multi-region beta

BETA-org-member-deployment/02_CFN_DEPLOY_AHA.yml → 02_CFN_DEPLOY_AHA.yml

@@ -34,13 +34,44 @@ Metadata:
           - EventSearchBack
           - Regions
           - ManagementAccountRoleArn
+          - AccountIDs
+    ParameterLabels:
+      AWSOrganizationsEnabled:
+        default: AWS Organizations Enabled?
+      ManagementAccountRoleArn:
+        default: ARN of the AWS Organizations Management Account assume role (if using)
+      AWSHealthEventType:
+        default: The types of events to get alerted on
+      S3Bucket:
+        default: Name of S3 Bucket
+      S3Key:
+        default: Name of .zip file in S3 Bucket
+      SlackWebhookURL:
+        default: Slack Webhook URL
+      MicrosoftTeamsWebhookURL:
+        default: Microsoft Teams Webhook URL
+      AmazonChimeWebhookURL:
+        default: Amazon Chime Webhook URL
+      FromEmail:
+        default: Email From
+      ToEmail:
+        default: Email To
+      Subject:
+        default: Subject of Email
+      HealthAPIFrequency:
+        default: Hours back to search for events
+      Regions:
+        default: Which regions to search for events in
+      AccountIDs:
+        default: Exclude any account numbers?
 Conditions:
   UsingSlack: !Not [!Equals [!Ref SlackWebhookURL, None]]
   UsingTeams: !Not [!Equals [!Ref MicrosoftTeamsWebhookURL, None]]
   UsingChime: !Not [!Equals [!Ref AmazonChimeWebhookURL, None]]
   UsingEventBridge: !Not [!Equals [!Ref EventBusName, None]]
   UsingSecrets: !Or [!Condition UsingSlack, !Condition UsingTeams, !Condition UsingChime, !Condition UsingEventBridge]
   UsingCrossAccountRole: !Not [!Equals [!Ref ManagementAccountRoleArn, None]]
+  UsingAccountIds: !Not [!Equals [!Ref AccountIDs, None]]  
 Parameters:
   AWSOrganizationsEnabled:
     Description: >-
@@ -113,6 +144,13 @@ Parameters:
     AllowedPattern: ".+"
     ConstraintDescription: No regions were entered, please read the documentation about selecting all regions or filtering on some.
     Type: String
+  AccountIDs:
+    Description: >-
+      If you would like to EXCLUDE any accounts from alerting, upload a .csv file of comma-seperated account numbers to the same S3 bucket 
+      where the AHA.zip package is located. Sample AccountIDs file name: aha_account_ids.csv. If not, leave the default of None.
+    Default: None
+    Type: String
+    AllowedPattern: (None)|(.+(\.csv))$    
   EventSearchBack:
     Description: How far back to search for events in hours. Default is 1 hour
     Default: '1'
@@ -186,6 +224,7 @@ Resources:
                   - health:DescribeEventTypes
                   - health:DescribeAffectedEntities
                   - organizations:ListAccounts
+                  - organizations:DescribeAccount  
                 Resource: "*"                               
               - Effect: Allow
                 Action:
@@ -211,6 +250,13 @@ Resources:
                 Action:
                   - events:PutEvents
                 Resource: !Sub 'arn:aws:events:${AWS::Region}:${AWS::AccountId}:event-bus/${EventBusName}'
+              - !If 
+                - UsingAccountIds
+                - Effect: Allow
+                  Action:
+                    - s3:GetObject
+                  Resource: !Sub 'arn:aws:s3:::${S3Bucket}/${AccountIDs}'
+                - !Ref 'AWS::NoValue'                
               - !If 
                 - UsingCrossAccountRole
                 - Effect: Allow
@@ -321,8 +367,12 @@ Resources:
       Runtime: python3.8
       Environment:
         Variables:
+          ACCOUNT_IDS:
+            Ref: AccountIDs        
           REGIONS:
             Ref: Regions
+          S3_BUCKET:
+            Ref: S3Bucket            
           FROM_EMAIL:
             Ref: FromEmail
           TO_EMAIL:
@@ -342,4 +392,3 @@ Resources:
               - UsingCrossAccountRole
               - !Ref ManagementAccountRoleArn
               - "None"
-

BETA-multi-region/01_CFN_MGMT_ROLE.yml

@@ -0,0 +1,48 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: Deploy Cross-Account Role for PHD access
+Parameters:
+  OrgMemberAccountId:
+    Type: String
+    AllowedPattern: '^\d{12}$'
+    Description: AWS Account ID of the AWS Organizations Member Account that will run AWS Health Aware
+Resources:
+  AWSHealthAwareRoleForPHDEvents:
+    Type: "AWS::IAM::Role"
+    Properties:
+      Description: "Grants access to PHD events"
+      Path: /
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Action:
+              - sts:AssumeRole
+            Effect: Allow
+            Principal:
+              AWS: !Sub 'arn:aws:iam::${OrgMemberAccountId}:root'
+      Policies:
+        - PolicyName: AllowHealthCalls
+          PolicyDocument:
+            Statement:
+              - Effect: Allow
+                Action:
+                - health:DescribeAffectedAccountsForOrganization
+                - health:DescribeAffectedEntitiesForOrganization
+                - health:DescribeEventDetailsForOrganization
+                - health:DescribeEventsForOrganization 
+                - health:DescribeEventDetails
+                - health:DescribeEvents
+                - health:DescribeEventTypes
+                - health:DescribeAffectedEntities
+                Resource: "*"
+        - PolicyName: AllowsDescribeOrg
+          PolicyDocument:
+            Statement:
+              - Effect: Allow
+                Action:              
+                  - organizations:ListAccounts
+                  - organizations:ListAWSServiceAccessForOrganization
+                  - organizations:DescribeAccount
+                Resource: "*"
+Outputs:
+  AWSHealthAwareRoleForPHDEventsArn:
+    Value: !GetAtt AWSHealthAwareRoleForPHDEvents.Arn