sra-common-cfct-setup-management-account-ou.yaml
########################################################################
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
########################################################################
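# Quoted so that generic YAML 1.1 parsers (cfn-lint, editors, pre-commit hooks) read the
# format version as the string CloudFormation expects rather than as a timestamp.
AWSTemplateFormatVersion: '2010-09-09'
Description:
  This template moves the management account to an OU in AWS Organizations to satisfy a Customizations for Control Tower (CFCT) prerequisite -
  'common_cfct_setup' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples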
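Metadata:
  SRA:
    # Quoted: an unquoted 1.0 is parsed as a float and may be re-emitted as 1 by tooling.
    Version: '1.0'
    Order: 3
  # Console layout only: groups and labels for the parameters declared below.
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: General Properties
        Parameters:
          - pSRASolutionTagKey
          - pSRASolutionName
          - pSRAStagingS3BucketName
          - pOrganizationId
          - pRootOrganizationalUnitId
      - Label:
          default: Custom Resource Properties
        Parameters:
          - pMoveManagementAccountToOU
          - pManagementAccountOU
      - Label:
          default: CFCT Org Prerequisites - Lambda Function Properties
        Parameters:
          - pCFCTOrgLambdaRoleName
          - pCFCTOrgLambdaFunctionName
      - Label:
          default: General Lambda Function Properties
        Parameters:
          - pCreateLambdaLogGroup
          - pLambdaLogGroupRetention
          - pLambdaLogGroupKmsKey
          - pLambdaLogLevel
    ParameterLabels:
      pCFCTOrgLambdaFunctionName:
        default: CFCT Org - Lambda Function Name
      pCFCTOrgLambdaRoleName:
        default: CFCT Org - Lambda Role Name
      pCreateLambdaLogGroup:
        default: Create Lambda Log Group
      pLambdaLogGroupKmsKey:
        default: (Optional) Lambda Logs KMS Key
      pLambdaLogGroupRetention:
        default: Lambda Log Group Retention
      pLambdaLogLevel:
        default: Lambda Log Level
      pManagementAccountOU:
        default: Management Account OU Name
      pMoveManagementAccountToOU:
        default: Move Management Account to OU
      pOrganizationId:
        default: Organization ID
      pRootOrganizationalUnitId:
        default: Root Organizational Unit ID
      pSRASolutionName:
        default: SRA Solution Name
      pSRASolutionTagKey:
        default: SRA Solution Tag Key
      pSRAStagingS3BucketName:
        default: SRA Staging S3 Bucket Name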
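Parameters:
  pCFCTOrgLambdaFunctionName:
    AllowedPattern: '^[\w-]{1,64}$'
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [_, -]
    Default: sra-management-account-ou
    Description:
      Lambda function name for performing the CFCT Organization prerequisites (move management account to OU, enable CloudFormation StackSets trusted
      access)
    Type: String
  pCFCTOrgLambdaRoleName:
    AllowedPattern: '^[\w+=,.@-]{1,64}$'
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -].
    Default: sra-management-account-ou-lambda
    Description: Lambda execution role for performing the CFCT Organization prerequisites
    Type: String
  # Boolean-like parameters are strings; the Conditions section compares them to the literal 'true'.
  pCreateLambdaLogGroup:
    AllowedValues: ['true', 'false']
    Default: 'false'
    Description:
      Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS
      Key for encryption.
    Type: String
  pLambdaLogGroupKmsKey:
    # Empty string is allowed (first alternative) and selects CloudWatch-managed encryption.
    AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$'
    ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
    Description:
      (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side
      encryption keys.
    Type: String
  pLambdaLogGroupRetention:
    AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
    Default: 14
    Description: Specifies the number of days you want to retain log events
    Type: String
  pLambdaLogLevel:
    AllowedValues: [INFO, ERROR, DEBUG]
    Default: INFO
    Description: Lambda Function Logging Level
    Type: String
  pManagementAccountOU:
    AllowedValues: [CFCT-Management, CFCT-Management-Optional, ROOT]
    Default: CFCT-Management-Optional
    Description:
      Name of OU under the root to move Management Account to. If 'ROOT', move account to Root OU. If 'CFCT-Management', move account to
      CFCT-Management OU. If 'CFCT-Management-Optional', move account to CFCT-Management OU only if account not already in an OU.
    Type: String
  pMoveManagementAccountToOU:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description:
      Indicates whether the Management Account should be moved to the OU referenced in 'Management Account OU Name' parameter. If 'false', management
      account will not be moved and OU's will not be modified.
    Type: String
  pOrganizationId:
    AllowedPattern: '^o-[a-z0-9]{10,32}$'
    ConstraintDescription: Must start with 'o-' followed by from 10 to 32 lowercase letters or digits. (e.g. o-abc1234567)
    Description: AWS Organizations ID.
    Type: String
  pRootOrganizationalUnitId:
    # Anchored at both ends (the trailing '$' was missing): this value is interpolated into IAM
    # Resource ARNs in the Lambda role, so anything after the root ID must be rejected at input.
    AllowedPattern: '^r-[a-z0-9]{4,32}$'
    ConstraintDescription: Must start with 'r-' followed by from 4 to 32 lowercase letters or digits. (e.g. r-abc123)
    Description: Root Organizational Unit ID
    Type: String
  pSRASolutionName:
    AllowedValues: [sra-common-cfct-setup]
    Default: sra-common-cfct-setup
    Description: The SRA solution name. The default value is the folder name of the solution
    Type: String
  pSRASolutionTagKey:
    AllowedValues: [sra-solution]
    Default: sra-solution
    Description: The SRA solution tag key applied to all resources created by the solution that support tagging. The value is the pSRASolutionName.
    Type: String
  pSRAStagingS3BucketName:
    # Pattern accepts only lowercase letters, digits, hyphens and dots, 3-63 chars, no leading/trailing
    # hyphen and not an IPv4 literal; the descriptions below now say so (they previously claimed uppercase was allowed).
    AllowedPattern: '^(?=^.{3,63}$)(?!.*[.-]{2})(?!.*[--]{2})(?!^(?:(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(?!$)|$)){4}$)(^(([a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])\.)*([a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])$)'
    ConstraintDescription:
      SRA Staging S3 bucket name can include numbers, lowercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Description:
      SRA Staging S3 bucket name for the artifacts relevant to solution. (e.g., lambda zips, CloudFormation templates) S3 bucket name can include
      numbers, lowercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Type: String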
Conditions:
  # The toggle parameters are strings, so each is compared to the literal 'true'.
  cCreateLambdaLogGroup: !Equals
    - !Ref pCreateLambdaLogGroup
    - 'true'
  cMoveManagementAccountToOU: !Equals
    - !Ref pMoveManagementAccountToOU
    - 'true'
  # The explicit log group is only created when the move itself is enabled.
  cMoveManagementAccountToOUAndCreateLambdaLogGroup: !And
    - Condition: cMoveManagementAccountToOU
    - Condition: cCreateLambdaLogGroup
  # An empty key ARN means CloudWatch Logs manages the encryption key.
  cUseKmsKey: !Not
    - !Equals
        - !Ref pLambdaLogGroupKmsKey
        - ''
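Resources:
  # Custom resource that invokes the Lambda below; its response attributes feed the Outputs section.
  rCFCTOrgLambdaCustomResource:
    Condition: cMoveManagementAccountToOU
    Type: Custom::LambdaCustomResource
    Version: '1.0'
    Properties:
      ServiceToken: !GetAtt rCFCTOrgLambdaFunction.Arn
      MANAGEMENT_ACCOUNT_OU: !Ref pManagementAccountOU
      TAG_KEY: !Ref pSRASolutionTagKey
      TAG_VALUE: !Ref pSRASolutionName

  rCFCTOrgLambdaFunction:
    Condition: cMoveManagementAccountToOU
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W58
            reason: Lambda role provides access to CloudWatch Logs
          - id: W89
            reason: Lambda does not need to communicate with VPC resources.
          - id: W92
            reason: Lambda does not need reserved concurrent executions.
      checkov:
        - checkov:skip=CKV_AWS_116:DLQ not needed, as Lambda function only triggered by CloudFormation events.
        - checkov:skip=CKV_AWS_173:Environment variables are not sensitive
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Ref pCFCTOrgLambdaFunctionName
      Description: Performs the CFCT Organization prerequisites
      Architectures: [arm64]
      Handler: app.lambda_handler
      Role: !GetAtt rCFCTOrgLambdaRole.Arn
      # NOTE(review): check this runtime against the Lambda runtime deprecation schedule before deploying.
      Runtime: python3.9
      Timeout: 300
      # Code is pulled from the SRA staging bucket at <solution>/lambda_code/<solution>.zip.
      Code:
        S3Bucket: !Ref pSRAStagingS3BucketName
        S3Key: !Sub ${pSRASolutionName}/lambda_code/${pSRASolutionName}.zip
      Environment:
        Variables:
          LOG_LEVEL: !Ref pLambdaLogLevel
      Tags:
        - Key: !Ref pSRASolutionTagKey
          Value: !Ref pSRASolutionName

  # Only created when both the move and an explicit log group are requested; retained on
  # stack deletion/replacement so the function's log history is not lost.
  rCFCTOrgLambdaLogGroup:
    Condition: cMoveManagementAccountToOUAndCreateLambdaLogGroup
    DeletionPolicy: Retain
    Type: AWS::Logs::LogGroup
    UpdateReplacePolicy: Retain
    Properties:
      LogGroupName: !Sub /aws/lambda/${pCFCTOrgLambdaFunctionName}
      KmsKeyId: !If
        - cUseKmsKey
        - !Ref pLambdaLogGroupKmsKey
        - !Ref AWS::NoValue
      RetentionInDays: !Ref pLambdaLogGroupRetention

  rCFCTOrgLambdaRole:
    Condition: cMoveManagementAccountToOU
    Type: AWS::IAM::Role
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: Allow * in resource when required
          - id: W28
            reason: The role name is defined to identify automation resources
    Properties:
      RoleName: !Ref pCFCTOrgLambdaRoleName
      Description: !Sub Role for '${pCFCTOrgLambdaRoleName}' Lambda function
      AssumeRolePolicyDocument:
        # Policy versions are quoted so YAML tooling keeps them as strings, not dates.
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service:
                - lambda.amazonaws.com
      Tags:
        - Key: !Ref pSRASolutionTagKey
          Value: !Ref pSRASolutionName
      Policies:
        - PolicyName: sra-cfct-org-prerequisites
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Read-only Organizations calls; the '*' resource is what cfn_nag W11 above suppresses.
              - Sid: OrganizationRead
                Effect: Allow
                Action:
                  - organizations:DescribeAccount
                  - organizations:DescribeOrganization
                  - organizations:DescribeOrganizationalUnit
                  - organizations:ListRoots
                  - organizations:ListParents
                  - organizations:ListChildren
                Resource: '*'
              # OU creation is limited to the organization root supplied as a parameter.
              - Sid: OrganizationCreateOU
                Effect: Allow
                Action: organizations:CreateOrganizationalUnit
                Resource: !Sub arn:${AWS::Partition}:organizations::${AWS::AccountId}:root/${pOrganizationId}/${pRootOrganizationalUnitId}
              - Sid: OrganizationsTagOU
                Effect: Allow
                Action: organizations:TagResource
                Resource: !Sub arn:${AWS::Partition}:organizations::${AWS::AccountId}:ou/*
              # MoveAccount is scoped to this (management) account, the organization root and
              # any OU in the organization as its possible parents.
              - Sid: OrganizationMoveAccount
                Effect: Allow
                Action: organizations:MoveAccount
                Resource:
                  - !Sub arn:${AWS::Partition}:organizations::${AWS::AccountId}:account/${pOrganizationId}/${AWS::AccountId}
                  - !Sub arn:${AWS::Partition}:organizations::${AWS::AccountId}:root/${pOrganizationId}/${pRootOrganizationalUnitId}
                  - !Sub arn:${AWS::Partition}:organizations::${AWS::AccountId}:ou/${pOrganizationId}/ou-*
        - PolicyName: CloudWatchLogGroup
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: CloudWatchLogs
                Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                # NOTE(review): the ':log-stream:*' suffix scopes this to the function's own log streams;
                # confirm logs:CreateLogGroup on the group itself still succeeds when the group is not
                # pre-created (pCreateLambdaLogGroup is 'false').
                Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${pCFCTOrgLambdaFunctionName}:log-stream:*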
Outputs:
  # These three values are attributes returned by the custom resource's Lambda response.
  oManagementAccountId:
    Condition: cMoveManagementAccountToOU
    Description: Management Account ID
    Value: !GetAtt [rCFCTOrgLambdaCustomResource, ManagementAccountId]
  oOrganizationId:
    Condition: cMoveManagementAccountToOU
    Description: Organization ID
    Value: !GetAtt [rCFCTOrgLambdaCustomResource, OrganizationId]
  oRootOrganizationalUnitId:
    Condition: cMoveManagementAccountToOU
    Description: Root Organizational Unit ID
    Value: !GetAtt [rCFCTOrgLambdaCustomResource, RootOrganizationalUnitId]
  # ARNs of the supporting resources, exported under the same conditions that create them.
  oCFCTOrgLambdaFunctionArn:
    Condition: cMoveManagementAccountToOU
    Description: CFCT Org Lambda Function ARN
    Value: !GetAtt [rCFCTOrgLambdaFunction, Arn]
  oCFCTOrgLambdaLogGroupArn:
    Condition: cMoveManagementAccountToOUAndCreateLambdaLogGroup
    Description: CFCT Org Lambda Log Group ARN
    Value: !GetAtt [rCFCTOrgLambdaLogGroup, Arn]
  oCFCTOrgLambdaRoleArn:
    Condition: cMoveManagementAccountToOU
    Description: CFCT Org Lambda Role ARN
    Value: !GetAtt [rCFCTOrgLambdaRole, Arn]