{
  "AWSTemplateFormatVersion": "2010-09-09", 
  "Description": "Service Catalog CT Post Actions-BASE", 
  "Outputs": {
    "OutAPIGateMethodPOST": {
      "Description": "APIGateMethodPOST", 
      "Value": {
        "Ref": "APIGateMethodPOST"
      }
    }, 
    "OutAPIGateway": {
      "Description": "APIGateway", 
      "Value": {
        "Ref": "APIGateway"
      }
    }, 
    "OutAPIGatewayDeployment": {
      "Description": "APIGatewayDeployment", 
      "Value": {
        "Ref": "APIGatewayDeployment"
      }
    }, 
    "OutAPIGatewayKey": {
      "Description": "APIGatewayKey", 
      "Value": {
        "Ref": "APIGatewayKey"
      }
    }, 
    "OutAPIGatewayLambdaPermission": {
      "Description": "APIGatewayLambdaPermission", 
      "Value": {
        "Ref": "APIGatewayLambdaPermission"
      }
    }, 
    "OutAPIGatewayStage": {
      "Description": "APIGatewayStage", 
      "Value": {
        "Ref": "APIGatewayStage"
      }
    }, 
    "OutCTpostactionPortfolio": {
      "Description": "CTpostactionPortfolio", 
      "Value": {
        "Ref": "CTpostactionPortfolio"
      }
    }, 
    "OutCTstepfunctionLambda": {
      "Description": "CTstepfunctionLambda", 
      "Value": {
        "Ref": "CTstepfunctionLambda"
      }
    }, 
    "OutCopyZipsFunctionDefine": {
      "Description": "CopyZipsFunctionDefine", 
      "Value": {
        "Ref": "CopyZipsFunctionDefine"
      }
    }, 
    "OutCopyZipsRoleDefine": {
      "Description": "CopyZipsRoleDefine", 
      "Value": {
        "Ref": "CopyZipsRoleDefine"
      }
    }, 
    "OutCopyZipsRun": {
      "Description": "CopyZipsRun", 
      "Value": {
        "Ref": "CopyZipsRun"
      }
    }, 
    "OutDynamodbCTpostactionsConfig": {
      "Description": "DynamodbCTpostactionsConfig", 
      "Value": {
        "Ref": "DynamodbCTpostactionsConfig"
      }
    }, 
    "OutDynamodbCTpostactionsDetails": {
      "Description": "DynamodbCTpostactionsDetails", 
      "Value": {
        "Ref": "DynamodbCTpostactionsDetails"
      }
    }, 
    "OutLambdaDBquery": {
      "Description": "LambdaDBquery", 
      "Value": {
        "Ref": "LambdaDBquery"
      }
    }, 
    "OutLambdaLifeCycleEvent": {
      "Description": "LambdaLifeCycleEvent", 
      "Value": {
        "Ref": "LambdaLifeCycleEvent"
      }
    }, 
    "OutLambdaZipsBucket": {
      "Description": "LambdaZipsBucket", 
      "Value": {
        "Ref": "LambdaZipsBucket"
      }
    }, 
    "OutLctpostaction": {
      "Description": "Lctpostaction", 
      "Value": {
        "Ref": "Lctpostaction"
      }
    }, 
    "OutLctpostactionRole": {
      "Description": "LctpostactionRole", 
      "Value": {
        "Ref": "LctpostactionRole"
      }
    }, 
    "OutLctpostactionRun": {
      "Description": "LctpostactionRun", 
      "Value": {
        "Ref": "LctpostactionRun"
      }
    }, 
    "OutParCTstepfunctionLambda": {
      "Description": "ParCTstepfunctionLambda", 
      "Value": {
        "Ref": "ParCTstepfunctionLambda"
      }
    }, 
    "OutParDatabases": {
      "Description": "ParDatabases", 
      "Value": {
        "Ref": "ParDatabases"
      }
    }, 
    "OutParLambdaZipsBucket": {
      "Description": "ParLambdaZipsBucket", 
      "Value": {
        "Ref": "ParLambdaZipsBucket"
      }
    }, 
    "OutParLctpostaction": {
      "Description": "ParLctpostaction", 
      "Value": {
        "Ref": "ParLctpostaction"
      }
    }, 
    "OutParLctpostactionRole": {
      "Description": "ParLctpostactionRole", 
      "Value": {
        "Ref": "ParLctpostactionRole"
      }
    }, 
    "OutParSCproductCTAddConfigItem": {
      "Description": "ParSCproductCTAddConfigItem", 
      "Value": {
        "Ref": "ParSCproductCTAddConfigItem"
      }
    }, 
    "OutParStepFunction001": {
      "Description": "ParStepFunction001", 
      "Value": {
        "Ref": "ParStepFunction001"
      }
    }, 
    "OutPermissionLifeCycleEvent": {
      "Description": "PermissionLifeCycleEvent", 
      "Value": {
        "Ref": "PermissionLifeCycleEvent"
      }
    }, 
    "OutPortfolioAssocEnduserRole": {
      "Description": "PortfolioAssocEnduserRole", 
      "Value": {
        "Ref": "PortfolioAssocEnduserRole"
      }
    }, 
    "OutProd": {
      "Description": "Prod", 
      "Value": {
        "Ref": "Prod"
      }
    }, 
    "OutProdAssociateCTAddConfigItem": {
      "Description": "ProdAssociateCTAddConfigItem", 
      "Value": {
        "Ref": "ProdAssociateCTAddConfigItem"
      }
    }, 
    "OutRuleLifeCycleEvents": {
      "Description": "RuleLifeCycleEvents", 
      "Value": {
        "Ref": "RuleLifeCycleEvents"
      }
    }, 
    "OutSCproductCTAddConfigItem": {
      "Description": "SCproductCTAddConfigItem", 
      "Value": {
        "Ref": "SCproductCTAddConfigItem"
      }
    }, 
    "OutStepFunction001": {
      "Description": "StepFunction001", 
      "Value": {
        "Ref": "StepFunction001"
      }
    }, 
    "OutStepfunctionRole": {
      "Description": "StepfunctionRole", 
      "Value": {
        "Ref": "StepfunctionRole"
      }
    }
  }, 
  "Parameters": {
    "SCenduserRole": {
      "Default": "user/username", 
      "Description": "Which group, role or user [type/name] will have access to the add config item SC product", 
      "Type": "String"
    }, 
    "SourceBucket": {
      "Default": "kwdem0s", 
      "Description": "Source bucket", 
      "Type": "String"
    }
  }, 
  "Resources": {
    "APIGateMethodPOST": {
      "Properties": {
        "AuthorizationType": "NONE", 
        "HttpMethod": "POST", 
        "Integration": {
          "IntegrationHttpMethod": "POST", 
          "IntegrationResponses": [
            {
              "StatusCode": 200
            }
          ], 
          "Type": "AWS", 
          "Uri": {
            "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${LambdaDBquery.Arn}/invocations"
          }
        }, 
        "MethodResponses": [
          {
            "StatusCode": 200
          }
        ], 
        "ResourceId": {
          "Fn::GetAtt": [
            "APIGateway", 
            "RootResourceId"
          ]
        }, 
        "RestApiId": {
          "Ref": "APIGateway"
        }
      }, 
      "Type": "AWS::ApiGateway::Method"
    }, 
    "APIGateway": {
      "Properties": {
        "Description": "CT postaction Lambda API GW", 
        "Name": {
          "Fn::Join": [
            "", 
            [
              "ct-postactRestAPI", 
              {
                "Fn::Select": [
                  1, 
                  {
                    "Fn::Split": [
                      "-", 
                      {
                        "Fn::Select": [
                          2, 
                          {
                            "Fn::Split": [
                              "/", 
                              {
                                "Ref": "AWS::StackId"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          ]
        }
      }, 
      "Type": "AWS::ApiGateway::RestApi"
    }, 
    "APIGatewayDeployment": {
      "DependsOn": [
        "APIGateMethodPOST"
      ], 
      "Properties": {
        "RestApiId": {
          "Ref": "APIGateway"
        }
      }, 
      "Type": "AWS::ApiGateway::Deployment"
    }, 
    "APIGatewayKey": {
      "Properties": {
        "CustomerId": {
          "Fn::Sub": "${AWS::AccountId}"
        }, 
        "Enabled": "True"
      }, 
      "Type": "AWS::ApiGateway::ApiKey"
    }, 
    "APIGatewayLambdaPermission": {
      "Properties": {
        "Action": "lambda:InvokeFunction", 
        "FunctionName": {
          "Fn::GetAtt": [
            "LambdaDBquery", 
            "Arn"
          ]
        }, 
        "Principal": "apigateway.amazonaws.com", 
        "SourceArn": {
          "Fn::Sub": "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${APIGateway}/*/POST/"
        }
      }, 
      "Type": "AWS::Lambda::Permission"
    }, 
    "APIGatewayStage": {
      "Properties": {
        "DeploymentId": {
          "Ref": "APIGatewayDeployment"
        }, 
        "Description": "Prod Stage", 
        "MethodSettings": [
          {
            "DataTraceEnabled": "true", 
            "HttpMethod": "POST", 
            "MetricsEnabled": "true", 
            "ResourcePath": "/stack", 
            "ThrottlingBurstLimit": "999"
          }
        ], 
        "RestApiId": {
          "Ref": "APIGateway"
        }, 
        "StageName": "v1", 
        "Variables": {
          "Stack": "Prod"
        }
      }, 
      "Type": "AWS::ApiGateway::Stage"
    }, 
    "CTpostactionPortfolio": {
      "DependsOn": "CopyZipsRun", 
      "Properties": {
        "AcceptLanguage": "en", 
        "Description": "AWS MP Sample CT postaction portfolio", 
        "DisplayName": "SC CT postaction", 
        "ProviderName": "AWS MP"
      }, 
      "Type": "AWS::ServiceCatalog::Portfolio"
    }, 
    "CTstepfunctionLambda": {
      "DependsOn": "LctpostactionRole", 
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Ref": "LambdaZipsBucket"
          }, 
          "S3Key": {
            "Fn::Sub": "content/postaction/l_sf_postaction_mgt.zip"
          }
        }, 
        "Description": "Make Requests", 
        "Handler": "lambda_function.lambda_handler", 
        "Role": {
          "Fn::GetAtt": [
            "LctpostactionRole", 
            "Arn"
          ]
        }, 
        "Runtime": "python3.7", 
        "Timeout": 300
      }, 
      "Type": "AWS::Lambda::Function"
    }, 
    "CopyZipsFunctionDefine": {
      "Properties": {
        "Code": {
          "ZipFile": "import json\nimport logging\nimport urllib3\nimport threading\nimport boto3\nhttp = urllib3.PoolManager()\ns3_client = boto3.client('s3')\nlogger = logging.getLogger()\ndef cfnresponse(event, context, responseStatus, responseData={}, physicalResourceId=None, noEcho=False):    \n    responseBody = {}\n    responseBody['Status'] = responseStatus\n    responseBody['Reason'] = 'See the details in CloudWatch Log Stream: ' + context.log_stream_name\n    responseBody['PhysicalResourceId'] = physicalResourceId or context.log_stream_name\n    responseBody['StackId'] = event['StackId']\n    responseBody['RequestId'] = event['RequestId']\n    responseBody['LogicalResourceId'] = event['LogicalResourceId']\n    responseBody['NoEcho'] = noEcho\n    responseBody['Data'] = responseData\n    json_responseBody = json.dumps(responseBody)    \n    headers = {'content-type' : '','content-length' : str(len(json_responseBody))}\n    try:\n        response = http.request('PUT',event['ResponseURL'],body=json_responseBody.encode('utf-8'),headers=headers)\n        logger.debug('Status code: ' + response.reason)\n    except Exception as e:\n        logger.error('cfnresponse(..) 
failed executing requests.put(..): ' + str(e))\ndef emptydbucket(bucket):\n    s3 = boto3.resource('s3')    \n    bucketi = s3.Bucket(bucket)\n    for obj in bucketi.objects.all():\n        s3_client.delete_object(Bucket=bucket,Key=obj.key)    \ndef copy_objects(source_bucket, dest_bucket, prefix, objects):    \n    for o in objects:\n        key = prefix + o\n        copy_source = {\n            'Bucket': source_bucket,\n            'Key': key\n        }\n        print('copy_source: %s' % copy_source)\n        print('dest_bucket = %s'%dest_bucket)\n        print('key = %s' %key)\n        s3_client.copy_object(CopySource=copy_source, Bucket=dest_bucket,Key=key)\ndef timeout(event, context):\n    logging.error('Execution is about to time out, sending failure response to CloudFormation')\n    cfnresponse(event, context, 'FAILED')    \ndef handler(event, context):\n    # make sure we send a failure to CloudFormation if the function\n    # is going to timeout    \n    timer = threading.Timer((context.get_remaining_time_in_millis()\n              / 1000.00) - 0.5, timeout, args=[event, context])\n    timer.start()    \n    status = 'SUCCESS'\n    try:\n        source_bucket = event['ResourceProperties']['SourceBucket']\n        dest_bucket = event['ResourceProperties']['DestBucket']\n        prefix = event['ResourceProperties']['Prefix']\n        objects = event['ResourceProperties']['Objects']\n        if event['RequestType'] == 'Delete':             \n            emptydbucket(event['ResourceProperties']['DestBucket'])       \n        else:\n            copy_objects(source_bucket, dest_bucket, prefix, objects)\n    except Exception as e:\n        logging.error('Exception: %s' % e, exc_info=True)\n        status = 'FAILED'\n    finally:\n        timer.cancel()\n        cfnresponse(event, context, status)"
        }, 
        "Description": "Copies objects from a source S3 bucket to a destination", 
        "Handler": "index.handler", 
        "Role": {
          "Fn::GetAtt": [
            "CopyZipsRoleDefine", 
            "Arn"
          ]
        }, 
        "Runtime": "python2.7", 
        "Timeout": 240
      }, 
      "Type": "AWS::Lambda::Function"
    }, 
    "CopyZipsRoleDefine": {
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole", 
              "Effect": "Allow", 
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ], 
          "Version": "2012-10-17"
        }, 
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
        ], 
        "Path": "/", 
        "Policies": [
          {
            "PolicyDocument": {
              "Statement": [
                {
                  "Action": [
                    "s3:GetObject"
                  ], 
                  "Effect": "Allow", 
                  "Resource": [
                    {
                      "Fn::Sub": "arn:aws:s3:::${SourceBucket}/*"
                    }
                  ]
                }, 
                {
                  "Action": [
                    "s3:PutObject", 
                    "s3:DeleteObject", 
                    "s3:Get*", 
                    "s3:List*"
                  ], 
                  "Effect": "Allow", 
                  "Resource": [
                    {
                      "Fn::Sub": "arn:aws:s3:::${LambdaZipsBucket}/*"
                    }, 
                    {
                      "Fn::Sub": "arn:aws:s3:::${LambdaZipsBucket}"
                    }
                  ]
                }
              ], 
              "Version": "2012-10-17"
            }, 
            "PolicyName": "lambda-copier"
          }
        ]
      }, 
      "Type": "AWS::IAM::Role"
    }, 
    "CopyZipsRun": {
      "Properties": {
        "DestBucket": {
          "Ref": "LambdaZipsBucket"
        }, 
        "Objects": [
          "l_ct_lc_update.zip", 
          "l_ctpostaction.zip", 
          "l_sf_postaction_mgt.zip", 
          "l_dbquery.zip", 
          "ct_supported_regions.json", 
          "s3_choice_sc_ez_portfolio.json", 
          "s3_choice_setup_ctpostaction_spoke_base.json", 
          "setup_ctpostaction_add_config.json", 
          "setup_ctpostaction_base.json"
        ], 
        "Prefix": "content/postaction/", 
        "ServiceToken": {
          "Fn::GetAtt": [
            "CopyZipsFunctionDefine", 
            "Arn"
          ]
        }, 
        "SourceBucket": {
          "Ref": "SourceBucket"
        }
      }, 
      "Type": "Custom::CopyZipsRun"
    }, 
    "DynamodbCTpostactionsConfig": {
      "Properties": {
        "AttributeDefinitions": [
          {
            "AttributeName": "configkey", 
            "AttributeType": "S"
          }, 
          {
            "AttributeName": "OrgUnits", 
            "AttributeType": "S"
          }
        ], 
        "KeySchema": [
          {
            "AttributeName": "configkey", 
            "KeyType": "HASH"
          }, 
          {
            "AttributeName": "OrgUnits", 
            "KeyType": "RANGE"
          }
        ], 
        "ProvisionedThroughput": {
          "ReadCapacityUnits": "5", 
          "WriteCapacityUnits": "5"
        }, 
        "TableName": {
          "Fn::Sub": "sc-ct-postactions-config-${AWS::Region}-${AWS::AccountId}"
        }
      }, 
      "Type": "AWS::DynamoDB::Table"
    }, 
    "DynamodbCTpostactionsDetails": {
      "Properties": {
        "AttributeDefinitions": [
          {
            "AttributeName": "detailskey", 
            "AttributeType": "S"
          }
        ], 
        "KeySchema": [
          {
            "AttributeName": "detailskey", 
            "KeyType": "HASH"
          }
        ], 
        "ProvisionedThroughput": {
          "ReadCapacityUnits": "5", 
          "WriteCapacityUnits": "5"
        }, 
        "TableName": {
          "Fn::Sub": "sc-ct-postactions-details-${AWS::Region}-${AWS::AccountId}"
        }
      }, 
      "Type": "AWS::DynamoDB::Table"
    }, 
    "LambdaDBquery": {
      "DependsOn": "CopyZipsRun", 
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Ref": "LambdaZipsBucket"
          }, 
          "S3Key": {
            "Fn::Sub": "content/postaction/l_dbquery.zip"
          }
        }, 
        "Description": "Query CT config DB", 
        "Handler": "lambda_function.lambda_handler", 
        "Role": {
          "Fn::GetAtt": [
            "LctpostactionRole", 
            "Arn"
          ]
        }, 
        "Runtime": "python3.7", 
        "Timeout": 300
      }, 
      "Type": "AWS::Lambda::Function"
    }, 
    "LambdaLifeCycleEvent": {
      "DependsOn": "LctpostactionRole", 
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Ref": "LambdaZipsBucket"
          }, 
          "S3Key": {
            "Fn::Sub": "content/postaction/l_ct_lc_update.zip"
          }
        }, 
        "Description": "Make Requests", 
        "Handler": "lambda_function.lambda_handler", 
        "Role": {
          "Fn::GetAtt": [
            "LctpostactionRole", 
            "Arn"
          ]
        }, 
        "Runtime": "python3.7", 
        "Timeout": 300
      }, 
      "Type": "AWS::Lambda::Function"
    }, 
    "LambdaZipsBucket": {
      "Type": "AWS::S3::Bucket"
    }, 
    "Lctpostaction": {
      "DependsOn": "LctpostactionRole", 
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Ref": "LambdaZipsBucket"
          }, 
          "S3Key": {
            "Fn::Sub": "content/postaction/l_ctpostaction.zip"
          }
        }, 
        "Description": "Make Requests", 
        "Handler": "lambda_function.lambda_handler", 
        "Role": {
          "Fn::GetAtt": [
            "LctpostactionRole", 
            "Arn"
          ]
        }, 
        "Runtime": "python3.7", 
        "Timeout": 300
      }, 
      "Type": "AWS::Lambda::Function"
    }, 
    "LctpostactionRole": {
      "DependsOn": "CopyZipsRun", 
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": [
                "sts:AssumeRole"
              ], 
              "Effect": "Allow", 
              "Principal": {
                "Service": [
                  "lambda.amazonaws.com"
                ]
              }
            }
          ], 
          "Version": "2012-10-17"
        }, 
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", 
          "arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess", 
          "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
        ], 
        "Path": "/", 
        "Policies": [
          {
            "PolicyDocument": {
              "Statement": {
                "Action": [
                  "states:CreateActivity", 
                  "states:CreateStateMachine", 
                  "states:DescribeActivity", 
                  "states:DescribeExecution", 
                  "states:DescribeStateMachine", 
                  "states:DescribeStateMachineForExecution", 
                  "states:GetActivityTask", 
                  "states:GetExecutionHistory", 
                  "states:ListActivities", 
                  "states:ListExecutions", 
                  "states:ListStateMachines", 
                  "states:ListTagsForResource", 
                  "states:SendTaskFailure", 
                  "states:SendTaskHeartbeat", 
                  "states:SendTaskSuccess", 
                  "states:StartExecution", 
                  "states:StopExecution", 
                  "states:TagResource", 
                  "states:UntagResource"
                ], 
                "Effect": "Allow", 
                "Resource": [
                  {
                    "Fn::Sub": "arn:aws:states:${AWS::Region}:${AWS::AccountId}:*:*"
                  }
                ]
              }, 
              "Version": "2012-10-17"
            }, 
            "PolicyName": "stepfunction_mgt"
          }, 
          {
            "PolicyDocument": {
              "Statement": {
                "Action": [
                  "iam:PassRole"
                ], 
                "Effect": "Allow", 
                "Resource": [
                  {
                    "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole"
                  }
                ], 
                "Sid": "VisualEditor3"
              }, 
              "Version": "2012-10-17"
            }, 
            "PolicyName": "CtpostactionPassRole"
          }, 
          {
            "PolicyDocument": {
              "Statement": {
                "Action": [
                  "ssm:GetParameter"
                ], 
                "Effect": "Allow", 
                "Resource": {
                  "Fn::Sub": "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/*"
                }
              }, 
              "Version": "2012-10-17"
            }, 
            "PolicyName": "ssm_mgt"
          }, 
          {
            "PolicyDocument": {
              "Statement": {
                "Action": [
                  "s3:PutObject", 
                  "s3:DeleteObject", 
                  "s3:Get*", 
                  "s3:List*"
                ], 
                "Effect": "Allow", 
                "Resource": [
                  {
                    "Fn::Sub": "arn:aws:s3:::${LambdaZipsBucket}/*"
                  }, 
                  {
                    "Fn::Sub": "arn:aws:s3:::${LambdaZipsBucket}"
                  }
                ]
              }, 
              "Version": "2012-10-17"
            }, 
            "PolicyName": "zipbucket_mgt"
          }, 
          {
            "PolicyDocument": {
              "Statement": {
                "Action": [
                  "logs:CreateLogGroup", 
                  "logs:CreateLogStream", 
                  "logs:PutLogEvents"
                ], 
                "Effect": "Allow", 
                "Resource": "*"
              }, 
              "Version": "2012-10-17"
            }, 
            "PolicyName": "cloudwatchlog_mgt"
          }, 
          {
            "PolicyDocument": {
              "Statement": {
                "Action": [
                  "ses:ListVerifiedEmailAddresses", 
                  "ses:SendEmail", 
                  "ses:ListTemplates", 
                  "ses:VerifyEmailIdentity"
                ], 
                "Effect": "Allow", 
                "Resource": {
                  "Fn::Sub": "*"
                }
              }, 
              "Version": "2012-10-17"
            }, 
            "PolicyName": "ses_mgt"
          }, 
          {
            "PolicyDocument": {
              "Statement": {
                "Action": [
                  "servicecatalog:AcceptPortfolioShare", 
                  "servicecatalog:AssociatePrincipalWithPortfolio", 
                  "servicecatalog:AssociateProductWithPortfolio", 
                  "servicecatalog:DescribePortfolio", 
                  "servicecatalog:DescribeProductView", 
                  "servicecatalog:DescribeProvisionedProduct", 
                  "servicecatalog:DescribeProvisionedProductPlan", 
                  "servicecatalog:DescribeProvisioningArtifact", 
                  "servicecatalog:DescribeProvisioningParameters", 
                  "servicecatalog:DescribeProduct", 
                  "servicecatalog:DescribeProductAsAdmin", 
                  "servicecatalog:DescribeProvisionedProduct", 
                  "servicecatalog:DescribeProvisioningArtifact", 
                  "servicecatalog:DisassociateProductFromPortfolio", 
                  "servicecatalog:SearchProducts", 
                  "servicecatalog:SearchProductsAsAdmin", 
                  "servicecatalog:SearchProvisionedProducts", 
                  "servicecatalog:TerminateProvisionedProduct",
                  "servicecatalog:CreateProvisioningArtifact"
                ], 
                "Effect": "Allow", 
                "Resource": "*"
              }, 
              "Version": "2012-10-17"
            }, 
            "PolicyName": "servicecatalog_mgt"
          }, 
          {
            "PolicyDocument": {
              "Statement": {
                "Action": [
                  "cloudformation:DescribeStacks", 
                  "cloudformation:DescribeStackResource", 
                  "cloudformation:ListStackResources", 
                  "cloudformation:DeleteStack", 
                  "cloudformation:DeleteStackInstances", 
                  "cloudformation:TagResource"
                ], 
                "Effect": "Allow", 
                "Resource": {
                  "Fn::Sub": "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*"
                }
              }, 
              "Version": "2012-10-17"
            }, 
            "PolicyName": "CloudFormation_stackmgt"
          }, 
          {
            "PolicyDocument": {
              "Statement": [
                {
                  "Action": [
                    "lambda:InvokeFunction"
                  ], 
                  "Effect": "Allow", 
                  "Resource": {
                    "Fn::Sub": "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*"
                  }
                }
              ], 
              "Version": "2012-10-17"
            }, 
            "PolicyName": "lambda_mgt"
          }, 
          {
            "PolicyDocument": {
              "Statement": [
                {
                  "Action": [
                    "iam:ListRoles"
                  ], 
                  "Effect": "Allow", 
                  "Resource": "arn:aws:iam::*:*"
                }, 
                {
                  "Action": [
                    "organizations:List*", 
                    "organizations:Describe*"
                  ], 
                  "Effect": "Allow", 
                  "Resource": "*"
                }
              ], 
              "Version": "2012-10-17"
            }, 
            "PolicyName": "oranization_mgt"
          }, 
          {
            "PolicyDocument": {
              "Statement": {
                "Action": [
                  "cloudformation:CreateStackSet", 
                  "cloudformation:CreateStackInstances", 
                  "cloudformation:DescribeStackSetOperation", 
                  "cloudformation:DescribeStackSet", 
                  "cloudformation:ListStackInstances", 
                  "cloudformation:ListStackSetOperationResults", 
                  "cloudformation:DeleteStackInstances", 
                  "cloudformation:DeleteStackSet", 
                  "cloudformation:TagResource"
                ], 
                "Effect": "Allow", 
                "Resource": {
                  "Fn::Sub": "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stackset/*:*"
                }, 
                "Sid": "VisualEditor2"
              }, 
              "Version": "2012-10-17"
            }, 
            "PolicyName": "CloudFormation_stacksetmgt"
          }, 
          {
            "PolicyDocument": {
              "Statement": [
                {
                  "Action": [
                    "s3:PutObject", 
                    "s3:DeleteObject", 
                    "s3:Get*", 
                    "s3:List*"
                  ], 
                  "Effect": "Allow", 
                  "Resource": [
                    {
                      "Fn::Sub": "arn:aws:s3:::${SourceBucket}/*"
                    }, 
                    {
                      "Fn::Sub": "arn:aws:s3:::${SourceBucket}"
                    }
                  ]
                }, 
                {
                  "Action": [
                    "dynamodb:GetItem", 
                    "dynamodb:CreateTable", 
                    "dynamodb:DeleteItem", 
                    "dynamodb:DescribeTable", 
                    "dynamodb:ListTables", 
                    "dynamodb:PutItem", 
                    "dynamodb:Query", 
                    "dynamodb:Scan", 
                    "dynamodb:UpdateItem", 
                    "dynamodb:UpdateTable"
                  ], 
                  "Effect": "Allow", 
                  "Resource": [
                    {
                      "Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${DynamodbCTpostactionsConfig}"
                    }, 
                    {
                      "Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${DynamodbCTpostactionsDetails}"
                    }
                  ]
                }
              ], 
              "Version": "2012-10-17"
            }, 
            "PolicyName": "dynamosessc_mgt"
          }
        ]
      }, 
      "Type": "AWS::IAM::Role"
    }, 
    "LctpostactionRun": {
      "DependsOn": "APIGatewayStage", 
      "Properties": {
        "DestBucket": {
          "Ref": "LambdaZipsBucket"
        }, 
        "InitialSetup": "yes", 
        "ServiceToken": {
          "Fn::GetAtt": [
            "Lctpostaction", 
            "Arn"
          ]
        }, 
        "req_apistage": {
          "Fn::Sub": "https://${APIGateway}.execute-api.${AWS::Region}.amazonaws.com/${APIGatewayStage}"
        }
      }, 
      "Type": "Custom::LctpostactionRun"
    }, 
    "ParCTstepfunctionLambda": {
      "Properties": {
        "Description": "CTstepfunctionLambda", 
        "Name": "/postaction/CTstepfunctionLambda", 
        "Type": "String", 
        "Value": {
          "Fn::GetAtt": [
            "CTstepfunctionLambda", 
            "Arn"
          ]
        }
      }, 
      "Type": "AWS::SSM::Parameter"
    }, 
    "ParDatabases": {
      "Properties": {
        "Description": "Database", 
        "Name": "/postaction/Databases", 
        "Type": "String", 
        "Value": {
          "Fn::Sub": "${DynamodbCTpostactionsConfig}"
        }
      }, 
      "Type": "AWS::SSM::Parameter"
    }, 
    "ParLambdaZipsBucket": {
      "Properties": {
        "Description": "LambdaZipsBucket", 
        "Name": "/postaction/LambdaZipsBucket", 
        "Type": "String", 
        "Value": {
          "Ref": "LambdaZipsBucket"
        }
      }, 
      "Type": "AWS::SSM::Parameter"
    }, 
    "ParLctpostaction": {
      "Properties": {
        "Description": "Lctpostaction", 
        "Name": "/postaction/Lctpostaction", 
        "Type": "String", 
        "Value": {
          "Fn::GetAtt": [
            "Lctpostaction", 
            "Arn"
          ]
        }
      }, 
      "Type": "AWS::SSM::Parameter"
    }, 
    "ParLctpostactionRole": {
      "Properties": {
        "Description": "LctpostactionRole", 
        "Name": "/postaction/LctpostactionRole", 
        "Type": "String", 
        "Value": {
          "Ref": "LctpostactionRole"
        }
      }, 
      "Type": "AWS::SSM::Parameter"
    }, 
    "ParSCproductCTAddConfigItem": {
      "Properties": {
        "Description": "SCproductCTAddConfigItem", 
        "Name": "/postaction/SCproductCTAddConfigItem", 
        "Type": "String", 
        "Value": {
          "Ref": "SCproductCTAddConfigItem"
        }
      }, 
      "Type": "AWS::SSM::Parameter"
    }, 
    "ParStepFunction001": {
      "Properties": {
        "Description": "StepFunction001arn", 
        "Name": "/postaction/StepFunction", 
        "Type": "String", 
        "Value": {
          "Ref": "StepFunction001"
        }
      }, 
      "Type": "AWS::SSM::Parameter"
    }, 
    "PermissionLifeCycleEvent": {
      "Properties": {
        "Action": "lambda:InvokeFunction", 
        "FunctionName": {
          "Fn::GetAtt": [
            "LambdaLifeCycleEvent", 
            "Arn"
          ]
        }, 
        "Principal": "events.amazonaws.com", 
        "SourceArn": {
          "Fn::GetAtt": [
            "RuleLifeCycleEvents", 
            "Arn"
          ]
        }
      }, 
      "Type": "AWS::Lambda::Permission"
    }, 
    "PortfolioAssocEnduserRole": {
      "Properties": {
        "PortfolioId": {
          "Ref": "CTpostactionPortfolio"
        }, 
        "PrincipalARN": {
          "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:${SCenduserRole}"
        }, 
        "PrincipalType": "IAM"
      }, 
      "Type": "AWS::ServiceCatalog::PortfolioPrincipalAssociation"
    }, 
    "Prod": {
      "Properties": {
        "DeploymentId": {
          "Ref": "APIGatewayDeployment"
        }, 
        "Description": "Prod Stage", 
        "MethodSettings": [
          {
            "DataTraceEnabled": "true", 
            "HttpMethod": "GET", 
            "MetricsEnabled": "true", 
            "ResourcePath": "/"
          }, 
          {
            "DataTraceEnabled": "true", 
            "HttpMethod": "POST", 
            "MetricsEnabled": "true", 
            "ResourcePath": "/stack", 
            "ThrottlingBurstLimit": "999"
          }, 
          {
            "DataTraceEnabled": "true", 
            "HttpMethod": "GET", 
            "MetricsEnabled": "true", 
            "ResourcePath": "/stack", 
            "ThrottlingBurstLimit": "555"
          }
        ], 
        "RestApiId": {
          "Ref": "APIGateway"
        }, 
        "StageName": "Prod", 
        "Variables": {
          "Stack": "Prod"
        }
      }, 
      "Type": "AWS::ApiGateway::Stage"
    }, 
    "ProdAssociateCTAddConfigItem": {
      "DependsOn": [
        "CTpostactionPortfolio", 
        "SCproductCTAddConfigItem"
      ], 
      "Properties": {
        "AcceptLanguage": "en", 
        "PortfolioId": {
          "Ref": "CTpostactionPortfolio"
        }, 
        "ProductId": {
          "Ref": "SCproductCTAddConfigItem"
        }
      }, 
      "Type": "AWS::ServiceCatalog::PortfolioProductAssociation"
    }, 
    "RuleLifeCycleEvents": {
      "DependsOn": [
        "LambdaLifeCycleEvent"
      ], 
      "Properties": {
        "Description": "Capture Control Tower LifeCycle Events and Trigger an Action", 
        "EventPattern": {
          "detail": {
            "eventName": [
              "CreateManagedAccount", 
              "UpdateManagedAccount", 
              "RegisterOrganizationalUnit", 
              "DeregisterOrganizationalUnit"
            ], 
            "eventSource": [
              "controltower.amazonaws.com"
            ]
          }, 
          "detail-type": [
            "AWS Service Event via CloudTrail"
          ], 
          "source": [
            "aws.controltower"
          ]
        }, 
        "Name": "RuleLifeCycleEvents", 
        "State": "ENABLED", 
        "Targets": [
          {
            "Arn": {
              "Fn::GetAtt": [
                "LambdaLifeCycleEvent", 
                "Arn"
              ]
            }, 
            "Id": "IDRuleLifeCycleEvents"
          }
        ]
      }, 
      "Type": "AWS::Events::Rule"
    }, 
    "SCproductCTAddConfigItem": {
      "DependsOn": "CopyZipsRun", 
      "Properties": {
        "AcceptLanguage": "en", 
        "Description": "SCproductCTAddConfigItem", 
        "Distributor": "AWS MP Team", 
        "Name": "SCproductCTAddConfigItem", 
        "Owner": "MP Team", 
        "ProvisioningArtifactParameters": [
          {
            "Description": "v1.0", 
            "Info": {
              "LoadTemplateFromURL": {
                "Fn::GetAtt": [
                  "LctpostactionRun", 
                  "CtaddCft"
                ]
              }
            }, 
            "Name": "v1.0"
          }
        ], 
        "SupportDescription": "Support Description", 
        "SupportEmail": "awsmp@example.com", 
        "SupportUrl": "https://support.com"
      }, 
      "Type": "AWS::ServiceCatalog::CloudFormationProduct"
    }, 
    "StepFunction001": {
      "Properties": {
        "DefinitionString": {
          "Fn::Sub": "{\n  \"Comment\": \"An example of the Amazon States Language using a choice state.\",\n  \"StartAt\": \"AddToDB\",\n  \"States\": {\n    \"AddToDB\": {\n      \"Type\": \"Task\",\n      \"Resource\": \"arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${CTstepfunctionLambda}\",\n      \"Next\": \"DeployToOrgUnit\"\n    },\n    \"DeployToOrgUnit\": {\n      \"Type\": \"Choice\",\n      \"Choices\": [\n        {\n          \"Variable\": \"$.ActionMethod\",\n          \"StringEquals\": \"MasterPush\",\n          \"Next\": \"StartStackSet\"\n        },\n        {\n          \"Variable\": \"$.ActionMethod\",\n          \"StringEquals\": \"SpokePull\",\n          \"Next\":\"UpdateDB\"\n        }\n      ]\n    },\n    \"StartStackSet\": {\n      \"Type\": \"Task\",\n      \"Resource\": \"arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${CTstepfunctionLambda}\",\n      \"Next\": \"GetStackStatus\"\n    },\n    \"GetStackStatus\": {\n      \"Type\": \"Task\",\n      \"Resource\": \"arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${CTstepfunctionLambda}\",\n      \"Next\": \"Status\"\n    },\n    \"Status\": {\n      \"Type\": \"Choice\",\n      \"Choices\": [\n        {\n          \"Variable\": \"$.ssStatus\",\n          \"StringEquals\": \"RUNNING\",\n          \"Next\": \"RUNNING\"\n        },\n        {\n          \"Variable\": \"$.ssStatus\",\n          \"StringEquals\": \"SUCCEEDED\",\n          \"Next\": \"SUCCEEDED\"\n        },\n        {\n          \"Variable\": \"$.ssStatus\",\n          \"StringEquals\": \"FAILED\",\n          \"Next\": \"FAILED\"\n        }\n      ]\n    },\n    \"ChkFailCount\": {\n      \"Type\": \"Choice\",\n      \"Choices\": [\n        {\n          \"Variable\": \"$.FailCount\",\n          \"NumericGreaterThanEquals\": 3,\n          \"Next\": \"Notify\"\n        },\n        {\n          \"Variable\": \"$.FailCount\",\n          \"NumericLessThan\": 3,\n          \"Next\": \"Wait1min\"\n        
}\n         \n      ]\n    },\n    \"FAILED\":{\n      \"Type\": \"Pass\",\n     \n      \"Next\": \"ChkFailCount\"\n    },\n    \"SUCCEEDED\":{\n      \"Type\": \"Pass\",\n     \n      \"Next\": \"UpdateDB\"\n    },\n    \"RUNNING\": {\n      \"Type\": \"Pass\",\n    \n      \"Next\": \"Wait1min\"\n    },\n    \"Wait1min\": {\n      \"Type\": \"Wait\",\n      \"Seconds\": 60,\n      \"Next\": \"GetStackStatus\"\n    },\n    \n    \"Notify\":{\n      \"Type\": \"Task\",\n      \"Resource\": \"arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${CTstepfunctionLambda}\",\n      \"Next\": \"UpdateDB\"\n    },\n    \"UpdateDB\": {\n      \"Type\": \"Task\",\n      \"Resource\": \"arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${CTstepfunctionLambda}\",\n      \"End\": true\n    }\n  }\n}"
        }, 
        "RoleArn": {
          "Fn::GetAtt": [
            "StepfunctionRole", 
            "Arn"
          ]
        }, 
        "StateMachineName": "sf_CTpostactionmgt310479", 
        "StateMachineType": "STANDARD"
      }, 
      "Type": "AWS::StepFunctions::StateMachine"
    }, 
    "StepfunctionRole": {
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": [
                "sts:AssumeRole"
              ], 
              "Effect": "Allow", 
              "Principal": {
                "Service": [
                  "states.amazonaws.com"
                ]
              }
            }
          ], 
          "Version": "2012-10-17"
        }, 
        "Path": "/", 
        "Policies": [
          {
            "PolicyDocument": {
              "Statement": [
                {
                  "Action": [
                    "lambda:InvokeFunction"
                  ], 
                  "Effect": "Allow", 
                  "Resource": [
                    {
                      "Fn::GetAtt": [
                        "Lctpostaction", 
                        "Arn"
                      ]
                    }, 
                    {
                      "Fn::GetAtt": [
                        "CTstepfunctionLambda", 
                        "Arn"
                      ]
                    }
                  ]
                }
              ], 
              "Version": "2012-10-17"
            }, 
            "PolicyName": "stepfunction_mgt"
          }
        ]
      }, 
      "Type": "AWS::IAM::Role"
    }
  }
}