AWSTemplateFormatVersion: 2010-09-09 Description: Create service catalog product to register SCP account. Metadata: AWS::CloudFormation::Interface: - Label: default: Mandatory Variables Parameters: - SCPCatalogAdministrator - Label: default: Optional Variables Parameters: - SCPPortfolioName - SourceTemplate - SCPPortfolioName - SCPProductName - SCPProductDescription Parameters: SourceTemplate: Description: > Enter the CloudFormation template path stored in S3 bucket in Security Account. The template is used for the SCP Service Catalog. Type: String Default: scp-service-catalog-product-template.yaml SCPCatalogAdministrator: Description: > Enter the ARN Suffix of the IAM entity (role or user or group) that will be performing SCP account register from AWS Service Catalog E.g: role/Admin, user/abc Type: String Default: role/Admin AllowedPattern: ".+" SCPPortfolioName: Description: "Enter the name for SCP Acount Register Portfolio." Type: String Default: "SCP Account Register Portfolio." SCPProductName: Type: String Description: "Enter the name for SCP Account Register Product." Default: "SCP Account Register Product." SCPProductDescription: Description: "Enter the description for SCP Account Register Product." Type: String Default: "This product to register new account to apply SCP Policy in the SCP Alternative Solution." Resources: # SCP Service Catalog SCPPortfolio: Type: "AWS::ServiceCatalog::Portfolio" Properties: DisplayName: !Ref SCPPortfolioName AcceptLanguage: "en" ProviderName: "security" SCPProduct: Type: "AWS::ServiceCatalog::CloudFormationProduct" Properties: AcceptLanguage: "en" Description: !Ref SCPProductDescription Distributor: "Security Team" Name: !Ref SCPProductName Owner: "Security Team" SupportEmail: "scp@security.com" SupportUrl: "https://www.security.com" SupportDescription: "Security team" ProvisioningArtifactParameters: - Description: "Aug 2021" Name: "Aug 2021 v1.0" Info: LoadTemplateFromURL: !Sub - 'https://s3.${Region}.amazonaws.com.cn/${BucketName}/${TemplatePath}' - Region: !Ref AWS::Region BucketName: !ImportValue CloudFormationBucketName TemplatePath: !Ref SourceTemplate SCPAssociation: Type: "AWS::ServiceCatalog::PortfolioProductAssociation" Properties: ProductId: !Ref SCPProduct PortfolioId: !Ref SCPPortfolio PortfolioPrincipalAssociation: Type: "AWS::ServiceCatalog::PortfolioPrincipalAssociation" Properties: PrincipalARN: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:${SCPCatalogAdministrator}" PortfolioId: !Ref SCPPortfolio PrincipalType: IAM ServiceCatalogLaunchRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: Effect: "Allow" Principal: Service: - "servicecatalog.amazonaws.com" Action: - "sts:AssumeRole" ManagedPolicyArns: - !Sub "arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess" Path: "/" ServiceCatalogLaunchConstraint: Type: "AWS::ServiceCatalog::LaunchRoleConstraint" DependsOn: SCPAssociation Properties: Description: This is a launch constraint created for SCP portfolio AcceptLanguage: en PortfolioId: !Ref SCPPortfolio ProductId: !Ref SCPProduct RoleArn: !GetAtt ServiceCatalogLaunchRole.Arn ServiceCatalogTagOption: Type: "AWS::ServiceCatalog::TagOption" Properties: Active: true Value: !Sub "scp-${AWS::StackName}" Key: "Name" ServiceCatalogTagOptionAssociation: Type: "AWS::ServiceCatalog::TagOptionAssociation" Properties: TagOptionId: !Ref ServiceCatalogTagOption ResourceId: !Ref SCPPortfolio