Merge pull request #13 from drem-darios/feature/support-daily-periodic-recording

Added the ability to set the recording frequency for individual resources

Author: vsr2158

ct_configrecorder_override_consumer.py

@@ -24,15 +24,14 @@
 import botocore.exceptions
 import os
 
-def lambda_handler(event, context):
-
 
+def lambda_handler(event, context):
     LOG_LEVEL = os.getenv('LOG_LEVEL')
     logging.getLogger().setLevel(LOG_LEVEL)
 
     try:
 
-        logging.info('Event Body:')
+        logging.info(f'Event: {event}')
 
         body = json.loads(event['Records'][0]['body'])
         account_id = body['Account']
@@ -87,8 +86,13 @@ def assume_role(account_id, role='AWSControlTowerExecution'):
         try:
             role_arn = 'arn:aws:iam::' + account_id + ':role/aws-controltower-ConfigRecorderRole'
 
+            CONFIG_RECORDER_DAILY_RESOURCE_STRING = os.getenv('CONFIG_RECORDER_DAILY_RESOURCE_LIST')
+            CONFIG_RECORDER_DAILY_RESOURCE_LIST = CONFIG_RECORDER_DAILY_RESOURCE_STRING.split(
+                ',') if CONFIG_RECORDER_DAILY_RESOURCE_STRING != '' else []
             CONFIG_RECORDER_EXCLUSION_RESOURCE_STRING = os.getenv('CONFIG_RECORDER_EXCLUDED_RESOURCE_LIST')
-            CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST = CONFIG_RECORDER_EXCLUSION_RESOURCE_STRING.split(',')
+            CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST = CONFIG_RECORDER_EXCLUSION_RESOURCE_STRING.split(
+                ',') if CONFIG_RECORDER_EXCLUSION_RESOURCE_STRING != '' else []
+            CONFIG_RECORDER_RECORDING_FREQUENCY = os.getenv('CONFIG_RECORDER_RECORDING_FREQUENCY')
 
             # Event = Delete is when stack is deleted, we rollback changed made and leave it as ControlTower Intended
             if event == 'Delete':
@@ -104,21 +108,38 @@ def assume_role(account_id, role='AWSControlTowerExecution'):
                 logging.info(f'Response for put_configuration_recorder :{response} ')
 
             else:
-                response = configservice.put_configuration_recorder(
-                    ConfigurationRecorder={
-                        'name': 'aws-controltower-BaselineConfigRecorder',
-                        'roleARN': role_arn,
-                        'recordingGroup': {
-                            'allSupported': False,
-                            'includeGlobalResourceTypes': False,
-                            'exclusionByResourceTypes': {
-                                'resourceTypes': CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST
-                            },
-                            'recordingStrategy': {
-                                'useOnly': 'EXCLUSION_BY_RESOURCE_TYPES'
-                            }
+                config_recorder = {
+                    'name': 'aws-controltower-BaselineConfigRecorder',
+                    'roleARN': role_arn,
+                    'recordingGroup': {
+                        'allSupported': False,
+                        'includeGlobalResourceTypes': False,
+                        'exclusionByResourceTypes': {
+                            'resourceTypes': CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST
+                        },
+                        'recordingStrategy': {
+                            'useOnly': 'EXCLUSION_BY_RESOURCE_TYPES'
                         }
-                    })
+                    },
+                    'recordingMode': {
+                        'recordingFrequency': CONFIG_RECORDER_RECORDING_FREQUENCY,
+                        'recordingModeOverrides': [
+                            {
+                                'description': 'DAILY_OVERRIDE',
+                                'resourceTypes': CONFIG_RECORDER_DAILY_RESOURCE_LIST,
+                                'recordingFrequency': 'DAILY'
+                            }
+                        ] if CONFIG_RECORDER_DAILY_RESOURCE_LIST else []
+                    }
+                }
+
+                if not CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST:
+                    config_recorder['recordingGroup'].pop('exclusionByResourceTypes')
+                    config_recorder['recordingGroup'].pop('recordingStrategy')
+                    config_recorder['recordingGroup']['allSupported'] = True
+                    config_recorder['recordingGroup']['includeGlobalResourceTypes'] = True
+                response = configservice.put_configuration_recorder(
+                    ConfigurationRecorder=config_recorder)
                 logging.info(f'Response for put_configuration_recorder :{response} ')
 
             # lets describe for configuration recorder after the update

template.yaml

@@ -14,6 +14,19 @@ Parameters:
     Default: "AWS::HealthLake::FHIRDatastore,AWS::Pinpoint::Segment,AWS::Pinpoint::ApplicationSettings"
     Type: String
 
+  ConfigRecorderDailyResourceTypes:
+    Description: List of all resource types to be set to a daily cadence
+    Default: "AWS::HealthLake::FHIRDatastore,AWS::Pinpoint::Segment,AWS::Pinpoint::ApplicationSettings"
+    Type: String
+
+  ConfigRecorderRecordingFrequency:
+    Description: Frequency of recording configuration changes.
+    Default: CONTINUOUS
+    Type: String
+    AllowedValues:
+      - CONTINUOUS
+      - DAILY
+
   CloudFormationVersion:
     Type: String
     Default: 2
@@ -43,6 +56,7 @@ Resources:
                 Bool:
                   aws:SecureTransport: false
 
+
     ProducerLambda:
         Type: AWS::Lambda::Function
         DeletionPolicy: Retain
@@ -54,7 +68,7 @@ Resources:
                 S3Key: ct-blogs-content/ct_configrecorder_override_producer.zip
             Handler: ct_configrecorder_override_producer.lambda_handler
             Role: !GetAtt ProducerLambdaExecutionRole.Arn
-            Runtime: python3.10
+            Runtime: python3.11
             MemorySize: 128
             Timeout: 300
             Architectures:
@@ -86,7 +100,7 @@ Resources:
                 S3Key: ct-blogs-content/ct_configrecorder_override_consumer_v2.zip
             Handler: ct_configrecorder_override_consumer.lambda_handler
             Role: !GetAtt ConsumerLambdaExecutionRole.Arn
-            Runtime: python3.10
+            Runtime: python3.11
             MemorySize: 128
             Timeout: 180
             Architectures:
@@ -95,7 +109,9 @@ Resources:
             Environment:
                 Variables:
                     LOG_LEVEL: INFO
+                    CONFIG_RECORDER_DAILY_RESOURCE_LIST: !Ref ConfigRecorderDailyResourceTypes
                     CONFIG_RECORDER_EXCLUDED_RESOURCE_LIST: !Ref ConfigRecorderExcludedResourceTypes
+                    CONFIG_RECORDER_RECORDING_FREQUENCY: !Ref ConfigRecorderRecordingFrequency
 
     ConsumerLambdaEventSourceMapping:
         Type: AWS::Lambda::EventSourceMapping