merge main

Author: iakov-gan

data-collection/deploy/deploy-data-collection.yaml

@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: '2010-09-09'
-Description: CID Data Collection Stack v3.6.1
+Description: CID Data Collection Stack v3.7.0
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:

data-collection/deploy/deploy-data-read-permissions.yaml

@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: "2010-09-09"
-Description: CID Data Collection - All-in-One for Management Account v3.6.1
+Description: CID Data Collection - All-in-One for Management Account v3.7.0
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
@@ -214,7 +214,7 @@ Resources:
   DataCollectorOrgAccountModulesReadStackSet:
     Type: AWS::CloudFormation::StackSet
     Properties:
-      Description: "StackSet in charge of deploying read roles across organization accounts v3.6.1"
+      Description: "StackSet in charge of deploying read roles across organization accounts v3.7.0"
       PermissionModel: SERVICE_MANAGED
       AutoDeployment:
         Enabled: true

data-collection/deploy/deploy-in-linked-account.yaml

@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: '2010-09-09'
-Description: CID Data Collection - Role for Linked Account v3.6.1
+Description: CID Data Collection - Role for Linked Account v3.7.0
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
@@ -241,6 +241,9 @@ Resources:
               - "eks:ListNodegroups"
               - "eks:DescribeNodegroup"
               - "lambda:ListFunctions"
+              - "workspaces:DescribeWorkspaces"
+              - "workspaces:DescribeWorkspaceDirectories"
+              - "workspaces:DescribeWorkspacesConnectionStatus"            
             Resource: "*" ## Policy is used for scanning of a wide range of resources
       Roles:
         - Ref: LambdaRole

data-collection/deploy/deploy-in-management-account.yaml

@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: '2010-09-09'
-Description: CID Data Collection - Role for Management Account v3.6.1
+Description: CID Data Collection - Role for Management Account v3.7.0
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
@@ -313,11 +313,6 @@ Resources:
               - "rds:DescribeDBInstances"
               - "rds:DescribeDBClusters"
             Resource: "*"
-          - Effect: "Allow"
-            Action:
-              - "compute-optimizer:GetIdleRecommendations"
-              - "compute-optimizer:ExportIdleRecommendations"
-            Resource: "*"
       Roles:
         - Ref: LambdaRole
     Metadata:

data-collection/deploy/module-compute-optimizer.yaml

@@ -142,6 +142,7 @@ Resources:
                   - iam:GetRolePolicy
                   - iam:PutRolePolicy
                   - iam:TagRole
+                  - iam:UntagRole
                 Resource:
                   - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${ResourcePrefix}Compute-Optimizer-Replication-*'
                   - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/StackSet-${ResourcePrefix}ComputeOptimizer*' # For Compatibility with older versions: Shorter version of StackSetName
@@ -278,17 +279,17 @@ Resources:
                     - s3:GetObjectVersionTagging
                     Effect: 'Allow'
                     Resource: !Sub arn:${AWS::Partition}:s3:::${DestinationBucket}/*
-                  - !If
-                    - NeedDataBucketsKms
-                    - PolicyName: "KMS"
-                      PolicyDocument:
-                        Version: "2012-10-17"
-                        Statement:
-                          - Effect: "Allow"
-                            Action:
-                              - "kms:GenerateDataKey"
-                            Resource: !Split [ ',', !Ref DataBucketsKmsKeysArns ]
-                    - !Ref AWS::NoValue
+              - !If
+                - NeedDataBucketsKms
+                - PolicyName: "KMS"
+                  PolicyDocument:
+                    Version: "2012-10-17"
+                    Statement:
+                      - Effect: "Allow"
+                        Action:
+                          - "kms:GenerateDataKey"
+                        Resource: !Split [ ',', !Ref DataBucketsKmsKeysArns ]
+                - !Ref AWS::NoValue
           S3Bucket:
             Type: AWS::S3::Bucket
             DeletionPolicy: Delete
@@ -329,7 +330,6 @@ Resources:
                     Status: Enabled
                     NoncurrentVersionExpiration:
                       NoncurrentDays: 1
-                      NewerNoncurrentVersions: 1
       Tags: # Hacky way to manage dependencies
         - Key: IgnoreMeIamOnlyWorkaround
           Value: !GetAtt StackSetExecutionRole.Arn
@@ -385,7 +385,6 @@ Resources:
           import logging
           from datetime import date
           from functools import partial
-          import boto3
 
           BUCKET_PREFIX = os.environ["BUCKET_PREFIX"]
           INCLUDE_MEMBER_ACCOUNTS = os.environ.get("INCLUDE_MEMBER_ACCOUNTS", 'yes').lower() == 'yes'
@@ -395,6 +394,12 @@ Resources:
 
           logger = logging.getLogger(__name__)
           logger.setLevel(getattr(logging, os.environ.get('LOG_LEVEL', 'INFO').upper(), logging.INFO))
+          #ensure we get latest boto3
+          from pip._internal.cli.main import main, sys
+          logging.getLogger('pip').setLevel(logging.ERROR) # Silence pip's logger
+          main(['install', '-I', 'boto3', '--target', '/tmp/', '--no-cache-dir', '--disable-pip-version-check'])
+          sys.path.insert(0,'/tmp/')
+          import boto3 #pylint: disable=wrong-import-position
 
           def lambda_handler(event, context): #pylint: disable=unused-argument
               logger.info(f"Event data {json.dumps(event)}")

data-collection/deploy/module-health-events.yaml

@@ -143,6 +143,7 @@ Resources:
           from datetime import date, datetime, timedelta, timezone
 
           import boto3
+          from botocore.config import Config
 
           logger = logging.getLogger()
           logger.setLevel(getattr(logging, os.environ.get('LOG_LEVEL', 'INFO').upper(), logging.INFO))
@@ -156,6 +157,9 @@ Resources:
           LOOKBACK = int(os.environ['LOOKBACK'])
           DETAIL_SM_ARN = os.environ['DETAIL_SM_ARN']
           TMP_FILE = "/tmp/data.json"
+          MAX_RETRIES = int(os.environ.get('MAX_RETRIES', "10"))
+
+          config = Config(retries={"max_attempts": MAX_RETRIES, "mode": "adaptive"})
 
           mapping = {
               'payer_account_id': 'payer_account_id',
@@ -341,6 +345,7 @@ Resources:
               )['Credentials']
               health_client = boto3.client(
                   'health',
+                  config=config,
                   region_name=region,
                   aws_access_key_id=creds['AccessKeyId'],
                   aws_secret_access_key=creds['SecretAccessKey'],
@@ -349,7 +354,7 @@ Resources:
 
               count = 0
               if is_summary_mode:
-                  start_from, start_to = calculate_dates(BUCKET_NAME, f"{PREFIX}/{PREFIX}-summary-data/payer_id={account_id}")
+                  start_from, start_to = calculate_dates(BUCKET_NAME, f"{PREFIX}/{PREFIX}-detail-data/payer_id={account_id}")
                   logger.info(f"Collecting events from {start_from} to {start_to}")
                   args = {
                       'maxResults':100,
@@ -415,7 +420,7 @@ Resources:
                   if count > 0:
                       rand = uuid.uuid4()
                       key = ingestion_time.strftime(f"{PREFIX}/{PREFIX}-detail-data/payer_id={account_id}/year=%Y/month=%m/day=%d/%Y-%m-%d-%H-%M-%S-{rand}.json")
-                      boto3.client('s3').upload_file(TMP_FILE, BUCKET_NAME, key)
+                      boto3.client('s3', config=config).upload_file(TMP_FILE, BUCKET_NAME, key)
                       logger.info(f'Uploaded {count} summary records to s3://{BUCKET_NAME}/{key}')
               return {"status":"200","Recorded":f'"{count}"'}
       Handler: "index.lambda_handler"

data-collection/deploy/module-inventory.yaml

@@ -56,7 +56,7 @@ Parameters:
     Description: ARN of a Lambda for Managing GlueTable
   AwsObjects:
     Type: CommaDelimitedList
-    Default: OpensearchDomains, ElasticacheClusters, RdsDbInstances, EBS, AMI, Snapshot, Ec2Instances, VpcInstances, RdsDbSnapshots, EKSClusters, LambdaFunctions, RdsDbClusters
+    Default: OpensearchDomains, ElasticacheClusters, RdsDbInstances, EBS, AMI, Snapshot, Ec2Instances, VpcInstances, RdsDbSnapshots, EKSClusters, LambdaFunctions, RdsDbClusters, WorkSpaces
     Description: Services for pulling price data
   DataBucketsKmsKeysArns:
     Type: String
@@ -1011,6 +1011,73 @@ Mappings:
               SerializationLibrary: org.openx.data.jsonserde.JsonSerDe
           TableType: EXTERNAL_TABLE
 
+    WorkSpaces:
+      path: workspaces
+      table:
+        - Name: inventory_workspaces_data
+          Parameters:
+            classification: json
+            compressionType: none
+          PartitionKeys:
+            - Name: payer_id
+              Type: string
+            - Name: year
+              Type: string
+            - Name: month
+              Type: string
+            - Name: day
+              Type: string
+          StorageDescriptor:
+            Columns:
+              - Name: workspaceid
+                Type: string
+              - Name: username
+                Type: string
+              - Name: computetype
+                Type: string
+              - Name: directoryid
+                Type: string
+              - Name: directoryname
+                Type: string
+              - Name: directorytype
+                Type: string
+              - Name: directoryalias
+                Type: string 
+              - Name: directorymaintenance
+                Type: string
+              - Name: state
+                Type: string
+              - Name: connectionstatus
+                Type: string
+              - Name: lastconnected
+                Type: string
+              - Name: lastinventoryrun
+                Type: string
+              - Name: runningmode
+                Type: string
+              - Name: operatingsystemname
+                Type: string
+              - Name: protocol
+                Type: string
+              - Name: computername
+                Type: string
+              - Name: ipaddress
+                Type: string
+              - Name: accountid
+                Type: string
+              - Name: collection_date
+                Type: string
+              - Name: region
+                Type: string
+            InputFormat: org.apache.hadoop.mapred.TextInputFormat
+            Location: !Sub s3://${DestinationBucket}/inventory/inventory-workspaces-data/
+            OutputFormat: org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat
+            SerdeInfo:
+              Parameters:
+                paths: WorkspaceId,UserName,ComputeType,DirectoryId,DirectoryName,DirectoryType,DirectoryAlias,DirectoryMaintenance,State,ConnectionStatus,LastConnected,LastInventoryRun,RunningMode,OperatingSystemName,Protocol,ComputerName,IPAddress,accountid,collection_date,region
+              SerializationLibrary: org.openx.data.jsonserde.JsonSerDe
+          TableType: EXTERNAL_TABLE
+
 Resources:
   LambdaRole:
     Type: AWS::IAM::Role
@@ -1196,6 +1263,68 @@ Resources:
                   logger.error(f"Cannot get info from {account_id}/{region}: {type(exc)}-{exc}")
               return []
 
+          def workspaces_scan(account_id, region):
+              """Special function to scan AWS WorkSpaces resources"""
+              # Define WorkSpaces supported regions
+              WORKSPACES_REGIONS = [
+                  'us-east-1', 'us-west-2', 'ap-south-1', 'ap-northeast-2', 
+                  'ap-southeast-1', 'ap-southeast-2', 'ap-northeast-1', 'ca-central-1',
+                  'eu-central-1', 'eu-west-1', 'eu-west-2', 'sa-east-1']
+              # Skip if region is not supported by WorkSpaces
+              if region not in WORKSPACES_REGIONS:
+                  logger.info(f"WorkSpaces not supported in region {region}. Skipping.")
+                  return
+              try:
+                  session = assume_session(account_id, region)
+                  client = session.client('workspaces', region_name=region)
+                  # Get WorkSpaces data
+                  workspaces_data = list(client.get_paginator('describe_workspaces').paginate().search('Workspaces[*]'))
+                  if not workspaces_data:
+                    logger.info(f"No WorkSpaces found in {account_id}/{region}")
+                    return
+                  # Get connection status and directories for lookup
+                  connection_status = client.describe_workspaces_connection_status()['WorkspacesConnectionStatus']
+                  directories = client.describe_workspace_directories()['Directories']
+                  # Create lookup dictionaries
+                  connection_lookup = {conn['WorkspaceId']: conn for conn in connection_status}
+                  directory_lookup = {d['DirectoryId']: d for d in directories}
+                  # Process workspaces
+                  for workspace in workspaces_data:
+                    workspace_id = workspace['WorkspaceId']
+                    dir_id = workspace['DirectoryId']
+            
+                    connection_info = connection_lookup.get(workspace_id, {})
+                    dir_info = directory_lookup.get(dir_id, {})
+            
+                    workspace_info = {
+                        'accountid': account_id,
+                        'region': region,
+                        'ResourceType': 'WorkSpace',
+                        'WorkspaceId': workspace_id,
+                        'UserName': workspace['UserName'],
+                        'DirectoryId': dir_id,
+                        'State': workspace['State'],
+                        'ConnectionStatus': connection_info.get('ConnectionState', 'N/A'),
+                        'LastConnected': connection_info.get('LastKnownUserConnectionTimestamp', 'Never').isoformat() if isinstance(connection_info.get('LastKnownUserConnectionTimestamp'), datetime) else "01/01/01 00:00:00",
+                        'LastInventoryRun': time.strftime('%x %X'),
+                        'RunningMode': workspace.get("WorkspaceProperties", {}).get("RunningMode", "N/A"),
+                        'ComputeType': workspace.get("WorkspaceProperties", {}).get("ComputeTypeName", "N/A"),
+                        'OperatingSystem': workspace.get("WorkspaceProperties", {}).get("OperatingSystemName", "N/A"),
+                        'Protocol': ''.join(
+                            c for c in str(workspace.get("WorkspaceProperties", {}).get("Protocols", "N/A")) 
+                            if c.isalnum() or c.isspace()
+                        ),
+                        'DirectoryName': dir_info.get('DirectoryName', 'N/A'),
+                        'DirectoryAlias': dir_info.get('Alias', 'N/A'),
+                        'DirectoryType': dir_info.get('DirectoryType', 'N/A'),
+                        'DirectoryMaintenance': dir_info.get("WorkspaceCreationProperties", {}).get("EnableMaintenanceMode", "N/A"),
+                        'ComputerName': workspace.get("ComputerName", ""),
+                        'IPAddress': workspace.get("IpAddress", "")
+                    }            
+                    yield workspace_info
+              except Exception as exc:
+                  logger.error(f"Cannot get WorkSpaces info from {account_id}/{region}: {type(exc)}-{exc}")
+
           def lambda_handler(event, context): #pylint: disable=unused-argument
               """ this lambda collects ami, snapshots and volumes from linked accounts
               and must be called from the corresponding Step Function to orchestrate
@@ -1270,7 +1399,8 @@ Resources:
                     function_name='list_functions',
                     obj_name='Functions[*]'
                   ),
-                  'eks': eks_clusters_scan
+                  'eks': eks_clusters_scan,
+                  'workspaces': workspaces_scan
               }
 
               account = json.loads(event["account"])
@@ -1799,6 +1929,37 @@ Resources:
               gp3_gb_cost + gp3_iops_cost + gp3_throughput_cost AS gp3_total_cost,
               (current_gb_cost + current_iops_cost) - (gp3_gb_cost + gp3_iops_cost + gp3_throughput_cost) as gp3_saving
           FROM inventory_ebs_data
+  
+  EUCInventoryView:
+    Type: AWS::Athena::NamedQuery
+    Properties:
+      Database: !Ref DatabaseName
+      Description: EUC Inventory View for WorkSpaces inventory data
+      Name: create_euc_inventory_view
+      QueryString: !Sub |
+        CREATE OR REPLACE VIEW "euc_inventory_view" AS
+          SELECT
+          "workspaceid"
+          , "username"
+          , "accountid"
+          , "computetype"
+          , "directoryid"
+          , "directoryname"
+          , "directoryalias"
+          , "directorytype"
+          , "directorymaintenance"
+          , "region"
+          , "state"
+          , "connectionstatus"
+          , CAST(parse_datetime(lastconnected, 'MM/dd/yy HH:mm:ss') AS timestamp) lastconnected
+          , "lastinventoryrun"
+          , "runningmode"
+          , "operatingsystemname"
+          , "protocol"
+          , "computername"
+          , "ipaddress"
+          FROM
+            "inventory_workspaces_data"
 
   AthenaBackwardCompatPricingRegionNames:
     Type: AWS::Athena::NamedQuery