Parameters: CloudWatchLogsTargetLogGroupName: Type: String Description: The AWS CloudWatch Logs "log group" name for Border0 to write logs to. Default: border0-events-sink AssumeRoleName: Type: String Description: The name for the Border0 cloudwatch integration role (for Border0 to assume). MinLength: 5 AllowedPattern: ^[\w+=,.@:\/-]*$ Default: Border0CloudWatchIntegrationRole AssumeRoleExternalId: Type: String Description: A (secret) string that Border0 must present in order to assume a role in the account. MinLength: 20 AllowedPattern: ^[\w+=,.@:\/-]*$ Resources: Border0CloudWatchIntegrationTargetLogGroup: Type: AWS::Logs::LogGroup Properties: LogGroupName: !Ref CloudWatchLogsTargetLogGroupName Border0CloudWatchIntegrationRole: Type: AWS::IAM::Role Properties: RoleName: !Ref AssumeRoleName AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: AWS: - !Sub arn:aws:iam::774169227652:root # border0 staging - !Sub arn:aws:iam::235487987553:root # border0 production Action: sts:AssumeRole Condition: StringEquals: sts:ExternalId: !Ref AssumeRoleExternalId Border0CloudWatchIntegrationRolePolicy: Type: AWS::IAM::Policy Properties: PolicyName: Border0CloudWatchIntegrationRolePolicy Roles: - !Ref Border0CloudWatchIntegrationRole PolicyDocument: Version: 2012-10-17 Statement: - Sid: AllowManagingAllLogStreamsInLogGroup Effect: Allow Action: - logs:CreateLogStream - logs:DescribeLogStreams - logs:PutLogEvents Resource: - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${Border0CloudWatchIntegrationTargetLogGroup}' - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${Border0CloudWatchIntegrationTargetLogGroup}:log-stream:*' Outputs: Border0CloudWatchIntegrationLogGroupARN: Description: "The ARN of the AWS CloudWatch Logs log group in this account for Border0 to manage." Value: !GetAtt Border0CloudWatchIntegrationTargetLogGroup.Arn Border0CloudWatchIntegrationRoleARN: Description: "The ARN of the AWS IAM Role in this account for Border0 to assume." Value: !GetAtt Border0CloudWatchIntegrationRole.Arn ExternalID: Description: "The (secret) string that Border0 must present in order to assume a role in the account." Value: !Ref AssumeRoleExternalId