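AWSTemplateFormatVersion: '2010-09-09'
Description: Control Tower customization that adds in New Relic integration to your aws accounts enrolled using AWS Control Tower.

Parameters:
  StackSetName:
    Type: String
    Default: NewRelic-Integration
    Description: >-
      Name of the existing CloudFormation stack set that is instantiated in
      every newly created Control Tower account. It scopes the Lambda role's
      cloudformation:CreateStackInstances permission and is passed to the
      function as the STACK_SET_NAME environment variable.

Resources:
  # Forwards CreateManagedAccount / UpdateManagedAccount lifecycle events
  # (delivered by Control Tower through CloudTrail) to the customization
  # function below.
  NewRelicControlTowerEvents:
    Type: AWS::Events::Rule
    Properties:
      Description: Capture Control Tower LifeCycle Events and Trigger an Action
      EventPattern:
        detail:
          eventName:
            - CreateManagedAccount
            - UpdateManagedAccount
          eventSource:
            - controltower.amazonaws.com
        detail-type:
          - AWS Service Event via CloudTrail
        source:
          - aws.controltower
      Name: NewRelicControlTowerEvents
      State: ENABLED
      Targets:
        - Arn: !GetAtt NewRelicControlTowerCustomizations.Arn
          Id: IDNewRelicControlTowerEvents

  # Execution role for the function: CloudWatch Logs via the managed policy,
  # CreateStackInstances on the one stack set named by StackSetName, and
  # PassRole on the Control Tower execution role.
  NewRelicControlTowerCustomizationsRole:
    Type: AWS::IAM::Role
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W28
            reason: "New Relic needs to name IAM roles to help uniquely identify them."
    Properties:
      RoleName: NewRelicControlTowerCustomizationsRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: Cloudformation-Ops
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - cloudformation:CreateStackInstances
                # Scoped to the single stack set the function instantiates
                # rather than every stack set in the account (stackset/*:*).
                # ${AWS::Partition} keeps the ARN valid outside the aws partition.
                Resource: !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stackset/${StackSetName}:*'
        - PolicyName: Pass-Role
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - iam:PassRole
                Resource: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerExecution'
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'

  # Creates a stack instance of StackSetName in each account whose
  # CreateManagedAccount event reports state SUCCEEDED.
  NewRelicControlTowerCustomizations:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        ZipFile: |
          import logging
          import os

          import boto3

          LOGGER = logging.getLogger()
          LOGGER.setLevel(logging.INFO)

          # Stack set(s) instantiated in each new account. The name comes from
          # the template's StackSetName parameter so this list and the role's
          # CreateStackInstances resource scope cannot drift apart.
          STACKSET_LIST = [os.environ.get('STACK_SET_NAME', 'NewRelic-Integration')]


          def lambda_handler(event, context):
              """Handle one Control Tower lifecycle event from EventBridge.

              Only a CreateManagedAccount event whose status is SUCCEEDED does
              work: one stack instance per entry in STACKSET_LIST is created in
              the new account, in the region the event was raised in. Any other
              event (including UpdateManagedAccount, which the rule also
              forwards) is logged and skipped.

              Returns True when every create_stack_instances call was accepted,
              False when the event was skipped or any call failed.
              """
              details = event.get('detail', {})
              if details.get('eventName') != 'CreateManagedAccount':
                  LOGGER.info('Control Tower Event Captured :{}'.format(event))
                  return False

              status = details.get('serviceEventDetails', {}).get('createManagedAccountStatus', {})
              if status.get('state') != 'SUCCEEDED':
                  LOGGER.info('Unsucessful Event Recieved. SKIPPING :{}'.format(event))
                  return False

              account_id = status['account']['accountId']
              region_name = details['awsRegion']
              cfn = boto3.client('cloudformation')
              all_ok = True
              for item in STACKSET_LIST:
                  # Best effort: a failure on one stack set is logged with its
                  # traceback and must not stop the remaining ones.
                  try:
                      cfn.create_stack_instances(StackSetName=item, Accounts=[account_id], Regions=[region_name])
                      LOGGER.info('Processed {} Sucessfully'.format(item))
                  except Exception as e:
                      LOGGER.exception('Unable to launch in:{}, REASON: {}'.format(item, e))
                      all_ok = False
              return all_ok
      Handler: index.lambda_handler
      MemorySize: 128
      Role: !GetAtt NewRelicControlTowerCustomizationsRole.Arn
      # python3.7 has reached end of support on Lambda and can no longer be
      # used for new functions; boto3 is bundled in current Python runtimes.
      Runtime: python3.12
      Timeout: 60
      Environment:
        Variables:
          STACK_SET_NAME: !Ref StackSetName

  # Lets the EventBridge rule above (and only that rule) invoke the function.
  NewRelicControlTowerCustomizationsPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt NewRelicControlTowerCustomizations.Arn
      Principal: events.amazonaws.com
      SourceArn: !GetAtt NewRelicControlTowerEvents.Arn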