
Commit cbff778

committed
kms key state records
1 parent ebac544 commit cbff778


1 file changed

+71
-0
lines changed


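--- a/aws_sra_examples/solutions/genai/bedrock_org/lambda/src/app.py
+++ b/aws_sra_examples/solutions/genai/bedrock_org/lambda/src/app.py
@@ -723,6 +723,76 @@ def deploy_metric_filters_and_alarms(region, accounts, resource_properties):
 DRY_RUN_DATA["KMSAliasCreate"] = "DRY_RUN: Create SRA alarm KMS key alias"
 else:
 LOGGER.info(f"Found SRA alarm KMS key: {alarm_key_id}")
+
+if DRY_RUN is False:
+# Add KMS resource records to sra state table
+# TODO(liamschn): move dynamodb resource to the dynamo class object/module
+dynamodb_resource = sts.assume_role_resource(ssm_params.SRA_SECURITY_ACCT, sts.CONFIGURATION_ROLE, "dynamodb", sts.HOME_REGION)
+
+item_found, find_result = dynamodb.find_item(
+STATE_TABLE,
+dynamodb_resource,
+SOLUTION_NAME,
+{
+"arn": f"arn:aws:kms:{region}:{acct}:key/{alarm_key_id}",
+},
+)
+if item_found is False:
+kms_key_record_id, iam_date_time = dynamodb.insert_item(STATE_TABLE, dynamodb_resource, SOLUTION_NAME)
+else:
+kms_key_record_id = find_result["record_id"]
+
+dynamodb.update_item(
+STATE_TABLE,
+dynamodb_resource,
+SOLUTION_NAME,
+kms_key_record_id,
+{
+"aws_service": "kms",
+"component_state": "implemented",
+"account": acct,
+"description": "secrets kms key",
+"component_region": region,
+"component_type": "key",
+"component_name": alarm_key_id,
+"key_id": alarm_key_id,
+"arn": f"arn:aws:kms:{region}:{acct}:key/{alarm_key_id}",
+"date_time": dynamodb.get_date_time(),
+},
+)
+
+item_found, find_result = dynamodb.find_item(
+STATE_TABLE,
+dynamodb_resource,
+SOLUTION_NAME,
+{
+"arn": f"arn:aws:kms:{region}:{acct}:{ALARM_SNS_KEY_ALIAS}",
+},
+)
+if item_found is False:
+kms_alias_record_id, iam_date_time = dynamodb.insert_item(STATE_TABLE, dynamodb_resource, SOLUTION_NAME)
+else:
+kms_alias_record_id = find_result["record_id"]
+
+dynamodb.update_item(
+STATE_TABLE,
+dynamodb_resource,
+SOLUTION_NAME,
+kms_alias_record_id,
+{
+"aws_service": "kms",
+"component_state": "implemented",
+"account": acct,
+"description": "secrets kms alias",
+"component_region": region,
+"component_type": "alias",
+"component_name": ALARM_SNS_KEY_ALIAS,
+"key_id": alarm_key_id,
+"arn": f"arn:aws:kms:{region}:{acct}:{ALARM_SNS_KEY_ALIAS}",
+"date_time": dynamodb.get_date_time(),
+},
+)
+
 
 # 4b) SNS topics for alarms
 sns.SNS_CLIENT = sts.assume_role(acct, sts.CONFIGURATION_ROLE, "sns", region)
@@ -766,6 +836,7 @@ def deploy_metric_filters_and_alarms(region, accounts, resource_properties):
 SRA_ALARM_TOPIC_ARN = topic_search
 
 # 4c) Cloudwatch metric filters and alarms
+# arn:aws:logs:<region>:<account-id>:metric-filter:<filter-name>
 if DRY_RUN is False:
 if filter_deploy is True:
 cloudwatch.CWLOGS_CLIENT = sts.assume_role(acct, sts.CONFIGURATION_ROLE, "logs", region)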
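Review bot: The `description` values written at new lines 754 and 786, `"secrets kms key"` and `"secrets kms alias"`, do not match the resource being recorded — the surrounding code (the log message at line 725 and the `KMSAliasCreate` dry-run entry) is about the SRA alarm KMS key and its `ALARM_SNS_KEY_ALIAS` alias, so these look copy-pasted and will mislabel the state-table records; suggest `"description": "sra alarm kms key",` and `"description": "sra alarm kms alias",`. The `iam_date_time` value returned by both `dynamodb.insert_item` calls (lines 741 and 773) is never used; binding it as `_` makes that explicit. The alias records use `f"arn:aws:kms:{region}:{acct}:{ALARM_SNS_KEY_ALIAS}"` both as the lookup key and as the stored ARN, which only forms a valid KMS alias ARN if `ALARM_SNS_KEY_ALIAS` already carries the `alias/` prefix — that is not visible here and is worth confirming, since the state table is presumably what later cleanup relies on to locate these resources. A short comment would also help the next reader, e.g. `# state table lives in the security account / home region, not in the key's region` above the `assume_role_resource` call. deploy_metric_filters_and_alarms continues outside both hunks; the second hunk only adds a comment.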
