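AWSTemplateFormatVersion: '2010-09-09'
Description: 'AWS CloudFormation Template to update config recorder settings in child accounts created by ControlTower.'
# How the pieces fit together, as far as this template shows (the function code is not part of it):
#   ProducerEventTrigger (Control Tower lifecycle events) --> ProducerLambda --> SQSConfigRecorder
#   SQSConfigRecorder --> ConsumerLambda, which assumes a role in each target account
#   ProducerLambdaTrigger (custom resource) also invokes ProducerLambda on stack create/update.
# Both functions load their code from a pre-existing bucket named config-custom-<account id>; what is
# said about their behaviour below is inferred from names, permissions and environment variables and
# should be confirmed against ct_configrecorder_override_producer.zip / _consumer.zip.
Parameters:
  ConfigOptOutExcludedAccounts:
    Description: Excluded Accounts list. This list should contain Management account, Log Archive and Audit accounts at the minimum
    # Handed to ProducerLambda verbatim as EXCLUDED_ACCOUNTS; the producer code defines the accepted format.
    # The default holds placeholder account ids and must be overridden at deploy time.
    Default: "['111111111111', '222222222222', '333333333333']"
    MaxLength: '2000'
    MinLength: '36'
    Type: String
  ConfigOptOutRecorderResourceTypes:
    Description: List of all resource types to be excluded from Config Recorder
    # Comma-separated; handed to ConsumerLambda verbatim as CONFIG_RECORDER_EXCLUDED_RESOURCE_LIST.
    Default: "AWS::HealthLake::FHIRDatastore,AWS::Pinpoint::Segment,AWS::Pinpoint::ApplicationSettings"
    Type: String
  CloudFormationVersion:
    Description: Change this value on a stack update to make ProducerLambdaTrigger (a custom resource) run again.
    Type: String
    # Quoted so every YAML parser keeps it a string; the parameter type is String.
    Default: '2'
Resources:
  LambdaZipsBucket:
    Type: AWS::S3::Bucket
    # NOTE(review): no other resource references this bucket -- both functions read their code from
    # config-custom-<account id> (see ProducerLambda / ConsumerLambda), and the commented-out
    # "DependsOn: CopyZips" lines suggest a copy step that was dropped. It is kept for compatibility
    # with existing stacks, but public access is blocked so an unused bucket cannot be exposed.
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  ProducerLambda:
    Type: AWS::Lambda::Function
    # DeletionPolicy: Retain
    # DependsOn: CopyZips
    Properties:
      #FunctionName: ct_configrecorder_override_producer_cf
      # Supply chain: the code object is addressed by bucket and key only, so anyone who can write to
      # config-custom-<account id> controls what this function runs. Keep that bucket private; with
      # versioning enabled on it, S3ObjectVersion can be added here to pin an exact object.
      Code:
        S3Bucket: !Sub 'config-custom-${AWS::AccountId}'
        S3Key: ct_configrecorder_override_producer.zip
      Handler: ct_configrecorder_override_producer.lambda_handler
      Role: !GetAtt ProducerLambdaExecutionRole.Arn
      Runtime: python3.10
      MemorySize: 128
      Timeout: 300
      Architectures:
        - x86_64
      # At most one producer invocation at a time (it can be triggered both by EventBridge and by the
      # custom resource below).
      ReservedConcurrentExecutions: 1
      Environment:
        Variables:
          EXCLUDED_ACCOUNTS: !Ref ConfigOptOutExcludedAccounts
          LOG_LEVEL: INFO
          SQS_URL: !Ref SQSConfigRecorder
  ProducerLambdaPermissions:
    Type: AWS::Lambda::Permission
    # DeletionPolicy: Retain
    # Lets EventBridge invoke the producer, but only from ProducerEventTrigger (SourceArn), not from
    # any rule in the account.
    Properties:
      Action: 'lambda:InvokeFunction'
      FunctionName: !Ref ProducerLambda
      Principal: 'events.amazonaws.com'
      SourceArn: !GetAtt ProducerEventTrigger.Arn
  ConsumerLambda:
    Type: AWS::Lambda::Function
    # DeletionPolicy: Retain
    # DependsOn: CopyZips
    Properties:
      #FunctionName: ct_configrecorder_override_consumer_cf
      # Same supply-chain caveat as ProducerLambda: the code is loaded by bucket and key from a bucket
      # this template does not create.
      Code:
        S3Bucket: !Sub 'config-custom-${AWS::AccountId}'
        S3Key: ct_configrecorder_override_consumer.zip
      Handler: ct_configrecorder_override_consumer.lambda_handler
      Role: !GetAtt ConsumerLambdaExecutionRole.Arn
      Runtime: python3.10
      MemorySize: 128
      Timeout: 180
      Architectures:
        - x86_64
      ReservedConcurrentExecutions: 10
      Environment:
        Variables:
          LOG_LEVEL: INFO
          CONFIG_RECORDER_EXCLUDED_RESOURCE_LIST: !Ref ConfigOptOutRecorderResourceTypes
  ConsumerLambdaEventSourceMapping:
    Type: AWS::Lambda::EventSourceMapping
    # DeletionPolicy: Retain
    # One queue message per consumer invocation. A failed invocation returns the message to the queue;
    # after maxReceiveCount attempts (see SQSConfigRecorder) it is moved to the dead-letter queue.
    Properties:
      BatchSize: 1
      Enabled: true
      EventSourceArn: !GetAtt SQSConfigRecorder.Arn
      FunctionName: !GetAtt ConsumerLambda.Arn
  ProducerLambdaExecutionRole:
    Type: 'AWS::IAM::Role'
    # DeletionPolicy: Retain
    Properties:
      ManagedPolicyArns:
        # CloudWatch Logs access for the function's own log group.
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: ct_cro_producer
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Read-only, and only on the Control Tower Config baseline StackSet -- presumably to
              # enumerate the accounts/regions where the baseline (and so the recorder) is deployed.
              - Effect: Allow
                Action:
                  - cloudformation:ListStackInstances
                Resource: !Sub 'arn:${AWS::Partition}:cloudformation:*:*:stackset/AWSControlTowerBP-BASELINE-CONFIG:*'
              # Scoped to the single work queue created below. NOTE(review): a producer should only need
              # SendMessage (plus GetQueueAttributes); drop ReceiveMessage/DeleteMessage once the producer
              # code confirms it never reads the queue.
              - Effect: Allow
                Action:
                  - sqs:DeleteMessage
                  - sqs:ReceiveMessage
                  - sqs:SendMessage
                  - sqs:GetQueueAttributes
                Resource: !GetAtt SQSConfigRecorder.Arn
  ConsumerLambdaExecutionRole:
    Type: 'AWS::IAM::Role'
    # DeletionPolicy: Retain
    Properties:
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: policy-sts-all
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # The consumer assumes a role in each target account to change its Config recorder. The
              # role name lives in the consumer code, not in this template, so the ARN is not pinned
              # here. Without a condition, "Resource: *" lets this function assume ANY role in ANY
              # account whose trust policy admits it; the condition keeps the grant inside this
              # account's own Organization. Once the role name is confirmed from the consumer code,
              # narrow Resource further to arn:${AWS::Partition}:iam::*:role/<that role name>.
              - Effect: Allow
                Action:
                  - sts:AssumeRole
                Resource: "*"
                Condition:
                  StringEquals:
                    # Plain string on purpose (no !Sub): ${aws:PrincipalOrgID} is an IAM policy
                    # variable and must reach IAM untouched.
                    aws:ResourceOrgID: '${aws:PrincipalOrgID}'
              # NOTE(review): a consumer should only need ReceiveMessage/DeleteMessage/GetQueueAttributes;
              # SendMessage is kept until the consumer code confirms it is unused.
              - Effect: Allow
                Action:
                  - sqs:DeleteMessage
                  - sqs:ReceiveMessage
                  - sqs:SendMessage
                  - sqs:GetQueueAttributes
                Resource: !GetAtt SQSConfigRecorder.Arn
  SQSConfigRecorderDLQ:
    Type: AWS::SQS::Queue
    # Dead-letter queue for SQSConfigRecorder: messages the consumer keeps failing on land here
    # instead of being redelivered until they expire, and can be inspected or replayed.
    Properties:
      QueueName: ct_configrecorder_override_cf_dlq
      MessageRetentionPeriod: 1209600  # 14 days, the SQS maximum
      KmsMasterKeyId: alias/aws/sqs
  SQSConfigRecorder:
    Type: AWS::SQS::Queue
    # DeletionPolicy: Retain
    # Work queue between ProducerLambda and ConsumerLambda, encrypted with the AWS-managed SQS key.
    Properties:
      QueueName: ct_configrecorder_override_cf
      # Equal to ConsumerLambda's Timeout. AWS guidance for SQS event sources is a visibility timeout
      # of at least six times the function timeout, so an invocation that runs to its limit cannot
      # overlap with a redelivery of the same message; raise this if duplicate processing is observed.
      VisibilityTimeout: 180
      DelaySeconds: 5
      KmsMasterKeyId: alias/aws/sqs
      RedrivePolicy:
        deadLetterTargetArn: !GetAtt SQSConfigRecorderDLQ.Arn
        maxReceiveCount: 3
  ProducerEventTrigger:
    Type: AWS::Events::Rule
    # Fires on the Control Tower lifecycle events that create or change accounts. These events are
    # emitted on the default bus of the account running Control Tower (presumably the management
    # account), which is therefore where this stack has to be deployed.
    Properties:
      Description: "Rule to trigger config recorder override producer lambda"
      EventBusName: default
      EventPattern: '{
        "source": ["aws.controltower"],
        "detail-type": ["AWS Service Event via CloudTrail"],
        "detail": {
          "eventName": ["UpdateLandingZone", "CreateManagedAccount", "UpdateManagedAccount"]
        }
      }'
      # Reuses the queue name as the rule name so the two are easy to correlate in the console.
      Name: !GetAtt SQSConfigRecorder.QueueName #ct_configrecorder_override_cf
      State: ENABLED
      Targets:
        -
          Arn:
            Fn::GetAtt:
              - "ProducerLambda"
              - "Arn"
          Id: "ProducerTarget"
  ProducerLambdaTrigger:
    Type: 'Custom::ExecuteLambda'
    # Invokes ProducerLambda when the stack is created and again whenever CloudFormationVersion changes
    # (presumably so already-existing accounts are processed without waiting for a lifecycle event).
    # The function must answer CloudFormation's custom-resource callback for Create, Update and Delete,
    # otherwise the stack operation waits until it times out.
    Properties:
      ServiceToken: !GetAtt "ProducerLambda.Arn"
      FunctionName: !Ref ProducerLambda
      Version: !Ref CloudFormationVersion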