# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 AWSTemplateFormatVersion: '2010-09-09' Description: IPAM Delegation CloudFormation Parameters: pNetworkHubAccountId: Description: NetworkHub Account ID for IPAM delegation Type: String Default: 123456789012 Resources: rIPAM: Type: 'Custom::IPAM' Version: '1.0' Properties: accountid: !Ref pNetworkHubAccountId ServiceToken: !GetAtt rIPAMLambdaDelegate.Arn rIPAMLambdaRoleDelegate: Type: 'AWS::IAM::Role' Metadata: cfn_nag: rules_to_suppress: - id: W11 reason: "Resource * acceptable for this policy." Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: - 'sts:AssumeRole' Path: / ManagedPolicyArns: - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole' Policies: - PolicyName: ipampolicy PolicyDocument: Statement: - Effect: Allow Action: - 'ec2:EnableIpamOrganizationAdminAccount' - 'organizations:RegisterDelegatedAdministrator' - 'organizations:EnableAWSServiceAccess' - 'iam:CreateServiceLinkedRole' Resource: '*' rIPAMLambdaDelegate: Type: 'AWS::Lambda::Function' Properties: Code: ZipFile: | import json,boto3 import cfnresponse from botocore.exceptions import ClientError def handler(event, context): print('this is the event ' + json.dumps(event)) StackName = event['StackId'] LogicalResourceId = event['LogicalResourceId'] UniqueId = event['RequestId'] print("Boto3 version: " + boto3.__version__) print("Parameters:\n" + (event['ResourceProperties']['accountid']) ) props = event['ResourceProperties'] client = boto3.client('ec2') if (event['RequestType'] == 'Create' or event['RequestType'] == 'Update'): try: response = client.enable_ipam_organization_admin_account(DryRun = False, DelegatedAdminAccountId = (event['ResourceProperties']['accountid'])) print(response) if response['Success'] == True: print("IPAM configured") print("Respond: SUCCESS") cfnresponse.send(event, context, cfnresponse.SUCCESS, {}) else: print("Respond: FAILED") cfnresponse.send(event, context, cfnresponse.FAILED, {}) except Exception as ex: print("failed executing requests.put(..): " + str(ex)) cfnresponse.send(event, context, cfnresponse.FAILED, {}) else: cfnresponse.send(event, context, cfnresponse.SUCCESS, {}) Handler: index.handler MemorySize: 128 Role: !GetAtt 'rIPAMLambdaRoleDelegate.Arn' Runtime: 'python3.8' Timeout: 60