# /* # * Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved. # * # * Permission is hereby granted, free of charge, to any person obtaining a copy of this # * software and associated documentation files (the "Software"), to deal in the Software # * without restriction, including without limitation the rights to use, copy, modify, # * merge, publish, distribute, sublicense, and/or sell copies of the Software, and to # * permit persons to whom the Software is furnished to do so. # * # * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, # * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A # * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT # * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION # * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE # * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. # */ AWSTemplateFormatVersion: 2010-09-09 Description: This template sets up the infrastructure required for an AWS Service Catalog based Account Bootstrap Product. (fdp-1qjtom7jr) Parameters: SourceBucket: Description: "Bucket name of the S3 bucket holding all the files for the Account Bootstrap Product set up" Type: String Default: "" AccountBootstrapLambdaZip: Description: "File name of the zipped lambda function for Account Bootstrap Product. (Must be in the S3 bucket mentioned above)" Type: String Default: "" SourceTemplate: Description: "Enter the template URL for the cloudformation template to create the Account Bootstrap Product product in AWS Service Catalog" Type: String Default: "/govcloud-account-avm-product.yaml" AccountAdministrator: Description: "Enter the ARN of the IAM entity (role or user or group) that will be performing account creation from AWS Service Catalog" Type: String AllowedPattern: ".+" Resources: AccountBootstrapLambda: Type: "AWS::Lambda::Function" DependsOn: LambdaExecuteRole Properties: Handler: "AccountBootstrapLambda.lambda_handler" Runtime: "python3.9" Role: !GetAtt LambdaExecuteRole.Arn Timeout: 800 TracingConfig: Mode: "Active" Code: S3Bucket: !Ref SourceBucket S3Key: "AccountBootstrapLambda.zip" LambdaExecuteRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - 'sts:AssumeRole' ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/AWSOrganizationsFullAccess - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole Policies: - PolicyName: !Sub "LambdaAllowWriteToLogGroup" PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - "logs:CreateLogGroup" Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:* - Effect: Allow Action: - logs:CreateLogStream - logs:PutLogEvents Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/OrganizationsChildAccountEnrollment:* - PolicyName: !Sub "LambdaAllowGetOrgAccountRole" PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - sts:AssumeRole Resource: !Sub arn:${AWS::Partition}:iam::*:role/OrganizationAccountAccessRole - Effect: Allow Action: - iam:GetRole Resource: '*' AccountBootstrapPortfolio: Type: "AWS::ServiceCatalog::Portfolio" Properties: DisplayName: "Account Bootstrap Portfolio" AcceptLanguage: "en" ProviderName: "AWS" AccountBootstrapProduct: Type: "AWS::ServiceCatalog::CloudFormationProduct" Properties: AcceptLanguage: "en" Description: "This product is an Account Bootstrap Product builds a new account" Distributor: "Amazon" Name: "Account Bootstrap Product" Owner: "AWS" SupportEmail: "support@yourcompany.com" SupportUrl: "https://www.amazon.com" SupportDescription: "Support Description" ProvisioningArtifactParameters: - Description: "April 2020" Name: "April 2020 v1.0" Info: LoadTemplateFromURL : !Ref SourceTemplate AVMAssociation: Type: "AWS::ServiceCatalog::PortfolioProductAssociation" Properties: ProductId: !Ref AccountBootstrapProduct PortfolioId: !Ref AccountBootstrapPortfolio PortfolioPrincipalAssociation: Type: "AWS::ServiceCatalog::PortfolioPrincipalAssociation" Properties: PrincipalARN: !Ref AccountAdministrator PortfolioId: !Ref AccountBootstrapPortfolio PrincipalType: IAM ServiceCatalogLaunchRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: Effect: "Allow" Principal: Service: - "servicecatalog.amazonaws.com" Action: - "sts:AssumeRole" ManagedPolicyArns: - !Sub "arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess" Path: "/" ServiceCatalogLaunchConstraint: Type: "AWS::ServiceCatalog::LaunchRoleConstraint" DependsOn: ServiceCatalogLaunchRole Properties: Description: This is a launch constraint created for the account vending portfolio AcceptLanguage: en PortfolioId: !Ref AccountBootstrapPortfolio ProductId: !Ref AccountBootstrapProduct RoleArn: !GetAtt ServiceCatalogLaunchRole.Arn ServiceCatalogTagOption: Type: "AWS::ServiceCatalog::TagOption" Properties: Active: true Value: "avm-reference-architecture" Key: "Name" ServiceCatalogTagOptionAssociation: Type: "AWS::ServiceCatalog::TagOptionAssociation" Properties: TagOptionId: !Ref ServiceCatalogTagOption ResourceId: !Ref AccountBootstrapPortfolio Outputs: AccountLambda: Description: ARN of the account creation lambda function Value: !GetAtt AccountBootstrapLambda.Arn Export: Name: AccountBootstrapLambda