attaching policies to oam cross account role; add oam link creation

cyphronix · cyphronix · commit 9e57911b6fe8 · 2024-10-16T22:09:17.000-06:00
diff --git a/aws_sra_examples/solutions/genai/bedrock_org/lambda/src/app.py b/aws_sra_examples/solutions/genai/bedrock_org/lambda/src/app.py
@@ -625,6 +625,15 @@ def create_event(event, context):
                 DRY_RUN_DATA["OAMCrossAccountRoleCreate"] = f"DRY_RUN: Create {cloudwatch.CROSS_ACCOUNT_ROLE_NAME} IAM role"
         else:
             LOGGER.info(f"CloudWatch observability access manager cross-account role found: {cloudwatch.CROSS_ACCOUNT_ROLE_NAME}")
+        
+        # 5d) Attach managed policies to CloudWatch-CrossAccountSharingRole IAM role
+        cross_account_policies = [
+            "arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess",
+            "arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess",
+            "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess"
+        ]
+        
+
 
 
     # End
diff --git a/aws_sra_examples/solutions/genai/bedrock_org/lambda/src/sra_cloudwatch.py b/aws_sra_examples/solutions/genai/bedrock_org/lambda/src/sra_cloudwatch.py
@@ -317,3 +317,28 @@ def put_oam_sink_policy(self, sink_arn: str, sink_policy: dict) -> None:
         except ClientError as e:
             self.LOGGER.info(self.UNEXPECTED)
             raise ValueError(f"Unexpected error executing Lambda function. {e}") from None
+
+    def find_oam_link(self, sink_arn: str) -> tuple[bool, str]:
+        """Find the Observability Access Manager link for SRA in the organization.
+
+        Args:
+            sink_arn (str): ARN of the sink
+
+        Returns:
+            tuple[bool, str]: True if the link is found, False if not, and the link ARN
+        """
+        try:
+            response = self.CWOAM_CLIENT.list_links()
+            for link in response["Items"]:
+                if link["SinkArn"] == sink_arn:
+                    self.LOGGER.info(f"Observability access manager link for {sink_arn} found: {link['Arn']}")
+                    return True, link["Arn"]
+            self.LOGGER.info(f"Observability access manager link for {sink_arn} not found")
+            return False, ""
+        except ClientError as error:
+            if error.response["Error"]["Code"] == "ResourceNotFoundException":
+                self.LOGGER.info(f"Observability access manager link for {sink_arn} not found. Error code: {error.response['Error']['Code']}")
+                return False, ""
+            else:
+                self.LOGGER.info(self.UNEXPECTED)
+                raise ValueError(f"Unexpected error executing Lambda function. {error}") from None
