artem-hatchenko · January 5, 2023 13:29
diff --git a/stop_aws_resources.yaml b/stop_aws_resources.yaml
 AWSTemplateFormatVersion: "2010-09-09"
 Description: 'Template for Lambda Fuction for stopping AWS resources (EC2, RDS, ASG)'
 
 ### OUTPUT ###
 Outputs:
  LambdaRoleARN:
    Description: Role for Lambda execution.
    Value:
      Fn::GetAtt:
        - LambdaRole
        - Arn
    Export:
      Name:
        Fn::Sub: LambdaRole
  LambdaFunctionName:
    Value:
      Ref: LambdaFunction
  LambdaFunctionARN:
    Description: Lambda function ARN.
    Value:
      Fn::GetAtt:
        - LambdaFunction
        - Arn
    Export:
      Name:
        Fn::Sub: LambdaARN

 ### RESOURCES ###
 Resources:
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: Stop-AWS-Resources-Lambda-Role
      AssumeRolePolicyDocument:
        Statement:
          - Action:
            - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
              - lambda.amazonaws.com
        Version: 2012-10-17
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSLambdaExecute
      Path: /
      Policies:
        - PolicyName: 
            Fn::Sub: Stop-AWS-Resources-Lambda-Policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - iam:GetRole
                  - iam:ListAttachedRolePolicies
                  - iam:AttachRolePolicy
                  - ec2:DescribeRegions
                  - ec2:DescribeInstances
                  - ec2:StopInstances
                  - rds:DescribeDBInstances 
                  - rds:StopDBInstance
                  - rds:ListTagsForResource
                  - autoscaling:DescribeAutoScalingGroups
                  - autoscaling:UpdateAutoScalingGroup
                Resource: "*"

  LambdaFunction:
    Type: AWS::Lambda::Function
    Properties: 
      Code:
        S3Bucket: "control-tower-playground"
        S3Key: "lambda_source/stop_aws_resources.zip"
      Description: Lambda Function checks the attached policy on newly created IAM roles.
      FunctionName: "Stop-AWS-Resources"
      Handler: main.main
      MemorySize: 128
      Role:
        Fn::GetAtt:
          - LambdaRole
          - Arn
      Runtime: python3.8
      Timeout: 300

  ScheduledRule: 
    Type: AWS::Events::Rule
    Properties:
      Name: "Stop-AWS-Resources"
      Description: "ScheduledRule for stopping AWS resources (EC2, RDS, ASG) at 20 p.m. by UTC"
      ScheduleExpression: "cron(0 20 * * ? *)"
      State: "ENABLED"
      Targets: 
        - 
          Arn: 
            Fn::GetAtt: 
              - "LambdaFunction"
              - "Arn"
          Id: "TargetFunctionV1"

  PermissionForEventsToInvokeLambda: 
    Type: AWS::Lambda::Permission
    Properties: 
      FunctionName: !Ref "LambdaFunction"
      Action: "lambda:InvokeFunction"
      Principal: "events.amazonaws.com"
      SourceArn: 
        Fn::GetAtt: 
          - "ScheduledRule"
          - "Arn"
	AWSTemplateFormatVersion: "2010-09-09"
	Description: 'Template for Lambda Fuction for stopping AWS resources (EC2, RDS, ASG)'

	### OUTPUT ###
	Outputs:
	LambdaRoleARN:
	Description: Role for Lambda execution.
	Value:
	Fn::GetAtt:
	- LambdaRole
	- Arn
	Export:
	Name:
	Fn::Sub: LambdaRole
	LambdaFunctionName:
	Value:
	Ref: LambdaFunction
	LambdaFunctionARN:
	Description: Lambda function ARN.
	Value:
	Fn::GetAtt:
	- LambdaFunction
	- Arn
	Export:
	Name:
	Fn::Sub: LambdaARN

	### RESOURCES ###
	Resources:
	LambdaRole:
	Type: AWS::IAM::Role
	Properties:
	RoleName:
	Fn::Sub: Stop-AWS-Resources-Lambda-Role
	AssumeRolePolicyDocument:
	Statement:
	- Action:
	- sts:AssumeRole
	Effect: Allow
	Principal:
	Service:
	- lambda.amazonaws.com
	Version: 2012-10-17
	ManagedPolicyArns:
	- arn:aws:iam::aws:policy/AWSLambdaExecute
	Path: /
	Policies:
	- PolicyName:
	Fn::Sub: Stop-AWS-Resources-Lambda-Policy
	PolicyDocument:
	Version: '2012-10-17'
	Statement:
	- Effect: Allow
	Action:
	- iam:GetRole
	- iam:ListAttachedRolePolicies
	- iam:AttachRolePolicy
	- ec2:DescribeRegions
	- ec2:DescribeInstances
	- ec2:StopInstances
	- rds:DescribeDBInstances
	- rds:StopDBInstance
	- rds:ListTagsForResource
	- autoscaling:DescribeAutoScalingGroups
	- autoscaling:UpdateAutoScalingGroup
	Resource: "*"

	LambdaFunction:
	Type: AWS::Lambda::Function
	Properties:
	Code:
	S3Bucket: "control-tower-playground"
	S3Key: "lambda_source/stop_aws_resources.zip"
	Description: Lambda Function checks the attached policy on newly created IAM roles.
	FunctionName: "Stop-AWS-Resources"
	Handler: main.main
	MemorySize: 128
	Role:
	Fn::GetAtt:
	- LambdaRole
	- Arn
	Runtime: python3.8
	Timeout: 300

	ScheduledRule:
	Type: AWS::Events::Rule
	Properties:
	Name: "Stop-AWS-Resources"
	Description: "ScheduledRule for stopping AWS resources (EC2, RDS, ASG) at 20 p.m. by UTC"
	ScheduleExpression: "cron(0 20 * * ? *)"
	State: "ENABLED"
	Targets:
	-
	Arn:
	Fn::GetAtt:
	- "LambdaFunction"
	- "Arn"
	Id: "TargetFunctionV1"

	PermissionForEventsToInvokeLambda:
	Type: AWS::Lambda::Permission
	Properties:
	FunctionName: !Ref "LambdaFunction"
	Action: "lambda:InvokeFunction"
	Principal: "events.amazonaws.com"
	SourceArn:
	Fn::GetAtt:
	- "ScheduledRule"
	- "Arn"