Config Organization Solution

aws_sra_examples/solutions/config/config_org/lambda/src/app.py

@@ -509,7 +509,10 @@ def orchestrator(event: Dict[str, Any], context: Any) -> None:
         event: event data
         context: runtime information
     """
-    if event.get("RequestType"):
+    if event.get("Terraform"):
+        LOGGER.info("...calling terraform handler...")
+        process_event_cloudformation(event, context)
+    elif event.get("RequestType"):
         LOGGER.info("...calling helper...")
         helper(event, context)
     elif event.get("Records") and event["Records"][0]["EventSource"] == "aws:sns":

aws_sra_examples/terraform/common/main.tf

@@ -123,7 +123,8 @@ resource "local_file" "config_file_creation" {
     enable_cloudtrail_org      = false
     enable_iam_password_policy = false
     enable_inspector           = false
-
+    enable_config_org          = false
+
     ########################################################################
     # Guard Duty Settings
     ########################################################################

aws_sra_examples/terraform/common/variables.tf

@@ -2,9 +2,15 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: MIT-0
 ########################################################################
+variable "account_region" {
+  type = string
+  description = "Default Account Region to deploy in"
+  default     = "us-east-1"
+}
+
 variable "control_tower" {
   description = "AWS Control Tower landing zone deployed/in-use"
-  default     = "true"
+  default     = "false"
 }
 
 variable "governed_regions" {

aws_sra_examples/terraform/solutions/cloudtrail_org/org/main.tf

@@ -289,7 +289,7 @@ resource "aws_lambda_function" "cloudtrail_org_lambda_function" {
   #checkov:skip=CKV_AWS_115: Ensure that AWS Lambda function is configured for function-level concurrent execution limit
   #checkov:skip=CKV_AWS_117: Ensure that AWS Lambda function is configured inside a VPC
   #checkov:skip=CKV_AWS_50: X-Ray tracing is enabled for Lambda
-  
+
   description   = "Creates an Organization CloudTrail"
   function_name = var.cloudtrail_lambda_function_name
   role          = aws_iam_role.cloudtrail_lambda_role.arn

aws_sra_examples/terraform/solutions/cloudtrail_org/s3/main.tf

@@ -144,7 +144,7 @@ resource "aws_s3_bucket_policy" "org_trail_bucket_policy" {
 resource "aws_secretsmanager_secret" "org_trail_s3_bucket_secret" {
   #checkov:skip=CKV_AWS_149: Ensure that Secrets Manager secret is encrypted using KMS CMK
   #checkov:skip=CKV2_AWS_57: Ensure Secrets Manager secrets should have automatic rotation enabled
-  
+
   count = var.sra_secrets_key_alias_arn != "" ? 1 : 0
 
   name        = "sra/cloudtrail_org_s3_bucket"

aws_sra_examples/terraform/solutions/config_org/aggregator_org_configuration/data.tf

@@ -0,0 +1,9 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+data "aws_organizations_organization" "current" {}

aws_sra_examples/terraform/solutions/config_org/aggregator_org_configuration/main.tf

@@ -0,0 +1,36 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+resource "aws_iam_role" "r_config_aggregator_role" {
+  name = var.p_aggregator_role_name
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = "sts:AssumeRole"
+        Principal = {
+          Service = "config.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  managed_policy_arns = [
+    "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
+  ]
+
+  tags = {
+    "${var.p_sra_solution_name_key}" = var.p_sra_solution_name
+  }
+}
+
+resource "aws_config_configuration_aggregator" "r_organization_config_aggregator" {
+  name = var.p_aggregator_name
+
+  account_aggregation_source {
+    account_ids = [data.aws_caller_identity.current.account_id]
+    all_regions = true
+  }
+}

aws_sra_examples/terraform/solutions/config_org/aggregator_org_configuration/providers.tf

@@ -0,0 +1,13 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.1.0"
+    }
+  }
+}

aws_sra_examples/terraform/solutions/config_org/aggregator_org_configuration/variables.tf

@@ -0,0 +1,27 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+variable "p_aggregator_name" {
+  type        = string
+  description = "Config Aggregator Name"
+  default     = "sra-config-aggregator-org"
+}
+
+variable "p_aggregator_role_name" {
+  type        = string
+  description = "Config Aggregator Role Name"
+  default     = "sra-config-aggregator-org"
+}
+
+variable "p_sra_solution_name" {
+  type        = string
+  description = "The SRA solution name. The default value is the folder name of the solution"
+  default     = "sra-config-aggregator-org"
+}
+
+variable "p_sra_solution_name_key" {
+  type        = string
+  description = "The key used for tagging resources with the SRA solution name."
+  default     = "sra-solution"
+}

aws_sra_examples/terraform/solutions/config_org/configuration/data.tf

@@ -0,0 +1,9 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+data "aws_organizations_organization" "current" {}

aws_sra_examples/terraform/solutions/config_org/configuration/invoke.tf

@@ -0,0 +1,31 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+resource "aws_lambda_invocation" "new_lambda_invoke" {
+  function_name = aws_lambda_function.r_config_org_lambda_function.function_name
+
+  input = jsonencode({
+    "Terraform" : "true",
+    "RequestType" : "Create",
+    "ResourceType" : "Custom::LambdaCustomResource",
+    "ResourceProperties" : {
+      "ServiceToken" : "${aws_lambda_function.r_config_org_lambda_function.arn}",
+      "AUDIT_ACCOUNT" : "${var.p_audit_account_id}",
+      "CONFIGURATION_ROLE_NAME" : "${var.p_config_configuration_role_name}",
+      "CONTROL_TOWER_REGIONS_ONLY" : "${var.p_control_tower_regions_only}",
+      "ENABLED_REGIONS" : "${var.p_enabled_regions}",
+      "ALL_SUPPORTED" : "${var.p_all_supported}",
+      "INCLUDE_GLOBAL_RESOURCE_TYPES" : "${var.p_include_global_resource_types}",
+      "DELIVERY_CHANNEL_NAME" : "${var.p_delivery_channel_name}",
+      "FREQUENCY" : "${var.p_frequency}",
+      "RESOURCE_TYPES" : "${var.p_resource_types}",
+      "RECORDER_NAME" : "${var.p_recorder_name}",
+      "KMS_KEY_SECRET_NAME" : "${var.p_kms_key_arn_secret_name}",
+      "HOME_REGION" : "${var.p_home_region}",
+      "SNS_TOPIC_ARN_FANOUT" : "${aws_sns_topic.r_config_org_topic.arn}",
+      "PUBLISHING_DESTINATION_BUCKET_ARN" : "arn:aws:s3:::${var.p_publishing_destination_bucket_name}"
+    }
+  })
+}