Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(scheduler-targets-alpha): InspectorStartAssessmentRun Target #27850

Merged
merged 11 commits into from
Nov 30, 2023
19 changes: 19 additions & 0 deletions packages/@aws-cdk/aws-scheduler-targets-alpha/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ The following targets are supported:
4. `targets.SqsSendMessage`: [Send a Message to an Amazon SQS Queue](#send-a-message-to-sqs-queue)
5. `targets.SnsPublish`: [Publish messages to an Amazon SNS topic](#publish-messages-to-an-amazon-sns-topic)
6. `targets.EventBridgePutEvents`: [Put Events on EventBridge](#send-events-to-an-eventbridge-event-bus)
7. `targets.InspectorStartAssessmentRun`: [Start an Amazon Inspector assessment run](#start-an-amazon-inspector-assessment-run)

## Invoke a Lambda function

Expand Down Expand Up @@ -206,3 +207,21 @@ new Schedule(this, 'Schedule', {
target: new targets.EventBridgePutEvents(eventEntry, {}),
});
```

## Start an Amazon Inspector assessment run

Use the `InspectorStartAssessmentRun` target to start an Inspector assessment run.

The code snippet below creates an event rule with an assessment template as target which is
called every hour by Event Bridge Scheduler.

```ts
import * as inspector from 'aws-cdk-lib/aws-inspector';

declare const assessmentTemplate: inspector.CfnAssessmentTemplate;

new Schedule(this, 'Schedule', {
schedule: ScheduleExpression.rate(Duration.minutes(60)),
target: new targets.InspectorStartAssessmentRun(assessmentTemplate),
});
```
5 changes: 3 additions & 2 deletions packages/@aws-cdk/aws-scheduler-targets-alpha/lib/index.ts
Original file line number Diff line number Diff line change
@@ -1,7 +1,8 @@
export * from './codebuild-start-build';
export * from './event-bridge-put-events';
export * from './target';
export * from './inspector-start-assessment-run';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please order these alphabetically?

export * from './lambda-invoke';
export * from './sns-publish';
export * from './sqs-send-message';
export * from './stepfunctions-start-execution';
export * from './sqs-send-message';
export * from './target';
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
import { ISchedule, IScheduleTarget } from '@aws-cdk/aws-scheduler-alpha';
import { Names } from 'aws-cdk-lib';
import { IRole, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { CfnAssessmentTemplate } from 'aws-cdk-lib/aws-inspector';
import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target';
import { sameEnvDimension } from './util';

/**
* Use an Amazon Inspector as a target for AWS EventBridge Scheduler.
*/
export class InspectorStartAssessmentRun extends ScheduleTargetBase implements IScheduleTarget {
constructor(
private readonly template: CfnAssessmentTemplate,
private readonly props: ScheduleTargetBaseProps = {},
) {
super(props, template.attrArn);
}

protected addTargetActionToRole(schedule: ISchedule, role: IRole): void {
if (!sameEnvDimension(this.template.stack.region, schedule.env.region)) {
throw new Error(`Cannot assign assessment template in region ${this.template.stack.region} to the schedule ${Names.nodeUniqueId(schedule.node)} in region ${schedule.env.region}. Both the schedule and the assessment template must be in the same region.`);
}

if (!sameEnvDimension(this.template.stack.account, schedule.env.account)) {
throw new Error(`Cannot assign assessment template in account ${this.template.stack.account} to the schedule ${Names.nodeUniqueId(schedule.node)} in account ${schedule.env.region}. Both the schedule and the assessment template must be in the same account.`);
}

if (this.props.role && !sameEnvDimension(this.props.role.env.account, this.template.stack.account)) {
throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(this.template.node)} in account ${this.template.stack.account}. Both the target and the execution role must be in the same account.`);
}

role.addToPrincipalPolicy(new PolicyStatement({
actions: ['inspector:StartAssessmentRun'],
resources: ['*'],
}));
}
}
Loading
Loading