########################################################################
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
########################################################################
# Deploys a Lambda-backed CloudFormation custom resource that reads AWS Organizations /
# Control Tower details and records them as SSM parameters under /sra/* in the deploying
# account (see Resources). The function code is not in this template; it is loaded as a
# zip from the SRA staging S3 bucket, so that bucket is part of this stack's trust boundary.
AWSTemplateFormatVersion: 2010-09-09
Description:
  This template creates AWS Control Tower Account SSM Parameters. - 'common_prerequisites' solution in the repo,
  https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse2h)
Metadata:
  SRA:
    Version: 1.0
    # presumably the deployment order of this template within the common_prerequisites
    # solution - confirm against the solution README. Ordering matters because, with
    # pSRAStagingS3BucketName left empty, the /sra/staging-s3-bucket-name SSM parameter
    # must already exist when this stack is created.
    Order: 4
  # Console presentation only (parameter grouping and labels); no effect on validation or
  # on the deployed resources.
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: General Properties
        Parameters:
          - pSRASolutionTagKey
          - pSRASolutionName
          - pSRAStagingS3BucketName
      - Label:
          default: Management Account Parameters - Lambda Function Properties
        Parameters:
          - pManagementAccountParametersLambdaRoleName
          - pManagementAccountParametersLambdaFunctionName
      - Label:
          default: General Lambda Function Properties
        Parameters:
          - pCreateLambdaLogGroup
          - pLambdaLogGroupRetention
          - pLambdaLogGroupKmsKey
          - pLambdaLogLevel
    ParameterLabels:
      pCreateLambdaLogGroup:
        default: Create Lambda Log Group
      pLambdaLogGroupKmsKey:
        default: (Optional) Lambda Logs KMS Key
      pLambdaLogGroupRetention:
        default: Lambda Log Group Retention
      pLambdaLogLevel:
        default: Lambda Log Level
      pManagementAccountParametersLambdaFunctionName:
        default: Management Account Parameters - Lambda Function Name
      pManagementAccountParametersLambdaRoleName:
        default: Management Account Parameters - Lambda Role Name
      pSRASolutionName:
        default: SRA Solution Name
      pSRASolutionTagKey:
        default: SRA Solution Tag Key
      pSRAStagingS3BucketName:
        default: (Optional) SRA Staging S3 Bucket Name
Parameters:
  # 'false' (the default) leaves the log group to be created by the function at its first
  # invocation (the execution role is granted logs:CreateLogGroup), in which case
  # pLambdaLogGroupRetention and pLambdaLogGroupKmsKey are never applied. Set 'true' when a
  # retention period or a customer-managed key is required.
  pCreateLambdaLogGroup:
    AllowedValues: ['true', 'false']
    Default: 'false'
    Description:
      Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS
      Key for encryption.
    Type: String
  # Full key ARN only - a key ID or an alias ARN does not match the AllowedPattern. Used
  # only when pCreateLambdaLogGroup is 'true'. NOTE(review): CloudWatch Logs can only use a
  # customer-managed key whose key policy grants the Logs service principal access; confirm
  # the key policy before setting this, otherwise creating the log group fails.
  pLambdaLogGroupKmsKey:
    AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$'
    ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
    Default: ''
    Description:
      (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side
      encryption keys.
    Type: String
  # Numeric values declared as a String parameter; passed through unchanged to
  # RetentionInDays. Only applied when pCreateLambdaLogGroup is 'true'.
  pLambdaLogGroupRetention:
    AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
    Default: 14
    Description: Specifies the number of days you want to retain log events
    Type: String
  # Exposed to the function as the LOG_LEVEL environment variable; what each level emits
  # is decided by the handler code, not by this template.
  pLambdaLogLevel:
    AllowedValues: [INFO, ERROR, DEBUG]
    Default: INFO
    Description: Lambda Function Logging Level
    Type: String
  # Also determines the log group name (/aws/lambda/<name>) and the log-group ARN that the
  # execution role's logs permission is scoped to. NOTE(review): changing FunctionName on a
  # deployed stack replaces the function, so treat a rename as a redeploy.
  pManagementAccountParametersLambdaFunctionName:
    AllowedPattern: '^[\w-]{1,64}$'
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [_, -]
    Default: sra-management-account-parameters
    Description: Lambda function name for creating Control Tower account SSM parameters.
    Type: String
  # Fixed role name (cfn_nag W28 is suppressed for it). IAM role names are account-wide,
  # so this stack can exist only once per account unless the name is overridden.
  pManagementAccountParametersLambdaRoleName:
    AllowedPattern: '^[\w+=,.@-]{1,64}$'
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -].
    Default: sra-management-account-parameters-lambda
    Description: Lambda execution role for creating Control Tower account SSM parameters.
    Type: String
  # Locked to one value. Besides tagging, it forms the S3 key of the deployment package
  # (<name>/lambda_code/<name>.zip), so it must match the layout of the staging bucket.
  pSRASolutionName:
    AllowedValues: [sra-common-prerequisites]
    Default: sra-common-prerequisites
    Description: The SRA solution name. The default value is the folder name of the solution
    Type: String
  # Locked to one value; the tag key applied to the function and the role.
  pSRASolutionTagKey:
    AllowedValues: [sra-solution]
    Default: sra-solution
    Description: The SRA solution tag key applied to all resources created by the solution that support tagging. The value is the pSRASolutionName.
    Type: String
  # Trust boundary: this is the bucket the Lambda deployment package is loaded from
  # (Code.S3Bucket). Anyone who can write to it - or, when this is left empty, change the
  # /sra/staging-s3-bucket-name SSM parameter - controls the code that runs under the
  # execution role. NOTE(review): the AllowedPattern admits uppercase letters, which S3
  # rejects for newly created buckets; the name is only really validated when Lambda
  # fetches the object at deploy time.
  pSRAStagingS3BucketName:
    AllowedPattern: '^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$'
    ConstraintDescription:
      S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Default: ''
    Description:
      (Optional) SRA Staging S3 bucket name for the artifacts relevant to solution. (e.g., lambda zips, CloudFormation templates). If empty, the SRA
      Staging S3 bucket name will be resolved from the SSM Parameter '/sra/staging-s3-bucket-name'.
    Type: String
Conditions:
  # An explicit log group (and therefore retention / KMS settings) only when opted in.
  cCreateLambdaLogGroup: !Equals [!Ref pCreateLambdaLogGroup, 'true']
  # Empty string means "CloudWatch Logs default encryption" rather than a customer key.
  cUseKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']]
  # Empty bucket name -> the bucket is resolved at deploy time from the
  # /sra/staging-s3-bucket-name SSM parameter through a dynamic reference (Code.S3Bucket).
  cUseSRAStagingS3BucketNameSSMParameter: !Equals [!Ref pSRAStagingS3BucketName, '']
  # Regions where the function is deployed on arm64 (Graviton); elsewhere Architectures is
  # omitted and Lambda's default applies. NOTE(review): this is a hard-coded list, so a
  # region that gains arm64 support later keeps using the default until the list is edited.
  cUseGraviton: !Or
    - !Equals [!Ref 'AWS::Region', ap-northeast-1]
    - !Equals [!Ref 'AWS::Region', ap-south-1]
    - !Equals [!Ref 'AWS::Region', ap-southeast-1]
    - !Equals [!Ref 'AWS::Region', ap-southeast-2]
    - !Equals [!Ref 'AWS::Region', eu-central-1]
    - !Equals [!Ref 'AWS::Region', eu-west-1]
    - !Equals [!Ref 'AWS::Region', eu-west-2]
    - !Equals [!Ref 'AWS::Region', us-east-1]
    - !Equals [!Ref 'AWS::Region', us-east-2]
    - !Equals [!Ref 'AWS::Region', us-west-2]
Resources:
  # Invokes the function on stack create / update / delete. TAG_KEY and TAG_VALUE are sent
  # to the handler as request properties; the Outputs section reads the handler's response
  # attributes back from this resource. Version is the custom-resource version attribute -
  # presumably a solution-level marker; bumping it re-invokes the handler on the next update.
  rManagementAccountParametersLambdaCustomResource:
    Type: Custom::LambdaCustomResource
    Version: '1.0'
    Properties:
      ServiceToken: !GetAtt rManagementAccountParametersLambdaFunction.Arn
      TAG_KEY: !Ref pSRASolutionTagKey
      TAG_VALUE: !Ref pSRASolutionName

  rManagementAccountParametersLambdaFunction:
    # Scanner suppressions: W58 (logs permissions live in the role's CloudWatchLogGroup
    # policy), W89 (no VPC attachment), W92 (no reserved concurrency), CKV_AWS_116 (no DLQ,
    # CloudFormation is the only invoker), CKV_AWS_173 (LOG_LEVEL is the only env var).
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W58
            reason: Lambda role provides access to CloudWatch Logs
          - id: W89
            reason: Lambda does not need to communicate with VPC resources.
          - id: W92
            reason: Lambda does not need reserved concurrent executions.
      checkov:
        skip:
          - id: CKV_AWS_116
            comment: DLQ not needed, as Lambda function only triggered by CloudFormation events.
          - id: CKV_AWS_173
            comment: Environment variables are not sensitive
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Ref pManagementAccountParametersLambdaFunctionName
      Description: Creates Control Tower account SSM Parameters in the Management Account
      # arm64 only in the regions listed under cUseGraviton; otherwise the property is
      # dropped via AWS::NoValue.
      Architectures: !If
        - cUseGraviton
        - [arm64]
        - !Ref AWS::NoValue
      Handler: app.lambda_handler
      Role: !GetAtt rManagementAccountParametersLambdaRole.Arn
      # NOTE(review): check python3.9 against the current Lambda runtime deprecation
      # schedule before (re)deploying; a runtime bump has to be validated against the code
      # in the zip, which is not visible here.
      Runtime: python3.9
      # seconds
      Timeout: 300
      # Supply-chain note: the package is fetched by bucket + key only. There is no
      # S3ObjectVersion, so whatever object sits at that key when the stack is created or
      # updated is what runs. With an empty pSRAStagingS3BucketName the bucket name itself
      # comes from the /sra/staging-s3-bucket-name SSM parameter (resolved by CloudFormation
      # with the deploying principal's permissions). The execution role below is granted
      # ssm:PutParameter on parameter/sra/*, which includes that parameter, so write access
      # to the bucket or to /sra/* parameters should be treated as code execution in this role.
      Code:
        S3Bucket: !If
          - cUseSRAStagingS3BucketNameSSMParameter
          - '{{resolve:ssm:/sra/staging-s3-bucket-name}}'
          - !Ref pSRAStagingS3BucketName
        S3Key: !Sub ${pSRASolutionName}/lambda_code/${pSRASolutionName}.zip
      Environment:
        Variables:
          LOG_LEVEL: !Ref pLambdaLogLevel
      Tags:
        - Key: !Ref pSRASolutionTagKey
          Value: !Ref pSRASolutionName

  # Only created when pCreateLambdaLogGroup is 'true'. Retain on delete/replace keeps the
  # group and its events after the stack is removed or the function renamed; they then
  # need manual clean-up. NOTE(review): a later redeploy that re-creates this resource while
  # the retained group still exists fails with an already-exists error - delete or import
  # the group first.
  rManagementAccountParametersLambdaLogGroup:
    Condition: cCreateLambdaLogGroup
    DeletionPolicy: Retain
    Type: AWS::Logs::LogGroup
    UpdateReplacePolicy: Retain
    Properties:
      LogGroupName: !Sub /aws/lambda/${pManagementAccountParametersLambdaFunctionName}
      # Customer key only when one was supplied; otherwise the property is dropped and
      # CloudWatch Logs uses its own server-side encryption.
      KmsKeyId: !If
        - cUseKmsKey
        - !Ref pLambdaLogGroupKmsKey
        - !Ref AWS::NoValue
      RetentionInDays: !Ref pLambdaLogGroupRetention

  rManagementAccountParametersLambdaRole:
    Type: AWS::IAM::Role
    # W11: Resource '*' on the list/describe statements below; W28: explicit RoleName.
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: Allow * in resource when required
          - id: W28
            reason: The role name is defined to identify automation resources
    Properties:
      RoleName: !Ref pManagementAccountParametersLambdaRoleName
      Description: !Sub Role for '${pManagementAccountParametersLambdaRoleName}' Lambda function
      # Trust policy: only the Lambda service can assume this role. NOTE(review): there is
      # no aws:SourceArn / aws:SourceAccount condition; scoping the trust to this function's
      # ARN is the usual confused-deputy hardening and would not change behaviour here.
      AssumeRolePolicyDocument:
        # Unquoted 2012-10-17 is accepted by CloudFormation, but generic YAML 1.1 loaders
        # read it as a date - quote it if this template is ever fed to other tooling.
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service:
                - lambda.amazonaws.com
      Tags:
        - Key: !Ref pSRASolutionTagKey
          Value: !Ref pSRASolutionName
      Policies:
        - PolicyName: ssm-account-parameter-creator
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              # Read-only Organizations calls; these list/describe APIs are generally not
              # resource-scoped, hence '*'.
              - Sid: STSOrganizationRead
                Effect: Allow
                Action:
                  - organizations:DescribeOrganization
                  - organizations:ListAccounts
                  - organizations:ListRoots
                Resource: '*'
              # Read-only. NOTE(review): could be narrowed to specific stack set ARNs if the
              # handler only queries known Control Tower stack sets - confirm in the code.
              - Sid: CloudFormationRead
                Effect: Allow
                Action:
                  - cloudformation:DescribeStackSet
                  - cloudformation:ListStackInstances
                Resource: '*'
              # DescribeParameters returns parameter metadata account-wide; values are only
              # readable under /sra/ (next statement).
              - Sid: SSMParameterRead
                Effect: Allow
                Action: ssm:DescribeParameters
                Resource: '*'
              # Scoped to /sra/* in this account but in every region (region wildcard);
              # presumably the handler reads/writes parameters in more than one region -
              # confirm. Note this covers /sra/staging-s3-bucket-name, which selects the
              # bucket this function's own code is loaded from.
              - Sid: SSMParameterReadValues
                Effect: Allow
                Action: ssm:GetParameters
                Resource: !Sub arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:parameter/sra/*
              - Sid: SSMParameterWrite
                Effect: Allow
                Action:
                  - ssm:AddTagsToResource
                  - ssm:DeleteParameters
                  - ssm:PutParameter
                Resource: !Sub arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:parameter/sra/*
              # tag:GetResources is not resource-scoped.
              - Sid: TagsRead
                Effect: Allow
                Action: tag:GetResources
                Resource: '*'
        - PolicyName: CloudWatchLogGroup
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              # Scoped to this function's own log group in the stack's region. NOTE(review):
              # the resource ARN ends in :log-stream:*, the log-stream ARN form; whether
              # logs:CreateLogGroup authorizes against it when pCreateLambdaLogGroup is
              # 'false' should be confirmed from the function's first-invocation logs.
              - Sid: CloudWatchLogs
                Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${pManagementAccountParametersLambdaFunctionName}:log-stream:*
# All account / region / organization values below come from the custom resource's
# response data, i.e. whatever the handler returns; nothing in this template validates
# them. List-valued attributes are joined into comma-separated strings because stack
# outputs must be strings. These are not secrets, but they do enumerate the organization
# layout and are readable by any principal with cloudformation:DescribeStacks on the stack.
Outputs:
  oAuditAccountId:
    Description: Audit Account ID
    Value: !GetAtt rManagementAccountParametersLambdaCustomResource.AuditAccountId
  oCustomerControlTowerRegions:
    Description: Customer Control Tower Regions
    Value: !Join [',', !GetAtt rManagementAccountParametersLambdaCustomResource.CustomerControlTowerRegions]
  oCustomerControlTowerRegionsWithoutHomeRegion:
    Description: Customer Control Tower Regions without Home Region
    Value: !Join [',', !GetAtt rManagementAccountParametersLambdaCustomResource.CustomerControlTowerRegionsWithoutHomeRegion]
  oEnabledRegions:
    Description: Enabled Regions
    Value: !Join [',', !GetAtt rManagementAccountParametersLambdaCustomResource.EnabledRegions]
  oEnabledRegionsWithoutHomeRegion:
    Description: Enabled Regions without Home Region
    Value: !Join [',', !GetAtt rManagementAccountParametersLambdaCustomResource.EnabledRegionsWithoutHomeRegion]
  oHomeRegion:
    Description: Control Tower Home Region
    Value: !GetAtt rManagementAccountParametersLambdaCustomResource.HomeRegion
  oLogArchiveAccountId:
    Description: Log Archive Account ID
    Value: !GetAtt rManagementAccountParametersLambdaCustomResource.LogArchiveAccountId
  oManagementAccountId:
    Description: Management Account ID
    Value: !GetAtt rManagementAccountParametersLambdaCustomResource.ManagementAccountId
  oOrganizationId:
    Description: Organization ID
    Value: !GetAtt rManagementAccountParametersLambdaCustomResource.OrganizationId
  oRootOrganizationalUnitId:
    Description: Root Organizational Unit ID
    Value: !GetAtt rManagementAccountParametersLambdaCustomResource.RootOrganizationalUnitId
  # Resource identifiers for downstream templates / operators.
  oManagementAccountParametersLambdaFunctionArn:
    Description: Management Account Parameters Lambda Function ARN
    Value: !GetAtt rManagementAccountParametersLambdaFunction.Arn
  # Only present when the log group was created explicitly (cCreateLambdaLogGroup).
  oManagementAccountParametersLambdaLogGroupArn:
    Condition: cCreateLambdaLogGroup
    Description: Management Account Parameters Lambda Log Group ARN
    Value: !GetAtt rManagementAccountParametersLambdaLogGroup.Arn
  oManagementAccountParametersLambdaRoleArn:
    Description: Management Account Parameters Lambda Role ARN
    Value: !GetAtt rManagementAccountParametersLambdaRole.Arn