Merge branch 'main' into instrumentation

Author: esc1144

data-collection/deploy/deploy-data-collection.yaml

@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: '2010-09-09'
-Description: CID Data Collection Stack v3.6.4
+Description: CID Data Collection Stack v3.8.0
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
@@ -30,13 +30,22 @@ Metadata:
           - IncludeInventoryCollectorModule
           - IncludeOrgDataModule
           - IncludeRDSUtilizationModule
+          - IncludeEUCUtilizationModule
           - IncludeRightsizingModule
           - IncludeTAModule
           - IncludeTransitGatewayModule
           - IncludeAWSFeedsModule
           - IncludeLicenseManagerModule
           - IncludeQuickSightModule
           - IncludeServiceQuotasModule
+      - Label:
+          default: 'EUC Module Configuration'
+        Parameters:
+          - IncludeEUCUtilizationModule
+      - Label:
+          default: 'EUC Module Settings'
+        Parameters:
+          - EUCAccountIDs        
     ParameterLabels:
       DestinationBucket:
         default: 'Destination S3 bucket prefix'
@@ -76,6 +85,10 @@ Metadata:
         default: 'Include ECS Chargeback Data Collection Module'
       IncludeRDSUtilizationModule:
         default: 'Include RDS Utilization Data Collection Module'
+      IncludeEUCUtilizationModule:
+        default: 'Include WorkSpaces Utilization Data Collection Module'
+      EUCAccountIDs:
+        default: 'WorkSpaces Account IDs (optional)'
       IncludeOrgDataModule:
         default: 'Include AWS Organization Data Collection Module'
       IncludeBudgetsModule:
@@ -140,11 +153,11 @@ Parameters:
     Default: "Optimization-Data-Multi-Account-Role"
   Schedule:
     Type: String
-    Description: EventBridge schedule to trigger data collection for Trusted Advisor, Compute Optimizer, Organizations Data, Rightsizing, RDS Utilization, Inventory Collector, Transit Gateway, Backup, and ECS Chargeback modules (see docs for tailoring the schedule for each module).
+    Description: "EventBridge schedule to trigger data collection for Trusted Advisor, Compute Optimizer, Organizations Data, Rightsizing, RDS Utilization, Inventory Collector, Transit Gateway, Backup, and ECS Chargeback modules (see docs for tailoring the schedule for each module). Recommended value: rate(14 days). Increasing data collection frequency will trigger additional cost, avoid setting the data collection schedule to more than once per day."
     Default: "rate(14 days)"
   ScheduleFrequent:
     Type: String
-    Description: EventBridge schedule to trigger data collection for Cost Anomalies, Budgets, Support Cases and Health Events modules (see docs for tailoring the schedule for each module).
+    Description: "EventBridge schedule to trigger data collection for Cost Anomalies, Budgets, Support Cases and Health Events modules (see docs for tailoring the schedule for each module). Recommended value: rate(1 day).  Increasing data collection frequency will trigger additional cost, avoid setting the data collection schedule to more than once per day."
     Default: "rate(1 day)"
   RegionsInScope:
     Type: String
@@ -208,6 +221,15 @@ Parameters:
     Description: Collects RDS CloudWatch metrics from your accounts
     AllowedValues: ['yes', 'no']
     Default: 'no'
+  IncludeEUCUtilizationModule:
+    Type: String
+    Description: Collects WorkSpaces CloudWatch metrics from your accounts
+    AllowedValues: ['yes', 'no']
+    Default: 'no'  
+  EUCAccountIDs:
+    Type: String
+    Description: "Optional, If you enable EUC Utilization or Inventory module and you use Amazon WorkSpaces, please provide a comma-separated list of account IDs where WorkSpaces are deployed. If left blank, metrics will be collected from all linked accounts in the Organization."
+    Default: ""
   IncludeOrgDataModule:
     Type: String
     Description: Collects AWS Organizations data such as account Id, account name, organization parent and specified tags
@@ -263,6 +285,7 @@ Conditions:
   DeployComputeOptimizerModule: !Equals [ !Ref IncludeComputeOptimizerModule, "yes"]
   DeployEcsChargebackModule: !Equals [ !Ref IncludeECSChargebackModule, "yes"]
   DeployRDSUtilizationModule: !Equals [ !Ref IncludeRDSUtilizationModule, "yes"]
+  DeployEUCUtilizationModule: !Equals [ !Ref IncludeEUCUtilizationModule, "yes"]
   DeployOrgDataModule: !Equals [ !Ref IncludeOrgDataModule, "yes"]
   DeployBudgetsModule: !Equals [ !Ref IncludeBudgetsModule, "yes"]
   DeployTransitGatewayModule: !Equals [ !Ref IncludeTransitGatewayModule, "yes"]
@@ -275,6 +298,7 @@ Conditions:
   DeployPricingModule: !Or
     - !Condition DeployInventoryCollectorModule
     - !Condition DeployRDSUtilizationModule
+    - !Condition DeployEUCUtilizationModule
   DeployAccountCollector: !Or
     - Fn::Or:
       - !Condition DeployTAModule
@@ -294,6 +318,7 @@ Conditions:
       - !Condition DeployLicenseManagerModule
       - !Condition DeployQuickSightModule
       - !Condition DeployServiceQuotasModule
+      - !Condition DeployEUCUtilizationModule 
   RegionsInScopeIsEmpty: !Equals
     - !Join [ '', !Split [ ' ', !Ref RegionsInScope  ] ] # remove spaces
     - ""
@@ -1214,6 +1239,60 @@ Resources:
             - !Sub "${AWS::Region}"
             - !Join [ '', !Split [ ' ', !Ref RegionsInScope  ] ] # remove spaces
 
+  EUCUsageModule:
+    Type: AWS::CloudFormation::Stack
+    Condition: DeployEUCUtilizationModule
+    Properties:
+      TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/module-workspaces-metrics.yaml"
+      Parameters:
+        DatabaseName: !Ref DatabaseName
+        DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
+        DestinationBucket: !Ref S3Bucket
+        DestinationBucketARN: !GetAtt S3Bucket.Arn
+        GlueRoleARN: !GetAtt GlueRole.Arn
+        MultiAccountRoleName: !Sub "${ResourcePrefix}${MultiAccountRoleName}"
+        Schedule: !Ref Schedule
+        ResourcePrefix: !Ref ResourcePrefix
+        LambdaAnalyticsARN: !GetAtt LambdaAnalytics.Arn
+        AccountCollectorLambdaARN: !Sub "${AccountCollector.Outputs.LambdaFunctionARN}"
+        CodeBucket: !If [ ProdCFNTemplateUsed, !FindInMap [RegionMap, !Ref "AWS::Region", CodeBucket], !Ref CFNSourceBucket ]
+        StepFunctionTemplate: !FindInMap [StepFunctionCode, main-v4-3, TemplatePath]
+        StepFunctionExecutionRoleARN: !GetAtt StepFunctionExecutionRole.Arn
+        SchedulerExecutionRoleARN: !GetAtt SchedulerExecutionRole.Arn
+        EUCAccountIDs: !Ref EUCAccountIDs
+        RegionsInScope:
+          Fn::If:
+            - RegionsInScopeIsEmpty
+            - !Sub "${AWS::Region}"
+            - !Join [ '', !Split [ ' ', !Ref RegionsInScope  ] ] # remove spaces
+
+  EUCUsageModule:
+    Type: AWS::CloudFormation::Stack
+    Condition: DeployEUCUtilizationModule
+    Properties:
+      TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/module-workspaces-metrics.yaml"
+      Parameters:
+        DatabaseName: !Ref DatabaseName
+        DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
+        DestinationBucket: !Ref S3Bucket
+        DestinationBucketARN: !GetAtt S3Bucket.Arn
+        GlueRoleARN: !GetAtt GlueRole.Arn
+        MultiAccountRoleName: !Sub "${ResourcePrefix}${MultiAccountRoleName}"
+        Schedule: !Ref Schedule
+        ResourcePrefix: !Ref ResourcePrefix
+        LambdaAnalyticsARN: !GetAtt LambdaAnalytics.Arn
+        AccountCollectorLambdaARN: !Sub "${AccountCollector.Outputs.LambdaFunctionARN}"
+        CodeBucket: !If [ ProdCFNTemplateUsed, !FindInMap [RegionMap, !Ref "AWS::Region", CodeBucket], !Ref CFNSourceBucket ]
+        StepFunctionTemplate: !FindInMap [StepFunctionCode, main-v3, TemplatePath]
+        StepFunctionExecutionRoleARN: !GetAtt StepFunctionExecutionRole.Arn
+        SchedulerExecutionRoleARN: !GetAtt SchedulerExecutionRole.Arn
+        EUCAccountIDs: !Ref EUCAccountIDs
+        RegionsInScope:
+          Fn::If:
+            - RegionsInScopeIsEmpty
+            - !Sub "${AWS::Region}"
+            - !Join [ '', !Split [ ' ', !Ref RegionsInScope  ] ] # remove spaces
+
   OrgDataModule:
     Type: AWS::CloudFormation::Stack
     Condition: DeployOrgDataModule

data-collection/deploy/deploy-data-read-permissions.yaml

@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: "2010-09-09"
-Description: CID Data Collection - All-in-One for Management Account v3.6.4
+Description: CID Data Collection - All-in-One for Management Account v3.8.0
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
@@ -25,6 +25,7 @@ Metadata:
           - IncludeHealthEventsModule
           - IncludeInventoryCollectorModule
           - IncludeRDSUtilizationModule
+          - IncludeEUCUtilizationModule
           - IncludeRightsizingModule
           - IncludeTAModule
           - IncludeTransitGatewayModule
@@ -59,6 +60,8 @@ Metadata:
         default: "Include Inventory Collector Module"
       IncludeRDSUtilizationModule:
         default: "Include RDS Utilization Data Collection Module"
+      IncludeEUCUtilizationModule:
+        default: "Include WorkSpaces Utilization Data Collection Module"
       IncludeRightsizingModule:
         default: "Include Rightsizing Recommendations Data Collection Module"
       IncludeTAModule:
@@ -138,6 +141,11 @@ Parameters:
     Description: Collects RDS CloudWatch metrics from your accounts
     AllowedValues: ['yes', 'no']
     Default: 'no'
+  IncludeEUCUtilizationModule:
+    Type: String
+    Description: Collects WorkSpaces CloudWatch metrics from your accounts
+    AllowedValues: ['yes', 'no']
+    Default: 'no'
   IncludeRightsizingModule:
     Type: String
     Description: "Collects AWS Cost Explorer Rightsizing Recommendations"
@@ -208,13 +216,14 @@ Resources:
         IncludeInventoryCollectorModule: !Ref IncludeInventoryCollectorModule
         IncludeECSChargebackModule: !Ref IncludeECSChargebackModule
         IncludeRDSUtilizationModule: !Ref IncludeRDSUtilizationModule
+        IncludeEUCUtilizationModule: !Ref IncludeEUCUtilizationModule       
         IncludeBudgetsModule: !Ref IncludeBudgetsModule
         IncludeTransitGatewayModule: !Ref IncludeTransitGatewayModule
         IncludeServiceQuotasModule: !Ref IncludeServiceQuotasModule
   DataCollectorOrgAccountModulesReadStackSet:
     Type: AWS::CloudFormation::StackSet
     Properties:
-      Description: "StackSet in charge of deploying read roles across organization accounts v3.6.4"
+      Description: "StackSet in charge of deploying read roles across organization accounts v3.8.0"
       PermissionModel: SERVICE_MANAGED
       AutoDeployment:
         Enabled: true
@@ -242,6 +251,8 @@ Resources:
           ParameterValue: !Ref IncludeECSChargebackModule
         - ParameterKey: IncludeRDSUtilizationModule
           ParameterValue: !Ref IncludeRDSUtilizationModule
+        - ParameterKey: IncludeEUCUtilizationModule
+          ParameterValue: !Ref IncludeEUCUtilizationModule          
         - ParameterKey: IncludeBudgetsModule
           ParameterValue: !Ref IncludeBudgetsModule
         - ParameterKey: IncludeTransitGatewayModule

data-collection/deploy/deploy-in-linked-account.yaml

@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: '2010-09-09'
-Description: CID Data Collection - Role for Linked Account v3.6.4
+Description: CID Data Collection - Role for Linked Account v3.8.0
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
@@ -16,6 +16,7 @@ Metadata:
         - IncludeECSChargebackModule
         - IncludeInventoryCollectorModule
         - IncludeRDSUtilizationModule
+        - IncludeEUCUtilizationModule
         - IncludeTAModule
         - IncludeSupportCasesModule
         - IncludeTransitGatewayModule
@@ -37,6 +38,8 @@ Metadata:
         default: 'Include ECS Chargeback Data Collection Module'
       IncludeRDSUtilizationModule:
         default: 'Include RDS Utilization Data Collection Module'
+      IncludeEUCUtilizationModule:
+        default: 'Include WorkSpaces Utilization Data Collection Module'     
       IncludeBudgetsModule:
         default: 'Include Budgets Collection Module'
       IncludeTransitGatewayModule:
@@ -81,6 +84,11 @@ Parameters:
     Description: Collects RDS CloudWatch metrics from your accounts
     AllowedValues: ['yes', 'no']
     Default: 'no'
+  IncludeEUCUtilizationModule:
+    Type: String
+    Description: Collects WorkSpaces CloudWatch metrics from your accounts
+    AllowedValues: ['yes', 'no']
+    Default: 'no' 
   IncludeBudgetsModule:
     Type: String
     Description: Collects budgets from your accounts
@@ -113,6 +121,9 @@ Conditions:
   IncludeRDSUtilizationModulePolicy: !Equals
     - !Ref IncludeRDSUtilizationModule
     - "yes"
+  IncludeEUCUtilizationModulePolicy: !Equals
+    - !Ref IncludeEUCUtilizationModule
+    - "yes"
   IncludeBudgetsModulePolicy: !Equals
     - !Ref IncludeBudgetsModule
     - "yes"
@@ -146,6 +157,7 @@ Resources:
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}budgets-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}ecs-chargeback-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}inventory-LambdaRole"
+                  - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}workspaces-metrics-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}rds-usage-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}transit-gateway-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}trusted-advisor-LambdaRole"
@@ -241,6 +253,9 @@ Resources:
               - "eks:ListNodegroups"
               - "eks:DescribeNodegroup"
               - "lambda:ListFunctions"
+              - "workspaces:DescribeWorkspaces"
+              - "workspaces:DescribeWorkspaceDirectories"
+              - "workspaces:DescribeWorkspacesConnectionStatus"            
             Resource: "*" ## Policy is used for scanning of a wide range of resources
       Roles:
         - Ref: LambdaRole
@@ -295,6 +310,32 @@ Resources:
         rules_to_suppress:
           - id: W12
             reason: "Policy is used for scanning of a wide range of resources"
+  EUCUtilizationPolicy:
+    Type: 'AWS::IAM::Policy'
+    Condition: IncludeEUCUtilizationModulePolicy
+    Properties:
+      PolicyName: EUCUtilizationPolicy
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: "Allow"
+            Action:
+              - "workspaces:DescribeWorkspaces"
+            Resource: "*"  ## Policy is used for scanning of a wide range of resources
+          - Effect: "Allow"
+            Action:
+              - "ec2:DescribeRegions"
+              - "cloudwatch:GetMetricStatistics"
+              - "cloudwatch:ListMetrics"
+            Resource: "*" ## Policy is used for scanning of a wide range of resources
+      Roles:
+        - Ref: LambdaRole
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W12
+            reason: "Policy is used for scanning of a wide range of resources"
+
   TransitGatewayPolicy:
     Type: 'AWS::IAM::Policy'
     Condition: IncludeTransitGatewayModulePolicy

data-collection/deploy/deploy-in-management-account.yaml

@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: '2010-09-09'
-Description: CID Data Collection - Role for Management Account v3.6.4
+Description: CID Data Collection - Role for Management Account v3.8.0
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:

data-collection/deploy/module-compute-optimizer.yaml

@@ -330,7 +330,6 @@ Resources:
                     Status: Enabled
                     NoncurrentVersionExpiration:
                       NoncurrentDays: 1
-                      NewerNoncurrentVersions: 1
       Tags: # Hacky way to manage dependencies
         - Key: IgnoreMeIamOnlyWorkaround
           Value: !GetAtt StackSetExecutionRole.Arn