric characters and dashes.
  TopicsStackName:
    Description: Name of the CloudFormation Stack containing Topics
    Type: String
    MinLength: 2
    MaxLength: 64
    Default: Topics
    AllowedPattern: ^[A-Z][-a-zA-Z0-9]*$
    ConstraintDescription: must begin with an upper case letter and contain alphanumeric characters and dashes.
  VpcDefaultResourceTaggerFunctionKey:
    Description: Key of Object within the S3 Bucket containing the VpcDefaultResourceTagger Lambda Function zipfile
    Type: String
    MinLength: 2
    MaxLength: 64
    Default: VpcDefaultResourceTagger.zip
    AllowedPattern: ^[-_.a-zA-Z0-9]*\.zip$
    ConstraintDescription: must be a valid zipfilename, not containing slashes.
  VpcDefaultResourceTaggerFunctionObjectVersion:
    Description: Version of Object within the S3 Bucket containing the VpcDefaultResourceTagger Lambda Function zipfile
    Type: String
    MaxLength: 32
    Default: ''
    ConstraintDescription: must be a valid S3 Object Version.
  VpcDefaultResourceTaggerLogRetention:
    Description: Number of days to retain CloudWatch Log Events for the VpcDefaultResourceTagger Lambda Function
    Type: Number
    Default: 30
    AllowedValues:
      - 1
      - 3
      - 5
      - 7
      - 14
      - 30
      - 60
      - 90
    ConstraintDescription: must be 1, 3, 5, 7, 14, 30, 60 or 90.
Conditions:
  ConfigureVpcDefaultResourceTaggerFunctionObjectVersion: !Not [ !Equals [ !Ref VpcDefaultResourceTaggerFunctionObjectVersion, '' ]]
Resources:
  VpcDefaultResourceTaggerRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: TagVpcDefaultResourcesPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - ec2:DescribeRouteTables
                  - ec2:DescribeNetworkAcls
                  - ec2:DescribeSecurityGroups
                  - ec2:DescribeTags
                  - ec2:CreateTags
                Resource: '*'
  VpcDefaultResourceTaggerLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/lambda/VpcDefaultResourceTagger
      RetentionInDays: !Ref VpcDefaultResourceTaggerLogRetention
  VpcDefaultResourceTaggerFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: VpcDefaultResourceTagger
      Description: A Lambda function that tags the default resources created along with a VPC, which are otherwise untagged.
      Role: !GetAtt VpcDefaultResourceTaggerRole.Arn
      Runtime: nodejs10.x
      Timeout: 30
      Layers:
        - !ImportValue
            Fn::Sub: ${LayersStackName}-AsyncCustomResourceLayerVersionArn
      Handler: VpcDefaultResourceTagger.handler
      Code:
        S3Bucket: !ImportValue
          Fn::Sub: ${BucketsStackName}-FunctionsBucket
        S3Key: !Ref VpcDefaultResourceTaggerFunctionKey
        S3ObjectVersion: !If [ ConfigureVpcDefaultResourceTaggerFunctionObjectVersion, !Ref VpcDefaultResourceTaggerFunctionObjectVersion, !Ref 'AWS::NoValue' ]
    DependsOn: VpcDefaultResourceTaggerLogGroup
Outputs:
  VpcDefaultResourceTaggerFunctionArn:
    Description: The VpcDefaultResourceTagger Lambda Function ARN
    Value: !GetAtt VpcDefaultResourceTaggerFunction.Arn
    Export:
      Name: !Sub ${AWS::StackName}-VpcDefaultResourceTaggerFunctionArn