AWSTemplateFormatVersion: 2010-09-09
Description: >
  Automatically enable Enterprise Support on newly created accounts in your organization
Resources:
  EnableESRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
              - lambda.amazonaws.com
          Action:
            - sts:AssumeRole
      Path: "/"
      Policies:
      - PolicyName: AutoES
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
              - 'logs:CreateLogGroup'
              - 'logs:CreateLogStream'
              - 'logs:PutLogEvents'
              - 'support:*'
            Resource: '*'
  EnableESFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.9
      Timeout: 15
      Handler: index.lambda_handler
      Role: !GetAtt EnableESRole.Arn
      Code:
        ZipFile: |
          import os
          import boto3
          import json

          def create_case(event):
              # Support endpoint is only available on us-east-1 - https://docs.aws.amazon.com/general/latest/gr/awssupport.html
              client = boto3.setup_default_session(region_name='us-east-1')
              
              # Creates the client to connect to the Support API
              client = boto3.client('support')
              
              # Saving the account ID of new account into $new_account
              new_account = event["detail"]["serviceEventDetails"]["createAccountStatus"]["accountId"]
              
              # For the record on logs
              print(f'New account ID is: { new_account }')
              
              # Gets the New Account ID from the event and submit the support case
              
              try:
                  response = client.create_case(
                      subject=f'Please enable Enterprise Support for account { new_account }',
                      severityCode='high',
                      communicationBody=f'Please enable Enterprise Support on newly created account { new_account }',
                      issueType='customer-service'
                  )
              
                  print(f"Support case created for account {new_account}")

              except:
                  print("Something went wrong and support case was not created.")
              
          def lambda_handler(event, context):
              # Starting execution
              create_case(event)
  NewAccountRule:
    Type: 'AWS::Events::Rule'
    Properties:
      Description: Capture newly created accounts in the organization
      Name: NewAccountRule
      EventBusName: default
      EventPattern:
        detail:
          eventName:
            - CreateAccountResult
          serviceEventDetails:
            createAccountStatus:
              state:
                - SUCCEEDED
      State: ENABLED
      Targets:
        - Arn: !GetAtt EnableESFunction.Arn
          Id: SubmitSupportCase
  PermissionForEventsToInvokeLambda: 
    Type: AWS::Lambda::Permission
    Properties: 
      FunctionName: 
        Ref: "EnableESFunction"
      Action: "lambda:InvokeFunction"
      Principal: "events.amazonaws.com"
      SourceArn: 
        Fn::GetAtt: 
          - "NewAccountRule"
          - "Arn"