diff --git a/org-formation/740-cloudwatch-dashboard/CloudWatch-CrossAccountSharingRole-AccountList.yaml b/org-formation/740-cloudwatch-dashboard/CloudWatch-CrossAccountSharingRole-AccountList.yaml
deleted file mode 100644
index e2c4fb48..00000000
--- a/org-formation/740-cloudwatch-dashboard/CloudWatch-CrossAccountSharingRole-AccountList.yaml
+++ /dev/null
@@ -1,75 +0,0 @@ -# This template is downloaded from the AWS Console (from org-sagebase-monitorcentral account) -# Cloudwatch -> Settings -> Share your CloudWatch data -> Create CloudFormation stack -# It should be deployed to all member accounts except for the org-sagebase-monitorcentral account - -AWSTemplateFormatVersion: '2010-09-09' -Description: Enables CloudWatch in central monitoring accounts to assume permissions to view CloudWatch data in the current account - -Parameters: - MonitoringAccountIds: - Description: Allows one or more monitoring accounts to view your data. Enter AWS account ids, 12 numeric digits in comma-separated list - Type: CommaDelimitedList - - Policy: - Description: The level of access to give to the Monitoring accounts - Type: String - Default: CloudWatch-and-AutomaticDashboards - AllowedValues: - - CloudWatch-and-AutomaticDashboards - - CloudWatch-and-ServiceLens - - CloudWatch-AutomaticDashboards-and-ServiceLens - - CloudWatch-core-permissions - - View-Access-for-all-services - -Conditions: - DoFullReadOnly: !Equals [ !Ref Policy, View-Access-for-all-services ] - DoAutomaticDashboards: !Equals [ !Ref Policy, CloudWatch-and-AutomaticDashboards ] - DoServiceLens: !Equals [ !Ref Policy, CloudWatch-and-ServiceLens ] - DoServiceLensAndAutomaticDashboards: !Equals [ !Ref Policy, CloudWatch-AutomaticDashboards-and-ServiceLens ] - DoCWReadOnly: !Equals [ !Ref Policy, CloudWatch-core-permissions ] - -Resources: - CWCrossAccountSharingRole: - Type: AWS::IAM::Role - Properties: - RoleName: CloudWatch-CrossAccountSharingRole - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - AWS: !Split - - ',' - - !Sub - - 'arn:aws:iam::${inner}:root' - - inner: !Join - - ':root,arn:aws:iam::' - - Ref: MonitoringAccountIds - Action: - - sts:AssumeRole - Path: "/" - ManagedPolicyArns: !If - - DoFullReadOnly - - - - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess - - 
arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess - - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess - - arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess - - !If - - DoAutomaticDashboards - - - - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess - - arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess - - !If - - DoServiceLens - - - - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess - - arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess - - !If - - DoServiceLensAndAutomaticDashboards - - - - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess - - arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess - - arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess - - - - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess diff --git a/org-formation/740-cloudwatch-dashboard/Cloudwatch-Link-Management-Account.yaml b/org-formation/740-cloudwatch-dashboard/Cloudwatch-Link-Management-Account.yaml deleted file mode 100644 index 9bc8b4f9..00000000 --- a/org-formation/740-cloudwatch-dashboard/Cloudwatch-Link-Management-Account.yaml +++ /dev/null 
@@ -1,25 +0,0 @@
-# This template is downloaded from the AWS Console (from org-sagebase-monitorcentral account)
-# Cloudwatch -> Settings -> Determine how to link your source accounts
-# It should be deployed to all member accounts except for the org-sagebase-monitorcentral account
-
-AWSTemplateFormatVersion: 2010-09-09
-
-Parameters:
- MonitoringAccountId:
- Description: Allows one or more monitoring accounts to view your data. Enter AWS account ids, 12 numeric digits in comma-separated list
- Type: String
- SinkIdentifier:
- Description: ID of the attachment point in the cloudwatch monitoring account.
- Type: String
-
-Resources:
- Link:
- Type: AWS::Oam::Link
- Properties:
- LabelTemplate: "$AccountName"
- ResourceTypes:
- - "AWS::CloudWatch::Metric"
- - "AWS::Logs::LogGroup"
- - "AWS::XRay::Trace"
- - "AWS::ApplicationInsights::Application"
- SinkIdentifier: !Sub "arn:aws:oam:us-east-1:${MonitoringAccountId}:sink/${SinkIdentifier}"
diff --git a/org-formation/740-cloudwatch-dashboard/_tasks.yaml b/org-formation/740-cloudwatch-dashboard/_tasks.yaml
index 90ff8d21..d24ec6e1 100644
--- a/org-formation/740-cloudwatch-dashboard/_tasks.yaml
+++ b/org-formation/740-cloudwatch-dashboard/_tasks.yaml
@@ -19,7 +19,7 @@ CrossAccountListAccountRole:
 # Link cloudwatch in member accounts to MonitorCentral
 LinkManagementAccount:
 Type: update-stacks
- Template: ./Cloudwatch-Link-Management-Account.yaml
+ Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.8.6/templates/Cloudwatch/Link-Management-Account.yaml
 StackName: !Sub '${resourcePrefix}-${appName}-LinkManagementAccount'
 DefaultOrganizationBindingRegion: !Ref primaryRegion
 DefaultOrganizationBinding:
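Review bot: The new `Template:` line pins the remote template to the git tag `v0.8.6`, and a tag is mutable, so anyone who can move that tag in Sage-Bionetworks/aws-infra can change what org-formation deploys into every bound member account with nothing visible in this repo. HTTPS to raw.githubusercontent.com protects the transport, but as far as I can see org-formation does not check the fetched content against a digest. Pin to an immutable commit instead, e.g. `Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/<commit-sha>/templates/Cloudwatch/Link-Management-Account.yaml`, with a comment recording that it corresponds to v0.8.6, or keep a vendored copy in this directory as before. The `LinkManagementAccount` task continues past the end of the hunk.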
@@ -32,7 +32,7 @@ LinkManagementAccount:
 # Allow member accounts to share cloudwatch data with MonitorCentral
 CrossAccountSharingRole:
 Type: update-stacks
- Template: ./CloudWatch-CrossAccountSharingRole-AccountList.yaml
+ Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.8.6/templates/Cloudwatch/CrossAccountSharingRole-AccountList.yaml
 StackName: !Sub '${resourcePrefix}-${appName}-CrossAccountSharingRole'
 DefaultOrganizationBindingRegion: !Ref primaryRegion
 DefaultOrganizationBinding:
diff --git a/sceptre/aws-opendata/config/prod/CloudWatch-CrossAccountSharingRole-AccountList.yaml b/sceptre/aws-opendata/config/prod/CloudWatch-CrossAccountSharingRole-AccountList.yaml
new file mode 100644
index 00000000..5d8ca735
--- /dev/null
+++ b/sceptre/aws-opendata/config/prod/CloudWatch-CrossAccountSharingRole-AccountList.yaml
@@ -0,0 +1,10 @@
+template:
+ type: "http"
+ url: "https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.8.6/templates/Cloudwatch/CrossAccountSharingRole-AccountList.yaml"
+stack_name: sagebase-CloudWatcDashboard-CrossAccountSharingRole'
+stack_tags:
+ OwnerEmail: "it@sagebase.org"
+dependencies:
+ - "prod/CloudWatch-CrossAccountSharingRole-AccountList.yaml"
+parameters:
+ MonitoringAccountIds: "767397888168"
diff --git a/sceptre/aws-opendata/config/prod/Cloudwatch-Link-Management-Account.yaml b/sceptre/aws-opendata/config/prod/Cloudwatch-Link-Management-Account.yaml
new file mode 100644
index 00000000..f2618682
--- /dev/null
+++ b/sceptre/aws-opendata/config/prod/Cloudwatch-Link-Management-Account.yaml
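Review bot: The template now fetched from the `v0.8.6` URL is the one that creates `CloudWatch-CrossAccountSharingRole` and its trust policy (the deleted local copy trusted each `MonitoringAccountIds` account as `:root`), so the principal these accounts trust is now defined by whatever that URL serves at deploy time rather than by reviewed content in this repo. Before merging, diff the remote file at that tag against the deleted `CloudWatch-CrossAccountSharingRole-AccountList.yaml` to confirm the trust statement and the `ManagedPolicyArns` choices are unchanged, and pin to a commit SHA rather than a tag that can be re-pointed. A comment above the task such as `# Remote template defines the role trust policy; review the aws-infra diff before bumping the version` would make that obligation explicit. The `CrossAccountSharingRole` task continues past the end of the hunk.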
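Review bot: `stack_name: sagebase-CloudWatcDashboard-CrossAccountSharingRole'` carries a stray trailing quote that YAML keeps as part of the plain scalar, so Sceptre would request a stack whose name ends in `'`, which CloudFormation's `[a-zA-Z][-a-zA-Z0-9]*` stack-name rule rejects; `CloudWatc` also looks like a typo for `CloudWatch`. `dependencies` lists this config's own path, `prod/CloudWatch-CrossAccountSharingRole-AccountList.yaml`, which is a self-dependency; the sibling Link config in this directory depends on `prod/bootstrap.yaml`, which is presumably what was intended. The monitoring account is hard-coded as `"767397888168"` while the sibling config resolves `MonitorCentralAccount`, so the principal this IAM role trusts can drift between the three copies of this file. Suggested lines: `stack_name: "sagebase-CloudWatchDashboard-CrossAccountSharingRole"` and `- "prod/bootstrap.yaml"`.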
@@ -0,0 +1,11 @@
+template:
+ type: "http"
+ url: "https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.8.6/templates/Cloudwatch/Link-Management-Account.yaml"
+stack_name: "sagebase-CloudWatcDashboard-CrossAccountSharingRole"
+stack_tags:
+ OwnerEmail: "it@sagebase.org"
+dependencies:
+ - "prod/bootstrap.yaml"
+parameters:
+ MonitoringAccountId: !Ref MonitorCentralAccount
+ SinkIdentifier: "6046cc13-135d-4e41-ae56-63327a7a7b8c"
diff --git a/sceptre/strides-ampad-workflows/config/prod/CloudWatch-CrossAccountSharingRole-AccountList.yaml b/sceptre/strides-ampad-workflows/config/prod/CloudWatch-CrossAccountSharingRole-AccountList.yaml
new file mode 100644
index 00000000..5d8ca735
--- /dev/null
+++ b/sceptre/strides-ampad-workflows/config/prod/CloudWatch-CrossAccountSharingRole-AccountList.yaml
@@ -0,0 +1,10 @@
+template:
+ type: "http"
+ url: "https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.8.6/templates/Cloudwatch/CrossAccountSharingRole-AccountList.yaml"
+stack_name: sagebase-CloudWatcDashboard-CrossAccountSharingRole'
+stack_tags:
+ OwnerEmail: "it@sagebase.org"
+dependencies:
+ - "prod/CloudWatch-CrossAccountSharingRole-AccountList.yaml"
+parameters:
+ MonitoringAccountIds: "767397888168"
diff --git a/sceptre/strides-ampad-workflows/config/prod/Cloudwatch-Link-Management-Account.yaml b/sceptre/strides-ampad-workflows/config/prod/Cloudwatch-Link-Management-Account.yaml
new file mode 100644
index 00000000..f2618682
--- /dev/null
+++ b/sceptre/strides-ampad-workflows/config/prod/Cloudwatch-Link-Management-Account.yaml
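Review bot: `stack_name: "sagebase-CloudWatcDashboard-CrossAccountSharingRole"` reuses the name of the sibling `CloudWatch-CrossAccountSharingRole-AccountList.yaml` config in the same directory, so both Sceptre configs target one CloudFormation stack and whichever is launched second updates the other's stack with a different template, replacing the IAM role with the OAM link or the reverse. Give the link its own name, e.g. `stack_name: "sagebase-CloudWatchDashboard-LinkManagementAccount"`. `MonitoringAccountId: !Ref MonitorCentralAccount` uses a CloudFormation intrinsic rather than a Sceptre resolver; unless this project registers a custom `!Ref` resolver, the config will fail to load, and the sibling config passes the account id as a literal string instead. `SinkIdentifier` is a hard-coded sink UUID for one monitoring account in one region; a comment naming whose sink it is would help, since the sink policy on that side is what actually limits which source accounts may link.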
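Review bot: `stack_name: sagebase-CloudWatcDashboard-CrossAccountSharingRole'` ends in a stray quote that becomes part of the plain scalar, so the requested stack name ends in `'` and fails CloudFormation's `[a-zA-Z][-a-zA-Z0-9]*` rule; this blob (`5d8ca735`) is identical to the aws-opendata copy, so the defect is duplicated. `dependencies` names this config's own path, `prod/CloudWatch-CrossAccountSharingRole-AccountList.yaml`, which is a self-dependency rather than the `prod/bootstrap.yaml` the sibling Link config uses. The trusted account is hard-coded as `"767397888168"` instead of resolved from `MonitorCentralAccount` as the sibling does, so the three copies can diverge silently. Suggested lines: `stack_name: "sagebase-CloudWatchDashboard-CrossAccountSharingRole"` and `- "prod/bootstrap.yaml"`.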
@@ -0,0 +1,11 @@
+template:
+ type: "http"
+ url: "https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.8.6/templates/Cloudwatch/Link-Management-Account.yaml"
+stack_name: "sagebase-CloudWatcDashboard-CrossAccountSharingRole"
+stack_tags:
+ OwnerEmail: "it@sagebase.org"
+dependencies:
+ - "prod/bootstrap.yaml"
+parameters:
+ MonitoringAccountId: !Ref MonitorCentralAccount
+ SinkIdentifier: "6046cc13-135d-4e41-ae56-63327a7a7b8c"
diff --git a/sceptre/strides/config/prod/CloudWatch-CrossAccountSharingRole-AccountList.yaml b/sceptre/strides/config/prod/CloudWatch-CrossAccountSharingRole-AccountList.yaml
new file mode 100644
index 00000000..5d8ca735
--- /dev/null
+++ b/sceptre/strides/config/prod/CloudWatch-CrossAccountSharingRole-AccountList.yaml
@@ -0,0 +1,10 @@
+template:
+ type: "http"
+ url: "https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.8.6/templates/Cloudwatch/CrossAccountSharingRole-AccountList.yaml"
+stack_name: sagebase-CloudWatcDashboard-CrossAccountSharingRole'
+stack_tags:
+ OwnerEmail: "it@sagebase.org"
+dependencies:
+ - "prod/CloudWatch-CrossAccountSharingRole-AccountList.yaml"
+parameters:
+ MonitoringAccountIds: "767397888168"
diff --git a/sceptre/strides/config/prod/Cloudwatch-Link-Management-Account.yaml b/sceptre/strides/config/prod/Cloudwatch-Link-Management-Account.yaml
new file mode 100644
index 00000000..f2618682
--- /dev/null
+++ b/sceptre/strides/config/prod/Cloudwatch-Link-Management-Account.yaml
@@ -0,0 +1,11 @@
+template:
+ type: "http"
+ url: "https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.8.6/templates/Cloudwatch/Link-Management-Account.yaml"
+stack_name: "sagebase-CloudWatcDashboard-CrossAccountSharingRole"
+stack_tags:
+ OwnerEmail: "it@sagebase.org"
+dependencies:
+ - "prod/bootstrap.yaml"
+parameters:
+ MonitoringAccountId: !Ref MonitorCentralAccount
+ SinkIdentifier: "6046cc13-135d-4e41-ae56-63327a7a7b8c"
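Review bot: `stack_name: "sagebase-CloudWatcDashboard-CrossAccountSharingRole"` collides with the stack name used by the sibling `CloudWatch-CrossAccountSharingRole-AccountList.yaml` config in this directory, so the two configs would fight over one CloudFormation stack and the later launch replaces the other's resources; this blob (`f2618682`) is identical to the aws-opendata copy. Use a distinct name, e.g. `stack_name: "sagebase-CloudWatchDashboard-LinkManagementAccount"`. `MonitoringAccountId: !Ref MonitorCentralAccount` is a CloudFormation intrinsic, not a Sceptre resolver, so unless a custom `!Ref` resolver is registered the file will not load; the sibling config passes a literal account id. The hard-coded `SinkIdentifier` deserves a comment stating which monitoring account and region it belongs to.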
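Review bot: `stack_name: sagebase-CloudWatcDashboard-CrossAccountSharingRole'` has a trailing quote that YAML keeps in the plain scalar, producing a stack name ending in `'` that CloudFormation's `[a-zA-Z][-a-zA-Z0-9]*` rule rejects; the blob (`5d8ca735`) is the same as the other two copies, so all three need the fix. `dependencies` points at this config's own path, `prod/CloudWatch-CrossAccountSharingRole-AccountList.yaml`, a self-dependency where the sibling Link config uses `prod/bootstrap.yaml`. The trusted account `"767397888168"` is hard-coded rather than resolved from `MonitorCentralAccount` like the sibling, which lets the trusted principal drift between copies. Suggested lines: `stack_name: "sagebase-CloudWatchDashboard-CrossAccountSharingRole"` and `- "prod/bootstrap.yaml"`.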
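Review bot: `stack_name: "sagebase-CloudWatcDashboard-CrossAccountSharingRole"` is the same name the sibling `CloudWatch-CrossAccountSharingRole-AccountList.yaml` config in this directory uses, so both Sceptre configs would deploy into a single stack and overwrite each other's template (IAM role versus OAM link). Rename it, e.g. `stack_name: "sagebase-CloudWatchDashboard-LinkManagementAccount"`. `MonitoringAccountId: !Ref MonitorCentralAccount` relies on a CloudFormation intrinsic inside a Sceptre config; unless this project defines a custom `!Ref` resolver it will not load, and the sibling config uses a literal account id, so one of the two conventions should be picked for all copies.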