aws-solutions-library-samples · korravin · Jun 2, 2025 · Jun 13, 2025 · Jun 13, 2025 · Jun 14, 2025
diff --git a/data-collection/deploy/deploy-data-collection.yaml b/data-collection/deploy/deploy-data-collection.yaml
@@ -40,6 +40,7 @@ Metadata:
           - IncludeQuickSightModule
           - IncludeServiceQuotasModule
           - IncludeEUCUtilizationModule
+          - IncludeResilienceHubModule
       - Label:
           default: 'EUC (End User Compute) Module Configuration'
         Parameters:
@@ -107,6 +108,8 @@ Metadata:
         default: 'Include Service Quota Data Collection'
       IncludeQuickSightModule:
         default: 'Include QuickSight User Collection Module'
+      IncludeResilienceHubModule:
+        default: 'Include Resilience Hub Data Collection Module'
 
 Mappings:
   RegionMap:
@@ -279,7 +282,11 @@ Parameters:
    Description: Collects AWS Service Quotas data
    AllowedValues: ['yes', 'no']
    Default: 'no'
-
+  IncludeResilienceHubModule:
+   Type: String
+   Description: Collects AWS Resilience Hub data
+   AllowedValues: ['yes', 'no']
+   Default: 'no'
 Conditions:
   DeployTAModule: !Equals [ !Ref IncludeTAModule, "yes"]
   DeployRightsizingModule: !Equals [ !Ref IncludeRightsizingModule, "yes"]
@@ -300,6 +307,7 @@ Conditions:
   DeployLicenseManagerModule: !Equals [ !Ref IncludeLicenseManagerModule, "yes"]
   DeployQuickSightModule: !Equals [ !Ref IncludeQuickSightModule, "yes"]
   DeployServiceQuotasModule: !Equals [ !Ref IncludeServiceQuotasModule, "yes"]
+  DeployResilienceHubModule: !Equals [ !Ref IncludeResilienceHubModule, "yes"]
   DeployPricingModule: !Or
     - !Condition DeployInventoryCollectorModule
     - !Condition DeployRDSUtilizationModule
@@ -311,11 +319,11 @@ Conditions:
       - !Condition DeployCostAnomalyModule
       - !Condition DeploySupportCasesModule
       - !Condition DeployInventoryCollectorModule
-      - !Condition DeployComputeOptimizerModule
       - !Condition DeployEcsChargebackModule
       - !Condition DeployRDSUtilizationModule
       - !Condition DeployOrgDataModule
       - !Condition DeployBudgetsModule
+      - !Condition DeployResilienceHubModule
     - Fn::Or:
       - !Condition DeployBackupModule
       - !Condition DeployTransitGatewayModule
@@ -324,6 +332,7 @@ Conditions:
       - !Condition DeployQuickSightModule
       - !Condition DeployServiceQuotasModule
       - !Condition DeployEUCUtilizationModule 
+      - !Condition DeployComputeOptimizerModule
   RegionsInScopeIsEmpty: !Equals
     - !Join [ '', !Split [ ' ', !Ref RegionsInScope  ] ] # remove spaces
     - ""
@@ -1417,6 +1426,31 @@ Resources:
         StepFunctionTemplate: !FindInMap [StepFunctionCode, standalone-v1, TemplatePath]
         StepFunctionExecutionRoleARN: !GetAtt StepFunctionExecutionRole.Arn
         SchedulerExecutionRoleARN: !GetAtt SchedulerExecutionRole.Arn
+
+  ResilienceHubModule:
+    Type: AWS::CloudFormation::Stack
+    Condition: DeployResilienceHubModule
+    Properties:
+      TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/v3.10.0/module-resilience-hub.yaml"
+      Parameters:
+        DestinationBucket: !Ref S3Bucket
+        ManagementRoleName: !Sub "${ResourcePrefix}${ManagementAccountRole}"
+        ManagementAccountID: !Ref ManagementAccountID
+        DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
+        Schedule: !Ref ScheduleFrequent
+        ResourcePrefix: !Ref ResourcePrefix
+        BucketPrefix:  !Ref DestinationBucket
+        RegionsInScope:
+          Fn::If:
+            - RegionsInScopeIsEmpty
+            - !Sub "${AWS::Region}"
+            - !Join [ '', !Split [ ' ', !Ref RegionsInScope  ] ] # remove spaces
+        LambdaAnalyticsARN: !GetAtt LambdaAnalytics.Arn
+        AccountCollectorLambdaARN: !Sub "${AccountCollector.Outputs.LambdaFunctionARN}"
+        CodeBucket: !If [ ProdCFNTemplateUsed, !FindInMap [RegionMap, !Ref "AWS::Region", CodeBucket], !Ref CFNSourceBucket ]
+        StepFunctionTemplate: !FindInMap [StepFunctionCode, main-v3, TemplatePath]
+        StepFunctionExecutionRoleARN: !GetAtt StepFunctionExecutionRole.Arn
+        SchedulerExecutionRoleARN: !GetAtt SchedulerExecutionRole.Arn
 
   AccountCollector:
     Type: AWS::CloudFormation::Stack

diff --git a/data-collection/deploy/deploy-data-read-permissions.yaml b/data-collection/deploy/deploy-data-read-permissions.yaml
@@ -32,6 +32,7 @@ Metadata:
           - IncludeTransitGatewayModule
           - IncludeLicenseManagerModule
           - IncludeServiceQuotasModule
+          - IncludeResilienceHubModule
     ParameterLabels:
       ManagementAccountRole:
         default: "Management account role"
@@ -77,6 +78,9 @@ Metadata:
         default: "Include Marketplace Licensing Module"
       IncludeServiceQuotasModule:
         default: "Include Service Quotas Module"
+      IncludeResilienceHubModule:
+        default: "Include ResilienceHub Module"
+
 Parameters:
   ManagementAccountRole:
     Type: String
@@ -182,6 +186,11 @@ Parameters:
     Description: Collects Service Quotas information
     AllowedValues: ['yes', 'no']
     Default: 'no'
+  IncludeResilienceHubModule:
+    Type: String
+    Description: Collects Resilience Hub information
+    AllowedValues: ['yes', 'no']
+    Default: 'no'
 
 Conditions:
   DeployModuleReadInMgmt: !Equals [!Ref AllowModuleReadInMgmt, "yes"]
@@ -202,6 +211,7 @@ Resources:
         IncludeHealthEventsModule: !Ref IncludeHealthEventsModule
         IncludeLicenseManagerModule: !Ref IncludeLicenseManagerModule
         IncludeServiceQuotasModule: !Ref IncludeServiceQuotasModule
+
   DataCollectorMgmtAccountModulesReadStack:
     Type: AWS::CloudFormation::Stack
     Condition: DeployModuleReadInMgmt
@@ -220,6 +230,8 @@ Resources:
         IncludeBudgetsModule: !Ref IncludeBudgetsModule
         IncludeTransitGatewayModule: !Ref IncludeTransitGatewayModule
         IncludeServiceQuotasModule: !Ref IncludeServiceQuotasModule
+        IncludeResilienceHubModule: !Ref IncludeResilienceHubModule
+
   DataCollectorOrgAccountModulesReadStackSet:
     Type: AWS::CloudFormation::StackSet
     Properties:
@@ -259,6 +271,8 @@ Resources:
           ParameterValue: !Ref IncludeTransitGatewayModule
         - ParameterKey: IncludeServiceQuotasModule
           ParameterValue: !Ref IncludeServiceQuotasModule
+        - ParameterKey: IncludeResilienceHubModule
+          ParameterValue: !Ref IncludeResilienceHubModule
       StackInstancesGroup:
         - DeploymentTargets:
             OrganizationalUnitIds: !Split [",", !Ref OrganizationalUnitIds]

diff --git a/data-collection/deploy/deploy-in-linked-account.yaml b/data-collection/deploy/deploy-in-linked-account.yaml
@@ -21,6 +21,7 @@ Metadata:
         - IncludeSupportCasesModule
         - IncludeTransitGatewayModule
         - IncludeServiceQuotasModule
+        - IncludeResilienceHubModule
     ParameterLabels:
       DataCollectionAccountID:
         default: 'Data Collection Account ID'
@@ -46,6 +47,8 @@ Metadata:
         default: 'Include Transit Gateway Module'
       IncludeServiceQuotasModule:
         default: 'Include Service Quotas Module'
+      IncludeResilienceHubModule:
+        default: 'Include Resilience Hub Module'
 
 Parameters:
   DataCollectionAccountID:
@@ -104,6 +107,11 @@ Parameters:
     Description: Collects Service Quotas from your accounts
     AllowedValues: ['yes', 'no']
     Default: 'no'
+  IncludeResilienceHubModule:
+    Type: String
+    Description: Collects Resilience Hub data from your accounts
+    AllowedValues: ['yes', 'no']
+    Default: 'no'
 
 Conditions:
   IncludeTAModulePolicy:                 !Equals [!Ref IncludeTAModule, "yes"]
@@ -145,6 +153,7 @@ Resources:
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}trusted-advisor-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}support-cases-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}service-quotas-LambdaRole"
+                  - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}resilience-hub-LambdaRole"
       Path: /
     Metadata:
       cfn_nag:
@@ -420,3 +429,36 @@ Resources:
         rules_to_suppress:
           - id: W12
             reason: "Policy is used for scanning of a wide range of resources"
+
+  # Resilience Hub policy
+  ResilienceHubPolicy:
+    Type: 'AWS::IAM::Policy'
+    Condition: IncludeResilienceHubModulePolicy
+    Properties:
+      PolicyName: ResilienceHubPolicy
+      PolicyDocument: 
+        Version: "2012-10-17"
+        Statement:
+          - Sid: VisualEditor0
+            Effect: Allow
+            Action:
+              - resiliencehub:ListSopRecommendations
+              - resiliencehub:DescribeAppAssessment
+              - resiliencehub:ListAppComponentRecommendations
+              - resiliencehub:ListAlarmRecommendations
+            Resource: !Sub "arn:${AWS::Partition}:resiliencehub:*:${AWS::AccountId}:app/*"
+          - Sid: VisualEditor1
+            Effect: Allow
+            Action:
+              - resiliencehub:ListApps
+              - resiliencehub:DescribeMetricsExport
+              - resiliencehub:ListAppAssessments
+              - resiliencehub:StartMetricsExport
+            Resource: '*'
+      Roles:
+        - Ref: LambdaRole
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W12
+            reason: "Policy is used for scanning of a wide range of resources"