--- AWSTemplateFormatVersion: 2010-09-09 Description: 'Deployment marketplace portfolio and management lambda fn' Parameters: bucketName: Type: String Description: S3 bucket where lambda zip file is stored bucketKey: Type: String Description: S3 key for asset version Resources: awslambdaservicecatalogroleA355D6BF: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: lambda.amazonaws.com Version: "2012-10-17" Policies: - PolicyName: LicenseManagerPolicy PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - 'license-manager:ListReceivedLicenses' - 'license-manager:CreateGrant' - 'license-manager:CreateGrantVersion' Resource: "*" - PolicyName: CTAssumeRole PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - 'sts:AssumeRole' Resource: "arn:aws:iam::*:role/AWSControlTowerExecution" ManagedPolicyArns: - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :iam::aws:policy/AWSServiceCatalogAdminFullAccess - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :iam::aws:policy/AWSOrganizationsReadOnlyAccess - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole awslambdaservicecatalogroleDefaultPolicy356A4C65: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: catalog:DescribePortfolioShares Effect: Allow Resource: "*" Version: "2012-10-17" PolicyName: awslambdaservicecatalogroleDefaultPolicy356A4C65 Roles: - Ref: awslambdaservicecatalogroleA355D6BF PrivateMarketplace: Type: AWS::ServiceCatalog::Portfolio Properties: DisplayName: PrivateMarketplace ProviderName: CCoE PrivateMarketplaceProductFunctionD9CC0428: Type: AWS::Lambda::Function Properties: Code: S3Bucket: Ref: bucketName S3Key: Fn::Join: - '' - - Ref: bucketKey - "/" - Ref: bucketKey - ".zip" Role: Fn::GetAtt: - awslambdaservicecatalogroleA355D6BF - Arn Environment: Variables: PORTFOLIO_ID: Ref: PrivateMarketplace Handler: handler.handler Runtime: python3.6 Timeout: 300 DependsOn: - awslambdaservicecatalogroleDefaultPolicy356A4C65 - awslambdaservicecatalogroleA355D6BF PrivateMarketplaceProductRuleA13B00FA: Type: AWS::Events::Rule Properties: Description: Triggered when Marketplace product is added EventPattern: detail: eventSource: - servicecatalog.amazonaws.com eventName: - ImportProductFromMarketplace responseElements: productViewDetail: productViewSummary: type: - MARKETPLACE status: - CREATED source: - aws.servicecatalog Name: PrivateMarketplaceProductRule State: ENABLED Targets: - Arn: Fn::GetAtt: - PrivateMarketplaceProductFunctionD9CC0428 - Arn Id: Target0 PrivateMarketplaceProductRuleAllowEventRuleprivatemarketplacePrivateMarketplaceProductRule654C15E95197EB07: Type: AWS::Lambda::Permission Properties: Action: lambda:InvokeFunction FunctionName: Fn::GetAtt: - PrivateMarketplaceProductFunctionD9CC0428 - Arn Principal: events.amazonaws.com SourceArn: Fn::GetAtt: - PrivateMarketplaceProductRuleA13B00FA - Arn