sra-common-prerequisites-member-account-parameters.yaml
########################################################################
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
########################################################################
AWSTemplateFormatVersion: 2010-09-09
Description:
  This template creates the pre-requisite SSM parameters for staging the SRA solutions in the member accounts by resolving the corresponding SSM
  parameters in the management account. - 'common_prerequisites' solution in the repo,
  https://github.com/aws-samples/aws-security-reference-architecture-examples
Metadata:
  SRA:
    Version: 1.0
    Order: 5
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: General Properties
        Parameters:
          - pSRASolutionName
      - Label:
          default: Control Tower SSM Parameters
        Parameters:
          - pAuditAccountId
          - pLogArchiveAccountId
          - pManagementAccountId
          - pRootOrganizationalUnitId
          - pOrganizationId
          - pHomeRegion
      - Label:
          default: Region SSM Parameters
        Parameters:
          - pCustomerControlTowerRegions
          - pCustomerControlTowerRegionsWithoutHomeRegion
          - pEnabledRegions
          - pEnabledRegionsWithoutHomeRegion
    ParameterLabels:
      pAuditAccountId:
        default: Audit Account ID
      pCustomerControlTowerRegions:
        default: Customer Control Tower Regions
      pCustomerControlTowerRegionsWithoutHomeRegion:
        default: Customer Control Tower Regions without Home Region
      pEnabledRegions:
        default: Enabled Regions
      pEnabledRegionsWithoutHomeRegion:
        default: Enabled Regions without Home Region
      pHomeRegion:
        default: Control Tower Home Region
      pLogArchiveAccountId:
        default: Log Archive Account ID
      pManagementAccountId:
        default: Management Account ID
      pOrganizationId:
        default: Organization ID
      pRootOrganizationalUnitId:
        default: Root Organizational Unit ID
      pSRASolutionName:
        default: SRA Solution Name

# Every parameter carries an AllowedPattern so that a malformed or tampered value
# is rejected at stack creation instead of being written into SSM.
Parameters:
  pAuditAccountId:
    AllowedPattern: '^\d{12}$'
    ConstraintDescription: Must be 12 digits.
    Description: AWS Account ID of the Control Tower Audit account.
    Type: String
  pCustomerControlTowerRegions:
    AllowedPattern: '^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$'
    ConstraintDescription:
      Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g.
      us-east-1,ap-southeast-2)
    Description: Customer Control Tower regions (2+ regions, separate by commas)
    Type: String
  pCustomerControlTowerRegionsWithoutHomeRegion:
    AllowedPattern: '^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$'
    ConstraintDescription:
      Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g.
      us-east-1,ap-southeast-2)
    Description: Customer Control Tower regions without Home Region (2+ regions, separate by commas)
    Type: String
  pEnabledRegions:
    AllowedPattern: '^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$'
    ConstraintDescription:
      Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g.
      us-east-1,ap-southeast-2)
    Description: Enabled regions (2+ regions, separate by commas)
    Type: String
  pEnabledRegionsWithoutHomeRegion:
    AllowedPattern: '^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$'
    ConstraintDescription:
      Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g.
      us-east-1,ap-southeast-2)
    Description: Enabled regions without Home Region (2+ regions, separate by commas)
    Type: String
  pHomeRegion:
    AllowedPattern: '^[a-z0-9-]{1,64}$'
    ConstraintDescription: AWS Region Example - 'us-east-1', 'ap-southeast-2'
    Description: Name of the Control Tower home region
    Type: String
  pLogArchiveAccountId:
    AllowedPattern: '^\d{12}$'
    ConstraintDescription: Must be 12 digits.
    Description: AWS Account ID of the Control Tower Log Archive account.
    Type: String
  pManagementAccountId:
    AllowedPattern: '^\d{12}$'
    ConstraintDescription: Must be 12 digits.
    Description: AWS Account ID of the Control Tower Management account.
    Type: String
  pOrganizationId:
    AllowedPattern: '^$|^o-[a-z0-9]{10,32}$'
    ConstraintDescription: Must start with 'o-' followed by from 10 to 32 lowercase letters or digits. (e.g. o-abc1234567)
    Description: AWS Organizations ID
    Type: String
  pRootOrganizationalUnitId:
    AllowedPattern: '^r-[0-9a-z]{4,32}$'
    ConstraintDescription: Must start with 'r-' followed by from 4 to 32 lowercase letters or digits. (e.g. r-abc123)
    Description: Root Organizational Unit ID
    Type: String
  pSRASolutionName:
    AllowedValues: [sra-common-prerequisites]
    Default: sra-common-prerequisites
    Description: The SRA solution name. The default value is the folder name of the solution
    Type: String

# Each SSM parameter is retained on stack deletion or replacement so that the
# other SRA solutions that resolve these names in the member account keep working.
Resources:
  rSSMParameterAuditAccountId:
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Type: AWS::SSM::Parameter
    Properties:
      Name: /sra/control-tower/audit-account-id
      Type: String
      Value: !Ref pAuditAccountId
      Description: Audit Account ID SSM parameter
      Tags:
        sra-solution: !Ref pSRASolutionName
  rSSMParameterCustomerControlTowerRegions:
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Type: AWS::SSM::Parameter
    Properties:
      Name: /sra/regions/customer-control-tower-regions
      Type: StringList
      Value: !Ref pCustomerControlTowerRegions
      Description: Customer Control Tower Regions SSM parameter
      Tags:
        sra-solution: !Ref pSRASolutionName
  rSSMParameterCustomerControlTowerRegionsWithoutHomeRegion:
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Type: AWS::SSM::Parameter
    Properties:
      Name: /sra/regions/customer-control-tower-regions-without-home-region
      Type: StringList
      Value: !Ref pCustomerControlTowerRegionsWithoutHomeRegion
      Description: Customer Control Tower Regions without Home Region SSM parameter
      Tags:
        sra-solution: !Ref pSRASolutionName
  rSSMParameterEnabledRegions:
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Type: AWS::SSM::Parameter
    Properties:
      Name: /sra/regions/enabled-regions
      Type: StringList
      Value: !Ref pEnabledRegions
      Description: Enabled Regions SSM parameter
      Tags:
        sra-solution: !Ref pSRASolutionName
  rSSMParameterEnabledRegionsWithoutHomeRegion:
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Type: AWS::SSM::Parameter
    Properties:
      Name: /sra/regions/enabled-regions-without-home-region
      Type: StringList
      Value: !Ref pEnabledRegionsWithoutHomeRegion
      Description: Enabled Regions without Home Region SSM parameter
      Tags:
        sra-solution: !Ref pSRASolutionName
  rSSMParameterHomeRegion:
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Type: AWS::SSM::Parameter
    Properties:
      Name: /sra/control-tower/home-region
      Type: String
      Value: !Ref pHomeRegion
      Description: Home Region SSM parameter
      Tags:
        sra-solution: !Ref pSRASolutionName
  rSSMParameterLogArchiveAccountId:
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Type: AWS::SSM::Parameter
    Properties:
      Name: /sra/control-tower/log-archive-account-id
      Type: String
      Value: !Ref pLogArchiveAccountId
      Description: Log Archive Account ID SSM parameter
      Tags:
        sra-solution: !Ref pSRASolutionName
  rSSMParameterManagementAccountId:
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Type: AWS::SSM::Parameter
    Properties:
      Name: /sra/control-tower/management-account-id
      Type: String
      Value: !Ref pManagementAccountId
      Description: Management Account ID SSM parameter
      Tags:
        sra-solution: !Ref pSRASolutionName
  rSSMParameterOrganizationId:
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Type: AWS::SSM::Parameter
    Properties:
      Name: /sra/control-tower/organization-id
      Type: String
      Value: !Ref pOrganizationId
      Description: Organization ID SSM parameter
      Tags:
        sra-solution: !Ref pSRASolutionName
  rSSMParameterRootOrganizationalUnitId:
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Type: AWS::SSM::Parameter
    Properties:
      Name: /sra/control-tower/root-organizational-unit-id
      Type: String
      Value: !Ref pRootOrganizationalUnitId
      Description: Root Organizational Unit ID SSM parameter
      Tags:
        sra-solution: !Ref pSRASolutionName

Outputs:
  oAuditAccountId:
    Description: Audit Account ID
    Value: !Ref pAuditAccountId
  oCustomerRegions:
    Description: Customer Regions
    Value: !Ref pCustomerControlTowerRegions
  oCustomerRegionsWithoutHomeRegion:
    Description: Customer Regions without Home Region
    Value: !Ref pCustomerControlTowerRegionsWithoutHomeRegion
  oEnabledRegions:
    Description: Enabled Regions
    # Fixed: previously referenced pEnabledRegionsWithoutHomeRegion, so this output
    # silently omitted the home region.
    Value: !Ref pEnabledRegions
  oEnabledRegionsWithoutHomeRegion:
    Description: Enabled Regions without Home Region
    Value: !Ref pEnabledRegionsWithoutHomeRegion
  oHomeRegion:
    Description: Control Tower Home Region
    Value: !Ref pHomeRegion
  oLogArchiveAccountId:
    Description: Log Archive Account ID
    Value: !Ref pLogArchiveAccountId
  oManagementAccountId:
    Description: Management Account ID
    Value: !Ref pManagementAccountId
  oOrganizationId:
    Description: Organization ID
    Value: !Ref pOrganizationId
  oRootOrganizationalUnitId:
    Description: Root Organizational Unit ID
    Value: !Ref pRootOrganizationalUnitId
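The template's Description says the member-account values are resolved from the management account's SSM parameters. As an added example that is not part of the SRA repository, this Python helper turns those resolved values into the parameter list CloudFormation's CreateStack takes, rejects anything the template's own AllowedPattern would reject, and adds one cross-field check the template cannot express (the "without home region" lists must really exclude the home region). The SSM values are constructed stand-ins; a real run would fetch them with `ssm:GetParameters` in the management account first.

```python
import re

# AllowedPattern values copied from the template; each management-account SSM name maps to the template parameter it feeds.
ACCOUNT_ID = r"^\d{12}$"
REGION_LIST = r"^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$"
SSM_TO_TEMPLATE = {
    "/sra/control-tower/audit-account-id": ("pAuditAccountId", ACCOUNT_ID),
    "/sra/control-tower/log-archive-account-id": ("pLogArchiveAccountId", ACCOUNT_ID),
    "/sra/control-tower/management-account-id": ("pManagementAccountId", ACCOUNT_ID),
    "/sra/control-tower/organization-id": ("pOrganizationId", r"^$|^o-[a-z0-9]{10,32}$"),
    "/sra/control-tower/root-organizational-unit-id": ("pRootOrganizationalUnitId", r"^r-[0-9a-z]{4,32}$"),
    "/sra/control-tower/home-region": ("pHomeRegion", r"^[a-z0-9-]{1,64}$"),
    "/sra/regions/customer-control-tower-regions": ("pCustomerControlTowerRegions", REGION_LIST),
    "/sra/regions/customer-control-tower-regions-without-home-region": ("pCustomerControlTowerRegionsWithoutHomeRegion", REGION_LIST),
    "/sra/regions/enabled-regions": ("pEnabledRegions", REGION_LIST),
    "/sra/regions/enabled-regions-without-home-region": ("pEnabledRegionsWithoutHomeRegion", REGION_LIST),
}

def build_stack_parameters(ssm_values: dict) -> list:
    """Turn resolved management-account SSM values (a StringList arrives as one comma-separated
    string) into the ParameterKey/ParameterValue list CreateStack expects, failing closed."""
    params = []
    for name, (key, pattern) in SSM_TO_TEMPLATE.items():
        if name not in ssm_values:
            raise ValueError(f"management account has no parameter {name}")
        value = ssm_values[name]
        if re.fullmatch(pattern, value) is None:
            raise ValueError(f"{name}={value!r} violates AllowedPattern {pattern}")
        params.append({"ParameterKey": key, "ParameterValue": value})
    # Cross-field check the template cannot express: a *-without-home-region list
    # that still contains the home region would double-deploy regional stacks.
    home = ssm_values["/sra/control-tower/home-region"]
    for name in SSM_TO_TEMPLATE:
        if name.endswith("-without-home-region") and home in ssm_values[name].split(","):
            raise ValueError(f"{name} must not contain the home region {home}")
    return params

# Constructed stand-in for what ssm:GetParameters returns in the management account; the account, organization and OU identifiers are not real.
SAMPLE_SSM_VALUES = {
    "/sra/control-tower/audit-account-id": "111111111111",
    "/sra/control-tower/log-archive-account-id": "222222222222",
    "/sra/control-tower/management-account-id": "333333333333",
    "/sra/control-tower/organization-id": "o-abc1234567",
    "/sra/control-tower/root-organizational-unit-id": "r-abc123",
    "/sra/control-tower/home-region": "us-east-1",
    "/sra/regions/customer-control-tower-regions": "us-east-1,ap-southeast-2",
    "/sra/regions/customer-control-tower-regions-without-home-region": "ap-southeast-2",
    "/sra/regions/enabled-regions": "us-east-1,ap-southeast-2,eu-west-1",
    "/sra/regions/enabled-regions-without-home-region": "ap-southeast-2,eu-west-1",
}
```

Calling `build_stack_parameters(SAMPLE_SSM_VALUES)` yields the ten `ParameterKey`/`ParameterValue` pairs in template order; any value that would fail the template's constraint raises before a stack with Retain policies is ever created.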