takehiro1111 · takehiro1111 · Mar 2, 2025
diff --git a/sam/monitor-lambda/README.md b/sam/monitor-lambda/README.md
@@ -0,0 +1,11 @@
+## 目的
+- Lambda監視に必要な`CloudwatchLogs SubscriptionFilter`と`Cloudwatch Alarm`をTerraformで管理しているが、追加や削除対応を開発チーム内で完結させるためLambdaでの管理に移行する。
+  - コミュニケーションコストの削減により、双方でより重要なタスクへ時間を割くことができる。
+
+## 処理内容
+- 作成時
+  - `CloudwatchLogs SubscriptionFilter`と`Cloudwatch Alarm`の既存リソースとconfig内のjsonのキー(lambda関数名)を比較し、差分のみにフィルターしてリソースを作成する。
+
+## 懸念点
+- 削除対応時にどうするか
+  - 別プロジェクトで管理する
diff --git a/sam/monitor-lambda/config/mapping.json b/sam/monitor-lambda/config/mapping.json
@@ -0,0 +1,6 @@
+{
+  "account_mapping": {
+    "685339645368": "master",
+    "650251692423": "development"
+  }
+}
diff --git a/sam/monitor-lambda/config/master/lambda.json b/sam/monitor-lambda/config/master/lambda.json
@@ -0,0 +1,5 @@
+{
+  "lambda": {
+    "monitor-waf-regionallimit":{"filter_pattern": "?ERROR ?Exception"}
+  }
+}
diff --git a/sam/monitor-lambda/samconfig.toml → ...nitor-lambda/config/master/samconfig.toml b/sam/monitor-lambda/samconfig.toml → ...nitor-lambda/config/master/samconfig.toml
@@ -4,7 +4,7 @@ version = 0.1
 
 [default]
 [default.global.parameters]
-stack_name = "monitor-lambda"
+stack_name = "add-monitor-lambda-resources"
 
 [default.build.parameters]
 cached = true
@@ -14,9 +14,14 @@ parallel = true
 lint = true
 
 [default.deploy.parameters]
-capabilities = "CAPABILITY_IAM"
+capabilities = "CAPABILITY_NAMED_IAM"
 confirm_changeset = true
-resolve_s3 = true
+resolve_s3 = false
+s3_bucket = "sam-deploy-685339645368"
+s3_prefix = "add-monitor-lambda-resources"
+region = "ap-northeast-1"
+disable_rollback = true
+image_repositories = []
 
 [default.package.parameters]
 resolve_s3 = true

diff --git a/sam/monitor-lambda/config/master/template.yaml b/sam/monitor-lambda/config/master/template.yaml
@@ -0,0 +1,116 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: Monitor Lambda
+
+Parameters:
+  Env:
+    Type: String
+
+Globals:
+  Function:
+    CodeUri: ../../function/
+    Runtime: python3.12
+    Architectures:
+        - arm64
+    LoggingConfig:
+      LogFormat: JSON
+    Environment:
+        Variables:
+          ACCOUNT_ID: !Ref AWS::AccountId
+          FUNCTION_ARN:
+          DEFAULT_REGION: !Ref AWS::Region
+
+
+Resources:
+###########################################################
+# Lambda
+###########################################################
+  AddMonitorLambdaFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      FunctionName: add-monitor-lambda-resources
+      Handler: handler.lambda_habdler
+      Role: !GetAtt LambdaExecutionRole.Arn
+      MemorySize: 256
+      Timeout: 600
+      Environment:
+        Variables:
+          DEFAULT_REGION: !Ref AWS::Region
+          SSM_PARAMETER_NAME: !GetAtt SlackWebhookParameter.Name
+
+###########################################################
+# CloudWatch Logs
+###########################################################
+  MonitorECSCapacityProviderLogGroup:
+    Type: AWS::Logs::LogGroup
+    Properties:
+      LogGroupName: !Sub /aws/lambda/${AddMonitorLambdaFunction}
+      RetentionInDays: 14
+
+##########################################################
+# SSM ParameterStore
+##########################################################
+  SlackWebhookParameter:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Name: /serverless/monitor-ecs-capaciry-provider/SLACK_WEBHOOK_URL
+      Type: String # CloudFromationでは、SecureStringがサポートされていないため。
+      Value: '画面上で設定する'
+
+##########################################################
+# IAM
+##########################################################
+  LambdaExecutionRole:
+      Type: AWS::IAM::Role
+      Properties:
+        RoleName: monitor-ecs-lambda-execution-role
+        AssumeRolePolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+            - Effect: Allow
+              Principal:
+                Service: lambda.amazonaws.com
+              Action: sts:AssumeRole
+
+        Policies:
+          - PolicyName: logs_policy
+            PolicyDocument:
+              Version: '2012-10-17'
+              Statement:
+                - Effect: Allow
+                  Action:
+                    - logs:CreateLogGroup
+                    - logs:CreateLogStream
+                    - logs:PutLogEvents
+                  Resource: !Sub 'arn:aws:logs:${DEFAULT_REGION}:${AWS::AccountId}:log-group:*:*'
+
+          - PolicyName: ssm_policy
+            PolicyDocument:
+              Version: '2012-10-17'
+              Statement:
+                - Effect: Allow
+                  Action:
+                    - ssm:GetParameter
+                  Resource: !Sub 'arn:aws:ssm:${DEFAULT_REGION}:${AWS::AccountId}:*'
+
+          - PolicyName: add_cloudwatch_logs_subscription_filter
+            PolicyDocument:
+              Version: '2012-10-17'
+              Statement:
+                - Effect: Allow
+                  Action:
+                    - logs:PutSubscriptionFilter
+                    - logs:DeleteSubscriptionFilter
+                    - logs:DescribeSubscriptionFilters
+                  Resource: !Sub 'arn:aws:logs:${DEFAULT_REGION}:${AWS::AccountId}:log-group:*:*'
+
+          - PolicyName: add_cloudwatch_logs_subscription_filter
+            PolicyDocument:
+              Version: '2012-10-17'
+              Statement:
+                - Effect: Allow
+                  Action:
+                    - cloudwatch:PutMetricAlarm
+                    - cloudwatch:DescribeAlarms
+                    - cloudwatch:DeleteAlarms
+                  Resource: !Sub 'arn:aws:cloudwatch:${DEFAULT_REGION}:${AWS::AccountId}:alarm:*'
diff --git a/sam/monitor-lambda/events/event.json b/sam/monitor-lambda/events/event.json
diff --git a/sam/monitor-lambda/__init__.py → sam/monitor-lambda/function/__init__.py b/sam/monitor-lambda/__init__.py → sam/monitor-lambda/function/__init__.py
diff --git a/sam/monitor-lambda/function/add_resources.py b/sam/monitor-lambda/function/add_resources.py
@@ -0,0 +1,3 @@
+import boto3
+
+#
diff --git a/sam/monitor-lambda/hello_world/__init__.py → sam/monitor-lambda/function/handler.py b/sam/monitor-lambda/hello_world/__init__.py → sam/monitor-lambda/function/handler.py
diff --git a/sam/monitor-lambda/function/notify_slack.py b/sam/monitor-lambda/function/notify_slack.py
diff --git a/sam/monitor-lambda/function/setting.py b/sam/monitor-lambda/function/setting.py
@@ -0,0 +1,45 @@
+"""This module sets up the configuration."""
+
+import datetime
+import json
+import os
+from pathlib import Path
+
+# environment variables
+DEFAULT_REGION = os.environ.get("AWS_REGION")
+SSM_PARAMETER_NAME = os.environ.get("SSM_PARAMETER_NAME")
+# ACCOUNT_ID = os.environ.get("ACCOUNT_ID")
+ACCOUNT_ID = "685339645368"
+
+print(ACCOUNT_ID)
+
+# setting.pyの絶対パスを取得
+current_file = Path(__file__).resolve()
+print(current_file)
+
+# setting.pyのディレクトリ（function/）を取得
+current_dir = current_file.parent
+print(current_dir)
+
+# 親ディレクトリ（プロジェクトルート）に移動してからconfigディレクトリに移動
+config_dir = current_dir.parent / "config"
+print(config_dir)
+
+# アカウント名の取得
+with open(f"{config_dir}/mapping.json") as f:
+    config = json.load(f)
+print(config)
+ACCOUNT_NAME = config["account_mapping"].get(str(ACCOUNT_ID))
+print(ACCOUNT_NAME)
+
+# lambda関数名を設定しているjsonファイルの読み込み
+with open(f"{config_dir}/{ACCOUNT_NAME}/lambda.json") as f:
+    functions = json.load(f)
+FUNCTIONS = functions["lambda"]
+print(FUNCTIONS)
+
+
+# Get date for slack notification
+today = datetime.datetime.now()
+weekday = today.strftime("%a")
+day_format = today.strftime("%Y/%-m/%-d") + f"({weekday})"
diff --git a/sam/monitor-lambda/hello_world/app.py b/sam/monitor-lambda/hello_world/app.py
diff --git a/sam/monitor-lambda/hello_world/requirements.txt b/sam/monitor-lambda/hello_world/requirements.txt
diff --git a/sam/monitor-lambda/template.yaml b/sam/monitor-lambda/template.yaml