
Support cross-account CloudWatch events #2005

Merged
merged 2 commits into from
Feb 8, 2018

Conversation

cplee
Contributor

@cplee cplee commented Feb 7, 2018

Address #1415 by assuming a member role from LambdaMode

  • Call assume_member from within the LambdaMode resolve_resources
  • Allow override of how to extract account_id from the event for subclasses of LambdaMode
  • Allow override of how to extract region from the event for subclasses of LambdaMode
  • Update existing SessionFactory rather than creating a new one since references have already been established to the old SessionFactory

…low mode to override parsing account_id from event
@cplee cplee changed the title fix #1415 by calling assume_member from LambdaRole. fix #1415 by calling assume_member from LambdaMode. Feb 7, 2018
@cplee cplee changed the title fix #1415 by calling assume_member from LambdaMode. Support cross-account CloudWatch events Feb 7, 2018
Collaborator

@kapilt kapilt left a comment


I'm convinced, thanks for the PR.

@kapilt kapilt merged commit 80cb785 into cloud-custodian:master Feb 8, 2018
@kapilt
Collaborator

kapilt commented Feb 14, 2018

based on #2001

@stevelaver

Please can someone provide a simple example policy of this change? Does it mean I can run one lambda across multiple accounts? If so, is there only periodic support, or event support too?

@cplee
Contributor Author

cplee commented Feb 26, 2018

@stevelaver this is intended to work for events. Here's a sample policy to autotag all buckets from member accounts. The lambda is deployed once in a central account.

```yaml
- name: s3-event-create-bucket-autotag
  mode:
    type: cloudtrail
    events:
      - source: s3.amazonaws.com
        ids: requestParameters.bucketName
        event: CreateBucket
    timeout: 300
    runtime: python3.6
    member-role: arn:aws:iam::{account_id}:role/cloud-custodian-action
  resource: s3
  description: |
    Tag new S3 buckets with owner
  filters:
    - tag:OwnerContact: absent
  actions:
    - type: auto-tag-user
      tag: OwnerContact
```

In order for this to work, you also need to deploy the following snippet of CloudFormation into each member account to send events back to the central account:

```yaml
Parameters:
  ToolsAccount:
    Type: String
    Description: Account id of the central (tools) account where the Custodian lambda is deployed
  ToolsRegion:
    Type: String
    Description: Region of the central account's default event bus
Resources:
  EventForwarder:
    Type: AWS::Events::Rule
    Properties:
      Name: cloud-custodian-forwarder
      EventPattern:
        source:
          - aws.ec2
          - aws.s3
      State: ENABLED
      Targets:
        - Id: ToolsAccountEventBus
          Arn: !Sub arn:aws:events:${ToolsRegion}:${ToolsAccount}:event-bus/default
```
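The PR description above says LambdaMode now extracts the account id and region from the incoming event and assumes the `member-role` rendered from the `{account_id}` template; the forwarder rule in the comment above is what gets member-account events onto the central bus in the first place (the central account's default event bus must also carry a resource policy granting `events:PutEvents` to each member account, or the forwarded events are dropped). The following is an added illustration of that event-to-role resolution, not code from the pull request or from Cloud Custodian: the sample event, the function names, and the allowlist check are all assumptions made for this example. The allowlist is the defensive point a reviewer of a cross-account setup wants: the central function should only assume roles in accounts it was told about, rather than in whatever account id an event on the shared bus happens to carry.

```python
import re

# Constructed sample: a CloudTrail API call delivered to the central account's
# event bus via CloudWatch Events. Values are made up for this example.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.s3",
    "account": "111111111111",
    "region": "us-west-2",
    "detail": {
        "eventSource": "s3.amazonaws.com",
        "eventName": "CreateBucket",
        "awsRegion": "us-west-2",
        "recipientAccountId": "111111111111",
        "requestParameters": {"bucketName": "example-bucket"},
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
    },
}

# Same template shape as the member-role key in the policy above.
MEMBER_ROLE_TEMPLATE = "arn:aws:iam::{account_id}:role/cloud-custodian-action"

# AWS account ids are exactly twelve decimal digits.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def extract_account_id(event):
    """Account that emitted the event.

    The top-level 'account' field is set by CloudWatch Events; CloudTrail's
    recipientAccountId in 'detail' is used as a fallback (hypothetical
    override point, mirroring the per-mode override the PR describes).
    """
    account = event.get("account") or event.get("detail", {}).get("recipientAccountId")
    if not account or not ACCOUNT_ID_RE.match(str(account)):
        raise ValueError("event carries no valid 12-digit account id")
    return str(account)


def extract_region(event):
    """Region the event originated in, from the envelope or the CloudTrail detail."""
    region = event.get("region") or event.get("detail", {}).get("awsRegion")
    if not region:
        raise ValueError("event carries no region")
    return region


def member_role_arn(template, account_id):
    """Render the {account_id} placeholder in a member-role template."""
    return template.format(account_id=account_id)


def resolve_member_role(event, template, allowed_accounts):
    """Return (role_arn, region) for the member account an event came from.

    Refuses accounts outside the allowlist so that a stray or unexpected event
    on the shared bus cannot steer the central function into assuming a role
    somewhere it was never configured to operate.
    """
    account_id = extract_account_id(event)
    if account_id not in allowed_accounts:
        raise PermissionError(f"account {account_id} is not an allowed member account")
    return member_role_arn(template, account_id), extract_region(event)


if __name__ == "__main__":
    arn, region = resolve_member_role(SAMPLE_EVENT, MEMBER_ROLE_TEMPLATE, {"111111111111"})
    print(f"would assume {arn} in {region}")
```

In a real deployment the returned ARN is what goes into the STS `AssumeRole` call before the policy's resource queries run; the allowlist would be loaded from configuration rather than hard-coded, and a rejected event should be logged with its account id so that unexpected senders on the bus are visible in the central account.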

@rsandhu2

rsandhu2 commented Nov 16, 2018

@kapilt @cplee Does this also work for periodic mode? I would like to invoke a lambda deployed in the central account and pass the account id in the payload for the child accounts. If there is an example/doc somewhere that would be really helpful!
