AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: Anghammarad Lambda and SNS topic Parameters: ArtifactBucket: Description: S3 bucket containing the Lambda's artifact Type: String ArtifactLocation: Description: S3 path to the Lambda's artifact Type: String ConfigBucket: Description: S3 bucket containing the configuration Type: String Stage: Description: Application stage (e.g. PROD, CODE) Type: String AllowedValues: - PROD - CODE - DEV AllowedAWSAccountIDs: Description: List of AWS account IDs to grant SNS Publish permission to Type: CommaDelimitedList SendAlarmNotifications: Type: String Default: TRUE AllowedValues: - TRUE - FALSE Mappings: Constants: Stack: Value: deploy App: Value: anghammarad Resources: DeadLetterQueue: Type: AWS::SQS::Queue Properties: QueueName: !Sub anghammarad-${Stage}-dead-letters KmsMasterKeyId: alias/aws/sqs ProcessorFunction: Type: AWS::Serverless::Function Properties: FunctionName: !Sub anghammarad-${Stage} Description: !Sub Process Anghammarad ${Stage} notifications Policies: - Statement: - Effect: Allow Action: - ses:SendEmail Resource: "*" - Statement: - Effect: Allow Action: - s3:GetObject Resource: !Sub arn:aws:s3:::${ConfigBucket}/* Handler: com.gu.anghammarad.Lambda::handleRequest Runtime: java21 MemorySize: 512 Timeout: 30 CodeUri: Bucket: !Ref ArtifactBucket Key: !Ref ArtifactLocation Events: Notification: Type: SNS Properties: Topic: !Ref NotificationTopic Environment: Variables: Stage: !Ref Stage Tags: Stack: !FindInMap [ Constants, Stack, Value ] App: !FindInMap [ Constants, App, Value ] Stage: !Ref Stage DeadLetterQueue: TargetArn: !GetAtt DeadLetterQueue.Arn Type: SQS NotificationTopic: Type: AWS::SNS::Topic Properties: DisplayName: !Sub Anghammarad ${Stage} notification topic NotificationTopicPolicy: Type: "AWS::SNS::TopicPolicy" Properties: PolicyDocument: Statement: - Effect: Allow Action: - SNS:Publish Principal: AWS: !Ref AllowedAWSAccountIDs Resource: "*" Topics: - !Ref NotificationTopic DlqDepthAlarm: Type: AWS::CloudWatch::Alarm Properties: AlarmDescription: !Sub | Triggers if Anghammarad failed to process some messages in ${Stage}. For suggested actions, see: https://docs.google.com/document/d/1cDd9mVAKFAYibuBPiCw4HkSCl16dG5zSu0qdSXDPuSE/edit# Namespace: AWS/SQS MetricName: ApproximateNumberOfMessagesVisible Dimensions: - Name: QueueName Value: !GetAtt DeadLetterQueue.QueueName Period: 60 Statistic: Sum EvaluationPeriods: 1 ComparisonOperator: GreaterThanThreshold Threshold: 0 AlarmActions: [ !Sub "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:devx-sec-ops-reliability-alerts" ] ActionsEnabled: !Ref SendAlarmNotifications TreatMissingData: notBreaching Outputs: TopicName: Value: !GetAtt NotificationTopic.TopicName