config_management_account solution, and small updates to common_prerequisites solution

Author: tekdj7

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)
+- [2021-12-13](#2021-12-13)
 - [2021-12-10](#2021-12-10)
 - [2021-11-22](#2021-11-22)
 - [2021-11-20](#2021-11-20)
@@ -18,11 +19,27 @@ All notable changes to this project will be documented in this file.
 
 ---
 
+## 2021-12-13
+
+### Added<!-- omit in toc -->
+
+- [Config Management Account](aws_sra_examples/config/config_management_account) solution
+
+### Changed<!-- omit in toc -->
+
+- In [Common Prerequisites](aws_sra_examples/solutions/common/common_prerequisites) solution:
+  - Removed `TAG_KEY/TAG_VALUE` as environment variables and only kept them as Custom Resource Properties, since CloudWatch event is no longer needed in this solution.
+  - Removed `pManagementAccountId` from multiple templates, and instead used as needed `AWS::AccountId`.
+
+### Fixed<!-- omit in toc -->
+
+- Nothing Fixed
+
 ## 2021-12-10
 
 ### Added<!-- omit in toc -->
 
-- [Common Prerequisites](aws_sra_examples/solutions/common/common_prerequisites/) solution
+- [Common Prerequisites](aws_sra_examples/solutions/common/common_prerequisites) solution
 - [Deployment Methods](aws_sra_examples/docs/DEPLOYMENT-METHODS.md) documentation
 - [Staging Script](aws_sra_examples/utils/packaging_scripts/) - `stage_solution.sh`
 
@@ -93,9 +110,9 @@ All notable changes to this project will be documented in this file.
 
 ### Added<!-- omit in toc -->
 
-- [AWS IAM Access Analyzer](aws_sra_examples/solutions/iam/iam_access_analyzer/) solution
-- [Organization AWS Config Aggregator](aws_sra_examples/solutions/config/config_aggregator_org/) solution
-- [Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator/) solution
+- [AWS IAM Access Analyzer](aws_sra_examples/solutions/iam/iam_access_analyzer) solution
+- [Organization AWS Config Aggregator](aws_sra_examples/solutions/config/config_aggregator_org) solution
+- [Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator) solution
 
 ### Changed<!-- omit in toc -->
 

README.md

@@ -31,6 +31,7 @@ The examples within this repository have been deployed and tested using the corr
   - [Common Prerequisites](aws_sra_examples/solutions/common/common_prerequisites)
   - [Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)
 - Config
+  - [Config Management Account](aws_sra_examples/solutions/config/config_management_account)
   - [Organization Aggregator](aws_sra_examples/solutions/config/config_aggregator_org)
   - [Organization Conformance Pack](aws_sra_examples/solutions/config/config_conformance_pack_org)
 - EC2

aws_sra_examples/docs/DEPLOYMENT-METHODS.md

@@ -52,12 +52,12 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
 1. Copy the files to the Customizations for AWS Control Tower configuration `custom-control-tower-configuration`
      - parameters [**required for manifest version 2020-01-01**]
        - Copy the parameter files from the `parameters` folder
-       - Only one of the main parameter files is required. We recommend using the main-ssm file.
+       - Only one of the main parameter files is required. We recommend using the `main-ssm` file.
      - policies [optional]
        - service control policies files (\*.json)
      - templates [**required**]
-       - Copy the template files from the `templates` folder
-       - Only one of the main template files is required. We recommend using the main-ssm file.
+       - Copy the template files from the `templates` folder that are referenced in the `manifest.yaml`
+       - Only one of the main template files is required. We recommend using the `main-ssm` file.
      - `manifest.yaml` [**required**]
 2. Verify and update the parameters within each of the parameter json files to match the target environment
 3. Update the manifest.yaml file with the `organizational unit names`, `account names` and `SSM parameters` for the target environment
@@ -69,7 +69,8 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
      - policies [optional]
        - service control policies files (\*.json)
      - templates [**required**]
-       - Copy the template files from the `templates` folder
+       - Copy the template files from the `templates` folder that are referenced in the `manifest-v2.yaml`
+       - Only one of the main template files is required. We recommend using the `main-ssm` file.
      - `manifest-v2.yaml` [**required**]
 2. Rename the `manifest-v2.yaml` to `manifest.yaml`
 3. Update the manifest.yaml file with the `parameters`, `organizational unit names`, `account names` and `SSM parameters` for the target environment

aws_sra_examples/solutions/common/common_prerequisites/README.md

@@ -11,7 +11,12 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
 
 ## Introduction
 
-The `SRA Prerequisites Solution` creates the resources (`Staging S3 Buckets` and `Execution IAM Role`) and configuration (`SSM Parameters`) for simplifying the deployment of SRA solutions within an AWS Control Tower environment. All resources that support tags are provided a tag keypair of `sra-solution: sra-common-prerequisites`.
+The `SRA Prerequisites Solution` creates the resources (`Staging S3 Buckets` and `Execution IAM Role`) and configuration AWS Systems Manager Parameters (`SSM Parameters`) for simplifying the deployment of SRA solutions within an AWS Control Tower
+environment. All resources that support tags are provided a tag keypair of `sra-solution: sra-common-prerequisites`.
+
+[AWS Systems Manager](https://aws.amazon.com/systems-manager/) (SSM) has a [Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html) capability that provides secure, hierarchical storage for
+configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can store values as plain text or encrypted data. You can
+reference Systems Manager parameters in your scripts, commands, SSM documents, and configuration and automation workflows by using the unique name that you specified when you created the parameter.
 
 ## Deployed Resource Details
 
@@ -31,7 +36,7 @@ The `SRA Prerequisites Solution` creates the resources (`Staging S3 Buckets` and
 
 #### 1.3 Org ID AWS Lambda Function<!-- omit in toc -->
 
-- An external deployment package is used in the AWS Lambda Function in the [sra-common-prerequisites-staging-s3-bucket.yaml](templates/sra-common-prerequisites-staging-s3-bucket.yaml) that contains the logic to determine the AWS Organization ID
+- An inline AWS Lambda Function in the [sra-common-prerequisites-staging-s3-bucket.yaml](templates/sra-common-prerequisites-staging-s3-bucket.yaml) template contains the logic to determine the AWS Organization ID
 - The function is triggered by CloudFormation Create, Update, and Delete events.
 
 #### 1.4 AWS Lambda CloudWatch Log Group<!-- omit in toc -->
@@ -61,8 +66,8 @@ The `SRA Prerequisites Solution` creates the resources (`Staging S3 Buckets` and
 
 #### 1.8 Parameter AWS Lambda Function<!-- omit in toc -->
 
-- An inline AWS Lambda Function in the [sra-common-prerequisites-management-account-parameters.yaml](templates/sra-common-prerequisites-management-account-parameters.yaml) contains the logic for discovering common values in your Control Tower landing
-  zone. (e.g., Root Organizational Unit ID, Control Tower Home Region, Audit Account ID)
+- An external deployment package is used in the AWS Lambda Function in the [sra-common-prerequisites-management-account-parameters.yaml](templates/sra-common-prerequisites-management-account-parameters.yaml) template contains the logic for
+  discovering common values in your Control Tower landing zone. (e.g., Root Organizational Unit ID, Control Tower Home Region, Audit Account ID)
 - The function is triggered by CloudFormation Create, Update, and Delete events.
 
 #### 1.9 AWS Lambda CloudWatch Log Group<!-- omit in toc -->
@@ -155,3 +160,4 @@ The `SRA Prerequisites Solution` creates the resources (`Staging S3 Buckets` and
 - [How AWS Control Tower works with roles to create and manage accounts](https://docs.aws.amazon.com/controltower/latest/userguide/roles-how.html)
 - [AWS Systems Manager Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html)
 - [Working with AWS CloudFormation StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html)
+- [Customizations for AWS Control Tower](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/)

aws_sra_examples/solutions/common/common_prerequisites/customizations_for_aws_control_tower/manifest-v2.yaml

@@ -20,7 +20,7 @@ resources:
       - parameter_key: pLambdaLogLevel
         parameter_value: INFO
       - parameter_key: pSRAStagingS3BucketName
-        parameter_value:
+        parameter_value: '' # Leave blank to use SSM parameter
     deploy_method: stack_set
     deployment_targets:
       accounts:
@@ -79,8 +79,6 @@ resources:
   #       parameter_value: INFO
   #     - parameter_key: pLogArchiveAccountId
   #       parameter_value: ''
-  #     - parameter_key: pManagementAccountId
-  #       parameter_value: ''
   #     - parameter_key: pOrganizationId
   #       parameter_value: ''
   #     - parameter_key: pRootOrganizationalUnitId

aws_sra_examples/solutions/common/common_prerequisites/customizations_for_aws_control_tower/parameters/sra-common-prerequisites-main.json

@@ -55,10 +55,6 @@
         "ParameterKey": "pLogArchiveAccountId",
         "ParameterValue": ""
     },
-    {
-        "ParameterKey": "pManagementAccountId",
-        "ParameterValue": ""
-    },
     {
         "ParameterKey": "pOrganizationId",
         "ParameterValue": ""

aws_sra_examples/solutions/common/common_prerequisites/lambda/src/app.py

@@ -1,4 +1,5 @@
 """Custom Resource to gather data and create SSM paramters in the Control Tower management account.
+
 Version: 1.0
 
 'common_prerequisites' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples
@@ -354,19 +355,20 @@ def parameter_pattern_validator(parameter_name: str, parameter_value: Union[str,
         raise ValueError(f"'{parameter_name}' parameter with value of '{parameter_value}' does not follow the allowed pattern: {pattern}.")
 
 
-def get_validated_parameters() -> dict:
+def get_validated_parameters(event: CloudFormationCustomResourceEvent) -> dict:
     """Validate AWS CloudFormation parameters.
 
+    Args:
+        event: event data
+
     Returns:
         Validated parameters
     """
-    tag_key = os.getenv("TAG_KEY", "sra-solution")
-    tag_value = os.getenv("TAG_VALUE", "sra-common-prerequisites")
-
-    parameter_pattern_validator("TAG_KEY", tag_key, pattern=r"^.{1,128}$")
-    parameter_pattern_validator("TAG_VALUE", tag_value, pattern=r"^.{1,256}$")
+    params = event["ResourceProperties"].copy()
+    parameter_pattern_validator("TAG_KEY", params["TAG_KEY"], pattern=r"^.{1,128}$")
+    parameter_pattern_validator("TAG_VALUE", params["TAG_VALUE"], pattern=r"^.{1,256}$")
 
-    return {"TAG_KEY": tag_key, "TAG_VALUE": tag_value}
+    return params
 
 
 @helper.create
@@ -384,7 +386,7 @@ def create_update_event(event: CloudFormationCustomResourceEvent, context: Conte
     event_info = {"Event": event}
     LOGGER.info(event_info)
 
-    params = get_validated_parameters()
+    params = get_validated_parameters(event)
     tags: Sequence[TagTypeDef] = [{"Key": params["TAG_KEY"], "Value": params["TAG_VALUE"]}]
 
     ssm_data1 = get_org_ssm_parameter_info(path=SRA_CONTROL_TOWER_SSM_PATH)

aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-control-tower-execution-role.yaml

@@ -8,17 +8,15 @@ Description:
   https://github.com/aws-samples/aws-security-reference-architecture-examples
 Metadata:
   SRA:
-    Version: '1.0'
-    Order: '1'
-
+    Version: 1.0
+    Order: 2
   AWS::CloudFormation::Interface:
     ParameterGroups:
       - Label:
           default: General Properties
         Parameters:
           - pSRASolutionTagKey
           - pSRASolutionName
-          - pManagementAccountId
       - Label:
           default: Control Tower Role Attributes
         Parameters:
@@ -29,8 +27,6 @@ Metadata:
         default: AWS Control Tower Execution Role Name
       pCreateAWSControlTowerExecutionRole:
         default: Create AWS Control Tower Execution Role
-      pManagementAccountId:
-        default: Management Account ID
       pSRASolutionName:
         default: SRA Solution Name
       pSRASolutionTagKey:
@@ -47,11 +43,6 @@ Parameters:
     Default: 'true'
     Description: Indicates whether the AWS Control Tower Execution role should be created.
     Type: String
-  pManagementAccountId:
-    AllowedPattern: '^\d{12}$'
-    ConstraintDescription: Must be 12 digits.
-    Description: AWS Account ID of the Control Tower Management account.
-    Type: String
   pSRASolutionName:
     AllowedValues: [sra-common-prerequisites]
     Default: sra-common-prerequisites
@@ -88,7 +79,7 @@ Resources:
             Effect: Allow
             Principal:
               AWS:
-                - !Sub arn:${AWS::Partition}:iam::${pManagementAccountId}:root
+                - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
       ManagedPolicyArns:
         - !Sub arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess
       Tags:

aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-main-ssm.yaml

@@ -8,9 +8,9 @@ Description:
   repo, https://github.com/aws-samples/aws-security-reference-architecture-examples
 Metadata:
   SRA:
-    Version: '1.0'
-    Order: '1'
-
+    Version: 1.0
+    Entry: Parameters for deploying solution resolving SSM parameters
+    Order: 1
   AWS::CloudFormation::Interface:
     ParameterGroups:
       - Label:
@@ -25,7 +25,6 @@ Metadata:
         Parameters:
           - pAuditAccountId
           - pLogArchiveAccountId
-          - pManagementAccountId
           - pRootOrganizationalUnitId
           - pOrganizationId
           - pHomeRegion
@@ -77,8 +76,6 @@ Metadata:
         default: Lambda Log Level
       pLogArchiveAccountId:
         default: Log Archive Account ID
-      pManagementAccountId:
-        default: Management Account ID
       pOrganizationId:
         default: Organization ID
       pRootOrganizationalUnitId:
@@ -177,13 +174,6 @@ Parameters:
     Default: /sra/control-tower/log-archive-account-id
     Description: SSM Parameter for AWS Account ID of the Control Tower Log Archive account.
     Type: AWS::SSM::Parameter::Value<String>
-  pManagementAccountId:
-    AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
-    ConstraintDescription:
-      Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names.
-    Default: /sra/control-tower/management-account-id
-    Description: SSM Parameter for AWS Account ID of the Control Tower Management account.
-    Type: AWS::SSM::Parameter::Value<String>
   pOrganizationId:
     AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
     ConstraintDescription:
@@ -227,7 +217,6 @@ Resources:
           Value: !Ref pSRASolutionName
       Parameters:
         pCreateAWSControlTowerExecutionRole: !Ref pCreateAWSControlTowerExecutionRole
-        pManagementAccountId: !Ref pManagementAccountId
 
   rSSMParametersMemberAccountsStackSet:
     Condition: cCreateSSMParametersInMemberAccounts
@@ -272,7 +261,7 @@ Resources:
         - ParameterKey: pLogArchiveAccountId
           ParameterValue: !Ref pLogArchiveAccountId
         - ParameterKey: pManagementAccountId
-          ParameterValue: !Ref pManagementAccountId
+          ParameterValue: !Ref AWS::AccountId
         - ParameterKey: pOrganizationId
           ParameterValue: !Ref pOrganizationId
         - ParameterKey: pRootOrganizationalUnitId

aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-main.yaml

@@ -8,9 +8,9 @@ Description:
   https://github.com/aws-samples/aws-security-reference-architecture-examples
 Metadata:
   SRA:
-    Version: '1.0'
-    Order: '1'
-
+    Version: 1.0
+    Entry: Parameters for deploying solution without resolving SSM parameters
+    Order: 1
   AWS::CloudFormation::Interface:
     ParameterGroups:
       - Label:
@@ -25,7 +25,6 @@ Metadata:
         Parameters:
           - pAuditAccountId
           - pLogArchiveAccountId
-          - pManagementAccountId
           - pRootOrganizationalUnitId
           - pOrganizationId
           - pHomeRegion
@@ -77,8 +76,6 @@ Metadata:
         default: Lambda Log Level
       pLogArchiveAccountId:
         default: Log Archive Account ID
-      pManagementAccountId:
-        default: Management Account ID
       pOrganizationId:
         default: Organization ID
       pRootOrganizationalUnitId:
@@ -171,11 +168,6 @@ Parameters:
     ConstraintDescription: Must be 12 digits.
     Description: AWS Account ID of the Control Tower Log Archive account.
     Type: String
-  pManagementAccountId:
-    AllowedPattern: '^\d{12}$'
-    ConstraintDescription: Must be 12 digits.
-    Description: AWS Account ID of the Control Tower Management account.
-    Type: String
   pOrganizationId:
     AllowedPattern: '^o-[a-z0-9]{10,32}$'
     ConstraintDescription: Must start with 'o-' followed by from 10 to 32 lowercase letters or digits. (e.g. o-abc1234567)
@@ -215,7 +207,6 @@ Resources:
           Value: !Ref pSRASolutionName
       Parameters:
         pCreateAWSControlTowerExecutionRole: !Ref pCreateAWSControlTowerExecutionRole
-        pManagementAccountId: !Ref pManagementAccountId
 
   rSSMParametersMemberAccountsStackSet:
     Condition: cCreateSSMParametersInMemberAccounts
@@ -260,7 +251,7 @@ Resources:
         - ParameterKey: pLogArchiveAccountId
           ParameterValue: !Ref pLogArchiveAccountId
         - ParameterKey: pManagementAccountId
-          ParameterValue: !Ref pManagementAccountId
+          ParameterValue: !Ref AWS::AccountId
         - ParameterKey: pOrganizationId
           ParameterValue: !Ref pOrganizationId
         - ParameterKey: pRootOrganizationalUnitId

aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-management-account-parameters.yaml

@@ -8,9 +8,8 @@ Description:
   https://github.com/aws-samples/aws-security-reference-architecture-examples
 Metadata:
   SRA:
-    Version: '1.0'
-    Order: '1'
-
+    Version: 1.0
+    Order: 4
   AWS::CloudFormation::Interface:
     ParameterGroups:
       - Label:
@@ -152,8 +151,6 @@ Resources:
       Environment:
         Variables:
           LOG_LEVEL: !Ref pLambdaLogLevel
-          TAG_KEY: !Ref pSRASolutionTagKey
-          TAG_VALUE: !Ref pSRASolutionName
       Tags:
         - Key: !Ref pSRASolutionTagKey
           Value: !Ref pSRASolutionName

aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-member-account-parameters.yaml

@@ -9,9 +9,8 @@ Description:
   https://github.com/aws-samples/aws-security-reference-architecture-examples
 Metadata:
   SRA:
-    Version: '1.0'
-    Order: '2'
-
+    Version: 1.0
+    Order: 5
   AWS::CloudFormation::Interface:
     ParameterGroups:
       - Label: