Changed the way secrets are retrieved

kcantrel · kcantrel · commit 1b023a80d428 · 2025-04-29T19:31:20.000-05:00
diff --git a/Monitoring/ingest_nas_audit_logs_into_cloudwatch/README.md b/Monitoring/ingest_nas_audit_logs_into_cloudwatch/README.md
@@ -39,15 +39,18 @@ systems that you want to ingest the audit logs from.
 
 **You can either create the following items before running the CloudFormation script, or allow it to create the items for you.**
 
-- AWS Endpoints. Since the Lambda function runs within your VPC it will not have access to the Internet, even if you can access the Internet
-from the Subnet it runs from. Although, if you are using an AWS Transit Gateway, you can configure it to allow the Lambda function to access the Internet.
-If you don't have a Transit Gateway then there needs to be an VPC endpoint for all the AWS services that the Lambda function uses.
+- AWS Endpoints. Since the Lambda function runs within your VPC it will have restrictions as to how it can access the Internet.
+It will not be able to access the Internet from a "Public" subnet (i.e. one that has a Internet gateway attached it it.) It will, however,
+be able to access the Internet through a Transit or a NAT gateway. So, if the subnets you plan to run this Lambda function from
+don't have a Transit or NAT gateway then there needs to be an VPC AWS service endpoint for all the AWS services that this Lambda function uses.
 Specifically, the Lambda function needs to be able to access the following AWS services:
   - FSx.
   - Secrets Manager.
   - CloudWatch Logs.
   - S3 - Note that typically there is a Gateway type VPC endpoint for S3, therefore you typically you don't need to create a VPC endpoint for S3.
 
+   **NOTE**: That if you specify to have the CloudFormation template create an endpoint and one already exist, it will cause the CloudFormation script to fail.
+
 - Role for the Lambda function. Create a role with the necessary permissions to allow the Lambda function to do the following:
 
 <!--- Using HTML to create a table that has rowspan attributes since the markdown table syntax does not support that. --->
@@ -69,7 +72,9 @@ Where:
 
 - &lt;accountID&gt; -  is your AWS account ID.
 - &lt;region&gt; - is the region where the FSx for ONTAP file systems are located.
-- &lt;secretName&gt; - is the name of the secret that contains the credentials for the fsxadmin accounts.
+- &lt;secretName&gt; - is the name of the secret that contains the credentials for the fsxadmin accounts. Note that this
+resource string, through wild card characters, must include all the secrets that the Lambda function will access. Or
+must list each secret ARN individually.
 
 Notes:
 - Since the Lambda function runs within your VPC it needs to be able to create and delete network interfaces.
@@ -96,6 +101,8 @@ and `DeleteNetworkInterface` actions. The correct resource line is `arn:aws:ec2:
     |s3BucketName|Yes|The name of the S3 bucket where the stats file is stored. This bucket must already exist.|
     |s3BucketRegion|Yes|The region of the S3 bucket resides.|
     |copyToS3|No|If set to `true` it will copy the audit logs to the S3 bucket specified in `s3BucketName`.|
+    |createWatchdogAlarm|No|If set to `true` it will create a CloudWatch alarm that will alert you if the Lambda function throws in error.|
+    |snsTopicArn|No|The ARN of the SNS topic to send the alarm to. This is required if `createWatchdogAlarm` is set to `true`.|
     |fsxnSecretARNsFile|No|The name of a file within the S3 bucket that contains the Secret ARNs for each for the FSxN file systems. The format of the file should be just `<fsID>=<secretARN>`. For example: `fs-0e8d9172fa5411111=arn:aws:secretsmanager:us-east-1:123456789012:secret:fsxadmin-abc123`|
     |fileSystem1ID|No|The ID of the first FSxN file system to ingest the audit logs from.|
     |fileSystem1SecretARN|No|The ARN of the secret that contains the credentials for the first FSx for Data ONTAP file system.|
@@ -107,8 +114,6 @@ and `DeleteNetworkInterface` actions. The correct resource line is `arn:aws:ec2:
     |fileSystem4SecretARN|No|The ARN of the secret that contains the credentials for the forth FSx for Data ONTAP file system.|
     |fileSystem5ID|No|The ID of the fifth FSx for Data ONTAP file system to ingest the audit logs from.|
     |fileSystem5SecretARN|No|The ARN of the secret that contains the credentials for the fifth FSx for Data ONTAP file system.|
-    |createWatchdogAlarm|No|If set to `true` it will create a CloudWatch alarm that will alert you if the Lambda function throws in error.|
-    |snsTopicArn|No|The ARN of the SNS topic to send the alarm to. This is required if `createWatchdogAlarm` is set to `true`.|
     |lambdaRoleArn|No|The ARN of the role that the Lambda function will use. If not provided, the CloudFormation script will create a role for you.|
     |schedulerRoleArn|No|The ARN of the role that the EventBridge scheduler will run as. If not provided, the CloudFormation script will create a role for you.|
     |createFsxEndpoint|No|If set to `true` it will create the VPC endpoints for the FSx service|
diff --git a/Monitoring/ingest_nas_audit_logs_into_cloudwatch/cloudformation-template.yaml b/Monitoring/ingest_nas_audit_logs_into_cloudwatch/cloudformation-template.yaml
@@ -16,6 +16,7 @@ Metadata:
           - s3BucketRegion
           - copyToS3
           - createWatchdogAlarm
+          - snsTopicArn
 
       - Label:
           default: "Secrets Manager specifications"
@@ -33,10 +34,14 @@ Metadata:
           - fileSystem5SecretARN
 
       - Label:
-          default: "Network Configuration"
-          - snsTopicArn
+          default: "Security Configuration"
+        Parameters:
           - lambdaRoleArn
           - schedulerRoleArn
+
+      - Label:
+          default: "VPC Endpoint Configuration"
+        Parameters:
           - createFSxEndpoint
           - createCloudWatchEndpoint
           - createSecretManagerEndpoint
@@ -45,9 +50,29 @@ Metadata:
           - vpcId
           - endpointSecurityGroupIds
 
-    ParameterLabels
-      ParamterFileWithListOfFileSystemIDsWithSecretARNs:
-        default: "File with list of FSxN file systems and their secret ARNs"
+    ParameterLabels:
+      volumeName:
+        default: "Volume Name"
+      checkInterval:
+        default: "Check Interval (minutes)"
+      logGroupName:
+        default: "CloudWatch Log Group Name"
+      subNetIds:
+        default: "Subnets for Lambda Function"
+      lambdaSecurityGroupIds:
+        default: "Security Groups for Lambda Function"
+      s3BucketName:
+        default: "S3 Bucket Name"
+      s3BucketRegion:
+        default: "S3 Bucket Region"
+      copyToS3:
+        default: "Copy to S3"
+      createWatchdogAlarm:
+        default: "Create Watchdog Alarm"
+      snsTopicArn:
+        default: "SNS Topic ARN"
+      fsxnSecretARNsFile:
+        default: "File with the list of FSxN file systems and their secret ARNs"
       fileSystem1ID:
         default: "File System 1 ID"
       fileSystem1SecretARN:
@@ -68,6 +93,24 @@ Metadata:
         default: "File System 5 ID"
       fileSystem5SecretARN:
         default: "File System 5 Secret ARN" 
+      lambdaRoleArn:
+        default: "Lambda Role ARN"
+      schedulerRoleArn:
+        default: "Scheduler Role ARN"
+      createFSxEndpoint:
+        default: "Create FSx Endpoint"
+      createCloudWatchEndpoint:
+        default: "Create CloudWatch Endpoint"
+      createSecretManagerEndpoint:
+        default: "Create Secrets Manager Endpoint"
+      createS3Endpoint:
+        default: "Create S3 Endpoint"
+      routeTableIds:
+        default: "Route Table IDs"
+      vpcId:
+        default: "VPC ID"
+      endpointSecurityGroupIds:
+        default: "Security Groups for VPC Endpoints"
 
 Parameters:
   volumeName:
@@ -78,35 +121,36 @@ Parameters:
     Description: "The interval, in minutes, to check for new audit logs to process."
     Type: Number
     Default: 5
+    MinValue: 1
 
   logGroupName:
-    Description: "The name of the CloudWatch log group to use to store the audit logs. This Log Group must already exist."
+    Description: "The name of the CloudWatch log group to store the audit logs to. This Log Group must already exist. It must be in the same region as this CloudFormation stack."
     Type: String
 
   subNetIds:
-    Description: "The subnet IDs where you want the Lambda function to run. There must be connectivity to all the FSxN management endpoints from these subnets. If creating VPC endpoints, the endpionts will be created in these subnets."
+    Description: "The subnet IDs where you want the Lambda function to run. There must be connectivity to all the FSxN management endpoints from these subnets. If creating VPC endpoints, the endpoints will be created in these subnets."
     Type: List<AWS::EC2::Subnet::Id>
 
   lambdaSecurityGroupIds:
     Description: "The security group IDs, comma separated list, to associate with the Lambda function. Must allow traffic outbound from the Lambda function over TCP port 443.to the FSxN management endpoints and AWS endpoints."
     Type: List<AWS::EC2::SecurityGroup::Id>
 
   s3BucketName:
-    Description: "The name of the s3 bucket to use to store the last message processed stats file."
+    Description: "The name of the S3 bucket where the last audit file processed stats file will be stored. Also, where the Lambda layer file should already be stored."
     Type: String
 
   s3BucketRegion:
-    Description: "The AWS region where the s3 bucket resides."
+    Description: "The AWS region where the S3 bucket resides."
     Type: String
 
   copyToS3:
-    Description: "Set to 'true' if you to copy the audit log files to the S3 bucket as well as sending the individual events to the CloudWatch log stream."
+    Description: "Set to 'true' if you want to copy the audit log files to the S3 bucket as well as sending the individual events to the CloudWatch log stream."
     Type: String
     Default: "false"
     AllowedValues: ["true", "false"]
 
   fsxnSecretARNsFile:
-    Description: "The name of the file that contains the list of FSxN file systems and their secret ARNs. Either provide this file or the individual file system IDs and secret ARNs below."
+    Description: "The name of the file that contains the list of FSxN file systems and their secret ARNs. It should already be stored in the S3 bucket. Either provide this file or the individual file system IDs and secret ARNs below."
     Type: String
     Default: ""
 
@@ -116,7 +160,7 @@ Parameters:
     Default: ""
 
   fileSystem1SecretARN:
-    Description: "The ARN of the secret in Secrets Manager that holds the credentials for the FSxN file system."
+    Description: "The ARN of the secret in Secrets Manager that holds the credentials for the FSxN file system specified above."
     Type: String
     Default: ""
 
@@ -126,7 +170,7 @@ Parameters:
     Default: ""
 
   fileSystem2SecretARN:
-    Description: "The ARN of the secret in Secrets Manager that holds the credentials for the FSxN file system."
+    Description: "The ARN of the secret in Secrets Manager that holds the credentials for the FSxN file system specified above."
     Type: String
     Default: ""
 
@@ -136,7 +180,7 @@ Parameters:
     Default: ""
 
   fileSystem3SecretARN:
-    Description: "The ARN of the secret in Secrets Manager that holds the credentials for the FSxN file system."
+    Description: "The ARN of the secret in Secrets Manager that holds the credentials for the FSxN file system specified above."
     Type: String
     Default: ""
 
@@ -146,7 +190,7 @@ Parameters:
     Default: ""
 
   fileSystem4SecretARN:
-    Description: "The ARN of the secret in Secrets Manager that holds the credentials for the FSxN file system."
+    Description: "The ARN of the secret in Secrets Manager that holds the credentials for the FSxN file system specified above."
     Type: String
     Default: ""
 
@@ -155,14 +199,19 @@ Parameters:
     Type: String
     Default: ""
 
+  fileSystem5SecretARN:
+    Description: "The ARN of the secret in Secrets Manager that holds the credentials for the FSxN file system specified above."
+    Type: String
+    Default: ""
+
   createWatchdogAlarm:
-    Description: "Create a CloudWatch alarm to monitor the Lambda function. It will send an alert to the SNS topic set below if the function throws an error."
+    Description: "Create a CloudWatch alarm to monitor the Lambda function. It will send an alert to the SNS topic set below if the Lambda function throws an error."
     Type: String
-    Default: "false"
+    Default: "true"
     AllowedValues: ["true", "false"]
 
   snsTopicArn:
-    Description: "The ARN of the SNS topic to use to send Watchdog alerts to. Only needed if you are creating a Watchdog alarm."
+    Description: "The ARN of the SNS topic where the Watchdog should send alerts to. Only needed if you are creating a Watchdog alarm. The topic must be in the same region as this CloudFormation stack."
     Type: String
     Default: ""
 
@@ -311,11 +360,15 @@ Resources:
               - Effect: "Allow"
                 Action:
                   - "secretsManager:GetSecretValue"
+                Resource: 
+                  - !Sub "arn:aws:secretsmanager:*:${AWS::AccountId}:secret:*"
+
+              - Effect: "Allow"
+                Action:
                   - "s3:GetObject"
                   - "s3:PutObject"
                   - "s3:ListBucket"
-                Resource: 
-                  - !Ref secretArn
+                Resource:
                   - !Sub "arn:aws:s3:::${s3BucketName}"
                   - !Sub "arn:aws:s3:::${s3BucketName}/*"
 
