|
234 | 234 | blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, |
235 | 235 | }); |
236 | 236 |
|
| 237 | + // Execution role for AWS Lambda function to use |
| 238 | + // To get logs and ship them to the Admin account. |
| 239 | + // This role is referenced in the Admin stack configuration. |
| 240 | + // Modifying it will sever cross-account connection. |
237 | 241 | const executionRole = new iam.Role(this, "CloudWatchExecutionRole", { |
238 | 242 | assumedBy: new iam.ServicePrincipal("lambda.amazonaws.com"), |
239 | 243 | description: "Allows Lambda function to get logs from CloudWatch", |
|
245 | 249 | ], |
246 | 250 | }); |
247 | 251 |
|
| 252 | + // Update bucket permissions to allow Lambda |
248 | 253 | const statement = new iam.PolicyStatement({ |
249 | 254 | actions: [ |
250 | 255 | "s3:PutObject", |
|
261 | 266 | statement.addArnPrincipal(`arn:aws:iam::${cdk.Aws.ACCOUNT_ID}:root`); |
262 | 267 | bucket.addToResourcePolicy(statement); |
263 | 268 |
|
| 269 | + // Attach custom policy to allow Lambda to get logs from CloudWatch. |
264 | 270 | executionRole.addToPolicy( |
265 | 271 | new iam.PolicyStatement({ |
266 | 272 | actions: ["logs:GetLogEvents", "logs:DescribeLogStreams"], |
267 | 273 | resources: [`arn:aws:logs:${this.awsRegion}:${cdk.Aws.ACCOUNT_ID}:*`], |
268 | 274 | }), |
269 | 275 | ); |
270 | 276 |
|
| 277 | + // Attach custom policy to allow Lambda to get and put to local logs bucket. |
271 | 278 | executionRole.addToPolicy( |
272 | 279 | new iam.PolicyStatement({ |
273 | 280 | actions: [ |
|
297 | 304 | }), |
298 | 305 | ); |
299 | 306 |
|
| 307 | + // Define the Lambda function. |
300 | 308 | const lambdaFunction = new lambda.Function(this, "BatchJobCompleteLambda", { |
301 | 309 | runtime: lambda.Runtime.PYTHON_3_8, |
302 | 310 | handler: "export_logs.handler", |
|
310 | 318 | }, |
311 | 319 | }); |
312 | 320 |
|
| 321 | + // CloudWatch Event Rule to trigger the Lambda function. |
313 | 322 | const batchRule = new events.Rule(this, "BatchAllEventsRule", { |
314 | 323 | eventPattern: { |
315 | 324 | source: ["aws.batch"], |
316 | 325 | }, |
317 | 326 | }); |
318 | 327 |
|
| 328 | + // Add the Lambda function as a target for the CloudWatch Event Rule. |
319 | 329 | batchRule.addTarget(new targets.LambdaFunction(lambdaFunction)); |
320 | 330 | } |
321 | 331 | } |
|