Add Service Quotas Module (#233)

Author: jklobo

data-collection/deploy/deploy-data-collection.yaml

@@ -35,6 +35,7 @@ Metadata:
           - IncludeAWSFeedsModule
           - IncludeLicenseManagerModule
           - IncludeQuickSightModule
+          - IncludeServiceQuotasModule
     ParameterLabels:
       DestinationBucket:
         default: 'Destination S3 bucket prefix'
@@ -86,6 +87,8 @@ Metadata:
         default: 'Include AWS Health Events Module'
       IncludeLicenseManagerModule:
         default: 'Include Marketplace Licensing Collection'
+      IncludeServiceQuotasModule:
+        default: 'Include Service Quota Data Collection'
       IncludeQuickSightModule:
         default: 'Include QuickSight User Collection Module'
 
@@ -237,6 +240,11 @@ Parameters:
     Description: Collects Marketplace Licenses and Grants
     AllowedValues: ['yes', 'no']
     Default: 'no'
+  IncludeServiceQuotasModule:
+   Type: String
+   Description: Collects AWS Service Quotas data
+   AllowedValues: ['yes', 'no']
+   Default: 'no'
 
 Conditions:
   DeployTAModule: !Equals [ !Ref IncludeTAModule, "yes"]
@@ -255,6 +263,7 @@ Conditions:
   DeployHealthEventsModule: !Equals [ !Ref IncludeHealthEventsModule, "yes"]
   DeployLicenseManagerModule: !Equals [ !Ref IncludeLicenseManagerModule, "yes"]
   DeployQuickSightModule: !Equals [ !Ref IncludeQuickSightModule, "yes"]
+  DeployServiceQuotasModule: !Equals [ !Ref IncludeServiceQuotasModule, "yes"]
   DeployPricingModule: !Or
     - !Condition DeployInventoryCollectorModule
     - !Condition DeployRDSUtilizationModule
@@ -276,6 +285,7 @@ Conditions:
       - !Condition DeployHealthEventsModule
       - !Condition DeployLicenseManagerModule
       - !Condition DeployQuickSightModule
+      - !Condition DeployServiceQuotasModule
   RegionsInScopeIsEmpty: !Equals
     - !Join [ '', !Split [ ' ', !Ref RegionsInScope  ] ] # remove spaces
     - ""
@@ -1223,6 +1233,31 @@ Resources:
         StepFunctionExecutionRoleARN: !GetAtt StepFunctionExecutionRole.Arn
         SchedulerExecutionRoleARN: !GetAtt SchedulerExecutionRole.Arn
 
+  ServiceQuotasModule:
+    Type: AWS::CloudFormation::Stack
+    Condition: DeployServiceQuotasModule
+    Properties:
+      TemplateURL: !Sub "https://${CFNSourceBucket}.s3.amazonaws.com/cfn/data-collection/module-service-quotas.yaml"
+      Parameters:
+        DatabaseName: !Ref DatabaseName
+        DestinationBucket: !Ref S3Bucket
+        DestinationBucketARN: !GetAtt S3Bucket.Arn
+        MultiAccountRoleName: !Sub "${ResourcePrefix}${MultiAccountRoleName}"
+        Schedule: !Ref ScheduleFrequent
+        GlueRoleARN: !GetAtt GlueRole.Arn
+        ResourcePrefix: !Ref ResourcePrefix
+        LambdaAnalyticsARN: !GetAtt LambdaAnalytics.Arn
+        AccountCollectorLambdaARN: !Sub "${AccountCollector.Outputs.LambdaFunctionARN}"
+        CodeBucket: !If [ ProdCFNTemplateUsed, !FindInMap [RegionMap, !Ref "AWS::Region", CodeBucket], !Ref CFNSourceBucket ]
+        StepFunctionTemplate: !FindInMap [StepFunctionCode, main-v3, TemplatePath]
+        StepFunctionExecutionRoleARN: !GetAtt StepFunctionExecutionRole.Arn
+        SchedulerExecutionRoleARN: !GetAtt SchedulerExecutionRole.Arn
+        RegionsInScope:
+          Fn::If:
+            - RegionsInScopeIsEmpty
+            - !Sub "${AWS::Region}"
+            - !Join [ '', !Split [ ' ', !Ref RegionsInScope  ] ] # remove spaces
+
   QuickSightModule:
     Type: AWS::CloudFormation::Stack
     Condition: DeployQuickSightModule

data-collection/deploy/deploy-data-read-permissions.yaml

@@ -29,6 +29,7 @@ Metadata:
           - IncludeTAModule
           - IncludeTransitGatewayModule
           - IncludeLicenseManagerModule
+          - IncludeServiceQuotasModule
     ParameterLabels:
       ManagementAccountRole:
         default: "Management account role"
@@ -70,6 +71,8 @@ Metadata:
         default: "Include AWS Health Events Module"
       IncludeLicenseManagerModule:
         default: "Include Marketplace Licensing Module"
+      IncludeServiceQuotasModule:
+        default: "Include Service Quotas Module"
 Parameters:
   ManagementAccountRole:
     Type: String
@@ -165,6 +168,11 @@ Parameters:
     Description: Collects Marketplace Licensing information
     AllowedValues: ['yes', 'no']
     Default: 'no'
+  IncludeServiceQuotasModule:
+    Type: String
+    Description: Collects Service Quotas information
+    AllowedValues: ['yes', 'no']
+    Default: 'no'
 
 Conditions:
   DeployModuleReadInMgmt: !Equals [!Ref AllowModuleReadInMgmt, "yes"]
@@ -185,6 +193,7 @@ Resources:
         IncludeBackupModule: !Ref IncludeBackupModule
         IncludeHealthEventsModule: !Ref IncludeHealthEventsModule
         IncludeLicenseManagerModule: !Ref IncludeLicenseManagerModule
+        IncludeServiceQuotasModule: !Ref IncludeServiceQuotasModule
   DataCollectorMgmtAccountModulesReadStack:
     Type: AWS::CloudFormation::Stack
     Condition: DeployModuleReadInMgmt
@@ -201,6 +210,7 @@ Resources:
         IncludeRDSUtilizationModule: !Ref IncludeRDSUtilizationModule
         IncludeBudgetsModule: !Ref IncludeBudgetsModule
         IncludeTransitGatewayModule: !Ref IncludeTransitGatewayModule
+        IncludeServiceQuotasModule: !Ref IncludeServiceQuotasModule
   DataCollectorOrgAccountModulesReadStackSet:
     Type: AWS::CloudFormation::StackSet
     Properties:
@@ -236,6 +246,8 @@ Resources:
           ParameterValue: !Ref IncludeBudgetsModule
         - ParameterKey: IncludeTransitGatewayModule
           ParameterValue: !Ref IncludeTransitGatewayModule
+        - ParameterKey: IncludeServiceQuotasModule
+          ParameterValue: !Ref IncludeServiceQuotasModule
       StackInstancesGroup:
         - DeploymentTargets:
             OrganizationalUnitIds: !Split [",", !Ref OrganizationalUnitIds]

data-collection/deploy/deploy-in-linked-account.yaml

@@ -19,6 +19,7 @@ Metadata:
         - IncludeTAModule
         - IncludeSupportCasesModule
         - IncludeTransitGatewayModule
+        - IncludeServiceQuotasModule
     ParameterLabels:
       DataCollectionAccountID:
         default: 'Data Collection Account ID'
@@ -40,6 +41,8 @@ Metadata:
         default: 'Include Budgets Collection Module'
       IncludeTransitGatewayModule:
         default: 'Include Transit Gateway Module'
+      IncludeServiceQuotasModule:
+        default: 'Include Service Quotas Module'
 
 Parameters:
   DataCollectionAccountID:
@@ -88,6 +91,11 @@ Parameters:
     Description: Collects TransitGateway from your accounts
     AllowedValues: ['yes', 'no']
     Default: 'no'
+  IncludeServiceQuotasModule:
+    Type: String
+    Description: Collects Service Quotas from your accounts
+    AllowedValues: ['yes', 'no']
+    Default: 'no'
 
 Conditions:
   IncludeTAModulePolicy: !Equals
@@ -111,6 +119,9 @@ Conditions:
   IncludeTransitGatewayModulePolicy: !Equals
     - !Ref IncludeTransitGatewayModule
     - "yes"
+  IncludeServiceQuotasModulePolicy: !Equals
+    - !Ref IncludeServiceQuotasModule
+    - "yes"
 
 Outputs:
   LambdaRole:
@@ -139,6 +150,7 @@ Resources:
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}transit-gateway-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}trusted-advisor-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}support-cases-LambdaRole"
+                  - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}service-quotas-LambdaRole"
       Path: /
     Metadata:
       cfn_nag:
@@ -298,6 +310,33 @@ Resources:
             Resource: "*" ## Policy is used for scanning of a wide range of resources
       Roles:
         - Ref: LambdaRole
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W12
+            reason: "Policy is used for scanning of a wide range of resources"
+  ServiceQuotasReadOnlyPolicy:
+    Type: 'AWS::IAM::Policy'
+    Condition: IncludeServiceQuotasModulePolicy
+    Properties:
+      PolicyName: ServiceQuotasReadOnlyPolicy
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: "Allow"
+            Action:
+              - "servicequotas:ListRequestedServiceQuotaChangeHistory"
+              - "servicequotas:GetServiceQuota"
+              - "servicequotas:GetAWSDefaultServiceQuota"
+              - "rds:DescribeAccountAttributes"
+              - "elasticloadbalancing:DescribeAccountLimits"
+              - "dynamodb:DescribeLimits"
+              - "cloudformation:DescribeAccountLimits"
+              - "autoscaling:DescribeAccountLimits"
+              - "route53:GetAccountLimit"
+            Resource: "*" ## Policy is used for scanning a wide range of resources. All service quotas in this case. All of them.
+      Roles:
+        - Ref: LambdaRole
     Metadata:
       cfn_nag:
         rules_to_suppress:

data-collection/deploy/deploy-in-management-account.yaml

@@ -19,6 +19,7 @@ Metadata:
           - IncludeHealthEventsModule
           - IncludeRightsizingModule
           - IncludeLicenseManagerModule
+          - IncludeServiceQuotasModule
     ParameterLabels:
       ManagementAccountRole:
         default: "Management account role"
@@ -40,6 +41,8 @@ Metadata:
         default: "Include Health Events Module"
       IncludeLicenseManagerModule:
         default: "Include Marketplace Licensing Module"
+      IncludeServiceQuotasModule:
+        default: "Include Service Quotas Module"
 Parameters:
   DataCollectionAccountID:
     Type: String
@@ -87,6 +90,11 @@ Parameters:
     Description: Collects Marketplace Licensing Information from your accounts
     AllowedValues: ['yes', 'no']
     Default: 'no'
+  IncludeServiceQuotasModule:
+    Type: String
+    Description: Collects Service Quotas Information from your accounts
+    AllowedValues: ['yes', 'no']
+    Default: 'no'
 
 Conditions:
   EnableComputeOptimizerModule: !Equals [!Ref IncludeComputeOptimizerModule, "yes"]
@@ -96,6 +104,7 @@ Conditions:
   EnableBackupModule: !Equals [!Ref IncludeBackupModule, "yes"]
   EnableHealthEventsModule: !Equals [!Ref IncludeHealthEventsModule, "yes"]
   EnableLicenseManagerModule: !Equals [!Ref IncludeLicenseManagerModule, "yes"]
+  EnableServiceQuotasModule: !Equals [!Ref IncludeServiceQuotasModule, "yes"]
 
 Outputs:
   LambdaRole:
@@ -129,6 +138,7 @@ Resources:
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}health-events-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}license-manager-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}RLS-LambdaRole"
+                  - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}service-quotas-LambdaRole"
       Path: /
     Metadata:
       cfn_nag:
@@ -348,6 +358,33 @@ Resources:
             Resource: "*"
       Roles:
         - Ref: LambdaRole
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W12
+            reason: "Policy is used for scanning of a wide range of resources"
+  ServiceQuotasPolicy:
+    Type: "AWS::IAM::Policy"
+    Condition: EnableServiceQuotasModule
+    Properties:
+      PolicyName: ServiceQuotasPolicy
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: "Allow"
+            Action:
+              - "servicequotas:ListRequestedServiceQuotaChangeHistory"
+              - "servicequotas:GetServiceQuota"
+              - "servicequotas:GetAWSDefaultServiceQuota"
+              - "rds:DescribeAccountAttributes"
+              - "elasticloadbalancing:DescribeAccountLimits"
+              - "dynamodb:DescribeLimits"
+              - "cloudformation:DescribeAccountLimits"
+              - "autoscaling:DescribeAccountLimits"
+              - "route53:GetAccountLimit"
+            Resource: "*" ## Policy is used for scanning a wide range of resources. All service quotas in this case. All of them.
+      Roles:
+        - Ref: LambdaRole
     Metadata:
       cfn_nag:
         rules_to_suppress: