aws_sra_examples/solutions/common/common_cfct_setup/templates/sra-common-cfct-setup-main.yaml

########################################################################
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
########################################################################
AWSTemplateFormatVersion: 2010-09-09
Description:
  This template deploys Customizations for Control Tower (CFCT), including satisfying CFCT prerequisites. (e.g., moving the `management account` to an
  OU). - 'common_cfct_setup' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples
Metadata:
  SRA:
    Version: 1.0
    Entry: Parameters for deploying CFCT solution without resolving SSM parameters
    Order: 1
  cfn-lint:
    config:
      ignore_checks:
        - W6001
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: General Properties
        Parameters:
          - pSRASolutionName
          - pSRAStagingS3BucketNamePrefix
          - pOrganizationId
          - pRootOrganizationalUnitId
      - Label:
          default: Control Tower Properties
        Parameters:
          - pMoveManagementAccountToOU
          - pManagementAccountOU
      - Label:
          default: General Lambda Function Properties
        Parameters:
          - pCreateLambdaLogGroup
          - pLambdaLogGroupRetention
          - pLambdaLogGroupKmsKey
          - pLambdaLogLevel
      - Label:
          default: CFCT - Pipeline Configuration
        Parameters:
          - pDeployCustomizationsForAWSControlTower
          - pPipelineApprovalStage
          - pPipelineApprovalEmail
          - pCodePipelineSource
      - Label:
          default: CFCT - AWS CodeCommit Setup (Applicable if 'AWS CodeCommit' was selected as the CodePipeline Source)
        Parameters:
          - pExistingRepository
          - pCodeCommitRepositoryName
          - pCodeCommitBranchName
      - Label:
          default: CFCT - AWS CloudFormation StackSets Configuration
        Parameters:
          - pRegionConcurrencyType
          - pMaxConcurrentPercentage
          - pFailureTolerancePercentage

    ParameterLabels:
      pCodeCommitBranchName:
        default: CodeCommit Branch Name
      pCodeCommitRepositoryName:
        default: CodeCommit Repository Name
      pCodePipelineSource:
        default: AWS CodePipeline Source
      pCreateLambdaLogGroup:
        default: Create Lambda Log Group
      pDeployCustomizationsForAWSControlTower:
        default: Deploy Customizations for AWS Control Tower
      pExistingRepository:
        default: Existing CodeCommit Repository?
      pFailureTolerancePercentage:
        default: Failure Tolerance Percentage
      pLambdaLogGroupRetention:
        default: Lambda Log Group Retention
      pLambdaLogGroupKmsKey:
        default: (Optional) Lambda Logs KMS Key
      pLambdaLogLevel:
        default: Lambda Log Level
      pMaxConcurrentPercentage:
        default: Max Concurrent Percentage
      pManagementAccountOU:
        default: Management Account OU Name
      pMoveManagementAccountToOU:
        default: Move Management Account to OU
      pOrganizationId:
        default: Organization ID
      pPipelineApprovalEmail:
        default: Pipeline Approval Email Address
      pPipelineApprovalStage:
        default: Pipeline Approval Stage
      pRegionConcurrencyType:
        default: Region Concurrency Type
      pRootOrganizationalUnitId:
        default: Root Organizational Unit ID
      pSRASolutionName:
        default: SRA Solution Name
      pSRAStagingS3BucketNamePrefix:
        default: SRA Staging S3 Bucket Name Prefix

Parameters:
  pCodeCommitBranchName:
    Default: main
    Description: Name of the branch in CodeCommit repository that contains custom Control Tower configuration.
    MaxLength: 256
    MinLength: 1
    Type: String
  pCodeCommitRepositoryName:
    AllowedPattern: '^[\w-.]{1,100}(?<!\.git)$'
    ConstraintDescription: Max 100 alphanumeric characters. Also special characters supported [_. -]. Name cannot end in '.git'.
    Default: custom-control-tower-configuration
    Description: Name of the CodeCommit repository that contains custom Control Tower configuration.
    Type: String
  pCodePipelineSource:
    AllowedValues: [Amazon S3, AWS CodeCommit]
    Default: AWS CodeCommit
    Description: Which AWS CodePipeline source provider do you want to select?
    Type: String
  pCreateLambdaLogGroup:
    AllowedValues: ['true', 'false']
    Default: 'false'
    Description:
      Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS
      Key for encryption.
    Type: String
  pDeployCustomizationsForAWSControlTower:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Indicates whether Customizations for AWS Control Tower (CFCT) should be deployed.
    Type: String
  pExistingRepository:
    AllowedValues: ['Yes', 'No']
    Default: 'No'
    Description: Are you using an existing CodeCommit repository that already contains custom Control Tower configuration?
    Type: String
  pFailureTolerancePercentage:
    Default: 0
    Description:
      The percentage of accounts, per Region, for which this stack operation can fail before AWS CloudFormation stops the operation in that Region.
    MaxValue: 100
    MinValue: 0
    Type: Number
  pLambdaLogGroupKmsKey:
    AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$'
    ConstraintDescription: 'Key ARN example:  arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
    Description:
      (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side
      encryption keys.
    Type: String
  pLambdaLogGroupRetention:
    AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
    Default: 14
    Description: Specifies the number of days you want to retain log events
    Type: String
  pLambdaLogLevel:
    AllowedValues: [INFO, ERROR, DEBUG]
    Default: INFO
    Description: Lambda Function Logging Level
    Type: String
  pMaxConcurrentPercentage:
    Default: 100
    Description: The maximum percentage of accounts in which to perform this operation at one time.
    MaxValue: 100
    MinValue: 1
    Type: Number
  pManagementAccountOU:
    AllowedValues: [CFCT-Management, CFCT-Management-Optional, ROOT]
    Default: CFCT-Management-Optional
    Description:
      Name of OU under the root to move Management Account to. If 'ROOT', move account to Root OU.  If 'CFCT-Management', move account to
      CFCT-Management OU. If 'CFCT-Management-Optional', move account to CFCT-Managemnet OU only if account not already in an OU.
    Type: String
  pMoveManagementAccountToOU:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description:
      Indicates whether the Management Account should be moved to the OU referenced in 'Management Account OU Name' parameter. If 'false', management
      account will not be moved and OU's will not be modified.
    Type: String
  pOrganizationId:
    AllowedPattern: '^o-[a-z0-9]{10,32}$'
    ConstraintDescription: Must start with 'o-' followed by from 10 to 32 lowercase letters or digits. (e.g. o-abc1234567)
    Description: AWS Organizations ID
    Type: String
  pPipelineApprovalEmail:
    AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$'
    ConstraintDescription: Must be a valid email address.
    Description: (Not required if Pipeline Approval Stage = 'No') Email for notifying that the CustomControlTower pipeline is waiting for an Approval
    Type: String
  pPipelineApprovalStage:
    AllowedValues: ['Yes', 'No']
    Default: 'No'
    Description: Do you want to add a manual approval stage to the Custom Control Tower Configuration Pipeline?
    Type: String
  pRegionConcurrencyType:
    AllowedValues: [PARALLEL, SEQUENTIAL]
    Default: 'PARALLEL'
    Description: Select the the concurrency type of deploying StackSets operations in Regions.
    Type: String
  pRootOrganizationalUnitId:
    AllowedPattern: '^r-[0-9a-z]{4,32}$'
    ConstraintDescription: Must start with 'r-' followed by from 4 to 32 lowercase letters or digits. (e.g. r-abc123)
    Description: Root Organizational Unit ID
    Type: String
  pSRASolutionName:
    AllowedValues: [sra-common-cfct-setup]
    Default: sra-common-cfct-setup
    Description: The SRA solution name. The Description value is the folder name of the solution
    Type: String
  pSRAStagingS3BucketNamePrefix:
    AllowedValues: [sra-staging]
    Default: sra-staging
    Description:
      SRA Staging S3 bucket name prefix for the SRA artifacts relevant to the solutions. (e.g., lambda zips, CloudFormation templates). The account
      and region are added to the prefix <bucket-name-prefix>-<account-id>-<region>. Example = sra-staging-123456789012-us-east-1.
    Type: String

Rules:
  PipelineApprovalEmailValidation:
    RuleCondition: !Equals [!Ref pPipelineApprovalEmail, '']
    Assertions:
      - AssertDescription: "'Pipeline Approval Email Address' parameter is required if the 'Pipeline Approval Stage' parameter is set to 'Yes'."
        Assert: !Equals [!Ref pPipelineApprovalStage, 'No']

Conditions:
  cDeployCustomizationsForAWSControlTower: !Equals [!Ref pDeployCustomizationsForAWSControlTower, 'true']

Resources:
  rCFCTOrgOUStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub
        - https://${SRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-common-cfct-setup-management-account-ou.yaml
        - SRAStagingS3BucketName: !Sub ${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}
      Tags:
        - Key: sra-solution
          Value: !Ref pSRASolutionName
      Parameters:
        pCreateLambdaLogGroup: !Ref pCreateLambdaLogGroup
        pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey
        pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention
        pLambdaLogLevel: !Ref pLambdaLogLevel
        pManagementAccountOU: !Ref pManagementAccountOU
        pMoveManagementAccountToOU: !Ref pMoveManagementAccountToOU
        pOrganizationId: !Ref pOrganizationId
        pRootOrganizationalUnitId: !Ref pRootOrganizationalUnitId
        pSRAStagingS3BucketName: !Sub ${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}

  rCFCTStack:
    Condition: cDeployCustomizationsForAWSControlTower
    DependsOn: rCFCTOrgOUStack
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/solutions-reference/customizations-for-aws-control-tower/latest/custom-control-tower-initiation.template
      Tags:
        - Key: sra-solution
          Value: !Ref pSRASolutionName
      Parameters:
        CodeCommitBranchName: !Ref pCodeCommitBranchName
        CodeCommitRepositoryName: !Ref pCodeCommitRepositoryName
        CodePipelineSource: !Ref pCodePipelineSource
        ExistingRepository: !Ref pExistingRepository
        FailureTolerancePercentage: !Ref pFailureTolerancePercentage
        MaxConcurrentPercentage: !Ref pMaxConcurrentPercentage
        PipelineApprovalEmail: !Ref pPipelineApprovalEmail
        PipelineApprovalStage: !Ref pPipelineApprovalStage
        RegionConcurrencyType: !Ref pRegionConcurrencyType