add link creation; add sink/link deletes

cyphronix · cyphronix · commit ed14a727d8fc · 2024-10-17T11:17:23.000-06:00
diff --git a/aws_sra_examples/solutions/genai/bedrock_org/lambda/src/app.py b/aws_sra_examples/solutions/genai/bedrock_org/lambda/src/app.py
@@ -632,9 +632,35 @@ def create_event(event, context):
             "arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess",
             "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess"
         ]
-        
-
+        for policy_arn in cross_account_policies:
+            search_attached_policies = iam.check_iam_policy_attached(cloudwatch.CROSS_ACCOUNT_ROLE_NAME, policy_arn)
+            if search_attached_policies is False:
+                LOGGER.info(f"Attaching {policy_arn} policy to {cloudwatch.CROSS_ACCOUNT_ROLE_NAME} IAM role...")
+                if DRY_RUN is False:
+                    iam.attach_policy(cloudwatch.CROSS_ACCOUNT_ROLE_NAME, policy_arn)
+                    LIVE_RUN_DATA["OAMCrossAccountRolePolicyAttach"] = f"Attached {policy_arn} policy to {cloudwatch.CROSS_ACCOUNT_ROLE_NAME} IAM role"
+                    CFN_RESPONSE_DATA["deployment_info"]["action_count"] += 1
+                    CFN_RESPONSE_DATA["deployment_info"]["configuration_changes"] += 1
+                    LOGGER.info(f"Attached {policy_arn} policy to {cloudwatch.CROSS_ACCOUNT_ROLE_NAME} IAM role")
+                else:
+                    DRY_RUN_DATA["OAMCrossAccountRolePolicyAttach"] = f"DRY_RUN: Attach {policy_arn} policy to {cloudwatch.CROSS_ACCOUNT_ROLE_NAME} IAM role"
 
+        # 5d) OAM link
+        cloudwatch.CWOAM_CLIENT = sts.assume_role(bedrock_account, sts.CONFIGURATION_ROLE, "cloudwatch", region)
+        search_oam_link = cloudwatch.find_oam_link(oam_sink_arn)
+        if search_oam_link[0] is False:
+            if DRY_RUN is False:
+                LOGGER.info("CloudWatch observability access manager link not found, creating...")
+                cloudwatch.create_oam_link(oam_sink_arn)
+                LIVE_RUN_DATA["OAMLinkCreate"] = "Created CloudWatch observability access manager link"
+                CFN_RESPONSE_DATA["deployment_info"]["action_count"] += 1
+                CFN_RESPONSE_DATA["deployment_info"]["resources_deployed"] += 1
+                LOGGER.info("Created CloudWatch observability access manager link")
+            else:
+                LOGGER.info("DRY_RUN: CloudWatch observability access manager link not found, creating...")
+                DRY_RUN_DATA["OAMLinkCreate"] = "DRY_RUN: Create CloudWatch observability access manager link"
+        else:
+            LOGGER.info("CloudWatch observability access manager link found")
 
     # End
     # TODO(liamschn): Consider the 256 KB limit for any cloudwatch log message
diff --git a/aws_sra_examples/solutions/genai/bedrock_org/lambda/src/sra_cloudwatch.py b/aws_sra_examples/solutions/genai/bedrock_org/lambda/src/sra_cloudwatch.py
@@ -46,6 +46,7 @@ class sra_cloudwatch:
     SOLUTION_NAME: str = "sra-set-solution-name"
     SINK_POLICY = ""
     CROSS_ACCOUNT_ROLE_NAME = "CloudWatch-CrossAccountSharingRole"
+    CROSS_ACCOUNT_TRUST_POLICY = ""
 
     try:
         MANAGEMENT_ACCOUNT_SESSION = boto3.Session()
@@ -317,6 +318,22 @@ def put_oam_sink_policy(self, sink_arn: str, sink_policy: dict) -> None:
         except ClientError as e:
             self.LOGGER.info(self.UNEXPECTED)
             raise ValueError(f"Unexpected error executing Lambda function. {e}") from None
+    
+    def delete_oam_sink(self, sink_arn: str) -> None:
+        """Delete the Observability Access Manager sink for SRA in the organization.
+
+        Args:
+            sink_arn (str): ARN of the sink
+
+        Returns:
+            None
+        """
+        try:
+            self.CWOAM_CLIENT.delete_sink(Identifier=sink_arn)
+            self.LOGGER.info(f"Observability access manager sink {sink_arn} deleted")
+        except ClientError as e:
+            self.LOGGER.info(self.UNEXPECTED)
+            raise ValueError(f"Unexpected error executing Lambda function. {e}") from None
 
     def find_oam_link(self, sink_arn: str) -> tuple[bool, str]:
         """Find the Observability Access Manager link for SRA in the organization.
@@ -341,4 +358,52 @@ def find_oam_link(self, sink_arn: str) -> tuple[bool, str]:
                 return False, ""
             else:
                 self.LOGGER.info(self.UNEXPECTED)
-                raise ValueError(f"Unexpected error executing Lambda function. {error}") from None
+                raise ValueError(f"Unexpected error executing Lambda function. {error}") from None
+    
+    def create_oam_link(self, sink_arn: str) -> str:
+        """Create the Observability Access Manager link for SRA in the organization.
+
+        Args:
+            sink_arn (str): ARN of the sink
+
+        Returns:
+            str: ARN of the created link
+        """
+        try:
+            response = self.CWOAM_CLIENT.create_link(
+                LabelTemplate='$AccountName',
+                ResourceTypes=[
+                    "AWS::ApplicationInsights::Application",
+                    "AWS::InternetMonitor::Monitor",
+                    "AWS::Logs::LogGroup",
+                    "AWS::CloudWatch::Metric",
+                    "AWS::XRay::Trace"
+                ],
+                SinkIdentifier=sink_arn,
+                Tags={"sra-solution": self.SOLUTION_NAME}
+            )
+            self.LOGGER.info(f"Observability access manager link for {sink_arn} created: {response['Arn']}")
+            return response["Arn"]
+        except ClientError as error:
+            if error.response["Error"]["Code"] == "ConflictException":
+                self.LOGGER.info(f"Observability access manager link for {sink_arn} already exists")
+                return self.find_oam_link(sink_arn)[1]
+            else:
+                self.LOGGER.info(self.UNEXPECTED)
+                raise ValueError(f"Unexpected error executing Lambda function. {error}") from None
+    
+    def delete_oam_link(self, link_arn: str) -> None:
+        """Delete the Observability Access Manager link for SRA in the organization.
+
+        Args:
+            link_arn (str): ARN of the link
+
+        Returns:
+            None
+        """
+        try:
+            self.CWOAM_CLIENT.delete_link(Identifier=link_arn)
+            self.LOGGER.info(f"Observability access manager link for {link_arn} deleted")
+        except ClientError as e:
+            self.LOGGER.info(self.UNEXPECTED)
+            raise ValueError(f"Unexpected error executing Lambda function. {e}") from None
