Add rds multitenant module

README.md

@@ -24,7 +24,7 @@ This repository is a part of [Cloud Intelligence Dashboards](https://docs.aws.am
 
 This repository contains following elements:
 * [data-exports](/data-exports) - a Cloud Formation Templates for AWS Data Exports, such as Cost and Usage Report 2.0 and others. This allows a replication of Exports from your Management Account(s) to a Dedicated Data Collection Accounts as well as aggregation of multiple Exports from a set of Linked Accounts.
-* [data-collection](/data-collection) - a set of Cloud Formation Templates for collecting infrastructure operational data from Management and Linked Accounts. Such as data from AWS Trusted Advisor, AWS Compute Optimizer, Inventories, Pricing, AWS Health, AWS Support Cases etc. See more about types of data collected [here](/data-collection).
+* [data-collection](/data-collection) - a set of Cloud Formation Templates for collecting infrastructure operational data from Management and Linked Accounts. Such as data from AWS Trusted Advisor, AWS Compute Optimizer, Inventories, Pricing, AWS Health, AWS Support Cases, CloudWatch Database Insights, etc. See more about types of data collected [here](/data-collection).
 * [case-summarization](/case-summarization) - an additional Cloud Formation Template for deploying the AWS Support Case Summarization plugin that offers the capability to summarize cases through Generative AI powered by Amazon Bedrock.
 * [rls](/rls) - a stack for managing Row Level Security for CID Dashboards.
 * [security-hub](/security-hub) - Collection of data from AWS Security Hub.

data-collection/README.md

@@ -44,6 +44,7 @@ List of modules and objects collected:
 | `quicksight`                 |  [Amazon QuickSight](https://aws.amazon.com/quicksight/)    | Data Collection Account | Collects QuickSight User and Group information in the Data Collection Account only |
 | `resilience-hub`                 |   [AWS Resilince Hub](https://aws.amazon.com/resilience-hub/) | Linked Accounts |  |
 | `reference`                 |   Various services      | Data Collection Account | Collects reference data for other modules and dashboard to function |
+| `rds-multitenant`           |  [Amazon RDS](https://aws.amazon.com/rds/) | Data Collection Account | Collects CloudWatch Database Insights metrics for multi-tenant RDS instances to enable cost allocation by tenant |
 
 ### Deployment Overview
 
@@ -58,6 +59,5 @@ For deployment and further information please reference to this [documentation](
 
 [![Documentation](/.images/documentation.svg)](https://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/data-exports.html)
 
-
 ### Contributing
 See [CONTRIBUTING.md](CONTRIBUTING.md)

data-collection/deploy/deploy-data-collection.yaml

@@ -41,7 +41,8 @@ Metadata:
           - IncludeServiceQuotasModule
           - IncludeEUCUtilizationModule
           - IncludeResilienceHubModule
-          - IncludeReferenceModule          
+          - IncludeReferenceModule
+          - IncludeRdsMultitenantModule
       - Label:
           default: 'EUC (End User Compute) Module Configuration'
         Parameters:
@@ -294,6 +295,11 @@ Parameters:
     Description: Collects Reference data for other modules
     AllowedValues: ['yes', 'no']
     Default: 'no'
+  IncludeRdsMultitenantModule:
+    Type: String
+    Description: Collects RDS Performance Insights data for multi-tenant cost allocation
+    AllowedValues: ['yes', 'no']
+    Default: 'no'
 Conditions:
   DeployTAModule: !Equals [ !Ref IncludeTAModule, "yes"]
   DeployRightsizingModule: !Equals [ !Ref IncludeRightsizingModule, "yes"]
@@ -315,6 +321,7 @@ Conditions:
   DeployQuickSightModule: !Equals [ !Ref IncludeQuickSightModule, "yes"]
   DeployServiceQuotasModule: !Equals [ !Ref IncludeServiceQuotasModule, "yes"]
   DeployResilienceHubModule: !Equals [ !Ref IncludeResilienceHubModule, "yes"]
+  DeployRdsMultitenantModule: !Equals [ !Ref IncludeRdsMultitenantModule, "yes"]
   DeployPricingModule: !Or
     - !Condition DeployInventoryCollectorModule
     - !Condition DeployRDSUtilizationModule
@@ -340,6 +347,7 @@ Conditions:
       - !Condition DeployServiceQuotasModule
       - !Condition DeployEUCUtilizationModule 
       - !Condition DeployComputeOptimizerModule
+      - !Condition DeployRdsMultitenantModule
   RegionsInScopeIsEmpty: !Equals
     - !Join [ '', !Split [ ' ', !Ref RegionsInScope  ] ] # remove spaces
     - ""
@@ -1528,6 +1536,32 @@ Resources:
             - RegionsInScopeIsEmpty
             - !Sub "${AWS::Region}"
             - !Join [ '', !Split [ ' ', !Ref RegionsInScope  ] ] # remove spaces
+
+  RdsMultitenantModule:
+    Type: AWS::CloudFormation::Stack
+    Condition: DeployRdsMultitenantModule
+    Properties:
+      TemplateURL: "https://dcoccia-test-static-website.s3.eu-central-1.amazonaws.com/module-rds-multitenant.yaml" 
+      Parameters:
+        DatabaseName: !Ref DatabaseName
+        DataBucketsKmsKeysArns: !Ref DataBucketsKmsKeysArns
+        DestinationBucket: !Ref S3Bucket
+        DestinationBucketARN: !GetAtt S3Bucket.Arn
+        Schedule: !Ref Schedule
+        GlueRoleARN: !GetAtt GlueRole.Arn
+        ResourcePrefix: !Ref ResourcePrefix
+        LambdaAnalyticsARN: !GetAtt LambdaAnalytics.Arn
+        MultiAccountRoleName: !Sub "${ResourcePrefix}${MultiAccountRoleName}"
+        AccountCollectorLambdaARN: !Sub "${AccountCollector.Outputs.LambdaFunctionARN}"
+        CodeBucket: !If [ ProdCFNTemplateUsed, !FindInMap [RegionMap, !Ref "AWS::Region", CodeBucket], !Ref CFNSourceBucket ]
+        StepFunctionTemplate: !FindInMap [StepFunctionCode, main-state-machine, TemplatePath]
+        StepFunctionExecutionRoleARN: !GetAtt StepFunctionExecutionRole.Arn
+        SchedulerExecutionRoleARN: !GetAtt SchedulerExecutionRole.Arn
+        RegionsInScope:
+          Fn::If:
+            - RegionsInScopeIsEmpty
+            - !Sub "${AWS::Region}"
+            - !Join [ '', !Split [ ' ', !Ref RegionsInScope  ] ] # remove spaces
 
   AccountCollector:
     Type: AWS::CloudFormation::Stack

data-collection/deploy/deploy-data-read-permissions.yaml

@@ -33,6 +33,7 @@ Metadata:
           - IncludeLicenseManagerModule
           - IncludeServiceQuotasModule
           - IncludeResilienceHubModule
+          - IncludeRdsMultitenantModule
     ParameterLabels:
       ManagementAccountRole:
         default: "Management account role"
@@ -191,6 +192,11 @@ Parameters:
     Description: Collects Resilience Hub information
     AllowedValues: ['yes', 'no']
     Default: 'no'
+  IncludeRdsMultitenantModule:
+    Type: String
+    Description: Collects RDS Performance Insights data for multi-tenant cost allocation
+    AllowedValues: ['yes', 'no']
+    Default: 'no'
 Conditions:
   DeployModuleReadInMgmt: !Equals [!Ref AllowModuleReadInMgmt, "yes"]
 
@@ -230,6 +236,7 @@ Resources:
         IncludeTransitGatewayModule: !Ref IncludeTransitGatewayModule
         IncludeServiceQuotasModule: !Ref IncludeServiceQuotasModule
         IncludeResilienceHubModule: !Ref IncludeResilienceHubModule
+
 
   DataCollectorOrgAccountModulesReadStackSet:
     Type: AWS::CloudFormation::StackSet
@@ -272,6 +279,8 @@ Resources:
           ParameterValue: !Ref IncludeServiceQuotasModule
         - ParameterKey: IncludeResilienceHubModule
           ParameterValue: !Ref IncludeResilienceHubModule
+        - ParameterKey: IncludeRdsMultitenantModule
+          ParameterValue: !Ref IncludeRdsMultitenantModule
       StackInstancesGroup:
         - DeploymentTargets:
             OrganizationalUnitIds: !Split [",", !Ref OrganizationalUnitIds]

data-collection/deploy/deploy-in-linked-account.yaml

@@ -22,6 +22,7 @@ Metadata:
         - IncludeTransitGatewayModule
         - IncludeServiceQuotasModule
         - IncludeResilienceHubModule
+        - IncludeRdsMultitenantModule
     ParameterLabels:
       DataCollectionAccountID:
         default: 'Data Collection Account ID'
@@ -49,6 +50,8 @@ Metadata:
         default: 'Include Service Quotas Module'
       IncludeResilienceHubModule:
         default: 'Include Resilience Hub Module'
+      IncludeRdsMultitenantModule:
+        default: 'Include RDS Multitenant Module'
 
 Parameters:
   DataCollectionAccountID:
@@ -112,6 +115,11 @@ Parameters:
     Description: Collects Resilience Hub data from your accounts
     AllowedValues: ['yes', 'no']
     Default: 'no'
+  IncludeRdsMultitenantModule:
+    Type: String
+    Description: Collects RDS Performance Insights data for multi-tenant cost allocation
+    AllowedValues: ['yes', 'no']
+    Default: 'no'
 
 Conditions:
   IncludeTAModulePolicy:                 !Equals [!Ref IncludeTAModule, "yes"]
@@ -124,6 +132,7 @@ Conditions:
   IncludeTransitGatewayModulePolicy:     !Equals [!Ref IncludeTransitGatewayModule, "yes"]
   IncludeServiceQuotasModulePolicy:      !Equals [!Ref IncludeServiceQuotasModule, "yes"]
   IncludeResilienceHubModulePolicy:      !Equals [!Ref IncludeResilienceHubModule, "yes"]
+  IncludeRdsMultitenantModulePolicy:     !Equals [!Ref IncludeRdsMultitenantModule, "yes"]
 
 Outputs:
   LambdaRole:
@@ -155,6 +164,7 @@ Resources:
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}support-cases-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}service-quotas-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}resilience-hub-LambdaRole"
+                  - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}RDSMultitenant-Lambda-Role"
       Path: /
     Metadata:
       cfn_nag:
@@ -460,6 +470,31 @@ Resources:
             Resource: "*" # Wildcard required as actions do not support   resource-level permissions
       Roles:
         - Ref: LambdaRole
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W12
+            reason: "Policy is used for scanning of a wide range of resources"
+  # RDS Multitenant policy
+  RdsMultitenantPolicy:
+    Type: 'AWS::IAM::Policy'
+    Condition: IncludeRdsMultitenantModulePolicy
+    Properties:
+      PolicyName: RdsMultitenantPolicy
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: "Allow"
+            Action:
+              - "rds:DescribeDBInstances"
+            Resource: !Sub "arn:${AWS::Partition}:rds:*:${AWS::AccountId}:db:*"
+          - Effect: "Allow"
+            Action:
+              - "pi:GetResourceMetrics"
+              - "ec2:DescribeRegions"
+            Resource: "*"
+      Roles:
+        - Ref: LambdaRole
     Metadata:
       cfn_nag:
         rules_to_suppress:

data-collection/deploy/deploy-in-management-account.yaml

@@ -18,6 +18,7 @@ Metadata:
           - IncludeHealthEventsModule
           - IncludeRightsizingModule
           - IncludeLicenseManagerModule
+          - IncludeRdsMultitenantModule
           - IncludeServiceQuotasModule
     ParameterLabels:
       ManagementAccountRole:
@@ -38,6 +39,8 @@ Metadata:
         default: "Include Health Events Module"
       IncludeLicenseManagerModule:
         default: "Include Marketplace Licensing Module"
+      IncludeRdsMultitenantModule:
+        default: "Include RDS Multi-tenant Module"
       IncludeServiceQuotasModule:
         default: "Include Service Quotas Module"
 Parameters:
@@ -82,6 +85,11 @@ Parameters:
     Description: Collects Marketplace Licensing Information from your accounts
     AllowedValues: ['yes', 'no']
     Default: 'no'
+  IncludeRdsMultitenantModule:
+    Type: String
+    Description: Collects RDS Multi-tenant Performance Insights data from your accounts
+    AllowedValues: ['yes', 'no']
+    Default: 'no'
   IncludeServiceQuotasModule:
     Type: String
     Description: Collects Service Quotas Information from your accounts
@@ -95,6 +103,7 @@ Conditions:
   EnableBackupModule: !Equals [!Ref IncludeBackupModule, "yes"]
   EnableHealthEventsModule: !Equals [!Ref IncludeHealthEventsModule, "yes"]
   EnableLicenseManagerModule: !Equals [!Ref IncludeLicenseManagerModule, "yes"]
+  EnableRdsMultitenantModule: !Equals [!Ref IncludeRdsMultitenantModule, "yes"]
   EnableServiceQuotasModule: !Equals [!Ref IncludeServiceQuotasModule, "yes"]
 
 Outputs:
@@ -128,6 +137,7 @@ Resources:
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}backup-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}health-events-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}license-manager-LambdaRole"
+                  - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}rds-multitenant-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}RLS-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}service-quotas-LambdaRole"
       Path: /
@@ -339,6 +349,29 @@ Resources:
         rules_to_suppress:
           - id: W12
             reason: "Policy is used for scanning of a wide range of resources"
+  RdsMultitenantPolicy:
+    Type: "AWS::IAM::Policy"
+    Condition: EnableRdsMultitenantModule
+    Properties:
+      PolicyName: RdsMultitenantPolicy
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: "Allow"
+            Action:
+              - "pi:GetResourceMetrics"
+              - "pi:DescribeDimensionKeys"
+              - "pi:GetDimensionKeyDetails"
+              - "rds:DescribeDBInstances"
+              - "rds:DescribeDBClusters"
+            Resource: "*"
+      Roles:
+        - Ref: LambdaRole
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W12
+            reason: "Policy is used for scanning of a wide range of resources"
   ServiceQuotasPolicy:
     Type: "AWS::IAM::Policy"
     Condition: EnableServiceQuotasModule