Additional functionality to Capture WorkSpaces Cloudwatch Metrics (#305)

Author: chodono-aws

data-collection/deploy/deploy-data-collection.yaml

@@ -30,13 +30,22 @@ Metadata:
           - IncludeInventoryCollectorModule
           - IncludeOrgDataModule
           - IncludeRDSUtilizationModule
+          - IncludeEUCUtilizationModule
           - IncludeRightsizingModule
           - IncludeTAModule
           - IncludeTransitGatewayModule
           - IncludeAWSFeedsModule
           - IncludeLicenseManagerModule
           - IncludeQuickSightModule
           - IncludeServiceQuotasModule
+      - Label:
+          default: 'EUC Module Configuration'
+        Parameters:
+          - IncludeEUCUtilizationModule
+      - Label:
+          default: 'EUC Module Settings'
+        Parameters:
+          - EUCAccountIDs        
     ParameterLabels:
       DestinationBucket:
         default: 'Destination S3 bucket prefix'
@@ -76,6 +85,10 @@ Metadata:
         default: 'Include ECS Chargeback Data Collection Module'
       IncludeRDSUtilizationModule:
         default: 'Include RDS Utilization Data Collection Module'
+      IncludeEUCUtilizationModule:
+        default: 'Include WorkSpaces Utilization Data Collection Module'
+      EUCAccountIDs:
+        default: 'WorkSpaces Account IDs (optional)'
       IncludeOrgDataModule:
         default: 'Include AWS Organization Data Collection Module'
       IncludeBudgetsModule:
@@ -207,6 +220,15 @@ Parameters:
     Description: Collects RDS CloudWatch metrics from your accounts
     AllowedValues: ['yes', 'no']
     Default: 'no'
+  IncludeEUCUtilizationModule:
+    Type: String
+    Description: Collects WorkSpaces CloudWatch metrics from your accounts
+    AllowedValues: ['yes', 'no']
+    Default: 'no'  
+  EUCAccountIDs:
+    Type: String
+    Description: "Optional, If you enable EUC Utilization or Inventory module and you use Amazon WorkSpaces, please provide a comma-separated list of account IDs where WorkSpaces are deployed. If left blank, metrics will be collected from all linked accounts in the Organization."
+    Default: ""
   IncludeOrgDataModule:
     Type: String
     Description: Collects AWS Organizations data such as account Id, account name, organization parent and specified tags
@@ -262,6 +284,7 @@ Conditions:
   DeployComputeOptimizerModule: !Equals [ !Ref IncludeComputeOptimizerModule, "yes"]
   DeployEcsChargebackModule: !Equals [ !Ref IncludeECSChargebackModule, "yes"]
   DeployRDSUtilizationModule: !Equals [ !Ref IncludeRDSUtilizationModule, "yes"]
+  DeployEUCUtilizationModule: !Equals [ !Ref IncludeEUCUtilizationModule, "yes"]
   DeployOrgDataModule: !Equals [ !Ref IncludeOrgDataModule, "yes"]
   DeployBudgetsModule: !Equals [ !Ref IncludeBudgetsModule, "yes"]
   DeployTransitGatewayModule: !Equals [ !Ref IncludeTransitGatewayModule, "yes"]
@@ -274,6 +297,7 @@ Conditions:
   DeployPricingModule: !Or
     - !Condition DeployInventoryCollectorModule
     - !Condition DeployRDSUtilizationModule
+    - !Condition DeployEUCUtilizationModule
   DeployAccountCollector: !Or
     - Fn::Or:
       - !Condition DeployTAModule
@@ -293,6 +317,7 @@ Conditions:
       - !Condition DeployLicenseManagerModule
       - !Condition DeployQuickSightModule
       - !Condition DeployServiceQuotasModule
+      - !Condition DeployEUCUtilizationModule 
   RegionsInScopeIsEmpty: !Equals
     - !Join [ '', !Split [ ' ', !Ref RegionsInScope  ] ] # remove spaces
     - ""
@@ -1158,6 +1183,33 @@ Resources:
             - !Sub "${AWS::Region}"
             - !Join [ '', !Split [ ' ', !Ref RegionsInScope  ] ] # remove spaces
 
+  EUCUsageModule:
+    Type: AWS::CloudFormation::Stack
+    Condition: DeployEUCUtilizationModule
+    Properties:
+      TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/module-workspaces-metrics.yaml"
+      Parameters:
+        DatabaseName: !Ref DatabaseName
+        DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
+        DestinationBucket: !Ref S3Bucket
+        DestinationBucketARN: !GetAtt S3Bucket.Arn
+        GlueRoleARN: !GetAtt GlueRole.Arn
+        MultiAccountRoleName: !Sub "${ResourcePrefix}${MultiAccountRoleName}"
+        Schedule: !Ref Schedule
+        ResourcePrefix: !Ref ResourcePrefix
+        LambdaAnalyticsARN: !GetAtt LambdaAnalytics.Arn
+        AccountCollectorLambdaARN: !Sub "${AccountCollector.Outputs.LambdaFunctionARN}"
+        CodeBucket: !If [ ProdCFNTemplateUsed, !FindInMap [RegionMap, !Ref "AWS::Region", CodeBucket], !Ref CFNSourceBucket ]
+        StepFunctionTemplate: !FindInMap [StepFunctionCode, main-v3, TemplatePath]
+        StepFunctionExecutionRoleARN: !GetAtt StepFunctionExecutionRole.Arn
+        SchedulerExecutionRoleARN: !GetAtt SchedulerExecutionRole.Arn
+        EUCAccountIDs: !Ref EUCAccountIDs
+        RegionsInScope:
+          Fn::If:
+            - RegionsInScopeIsEmpty
+            - !Sub "${AWS::Region}"
+            - !Join [ '', !Split [ ' ', !Ref RegionsInScope  ] ] # remove spaces
+
   OrgDataModule:
     Type: AWS::CloudFormation::Stack
     Condition: DeployOrgDataModule

data-collection/deploy/deploy-data-read-permissions.yaml

@@ -25,6 +25,7 @@ Metadata:
           - IncludeHealthEventsModule
           - IncludeInventoryCollectorModule
           - IncludeRDSUtilizationModule
+          - IncludeEUCUtilizationModule
           - IncludeRightsizingModule
           - IncludeTAModule
           - IncludeTransitGatewayModule
@@ -59,6 +60,8 @@ Metadata:
         default: "Include Inventory Collector Module"
       IncludeRDSUtilizationModule:
         default: "Include RDS Utilization Data Collection Module"
+      IncludeEUCUtilizationModule:
+        default: "Include WorkSpaces Utilization Data Collection Module"
       IncludeRightsizingModule:
         default: "Include Rightsizing Recommendations Data Collection Module"
       IncludeTAModule:
@@ -138,6 +141,11 @@ Parameters:
     Description: Collects RDS CloudWatch metrics from your accounts
     AllowedValues: ['yes', 'no']
     Default: 'no'
+  IncludeEUCUtilizationModule:
+    Type: String
+    Description: Collects WorkSpaces CloudWatch metrics from your accounts
+    AllowedValues: ['yes', 'no']
+    Default: 'no'
   IncludeRightsizingModule:
     Type: String
     Description: "Collects AWS Cost Explorer Rightsizing Recommendations"
@@ -208,6 +216,7 @@ Resources:
         IncludeInventoryCollectorModule: !Ref IncludeInventoryCollectorModule
         IncludeECSChargebackModule: !Ref IncludeECSChargebackModule
         IncludeRDSUtilizationModule: !Ref IncludeRDSUtilizationModule
+        IncludeEUCUtilizationModule: !Ref IncludeEUCUtilizationModule       
         IncludeBudgetsModule: !Ref IncludeBudgetsModule
         IncludeTransitGatewayModule: !Ref IncludeTransitGatewayModule
         IncludeServiceQuotasModule: !Ref IncludeServiceQuotasModule
@@ -242,6 +251,8 @@ Resources:
           ParameterValue: !Ref IncludeECSChargebackModule
         - ParameterKey: IncludeRDSUtilizationModule
           ParameterValue: !Ref IncludeRDSUtilizationModule
+        - ParameterKey: IncludeEUCUtilizationModule
+          ParameterValue: !Ref IncludeEUCUtilizationModule          
         - ParameterKey: IncludeBudgetsModule
           ParameterValue: !Ref IncludeBudgetsModule
         - ParameterKey: IncludeTransitGatewayModule

data-collection/deploy/deploy-in-linked-account.yaml

@@ -16,6 +16,7 @@ Metadata:
         - IncludeECSChargebackModule
         - IncludeInventoryCollectorModule
         - IncludeRDSUtilizationModule
+        - IncludeEUCUtilizationModule
         - IncludeTAModule
         - IncludeSupportCasesModule
         - IncludeTransitGatewayModule
@@ -37,6 +38,8 @@ Metadata:
         default: 'Include ECS Chargeback Data Collection Module'
       IncludeRDSUtilizationModule:
         default: 'Include RDS Utilization Data Collection Module'
+      IncludeEUCUtilizationModule:
+        default: 'Include WorkSpaces Utilization Data Collection Module'     
       IncludeBudgetsModule:
         default: 'Include Budgets Collection Module'
       IncludeTransitGatewayModule:
@@ -81,6 +84,11 @@ Parameters:
     Description: Collects RDS CloudWatch metrics from your accounts
     AllowedValues: ['yes', 'no']
     Default: 'no'
+  IncludeEUCUtilizationModule:
+    Type: String
+    Description: Collects WorkSpaces CloudWatch metrics from your accounts
+    AllowedValues: ['yes', 'no']
+    Default: 'no' 
   IncludeBudgetsModule:
     Type: String
     Description: Collects budgets from your accounts
@@ -113,6 +121,9 @@ Conditions:
   IncludeRDSUtilizationModulePolicy: !Equals
     - !Ref IncludeRDSUtilizationModule
     - "yes"
+  IncludeEUCUtilizationModulePolicy: !Equals
+    - !Ref IncludeEUCUtilizationModule
+    - "yes"
   IncludeBudgetsModulePolicy: !Equals
     - !Ref IncludeBudgetsModule
     - "yes"
@@ -146,6 +157,7 @@ Resources:
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}budgets-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}ecs-chargeback-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}inventory-LambdaRole"
+                  - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}workspaces-metrics-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}rds-usage-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}transit-gateway-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}trusted-advisor-LambdaRole"
@@ -298,6 +310,32 @@ Resources:
         rules_to_suppress:
           - id: W12
             reason: "Policy is used for scanning of a wide range of resources"
+  EUCUtilizationPolicy:
+    Type: 'AWS::IAM::Policy'
+    Condition: IncludeEUCUtilizationModulePolicy
+    Properties:
+      PolicyName: EUCUtilizationPolicy
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: "Allow"
+            Action:
+              - "workspaces:DescribeWorkspaces"
+            Resource: "*"  ## Policy is used for scanning of a wide range of resources
+          - Effect: "Allow"
+            Action:
+              - "ec2:DescribeRegions"
+              - "cloudwatch:GetMetricStatistics"
+              - "cloudwatch:ListMetrics"
+            Resource: "*" ## Policy is used for scanning of a wide range of resources
+      Roles:
+        - Ref: LambdaRole
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W12
+            reason: "Policy is used for scanning of a wide range of resources"
+
   TransitGatewayPolicy:
     Type: 'AWS::IAM::Policy'
     Condition: IncludeTransitGatewayModulePolicy