* add resilience hub module

Co-authored-by: korravin <[email protected]>

Author: iakov-aws

data-collection/README.md

@@ -42,6 +42,7 @@ List of modules and objects collected:
 | `licence-manager`            |  [AWS License Manager](https://aws.amazon.com/license-manager/)  | Management Accounts  | Collect Licenses and Grants |
 | `aws-feeds`                  |  N/A                  | Data Collection Account | Collects Blog posts and News Feeds |
 | `quicksight`                 |  [Amazon QuickSight](https://aws.amazon.com/quicksight/)    | Data Collection Account | Collects QuickSight User and Group information in the Data Collection Account only |
+| `resilience-hub`                 |   [AWS Resilince Hub](https://aws.amazon.com/resilience-hub/) | Linked Accounts |  |
 
 
 ### Deployment Overview

data-collection/deploy/deploy-data-collection.yaml

@@ -40,6 +40,7 @@ Metadata:
           - IncludeQuickSightModule
           - IncludeServiceQuotasModule
           - IncludeEUCUtilizationModule
+          - IncludeResilienceHubModule
       - Label:
           default: 'EUC (End User Compute) Module Configuration'
         Parameters:
@@ -107,6 +108,8 @@ Metadata:
         default: 'Include Service Quota Data Collection'
       IncludeQuickSightModule:
         default: 'Include QuickSight User Collection Module'
+      IncludeResilienceHubModule:
+        default: 'Include Resilience Hub Data Collection Module'
 
 Mappings:
   RegionMap:
@@ -280,7 +283,11 @@ Parameters:
    Description: Collects AWS Service Quotas data
    AllowedValues: ['yes', 'no']
    Default: 'no'
-
+  IncludeResilienceHubModule:
+   Type: String
+   Description: Collects AWS Resilience Hub data
+   AllowedValues: ['yes', 'no']
+   Default: 'no'
 Conditions:
   DeployTAModule: !Equals [ !Ref IncludeTAModule, "yes"]
   DeployRightsizingModule: !Equals [ !Ref IncludeRightsizingModule, "yes"]
@@ -301,6 +308,7 @@ Conditions:
   DeployLicenseManagerModule: !Equals [ !Ref IncludeLicenseManagerModule, "yes"]
   DeployQuickSightModule: !Equals [ !Ref IncludeQuickSightModule, "yes"]
   DeployServiceQuotasModule: !Equals [ !Ref IncludeServiceQuotasModule, "yes"]
+  DeployResilienceHubModule: !Equals [ !Ref IncludeResilienceHubModule, "yes"]
   DeployPricingModule: !Or
     - !Condition DeployInventoryCollectorModule
     - !Condition DeployRDSUtilizationModule
@@ -312,11 +320,11 @@ Conditions:
       - !Condition DeployCostAnomalyModule
       - !Condition DeploySupportCasesModule
       - !Condition DeployInventoryCollectorModule
-      - !Condition DeployComputeOptimizerModule
       - !Condition DeployEcsChargebackModule
       - !Condition DeployRDSUtilizationModule
       - !Condition DeployOrgDataModule
       - !Condition DeployBudgetsModule
+      - !Condition DeployResilienceHubModule
     - Fn::Or:
       - !Condition DeployBackupModule
       - !Condition DeployTransitGatewayModule
@@ -325,6 +333,7 @@ Conditions:
       - !Condition DeployQuickSightModule
       - !Condition DeployServiceQuotasModule
       - !Condition DeployEUCUtilizationModule 
+      - !Condition DeployComputeOptimizerModule
   RegionsInScopeIsEmpty: !Equals
     - !Join [ '', !Split [ ' ', !Ref RegionsInScope  ] ] # remove spaces
     - ""
@@ -1464,6 +1473,31 @@ Resources:
         StepFunctionExecutionRoleARN: !GetAtt StepFunctionExecutionRole.Arn
         SchedulerExecutionRoleARN: !GetAtt SchedulerExecutionRole.Arn
 
+  ResilienceHubModule:
+    Type: AWS::CloudFormation::Stack
+    Condition: DeployResilienceHubModule
+    Properties:
+      TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/v3.11.0/module-resilience-hub.yaml"
+      Parameters:
+        DatabaseName: !Ref DatabaseName
+        DestinationBucket: !Ref S3Bucket
+        MultiAccountRoleName: !Sub "${ResourcePrefix}${MultiAccountRoleName}"
+        DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
+        GlueRoleARN: !GetAtt GlueRole.Arn
+        Schedule: !Ref ScheduleFrequent
+        ResourcePrefix: !Ref ResourcePrefix
+        RegionsInScope:
+          Fn::If:
+            - RegionsInScopeIsEmpty
+            - !Sub "${AWS::Region}"
+            - !Join [ '', !Split [ ' ', !Ref RegionsInScope  ] ] # remove spaces
+        LambdaAnalyticsARN: !GetAtt LambdaAnalytics.Arn
+        AccountCollectorLambdaARN: !Sub "${AccountCollector.Outputs.LambdaFunctionARN}"
+        CodeBucket: !If [ ProdCFNTemplateUsed, !FindInMap [RegionMap, !Ref "AWS::Region", CodeBucket], !Ref CFNSourceBucket ]
+        StepFunctionTemplate: !FindInMap [StepFunctionCode, main-state-machine, TemplatePath]
+        StepFunctionExecutionRoleARN: !GetAtt StepFunctionExecutionRole.Arn
+        SchedulerExecutionRoleARN: !GetAtt SchedulerExecutionRole.Arn
+
   AccountCollector:
     Type: AWS::CloudFormation::Stack
     Condition: DeployAccountCollector

data-collection/deploy/deploy-data-read-permissions.yaml

@@ -32,6 +32,7 @@ Metadata:
           - IncludeTransitGatewayModule
           - IncludeLicenseManagerModule
           - IncludeServiceQuotasModule
+          - IncludeResilienceHubModule
     ParameterLabels:
       ManagementAccountRole:
         default: "Management account role"
@@ -77,6 +78,9 @@ Metadata:
         default: "Include Marketplace Licensing Module"
       IncludeServiceQuotasModule:
         default: "Include Service Quotas Module"
+      IncludeResilienceHubModule:
+        default: "Include ResilienceHub Module"
+
 Parameters:
   ManagementAccountRole:
     Type: String
@@ -182,7 +186,11 @@ Parameters:
     Description: Collects Service Quotas information
     AllowedValues: ['yes', 'no']
     Default: 'no'
-
+  IncludeResilienceHubModule:
+    Type: String
+    Description: Collects Resilience Hub information
+    AllowedValues: ['yes', 'no']
+    Default: 'no'
 Conditions:
   DeployModuleReadInMgmt: !Equals [!Ref AllowModuleReadInMgmt, "yes"]
 
@@ -202,6 +210,7 @@ Resources:
         IncludeHealthEventsModule: !Ref IncludeHealthEventsModule
         IncludeLicenseManagerModule: !Ref IncludeLicenseManagerModule
         IncludeServiceQuotasModule: !Ref IncludeServiceQuotasModule
+
   DataCollectorMgmtAccountModulesReadStack:
     Type: AWS::CloudFormation::Stack
     Condition: DeployModuleReadInMgmt
@@ -220,6 +229,8 @@ Resources:
         IncludeBudgetsModule: !Ref IncludeBudgetsModule
         IncludeTransitGatewayModule: !Ref IncludeTransitGatewayModule
         IncludeServiceQuotasModule: !Ref IncludeServiceQuotasModule
+        IncludeResilienceHubModule: !Ref IncludeResilienceHubModule
+        
   DataCollectorOrgAccountModulesReadStackSet:
     Type: AWS::CloudFormation::StackSet
     Properties:
@@ -259,6 +270,8 @@ Resources:
           ParameterValue: !Ref IncludeTransitGatewayModule
         - ParameterKey: IncludeServiceQuotasModule
           ParameterValue: !Ref IncludeServiceQuotasModule
+        - ParameterKey: IncludeResilienceHubModule
+          ParameterValue: !Ref IncludeResilienceHubModule
       StackInstancesGroup:
         - DeploymentTargets:
             OrganizationalUnitIds: !Split [",", !Ref OrganizationalUnitIds]

data-collection/deploy/deploy-in-linked-account.yaml

@@ -21,6 +21,7 @@ Metadata:
         - IncludeSupportCasesModule
         - IncludeTransitGatewayModule
         - IncludeServiceQuotasModule
+        - IncludeResilienceHubModule
     ParameterLabels:
       DataCollectionAccountID:
         default: 'Data Collection Account ID'
@@ -46,6 +47,8 @@ Metadata:
         default: 'Include Transit Gateway Module'
       IncludeServiceQuotasModule:
         default: 'Include Service Quotas Module'
+      IncludeResilienceHubModule:
+        default: 'Include Resilience Hub Module'
 
 Parameters:
   DataCollectionAccountID:
@@ -104,6 +107,11 @@ Parameters:
     Description: Collects Service Quotas from your accounts
     AllowedValues: ['yes', 'no']
     Default: 'no'
+  IncludeResilienceHubModule:
+    Type: String
+    Description: Collects Resilience Hub data from your accounts
+    AllowedValues: ['yes', 'no']
+    Default: 'no'
 
 Conditions:
   IncludeTAModulePolicy:                 !Equals [!Ref IncludeTAModule, "yes"]
@@ -115,6 +123,7 @@ Conditions:
   IncludeBudgetsModulePolicy:            !Equals [!Ref IncludeBudgetsModule, "yes"]
   IncludeTransitGatewayModulePolicy:     !Equals [!Ref IncludeTransitGatewayModule, "yes"]
   IncludeServiceQuotasModulePolicy:      !Equals [!Ref IncludeServiceQuotasModule, "yes"]
+  IncludeResilienceHubModulePolicy:      !Equals [!Ref IncludeResilienceHubModule, "yes"]
 
 Outputs:
   LambdaRole:
@@ -145,6 +154,7 @@ Resources:
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}trusted-advisor-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}support-cases-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}service-quotas-LambdaRole"
+                  - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}resilience-hub-LambdaRole"
       Path: /
     Metadata:
       cfn_nag:
@@ -420,3 +430,38 @@ Resources:
         rules_to_suppress:
           - id: W12
             reason: "Policy is used for scanning of a wide range of resources"
+  # Resilience Hub policy
+  ResilienceHubPolicy:
+    Type: 'AWS::IAM::Policy'
+    Condition: IncludeResilienceHubModulePolicy
+    Properties:
+      PolicyName: ResilienceHubPolicy
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Sid: ResilienceHubRestricted
+            Effect: Allow
+            Action:
+              - "resiliencehub:DescribeAppAssessment"
+              - "resiliencehub:ListSopRecommendations"
+              - "resiliencehub:ListAppComponentRecommendations"
+              - "resiliencehub:ListAlarmRecommendations"
+            Resource: !Sub "arn:${AWS::Partition}:resiliencehub:*:${AWS::AccountId}:app/*"
+          - Sid: ResilienceHubNonRestricted
+            Effect: Allow
+            Action:
+              - "resiliencehub:ListApps"
+              - "resiliencehub:DescribeApp"
+              - "resiliencehub:ListAppAssessments"
+              - "resiliencehub:ListAppAssessmentComplianceDrifts"
+              - "resiliencehub:ListTestRecommendations"
+              - "resiliencehub:DescribeResiliencyPolicy"
+              - "resiliencehub:ListAppVersionResources"
+            Resource: "*" # Wildcard required as actions do not support   resource-level permissions
+      Roles:
+        - Ref: LambdaRole
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W12
+            reason: "Policy is used for scanning of a wide range of resources"