Runbooks (#24)

* Update README.md Signed-off-by: James Pether Sörling <pethers@users.noreply.github.com> * setup disaster recovery stack --------- Signed-off-by: James Pether Sörling <pethers@users.noreply.github.com>
Hack23 · Feb 28, 2023 · 11d1a88 · 11d1a88
1 parent 82a882d
commit 11d1a88
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 20 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -89,6 +89,8 @@ jobs:
             echo "AliasTargetHostedZoneId2=$AliasTargetHostedZoneId"  >> $GITHUB_ENV
             AliasTargetDNSName=`aws cloudformation describe-stacks --stack-name lambda-vpc --query "Stacks[0].Outputs[?OutputKey == 'AliasTargetDNSName'].OutputValue" | grep aws | xargs`
             echo "AliasTargetDNSName2=$AliasTargetDNSName"  >> $GITHUB_ENV
+            ApiRoleName=`aws cloudformation describe-stacks --stack-name lambda-vpc --query "Stacks[0].Outputs[?OutputKey == 'ApiRoleName'].OutputValue" | grep -v '\[' | grep -v '\]' | xargs`
+            echo "ApiRoleName=$ApiRoleName"  >> $GITHUB_ENV
       - name: Show Output Irland
         run: |
             echo "${{ env.HealthCheckId }}"
@@ -100,16 +102,11 @@ jobs:
           name: lambda-vpc-route53
           template: cloudformation/route53.yml
           capabilities: CAPABILITY_NAMED_IAM
-          parameter-overrides: "DomainNamePrefix=api,HealthCheckId=${{ env.HealthCheckId }},RestApiDomainNameRegionalHostedZoneId=${{ env.AliasTargetHostedZoneId }},RestApiDomainNameRegionalDomainName=${{ env.AliasTargetDNSName }},HealthCheckId2=${{ env.HealthCheckId2 }},RestApiDomainNameRegionalHostedZoneId2=${{ env.AliasTargetHostedZoneId2 }},RestApiDomainNameRegionalDomainName2=${{ env.AliasTargetDNSName2 }}"
-
-
-
-
-
-
-
-
-
-
-
-
+          parameter-overrides: "DomainNamePrefix=api,HealthCheckId=${{ env.HealthCheckId }},RestApiDomainNameRegionalHostedZoneId=${{ env.AliasTargetHostedZoneId }},RestApiDomainNameRegionalDomainName=${{ env.AliasTargetDNSName }},HealthCheckId2=${{ env.HealthCheckId2 }},RestApiDomainNameRegionalHostedZoneId2=${{ env.AliasTargetHostedZoneId2 }},RestApiDomainNameRegionalDomainName2=${{ env.AliasTargetDNSName2 }}"          
+      - name: Deploy to AWS CloudFormation Disaster Recovery
+        uses: aws-actions/aws-cloudformation-github-deploy@v1
+        with:
+          name: lambda-vpc-disaster-recovery
+          template: cloudformation/disaster-recovery.yml
+          capabilities: CAPABILITY_NAMED_IAM
+          parameter-overrides: "ApiRole=${{ env.ApiRoleName }}"
diff --git a/README.md b/README.md
@@ -18,6 +18,15 @@ Badges
 
 https://docs.aws.amazon.com/resilience-hub/latest/userguide/concepts-terms.html
 
+
+# Runbooks
+
+https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-ref-ddb.html
+https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-ref-lam.html
+https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-ref-abp.html
+https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-ref-iam.html
+
+
 ![Policy](ResilienceHubPolicy.png)
 
 ![Route53 Policy](route53-policy.png)

diff --git a/cloudformation/disaster-recovery.png b/cloudformation/disaster-recovery.png
diff --git a/cloudformation/disaster-recovery.yml b/cloudformation/disaster-recovery.yml
@@ -4,17 +4,18 @@ Parameters:
   ApiRole:
     Description: ApiRole Name
     Type: String
-    Default: ''
   FaultInjectionExperimentDuration:
     Type: String
     Description: 'Enter the Duration of the Access Denied Injection in ISO 8601 Format, e.g. PT2M = 2 Minutes'
-    Default: PT2M
+    Default: PT5M
   DynamoDBSourceTableBackupArn:
     Type: String
     Description: 'DynamoDBSourceTableBackupArn to restore from backup'
+    Default: ''
   RecoveryPointDateTime:
     Type: String
     Description: 'RecoveryPointDateTime to restore from pitr in time in format YYYY-MM-DDTHH:MM:SSZ'
+    Default: ''    
 Resources:
   AWSResilienceHubSwitchLambdaVersionInAliasSOPAssumeRole:
     Type: AWS::IAM::Role
@@ -431,7 +432,7 @@ Resources:
               {
                 "DynamoDBTableSourceName":"global-table",
                 "DynamoDBSourceTableBackupArn":"${DynamoDBSourceTableBackupArn}",
-                "DynamoDBTableTargetName":"global-table",
+                "DynamoDBTableTargetName":"global-table-backup",
                 "CopyAllProperties":true,
                 "AutomationAssumeRole":"arn:aws:iam::${AWS::AccountId}:role/${SsmAutomationRole}"
               }
@@ -498,8 +499,17 @@ Resources:
               Effect: Allow
               Action: 'iam:PassRole'
               Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${SsmAutomationRole}'
-
-
+  HealthCheckApi: 
+    Type: 'AWS::Route53::HealthCheck'
+    Properties: 
+      HealthCheckConfig: 
+        Port: 443
+        Type: HTTPS
+        EnableSNI: True
+        ResourcePath: "v1/healthcheck"
+        FullyQualifiedDomainName: "api.hack23.com"
+        RequestInterval: 10
+        FailureThreshold: 2
 Outputs:
   AWSResilienceHubSwitchLambdaVersionInAliasSOPAssumeRole:
     Description: AWSResilienceHub-SwitchLambdaVersionInAliasSOP_2020-10-26 Automation Assume Role ARN

diff --git a/cloudformation/template.yml b/cloudformation/template.yml
@@ -768,8 +768,8 @@ Resources:
         EnableSNI: True
         ResourcePath: !Sub "${ApiStage}/healthcheck"
         FullyQualifiedDomainName: !Sub "${RestApi}.execute-api.${AWS::Region}.amazonaws.com"
-        RequestInterval: 30
-        FailureThreshold: 3
+        RequestInterval: 10
+        FailureThreshold: 2
 Metadata: {}
 Outputs:
   HealthCheckId: