Name: BSP_Mode1_Reporting
Owner: U.S. General Services Administration
Description: Lambda functions for creating and Emailing reports for BSP Mode1 AWS Accounts
Created: 2018-02-06 16:44:27.0
Updated: 2018-05-19 17:58:19.0
Pushed: 2018-05-04 16:04:36.0
Homepage: null
Size: 95
Language: HCL
AMI report using Lambda functions and Amazon SES
There are two Lambda functions. One does a DescribeImages query for each tenant account, formats the data into CSV and saves the CSV to an S3 bucket. The second Lambda function creates a multi-part MIME Email, attaches the report from the S3 bucket and sends it via Amazon Simple Email Service (SES) to a list of recipients.
Cross-account permissions are required for the Lambda function in the "management" account to query the "tenant" accounts. This is done by creating, in each tenant account, an IAM role whose trust policy delegates `sts:AssumeRole` to the management account. See the Terraform configuration in the `tenants` sub-directory for details.

Attached to the tenant IAM role is a single policy that allows only the `ec2:DescribeImages` action.
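The tenant side of that delegation, written out here as an added Terraform example (this is not the project's own configuration from the `tenants` sub-directory, which the page does not reproduce). It uses Terraform 0.12 or later syntax and assumes the variable name `mgmt_account` from the configuration steps below, the role name `ami-report-tenant`, and an `external_id` variable; the `sts:ExternalId` condition is a confused-deputy guard the page does not mention and is included as an assumption.

```hcl
# Added example, not the project's Terraform. Terraform 0.12+ syntax.
# Assumptions: variable name mgmt_account (as in the tenants configuration),
# role name ami-report-tenant, and the optional external_id guard.

variable "mgmt_account" {
  description = "Account number of the management account that runs the reporting Lambda"
  type        = string
}

variable "external_id" {
  description = "Value the management Lambda must present when assuming the role (assumption, not on the page)"
  type        = string
}

# Trust policy: only principals in the management account may assume the role,
# and only when they present the agreed ExternalId. Narrowing the principal
# from the account root to the reporting Lambda's own role ARN would be
# tighter still once that ARN is known.
data "aws_iam_policy_document" "ami_report_trust" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.mgmt_account}:root"]
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

resource "aws_iam_role" "ami_report_tenant" {
  name               = "ami-report-tenant"
  assume_role_policy = data.aws_iam_policy_document.ami_report_trust.json
}

# Permission policy: the single read-only action the report needs.
# ec2:DescribeImages has no resource-level permissions, so the resource must
# be "*"; the blast radius is bounded by the action list, not the resource.
data "aws_iam_policy_document" "ami_report_tenant" {
  statement {
    actions   = ["ec2:DescribeImages"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "ami_report_tenant" {
  name   = "ami-report-describe-images"
  role   = aws_iam_role.ami_report_tenant.id
  policy = data.aws_iam_policy_document.ami_report_tenant.json
}

# The management account needs this ARN for its sts:AssumeRole statement.
output "ami_report_tenant_role_arn" {
  value = aws_iam_role.ami_report_tenant.arn
}
```

This is applied once per tenant account with the matching `AWS_PROFILE`, as the configuration steps below describe. A quick check from the management account is `aws sts assume-role --role-arn <output ARN> --role-session-name check --external-id <value>`: it should succeed with the ExternalId and be denied without it, and the returned credentials should be able to run `aws ec2 describe-images --owners self` but nothing else.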
The Lambda function which creates the AMI report is assigned an IAM role in the management account with a single policy attached that allows it to perform all of its necessary functions:

- Allows the Lambda function to query the images in the management account.
- Allows the Lambda function to write the CSV report to an S3 bucket.
- Allows the Lambda function to assume the delegated tenant IAM role and query `DescribeImages` in the tenant accounts.
- Allows the Lambda function to encrypt the CSV report it saves to the S3 bucket.
- `logs:CreateLogGroup`, `logs:CreateLogStream` and `logs:PutLogEvents` actions are required by all Lambda functions to log their actions.
The Lambda function which emails the AMI report is assigned an IAM role in the management account with a single policy attached that allows it to perform all of its necessary functions:

- Allows the Lambda function to send email via Amazon SES.
- Allows the Lambda function to read the report from an Amazon S3 bucket.
- Allows the Lambda function to decrypt the CSV report.
- `logs:CreateLogGroup`, `logs:CreateLogStream` and `logs:PutLogEvents` actions are required by all Lambda functions to log their actions.
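The two management-account roles, as one added Terraform example covering both the report-creating and the report-emailing function described above (not the project's own configuration). The page names only the actions; the resource scoping, the bucket, KMS key, function and role names, the use of a KMS key for the report object, the `tenant_accounts` list variable (the page's version is a comma-separated string) and the `sender` variable are assumptions. The point the example adds is that every statement except `ec2:DescribeImages`, which has no resource-level permissions, is tied to a specific resource: the tenant role ARNs, one bucket, one key, one SES identity and one log group per function.

```hcl
# Added example, not the project's Terraform. Terraform 0.12+ syntax.
# Assumptions: variables tenant_accounts (list), report_bucket,
# report_kms_key_arn and sender; function names ami-report-create and
# ami-report-email; tenant role name ami-report-tenant.

variable "tenant_accounts"    { type = list(string) }
variable "report_bucket"      { type = string }
variable "report_kms_key_arn" { type = string }
variable "sender"             { type = string }

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  account    = data.aws_caller_identity.current.account_id
  region     = data.aws_region.current.name
  log_prefix = "arn:aws:logs:${local.region}:${local.account}:log-group:/aws/lambda"
}

# Both Lambda roles trust only the Lambda service.
data "aws_iam_policy_document" "lambda_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

# Role for the function that builds the AMI report.
data "aws_iam_policy_document" "ami_report_create" {
  statement { # Describe* has no resource-level permissions
    actions   = ["ec2:DescribeImages"]
    resources = ["*"]
  }
  statement { # write only into the report bucket
    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::${var.report_bucket}/*"]
  }
  statement { # assume only the delegated role in each tenant account
    actions   = ["sts:AssumeRole"]
    resources = formatlist("arn:aws:iam::%s:role/ami-report-tenant", var.tenant_accounts)
  }
  statement { # encrypt with the report key only (SSE-KMS on PutObject)
    actions   = ["kms:Encrypt", "kms:GenerateDataKey"]
    resources = [var.report_kms_key_arn]
  }
  statement { # CloudWatch Logs, limited to this function's own log group
    actions   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${local.log_prefix}/ami-report-create:*"]
  }
}

resource "aws_iam_role" "ami_report_create" {
  name               = "ami-report-create"
  assume_role_policy = data.aws_iam_policy_document.lambda_trust.json
}

resource "aws_iam_role_policy" "ami_report_create" {
  role   = aws_iam_role.ami_report_create.id
  policy = data.aws_iam_policy_document.ami_report_create.json
}

# Role for the function that emails the report.
data "aws_iam_policy_document" "ami_report_email" {
  statement { # SendRawEmail is needed for a MIME attachment; scoped to the verified sender identity
    actions   = ["ses:SendRawEmail"]
    resources = ["arn:aws:ses:${local.region}:${local.account}:identity/${var.sender}"]
  }
  statement { # read only from the report bucket
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${var.report_bucket}/*"]
  }
  statement { # decrypt with the report key only
    actions   = ["kms:Decrypt"]
    resources = [var.report_kms_key_arn]
  }
  statement {
    actions   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${local.log_prefix}/ami-report-email:*"]
  }
}

resource "aws_iam_role" "ami_report_email" {
  name               = "ami-report-email"
  assume_role_policy = data.aws_iam_policy_document.lambda_trust.json
}

resource "aws_iam_role_policy" "ami_report_email" {
  role   = aws_iam_role.ami_report_email.id
  policy = data.aws_iam_policy_document.ami_report_email.json
}
```

Neither function gets any permission the other needs: the creator cannot read the bucket or send mail, and the mailer cannot assume tenant roles or write reports. If the report bucket uses SSE-S3 rather than a KMS key, the two `kms:` statements and the `report_kms_key_arn` variable can be dropped.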
To configure the management-account deployment:

1. Copy the `terraform.tfvars.example` file to `terraform.tfvars`.
2. Set the `mgmt_account` variable to the account number of the account where the AMI reporting Lambda function will run. For instructions on how to find the AWS account number, see the AWS docs here.
3. Set `mgmt_account_alias` to the name which will appear in the 'Tenant' column of the AMI report for the AMIs in the management account.
4. Set `tenant_accounts` to a comma separated list of the AWS account numbers for the tenant accounts you wish to query for the AMI report.
5. Set `tenant_names` to a comma separated list of the tenant names you want to appear in the first column of the report to identify the tenant account. The names must be in the exact same order as the corresponding account numbers in the `tenant_accounts` variable.
6. Set `sender` to the email address you want to use as the sender address. Note: This address must be verified for use by SES.
7. Set `recipients` to a comma separated list of the email addresses you wish to receive the report. Note: These addresses must also be verified for use by SES while the account is in the SES sandbox.
8. Set `schedule_expression` to a valid rate or cron schedule expression such as `cron(5 3 ? * MON-FRI *)`. For more information, see the AWS Documentation or tutorial.

In the `tenants` sub-directory, there is a Terraform file to configure the cross-account IAM role and policy. To configure this:

1. Copy the `tenants/terraform.tfvars.example` file to `tenants/terraform.tfvars`.
2. Set the `mgmt_account` variable to the account number of the account where the AMI reporting Lambda function will run. For instructions on how to find the AWS account number, see the AWS docs here.

For each tenant account, you will need to configure your `AWS_PROFILE` environment variable and perform a `terraform apply` for each account. You will need AWS credentials for each account with administrator privileges to apply the Terraform configuration.