diff --git a/.github/ISSUE_TEMPLATE/bug-report---deployed-functionality.md b/.github/ISSUE_TEMPLATE/bug-report---deployed-functionality.md
index a4e784bd2..d1043cc3f 100644
--- a/.github/ISSUE_TEMPLATE/bug-report---deployed-functionality.md
+++ b/.github/ISSUE_TEMPLATE/bug-report---deployed-functionality.md
@@ -1,40 +1,40 @@
----
-name: Bug report - Deployed Functionality
-about: Used to report bugs with the environment deployment by the Accelerator
-title: "[BUG][Functional] Meaningful bug description"
-labels: bug
-assignees: Brian969
-
----
-
-Bug reports which fail to provide the required information will be closed without action.
-
-**Required Basic Info**
-- Accelerator Version: (eg. v1.1.6)
-- Install Type: (Clean or Upgrade)
-- Install Branch: (ALZ or Standalone)
-- Upgrade from version: (N/A or v1.x.y)
-
-**Describe the bug**
-(A clear and concise description of what the bug is.)
-
-**Failure Info**
-- What error messages have you identified, if any:
-- What symptoms have you identified, if any:
-
-**Required files**
-- Please provide a copy of your config.json file (sanitize if required)
-
-**Steps To Reproduce**
-1. Go to '...'
-2. Click on '....'
-3. See error
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**Screenshots**
-If applicable, add screenshots to help explain your problem.
-
-**Additional context**
-Add any other context about the problem here.
+---
+name: Bug report - Deployed Functionality
+about: Used to report bugs with the environment deployment by the Accelerator
+title: "[BUG][Functional] Meaningful bug description"
+labels: bug
+assignees: Brian969
+
+---
+
+Bug reports which fail to provide the required information will be closed without action.
+
+**Required Basic Info**
+- Accelerator Version: (eg. v1.1.6)
+- Install Type: (Clean or Upgrade)
+- Install Branch: (ALZ or Standalone)
+- Upgrade from version: (N/A or v1.x.y)
+
+**Describe the bug**
+(A clear and concise description of what the bug is.)
+
+**Failure Info**
+- What error messages have you identified, if any:
+- What symptoms have you identified, if any:
+
+**Required files**
+- Please provide a copy of your config.json file (sanitize if required)
+
+**Steps To Reproduce**
+1. Go to '...'
+2. Click on '....'
+3. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Additional context**
+Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/bug-report---documentation.md b/.github/ISSUE_TEMPLATE/bug-report---documentation.md
index 2eccfe8e2..054739d09 100644
--- a/.github/ISSUE_TEMPLATE/bug-report---documentation.md
+++ b/.github/ISSUE_TEMPLATE/bug-report---documentation.md
@@ -1,25 +1,25 @@
----
-name: Bug report - Documentation
-about: Used to report documentation errors
-title: "[BUG][DOCS] Meaningful bug description"
-labels: documentation
-assignees: Brian969
-
----
-
-Bug reports which fail to provide the required information will be closed without action.
-
-**Required Basic Info**
-- Accelerator Version: (eg. v1.1.6)
-- Install Type: (Clean or Upgrade)
-- Install Branch: (ALZ or Standalone)
-- Document filename: (eg. /docs/installation/index.md)
-
-**Describe the bug**
-(A clear and concise description as to the concern or problem with the documentation)
-
-**Expected update**
-If you have a desired outcome, please provide details as to suggested updates
-
-**Additional context**
-Add any other context about the problem here.
+---
+name: Bug report - Documentation
+about: Used to report documentation errors
+title: "[BUG][DOCS] Meaningful bug description"
+labels: documentation
+assignees: Brian969
+
+---
+
+Bug reports which fail to provide the required information will be closed without action.
+
+**Required Basic Info**
+- Accelerator Version: (eg. v1.1.6)
+- Install Type: (Clean or Upgrade)
+- Install Branch: (ALZ or Standalone)
+- Document filename: (eg. /docs/installation/index.md)
+
+**Describe the bug**
+(A clear and concise description as to the concern or problem with the documentation)
+
+**Expected update**
+If you have a desired outcome, please provide details as to suggested updates
+
+**Additional context**
+Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/bug-report---other.md b/.github/ISSUE_TEMPLATE/bug-report---other.md
index aa03fb021..6e2cdaae2 100644
--- a/.github/ISSUE_TEMPLATE/bug-report---other.md
+++ b/.github/ISSUE_TEMPLATE/bug-report---other.md
@@ -1,48 +1,48 @@
----
-name: Bug report - Other
-about: Used to report bugs not covered by a specific bug category
-title: "[BUG][OTHER] Meaningful bug description"
-labels: bug
-assignees: Brian969
-
----
-
-Bug reports which fail to provide the required information will be closed without action.
-
-**Required Basic Info**
-- Accelerator Version: (eg. v1.1.6)
-- Install Type: (Clean or Upgrade)
-- Install Branch: (ALZ or Standalone)
-- Upgrade from version: (N/A or v1.x.y)
-- Which State did the Main State Machine Fail in: (e.g. N/A, Phase 0)
-
-**INTERNAL ONLY - TEMPORARY**
-- please place the account in a group named Accel-Issue
-- please provide bmycroft@ access to your internal failed master AWS account
-
-**Describe the bug**
-(A clear and concise description of what the bug is.)
-
-**Failure Info**
-- What error messages have you identified, if any:
-- What symptoms have you identified, if any:
-
-**Required files**
-- Please provide a copy of your config.json file (sanitize if required)
-- If a CodeBuild step failed- please provide the full CodeBuild Log
-- If a Lambda step failed - please provide the full Lambda CloudWatch Log
-- In many cases it would be helpful if you went into the failed sub-account and region, CloudFormation, and provided a screenshot of the Events section of the failed, deleted, or rolled back stack including the last successful item, including the first couple of error messages (bottom up)
-
-**Steps To Reproduce**
-1. Go to '...'
-2. Click on '....'
-3. See error
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**Screenshots**
-If applicable, add screenshots to help explain your problem.
-
-**Additional context**
-Add any other context about the problem here.
+---
+name: Bug report - Other
+about: Used to report bugs not covered by a specific bug category
+title: "[BUG][OTHER] Meaningful bug description"
+labels: bug
+assignees: Brian969
+
+---
+
+Bug reports which fail to provide the required information will be closed without action.
+
+**Required Basic Info**
+- Accelerator Version: (eg. v1.1.6)
+- Install Type: (Clean or Upgrade)
+- Install Branch: (ALZ or Standalone)
+- Upgrade from version: (N/A or v1.x.y)
+- Which State did the Main State Machine Fail in: (e.g. N/A, Phase 0)
+
+**INTERNAL ONLY - TEMPORARY**
+- please place the account in a group named Accel-Issue
+- please provide bmycroft@ access to your internal failed master AWS account
+
+**Describe the bug**
+(A clear and concise description of what the bug is.)
+
+**Failure Info**
+- What error messages have you identified, if any:
+- What symptoms have you identified, if any:
+
+**Required files**
+- Please provide a copy of your config.json file (sanitize if required)
+- If a CodeBuild step failed- please provide the full CodeBuild Log
+- If a Lambda step failed - please provide the full Lambda CloudWatch Log
+- In many cases it would be helpful if you went into the failed sub-account and region, CloudFormation, and provided a screenshot of the Events section of the failed, deleted, or rolled back stack including the last successful item, including the first couple of error messages (bottom up)
+
+**Steps To Reproduce**
+1. Go to '...'
+2. Click on '....'
+3. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Additional context**
+Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/bug-report---state-machine-failure.md b/.github/ISSUE_TEMPLATE/bug-report---state-machine-failure.md
index 2dc20f4a8..61747c54e 100644
--- a/.github/ISSUE_TEMPLATE/bug-report---state-machine-failure.md
+++ b/.github/ISSUE_TEMPLATE/bug-report---state-machine-failure.md
@@ -1,44 +1,44 @@
----
-name: Bug report - State Machine Failure
-about: Use to report bugs related to state machine failures
-title: "[BUG] [SM] Meaningful bug description"
-labels: bug
-assignees: Brian969
-
----
-
-Bug reports which fail to provide the required information will be closed without action.
-
-**Required Basic Info**
-- Accelerator Version: (eg. v1.1.6)
-- Install Type: (Clean or Upgrade)
-- Install Branch: (ALZ or Standalone)
-- Upgrade from version: (N/A or v1.x.y)
-- Which State did the Main State Machine Fail in: (e.g. Phase 0)
-
-**Describe the bug**
-(A clear and concise description of what the bug is.)
-
-**Failure Info**
-- What error messages have you identified, if any:
-- What symptoms have you identified, if any:
-
-**Required files**
-- Please provide a copy of your config.json file (sanitize if required)
-- If a CodeBuild step failed- please provide the full CodeBuild Log
-- If a Lambda step failed - please provide the full Lambda CloudWatch Log
-- In many cases it would be helpful if you went into the failed sub-account and region, CloudFormation, and provided a screenshot of the Events section of the failed, deleted, or rolled back stack including the last successful item, including the first couple of error messages (bottom up)
-
-**Steps To Reproduce**
-1. Go to '...'
-2. Click on '....'
-3. See error
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**Screenshots**
-If applicable, add screenshots to help explain your problem.
-
-**Additional context**
-Add any other context about the problem here.
+---
+name: Bug report - State Machine Failure
+about: Use to report bugs related to state machine failures
+title: "[BUG] [SM] Meaningful bug description"
+labels: bug
+assignees: Brian969
+
+---
+
+Bug reports which fail to provide the required information will be closed without action.
+
+**Required Basic Info**
+- Accelerator Version: (eg. v1.1.6)
+- Install Type: (Clean or Upgrade)
+- Install Branch: (ALZ or Standalone)
+- Upgrade from version: (N/A or v1.x.y)
+- Which State did the Main State Machine Fail in: (e.g. Phase 0)
+
+**Describe the bug**
+(A clear and concise description of what the bug is.)
+
+**Failure Info**
+- What error messages have you identified, if any:
+- What symptoms have you identified, if any:
+
+**Required files**
+- Please provide a copy of your config.json file (sanitize if required)
+- If a CodeBuild step failed- please provide the full CodeBuild Log
+- If a Lambda step failed - please provide the full Lambda CloudWatch Log
+- In many cases it would be helpful if you went into the failed sub-account and region, CloudFormation, and provided a screenshot of the Events section of the failed, deleted, or rolled back stack including the last successful item, including the first couple of error messages (bottom up)
+
+**Steps To Reproduce**
+1. Go to '...'
+2. Click on '....'
+3. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Additional context**
+Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
index 9593097d9..30aaa7b89 100644
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -1,27 +1,27 @@
----
-name: Feature request
-about: Suggest an idea for enhancements to the Accelerator
-title: "[FEATURE] Meaningful enhancement description"
-labels: enhancement
-assignees: Brian969
-
----
-
-**Required Basic Info**
-To properly assess the enhancement request, we require information on the version of the Accelerator you based this request upon:
-- Accelerator Version: (eg. v1.1.6)
-- Install Type: (Clean or Upgrade)
-- Install Branch: (ALZ or Standalone)
-- Upgrade from version: (N/A or v1.x.y)
-
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Additional context**
-Add any other context or screenshots about the feature request here.
+---
+name: Feature request
+about: Suggest an idea for enhancements to the Accelerator
+title: "[FEATURE] Meaningful enhancement description"
+labels: enhancement
+assignees: Brian969
+
+---
+
+**Required Basic Info**
+To properly assess the enhancement request, we require information on the version of the Accelerator you based this request upon:
+- Accelerator Version: (eg. v1.1.6)
+- Install Type: (Clean or Upgrade)
+- Install Branch: (ALZ or Standalone)
+- Upgrade from version: (N/A or v1.x.y)
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
diff --git a/.github/PULL_REQUEST_TEMPLATE b/.github/PULL_REQUEST_TEMPLATE
index 6ea45d616..d85ad21df 100644
--- a/.github/PULL_REQUEST_TEMPLATE
+++ b/.github/PULL_REQUEST_TEMPLATE
@@ -1 +1 @@
-By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
+By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a1d513569..6a8e0d3f3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,43 +1,43 @@
-name: Build
-on:
- push:
- branches:
- - master
- pull_request:
- branches:
- - master
-
-jobs:
- test:
- name: Test
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- - name: Use Node.js
- uses: actions/setup-node@v1
- with:
- node-version: 12
- - name: Cache Node.js modules
- uses: actions/cache@v1
- with:
- path: ~/.pnpm-store
- key: ${{ runner.OS }}-node-${{ hashFiles('**/package.json') }}
- restore-keys: |
- ${{ runner.OS }}-node-
- ${{ runner.OS }}-
- - name: Install Node.js modules
- run: |
- npm install -g pnpm
- pnpm install --unsafe-perm
- - name: Fix nasty bug in CDK
- run: |
- # This fix is needed in order to run initial-setup/templates tests
- # Without the fix, SynthUtils.toCloudFormation fails
- find node_modules -name runtime-info.js -exec sed -i 's/mod.paths/(mod.paths || [])/g' {} \;
- - name: Build all workspaces
- run: |
- pnpm recursive run build -- --noEmit
- - name: Run tests in all workspaces
- run: |
- pnpm recursive run test -- --pass-with-no-tests --silent
+name: Build
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ branches:
+ - master
+
+jobs:
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - name: Use Node.js
+ uses: actions/setup-node@v1
+ with:
+ node-version: 12
+ - name: Cache Node.js modules
+ uses: actions/cache@v1
+ with:
+ path: ~/.pnpm-store
+ key: ${{ runner.OS }}-node-${{ hashFiles('**/package.json') }}
+ restore-keys: |
+ ${{ runner.OS }}-node-
+ ${{ runner.OS }}-
+ - name: Install Node.js modules
+ run: |
+ npm install -g pnpm
+ pnpm install --unsafe-perm
+ - name: Fix nasty bug in CDK
+ run: |
+ # This fix is needed in order to run initial-setup/templates tests
+ # Without the fix, SynthUtils.toCloudFormation fails
+ find node_modules -name runtime-info.js -exec sed -i 's/mod.paths/(mod.paths || [])/g' {} \;
+ - name: Build all workspaces
+ run: |
+ pnpm recursive run build -- --noEmit
+ - name: Run tests in all workspaces
+ run: |
+ pnpm recursive run test -- --pass-with-no-tests --silent
diff --git a/.github/workflows/lint-prettier.yml b/.github/workflows/lint-prettier.yml
index 109fc2b4e..84cfe962c 100644
--- a/.github/workflows/lint-prettier.yml
+++ b/.github/workflows/lint-prettier.yml
@@ -1,51 +1,51 @@
-name: Linter and Prettier
-on:
- push:
- branches:
- - master
- pull_request:
- branches:
- - master
-
-jobs:
- linter:
- name: Linter
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- - name: Use Node.js
- uses: actions/setup-node@v1
- with:
- node-version: 12
- - name: Cache Node.js modules
- uses: actions/cache@v1
- with:
- path: ~/.pnpm-store
- key: ${{ runner.OS }}-node-${{ hashFiles('**/package.json') }}
- restore-keys: |
- ${{ runner.OS }}-node-
- ${{ runner.OS }}-
- - name: Install Node.js modules
- run: |
- npm install -g pnpm
- pnpm install
- - name: Analyze TypeScript files
- run: |
- pnpm recursive run lint
- prettier:
- name: Prettier
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- - name: Use Node.js
- uses: actions/setup-node@v1
- with:
- node-version: 12
- - name: Install Prettier
- run: |
- npm install -g prettier
- - name: Analyze TypeScript files
- run: |
- prettier --check **/*.ts
+name: Linter and Prettier
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ branches:
+ - master
+
+jobs:
+ linter:
+ name: Linter
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - name: Use Node.js
+ uses: actions/setup-node@v1
+ with:
+ node-version: 12
+ - name: Cache Node.js modules
+ uses: actions/cache@v1
+ with:
+ path: ~/.pnpm-store
+ key: ${{ runner.OS }}-node-${{ hashFiles('**/package.json') }}
+ restore-keys: |
+ ${{ runner.OS }}-node-
+ ${{ runner.OS }}-
+ - name: Install Node.js modules
+ run: |
+ npm install -g pnpm
+ pnpm install
+ - name: Analyze TypeScript files
+ run: |
+ pnpm recursive run lint
+ prettier:
+ name: Prettier
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - name: Use Node.js
+ uses: actions/setup-node@v1
+ with:
+ node-version: 12
+ - name: Install Prettier
+ run: |
+ npm install -g prettier
+ - name: Analyze TypeScript files
+ run: |
+ prettier --check **/*.ts
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f6e234639..501cfa926 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,36 +1,36 @@
-on:
- release:
- types: [published]
-
-name: Merge Release Branch
-
-jobs:
- publish:
- name: Publish
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- with:
- fetch-depth: 0
- - name: Format Branch Name
- id: format
- env:
- GITHUB_REF: ${{ github.ref }} # This will be the tag; i.e. ref/tags/v1.1.1
- run: |
- git fetch --tags
- echo ::set-output name=branch_name::"release/$(echo "${GITHUB_REF}" | cut -d/ -f3-)"
- - name: Fetch master
- run: |
- git fetch origin
- git checkout ${{ steps.format.outputs.branch_name }}
- git checkout master
- - name: Merge release branch
- run: |
- git config user.name github-actions
- git config user.email github-actions@github.com
- git merge ${{ steps.format.outputs.branch_name }}
- - name: Push changes
- uses: ad-m/github-push-action@master
- with:
- github_token: ${{ secrets.ACTION_TOKEN }}
+on:
+ release:
+ types: [published]
+
+name: Merge Release Branch
+
+jobs:
+ publish:
+ name: Publish
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: Format Branch Name
+ id: format
+ env:
+ GITHUB_REF: ${{ github.ref }} # This will be the tag; i.e. ref/tags/v1.1.1
+ run: |
+ git fetch --tags
+ echo ::set-output name=branch_name::"release/$(echo "${GITHUB_REF}" | cut -d/ -f3-)"
+ - name: Fetch master
+ run: |
+ git fetch origin
+ git checkout ${{ steps.format.outputs.branch_name }}
+ git checkout master
+ - name: Merge release branch
+ run: |
+ git config user.name github-actions
+ git config user.email github-actions@github.com
+ git merge ${{ steps.format.outputs.branch_name }}
+ - name: Push changes
+ uses: ad-m/github-push-action@master
+ with:
+ github_token: ${{ secrets.ACTION_TOKEN }}
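Review bot: The "Push changes" step at the end of the hunk uses `ad-m/github-push-action@master` while handing it `secrets.ACTION_TOKEN`, so whatever is on that third-party repository's master branch at run time executes with a token that can push to this repository; the same unpinned reference is used by the "Push Bumped Package Files" step in release.yml. Pinning to a mutable branch name gives no supply-chain guarantee, and the commit only normalizes line endings here, so this is a pre-existing gap rather than one the change introduces. Pin third-party actions to a full commit SHA and keep the version as a comment, e.g. `uses: ad-m/github-push-action@<full-commit-sha-placeholder> # vX.Y.Z`, and review the pinned revision before bumping it.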
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9f1217c59..a905cb5e8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,104 +1,104 @@
-name: Release
-on:
- push:
- branches:
- - 'release/v*'
-jobs:
- release:
- name: Release
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- with:
- fetch-depth: 0
- persist-credentials: true
- - name: Format Branch Name
- id: format
- env:
- GITHUB_REF: ${{ github.ref }}
- run: |
- git fetch --tags
- echo ::set-output name=branch_name::$(echo "${GITHUB_REF}" | cut -d/ -f3-)
- echo ::set-output name=tag_name::$(echo "${GITHUB_REF}" | cut -d/ -f4-)
- echo ::set-output name=numeric_release::$(echo "${GITHUB_REF}" | cut -d/ -f4- | tr -d v)
- echo ::set-output name=release_name::"Release $(echo "${GITHUB_REF}" | cut -d/ -f4-)"
- - name: Use Node.js
- uses: actions/setup-node@v1
- env:
- RUNNER_TEMP: /tmp/runner
- with:
- node-version: 12
- - name: Install pnpm
- run: |
- npm install -g pnpm
- - name: Build Accelerator Installer
- id: build
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- GITHUB_DEFAULT_BRANCH: ${{ steps.format.outputs.branch_name }}
- INSTALLER_STACK_DIR: ./src/installer/cdk
- INSTALLER_STACK_NAME: AcceleratorInstaller
- OUTPUT_DIR: templates
- run: |
- cd "${INSTALLER_STACK_DIR}"
- pnpm install
- pnpx cdk synth --output "${OUTPUT_DIR}" "${INSTALLER_STACK_NAME}"
- echo ::set-output name=template_name::${INSTALLER_STACK_NAME}.template.json
- echo ::set-output name=template_path::$(realpath "${OUTPUT_DIR}/${INSTALLER_STACK_NAME}.template.json")
- - name: Generate Changelog
- id: changelog
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- GITHUB_DEFAULT_BRANCH: ${{ steps.format.outputs.branch_name }}
- run: |
- previous_tag=$(git describe --tags --abbrev=0)
- echo "Previous release was: ${previous_tag}"
- changes=$(git log ${previous_tag}..HEAD --pretty="tformat:* %s (%h)" --first-parent)
- echo ${changes}
- changes="${changes//'%'/'%25'}" # Avoids whitespace removal.
- changes="${changes//$'\n'/'%0A'}"
- changes="${changes//$'\r'/'%0D'}"
- echo ::set-output name=changelog::${changes}
- - name: Bump package.json
- run: |
- npm install -g json
- git config user.name github-actions
- git config user.email github-actions@github.com
- json -I -f src/core/cdk/package.json -e 'this.version="${{ steps.format.outputs.numeric_release }}"'
- git add src/core/cdk/package.json
- json -I -f src/installer/cdk/package.json -e 'this.version="${{ steps.format.outputs.numeric_release }}"'
- git add src/installer/cdk/package.json
- git commit -am 'Updating package to ${{ steps.format.outputs.numeric_release }}'
- - name: Push Bumped Package Files
- uses: ad-m/github-push-action@master
- with:
- github_token: ${{ secrets.ACTION_TOKEN }}
- branch: ${{ steps.format.outputs.branch_name }}
- - name: Create Release
- id: create_release
- uses: actions/create-release@latest
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- tag_name: ${{ steps.format.outputs.tag_name }}
- release_name: ${{ steps.format.outputs.release_name }}
- body: |
- ${{ steps.changelog.outputs.changelog }}
- draft: true
- prerelease: false
- - name: Upload Release Asset
- id: upload-release-asset
- uses: actions/upload-release-asset@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- TEMPLATE_PATH: ${{ steps.build.outputs.template_path }}
- with:
- upload_url: ${{ steps.create_release.outputs.upload_url }}
- asset_path: ${{ steps.build.outputs.template_path }}
- asset_name: ${{ steps.build.outputs.template_name }}
- asset_content_type: application/json
- - name: Get Draft Release Url
- id: release_url
- run: |
- echo "Draft release available at: ${{ steps.create_release.outputs.html_url}}"
+name: Release
+on:
+ push:
+ branches:
+ - 'release/v*'
+jobs:
+ release:
+ name: Release
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ persist-credentials: true
+ - name: Format Branch Name
+ id: format
+ env:
+ GITHUB_REF: ${{ github.ref }}
+ run: |
+ git fetch --tags
+ echo ::set-output name=branch_name::$(echo "${GITHUB_REF}" | cut -d/ -f3-)
+ echo ::set-output name=tag_name::$(echo "${GITHUB_REF}" | cut -d/ -f4-)
+ echo ::set-output name=numeric_release::$(echo "${GITHUB_REF}" | cut -d/ -f4- | tr -d v)
+ echo ::set-output name=release_name::"Release $(echo "${GITHUB_REF}" | cut -d/ -f4-)"
+ - name: Use Node.js
+ uses: actions/setup-node@v1
+ env:
+ RUNNER_TEMP: /tmp/runner
+ with:
+ node-version: 12
+ - name: Install pnpm
+ run: |
+ npm install -g pnpm
+ - name: Build Accelerator Installer
+ id: build
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_DEFAULT_BRANCH: ${{ steps.format.outputs.branch_name }}
+ INSTALLER_STACK_DIR: ./src/installer/cdk
+ INSTALLER_STACK_NAME: AcceleratorInstaller
+ OUTPUT_DIR: templates
+ run: |
+ cd "${INSTALLER_STACK_DIR}"
+ pnpm install
+ pnpx cdk synth --output "${OUTPUT_DIR}" "${INSTALLER_STACK_NAME}"
+ echo ::set-output name=template_name::${INSTALLER_STACK_NAME}.template.json
+ echo ::set-output name=template_path::$(realpath "${OUTPUT_DIR}/${INSTALLER_STACK_NAME}.template.json")
+ - name: Generate Changelog
+ id: changelog
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_DEFAULT_BRANCH: ${{ steps.format.outputs.branch_name }}
+ run: |
+ previous_tag=$(git describe --tags --abbrev=0)
+ echo "Previous release was: ${previous_tag}"
+ changes=$(git log ${previous_tag}..HEAD --pretty="tformat:* %s (%h)" --first-parent)
+ echo ${changes}
+ changes="${changes//'%'/'%25'}" # Avoids whitespace removal.
+ changes="${changes//$'\n'/'%0A'}"
+ changes="${changes//$'\r'/'%0D'}"
+ echo ::set-output name=changelog::${changes}
+ - name: Bump package.json
+ run: |
+ npm install -g json
+ git config user.name github-actions
+ git config user.email github-actions@github.com
+ json -I -f src/core/cdk/package.json -e 'this.version="${{ steps.format.outputs.numeric_release }}"'
+ git add src/core/cdk/package.json
+ json -I -f src/installer/cdk/package.json -e 'this.version="${{ steps.format.outputs.numeric_release }}"'
+ git add src/installer/cdk/package.json
+ git commit -am 'Updating package to ${{ steps.format.outputs.numeric_release }}'
+ - name: Push Bumped Package Files
+ uses: ad-m/github-push-action@master
+ with:
+ github_token: ${{ secrets.ACTION_TOKEN }}
+ branch: ${{ steps.format.outputs.branch_name }}
+ - name: Create Release
+ id: create_release
+ uses: actions/create-release@latest
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ tag_name: ${{ steps.format.outputs.tag_name }}
+ release_name: ${{ steps.format.outputs.release_name }}
+ body: |
+ ${{ steps.changelog.outputs.changelog }}
+ draft: true
+ prerelease: false
+ - name: Upload Release Asset
+ id: upload-release-asset
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ TEMPLATE_PATH: ${{ steps.build.outputs.template_path }}
+ with:
+ upload_url: ${{ steps.create_release.outputs.upload_url }}
+ asset_path: ${{ steps.build.outputs.template_path }}
+ asset_name: ${{ steps.build.outputs.template_name }}
+ asset_content_type: application/json
+ - name: Get Draft Release Url
+ id: release_url
+ run: |
+ echo "Draft release available at: ${{ steps.create_release.outputs.html_url}}"
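Review bot: The "Create Release" step uses `actions/create-release@latest`, a floating tag that can move at any time, and it runs with `secrets.GITHUB_TOKEN`; as with the `@master` push action above it, pin to a full commit SHA, e.g. `uses: actions/create-release@<full-commit-sha-placeholder> # vX.Y.Z`. The "Bump package.json" step also interpolates `${{ steps.format.outputs.numeric_release }}` directly into a `run:` script and into the `json -e '...'` JavaScript expression; the value derives from the pushed branch name, so it is only as trusted as whoever can push to `release/v*`, and passing it through an `env:` variable (`NUMERIC_RELEASE: ${{ steps.format.outputs.numeric_release }}` then `"$NUMERIC_RELEASE"`) avoids template expansion rewriting the shell command. The change itself is a whitespace normalization and does not alter any of this.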
diff --git a/.gitignore b/.gitignore
index 55bd7f3df..2c5bee038 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,8 +1,8 @@
-cdk.out
-node_modules
-pnpm-lock.yaml
-.DS_Store
-*.log
-config.json
-aws-landing-zone-configuration.zip
-
+cdk.out
+node_modules
+pnpm-lock.yaml
+.DS_Store
+*.log
+config.json
+aws-landing-zone-configuration.zip
+
diff --git a/.prettierrc b/.prettierrc
index c32f43173..2f56c5242 100644
--- a/.prettierrc
+++ b/.prettierrc
@@ -1,7 +1,7 @@
-{
- "tabWidth": 2,
- "printWidth": 120,
- "singleQuote": true,
- "trailingComma": "all",
- "arrowParens": "avoid"
+{
+ "tabWidth": 2,
+ "printWidth": 120,
+ "singleQuote": true,
+ "trailingComma": "all",
+ "arrowParens": "avoid"
}
\ No newline at end of file
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
index 944346efa..5b627cfa6 100644
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -1,4 +1,4 @@
-## Code of Conduct
-This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
-For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
-opensource-codeofconduct@amazon.com with any additional questions or comments.
+## Code of Conduct
+This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
+For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
+opensource-codeofconduct@amazon.com with any additional questions or comments.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 809e1f3e4..914e0741d 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,61 +1,61 @@
-# Contributing Guidelines
-
-Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional
-documentation, we greatly value feedback and contributions from our community.
-
-Please read through this document before submitting any issues or pull requests to ensure we have all the necessary
-information to effectively respond to your bug report or contribution.
-
-
-## Reporting Bugs/Feature Requests
-
-We welcome you to use the GitHub issue tracker to report bugs or suggest features.
-
-When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already
-reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:
-
-* A reproducible test case or series of steps
-* The version of our code being used
-* Any modifications you've made relevant to the bug
-* Anything unusual about your environment or deployment
-
-
-## Contributing via Pull Requests
-Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that:
-
-1. You are working against the latest source on the *master* branch.
-2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
-3. You open an issue to discuss any significant work - we would hate for your time to be wasted.
-
-To send us a pull request, please:
-
-1. Fork the repository.
-2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
-3. Ensure local tests pass.
-4. Commit to your fork using clear commit messages.
-5. Send us a pull request, answering any default questions in the pull request interface.
-6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.
-
-GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and
-[creating a pull request](https://help.github.com/articles/creating-a-pull-request/).
-
-
-## Finding contributions to work on
-Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start.
-
-
-## Code of Conduct
-This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
-For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
-opensource-codeofconduct@amazon.com with any additional questions or comments.
-
-
-## Security issue notifications
-If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue.
-
-
-## Licensing
-
-See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution.
-
-We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes.
+# Contributing Guidelines
+
+Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional
+documentation, we greatly value feedback and contributions from our community.
+
+Please read through this document before submitting any issues or pull requests to ensure we have all the necessary
+information to effectively respond to your bug report or contribution.
+
+
+## Reporting Bugs/Feature Requests
+
+We welcome you to use the GitHub issue tracker to report bugs or suggest features.
+
+When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already
+reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:
+
+* A reproducible test case or series of steps
+* The version of our code being used
+* Any modifications you've made relevant to the bug
+* Anything unusual about your environment or deployment
+
+
+## Contributing via Pull Requests
+Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that:
+
+1. You are working against the latest source on the *master* branch.
+2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
+3. You open an issue to discuss any significant work - we would hate for your time to be wasted.
+
+To send us a pull request, please:
+
+1. Fork the repository.
+2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
+3. Ensure local tests pass.
+4. Commit to your fork using clear commit messages.
+5. Send us a pull request, answering any default questions in the pull request interface.
+6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.
+
+GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and
+[creating a pull request](https://help.github.com/articles/creating-a-pull-request/).
+
+
+## Finding contributions to work on
+Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start.
+
+
+## Code of Conduct
+This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
+For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
+opensource-codeofconduct@amazon.com with any additional questions or comments.
+
+
+## Security issue notifications
+If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue.
+
+
+## Licensing
+
+See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution.
+
+We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes.
diff --git a/LICENSE b/LICENSE
index c033efdce..44b3db7dd 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,96 +1,96 @@
-Amazon Software License 1.0
-
-This Amazon Software License ("License") governs your use, reproduction, and
-distribution of the accompanying software as specified below.
-
-1. Definitions
-
- "Licensor" means any person or entity that distributes its Work.
-
- "Software" means the original work of authorship made available under this
- License.
-
- "Work" means the Software and any additions to or derivative works of the
- Software that are made available under this License.
-
- The terms "reproduce," "reproduction," "derivative works," and
- "distribution" have the meaning as provided under U.S. copyright law;
- provided, however, that for the purposes of this License, derivative works
- shall not include works that remain separable from, or merely link (or bind
- by name) to the interfaces of, the Work.
-
- Works, including the Software, are "made available" under this License by
- including in or with the Work either (a) a copyright notice referencing the
- applicability of this License to the Work, or (b) a copy of this License.
-
-2. License Grants
-
- 2.1 Copyright Grant. Subject to the terms and conditions of this License,
- each Licensor grants to you a perpetual, worldwide, non-exclusive,
- royalty-free, copyright license to reproduce, prepare derivative works of,
- publicly display, publicly perform, sublicense and distribute its Work and
- any resulting derivative works in any form.
-
- 2.2 Patent Grant. Subject to the terms and conditions of this License, each
- Licensor grants to you a perpetual, worldwide, non-exclusive, royalty-free
- patent license to make, have made, use, sell, offer for sale, import, and
- otherwise transfer its Work, in whole or in part. The foregoing license
- applies only to the patent claims licensable by Licensor that would be
- infringed by Licensor's Work (or portion thereof) individually and
- excluding any combinations with any other materials or technology.
-
-3. Limitations
-
- 3.1 Redistribution. You may reproduce or distribute the Work only if
- (a) you do so under this License, (b) you include a complete copy of this
- License with your distribution, and (c) you retain without modification
- any copyright, patent, trademark, or attribution notices that are present
- in the Work.
-
- 3.2 Derivative Works. You may specify that additional or different terms
- apply to the use, reproduction, and distribution of your derivative works
- of the Work ("Your Terms") only if (a) Your Terms provide that the use
- limitation in Section 3.3 applies to your derivative works, and (b) you
- identify the specific derivative works that are subject to Your Terms.
- Notwithstanding Your Terms, this License (including the redistribution
- requirements in Section 3.1) will continue to apply to the Work itself.
-
- 3.3 Use Limitation. The Work and any derivative works thereof only may be
- used or intended for use with the web services, computing platforms or
- applications provided by Amazon.com, Inc. or its affiliates, including
- Amazon Web Services, Inc.
-
- 3.4 Patent Claims. If you bring or threaten to bring a patent claim against
- any Licensor (including any claim, cross-claim or counterclaim in a
- lawsuit) to enforce any patents that you allege are infringed by any Work,
- then your rights under this License from such Licensor (including the
- grants in Sections 2.1 and 2.2) will terminate immediately.
-
- 3.5 Trademarks. This License does not grant any rights to use any
- Licensor's or its affiliates' names, logos, or trademarks, except as
- necessary to reproduce the notices described in this License.
-
- 3.6 Termination. If you violate any term of this License, then your rights
- under this License (including the grants in Sections 2.1 and 2.2) will
- terminate immediately.
-
-4. Disclaimer of Warranty.
-
- THE WORK IS PROVIDED "AS IS" WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
- EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OR CONDITIONS OF
- MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE OR
- NON-INFRINGEMENT. YOU BEAR THE RISK OF UNDERTAKING ANY ACTIVITIES UNDER
- THIS LICENSE. SOME STATES' CONSUMER LAWS DO NOT ALLOW EXCLUSION OF AN
- IMPLIED WARRANTY, SO THIS DISCLAIMER MAY NOT APPLY TO YOU.
-
-5. Limitation of Liability.
-
- EXCEPT AS PROHIBITED BY APPLICABLE LAW, IN NO EVENT AND UNDER NO LEGAL
- THEORY, WHETHER IN TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE
- SHALL ANY LICENSOR BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY DIRECT,
- INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR
- RELATED TO THIS LICENSE, THE USE OR INABILITY TO USE THE WORK (INCLUDING
- BUT NOT LIMITED TO LOSS OF GOODWILL, BUSINESS INTERRUPTION, LOST PROFITS
- OR DATA, COMPUTER FAILURE OR MALFUNCTION, OR ANY OTHER COMM ERCIAL DAMAGES
- OR LOSSES), EVEN IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGES.
+Amazon Software License 1.0
+
+This Amazon Software License ("License") governs your use, reproduction, and
+distribution of the accompanying software as specified below.
+
+1. Definitions
+
+ "Licensor" means any person or entity that distributes its Work.
+
+ "Software" means the original work of authorship made available under this
+ License.
+
+ "Work" means the Software and any additions to or derivative works of the
+ Software that are made available under this License.
+
+ The terms "reproduce," "reproduction," "derivative works," and
+ "distribution" have the meaning as provided under U.S. copyright law;
+ provided, however, that for the purposes of this License, derivative works
+ shall not include works that remain separable from, or merely link (or bind
+ by name) to the interfaces of, the Work.
+
+ Works, including the Software, are "made available" under this License by
+ including in or with the Work either (a) a copyright notice referencing the
+ applicability of this License to the Work, or (b) a copy of this License.
+
+2. License Grants
+
+ 2.1 Copyright Grant. Subject to the terms and conditions of this License,
+ each Licensor grants to you a perpetual, worldwide, non-exclusive,
+ royalty-free, copyright license to reproduce, prepare derivative works of,
+ publicly display, publicly perform, sublicense and distribute its Work and
+ any resulting derivative works in any form.
+
+ 2.2 Patent Grant. Subject to the terms and conditions of this License, each
+ Licensor grants to you a perpetual, worldwide, non-exclusive, royalty-free
+ patent license to make, have made, use, sell, offer for sale, import, and
+ otherwise transfer its Work, in whole or in part. The foregoing license
+ applies only to the patent claims licensable by Licensor that would be
+ infringed by Licensor's Work (or portion thereof) individually and
+ excluding any combinations with any other materials or technology.
+
+3. Limitations
+
+ 3.1 Redistribution. You may reproduce or distribute the Work only if
+ (a) you do so under this License, (b) you include a complete copy of this
+ License with your distribution, and (c) you retain without modification
+ any copyright, patent, trademark, or attribution notices that are present
+ in the Work.
+
+ 3.2 Derivative Works. You may specify that additional or different terms
+ apply to the use, reproduction, and distribution of your derivative works
+ of the Work ("Your Terms") only if (a) Your Terms provide that the use
+ limitation in Section 3.3 applies to your derivative works, and (b) you
+ identify the specific derivative works that are subject to Your Terms.
+ Notwithstanding Your Terms, this License (including the redistribution
+ requirements in Section 3.1) will continue to apply to the Work itself.
+
+ 3.3 Use Limitation. The Work and any derivative works thereof only may be
+ used or intended for use with the web services, computing platforms or
+ applications provided by Amazon.com, Inc. or its affiliates, including
+ Amazon Web Services, Inc.
+
+ 3.4 Patent Claims. If you bring or threaten to bring a patent claim against
+ any Licensor (including any claim, cross-claim or counterclaim in a
+ lawsuit) to enforce any patents that you allege are infringed by any Work,
+ then your rights under this License from such Licensor (including the
+ grants in Sections 2.1 and 2.2) will terminate immediately.
+
+ 3.5 Trademarks. This License does not grant any rights to use any
+ Licensor's or its affiliates' names, logos, or trademarks, except as
+ necessary to reproduce the notices described in this License.
+
+ 3.6 Termination. If you violate any term of this License, then your rights
+ under this License (including the grants in Sections 2.1 and 2.2) will
+ terminate immediately.
+
+4. Disclaimer of Warranty.
+
+ THE WORK IS PROVIDED "AS IS" WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OR CONDITIONS OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE OR
+ NON-INFRINGEMENT. YOU BEAR THE RISK OF UNDERTAKING ANY ACTIVITIES UNDER
+ THIS LICENSE. SOME STATES' CONSUMER LAWS DO NOT ALLOW EXCLUSION OF AN
+ IMPLIED WARRANTY, SO THIS DISCLAIMER MAY NOT APPLY TO YOU.
+
+5. Limitation of Liability.
+
+ EXCEPT AS PROHIBITED BY APPLICABLE LAW, IN NO EVENT AND UNDER NO LEGAL
+ THEORY, WHETHER IN TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE
+ SHALL ANY LICENSOR BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY DIRECT,
+ INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR
+ RELATED TO THIS LICENSE, THE USE OR INABILITY TO USE THE WORK (INCLUDING
+ BUT NOT LIMITED TO LOSS OF GOODWILL, BUSINESS INTERRUPTION, LOST PROFITS
+ OR DATA, COMPUTER FAILURE OR MALFUNCTION, OR ANY OTHER COMM ERCIAL DAMAGES
+ OR LOSSES), EVEN IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGES.
diff --git a/NOTICE b/NOTICE
index edab54f61..b418696e4 100644
--- a/NOTICE
+++ b/NOTICE
@@ -1,2 +1,2 @@
-AWS Secure Environment Accelerator
-Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+AWS Secure Environment Accelerator
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
diff --git a/README.md b/README.md
index c80ab1dc3..9dbb0a970 100644
--- a/README.md
+++ b/README.md
@@ -1,146 +1,146 @@
-# AWS Secure Environment Accelerator
-
-The AWS Accelerator is a tool designed to deploy and operate secure multi-account AWS environments on an ongoing basis. The power of the solution is the configuration file that drives the architecture deployed by the tool. This enables extensive flexibility and for the completely automated deployment of a customized architecture within AWS without changing a single line of code.
-
-While flexible, the AWS Accelerator is delivered with a sample configuration file which deploys an opinionated and prescriptive architecture designed to meet the security and operational requirements of many governments around the world (initial focus was the Government of Canada). Tuning the parameters within the configuration file allows for the deployment of these customized architectures and enables the solution to meet the requirements of a broad range of governments and public sector organizations.
-
-Installation of the provided prescriptive architecture is reasonably simple, deploying a customized architecture does require extensive understanding of the AWS platform.
-
-## What specifically does the Accelerator deploy and manage?
-
-A common misconception is that the AWS Secure Environment Accelerator only deploys security services, not true. The Accelerator is capable of deploying a complete end-to-end hybrid enterprise cloud environment.
-
-Additionally, while the Accelerator is initially responsible for deploying a prescribed architecture, it more importantly allows for organizations to operate, evolve, and maintain their cloud architecture and security controls over time and as they grow, with mininal effort, often using native AWS tools. Customers don't have to change the way they operate in AWS.
-
-Specifically the accelerator deploys and manages the following functionality, both at initial accelerator deployment and as new accounts are created, added, or onboarded:
-
-### Creates AWS Account
-
-- Core Accounts - as many or as few as your organization requires, using the naming you desire
- - Shared Network
- - Operations
- - Perimeter
- - Log-Archive
- - Security-Audit
-- Workload Accounts - automate mass account creation, or use AWS organizations to scale one account at a time
-- Supports AWS Organizations nested ou's and importing existing AWS accounts
-- Performs 'account warming' to establish initial limits, when required
-- Automatically submits limit increases, when required (complies with initial limits until increased)
-
-### Creates Networking
-
-- Transit Gateways and TGW route tables
-- Centralized and/or Local VPC's
-- Subnets, Route tables, NACLs, Security groups, NATGWs, IGWs, VGWs, CGWs
-- VPC Endpoints (Gateway and Interface, Centralized or Local)
-- Route 53 Private and Public Zones, Resolver Rules and Endpoints, VPC Endpoint Overloaded Zones
-- All completely and indivdiually customizable (per account, VPC, or OU)
-- Deletes default VPC's (worldwide)
-
-### Cross-Account Object Sharing
-
-- VPC and Subnet sharing, including account level retagging (Per account security group 'replication')
-- VPC attachments and peering (local and cross-account)
-- Zone sharing and VPC associations
-- Managed Active Directory sharing, including R53 DNS resolver rule creation/sharing
-- (automated TGW inter-region peering on roadmap)
-
-### Identity
-
-- Creates Directory services (Managed Active Directory and Active Directory Connectors)
-- Creates Windows admin bastion host auto-scaling group
-- Set Windows domain password policies
-- Set IAM account password policies
-- Creates Windows domain users and groups (initial installation only)
-- Creates IAM Policies, Roles, Users, and Groups
-- Fully integrates with and leverages AWS SSO for centralized and federated login
-
-### Cloud Security Services
-
-- Enables and configures the following AWS services, worldwide w/central designated admin account:
- - Guardduty
- - Security Hub (Enables designated security standards, and disables individual controls)
- - Firewall Manager
- - CloudTrail w/Insights and S3 data plane logging
- - Config Recorders/Aggregator
- - Macie
- - IAM Access Analyzer
- - CloudWatch access from central designated admin account (and setting Log group retentions)
-
-### Other Security Capabilities
-
-- Creates, deploys and applies Service Control Policies
-- Creates Customer Managed KMS Keys (SSM, EBS, S3)
-- Enables account level default EBS encryption and S3 Block Public Access
-- Configures Systems Manager Session Manager w/KMS encryption and centralized logging
-- Creates and configures AWS budgets (customizable per ou and per account)
-- Imports or requests certificates into AWS Certificate Manager
-- Deploys both perimeter and account level ALB's w/Lambda health checks, certificates and TLS policies
-- Deploys & configures 3rd party firewall clusters and management instances w/vendor best practices and sample security policies, w/automated TGW ECMP BGP tunnel standup
-- Protects Accelerator deployed and managed objects
-
-### Centralized Logging
-
-- Deploys an rsyslog auto-scaling cluster behind an NLB, all syslogs forwarded to CWL
-- Centralizes logging to a single centralize S3 bucket (enables, configures and centralizes)
- - VPC Flow logs (Enhanced metadata fields and CWL destination coming soon)
- - Organizational Cost and Usage Reports
- - CloudTrail Logs including S3 Data Plane Logs (also sent to CWL)
- - All CloudWatch Logs (includes rsyslog logs)
- - Config History and Snapshots
- - Route 53 Public Zone Logs
- - GuardDuty Findings
- - Macie Discovery results
- - ALB Logs
- - SSM Session Logs
-- Centralized access to "Cloud Security Service" Consoles from designated AWS account
-
-## Relationship with AWS Landing Zone Solution (ALZ)
-
-The ALZ is an AWS Solution designed to deploy a multi-account AWS architecture for customers based on best practices and lessons learned from some of AWS' largest customers. The AWS Accelerator draws on design patterns from the Landing Zone, and re-uses several concepts and nomenclature, but it is not directly derived from it, nor does it leverage any code from the ALZ.
-
-The AWS Accelerator is a superset of the ALZ. The initial versions of the AWS Accelerator presupposed the existence of an AWS Landing Zone Solution in the AWS Organization; this requirement has since been removed as of release `v1.1.0`.
-
-While the option remains to deploy the AWS Accelerator on top of the ALZ, all new customers are strongly encourage to let the AWS Accelerator deploy and manage the entire environment by performing a standalone installation of the AWS Accelerator.
-
-## Relationship with AWS Control Tower
-
-AWS Control Tower is the successor to the ALZ, but offered as an AWS managed service. Many Public Sector customers have found Control Towers limited regional coverage, limited functionality and lack of customizability has made it unsuitable in meeting their requirements.
-
-When appropriate, it is envisioned that the AWS Accelerator will add the capability to be deployed on top of AWS Control Tower, as we allow with the ALZ today.
-
-## Accelerator Deployment Process (Summary)
-
-This summarizes the installation process, the full installation document can be found in the documentation section below.
-
-- Create a config.json file to represent your organizations requirements (PBMM sample provided)
-- Create a Secrets Manager Secret which contains a GitHub token with access to the Accelerator code repo
-- Create a unique S3 input bucket and place your config.json and any additional custom config files in the bucket
-- Download and execute the latest installer CloudFormation template in your master accounts preferred 'primary' region
-- Wait for:
- - CloudFormation to deploy and start the Code Pipeline (~5 mins)
- - Code Pipeline to download the Accelerator codebase and install the Accelerator State Machine (~15 mins)
- - The Accelerator State Machine to finish execution (~3hrs)
-- Perform required manual follow-up activities (configure AWS SSO, set firewall passwords, etc.)
-- When required:
- - Use AWS Organizations to create new fully managed and guardrailed AWS accounts
- - Update the config file in CodeCommit and run the Accelerator State Machine (~20min) to:
- - deploy, configure and guardrail multiple accounts at the same time
- - change Accelerator configuration settings
-
-# **Documentation** (Linked)
-
-### - [Installation, Upgrades and Basic Operations Guide](./docs/installation/index.md)
-
-- Link to [releases](https://github.com/aws-samples/aws-secure-environment-accelerator/releases)
-- Link to example PBMM config [file](./reference-artifacts/config.example.json)
-
-### - [Accelerator Operations/Troubleshooting Guide](./docs/operations/operations-troubleshooting-guide.md) (Early Draft)
-
-### - [Accelerator Developer Guide](./docs/developer/developer-guide.md) (Early Draft)
-
-### - [Prescriptive PBMM Architecture Design Document](./docs/architectures/pbmm/index.md) (Early Draft)
-
-### - [Frequently Asked Questions](./docs/faq/index.md) (Future)
-
-[...Go to Table of Contents](./docs/index.md)
+# AWS Secure Environment Accelerator
+
+The AWS Accelerator is a tool designed to deploy and operate secure multi-account AWS environments on an ongoing basis. The power of the solution is the configuration file that drives the architecture deployed by the tool. This enables extensive flexibility and for the completely automated deployment of a customized architecture within AWS without changing a single line of code.
+
+While flexible, the AWS Accelerator is delivered with a sample configuration file which deploys an opinionated and prescriptive architecture designed to meet the security and operational requirements of many governments around the world (initial focus was the Government of Canada). Tuning the parameters within the configuration file allows for the deployment of these customized architectures and enables the solution to meet the requirements of a broad range of governments and public sector organizations.
+
+Installation of the provided prescriptive architecture is reasonably simple, deploying a customized architecture does require extensive understanding of the AWS platform.
+
+## What specifically does the Accelerator deploy and manage?
+
+A common misconception is that the AWS Secure Environment Accelerator only deploys security services, not true. The Accelerator is capable of deploying a complete end-to-end hybrid enterprise cloud environment.
+
+Additionally, while the Accelerator is initially responsible for deploying a prescribed architecture, it more importantly allows for organizations to operate, evolve, and maintain their cloud architecture and security controls over time and as they grow, with mininal effort, often using native AWS tools. Customers don't have to change the way they operate in AWS.
+
+Specifically the accelerator deploys and manages the following functionality, both at initial accelerator deployment and as new accounts are created, added, or onboarded:
+
+### Creates AWS Account
+
+- Core Accounts - as many or as few as your organization requires, using the naming you desire
+ - Shared Network
+ - Operations
+ - Perimeter
+ - Log-Archive
+ - Security-Audit
+- Workload Accounts - automate mass account creation, or use AWS organizations to scale one account at a time
+- Supports AWS Organizations nested ou's and importing existing AWS accounts
+- Performs 'account warming' to establish initial limits, when required
+- Automatically submits limit increases, when required (complies with initial limits until increased)
+
+### Creates Networking
+
+- Transit Gateways and TGW route tables
+- Centralized and/or Local VPC's
+- Subnets, Route tables, NACLs, Security groups, NATGWs, IGWs, VGWs, CGWs
+- VPC Endpoints (Gateway and Interface, Centralized or Local)
+- Route 53 Private and Public Zones, Resolver Rules and Endpoints, VPC Endpoint Overloaded Zones
+- All completely and indivdiually customizable (per account, VPC, or OU)
+- Deletes default VPC's (worldwide)
+
+### Cross-Account Object Sharing
+
+- VPC and Subnet sharing, including account level retagging (Per account security group 'replication')
+- VPC attachments and peering (local and cross-account)
+- Zone sharing and VPC associations
+- Managed Active Directory sharing, including R53 DNS resolver rule creation/sharing
+- (automated TGW inter-region peering on roadmap)
+
+### Identity
+
+- Creates Directory services (Managed Active Directory and Active Directory Connectors)
+- Creates Windows admin bastion host auto-scaling group
+- Set Windows domain password policies
+- Set IAM account password policies
+- Creates Windows domain users and groups (initial installation only)
+- Creates IAM Policies, Roles, Users, and Groups
+- Fully integrates with and leverages AWS SSO for centralized and federated login
+
+### Cloud Security Services
+
+- Enables and configures the following AWS services, worldwide w/central designated admin account:
+ - Guardduty
+ - Security Hub (Enables designated security standards, and disables individual controls)
+ - Firewall Manager
+ - CloudTrail w/Insights and S3 data plane logging
+ - Config Recorders/Aggregator
+ - Macie
+ - IAM Access Analyzer
+ - CloudWatch access from central designated admin account (and setting Log group retentions)
+
+### Other Security Capabilities
+
+- Creates, deploys and applies Service Control Policies
+- Creates Customer Managed KMS Keys (SSM, EBS, S3)
+- Enables account level default EBS encryption and S3 Block Public Access
+- Configures Systems Manager Session Manager w/KMS encryption and centralized logging
+- Creates and configures AWS budgets (customizable per ou and per account)
+- Imports or requests certificates into AWS Certificate Manager
+- Deploys both perimeter and account level ALB's w/Lambda health checks, certificates and TLS policies
+- Deploys & configures 3rd party firewall clusters and management instances w/vendor best practices and sample security policies, w/automated TGW ECMP BGP tunnel standup
+- Protects Accelerator deployed and managed objects
+
+### Centralized Logging
+
+- Deploys an rsyslog auto-scaling cluster behind an NLB, all syslogs forwarded to CWL
+- Centralizes logging to a single centralize S3 bucket (enables, configures and centralizes)
+ - VPC Flow logs (Enhanced metadata fields and CWL destination coming soon)
+ - Organizational Cost and Usage Reports
+ - CloudTrail Logs including S3 Data Plane Logs (also sent to CWL)
+ - All CloudWatch Logs (includes rsyslog logs)
+ - Config History and Snapshots
+ - Route 53 Public Zone Logs
+ - GuardDuty Findings
+ - Macie Discovery results
+ - ALB Logs
+ - SSM Session Logs
+- Centralized access to "Cloud Security Service" Consoles from designated AWS account
+
+## Relationship with AWS Landing Zone Solution (ALZ)
+
+The ALZ is an AWS Solution designed to deploy a multi-account AWS architecture for customers based on best practices and lessons learned from some of AWS' largest customers. The AWS Accelerator draws on design patterns from the Landing Zone, and re-uses several concepts and nomenclature, but it is not directly derived from it, nor does it leverage any code from the ALZ.
+
+The AWS Accelerator is a superset of the ALZ. The initial versions of the AWS Accelerator presupposed the existence of an AWS Landing Zone Solution in the AWS Organization; this requirement has since been removed as of release `v1.1.0`.
+
+While the option remains to deploy the AWS Accelerator on top of the ALZ, all new customers are strongly encourage to let the AWS Accelerator deploy and manage the entire environment by performing a standalone installation of the AWS Accelerator.
+
+## Relationship with AWS Control Tower
+
+AWS Control Tower is the successor to the ALZ, but offered as an AWS managed service. Many Public Sector customers have found Control Towers limited regional coverage, limited functionality and lack of customizability has made it unsuitable in meeting their requirements.
+
+When appropriate, it is envisioned that the AWS Accelerator will add the capability to be deployed on top of AWS Control Tower, as we allow with the ALZ today.
+
+## Accelerator Deployment Process (Summary)
+
+This summarizes the installation process, the full installation document can be found in the documentation section below.
+
+- Create a config.json file to represent your organizations requirements (PBMM sample provided)
+- Create a Secrets Manager Secret which contains a GitHub token with access to the Accelerator code repo
+- Create a unique S3 input bucket and place your config.json and any additional custom config files in the bucket
+- Download and execute the latest installer CloudFormation template in your master accounts preferred 'primary' region
+- Wait for:
+ - CloudFormation to deploy and start the Code Pipeline (~5 mins)
+ - Code Pipeline to download the Accelerator codebase and install the Accelerator State Machine (~15 mins)
+ - The Accelerator State Machine to finish execution (~3hrs)
+- Perform required manual follow-up activities (configure AWS SSO, set firewall passwords, etc.)
+- When required:
+ - Use AWS Organizations to create new fully managed and guardrailed AWS accounts
+ - Update the config file in CodeCommit and run the Accelerator State Machine (~20min) to:
+ - deploy, configure and guardrail multiple accounts at the same time
+ - change Accelerator configuration settings
+
+# **Documentation** (Linked)
+
+### - [Installation, Upgrades and Basic Operations Guide](./docs/installation/index.md)
+
+- Link to [releases](https://github.com/aws-samples/aws-secure-environment-accelerator/releases)
+- Link to example PBMM config [file](./reference-artifacts/config.example.json)
+
+### - [Accelerator Operations/Troubleshooting Guide](./docs/operations/operations-troubleshooting-guide.md) (Early Draft)
+
+### - [Accelerator Developer Guide](./docs/developer/developer-guide.md) (Early Draft)
+
+### - [Prescriptive PBMM Architecture Design Document](./docs/architectures/pbmm/index.md) (Early Draft)
+
+### - [Frequently Asked Questions](./docs/faq/index.md) (Future)
+
+[...Go to Table of Contents](./docs/index.md)
diff --git a/docs/architectures/pbmm/Makefile b/docs/architectures/pbmm/Makefile
index 236352b85..c7a0bf345 100644
--- a/docs/architectures/pbmm/Makefile
+++ b/docs/architectures/pbmm/Makefile
@@ -1,4 +1,4 @@
-images: FORCE
- /Applications/draw.io.app/Contents/MacOS/draw.io -x -f png -b 10 -o images/ diagrams/
-
+images: FORCE
+ /Applications/draw.io.app/Contents/MacOS/draw.io -x -f png -b 10 -o images/ diagrams/
+
FORCE: ;
\ No newline at end of file
diff --git a/docs/architectures/pbmm/index.md b/docs/architectures/pbmm/index.md
index f71d19f53..a70fafad8 100644
--- a/docs/architectures/pbmm/index.md
+++ b/docs/architectures/pbmm/index.md
@@ -1,623 +1,623 @@
-# AWS Secure Environment Architecture
-
-## Table of Contents
-1. [Introduction](#introduction)
-1. [Account Structure](#AccountStructure)
-1. [Networking](#Networking)
-1. [Authorization and Authentication](#AA)
-1. [Logging and Monitoring](#LM)
-
-
-
-
-## 1. Introduction
-
-The *AWS Secure Environment Architecture* is a comprehensive, multi-account AWS cloud architecture, initially designed for use within the Government of Canada for [PBMM workloads][pbmm]. The *AWS Secure Environment Architecture* has been designed to address central identity and access management, governance, data security, comprehensive logging, and network design/segmentation per Canadian Centre for Cyber Security ITSG-33 specifications.
-
-The *AWS Secure Environment Architecture* has been built with the following design principles in mind:
-
-1. Maximize agility, scalability, and availability
-2. Enable the full capability of the AWS cloud and do not artificially limit capabilities based on lowest common denominator supported capabilities of other cloud providers
-4. Be adaptable to evolving technological capabilities in the underlying platform being used in the *AWS Secure Environment Architecture*
-5. Allow for seamless auto-scaling and provide unbounded bandwidth as bandwidth requirements increase (or decrease) based on actual customer load (a key aspect of the value proposition of cloud computing)
-6. High availability is paramount: the design stretches across two physical AWS Availability Zones (AZ), such that the loss of any one AZ does not impact application availability. The design can be easily extended to a third availability zone.
-7. Least Privilege: all principals in the accounts are intended to operate with the lowest-feasible permission set.
-
-
-### 1.1 Purpose of Document
-
-This document is intended to outline the technical measures that are delivered by the *AWS Secure Environment Architecture* that make it suitable for PBMM workloads. An explicit **non-goal** of this document is to explain the delivery architecture of the [AWS Secure Environment Accelerator tool][accel_tool] itself, an open-source software project built by AWS.
-
-While the central purpose of the [AWS Secure Environment Accelerator][accel_tool] is to establish an *AWS Secure Environment Architecture* into an AWS account footprint, this amounts to an implementation detail as far as the *AWS Secure Environment Architecture* is concerned. The *AWS Secure Environment Architecture* is a standalone design, irrespective of how it was delivered into a customer AWS environment. It is nonetheless anticipated that most customers will choose to realize their *AWS Secure Environment Architecture* via the delivery mechanism of the [AWS Secure Environment Accelerator tool][accel_tool].
-
-Comprehensive details on the tool itself are available elsewhere:
-
-1. [AWS Secure Environment Accelerator tool Operations & Troubleshooting Guide][ops_guide]
-2. [AWS Secure Environment Accelerator tool Developer Guide][dev_guide]
-
-Except where absolutely necessary, this document will refrain from referencing the _AWS Secure Environment Accelerator tool_ further.
-
-### 1.2 Overview
-
-The central features of the *AWS Secure Environment Architecture* are as follows:
-
-* **AWS Organization with multiple-accounts:** An [AWS Organization][aws_org] is a grouping construct for a number of separate AWS accounts that are controlled by a single customer entity. This provides consolidated billing, organizational units, and facilitates the deployment of pan-Organizational guardrails such as CloudTrail logs and Service Control Policies. The separate accounts provide strong control-plane and data-plane isolation between workloads and/or environments.
-* **Encryption:** AWS KMS with customer-managed CMKs is used extensively for any data stored at rest, in S3 buckets, EBS volumes, RDS encryption.
-* **Service Control Policies:** [SCPs][aws_scps] provide a guardrail mechanism principally used to deny entire categories of API operations at an AWS account, OU, or Organization level. These can be used to ensure workloads are deployed only in prescribed regions, ensure only whitelisted services are used, or prevent the disablement of detective/preventative controls. Prescriptive SCPs are provided.
-* **Centralized, Isolated Networking:** [Virtual Private Clouds][aws_vpc] (VPCs) are used to create data-plane isolation between workloads, centralized in a shared-network account. Connectivity to on-prem environments, internet egress, shared resources and AWS APIs are mediated at a central point of ingress/egress via the use of [Transit Gateway][aws_tgw], [Site-to-Site VPN][aws_vpn], Next-Gen Firewalls, and [AWS Direct Connect][aws_dc] (where applicable).
-* **Centralized DNS Management:** [Amazon Route 53][aws_r53] is used to provide unified public and private hosted zones across the cloud environment. Inbound and Outbound Route 53 Resolvers extend this unified view of DNS to on-premises networks.
-* **Comprehensive Logging:** CloudTrail logs are enabled Organization-wide to provide auditability across the cloud environment. CloudWatch Logs, for applications, as well as VPC flow logs, are centralized and deletion is prevented via SCPs.
-* **Detective Security Controls:** Potential security threats are surfaced across the cloud environment via automatic deployment of detective security controls such as GuardDuty, AWS Config, and Security Hub.
-* **Single-Sign-On**: AWS SSO is used to provide AD-authenticated IAM role assumption into accounts across the Organization for authorized principals.
-
-### 1.3 Document Convention
-
-Several conventions are used throughout this document to aid understanding.
-
-
-#### AWS Account Numbers
-
-AWS account numbers are decimal-digit pseudorandom identifiers with 12 digits (e.g. `651278770121`). This document will use the convention that an AWS master account has the account ID `123456789012`, and child accounts are given by `111111111111`, `222222222222`, etc.
-
-For example the following ARN would refer to a VPC subnet in the `ca-central-1` region in the master account:
-
-
- arn:aws:ec2:ca-central-1:123456789012:subnet/subnet-024759b61fc305ea3
-
-#### JSON Annotation
-
-Throughout the document, JSON snippets may be annotated with comments (starting with `// `). The JSON language itself does not define comments as part of the specification; these must be removed prior to use in most situations, including the AWS Console and APIs.
-
-For example:
-
-```jsonc
-{
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::123456789012:root" // Trust the master account.
- },
- "Action": "sts:AssumeRole"
-}
-```
-
-The above is not valid JSON without first removing the comment on the fourth line.
-
-#### IP Addresses
-
- The design makes use of [RFC1918][1918] addresses (e.g. `10.1.0.0/16`) and [RFC6598][6598] (e.g. `100.96.250.0/23`) for various networks; these will be labeled accordingly. Any specific range or IP shown is purely for illustration purposes only.
-
-
-
-### 1.4 Department Naming
-
-This document will make no reference to specific Government of Canada departments. Where naming is required (e.g. in domain names), this document will use a placeholder name as needed; e.g. `dept.gc.ca`.
-
-### 1.5 Relationship to AWS Landing Zone
-AWS Landing Zone is an AWS Solution designed to deploy multi-account cloud architectures for customers. The *AWS Secure Environment Architecture* draws on design patterns from Landing Zone, and re-uses several concepts and nomenclature, but it is not directly derived from it. An earlier internal release of the *AWS Secure Environment Architecture* presupposed the existence of an AWS Landing Zone in the Organization; this requirement has since been removed as of release `v1.1.0`.
-
-
-
-
-## 2. Account Structure
-
-AWS accounts are a strong isolation boundary; by default there is zero control plane or data plane access from one AWS account to another. AWS Organizations is a service that provides centralized billing across a fleet of accounts, and optionally, some integration-points for cross-account guardrails and cross-account resource sharing. The *AWS Secure Environment Architecture* uses these features of AWS Organizations to realize its design.
-
-## Accounts
-
-The *AWS Secure Environment Architecture* includes the following AWS accounts.
-
-Note that the account structure is strictly a control plane concept - nothing about this structure implies anything about the network design or network flows.
-
-
-
-
-### Master Account
-The AWS Organization resides in the master account. This account is not used for workloads (to the full extent possible) - it functions primarily as a billing aggregator, and a gateway to the entire cloud footprint for a high-trust principal. There exists a trust relationship between child AWS accounts in the Organization and the master account; i.e. the child accounts have a role of this form:
-
-```jsonc
-{
- "Role": {
- "Path": "/",
- "RoleName": "AWSCloudFormationStackSetExecutionRole",
- "Arn": "arn:aws:iam::111111111111:role/AWSCloudFormationStackSetExecutionRole", // Child account.
- "AssumeRolePolicyDocument": {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::123456789012:root" // Master account may assume this role.
- },
- "Action": "sts:AssumeRole"
- }
- ]
- }
- }
-}
-```
-
-Note that this is a different role name than the default installed by AWS Organizations (`OrganizationAccountAccessRole`).
-
-
-#### AWS SSO
-AWS SSO resides in the master account in the organization, due to a current requirement of the AWS SSO service. This service deploys IAM roles into the accounts in the Organization. More details on SSO are available in the **Authentication and Authorization** section.
-
-
-#### Organizational Units
-Underneath the root of the Organization, Organizational Units (OUs) provide an optional mechanism for grouping accounts into logical collections. Aside from the benefit of the grouping itself, these collections serve as the attachment points for SCPs (preventative API-blocking controls), and Resource Access Manager sharing (cross-account resource sharing).
-
-
-
-Example use cases are as follows:
-
-
-* An SCP is attached to the core OU to prevent the deletion of Transit Gateway resources in the associated accounts.
-* The shared network account uses RAM sharing to share the development line-of-business VPC with a development OU. This makes the VPC available to a functional account in that OU used by developers, despite residing logically in the shared network account.
-
-OUs may be nested (to a total depth of five), with SCPs and RAM sharing applied at the desired level. A typical *AWS Secure Environment Architecture* environment will have the following OUs:
-
-##### Core OU
-This OU houses all administrative accounts, such as the core landing zone accounts. No application accounts or application workloads are intended to exist within this OU. This OU also contains the centralized networking infrastructure in the `SharedNetwork` account.
-
-
-##### Central OU
-This OU houses accounts containing centralized resources, such as a shared AWS Directory Service (Microsoft AD) instance. Other shared resources such as software development tooling (source control, testing infrastructure), or asset repositories should be created in this OU.
-
-##### Functional OU: Sandbox
-This OU contains a set of Sandbox accounts used by development teams for proof of concept / prototyping work. These accounts are isolated at a network level and are not connected to the VPCs hosting development, test and production workloads. These accounts have direct internet access via an internet gateway (IGW). They do not route through the Perimeter Security services VPC for internet access.
-
-##### Functional OU: UnClass
-Accounts in this OU host unclassified application solutions. These accounts have internet access via the Perimeter firewall. This is an appropriate place to do cross-account unclassified collaboration with other departments or entities, or test services that are not available in the Canadian region.
-
-##### Functional OU: Dev
-Accounts in this OU host development tools and line of business application solutions that are part of approved releases and projects. These accounts have internet access via the Perimeter firewall.
-
-##### Functional OU: Test
-Accounts in this OU host test tools and line of business application solutions that are part of approved releases and projects. These accounts have internet access via the Perimeter firewall.
-
-##### Functional OU: Prod
-Accounts in this OU host production tools and line of business application solutions that are part of approved releases and projects. These accounts have internet access via the Perimeter firewall. Accounts in this OU are locked down with only specific Operations and Security personnel having access.
-
-##### Suspended OU
-A suspended OU is created to act as a container for end-of-life accounts or accounts with suspected credential leakage. The `DenyAll` SCP is applied, which prevents all control-plane API operations from taking place by any account principal.
-
-### Mandatory Accounts
-The *AWS Secure Environment Architecture* is an opinionated design, which partly manifests in the accounts that are deemed mandatory within the Organization. The following accounts are assumed to exist, and each has an important function with respect to the goals of the overall Architecture (mandatory in red)
-
-
-
-#### Master
-As discussed above, the master account functions as the root of the AWS Organization, the billing aggregator, attachment point for SCPs. Workloads are not intended to run in this account.
-
-**Note:** Customers deploying the *AWS Secure Environment Architecture* via the [AWS Secure Environment Accelerator][accel_tool] will deploy into this account. See the [Operations Guide][ops_guide] for more details.
-
-#### Perimeter
-The perimeter account, and in particular the perimeter VPC therein, functions as the single point of ingress/egress from the PBMM cloud environment to the public internet and/or on-premises network. This provides a central point of network control through which all workload-generated traffic, ingress and egress, must transit. The perimeter VPC hosts next-generation firewall instances that provide security services such as virus scanning, malware protection, intrusion protection, TLS inspection, and web application firewall functionality. More details on can be found in the Networking section of this document.
-
-#### Shared Network
-The shared network account hosts the vast majority of the AWS-side of the networking resources throughout the *AWS Secure Environment Architecture*. Workload-scoped VPCs (`Dev`, `Test`, `Prod`, etc) are defined here, and shared via RAM sharing to the respective OUs in the Organization. A Transit Gateway provides connectivity from the workloads to the internet or on-prem, without permitting cross-environment (AKA "East:West traffic") traffic (e.g. there is no Transit Gateway route from the `Dev` VPC to the `Prod` VPC). More details on can be found in the Networking section of this document.
-
-#### Operations
-The operations account provides a central location for the cloud team to provide cloud operation services to other AWS accounts within the Organization; for example CICD, developer tooling, and a managed Active Directory installation.
-
-
-#### Log Archive
-The log archive account provides a central aggregation and secure storage point for all audit logs created within the AWS Organization. This account contains a centralized location for copies of every account’s Audit and Configuration compliance logs. It also provides a storage location for any other audit/compliance logs, as well as application/OS logs.
-
-The AWS CloudTrail service provides a full audit history of all actions taken against AWS services, including users logging into accounts. We recommend access to this account be restricted to auditors or security teams for compliance and forensic investigations related to account activity. Additional CloudTrail trails for operational use can be created in each account.
-
-
-#### Security
-The security account is restricted to authorized security and compliance personnel, and related security or audit tools. This is an aggregation point for security services, including AWS Security Hub, and serves as the master for Amazon Guard Duty. A trust relationship with a readonly permission policy exists between every Organization account and the security account for audit and compliance purposes.
-
-
-### Functional Accounts
-
-Functional accounts are created on demand, and placed into an appropriate OU in the Organization structure. The purpose of functional accounts is to provide a secure and managed environment where project teams can use AWS resources. They provide an isolated control plane so that the actions of one team in one account cannot inadvertently affect the work of other teams in other accounts.
-
-Functional accounts will gain access to the RAM shared resources of their respective parent OU. Accounts created for `systemA` and `systemB` in the `Dev` OU would have control plane isolation from each other; however these would both have access to the `Dev` VPC (shared from the `SharedNetwork` account).
-
-Data plane isolation within the same VPC is achieved by default, by using appropriate security groups whenever ingress is warranted. For example, the app tier of `systemA` should only permit ingress from the `systemA-web` security group, not an overly broad range such as `0.0.0.0/0`, or even the VPC range.
-
-### Account Level Settings
-The *AWS Secure Environment Architecture* recommends the enabling of certain account-wide features on account creation. Namely, these include:
-
-1. [S3 Public Access Block][s3-block]
-2. [By-default encryption of EBS volumes][ebs-encryption].
-
-### Private Marketplace
-The *AWS Secure Environment Architecture* recommends that the AWS Private Marketplace is enabled for the Organization. Private Marketplace helps administrators govern which products they want their users to run on AWS by making it possible to see only products that comply with their organization's procurement policy. When Private Marketplace is enabled, it will replace the standard AWS Marketplace for all users.
-
-
-
-
-
-## 3. Networking
-
-### Overview
-The *AWS Secure Environment Architecture* networking is built on a principle of centralized on-premises and Internet ingress/egress, while enforcing data plane isolation between workloads in different environments. Connectivity to on-prem environments, internet egress, shared resources and AWS APIs are mediated at a central point of ingress/egress via the use of a [Transit Gateway][aws_tgw]. Consider the following overall network diagram:
-
-
-
-All functional accounts use RAM-shared networking infrastructure as depicted above. The workload VPCs (Dev, Test, Prod, etc) are hosted in the Shared Network account and made available to the appropriate OU in the Organization.
-
-### Perimeter
-The perimeter VPC hosts the Organization's perimeter security services. The Perimeter VPC is used to control the flow of traffic between AWS Accounts and external networks: both public and private via GC CAP and GC TIP. This VPC hosts Next Generation Firewalls (NGFW) that provide perimeter security services including virus scanning / malware protection, Intrusion Protection services, TLS Inspection and Web Application Firewall protection. If applicable, this VPC also hosts reverse proxy servers.
-
-####
-* **Primary Range**: The *AWS Secure Environment Architecture* recommends that the perimeter VPC have a primary range in the [RFC1918][1918] block (e.g. `10.7.4.0/22`), used only for subnets dedicated to 'detonation' purposes. This primary range, in an otherwise-unused [RFC1918][1918] range, is not intended to be routeable outside of the VPC, and is reserved for future use with malware detonation capabilities of NGFW devices.
-* **Secondary Range**: This VPC should also have a secondary range in the [RFC6598][6598] block (e.g. `100.96.250.0/23`) used for the overlay network (NGFW devices inside VPN tunnel) for all other subnets. This secondary range is assigned by an external entity (e.g. Shared Services Canada), and should be carefully selected in order to co-exist with *AWS Secure Environment Architecture* deployments that exist at peer organizations; for instance other government departments that maintain a relationship with the same shared entity in a carrier-grade NAT topology. Although this is a 'secondary' range in VPC parlance, this VPC CIDR should be interpreted as the more 'significant' of the two with respect to Transit Gateway routing; the Transit Gateway will only ever interact with this 'secondary' range.
-
-
-
-This VPC has four subnets per AZ, each of which hosts a port used by the NGFW devices, which are deployed in an HA pair. The purpose of these subnets is as follows.
-
-* **Detonation**: This is an unused subnet reserved for future use with malware detonation capabilities of the NGFW devices.
- * e.g. `10.7.4.0/24` - not routable except local.
-* **Proxy**: This subnet hosts reverse proxy services for web and other protocols. It also contains the [three interface endpoints][ssm_endpoints] necessary for AWS Systems Manager Session Manager, which enables SSH-less CLI access to authorized and authenticated principals in the perimeter account.
- * e.g. `100.96.251.64/26`
-* **On-Premises**: This subnet hosts the private interfaces of the firewalls, corresponding to connections from the on-premises network.
- * e.g. `100.96.250.192/26`
-* **FW-Management**: This subnet is used to host management tools and the management of the Firewalls itself.
- * e.g. `100.96.251.160/27` - a smaller subnet is permissible due to modest IP requirements for management instances.
-* **Public**: This subnet is the public-access zone for the perimeter VPC. It hosts the public interface of the firewalls, as well as application load balancers that are used to balance traffic across the firewall pair. There is one Elastic IPv4 address per public subnet that corresponds to the IPSec Customer Gateway (CGW) for the VPN connection into the Transit Gateway in Shared Networking.
- * e.g. `100.96.250.0/26`
-
-Outbound internet connections (for software updates, etc.) can be initiated from within the workload VPCs, and use the transparent proxy feature of the next-gen Firewalls.
-
-### Shared Network
-The shared network account, and the AWS networking resources therein, form the core of the cloud networking infrastructure across the account structure. Rather than the individual accounts defining their own networks, these are instead centralized here and shared out to the relevant OUs. Principals in a Dev OU will have access to a Dev VPC, Test OU will have access to a Test VPC and so on - all of which are owned by this account.
-
-You can share AWS Transit Gateways, Subnets, AWS License Manager configurations, and Amazon Route 53 Resolver rules resources with AWS Resource Access Manager (RAM). The RAM service eliminates the need to create duplicate resources in multiple accounts, reducing the operational overhead of managing those resources in every single account.
-
-#### Transit Gateway
-The Transit Gateway is a central hub that performs several core functions within the Shared Network account.
-
-1. Routing of permitted flows; for example a Workload to On-premises via the Perimeter VPC.
- * All routing tables in SharedNetwork VPCs send `0.0.0.0/0` traffic to the TGW, where its handling will be determined by the TGW Route Table (TGW-RT) that its attachment is associated with. For example:
- * an HTTP request to `registry.hub.docker.com` from the Test VPC will go to the TGW
- * The Segregated TGW RT will direct that traffic to the Perimeter VPC via the IPsec VPNs
- * The request will be proxied to the internet, via GC-CAP if appropriate
- * The return traffic will again transit the IPsec VPNs
- * The `10.3.0.0/16` bound response traffic will arrive at the Core TGW RT, where a propagation in that TGW RT will direct the response back to the Test VPC.
-2. Defining separate routing domains that prohibit undesired east-west flows at the network level; for example, by prohibiting Dev to Prod traffic. For example:
- * All routing tables in SharedNetwork VPCs send `0.0.0.0/0` traffic to the TGW, which defines where the next permissible hop is. For example, `10.2.0.0/16` Dev traffic destined for the `10.0.4.0/16` Prod VPC will be blocked by the blackhole route in the Segregated TGW RT.
-3. Enabling centralization of shared resources; namely a shared Microsoft AD installation in the Central VPC, and access to shared VPC Endpoints in the Endpoint VPC.
- * The Central VPC, and the Endpoint VPC are routable from Workload VPCs. This provides an economical way to share Organization wide resources that are nonetheless isolated into their own VPCs. For example:
- * a `git` request in the `Dev` VPC to `git.private-domain.ca` resolves to a `10.1.0.0/16` address in the `Central` VPC.
- * The request from the `Dev` VPC will go to the TGW due to the VPC routing table associated with that subnet
- * The TGW will send the request to the `Central` VPC via an entry in the Segregated TGW RT
- * The `git` response will go to the TGW due to the VPC routing table associated with that subnet
- * The Shared TGW RT will direct the response back to the `Dev` VPC
-
-The four TGW RTs exist to serve the following main functions:
-
-* **Segregated TGW RT**: Used as the association table for the workload VPCs; prevents east-west traffic, except to shared resources.
-* **Core TGW RT**: Used for internet/on-premises response traffic, and Endpoint VPC egress.
-* **Shared TGW RT**: Used to provide `Central` VPC access east-west for the purposes of response traffic to shared workloads
-* **Standalone TGW RT**: Reserved for future use. Prevents TGW routing except to the Endpoint VPC.
-
-Note that a unique BGP ASN will need to be available for the TGW.
-
-#### Endpoint VPC
-
-DNS functionality for the network architecture is centralized in the Endpoint VPC. It is recommended that the Endpoint VPC use a [RFC1918][1918] range - e.g. `10.7.0.0/22` with sufficient capacity to support 60+ AWS services and future endpoint expansion, and inbound and outbound resolvers (all figures per AZ).
-
-
-
-#### Endpoint VPC: Interface Endpoints
-
-The endpoint VPC hosts VPC Interface Endpoints (VPCEs) and associated Route 53 private hosted zones for all applicable services in the `ca-central-1` region. This permits traffic destined for an eligible AWS service; for example SQS, to remain entirely within the SharedNetwork account rather than transiting via the IPv4 public endpoint for the service:
-
-
-
-From within an associated workload VPC such as `Dev`, the service endpoint (e.g. `sqs.ca-central-1.amazonaws.com`) will resolve to an IP in the `Endpoint` VPC:
-
-```bash
-sh-4.2$ nslookup sqs.ca-central-1.amazonaws.com
-Server: 10.2.0.2 # Dev VPC's .2 resolver.
-Address: 10.2.0.2#53
-
-Non-authoritative answer:
-Name: sqs.ca-central-1.amazonaws.com
-Address: 10.7.1.190 # IP in Endpoint VPC - AZ-a.
-Name: sqs.ca-central-1.amazonaws.com
-Address: 10.7.0.135 # IP in Endpoint VPC - AZ-b.
-```
-
-This cross-VPC resolution of the service-specific private hosted zone functions via the association of each VPC to each private hosted zone, as depicted above.
-
-#### Endpoint VPC: Hybrid DNS
-
-The Endpoint VPC also hosts the common DNS infrastructure used to resolve DNS queries:
-
-* within the cloud
-* from the cloud to on-premises
-* from on-premises to the cloud
-
-
-##### Within The Cloud
-In-cloud DNS resolution applies beyond the DNS infrastructure that is put in place to support the Interface Endpoints for the AWS services in-region. Other DNS zones, associated with the Endpoint VPC, are resolvable the same way via an association to workload VPCs.
-
-##### From Cloud to On-Premises
-DNS Resolution from the cloud to on-premises is handled via the use of a Route 53 Outbound Endpoint, deployed in the Endpoint VPC, with an associated Resolver rule that fowards DNS traffic to the outbound endpoint. Each VPC is associated to this rule.
-
-
-
-##### From On-Premises to Cloud
-Conditional forwarding from on-premises networks is made possible via the use of a Route 53 Inbound Endpoint. On-prem networks send resolution requests for relevant domains to the endpoints deployed in the Endpoint VPC:
-
-
-
-
-
-#### Workload VPCs
-The workload VPCs are where line of business applications ultimately reside, segmented by environment (`Dev`, `Test`, `Prod`, etc). It is recommended that the Workload VPC use a [RFC1918][1918] range (e.g. `10.2.0.0/16` for `Dev`, `10.3.0.0/16` for `Test`, etc).
-
-
-
-Note that security groups are recommended as the primary data-plane isolation mechanism between applications that may coexist in the same VPC. It is anticipated that unrelated applications would coexist in their respective tiers without ever permitting east-west traffic flows.
-
-The following subnets are defined by the *AWS Secure Environment Architecture*:
-
-* **TGW subnet**: This subnet hosts the elastic-network interfaces for the TGW attachment. A `/27` subnet is sufficient.
-* **Web subnet**: This subnet hosts front-end or otherwise 'client' facing infrastructure. A `/20` or larger subnet is recommended to facilitate auto-scaling.
-* **App subnet**: This subnet hosts app-tier code (EC2, containers, etc). A `/19` or larger subnet is recommended to facilitate auto-scaling.
-* **Data subnet**: This subnet hosts data-tier code (RDS instances, ElastiCache instances). A `/21` or larger subnet is recommended.
-* **Mgmt subnet**: This subnet hosts bastion or other management instances. A `/21` or larger subnet is recommended.
-
-Each subnet is associated with a Common VPC Route Table, as depicted above. Gateway Endpoints for relevant services (Amazon S3, Amazon DynamoDB) are installed in the Common route tables of all Workload VPCs. Aside from local traffic or gateway-bound traffic, `0.0.0.0/0` is always destined for the TGW.
-
-
-##### Security Groups
-Security Groups are instance level firewalls, and represent a foundational unit of network segmentation across AWS networking. Security groups are stateful, and support ingress/egress rules based on protocols and source/destinations. While CIDR ranges are supported by the latter, it is preferable to instead use other security groups as source/destinations. This permits a higher level of expressiveness that is not coupled to particular CIDR choices and works well with autoscaling; e.g.
-
-> "permit port 3306 traffic from the `App` tier to the `Data` tier"
-
-versus
-
-> "permit port 3306 traffic from `10.0.1.0/24` to `10.0.2.0/24`.
-
-Note that in practice, egress rules are generally used in 'allow all' mode, with the focus primarily being on whitelisting certain ingress traffic.
-
-##### NACLs
-Network Access-Control Lists (NACLs) are used sparingly as a defense-in-depth measure. Given that each network flow requires potentially four NACL entries (egress from ephemeral, ingress to destination, egress from destination, ingress to ephemeral), the marginal security value of exhaustive NACL use is generally not worth the administrative complexity. The architecture recommends NACLs as a segmentation mechanism for `Data` subnets; i.e. `DENY` all inbound traffic to such a subnet except that which originates in the `App` subnet for the same VPC.
-
-
-#### Central VPC
-The Central VPC is a network for localizing operational infrastructure that may be needed across the Organization, such as code repositories, artifact repositories, and notably, the managed Directory Service (Microsoft AD). Instances that are domain joined will connect to this AD domain - a network flow that is made possible from anywhere in the network structure due to the inclusion of the Central VPC in all relevant association TGW RTs.
-
-It is recommended that the Central VPC use a [RFC1918][1918] range (e.g. `10.1.0.0/16`) for the purposes of routing from the workload VPCs, and a secondary range from the [RFC6598][6598] block (e.g. `100.96.252.0/23`) to support the Microsoft AD workload.
-
-Note that this VPC also contains a peering relationship to the `ForSSO` VPC in the master account. This exists purely to support connectivity from an AD-Connector instance in the master account, which in turn enables AWS SSO for federated login to the AWS control plane.
-
-
-
-##### Domain Joining
-
-An EC2 instance deployed in the Workload VPCs can join the domain corresponding to the Microsoft AD in `Central` provided the following conditions are all true:
-
-1. The instance needs a network path to the Central VPC (given by the Segregated TGW RT), and appropriate security group assignment
-2. The Microsoft AD should be 'shared' with the account the EC2 instance resides in (The *AWS Secure Environment Architecture* recommends these directories are shared to workload accounts)
-3. The instance has the AWS managed policies `AmazonSSMManagedInstanceCore` and `AmazonSSMDirectoryServiceAccess` attached to its IAM role, or runs under a role with at least the permission policies given by the combination of these two managed policies.
-4. The EC2's VPC has an associated resolver rule that directs DNS queries for the AD domain to the Central VPC.
-
-
-#### Sandbox VPC
-A sandbox VPC, not depicted, may be included in the *AWS Secure Environment Architecture*. This is **not** connected to the Transit Gateway, Perimeter VPC, on-premises network, or other common infrastructure. It contains its own Internet Gateway, and is an entirely separate VPC with respect to the rest of the *AWS Secure Environment Architecture*.
-
-The sandbox VPC should be used exclusively for time-limited experimentation, particularly with out-of-region services, and never used for any line of business workload or data.
-
-
-
-## 4. Authorization and Authentication
-The *AWS Secure Environment Architecture* makes extensive use of AWS authorization and authentication primitives from the Identity and Access Management (IAM) service as a means to enforce the guardrailing objectives of the *AWS Secure Environment Architecture*, and govern access to the set of accounts that makes up the Organization.
-
-### Relationship to the Master Account
-
-AWS accounts, as a default position, are entirely self-contained with respect to IAM principals - their Users, Roles, Groups are independent and scoped only to themselves. Accounts created by AWS Organizations deploy a default role with a trust policy back to the master. By default, this role is named the `OrganizationAccountAccessRole`; by contrast, the *AWS Secure Environment Architecture* recommends that this role be replaced by `AWSCloudFormationStackSetExecutionRole`:
-
-
-```jsonc
-{
- "Role": {
- "Path": "/",
- "RoleName": "AWSCloudFormationStackSetExecutionRole",
- "Arn": "arn:aws:iam::111111111111:role/AWSCloudFormationStackSetExecutionRole", // Child account.
- "AssumeRolePolicyDocument": {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::123456789012:root" // Master account may assume this role.
- },
- "Action": "sts:AssumeRole"
- }
- ]
- }
- }
-}
-```
-
-As discussed, the AWS Organization resides in the master account. This account is not used for workloads and is primarily a gateway to the entire cloud footprint for a high-trust principal. This is realized via the `AWSCloudFormationStackSetExecutionRole` role. It is therefore crucial that the master account root credentials be handled with extreme diligence, and with a U2F hardware key enabled as a second-factor (and stored in a secure location such as a safe).
-
-### Break Glass Accounts
-Given the Organizational-wide trust relationship in the `AWSCloudFormationStackSetExecutionRole` and its broad exclusion from SCPs (discussed below), the assumption of this role grants 'super admin' status, and is thus an extremely high privilege operation. The ability to assume this role should be considered a 'break glass' capability - to be used only in extraordinary circumstances. Access to this role can be granted by IAM Users or IAM Roles in the master account (via SSO) - as with the master root account credentials, these should be handled with extreme diligence, and with a U2F hardware key enabled as a second-factor (and stored in a secure location such as a safe).
-
-
-### Control Plane Access via AWS SSO
-The vast majority of end-users of the AWS cloud within the Organization will never use or interact with the master account, or indeed the root users of any child account in the Organization. The *AWS Secure Environment Architecture* recommends instead that AWS SSO be provisioned in the master account (a rare case where master account deployment is mandated).
-
-Users will login to AWS via the web-based endpoint for the AWS SSO service:
-
-
-
-Via an AWS Directory Connector deployed in the master account, AWS SSO will authenticate the user based on the underlying Microsoft AD installation (in the Central account). Based on group membership, the user will be presented with a set of roles to assume into those accounts. For example, a developer may be placed into groups that permit `Admin` access in the `Dev` account and `Readonly` access in `Test`; meanwhile an IT Director may have high-privilege access to most, or all, accounts. In effect, AWS SSO adds SAML IdP capabilities to the AWS Managed Microsoft AD, with the AWS Console acting as a service-provider (SP) in SAML parlance. Other SAML-aware SPs may also be used with AWS SSO.
-
-#### SSO User Roles
-AWS SSO creates an identity provider (IdP) in each account in the Organization. The roles used by end users have a trust policy to this IdP. When a user authenticates to AWS SSO (via the underlying AD Connector) and selects a role to assume based on their group memmership, the SSO service provides the user with temporary security credentials unique to the role session. In such a scenario, the user has no long term credentials (e.g. password, or access keys) and instead uses their temporary security credentials.
-
-Users, via their AD group membership, are ultimately assigned to SSO User Roles via the use of AWS SSO Permission Sets. A permission set is an assignment of a particular permission policy to a set of accounts. For example:
-
-An organization might decide to use **AWS Managed Policies for Job Functions** that are located within the SSO service as the baseline for role-based-access-control (RBAC) separation within an AWS account. This enables job function policies such as:
-
-* **Administrator** - This policy grants almost all actions for all AWS services and for all resources in the account.
-* **Developer Power User** - This user performs application development tasks and can create and configure resources and services that support AWS aware application development.
-* **Database Administrator** - This policy grants permissions to create, configure, and maintain databases. It includes access to AWS database services, such as Amazon DynamoDB, Amazon Relational Database Service (RDS), and Amazon Redshift.
-* **View-Only User** - This policy grants `List*`, `Describe*`, `Get*`, `View*`, and `Lookup*` access to resources for most AWS services.
-
-#### Principal Authorization
-
-Having assumed a role, a user’s permission-level within an AWS account with respect to any API operation is governed by the IAM policy evaluation logic flow ([detailed here][iam_flow]):
-
-
-
-Having an `Allow` to a particular API operation from the Role (i.e. Session Policy) does not necessarily imply that API operation will succeed. As depicted above, **Deny** may result due to another evaluation stage in the logic; for example a restrictive permission boundary or an explicit `Deny` at the Resource or SCP (account) level. SCPs are used extensively as a guardrailing mechanism in the *AWS Secure Environment Architecture*, and are discussed in a later section.
-
-### Root Authorization
-Root credentials for individual accounts in an AWS organization may be created on demand via a password reset process on the unique account email address; however, the *AWS Secure Environment Architecture* specifically denies this via SCP. Root credentials authorize all actions for all AWS services and for all resources in the account (except anything denied by SCPs). There are some actions which only root has the capability to perform which are found within the [AWS online documentation][root]. These are typically rare operations (e.g. creation of X.509 keys), and should not be required in the normal course of business. Any root credentials, if ever they need to be created, should be handled with extreme diligence, with U2F MFA enabled.
-
-### Service Roles
-A service role is an IAM Role that a service assumes to perform actions in an account on the user’s behalf. When a user sets up AWS service environments, the user must define an IAM Role for the service to assume. This service role must include all the permissions that are required for the service to access the AWS resources that it needs. Service roles provide access only within a single account and cannot be used to grant access to services in other accounts. Users can create, modify, and delete a service role from within the IAM service. For example, a user can create a role that allows Amazon Redshift to access an Amazon S3 bucket on the user’s behalf and then load data from that bucket into an Amazon Redshift cluster. In the case of SSO, during the process in which AWS SSO is enabled, the AWS Organizations service grants AWS SSO the necessary permissions to create subsequent IAM Roles.
-
-### Service Control Policies
-
-Service Control Policies are a key preventative control recommended by the *AWS Secure Environment Architecture*. It is crucial to note that SCPs, by themselves, never _grant_ permissions. They are most often used to `Deny` certain actions at a root, OU, or account level within an AWS Organization. Since `Deny` always overrides `Allow` in the IAM policy evaluation logic, SCPs can have a powerful effect on all principals in an account, and can wholesale deny entire categories of actions irrespective of the permission policy attached to the principal itself - even the root user of the account.
-
-SCPs follow an inheritance pattern from the root of the Organization:
-
-
-
-In order for any principal to be able to perform an action A, it is necessary (but not sufficient) that there is an `Allow` on action A from all levels of the hierarchy down to the account, and no explicit `Deny` anywhere. This is discussed in further detail in [How SCPs Work][scps].
-
-The *AWS Secure Environment Architecture* recommends the following SCPs in the Organization:
-
-#### PBMM Only
-This is a comprehensive policy whose main goal is to provide a PBMM-compliant cloud environment, namely prohibiting any non-centralized networking, and mandating data residency in Canada. It should be attached to all non-`Unclass` OUs.
-
-| Policy Statement ID (SID) | Description |
-| --- | --- |
-| `DenyNetworkPBMMONLY` | Prevents the creation of any networking infrastructure in the workload accounts such as VPCs, NATs, VPC peers, etc. |
-| `DenyAllOutsideCanadaPBMMONLY` | Prevents the use of any service in any non-Canadian AWS region with the exception of services that are considered global; e.g. CloudFront, IAM, STS, etc |
-| `ScopeSpecificGlobalActionsToCanadaUSE1` | Within services that are exempted from `DenyAllOutsideCanadaPBMMONLY`, scope the use of those services to the `us-east-1` region |
-
-#### PBMM Unclass Only
-This is broadly similar to `PBMM Only`; however it relaxes the requirement for Canadian region usage, and does not prohibit network infrastructure creation (e.g. VPCs, IGWs). This is appropriate for OUs in which AWS service experimentation is taking place.
-
-| Policy Statement ID (SID) | Description |
-| --- | --- |
-| `DenyUnclass` | Prevents the deletion of KMS encryption keys and IAM password policies |
-| `DenyAllOutsideCanadaUS` | Prevents the use of any service in any region that is not `ca-central-1` or `us-east-1`, with the exception of services that are considered global; e.g. CloudFront, IAM, STS, etc |
-
-#### PBMM Guardrails (Parts 1 and 2)
-PBMM Guardrails apply across the Organization. These guardrails protect key infrastructure, mandate encryption at rest, and prevent other non-PBMM configurations. Note that this guardrail is split into two parts due to a current limitation of SCP sizing, but logically it should be considered a single policy.
-
-| Policy Statement ID (SID) | Description |
-| --- | --- |
-| `DenyTag1` | Prevents modification of any protected security group |
-| `DenyTag2` | Prevents modification of any protected IAM resource |
-| `DenyS3` | Prevents modification of any S3 bucket used for Accelerator purposes |
-| `ProtectCloudFormation` | Prevents modification of any CloudFormation stack used for Accelerator tool purposes |
-| `DenyAlarmDeletion` | Prevents modification of any cloudwatch alarm used to alert on significant control plane events |
-| `ProtectKeyRoles` | Prevents any IAM operation on Accelerator tool IAM roles |
-| `DenySSMDel` | Prevents modification of any ssm resource used for Accelerator tool purposes |
-| `DenyLogDel` | Prevents the deletion of any log resource in Cloudwatch Logs |
-| `DenyLeaveOrg` | Prevents an account from leaving the Organization |
-| `DenyLambdaDel` | Prevents the modification of any guardrail Lambda function |
-| `BlockOther` | Prevents miscellaneous operations; e.g. Deny `ds:DisableSso` |
-| `BlockMarketplacePMP` | Prevents the modification or creation of a cloud private marketplace |
-| `DenyRoot` | Prevents the use of the root user in an account |
-| `EnforceEbsEncryption` | Enforces the use of volume level encryption in running instances |
-| `EnforceEBSVolumeEncryption` | Enforces the use of volume level encryption with EBS |
-| `EnforceRdsEncryption` | Enforces the use of RDS encryption |
-| `EnforceAuroraEncryption` | Enforces the use of Aurora encryption |
-| `DenyRDGWRole` | Prevents the modification of a role used for Remote Desktop Gateway |
-| `DenyGDSHFMAAChange` | Prevents the modification of GuardDuty & Security Hub |
-
-##### Encryption at Rest
-Note that the `*Encryption*` SCP statements above, taken together, mandate encryption at rest for block storage volumes used in EC2 and RDS instances.
-
-#### Quarantine Deny All
-
-This policy can be attached to an account to 'quarantine' it - to prevent any AWS operation from taking place. This is useful in the case of an account with credentials which are believed to have been compromised.
-
-| Policy Statement ID (SID) | Description |
-| --- | --- |
-| `DenyAllAWSServicesExceptBreakglassRoles` | Blanket denial on all AWS control plane operations for all non-break-glass roles |
-
-#### Quarantine New Object
-
-This policy is applied to new accounts upon creation. After the installation of guardrails, it is removed. In the meantime, it prevents all AWS control plane operations except by principals required to deploy guardrails.
-
-| Policy Statement ID (SID) | Description |
-| --- | --- |
-| `DenyAllAWSServicesExceptBreakglassRoles` | Blanket denial on all AWS control plane operations for all non-break-glass roles |
-
-
-
-## 5. Logging and Monitoring
-
-The *AWS Secure Environment Architecture* recommends the following detective controls across the Organization. These controls, taken together, provide a comprehensive picture of the full set of control plane and data plane operations across the set of accounts.
-
-### CloudTrail
-A CloudTrail Organizational trail should be deployed into the Organization. For each account, this captures management events and optionally S3 data plane events taking place by every principal in the account. These records are sent to an S3 bucket in the log archive account, and the trail itself cannot be modified or deleted by any principal in any child account. This provides an audit trail for detective purposes in the event of the need for forensic analysis into account usage. The logs themselves provide an integrity guarantee: every hour, CloudTrail produces a digest of that hour's logs files, and signs with its own private key. The authenticity of the logs may be verified using the corresponding public key. This process is [detailed here][ct-digest].
-
-### VPC Flow Logs
-VPC Flow Logs capture information about the IP traffic going to and from network interfaces in an AWS Account VPC such as source and destination IPs, protocol, ports, and success/failure of the flow. The *AWS Secure Environment Architecture* recommends enabling `ALL` (i.e. both accepted and rejected traffic) logs for all VPCs in the Shared Network account with an S3 destination in the log-archive account. More details about VPC Flow Logs are [available here][flow].
-
-Note that certain categories of network flows are not captured, including traffic to and from Traffic to and from `169.254.169.254` for instance metadata, and DNS traffic with an Amazon VPC resolver.
-
-### GuardDuty
-Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty uses a number of data sources including VPC Flow Logs and CloudTrail logs.
-
-The *AWS Secure Environment Architecture* recommends enabling GuardDuty [at the Organization level][gd-org], and delegating the security account as the GuardDuty master. The GuardDuty master should be auto-enabled to add new accounts as they come online. Note that this should be done in every region as a defense in depth measure, with the understanding that the PBMM SCP will prevent service usage in all other regions.
-
-### Config
-[AWS Config][config] provides a detailed view of the resources associated with each account in the AWS Organization, including how they are configured, how they are related to one another, and how the configurations have changed on a recurring basis. Resources can be evaluated on the basis of their compliance with Config Rules - for example, a Config Rule might continually examine EBS volumes and check that they are encrypted.
-
-Config may be [enabled at the Organization][config-org] level - this provides an overall view of the compliance status of all resources across the Organization.
-
-_Note: At the time of writing, the Config Multi-Account Multi-Region Data Aggregation sits in the master account. The *AWS Secure Environment Architecture* will recommend that this be situated in the security account, once that becomes easily-configurable in Organizations._
-
-### Cloudwatch Logs
-CloudWatch Logs is AWS' logging aggregator service, used to monitor, store, and access log files from EC2 instances, AWS CloudTrail, Route 53, and other sources. The *AWS Secure Environment Architecture* recommends that log subscriptions are created for all log groups in all workload accounts, and streamed into S3 in the log-archive account (via Kinesis) for analysis and long-term audit purposes.
-
-### SecurityHub
-The primary dashboard for Operators to assess the security posture of the AWS footprint is the centralized AWS Security Hub service. Security Hub should be configured to aggregate findings from Amazon GuardDuty, AWS Config and IAM Access Analyzers. Events from security integrations are correlated and displayed on the Security Hub dashboard as 'findings' with a severity level (informational, low, medium, high, critical).
-
-The *AWS Secure Environment Architecture* recommends that certain Security Hub frameworks be enabled, specifically:
-
-* [AWS Foundational Security Best Practices v1.0.0][found]
-* [PCI DSS v3.2.1][pci]
-* [CIS AWS Foundations Benchmark v1.2.0][cis]
-
-These frameworks will perform checks against the accounts via Config Rules that are evaluated against the AWS Config resources in scope. See the above links for a definition of the associated controls.
-
-[pbmm]: https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/cloud-services/government-canada-security-control-profile-cloud-based-it-services.html#toc4
-[ops_guide]: https://TODO
-[dev_guide]: https://TODO
-[accel_tool]:(../../../../)
-[aws_org]: https://aws.amazon.com/organizations/
-[aws_scps]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_type-auth.html#orgs_manage_policies_scp
-[aws_vpn]: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html
-[aws_dc]: https://aws.amazon.com/directconnect/
-[aws_vpc]: https://aws.amazon.com/vpc/
-[aws_tgw]: https://aws.amazon.com/transit-gateway/
-[aws_r53]: https://aws.amazon.com/route53/
-[ssm_endpoints]: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-systems-manager-vpc-endpoints/
-[1918]: https://tools.ietf.org/html/rfc1918
-[6598]: https://tools.ietf.org/html/rfc6598
-[root]: https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
-[iam_flow]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
-[scps]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps-about.html
-[ct-digest]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html
-[ebs-encryption]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default
-[s3-block]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-options
-[flow]: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
-[gd-org]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html
-[config]: https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html
-[config-org]: https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-config.html
-[found]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html
-[pci]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-pci-controls.html
+# AWS Secure Environment Architecture
+
+## Table of Contents
+1. [Introduction](#introduction)
+1. [Account Structure](#AccountStructure)
+1. [Networking](#Networking)
+1. [Authorization and Authentication](#AA)
+1. [Logging and Monitoring](#LM)
+
+
+
+
+## 1. Introduction
+
+The *AWS Secure Environment Architecture* is a comprehensive, multi-account AWS cloud architecture, initially designed for use within the Government of Canada for [PBMM workloads][pbmm]. The *AWS Secure Environment Architecture* has been designed to address central identity and access management, governance, data security, comprehensive logging, and network design/segmentation per Canadian Centre for Cyber Security ITSG-33 specifications.
+
+The *AWS Secure Environment Architecture* has been built with the following design principles in mind:
+
+1. Maximize agility, scalability, and availability
+2. Enable the full capability of the AWS cloud and do not artificially limit capabilities based on lowest common denominator supported capabilities of other cloud providers
+4. Be adaptable to evolving technological capabilities in the underlying platform being used in the *AWS Secure Environment Architecture*
+5. Allow for seamless auto-scaling and provide unbounded bandwidth as bandwidth requirements increase (or decrease) based on actual customer load (a key aspect of the value proposition of cloud computing)
+6. High availability is paramount: the design stretches across two physical AWS Availability Zones (AZ), such that the loss of any one AZ does not impact application availability. The design can be easily extended to a third availability zone.
+7. Least Privilege: all principals in the accounts are intended to operate with the lowest-feasible permission set.
+
+
+### 1.1 Purpose of Document
+
+This document is intended to outline the technical measures that are delivered by the *AWS Secure Environment Architecture* that make it suitable for PBMM workloads. An explicit **non-goal** of this document is to explain the delivery architecture of the [AWS Secure Environment Accelerator tool][accel_tool] itself, an open-source software project built by AWS.
+
+While the central purpose of the [AWS Secure Environment Accelerator][accel_tool] is to establish an *AWS Secure Environment Architecture* into an AWS account footprint, this amounts to an implementation detail as far as the *AWS Secure Environment Architecture* is concerned. The *AWS Secure Environment Architecture* is a standalone design, irrespective of how it was delivered into a customer AWS environment. It is nonetheless anticipated that most customers will choose to realize their *AWS Secure Environment Architecture* via the delivery mechanism of the [AWS Secure Environment Accelerator tool][accel_tool].
+
+Comprehensive details on the tool itself are available elsewhere:
+
+1. [AWS Secure Environment Accelerator tool Operations & Troubleshooting Guide][ops_guide]
+2. [AWS Secure Environment Accelerator tool Developer Guide][dev_guide]
+
+Except where absolutely necessary, this document will refrain from referencing the _AWS Secure Environment Accelerator tool_ further.
+
+### 1.2 Overview
+
+The central features of the *AWS Secure Environment Architecture* are as follows:
+
+* **AWS Organization with multiple-accounts:** An [AWS Organization][aws_org] is a grouping construct for a number of separate AWS accounts that are controlled by a single customer entity. This provides consolidated billing, organizational units, and facilitates the deployment of pan-Organizational guardrails such as CloudTrail logs and Service Control Policies. The separate accounts provide strong control-plane and data-plane isolation between workloads and/or environments.
+* **Encryption:** AWS KMS with customer-managed CMKs is used extensively for any data stored at rest, in S3 buckets, EBS volumes, RDS encryption.
+* **Service Control Policies:** [SCPs][aws_scps] provide a guardrail mechanism principally used to deny entire categories of API operations at an AWS account, OU, or Organization level. These can be used to ensure workloads are deployed only in prescribed regions, ensure only whitelisted services are used, or prevent the disablement of detective/preventative controls. Prescriptive SCPs are provided.
+* **Centralized, Isolated Networking:** [Virtual Private Clouds][aws_vpc] (VPCs) are used to create data-plane isolation between workloads, centralized in a shared-network account. Connectivity to on-prem environments, internet egress, shared resources and AWS APIs are mediated at a central point of ingress/egress via the use of [Transit Gateway][aws_tgw], [Site-to-Site VPN][aws_vpn], Next-Gen Firewalls, and [AWS Direct Connect][aws_dc] (where applicable).
+* **Centralized DNS Management:** [Amazon Route 53][aws_r53] is used to provide unified public and private hosted zones across the cloud environment. Inbound and Outbound Route 53 Resolvers extend this unified view of DNS to on-premises networks.
+* **Comprehensive Logging:** CloudTrail logs are enabled Organization-wide to provide auditability across the cloud environment. CloudWatch Logs, for applications, as well as VPC flow logs, are centralized and deletion is prevented via SCPs.
+* **Detective Security Controls:** Potential security threats are surfaced across the cloud environment via automatic deployment of detective security controls such as GuardDuty, AWS Config, and Security Hub.
+* **Single-Sign-On**: AWS SSO is used to provide AD-authenticated IAM role assumption into accounts across the Organization for authorized principals.
+
+### 1.3 Document Convention
+
+Several conventions are used throughout this document to aid understanding.
+
+
+#### AWS Account Numbers
+
+AWS account numbers are decimal-digit pseudorandom identifiers with 12 digits (e.g. `651278770121`). This document will use the convention that an AWS master account has the account ID `123456789012`, and child accounts are given by `111111111111`, `222222222222`, etc.
+
+For example the following ARN would refer to a VPC subnet in the `ca-central-1` region in the master account:
+
+
+ arn:aws:ec2:ca-central-1:123456789012:subnet/subnet-024759b61fc305ea3
+
+#### JSON Annotation
+
+Throughout the document, JSON snippets may be annotated with comments (starting with `// `). The JSON language itself does not define comments as part of the specification; these must be removed prior to use in most situations, including the AWS Console and APIs.
+
+For example:
+
+```jsonc
+{
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::123456789012:root" // Trust the master account.
+ },
+ "Action": "sts:AssumeRole"
+}
+```
+
+The above is not valid JSON without first removing the comment on the fourth line.
+
+#### IP Addresses
+
+ The design makes use of [RFC1918][1918] addresses (e.g. `10.1.0.0/16`) and [RFC6598][6598] (e.g. `100.96.250.0/23`) for various networks; these will be labeled accordingly. Any specific range or IP shown is purely for illustration purposes only.
+
+
+
+### 1.4 Department Naming
+
+This document will make no reference to specific Government of Canada departments. Where naming is required (e.g. in domain names), this document will use a placeholder name as needed; e.g. `dept.gc.ca`.
+
+### 1.5 Relationship to AWS Landing Zone
+AWS Landing Zone is an AWS Solution designed to deploy multi-account cloud architectures for customers. The *AWS Secure Environment Architecture* draws on design patterns from Landing Zone, and re-uses several concepts and nomenclature, but it is not directly derived from it. An earlier internal release of the *AWS Secure Environment Architecture* presupposed the existence of an AWS Landing Zone in the Organization; this requirement has since been removed as of release `v1.1.0`.
+
+
+
+
+## 2. Account Structure
+
+AWS accounts are a strong isolation boundary; by default there is zero control plane or data plane access from one AWS account to another. AWS Organizations is a service that provides centralized billing across a fleet of accounts, and optionally, some integration-points for cross-account guardrails and cross-account resource sharing. The *AWS Secure Environment Architecture* uses these features of AWS Organizations to realize its design.
+
+## Accounts
+
+The *AWS Secure Environment Architecture* includes the following AWS accounts.
+
+Note that the account structure is strictly a control plane concept - nothing about this structure implies anything about the network design or network flows.
+
+
+
+
+### Master Account
+The AWS Organization resides in the master account. This account is not used for workloads (to the full extent possible) - it functions primarily as a billing aggregator, and a gateway to the entire cloud footprint for a high-trust principal. There exists a trust relationship between child AWS accounts in the Organization and the master account; i.e. the child accounts have a role of this form:
+
+```jsonc
+{
+ "Role": {
+ "Path": "/",
+ "RoleName": "AWSCloudFormationStackSetExecutionRole",
+ "Arn": "arn:aws:iam::111111111111:role/AWSCloudFormationStackSetExecutionRole", // Child account.
+ "AssumeRolePolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::123456789012:root" // Master account may assume this role.
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
+ }
+}
+```
+
+Note that this is a different role name than the default installed by AWS Organizations (`OrganizationAccountAccessRole`).
+
+
+#### AWS SSO
+AWS SSO resides in the master account in the organization, due to a current requirement of the AWS SSO service. This service deploys IAM roles into the accounts in the Organization. More details on SSO are available in the **Authentication and Authorization** section.
+
+
+#### Organizational Units
+Underneath the root of the Organization, Organizational Units (OUs) provide an optional mechanism for grouping accounts into logical collections. Aside from the benefit of the grouping itself, these collections serve as the attachment points for SCPs (preventative API-blocking controls), and Resource Access Manager sharing (cross-account resource sharing).
+
+
+
+Example use cases are as follows:
+
+
+* An SCP is attached to the core OU to prevent the deletion of Transit Gateway resources in the associated accounts.
+* The shared network account uses RAM sharing to share the development line-of-business VPC with a development OU. This makes the VPC available to a functional account in that OU used by developers, despite residing logically in the shared network account.
+
+OUs may be nested (to a total depth of five), with SCPs and RAM sharing applied at the desired level. A typical *AWS Secure Environment Architecture* environment will have the following OUs:
+
+##### Core OU
+This OU houses all administrative accounts, such as the core landing zone accounts. No application accounts or application workloads are intended to exist within this OU. This OU also contains the centralized networking infrastructure in the `SharedNetwork` account.
+
+
+##### Central OU
+This OU houses accounts containing centralized resources, such as a shared AWS Directory Service (Microsoft AD) instance. Other shared resources such as software development tooling (source control, testing infrastructure), or asset repositories should be created in this OU.
+
+##### Functional OU: Sandbox
+This OU contains a set of Sandbox accounts used by development teams for proof of concept / prototyping work. These accounts are isolated at a network level and are not connected to the VPCs hosting development, test and production workloads. These accounts have direct internet access via an internet gateway (IGW). They do not route through the Perimeter Security services VPC for internet access.
+
+##### Functional OU: UnClass
+Accounts in this OU host unclassified application solutions. These accounts have internet access via the Perimeter firewall. This is an appropriate place to do cross-account unclassified collaboration with other departments or entities, or test services that are not available in the Canadian region.
+
+##### Functional OU: Dev
+Accounts in this OU host development tools and line of business application solutions that are part of approved releases and projects. These accounts have internet access via the Perimeter firewall.
+
+##### Functional OU: Test
+Accounts in this OU host test tools and line of business application solutions that are part of approved releases and projects. These accounts have internet access via the Perimeter firewall.
+
+##### Functional OU: Prod
+Accounts in this OU host production tools and line of business application solutions that are part of approved releases and projects. These accounts have internet access via the Perimeter firewall. Accounts in this OU are locked down with only specific Operations and Security personnel having access.
+
+##### Suspended OU
+A suspended OU is created to act as a container for end-of-life accounts or accounts with suspected credential leakage. The `DenyAll` SCP is applied, which prevents all control-plane API operations from taking place by any account principal.
+
+### Mandatory Accounts
+The *AWS Secure Environment Architecture* is an opinionated design, which partly manifests in the accounts that are deemed mandatory within the Organization. The following accounts are assumed to exist, and each has an important function with respect to the goals of the overall Architecture (mandatory in red)
+
+
+
+#### Master
+As discussed above, the master account functions as the root of the AWS Organization, the billing aggregator, attachment point for SCPs. Workloads are not intended to run in this account.
+
+**Note:** Customers deploying the *AWS Secure Environment Architecture* via the [AWS Secure Environment Accelerator][accel_tool] will deploy into this account. See the [Operations Guide][ops_guide] for more details.
+
+#### Perimeter
+The perimeter account, and in particular the perimeter VPC therein, functions as the single point of ingress/egress from the PBMM cloud environment to the public internet and/or on-premises network. This provides a central point of network control through which all workload-generated traffic, ingress and egress, must transit. The perimeter VPC hosts next-generation firewall instances that provide security services such as virus scanning, malware protection, intrusion protection, TLS inspection, and web application firewall functionality. More details on can be found in the Networking section of this document.
+
+#### Shared Network
+The shared network account hosts the vast majority of the AWS-side of the networking resources throughout the *AWS Secure Environment Architecture*. Workload-scoped VPCs (`Dev`, `Test`, `Prod`, etc) are defined here, and shared via RAM sharing to the respective OUs in the Organization. A Transit Gateway provides connectivity from the workloads to the internet or on-prem, without permitting cross-environment (AKA "East:West traffic") traffic (e.g. there is no Transit Gateway route from the `Dev` VPC to the `Prod` VPC). More details on can be found in the Networking section of this document.
+
+#### Operations
+The operations account provides a central location for the cloud team to provide cloud operation services to other AWS accounts within the Organization; for example CICD, developer tooling, and a managed Active Directory installation.
+
+
+#### Log Archive
+The log archive account provides a central aggregation and secure storage point for all audit logs created within the AWS Organization. This account contains a centralized location for copies of every account’s Audit and Configuration compliance logs. It also provides a storage location for any other audit/compliance logs, as well as application/OS logs.
+
+The AWS CloudTrail service provides a full audit history of all actions taken against AWS services, including users logging into accounts. We recommend access to this account be restricted to auditors or security teams for compliance and forensic investigations related to account activity. Additional CloudTrail trails for operational use can be created in each account.
+
+
+#### Security
+The security account is restricted to authorized security and compliance personnel, and related security or audit tools. This is an aggregation point for security services, including AWS Security Hub, and serves as the master for Amazon Guard Duty. A trust relationship with a readonly permission policy exists between every Organization account and the security account for audit and compliance purposes.
+
+
+### Functional Accounts
+
+Functional accounts are created on demand, and placed into an appropriate OU in the Organization structure. The purpose of functional accounts is to provide a secure and managed environment where project teams can use AWS resources. They provide an isolated control plane so that the actions of one team in one account cannot inadvertently affect the work of other teams in other accounts.
+
+Functional accounts will gain access to the RAM shared resources of their respective parent OU. Accounts created for `systemA` and `systemB` in the `Dev` OU would have control plane isolation from each other; however these would both have access to the `Dev` VPC (shared from the `SharedNetwork` account).
+
+Data plane isolation within the same VPC is achieved by default, by using appropriate security groups whenever ingress is warranted. For example, the app tier of `systemA` should only permit ingress from the `systemA-web` security group, not an overly broad range such as `0.0.0.0/0`, or even the VPC range.
+
+### Account Level Settings
+The *AWS Secure Environment Architecture* recommends the enabling of certain account-wide features on account creation. Namely, these include:
+
+1. [S3 Public Access Block][s3-block]
+2. [By-default encryption of EBS volumes][ebs-encryption].
+
+### Private Marketplace
+The *AWS Secure Environment Architecture* recommends that the AWS Private Marketplace is enabled for the Organization. Private Marketplace helps administrators govern which products they want their users to run on AWS by making it possible to see only products that comply with their organization's procurement policy. When Private Marketplace is enabled, it will replace the standard AWS Marketplace for all users.
+
+
+
+
+
+## 3. Networking
+
+### Overview
+The *AWS Secure Environment Architecture* networking is built on a principle of centralized on-premises and Internet ingress/egress, while enforcing data plane isolation between workloads in different environments. Connectivity to on-prem environments, internet egress, shared resources and AWS APIs are mediated at a central point of ingress/egress via the use of a [Transit Gateway][aws_tgw]. Consider the following overall network diagram:
+
+
+
+All functional accounts use RAM-shared networking infrastructure as depicted above. The workload VPCs (Dev, Test, Prod, etc) are hosted in the Shared Network account and made available to the appropriate OU in the Organization.
+
+### Perimeter
+The perimeter VPC hosts the Organization's perimeter security services. The Perimeter VPC is used to control the flow of traffic between AWS Accounts and external networks: both public and private via GC CAP and GC TIP. This VPC hosts Next Generation Firewalls (NGFW) that provide perimeter security services including virus scanning / malware protection, Intrusion Protection services, TLS Inspection and Web Application Firewall protection. If applicable, this VPC also hosts reverse proxy servers.
+
+####
+* **Primary Range**: The *AWS Secure Environment Architecture* recommends that the perimeter VPC have a primary range in the [RFC1918][1918] block (e.g. `10.7.4.0/22`), used only for subnets dedicated to 'detonation' purposes. This primary range, in an otherwise-unused [RFC1918][1918] range, is not intended to be routeable outside of the VPC, and is reserved for future use with malware detonation capabilities of NGFW devices.
+* **Secondary Range**: This VPC should also have a secondary range in the [RFC6598][6598] block (e.g. `100.96.250.0/23`) used for the overlay network (NGFW devices inside VPN tunnel) for all other subnets. This secondary range is assigned by an external entity (e.g. Shared Services Canada), and should be carefully selected in order to co-exist with *AWS Secure Environment Architecture* deployments that exist at peer organizations; for instance other government departments that maintain a relationship with the same shared entity in a carrier-grade NAT topology. Although this is a 'secondary' range in VPC parlance, this VPC CIDR should be interpreted as the more 'significant' of the two with respect to Transit Gateway routing; the Transit Gateway will only ever interact with this 'secondary' range.
+
+
+
+This VPC has four subnets per AZ, each of which hosts a port used by the NGFW devices, which are deployed in an HA pair. The purpose of these subnets is as follows.
+
+* **Detonation**: This is an unused subnet reserved for future use with malware detonation capabilities of the NGFW devices.
+ * e.g. `10.7.4.0/24` - not routable except local.
+* **Proxy**: This subnet hosts reverse proxy services for web and other protocols. It also contains the [three interface endpoints][ssm_endpoints] necessary for AWS Systems Manager Session Manager, which enables SSH-less CLI access to authorized and authenticated principals in the perimeter account.
+ * e.g. `100.96.251.64/26`
+* **On-Premises**: This subnet hosts the private interfaces of the firewalls, corresponding to connections from the on-premises network.
+ * e.g. `100.96.250.192/26`
+* **FW-Management**: This subnet is used to host management tools and the management of the Firewalls itself.
+ * e.g. `100.96.251.160/27` - a smaller subnet is permissible due to modest IP requirements for management instances.
+* **Public**: This subnet is the public-access zone for the perimeter VPC. It hosts the public interface of the firewalls, as well as application load balancers that are used to balance traffic across the firewall pair. There is one Elastic IPv4 address per public subnet that corresponds to the IPSec Customer Gateway (CGW) for the VPN connection into the Transit Gateway in Shared Networking.
+ * e.g. `100.96.250.0/26`
+
+Outbound internet connections (for software updates, etc.) can be initiated from within the workload VPCs, and use the transparent proxy feature of the next-gen Firewalls.
+
+### Shared Network
+The shared network account, and the AWS networking resources therein, form the core of the cloud networking infrastructure across the account structure. Rather than the individual accounts defining their own networks, these are instead centralized here and shared out to the relevant OUs. Principals in a Dev OU will have access to a Dev VPC, Test OU will have access to a Test VPC and so on - all of which are owned by this account.
+
+You can share AWS Transit Gateways, Subnets, AWS License Manager configurations, and Amazon Route 53 Resolver rules resources with AWS Resource Access Manager (RAM). The RAM service eliminates the need to create duplicate resources in multiple accounts, reducing the operational overhead of managing those resources in every single account.
+
+#### Transit Gateway
+The Transit Gateway is a central hub that performs several core functions within the Shared Network account.
+
+1. Routing of permitted flows; for example a Workload to On-premises via the Perimeter VPC.
+ * All routing tables in SharedNetwork VPCs send `0.0.0.0/0` traffic to the TGW, where its handling will be determined by the TGW Route Table (TGW-RT) that its attachment is associated with. For example:
+ * an HTTP request to `registry.hub.docker.com` from the Test VPC will go to the TGW
+ * The Segregated TGW RT will direct that traffic to the Perimeter VPC via the IPsec VPNs
+ * The request will be proxied to the internet, via GC-CAP if appropriate
+ * The return traffic will again transit the IPsec VPNs
+ * The `10.3.0.0/16` bound response traffic will arrive at the Core TGW RT, where a propagation in that TGW RT will direct the response back to the Test VPC.
+2. Defining separate routing domains that prohibit undesired east-west flows at the network level; for example, by prohibiting Dev to Prod traffic. For example:
+ * All routing tables in SharedNetwork VPCs send `0.0.0.0/0` traffic to the TGW, which defines where the next permissible hop is. For example, `10.2.0.0/16` Dev traffic destined for the `10.0.4.0/16` Prod VPC will be blocked by the blackhole route in the Segregated TGW RT.
+3. Enabling centralization of shared resources; namely a shared Microsoft AD installation in the Central VPC, and access to shared VPC Endpoints in the Endpoint VPC.
+ * The Central VPC, and the Endpoint VPC are routable from Workload VPCs. This provides an economical way to share Organization wide resources that are nonetheless isolated into their own VPCs. For example:
+ * a `git` request in the `Dev` VPC to `git.private-domain.ca` resolves to a `10.1.0.0/16` address in the `Central` VPC.
+ * The request from the `Dev` VPC will go to the TGW due to the VPC routing table associated with that subnet
+ * The TGW will send the request to the `Central` VPC via an entry in the Segregated TGW RT
+ * The `git` response will go to the TGW due to the VPC routing table associated with that subnet
+ * The Shared TGW RT will direct the response back to the `Dev` VPC
+
+The four TGW RTs exist to serve the following main functions:
+
+* **Segregated TGW RT**: Used as the association table for the workload VPCs; prevents east-west traffic, except to shared resources.
+* **Core TGW RT**: Used for internet/on-premises response traffic, and Endpoint VPC egress.
+* **Shared TGW RT**: Used to provide `Central` VPC access east-west for the purposes of response traffic to shared workloads
+* **Standalone TGW RT**: Reserved for future use. Prevents TGW routing except to the Endpoint VPC.
+
+Note that a unique BGP ASN will need to be available for the TGW.
+
+#### Endpoint VPC
+
+DNS functionality for the network architecture is centralized in the Endpoint VPC. It is recommended that the Endpoint VPC use a [RFC1918][1918] range - e.g. `10.7.0.0/22` with sufficient capacity to support 60+ AWS services and future endpoint expansion, and inbound and outbound resolvers (all figures per AZ).
+
+
+
+#### Endpoint VPC: Interface Endpoints
+
+The endpoint VPC hosts VPC Interface Endpoints (VPCEs) and associated Route 53 private hosted zones for all applicable services in the `ca-central-1` region. This permits traffic destined for an eligible AWS service; for example SQS, to remain entirely within the SharedNetwork account rather than transiting via the IPv4 public endpoint for the service:
+
+
+
+From within an associated workload VPC such as `Dev`, the service endpoint (e.g. `sqs.ca-central-1.amazonaws.com`) will resolve to an IP in the `Endpoint` VPC:
+
+```bash
+sh-4.2$ nslookup sqs.ca-central-1.amazonaws.com
+Server: 10.2.0.2 # Dev VPC's .2 resolver.
+Address: 10.2.0.2#53
+
+Non-authoritative answer:
+Name: sqs.ca-central-1.amazonaws.com
+Address: 10.7.1.190 # IP in Endpoint VPC - AZ-a.
+Name: sqs.ca-central-1.amazonaws.com
+Address: 10.7.0.135 # IP in Endpoint VPC - AZ-b.
+```
+
+This cross-VPC resolution of the service-specific private hosted zone functions via the association of each VPC to each private hosted zone, as depicted above.
+
+#### Endpoint VPC: Hybrid DNS
+
+The Endpoint VPC also hosts the common DNS infrastructure used to resolve DNS queries:
+
+* within the cloud
+* from the cloud to on-premises
+* from on-premises to the cloud
+
+
+##### Within The Cloud
+In-cloud DNS resolution applies beyond the DNS infrastructure that is put in place to support the Interface Endpoints for the AWS services in-region. Other DNS zones, associated with the Endpoint VPC, are resolvable the same way via an association to workload VPCs.
+
+##### From Cloud to On-Premises
+DNS Resolution from the cloud to on-premises is handled via the use of a Route 53 Outbound Endpoint, deployed in the Endpoint VPC, with an associated Resolver rule that fowards DNS traffic to the outbound endpoint. Each VPC is associated to this rule.
+
+
+
+##### From On-Premises to Cloud
+Conditional forwarding from on-premises networks is made possible via the use of a Route 53 Inbound Endpoint. On-prem networks send resolution requests for relevant domains to the endpoints deployed in the Endpoint VPC:
+
+
+
+
+
+#### Workload VPCs
+The workload VPCs are where line of business applications ultimately reside, segmented by environment (`Dev`, `Test`, `Prod`, etc). It is recommended that the Workload VPC use a [RFC1918][1918] range (e.g. `10.2.0.0/16` for `Dev`, `10.3.0.0/16` for `Test`, etc).
+
+
+
+Note that security groups are recommended as the primary data-plane isolation mechanism between applications that may coexist in the same VPC. It is anticipated that unrelated applications would coexist in their respective tiers without ever permitting east-west traffic flows.
+
+The following subnets are defined by the *AWS Secure Environment Architecture*:
+
+* **TGW subnet**: This subnet hosts the elastic-network interfaces for the TGW attachment. A `/27` subnet is sufficient.
+* **Web subnet**: This subnet hosts front-end or otherwise 'client' facing infrastructure. A `/20` or larger subnet is recommended to facilitate auto-scaling.
+* **App subnet**: This subnet hosts app-tier code (EC2, containers, etc). A `/19` or larger subnet is recommended to facilitate auto-scaling.
+* **Data subnet**: This subnet hosts data-tier code (RDS instances, ElastiCache instances). A `/21` or larger subnet is recommended.
+* **Mgmt subnet**: This subnet hosts bastion or other management instances. A `/21` or larger subnet is recommended.
+
+Each subnet is associated with a Common VPC Route Table, as depicted above. Gateway Endpoints for relevant services (Amazon S3, Amazon DynamoDB) are installed in the Common route tables of all Workload VPCs. Aside from local traffic or gateway-bound traffic, `0.0.0.0/0` is always destined for the TGW.
+
+
+##### Security Groups
+Security Groups are instance level firewalls, and represent a foundational unit of network segmentation across AWS networking. Security groups are stateful, and support ingress/egress rules based on protocols and source/destinations. While CIDR ranges are supported by the latter, it is preferable to instead use other security groups as source/destinations. This permits a higher level of expressiveness that is not coupled to particular CIDR choices and works well with autoscaling; e.g.
+
+> "permit port 3306 traffic from the `App` tier to the `Data` tier"
+
+versus
+
+> "permit port 3306 traffic from `10.0.1.0/24` to `10.0.2.0/24`.
+
+Note that in practice, egress rules are generally used in 'allow all' mode, with the focus primarily being on whitelisting certain ingress traffic.
+
+##### NACLs
+Network Access-Control Lists (NACLs) are used sparingly as a defense-in-depth measure. Given that each network flow requires potentially four NACL entries (egress from ephemeral, ingress to destination, egress from destination, ingress to ephemeral), the marginal security value of exhaustive NACL use is generally not worth the administrative complexity. The architecture recommends NACLs as a segmentation mechanism for `Data` subnets; i.e. `DENY` all inbound traffic to such a subnet except that which originates in the `App` subnet for the same VPC.
+
+
+#### Central VPC
+The Central VPC is a network for localizing operational infrastructure that may be needed across the Organization, such as code repositories, artifact repositories, and notably, the managed Directory Service (Microsoft AD). Instances that are domain joined will connect to this AD domain - a network flow that is made possible from anywhere in the network structure due to the inclusion of the Central VPC in all relevant association TGW RTs.
+
+It is recommended that the Central VPC use a [RFC1918][1918] range (e.g. `10.1.0.0/16`) for the purposes of routing from the workload VPCs, and a secondary range from the [RFC6598][6598] block (e.g. `100.96.252.0/23`) to support the Microsoft AD workload.
+
+Note that this VPC also contains a peering relationship to the `ForSSO` VPC in the master account. This exists purely to support connectivity from an AD-Connector instance in the master account, which in turn enables AWS SSO for federated login to the AWS control plane.
+
+
+
+##### Domain Joining
+
+An EC2 instance deployed in the Workload VPCs can join the domain corresponding to the Microsoft AD in `Central` provided the following conditions are all true:
+
+1. The instance needs a network path to the Central VPC (given by the Segregated TGW RT), and appropriate security group assignment
+2. The Microsoft AD should be 'shared' with the account the EC2 instance resides in (The *AWS Secure Environment Architecture* recommends these directories are shared to workload accounts)
+3. The instance has the AWS managed policies `AmazonSSMManagedInstanceCore` and `AmazonSSMDirectoryServiceAccess` attached to its IAM role, or runs under a role with at least the permission policies given by the combination of these two managed policies.
+4. The EC2's VPC has an associated resolver rule that directs DNS queries for the AD domain to the Central VPC.
+
+
+#### Sandbox VPC
+A sandbox VPC, not depicted, may be included in the *AWS Secure Environment Architecture*. This is **not** connected to the Transit Gateway, Perimeter VPC, on-premises network, or other common infrastructure. It contains its own Internet Gateway, and is an entirely separate VPC with respect to the rest of the *AWS Secure Environment Architecture*.
+
+The sandbox VPC should be used exclusively for time-limited experimentation, particularly with out-of-region services, and never used for any line of business workload or data.
+
+
+
+## 4. Authorization and Authentication
+The *AWS Secure Environment Architecture* makes extensive use of AWS authorization and authentication primitives from the Identity and Access Management (IAM) service as a means to enforce the guardrailing objectives of the *AWS Secure Environment Architecture*, and govern access to the set of accounts that makes up the Organization.
+
+### Relationship to the Master Account
+
+AWS accounts, as a default position, are entirely self-contained with respect to IAM principals - their Users, Roles, Groups are independent and scoped only to themselves. Accounts created by AWS Organizations deploy a default role with a trust policy back to the master. By default, this role is named the `OrganizationAccountAccessRole`; by contrast, the *AWS Secure Environment Architecture* recommends that this role be replaced by `AWSCloudFormationStackSetExecutionRole`:
+
+
+```jsonc
+{
+ "Role": {
+ "Path": "/",
+ "RoleName": "AWSCloudFormationStackSetExecutionRole",
+ "Arn": "arn:aws:iam::111111111111:role/AWSCloudFormationStackSetExecutionRole", // Child account.
+ "AssumeRolePolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::123456789012:root" // Master account may assume this role.
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
+ }
+}
+```
+
+As discussed, the AWS Organization resides in the master account. This account is not used for workloads and is primarily a gateway to the entire cloud footprint for a high-trust principal. This is realized via the `AWSCloudFormationStackSetExecutionRole` role. It is therefore crucial that the master account root credentials be handled with extreme diligence, and with a U2F hardware key enabled as a second-factor (and stored in a secure location such as a safe).
+
+### Break Glass Accounts
+Given the Organizational-wide trust relationship in the `AWSCloudFormationStackSetExecutionRole` and its broad exclusion from SCPs (discussed below), the assumption of this role grants 'super admin' status, and is thus an extremely high privilege operation. The ability to assume this role should be considered a 'break glass' capability - to be used only in extraordinary circumstances. Access to this role can be granted by IAM Users or IAM Roles in the master account (via SSO) - as with the master root account credentials, these should be handled with extreme diligence, and with a U2F hardware key enabled as a second-factor (and stored in a secure location such as a safe).
+
+
+### Control Plane Access via AWS SSO
+The vast majority of end-users of the AWS cloud within the Organization will never use or interact with the master account, or indeed the root users of any child account in the Organization. The *AWS Secure Environment Architecture* recommends instead that AWS SSO be provisioned in the master account (a rare case where master account deployment is mandated).
+
+Users will login to AWS via the web-based endpoint for the AWS SSO service:
+
+
+
+Via an AWS Directory Connector deployed in the master account, AWS SSO will authenticate the user based on the underlying Microsoft AD installation (in the Central account). Based on group membership, the user will be presented with a set of roles to assume into those accounts. For example, a developer may be placed into groups that permit `Admin` access in the `Dev` account and `Readonly` access in `Test`; meanwhile an IT Director may have high-privilege access to most, or all, accounts. In effect, AWS SSO adds SAML IdP capabilities to the AWS Managed Microsoft AD, with the AWS Console acting as a service-provider (SP) in SAML parlance. Other SAML-aware SPs may also be used with AWS SSO.
+
+#### SSO User Roles
+AWS SSO creates an identity provider (IdP) in each account in the Organization. The roles used by end users have a trust policy to this IdP. When a user authenticates to AWS SSO (via the underlying AD Connector) and selects a role to assume based on their group memmership, the SSO service provides the user with temporary security credentials unique to the role session. In such a scenario, the user has no long term credentials (e.g. password, or access keys) and instead uses their temporary security credentials.
+
+Users, via their AD group membership, are ultimately assigned to SSO User Roles via the use of AWS SSO Permission Sets. A permission set is an assignment of a particular permission policy to a set of accounts. For example:
+
+An organization might decide to use **AWS Managed Policies for Job Functions** that are located within the SSO service as the baseline for role-based-access-control (RBAC) separation within an AWS account. This enables job function policies such as:
+
+* **Administrator** - This policy grants almost all actions for all AWS services and for all resources in the account.
+* **Developer Power User** - This user performs application development tasks and can create and configure resources and services that support AWS aware application development.
+* **Database Administrator** - This policy grants permissions to create, configure, and maintain databases. It includes access to AWS database services, such as Amazon DynamoDB, Amazon Relational Database Service (RDS), and Amazon Redshift.
+* **View-Only User** - This policy grants `List*`, `Describe*`, `Get*`, `View*`, and `Lookup*` access to resources for most AWS services.
+
+#### Principal Authorization
+
+Having assumed a role, a user’s permission-level within an AWS account with respect to any API operation is governed by the IAM policy evaluation logic flow ([detailed here][iam_flow]):
+
+
+
+Having an `Allow` to a particular API operation from the Role (i.e. Session Policy) does not necessarily imply that API operation will succeed. As depicted above, **Deny** may result due to another evaluation stage in the logic; for example a restrictive permission boundary or an explicit `Deny` at the Resource or SCP (account) level. SCPs are used extensively as a guardrailing mechanism in the *AWS Secure Environment Architecture*, and are discussed in a later section.
+
+### Root Authorization
+Root credentials for individual accounts in an AWS organization may be created on demand via a password reset process on the unique account email address; however, the *AWS Secure Environment Architecture* specifically denies this via SCP. Root credentials authorize all actions for all AWS services and for all resources in the account (except anything denied by SCPs). There are some actions which only root has the capability to perform which are found within the [AWS online documentation][root]. These are typically rare operations (e.g. creation of X.509 keys), and should not be required in the normal course of business. Any root credentials, if ever they need to be created, should be handled with extreme diligence, with U2F MFA enabled.
+
+### Service Roles
+A service role is an IAM Role that a service assumes to perform actions in an account on the user’s behalf. When a user sets up AWS service environments, the user must define an IAM Role for the service to assume. This service role must include all the permissions that are required for the service to access the AWS resources that it needs. Service roles provide access only within a single account and cannot be used to grant access to services in other accounts. Users can create, modify, and delete a service role from within the IAM service. For example, a user can create a role that allows Amazon Redshift to access an Amazon S3 bucket on the user’s behalf and then load data from that bucket into an Amazon Redshift cluster. In the case of SSO, during the process in which AWS SSO is enabled, the AWS Organizations service grants AWS SSO the necessary permissions to create subsequent IAM Roles.
+
+### Service Control Policies
+
+Service Control Policies are a key preventative control recommended by the *AWS Secure Environment Architecture*. It is crucial to note that SCPs, by themselves, never _grant_ permissions. They are most often used to `Deny` certain actions at a root, OU, or account level within an AWS Organization. Since `Deny` always overrides `Allow` in the IAM policy evaluation logic, SCPs can have a powerful effect on all principals in an account, and can wholesale deny entire categories of actions irrespective of the permission policy attached to the principal itself - even the root user of the account.
+
+SCPs follow an inheritance pattern from the root of the Organization:
+
+
+
+In order for any principal to be able to perform an action A, it is necessary (but not sufficient) that there is an `Allow` on action A from all levels of the hierarchy down to the account, and no explicit `Deny` anywhere. This is discussed in further detail in [How SCPs Work][scps].
+
+The *AWS Secure Environment Architecture* recommends the following SCPs in the Organization:
+
+#### PBMM Only
+This is a comprehensive policy whose main goal is to provide a PBMM-compliant cloud environment, namely prohibiting any non-centralized networking, and mandating data residency in Canada. It should be attached to all non-`Unclass` OUs.
+
+| Policy Statement ID (SID) | Description |
+| --- | --- |
+| `DenyNetworkPBMMONLY` | Prevents the creation of any networking infrastructure in the workload accounts such as VPCs, NATs, VPC peers, etc. |
+| `DenyAllOutsideCanadaPBMMONLY` | Prevents the use of any service in any non-Canadian AWS region with the exception of services that are considered global; e.g. CloudFront, IAM, STS, etc |
+| `ScopeSpecificGlobalActionsToCanadaUSE1` | Within services that are exempted from `DenyAllOutsideCanadaPBMMONLY`, scope the use of those services to the `us-east-1` region |
+
+#### PBMM Unclass Only
+This is broadly similar to `PBMM Only`; however it relaxes the requirement for Canadian region usage, and does not prohibit network infrastructure creation (e.g. VPCs, IGWs). This is appropriate for OUs in which AWS service experimentation is taking place.
+
+| Policy Statement ID (SID) | Description |
+| --- | --- |
+| `DenyUnclass` | Prevents the deletion of KMS encryption keys and IAM password policies |
+| `DenyAllOutsideCanadaUS` | Prevents the use of any service in any region that is not `ca-central-1` or `us-east-1`, with the exception of services that are considered global; e.g. CloudFront, IAM, STS, etc |
+
+#### PBMM Guardrails (Parts 1 and 2)
+PBMM Guardrails apply across the Organization. These guardrails protect key infrastructure, mandate encryption at rest, and prevent other non-PBMM configurations. Note that this guardrail is split into two parts due to a current limitation of SCP sizing, but logically it should be considered a single policy.
+
+| Policy Statement ID (SID) | Description |
+| --- | --- |
+| `DenyTag1` | Prevents modification of any protected security group |
+| `DenyTag2` | Prevents modification of any protected IAM resource |
+| `DenyS3` | Prevents modification of any S3 bucket used for Accelerator purposes |
+| `ProtectCloudFormation` | Prevents modification of any CloudFormation stack used for Accelerator tool purposes |
+| `DenyAlarmDeletion` | Prevents modification of any cloudwatch alarm used to alert on significant control plane events |
+| `ProtectKeyRoles` | Prevents any IAM operation on Accelerator tool IAM roles |
+| `DenySSMDel` | Prevents modification of any ssm resource used for Accelerator tool purposes |
+| `DenyLogDel` | Prevents the deletion of any log resource in Cloudwatch Logs |
+| `DenyLeaveOrg` | Prevents an account from leaving the Organization |
+| `DenyLambdaDel` | Prevents the modification of any guardrail Lambda function |
+| `BlockOther` | Prevents miscellaneous operations; e.g. Deny `ds:DisableSso` |
+| `BlockMarketplacePMP` | Prevents the modification or creation of a cloud private marketplace |
+| `DenyRoot` | Prevents the use of the root user in an account |
+| `EnforceEbsEncryption` | Enforces the use of volume level encryption in running instances |
+| `EnforceEBSVolumeEncryption` | Enforces the use of volume level encryption with EBS |
+| `EnforceRdsEncryption` | Enforces the use of RDS encryption |
+| `EnforceAuroraEncryption` | Enforces the use of Aurora encryption |
+| `DenyRDGWRole` | Prevents the modification of a role used for Remote Desktop Gateway |
+| `DenyGDSHFMAAChange` | Prevents the modification of GuardDuty & Security Hub |
+
+##### Encryption at Rest
+Note that the `*Encryption*` SCP statements above, taken together, mandate encryption at rest for block storage volumes used in EC2 and RDS instances.
+
+#### Quarantine Deny All
+
+This policy can be attached to an account to 'quarantine' it - to prevent any AWS operation from taking place. This is useful in the case of an account with credentials which are believed to have been compromised.
+
+| Policy Statement ID (SID) | Description |
+| --- | --- |
+| `DenyAllAWSServicesExceptBreakglassRoles` | Blanket denial on all AWS control plane operations for all non-break-glass roles |
+
+#### Quarantine New Object
+
+This policy is applied to new accounts upon creation. After the installation of guardrails, it is removed. In the meantime, it prevents all AWS control plane operations except by principals required to deploy guardrails.
+
+| Policy Statement ID (SID) | Description |
+| --- | --- |
+| `DenyAllAWSServicesExceptBreakglassRoles` | Blanket denial on all AWS control plane operations for all non-break-glass roles |
+
+
+
+## 5. Logging and Monitoring
+
+The *AWS Secure Environment Architecture* recommends the following detective controls across the Organization. These controls, taken together, provide a comprehensive picture of the full set of control plane and data plane operations across the set of accounts.
+
+### CloudTrail
+A CloudTrail Organizational trail should be deployed into the Organization. For each account, this captures management events and optionally S3 data plane events taking place by every principal in the account. These records are sent to an S3 bucket in the log archive account, and the trail itself cannot be modified or deleted by any principal in any child account. This provides an audit trail for detective purposes in the event of the need for forensic analysis into account usage. The logs themselves provide an integrity guarantee: every hour, CloudTrail produces a digest of that hour's logs files, and signs with its own private key. The authenticity of the logs may be verified using the corresponding public key. This process is [detailed here][ct-digest].
+
+### VPC Flow Logs
+VPC Flow Logs capture information about the IP traffic going to and from network interfaces in an AWS Account VPC such as source and destination IPs, protocol, ports, and success/failure of the flow. The *AWS Secure Environment Architecture* recommends enabling `ALL` (i.e. both accepted and rejected traffic) logs for all VPCs in the Shared Network account with an S3 destination in the log-archive account. More details about VPC Flow Logs are [available here][flow].
+
+Note that certain categories of network flows are not captured, including traffic to and from Traffic to and from `169.254.169.254` for instance metadata, and DNS traffic with an Amazon VPC resolver.
+
+### GuardDuty
+Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty uses a number of data sources including VPC Flow Logs and CloudTrail logs.
+
+The *AWS Secure Environment Architecture* recommends enabling GuardDuty [at the Organization level][gd-org], and delegating the security account as the GuardDuty master. The GuardDuty master should be auto-enabled to add new accounts as they come online. Note that this should be done in every region as a defense in depth measure, with the understanding that the PBMM SCP will prevent service usage in all other regions.
+
+### Config
+[AWS Config][config] provides a detailed view of the resources associated with each account in the AWS Organization, including how they are configured, how they are related to one another, and how the configurations have changed on a recurring basis. Resources can be evaluated on the basis of their compliance with Config Rules - for example, a Config Rule might continually examine EBS volumes and check that they are encrypted.
+
+Config may be [enabled at the Organization][config-org] level - this provides an overall view of the compliance status of all resources across the Organization.
+
+_Note: At the time of writing, the Config Multi-Account Multi-Region Data Aggregation sits in the master account. The *AWS Secure Environment Architecture* will recommend that this be situated in the security account, once that becomes easily-configurable in Organizations._
+
+### Cloudwatch Logs
+CloudWatch Logs is AWS' logging aggregator service, used to monitor, store, and access log files from EC2 instances, AWS CloudTrail, Route 53, and other sources. The *AWS Secure Environment Architecture* recommends that log subscriptions are created for all log groups in all workload accounts, and streamed into S3 in the log-archive account (via Kinesis) for analysis and long-term audit purposes.
+
+### SecurityHub
+The primary dashboard for Operators to assess the security posture of the AWS footprint is the centralized AWS Security Hub service. Security Hub should be configured to aggregate findings from Amazon GuardDuty, AWS Config and IAM Access Analyzers. Events from security integrations are correlated and displayed on the Security Hub dashboard as 'findings' with a severity level (informational, low, medium, high, critical).
+
+The *AWS Secure Environment Architecture* recommends that certain Security Hub frameworks be enabled, specifically:
+
+* [AWS Foundational Security Best Practices v1.0.0][found]
+* [PCI DSS v3.2.1][pci]
+* [CIS AWS Foundations Benchmark v1.2.0][cis]
+
+These frameworks will perform checks against the accounts via Config Rules that are evaluated against the AWS Config resources in scope. See the above links for a definition of the associated controls.
+
+[pbmm]: https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/cloud-services/government-canada-security-control-profile-cloud-based-it-services.html#toc4
+[ops_guide]: https://TODO
+[dev_guide]: https://TODO
+[accel_tool]:(../../../../)
+[aws_org]: https://aws.amazon.com/organizations/
+[aws_scps]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_type-auth.html#orgs_manage_policies_scp
+[aws_vpn]: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html
+[aws_dc]: https://aws.amazon.com/directconnect/
+[aws_vpc]: https://aws.amazon.com/vpc/
+[aws_tgw]: https://aws.amazon.com/transit-gateway/
+[aws_r53]: https://aws.amazon.com/route53/
+[ssm_endpoints]: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-systems-manager-vpc-endpoints/
+[1918]: https://tools.ietf.org/html/rfc1918
+[6598]: https://tools.ietf.org/html/rfc6598
+[root]: https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
+[iam_flow]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
+[scps]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps-about.html
+[ct-digest]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html
+[ebs-encryption]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default
+[s3-block]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-options
+[flow]: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
+[gd-org]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html
+[config]: https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html
+[config-org]: https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-config.html
+[found]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html
+[pci]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-pci-controls.html
[cis]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html
\ No newline at end of file
diff --git a/docs/developer/developer-guide.md b/docs/developer/developer-guide.md
index cfeebee62..584594724 100644
--- a/docs/developer/developer-guide.md
+++ b/docs/developer/developer-guide.md
@@ -1,1260 +1,1260 @@
-# Developer Guide
-
-This document is a reference document. Instead of reading through it in linear order, you can use it to look up specific issues as needed.
-
-It is important to read the [Operations Guide](../operations/operations-troubleshooting-guide.md) before reading this document.
-
-## Table of Contents
-
-- [Developer Guide](#developer-guide)
- - [Table of Contents](#table-of-contents)
- - [Technology Stack](#technology-stack)
- - [TypeScript and NodeJS](#typescript-and-nodejs)
- - [pnpm](#pnpm)
- - [prettier](#prettier)
- - [tslint](#tslint)
- - [CloudFormation](#cloudformation)
- - [CDK](#cdk)
- - [Development](#development)
- - [Project Structure](#project-structure)
- - [Installer Stack](#installer-stack)
- - [Initial Setup Stack](#initial-setup-stack)
- - [CodeBuild and Prebuilt Docker Image](#codebuild-and-prebuilt-docker-image)
- - [Passing Data to Phase Steps and Phase Stacks](#passing-data-to-phase-steps-and-phase-stacks)
- - [Phase Steps and Phase Stacks](#phase-steps-and-phase-stacks)
- - [Phases and Deployments](#phases-and-deployments)
- - [Passing Outputs Between Phases](#passing-outputs-between-phases)
- - [Decoupling Configuration from Constructs](#decoupling-configuration-from-constructs)
- - [Libraries & Tools](#libraries--tools)
- - [CDK Assume Role Plugin](#cdk-assume-role-plugin)
- - [CDK API](#cdk-api)
- - [AWS SDK Wrappers](#aws-sdk-wrappers)
- - [Configuration File Parsing](#configuration-file-parsing)
- - [`AcceleratorNameTagger`](#acceleratornametagger)
- - [`AcceleratorStack`](#acceleratorstack)
- - [Name Generator](#name-generator)
- - [`AccountStacks`](#accountstacks)
- - [`Vpc` and `ImportedVpc`](#vpc-and-importedvpc)
- - [`Limiter`](#limiter)
- - [Creating Stack Outputs](#creating-stack-outputs)
- - [Adding Tags to Shared Resources in Destination Account](#adding-tags-to-shared-resources-in-destination-account)
- - [Custom Resources](#custom-resources)
- - [Externalizing `aws-sdk`](#externalizing-aws-sdk)
- - [cfn-response](#cfn-response)
- - [cfn-tags](#cfn-tags)
- - [webpack-base](#webpack-base)
- - [Workarounds](#workarounds)
- - [Stacks with Same Name in Different Regions](#stacks-with-same-name-in-different-regions)
- - [Account Warming](#account-warming)
- - [Local Development](#local-development)
- - [Installer Stack](#installer-stack-1)
- - [Initial Setup Stack](#initial-setup-stack-1)
- - [Phase Stacks](#phase-stacks)
- - [Testing](#testing)
- - [Validating Immutable Property Changes and Logical ID Changes](#validating-immutable-property-changes-and-logical-id-changes)
- - [Upgrade CDK](#upgrade-cdk)
- - [Best Practices](#best-practices)
- - [TypeScript and NodeJS](#typescript-and-nodejs-1)
- - [Handle Unhandled Promises](#handle-unhandled-promises)
- - [CloudFormation](#cloudformation-1)
- - [Cross-Account/Region References](#cross-accountregion-references)
- - [Resource Names and Logical IDs](#resource-names-and-logical-ids)
- - [Changing Logical IDs](#changing-logical-ids)
- - [Changing (Immutable) Properties](#changing-immutable-properties)
- - [CDK](#cdk-1)
- - [Logical IDs](#logical-ids)
- - [Moving Resources between Nested Stacks](#moving-resources-between-nested-stacks)
- - [L1 vs. L2 Constructs](#l1-vs-l2-constructs)
- - [CDK Code Dependency on Lambda Function Code](#cdk-code-dependency-on-lambda-function-code)
- - [Custom Resource](#custom-resource)
- - [Escape Hatches](#escape-hatches)
- - [AutoScaling Group Metadata](#autoscaling-group-metadata)
- - [Secret `SecretValue`](#secret-secretvalue)
- - [Contributing Guidelines](#contributing-guidelines)
- - [How-to](#how-to)
- - [Adding New Functionality?](#adding-new-functionality)
- - [Create a CDK Lambda Function with Lambda Runtime Code](#create-a-cdk-lambda-function-with-lambda-runtime-code)
- - [Create a Custom Resource](#create-a-custom-resource)
- - [Run All Unit Tests](#run-all-unit-tests)
- - [Accept Unit Test Snapshot Changes](#accept-unit-test-snapshot-changes)
- - [Validate Code with Prettier](#validate-code-with-prettier)
- - [Format Code with Prettier](#format-code-with-prettier)
- - [Validate Code with `tslint`](#validate-code-with-tslint)
-
-## Technology Stack
-
-We use TypeScript, NodeJS, CDK and CloudFormation. You can find some more information in the sections below.
-
-### TypeScript and NodeJS
-
-In the following sections we describe the tools and libraries used along with TypeScript.
-
-#### pnpm
-
-We use the `pnpm` package manager along with `pnpm workspaces` to manage all the packages in this monorepo.
-
-https://pnpm.js.org
-
-https://pnpm.js.org/en/workspaces
-
-The binary `pnpx` can be used to run binaries that belong to `pnpm` packages in the workspace.
-
-https://pnpm.js.org/en/pnpx-cli
-
-#### prettier
-
-We use [`prettier`](https://prettier.io) to format code in this repository. A GitHub action makes sure that all the code in a pull requests adheres to the configured `prettier` rules. See [Github Actions](#github-actions).
-
-#### tslint
-
-We use [`tslint`](https://palantir.github.io/tslint) as a static analysis tool that checks our TypeScript code. A GitHub action makes sure that all the code in a pull requests adheres to the configured `tslint` rules. See [Github Actions](#github-actions).
-
-> _Action Item:_ Migrate to `eslint` as `tslint` is deprecated but is still being used by this project. We can look at [`aws-cdk` pull request #8946](https://github.com/aws/aws-cdk/pull/8946) as an example to migrate.
-
-### CloudFormation
-
-CloudFormation is used to deploy both the Accelerator stacks and resources and the deployed stacks and resources. See [Operations Guide: System Overview](../operations/operations-troubleshooting-guide.md) for the distinction between Accelerator resources and deployed resources.
-
-### CDK
-
-https://docs.aws.amazon.com/cdk/latest/guide/home.html
-
-## Development
-
-There are different types of projects in this monorepo.
-
-1. CDK code and compile to CloudFormation or use the CDK toolkit to deploy to AWS;
-2. Runtime code and is used by our CDK code to deploy Lambda functions;
-3. Reusable code; both for use by our CDK code and or runtime code.
-
-The CDK code either deploys Accelerator-management resources or Accelerator-managed resources. See the [Operations Guide](../operations/operations-troubleshooting-guide.md) for the distinction between Accelerator-management and Accelerator-managed resources.
-
-The only language used in the project is TypeScript and exceptionally JavaScript. We do not write CloudFormation templates, only CDK code.
-
-When we want to enable functionality in a managed account we try to
-
-1. use native CloudFormation/CDK resource to enable the functionality;
-2. create a custom resource to enable the functionality;
-3. or lastly create a new step in the `Initial Setup` state machine to enable the functionality.
-
-### Project Structure
-
-The folder structure of the project is as follows:
-
-- `src/installer/cdk`: See [Installer Stack](#installer-stack);
-- `src/core/cdk`: See [Initial Setup Stack](#initial-setup-stack);
-- `src/core/runtime` See [Initial Setup Stack](#initial-setup-stack) and [Phase Steps and Phase Stacks](#phase-steps-and-phase-stacks);
-- `src/deployments/runtime` See [Phase Steps and Phase Stacks](#phase-steps-and-phase-stacks);
-- `src/deployments/cdk`: See [Phase Steps and Phase Stacks](#phase-steps-and-phase-stacks);
-- `src/lib/cdk-constructs`: See [Libraries & Tools](#libraries--tools);
-- `src/lib/common-outputs`: See [Libraries & Tools](#libraries--tools);
-- `src/lib/common-types`: See [Libraries & Tools](#libraries--tools);
-- `src/lib/accelerator-cdk`: See [Libraries & Tools](#libraries--tools);
-- `src/lib/common`: See [Libraries & Tools](#libraries--tools);
-- `src/lib/common-config`: See [Libraries & Tools](#libraries--tools);
-- `src/lib/custom-resources/**/cdk`: See [Custom Resources](#custom-resources);
-- `src/lib/custom-resources/**/runtime`: See [Custom Resources](#custom-resources);
-- `src/lib/cdk-plugin-assume-role`: See [CDK Assume Role Plugin](#cdk-assume-role-plugin).
-
-#### Installer Stack
-
-.md
-Read [Operations Guide](../operations/operations-troubleshooting-guide.md#installer-stack) first before reading this section. This section is a technical addition to the section in the Operations Guide.
-
-As stated in the Operations Guide, the `Installer` stack is responsible for installing the `Initial Setup` stack. The main resource in the `Installer` stack is the `PBMMAccel-Installer` CodePipeline. It uses the GitHub repository as source action and runs CDK in a CodeBuild step to deploy the `Initial Setup` stack.
-
-```typescript
-new codebuild.PipelineProject(stack, 'InstallerProject', {
- buildSpec: codebuild.BuildSpec.fromObject({
- version: '0.2',
- phases: {
- install: {
- 'runtime-versions': {
- nodejs: 12,
- },
- // The flag '--unsafe-perm' is necessary to run pnpm scripts in Docker
- commands: ['npm install --global pnpm', 'pnpm install --unsafe-perm'],
- },
- build: {
- commands: [
- 'cd src/core/cdk',
- 'pnpx cdk bootstrap --require-approval never',
- 'pnpx cdk deploy --require-approval never',
- ],
- },
- },
- }),
-});
-```
-
-After deploying the `Initial Setup` stack, a Lambda function runs that starts the execution of the `Initial Setup` stack's main state machine.
-
-The `Initial Setup` stack deployment gets various environment variables through the CodeBuild project. The most notable environment variables are:
-
-- `ACCELERATOR_STATE_MACHINE_NAME`: The name the main state machine in the Initial Setup stack should get. By passing the name of the state machine in the `Installer` stack we can confidently start the main state machine;
-- `ENABLE_PREBUILT_PROJECT`: See [Prebuilt Docker Image](#codebuild-and-prebuilt-docker-image).
-
-#### Initial Setup Stack
-
-Read [Operations Guide](../operations/operations-troubleshooting-guide.md#initial-setup-stack) first before reading this section. This section is a technical addition to the section in the Operations Guide.
-
-The `Initial Setup` stack is defined in the `src/core/cdk` folder.
-
-As stated in the Operations Guide, the `Initial Setup` stack consists of a state machine, named `PBMMAccel-MainStateMachine_sm`, that executes various steps to create the Accelerator-managed stacks and resources in the managed accounts.
-
-The `Initial Setup` stack is similar to the `Installer` stack, as in that it runs a CodeBuild project to deploy others stacks using CDK. In case of the `Initial Setup` stack
-
-- we use a AWS Step Functions State Machine to run the various steps instead of CodePipeline;
-- we deploy multiple stacks, called `Phase` stacks, in Accelerator-managed accounts. These `Phase` stacks contain Accelerator-managed resources.
-
-In order to install these `Phase` stacks in Accelerator-managed accounts, we need access to those accounts. We create a stack set in the master account that has instances in all Accelerator-managed accounts. This stack set contains what we call the `PipelineRole`.
-
-The code for the steps in the state machine is in `src/core/runtime`. All the steps are in different files but are compiled into a single file. We used to compile all the steps separately but we would hit a limit in the amount of parameters in the generated CloudFormation template. Each step would have its own CDK asset that would introduce three new parameters. We quickly reached the limit of 60 parameters in a CloudFormation template and decided to compile the steps into a single file and use it across all different Lambda functions.
-
-##### CodeBuild and Prebuilt Docker Image
-
-The CodeBuild project that deploys the different phases is constructed using the `CdkDeployProject` or `PrebuiltCdkDeployProject` based on the value of the environment variable `ENABLE_PREBUILT_PROJECT`.
-
-The first, `CdkDeployProject` constructs a CodeBuild project that copies the whole projects as a ZIP file to S3 using [CDK S3 assets](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-s3-assets-readme.html). This ZIP file is then used as source for the CodeBuild project. When the CodeBuild project executes, it runs `pnpm recursive install` which in turn will run all `prepare` scripts in all `package.json` files in the project -- as described in section [CDK Code Dependency on Lambda Function Code](#cdk-code-dependency-on-lambda-function-code).
-
-After installing the dependencies, the CodeBuild project deploys the `Phase` stacks.
-
-```sh
-cd src/deployments/cdk
-sh codebuild-deploy.sh
-```
-
-We have more than 20 project in the monorepo with a `prepare` script, so the `pnpm recursive install` step can take some time. Also, the CodeBuild project will run more than once per deployment.
-
-That is where the `PrebuiltCdkDeployProject` CodeBuild project comes in. The `PrebuiltCdkDeployProject` contains an Docker image that contains the whole project in the `/app` directory and has all the dependencies already built.
-
-```Dockerfile
-FROM node:12-alpine3.11
-# Install the package manager
-RUN npm install --global pnpm
-RUN mkdir /app
-WORKDIR /app
-# Copy over the project root to the /app directory
-ADD . /app/
-# Install the dependencies
-RUN pnpm install --unsafe-perm
-```
-
-When this CodeBuild project executes, it uses the Docker image as base -- the dependencies are already installed -- and runs the same commands as the `CdkDeployProject` to deploy the `Phase` stacks.
-
-##### Passing Data to Phase Steps and Phase Stacks
-
-Some steps in the state machine write data to AWS Secrets Manager or Amazon S3. This data is necessary to deploy the `Phase` stacks later on.
-
-- `Load Accounts` step: This step finds the Accelerator-managed accounts in AWS Organizations and stores the account key -- the key of the account in `mandatory-account-configs` or `workload-account-configs` object in the Accelerator config -- and account ID and other useful information in the `accelerator/accounts` secret;
-- `Load Organizations` step: More or less the same as the `Load Accounts` step but for organizational units in AWS Organizations and stores the values in `accelerator/organizations`;
-- `Load Limits` step: This step requests limit increases for Accelerator-managed accounts and stores the current limits in the `accelerator/limits` secret.
-- `Store Phase X Output`: This step loads stack outputs from all existing `Phase` stacks and stores them in S3 in the Accelerator configuration bucket that is created in the `Phase 0` stack.
-
-Other data is passed through environment variables:
-
-- `ACCELERATOR_NAME`: The name of the Accelerator;
-- `ACCELERATOR_PREFIX`: The prefix of the Accelerator;
-- `ACCELERATOR_EXECUTION_ROLE_NAME`: The name of the execution role in the Accelerator-managed accounts. This is the `PipelineRole` we created with stack sets.
-
-#### Phase Steps and Phase Stacks
-
-Read [Operations Guide](../operations/operations-troubleshooting-guide.md#initial-setup-stack) first before reading this section. This section is a technical addition to the _Deploy Phase X_ sections in the Operations Guide.
-
-The `Phase` stacks contain the Accelerator-managed resources. The reason the deployment of Accelerator-managed resources is split into different phases is because there cannot be cross account/region references between CloudFormation stacks. See [Cross-Account/Region References](#cross-accountregion-references).
-
-The file `cdk.ts` is meant as a replacement for the `cdk` CLI command. So to deploy a phase stack you would **not** run `pnpx cdk deploy` but `cdk.sh --phase 1`. This can be seen in `codebuild-deploy.sh`, the script that is run by the `Initial Setup` stack CodeBuild deploy project. See [CDK API](#cdk-api) for more information why we use the CDK API instead of using the CDK CLI.
-
-The `cdk.sh` command parses command line arguments and creates all the `cdk.App` for all accounts and regions for the given `--phase`. When you pass the `--region` or `--account-key` command, all the `cdk.App` for all accounts and regions will still be created, except that only the `cdk.App`s matching the parameters will be deployed. This behavior could be optimized in the future. See [Stacks with Same Name in Different Regions](#stacks-with-same-name-in-different-regions) for more information why we're creating multiple `cdk.App`s.
-
-##### Phases and Deployments
-
-The `cdk.ts` file calls the `deploy` method in the `apps/app.ts`. This `deploy` method loads the Accelerator configuration, accounts, organizations from AWS Secrets Managers; loads the stack outputs from S3; and loads required environment variables.
-
-```typescript
-/**
- * Input to the `deploy` method of a phase.
- */
-export interface PhaseInput {
- // The config.json file
- acceleratorConfig: AcceleratorConfig;
- // Auxiliary class to construct stacks
- accountStacks: AccountStacks;
- // The list of accounts, their key in the configuration file and their ID
- accounts: Account[];
- // The parsed environment variables
- context: Context;
- // The list of stack outputs from previous phases
- outputs: StackOutput[];
- // Auxiliary class to manage limits
- limiter: Limiter;
-}
-```
-
-It is important to note that nothing is hard-coded. The CloudFormation templates are generated by CDK and the CDK constructs are created according to the configuration file. Changes to the configuration will make changes to the CDK construct tree and that will result in a different CloudFormation file that will be deployed.
-
-The different phases are defined in `apps/phase-x.ts`. Historically we put all logic in the `phase-x.ts` files. After a while the `phase-x.ts` files started to get to big and we moved to separating the logic into separate deployments. Every logical component has a separate folder in the `deployments` folder. Every `deployment` consists of so-called steps. Separate steps are put in loaded in phases.
-
-For example, take the `deployments/defaults` deployment. The deployment consists of two steps, i.e. `step-1.ts` and `step-2.ts`. `deployments/defaults/step-1.ts` is deployed in `apps/phase-0.ts` and `deployments/defaults/step-2.ts` is called in `apps/phase-1.ts`. You can find more details about what happens in each phase in the [Operations Guide](../operations/operations-troubleshooting-guide.md).
-
-`apps/phase-0.ts`
-
-```typescript
-export async function deploy({ acceleratorConfig, accountStacks, accounts, context }: PhaseInput) {
- // Create defaults, e.g. S3 buckets, EBS encryption keys
- const defaultsResult = await defaults.step1({
- acceleratorPrefix: context.acceleratorPrefix,
- accountStacks,
- accounts,
- config: acceleratorConfig,
- });
-```
-
-`apps/phase-1.ts`
-
-```typescript
-export async function deploy({ acceleratorConfig, accountStacks, accounts, outputs }: PhaseInput) {
- // Find the central bucket in the outputs
- const centralBucket = CentralBucketOutput.getBucket({
- accountStacks,
- config: acceleratorConfig,
- outputs,
- });
-
- // Find the log bucket in the outputs
- const logBucket = LogBucketOutput.getBucket({
- accountStacks,
- config: acceleratorConfig,
- outputs,
- });
-
- // Find the account buckets in the outputs
- const accountBuckets = await defaults.step2({
- accounts,
- accountStacks,
- centralLogBucket: logBucket,
- config: acceleratorConfig,
- });
-}
-```
-
-##### Passing Outputs Between Phases
-
-The CodeBuild step that is responsible for deploying a `Phase` stack runs in the master account. We wrote a CDK plugin that allows the CDK deploy step to assume a role in the Accelerator-managed account and create the CloudFormation `Phase` stack in the managed account. See [CDK Assume Role Plugin](#cdk-assume-role-plugin).
-
-After a `Phase-X` is deployed in all Accelerator-managed accounts, a step in the `Initial Setup` state machine collects all the `Phase-X` stack outputs in all Accelerator-managed accounts and regions and stores theses outputs in S3.
-
-Then the next `Phase-X+1` deploys using the outputs from the previous `Phase-X` stacks.
-
-See [Creating Stack Outputs](#creating-stack-outputs) for helper constructs to create outputs.
-
-##### Decoupling Configuration from Constructs
-
-At the start of the project we created constructs that had tight coupling to the Accelerator config structure. The properties to instantiate a construct would sometimes have a reference to an Accelerator-specific interface. An example of this is the `Vpc` construct in `src/deployments/cdk/common/vpc.ts`.
-
-Later on in the project we started decoupling the Accelerator config from the construct properties. Good examples are in `src/lib/cdk-constructs/`.
-
-### Libraries & Tools
-
-#### CDK Assume Role Plugin
-
-At the time of writing, CDK does not support cross-account deployments of stacks. It is possible however to write a CDK plugin and implement your own credential loader for cross-account deployment.
-
-We wrote a CDK plugin that can assume a role into another account. In our case, the master account will assume the `PipelineRole` in an Accelerator-managed account to deploy stacks.
-
-#### CDK API
-
-We are using the internal CDK API to deploy the `Phase` stacks instead of the CDK CLI for various reasons:
-
-- It allows us to deploy multiple stacks in parallel;
-- Disable stack termination before destroying a stack;
-- Deleting a stack after it initially failed to create;
-- Deploying multiple apps at the same time -- see [Stacks with Same Name in Different Regions](#stacks-with-same-name-in-different-regions).
-
-The helper class `CdkToolkit` in `toolkit.ts` wraps around the CDK API.
-
-The risk of using the CDK API directly is that the CDK API can change at any time. There is no stable API yet. When upgrading the CDK version, the `CdkToolkit` wrapper might need to be adapted.
-
-#### AWS SDK Wrappers
-
-You can find `aws-sdk` wrappers in the `src/lib/common/src/aws` folder. Most of the classes and functions just wrap around `aws-sdk` classes and wrappers and promisify some calls and add exponential backoff to retryable errors. Other classes, like `Organizations` have additional functionality such as listing all the organizational units in an organization in the function `listOrganizationalUnits`.
-
-Please use the `aws-sdk` wrappers throughout the project or write an additional wrapper when necessary.
-
-#### Configuration File Parsing
-
-The configuration file is defined and validated using the [`io-ts`](https://github.com/gcanti/io-ts) library. See `src/lib/common-config/src/index.ts`. In case any changes need to be made to the configuration file parsing, this is the place to be.
-
-We wrap a class around the `AcceleratorConfig` type that contains additional helper functions. You can add your own additional helper functions.
-
-##### `AcceleratorNameTagger`
-
-`AcceleratorNameTagger` is a [CDK aspect](https://docs.aws.amazon.com/cdk/latest/guide/aspects.html) that sets the name tag on specific resources based on the construct ID of the resource.
-
-The following example illustrates its purpose.
-
-```typescript
-const stack = new cdk.Stack();
-new ec2.CfnVpc(stack, 'SharedNetwork', {});
-stack.node.applyAspect(new AcceleratorNameTagger());
-```
-
-The example above synthesizes to the following CloudFormation template.
-
-```yaml
-Resources:
- SharedNetworkAB7JKF7:
- Properties:
- Tags:
- - Key: Name
- Value: SharedNetwork_vpc
-```
-
-##### `AcceleratorStack`
-
-`AcceleratorStack` is a class that extends `cdk.Stack` and adds the `Accelerator` tag to all resources in the stack. It also applies the aspect `AcceleratorNameTagger`.
-
-It is also used by the `accelerator-name-generator` functions to find the name of the `Accelerator`.
-
-##### Name Generator
-
-The `accelerator-name-generator.ts` file contains several methods that create names for resources that are optionally prefixed with the Accelerator name, and optionally suffixed with a hash based on the path of the resource, the account ID and region of the stack.
-
-The functions should be used to create pseudo-random names for IAM roles, KMS keys, key pairs and log groups.
-
-##### `AccountStacks`
-
-`AccountStacks` is a class that manages the creation of an `AcceleratorStack` based on a given account key and region. If an account with the given account key cannot be found in the accounts object -- which is loaded by `apps/app.ts` then no stack will be created. This class is used extensively throughout the phases and deployment steps.
-
-```typescript
-export async function step1(props: CertificatesStep1Props) {
- const { accountStacks, centralBucket: centralBucket, config } = props;
-
- for (const { accountKey, certificates } of config.getCertificateConfigs()) {
- if (certificates.length === 0) {
- continue;
- }
-
- const accountStack = accountStacks.tryGetOrCreateAccountStack(accountKey);
- if (!accountStack) {
- console.warn(`Cannot find account stack ${accountKey}`);
- continue;
- }
-
- for (const certificate of certificates) {
- createCertificate({
- centralBucket,
- certificate,
- scope: accountStack,
- });
- }
- }
-}
-```
-
-##### `Vpc` and `ImportedVpc`
-
-`Vpc` is an interface in the `src/lib/cdk-constructs/src/vpc/vpc.ts` file that attempts to define an interface for a VPC. The goal of the interface is to be implemented by an actual `cdk.Construct` that implements the interface.
-
-Another goal of the interface is to provide an interface on top of imported VPC outputs. This is what the `ImportedVpc` class implements. The class loads outputs from VPC in a previous phase and implements the `Vpc` interface on top of those outputs.
-
-> _Action Item:_ Use the `ImportedVpc` class more extensively throughout the code.
-
-##### `Limiter`
-
-So far we haven't talked about limits yet. There is a step in the `Initial Setup` state machine that requests limit increases according to the desired limits in the configuration file. The step saves the current limits to the `accelerator/limits` secret. The `apps/app.ts` file load the limits and passes them as an input to the phase deployment.
-
-The `Limiter` class helps keeps track of resource we create and prevents exceeding these limits.
-
-```typescript
-for (const { ouKey, accountKey, vpcConfig, deployments } of acceleratorConfig.getVpcConfigs()) {
- if (!limiter.create(accountKey, Limit.VpcPerRegion, region)) {
- console.log(`Skipping VPC "${vpcConfig.name}" deployment.`);
- console.log(`Reached maximum VPCs per region for account "${accountKey}" and region "${region}"`);
- continue;
- }
-
- createVpc({ ouKey, accountKey, vpcConfig });
-}
-```
-
-> _Action Item:_ This functionality could be redesigned to scan all the constructs in a `cdk.App` and remove resource that are exceeding any limits.
-
-#### Creating Stack Outputs
-
-Initially we would create stack outputs like this:
-
-```typescript
-new cdk.CfnOutput(stack, 'BucketOutput', {
- value: bucket.bucketArn,
-});
-```
-
-But then we'd get a lot of outputs in a stack. We started some outputs together using JSON. This allowed us to store structured data inside the stack outputs.
-
-```typescript
-new JsonOutputValue(stack, 'Output', {
- type: 'FirewallInstanceOutput',
- value: {
- instanceId: instance.instanceId,
- name: firewallConfig.name,
- az,
- },
-});
-```
-
-Using the solution above, we'd not have type checking when reading or writing outputs. That's what the class `StructuredOutputValue` has a solution for. It uses the `io-ts` library to serialize and deserialize structured types. We use the library to deserialize the configuration too.
-
-```typescript
-export const FirewallInstanceOutput = t.interface(
- {
- id: t.string,
- name: t.string,
- az: t.string,
- },
- 'FirewallInstanceOutput',
-);
-
-export type FirewallInstanceOutput = t.TypeOf;
-
-new StructuredOutputValue(stack, 'Output', {
- type: FirewallInstanceOutput,
- value: {
- instanceId: instance.instanceId,
- name: firewallConfig.name,
- az,
- },
-});
-```
-
-And we can even improve on this a bit more.
-
-```typescript
-export const CfnFirewallInstanceOutput = createCfnStructuredOutput(FirewallInstanceOutput);
-
-new CfnFirewallInstanceOutput(stack, 'Output', {
- vpcId: vpc.ref,
- vpcName: vpcConfig.name,
-});
-```
-
-```typescript
-export const FirewallInstanceOutputFinder = createStructuredOutputFinder(FirewallInstanceOutput, () => ({}));
-
-const firewallInstances = FirewallInstanceOutputFinder.findAll({
- outputs,
- accountKey,
-});
-```
-
-Generally you would place the output type definition inside `src/lib/common-outputs` along with the output finder. Then in the deployment folder in `src/deployments/cdk/deployments` you would create an `output.ts` file where you would define the CDK output type with `createCfnStructuredOutput`. You would not define the CDK output type in `src/lib/common-outputs` since that project is also used by runtime code that does not know about CDK and CloudFormation.
-
-##### Adding Tags to Shared Resources in Destination Account
-
-There is another special type of output, `AddTagsToResourcesOutput`. It can be used to attach tags to resources that are shared into another account.
-
-```typescript
-new AddTagsToResourcesOutput(this, 'OutputSharedResourcesSubnets', {
- dependencies: sharedSubnets.map(o => o.subnet),
- produceResources: () =>
- sharedSubnets.map(o => ({
- resourceId: o.subnet.ref,
- resourceType: 'subnet',
- sourceAccountId: o.sourceAccountId,
- targetAccountIds: o.targetAccountIds,
- tags: o.subnet.tags.renderTags(),
- })),
-});
-```
-
-This will add the outputs to the stack in the account that is initiating the resource share.
-
-Next, the state machine step `Add Tags to Shared Resources` looks for all those outputs. The step will assume the `PipelineRole` in the `targetAccountIds` and attach the given tags to the shared resource.
-
-#### Custom Resources
-
-There are different ways to create a custom resource using CDK. See the [Custom Resource](#custom-resource) section for more information.
-
-All custom resource have a `README.md` that demonstrates their usage.
-
-##### Externalizing `aws-sdk`
-
-Some custom resources set the `aws-sdk` as external dependency and some do not.
-
-Example of setting `aws-sdk` as external dependency.
-
-`src/lib/custom-resources/cdk-kms-grant/runtime/package.json`
-
-```json
-{
- "externals": ["aws-lambda", "aws-sdk"],
- "dependencies": {
- "aws-lambda": "1.0.5",
- "aws-sdk": "2.631.0"
- }
-}
-```
-
-Example of setting `aws-sdk` as embedded dependency.
-
-`src/lib/custom-resources/cdk-guardduty-enable-admin/runtime/package.json`
-
-```json
-{
- "externals": ["aws-lambda"],
- "dependencies": {
- "aws-lambda": "1.0.5",
- "aws-sdk": "2.711.0"
- }
-}
-```
-
-Setting the `aws-sdk` library as external is sometimes necessary when a newer `aws-sdk` version is necessary for the Lambda runtime code. At the time of writing the NodeJS 12 runtime uses `aws-sdk` version `2.631.0`
-
-For example the method `AWS.GuardDuty.enableOrganizationAdminAccount` was only introduced in `aws-sdk` version `2.660`. That means that Webpack has to embed the `aws-sdk` version specified in `package.json` into the compiled JavaScript file. This can be achieved by removing `aws-sdk` from the `external` array.
-
-`src/lib/custom-resources/cdk-kms-grant/runtime/package.json`
-
-##### cfn-response
-
-This library helps you send a custom resource response to CloudFormation.
-
-`src/lib/custom-resources/cdk-kms-grant/runtime/src/index.ts`
-
-```typescript
-export const handler = errorHandler(onEvent);
-
-async function onEvent(event: CloudFormationCustomResourceEvent) {
- console.log(`Creating KMS grant...`);
- console.log(JSON.stringify(event, null, 2));
-
- // tslint:disable-next-line: switch-default
- switch (event.RequestType) {
- case 'Create':
- return onCreate(event);
- case 'Update':
- return onUpdate(event);
- case 'Delete':
- return onDelete(event);
- }
-}
-```
-
-##### cfn-tags
-
-This library helps you send attaching tags to resource created in a custom resource.
-
-##### webpack-base
-
-This library defines the base Webpack template to compile custom resource runtime code.
-
-`src/lib/custom-resources/cdk-kms-grant/runtime/package.json`
-
-```json
-{
- "name": "@aws-accelerator/custom-resource-kms-grant-runtime",
- "version": "0.0.1",
- "private": true,
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "source": "src/index.ts",
- "main": "dist/index.js",
- "types": "dist/index.d.ts",
- "externals": ["aws-lambda", "aws-sdk"],
- "devDependencies": {
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/aws-lambda": "8.10.46",
- "@types/node": "12.12.6",
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "webpack": "4.42.1",
- "webpack-cli": "3.3.11"
- },
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-lambda": "1.0.5",
- "aws-sdk": "2.668.0"
- }
-}
-```
-
-`src/lib/custom-resources/cdk-ec2-image-finder/runtime/webpack.config.ts`
-
-```typescript
-import { webpackConfigurationForPackage } from '@aws-accelerator/custom-resource-runtime-webpack-base';
-import pkg from './package.json';
-
-export default webpackConfigurationForPackage(pkg);
-```
-
-### Workarounds
-
-#### Stacks with Same Name in Different Regions
-
-The reason we're creating a `cdk.App` per account and per region and per phase is because stack names across environments might overlap, and at the time of writing, the CDK CLI does not handle stacks with the same name very well. For example, when there is a stack `Phase1` in `us-east-1` and another stack `Phase1` in `ca-central-1`, the stacks will both be synthesized by CDK to the `cdk.out/Phase1.template.json` file and one stack will overwrite another's output. Using multiple `cdk.App`s overcomes this issues as a different `outdir` can be set on each `cdk.App`. These `cdk.App`s are managed by the `AccountStacks` abstraction.
-
-#### Account Warming
-
-### Local Development
-
-#### Installer Stack
-
-```sh
-cd src/installer/cdk
-pnpx cdk synth
-```
-
-The installer template file is now in `cdk.out/AcceleratorInstaller.template.json`. This file can be used to install the installer stack.
-
-You can also deploy the installer stack directly from the command line but then you'd have to pass some stack parameters. See [CDK documentation: Deploying with parameters](https://docs.aws.amazon.com/cdk/latest/guide/parameters.html#parameters_deploy).
-
-```sh
-cd accelerator/installer
-pnpx cdk deploy --parameters GithubBranch=master --parameters ConfigS3Bucket=pbmmaccel-myconfigbucket
-```
-
-#### Initial Setup Stack
-
-There is a script called `cdk.sh` in `src/core/cdk` that allows you to deploy the Initial Setup stack.
-
-The script sets the required environment variables and makes sure all workspace projects are built before deploying the CDK stack.
-
-#### Phase Stacks
-
-There is a script called `cdk.sh` in `src/deployments/cdk` that allows you to deploy a phase stack straight from the command-line without having to deploy the Initial Setup stack first.
-
-The script enables development mode which means that accounts, organizations, configuration, limits and outputs will be loaded from the local environment instead of loading the values from secrets manager or S3. The local files that need to be available in the `src/deployments/cdk` folder are the following.
-
-1. `accounts.json` based on `accelerator/accounts`
-
-```json
-[
- {
- "key": "shared-network",
- "id": "000000000001",
- "arn": "arn:aws:organizations::000000000000:account/o-0123456789/000000000001",
- "name": "myacct-pbmm-shared-network",
- "email": "myacct+pbmm-mandatory-shared-network@example.com",
- "ou": "core"
- },
- {
- "key": "operations",
- "id": "000000000002",
- "arn": "arn:aws:organizations::000000000000:account/o-0123456789/000000000002",
- "name": "myacct-pbmm-operations",
- "email": "myacct+pbmm-mandatory-operations@example.com",
- "ou": "core"
- }
-]
-```
-
-2. `organizations.json` based on `accelerator/organizations`
-
-```json
-[
- {
- "ouId": "ou-0000-00000000",
- "ouArn": "arn:aws:organizations::000000000000:ou/o-0123456789/ou-0000-00000000",
- "ouName": "core",
- "ouPath": "core"
- },
- {
- "ouId": "ou-0000-00000001",
- "ouArn": "arn:aws:organizations::000000000000:ou/o-0123456789/ou-0000-00000001",
- "ouName": "prod",
- "ouPath": "prod"
- }
-]
-```
-
-3. `limits.json` based on `accelerator/limits`
-
-```json
-[
- {
- "accountKey": "shared-network",
- "limitKey": "Amazon VPC/VPCs per Region",
- "serviceCode": "vpc",
- "quotaCode": "L-F678F1CE",
- "value": 15
- },
- {
- "accountKey": "shared-network",
- "limitKey": "Amazon VPC/Interface VPC endpoints per VPC",
- "serviceCode": "vpc",
- "quotaCode": "L-29B6F2EB",
- "value": 50
- }
-]
-```
-
-4. `outputs.json` based on `outputs.json` in the Accelerator configuration bucket
-
-```json
-[
- {
- "accountKey": "shared-network",
- "outputKey": "DefaultBucketOutputC7CE5936",
- "outputValue": "{\"type\":\"AccountBucket\",\"value\":{\"bucketArn\":\"arn:aws:s3:::pbmmaccel-sharednetwork-phase1-cacentral1-18vq0emthri3h\",\"bucketName\":\"pbmmaccel-sharednetwork-phase1-cacentral1-18vq0emthri3h\",\"encryptionKeyArn\":\"arn:aws:kms:ca-central-1:0000000000001:key/d54a8acb-694c-4fc5-9afe-ca2b263cd0b3\",\"region\":\"ca-central-1\"}}"
- }
-]
-```
-
-5. `context.json` that contains the default values for values that are otherwise passed as environment variables.
-
-```json
-{
- "acceleratorName": "PBMM",
- "acceleratorPrefix": "PBMMAccel-",
- "acceleratorExecutionRoleName": "PBMMAccel-PipelineRole",
- "defaultRegion": "ca-central-1"
-}
-```
-
-6. `config.json` that contains the Accelerator configuration.
-
-The script also sets the default execution role to allow CDK to assume a role in subaccounts to deploy the phase stacks.
-
-Now that you have all the required local files you can deploy the phase stacks using `cdk.sh`.
-
-```sh
-cd src/deployments/cdk
-./cdk.sh deploy --phase 1 # deploy all phase 1 stacks
-./cdk.sh deploy --phase 1 --parallel # deploy all phase 1 stacks in parallel
-./cdk.sh deploy --phase 1 --account shared-network # deploy phase 1 stacks for account shared-network in all regions
-./cdk.sh deploy --phase 1 --region ca-central-1 # deploy phase 1 stacks for region ca-central-1 for all accounts
-./cdk.sh deploy --phase 1 --account shared-network --region ca-central-1 # deploy phase 1 stacks for account shared-network and region ca-central
-```
-
-Other CDK commands are also available.
-
-```sh
-cd src/deployments/cdk
-./cdk.sh bootstrap --phase 1
-./cdk.sh synth --phase 1
-```
-
-### Testing
-
-We use `jest` for unit testing. There are no integration tests but this could be set-up by configuring the `Installer` CodePipeline to have a webhook on the repository and deploying changes automatically.
-
-To run unit tests locally you can run the following command in the monorepo.
-
-```sh
-pnpx recursive run test -- --pass-with-no-tests --silent
-```
-
-See CDK's documentation on [Testing constructs](https://docs.aws.amazon.com/cdk/latest/guide/testing.html) for more information on how to tests CDK constructs.
-
-#### Validating Immutable Property Changes and Logical ID Changes
-
-The most important unit test in this project is one that validates that logical IDs and immutable properties do not change unexpectedly. To avoid the issues described in section [Resource Names and Logical IDs](#resource-names-and-logical-ids), [Changing Logical IDs](#changing-logical-ids) and [Changing (Immutable) Properties](#changing-immutable-properties).
-
-This test can be found in the `src/deployments/cdk/test/apps/unsupported-changes.spec.ts` file. It synthesizes the `Phase` stacks using mocked outputs and uses [`jest` snapshots](https://jestjs.io/docs/en/snapshot-testing) to compare against future changes.
-
-The test will fail when changing immutable properties or changing logical IDs of existing resources. In case the changes are expected then the snapshots will need to be updated. You can update the snapshots by running the following command.
-
-```sh
-pnpx run test -- -u
-```
-
-See [Accept Unit Test Snapshot Changes](#accept-unit-test-snapshot-changes).
-
-#### Upgrade CDK
-
-There's a test in the file `src/deployments/cdk/test/apps/unsupported-changes.spec.ts` that is currently commented out. The test takes a snapshot of the whole `Phase` stack and compares the snapshot to changes in the code.
-
-```typescript
-test('templates should stay exactly the same', () => {
- for (const [stackName, resources] of Object.entries(stackResources)) {
- // Compare the relevant properties to the snapshot
- expect(resources).toMatchSnapshot(stackName);
- }
-});
-```
-
-Before upgrading CDK we uncomment this test. We run the test to update all the snapshots. Then we update all CDK versions and run the test again to compare the snapshots with the code using the new CDK version. If the test passes, then the upgrade should be stable.
-
-> _Action Item:_ Automate this process.
-
-## Best Practices
-
-### TypeScript and NodeJS
-
-#### Handle Unhandled Promises
-
-Entrypoint TypeScript files -- files that start execution instead of just defining methods and classes -- should have the following code snippet at the start of the file.
-
-```typescript
-process.on('unhandledRejection', (reason, _) => {
- console.error(reason);
- process.exit(1);
-});
-```
-
-This prevents unhandled promise rejection errors by NodeJS. Please read https://medium.com/dailyjs/how-to-prevent-your-node-js-process-from-crashing-5d40247b8ab2 for more information.
-
-### CloudFormation
-
-#### Cross-Account/Region References
-
-When managing multiple AWS accounts, the Accelerator may need permissions to modify resources in the managed accounts. For example, a transit gateway could be created in a shared network account and it need to be shared to the perimeter account to create a VPN connection.
-
-In a single-account environment we would could just:
-
-1. create a single stack and use `!Ref` to refer to the transit gateway;
-2. or deploy two stacks
- - one stack that contains the transit gateway and creates a CloudFormation exported output that contains the transit gateway ID;
- - another stack that imports the exported output value from the previous stack and uses it to create a VPN connection.
-
-In a multi-account environment this is not possible and we had to find a way to share outputs across accounts and regions.
-
-See [Passing Outputs Between Phases](#passing-outputs-between-phases).
-
-#### Resource Names and Logical IDs
-
-Some resources, like `AWS::S3::Bucket`, can have an explicit name. Setting an explicit name can introduce some possible issues.
-
-The first issue that could occur goes as follows:
-
-- the named resource has a retention policy to retain the resource after deleting;
-- then the named resource is created through a CloudFormation stack;
-- next, an error happens while creating or updating the stack and the stack rolls back;
-- and finally the named resource is deleted from the stack but has a retention policy to retain, so the resource not be deleted;
-
-Suppose then that the stack creation issue is resolved and we retry to create the named resource through the CloudFormation stack:
-
-- the named resource is created through a CloudFormation stack;
-- the named resource will fail to create because a resource with the given name already exists.
-
-The best way to prevent this issue from happening is to not explicitly set a name for the resource and let CloudFormation generate the name.
-
-Another issue could occur when changing the logical ID of the named resource. This is documented in the following section.
-
-#### Changing Logical IDs
-
-When changing the logical ID of a resource CloudFormation assumes the resource is a new resource since it has a logical ID it does not know yet. When updating a stack, CloudFormation will always prioritize resource creation before deletion.
-
-The following issue could occur when the resource has an explicit name. CloudFormation will try to create the resource anew and will fail since a resource with the given name already exists. Example of resources where this could happen are `AWS::S3::Bucket`, `AWS::SecretManager::Secret`.
-
-#### Changing (Immutable) Properties
-
-Not only changing logical IDs could cause CloudFormation to replace resources. Changing immutable properties also cause replacement of resources. See [Update behaviors of stack resources](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement).
-
-Be especially careful when:
-
-- changing immutable properties for a named resource. Example of a resource is `AWS::Budgets::Budget`, `AWS::ElasticLoadBalancingV2::LoadBalancer`.
-- updating network interfaces for an `AWS::EC2::Instance`. Not only will this cause the instance to re-create, it will also fail to attach the network interfaces to the new EC2 instance. CloudFormation creates the new EC2 instance first before deleting the old one. It will try to attach the network interfaces to the new instance, but the network interfaces are still attached to the old instance and CloudFormation will fail.
-
-For some named resources, like `AWS::AutoScaling::LaunchConfiguration` and `AWS::Budgets::Budget`, we append a hash to the name of the resource that is based on its properties. This way when an immutable property is changed, the name will also change, and the resource will be replaced successfully. See for example `src/lib/cdk-constructs/src/autoscaling/launch-configuration.ts` and `src/lib/cdk-constructs/src//billing/budget.ts`.
-
-```typescript
-export type LaunchConfigurationProps = autoscaling.CfnLaunchConfigurationProps;
-
-/**
- * Wrapper around CfnLaunchConfiguration. The construct adds a hash to the launch configuration name that is based on
- * the launch configuration properties. The hash makes sure the launch configuration gets replaced correctly by
- * CloudFormation.
- */
-export class LaunchConfiguration extends autoscaling.CfnLaunchConfiguration {
- constructor(scope: cdk.Construct, id: string, props: LaunchConfigurationProps) {
- super(scope, id, props);
-
- if (props.launchConfigurationName) {
- const hash = hashSum({ ...props, path: this.node.path });
- this.launchConfigurationName = `${props.launchConfigurationName}-${hash}`;
- }
- }
-}
-```
-
-### CDK
-
-CDK makes heavy use of CloudFormation so all best practices that apply to CloudFormation also apply to CDK.
-
-#### Logical IDs
-
-The logical ID of a CDK component is calculated based on its path in the construct tree. Be careful moving around constructs in the construct tree -- e.g. changing the parent of a construct or nesting a construct in another construct -- as this will change the logical ID of the construct. Then you might end up with the issues described in section [Changing Logical IDs](#changing-logical-ids) and section [Changing (Immutable) Properties](#changing-immutable-properties).
-
-See [Logical ID Stability](https://docs.aws.amazon.com/cdk/latest/guide/identifiers.html#identifiers_logical_id_stability) for more information.
-
-#### Moving Resources between Nested Stacks
-
-In some cases we use nested stacks to overcome [the limit of 200 CloudFormation resources per stack](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html).
-
-In the code snippet below you can see how we generate a dynamic amount of nested stack based on the amount of interface endpoints we construct. The `InterfaceEndpoint` construct contains several CloudFormation resources so we have to be careful to not exceed the limit of 200 CloudFormation resources per nested stack. That is why we limit the amount of interface endpoints to 30 per nested stack.
-
-```typescript
-let endpointCount = 0;
-let endpointStackIndex = 0;
-let endpointStack;
-for (const endpoint of endpointConfig.endpoints) {
- if (!endpointStack || endpointCount >= 30) {
- endpointStack = new NestedStack(accountStack, `Endpoint${endpointStackIndex++}`);
- endpointCount = 0;
- }
- new InterfaceEndpoint(endpointStack, pascalCase(endpoint), {
- serviceName: endpoint,
- });
- endpointCount++;
-}
-```
-
-We have to be careful here though. Suppose the configuration file contains 40 interface endpoints. The first 30 interface endpoints will be created in the first nested stack; the next 10 interface endpoints will be created in the second nested stack. Suppose now that we remove the first nested endpoint from the configuration file. This will cause the 31st interface endpoint to become the 30th interface endpoint in the list and it will cause the interface endpoint to be moved from the second nested stack to the first nested stack. This will cause the stack updates to fail since CloudFormation will first try to create the interface endpoint in the first nested stack before removing it from the second nested stack. We do currently not support changes to the interface endpoint configuration because of this behavior.
-
-#### L1 vs. L2 Constructs
-
-See [AWS Construct library](https://docs.aws.amazon.com/cdk/latest/guide/constructs.html#constructs_lib) for an explanation on L1 and L2 constructs.
-
-The L2 constructs for EC2 and VPC do not map well onto the Accelerator-managed resources. For this reason we mostly use L1 CDK constructs -- such as `ec2.CfnVPC`, `ec2.CfnSubnet` -- instead of using L2 CDK constructs -- such as `ec2.Vpc` and `ec2.Subnet`.
-
-#### CDK Code Dependency on Lambda Function Code
-
-You can read about the distinction between CDK code and runtime code in the introduction of the [Development](#development) section.
-
-CDK code can depend on runtime code. For example when we want to create a Lambda function using CDK, we need the runtime code to define the Lambda function. We use `npm scripts`, `npm` dependencies and the `NodeJS` `modules` API to define this dependency between CDK code and runtime code.
-
-First of all, we need to create a separate folder that will contain the workspace and runtime code for our Lambda function. Throughout the project we've called these workspaces `...-lambda` but it could also be named `...-runtime`. See `src/lib/custom-resources/cdk-acm-import-certificate/runtime/package.json`.
-
-This workspace's `package.json` file needs a `prepare` script that compiles the runtime code. See [`npm-scripts`](https://docs.npmjs.com/misc/scripts).
-
-The `package.json` file also needs a `name` and a `main` entry that points to the compiled code.
-
-`runtime/package.json`
-
-```json
-{
- "name": "lambda-fn-runtime",
- "main": "dist/index.js",
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- }
-}
-```
-
-Now when another workspace depends on our Lambda function runtime code workspace, the `prepare` script will run and it will compile the Lambda function runtime code.
-
-Next, we add the dependency to the new workspace to the workspace that contains the CDK code using `pnpm` or by adding it to `package.json`.
-
-`cdk/package.json`
-
-```json
-{
- "devDependencies": {
- "lambda-fn-runtime": "workspace:^0.0.1"
- }
-}
-```
-
-In the CDK code we can now resolve the path to the compiled code using the `NodeJS` `modules` API. See [NodeJS `modules` API](https://nodejs.org/api/modules.html#modules_require_resolve_request_options).
-
-`cdk/src/index.ts`
-
-```typescript
-class LambdaFun extends cdk.Construct {
- constructor(scope: cdk.Construct, id: string) {
- super(scope, id);
-
- // Find the runtime package folder and resolves the `main` entry of `package.json`.
- // In our case this is `node_modules/lambda-fn-runtime/dist/index.js`.
- const runtimeMain = resolve.require('lambda-fn-runtime');
-
- // Find the directory containing our `index.js` file.
- // In our case this is `node_modules/lambda-fn-runtime/dist`.
- const runtimeDir = path.dirname(lambdaPath);
-
- new lambda.Function(this, 'Resource', {
- runtime: lambda.Runtime.NODEJS_12_X,
- code: lambda.Code.fromAsset(runtimeDir),
- handler: 'index.handler', // The `handler` function in `index.js`
- });
- }
-}
-```
-
-You now have a CDK Lambda function that uses the compiled Lambda function runtime code.
-
-> _Note_: The runtime code needs to be recompiled every time it changes since the `prepare` script only runs when the runtime workspace is installed.
-
-#### Custom Resource
-
-We create custom resources for functionality that is not supported natively by CloudFormation. We have two types of custom resources in this project:
-
-1. Custom resource that calls an SDK method;
-2. Custom resource that needs additional functionality and is backed by a custom Lambda function.
-
-CDK has a helper construct for the first type of custom resources. See [CDK `AwsCustomResource` documentation](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_custom-resources.AwsCustomResource.html). This helper construct is for example used in the custom resource [`ds-log-subscription`](../../../../src/lib/custom-resources/cdk-cdk-ds-log-subscription/).
-
-The second type of custom resources requires a custom Lambda function runtime as described in the previous section. For example [`acm-import-certificate`](../../../../src/lib/custom-resources/cdk-acm-import-certificate) is backed by a custom Lambda function.
-
-Only a single Lambda function is created per custom resource, account and region. This is achieved by creating only a single Lambda function in the construct tree.
-
-`src/lib/custom-resources/custom-resource/cdk/index.ts`
-
-```typescript
-class CustomResource extends cdk.Construct {
- constructor(scope: cdk.Construct, id: string, props: CustomResourceProps) {
- super(scope, id);
-
- new cdk.CustomResource(this, 'Resource', {
- resourceType: 'Custom::CustomResource',
- serviceToken: this.lambdaFunction.functionArn,
- });
- }
-
- private get lambdaFunction() {
- const constructName = `CustomResourceLambda`;
-
- const stack = cdk.Stack.of(this);
- const existing = stack.node.tryFindChild(constructName);
- if (existing) {
- return existing as lambda.Function;
- }
-
- // The package '@aws-accelerator/custom-resources/cdk-custom-resource-runtime' contains the runtime code for the custom resource
- const lambdaPath = require.resolve('@aws-accelerator/custom-resources/cdk-custom-resource-runtime');
- const lambdaDir = path.dirname(lambdaPath);
-
- return new lambda.Function(stack, constructName, {
- code: lambda.Code.fromAsset(lambdaDir),
- });
- }
-}
-```
-
-#### Escape Hatches
-
-Sometimes CDK does not support a property on a resource that CloudFormation does support. You can then override the property using the `addOverride` or `addPropertyOverride` methods on CDK CloudFormation resources. See [CDK escape hatches](https://docs.aws.amazon.com/cdk/latest/guide/cfn_layer.html).
-
-##### AutoScaling Group Metadata
-
-An example where we override metadata is when we create a launch configuration.S
-
-```typescript
-const launchConfig = new autoscaling.CfnLaunchConfiguration(this, 'LaunchConfig', { ... });
-
-launchConfig.addOverride('Metadata.AWS::CloudFormation::Authentication', {
- S3AccessCreds: {
- type: 'S3',
- roleName,
- buckets: [bucketName],
- },
-});
-
-launchConfig.addOverride('Metadata.AWS::CloudFormation::Init', {
- configSets: {
- config: ['setup'],
- },
- setup: {
- files: {
- // Add files here
- },
- services: {
- // Add services here
- },
- commands: {
- // Add commands here
- },
- },
-});
-```
-
-##### Secret `SecretValue`
-
-Another example is when we want to use `secretsmanager.Secret` and set the secret value.
-
-```typescript
-function setSecretValue(secret: secrets.Secret, value: string) {
- const cfnSecret = secret.node.defaultChild as secrets.CfnSecret; // Get the L1 resource that backs this L2 resource
- cfnSecret.addPropertyOverride('SecretString', value); // Override the property `SecretString` on the L1 resource
- cfnSecret.addPropertyDeletionOverride('GenerateSecretString'); // Delete the property `GenerateSecretString` from the L1 resource
-}
-```
-
-## Contributing Guidelines
-
-### How-to
-
-#### Adding New Functionality?
-
-Before making a change or adding new functionality you have to verify what kind of functionality is being added.
-
-- Is it an Accelerator-management change?
- - Is the change related to the `Installer` stack?
- - Is the change CDK related?
- - Make the change in `src/installer/cdk`.
- - Is the change runtime related?
- - Make the change in `src/installer/cdk/assets`.
- - Is the change related to the `Initial Setup` stack?
- - Is the change CDK related?
- - Make the change in `src/core/cdk`
- - Is the change runtime related?
- - Make the change in `src/core/runtime`
-- Is it an Accelerator-managed change?
- - Is the change related to the `Phase` stacks?
- - Is the change CDK related?
- - Make the change in `src/deployments/cdk`
- - Is the change runtime related?
- - Make the change in `src/deployments/runtime`
-
-#### Create a CDK Lambda Function with Lambda Runtime Code
-
-See [CDK Code Dependency on Lambda Function Code](#cdk-code-dependency-on-lambda-function-code) for a short introduction.
-
-#### Create a Custom Resource
-
-See [Custom Resource](#custom-resource) and [Custom Resources](#custom-resources) for a short introduction.
-
-1. Create a separate folder that will contain the CDK and Lambda function runtime code, e.g. `src/lib/custom-resources/my-custom-resource`;
-2. Create a folder `my-custom-resource` that will contain the CDK code;
- 1. Create a `package.json` file with a dependency to the `my-custom-resource/runtime` package;
- 2. Create a `cdk` folder that contains the source of the CDK code;
-3. Create a folder `my-custom-resource/runtime` that will contain the runtime code;
- 1. Create a `runtime/package.json` file with a `"name"`, `"prepare"` script and a `"main"`;
- 2. Create a `runtime/webpack.config.ts` file that compiles TypeScript code to a single JavaScript file;
- 3. Create a `runtime/src` folder that contains the source of the Lambda function runtime code;
-
-You can look at the `src/lib/custom-resources/cdk-acm-import-certificate` custom resource as an example.
-
-It is best practice to add tags to any resources that the custom resource creates using the `cfn-tags` library.
-
-#### Run All Unit Tests
-
-Run in the root of the project.
-
-```sh
-pnpm recursive run test --no-bail --stream -- --silent
-```
-
-#### Accept Unit Test Snapshot Changes
-
-Run in `src/deployments/cdk`.
-
-```sh
-pnpm run test -- -u
-```
-
-#### Validate Code with Prettier
-
-Run in the root of the project.
-
-```sh
-pnpx prettier --check **/*.ts
-```
-
-#### Format Code with Prettier
-
-Run in the root of the project.
-
-```sh
-pnpx prettier --write **/*.ts
-```
-
-#### Validate Code with `tslint`
-
-Run in the root of the project.
-
-```sh
-pnpm recursive run lint --stream --no-bail
-```
+# Developer Guide
+
+This document is a reference document. Instead of reading through it in linear order, you can use it to look up specific issues as needed.
+
+It is important to read the [Operations Guide](../operations/operations-troubleshooting-guide.md) before reading this document.
+
+## Table of Contents
+
+- [Developer Guide](#developer-guide)
+ - [Table of Contents](#table-of-contents)
+ - [Technology Stack](#technology-stack)
+ - [TypeScript and NodeJS](#typescript-and-nodejs)
+ - [pnpm](#pnpm)
+ - [prettier](#prettier)
+ - [tslint](#tslint)
+ - [CloudFormation](#cloudformation)
+ - [CDK](#cdk)
+ - [Development](#development)
+ - [Project Structure](#project-structure)
+ - [Installer Stack](#installer-stack)
+ - [Initial Setup Stack](#initial-setup-stack)
+ - [CodeBuild and Prebuilt Docker Image](#codebuild-and-prebuilt-docker-image)
+ - [Passing Data to Phase Steps and Phase Stacks](#passing-data-to-phase-steps-and-phase-stacks)
+ - [Phase Steps and Phase Stacks](#phase-steps-and-phase-stacks)
+ - [Phases and Deployments](#phases-and-deployments)
+ - [Passing Outputs Between Phases](#passing-outputs-between-phases)
+ - [Decoupling Configuration from Constructs](#decoupling-configuration-from-constructs)
+ - [Libraries & Tools](#libraries--tools)
+ - [CDK Assume Role Plugin](#cdk-assume-role-plugin)
+ - [CDK API](#cdk-api)
+ - [AWS SDK Wrappers](#aws-sdk-wrappers)
+ - [Configuration File Parsing](#configuration-file-parsing)
+ - [`AcceleratorNameTagger`](#acceleratornametagger)
+ - [`AcceleratorStack`](#acceleratorstack)
+ - [Name Generator](#name-generator)
+ - [`AccountStacks`](#accountstacks)
+ - [`Vpc` and `ImportedVpc`](#vpc-and-importedvpc)
+ - [`Limiter`](#limiter)
+ - [Creating Stack Outputs](#creating-stack-outputs)
+ - [Adding Tags to Shared Resources in Destination Account](#adding-tags-to-shared-resources-in-destination-account)
+ - [Custom Resources](#custom-resources)
+ - [Externalizing `aws-sdk`](#externalizing-aws-sdk)
+ - [cfn-response](#cfn-response)
+ - [cfn-tags](#cfn-tags)
+ - [webpack-base](#webpack-base)
+ - [Workarounds](#workarounds)
+ - [Stacks with Same Name in Different Regions](#stacks-with-same-name-in-different-regions)
+ - [Account Warming](#account-warming)
+ - [Local Development](#local-development)
+ - [Installer Stack](#installer-stack-1)
+ - [Initial Setup Stack](#initial-setup-stack-1)
+ - [Phase Stacks](#phase-stacks)
+ - [Testing](#testing)
+ - [Validating Immutable Property Changes and Logical ID Changes](#validating-immutable-property-changes-and-logical-id-changes)
+ - [Upgrade CDK](#upgrade-cdk)
+ - [Best Practices](#best-practices)
+ - [TypeScript and NodeJS](#typescript-and-nodejs-1)
+ - [Handle Unhandled Promises](#handle-unhandled-promises)
+ - [CloudFormation](#cloudformation-1)
+ - [Cross-Account/Region References](#cross-accountregion-references)
+ - [Resource Names and Logical IDs](#resource-names-and-logical-ids)
+ - [Changing Logical IDs](#changing-logical-ids)
+ - [Changing (Immutable) Properties](#changing-immutable-properties)
+ - [CDK](#cdk-1)
+ - [Logical IDs](#logical-ids)
+ - [Moving Resources between Nested Stacks](#moving-resources-between-nested-stacks)
+ - [L1 vs. L2 Constructs](#l1-vs-l2-constructs)
+ - [CDK Code Dependency on Lambda Function Code](#cdk-code-dependency-on-lambda-function-code)
+ - [Custom Resource](#custom-resource)
+ - [Escape Hatches](#escape-hatches)
+ - [AutoScaling Group Metadata](#autoscaling-group-metadata)
+ - [Secret `SecretValue`](#secret-secretvalue)
+ - [Contributing Guidelines](#contributing-guidelines)
+ - [How-to](#how-to)
+ - [Adding New Functionality?](#adding-new-functionality)
+ - [Create a CDK Lambda Function with Lambda Runtime Code](#create-a-cdk-lambda-function-with-lambda-runtime-code)
+ - [Create a Custom Resource](#create-a-custom-resource)
+ - [Run All Unit Tests](#run-all-unit-tests)
+ - [Accept Unit Test Snapshot Changes](#accept-unit-test-snapshot-changes)
+ - [Validate Code with Prettier](#validate-code-with-prettier)
+ - [Format Code with Prettier](#format-code-with-prettier)
+ - [Validate Code with `tslint`](#validate-code-with-tslint)
+
+## Technology Stack
+
+We use TypeScript, NodeJS, CDK and CloudFormation. You can find some more information in the sections below.
+
+### TypeScript and NodeJS
+
+In the following sections we describe the tools and libraries used along with TypeScript.
+
+#### pnpm
+
+We use the `pnpm` package manager along with `pnpm workspaces` to manage all the packages in this monorepo.
+
+https://pnpm.js.org
+
+https://pnpm.js.org/en/workspaces
+
+The binary `pnpx` can be used to run binaries that belong to `pnpm` packages in the workspace.
+
+https://pnpm.js.org/en/pnpx-cli
+
+#### prettier
+
+We use [`prettier`](https://prettier.io) to format code in this repository. A GitHub action makes sure that all the code in a pull requests adheres to the configured `prettier` rules. See [Github Actions](#github-actions).
+
+#### tslint
+
+We use [`tslint`](https://palantir.github.io/tslint) as a static analysis tool that checks our TypeScript code. A GitHub action makes sure that all the code in a pull requests adheres to the configured `tslint` rules. See [Github Actions](#github-actions).
+
+> _Action Item:_ Migrate to `eslint` as `tslint` is deprecated but is still being used by this project. We can look at [`aws-cdk` pull request #8946](https://github.com/aws/aws-cdk/pull/8946) as an example to migrate.
+
+### CloudFormation
+
+CloudFormation is used to deploy both the Accelerator stacks and resources and the deployed stacks and resources. See [Operations Guide: System Overview](../operations/operations-troubleshooting-guide.md) for the distinction between Accelerator resources and deployed resources.
+
+### CDK
+
+https://docs.aws.amazon.com/cdk/latest/guide/home.html
+
+## Development
+
+There are different types of projects in this monorepo.
+
+1. CDK code and compile to CloudFormation or use the CDK toolkit to deploy to AWS;
+2. Runtime code and is used by our CDK code to deploy Lambda functions;
+3. Reusable code; both for use by our CDK code and or runtime code.
+
+The CDK code either deploys Accelerator-management resources or Accelerator-managed resources. See the [Operations Guide](../operations/operations-troubleshooting-guide.md) for the distinction between Accelerator-management and Accelerator-managed resources.
+
+The only language used in the project is TypeScript and exceptionally JavaScript. We do not write CloudFormation templates, only CDK code.
+
+When we want to enable functionality in a managed account we try to
+
+1. use native CloudFormation/CDK resource to enable the functionality;
+2. create a custom resource to enable the functionality;
+3. or lastly create a new step in the `Initial Setup` state machine to enable the functionality.
+
+### Project Structure
+
+The folder structure of the project is as follows:
+
+- `src/installer/cdk`: See [Installer Stack](#installer-stack);
+- `src/core/cdk`: See [Initial Setup Stack](#initial-setup-stack);
+- `src/core/runtime` See [Initial Setup Stack](#initial-setup-stack) and [Phase Steps and Phase Stacks](#phase-steps-and-phase-stacks);
+- `src/deployments/runtime` See [Phase Steps and Phase Stacks](#phase-steps-and-phase-stacks);
+- `src/deployments/cdk`: See [Phase Steps and Phase Stacks](#phase-steps-and-phase-stacks);
+- `src/lib/cdk-constructs`: See [Libraries & Tools](#libraries--tools);
+- `src/lib/common-outputs`: See [Libraries & Tools](#libraries--tools);
+- `src/lib/common-types`: See [Libraries & Tools](#libraries--tools);
+- `src/lib/accelerator-cdk`: See [Libraries & Tools](#libraries--tools);
+- `src/lib/common`: See [Libraries & Tools](#libraries--tools);
+- `src/lib/common-config`: See [Libraries & Tools](#libraries--tools);
+- `src/lib/custom-resources/**/cdk`: See [Custom Resources](#custom-resources);
+- `src/lib/custom-resources/**/runtime`: See [Custom Resources](#custom-resources);
+- `src/lib/cdk-plugin-assume-role`: See [CDK Assume Role Plugin](#cdk-assume-role-plugin).
+
+#### Installer Stack
+
+.md
+Read [Operations Guide](../operations/operations-troubleshooting-guide.md#installer-stack) first before reading this section. This section is a technical addition to the section in the Operations Guide.
+
+As stated in the Operations Guide, the `Installer` stack is responsible for installing the `Initial Setup` stack. The main resource in the `Installer` stack is the `PBMMAccel-Installer` CodePipeline. It uses the GitHub repository as source action and runs CDK in a CodeBuild step to deploy the `Initial Setup` stack.
+
+```typescript
+new codebuild.PipelineProject(stack, 'InstallerProject', {
+ buildSpec: codebuild.BuildSpec.fromObject({
+ version: '0.2',
+ phases: {
+ install: {
+ 'runtime-versions': {
+ nodejs: 12,
+ },
+ // The flag '--unsafe-perm' is necessary to run pnpm scripts in Docker
+ commands: ['npm install --global pnpm', 'pnpm install --unsafe-perm'],
+ },
+ build: {
+ commands: [
+ 'cd src/core/cdk',
+ 'pnpx cdk bootstrap --require-approval never',
+ 'pnpx cdk deploy --require-approval never',
+ ],
+ },
+ },
+ }),
+});
+```
+
+After deploying the `Initial Setup` stack, a Lambda function runs that starts the execution of the `Initial Setup` stack's main state machine.
+
+The `Initial Setup` stack deployment gets various environment variables through the CodeBuild project. The most notable environment variables are:
+
+- `ACCELERATOR_STATE_MACHINE_NAME`: The name the main state machine in the Initial Setup stack should get. By passing the name of the state machine in the `Installer` stack we can confidently start the main state machine;
+- `ENABLE_PREBUILT_PROJECT`: See [Prebuilt Docker Image](#codebuild-and-prebuilt-docker-image).
+
+#### Initial Setup Stack
+
+Read [Operations Guide](../operations/operations-troubleshooting-guide.md#initial-setup-stack) first before reading this section. This section is a technical addition to the section in the Operations Guide.
+
+The `Initial Setup` stack is defined in the `src/core/cdk` folder.
+
+As stated in the Operations Guide, the `Initial Setup` stack consists of a state machine, named `PBMMAccel-MainStateMachine_sm`, that executes various steps to create the Accelerator-managed stacks and resources in the managed accounts.
+
+The `Initial Setup` stack is similar to the `Installer` stack, as in that it runs a CodeBuild project to deploy others stacks using CDK. In case of the `Initial Setup` stack
+
+- we use a AWS Step Functions State Machine to run the various steps instead of CodePipeline;
+- we deploy multiple stacks, called `Phase` stacks, in Accelerator-managed accounts. These `Phase` stacks contain Accelerator-managed resources.
+
+In order to install these `Phase` stacks in Accelerator-managed accounts, we need access to those accounts. We create a stack set in the master account that has instances in all Accelerator-managed accounts. This stack set contains what we call the `PipelineRole`.
+
+The code for the steps in the state machine is in `src/core/runtime`. All the steps are in different files but are compiled into a single file. We used to compile all the steps separately but we would hit a limit in the amount of parameters in the generated CloudFormation template. Each step would have its own CDK asset that would introduce three new parameters. We quickly reached the limit of 60 parameters in a CloudFormation template and decided to compile the steps into a single file and use it across all different Lambda functions.
+
+##### CodeBuild and Prebuilt Docker Image
+
+The CodeBuild project that deploys the different phases is constructed using the `CdkDeployProject` or `PrebuiltCdkDeployProject` based on the value of the environment variable `ENABLE_PREBUILT_PROJECT`.
+
+The first, `CdkDeployProject` constructs a CodeBuild project that copies the whole projects as a ZIP file to S3 using [CDK S3 assets](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-s3-assets-readme.html). This ZIP file is then used as source for the CodeBuild project. When the CodeBuild project executes, it runs `pnpm recursive install` which in turn will run all `prepare` scripts in all `package.json` files in the project -- as described in section [CDK Code Dependency on Lambda Function Code](#cdk-code-dependency-on-lambda-function-code).
+
+After installing the dependencies, the CodeBuild project deploys the `Phase` stacks.
+
+```sh
+cd src/deployments/cdk
+sh codebuild-deploy.sh
+```
+
+We have more than 20 project in the monorepo with a `prepare` script, so the `pnpm recursive install` step can take some time. Also, the CodeBuild project will run more than once per deployment.
+
+That is where the `PrebuiltCdkDeployProject` CodeBuild project comes in. The `PrebuiltCdkDeployProject` contains an Docker image that contains the whole project in the `/app` directory and has all the dependencies already built.
+
+```Dockerfile
+FROM node:12-alpine3.11
+# Install the package manager
+RUN npm install --global pnpm
+RUN mkdir /app
+WORKDIR /app
+# Copy over the project root to the /app directory
+ADD . /app/
+# Install the dependencies
+RUN pnpm install --unsafe-perm
+```
+
+When this CodeBuild project executes, it uses the Docker image as base -- the dependencies are already installed -- and runs the same commands as the `CdkDeployProject` to deploy the `Phase` stacks.
+
+##### Passing Data to Phase Steps and Phase Stacks
+
+Some steps in the state machine write data to AWS Secrets Manager or Amazon S3. This data is necessary to deploy the `Phase` stacks later on.
+
+- `Load Accounts` step: This step finds the Accelerator-managed accounts in AWS Organizations and stores the account key -- the key of the account in `mandatory-account-configs` or `workload-account-configs` object in the Accelerator config -- and account ID and other useful information in the `accelerator/accounts` secret;
+- `Load Organizations` step: More or less the same as the `Load Accounts` step but for organizational units in AWS Organizations and stores the values in `accelerator/organizations`;
+- `Load Limits` step: This step requests limit increases for Accelerator-managed accounts and stores the current limits in the `accelerator/limits` secret.
+- `Store Phase X Output`: This step loads stack outputs from all existing `Phase` stacks and stores them in S3 in the Accelerator configuration bucket that is created in the `Phase 0` stack.
+
+Other data is passed through environment variables:
+
+- `ACCELERATOR_NAME`: The name of the Accelerator;
+- `ACCELERATOR_PREFIX`: The prefix of the Accelerator;
+- `ACCELERATOR_EXECUTION_ROLE_NAME`: The name of the execution role in the Accelerator-managed accounts. This is the `PipelineRole` we created with stack sets.
+
+#### Phase Steps and Phase Stacks
+
+Read [Operations Guide](../operations/operations-troubleshooting-guide.md#initial-setup-stack) first before reading this section. This section is a technical addition to the _Deploy Phase X_ sections in the Operations Guide.
+
+The `Phase` stacks contain the Accelerator-managed resources. The reason the deployment of Accelerator-managed resources is split into different phases is because there cannot be cross account/region references between CloudFormation stacks. See [Cross-Account/Region References](#cross-accountregion-references).
+
+The file `cdk.ts` is meant as a replacement for the `cdk` CLI command. So to deploy a phase stack you would **not** run `pnpx cdk deploy` but `cdk.sh --phase 1`. This can be seen in `codebuild-deploy.sh`, the script that is run by the `Initial Setup` stack CodeBuild deploy project. See [CDK API](#cdk-api) for more information why we use the CDK API instead of using the CDK CLI.
+
+The `cdk.sh` command parses command line arguments and creates all the `cdk.App` for all accounts and regions for the given `--phase`. When you pass the `--region` or `--account-key` command, all the `cdk.App` for all accounts and regions will still be created, except that only the `cdk.App`s matching the parameters will be deployed. This behavior could be optimized in the future. See [Stacks with Same Name in Different Regions](#stacks-with-same-name-in-different-regions) for more information why we're creating multiple `cdk.App`s.
+
+##### Phases and Deployments
+
+The `cdk.ts` file calls the `deploy` method in the `apps/app.ts`. This `deploy` method loads the Accelerator configuration, accounts, organizations from AWS Secrets Managers; loads the stack outputs from S3; and loads required environment variables.
+
+```typescript
+/**
+ * Input to the `deploy` method of a phase.
+ */
+export interface PhaseInput {
+ // The config.json file
+ acceleratorConfig: AcceleratorConfig;
+ // Auxiliary class to construct stacks
+ accountStacks: AccountStacks;
+ // The list of accounts, their key in the configuration file and their ID
+ accounts: Account[];
+ // The parsed environment variables
+ context: Context;
+ // The list of stack outputs from previous phases
+ outputs: StackOutput[];
+ // Auxiliary class to manage limits
+ limiter: Limiter;
+}
+```
+
+It is important to note that nothing is hard-coded. The CloudFormation templates are generated by CDK and the CDK constructs are created according to the configuration file. Changes to the configuration will make changes to the CDK construct tree and that will result in a different CloudFormation file that will be deployed.
+
+The different phases are defined in `apps/phase-x.ts`. Historically we put all logic in the `phase-x.ts` files. After a while the `phase-x.ts` files started to get to big and we moved to separating the logic into separate deployments. Every logical component has a separate folder in the `deployments` folder. Every `deployment` consists of so-called steps. Separate steps are put in loaded in phases.
+
+For example, take the `deployments/defaults` deployment. The deployment consists of two steps, i.e. `step-1.ts` and `step-2.ts`. `deployments/defaults/step-1.ts` is deployed in `apps/phase-0.ts` and `deployments/defaults/step-2.ts` is called in `apps/phase-1.ts`. You can find more details about what happens in each phase in the [Operations Guide](../operations/operations-troubleshooting-guide.md).
+
+`apps/phase-0.ts`
+
+```typescript
+export async function deploy({ acceleratorConfig, accountStacks, accounts, context }: PhaseInput) {
+ // Create defaults, e.g. S3 buckets, EBS encryption keys
+ const defaultsResult = await defaults.step1({
+ acceleratorPrefix: context.acceleratorPrefix,
+ accountStacks,
+ accounts,
+ config: acceleratorConfig,
+ });
+```
+
+`apps/phase-1.ts`
+
+```typescript
+export async function deploy({ acceleratorConfig, accountStacks, accounts, outputs }: PhaseInput) {
+ // Find the central bucket in the outputs
+ const centralBucket = CentralBucketOutput.getBucket({
+ accountStacks,
+ config: acceleratorConfig,
+ outputs,
+ });
+
+ // Find the log bucket in the outputs
+ const logBucket = LogBucketOutput.getBucket({
+ accountStacks,
+ config: acceleratorConfig,
+ outputs,
+ });
+
+ // Find the account buckets in the outputs
+ const accountBuckets = await defaults.step2({
+ accounts,
+ accountStacks,
+ centralLogBucket: logBucket,
+ config: acceleratorConfig,
+ });
+}
+```
+
+##### Passing Outputs Between Phases
+
+The CodeBuild step that is responsible for deploying a `Phase` stack runs in the master account. We wrote a CDK plugin that allows the CDK deploy step to assume a role in the Accelerator-managed account and create the CloudFormation `Phase` stack in the managed account. See [CDK Assume Role Plugin](#cdk-assume-role-plugin).
+
+After a `Phase-X` is deployed in all Accelerator-managed accounts, a step in the `Initial Setup` state machine collects all the `Phase-X` stack outputs in all Accelerator-managed accounts and regions and stores theses outputs in S3.
+
+Then the next `Phase-X+1` deploys using the outputs from the previous `Phase-X` stacks.
+
+See [Creating Stack Outputs](#creating-stack-outputs) for helper constructs to create outputs.
+
+##### Decoupling Configuration from Constructs
+
+At the start of the project we created constructs that had tight coupling to the Accelerator config structure. The properties to instantiate a construct would sometimes have a reference to an Accelerator-specific interface. An example of this is the `Vpc` construct in `src/deployments/cdk/common/vpc.ts`.
+
+Later on in the project we started decoupling the Accelerator config from the construct properties. Good examples are in `src/lib/cdk-constructs/`.
+
+### Libraries & Tools
+
+#### CDK Assume Role Plugin
+
+At the time of writing, CDK does not support cross-account deployments of stacks. It is possible however to write a CDK plugin and implement your own credential loader for cross-account deployment.
+
+We wrote a CDK plugin that can assume a role into another account. In our case, the master account will assume the `PipelineRole` in an Accelerator-managed account to deploy stacks.
+
+#### CDK API
+
+We are using the internal CDK API to deploy the `Phase` stacks instead of the CDK CLI for various reasons:
+
+- It allows us to deploy multiple stacks in parallel;
+- Disable stack termination before destroying a stack;
+- Deleting a stack after it initially failed to create;
+- Deploying multiple apps at the same time -- see [Stacks with Same Name in Different Regions](#stacks-with-same-name-in-different-regions).
+
+The helper class `CdkToolkit` in `toolkit.ts` wraps around the CDK API.
+
+The risk of using the CDK API directly is that the CDK API can change at any time. There is no stable API yet. When upgrading the CDK version, the `CdkToolkit` wrapper might need to be adapted.
+
+#### AWS SDK Wrappers
+
+You can find `aws-sdk` wrappers in the `src/lib/common/src/aws` folder. Most of the classes and functions just wrap around `aws-sdk` classes and wrappers and promisify some calls and add exponential backoff to retryable errors. Other classes, like `Organizations` have additional functionality such as listing all the organizational units in an organization in the function `listOrganizationalUnits`.
+
+Please use the `aws-sdk` wrappers throughout the project or write an additional wrapper when necessary.
+
+#### Configuration File Parsing
+
+The configuration file is defined and validated using the [`io-ts`](https://github.com/gcanti/io-ts) library. See `src/lib/common-config/src/index.ts`. In case any changes need to be made to the configuration file parsing, this is the place to be.
+
+We wrap a class around the `AcceleratorConfig` type that contains additional helper functions. You can add your own additional helper functions.
+
+##### `AcceleratorNameTagger`
+
+`AcceleratorNameTagger` is a [CDK aspect](https://docs.aws.amazon.com/cdk/latest/guide/aspects.html) that sets the name tag on specific resources based on the construct ID of the resource.
+
+The following example illustrates its purpose.
+
+```typescript
+const stack = new cdk.Stack();
+new ec2.CfnVpc(stack, 'SharedNetwork', {});
+stack.node.applyAspect(new AcceleratorNameTagger());
+```
+
+The example above synthesizes to the following CloudFormation template.
+
+```yaml
+Resources:
+ SharedNetworkAB7JKF7:
+ Properties:
+ Tags:
+ - Key: Name
+ Value: SharedNetwork_vpc
+```
+
+##### `AcceleratorStack`
+
+`AcceleratorStack` is a class that extends `cdk.Stack` and adds the `Accelerator` tag to all resources in the stack. It also applies the aspect `AcceleratorNameTagger`.
+
+It is also used by the `accelerator-name-generator` functions to find the name of the `Accelerator`.
+
+##### Name Generator
+
+The `accelerator-name-generator.ts` file contains several methods that create names for resources that are optionally prefixed with the Accelerator name, and optionally suffixed with a hash based on the path of the resource, the account ID and region of the stack.
+
+The functions should be used to create pseudo-random names for IAM roles, KMS keys, key pairs and log groups.
+
+##### `AccountStacks`
+
+`AccountStacks` is a class that manages the creation of an `AcceleratorStack` based on a given account key and region. If an account with the given account key cannot be found in the accounts object -- which is loaded by `apps/app.ts` then no stack will be created. This class is used extensively throughout the phases and deployment steps.
+
+```typescript
+export async function step1(props: CertificatesStep1Props) {
+ const { accountStacks, centralBucket: centralBucket, config } = props;
+
+ for (const { accountKey, certificates } of config.getCertificateConfigs()) {
+ if (certificates.length === 0) {
+ continue;
+ }
+
+ const accountStack = accountStacks.tryGetOrCreateAccountStack(accountKey);
+ if (!accountStack) {
+ console.warn(`Cannot find account stack ${accountKey}`);
+ continue;
+ }
+
+ for (const certificate of certificates) {
+ createCertificate({
+ centralBucket,
+ certificate,
+ scope: accountStack,
+ });
+ }
+ }
+}
+```
+
+##### `Vpc` and `ImportedVpc`
+
+`Vpc` is an interface in the `src/lib/cdk-constructs/src/vpc/vpc.ts` file that attempts to define an interface for a VPC. The goal of the interface is to be implemented by an actual `cdk.Construct` that implements the interface.
+
+Another goal of the interface is to provide an interface on top of imported VPC outputs. This is what the `ImportedVpc` class implements. The class loads outputs from VPC in a previous phase and implements the `Vpc` interface on top of those outputs.
+
+> _Action Item:_ Use the `ImportedVpc` class more extensively throughout the code.
+
+##### `Limiter`
+
+So far we haven't talked about limits yet. There is a step in the `Initial Setup` state machine that requests limit increases according to the desired limits in the configuration file. The step saves the current limits to the `accelerator/limits` secret. The `apps/app.ts` file load the limits and passes them as an input to the phase deployment.
+
+The `Limiter` class helps keeps track of resource we create and prevents exceeding these limits.
+
+```typescript
+for (const { ouKey, accountKey, vpcConfig, deployments } of acceleratorConfig.getVpcConfigs()) {
+ if (!limiter.create(accountKey, Limit.VpcPerRegion, region)) {
+ console.log(`Skipping VPC "${vpcConfig.name}" deployment.`);
+ console.log(`Reached maximum VPCs per region for account "${accountKey}" and region "${region}"`);
+ continue;
+ }
+
+ createVpc({ ouKey, accountKey, vpcConfig });
+}
+```
+
+> _Action Item:_ This functionality could be redesigned to scan all the constructs in a `cdk.App` and remove resource that are exceeding any limits.
+
+#### Creating Stack Outputs
+
+Initially we would create stack outputs like this:
+
+```typescript
+new cdk.CfnOutput(stack, 'BucketOutput', {
+ value: bucket.bucketArn,
+});
+```
+
+But then we'd get a lot of outputs in a stack. We started some outputs together using JSON. This allowed us to store structured data inside the stack outputs.
+
+```typescript
+new JsonOutputValue(stack, 'Output', {
+ type: 'FirewallInstanceOutput',
+ value: {
+ instanceId: instance.instanceId,
+ name: firewallConfig.name,
+ az,
+ },
+});
+```
+
+Using the solution above, we'd not have type checking when reading or writing outputs. That's what the class `StructuredOutputValue` has a solution for. It uses the `io-ts` library to serialize and deserialize structured types. We use the library to deserialize the configuration too.
+
+```typescript
+export const FirewallInstanceOutput = t.interface(
+ {
+ id: t.string,
+ name: t.string,
+ az: t.string,
+ },
+ 'FirewallInstanceOutput',
+);
+
+export type FirewallInstanceOutput = t.TypeOf;
+
+new StructuredOutputValue(stack, 'Output', {
+ type: FirewallInstanceOutput,
+ value: {
+ instanceId: instance.instanceId,
+ name: firewallConfig.name,
+ az,
+ },
+});
+```
+
+And we can even improve on this a bit more.
+
+```typescript
+export const CfnFirewallInstanceOutput = createCfnStructuredOutput(FirewallInstanceOutput);
+
+new CfnFirewallInstanceOutput(stack, 'Output', {
+ vpcId: vpc.ref,
+ vpcName: vpcConfig.name,
+});
+```
+
+```typescript
+export const FirewallInstanceOutputFinder = createStructuredOutputFinder(FirewallInstanceOutput, () => ({}));
+
+const firewallInstances = FirewallInstanceOutputFinder.findAll({
+ outputs,
+ accountKey,
+});
+```
+
+Generally you would place the output type definition inside `src/lib/common-outputs` along with the output finder. Then in the deployment folder in `src/deployments/cdk/deployments` you would create an `output.ts` file where you would define the CDK output type with `createCfnStructuredOutput`. You would not define the CDK output type in `src/lib/common-outputs` since that project is also used by runtime code that does not know about CDK and CloudFormation.
+
+##### Adding Tags to Shared Resources in Destination Account
+
+There is another special type of output, `AddTagsToResourcesOutput`. It can be used to attach tags to resources that are shared into another account.
+
+```typescript
+new AddTagsToResourcesOutput(this, 'OutputSharedResourcesSubnets', {
+ dependencies: sharedSubnets.map(o => o.subnet),
+ produceResources: () =>
+ sharedSubnets.map(o => ({
+ resourceId: o.subnet.ref,
+ resourceType: 'subnet',
+ sourceAccountId: o.sourceAccountId,
+ targetAccountIds: o.targetAccountIds,
+ tags: o.subnet.tags.renderTags(),
+ })),
+});
+```
+
+This will add the outputs to the stack in the account that is initiating the resource share.
+
+Next, the state machine step `Add Tags to Shared Resources` looks for all those outputs. The step will assume the `PipelineRole` in the `targetAccountIds` and attach the given tags to the shared resource.
+
+#### Custom Resources
+
+There are different ways to create a custom resource using CDK. See the [Custom Resource](#custom-resource) section for more information.
+
+All custom resource have a `README.md` that demonstrates their usage.
+
+##### Externalizing `aws-sdk`
+
+Some custom resources set the `aws-sdk` as external dependency and some do not.
+
+Example of setting `aws-sdk` as external dependency.
+
+`src/lib/custom-resources/cdk-kms-grant/runtime/package.json`
+
+```json
+{
+ "externals": ["aws-lambda", "aws-sdk"],
+ "dependencies": {
+ "aws-lambda": "1.0.5",
+ "aws-sdk": "2.631.0"
+ }
+}
+```
+
+Example of setting `aws-sdk` as embedded dependency.
+
+`src/lib/custom-resources/cdk-guardduty-enable-admin/runtime/package.json`
+
+```json
+{
+ "externals": ["aws-lambda"],
+ "dependencies": {
+ "aws-lambda": "1.0.5",
+ "aws-sdk": "2.711.0"
+ }
+}
+```
+
+Setting the `aws-sdk` library as external is sometimes necessary when a newer `aws-sdk` version is necessary for the Lambda runtime code. At the time of writing the NodeJS 12 runtime uses `aws-sdk` version `2.631.0`
+
+For example the method `AWS.GuardDuty.enableOrganizationAdminAccount` was only introduced in `aws-sdk` version `2.660`. That means that Webpack has to embed the `aws-sdk` version specified in `package.json` into the compiled JavaScript file. This can be achieved by removing `aws-sdk` from the `external` array.
+
+`src/lib/custom-resources/cdk-kms-grant/runtime/package.json`
+
+##### cfn-response
+
+This library helps you send a custom resource response to CloudFormation.
+
+`src/lib/custom-resources/cdk-kms-grant/runtime/src/index.ts`
+
+```typescript
+export const handler = errorHandler(onEvent);
+
+async function onEvent(event: CloudFormationCustomResourceEvent) {
+ console.log(`Creating KMS grant...`);
+ console.log(JSON.stringify(event, null, 2));
+
+ // tslint:disable-next-line: switch-default
+ switch (event.RequestType) {
+ case 'Create':
+ return onCreate(event);
+ case 'Update':
+ return onUpdate(event);
+ case 'Delete':
+ return onDelete(event);
+ }
+}
+```
+
+##### cfn-tags
+
+This library helps you send attaching tags to resource created in a custom resource.
+
+##### webpack-base
+
+This library defines the base Webpack template to compile custom resource runtime code.
+
+`src/lib/custom-resources/cdk-kms-grant/runtime/package.json`
+
+```json
+{
+ "name": "@aws-accelerator/custom-resource-kms-grant-runtime",
+ "version": "0.0.1",
+ "private": true,
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "source": "src/index.ts",
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts",
+ "externals": ["aws-lambda", "aws-sdk"],
+ "devDependencies": {
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/aws-lambda": "8.10.46",
+ "@types/node": "12.12.6",
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "webpack": "4.42.1",
+ "webpack-cli": "3.3.11"
+ },
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-lambda": "1.0.5",
+ "aws-sdk": "2.668.0"
+ }
+}
+```
+
+`src/lib/custom-resources/cdk-ec2-image-finder/runtime/webpack.config.ts`
+
+```typescript
+import { webpackConfigurationForPackage } from '@aws-accelerator/custom-resource-runtime-webpack-base';
+import pkg from './package.json';
+
+export default webpackConfigurationForPackage(pkg);
+```
+
+### Workarounds
+
+#### Stacks with Same Name in Different Regions
+
+The reason we're creating a `cdk.App` per account and per region and per phase is because stack names across environments might overlap, and at the time of writing, the CDK CLI does not handle stacks with the same name very well. For example, when there is a stack `Phase1` in `us-east-1` and another stack `Phase1` in `ca-central-1`, the stacks will both be synthesized by CDK to the `cdk.out/Phase1.template.json` file and one stack will overwrite another's output. Using multiple `cdk.App`s overcomes this issues as a different `outdir` can be set on each `cdk.App`. These `cdk.App`s are managed by the `AccountStacks` abstraction.
+
+#### Account Warming
+
+### Local Development
+
+#### Installer Stack
+
+```sh
+cd src/installer/cdk
+pnpx cdk synth
+```
+
+The installer template file is now in `cdk.out/AcceleratorInstaller.template.json`. This file can be used to install the installer stack.
+
+You can also deploy the installer stack directly from the command line but then you'd have to pass some stack parameters. See [CDK documentation: Deploying with parameters](https://docs.aws.amazon.com/cdk/latest/guide/parameters.html#parameters_deploy).
+
+```sh
+cd accelerator/installer
+pnpx cdk deploy --parameters GithubBranch=master --parameters ConfigS3Bucket=pbmmaccel-myconfigbucket
+```
+
+#### Initial Setup Stack
+
+There is a script called `cdk.sh` in `src/core/cdk` that allows you to deploy the Initial Setup stack.
+
+The script sets the required environment variables and makes sure all workspace projects are built before deploying the CDK stack.
+
+#### Phase Stacks
+
+There is a script called `cdk.sh` in `src/deployments/cdk` that allows you to deploy a phase stack straight from the command-line without having to deploy the Initial Setup stack first.
+
+The script enables development mode which means that accounts, organizations, configuration, limits and outputs will be loaded from the local environment instead of loading the values from secrets manager or S3. The local files that need to be available in the `src/deployments/cdk` folder are the following.
+
+1. `accounts.json` based on `accelerator/accounts`
+
+```json
+[
+ {
+ "key": "shared-network",
+ "id": "000000000001",
+ "arn": "arn:aws:organizations::000000000000:account/o-0123456789/000000000001",
+ "name": "myacct-pbmm-shared-network",
+ "email": "myacct+pbmm-mandatory-shared-network@example.com",
+ "ou": "core"
+ },
+ {
+ "key": "operations",
+ "id": "000000000002",
+ "arn": "arn:aws:organizations::000000000000:account/o-0123456789/000000000002",
+ "name": "myacct-pbmm-operations",
+ "email": "myacct+pbmm-mandatory-operations@example.com",
+ "ou": "core"
+ }
+]
+```
+
+2. `organizations.json` based on `accelerator/organizations`
+
+```json
+[
+ {
+ "ouId": "ou-0000-00000000",
+ "ouArn": "arn:aws:organizations::000000000000:ou/o-0123456789/ou-0000-00000000",
+ "ouName": "core",
+ "ouPath": "core"
+ },
+ {
+ "ouId": "ou-0000-00000001",
+ "ouArn": "arn:aws:organizations::000000000000:ou/o-0123456789/ou-0000-00000001",
+ "ouName": "prod",
+ "ouPath": "prod"
+ }
+]
+```
+
+3. `limits.json` based on `accelerator/limits`
+
+```json
+[
+ {
+ "accountKey": "shared-network",
+ "limitKey": "Amazon VPC/VPCs per Region",
+ "serviceCode": "vpc",
+ "quotaCode": "L-F678F1CE",
+ "value": 15
+ },
+ {
+ "accountKey": "shared-network",
+ "limitKey": "Amazon VPC/Interface VPC endpoints per VPC",
+ "serviceCode": "vpc",
+ "quotaCode": "L-29B6F2EB",
+ "value": 50
+ }
+]
+```
+
+4. `outputs.json` based on `outputs.json` in the Accelerator configuration bucket
+
+```json
+[
+ {
+ "accountKey": "shared-network",
+ "outputKey": "DefaultBucketOutputC7CE5936",
+ "outputValue": "{\"type\":\"AccountBucket\",\"value\":{\"bucketArn\":\"arn:aws:s3:::pbmmaccel-sharednetwork-phase1-cacentral1-18vq0emthri3h\",\"bucketName\":\"pbmmaccel-sharednetwork-phase1-cacentral1-18vq0emthri3h\",\"encryptionKeyArn\":\"arn:aws:kms:ca-central-1:0000000000001:key/d54a8acb-694c-4fc5-9afe-ca2b263cd0b3\",\"region\":\"ca-central-1\"}}"
+ }
+]
+```
+
+5. `context.json` that contains the default values for values that are otherwise passed as environment variables.
+
+```json
+{
+ "acceleratorName": "PBMM",
+ "acceleratorPrefix": "PBMMAccel-",
+ "acceleratorExecutionRoleName": "PBMMAccel-PipelineRole",
+ "defaultRegion": "ca-central-1"
+}
+```
+
+6. `config.json` that contains the Accelerator configuration.
+
+The script also sets the default execution role to allow CDK to assume a role in subaccounts to deploy the phase stacks.
+
+Now that you have all the required local files you can deploy the phase stacks using `cdk.sh`.
+
+```sh
+cd src/deployments/cdk
+./cdk.sh deploy --phase 1 # deploy all phase 1 stacks
+./cdk.sh deploy --phase 1 --parallel # deploy all phase 1 stacks in parallel
+./cdk.sh deploy --phase 1 --account shared-network # deploy phase 1 stacks for account shared-network in all regions
+./cdk.sh deploy --phase 1 --region ca-central-1 # deploy phase 1 stacks for region ca-central-1 for all accounts
+./cdk.sh deploy --phase 1 --account shared-network --region ca-central-1 # deploy phase 1 stacks for account shared-network and region ca-central
+```
+
+Other CDK commands are also available.
+
+```sh
+cd src/deployments/cdk
+./cdk.sh bootstrap --phase 1
+./cdk.sh synth --phase 1
+```
+
+### Testing
+
+We use `jest` for unit testing. There are no integration tests but this could be set-up by configuring the `Installer` CodePipeline to have a webhook on the repository and deploying changes automatically.
+
+To run unit tests locally you can run the following command in the monorepo.
+
+```sh
+pnpx recursive run test -- --pass-with-no-tests --silent
+```
+
+See CDK's documentation on [Testing constructs](https://docs.aws.amazon.com/cdk/latest/guide/testing.html) for more information on how to tests CDK constructs.
+
+#### Validating Immutable Property Changes and Logical ID Changes
+
+The most important unit test in this project is one that validates that logical IDs and immutable properties do not change unexpectedly. To avoid the issues described in section [Resource Names and Logical IDs](#resource-names-and-logical-ids), [Changing Logical IDs](#changing-logical-ids) and [Changing (Immutable) Properties](#changing-immutable-properties).
+
+This test can be found in the `src/deployments/cdk/test/apps/unsupported-changes.spec.ts` file. It synthesizes the `Phase` stacks using mocked outputs and uses [`jest` snapshots](https://jestjs.io/docs/en/snapshot-testing) to compare against future changes.
+
+The test will fail when changing immutable properties or changing logical IDs of existing resources. In case the changes are expected then the snapshots will need to be updated. You can update the snapshots by running the following command.
+
+```sh
+pnpx run test -- -u
+```
+
+See [Accept Unit Test Snapshot Changes](#accept-unit-test-snapshot-changes).
+
+#### Upgrade CDK
+
+There's a test in the file `src/deployments/cdk/test/apps/unsupported-changes.spec.ts` that is currently commented out. The test takes a snapshot of the whole `Phase` stack and compares the snapshot to changes in the code.
+
+```typescript
+test('templates should stay exactly the same', () => {
+ for (const [stackName, resources] of Object.entries(stackResources)) {
+ // Compare the relevant properties to the snapshot
+ expect(resources).toMatchSnapshot(stackName);
+ }
+});
+```
+
+Before upgrading CDK we uncomment this test. We run the test to update all the snapshots. Then we update all CDK versions and run the test again to compare the snapshots with the code using the new CDK version. If the test passes, then the upgrade should be stable.
+
+> _Action Item:_ Automate this process.
+
+## Best Practices
+
+### TypeScript and NodeJS
+
+#### Handle Unhandled Promises
+
+Entrypoint TypeScript files -- files that start execution instead of just defining methods and classes -- should have the following code snippet at the start of the file.
+
+```typescript
+process.on('unhandledRejection', (reason, _) => {
+ console.error(reason);
+ process.exit(1);
+});
+```
+
+This prevents unhandled promise rejection errors by NodeJS. Please read https://medium.com/dailyjs/how-to-prevent-your-node-js-process-from-crashing-5d40247b8ab2 for more information.
+
+### CloudFormation
+
+#### Cross-Account/Region References
+
+When managing multiple AWS accounts, the Accelerator may need permissions to modify resources in the managed accounts. For example, a transit gateway could be created in a shared network account and it need to be shared to the perimeter account to create a VPN connection.
+
+In a single-account environment we would could just:
+
+1. create a single stack and use `!Ref` to refer to the transit gateway;
+2. or deploy two stacks
+ - one stack that contains the transit gateway and creates a CloudFormation exported output that contains the transit gateway ID;
+ - another stack that imports the exported output value from the previous stack and uses it to create a VPN connection.
+
+In a multi-account environment this is not possible and we had to find a way to share outputs across accounts and regions.
+
+See [Passing Outputs Between Phases](#passing-outputs-between-phases).
+
+#### Resource Names and Logical IDs
+
+Some resources, like `AWS::S3::Bucket`, can have an explicit name. Setting an explicit name can introduce some possible issues.
+
+The first issue that could occur goes as follows:
+
+- the named resource has a retention policy to retain the resource after deleting;
+- then the named resource is created through a CloudFormation stack;
+- next, an error happens while creating or updating the stack and the stack rolls back;
+- and finally the named resource is deleted from the stack but has a retention policy to retain, so the resource not be deleted;
+
+Suppose then that the stack creation issue is resolved and we retry to create the named resource through the CloudFormation stack:
+
+- the named resource is created through a CloudFormation stack;
+- the named resource will fail to create because a resource with the given name already exists.
+
+The best way to prevent this issue from happening is to not explicitly set a name for the resource and let CloudFormation generate the name.
+
+Another issue could occur when changing the logical ID of the named resource. This is documented in the following section.
+
+#### Changing Logical IDs
+
+When changing the logical ID of a resource CloudFormation assumes the resource is a new resource since it has a logical ID it does not know yet. When updating a stack, CloudFormation will always prioritize resource creation before deletion.
+
+The following issue could occur when the resource has an explicit name. CloudFormation will try to create the resource anew and will fail since a resource with the given name already exists. Example of resources where this could happen are `AWS::S3::Bucket`, `AWS::SecretManager::Secret`.
+
+#### Changing (Immutable) Properties
+
+Not only changing logical IDs could cause CloudFormation to replace resources. Changing immutable properties also cause replacement of resources. See [Update behaviors of stack resources](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement).
+
+Be especially careful when:
+
+- changing immutable properties for a named resource. Example of a resource is `AWS::Budgets::Budget`, `AWS::ElasticLoadBalancingV2::LoadBalancer`.
+- updating network interfaces for an `AWS::EC2::Instance`. Not only will this cause the instance to re-create, it will also fail to attach the network interfaces to the new EC2 instance. CloudFormation creates the new EC2 instance first before deleting the old one. It will try to attach the network interfaces to the new instance, but the network interfaces are still attached to the old instance and CloudFormation will fail.
+
+For some named resources, like `AWS::AutoScaling::LaunchConfiguration` and `AWS::Budgets::Budget`, we append a hash to the name of the resource that is based on its properties. This way when an immutable property is changed, the name will also change, and the resource will be replaced successfully. See for example `src/lib/cdk-constructs/src/autoscaling/launch-configuration.ts` and `src/lib/cdk-constructs/src//billing/budget.ts`.
+
+```typescript
+export type LaunchConfigurationProps = autoscaling.CfnLaunchConfigurationProps;
+
+/**
+ * Wrapper around CfnLaunchConfiguration. The construct adds a hash to the launch configuration name that is based on
+ * the launch configuration properties. The hash makes sure the launch configuration gets replaced correctly by
+ * CloudFormation.
+ */
+export class LaunchConfiguration extends autoscaling.CfnLaunchConfiguration {
+ constructor(scope: cdk.Construct, id: string, props: LaunchConfigurationProps) {
+ super(scope, id, props);
+
+ if (props.launchConfigurationName) {
+ const hash = hashSum({ ...props, path: this.node.path });
+ this.launchConfigurationName = `${props.launchConfigurationName}-${hash}`;
+ }
+ }
+}
+```
+
+### CDK
+
+CDK makes heavy use of CloudFormation so all best practices that apply to CloudFormation also apply to CDK.
+
+#### Logical IDs
+
+The logical ID of a CDK component is calculated based on its path in the construct tree. Be careful moving around constructs in the construct tree -- e.g. changing the parent of a construct or nesting a construct in another construct -- as this will change the logical ID of the construct. Then you might end up with the issues described in section [Changing Logical IDs](#changing-logical-ids) and section [Changing (Immutable) Properties](#changing-immutable-properties).
+
+See [Logical ID Stability](https://docs.aws.amazon.com/cdk/latest/guide/identifiers.html#identifiers_logical_id_stability) for more information.
+
+#### Moving Resources between Nested Stacks
+
+In some cases we use nested stacks to overcome [the limit of 200 CloudFormation resources per stack](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html).
+
+In the code snippet below you can see how we generate a dynamic amount of nested stack based on the amount of interface endpoints we construct. The `InterfaceEndpoint` construct contains several CloudFormation resources so we have to be careful to not exceed the limit of 200 CloudFormation resources per nested stack. That is why we limit the amount of interface endpoints to 30 per nested stack.
+
+```typescript
+let endpointCount = 0;
+let endpointStackIndex = 0;
+let endpointStack;
+for (const endpoint of endpointConfig.endpoints) {
+ if (!endpointStack || endpointCount >= 30) {
+ endpointStack = new NestedStack(accountStack, `Endpoint${endpointStackIndex++}`);
+ endpointCount = 0;
+ }
+ new InterfaceEndpoint(endpointStack, pascalCase(endpoint), {
+ serviceName: endpoint,
+ });
+ endpointCount++;
+}
+```
+
+We have to be careful here though. Suppose the configuration file contains 40 interface endpoints. The first 30 interface endpoints will be created in the first nested stack; the next 10 interface endpoints will be created in the second nested stack. Suppose now that we remove the first nested endpoint from the configuration file. This will cause the 31st interface endpoint to become the 30th interface endpoint in the list and it will cause the interface endpoint to be moved from the second nested stack to the first nested stack. This will cause the stack updates to fail since CloudFormation will first try to create the interface endpoint in the first nested stack before removing it from the second nested stack. We do currently not support changes to the interface endpoint configuration because of this behavior.
+
+#### L1 vs. L2 Constructs
+
+See [AWS Construct library](https://docs.aws.amazon.com/cdk/latest/guide/constructs.html#constructs_lib) for an explanation on L1 and L2 constructs.
+
+The L2 constructs for EC2 and VPC do not map well onto the Accelerator-managed resources. For this reason we mostly use L1 CDK constructs -- such as `ec2.CfnVPC`, `ec2.CfnSubnet` -- instead of using L2 CDK constructs -- such as `ec2.Vpc` and `ec2.Subnet`.
+
+#### CDK Code Dependency on Lambda Function Code
+
+You can read about the distinction between CDK code and runtime code in the introduction of the [Development](#development) section.
+
+CDK code can depend on runtime code. For example when we want to create a Lambda function using CDK, we need the runtime code to define the Lambda function. We use `npm scripts`, `npm` dependencies and the `NodeJS` `modules` API to define this dependency between CDK code and runtime code.
+
+First of all, we need to create a separate folder that will contain the workspace and runtime code for our Lambda function. Throughout the project we've called these workspaces `...-lambda` but it could also be named `...-runtime`. See `src/lib/custom-resources/cdk-acm-import-certificate/runtime/package.json`.
+
+This workspace's `package.json` file needs a `prepare` script that compiles the runtime code. See [`npm-scripts`](https://docs.npmjs.com/misc/scripts).
+
+The `package.json` file also needs a `name` and a `main` entry that points to the compiled code.
+
+`runtime/package.json`
+
+```json
+{
+ "name": "lambda-fn-runtime",
+ "main": "dist/index.js",
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ }
+}
+```
+
+Now when another workspace depends on our Lambda function runtime code workspace, the `prepare` script will run and it will compile the Lambda function runtime code.
+
+Next, we add the dependency to the new workspace to the workspace that contains the CDK code using `pnpm` or by adding it to `package.json`.
+
+`cdk/package.json`
+
+```json
+{
+ "devDependencies": {
+ "lambda-fn-runtime": "workspace:^0.0.1"
+ }
+}
+```
+
+In the CDK code we can now resolve the path to the compiled code using the `NodeJS` `modules` API. See [NodeJS `modules` API](https://nodejs.org/api/modules.html#modules_require_resolve_request_options).
+
+`cdk/src/index.ts`
+
+```typescript
+class LambdaFun extends cdk.Construct {
+ constructor(scope: cdk.Construct, id: string) {
+ super(scope, id);
+
+ // Find the runtime package folder and resolves the `main` entry of `package.json`.
+ // In our case this is `node_modules/lambda-fn-runtime/dist/index.js`.
+ const runtimeMain = resolve.require('lambda-fn-runtime');
+
+ // Find the directory containing our `index.js` file.
+ // In our case this is `node_modules/lambda-fn-runtime/dist`.
+ const runtimeDir = path.dirname(lambdaPath);
+
+ new lambda.Function(this, 'Resource', {
+ runtime: lambda.Runtime.NODEJS_12_X,
+ code: lambda.Code.fromAsset(runtimeDir),
+ handler: 'index.handler', // The `handler` function in `index.js`
+ });
+ }
+}
+```
+
+You now have a CDK Lambda function that uses the compiled Lambda function runtime code.
+
+> _Note_: The runtime code needs to be recompiled every time it changes since the `prepare` script only runs when the runtime workspace is installed.
+
+#### Custom Resource
+
+We create custom resources for functionality that is not supported natively by CloudFormation. We have two types of custom resources in this project:
+
+1. Custom resource that calls an SDK method;
+2. Custom resource that needs additional functionality and is backed by a custom Lambda function.
+
+CDK has a helper construct for the first type of custom resources. See [CDK `AwsCustomResource` documentation](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_custom-resources.AwsCustomResource.html). This helper construct is for example used in the custom resource [`ds-log-subscription`](../../../../src/lib/custom-resources/cdk-cdk-ds-log-subscription/).
+
+The second type of custom resources requires a custom Lambda function runtime as described in the previous section. For example [`acm-import-certificate`](../../../../src/lib/custom-resources/cdk-acm-import-certificate) is backed by a custom Lambda function.
+
+Only a single Lambda function is created per custom resource, account and region. This is achieved by creating only a single Lambda function in the construct tree.
+
+`src/lib/custom-resources/custom-resource/cdk/index.ts`
+
+```typescript
+class CustomResource extends cdk.Construct {
+ constructor(scope: cdk.Construct, id: string, props: CustomResourceProps) {
+ super(scope, id);
+
+ new cdk.CustomResource(this, 'Resource', {
+ resourceType: 'Custom::CustomResource',
+ serviceToken: this.lambdaFunction.functionArn,
+ });
+ }
+
+ private get lambdaFunction() {
+ const constructName = `CustomResourceLambda`;
+
+ const stack = cdk.Stack.of(this);
+ const existing = stack.node.tryFindChild(constructName);
+ if (existing) {
+ return existing as lambda.Function;
+ }
+
+ // The package '@aws-accelerator/custom-resources/cdk-custom-resource-runtime' contains the runtime code for the custom resource
+ const lambdaPath = require.resolve('@aws-accelerator/custom-resources/cdk-custom-resource-runtime');
+ const lambdaDir = path.dirname(lambdaPath);
+
+ return new lambda.Function(stack, constructName, {
+ code: lambda.Code.fromAsset(lambdaDir),
+ });
+ }
+}
+```
+
+#### Escape Hatches
+
+Sometimes CDK does not support a property on a resource that CloudFormation does support. You can then override the property using the `addOverride` or `addPropertyOverride` methods on CDK CloudFormation resources. See [CDK escape hatches](https://docs.aws.amazon.com/cdk/latest/guide/cfn_layer.html).
+
+##### AutoScaling Group Metadata
+
+An example where we override metadata is when we create a launch configuration.S
+
+```typescript
+const launchConfig = new autoscaling.CfnLaunchConfiguration(this, 'LaunchConfig', { ... });
+
+launchConfig.addOverride('Metadata.AWS::CloudFormation::Authentication', {
+ S3AccessCreds: {
+ type: 'S3',
+ roleName,
+ buckets: [bucketName],
+ },
+});
+
+launchConfig.addOverride('Metadata.AWS::CloudFormation::Init', {
+ configSets: {
+ config: ['setup'],
+ },
+ setup: {
+ files: {
+ // Add files here
+ },
+ services: {
+ // Add services here
+ },
+ commands: {
+ // Add commands here
+ },
+ },
+});
+```
+
+##### Secret `SecretValue`
+
+Another example is when we want to use `secretsmanager.Secret` and set the secret value.
+
+```typescript
+function setSecretValue(secret: secrets.Secret, value: string) {
+ const cfnSecret = secret.node.defaultChild as secrets.CfnSecret; // Get the L1 resource that backs this L2 resource
+ cfnSecret.addPropertyOverride('SecretString', value); // Override the property `SecretString` on the L1 resource
+ cfnSecret.addPropertyDeletionOverride('GenerateSecretString'); // Delete the property `GenerateSecretString` from the L1 resource
+}
+```
+
+## Contributing Guidelines
+
+### How-to
+
+#### Adding New Functionality?
+
+Before making a change or adding new functionality you have to verify what kind of functionality is being added.
+
+- Is it an Accelerator-management change?
+ - Is the change related to the `Installer` stack?
+ - Is the change CDK related?
+ - Make the change in `src/installer/cdk`.
+ - Is the change runtime related?
+ - Make the change in `src/installer/cdk/assets`.
+ - Is the change related to the `Initial Setup` stack?
+ - Is the change CDK related?
+ - Make the change in `src/core/cdk`
+ - Is the change runtime related?
+ - Make the change in `src/core/runtime`
+- Is it an Accelerator-managed change?
+ - Is the change related to the `Phase` stacks?
+ - Is the change CDK related?
+ - Make the change in `src/deployments/cdk`
+ - Is the change runtime related?
+ - Make the change in `src/deployments/runtime`
+
+#### Create a CDK Lambda Function with Lambda Runtime Code
+
+See [CDK Code Dependency on Lambda Function Code](#cdk-code-dependency-on-lambda-function-code) for a short introduction.
+
+#### Create a Custom Resource
+
+See [Custom Resource](#custom-resource) and [Custom Resources](#custom-resources) for a short introduction.
+
+1. Create a separate folder that will contain the CDK and Lambda function runtime code, e.g. `src/lib/custom-resources/my-custom-resource`;
+2. Create a folder `my-custom-resource` that will contain the CDK code;
+ 1. Create a `package.json` file with a dependency to the `my-custom-resource/runtime` package;
+ 2. Create a `cdk` folder that contains the source of the CDK code;
+3. Create a folder `my-custom-resource/runtime` that will contain the runtime code;
+ 1. Create a `runtime/package.json` file with a `"name"`, `"prepare"` script and a `"main"`;
+ 2. Create a `runtime/webpack.config.ts` file that compiles TypeScript code to a single JavaScript file;
+ 3. Create a `runtime/src` folder that contains the source of the Lambda function runtime code;
+
+You can look at the `src/lib/custom-resources/cdk-acm-import-certificate` custom resource as an example.
+
+It is best practice to add tags to any resources that the custom resource creates using the `cfn-tags` library.
+
+#### Run All Unit Tests
+
+Run in the root of the project.
+
+```sh
+pnpm recursive run test --no-bail --stream -- --silent
+```
+
+#### Accept Unit Test Snapshot Changes
+
+Run in `src/deployments/cdk`.
+
+```sh
+pnpm run test -- -u
+```
+
+#### Validate Code with Prettier
+
+Run in the root of the project.
+
+```sh
+pnpx prettier --check **/*.ts
+```
+
+#### Format Code with Prettier
+
+Run in the root of the project.
+
+```sh
+pnpx prettier --write **/*.ts
+```
+
+#### Validate Code with `tslint`
+
+Run in the root of the project.
+
+```sh
+pnpm recursive run lint --stream --no-bail
+```
diff --git a/docs/faq/index.md b/docs/faq/index.md
index ed19f65ed..a8c3ff7c9 100644
--- a/docs/faq/index.md
+++ b/docs/faq/index.md
@@ -1,11 +1,11 @@
-# Frequently Asked Questions
-
-### Furture Question 1?
-
-Future answer 1
-
-### Furture Question 2?
-
-Future answer 2
-
-[...Return to Table of Contents](../index.md)
+# Frequently Asked Questions
+
+### Furture Question 1?
+
+Future answer 1
+
+### Furture Question 2?
+
+Future answer 2
+
+[...Return to Table of Contents](../index.md)
diff --git a/docs/index.md b/docs/index.md
index 3796071f1..ac06af4a4 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -1,18 +1,18 @@
-# AWS Secure Environment Accelerator
-
-# **Documentation** (Linked)
-
-### - [Solution Summary / Repo Root](../README.md)
-
-### - [Installation, Upgrades and Basic Operations Guide](./installation/index.md)
-
-- Link to [releases](https://github.com/aws-samples/aws-secure-environment-accelerator/releases)
-- Link to example PBMM config [file](../reference-artifacts/config.example.json)
-
-### - [Accelerator Operations/Troubleshooting Guide](./operations/operations-troubleshooting-guide.md) (Early Draft)
-
-### - [Accelerator Developer Guide](./developer/developer-guide.md) (Early Draft)
-
-### - [Prescriptive PBMM Architecture Design Document](./architectures/pbmm/index.md) (Early Draft)
-
-### - [Frequently Asked Questions](./faq/index.md)
+# AWS Secure Environment Accelerator
+
+# **Documentation** (Linked)
+
+### - [Solution Summary / Repo Root](../README.md)
+
+### - [Installation, Upgrades and Basic Operations Guide](./installation/index.md)
+
+- Link to [releases](https://github.com/aws-samples/aws-secure-environment-accelerator/releases)
+- Link to example PBMM config [file](../reference-artifacts/config.example.json)
+
+### - [Accelerator Operations/Troubleshooting Guide](./operations/operations-troubleshooting-guide.md) (Early Draft)
+
+### - [Accelerator Developer Guide](./developer/developer-guide.md) (Early Draft)
+
+### - [Prescriptive PBMM Architecture Design Document](./architectures/pbmm/index.md) (Early Draft)
+
+### - [Frequently Asked Questions](./faq/index.md)
diff --git a/docs/installation/index.md b/docs/installation/index.md
index b9dbe4422..2f5aa684d 100644
--- a/docs/installation/index.md
+++ b/docs/installation/index.md
@@ -1,431 +1,431 @@
-# Installation, Upgrades and Basic Operations
-
-**_Deploying the AWS Accelerator requires the assistance of your local AWS Account team. Attempts to deploy the Accelerator without the support of your AWS SA, TAM, Proserve, or AM will fail as new AWS accounts do not have appropriate limits established to facilitate installation._**
-
-Installation of the provided prescriptive AWS architecture, as-is, requires a limit increase to support a minimum of 6 AWS accounts in the AWS Organization plus any additional required workload accounts.
-
-These installation instructions assume the prescribed architecture is being deployed.
-
-## Prerequisites
-
-- Master or Root AWS account (the AWS Accelerator cannot be deployed in an AWS sub-account)
- - No additional AWS accounts need to be pre-created before Accelerator installation
-- Limit increase to support a minimum of 6 new sub-accounts plus any additional workload accounts
-- Determine if you will install on top of ALZ or as a standalone installation
- - If you don't already have the ALZ installed, you will be doing a standalone installation
- - Even if you do have the ALZ installed, we recommend customers consider uninstalling the ALZ and proceeding with a standalone installation
-- Valid configuration file, updated to reflect your deployment (see below)
-- Determine your primary or Accelerator 'control' region. These instructions have been written assuming ca-central-1, but any supported region can be substituted.
-
-#### Existing AWS Organizations or AWS Accounts
-
-- The Accelerator _can_ be installed into existing AWS Organizations
- - our early adopters have all successfully deployed into existing organizations
-- Existing AWS accounts _can_ also be imported into an Accelerator managed Organization
-- Caveats:
- - Per AWS Best Practices, the Accelerator deletes the default VPC's in all AWS accounts. The inability to delete default VPC's in preexisting accounts will fail the installation/account import process. Ensure default VPC's can or are deleted before importing existing accounts. On failure, either rectify the situation, or remove the account from Accelerator management and rerun the state machine
- - The Accelerator will NOT alter existing (legacy) constructs (e.g. VPC's, EBS volumes, etc.). For imported and pre-existing accounts, objects the Accelerator prevents from being created using preventative guardrails will continue to exist and not conform to the prescriptive security guidance
- - Existing workloads should be migrated to Accelerator managed VPC's and legacy VPC's deleted to gain the full governance benefits of the Accelerator (centralized flow logging, centralized ingress/egress, no IGW's, Session Manager access, existing non-encrypted EBS volumes, etc.)
- - Existing AWS services will be reconfigured as defined in the Accelerator configuration file (overwriting existing settings)
- - We do NOT support _any_ workloads running or users operating in the master AWS account. The master AWS account MUST be tightly controlled
- - Importing existing _workload_ accounts is fully supported, we do NOT support, recommend and strongly discourage importing mandatory accounts, unless they were clean/empty accounts. Mandatory accounts are critical to ensuring governance across the entire solution
-
-### Standalone Accelerator Installation (No ALZ base) (Preferred)
-
-Before installing, you must first:
-
-1. Login to the Organization **Master AWS account** with `AdministratorAccess`.
-2. **_Set the region to `ca-central-1`._**
-3. Enable AWS Organizations
-4. Enable Service Control Policies
-5. In AWS Organizations, "Verify" the master account email address (this is a technical process)
-6. Set `alz-baseline=false` in the configuration file
-7. Create a new KMS key to encrypt your source configuration bucket (you can use an existing key)
-
-- AWS Key Management Service, Customer Managed Keys, Create Key, Symmetric, and then provide a key name
- (`Accel-Source-Bucket-Key`), Next
-- Select a key administrator (Admin Role or Group for the master account), Next
-- Select key users (Admin Role or Group for the master account), Next
-- Validate an entry exists to "Enable IAM User Permissions" (critical step if using an existing key)
- - `"arn:aws:iam::123456789012:root"`, where `123456789012` is your **_master_** account id.
-- Click Finish
-
-### ALZ Based Accelerator Installation
-
-You need an AWS account with the AWS Landing Zone (ALZ) v2.3.1 or v2.4.0 deployed. It is strongly encouraged to upgrade to ALZ v2.4.0 before deploying the Accelerator.
-
-When deploying the ALZ select:
-
-1. Set `Lock StackSetExecution Role` to `No`
-2. For production deployments, deploy to `All regions`, or `ca-central-1` for testing
-3. Specify Non-Core OU Names: `Dev,Test,Prod,Central,UnClass,Sandbox` (case sensitive)
- - these match the provided prescriptive Accelerator configuration file (config.example.json)
-
-Before installing, you must first:
-
-1. Set `alz-baseline=true` in the configuration file
-2. Login to the Organization **Master AWS account** where AWS Landing Zone is deployed with `AdministratorAccess`.
-3. **_Set the region to `ca-central-1`._**
-4. Enable IAM permissions to control access to use the `AwsLandingZoneKMSKey` KMS key.
- - i.e. add a root entry - `"arn:aws:iam::123456789012:root"`, where `123456789012` is your **_master_** account id.
-
-### BOTH Installation Types
-
-In the Master or root AWS account, manually:
-
-1. Enable `"Cost Explorer"` (My Account, Cost Explorer, Enable Cost Explorer)
-2. Enable `"Receive Billing Alerts"` (My Account, Billing Preferences, Receive Billing Alerts)
-3. It is **_extremely important_** that **_all_** the account contact details be validated in the MASTER account before deploying any new sub-accounts.
-
-- This information is copied to every new sub-account on creation.
-- Subsequent changes to this information require manually updating it in **\*each** sub-account.
-- Go to `My Account` and verify/update the information lists under both the `Contact Information` section and the `Alternate Contacts` section.
-- Please ESPECIALLY make sure the email addresses and Phone numbers are valid and regularly monitored. If we need to reach you due to suspicious account activity, billing issues, or other urgent problems with your account - this is the information that is used. It is CRITICAL it is kept accurate and up to date at all times.
-
-### AWS Internal Accounts Only
-
-If deploying to an internal AWS account, to successfully install the entire solution, you need to enable Private Marketplace (PMP) before starting:
-
-1. In the master account go here: https://aws.amazon.com/marketplace/privatemarketplace/create
-2. Click Create Marketplace
-3. Go to Profile sub-tab, click the `Not Live` slider to make it `Live`
-4. Click the `Software requests` slider to turn `Requests off`
-5. Change the name field (i.e. append `-PMP`) and change the color, so it is clear PMP is enabled for users
-6. Search Private Marketplace for Fortinet products
-7. Unselect the `Approved Products` filter and then select:
- - `Fortinet FortiGate (BYOL) Next-Generation Firewall`
-8. Select "Add to Private Marketplace" in the top right
- - Due to PMP provisioning delays, this sometimes fails when attempted immediately following enablement of PMP - retry after 20 minutes.
-9. Wait a couple of minutes while it adds item to your PMP - do NOT subscribe or accept the EULA
- - Repeat for `Fortinet FortiManager (BYOL) Centralized Security Management`
-
-## Preparation
-
-### Create a GitHub Personal Access Token.
-
-1. You require a GitHub access token to access the code repository
-2. Instructions on how to create a personal access token are located here: https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
-3. Select the scope `repo: Full control over private repositories`.
-4. Store the personal access token in Secrets Manager as plain text. Name the secret `accelerator/github-token` (case sensitive).
- - Via AWS console
- - Store a new secret, and select `Other type of secrets`, `Plaintext`
- - Paste your secret with no formatting no leading or trailing spaces
- - Select either the key you created above (`Accel-Source-Bucket-Key`) or the `AwsLandingZoneKMSKey`,
- - Set the secret name to `accelerator/github-token` (case sensitive)
- - Select `Disable rotation`
-
-### Accelerator Configuration
-
-1. You can use the [`config.example.json`](../../reference-artifacts/config.example.json) file as base
- - Use the version from the branch you are deploying from as some parameters have changed over time
- - On upgrades, compare your deployed configuration file with the latest branch configuration file for any new or changed parameters
- - This configuration file can be used, as-is, with only minor modification to successfully deploy the standard architecture
-2. At minimum, you MUST update the AWS account names and email addresses in the sample file:
- 1. For existing accounts, they must match identically to the ones defined in your AWS Landing Zone;
- 2. For new accounts, they must reflect the new account name/email you want created;
- 3. All new AWS accounts require a unique email address which has never before been used to create an AWS account;
- 4. When updating the budget notification email addresses within the example, a single email address for all is sufficient;
- 5. For a test deployment, the remainder of the values can be used as-is.
-3. In the ALZ version of the Accelerator, we strongly recommend removing _all_ workload accounts from the configuration file during initial deployment. Workload accounts can be added in the future. The ALZ AVM takes 42 minutes per sub-account. Additionally, importing existing accounts during initial deployment increases the risk of initial deployment failures.
-4. A successful deployment requires VPC access to 6 AWS endpoints, you cannot remove both the perimeter firewalls (all public endpoints) and the 6 required central VPC endpoints from the config file (ec2, ec2messages, ssm, ssmmessages, cloudformation, secretsmanager).
-
-### Key Production Config File Requirements:
-
-- **For a production deployment, THIS REQUIRES EXTENSIVE PREPARATION AND PLANNING**
- - Plan your OU structure, we are suggesting:
- - core, Central, Sandbox, Unclass, Dev, Test, Prod
- - 6 \* RFC1918 Class B address blocks (CIDR's) which do not conflict with your on-premise networks
- - (one for each OU, except Sandbox which is not routable)
- - core Class B range will be split to support the Endpoint VPC and Perimeter VPC
- - 3 \* RFC6598 /23 address blocks (Government of Canada (GC) requirement only)
- - (MAD, perimeter underlay, perimeter overlay)(non-GC customers can use address space from the core CIDR range)
- - 3 \* BGP ASN's (TGW, FW Cluster, VGW)
- - A Unique Windows domain name (`deptaws`/`dept.aws`, `deptcloud`/`dept.cloud`, etc.)
- - DNS Domain names and DNS server IP's for on-premise private DNS zones requiring cloud resolution
- - DNS Domain for a cloud hosted public zone `"public": ["dept.cloud-nuage.canada.ca"]`
- - DNS Domain for a cloud hosted private zone `"private": ["dept.cloud-nuage.gc.ca"]`
- - Wildcard TLS certificate for each of the 2 previous zones
- - 2 Fortinet FortiGate firewall licenses
- - We also recommend at least 20 unique email ALIASES associated with a single mailbox, never used before to open AWS accounts, such that you do not need to request new email aliases every time you need to create a new AWS account.
-
-4. Create an S3 bucket in your master account with versioning enabled `your-bucket-name`
- - you must supply this bucket name in the CFN parameters _and_ in the config file
- - the bucket name _must_ be the same in both spots
- - the bucket should be `S3-KMS` encrypted using either the `AwsLandingZoneKMSKey` or the `Accel-Source-Bucket-Key` created above
-5. Place your customized config file, named `config.json`, in your new bucket
-6. Place the firewall configuration and license files in the folder and path defined in the config file
- - i.e. `firewall/firewall-example.txt`, `firewall/license1.lic` and `firewall/license2.lic`
- - Sample available here: `./reference-artifacts/Third-Party/firewall-example.txt`
- - If you don't have any license files, update the config file with an empty array []
-7. Place any defined certificate files in the folder and path defined in the config file
- - i.e. `certs/example1-cert.key`, `certs/example1-cert.crt`
- - Sample available here: `./reference-artifacts/Certs-Sample/*`
- - Ideally you would generate real certificates using your existing certificate authority
- - Should you wish, instructions are provided to aid in generating your own self-signed certificates
- - Use the examples to demonstrate Accelerator TLS functionality only
-8. Detach **_ALL_** SCPs (except `FullAWSAccess` which remains in place) from all OU's and accounts before proceeding
- - Installation **will fail** if this step is skipped
-
-### Deploy the Accelerator Installer Stack
-
-1. You can find the latest release in the repository [here:](https://github.com/aws-samples/aws-secure-environment-accelerator/releases)
-2. Download the CloudFormation template `AcceleratorInstaller.template.json` for the release you plan to install
-3. Use the template to deploy a new stack in your AWS account
-4. **_Make sure you are in `ca-central-1` (or your desired primary or control region)_**
-5. Fill out the required parameters - **_LEAVE THE DEFAULTS UNLESS SPECIFIED BELOW_**
-6. Specify `Stack Name` STARTING with `PBMMAccel-` (case sensitive) suggest a suffix of `deptname` or `username`
-7. Change `ConfigS3Bucket` to the name of the bucket you created above `your-bucket-name`
-8. Add an `Email` address to be used for notification of code releases
-9. The `GithubBranch` should point to the release you selected
- - if upgrading, change it to point to the desired release
- - the latest stable branch is currently `release/v1.1.6`, case sensitive
-10. For deployments before v1.1.6, update the `GithubRepository` name to `aws-secure-environment-accelerator`
-11. Apply a tag on the stack, Key=`Accelerator`, Value=`PBMM` (case sensitive).
-12. **ENABLE STACK TERMINATION PROTECTION** under `Stack creation options`
-13. The stack typically takes under 5 minutes to deploy.
-14. Once deployed, you should see a CodePipeline project named `PBMMAccel-InstallerPipeline` in your account. This pipeline connects to Github, pulls the code from the prescribed branch and deploys the Accelerator state machine.
-15. For new stack deployments, when the stack deployment completes, the Accelerator state machine will automatically execute (in Code Pipeline). When upgrading you must manually `Release Change` to start the pipeline.
-16. **While the pipeline is running, review the list of [Known Installation Issues]([https://github.com/aws-samples/aws-secure-environment-accelerator/blob/master/docs/installation/index.md#Known-Installation-Issues) near the bottom on this document**
-17. Once the pipeline completes (typically 15-20 minutes), the state machine, named `PBMMAccel-MainStateMachine_sm`, will start in Step Functions
-18. The state machine takes several hours to execute on an initial installation. Timing for subsequent executions depends entirely on what resources are changed in the configuration file, but can take as little as 20 minutes.
-19. The configuration file will be automatically moved into Code Commit (and deleted from S3). From this point forward, you must update your configuration file in CodeCommit.
-20. You will receive an email from the State Machine SNS topic. Please confirm the email subscription to enable receipt of state machine status messages. Until completed you will not receive any email messages.
-21. After the perimeter account is created in AWS Organizations, but before the Accelerator reaches Stage 2:
- 1. NOTE: If you miss the step, or fail to execute it in time, no need to be concerned, you will simply need to re-run the state machine to deploy the firewall products
- 2. Login to the **perimeter** sub-account (Assume your `organization-admin-role`)
- 3. Activate the Fortinet Fortigate BYOL AMI and the Fortinet FortiManager BYOL AMI at the URL: https://aws.amazon.com/marketplace/privatemarketplace
- - Note: you should see the private marketplace, including the custom color specified in prerequisite step 4 above.
- - When complete, you should see the marketplace products as subscriptions **in the Perimeter account**:
-
-
-
-21. Once the state machine completes successfully, confirm the status of your perimeter firewall deployment.
- - While you can watch the state machine in Step Functions, you will also be notified via email when the State Machine completes (or fails). Successful state machine executions include a list of all accounts which were successfully processed by the Accelerator.
-22. If your perimeter firewalls were not deployed on first run, you will need to rerun the state machine. This happens when:
- 1. you were unable to activate the firewall AMI's before stage 2 (step 19)
- 2. we were not able to fully activate your account before we were ready to deploy your firewalls
- 3. In these cases, simply select the `PBMMAccel-MainStateMachine_sm` in Step Functions and select `Start Execution`
-23. The Accelerator installation is complete, but several manual steps remain:
-
- 1. recover root passwords for all sub-accounts
- 2. enable MFA for **all** IAM users and **all** root users
- 3. Login to the firewalls and firewall manager appliance and set default passwords
- - Update firewall configuration per your organizations security best practices
- - manually update firewall configuration to forward all logs to the Accelerator deployed NLB addresses fronting the rsyslog cluster
- - manually update the firewall configuration to connect perimeter ALB high port flows through to internal account ALB's
- 4. In ca-central-1, Enable AWS SSO, Set the SSO directory to MAD, set the SSO email attrib to: \${dir:email}, create all default permission sets and any desired custom permission sets, map MAD groups to perm sets
- 5. On a per role basis, you need to enable the CWL Account Selector in the Security and the Ops accounts
-
-24. During the installation we request required limit increases, resources dependent on these limits were not deployed
- 1. You should receive emails from support confirming the limit increases
- ~~2. Unfortunately, once the VPC endpoint limit is increased, it does not properly register in AWS Quota tool~~
- ~~- If and when you receive confirmation from support that the **VPC Endpoint** limit in the shared network account has been increased~~
- ~~- Set `"customer-confirm-inplace"` to **true** in the config file for the limit `"Amazon VPC/Interface VPC endpoints per VPC"` in the shared network account~~
- 2. On the next state machine execution, resources blocked by limits should be deployed (i.e. additional VPC's and Endpoints)
- 3. If more than 2 days elapses without the limits being increased, on the next state machine execution, they will be re-requested
-
-# Accelerator Basic Operation
-
-### How do I add new AWS accounts to my AWS Organization?
-
-- We offer two options and both can be used in the same deployment:
-
- - In both the ALZ and standalone versions of the Accelerator, you can simply add the following five lines to the configuration file `workload-account-configs` section and rerun the state machine. The majority of the account configuration will be picked up from the ou the AWS account has been assigned. You can also add additional account specific configuration, or override items like the default ou budget with an account specific budget. This mechanism is often used by customers that wish to programmatically create AWS accounts using the Accelerator and allows for adding many new accounts at one time.
-
- ```
- "fun-acct": {
- "account-name": "TheFunAccount",
- "email": "myemail+pbmmT-funacct@example.com",
- "ou": "Sandbox"
- }
- ```
-
- - STANDALONE VERSION ONLY: We've heard consistent feedback that our customers wish to use native AWS services and do not want to do things differently once security controls, guardrails, or accelerators are applied to their environment. In this regard, simply create your new AWS account in AWS Organizations as you did before\*\*.
-
- - \*\* **IMPORTANT:** When creating the new AWS account using AWS Organizations, you need to specify the role name you provided in the Accelerator configuration file `global-options\organization-admin-role`, the default value is `AWSCloudFormationStackSetExecutionRole`, otherwise we cannot bootstrap the account.
- - On account creation we will apply a quarantine SCP which prevents the account from being used by anyone until the Accelerator has applied the appropriate guardrails
- - Moving the account into the appropriate OU triggers the state machine and the application of the guardrails to the account, once complete, we will remove the quarantine SCP
-
-### Can I use AWS Organizations for all tasks I currently use AWS Organizations for? (Standalone Version Only)
-
-- In AWS Organizations you can continue to:
- - create and rename AWS accounts
- - move AWS accounts between ou's
- - create, delete and rename ou's, including support for nested ou's
- - create, rename, modify, apply and remove SCP's
-- What can't I do:
- - modify Accelerator controlled SCP's
- - add/remove SCP's on top-level OU's (these are Accelerator controlled)
- - users can change SCP's on non-top-level ou's and accounts as they please
- - move an AWS account between top-level ou's (i.e. `Sandbox` to `Prod` is a security violation)
- - moving between `Prod/sub-ou-1` to `Prod/sub-ou2` or `Prod/sub-ou2/sub-ou2a/sub-ou2ab` is fully supported
- - create a top-level ou (need to validate, as they require config file entries)
- - remove quarantine SCP from newly created accounts
- - we do not support forward slashes (`/`) in ou names, even though the AWS platform does
-- More details:
- - If you edit an Accelerator controlled SCP through Organizations, we will reset it per what is defined in the Accelerator configuration files.
- - If you add/remove an SCP from a top-level ou, we will put them back as defined in the Accelerator configuration file.
- - If you move an account between top-level ou's, we will put it back to its original designated top-level ou.
- - The Accelerator fully supports nested ou's, customers can create any depth ou structure in AWS Organizations and add/remove/change SCP's _below_ the top-level as they desire or move accounts between these ou's without restriction. Users can create ou's to the full AWS ou structure/depth.
- - Except for the Quarantine SCP applied to specific accounts, we do not 'control' SCP's below the top level, customers can add/create/customize SCP's
-
-### How do I import an existing AWS account into my Accelerator managed AWS Organization (or what if I created a new AWS account with a different Organization trust role)?\*
-
-- Ensure you have valid administrative privileges for the account to be invited/added
-- Add the account to your AWS Organization using standard processes (i.e. Invite/Accept)
- - this process does NOT create an organization trust role
- - imported accounts do NOT have the quarantine SCP applied as we don't want to break existing workloads
-- Login to the account using the existing administrative credentials
-- Execute the Accelerator provided CloudFormation template to create the required Accelerator bootstrapping role - in the Github repo here: reference-artifacts\Import-Account\cfn-awscloudformationstacksetexecutionrole.template.yml
- - add the account to the Accelerator config file and run the state machine
-- If you simply created the account with an incorrect role name, you likely need to take extra steps:
- - Update the Accelerator config file to add the parameter: `global-options\ignored-ous` = `["UnManagedAccounts"]`
- - In AWS Organizations, create a new OU named `UnManagedAccounts` (case sensitive)
- - Move the account to the `UnManagedAccounts` ou
- - You can now remove the Quarantine SCP from the account
- - Assume an administrative role into the account
- - Execute the Accelerator provided CloudFormation template to create the required Accelerator bootstrapping role
-
-\* A slightly different process exists for ALZ versions of the Accelerator
-
-### How do I modify and extend the Accelerator or execute my own code after the Accelerator provisions a new AWS account or the state machine executes?
-
-Flexibility:
-
-- The AWS Secure Environment Accelerator was developed to enable extreme flexibility without requiring a single line of code to be changed. One of our primary goals throughout the development process was to avoid making any decisions that would result in users needing to fork or branch the Accelerator codebase. This would help ensure we had a sustainable and upgradable solution for a broad customer base over time.
-- Functionality provided by the Accelerator can generally be controlled by modifying the main Accelerator configuration file.
-- Items like SCP's, rsyslog config, Powershell scripts, and iam-policies have config files provided and auto-deployed as part of the Accelerator to deliver on the prescriptive architecture (these are located in the \reference-artifacts folder of the Github repo for reference). If you want to alter the functionality delivered by any of these additional config files, you can simply provide your own by placing it in your specified Accelerator bucket in the appropriate sub-folder. The Accelerator will use your provided version instead of the supplied repo reference version.
-- As SCP's and IAM policies are defined in the main config file, you can simply define new policies, pointing to new policy files, and provide these new files in your bucket, and they will be used.
-- While a sample firewall config file is provided in the \reference-artifacts folder, it must be manually placed in your s3 bucket/folder on new Accelerator deployments
-- Any/all of these files can be updated at any time and will be used on the next execution of the state machine
-- Over time, we predict we will provide several sample or reference architectures and not just the current single PBMM architecture (all located in the \reference-artifacts folder).
-
-Extensibility:
-
-- Every execution of the state machine sends a state machine status event to a state machine SNS topic
-- These status events include the Success/Failure status of the state machine, and on success, a list of all successfully processed AWS accounts
-- While this SNS topic is automatically subscribed to a user provided email address for user notification, users can also create additional SNS subscriptions to enable triggering their own subsequent workflows, state machines, or custom code using any supported SNS subscription type (Lambda, SQS, Email, HTTPS, HTTPS)
-
-Example:
-
-- One of our early adopter customers has developed a custom user interface which allows their clients to request new AWS environments. Clients provide items like cost center, budget, and select their environment requirements (i.e. Sandbox, Unclass or full PBMM SDLC account set). On appropriate approval, this pushes the changes to the Accelerator configuration file and triggers the state machine.
-- Once the state machine completes, the SNS topic triggers their follow-up workflow, validates the requested accounts were provisioned, updates the customer's account database, and then executes a collection of customer specific follow-up workflow actions on any newly provisioned accounts.
-
-### What if my State Machine fails? Why? Previous solutions had complex recovery processes, what's involved?
-
-If your state machine fails, review the error(s), resolve the problem and simply re-run the state machine. We've put a huge focus on ensuring the solution is idempotent and to ensure recovery is a smooth and easy process.
-
-Ensuring the integrity of deployed guardrails is critical in operating and maintaining an environment hosting protected data. Based on customer feedback and security best practices, we purposely fail the state machine if we cannot successfuly deploy guardrails.
-
-Additionally, with millions of active customers each supporting different and diverse use cases and with the rapid rate of evolution of the AWS platform, sometimes we will encounter unexpected circumstances and the state machine might fail.
-
-We've spent a lot of time over the course of the Accelerator development process ensuring the solution can roll forward, roll backward, be stopped, restarted, and rerun without issues. A huge focus was placed on dealing with and writing custom code to manage and deal with non-idempotent resources (like S3 buckets, log groups, KMS keys, etc). We've spent a lot of time ensuring that any failed artifacts are automatically cleaned up and don't cause subsequent executions to fail. We've put a strong focus on ensuring you do not need to go into your various AWS sub-accounts and manually remove or cleanup resources or deployment failures. We've also tried to provide usable error messages that are easy to understand and troubleshoot. As we find new issues, we continue to adjust the codebase to handle these situations smoothly and prevent state machine failures when it makes sense.
-
-Will your state machine fail at some point in time, likely. Will you be able to easily recover and move forward without extensive time and effort, YES!
-
-### How do I make changes to items I defined in the Accelerator configuration file during installation?
-
-Simply update your configuration file and rerun the state machine! In most cases, it is that simple.
-
-If you ask the Accelerator to do something that is not supported by the AWS platform, the state machine will fail, so it needs to be a supported capability. For example, the platform does not allow you to change the CIDR block on a VPC, but you can accomplish this as you would today by using the Accelerator to deploy a new second VPC, manually migrating workloads, and then removing the deprecated VPC from the Accelerator configuration.
-
-Below we have also documented additional considerations when creating or updating the configuration file.
-
-It should be noted that we have added code to the Accelerator to block customers from making many 'breaking' or impactful changes to their configuration files. If someone is positive they want to make these changes, we also provide overide switches to allow these changes to be attempted forcefully.
-
-# Notes
-
-## UPGRADES
-
-- Always compare your configuration file with the config file from the latest release to validate new or changed parameters or changes in parameter types / formats
-- Upgrades from versions prior to v1.1.4 require dropping the fw AND fwMgr deployments during the upgrade (i.e. simply comment out the fw and fwmgr sections before upgrade). \*\* See below. You can redeploy the firewalls using the Accelerator after the upgrade. If you miss this step, the perimeter stack will likely fail to rollback and require manual intervention before you can re-run the state machine without the fws and fwmgr configurations.
-- Upgrades to v1.1.5 and above from v1.1.4 and below:
- - requires providing the "overrideComparison": true flag to the State Machine, as we are changing file formats and cannot compare to previous config file versions. Use extra caution, as we are not blocking breaking changes to the configuration file when this parameter is provided.
- - High probability of a State Machine failure due to a 1hr step timeout limitation. No easy fix available. Simply rerun the State Machine. We are reversing something from the v1.1.4 release which is extremely time consuming.
-
-\*\* If you have customized the FW configuration, make sure you have backed up the FW configs before upgrade. If you want your fw customizations automatically redeployed, simply add them into the appropriate firewall-example.txt configuration file.
-
-### Summary of Upgrade Steps (to v1.1.6)
-
-- Ensure a valid Github token is stored in secrets manager
-- Update the config file in Code Commit with new parameters and updated parameter types (this is important as features are iterating rapidly)
-- If you are replacing your GitHub Token:
- - Take note of the s3 bucket name from the stack parameters
- - Delete the Installer CFN stack (`PBMMAccel-what-you-provided`)
- - Redeploy the Installer CFN stack using the latest template (provide bucket name and notification email address)
- - The pipeline will automatically run and trigger the upgraded state machine
-- If you are using a pre-existing GitHub token:
- - Update the Installer CFN stack, providing the new `GithubRepository` name and `GithubBranch` associated with the release (eg. `aws-secure-environment-accelerator` and `release/v1.1.6`)
- - Some releases, not this one, require replacing the CFN template
- - Go To Code Pipeline and Release the PBMMAccel-InstallerPipeline
-- In both cases the State Machine will fail upon execution, rerun the State Machine providing the "overrideComparison": true flag
-
-### Summary of Upgrade Steps (to v1.1.4)
-
-- Ensure a valid Github token is stored in secrets manager
-- Update the config file with new parameters and updated parameter types
-- Remove the **_fw_** AND **_fwmgr_** from the config file
-- Delete the Installer CFN stack (take note of the s3 bucket name first)
- - If you are using a pre-existing GitHub token, you can simply Update the stack
-- Redeploy the Installer CFN stack using the latest template
-
-## Configuration File Notes
-
-- You cannot supply (or change) configuration file values to something not supported by the AWS platform
- - For example, CWL retention only supports specific retention values (not any number)
- - Shard count - can only increase/reduce by half the current limit. i.e. you can change from `1`-`2`, `2`-`3`, `4`-`6`
-- Always add any new items to the END of all lists or sections in the config file, otherwise
- - Update validation checks will fail (vpc's, subnets, share-to, etc.)
- - VPC endpoint deployments will fail - do NOT re-order or insert VPC endpoints (unless you first remove them all completely, execute SM, and then re-add them, run SM)
-- To skip, remove or uninstall a component, you can simply change the section header
- - change "deployments"/"firewalls" to "deployments"/"xxfirewalls" and it will uninstall the firewalls
-- As you grow and add AWS accounts, the Kinesis Data stream in the log-archive account will need to be monitored and have its capacity (shard count) increased by setting `"kinesis-stream-shard-count"` variable under `"central-log-services"` in the config file
-- Updates to NACL's requires changing the rule number (`100` to `101`) or they will fail to update
-- The sample firewall configuration uses an instance with **4** NIC's, make sure you use an instance size that supports 4 ENI's
-- Re-enabling individual security controls in Security Hub requires toggling the entire security standard off and on again, controls can be disabled at any time
-- Firewall names, CGW names, TGW names, MAD Directory ID, account keys, and ou's must all be unique throughout the entire configuration file
-- The configuration file _does_ have validation checks in place that prevent users from making certain major unsupported configuration changes
-- The configuration file does _NOT_ have extensive error checking. It is expected you know what you are doing. We eventually hope to offer a config file, wizard based GUI editor and add the validation logic in this separate tool. In most cases the State Machine will fail with an error, and you will simply need to troubleshoot, rectify and rerun the state machine.
-- You cannot move an account between top-level ou's. This would be a security violation and cause other issues. You can move accounts between sub-ou. Note: The ALZ version of the Accelerator does not support sub-ou.
-- v1.1.5 and above adds support for customer provided YAML config file(s) as well as JSON. Once YAML is suppported we will be providing a version of the config file with comments describing the purpose of each configuration item
-- Security Group names were designed to be identical between environments, if you want the VPC name in the SG name, you need to do it manually in the config file
-- We only support the subset of yaml that converts to JSON (we do not support anchors)
-- Do not change the `organization-admin-role` unless you have created the new role with appropriate trust relationship in ALL existing accounts
-
-## General Notes
-
-- The master account does NOT have any preventative controls to protect the integrity of the Accelerator codebase, deployed objects or guardrails. Do not delete, modify, or change anything in the master account unless you are certain as to what you are doing.
-- More specifically, do NOT delete, or change _any_ buckets in the master account
-- While likely protected, do not delete/update/change s3 buckets with CDK, CFN, or PBMMAccel- in _any_ sub-accounts
-- Log group deletion is prevented for security purposes. Users of the Accelerator environment will need to ensure they set CFN stack Log group retention type to RETAIN, or stack deletes will fail when attempting to delete a stack and your users will complain.
-
-## Known limitations/purposeful exclusions:
-
-- ALB automated deployments currently only supports Forward and not redirect rules
-- AWS Config Aggregator is deployed in the Organization master account as enabling through Organizations is much simpler to implement. Organizations only supports deploying the Aggregator in the Org master account and not in a designated master account at this time. Once supported, we will update the code to move the Aggregator master account.
-- Amazon Detective - not included
-- Only 1 auto-deployed MAD per AWS account is supported today
-- VPC Endpoints have no Name tags applied as CloudFormation does not currently support tagging VPC Endpoints
-- If the master account coincidentally already has an ADC with the same domain name, we do not create/deploy a new ADC. You must manually create a new ADC (it won't cause issues).
-- Firewall updates are to be performed using the firewall OS based update capabilities. To update the AMI using the Accelerator, you must first remove the firewalls and then redeploy them (as the EIP's will block a parallel deployment), or deploy a second parallel FW cluster and deprovision the first cluster when ready.
-
-## Known Installation Issues:
-
-- All versions are currently experiencing GuardDuty deployment failures in at least one random region, cause and retry behaviour currently under investigation. Simply rerun the State Machine
-- Standalone installation - currently requires manually creating the core ou and moving the master AWS account into it before running the State Machine, otherwise, once the SM fails, simply move the master account into the auto-created core ou and rerun the SM
-
-# AWS Internal - Accelerator Release Process
-
-## Creating a new Accelerator Code Release
-
-1. Ensure `master` is in a suitable state
-2. Create a version branch with [SemVer](https://semver.org/) semantics and a `release/` prefix: e.g. `release/v1.0.5`
-
-- **Important:** Certain git operations are ambiguous if tags and branches have the same name. Using the `release/` prefix reserves the actual version name for the tag itself.
-
-3. Push that branch to GitHub (if created locally)
-4. The release workflow will run, and create a **draft** release if successful with all commits since the last tagged release.
-5. Prune the commits that have been added to the release (e.g. remove any low-information commits)
-6. Publish the release - this creates the git tag in the repo and marks the release as latest.
-
-[...Return to Table of Contents](../index.md)
+# Installation, Upgrades and Basic Operations
+
+**_Deploying the AWS Accelerator requires the assistance of your local AWS Account team. Attempts to deploy the Accelerator without the support of your AWS SA, TAM, Proserve, or AM will fail as new AWS accounts do not have appropriate limits established to facilitate installation._**
+
+Installation of the provided prescriptive AWS architecture, as-is, requires a limit increase to support a minimum of 6 AWS accounts in the AWS Organization plus any additional required workload accounts.
+
+These installation instructions assume the prescribed architecture is being deployed.
+
+## Prerequisites
+
+- Master or Root AWS account (the AWS Accelerator cannot be deployed in an AWS sub-account)
+ - No additional AWS accounts need to be pre-created before Accelerator installation
+- Limit increase to support a minimum of 6 new sub-accounts plus any additional workload accounts
+- Determine if you will install on top of ALZ or as a standalone installation
+ - If you don't already have the ALZ installed, you will be doing a standalone installation
+ - Even if you do have the ALZ installed, we recommend customers consider uninstalling the ALZ and proceeding with a standalone installation
+- Valid configuration file, updated to reflect your deployment (see below)
+- Determine your primary or Accelerator 'control' region. These instructions have been written assuming ca-central-1, but any supported region can be substituted.
+
+#### Existing AWS Organizations or AWS Accounts
+
+- The Accelerator _can_ be installed into existing AWS Organizations
+ - our early adopters have all successfully deployed into existing organizations
+- Existing AWS accounts _can_ also be imported into an Accelerator managed Organization
+- Caveats:
+ - Per AWS Best Practices, the Accelerator deletes the default VPC's in all AWS accounts. The inability to delete default VPC's in preexisting accounts will fail the installation/account import process. Ensure default VPC's can or are deleted before importing existing accounts. On failure, either rectify the situation, or remove the account from Accelerator management and rerun the state machine
+ - The Accelerator will NOT alter existing (legacy) constructs (e.g. VPC's, EBS volumes, etc.). For imported and pre-existing accounts, objects the Accelerator prevents from being created using preventative guardrails will continue to exist and not conform to the prescriptive security guidance
+ - Existing workloads should be migrated to Accelerator managed VPC's and legacy VPC's deleted to gain the full governance benefits of the Accelerator (centralized flow logging, centralized ingress/egress, no IGW's, Session Manager access, existing non-encrypted EBS volumes, etc.)
+ - Existing AWS services will be reconfigured as defined in the Accelerator configuration file (overwriting existing settings)
+ - We do NOT support _any_ workloads running or users operating in the master AWS account. The master AWS account MUST be tightly controlled
+ - Importing existing _workload_ accounts is fully supported, we do NOT support, recommend and strongly discourage importing mandatory accounts, unless they were clean/empty accounts. Mandatory accounts are critical to ensuring governance across the entire solution
+
+### Standalone Accelerator Installation (No ALZ base) (Preferred)
+
+Before installing, you must first:
+
+1. Login to the Organization **Master AWS account** with `AdministratorAccess`.
+2. **_Set the region to `ca-central-1`._**
+3. Enable AWS Organizations
+4. Enable Service Control Policies
+5. In AWS Organizations, "Verify" the master account email address (this is a technical process)
+6. Set `alz-baseline=false` in the configuration file
+7. Create a new KMS key to encrypt your source configuration bucket (you can use an existing key)
+
+- AWS Key Management Service, Customer Managed Keys, Create Key, Symmetric, and then provide a key name
+ (`Accel-Source-Bucket-Key`), Next
+- Select a key administrator (Admin Role or Group for the master account), Next
+- Select key users (Admin Role or Group for the master account), Next
+- Validate an entry exists to "Enable IAM User Permissions" (critical step if using an existing key)
+ - `"arn:aws:iam::123456789012:root"`, where `123456789012` is your **_master_** account id.
+- Click Finish
+
+### ALZ Based Accelerator Installation
+
+You need an AWS account with the AWS Landing Zone (ALZ) v2.3.1 or v2.4.0 deployed. It is strongly encouraged to upgrade to ALZ v2.4.0 before deploying the Accelerator.
+
+When deploying the ALZ select:
+
+1. Set `Lock StackSetExecution Role` to `No`
+2. For production deployments, deploy to `All regions`, or `ca-central-1` for testing
+3. Specify Non-Core OU Names: `Dev,Test,Prod,Central,UnClass,Sandbox` (case sensitive)
+ - these match the provided prescriptive Accelerator configuration file (config.example.json)
+
+Before installing, you must first:
+
+1. Set `alz-baseline=true` in the configuration file
+2. Login to the Organization **Master AWS account** where AWS Landing Zone is deployed with `AdministratorAccess`.
+3. **_Set the region to `ca-central-1`._**
+4. Enable IAM permissions to control access to use the `AwsLandingZoneKMSKey` KMS key.
+ - i.e. add a root entry - `"arn:aws:iam::123456789012:root"`, where `123456789012` is your **_master_** account id.
+
+### BOTH Installation Types
+
+In the Master or root AWS account, manually:
+
+1. Enable `"Cost Explorer"` (My Account, Cost Explorer, Enable Cost Explorer)
+2. Enable `"Receive Billing Alerts"` (My Account, Billing Preferences, Receive Billing Alerts)
+3. It is **_extremely important_** that **_all_** the account contact details be validated in the MASTER account before deploying any new sub-accounts.
+
+- This information is copied to every new sub-account on creation.
+- Subsequent changes to this information require manually updating it in **\*each** sub-account.
+- Go to `My Account` and verify/update the information lists under both the `Contact Information` section and the `Alternate Contacts` section.
+- Please ESPECIALLY make sure the email addresses and Phone numbers are valid and regularly monitored. If we need to reach you due to suspicious account activity, billing issues, or other urgent problems with your account - this is the information that is used. It is CRITICAL it is kept accurate and up to date at all times.
+
+### AWS Internal Accounts Only
+
+If deploying to an internal AWS account, to successfully install the entire solution, you need to enable Private Marketplace (PMP) before starting:
+
+1. In the master account go here: https://aws.amazon.com/marketplace/privatemarketplace/create
+2. Click Create Marketplace
+3. Go to Profile sub-tab, click the `Not Live` slider to make it `Live`
+4. Click the `Software requests` slider to turn `Requests off`
+5. Change the name field (i.e. append `-PMP`) and change the color, so it is clear PMP is enabled for users
+6. Search Private Marketplace for Fortinet products
+7. Unselect the `Approved Products` filter and then select:
+ - `Fortinet FortiGate (BYOL) Next-Generation Firewall`
+8. Select "Add to Private Marketplace" in the top right
+ - Due to PMP provisioning delays, this sometimes fails when attempted immediately following enablement of PMP - retry after 20 minutes.
+9. Wait a couple of minutes while it adds item to your PMP - do NOT subscribe or accept the EULA
+ - Repeat for `Fortinet FortiManager (BYOL) Centralized Security Management`
+
+## Preparation
+
+### Create a GitHub Personal Access Token.
+
+1. You require a GitHub access token to access the code repository
+2. Instructions on how to create a personal access token are located here: https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
+3. Select the scope `repo: Full control over private repositories`.
+4. Store the personal access token in Secrets Manager as plain text. Name the secret `accelerator/github-token` (case sensitive).
+ - Via AWS console
+ - Store a new secret, and select `Other type of secrets`, `Plaintext`
+ - Paste your secret with no formatting no leading or trailing spaces
+ - Select either the key you created above (`Accel-Source-Bucket-Key`) or the `AwsLandingZoneKMSKey`,
+ - Set the secret name to `accelerator/github-token` (case sensitive)
+ - Select `Disable rotation`
+
+### Accelerator Configuration
+
+1. You can use the [`config.example.json`](../../reference-artifacts/config.example.json) file as base
+ - Use the version from the branch you are deploying from as some parameters have changed over time
+ - On upgrades, compare your deployed configuration file with the latest branch configuration file for any new or changed parameters
+ - This configuration file can be used, as-is, with only minor modification to successfully deploy the standard architecture
+2. At minimum, you MUST update the AWS account names and email addresses in the sample file:
+ 1. For existing accounts, they must match identically to the ones defined in your AWS Landing Zone;
+ 2. For new accounts, they must reflect the new account name/email you want created;
+ 3. All new AWS accounts require a unique email address which has never before been used to create an AWS account;
+ 4. When updating the budget notification email addresses within the example, a single email address for all is sufficient;
+ 5. For a test deployment, the remainder of the values can be used as-is.
+3. In the ALZ version of the Accelerator, we strongly recommend removing _all_ workload accounts from the configuration file during initial deployment. Workload accounts can be added in the future. The ALZ AVM takes 42 minutes per sub-account. Additionally, importing existing accounts during initial deployment increases the risk of initial deployment failures.
+4. A successful deployment requires VPC access to 6 AWS endpoints, you cannot remove both the perimeter firewalls (all public endpoints) and the 6 required central VPC endpoints from the config file (ec2, ec2messages, ssm, ssmmessages, cloudformation, secretsmanager).
+
+### Key Production Config File Requirements:
+
+- **For a production deployment, THIS REQUIRES EXTENSIVE PREPARATION AND PLANNING**
+ - Plan your OU structure, we are suggesting:
+ - core, Central, Sandbox, Unclass, Dev, Test, Prod
+ - 6 \* RFC1918 Class B address blocks (CIDR's) which do not conflict with your on-premise networks
+ - (one for each OU, except Sandbox which is not routable)
+ - core Class B range will be split to support the Endpoint VPC and Perimeter VPC
+ - 3 \* RFC6598 /23 address blocks (Government of Canada (GC) requirement only)
+ - (MAD, perimeter underlay, perimeter overlay)(non-GC customers can use address space from the core CIDR range)
+ - 3 \* BGP ASN's (TGW, FW Cluster, VGW)
+ - A Unique Windows domain name (`deptaws`/`dept.aws`, `deptcloud`/`dept.cloud`, etc.)
+ - DNS Domain names and DNS server IP's for on-premise private DNS zones requiring cloud resolution
+ - DNS Domain for a cloud hosted public zone `"public": ["dept.cloud-nuage.canada.ca"]`
+ - DNS Domain for a cloud hosted private zone `"private": ["dept.cloud-nuage.gc.ca"]`
+ - Wildcard TLS certificate for each of the 2 previous zones
+ - 2 Fortinet FortiGate firewall licenses
+ - We also recommend at least 20 unique email ALIASES associated with a single mailbox, never used before to open AWS accounts, such that you do not need to request new email aliases every time you need to create a new AWS account.
+
+4. Create an S3 bucket in your master account with versioning enabled `your-bucket-name`
+ - you must supply this bucket name in the CFN parameters _and_ in the config file
+ - the bucket name _must_ be the same in both spots
+ - the bucket should be `S3-KMS` encrypted using either the `AwsLandingZoneKMSKey` or the `Accel-Source-Bucket-Key` created above
+5. Place your customized config file, named `config.json`, in your new bucket
+6. Place the firewall configuration and license files in the folder and path defined in the config file
+ - i.e. `firewall/firewall-example.txt`, `firewall/license1.lic` and `firewall/license2.lic`
+ - Sample available here: `./reference-artifacts/Third-Party/firewall-example.txt`
+ - If you don't have any license files, update the config file with an empty array []
+7. Place any defined certificate files in the folder and path defined in the config file
+ - i.e. `certs/example1-cert.key`, `certs/example1-cert.crt`
+ - Sample available here: `./reference-artifacts/Certs-Sample/*`
+ - Ideally you would generate real certificates using your existing certificate authority
+ - Should you wish, instructions are provided to aid in generating your own self-signed certificates
+ - Use the examples to demonstrate Accelerator TLS functionality only
+8. Detach **_ALL_** SCPs (except `FullAWSAccess` which remains in place) from all OU's and accounts before proceeding
+ - Installation **will fail** if this step is skipped
+
+### Deploy the Accelerator Installer Stack
+
+1. You can find the latest release in the repository [here:](https://github.com/aws-samples/aws-secure-environment-accelerator/releases)
+2. Download the CloudFormation template `AcceleratorInstaller.template.json` for the release you plan to install
+3. Use the template to deploy a new stack in your AWS account
+4. **_Make sure you are in `ca-central-1` (or your desired primary or control region)_**
+5. Fill out the required parameters - **_LEAVE THE DEFAULTS UNLESS SPECIFIED BELOW_**
+6. Specify `Stack Name` STARTING with `PBMMAccel-` (case sensitive) suggest a suffix of `deptname` or `username`
+7. Change `ConfigS3Bucket` to the name of the bucket you created above `your-bucket-name`
+8. Add an `Email` address to be used for notification of code releases
+9. The `GithubBranch` should point to the release you selected
+ - if upgrading, change it to point to the desired release
+ - the latest stable branch is currently `release/v1.1.6`, case sensitive
+10. For deployments before v1.1.6, update the `GithubRepository` name to `aws-secure-environment-accelerator`
+11. Apply a tag on the stack, Key=`Accelerator`, Value=`PBMM` (case sensitive).
+12. **ENABLE STACK TERMINATION PROTECTION** under `Stack creation options`
+13. The stack typically takes under 5 minutes to deploy.
+14. Once deployed, you should see a CodePipeline project named `PBMMAccel-InstallerPipeline` in your account. This pipeline connects to Github, pulls the code from the prescribed branch and deploys the Accelerator state machine.
+15. For new stack deployments, when the stack deployment completes, the Accelerator state machine will automatically execute (in Code Pipeline). When upgrading you must manually `Release Change` to start the pipeline.
+16. **While the pipeline is running, review the list of [Known Installation Issues]([https://github.com/aws-samples/aws-secure-environment-accelerator/blob/master/docs/installation/index.md#Known-Installation-Issues) near the bottom on this document**
+17. Once the pipeline completes (typically 15-20 minutes), the state machine, named `PBMMAccel-MainStateMachine_sm`, will start in Step Functions
+18. The state machine takes several hours to execute on an initial installation. Timing for subsequent executions depends entirely on what resources are changed in the configuration file, but can take as little as 20 minutes.
+19. The configuration file will be automatically moved into Code Commit (and deleted from S3). From this point forward, you must update your configuration file in CodeCommit.
+20. You will receive an email from the State Machine SNS topic. Please confirm the email subscription to enable receipt of state machine status messages. Until completed you will not receive any email messages.
+21. After the perimeter account is created in AWS Organizations, but before the Accelerator reaches Stage 2:
+ 1. NOTE: If you miss the step, or fail to execute it in time, no need to be concerned, you will simply need to re-run the state machine to deploy the firewall products
+ 2. Login to the **perimeter** sub-account (Assume your `organization-admin-role`)
+ 3. Activate the Fortinet Fortigate BYOL AMI and the Fortinet FortiManager BYOL AMI at the URL: https://aws.amazon.com/marketplace/privatemarketplace
+ - Note: you should see the private marketplace, including the custom color specified in prerequisite step 4 above.
+ - When complete, you should see the marketplace products as subscriptions **in the Perimeter account**:
+
+
+
+21. Once the state machine completes successfully, confirm the status of your perimeter firewall deployment.
+ - While you can watch the state machine in Step Functions, you will also be notified via email when the State Machine completes (or fails). Successful state machine executions include a list of all accounts which were successfully processed by the Accelerator.
+22. If your perimeter firewalls were not deployed on first run, you will need to rerun the state machine. This happens when:
+ 1. you were unable to activate the firewall AMI's before stage 2 (step 19)
+ 2. we were not able to fully activate your account before we were ready to deploy your firewalls
+ 3. In these cases, simply select the `PBMMAccel-MainStateMachine_sm` in Step Functions and select `Start Execution`
+23. The Accelerator installation is complete, but several manual steps remain:
+
+ 1. recover root passwords for all sub-accounts
+ 2. enable MFA for **all** IAM users and **all** root users
+ 3. Login to the firewalls and firewall manager appliance and set default passwords
+ - Update firewall configuration per your organizations security best practices
+ - manually update firewall configuration to forward all logs to the Accelerator deployed NLB addresses fronting the rsyslog cluster
+ - manually update the firewall configuration to connect perimeter ALB high port flows through to internal account ALB's
+ 4. In ca-central-1, Enable AWS SSO, Set the SSO directory to MAD, set the SSO email attrib to: \${dir:email}, create all default permission sets and any desired custom permission sets, map MAD groups to perm sets
+ 5. On a per role basis, you need to enable the CWL Account Selector in the Security and the Ops accounts
+
+24. During the installation we request required limit increases, resources dependent on these limits were not deployed
+ 1. You should receive emails from support confirming the limit increases
+ ~~2. Unfortunately, once the VPC endpoint limit is increased, it does not properly register in AWS Quota tool~~
+ ~~- If and when you receive confirmation from support that the **VPC Endpoint** limit in the shared network account has been increased~~
+ ~~- Set `"customer-confirm-inplace"` to **true** in the config file for the limit `"Amazon VPC/Interface VPC endpoints per VPC"` in the shared network account~~
+ 2. On the next state machine execution, resources blocked by limits should be deployed (i.e. additional VPC's and Endpoints)
+ 3. If more than 2 days elapses without the limits being increased, on the next state machine execution, they will be re-requested
+
+# Accelerator Basic Operation
+
+### How do I add new AWS accounts to my AWS Organization?
+
+- We offer two options and both can be used in the same deployment:
+
+ - In both the ALZ and standalone versions of the Accelerator, you can simply add the following five lines to the configuration file `workload-account-configs` section and rerun the state machine. The majority of the account configuration will be picked up from the ou the AWS account has been assigned. You can also add additional account specific configuration, or override items like the default ou budget with an account specific budget. This mechanism is often used by customers that wish to programmatically create AWS accounts using the Accelerator and allows for adding many new accounts at one time.
+
+ ```
+ "fun-acct": {
+ "account-name": "TheFunAccount",
+ "email": "myemail+pbmmT-funacct@example.com",
+ "ou": "Sandbox"
+ }
+ ```
+
+ - STANDALONE VERSION ONLY: We've heard consistent feedback that our customers wish to use native AWS services and do not want to do things differently once security controls, guardrails, or accelerators are applied to their environment. In this regard, simply create your new AWS account in AWS Organizations as you did before\*\*.
+
+ - \*\* **IMPORTANT:** When creating the new AWS account using AWS Organizations, you need to specify the role name you provided in the Accelerator configuration file `global-options\organization-admin-role`, the default value is `AWSCloudFormationStackSetExecutionRole`, otherwise we cannot bootstrap the account.
+ - On account creation we will apply a quarantine SCP which prevents the account from being used by anyone until the Accelerator has applied the appropriate guardrails
+ - Moving the account into the appropriate OU triggers the state machine and the application of the guardrails to the account, once complete, we will remove the quarantine SCP
+
+### Can I use AWS Organizations for all tasks I currently use AWS Organizations for? (Standalone Version Only)
+
+- In AWS Organizations you can continue to:
+ - create and rename AWS accounts
+ - move AWS accounts between ou's
+ - create, delete and rename ou's, including support for nested ou's
+ - create, rename, modify, apply and remove SCP's
+- What can't I do:
+ - modify Accelerator controlled SCP's
+ - add/remove SCP's on top-level OU's (these are Accelerator controlled)
+ - users can change SCP's on non-top-level ou's and accounts as they please
+ - move an AWS account between top-level ou's (i.e. `Sandbox` to `Prod` is a security violation)
+ - moving between `Prod/sub-ou-1` to `Prod/sub-ou2` or `Prod/sub-ou2/sub-ou2a/sub-ou2ab` is fully supported
+ - create a top-level ou (need to validate, as they require config file entries)
+ - remove quarantine SCP from newly created accounts
+ - we do not support forward slashes (`/`) in ou names, even though the AWS platform does
+- More details:
+ - If you edit an Accelerator controlled SCP through Organizations, we will reset it per what is defined in the Accelerator configuration files.
+ - If you add/remove an SCP from a top-level ou, we will put them back as defined in the Accelerator configuration file.
+ - If you move an account between top-level ou's, we will put it back to its original designated top-level ou.
+ - The Accelerator fully supports nested ou's, customers can create any depth ou structure in AWS Organizations and add/remove/change SCP's _below_ the top-level as they desire or move accounts between these ou's without restriction. Users can create ou's to the full AWS ou structure/depth.
+ - Except for the Quarantine SCP applied to specific accounts, we do not 'control' SCP's below the top level, customers can add/create/customize SCP's
+
+### How do I import an existing AWS account into my Accelerator managed AWS Organization (or what if I created a new AWS account with a different Organization trust role)?\*
+
+- Ensure you have valid administrative privileges for the account to be invited/added
+- Add the account to your AWS Organization using standard processes (i.e. Invite/Accept)
+ - this process does NOT create an organization trust role
+ - imported accounts do NOT have the quarantine SCP applied as we don't want to break existing workloads
+- Login to the account using the existing administrative credentials
+- Execute the Accelerator provided CloudFormation template to create the required Accelerator bootstrapping role - in the Github repo here: reference-artifacts\Import-Account\cfn-awscloudformationstacksetexecutionrole.template.yml
+ - add the account to the Accelerator config file and run the state machine
+- If you simply created the account with an incorrect role name, you likely need to take extra steps:
+ - Update the Accelerator config file to add the parameter: `global-options\ignored-ous` = `["UnManagedAccounts"]`
+ - In AWS Organizations, create a new OU named `UnManagedAccounts` (case sensitive)
+ - Move the account to the `UnManagedAccounts` ou
+ - You can now remove the Quarantine SCP from the account
+ - Assume an administrative role into the account
+ - Execute the Accelerator provided CloudFormation template to create the required Accelerator bootstrapping role
+
+\* A slightly different process exists for ALZ versions of the Accelerator
+
+### How do I modify and extend the Accelerator or execute my own code after the Accelerator provisions a new AWS account or the state machine executes?
+
+Flexibility:
+
+- The AWS Secure Environment Accelerator was developed to enable extreme flexibility without requiring a single line of code to be changed. One of our primary goals throughout the development process was to avoid making any decisions that would result in users needing to fork or branch the Accelerator codebase. This would help ensure we had a sustainable and upgradable solution for a broad customer base over time.
+- Functionality provided by the Accelerator can generally be controlled by modifying the main Accelerator configuration file.
+- Items like SCP's, rsyslog config, Powershell scripts, and iam-policies have config files provided and auto-deployed as part of the Accelerator to deliver on the prescriptive architecture (these are located in the \reference-artifacts folder of the Github repo for reference). If you want to alter the functionality delivered by any of these additional config files, you can simply provide your own by placing it in your specified Accelerator bucket in the appropriate sub-folder. The Accelerator will use your provided version instead of the supplied repo reference version.
+- As SCP's and IAM policies are defined in the main config file, you can simply define new policies, pointing to new policy files, and provide these new files in your bucket, and they will be used.
+- While a sample firewall config file is provided in the \reference-artifacts folder, it must be manually placed in your s3 bucket/folder on new Accelerator deployments
+- Any/all of these files can be updated at any time and will be used on the next execution of the state machine
+- Over time, we predict we will provide several sample or reference architectures and not just the current single PBMM architecture (all located in the \reference-artifacts folder).
+
+Extensibility:
+
+- Every execution of the state machine sends a state machine status event to a state machine SNS topic
+- These status events include the Success/Failure status of the state machine, and on success, a list of all successfully processed AWS accounts
+- While this SNS topic is automatically subscribed to a user provided email address for user notification, users can also create additional SNS subscriptions to enable triggering their own subsequent workflows, state machines, or custom code using any supported SNS subscription type (Lambda, SQS, Email, HTTPS, HTTPS)
+
+Example:
+
+- One of our early adopter customers has developed a custom user interface which allows their clients to request new AWS environments. Clients provide items like cost center, budget, and select their environment requirements (i.e. Sandbox, Unclass or full PBMM SDLC account set). On appropriate approval, this pushes the changes to the Accelerator configuration file and triggers the state machine.
+- Once the state machine completes, the SNS topic triggers their follow-up workflow, validates the requested accounts were provisioned, updates the customer's account database, and then executes a collection of customer specific follow-up workflow actions on any newly provisioned accounts.
+
+### What if my State Machine fails? Why? Previous solutions had complex recovery processes, what's involved?
+
+If your state machine fails, review the error(s), resolve the problem and simply re-run the state machine. We've put a huge focus on ensuring the solution is idempotent and to ensure recovery is a smooth and easy process.
+
+Ensuring the integrity of deployed guardrails is critical in operating and maintaining an environment hosting protected data. Based on customer feedback and security best practices, we purposely fail the state machine if we cannot successfuly deploy guardrails.
+
+Additionally, with millions of active customers each supporting different and diverse use cases and with the rapid rate of evolution of the AWS platform, sometimes we will encounter unexpected circumstances and the state machine might fail.
+
+We've spent a lot of time over the course of the Accelerator development process ensuring the solution can roll forward, roll backward, be stopped, restarted, and rerun without issues. A huge focus was placed on dealing with and writing custom code to manage and deal with non-idempotent resources (like S3 buckets, log groups, KMS keys, etc). We've spent a lot of time ensuring that any failed artifacts are automatically cleaned up and don't cause subsequent executions to fail. We've put a strong focus on ensuring you do not need to go into your various AWS sub-accounts and manually remove or cleanup resources or deployment failures. We've also tried to provide usable error messages that are easy to understand and troubleshoot. As we find new issues, we continue to adjust the codebase to handle these situations smoothly and prevent state machine failures when it makes sense.
+
+Will your state machine fail at some point in time, likely. Will you be able to easily recover and move forward without extensive time and effort, YES!
+
+### How do I make changes to items I defined in the Accelerator configuration file during installation?
+
+Simply update your configuration file and rerun the state machine! In most cases, it is that simple.
+
+If you ask the Accelerator to do something that is not supported by the AWS platform, the state machine will fail, so it needs to be a supported capability. For example, the platform does not allow you to change the CIDR block on a VPC, but you can accomplish this as you would today by using the Accelerator to deploy a new second VPC, manually migrating workloads, and then removing the deprecated VPC from the Accelerator configuration.
+
+Below we have also documented additional considerations when creating or updating the configuration file.
+
+It should be noted that we have added code to the Accelerator to block customers from making many 'breaking' or impactful changes to their configuration files. If someone is positive they want to make these changes, we also provide overide switches to allow these changes to be attempted forcefully.
+
+# Notes
+
+## UPGRADES
+
+- Always compare your configuration file with the config file from the latest release to validate new or changed parameters or changes in parameter types / formats
+- Upgrades from versions prior to v1.1.4 require dropping the fw AND fwMgr deployments during the upgrade (i.e. simply comment out the fw and fwmgr sections before upgrade). \*\* See below. You can redeploy the firewalls using the Accelerator after the upgrade. If you miss this step, the perimeter stack will likely fail to rollback and require manual intervention before you can re-run the state machine without the fws and fwmgr configurations.
+- Upgrades to v1.1.5 and above from v1.1.4 and below:
+ - requires providing the "overrideComparison": true flag to the State Machine, as we are changing file formats and cannot compare to previous config file versions. Use extra caution, as we are not blocking breaking changes to the configuration file when this parameter is provided.
+ - High probability of a State Machine failure due to a 1hr step timeout limitation. No easy fix available. Simply rerun the State Machine. We are reversing something from the v1.1.4 release which is extremely time consuming.
+
+\*\* If you have customized the FW configuration, make sure you have backed up the FW configs before upgrade. If you want your fw customizations automatically redeployed, simply add them into the appropriate firewall-example.txt configuration file.
+
+### Summary of Upgrade Steps (to v1.1.6)
+
+- Ensure a valid Github token is stored in secrets manager
+- Update the config file in Code Commit with new parameters and updated parameter types (this is important as features are iterating rapidly)
+- If you are replacing your GitHub Token:
+ - Take note of the s3 bucket name from the stack parameters
+ - Delete the Installer CFN stack (`PBMMAccel-what-you-provided`)
+ - Redeploy the Installer CFN stack using the latest template (provide bucket name and notification email address)
+ - The pipeline will automatically run and trigger the upgraded state machine
+- If you are using a pre-existing GitHub token:
+ - Update the Installer CFN stack, providing the new `GithubRepository` name and `GithubBranch` associated with the release (eg. `aws-secure-environment-accelerator` and `release/v1.1.6`)
+ - Some releases, not this one, require replacing the CFN template
+ - Go To Code Pipeline and Release the PBMMAccel-InstallerPipeline
+- In both cases the State Machine will fail upon execution, rerun the State Machine providing the "overrideComparison": true flag
+
+### Summary of Upgrade Steps (to v1.1.4)
+
+- Ensure a valid Github token is stored in secrets manager
+- Update the config file with new parameters and updated parameter types
+- Remove the **_fw_** AND **_fwmgr_** from the config file
+- Delete the Installer CFN stack (take note of the s3 bucket name first)
+ - If you are using a pre-existing GitHub token, you can simply Update the stack
+- Redeploy the Installer CFN stack using the latest template
+
+## Configuration File Notes
+
+- You cannot supply (or change) configuration file values to something not supported by the AWS platform
+ - For example, CWL retention only supports specific retention values (not any number)
+ - Shard count - can only increase/reduce by half the current limit. i.e. you can change from `1`-`2`, `2`-`3`, `4`-`6`
+- Always add any new items to the END of all lists or sections in the config file, otherwise
+ - Update validation checks will fail (vpc's, subnets, share-to, etc.)
+ - VPC endpoint deployments will fail - do NOT re-order or insert VPC endpoints (unless you first remove them all completely, execute SM, and then re-add them, run SM)
+- To skip, remove or uninstall a component, you can simply change the section header
+ - change "deployments"/"firewalls" to "deployments"/"xxfirewalls" and it will uninstall the firewalls
+- As you grow and add AWS accounts, the Kinesis Data stream in the log-archive account will need to be monitored and have its capacity (shard count) increased by setting `"kinesis-stream-shard-count"` variable under `"central-log-services"` in the config file
+- Updates to NACL's requires changing the rule number (`100` to `101`) or they will fail to update
+- The sample firewall configuration uses an instance with **4** NIC's, make sure you use an instance size that supports 4 ENI's
+- Re-enabling individual security controls in Security Hub requires toggling the entire security standard off and on again, controls can be disabled at any time
+- Firewall names, CGW names, TGW names, MAD Directory ID, account keys, and ou's must all be unique throughout the entire configuration file
+- The configuration file _does_ have validation checks in place that prevent users from making certain major unsupported configuration changes
+- The configuration file does _NOT_ have extensive error checking. It is expected you know what you are doing. We eventually hope to offer a config file, wizard based GUI editor and add the validation logic in this separate tool. In most cases the State Machine will fail with an error, and you will simply need to troubleshoot, rectify and rerun the state machine.
+- You cannot move an account between top-level ou's. This would be a security violation and cause other issues. You can move accounts between sub-ou. Note: The ALZ version of the Accelerator does not support sub-ou.
+- v1.1.5 and above adds support for customer provided YAML config file(s) as well as JSON. Once YAML is suppported we will be providing a version of the config file with comments describing the purpose of each configuration item
+- Security Group names were designed to be identical between environments, if you want the VPC name in the SG name, you need to do it manually in the config file
+- We only support the subset of yaml that converts to JSON (we do not support anchors)
+- Do not change the `organization-admin-role` unless you have created the new role with appropriate trust relationship in ALL existing accounts
+
+## General Notes
+
+- The master account does NOT have any preventative controls to protect the integrity of the Accelerator codebase, deployed objects or guardrails. Do not delete, modify, or change anything in the master account unless you are certain as to what you are doing.
+- More specifically, do NOT delete, or change _any_ buckets in the master account
+- While likely protected, do not delete/update/change s3 buckets with CDK, CFN, or PBMMAccel- in _any_ sub-accounts
+- Log group deletion is prevented for security purposes. Users of the Accelerator environment will need to ensure they set CFN stack Log group retention type to RETAIN, or stack deletes will fail when attempting to delete a stack and your users will complain.
+
+## Known limitations/purposeful exclusions:
+
+- ALB automated deployments currently only supports Forward and not redirect rules
+- AWS Config Aggregator is deployed in the Organization master account as enabling through Organizations is much simpler to implement. Organizations only supports deploying the Aggregator in the Org master account and not in a designated master account at this time. Once supported, we will update the code to move the Aggregator master account.
+- Amazon Detective - not included
+- Only 1 auto-deployed MAD per AWS account is supported today
+- VPC Endpoints have no Name tags applied as CloudFormation does not currently support tagging VPC Endpoints
+- If the master account coincidentally already has an ADC with the same domain name, we do not create/deploy a new ADC. You must manually create a new ADC (it won't cause issues).
+- Firewall updates are to be performed using the firewall OS based update capabilities. To update the AMI using the Accelerator, you must first remove the firewalls and then redeploy them (as the EIP's will block a parallel deployment), or deploy a second parallel FW cluster and deprovision the first cluster when ready.
+
+## Known Installation Issues:
+
+- All versions are currently experiencing GuardDuty deployment failures in at least one random region, cause and retry behaviour currently under investigation. Simply rerun the State Machine
+- Standalone installation - currently requires manually creating the core ou and moving the master AWS account into it before running the State Machine, otherwise, once the SM fails, simply move the master account into the auto-created core ou and rerun the SM
+
+# AWS Internal - Accelerator Release Process
+
+## Creating a new Accelerator Code Release
+
+1. Ensure `master` is in a suitable state
+2. Create a version branch with [SemVer](https://semver.org/) semantics and a `release/` prefix: e.g. `release/v1.0.5`
+
+- **Important:** Certain git operations are ambiguous if tags and branches have the same name. Using the `release/` prefix reserves the actual version name for the tag itself.
+
+3. Push that branch to GitHub (if created locally)
+4. The release workflow will run, and create a **draft** release if successful with all commits since the last tagged release.
+5. Prune the commits that have been added to the release (e.g. remove any low-information commits)
+6. Publish the release - this creates the git tag in the repo and marks the release as latest.
+
+[...Return to Table of Contents](../index.md)
diff --git a/docs/operations/operations-troubleshooting-guide.md b/docs/operations/operations-troubleshooting-guide.md
index 1c74beb45..8d956acc2 100644
--- a/docs/operations/operations-troubleshooting-guide.md
+++ b/docs/operations/operations-troubleshooting-guide.md
@@ -1,576 +1,576 @@
-# Operations & Troubleshooting Guide
-
-> TODO: Purpose of document. Target audience.
-
-> TODO:
->
-> - How to update the configuration file?
-> - How to restart the installer?
-
-- [Operations & Troubleshooting Guide](#operations--troubleshooting-guide)
- - [System Overview](#system-overview)
- - [Installer Stack](#installer-stack)
- - [Initial Setup Stack](#initial-setup-stack)
- - [Get or Create Configuration from S3](#get-or-create-configuration-from-s3)
- - [Compare Configurations](#compare-configurations)
- - [Get Baseline from Configuration](#get-baseline-from-configuration)
- - [Load Landing Zone Configuration](#load-landing-zone-configuration)
- - [Add Execution Role to Service Catalog](#add-execution-role-to-service-catalog)
- - [Create Landing Zone Account](#create-landing-zone-account)
- - [Organizational Unit Validation](#organizational-unit-validation)
- - [Load Organization Configuration](#load-organization-configuration)
- - [Install CloudFormation Role in Master](#install-cloudformation-role-in-master)
- - [Create Organization Account](#create-organization-account)
- - [Load Organizational Units](#load-organizational-units)
- - [Load Accounts](#load-accounts)
- - [Install Execution Roles](#install-execution-roles)
- - [Delete Default VPCs](#delete-default-vpcs)
- - [Load Limits](#load-limits)
- - [Enable Trusted Access for Services](#enable-trusted-access-for-services)
- - [Deploy Phase 0](#deploy-phase-0)
- - [Store Phase 0 Output](#store-phase-0-output)
- - [Add SCPs to Organization](#add-scps-to-organization)
- - [Deploy Phase 1](#deploy-phase-1)
- - [Store Phase 1 Output](#store-phase-1-output)
- - [Account Default Settings](#account-default-settings)
- - [Deploy Phase 2](#deploy-phase-2)
- - [Store Phase 2 Output](#store-phase-2-output)
- - [Deploy Phase 3](#deploy-phase-3)
- - [Store Phase 3 Output](#store-phase-3-output)
- - [Deploy Phase 4](#deploy-phase-4)
- - [Store Phase 4 Output](#store-phase-4-output)
- - [Associate Hosted Zones](#associate-hosted-zones)
- - [Add Tags to Shared Resources](#add-tags-to-shared-resources)
- - [Enable Directory Sharing](#enable-directory-sharing)
- - [Deploy Phase 5](#deploy-phase-5)
- - [Create AD Connector](#create-ad-connector)
- - [Store Commit ID](#store-commit-id)
- - [Detach Quarantine SCP](#detach-quarantine-scp)
- - [Troubleshooting](#troubleshooting)
- - [Components](#components)
- - [CodePipeline](#codepipeline)
- - [CodeBuild](#codebuild)
- - [CloudFormation](#cloudformation)
- - [Custom Resource](#custom-resource)
- - [CloudWatch](#cloudwatch)
- - [State Machine](#state-machine)
- - [How-to](#how-to)
- - [Restart the State Machine](#restart-the-state-machine)
- - [Switch To a Managed Account](#switch-to-a-managed-account)
-
-## System Overview
-
-The system can be thought of in two levels. The first level of the system consists of Accelerator stacks and resources. Let's call these the Accelerator-management resource. The second level of the system consists of stacks and resources that are deployed by the Accelerator-management resource. Let's call these the Accelerator-managed resources. The Accelerator-management resources are responsible for deploying the Accelerator-managed resources.
-
-There are two Accelerator-management stacks:
-
-- the `Installer` stack that is responsible for creating the next listed stack;
-- the `Initial Setup` stack. This stack is responsible for reading configuration file and creating Accelerator-managed resources in the relevant accounts.
-
-There are multiple Accelerator-managed stacks. Currently there are at most six Accelerator-managed stacks per managed account.
-
-The figure below shows a zoomed-out overview of the Accelerator. The top of the overview shows the Accelerator-management resources, i.e. the `Installer` stack and the `Initial Setup` stack. The bottom of the overview shows the Accelerator-managed resources in the different accounts.
-
-
-
-### Installer Stack
-
-The Accelerator-management `Installer` stack contains the necessary resources to deploy the Accelerator-management `Initial Setup` stack in an AWS account. This AWS account will be referred to as the 'master' account in this document.
-
-It consists of the following resources:
-
-- `PBMMAccel-InstallerPipeline`: this is a `AWS::CodePipeline::Pipeline` that pulls the latest Accelerator code from
- GitHub. It launches the CodeBuild project `PBMMAccel-InstallerProject_pl` and launches the Accelerator state machine.
-- `PBMMAccel-InstallerProject_pl`: this is a `AWS::CodeBuild::Project` that installs the Accelerator in AWS account.
-- `PBMMAccel-Installer-StartExecution`: this is a `AWS::Lambda::Function` that launches the Accelerator after
- CodeBuild deploys the Accelerator.
-
-
-
-The `PBMMAccel-InstallerPipeline` starts when first installed using the CloudFormation template. The pipeline also runs after every GitHub update for the configured branch. The administrator can also start the pipeline manually by clicking the `Release Change` button in the AWS Console.
-
-
-
-After pulling the source from GitHub the pipeline needs manual approval from the administrator to continue deploying the Accelerator in the AWS account.
-
-
-
-
-
-After the administrator approves the change, the `PBMMAccel-InstallerProject_pl` CodeBuild project starts. The CodeBuild project uses the GitHub source artifact. The CodeBuild projects spins up a new Linux instances and installs the Accelerator dependencies and starts the deployment of the Accelerator using the AWS Cloud Development Kit (CDK[1](#cdk)).
-
-CDK bootstraps its environment and creates the `CDKToolkit` stack in the AWS account. It creates the S3 bucket `cdktoolkit-stagingbucket-*` and the ECR repository `aws-cdk/assets`.
-
-CDK copies assets to the bootstrap bucket and bootstrap repository that are used by the Accelerator. The assets that are stored on S3 include default IAM policies, default SCPs, default firewall configuration. The assets that are pushed to ECR include the Accelerator Docker build image. This Docker image is responsible for deploying Accelerator resources using the CDK.
-
-CDK finally deploys the `Initial Setup` stack, and launches the Accelerator state machine. The Accelerator state machine is described in the next section.
-
-### Initial Setup Stack
-
-The Accelerator-management `Initial Setup` stack, named `PBMMAccel-InitialSetup`, consists of a state machine, named `PBMMAccel-MainStateMachine_sm`, that executes various steps to create the Accelerator-managed stacks and resources in the Accelerator-managed accounts. Using a state machine, we can clearly define the deployment process and systematically control branches of execution and handle exceptions.
-
-The image below describes the latest state machine. Each white square in the image represents a step in the state machine.
-
-
-
-The state machine contains three types of steps:
-
-1. steps that execute a Lambda function;
-2. steps that start another state machine, e.g. `Create Accounts` step;
-3. steps that start another state machine that starts a CodeBuild project, e.g. the `Phase {0,1,2,3,4,5}` steps.
-
-The stack additionally consists of the following resources:
-
-- AWS::CodeBuild::Project
- - `PBMMAccel-Deploy` or `PBMMAccel-DeployPrebuilt`
-- AWS::CodeCommit::Repository
- - `PBMMAccel-Config-Repo`
-- AWS::IAM::Role
- - `PBMMAccel-L-SFN-MasterRole`
- - `PBMMAccel-L-SFN-Execution`
- - An AWS::IAM::Role for every state machine (might be merged into a single role);
-- AWS::Lambda::Function
- - A Lambda function for every Lambda function step in the state machine.
-- AWS::SecretsManager::Secret
- - `accelerator/accounts`
- - `accelerator/organizations`
- - `accelerator/outputs`
- - `accelerator/limits`
-- AWS::StepFunctions::StateMachine
- - `PBMMAccel-ALZCreateAccount_sm`: See [_Create Landing Zone Account_](#create-landing-zone-account);
- - `PBMMAccel-OrgCreateAccount_sm`: See [_Create Organization Account_](#create-organization-account);
- - `PBMMAccel-InstallCfnRoleMaster_sm`: See [Install CloudFormation Execution Role](#install-cloudformation-role-in-master);
- - `PBMMAccel-InstallRoles_sm`: See [_Install Execution Roles_](#install-execution-roles);
- - `PBMMAccel-DeleteDefaultVpcs_sfn`: See [_Delete Default VPCs_](#delete-default-vpcs);
- - `PBMMAccel-CodeBuild_sm`: See [_Deploy Phase 0_](#deploy-phase-0);
- - `PBMMAccel-CreateConfigRecorder_sfn`;
- - `PBMMAccel-CreateAdConnector_sm`: See [_Create AD Connector_](#create-ad-connector).
-
-_Note: Most resources have a random suffix to their name. This is because we use CDK to deploy the resources. See [https://docs.aws.amazon.com/cdk/latest/guide/identifiers.html#identifiers_logical_ids]()_
-
-#### Get or Create Configuration from S3
-
-This step calls a Lambda function that finds or creates the configuration repository. Finds the configuration file in the repository. If the configuration file cannot be found in the repository it is copied from the customer's configuration bucket. If the copy is successful then the configuration file in the S3 bucket will be removed.
-
-The configuration file is parsed and validated. This step will fail if the configuration file is not valid JSON or does not adhere to the configuration file specification.
-
-#### Compare Configurations
-
-This step calls a Lambda function that compares the previous version of the configuration file with the current version of the configuration file. The previous configuration file version is stored in the secret `accelerator/config/last-successful-commit` in AWS Secrets Manager in fthe master account.
-
-The following configuration file changes are not allowed:
-
-- changing ALZ baseline;
-- changing master account or region;
-- changing central log services account or region;
-- changing the organizational unit, name or email address of an account;
-- removing an account;
-- changing the name, CIDR or region of a VPC;
-- disabling a VPC;
-- changing the name, availability zone, CIDR of a subnet;
-- disabling a subnet;
-- removing a subnet;
-- changing the name, ASN, region or features of a transit gateway;
-- changing the ID, VPC, subnet, region, size, DNS, Netbios of a Managed Active Directory;
-- disabling a Managed Active Directory;
-- changing the ASN of a virtual private gateway;
-- changing the sharing to accounts of a VPC;
-- changing the NACLs of a subnet.
-
-It is possible to ignore certain configuration file changes. See [Restart the State Machine](#restart-the-state-machine) how to pass these options to the state machine.
-
-#### Get Baseline from Configuration
-
-This step calls a Lambda function that gets the `alz-baseline` of the configuration file to decide which path in the state machine will be taken.
-
-#### Load Landing Zone Configuration
-
-_Executed only when using AWS Landing Zone baseline_
-
-This step calls a Lambda function that validates the ALZ deployment and configuration.
-
-This step fails when
-
-- an existing ALZ deployment in the master account can not be found;
-- an organizational unit that is used by ALZ or the Accelerator can not be found;
-- an account is present in the Accelerator configuration but does not exist in AWS Organizations;
-- an account has a name, email address or organizational unit that is different from the ALZ configuration;
-- an account has a name, email address or organizational unit that is different from the Accelerator configuration;
-- the organizational units in the ALZ configuration are different from the ones in AWS Organizations;
-- the account type of ALZ configuration accounts can not be detected;
-- the accounts of type `primary`', `security`, `log-archive`, `shared-services` are missing from the ALZ configuration.
-
-#### Add Execution Role to Service Catalog
-
-_Executed only when using AWS Landing Zone baseline_
-
-This step calls a Lambda function that adds the state machine's IAM role to the ALZ Account Vending Machine (AVM) service catalog portfolio.
-
-#### Create Landing Zone Account
-
-_Executed only when using AWS Landing Zone baseline_
-
-This step starts the `PBMMAccel-ALZCreateAccount_sm` state machine. This state machine is responsible for creating an account using the AVM and waits for the account to be created and configured.
-
-#### Organizational Unit Validation
-
-_Executed only when using AWS Organizations baseline_
-
-> TODO: Document
-
-#### Load Organization Configuration
-
-_Executed only when using AWS Organizations baseline_
-
-This step calls a Lambda function that validates the Accelerator deployment and configuration.
-
-This step fails when
-
-- an organizational unit that is used by the Accelerator can not be found;
-- an account is present in the Accelerator configuration but does not exist in AWS Organizations;
-- an account has a name, email address or organizational unit that is different from the Accelerator configuration.
-
-#### Install CloudFormation Role in Master
-
-_Executed only when using AWS Organizations baseline_
-
-This step starts the `PBMMAccel-InstallCfnRoleMaster_sm` state machine. This state machine is responsible for creating the IAM role `AWSCloudFormationStackSetAdministrationRole` in the master account. You can read more about why this role is created [here](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html).
-
-#### Create Organization Account
-
-_Executed only when using AWS Organizations baseline_
-
-This step starts the `PBMMAccel-OrgCreateAccount_sm` state machine. This state machine is responsible for creating an account using the AWS Organizations and waits for the account to be created and configured. The newly created account will be moved to the correct organizational unit and will have an the `PBMMAccel-Quarantine-New-Object` Service Control Policy (SCP) attached to it. The SCP will only be removed after the Accelerator state machine has completed.
-
-> TODO(bmycroft): Explain why the SCP is attached.
-
-#### Load Organizational Units
-
-> TODO: Document
-
-#### Load Accounts
-
-This step calls a Lambda function that loads all accounts and organizational units. The accounts and organizational units are stored in the secret `accelerator/accounts` and `accelerator/organizations` in AWS Secrets Manager in the master account. The accounts and organizational units will later be used to deploy stacks in the correct accounts.
-
-#### Install Execution Roles
-
-This step calls a Lambda function that creates stack sets in all Accelerator accounts. This stack sets contains a single resource, i.e. an IAM role `PBMMAccel-PipelineRole` that can be assumed by the `PBMMAccel-L-SFN-MasterRole`. This IAM role allows the master account to administer the Accelerator accounts.
-
-#### Delete Default VPCs
-
-This step starts the `PBMMAccel-DeleteDefaultVpcs_sfn` state machine. This state machine is responsible for deleting default subnets, internet gateways and VPCs for all regions and accounts in the Accelerator configuration.
-
-This step fails when one or more default VPCs cannot be deleted.
-
-#### Load Limits
-
-This step calls a Lambda function that loads service quotas and requests a service quota increase according to the configuration file. When a service quota increase request has been closed but not increased, then the service quota request will be issued again when the creation of the last request was at least two days ago.
-
-#### Enable Trusted Access for Services
-
-This step calls a Lambda function that is responsible for
-
-- enabling AWS service access in the organization;
-- enabling AWS Resource Access Manager sharing in the organization;
-- creating a service-linked role for AWS IAM Access Analyzer;
-- setting the security account as delegated administrator for AWS Firewall Manager;
-- setting the security account as delegated administrator for AWS IAM Access Analyzer;
-- setting the security account as delegated administrator for Amazon GuardDuty.
-
-#### Deploy Phase 0
-
-This step starts the `PBMMAccel-CodeBuild_sm` state machine. This state machine is responsible for starting a CodeBuild execution that deploys CloudFormation stacks in Accelerator-managed accounts using CDK.
-
-
-
-
-
-The same CodeBuild project is used to deploy all phases. The environment variable `ACCELERATOR_PHASE` in the CodeBuild execution decides which phase to deploy.
-
-- create default EBS encryption key;
-- create an AWS log bucket with encryption key;
-- create the central log services bucket with encryption key;
-- create the Accelerator configuration bucket with encryption key;
-- copy artifacts to the Accelerator configuration bucket:
- - SCPs;
- - firewall configuration;
-- account warming (step 1);
-- set password policy (step 1);
-- create IAM users (step 1):
- - create passwords and store in Secrets Manager;
-- create MAD deployment (step 1):
- - create passwords and store in Secrets Manager;
- - create service-linked role;
-- create `rsyslog` deployment (step 1);
-- create firewalls (step 1);
-- create budgets (step 1);
-- create transit gateways (step 1);
-- create Route53 DNS logging log group;
-- enable Macie (step 1);
-- enable GuardDuty;
-- enable Access Analyzer;
-
-#### Store Phase 0 Output
-
-This step calls a Lambda function that stores the outputs from the deployed stacks in subaccounts in the secret `accelerator/outputs` in AWS Secrets Manager in the master account.
-
-#### Add SCPs to Organization
-
-This step calls a Lambda function that creates and attaches the SCPs listed in the Accelerator configuration. The SCP policies are loaded from the Accelerator configuration bucket.
-
-This step fails when
-
-- an SCP policy cannot be found in the Accelerator configuration bucket;
-- an SCP could not be attached to an organizational unit or account, e.g. when the maximum number of attached SCPs is exceeded
-
-#### Deploy Phase 1
-
-- create VPCs;
- - subnets;
- - route tables;
- - security groups;
- - interface endpoints;
- - transit gateway attachments;
- - flow logs;
- - resource sharing in case the VPC is shared;
- - role to accept peering connection requests;
-- create firewalls (step 2);
-- create IAM roles (step 2);
-- create budgets (step 2);
-- create certificates (step 1);
-- create reports (step 1);
-- enable SSM (step 1);
-- enable Security Hub (step 1);
-- enable Macie (step 2);
-- enable GuardDuty (step 3);
-- enable central logging to S3 (step 1);
-
-#### Store Phase 1 Output
-
-See [_Deploy Phase 0_](#deploy-phase-0).
-
-#### Account Default Settings
-
-This step calls a Lambda function that
-
-- enables and sets EBS default encryption for all accounts in the Accelerator configuration;
-- enables S3 object level ALZ Cloudtrail logging;
-- enables Log Insight events;
-- enables KMS encryption using the CMK from the central logging account;
-- sets AWS Systems Manager Session Manager default configuration in every Accelerator-managed account in every region with a VPC.
-
-#### Deploy Phase 2
-
-- create peering connections;
-- create security groups in shared account;
-- create MAD deployment (step 2);
-- create firewalls (step 3);
-- create firewall manager (step 1);
-- create transit gateways (step 2);
-- enable Security Hub (step 2);
-- enable Macie (step 3);
-
-#### Store Phase 2 Output
-
-See [_Deploy Phase 0_](#deploy-phase-0).
-
-#### Deploy Phase 3
-
-- create peering connection routes;
-- create ALB (step 1);
-- create `rsyslog` deployment (step 2);
-- create hosted zones, resolver rules and resolver endpoints;
-
-#### Store Phase 3 Output
-
-See [_Deploy Phase 0_](#deploy-phase-0).
-
-#### Deploy Phase 4
-
-- share resolver rules;
-
-#### Store Phase 4 Output
-
-See [_Deploy Phase 0_](#deploy-phase-0).
-
-#### Associate Hosted Zones
-
-This step calls a Lambda function that associates the private zones, all the interface endpoint zones, and the resolver rules with each VPC that leverages endpoint services.
-
-#### Add Tags to Shared Resources
-
-This step calls a Lambda function that adds tags to shared resources in the share destination account. For example, when a subnet is shared into another account, this step will add the `Name` tag to the subnet in the shared account.
-
-The supported resources are
-
-- VPCs;
-- subnets;
-- security groups;
-- transit gateway attachments.
-
-#### Enable Directory Sharing
-
-This step calls a Lambda function that shares Managed Active Directory according to the Accelerator configuration. The directory is shared from the source account to the target account. The directory will be accepted in the target account.
-
-#### Deploy Phase 5
-
-- create Remote Desktop Gateway;
- - create launch configuration;
- - create autoscaling group;
-- enable central logging to S3 (step 2);
-
-#### Create AD Connector
-
-This step starts the `PBMMAccel-DeleteDefaultVpcs_sfn` state machine. This state machine is responsible for creating AD connectors according to the Accelerator configuration.
-
-This step fails when one or more AD connectors failed to be created.
-
-#### Store Commit ID
-
-This step calls a Lambda function that stores the commit ID of the configuration file for which the state machine ran.
-
-#### Detach Quarantine SCP
-
-_Executed only when using AWS Organizations baseline_
-
-This step calls a Lambda function that stores the commit ID for which the state machine just ran.
-
-## Troubleshooting
-
-Issues could occur in different parts of the Accelerator. We'll guide you through troubleshooting these issues in this section.
-
-### Components
-
-#### CodePipeline
-
-> TODO(ggindera):
->
-> - Installer Pipeline
-> - "Internal Failure" incorrect Github token, repo or branch
-
-#### CodeBuild
-
-There are two Accelerator CodeBuild projects that we need to be able to troubleshoot: `PBMMAccel-InstallerProject_pl` and `PBMMAccel-DeployPrebuilt`. Both are similar in that they use CDK to deploy stacks.
-
-When an error occurs you will see that the CodeBuild project execution fails when looking in the execution overview.
-
-
-
-You can click on the name of the CodeBuild execution and then look inside the logs what caused the failure.
-
-
-
-You can for example see the error message `The stack named PBMMAccel-Perimeter-Phase2 is in a failed state: UPDATE_ROLLBACK_COMPLETE`. This means the stack `PBMMAccel-Perimeter-Phase2` failed to update and it had to rollback. When you scroll up in the logs there should be a failure listed in the CloudFormation update logs.
-
-
-
-In this example we can see that the resource `FirewallManager` failed to create through CloudFormation. One way to solve this issue is to deprovision the firewall manager in the configuration file and then run the state machine. Next, provision the firewall manager and run the state machine again.
-
-If the error message is not clear, or the error occurred in a nested stack, then a more detailed error will be available in the CloudFormation stack events. See the [CloudFormation](#cloudformation) section below.
-
-
-
-#### CloudFormation
-
-In case you want to troubleshoot errors that occurred in CloudFormation, the best way is to look in the CloudFormation stack's events.
-
-
-
-
-
-When a native resource fails to create or update there are no additional logs available except what is displayed in the `Status reason` column. When a custom resource fails to create or update -- i.e. not a native CloudFormation resource but a resource backed by a custom Lambda function -- then we can find additional logs in CloudWatch.
-
-Sometimes the stack failure could have occurred in a managed account instead of the master account. See [Switch To a Managed Account](#switch-to-a-managed-account) to switch to the CloudFormation console in the managed account.
-
-#### Custom Resource
-
-Custom resources are backed by a Lambda function that implements the creation, modification or deletion or the resource. Every Lambda function has a CloudWatch log group that contains logs about the custom resource creation. To troubleshoot errors in custom resource, you need to check the custom resource's log group.
-
-Example custom resource log group names:
-
-```
-/aws/lambda/PBMMAccel-Master-Phase1-CustomCurReportDefinitionL-14IHLQCC1LY8L
-/aws/lambda/PBMMAccel-Master-Phase2-AWS679f53fac002430cb0da5b7-Z75Q4GG9LIV5
-/aws/lambda/PBMMAccel-Operations-Phas-AWS679f53fac002430cb0da5-HMV2YF6OKJET
-/aws/lambda/PBMMAccel-Operations-Phas-CustomGetDetectorIdLambd-HEM07DR0DOOJ
-```
-
-#### CloudWatch
-
-When you arrived in CloudWatch logs by clicking on the state machine's step `CloudWatch Logs` link you will immediately see the list of log streams. Every log stream represents an instance of the Lambda function.
-
-You can find errors in multiple log groups using CloudWatch Log Insights.
-
-
-
-```
-fields @timestamp, @message
-| sort @timestamp desc
-| filter strcontains(@message, 'ERROR')
-| limit 100
-```
-
-#### State Machine
-
-When troubleshooting a failed step in the state machine it is important to know what type of step failed. If the step is calling a Lambda function then you will see the following after clicking the failed step.
-
-
-
-You can see that the exception contains a useful message. This message will differ between Lambda functions. In case this message does not make the issue clear, you can click on the `CloudWatch Logs` link in the `Resource` section to view the output of the Lambda function that was called by the step. See the section [CloudWatch Logs](#cloudwatch-logs).
-
-In case the failed step started another state machine, you will see the following after clicking the failed step.
-
-
-
-To view the state machine execution that failed you can click the link in the `Resource` section.
-
-In case the failed step started the CodeBuild state machine, `PBMMAccel-CodeBuild_sm`, you will be able to see the CodeBuild project and execution ID that failed by looking at the output of the `Start Build` step in the `PBMMAccel-CodeBuild_sm` state machine.
-
-.
-
-In the image above the execution of CodeBuild project `PBMMAccel-DeployPrebuilt` with ID `PBMMAccel-DeployPrebuilt:717584a9-c406-4569-9cc2-0d23e9ff9ef0` failed. See the [CodeBuild](#codebuild) section to troubleshoot.
-
-### How-to
-
-#### Restart the State Machine
-
-> TODO(ggindera)
->
-> ```
-> {
-> 'ov-global-options': true,
-> 'ov-del-accts': true,
-> 'ov-ren-accts': true,
-> 'ov-acct-email': true,
-> 'ov-acct-ou': true,
-> 'ov-acct-vpc': true,
-> 'ov-acct-subnet': true,
-> 'ov-tgw': true,
-> 'ov-mad': true,
-> 'ov-ou-vpc': true,
-> 'ov-ou-subnet': true,
-> 'ov-share-to-ou': true,
-> 'ov-share-to-accounts': true,
-> 'ov-nacl': true
-> }
-> ```
-
-#### Switch To a Managed Account
-
-To switch from the master account to a managed account you can click on your account name in the AWS Console. Then choose `Switch Role` in the menu.
-
-
-
-In the page that appears next you need to fill out the account ID of the managed account you want to switch to. Next, you need to enter the role name `PBMMAccel-PipelineRole`. And lastly, you need to enter a relevant name so you can later switch roles by using this name.
-
-
-
-After switching to the managed account, the AWS Console header will look like the following image.
-
-
-
-You can switch to the same account again quickly by clicking the name you entered previously in the menu.
-
-
-
-[1]: https://docs.aws.amazon.com/cdk/latest/guide/home.html
+# Operations & Troubleshooting Guide
+
+> TODO: Purpose of document. Target audience.
+
+> TODO:
+>
+> - How to update the configuration file?
+> - How to restart the installer?
+
+- [Operations & Troubleshooting Guide](#operations--troubleshooting-guide)
+ - [System Overview](#system-overview)
+ - [Installer Stack](#installer-stack)
+ - [Initial Setup Stack](#initial-setup-stack)
+ - [Get or Create Configuration from S3](#get-or-create-configuration-from-s3)
+ - [Compare Configurations](#compare-configurations)
+ - [Get Baseline from Configuration](#get-baseline-from-configuration)
+ - [Load Landing Zone Configuration](#load-landing-zone-configuration)
+ - [Add Execution Role to Service Catalog](#add-execution-role-to-service-catalog)
+ - [Create Landing Zone Account](#create-landing-zone-account)
+ - [Organizational Unit Validation](#organizational-unit-validation)
+ - [Load Organization Configuration](#load-organization-configuration)
+ - [Install CloudFormation Role in Master](#install-cloudformation-role-in-master)
+ - [Create Organization Account](#create-organization-account)
+ - [Load Organizational Units](#load-organizational-units)
+ - [Load Accounts](#load-accounts)
+ - [Install Execution Roles](#install-execution-roles)
+ - [Delete Default VPCs](#delete-default-vpcs)
+ - [Load Limits](#load-limits)
+ - [Enable Trusted Access for Services](#enable-trusted-access-for-services)
+ - [Deploy Phase 0](#deploy-phase-0)
+ - [Store Phase 0 Output](#store-phase-0-output)
+ - [Add SCPs to Organization](#add-scps-to-organization)
+ - [Deploy Phase 1](#deploy-phase-1)
+ - [Store Phase 1 Output](#store-phase-1-output)
+ - [Account Default Settings](#account-default-settings)
+ - [Deploy Phase 2](#deploy-phase-2)
+ - [Store Phase 2 Output](#store-phase-2-output)
+ - [Deploy Phase 3](#deploy-phase-3)
+ - [Store Phase 3 Output](#store-phase-3-output)
+ - [Deploy Phase 4](#deploy-phase-4)
+ - [Store Phase 4 Output](#store-phase-4-output)
+ - [Associate Hosted Zones](#associate-hosted-zones)
+ - [Add Tags to Shared Resources](#add-tags-to-shared-resources)
+ - [Enable Directory Sharing](#enable-directory-sharing)
+ - [Deploy Phase 5](#deploy-phase-5)
+ - [Create AD Connector](#create-ad-connector)
+ - [Store Commit ID](#store-commit-id)
+ - [Detach Quarantine SCP](#detach-quarantine-scp)
+ - [Troubleshooting](#troubleshooting)
+ - [Components](#components)
+ - [CodePipeline](#codepipeline)
+ - [CodeBuild](#codebuild)
+ - [CloudFormation](#cloudformation)
+ - [Custom Resource](#custom-resource)
+ - [CloudWatch](#cloudwatch)
+ - [State Machine](#state-machine)
+ - [How-to](#how-to)
+ - [Restart the State Machine](#restart-the-state-machine)
+ - [Switch To a Managed Account](#switch-to-a-managed-account)
+
+## System Overview
+
+The system can be thought of in two levels. The first level of the system consists of Accelerator stacks and resources. Let's call these the Accelerator-management resource. The second level of the system consists of stacks and resources that are deployed by the Accelerator-management resource. Let's call these the Accelerator-managed resources. The Accelerator-management resources are responsible for deploying the Accelerator-managed resources.
+
+There are two Accelerator-management stacks:
+
+- the `Installer` stack that is responsible for creating the next listed stack;
+- the `Initial Setup` stack. This stack is responsible for reading configuration file and creating Accelerator-managed resources in the relevant accounts.
+
+There are multiple Accelerator-managed stacks. Currently there are at most six Accelerator-managed stacks per managed account.
+
+The figure below shows a zoomed-out overview of the Accelerator. The top of the overview shows the Accelerator-management resources, i.e. the `Installer` stack and the `Initial Setup` stack. The bottom of the overview shows the Accelerator-managed resources in the different accounts.
+
+
+
+### Installer Stack
+
+The Accelerator-management `Installer` stack contains the necessary resources to deploy the Accelerator-management `Initial Setup` stack in an AWS account. This AWS account will be referred to as the 'master' account in this document.
+
+It consists of the following resources:
+
+- `PBMMAccel-InstallerPipeline`: this is a `AWS::CodePipeline::Pipeline` that pulls the latest Accelerator code from
+ GitHub. It launches the CodeBuild project `PBMMAccel-InstallerProject_pl` and launches the Accelerator state machine.
+- `PBMMAccel-InstallerProject_pl`: this is a `AWS::CodeBuild::Project` that installs the Accelerator in AWS account.
+- `PBMMAccel-Installer-StartExecution`: this is a `AWS::Lambda::Function` that launches the Accelerator after
+ CodeBuild deploys the Accelerator.
+
+
+
+The `PBMMAccel-InstallerPipeline` starts when first installed using the CloudFormation template. The pipeline also runs after every GitHub update for the configured branch. The administrator can also start the pipeline manually by clicking the `Release Change` button in the AWS Console.
+
+
+
+After pulling the source from GitHub the pipeline needs manual approval from the administrator to continue deploying the Accelerator in the AWS account.
+
+
+
+
+
+After the administrator approves the change, the `PBMMAccel-InstallerProject_pl` CodeBuild project starts. The CodeBuild project uses the GitHub source artifact. The CodeBuild projects spins up a new Linux instances and installs the Accelerator dependencies and starts the deployment of the Accelerator using the AWS Cloud Development Kit (CDK[1](#cdk)).
+
+CDK bootstraps its environment and creates the `CDKToolkit` stack in the AWS account. It creates the S3 bucket `cdktoolkit-stagingbucket-*` and the ECR repository `aws-cdk/assets`.
+
+CDK copies assets to the bootstrap bucket and bootstrap repository that are used by the Accelerator. The assets that are stored on S3 include default IAM policies, default SCPs, default firewall configuration. The assets that are pushed to ECR include the Accelerator Docker build image. This Docker image is responsible for deploying Accelerator resources using the CDK.
+
+CDK finally deploys the `Initial Setup` stack, and launches the Accelerator state machine. The Accelerator state machine is described in the next section.
+
+### Initial Setup Stack
+
+The Accelerator-management `Initial Setup` stack, named `PBMMAccel-InitialSetup`, consists of a state machine, named `PBMMAccel-MainStateMachine_sm`, that executes various steps to create the Accelerator-managed stacks and resources in the Accelerator-managed accounts. Using a state machine, we can clearly define the deployment process and systematically control branches of execution and handle exceptions.
+
+The image below describes the latest state machine. Each white square in the image represents a step in the state machine.
+
+
+
+The state machine contains three types of steps:
+
+1. steps that execute a Lambda function;
+2. steps that start another state machine, e.g. `Create Accounts` step;
+3. steps that start another state machine that starts a CodeBuild project, e.g. the `Phase {0,1,2,3,4,5}` steps.
+
+The stack additionally consists of the following resources:
+
+- AWS::CodeBuild::Project
+ - `PBMMAccel-Deploy` or `PBMMAccel-DeployPrebuilt`
+- AWS::CodeCommit::Repository
+ - `PBMMAccel-Config-Repo`
+- AWS::IAM::Role
+ - `PBMMAccel-L-SFN-MasterRole`
+ - `PBMMAccel-L-SFN-Execution`
+ - An AWS::IAM::Role for every state machine (might be merged into a single role);
+- AWS::Lambda::Function
+ - A Lambda function for every Lambda function step in the state machine.
+- AWS::SecretsManager::Secret
+ - `accelerator/accounts`
+ - `accelerator/organizations`
+ - `accelerator/outputs`
+ - `accelerator/limits`
+- AWS::StepFunctions::StateMachine
+ - `PBMMAccel-ALZCreateAccount_sm`: See [_Create Landing Zone Account_](#create-landing-zone-account);
+ - `PBMMAccel-OrgCreateAccount_sm`: See [_Create Organization Account_](#create-organization-account);
+ - `PBMMAccel-InstallCfnRoleMaster_sm`: See [Install CloudFormation Execution Role](#install-cloudformation-role-in-master);
+ - `PBMMAccel-InstallRoles_sm`: See [_Install Execution Roles_](#install-execution-roles);
+ - `PBMMAccel-DeleteDefaultVpcs_sfn`: See [_Delete Default VPCs_](#delete-default-vpcs);
+ - `PBMMAccel-CodeBuild_sm`: See [_Deploy Phase 0_](#deploy-phase-0);
+ - `PBMMAccel-CreateConfigRecorder_sfn`;
+ - `PBMMAccel-CreateAdConnector_sm`: See [_Create AD Connector_](#create-ad-connector).
+
+_Note: Most resources have a random suffix to their name. This is because we use CDK to deploy the resources. See [https://docs.aws.amazon.com/cdk/latest/guide/identifiers.html#identifiers_logical_ids]()_
+
+#### Get or Create Configuration from S3
+
+This step calls a Lambda function that finds or creates the configuration repository. Finds the configuration file in the repository. If the configuration file cannot be found in the repository it is copied from the customer's configuration bucket. If the copy is successful then the configuration file in the S3 bucket will be removed.
+
+The configuration file is parsed and validated. This step will fail if the configuration file is not valid JSON or does not adhere to the configuration file specification.
+
+#### Compare Configurations
+
+This step calls a Lambda function that compares the previous version of the configuration file with the current version of the configuration file. The previous configuration file version is stored in the secret `accelerator/config/last-successful-commit` in AWS Secrets Manager in fthe master account.
+
+The following configuration file changes are not allowed:
+
+- changing ALZ baseline;
+- changing master account or region;
+- changing central log services account or region;
+- changing the organizational unit, name or email address of an account;
+- removing an account;
+- changing the name, CIDR or region of a VPC;
+- disabling a VPC;
+- changing the name, availability zone, CIDR of a subnet;
+- disabling a subnet;
+- removing a subnet;
+- changing the name, ASN, region or features of a transit gateway;
+- changing the ID, VPC, subnet, region, size, DNS, Netbios of a Managed Active Directory;
+- disabling a Managed Active Directory;
+- changing the ASN of a virtual private gateway;
+- changing the sharing to accounts of a VPC;
+- changing the NACLs of a subnet.
+
+It is possible to ignore certain configuration file changes. See [Restart the State Machine](#restart-the-state-machine) how to pass these options to the state machine.
+
+#### Get Baseline from Configuration
+
+This step calls a Lambda function that gets the `alz-baseline` of the configuration file to decide which path in the state machine will be taken.
+
+#### Load Landing Zone Configuration
+
+_Executed only when using AWS Landing Zone baseline_
+
+This step calls a Lambda function that validates the ALZ deployment and configuration.
+
+This step fails when
+
+- an existing ALZ deployment in the master account can not be found;
+- an organizational unit that is used by ALZ or the Accelerator can not be found;
+- an account is present in the Accelerator configuration but does not exist in AWS Organizations;
+- an account has a name, email address or organizational unit that is different from the ALZ configuration;
+- an account has a name, email address or organizational unit that is different from the Accelerator configuration;
+- the organizational units in the ALZ configuration are different from the ones in AWS Organizations;
+- the account type of ALZ configuration accounts can not be detected;
+- the accounts of type `primary`', `security`, `log-archive`, `shared-services` are missing from the ALZ configuration.
+
+#### Add Execution Role to Service Catalog
+
+_Executed only when using AWS Landing Zone baseline_
+
+This step calls a Lambda function that adds the state machine's IAM role to the ALZ Account Vending Machine (AVM) service catalog portfolio.
+
+#### Create Landing Zone Account
+
+_Executed only when using AWS Landing Zone baseline_
+
+This step starts the `PBMMAccel-ALZCreateAccount_sm` state machine. This state machine is responsible for creating an account using the AVM and waits for the account to be created and configured.
+
+#### Organizational Unit Validation
+
+_Executed only when using AWS Organizations baseline_
+
+> TODO: Document
+
+#### Load Organization Configuration
+
+_Executed only when using AWS Organizations baseline_
+
+This step calls a Lambda function that validates the Accelerator deployment and configuration.
+
+This step fails when
+
+- an organizational unit that is used by the Accelerator can not be found;
+- an account is present in the Accelerator configuration but does not exist in AWS Organizations;
+- an account has a name, email address or organizational unit that is different from the Accelerator configuration.
+
+#### Install CloudFormation Role in Master
+
+_Executed only when using AWS Organizations baseline_
+
+This step starts the `PBMMAccel-InstallCfnRoleMaster_sm` state machine. This state machine is responsible for creating the IAM role `AWSCloudFormationStackSetAdministrationRole` in the master account. You can read more about why this role is created [here](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html).
+
+#### Create Organization Account
+
+_Executed only when using AWS Organizations baseline_
+
+This step starts the `PBMMAccel-OrgCreateAccount_sm` state machine. This state machine is responsible for creating an account using the AWS Organizations and waits for the account to be created and configured. The newly created account will be moved to the correct organizational unit and will have an the `PBMMAccel-Quarantine-New-Object` Service Control Policy (SCP) attached to it. The SCP will only be removed after the Accelerator state machine has completed.
+
+> TODO(bmycroft): Explain why the SCP is attached.
+
+#### Load Organizational Units
+
+> TODO: Document
+
+#### Load Accounts
+
+This step calls a Lambda function that loads all accounts and organizational units. The accounts and organizational units are stored in the secret `accelerator/accounts` and `accelerator/organizations` in AWS Secrets Manager in the master account. The accounts and organizational units will later be used to deploy stacks in the correct accounts.
+
+#### Install Execution Roles
+
+This step calls a Lambda function that creates stack sets in all Accelerator accounts. This stack sets contains a single resource, i.e. an IAM role `PBMMAccel-PipelineRole` that can be assumed by the `PBMMAccel-L-SFN-MasterRole`. This IAM role allows the master account to administer the Accelerator accounts.
+
+#### Delete Default VPCs
+
+This step starts the `PBMMAccel-DeleteDefaultVpcs_sfn` state machine. This state machine is responsible for deleting default subnets, internet gateways and VPCs for all regions and accounts in the Accelerator configuration.
+
+This step fails when one or more default VPCs cannot be deleted.
+
+#### Load Limits
+
+This step calls a Lambda function that loads service quotas and requests a service quota increase according to the configuration file. When a service quota increase request has been closed but not increased, then the service quota request will be issued again when the creation of the last request was at least two days ago.
+
+#### Enable Trusted Access for Services
+
+This step calls a Lambda function that is responsible for
+
+- enabling AWS service access in the organization;
+- enabling AWS Resource Access Manager sharing in the organization;
+- creating a service-linked role for AWS IAM Access Analyzer;
+- setting the security account as delegated administrator for AWS Firewall Manager;
+- setting the security account as delegated administrator for AWS IAM Access Analyzer;
+- setting the security account as delegated administrator for Amazon GuardDuty.
+
+#### Deploy Phase 0
+
+This step starts the `PBMMAccel-CodeBuild_sm` state machine. This state machine is responsible for starting a CodeBuild execution that deploys CloudFormation stacks in Accelerator-managed accounts using CDK.
+
+
+
+
+
+The same CodeBuild project is used to deploy all phases. The environment variable `ACCELERATOR_PHASE` in the CodeBuild execution decides which phase to deploy.
+
+- create default EBS encryption key;
+- create an AWS log bucket with encryption key;
+- create the central log services bucket with encryption key;
+- create the Accelerator configuration bucket with encryption key;
+- copy artifacts to the Accelerator configuration bucket:
+ - SCPs;
+ - firewall configuration;
+- account warming (step 1);
+- set password policy (step 1);
+- create IAM users (step 1):
+ - create passwords and store in Secrets Manager;
+- create MAD deployment (step 1):
+ - create passwords and store in Secrets Manager;
+ - create service-linked role;
+- create `rsyslog` deployment (step 1);
+- create firewalls (step 1);
+- create budgets (step 1);
+- create transit gateways (step 1);
+- create Route53 DNS logging log group;
+- enable Macie (step 1);
+- enable GuardDuty;
+- enable Access Analyzer;
+
+#### Store Phase 0 Output
+
+This step calls a Lambda function that stores the outputs from the deployed stacks in subaccounts in the secret `accelerator/outputs` in AWS Secrets Manager in the master account.
+
+#### Add SCPs to Organization
+
+This step calls a Lambda function that creates and attaches the SCPs listed in the Accelerator configuration. The SCP policies are loaded from the Accelerator configuration bucket.
+
+This step fails when
+
+- an SCP policy cannot be found in the Accelerator configuration bucket;
+- an SCP could not be attached to an organizational unit or account, e.g. when the maximum number of attached SCPs is exceeded
+
+#### Deploy Phase 1
+
+- create VPCs;
+ - subnets;
+ - route tables;
+ - security groups;
+ - interface endpoints;
+ - transit gateway attachments;
+ - flow logs;
+ - resource sharing in case the VPC is shared;
+ - role to accept peering connection requests;
+- create firewalls (step 2);
+- create IAM roles (step 2);
+- create budgets (step 2);
+- create certificates (step 1);
+- create reports (step 1);
+- enable SSM (step 1);
+- enable Security Hub (step 1);
+- enable Macie (step 2);
+- enable GuardDuty (step 3);
+- enable central logging to S3 (step 1);
+
+#### Store Phase 1 Output
+
+See [_Deploy Phase 0_](#deploy-phase-0).
+
+#### Account Default Settings
+
+This step calls a Lambda function that
+
+- enables and sets EBS default encryption for all accounts in the Accelerator configuration;
+- enables S3 object level ALZ Cloudtrail logging;
+- enables Log Insight events;
+- enables KMS encryption using the CMK from the central logging account;
+- sets AWS Systems Manager Session Manager default configuration in every Accelerator-managed account in every region with a VPC.
+
+#### Deploy Phase 2
+
+- create peering connections;
+- create security groups in shared account;
+- create MAD deployment (step 2);
+- create firewalls (step 3);
+- create firewall manager (step 1);
+- create transit gateways (step 2);
+- enable Security Hub (step 2);
+- enable Macie (step 3);
+
+#### Store Phase 2 Output
+
+See [_Deploy Phase 0_](#deploy-phase-0).
+
+#### Deploy Phase 3
+
+- create peering connection routes;
+- create ALB (step 1);
+- create `rsyslog` deployment (step 2);
+- create hosted zones, resolver rules and resolver endpoints;
+
+#### Store Phase 3 Output
+
+See [_Deploy Phase 0_](#deploy-phase-0).
+
+#### Deploy Phase 4
+
+- share resolver rules;
+
+#### Store Phase 4 Output
+
+See [_Deploy Phase 0_](#deploy-phase-0).
+
+#### Associate Hosted Zones
+
+This step calls a Lambda function that associates the private zones, all the interface endpoint zones, and the resolver rules with each VPC that leverages endpoint services.
+
+#### Add Tags to Shared Resources
+
+This step calls a Lambda function that adds tags to shared resources in the share destination account. For example, when a subnet is shared into another account, this step will add the `Name` tag to the subnet in the shared account.
+
+The supported resources are
+
+- VPCs;
+- subnets;
+- security groups;
+- transit gateway attachments.
+
+#### Enable Directory Sharing
+
+This step calls a Lambda function that shares Managed Active Directory according to the Accelerator configuration. The directory is shared from the source account to the target account. The directory will be accepted in the target account.
+
+#### Deploy Phase 5
+
+- create Remote Desktop Gateway;
+ - create launch configuration;
+ - create autoscaling group;
+- enable central logging to S3 (step 2);
+
+#### Create AD Connector
+
+This step starts the `PBMMAccel-DeleteDefaultVpcs_sfn` state machine. This state machine is responsible for creating AD connectors according to the Accelerator configuration.
+
+This step fails when one or more AD connectors failed to be created.
+
+#### Store Commit ID
+
+This step calls a Lambda function that stores the commit ID of the configuration file for which the state machine ran.
+
+#### Detach Quarantine SCP
+
+_Executed only when using AWS Organizations baseline_
+
+This step calls a Lambda function that stores the commit ID for which the state machine just ran.
+
+## Troubleshooting
+
+Issues could occur in different parts of the Accelerator. We'll guide you through troubleshooting these issues in this section.
+
+### Components
+
+#### CodePipeline
+
+> TODO(ggindera):
+>
+> - Installer Pipeline
+> - "Internal Failure" incorrect Github token, repo or branch
+
+#### CodeBuild
+
+There are two Accelerator CodeBuild projects that we need to be able to troubleshoot: `PBMMAccel-InstallerProject_pl` and `PBMMAccel-DeployPrebuilt`. Both are similar in that they use CDK to deploy stacks.
+
+When an error occurs you will see that the CodeBuild project execution fails when looking in the execution overview.
+
+
+
+You can click on the name of the CodeBuild execution and then look inside the logs what caused the failure.
+
+
+
+You can for example see the error message `The stack named PBMMAccel-Perimeter-Phase2 is in a failed state: UPDATE_ROLLBACK_COMPLETE`. This means the stack `PBMMAccel-Perimeter-Phase2` failed to update and it had to rollback. When you scroll up in the logs there should be a failure listed in the CloudFormation update logs.
+
+
+
+In this example we can see that the resource `FirewallManager` failed to create through CloudFormation. One way to solve this issue is to deprovision the firewall manager in the configuration file and then run the state machine. Next, provision the firewall manager and run the state machine again.
+
+If the error message is not clear, or the error occurred in a nested stack, then a more detailed error will be available in the CloudFormation stack events. See the [CloudFormation](#cloudformation) section below.
+
+
+
+#### CloudFormation
+
+In case you want to troubleshoot errors that occurred in CloudFormation, the best way is to look in the CloudFormation stack's events.
+
+
+
+
+
+When a native resource fails to create or update there are no additional logs available except what is displayed in the `Status reason` column. When a custom resource fails to create or update -- i.e. not a native CloudFormation resource but a resource backed by a custom Lambda function -- then we can find additional logs in CloudWatch.
+
+Sometimes the stack failure could have occurred in a managed account instead of the master account. See [Switch To a Managed Account](#switch-to-a-managed-account) to switch to the CloudFormation console in the managed account.
+
+#### Custom Resource
+
+Custom resources are backed by a Lambda function that implements the creation, modification or deletion or the resource. Every Lambda function has a CloudWatch log group that contains logs about the custom resource creation. To troubleshoot errors in custom resource, you need to check the custom resource's log group.
+
+Example custom resource log group names:
+
+```
+/aws/lambda/PBMMAccel-Master-Phase1-CustomCurReportDefinitionL-14IHLQCC1LY8L
+/aws/lambda/PBMMAccel-Master-Phase2-AWS679f53fac002430cb0da5b7-Z75Q4GG9LIV5
+/aws/lambda/PBMMAccel-Operations-Phas-AWS679f53fac002430cb0da5-HMV2YF6OKJET
+/aws/lambda/PBMMAccel-Operations-Phas-CustomGetDetectorIdLambd-HEM07DR0DOOJ
+```
+
+#### CloudWatch
+
+When you arrived in CloudWatch logs by clicking on the state machine's step `CloudWatch Logs` link you will immediately see the list of log streams. Every log stream represents an instance of the Lambda function.
+
+You can find errors in multiple log groups using CloudWatch Log Insights.
+
+
+
+```
+fields @timestamp, @message
+| sort @timestamp desc
+| filter strcontains(@message, 'ERROR')
+| limit 100
+```
+
+#### State Machine
+
+When troubleshooting a failed step in the state machine it is important to know what type of step failed. If the step is calling a Lambda function then you will see the following after clicking the failed step.
+
+
+
+You can see that the exception contains a useful message. This message will differ between Lambda functions. In case this message does not make the issue clear, you can click on the `CloudWatch Logs` link in the `Resource` section to view the output of the Lambda function that was called by the step. See the section [CloudWatch Logs](#cloudwatch-logs).
+
+In case the failed step started another state machine, you will see the following after clicking the failed step.
+
+
+
+To view the state machine execution that failed you can click the link in the `Resource` section.
+
+In case the failed step started the CodeBuild state machine, `PBMMAccel-CodeBuild_sm`, you will be able to see the CodeBuild project and execution ID that failed by looking at the output of the `Start Build` step in the `PBMMAccel-CodeBuild_sm` state machine.
+
+.
+
+In the image above the execution of CodeBuild project `PBMMAccel-DeployPrebuilt` with ID `PBMMAccel-DeployPrebuilt:717584a9-c406-4569-9cc2-0d23e9ff9ef0` failed. See the [CodeBuild](#codebuild) section to troubleshoot.
+
+### How-to
+
+#### Restart the State Machine
+
+> TODO(ggindera)
+>
+> ```
+> {
+> 'ov-global-options': true,
+> 'ov-del-accts': true,
+> 'ov-ren-accts': true,
+> 'ov-acct-email': true,
+> 'ov-acct-ou': true,
+> 'ov-acct-vpc': true,
+> 'ov-acct-subnet': true,
+> 'ov-tgw': true,
+> 'ov-mad': true,
+> 'ov-ou-vpc': true,
+> 'ov-ou-subnet': true,
+> 'ov-share-to-ou': true,
+> 'ov-share-to-accounts': true,
+> 'ov-nacl': true
+> }
+> ```
+
+#### Switch To a Managed Account
+
+To switch from the master account to a managed account you can click on your account name in the AWS Console. Then choose `Switch Role` in the menu.
+
+
+
+In the page that appears next you need to fill out the account ID of the managed account you want to switch to. Next, you need to enter the role name `PBMMAccel-PipelineRole`. And lastly, you need to enter a relevant name so you can later switch roles by using this name.
+
+
+
+After switching to the managed account, the AWS Console header will look like the following image.
+
+
+
+You can switch to the same account again quickly by clicking the name you entered previously in the menu.
+
+
+
+[1]: https://docs.aws.amazon.com/cdk/latest/guide/home.html
diff --git a/package.json b/package.json
index 3e90522a5..ac1d65bde 100644
--- a/package.json
+++ b/package.json
@@ -1,14 +1,14 @@
-{
- "devDependencies": {
- "@types/jest": "^25.2.1",
- "@types/node": "12.12.6",
- "husky": "4.2.3",
- "prettier": "2.0.2",
- "pretty-quick": "2.0.1"
- },
- "husky": {
- "hooks": {
- "pre-commit": "pnpx pretty-quick --pattern **/*.ts"
- }
- }
-}
+{
+ "devDependencies": {
+ "@types/jest": "^25.2.1",
+ "@types/node": "12.12.6",
+ "husky": "4.2.3",
+ "prettier": "2.0.2",
+ "pretty-quick": "2.0.1"
+ },
+ "husky": {
+ "hooks": {
+ "pre-commit": "pnpx pretty-quick --pattern **/*.ts"
+ }
+ }
+}
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 37889c62b..150f598a8 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -1,14 +1,14 @@
-packages:
- - src/installer/**
- - src/core/cdk/**
- - src/core/runtime/**
- - src/deployments/cdk/**
- - src/deployments/runtime/**
- - src/lib/common-types/**
- - src/lib/common-outputs/**
- - src/lib/common/**
- - src/lib/common-config/**
- - src/lib/cdk-plugin-assume-role/**
- - src/lib/custom-resources/**
- - src/lib/cdk-accelerator/**
+packages:
+ - src/installer/**
+ - src/core/cdk/**
+ - src/core/runtime/**
+ - src/deployments/cdk/**
+ - src/deployments/runtime/**
+ - src/lib/common-types/**
+ - src/lib/common-outputs/**
+ - src/lib/common/**
+ - src/lib/common-config/**
+ - src/lib/cdk-plugin-assume-role/**
+ - src/lib/custom-resources/**
+ - src/lib/cdk-accelerator/**
- src/lib/cdk-constructs/**
\ No newline at end of file
diff --git a/reference-artifacts/Certs-Sample/To_Create_Self_Signed-Cert.txt b/reference-artifacts/Certs-Sample/To_Create_Self_Signed-Cert.txt
index 3b1727809..3a53dc3ad 100644
--- a/reference-artifacts/Certs-Sample/To_Create_Self_Signed-Cert.txt
+++ b/reference-artifacts/Certs-Sample/To_Create_Self_Signed-Cert.txt
@@ -1,9 +1,9 @@
-Run the following:
-
-Example1:
-openssl req -newkey rsa:2048 -nodes -keyout example1-cert.key -out example1-cert.csr -subj "/C=CA/ST=Ontario/L=Ottawa/O=AnyCompany/CN=*.example.ca"
-openssl x509 -signkey example1-cert.key -in example1-cert.csr -req -days 1095 -out example1-cert.crt
-
-Example2:
-openssl req -newkey rsa:2048 -nodes -keyout example2-cert.key -out example2-cert.csr -subj "/C=CA/ST=Ontario/L=Ottawa/O=AnyCompany/CN=*.example.local"
+Run the following:
+
+Example1:
+openssl req -newkey rsa:2048 -nodes -keyout example1-cert.key -out example1-cert.csr -subj "/C=CA/ST=Ontario/L=Ottawa/O=AnyCompany/CN=*.example.ca"
+openssl x509 -signkey example1-cert.key -in example1-cert.csr -req -days 1095 -out example1-cert.crt
+
+Example2:
+openssl req -newkey rsa:2048 -nodes -keyout example2-cert.key -out example2-cert.csr -subj "/C=CA/ST=Ontario/L=Ottawa/O=AnyCompany/CN=*.example.local"
openssl x509 -signkey example2-cert.key -in example2-cert.csr -req -days 1095 -out example2-cert.crt
\ No newline at end of file
diff --git a/reference-artifacts/Certs-Sample/example1-cert.crt b/reference-artifacts/Certs-Sample/example1-cert.crt
index 19c7b741d..9fbaf7666 100644
--- a/reference-artifacts/Certs-Sample/example1-cert.crt
+++ b/reference-artifacts/Certs-Sample/example1-cert.crt
@@ -1,20 +1,20 @@
------BEGIN CERTIFICATE-----
-MIIDPzCCAicCFBabjzVzqu7a5AHoyNjOqR89wsJQMA0GCSqGSIb3DQEBCwUAMFwx
-CzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMQ8wDQYDVQQHDAZPdHRhd2Ex
-EzARBgNVBAoMCkFueUNvbXBhbnkxFTATBgNVBAMMDCouZXhhbXBsZS5jYTAeFw0y
-MDA2MTExMTMxMjhaFw0yMzA2MTExMTMxMjhaMFwxCzAJBgNVBAYTAkNBMRAwDgYD
-VQQIDAdPbnRhcmlvMQ8wDQYDVQQHDAZPdHRhd2ExEzARBgNVBAoMCkFueUNvbXBh
-bnkxFTATBgNVBAMMDCouZXhhbXBsZS5jYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBALdSngcKWfYcHQg5vTKXoguSA2NZ9GB89rbLv8fOAlmsWkHE8ilz
-BnjEHYcMTvcmQ+sePRzMeGumDDwNnY181hCvzKYNy64ApGa7r3BhgJU9G7jH1qMo
-9L9NJe5xc+0nd4L6/jKJrNJGjZG75/nqs3WEuhzyrQaLYHckanF4GTcxhLZgHxUA
-7n1WBF7WAHqRCU3e0U0infG3eyELZJKlgFIHGqQ9nHmOVXeWspL1ANPJWkkCbgA1
-bpeD2b3eX0RV4k7fVhzRBVZVY5n7DnWFhLGdbLtWrk5lnPig4Rlp88c/LeTVikSW
-PnHLpvChRqfA3PAIZ2jsHyYR/9BwP4gc4ZcCAwEAATANBgkqhkiG9w0BAQsFAAOC
-AQEAsJDZDUUfAEufnYZUtOhEAPX8dZyNCtorAqYt7teAthndy2Xq5ai+meKJgeNK
-rNXd+bTRL5rPyNUGo93j37UAca1+KGF3qxpJeSEh38a2IGjNzuqg7tNJURs07pLf
-JWCW7vS6lgNViqNtn4Th1W9t4Xadi7i2yV10iLZ6GDCES3nmpaUgisiA8GrHp2hQ
-eYZbj6Y1ycSGVF+sEhDE3XkbUNE/uaLbCQO+aKAseWRdEDJiNPx8GgZ8dAZQnNxl
-qaSvV/A6aQpdFiVjGbSig17GnicZhoYPyVMTJeq4qJwWusOKxMSw/UqpwjKDQnfN
-mU9xGOqP1td5ZxAGlATi0BCUuA==
------END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/reference-artifacts/Certs-Sample/example1-cert.csr b/reference-artifacts/Certs-Sample/example1-cert.csr
index 2cdae359b..c59c44e40 100644
--- a/reference-artifacts/Certs-Sample/example1-cert.csr
+++ b/reference-artifacts/Certs-Sample/example1-cert.csr
@@ -1,17 +1,17 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICoTCCAYkCAQAwXDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDzAN
-BgNVBAcMBk90dGF3YTETMBEGA1UECgwKQW55Q29tcGFueTEVMBMGA1UEAwwMKi5l
-eGFtcGxlLmNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt1KeBwpZ
-9hwdCDm9MpeiC5IDY1n0YHz2tsu/x84CWaxaQcTyKXMGeMQdhwxO9yZD6x49HMx4
-a6YMPA2djXzWEK/Mpg3LrgCkZruvcGGAlT0buMfWoyj0v00l7nFz7Sd3gvr+Moms
-0kaNkbvn+eqzdYS6HPKtBotgdyRqcXgZNzGEtmAfFQDufVYEXtYAepEJTd7RTSKd
-8bd7IQtkkqWAUgcapD2ceY5Vd5aykvUA08laSQJuADVul4PZvd5fRFXiTt9WHNEF
-VlVjmfsOdYWEsZ1su1auTmWc+KDhGWnzxz8t5NWKRJY+ccum8KFGp8Dc8AhnaOwf
-JhH/0HA/iBzhlwIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAInEXZvnfnwZxexn
-502ak12AzUKZjp0i3lIkPNYlawtzHnCizyxasy6N5IobcGxLrJsIjBkxQE8q8bpm
-kkNqzlLJ2kStcsIu6cp1gTSfjwULdB7PV+VK2ruORSAa/RVZ3jC4VQeIqF+qFgLd
-WgW/79sid9O6Ev87NfX/OvkbYaBNbX4AGdccG3GJqJqC+UumXiLTYZ5tmaNTPJex
-4ya7rY+Yo8KqJLvdwi+YXNDFyzgfvCz8u6RltwRaS4Owd1ownIf1vo4tfhoWp5Tr
-61FcbgnuZsWUI1SFAVHuhF7k8pYDaU872RtXKer1pDAnulZ+0BGtHpV3sQ3u6Zlk
-tcrf6dU=
------END CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
diff --git a/reference-artifacts/Certs-Sample/example1-cert.key b/reference-artifacts/Certs-Sample/example1-cert.key
index 9fb867953..31548f128 100644
--- a/reference-artifacts/Certs-Sample/example1-cert.key
+++ b/reference-artifacts/Certs-Sample/example1-cert.key
@@ -1,28 +1,28 @@
------BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC3Up4HCln2HB0I
-Ob0yl6ILkgNjWfRgfPa2y7/HzgJZrFpBxPIpcwZ4xB2HDE73JkPrHj0czHhrpgw8
-DZ2NfNYQr8ymDcuuAKRmu69wYYCVPRu4x9ajKPS/TSXucXPtJ3eC+v4yiazSRo2R
-u+f56rN1hLoc8q0Gi2B3JGpxeBk3MYS2YB8VAO59VgRe1gB6kQlN3tFNIp3xt3sh
-C2SSpYBSBxqkPZx5jlV3lrKS9QDTyVpJAm4ANW6Xg9m93l9EVeJO31Yc0QVWVWOZ
-+w51hYSxnWy7Vq5OZZz4oOEZafPHPy3k1YpElj5xy6bwoUanwNzwCGdo7B8mEf/Q
-cD+IHOGXAgMBAAECggEAIY75KLbHYxsgYWoYbVN+sXmILz6/Uo5tp2bC87ONkJbR
-auq/ncDVtXPJJ/ij1/BkTH0bmNMBVEtwP+oKJmVs1l8oKlmqKG8rqTbAVeUzYZ5v
-HbNPYkzUCNT5lZ2lKAuqgAqsT9oODewmbEAmpgRF18R1QWlXLTSEcyryZVUj4Itb
-uJ5rjvSpTSxme9YunbZxdJEr5w1iLsw4xAeQbIAGxl7lw1OpDrDIYrNd/ghkvFW1
-72izxj28EN/pgIVQ+ldfG0z5+wh+IQ4VEhmdnh9ce+xICEID7q7kwS4YoIKovbmf
-uOx85Dx7eF8K0qbFROautyDjervSNOdA7Mi7NHLF8QKBgQDc8Iawq2UslesbISUA
-1P3uIQixqimPa2mKl6zc1x2AwIkaMXlvVN4BXzMRNbLdmcjSyPrH1u4VnCisG8HH
-+GgpHNg1kGcZwZ4JHVnzjkl3lwkl2/knaZvdWXJ6i5GZUkMY8mDZSjaNcQl5Cbkl
-iLoMSVwtZEMYx7I0wf2D3gglqQKBgQDUafDQj/h9Y5f8VYMyOL8Efe5rFdqqW2e0
-ZhxZbR+VFHRgCm66ZdbSY3bBnqyqSOiEfSKz3KQDzmVkNVS+ZXaqWceuaGJMgsQR
-kZcwSkoD262FfXDw6R+gmAO/rDmsdAm6oVJcgQ40jxkLfT8Qlzp2elbm06kGsdHl
-C888hlbVPwKBgQDbEmgLT7efUPvxR5kgTRGIiBrNx5M0EWZyNNkDlQ08+Cw526q0
-WKtVIudI/jzf/DejwgLgGl6y8MdneJJZzRbDBUXhPtDsOg6QrRjfJkv0l79LWeWg
-Tdhtz95yYme5Zlb/qn2blzmmX9nruVdrPzpzKl6K56qcLI6oP1433fWoGQKBgQCp
-KGEVxsGuIYUk93iOozBDxIH9F59W8Ynp2TOUZ9mx4GM5JLW/jWCBlaI6WUHKLlu1
-Pu5G7FxVh6WpIuuE4MqaqPrjQs+dfLnl/9q2I0NERUqvtxEdWZnNS6IYn3AijRo+
-XUB42HHWm2rngmuZq8VsGstf8Yl3Al9UF46G9bjrAwKBgQCLR4uljB8CZvQPJWJa
-4+PSuEiTP6GDvG2L7AIgSrGN9KqVlBE90DwYNk55sCJiLS3DA/u1SyiwZYvFYc6j
-ubFfaWn/ZxSz5sQSvaYMeiCg6YJqo65A2slmFxYRYspES6kW1dGAkJBHseo06OHL
-ZWJPF7jUEwTCo0xwQHkiabrmNQ==
------END PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/reference-artifacts/Certs-Sample/example2-cert.crt b/reference-artifacts/Certs-Sample/example2-cert.crt
index 079f2ef5a..a032e3917 100644
--- a/reference-artifacts/Certs-Sample/example2-cert.crt
+++ b/reference-artifacts/Certs-Sample/example2-cert.crt
@@ -1,20 +1,20 @@
------BEGIN CERTIFICATE-----
-MIIDRTCCAi0CFDxfrEBrIUekDVTcqfzA49ubVbY4MA0GCSqGSIb3DQEBCwUAMF8x
-CzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMQ8wDQYDVQQHDAZPdHRhd2Ex
-EzARBgNVBAoMCkFueUNvbXBhbnkxGDAWBgNVBAMMDyouZXhhbXBsZS5sb2NhbDAe
-Fw0yMDA2MTExMTMyMjdaFw0yMzA2MTExMTMyMjdaMF8xCzAJBgNVBAYTAkNBMRAw
-DgYDVQQIDAdPbnRhcmlvMQ8wDQYDVQQHDAZPdHRhd2ExEzARBgNVBAoMCkFueUNv
-bXBhbnkxGDAWBgNVBAMMDyouZXhhbXBsZS5sb2NhbDCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAOY9DZL9wRP7iKq6fO4fw+JBGUoeg/EL1MdUeuIp2Mr5
-rMnqHZu38+M/4avtQCESFXlx6f8EZiqs/Atpd151UqtF3InEdGY2ucynySp9rZqY
-/UeggP0Jl36X2c8ipZtMjo7Uu6iOPI2iWx7Zs8LZU0Sy2RGab2kF6tuCcKB4qFZL
-JGv0nYh2E9CSjfbnSfmmVDFef/6FsXGnDfd/OWwTnqxyvFvldzZ1L1dz7QrGgV53
-murxrlgurcvWTBc3Hwlte7T2RWcTzSMjm7gbOW7rkaM4/4YVtUjeEScx9QYQdZ6B
-orHT3wr6Mq+xV+jUVJogEi0CjPh4a76P+i7ZRG2NMBcCAwEAATANBgkqhkiG9w0B
-AQsFAAOCAQEAuxtuKK2zCIrO259d4tz28MQyhYuOcTBnDf4cTNx5vrqm5jT8LlQS
-/D5ehOgdLgtNaYCeZ7NzEgXXOv01dMbcqBT04NOP2Y2nMJzi1q1Lx6Rs/NwRfp+j
-6di+fVksTGI7UteB48RbCrA5bUxjNyEFt3W8Ppzkd3EJd/bqp2GZNBrrt6u2shkq
-9ay+YqNoTRlD9OJmCoR9eP5xPRuCNbkjhFDHWW/3qMFr2T5x8UAdoFhuWhqimP3j
-mXaBJjmwc+IevpydBhUTPQAxSXOM7DJNz8DOYNYd2FvjNMYGJ+UXD7dBg+VSoLXw
-hFCZp45WRcKd0VXGk5l6WHiY8nUCpD03AA==
------END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/reference-artifacts/Certs-Sample/example2-cert.csr b/reference-artifacts/Certs-Sample/example2-cert.csr
index 7503b2ad1..e60d983a2 100644
--- a/reference-artifacts/Certs-Sample/example2-cert.csr
+++ b/reference-artifacts/Certs-Sample/example2-cert.csr
@@ -1,17 +1,17 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICpDCCAYwCAQAwXzELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDzAN
-BgNVBAcMBk90dGF3YTETMBEGA1UECgwKQW55Q29tcGFueTEYMBYGA1UEAwwPKi5l
-eGFtcGxlLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5j0N
-kv3BE/uIqrp87h/D4kEZSh6D8QvUx1R64inYyvmsyeodm7fz4z/hq+1AIRIVeXHp
-/wRmKqz8C2l3XnVSq0XcicR0Zja5zKfJKn2tmpj9R6CA/QmXfpfZzyKlm0yOjtS7
-qI48jaJbHtmzwtlTRLLZEZpvaQXq24JwoHioVkska/SdiHYT0JKN9udJ+aZUMV5/
-/oWxcacN9385bBOerHK8W+V3NnUvV3PtCsaBXnea6vGuWC6ty9ZMFzcfCW17tPZF
-ZxPNIyObuBs5buuRozj/hhW1SN4RJzH1BhB1noGisdPfCvoyr7FX6NRUmiASLQKM
-+Hhrvo/6LtlEbY0wFwIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAFj6ERRtb2We
-Kt/nLEhdHTsq8WhP26kTnELeMAj/y48UENl0jqTO3R2ZngBujtELEC4A3zf9sc7a
-eQlzctlvL4cfFFu47jHJac+ivO7OOM7yMk5WHIgEE4iM2SStQzXoEAdEuR+Q0QJu
-YOZV4ttTf5Wqsf2HUxLuotx0VWbMdPEnsycYlywnyfTpwuxmmcNbQbcY5BBagJqx
-kBuBZIOSIq00tnOpkr49TVtn9htJMmRQMYCoo/zeU+xA8qORlkBMOXQBqVf8M3D7
-NVlv+bIgmF+DJQKa0nVzoeb4aPyIF9wHJS4LyjBceorgj4V617p9dw0raPaMkBEN
-6V0/9/lQ5KY=
------END CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE REQUEST-----
+MIICpDCCAYwCAQAwXzELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDzAN
+BgNVBAcMBk90dGF3YTETMBEGA1UECgwKQW55Q29tcGFueTEYMBYGA1UEAwwPKi5l
+eGFtcGxlLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5j0N
+kv3BE/uIqrp87h/D4kEZSh6D8QvUx1R64inYyvmsyeodm7fz4z/hq+1AIRIVeXHp
+/wRmKqz8C2l3XnVSq0XcicR0Zja5zKfJKn2tmpj9R6CA/QmXfpfZzyKlm0yOjtS7
+qI48jaJbHtmzwtlTRLLZEZpvaQXq24JwoHioVkska/SdiHYT0JKN9udJ+aZUMV5/
+/oWxcacN9385bBOerHK8W+V3NnUvV3PtCsaBXnea6vGuWC6ty9ZMFzcfCW17tPZF
+ZxPNIyObuBs5buuRozj/hhW1SN4RJzH1BhB1noGisdPfCvoyr7FX6NRUmiASLQKM
++Hhrvo/6LtlEbY0wFwIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAFj6ERRtb2We
+Kt/nLEhdHTsq8WhP26kTnELeMAj/y48UENl0jqTO3R2ZngBujtELEC4A3zf9sc7a
+eQlzctlvL4cfFFu47jHJac+ivO7OOM7yMk5WHIgEE4iM2SStQzXoEAdEuR+Q0QJu
+YOZV4ttTf5Wqsf2HUxLuotx0VWbMdPEnsycYlywnyfTpwuxmmcNbQbcY5BBagJqx
+kBuBZIOSIq00tnOpkr49TVtn9htJMmRQMYCoo/zeU+xA8qORlkBMOXQBqVf8M3D7
+NVlv+bIgmF+DJQKa0nVzoeb4aPyIF9wHJS4LyjBceorgj4V617p9dw0raPaMkBEN
+6V0/9/lQ5KY=
+-----END CERTIFICATE REQUEST-----
diff --git a/reference-artifacts/Certs-Sample/example2-cert.key b/reference-artifacts/Certs-Sample/example2-cert.key
index 24ba61f3a..c61c8fb59 100644
--- a/reference-artifacts/Certs-Sample/example2-cert.key
+++ b/reference-artifacts/Certs-Sample/example2-cert.key
@@ -1,28 +1,28 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDmPQ2S/cET+4iq
-unzuH8PiQRlKHoPxC9THVHriKdjK+azJ6h2bt/PjP+Gr7UAhEhV5cen/BGYqrPwL
-aXdedVKrRdyJxHRmNrnMp8kqfa2amP1HoID9CZd+l9nPIqWbTI6O1LuojjyNolse
-2bPC2VNEstkRmm9pBerbgnCgeKhWSyRr9J2IdhPQko3250n5plQxXn/+hbFxpw33
-fzlsE56scrxb5Xc2dS9Xc+0KxoFed5rq8a5YLq3L1kwXNx8JbXu09kVnE80jI5u4
-Gzlu65GjOP+GFbVI3hEnMfUGEHWegaKx098K+jKvsVfo1FSaIBItAoz4eGu+j/ou
-2URtjTAXAgMBAAECggEAaYw7mNMznFGHiZ0MgK2XQzXMvinXGr3twaN84gmFFSf4
-imgFQsnFyLwUXJja+U4tAguy1fHSVGYQ9bpXurnWOCZCv/WL1v/nlWal1hDfcSwJ
-kLiH6XhoNuSuOUMM4HDsOZZUoSTzpYp0c2QiAIVYovnKgUNnJ6JK1G6r6yTlJwlU
-5zAyZGPDokQrHlHNgRYq1seLrq/u5/VpzdXfp7M1r6AVdpV6A8oe4VRiZlR9QqNT
-lOwap1czvwYPzID9fHCYUcIMKdNC3bs+2Okl3/6c1UMFRilZ7C6pI/USW1p4BdUm
-CRHLA153Q+om3qelElQ2eymWMwsXs0EwvDp5jmZOYQKBgQD6tDyBOsSD2TakcN/w
-qrcOmmvi8M3RqYcdhKq3L7X/Mh53/rhyl75bpv5QJi38WovLPPiLlnIOiRToV6P6
-5uYNzdmdGHT7knzLexokrnJrt18McvqNHlNZMT8sBNsXXELWDyi1HXFjnHTGZaJf
-GibdzjBcmALvx9dyPjKQpEWIKwKBgQDrGiR7bNPQ4LH+s8K9l0vgfYkJUT2ahno+
-vpDopJFzsNA4CYKhW8X4o+xLGpfgIKX9WWGJYu9qAOzSZSUaaLBbYB8pynM4Whmr
-W9mFSQqBrLryNmTg4oTPl570Wuim40d1KJ4b8ZyfeXl8VwBwLuDT/O7gI6SqkdxR
-kKUnQM+1xQKBgQCJYYUaZ+LSQZCQ8g21a0de6D4goUaYEucoxM9sDOgVjRhnNx1K
-Jl85CDyqHRHsDI44dBPbIjkkP/hGDeidEDSW8evDC2jnhvF969p6qWGoJ1cdklA8
-Tpbr9HGipJKOrY8ukCYFgbnmFRFkusMMjF8qAtg7lU1eqksknnLFEk/L+wKBgQC/
-VGQySivLhsF0riijELkAdkmK2qHO2vgrjfzyR9PTmiaqJBs6ZCymIAmSSY8mKIvN
-terp2ylKVHxm8UeTyXUUuBJEeWzxhGn1iedpUDsLs13k9p18YvyA0TzcUguancau
-syKRTT0Qj9Rte4Rwx8XS37orkPZWliP+AUBWxKkFnQKBgFzffnVT+QewF3LZMb0G
-X/boeyzy/MKRqdpa8GzKPZHcpnBINIXeHeXug1n7D+IrtEkciYwc864UHvcrn/Xx
-y9+x4tE9RjiarGy2sFnBqdEWVYeEPb6jB+bslhzDzK4GsF2TLtYknZ/Q0JYdq0vq
-uH1Vl0wMED55H4pSzYpsK4nU
------END PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDmPQ2S/cET+4iq
+unzuH8PiQRlKHoPxC9THVHriKdjK+azJ6h2bt/PjP+Gr7UAhEhV5cen/BGYqrPwL
+aXdedVKrRdyJxHRmNrnMp8kqfa2amP1HoID9CZd+l9nPIqWbTI6O1LuojjyNolse
+2bPC2VNEstkRmm9pBerbgnCgeKhWSyRr9J2IdhPQko3250n5plQxXn/+hbFxpw33
+fzlsE56scrxb5Xc2dS9Xc+0KxoFed5rq8a5YLq3L1kwXNx8JbXu09kVnE80jI5u4
+Gzlu65GjOP+GFbVI3hEnMfUGEHWegaKx098K+jKvsVfo1FSaIBItAoz4eGu+j/ou
+2URtjTAXAgMBAAECggEAaYw7mNMznFGHiZ0MgK2XQzXMvinXGr3twaN84gmFFSf4
+imgFQsnFyLwUXJja+U4tAguy1fHSVGYQ9bpXurnWOCZCv/WL1v/nlWal1hDfcSwJ
+kLiH6XhoNuSuOUMM4HDsOZZUoSTzpYp0c2QiAIVYovnKgUNnJ6JK1G6r6yTlJwlU
+5zAyZGPDokQrHlHNgRYq1seLrq/u5/VpzdXfp7M1r6AVdpV6A8oe4VRiZlR9QqNT
+lOwap1czvwYPzID9fHCYUcIMKdNC3bs+2Okl3/6c1UMFRilZ7C6pI/USW1p4BdUm
+CRHLA153Q+om3qelElQ2eymWMwsXs0EwvDp5jmZOYQKBgQD6tDyBOsSD2TakcN/w
+qrcOmmvi8M3RqYcdhKq3L7X/Mh53/rhyl75bpv5QJi38WovLPPiLlnIOiRToV6P6
+5uYNzdmdGHT7knzLexokrnJrt18McvqNHlNZMT8sBNsXXELWDyi1HXFjnHTGZaJf
+GibdzjBcmALvx9dyPjKQpEWIKwKBgQDrGiR7bNPQ4LH+s8K9l0vgfYkJUT2ahno+
+vpDopJFzsNA4CYKhW8X4o+xLGpfgIKX9WWGJYu9qAOzSZSUaaLBbYB8pynM4Whmr
+W9mFSQqBrLryNmTg4oTPl570Wuim40d1KJ4b8ZyfeXl8VwBwLuDT/O7gI6SqkdxR
+kKUnQM+1xQKBgQCJYYUaZ+LSQZCQ8g21a0de6D4goUaYEucoxM9sDOgVjRhnNx1K
+Jl85CDyqHRHsDI44dBPbIjkkP/hGDeidEDSW8evDC2jnhvF969p6qWGoJ1cdklA8
+Tpbr9HGipJKOrY8ukCYFgbnmFRFkusMMjF8qAtg7lU1eqksknnLFEk/L+wKBgQC/
+VGQySivLhsF0riijELkAdkmK2qHO2vgrjfzyR9PTmiaqJBs6ZCymIAmSSY8mKIvN
+terp2ylKVHxm8UeTyXUUuBJEeWzxhGn1iedpUDsLs13k9p18YvyA0TzcUguancau
+syKRTT0Qj9Rte4Rwx8XS37orkPZWliP+AUBWxKkFnQKBgFzffnVT+QewF3LZMb0G
+X/boeyzy/MKRqdpa8GzKPZHcpnBINIXeHeXug1n7D+IrtEkciYwc864UHvcrn/Xx
+y9+x4tE9RjiarGy2sFnBqdEWVYeEPb6jB+bslhzDzK4GsF2TLtYknZ/Q0JYdq0vq
+uH1Vl0wMED55H4pSzYpsK4nU
+-----END PRIVATE KEY-----
diff --git a/reference-artifacts/Import-Account/cfn-awscloudformationstacksetexecutionrole.template.yml b/reference-artifacts/Import-Account/cfn-awscloudformationstacksetexecutionrole.template.yml
index ce404f083..e5f276e6d 100644
--- a/reference-artifacts/Import-Account/cfn-awscloudformationstacksetexecutionrole.template.yml
+++ b/reference-artifacts/Import-Account/cfn-awscloudformationstacksetexecutionrole.template.yml
@@ -1,31 +1,31 @@
-AWSTemplateFormatVersion: 2010-09-09
-Description: >-
- Configure the AWSCloudFormationStackSetExecutionRole to enable use of your
- account as a target instance in AWS CloudFormation StackSet.
-Parameters:
- MasterAccountId:
- Type: String
- Description: Master account Id where StackSet will be created
- MaxLength: 12
- MinLength: 12
- OrgAdminRoleName:
- Type: String
- Default: AWSCloudFormationStackSetExecutionRole
- Description: Organization admin role name
-Resources:
- ExecutionRole:
- Type: 'AWS::IAM::Role'
- Properties:
- RoleName: !Ref OrgAdminRoleName
- AssumeRolePolicyDocument:
- Version: 2012-10-17
- Statement:
- - Effect: Allow
- Principal:
- AWS:
- - !Ref MasterAccountId
- Action:
- - 'sts:AssumeRole'
- Path: /
- ManagedPolicyArns:
- - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess'
+AWSTemplateFormatVersion: 2010-09-09
+Description: >-
+ Configure the AWSCloudFormationStackSetExecutionRole to enable use of your
+ account as a target instance in AWS CloudFormation StackSet.
+Parameters:
+ MasterAccountId:
+ Type: String
+ Description: Master account Id where StackSet will be created
+ MaxLength: 12
+ MinLength: 12
+ OrgAdminRoleName:
+ Type: String
+ Default: AWSCloudFormationStackSetExecutionRole
+ Description: Organization admin role name
+Resources:
+ ExecutionRole:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ RoleName: !Ref OrgAdminRoleName
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ AWS:
+ - !Ref MasterAccountId
+ Action:
+ - 'sts:AssumeRole'
+ Path: /
+ ManagedPolicyArns:
+ - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess'
diff --git a/reference-artifacts/SCPs/FullAWSAccess.json b/reference-artifacts/SCPs/FullAWSAccess.json
index e26e4b5e3..12bf2188f 100644
--- a/reference-artifacts/SCPs/FullAWSAccess.json
+++ b/reference-artifacts/SCPs/FullAWSAccess.json
@@ -1,10 +1,10 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": "*",
- "Resource": "*"
- }
- ]
-}
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/reference-artifacts/SCPs/PBMMAccel-Guardrails-PBMM-Only.json b/reference-artifacts/SCPs/PBMMAccel-Guardrails-PBMM-Only.json
index efa461a79..c799b7734 100644
--- a/reference-artifacts/SCPs/PBMMAccel-Guardrails-PBMM-Only.json
+++ b/reference-artifacts/SCPs/PBMMAccel-Guardrails-PBMM-Only.json
@@ -1,133 +1,133 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "DenyNetworkPBMMONLY",
- "Effect": "Deny",
- "Action": [
- "ec2:AcceptVpcPeeringConnection",
- "ec2:AttachEgressOnlyInternetGateway",
- "ec2:AttachInternetGateway",
- "ec2:CreateEgressOnlyInternetGateway",
- "ec2:CreateInternetGateway",
- "ec2:CreateNatGateway",
- "ec2:CreateTransitGateway",
- "ec2:CreateTransitGatewayRoute",
- "ec2:CreateTransitGatewayRouteTable",
- "ec2:CreateTransitGatewayVpcAttachment",
- "ec2:CreateVpc",
- "ec2:CreateVpcEndpoint",
- "ec2:CreateVpcPeeringConnection",
- "ec2:DeleteNatGateway",
- "ec2:DeleteTransitGatewayRoute",
- "ec2:DeleteTransitGatewayRouteTable",
- "ec2:DeleteTransitGatewayVpcAttachment",
- "ec2:DeleteVpc",
- "ec2:DeleteVpcEndpoints",
- "ec2:DeleteVpcPeeringConnection",
- "globalaccelerator:Create*",
- "globalaccelerator:Update*",
- "kms:ScheduleKeyDeletion",
- "kms:Delete*",
- "iam:CreateGroup",
- "iam:CreateUser",
- "iam:CreateAccessKey",
- "iam:DeleteUser",
- "iam:UpdateUser",
- "iam:DeleteGroup",
- "iam:UpdateGroup",
- "iam:DeleteRolePermissionsBoundary",
- "iam:AddUserToGroup",
- "iam:UpdateAccountPasswordPolicy",
- "iam:DeleteAccountPasswordPolicy",
- "iam:TagUser"
- ],
- "Resource": "*",
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalArn": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/StackSet-AWS-Landing-Zone*",
- "arn:aws:iam::*:role/PBMMAccel-*",
- "arn:aws:iam::*:role/PBMMOps-*"
- ]
- }
- }
- },
- {
- "Sid": "ScopeSpecificGlobalActionsToCanadaUSE1",
- "Effect": "Deny",
- "Action": ["acm:*", "kms:*"],
- "Resource": "*",
- "Condition": {
- "StringNotEquals": {
- "aws:RequestedRegion": ["ca-central-1", "us-east-1"]
- },
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- }
- },
- {
- "Sid": "DenyAllOutsideCanadaPBMMONLY",
- "Effect": "Deny",
- "NotAction": [
- "a4b:*",
- "access-analyzer:*",
- "acm:*",
- "aws-marketplace-management:*",
- "aws-marketplace:*",
- "aws-portal:*",
- "awsbillingconsole:*",
- "budgets:*",
- "ce:*",
- "chime:*",
- "cloudfront:*",
- "config:*",
- "cur:*",
- "directconnect:*",
- "ec2:DescribeRegions",
- "ec2:DescribeTransitGateways",
- "ec2:DescribeVpnGateways",
- "fms:*",
- "globalaccelerator:*",
- "health:*",
- "iam:*",
- "importexport:*",
- "kms:*",
- "mobileanalytics:*",
- "organizations:*",
- "pricing:*",
- "route53:*",
- "route53domains:*",
- "s3:GetAccountPublic*",
- "s3:ListAllMyBuckets",
- "s3:ListBuckets",
- "s3:PutAccountPublic*",
- "shield:*",
- "sts:*",
- "support:*",
- "trustedadvisor:*",
- "waf-regional:*",
- "waf:*",
- "wafv2:*",
- "wellarchitected:*"
- ],
- "Resource": "*",
- "Condition": {
- "StringNotEquals": {
- "aws:RequestedRegion": ["ca-central-1"]
- },
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- }
- }
- ]
-}
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "DenyNetworkPBMMONLY",
+ "Effect": "Deny",
+ "Action": [
+ "ec2:AcceptVpcPeeringConnection",
+ "ec2:AttachEgressOnlyInternetGateway",
+ "ec2:AttachInternetGateway",
+ "ec2:CreateEgressOnlyInternetGateway",
+ "ec2:CreateInternetGateway",
+ "ec2:CreateNatGateway",
+ "ec2:CreateTransitGateway",
+ "ec2:CreateTransitGatewayRoute",
+ "ec2:CreateTransitGatewayRouteTable",
+ "ec2:CreateTransitGatewayVpcAttachment",
+ "ec2:CreateVpc",
+ "ec2:CreateVpcEndpoint",
+ "ec2:CreateVpcPeeringConnection",
+ "ec2:DeleteNatGateway",
+ "ec2:DeleteTransitGatewayRoute",
+ "ec2:DeleteTransitGatewayRouteTable",
+ "ec2:DeleteTransitGatewayVpcAttachment",
+ "ec2:DeleteVpc",
+ "ec2:DeleteVpcEndpoints",
+ "ec2:DeleteVpcPeeringConnection",
+ "globalaccelerator:Create*",
+ "globalaccelerator:Update*",
+ "kms:ScheduleKeyDeletion",
+ "kms:Delete*",
+ "iam:CreateGroup",
+ "iam:CreateUser",
+ "iam:CreateAccessKey",
+ "iam:DeleteUser",
+ "iam:UpdateUser",
+ "iam:DeleteGroup",
+ "iam:UpdateGroup",
+ "iam:DeleteRolePermissionsBoundary",
+ "iam:AddUserToGroup",
+ "iam:UpdateAccountPasswordPolicy",
+ "iam:DeleteAccountPasswordPolicy",
+ "iam:TagUser"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalArn": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/StackSet-AWS-Landing-Zone*",
+ "arn:aws:iam::*:role/PBMMAccel-*",
+ "arn:aws:iam::*:role/PBMMOps-*"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "ScopeSpecificGlobalActionsToCanadaUSE1",
+ "Effect": "Deny",
+ "Action": ["acm:*", "kms:*"],
+ "Resource": "*",
+ "Condition": {
+ "StringNotEquals": {
+ "aws:RequestedRegion": ["ca-central-1", "us-east-1"]
+ },
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "DenyAllOutsideCanadaPBMMONLY",
+ "Effect": "Deny",
+ "NotAction": [
+ "a4b:*",
+ "access-analyzer:*",
+ "acm:*",
+ "aws-marketplace-management:*",
+ "aws-marketplace:*",
+ "aws-portal:*",
+ "awsbillingconsole:*",
+ "budgets:*",
+ "ce:*",
+ "chime:*",
+ "cloudfront:*",
+ "config:*",
+ "cur:*",
+ "directconnect:*",
+ "ec2:DescribeRegions",
+ "ec2:DescribeTransitGateways",
+ "ec2:DescribeVpnGateways",
+ "fms:*",
+ "globalaccelerator:*",
+ "health:*",
+ "iam:*",
+ "importexport:*",
+ "kms:*",
+ "mobileanalytics:*",
+ "organizations:*",
+ "pricing:*",
+ "route53:*",
+ "route53domains:*",
+ "s3:GetAccountPublic*",
+ "s3:ListAllMyBuckets",
+ "s3:ListBuckets",
+ "s3:PutAccountPublic*",
+ "shield:*",
+ "sts:*",
+ "support:*",
+ "trustedadvisor:*",
+ "waf-regional:*",
+ "waf:*",
+ "wafv2:*",
+ "wellarchitected:*"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringNotEquals": {
+ "aws:RequestedRegion": ["ca-central-1"]
+ },
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ }
+ }
+ ]
+}
diff --git a/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part1.json b/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part1.json
index 464604b34..6b0a1dceb 100644
--- a/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part1.json
+++ b/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part1.json
@@ -1,259 +1,259 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "DenyTag1",
- "Effect": "Deny",
- "Action": [
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroup*",
- "ec2:AuthorizeSecurityGroup*",
- "ec2:CreateSecurityGroup"
- ],
- "Resource": "*",
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/Accel-P": "PBMM"
- },
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- }
- },
- {
- "Sid": "DenyTag2",
- "Effect": "Deny",
- "NotAction": [
- "iam:PassRole",
- "iam:GetRole",
- "iam:GetRolePolicy",
- "iam:ListAttachedRolePolicies",
- "iam:ListInstanceProfilesForRole",
- "iam:ListRolePolicies",
- "iam:ListRoles",
- "iam:GetInstanceProfile",
- "iam:GetLoginProfile",
- "iam:ListInstanceProfiles"
- ],
- "Resource": "*",
- "Condition": {
- "StringEquals": {
- "iam:ResourceTag/Accelerator": "PBMM"
- },
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- }
- },
- {
- "Sid": "DenyS3",
- "Effect": "Deny",
- "Action": [
- "s3:Delete*",
- "s3:PutBucketVersioning",
- "s3:PutEncryptionConfiguration",
- "s3:PutLifecycleConfiguration",
- "s3:PutReplicationConfiguration",
- "s3:PutBucketPolicy",
- "s3:ReplicateDelete",
- "s3:PutObjectRetention",
- "s3:PutObjectTagging"
- ],
- "Resource": ["arn:aws:s3:::pbmmaccel-*", "arn:aws:s3:::cdktoolkit-*", "arn:aws:s3:::cf-templates-*"],
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- }
- },
- {
- "Sid": "ProtectCloudFormation",
- "Effect": "Deny",
- "Action": ["cloudformation:*"],
- "Resource": [
- "arn:aws:cloudformation:*:*:stack/StackSet-AWS-Landing-Zone-*",
- "arn:aws:cloudformation:*:*:stack/StackSet-PBMMAccel-*",
- "arn:aws:cloudformation:*:*:stack/PBMMAccel-*"
- ],
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- }
- },
- {
- "Sid": "DenyAlarmDeletion",
- "Effect": "Deny",
- "Action": [
- "cloudwatch:DeleteAlarms",
- "cloudwatch:DisableAlarmActions",
- "cloudwatch:DeleteDashboards",
- "cloudwatch:PutDashboard",
- "cloudwatch:PutMetricAlarm",
- "cloudwatch:SetAlarmState"
- ],
- "Resource": [
- "arn:aws:cloudwatch:*:*:alarm:CloudTrail*",
- "arn:aws:cloudwatch:*:*:alarm:PBMMAccel-*",
- "arn:aws:cloudwatch:*:*:alarm:IAMPolicyChanges",
- "arn:aws:cloudwatch:*:*:alarm:RootLogin"
- ],
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- }
- },
- {
- "Sid": "ProtectKeyRoles",
- "Effect": "Deny",
- "Action": ["iam:*"],
- "Resource": [
- "arn:aws:iam::*:role/PBMMAccel-*",
- "arn:aws:iam::*:role/PBMMOps-*",
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- ],
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- }
- },
- {
- "Sid": "DenySSMDel",
- "Effect": "Deny",
- "Action": [
- "ssm:DeleteParameter",
- "ssm:DeleteParameters",
- "ssm:PutParameter",
- "ssm:DeleteDocument",
- "ssm:UpdateDocument",
- "ssm:CreateDocument"
- ],
- "Resource": [
- "arn:aws:ssm:*:*:parameter/PBMMAccel-*",
- "arn:aws:ssm:*:*:parameter/cloudformation*",
- "arn:aws:ssm:*:*:document/PBMMAccel-*"
- ],
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- }
- },
- {
- "Sid": "DenyLogDel",
- "Effect": "Deny",
- "Action": [
- "ec2:DeleteFlowLogs",
- "logs:DeleteResourcePolicy",
- "logs:DeleteMetricFilter",
- "logs:DeleteSubscriptionFilter",
- "logs:DeleteLogGroup",
- "logs:DeleteRetentionPolicy",
- "logs:DeleteLogDelivery",
- "logs:DeleteDestination",
- "logs:PutRetentionPolicy",
- "logs:DeleteLogStream"
- ],
- "Resource": "*",
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- }
- },
- {
- "Sid": "DenyLeaveOrg",
- "Effect": "Deny",
- "Action": "organizations:LeaveOrganization",
- "Resource": "*"
- },
- {
- "Sid": "DenyLambdaDel",
- "Effect": "Deny",
- "Action": [
- "lambda:AddPermission",
- "lambda:CreateEventSourceMapping",
- "lambda:CreateFunction",
- "lambda:DeleteEventSourceMapping",
- "lambda:DeleteFunction",
- "lambda:DeleteFunctionConcurrency",
- "lambda:PutFunctionConcurrency",
- "lambda:RemovePermission",
- "lambda:UpdateEventSourceMapping",
- "lambda:UpdateFunctionCode",
- "lambda:UpdateFunctionConfiguration"
- ],
- "Resource": [
- "arn:aws:lambda:*:*:function:StackSet-AWS-Landing-Zone-*",
- "arn:aws:lambda:*:*:function:PBMMAccel-*"
- ],
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- }
- },
- {
- "Sid": "BlockOther",
- "Effect": "Deny",
- "Action": [
- "aws-portal:ModifyAccount",
- "aws-portal:ModifyBilling",
- "aws-portal:ModifyPaymentMethods",
- "ec2:DisableEbsEncryptionByDefault",
- "s3:PutAccountPublicAccessBlock",
- "ds:AcceptSharedDirectory",
- "ds:UnshareDirectory",
- "ds:ShareDirectory",
- "ds:EnableSso",
- "ds:DisableSso",
- "ram:AssociateResourceShare",
- "ram:CreateResourceShare",
- "ram:DeleteResourceShare",
- "ram:EnableSharingWithAwsOrganization",
- "config:DeleteAggregationAuthorization",
- "config:DeleteConfigurationAggregator",
- "config:PutAggregationAuthorization",
- "config:PutConfigurationAggregator"
- ],
- "Resource": "*",
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- }
- }
- ]
-}
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "DenyTag1",
+ "Effect": "Deny",
+ "Action": [
+ "ec2:DeleteSecurityGroup",
+ "ec2:RevokeSecurityGroup*",
+ "ec2:AuthorizeSecurityGroup*",
+ "ec2:CreateSecurityGroup"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/Accel-P": "PBMM"
+ },
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "DenyTag2",
+ "Effect": "Deny",
+ "NotAction": [
+ "iam:PassRole",
+ "iam:GetRole",
+ "iam:GetRolePolicy",
+ "iam:ListAttachedRolePolicies",
+ "iam:ListInstanceProfilesForRole",
+ "iam:ListRolePolicies",
+ "iam:ListRoles",
+ "iam:GetInstanceProfile",
+ "iam:GetLoginProfile",
+ "iam:ListInstanceProfiles"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "iam:ResourceTag/Accelerator": "PBMM"
+ },
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "DenyS3",
+ "Effect": "Deny",
+ "Action": [
+ "s3:Delete*",
+ "s3:PutBucketVersioning",
+ "s3:PutEncryptionConfiguration",
+ "s3:PutLifecycleConfiguration",
+ "s3:PutReplicationConfiguration",
+ "s3:PutBucketPolicy",
+ "s3:ReplicateDelete",
+ "s3:PutObjectRetention",
+ "s3:PutObjectTagging"
+ ],
+ "Resource": ["arn:aws:s3:::pbmmaccel-*", "arn:aws:s3:::cdktoolkit-*", "arn:aws:s3:::cf-templates-*"],
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "ProtectCloudFormation",
+ "Effect": "Deny",
+ "Action": ["cloudformation:*"],
+ "Resource": [
+ "arn:aws:cloudformation:*:*:stack/StackSet-AWS-Landing-Zone-*",
+ "arn:aws:cloudformation:*:*:stack/StackSet-PBMMAccel-*",
+ "arn:aws:cloudformation:*:*:stack/PBMMAccel-*"
+ ],
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "DenyAlarmDeletion",
+ "Effect": "Deny",
+ "Action": [
+ "cloudwatch:DeleteAlarms",
+ "cloudwatch:DisableAlarmActions",
+ "cloudwatch:DeleteDashboards",
+ "cloudwatch:PutDashboard",
+ "cloudwatch:PutMetricAlarm",
+ "cloudwatch:SetAlarmState"
+ ],
+ "Resource": [
+ "arn:aws:cloudwatch:*:*:alarm:CloudTrail*",
+ "arn:aws:cloudwatch:*:*:alarm:PBMMAccel-*",
+ "arn:aws:cloudwatch:*:*:alarm:IAMPolicyChanges",
+ "arn:aws:cloudwatch:*:*:alarm:RootLogin"
+ ],
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "ProtectKeyRoles",
+ "Effect": "Deny",
+ "Action": ["iam:*"],
+ "Resource": [
+ "arn:aws:iam::*:role/PBMMAccel-*",
+ "arn:aws:iam::*:role/PBMMOps-*",
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ ],
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "DenySSMDel",
+ "Effect": "Deny",
+ "Action": [
+ "ssm:DeleteParameter",
+ "ssm:DeleteParameters",
+ "ssm:PutParameter",
+ "ssm:DeleteDocument",
+ "ssm:UpdateDocument",
+ "ssm:CreateDocument"
+ ],
+ "Resource": [
+ "arn:aws:ssm:*:*:parameter/PBMMAccel-*",
+ "arn:aws:ssm:*:*:parameter/cloudformation*",
+ "arn:aws:ssm:*:*:document/PBMMAccel-*"
+ ],
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "DenyLogDel",
+ "Effect": "Deny",
+ "Action": [
+ "ec2:DeleteFlowLogs",
+ "logs:DeleteResourcePolicy",
+ "logs:DeleteMetricFilter",
+ "logs:DeleteSubscriptionFilter",
+ "logs:DeleteLogGroup",
+ "logs:DeleteRetentionPolicy",
+ "logs:DeleteLogDelivery",
+ "logs:DeleteDestination",
+ "logs:PutRetentionPolicy",
+ "logs:DeleteLogStream"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "DenyLeaveOrg",
+ "Effect": "Deny",
+ "Action": "organizations:LeaveOrganization",
+ "Resource": "*"
+ },
+ {
+ "Sid": "DenyLambdaDel",
+ "Effect": "Deny",
+ "Action": [
+ "lambda:AddPermission",
+ "lambda:CreateEventSourceMapping",
+ "lambda:CreateFunction",
+ "lambda:DeleteEventSourceMapping",
+ "lambda:DeleteFunction",
+ "lambda:DeleteFunctionConcurrency",
+ "lambda:PutFunctionConcurrency",
+ "lambda:RemovePermission",
+ "lambda:UpdateEventSourceMapping",
+ "lambda:UpdateFunctionCode",
+ "lambda:UpdateFunctionConfiguration"
+ ],
+ "Resource": [
+ "arn:aws:lambda:*:*:function:StackSet-AWS-Landing-Zone-*",
+ "arn:aws:lambda:*:*:function:PBMMAccel-*"
+ ],
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "BlockOther",
+ "Effect": "Deny",
+ "Action": [
+ "aws-portal:ModifyAccount",
+ "aws-portal:ModifyBilling",
+ "aws-portal:ModifyPaymentMethods",
+ "ec2:DisableEbsEncryptionByDefault",
+ "s3:PutAccountPublicAccessBlock",
+ "ds:AcceptSharedDirectory",
+ "ds:UnshareDirectory",
+ "ds:ShareDirectory",
+ "ds:EnableSso",
+ "ds:DisableSso",
+ "ram:AssociateResourceShare",
+ "ram:CreateResourceShare",
+ "ram:DeleteResourceShare",
+ "ram:EnableSharingWithAwsOrganization",
+ "config:DeleteAggregationAuthorization",
+ "config:DeleteConfigurationAggregator",
+ "config:PutAggregationAuthorization",
+ "config:PutConfigurationAggregator"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ }
+ }
+ ]
+}
diff --git a/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part2.json b/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part2.json
index 418a466ad..aec4f82a2 100644
--- a/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part2.json
+++ b/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part2.json
@@ -1,153 +1,153 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "BlockMarketplacePMP",
- "Effect": "Deny",
- "Action": [
- "aws-marketplace:CreatePrivateMarketplace",
- "aws-marketplace:AssociateProductsWithPrivateMarketplace",
- "aws-marketplace:CreatePrivateMarketplaceProfile",
- "aws-marketplace:DescribePrivateMarketplaceProducts",
- "aws-marketplace:DescribePrivateMarketplaceProfile",
- "aws-marketplace:DescribePrivateMarketplaceStatus",
- "aws-marketplace:DisassociateProductsFromPrivateMarketplace",
- "aws-marketplace:ListPrivateMarketplaceProducts",
- "aws-marketplace:StartPrivateMarketplace",
- "aws-marketplace:StopPrivateMarketplace",
- "aws-marketplace:UpdatePrivateMarketplaceProfile"
- ],
- "Resource": "*",
- "Condition": {}
- },
- {
- "Sid": "DenyRoot",
- "Effect": "Deny",
- "NotAction": [
- "iam:CreateVirtualMFADevice",
- "iam:EnableMFADevice",
- "iam:GetUser",
- "iam:ListMFADevices",
- "iam:ListVirtualMFADevices",
- "iam:ResyncMFADevice",
- "sts:GetSessionToken"
- ],
- "Resource": "*",
- "Condition": {
- "ArnLike": {
- "aws:PrincipalARN": ["arn:aws:iam::*:root"]
- }
- }
- },
- {
- "Sid": "EnforceEbsEncryption",
- "Effect": "Deny",
- "Action": "ec2:RunInstances",
- "Resource": "arn:aws:ec2:*:*:volume/*",
- "Condition": {
- "Bool": {
- "ec2:Encrypted": "false"
- }
- }
- },
- {
- "Sid": "EnforceEBSVolumeEncryption",
- "Effect": "Deny",
- "Action": "ec2:CreateVolume",
- "Resource": "*",
- "Condition": {
- "Bool": {
- "ec2:Encrypted": "false"
- }
- }
- },
- {
- "Sid": "EnforceRdsEncryption",
- "Effect": "Deny",
- "Action": "rds:CreateDBInstance",
- "Resource": "arn:aws:rds:*:*:db:*",
- "Condition": {
- "StringNotLike": {
- "rds:DatabaseEngine": "aurora*"
- },
- "Bool": {
- "rds:StorageEncrypted": "false"
- }
- }
- },
- {
- "Sid": "EnforceAuroraEncryption",
- "Effect": "Deny",
- "Action": "rds:CreateDBCluster",
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "rds:DatabaseEngine": "aurora*"
- },
- "Bool": {
- "rds:StorageEncrypted": "false"
- }
- }
- },
- {
- "Sid": "DenyRDGWRole",
- "Effect": "Deny",
- "Action": ["iam:*"],
- "Resource": "arn:aws:iam::*:role/PBMMAccel-RDGW-Role",
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- }
- },
- {
- "Sid": "DenyGDSHFMAAChange",
- "Effect": "Deny",
- "Action": [
- "guardduty:AcceptInvitation",
- "guardduty:DeclineInvitations",
- "guardduty:DeleteDetector",
- "guardduty:DeleteInvitations",
- "guardduty:DeleteMembers",
- "guardduty:DeletePublishingDestination",
- "guardduty:DisassociateFromMasterAccount",
- "guardduty:DisassociateMembers",
- "guardduty:StopMonitoringMembers",
- "guardduty:UpdateDetector",
- "guardduty:UpdateFindingsFeedback",
- "guardduty:UpdatePublishingDestination",
- "guardduty:CreateMembers",
- "guardduty:InviteMembers",
- "securityhub:AcceptInvitation",
- "securityhub:DeclineInvitations",
- "securityhub:DeleteInvitations",
- "securityhub:DeleteMembers",
- "securityhub:InviteMembers",
- "securityhub:CreateMembers",
- "securityhub:DisableSecurityHub",
- "securityhub:DisassociateFromMasterAccount",
- "securityhub:DeleteInsight",
- "securityhub:DisassociateMembers",
- "securityhub:DeleteActionTarget",
- "securityhub:BatchDisableStandards",
- "fms:DisassociateAdminAccount",
- "access-analyzer:DeleteAnalyzer",
- "account:EnableRegion",
- "account:DisableRegion",
- "ec2:CreateDefaultVpc"
- ],
- "Resource": "*",
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- }
- }
- ]
-}
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "BlockMarketplacePMP",
+ "Effect": "Deny",
+ "Action": [
+ "aws-marketplace:CreatePrivateMarketplace",
+ "aws-marketplace:AssociateProductsWithPrivateMarketplace",
+ "aws-marketplace:CreatePrivateMarketplaceProfile",
+ "aws-marketplace:DescribePrivateMarketplaceProducts",
+ "aws-marketplace:DescribePrivateMarketplaceProfile",
+ "aws-marketplace:DescribePrivateMarketplaceStatus",
+ "aws-marketplace:DisassociateProductsFromPrivateMarketplace",
+ "aws-marketplace:ListPrivateMarketplaceProducts",
+ "aws-marketplace:StartPrivateMarketplace",
+ "aws-marketplace:StopPrivateMarketplace",
+ "aws-marketplace:UpdatePrivateMarketplaceProfile"
+ ],
+ "Resource": "*",
+ "Condition": {}
+ },
+ {
+ "Sid": "DenyRoot",
+ "Effect": "Deny",
+ "NotAction": [
+ "iam:CreateVirtualMFADevice",
+ "iam:EnableMFADevice",
+ "iam:GetUser",
+ "iam:ListMFADevices",
+ "iam:ListVirtualMFADevices",
+ "iam:ResyncMFADevice",
+ "sts:GetSessionToken"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "ArnLike": {
+ "aws:PrincipalARN": ["arn:aws:iam::*:root"]
+ }
+ }
+ },
+ {
+ "Sid": "EnforceEbsEncryption",
+ "Effect": "Deny",
+ "Action": "ec2:RunInstances",
+ "Resource": "arn:aws:ec2:*:*:volume/*",
+ "Condition": {
+ "Bool": {
+ "ec2:Encrypted": "false"
+ }
+ }
+ },
+ {
+ "Sid": "EnforceEBSVolumeEncryption",
+ "Effect": "Deny",
+ "Action": "ec2:CreateVolume",
+ "Resource": "*",
+ "Condition": {
+ "Bool": {
+ "ec2:Encrypted": "false"
+ }
+ }
+ },
+ {
+ "Sid": "EnforceRdsEncryption",
+ "Effect": "Deny",
+ "Action": "rds:CreateDBInstance",
+ "Resource": "arn:aws:rds:*:*:db:*",
+ "Condition": {
+ "StringNotLike": {
+ "rds:DatabaseEngine": "aurora*"
+ },
+ "Bool": {
+ "rds:StorageEncrypted": "false"
+ }
+ }
+ },
+ {
+ "Sid": "EnforceAuroraEncryption",
+ "Effect": "Deny",
+ "Action": "rds:CreateDBCluster",
+ "Resource": "*",
+ "Condition": {
+ "StringLike": {
+ "rds:DatabaseEngine": "aurora*"
+ },
+ "Bool": {
+ "rds:StorageEncrypted": "false"
+ }
+ }
+ },
+ {
+ "Sid": "DenyRDGWRole",
+ "Effect": "Deny",
+ "Action": ["iam:*"],
+ "Resource": "arn:aws:iam::*:role/PBMMAccel-RDGW-Role",
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "DenyGDSHFMAAChange",
+ "Effect": "Deny",
+ "Action": [
+ "guardduty:AcceptInvitation",
+ "guardduty:DeclineInvitations",
+ "guardduty:DeleteDetector",
+ "guardduty:DeleteInvitations",
+ "guardduty:DeleteMembers",
+ "guardduty:DeletePublishingDestination",
+ "guardduty:DisassociateFromMasterAccount",
+ "guardduty:DisassociateMembers",
+ "guardduty:StopMonitoringMembers",
+ "guardduty:UpdateDetector",
+ "guardduty:UpdateFindingsFeedback",
+ "guardduty:UpdatePublishingDestination",
+ "guardduty:CreateMembers",
+ "guardduty:InviteMembers",
+ "securityhub:AcceptInvitation",
+ "securityhub:DeclineInvitations",
+ "securityhub:DeleteInvitations",
+ "securityhub:DeleteMembers",
+ "securityhub:InviteMembers",
+ "securityhub:CreateMembers",
+ "securityhub:DisableSecurityHub",
+ "securityhub:DisassociateFromMasterAccount",
+ "securityhub:DeleteInsight",
+ "securityhub:DisassociateMembers",
+ "securityhub:DeleteActionTarget",
+ "securityhub:BatchDisableStandards",
+ "fms:DisassociateAdminAccount",
+ "access-analyzer:DeleteAnalyzer",
+ "account:EnableRegion",
+ "account:DisableRegion",
+ "ec2:CreateDefaultVpc"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ }
+ }
+ ]
+}
diff --git a/reference-artifacts/SCPs/PBMMAccel-Guardrails-Unclass-Only.json b/reference-artifacts/SCPs/PBMMAccel-Guardrails-Unclass-Only.json
index a5d34fccb..81012b14f 100644
--- a/reference-artifacts/SCPs/PBMMAccel-Guardrails-Unclass-Only.json
+++ b/reference-artifacts/SCPs/PBMMAccel-Guardrails-Unclass-Only.json
@@ -1,82 +1,82 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "DenyUnclass",
- "Effect": "Deny",
- "Action": [
- "kms:ScheduleKeyDeletion",
- "kms:Delete*",
- "iam:DeleteAccountPasswordPolicy",
- "iam:UpdateAccountPasswordPolicy"
- ],
- "Resource": "*",
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalArn": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/StackSet-AWS-Landing-Zone*",
- "arn:aws:iam::*:role/PBMMAccel-*",
- "arn:aws:iam::*:role/PBMMOps-*"
- ]
- }
- }
- },
- {
- "Sid": "DenyAllOutsideCanadaUS",
- "Effect": "Deny",
- "NotAction": [
- "a4b:*",
- "access-analyzer:*",
- "aws-marketplace-management:*",
- "aws-marketplace:*",
- "aws-portal:*",
- "awsbillingconsole:*",
- "budgets:*",
- "ce:*",
- "chime:*",
- "cloudfront:*",
- "config:*",
- "cur:*",
- "directconnect:*",
- "ec2:DescribeRegions",
- "ec2:DescribeTransitGateways",
- "ec2:DescribeVpnGateways",
- "fms:*",
- "globalaccelerator:*",
- "health:*",
- "iam:*",
- "importexport:*",
- "mobileanalytics:*",
- "organizations:*",
- "pricing:*",
- "route53:*",
- "route53domains:*",
- "s3:GetAccountPublic*",
- "s3:ListAllMyBuckets",
- "s3:ListBuckets",
- "s3:PutAccountPublic*",
- "shield:*",
- "sts:*",
- "support:*",
- "trustedadvisor:*",
- "waf-regional:*",
- "waf:*",
- "wafv2:*",
- "wellarchitected:*"
- ],
- "Resource": "*",
- "Condition": {
- "StringNotEquals": {
- "aws:RequestedRegion": ["ca-central-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2"]
- },
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- }
- }
- ]
-}
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "DenyUnclass",
+ "Effect": "Deny",
+ "Action": [
+ "kms:ScheduleKeyDeletion",
+ "kms:Delete*",
+ "iam:DeleteAccountPasswordPolicy",
+ "iam:UpdateAccountPasswordPolicy"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalArn": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/StackSet-AWS-Landing-Zone*",
+ "arn:aws:iam::*:role/PBMMAccel-*",
+ "arn:aws:iam::*:role/PBMMOps-*"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "DenyAllOutsideCanadaUS",
+ "Effect": "Deny",
+ "NotAction": [
+ "a4b:*",
+ "access-analyzer:*",
+ "aws-marketplace-management:*",
+ "aws-marketplace:*",
+ "aws-portal:*",
+ "awsbillingconsole:*",
+ "budgets:*",
+ "ce:*",
+ "chime:*",
+ "cloudfront:*",
+ "config:*",
+ "cur:*",
+ "directconnect:*",
+ "ec2:DescribeRegions",
+ "ec2:DescribeTransitGateways",
+ "ec2:DescribeVpnGateways",
+ "fms:*",
+ "globalaccelerator:*",
+ "health:*",
+ "iam:*",
+ "importexport:*",
+ "mobileanalytics:*",
+ "organizations:*",
+ "pricing:*",
+ "route53:*",
+ "route53domains:*",
+ "s3:GetAccountPublic*",
+ "s3:ListAllMyBuckets",
+ "s3:ListBuckets",
+ "s3:PutAccountPublic*",
+ "shield:*",
+ "sts:*",
+ "support:*",
+ "trustedadvisor:*",
+ "waf-regional:*",
+ "waf:*",
+ "wafv2:*",
+ "wellarchitected:*"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringNotEquals": {
+ "aws:RequestedRegion": ["ca-central-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2"]
+ },
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ }
+ }
+ ]
+}
diff --git a/reference-artifacts/SCPs/Quarantine-Deny-All.json b/reference-artifacts/SCPs/Quarantine-Deny-All.json
index 12b48f097..85a8e2853 100644
--- a/reference-artifacts/SCPs/Quarantine-Deny-All.json
+++ b/reference-artifacts/SCPs/Quarantine-Deny-All.json
@@ -1,19 +1,19 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "DenyAllAWSServicesExceptBreakglassRoles",
- "Effect": "Deny",
- "Action": "*",
- "Resource": "*",
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- }
- }
- ]
-}
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "DenyAllAWSServicesExceptBreakglassRoles",
+ "Effect": "Deny",
+ "Action": "*",
+ "Resource": "*",
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ }
+ }
+ ]
+}
diff --git a/reference-artifacts/SCPs/Quarantine-New-Object.json b/reference-artifacts/SCPs/Quarantine-New-Object.json
index f603c0080..cb2ff5bce 100644
--- a/reference-artifacts/SCPs/Quarantine-New-Object.json
+++ b/reference-artifacts/SCPs/Quarantine-New-Object.json
@@ -1,20 +1,20 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "DenyAllAWSServicesExceptBreakglassRoles",
- "Effect": "Deny",
- "Action": "*",
- "Resource": "*",
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/aws*",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- }
- }
- ]
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "DenyAllAWSServicesExceptBreakglassRoles",
+ "Effect": "Deny",
+ "Action": "*",
+ "Resource": "*",
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/aws*",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ }
+ }
+ ]
}
\ No newline at end of file
diff --git a/reference-artifacts/SCPs/aws-landing-zone-core-mandatory-preventive-guardrails-Accel.json b/reference-artifacts/SCPs/aws-landing-zone-core-mandatory-preventive-guardrails-Accel.json
index d50e56dd3..8957abb99 100644
--- a/reference-artifacts/SCPs/aws-landing-zone-core-mandatory-preventive-guardrails-Accel.json
+++ b/reference-artifacts/SCPs/aws-landing-zone-core-mandatory-preventive-guardrails-Accel.json
@@ -1,285 +1,285 @@
-{
- "Version":"2012-10-17",
- "Statement":[
- {
- "Condition":{
- "ArnNotLike":{
- "aws:PrincipalARN":[
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- },
- "Action":[
- "sns:Subscribe",
- "sns:Unsubscribe"
- ],
- "Resource":[
- "arn:aws:sns:*:*:AWS-Landing-Zone*"
- ],
- "Effect":"Deny",
- "Sid":"GRSNSSUBSCRIPTIONPOLICY"
- },
- {
- "Condition":{
- "ArnNotLike":{
- "aws:PrincipalARN":[
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- },
- "Action":[
- "cloudtrail:DeleteTrail",
- "cloudtrail:PutEventSelectors",
- "cloudtrail:StopLogging",
- "cloudtrail:UpdateTrail"
- ],
- "Resource":[
- "arn:aws:cloudtrail:*:*:trail/*AWS-Landing-Zone-*"
- ],
- "Effect":"Deny",
- "Sid":"GRCLOUDTRAILENABLED"
- },
- {
- "Condition":{
- "ArnNotLike":{
- "aws:PrincipalARN":[
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- },
- "Action":[
- "sns:AddPermission",
- "sns:CreateTopic",
- "sns:DeleteTopic",
- "sns:RemovePermission",
- "sns:SetTopicAttributes"
- ],
- "Resource":[
- "arn:aws:sns:*:*:AWS-Landing-Zone-*"
- ],
- "Effect":"Deny",
- "Sid":"GRSNSTOPICPOLICY"
- },
- {
- "Condition":{
- "ArnNotLike":{
- "aws:PrincipalARN":[
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- },
- "Action":[
- "lambda:AddPermission",
- "lambda:CreateEventSourceMapping",
- "lambda:CreateFunction",
- "lambda:DeleteEventSourceMapping",
- "lambda:DeleteFunction",
- "lambda:DeleteFunctionConcurrency",
- "lambda:PutFunctionConcurrency",
- "lambda:RemovePermission",
- "lambda:UpdateEventSourceMapping",
- "lambda:UpdateFunctionCode",
- "lambda:UpdateFunctionConfiguration"
- ],
- "Resource":[
- "arn:aws:lambda:*:*:function:AWS-Landing-Zone-*",
- "arn:aws:lambda:*:*:function:LandingZone*"
- ],
- "Effect":"Deny",
- "Sid":"GRLAMBDAFUNCTIONPOLICY"
- },
- {
- "Condition":{
- "ArnNotLike":{
- "aws:PrincipalARN":[
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- },
- "Action":[
- "config:DeleteConfigurationRecorder",
- "config:DeleteDeliveryChannel",
- "config:DeleteRetentionConfiguration",
- "config:PutConfigurationRecorder",
- "config:PutDeliveryChannel",
- "config:PutRetentionConfiguration",
- "config:StopConfigurationRecorder"
- ],
- "Resource":[
- "*"
- ],
- "Effect":"Deny",
- "Sid":"GRCONFIGENABLED"
- },
- {
- "Condition":{
- "ArnNotLike":{
- "aws:PrincipalARN":[
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- },
- "Action":[
- "iam:AttachRolePolicy",
- "iam:CreateRole",
- "iam:DeleteRole",
- "iam:DeleteRolePermissionsBoundary",
- "iam:DeleteRolePolicy",
- "iam:DetachRolePolicy",
- "iam:PutRolePermissionsBoundary",
- "iam:PutRolePolicy",
- "iam:UpdateAssumeRolePolicy",
- "iam:UpdateRole",
- "iam:UpdateRoleDescription"
- ],
- "Resource":[
- "arn:aws:iam::*:role/AWS-Landing-Zone-*",
- "arn:aws:iam::*:role/*AWSLandingZone*"
- ],
- "Effect":"Deny",
- "Sid":"GRIAMROLEPOLICY"
- },
- {
- "Condition":{
- "ArnNotLike":{
- "aws:PrincipalARN":[
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- },
- "Action":[
- "events:PutRule",
- "events:PutTargets",
- "events:RemoveTargets",
- "events:DisableRule",
- "events:DeleteRule"
- ],
- "Resource":[
- "arn:aws:events:*:*:rule/AWS-Landing-Zone-*"
- ],
- "Effect":"Deny",
- "Sid":"GRCLOUDWATCHEVENTPOLICY"
- },
- {
- "Condition":{
- "ArnNotLike":{
- "aws:PrincipalARN":[
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- },
- "Action":[
- "config:TagResource",
- "config:UntagResource"
- ],
- "Resource":[
- "*"
- ],
- "Effect":"Deny",
- "Sid":"GRCONFIGRULETAGSPOLICY"
- },
- {
- "Condition":{
- "ArnNotLike":{
- "aws:PrincipalARN":[
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- },
- "Action":[
- "s3:PutEncryptionConfiguration"
- ],
- "Resource":[
- "arn:aws:s3:::aws-landing*"
- ],
- "Effect":"Deny",
- "Sid":"GRAUDITBUCKETENCRYPTIONENABLED"
- },
- {
- "Condition":{
- "ArnNotLike":{
- "aws:PrincipalARN":[
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- },
- "Action":[
- "s3:PutBucketPolicy"
- ],
- "Resource":[
- "arn:aws:s3:::aws-landing*"
- ],
- "Effect":"Deny",
- "Sid":"GRAUDITBUCKETPOLICYCHANGESPROHIBITED"
- },
- {
- "Condition":{
- "ArnNotLike":{
- "aws:PrincipalARN":[
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- },
- "Action":[
- "s3:PutLifecycleConfiguration"
- ],
- "Resource":[
- "arn:aws:s3:::aws-landing*"
- ],
- "Effect":"Deny",
- "Sid":"GRAUDITBUCKETRETENTIONPOLICY"
- },
- {
- "Condition":{
- "ArnNotLike":{
- "aws:PrincipalARN":[
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- },
- "Action":[
- "s3:PutBucketLogging"
- ],
- "Resource":[
- "arn:aws:s3:::aws-landing*"
- ],
- "Effect":"Deny",
- "Sid":"GRAUDITBUCKETLOGGINGENABLED"
- },
- {
- "Condition":{
- "ArnNotLike":{
- "aws:PrincipalARN":[
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- },
- "Action":[
- "config:PutConfigRule",
- "config:DeleteConfigRule",
- "config:DeleteEvaluationResults",
- "config:DeleteConfigurationAggregator",
- "config:PutConfigurationAggregator"
- ],
- "Resource":[
- "arn:aws:config:*:*:config-rule/StackSet-AWS-Landing*",
- "arn:aws:config:*:*:config-rule/PBMMAccel-*"
- ],
- "Effect":"Deny",
- "Sid":"GRCONFIGRULEPOLICY"
- }
- ]
+{
+ "Version":"2012-10-17",
+ "Statement":[
+ {
+ "Condition":{
+ "ArnNotLike":{
+ "aws:PrincipalARN":[
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ },
+ "Action":[
+ "sns:Subscribe",
+ "sns:Unsubscribe"
+ ],
+ "Resource":[
+ "arn:aws:sns:*:*:AWS-Landing-Zone*"
+ ],
+ "Effect":"Deny",
+ "Sid":"GRSNSSUBSCRIPTIONPOLICY"
+ },
+ {
+ "Condition":{
+ "ArnNotLike":{
+ "aws:PrincipalARN":[
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ },
+ "Action":[
+ "cloudtrail:DeleteTrail",
+ "cloudtrail:PutEventSelectors",
+ "cloudtrail:StopLogging",
+ "cloudtrail:UpdateTrail"
+ ],
+ "Resource":[
+ "arn:aws:cloudtrail:*:*:trail/*AWS-Landing-Zone-*"
+ ],
+ "Effect":"Deny",
+ "Sid":"GRCLOUDTRAILENABLED"
+ },
+ {
+ "Condition":{
+ "ArnNotLike":{
+ "aws:PrincipalARN":[
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ },
+ "Action":[
+ "sns:AddPermission",
+ "sns:CreateTopic",
+ "sns:DeleteTopic",
+ "sns:RemovePermission",
+ "sns:SetTopicAttributes"
+ ],
+ "Resource":[
+ "arn:aws:sns:*:*:AWS-Landing-Zone-*"
+ ],
+ "Effect":"Deny",
+ "Sid":"GRSNSTOPICPOLICY"
+ },
+ {
+ "Condition":{
+ "ArnNotLike":{
+ "aws:PrincipalARN":[
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ },
+ "Action":[
+ "lambda:AddPermission",
+ "lambda:CreateEventSourceMapping",
+ "lambda:CreateFunction",
+ "lambda:DeleteEventSourceMapping",
+ "lambda:DeleteFunction",
+ "lambda:DeleteFunctionConcurrency",
+ "lambda:PutFunctionConcurrency",
+ "lambda:RemovePermission",
+ "lambda:UpdateEventSourceMapping",
+ "lambda:UpdateFunctionCode",
+ "lambda:UpdateFunctionConfiguration"
+ ],
+ "Resource":[
+ "arn:aws:lambda:*:*:function:AWS-Landing-Zone-*",
+ "arn:aws:lambda:*:*:function:LandingZone*"
+ ],
+ "Effect":"Deny",
+ "Sid":"GRLAMBDAFUNCTIONPOLICY"
+ },
+ {
+ "Condition":{
+ "ArnNotLike":{
+ "aws:PrincipalARN":[
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ },
+ "Action":[
+ "config:DeleteConfigurationRecorder",
+ "config:DeleteDeliveryChannel",
+ "config:DeleteRetentionConfiguration",
+ "config:PutConfigurationRecorder",
+ "config:PutDeliveryChannel",
+ "config:PutRetentionConfiguration",
+ "config:StopConfigurationRecorder"
+ ],
+ "Resource":[
+ "*"
+ ],
+ "Effect":"Deny",
+ "Sid":"GRCONFIGENABLED"
+ },
+ {
+ "Condition":{
+ "ArnNotLike":{
+ "aws:PrincipalARN":[
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ },
+ "Action":[
+ "iam:AttachRolePolicy",
+ "iam:CreateRole",
+ "iam:DeleteRole",
+ "iam:DeleteRolePermissionsBoundary",
+ "iam:DeleteRolePolicy",
+ "iam:DetachRolePolicy",
+ "iam:PutRolePermissionsBoundary",
+ "iam:PutRolePolicy",
+ "iam:UpdateAssumeRolePolicy",
+ "iam:UpdateRole",
+ "iam:UpdateRoleDescription"
+ ],
+ "Resource":[
+ "arn:aws:iam::*:role/AWS-Landing-Zone-*",
+ "arn:aws:iam::*:role/*AWSLandingZone*"
+ ],
+ "Effect":"Deny",
+ "Sid":"GRIAMROLEPOLICY"
+ },
+ {
+ "Condition":{
+ "ArnNotLike":{
+ "aws:PrincipalARN":[
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ },
+ "Action":[
+ "events:PutRule",
+ "events:PutTargets",
+ "events:RemoveTargets",
+ "events:DisableRule",
+ "events:DeleteRule"
+ ],
+ "Resource":[
+ "arn:aws:events:*:*:rule/AWS-Landing-Zone-*"
+ ],
+ "Effect":"Deny",
+ "Sid":"GRCLOUDWATCHEVENTPOLICY"
+ },
+ {
+ "Condition":{
+ "ArnNotLike":{
+ "aws:PrincipalARN":[
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ },
+ "Action":[
+ "config:TagResource",
+ "config:UntagResource"
+ ],
+ "Resource":[
+ "*"
+ ],
+ "Effect":"Deny",
+ "Sid":"GRCONFIGRULETAGSPOLICY"
+ },
+ {
+ "Condition":{
+ "ArnNotLike":{
+ "aws:PrincipalARN":[
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ },
+ "Action":[
+ "s3:PutEncryptionConfiguration"
+ ],
+ "Resource":[
+ "arn:aws:s3:::aws-landing*"
+ ],
+ "Effect":"Deny",
+ "Sid":"GRAUDITBUCKETENCRYPTIONENABLED"
+ },
+ {
+ "Condition":{
+ "ArnNotLike":{
+ "aws:PrincipalARN":[
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ },
+ "Action":[
+ "s3:PutBucketPolicy"
+ ],
+ "Resource":[
+ "arn:aws:s3:::aws-landing*"
+ ],
+ "Effect":"Deny",
+ "Sid":"GRAUDITBUCKETPOLICYCHANGESPROHIBITED"
+ },
+ {
+ "Condition":{
+ "ArnNotLike":{
+ "aws:PrincipalARN":[
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ },
+ "Action":[
+ "s3:PutLifecycleConfiguration"
+ ],
+ "Resource":[
+ "arn:aws:s3:::aws-landing*"
+ ],
+ "Effect":"Deny",
+ "Sid":"GRAUDITBUCKETRETENTIONPOLICY"
+ },
+ {
+ "Condition":{
+ "ArnNotLike":{
+ "aws:PrincipalARN":[
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ },
+ "Action":[
+ "s3:PutBucketLogging"
+ ],
+ "Resource":[
+ "arn:aws:s3:::aws-landing*"
+ ],
+ "Effect":"Deny",
+ "Sid":"GRAUDITBUCKETLOGGINGENABLED"
+ },
+ {
+ "Condition":{
+ "ArnNotLike":{
+ "aws:PrincipalARN":[
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ },
+ "Action":[
+ "config:PutConfigRule",
+ "config:DeleteConfigRule",
+ "config:DeleteEvaluationResults",
+ "config:DeleteConfigurationAggregator",
+ "config:PutConfigurationAggregator"
+ ],
+ "Resource":[
+ "arn:aws:config:*:*:config-rule/StackSet-AWS-Landing*",
+ "arn:aws:config:*:*:config-rule/PBMMAccel-*"
+ ],
+ "Effect":"Deny",
+ "Sid":"GRCONFIGRULEPOLICY"
+ }
+ ]
}
\ No newline at end of file
diff --git a/reference-artifacts/SCPs/aws-landing-zone-non-core-mandatory-preventive-guardrails-Accel.json b/reference-artifacts/SCPs/aws-landing-zone-non-core-mandatory-preventive-guardrails-Accel.json
index 999a474bc..70e27ac59 100644
--- a/reference-artifacts/SCPs/aws-landing-zone-non-core-mandatory-preventive-guardrails-Accel.json
+++ b/reference-artifacts/SCPs/aws-landing-zone-non-core-mandatory-preventive-guardrails-Accel.json
@@ -1,213 +1,213 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- },
- "Action": [
- "sns:Subscribe",
- "sns:Unsubscribe"
- ],
- "Resource": [
- "arn:aws:sns:*:*:AWS-Landing-Zone*"
- ],
- "Effect": "Deny",
- "Sid": "GRSNSSUBSCRIPTIONPOLICY"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- },
- "Action": [
- "cloudtrail:DeleteTrail",
- "cloudtrail:PutEventSelectors",
- "cloudtrail:StopLogging",
- "cloudtrail:UpdateTrail"
- ],
- "Resource": [
- "arn:aws:cloudtrail:*:*:trail/*AWS-Landing-Zone-*"
- ],
- "Effect": "Deny",
- "Sid": "GRCLOUDTRAILENABLED"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- },
- "Action": [
- "sns:AddPermission",
- "sns:CreateTopic",
- "sns:DeleteTopic",
- "sns:RemovePermission",
- "sns:SetTopicAttributes"
- ],
- "Resource": [
- "arn:aws:sns:*:*:AWS-Landing-Zone-*"
- ],
- "Effect": "Deny",
- "Sid": "GRSNSTOPICPOLICY"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- },
- "Action": [
- "lambda:AddPermission",
- "lambda:CreateEventSourceMapping",
- "lambda:CreateFunction",
- "lambda:DeleteEventSourceMapping",
- "lambda:DeleteFunction",
- "lambda:DeleteFunctionConcurrency",
- "lambda:PutFunctionConcurrency",
- "lambda:RemovePermission",
- "lambda:UpdateEventSourceMapping",
- "lambda:UpdateFunctionCode",
- "lambda:UpdateFunctionConfiguration"
- ],
- "Resource": [
- "arn:aws:lambda:*:*:function:AWS-Landing-Zone-*",
- "arn:aws:lambda:*:*:function:LandingZone*"
- ],
- "Effect": "Deny",
- "Sid": "GRLAMBDAFUNCTIONPOLICY"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- },
- "Action": [
- "config:DeleteConfigurationRecorder",
- "config:DeleteDeliveryChannel",
- "config:DeleteRetentionConfiguration",
- "config:PutConfigurationRecorder",
- "config:PutDeliveryChannel",
- "config:PutRetentionConfiguration",
- "config:StopConfigurationRecorder"
- ],
- "Resource": [
- "*"
- ],
- "Effect": "Deny",
- "Sid": "GRCONFIGENABLED"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- },
- "Action": [
- "iam:AttachRolePolicy",
- "iam:CreateRole",
- "iam:DeleteRole",
- "iam:DeleteRolePermissionsBoundary",
- "iam:DeleteRolePolicy",
- "iam:DetachRolePolicy",
- "iam:PutRolePermissionsBoundary",
- "iam:PutRolePolicy",
- "iam:UpdateAssumeRolePolicy",
- "iam:UpdateRole",
- "iam:UpdateRoleDescription"
- ],
- "Resource": [
- "arn:aws:iam::*:role/AWS-Landing-Zone-*",
- "arn:aws:iam::*:role/*AWSLandingZone*"
- ],
- "Effect": "Deny",
- "Sid": "GRIAMROLEPOLICY"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- },
- "Action": [
- "events:PutRule",
- "events:PutTargets",
- "events:RemoveTargets",
- "events:DisableRule",
- "events:DeleteRule"
- ],
- "Resource": [
- "arn:aws:events:*:*:rule/AWS-Landing-Zone-*"
- ],
- "Effect": "Deny",
- "Sid": "GRCLOUDWATCHEVENTPOLICY"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- },
- "Action": [
- "config:TagResource",
- "config:UntagResource"
- ],
- "Resource": [
- "*"
- ],
- "Effect": "Deny",
- "Sid": "GRCONFIGRULETAGSPOLICY"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": [
- "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
- "arn:aws:iam::*:role/PBMMAccel-*"
- ]
- }
- },
- "Action": [
- "config:PutConfigRule",
- "config:DeleteConfigRule",
- "config:DeleteEvaluationResults",
- "config:DeleteConfigurationAggregator",
- "config:PutConfigurationAggregator"
- ],
- "Resource": [
- "arn:aws:config:*:*:config-rule/StackSet-AWS-Landing*",
- "arn:aws:config:*:*:config-rule/PBMMAccel-*"
- ],
- "Effect": "Deny",
- "Sid": "GRCONFIGRULEPOLICY"
- }
- ]
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ },
+ "Action": [
+ "sns:Subscribe",
+ "sns:Unsubscribe"
+ ],
+ "Resource": [
+ "arn:aws:sns:*:*:AWS-Landing-Zone*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRSNSSUBSCRIPTIONPOLICY"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ },
+ "Action": [
+ "cloudtrail:DeleteTrail",
+ "cloudtrail:PutEventSelectors",
+ "cloudtrail:StopLogging",
+ "cloudtrail:UpdateTrail"
+ ],
+ "Resource": [
+ "arn:aws:cloudtrail:*:*:trail/*AWS-Landing-Zone-*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRCLOUDTRAILENABLED"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ },
+ "Action": [
+ "sns:AddPermission",
+ "sns:CreateTopic",
+ "sns:DeleteTopic",
+ "sns:RemovePermission",
+ "sns:SetTopicAttributes"
+ ],
+ "Resource": [
+ "arn:aws:sns:*:*:AWS-Landing-Zone-*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRSNSTOPICPOLICY"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ },
+ "Action": [
+ "lambda:AddPermission",
+ "lambda:CreateEventSourceMapping",
+ "lambda:CreateFunction",
+ "lambda:DeleteEventSourceMapping",
+ "lambda:DeleteFunction",
+ "lambda:DeleteFunctionConcurrency",
+ "lambda:PutFunctionConcurrency",
+ "lambda:RemovePermission",
+ "lambda:UpdateEventSourceMapping",
+ "lambda:UpdateFunctionCode",
+ "lambda:UpdateFunctionConfiguration"
+ ],
+ "Resource": [
+ "arn:aws:lambda:*:*:function:AWS-Landing-Zone-*",
+ "arn:aws:lambda:*:*:function:LandingZone*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRLAMBDAFUNCTIONPOLICY"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ },
+ "Action": [
+ "config:DeleteConfigurationRecorder",
+ "config:DeleteDeliveryChannel",
+ "config:DeleteRetentionConfiguration",
+ "config:PutConfigurationRecorder",
+ "config:PutDeliveryChannel",
+ "config:PutRetentionConfiguration",
+ "config:StopConfigurationRecorder"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRCONFIGENABLED"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ },
+ "Action": [
+ "iam:AttachRolePolicy",
+ "iam:CreateRole",
+ "iam:DeleteRole",
+ "iam:DeleteRolePermissionsBoundary",
+ "iam:DeleteRolePolicy",
+ "iam:DetachRolePolicy",
+ "iam:PutRolePermissionsBoundary",
+ "iam:PutRolePolicy",
+ "iam:UpdateAssumeRolePolicy",
+ "iam:UpdateRole",
+ "iam:UpdateRoleDescription"
+ ],
+ "Resource": [
+ "arn:aws:iam::*:role/AWS-Landing-Zone-*",
+ "arn:aws:iam::*:role/*AWSLandingZone*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRIAMROLEPOLICY"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ },
+ "Action": [
+ "events:PutRule",
+ "events:PutTargets",
+ "events:RemoveTargets",
+ "events:DisableRule",
+ "events:DeleteRule"
+ ],
+ "Resource": [
+ "arn:aws:events:*:*:rule/AWS-Landing-Zone-*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRCLOUDWATCHEVENTPOLICY"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ },
+ "Action": [
+ "config:TagResource",
+ "config:UntagResource"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRCONFIGRULETAGSPOLICY"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": [
+ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
+ "arn:aws:iam::*:role/PBMMAccel-*"
+ ]
+ }
+ },
+ "Action": [
+ "config:PutConfigRule",
+ "config:DeleteConfigRule",
+ "config:DeleteEvaluationResults",
+ "config:DeleteConfigurationAggregator",
+ "config:PutConfigurationAggregator"
+ ],
+ "Resource": [
+ "arn:aws:config:*:*:config-rule/StackSet-AWS-Landing*",
+ "arn:aws:config:*:*:config-rule/PBMMAccel-*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRCONFIGRULEPOLICY"
+ }
+ ]
}
\ No newline at end of file
diff --git a/reference-artifacts/Third-Party/firewall-example.txt b/reference-artifacts/Third-Party/firewall-example.txt
index 90665e2a8..ac7a0dbc6 100644
--- a/reference-artifacts/Third-Party/firewall-example.txt
+++ b/reference-artifacts/Third-Party/firewall-example.txt
@@ -1,687 +1,687 @@
-config system global
- set hostname ${Hostname}
- set admintimeout 60
- set vdom-mode split-vdom
- set pre-login-banner enable
- set admin-maintainer disable
- set admin-https-ssl-versions tlsv1-2 tlsv1-3
- set admin-ssh-grace-time 30
- set fds-statistics disable
- set security-rating-result-submission disable
- set admin-lockout-duration 1800
- set admin-telnet disable
- set admintimeout 15
- set timezone 12
-end
-config system settings
- set allow-subnet-overlap enable
-end
-config global
- config system interface
- edit port1
- set vdom FG-traffic
- set alias public
- set mode static
- set ip ${PublicIp1} ${PublicMask}
- set allowaccess ping https ssh fgfm
- set secondary-IP enable
- set mtu-override enable
- set mtu 9001
- set allowaccess ping https ssh probe-response
- set role wan
- next
- edit port2
- set vdom FG-traffic
- set alias private
- set mode static
- set ip ${OnPremiseIp1} ${OnPremiseMask}
- set allowaccess ping
- set mtu-override enable
- set mtu 9001
- set role lan
- next
- edit port3
- set vdom root
- set alias mgmt
- set mode static
- set ip ${FWMgmtIp1} ${FWMgmtMask}
- set allowaccess ping https ssh fgfm
- set mtu-override enable
- set mtu 9001
- set role dmz
- next
- edit port4
- set vdom FG-traffic
- set alias DMZ
- set mode static
- set ip ${ProxyIp1} ${ProxyMask}
- set allowaccess ping
- set mtu-override enable
- set mtu 9001
- set role dmz
- next
- end
- config system accprofile
- edit "Read Only Admin"
- set secfabgrp read
- set ftviewgrp read
- set authgrp read
- set sysgrp read
- set netgrp read
- set loggrp read
- set fwgrp read
- set vpngrp read
- set utmgrp read
- set wanoptgrp read
- set wifi read
- next
- end
- config system password-policy
- set status enable
- set min-lower-case-letter 1
- set min-upper-case-letter 1
- set min-non-alphanumeric 1
- set min-number 1
- set expire-status enable
- set reuse-password disable
- end
- config system dns
- set primary 169.254.169.253
- set secondary 1.1.1.1
- end
- config system autoupdate push-update
- set status enable
- end
- config ips sensor
- edit "g-default"
- set scan-botnet-connections block
- next
- edit "g-wifi-default"
- set scan-botnet-connections block
- next
- end
- config system probe-response
- set mode http-probe
- end
-end
-config vdom
-edit FG-traffic
- config router static
- edit 1
- set device port1
- set gateway ${PublicRouterIp}
- next
- edit 2
- set dst ${VpcNetworkIp} ${VpcMask}
- set device port2
- set gateway ${OnPremiseRouterIp}
- next
- edit 3
- set dst ${FWMgmtNetworkIp} ${FWMgmtMask}
- set device port2
- set gateway ${OnPremiseRouterIp}
- next
- end
- next
-edit root
- config router static
- edit 1
- set device port3
- set gateway ${FWMgmtRouterIp}
- next
- end
- config log disk setting
- set full-first-warning-threshold 70
- end
- config log setting
- set log-invalid-packet enable
- end
-end
-config vdom
-edit FG-traffic
- config vpn ipsec phase1-interface
- edit "tgw-vpn1"
- set interface "port1"
- set local-gw ${PublicIp1}
- set keylife 28800
- set peertype any
- set proposal aes256-sha256
- set dhgrp 2
- set remote-gw ${PublicVpnTunnelOutsideAddress1}
- set psksecret ${PublicPreSharedSecret1}
- set dpd-retryinterval 10
- next
- end
- config vpn ipsec phase2-interface
- edit "tgw-vpn1"
- set phase1name "tgw-vpn1"
- set proposal aes256-sha256
- set dhgrp 2
- set keylifeseconds 3600
- next
- end
- config system interface
- edit "tgw-vpn1"
- set ip ${PublicCgwTunnelInsideAddress1} 255.255.255.255
- set remote-ip ${PublicVpnTunnelInsideAddress1} 255.255.255.255
- set explicit-web-proxy enable
- next
- end
- config firewall ippool
- edit "cluster-ippool"
- set startip ${PublicIp1}
- set endip ${PublicIp1}
- next
- end
- config firewall internet-service-group
- edit "GROUP-Fortinet-ISDB"
- set direction destination
- set member 1245187 1245326 1245324 1245325 1245191 1245186 1245193 1245198 1245208 1245199 1245192 1245184 1245188 1245200 1245190 1245185
- next
- end
- config system settings
- set gui-dns-database enable
- set gui-explicit-proxy enable
- set gui-wireless-controller disable
- set gui-waf-profile enable
- end
- config firewall address
- edit "Dev1-ALB-FQDN"
- set type fqdn
- set associated-interface "tgw-vpn1"
- set fqdn "Future-Manual-Dev1-alb-FQN.ca-central-1.elb.amazonaws.com"
- next
- edit "Dev2-ALB-FQDN"
- set type fqdn
- set associated-interface "tgw-vpn1"
- set fqdn "Future-Manual-Dev2-alb-FQN.ca-central-1.elb.amazonaws.com"
- next
- edit "Test1-ALB-FQDN"
- set type fqdn
- set associated-interface "tgw-vpn1"
- set fqdn "Future-Manual-Test1-alb-FQN.ca-central-1.elb.amazonaws.com"
- next
- edit "Test2-ALB-FQDN"
- set type fqdn
- set associated-interface "tgw-vpn1"
- set fqdn "Future-Manual-Test2-alb-FQN.ca-central-1.elb.amazonaws.com"
- next
- edit "Prod1-ALB-FQDN"
- set type fqdn
- set associated-interface "tgw-vpn1"
- set fqdn "Future-Manual-Prod1-alb-FQN.ca-central-1.elb.amazonaws.com"
- next
- edit "Prod2-ALB-FQDN"
- set type fqdn
- set associated-interface "tgw-vpn1"
- set fqdn "Future-Manual-Prod2-alb-FQN.ca-central-1.elb.amazonaws.com"
- next
- edit "Public-Prod-ALB-FQDN"
- set type fqdn
- set fqdn "Future-Manual-PubProd-alb-FQN.ca-central-1.elb.amazonaws.com"
- next
- edit "Public-DevTestALB-FQDN"
- set type fqdn
- set fqdn "Future-Manual-PubDevTest-alb-FQN.ca-central-1.elb.amazonaws.com"
- next
- end
- config ips sensor
- edit "FG-Traffic-Baseline-IPS"
- set comment "IPS baseline"
- set block-malicious-url enable
- set scan-botnet-connections block
- config entries
- edit 1
- set os Windows
- next
- edit 2
- set application IIS
- next
- edit 3
- set application Apache
- next
- edit 4
- set os Linux
- next
- end
- next
- end
- config web-proxy explicit
- set ipv6-status enable
- end
- config application list
- edit "FG-Traffic-Baseline-App-Ctrl"
- set comment "App Control Baseline"
- set other-application-log enable
- set unknown-application-action pass
- set unknown-application-log enable
- config entries
- edit 1
- set category 2 3 5 6 7 8 12 15 17 21 22 23 25 26 28 29 30 31 32
- next
- end
- next
- end
- config antivirus profile
- edit "FG-Traffic-Baseline-AV"
- set comment "AV Baseline"
- config http
- set options scan
- end
- config ftp
- set options scan
- end
- config imap
- set options scan
- set executables virus
- end
- config pop3
- set options scan
- set executables virus
- end
- config smtp
- set options scan
- set executables virus
- end
- config mapi
- set options scan
- set executables virus
- end
- next
- end
- config webfilter profile
- edit "FG-Traffic-Baseline-Web-Filter"
- set comment "Web Filter baseline"
- config ftgd-wf
- set options error-allow
- config filters
- edit 12
- set category 12
- set action warning
- next
- edit 2
- set category 2
- set action warning
- next
- edit 7
- set category 7
- set action warning
- next
- edit 8
- set category 8
- set action warning
- next
- edit 9
- set category 9
- set action warning
- next
- edit 11
- set category 11
- set action warning
- next
- edit 13
- set category 13
- set action warning
- next
- edit 14
- set category 14
- set action warning
- next
- edit 15
- set category 15
- set action warning
- next
- edit 16
- set category 16
- set action warning
- next
- edit 57
- set category 57
- set action warning
- next
- edit 63
- set category 63
- set action warning
- next
- edit 64
- set category 64
- set action warning
- next
- edit 65
- set category 65
- set action warning
- next
- edit 66
- set category 66
- set action warning
- next
- edit 67
- set category 67
- set action warning
- next
- edit 26
- set category 26
- set action block
- next
- edit 61
- set category 61
- set action block
- next
- edit 86
- set category 86
- set action block
- next
- edit 88
- set category 88
- set action block
- next
- edit 90
- set category 90
- set action block
- next
- edit 91
- set category 91
- set action block
- next
- edit 23
- set action warning
- next
- end
- end
- next
- end
- config firewall vip
- edit "Dev1-ALB"
- set type fqdn
- set extip ${PublicIp1}
- set extintf "port1"
- set portforward enable
- set mapped-addr "Dev1-ALB-FQDN"
- set extport 7002
- set mappedport 443
- next
- edit "Dev2-ALB"
- set type fqdn
- set extip ${PublicIp1}
- set extintf "port1"
- set portforward enable
- set mapped-addr "Dev2-ALB-FQDN"
- set extport 7003
- set mappedport 443
- next
- edit "Test1-ALB"
- set type fqdn
- set extip ${PublicIp1}
- set extintf "port1"
- set portforward enable
- set mapped-addr "Test1-ALB-FQDN"
- set extport 7004
- set mappedport 443
- next
- edit "Test2-ALB"
- set type fqdn
- set extip ${PublicIp1}
- set extintf "port1"
- set portforward enable
- set mapped-addr "Test2-ALB-FQDN"
- set extport 7005
- set mappedport 443
- next
- edit "Prod1-ALB"
- set type fqdn
- set extip ${PublicIp1}
- set extintf "port1"
- set portforward enable
- set mapped-addr "Prod1-ALB-FQDN"
- set extport 7001
- set mappedport 443
- next
- edit "Prod2-ALB"
- set type fqdn
- set extip ${PublicIp1}
- set extintf "port1"
- set portforward enable
- set mapped-addr "Prod2-ALB-FQDN"
- set extport 7007
- set mappedport 443
- next
- end
- config firewall ssl-ssh-profile
- edit "FG-Traffic-Baseline-SSL"
- set comment "Baseline SSL deep Server Inspection"
- config https
- set ports 443
- set status deep-inspection
- end
- config ftps
- set ports 990
- set status deep-inspection
- end
- config imaps
- set ports 993
- set status deep-inspection
- end
- config pop3s
- set ports 995
- set status deep-inspection
- end
- config smtps
- set ports 465
- set status deep-inspection
- end
- config ssh
- set ports 22
- set status disable
- end
- next
- end
- config firewall policy
- edit 3
- set name "in-vpn"
- set srcintf "tgw-vpn1"
- set dstintf "port2"
- set srcaddr "all"
- set dstaddr "all"
- set action accept
- set schedule "always"
- set service "ALL"
- set logtraffic all
- set fsso disable
- set logtraffic-start enable
- next
- edit 2
- set name "out-vpn"
- set srcintf "port2"
- set dstintf "tgw-vpn1"
- set srcaddr "all"
- set dstaddr "all"
- set action accept
- set schedule "always"
- set service "ALL"
- set logtraffic all
- set fsso disable
- set logtraffic-start enable
- next
- edit 1
- set name "outbound-all"
- set srcintf "port2"
- set dstintf "port1"
- set srcaddr "all"
- set dstaddr "all"
- set action accept
- set schedule "always"
- set service "ALL"
- set logtraffic all
- set ippool enable
- set poolname "cluster-ippool"
- set nat enable
- set logtraffic-start enable
- next
- edit 4
- set name "Fortinet-activation-traffic"
- set srcintf "port2"
- set dstintf "port1"
- set srcaddr "all"
- set internet-service enable
- set internet-service-group "GROUP-Fortinet-ISDB"
- set action accept
- set schedule "always"
- set nat enable
- next
- edit 5
- set name "Outbound Internet-All-Ports"
- set srcintf "tgw-vpn1"
- set dstintf "port1"
- set srcaddr "all"
- set dstaddr "all"
- set action accept
- set schedule "always"
- set service "ALL"
- set utm-status enable
- set ssl-ssh-profile "certificate-inspection"
- set av-profile "g-default"
- set webfilter-profile "g-default"
- set dnsfilter-profile "default"
- set ips-sensor "g-default"
- set application-list "g-default"
- set logtraffic all
- set nat enable
- set fsso disable
- set comments "DISABLED - Only allow outbound http/https traffic"
- set status disable
- next
- edit 6
- set name "in-TGW-out-internet-ALL-HTTP"
- set srcintf "tgw-vpn1"
- set dstintf "port1"
- set srcaddr "all"
- set dstaddr "all"
- set action accept
- set schedule "always"
- set service "HTTPS" "HTTP"
- set utm-status enable
- set inspection-mode proxy
- set http-policy-redirect enable
- set ssl-ssh-profile "certificate-inspection"
- set webfilter-profile "FG-Traffic-Baseline-Web-Filter"
- set logtraffic all
- set logtraffic-start enable
- set auto-asic-offload disable
- set fsso disable
- set comments "All outbound cloud HTTP/HTTPS to Internet - Proxy"
- set nat enable
- next
- edit 7
- set name "in-internet-out-TGW-HTTP-PROD"
- set srcintf "port1"
- set dstintf "tgw-vpn1"
- set srcaddr "all"
- set dstaddr "Prod1-ALB" "Prod2-ALB"
- set action accept
- set schedule "always"
- set service "HTTP" "HTTPS"
- set utm-status enable
- set ssl-ssh-profile "FG-Traffic-Baseline-SSL"
- set av-profile "FG-Traffic-Baseline-AV"
- set ips-sensor "FG-Traffic-Baseline-IPS"
- set logtraffic all
- set logtraffic-start enable
- set ippool enable
- set poolname "cluster-ippool"
- set fsso disable
- set comments "Inbound HTTP / HTTPS Traffic to Production cloud ALBs"
- set nat enable
- next
- edit 8
- set name "in-internet-out-TGW-HTTP-Dev-Test"
- set srcintf "port1"
- set dstintf "tgw-vpn1"
- set srcaddr "all"
- set dstaddr "Dev1-ALB" "Dev2-ALB" "Test1-ALB" "Test2-ALB"
- set action accept
- set schedule "always"
- set service "HTTP" "HTTPS"
- set utm-status enable
- set ssl-ssh-profile "FG-Traffic-Baseline-SSL"
- set av-profile "FG-Traffic-Baseline-AV"
- set ips-sensor "FG-Traffic-Baseline-IPS"
- set logtraffic all
- set logtraffic-start enable
- set ippool enable
- set poolname "cluster-ippool"
- set fsso disable
- set comments "Inbound HTTP / HTTPS Traffic to Dev/Test/Ops cloud ALBs"
- set nat enable
- next
- end
- config firewall proxy-policy
- edit 2
- set proxy transparent-web
- set srcintf "tgw-vpn1"
- set dstintf "port1"
- set srcaddr "all"
- set dstaddr "all"
- set service "webproxy"
- set action accept
- set schedule "always"
- set logtraffic all
- set utm-status enable
- set ssl-ssh-profile "certificate-inspection"
- set webfilter-profile "FG-Traffic-Baseline-Web-Filter"
- next
- end
- config router prefix-list
- edit "pflist-default-route"
- config rule
- edit 1
- set prefix 0.0.0.0 0.0.0.0
- unset ge
- unset le
- next
- end
- next
- edit "pflist-port1-ip"
- config rule
- edit 1
- set prefix ${PublicIp1} 255.255.255.255 # 100.96.251.69
- unset ge
- unset le
- next
- end
- next
- end
- config router route-map
- edit "rmap-outbound"
- config rule
- edit 1
- set match-ip-address "pflist-default-route"
- next
- edit 2
- set match-ip-address "pflist-port1-ip"
- next
- end
- next
- end
- config router bgp
- set as ${PublicCgwBgpAsn1}
- set router-id ${PublicIp1}
- set ebgp-multipath enable
- set network-import-check disable
- config neighbor
- edit ${PublicVpnTunnelInsideAddress1}
- set capability-default-originate enable
- set remote-as ${PublicVpnBgpAsn1}
- set route-map-out "rmap-outbound"
- set link-down-failover enable
- next
- end
- config network
- edit 1
- set prefix ${PublicIp1} 255.255.255.255
- next
- edit 2
- set prefix ${OnPremiseNetworkIp} ${OnPremiseMask}
- next
- end
- end
+config system global
+ set hostname ${Hostname}
+ set admintimeout 60
+ set vdom-mode split-vdom
+ set pre-login-banner enable
+ set admin-maintainer disable
+ set admin-https-ssl-versions tlsv1-2 tlsv1-3
+ set admin-ssh-grace-time 30
+ set fds-statistics disable
+ set security-rating-result-submission disable
+ set admin-lockout-duration 1800
+ set admin-telnet disable
+ set admintimeout 15
+ set timezone 12
+end
+config system settings
+ set allow-subnet-overlap enable
+end
+config global
+ config system interface
+ edit port1
+ set vdom FG-traffic
+ set alias public
+ set mode static
+ set ip ${PublicIp1} ${PublicMask}
+ set allowaccess ping https ssh fgfm
+ set secondary-IP enable
+ set mtu-override enable
+ set mtu 9001
+ set allowaccess ping https ssh probe-response
+ set role wan
+ next
+ edit port2
+ set vdom FG-traffic
+ set alias private
+ set mode static
+ set ip ${OnPremiseIp1} ${OnPremiseMask}
+ set allowaccess ping
+ set mtu-override enable
+ set mtu 9001
+ set role lan
+ next
+ edit port3
+ set vdom root
+ set alias mgmt
+ set mode static
+ set ip ${FWMgmtIp1} ${FWMgmtMask}
+ set allowaccess ping https ssh fgfm
+ set mtu-override enable
+ set mtu 9001
+ set role dmz
+ next
+ edit port4
+ set vdom FG-traffic
+ set alias DMZ
+ set mode static
+ set ip ${ProxyIp1} ${ProxyMask}
+ set allowaccess ping
+ set mtu-override enable
+ set mtu 9001
+ set role dmz
+ next
+ end
+ config system accprofile
+ edit "Read Only Admin"
+ set secfabgrp read
+ set ftviewgrp read
+ set authgrp read
+ set sysgrp read
+ set netgrp read
+ set loggrp read
+ set fwgrp read
+ set vpngrp read
+ set utmgrp read
+ set wanoptgrp read
+ set wifi read
+ next
+ end
+ config system password-policy
+ set status enable
+ set min-lower-case-letter 1
+ set min-upper-case-letter 1
+ set min-non-alphanumeric 1
+ set min-number 1
+ set expire-status enable
+ set reuse-password disable
+ end
+ config system dns
+ set primary 169.254.169.253
+ set secondary 1.1.1.1
+ end
+ config system autoupdate push-update
+ set status enable
+ end
+ config ips sensor
+ edit "g-default"
+ set scan-botnet-connections block
+ next
+ edit "g-wifi-default"
+ set scan-botnet-connections block
+ next
+ end
+ config system probe-response
+ set mode http-probe
+ end
+end
+config vdom
+edit FG-traffic
+ config router static
+ edit 1
+ set device port1
+ set gateway ${PublicRouterIp}
+ next
+ edit 2
+ set dst ${VpcNetworkIp} ${VpcMask}
+ set device port2
+ set gateway ${OnPremiseRouterIp}
+ next
+ edit 3
+ set dst ${FWMgmtNetworkIp} ${FWMgmtMask}
+ set device port2
+ set gateway ${OnPremiseRouterIp}
+ next
+ end
+ next
+edit root
+ config router static
+ edit 1
+ set device port3
+ set gateway ${FWMgmtRouterIp}
+ next
+ end
+ config log disk setting
+ set full-first-warning-threshold 70
+ end
+ config log setting
+ set log-invalid-packet enable
+ end
+end
+config vdom
+edit FG-traffic
+ config vpn ipsec phase1-interface
+ edit "tgw-vpn1"
+ set interface "port1"
+ set local-gw ${PublicIp1}
+ set keylife 28800
+ set peertype any
+ set proposal aes256-sha256
+ set dhgrp 2
+ set remote-gw ${PublicVpnTunnelOutsideAddress1}
+ set psksecret ${PublicPreSharedSecret1}
+ set dpd-retryinterval 10
+ next
+ end
+ config vpn ipsec phase2-interface
+ edit "tgw-vpn1"
+ set phase1name "tgw-vpn1"
+ set proposal aes256-sha256
+ set dhgrp 2
+ set keylifeseconds 3600
+ next
+ end
+ config system interface
+ edit "tgw-vpn1"
+ set ip ${PublicCgwTunnelInsideAddress1} 255.255.255.255
+ set remote-ip ${PublicVpnTunnelInsideAddress1} 255.255.255.255
+ set explicit-web-proxy enable
+ next
+ end
+ config firewall ippool
+ edit "cluster-ippool"
+ set startip ${PublicIp1}
+ set endip ${PublicIp1}
+ next
+ end
+ config firewall internet-service-group
+ edit "GROUP-Fortinet-ISDB"
+ set direction destination
+ set member 1245187 1245326 1245324 1245325 1245191 1245186 1245193 1245198 1245208 1245199 1245192 1245184 1245188 1245200 1245190 1245185
+ next
+ end
+ config system settings
+ set gui-dns-database enable
+ set gui-explicit-proxy enable
+ set gui-wireless-controller disable
+ set gui-waf-profile enable
+ end
+ config firewall address
+ edit "Dev1-ALB-FQDN"
+ set type fqdn
+ set associated-interface "tgw-vpn1"
+ set fqdn "Future-Manual-Dev1-alb-FQN.ca-central-1.elb.amazonaws.com"
+ next
+ edit "Dev2-ALB-FQDN"
+ set type fqdn
+ set associated-interface "tgw-vpn1"
+ set fqdn "Future-Manual-Dev2-alb-FQN.ca-central-1.elb.amazonaws.com"
+ next
+ edit "Test1-ALB-FQDN"
+ set type fqdn
+ set associated-interface "tgw-vpn1"
+ set fqdn "Future-Manual-Test1-alb-FQN.ca-central-1.elb.amazonaws.com"
+ next
+ edit "Test2-ALB-FQDN"
+ set type fqdn
+ set associated-interface "tgw-vpn1"
+ set fqdn "Future-Manual-Test2-alb-FQN.ca-central-1.elb.amazonaws.com"
+ next
+ edit "Prod1-ALB-FQDN"
+ set type fqdn
+ set associated-interface "tgw-vpn1"
+ set fqdn "Future-Manual-Prod1-alb-FQN.ca-central-1.elb.amazonaws.com"
+ next
+ edit "Prod2-ALB-FQDN"
+ set type fqdn
+ set associated-interface "tgw-vpn1"
+ set fqdn "Future-Manual-Prod2-alb-FQN.ca-central-1.elb.amazonaws.com"
+ next
+ edit "Public-Prod-ALB-FQDN"
+ set type fqdn
+ set fqdn "Future-Manual-PubProd-alb-FQN.ca-central-1.elb.amazonaws.com"
+ next
+ edit "Public-DevTestALB-FQDN"
+ set type fqdn
+ set fqdn "Future-Manual-PubDevTest-alb-FQN.ca-central-1.elb.amazonaws.com"
+ next
+ end
+ config ips sensor
+ edit "FG-Traffic-Baseline-IPS"
+ set comment "IPS baseline"
+ set block-malicious-url enable
+ set scan-botnet-connections block
+ config entries
+ edit 1
+ set os Windows
+ next
+ edit 2
+ set application IIS
+ next
+ edit 3
+ set application Apache
+ next
+ edit 4
+ set os Linux
+ next
+ end
+ next
+ end
+ config web-proxy explicit
+ set ipv6-status enable
+ end
+ config application list
+ edit "FG-Traffic-Baseline-App-Ctrl"
+ set comment "App Control Baseline"
+ set other-application-log enable
+ set unknown-application-action pass
+ set unknown-application-log enable
+ config entries
+ edit 1
+ set category 2 3 5 6 7 8 12 15 17 21 22 23 25 26 28 29 30 31 32
+ next
+ end
+ next
+ end
+ config antivirus profile
+ edit "FG-Traffic-Baseline-AV"
+ set comment "AV Baseline"
+ config http
+ set options scan
+ end
+ config ftp
+ set options scan
+ end
+ config imap
+ set options scan
+ set executables virus
+ end
+ config pop3
+ set options scan
+ set executables virus
+ end
+ config smtp
+ set options scan
+ set executables virus
+ end
+ config mapi
+ set options scan
+ set executables virus
+ end
+ next
+ end
+ config webfilter profile
+ edit "FG-Traffic-Baseline-Web-Filter"
+ set comment "Web Filter baseline"
+ config ftgd-wf
+ set options error-allow
+ config filters
+ edit 12
+ set category 12
+ set action warning
+ next
+ edit 2
+ set category 2
+ set action warning
+ next
+ edit 7
+ set category 7
+ set action warning
+ next
+ edit 8
+ set category 8
+ set action warning
+ next
+ edit 9
+ set category 9
+ set action warning
+ next
+ edit 11
+ set category 11
+ set action warning
+ next
+ edit 13
+ set category 13
+ set action warning
+ next
+ edit 14
+ set category 14
+ set action warning
+ next
+ edit 15
+ set category 15
+ set action warning
+ next
+ edit 16
+ set category 16
+ set action warning
+ next
+ edit 57
+ set category 57
+ set action warning
+ next
+ edit 63
+ set category 63
+ set action warning
+ next
+ edit 64
+ set category 64
+ set action warning
+ next
+ edit 65
+ set category 65
+ set action warning
+ next
+ edit 66
+ set category 66
+ set action warning
+ next
+ edit 67
+ set category 67
+ set action warning
+ next
+ edit 26
+ set category 26
+ set action block
+ next
+ edit 61
+ set category 61
+ set action block
+ next
+ edit 86
+ set category 86
+ set action block
+ next
+ edit 88
+ set category 88
+ set action block
+ next
+ edit 90
+ set category 90
+ set action block
+ next
+ edit 91
+ set category 91
+ set action block
+ next
+ edit 23
+ set action warning
+ next
+ end
+ end
+ next
+ end
+ config firewall vip
+ edit "Dev1-ALB"
+ set type fqdn
+ set extip ${PublicIp1}
+ set extintf "port1"
+ set portforward enable
+ set mapped-addr "Dev1-ALB-FQDN"
+ set extport 7002
+ set mappedport 443
+ next
+ edit "Dev2-ALB"
+ set type fqdn
+ set extip ${PublicIp1}
+ set extintf "port1"
+ set portforward enable
+ set mapped-addr "Dev2-ALB-FQDN"
+ set extport 7003
+ set mappedport 443
+ next
+ edit "Test1-ALB"
+ set type fqdn
+ set extip ${PublicIp1}
+ set extintf "port1"
+ set portforward enable
+ set mapped-addr "Test1-ALB-FQDN"
+ set extport 7004
+ set mappedport 443
+ next
+ edit "Test2-ALB"
+ set type fqdn
+ set extip ${PublicIp1}
+ set extintf "port1"
+ set portforward enable
+ set mapped-addr "Test2-ALB-FQDN"
+ set extport 7005
+ set mappedport 443
+ next
+ edit "Prod1-ALB"
+ set type fqdn
+ set extip ${PublicIp1}
+ set extintf "port1"
+ set portforward enable
+ set mapped-addr "Prod1-ALB-FQDN"
+ set extport 7001
+ set mappedport 443
+ next
+ edit "Prod2-ALB"
+ set type fqdn
+ set extip ${PublicIp1}
+ set extintf "port1"
+ set portforward enable
+ set mapped-addr "Prod2-ALB-FQDN"
+ set extport 7007
+ set mappedport 443
+ next
+ end
+ config firewall ssl-ssh-profile
+ edit "FG-Traffic-Baseline-SSL"
+ set comment "Baseline SSL deep Server Inspection"
+ config https
+ set ports 443
+ set status deep-inspection
+ end
+ config ftps
+ set ports 990
+ set status deep-inspection
+ end
+ config imaps
+ set ports 993
+ set status deep-inspection
+ end
+ config pop3s
+ set ports 995
+ set status deep-inspection
+ end
+ config smtps
+ set ports 465
+ set status deep-inspection
+ end
+ config ssh
+ set ports 22
+ set status disable
+ end
+ next
+ end
+ config firewall policy
+ edit 3
+ set name "in-vpn"
+ set srcintf "tgw-vpn1"
+ set dstintf "port2"
+ set srcaddr "all"
+ set dstaddr "all"
+ set action accept
+ set schedule "always"
+ set service "ALL"
+ set logtraffic all
+ set fsso disable
+ set logtraffic-start enable
+ next
+ edit 2
+ set name "out-vpn"
+ set srcintf "port2"
+ set dstintf "tgw-vpn1"
+ set srcaddr "all"
+ set dstaddr "all"
+ set action accept
+ set schedule "always"
+ set service "ALL"
+ set logtraffic all
+ set fsso disable
+ set logtraffic-start enable
+ next
+ edit 1
+ set name "outbound-all"
+ set srcintf "port2"
+ set dstintf "port1"
+ set srcaddr "all"
+ set dstaddr "all"
+ set action accept
+ set schedule "always"
+ set service "ALL"
+ set logtraffic all
+ set ippool enable
+ set poolname "cluster-ippool"
+ set nat enable
+ set logtraffic-start enable
+ next
+ edit 4
+ set name "Fortinet-activation-traffic"
+ set srcintf "port2"
+ set dstintf "port1"
+ set srcaddr "all"
+ set internet-service enable
+ set internet-service-group "GROUP-Fortinet-ISDB"
+ set action accept
+ set schedule "always"
+ set nat enable
+ next
+ edit 5
+ set name "Outbound Internet-All-Ports"
+ set srcintf "tgw-vpn1"
+ set dstintf "port1"
+ set srcaddr "all"
+ set dstaddr "all"
+ set action accept
+ set schedule "always"
+ set service "ALL"
+ set utm-status enable
+ set ssl-ssh-profile "certificate-inspection"
+ set av-profile "g-default"
+ set webfilter-profile "g-default"
+ set dnsfilter-profile "default"
+ set ips-sensor "g-default"
+ set application-list "g-default"
+ set logtraffic all
+ set nat enable
+ set fsso disable
+ set comments "DISABLED - Only allow outbound http/https traffic"
+ set status disable
+ next
+ edit 6
+ set name "in-TGW-out-internet-ALL-HTTP"
+ set srcintf "tgw-vpn1"
+ set dstintf "port1"
+ set srcaddr "all"
+ set dstaddr "all"
+ set action accept
+ set schedule "always"
+ set service "HTTPS" "HTTP"
+ set utm-status enable
+ set inspection-mode proxy
+ set http-policy-redirect enable
+ set ssl-ssh-profile "certificate-inspection"
+ set webfilter-profile "FG-Traffic-Baseline-Web-Filter"
+ set logtraffic all
+ set logtraffic-start enable
+ set auto-asic-offload disable
+ set fsso disable
+ set comments "All outbound cloud HTTP/HTTPS to Internet - Proxy"
+ set nat enable
+ next
+ edit 7
+ set name "in-internet-out-TGW-HTTP-PROD"
+ set srcintf "port1"
+ set dstintf "tgw-vpn1"
+ set srcaddr "all"
+ set dstaddr "Prod1-ALB" "Prod2-ALB"
+ set action accept
+ set schedule "always"
+ set service "HTTP" "HTTPS"
+ set utm-status enable
+ set ssl-ssh-profile "FG-Traffic-Baseline-SSL"
+ set av-profile "FG-Traffic-Baseline-AV"
+ set ips-sensor "FG-Traffic-Baseline-IPS"
+ set logtraffic all
+ set logtraffic-start enable
+ set ippool enable
+ set poolname "cluster-ippool"
+ set fsso disable
+ set comments "Inbound HTTP / HTTPS Traffic to Production cloud ALBs"
+ set nat enable
+ next
+ edit 8
+ set name "in-internet-out-TGW-HTTP-Dev-Test"
+ set srcintf "port1"
+ set dstintf "tgw-vpn1"
+ set srcaddr "all"
+ set dstaddr "Dev1-ALB" "Dev2-ALB" "Test1-ALB" "Test2-ALB"
+ set action accept
+ set schedule "always"
+ set service "HTTP" "HTTPS"
+ set utm-status enable
+ set ssl-ssh-profile "FG-Traffic-Baseline-SSL"
+ set av-profile "FG-Traffic-Baseline-AV"
+ set ips-sensor "FG-Traffic-Baseline-IPS"
+ set logtraffic all
+ set logtraffic-start enable
+ set ippool enable
+ set poolname "cluster-ippool"
+ set fsso disable
+ set comments "Inbound HTTP / HTTPS Traffic to Dev/Test/Ops cloud ALBs"
+ set nat enable
+ next
+ end
+ config firewall proxy-policy
+ edit 2
+ set proxy transparent-web
+ set srcintf "tgw-vpn1"
+ set dstintf "port1"
+ set srcaddr "all"
+ set dstaddr "all"
+ set service "webproxy"
+ set action accept
+ set schedule "always"
+ set logtraffic all
+ set utm-status enable
+ set ssl-ssh-profile "certificate-inspection"
+ set webfilter-profile "FG-Traffic-Baseline-Web-Filter"
+ next
+ end
+ config router prefix-list
+ edit "pflist-default-route"
+ config rule
+ edit 1
+ set prefix 0.0.0.0 0.0.0.0
+ unset ge
+ unset le
+ next
+ end
+ next
+ edit "pflist-port1-ip"
+ config rule
+ edit 1
+ set prefix ${PublicIp1} 255.255.255.255 # 100.96.251.69
+ unset ge
+ unset le
+ next
+ end
+ next
+ end
+ config router route-map
+ edit "rmap-outbound"
+ config rule
+ edit 1
+ set match-ip-address "pflist-default-route"
+ next
+ edit 2
+ set match-ip-address "pflist-port1-ip"
+ next
+ end
+ next
+ end
+ config router bgp
+ set as ${PublicCgwBgpAsn1}
+ set router-id ${PublicIp1}
+ set ebgp-multipath enable
+ set network-import-check disable
+ config neighbor
+ edit ${PublicVpnTunnelInsideAddress1}
+ set capability-default-originate enable
+ set remote-as ${PublicVpnBgpAsn1}
+ set route-map-out "rmap-outbound"
+ set link-down-failover enable
+ next
+ end
+ config network
+ edit 1
+ set prefix ${PublicIp1} 255.255.255.255
+ next
+ edit 2
+ set prefix ${OnPremiseNetworkIp} ${OnPremiseMask}
+ next
+ end
+ end
end
\ No newline at end of file
diff --git a/reference-artifacts/aws-landing-zone-configuration/manifest.yaml b/reference-artifacts/aws-landing-zone-configuration/manifest.yaml
index 6c4c3bee5..288fadaf0 100644
--- a/reference-artifacts/aws-landing-zone-configuration/manifest.yaml
+++ b/reference-artifacts/aws-landing-zone-configuration/manifest.yaml
@@ -1,326 +1,326 @@
----
-#Default region for deploying AWS Landing Zone assets: Code Pipeline, Step functions, Lambda, SSM parameters, Service Catalog Portfolio/Products and StackSets
-region: us-east-1
-version: 2018-06-14
-lock_down_stack_sets_role: No
-nested_ou_delimiter: ':' # the value for this key must be in single quotes
-
-# Landing Zone Core Account Structure
-organizational_units:
- # Landing Zone OU for Core accounts
- - name: core
- include_in_baseline_products:
- - AWS-Landing-Zone-Account-Vending-Machine
- core_accounts:
- # Security account
- - name: security
- email: bmycroft+landing-zone-security@amazon.com
- ssm_parameters:
- - name: /org/member/security/account_id
- value: $[AccountId]
- core_resources:
- - name: SecurityRoles
- template_file: templates/core_accounts/aws-landing-zone-security.template
- parameter_file: parameters/core_accounts/aws-landing-zone-security.json
- deploy_method: stack_set
- ssm_parameters:
- - name: /org/member/security/admin_role_arn
- value: $[output_CrossAccountAdminRole]
- - name: /org/member/security/readonly_role_arn
- value: $[output_CrossAccountReadOnlyRole]
- - name: SharedTopic
- template_file: templates/core_accounts/aws-landing-zone-notification.template
- parameter_file: parameters/core_accounts/aws-landing-zone-notification.json
- deploy_method: stack_set
- # This SNS Topic needs to be deployed in ALL the regions where AWS Config service is enabled. (See baseline_resources: EnableConfig)
- regions:
- - ap-east-1
- - ap-northeast-1
- - ap-northeast-2
- - ap-south-1
- - ap-southeast-1
- - ap-southeast-2
- - ca-central-1
- - eu-central-1
- - eu-north-1
- - eu-west-1
- - eu-west-2
- - eu-west-3
- - me-south-1
- - sa-east-1
- - us-east-1
- - us-east-2
- - us-west-1
- - us-west-2
- ssm_parameters:
- - name: /org/primary/sns_topic_arn
- value: $[output_TopicARN]
- - name: /org/primary/sns_notification_arn
- value: $[output_NotificationARN]
- - name: GuardDutyMaster
- template_file: templates/core_accounts/aws-landing-zone-guardduty-master.template
- parameter_file: parameters/core_accounts/aws-landing-zone-guardduty-master.json
- deploy_method: stack_set
- regions:
- - ap-east-1
- - ap-northeast-1
- - ap-northeast-2
- - ap-south-1
- - ap-southeast-1
- - ap-southeast-2
- - ca-central-1
- - eu-central-1
- - eu-north-1
- - eu-west-1
- - eu-west-2
- - eu-west-3
- - me-south-1
- - sa-east-1
- - us-east-1
- - us-east-2
- - us-west-1
- - us-west-2
- # Logging account
- - name: log-archive
- email: bmycroft+landing-zone-log-archive@amazon.com
- ssm_parameters:
- - name: /org/member/logging/account_id
- value: $[AccountId]
- core_resources:
- - name: SharedBucket
- template_file: templates/core_accounts/aws-landing-zone-logging.template
- parameter_file: parameters/core_accounts/aws-landing-zone-logging.json
- deploy_method: stack_set
- ssm_parameters:
- - name: /org/member/logging/bucket_name # This key will always be created in region mentioned at the top of the Manifest file.
- value: $[output_BucketName]
- # Shared Services account
- - name: shared-services
- email: bmycroft+landing-zone-shared-service@amazon.com
- ssm_parameters:
- - name: /org/member/sharedservices/account_id
- value: $[AccountId]
- core_resources:
- - name: SharedServicesAccountVPC
- template_file: templates/aws_baseline/aws-landing-zone-vpc.template
- parameter_file: parameters/core_accounts/aws-landing-zone-shared-services-vpc.json
- deploy_method: stack_set
- regions:
- - us-east-1
- ssm_parameters:
- - name: /org/member/sharedservices/vpc_region
- value: $[output_VPCRegion]
- - name: /org/member/sharedservices/vpc_cidr
- value: $[output_VPCCIDR]
- - name: /org/member/sharedservices/vpc_id
- value: $[output_VPCID]
- - name: /org/member/sharedservices/private_subnet1_cidr
- value: $[output_PrivateSubnet1ACIDR]
- - name: /org/member/sharedservices/private_subnet1_id
- value: $[output_PrivateSubnet1AID]
- - name: /org/member/sharedservices/private_subnet2_cidr
- value: $[output_PrivateSubnet2ACIDR]
- - name: /org/member/sharedservices/private_subnet2_id
- value: $[output_PrivateSubnet2AID]
- - name: /org/member/sharedservices/public_subnet1_cidr
- value: $[output_PublicSubnet1CIDR]
- - name: /org/member/sharedservices/public_subnet1_id
- value: $[output_PublicSubnet1ID]
- - name: /org/member/sharedservices/public_subnet2_cidr
- value: $[output_PublicSubnet2CIDR]
- - name: /org/member/sharedservices/public_subnet2_id
- value: $[output_PublicSubnet2ID]
- - name: /org/member/sharedservices/vpc_private_route_ids
- value: $[output_PrivateSubnetRouteTables]
- # Organization's Master account
- - name: primary # NOTE: DO NOT MODIFY THIS ACCOUNT NAME AND IT SHOULD BE THE LAST CORE ACCOUNT IN THE LIST
- ssm_parameters:
- # SSM parameter to hold the AWS Account ID of Organization's Master Account
- - name: /org/primary/account_id
- value: $[AccountId]
- # SSM parameter to hold the Email ID of Organization's Master Account
- - name: /org/primary/email_id
- value: $[AccountEmail]
- # SSM parameter to hold the Organization ID
- - name: /org/primary/organization_id
- value: $[OrganizationId]
- core_resources: []
- - name: central
- include_in_baseline_products:
- - AWS-Landing-Zone-Account-Vending-Machine
- - name: dev
- include_in_baseline_products:
- - AWS-Landing-Zone-Account-Vending-Machine
- - name: test
- include_in_baseline_products:
- - AWS-Landing-Zone-Account-Vending-Machine
- - name: prod
- include_in_baseline_products:
- - AWS-Landing-Zone-Account-Vending-Machine
- - name: unclass
- include_in_baseline_products:
- - AWS-Landing-Zone-Account-Vending-Machine
- - name: sandbox
- include_in_baseline_products:
- - AWS-Landing-Zone-Account-Vending-Machine
-
-# Landing Zone Service Control Policies
-organization_policies:
- - name: aws-landing-zone-core-mandatory-preventive-guardrails
- description: To prevent from deleting or disabling resources in core accounts managed by AWS Landing Zone
- policy_file: policies/aws-landing-zone-core-mandatory-preventive-guardrails.json
- #Apply to accounts in the following OU(s)
- apply_to_accounts_in_ou:
- - core
- - name: aws-landing-zone-non-core-mandatory-preventive-guardrails
- description: To prevent from deleting or disabling resources in non-core accounts managed by AWS Landing Zone
- policy_file: policies/aws-landing-zone-non-core-mandatory-preventive-guardrails.json
- #Apply to accounts in the following OU(s)
- apply_to_accounts_in_ou:
- - central
- - dev
- - test
- - prod
- - unclass
- - sandbox
-# Landing Zone Service Catalog portolfios/products (Optional/Baseline)
-portfolios:
- - name: AWS Landing Zone - Baseline
- description: Baseline Products for AWS Landing Zone
- owner: AWS Solutions
- principal_role: $[alfred_ssm_/org/primary/service_catalog/principal/role_arn]
- products:
- - name: AWS-Landing-Zone-Account-Vending-Machine
- description: (SO0045) - AWS Landing Zone - Account Vending Machine Template
- # This is the skeleton template for the AVM
- skeleton_file: templates/aws_baseline/aws-landing-zone-avm.template.j2
- parameter_file: parameters/aws_baseline/aws-landing-zone-avm.json
- rules_file: template_constraints/aws-landing-zone-avm-rules.json
- # Hide/Disable the old version of the product in Service Catalog
- hide_old_versions: true
- # Is this is a baseline product? e.g. AVM ?
- product_type: baseline
- launch_constraint_role: $[alfred_ssm_/org/primary/service_catalog/constraint/role_arn]
-
-# Landing Zone Service Baseline Resources
-baseline_resources:
- - name: EnableCloudTrail
- # This resource is part of which baseline(s) product
- baseline_products:
- - AWS-Landing-Zone-Account-Vending-Machine
- template_file: templates/aws_baseline/aws-landing-zone-enable-cloudtrail.template
- parameter_file: parameters/aws_baseline/aws-landing-zone-enable-cloudtrail.json
- deploy_method: stack_set
-
- # This template deploys the ConfigRecorder IAM role required for enabling AWS Config service
- # It needs to be deployed in Home region ONLY
- - name: ConfigRole
- baseline_products:
- - AWS-Landing-Zone-Account-Vending-Machine
- template_file: templates/aws_baseline/aws-landing-zone-enable-config-role.template
- deploy_method: stack_set
-
- # This template deploys the AWS Config service.
- # It can be deployed in multiple regions.
- - name: EnableConfig
- baseline_products:
- - AWS-Landing-Zone-Account-Vending-Machine
- depends_on:
- - ConfigRole
- template_file: templates/aws_baseline/aws-landing-zone-enable-config.template
- parameter_file: parameters/aws_baseline/aws-landing-zone-enable-config.json
- deploy_method: stack_set
- regions:
- - ap-east-1
- - ap-northeast-1
- - ap-northeast-2
- - ap-south-1
- - ap-southeast-1
- - ap-southeast-2
- - ca-central-1
- - eu-central-1
- - eu-north-1
- - eu-west-1
- - eu-west-2
- - eu-west-3
- - me-south-1
- - sa-east-1
- - us-east-1
- - us-east-2
- - us-west-1
- - us-west-2
-
- # This template deploys the Config Rules that monitor the Global resources i.e. IAM
- # It needs to be deployed in Home region ONLY
- - name: EnableConfigRulesGlobal
- baseline_products:
- - AWS-Landing-Zone-Account-Vending-Machine
- depends_on:
- - EnableConfig
- template_file: templates/aws_baseline/aws-landing-zone-config-rules-global.template
- parameter_file: parameters/aws_baseline/aws-landing-zone-config-rules-global.json
- deploy_method: stack_set
-
- # This template deploys the Config Rules that monitor the local resources.
- # It can be deployed in multiple regions
- - name: EnableConfigRules
- baseline_products:
- - AWS-Landing-Zone-Account-Vending-Machine
- depends_on:
- - EnableConfig
- template_file: templates/aws_baseline/aws-landing-zone-config-rules.template
- parameter_file: parameters/aws_baseline/aws-landing-zone-config-rules.json
- deploy_method: stack_set
- regions:
- - ap-east-1
- - ap-northeast-1
- - ap-northeast-2
- - ap-south-1
- - ap-southeast-1
- - ap-southeast-2
- - ca-central-1
- - eu-central-1
- - eu-north-1
- - eu-west-1
- - eu-west-2
- - eu-west-3
- - me-south-1
- - sa-east-1
- - us-east-1
- - us-east-2
- - us-west-1
- - us-west-2
-
- - name: EnableNotifications
- baseline_products:
- - AWS-Landing-Zone-Account-Vending-Machine
- depends_on:
- - EnableCloudTrail
- - EnableConfig
- template_file: templates/aws_baseline/aws-landing-zone-notifications.template
- parameter_file: parameters/aws_baseline/aws-landing-zone-notifications.json
- deploy_method: stack_set
-
- - name: SecurityRoles
- baseline_products:
- - AWS-Landing-Zone-Account-Vending-Machine
- template_file: templates/aws_baseline/aws-landing-zone-security-roles.template
- parameter_file: parameters/aws_baseline/aws-landing-zone-security-roles.json
- deploy_method: stack_set
-
- - name: IamPasswordPolicy
- baseline_products:
- - AWS-Landing-Zone-Account-Vending-Machine
- template_file: templates/aws_baseline/aws-landing-zone-iam-password-policy.template
- parameter_file: parameters/aws_baseline/aws-landing-zone-iam-password-policy.json
- deploy_method: stack_set
-
- - name: PrimaryVPC
- baseline_products:
- - AWS-Landing-Zone-Account-Vending-Machine
- depends_on:
- - VPCCalculator
- template_file: templates/aws_baseline/aws-landing-zone-vpc.template
- parameter_file: parameters/aws_baseline/aws-landing-zone-primary-vpc.json
- deploy_method: stack_set
+---
+#Default region for deploying AWS Landing Zone assets: Code Pipeline, Step functions, Lambda, SSM parameters, Service Catalog Portfolio/Products and StackSets
+region: us-east-1
+version: 2018-06-14
+lock_down_stack_sets_role: No
+nested_ou_delimiter: ':' # the value for this key must be in single quotes
+
+# Landing Zone Core Account Structure
+organizational_units:
+ # Landing Zone OU for Core accounts
+ - name: core
+ include_in_baseline_products:
+ - AWS-Landing-Zone-Account-Vending-Machine
+ core_accounts:
+ # Security account
+ - name: security
+ email: bmycroft+landing-zone-security@amazon.com
+ ssm_parameters:
+ - name: /org/member/security/account_id
+ value: $[AccountId]
+ core_resources:
+ - name: SecurityRoles
+ template_file: templates/core_accounts/aws-landing-zone-security.template
+ parameter_file: parameters/core_accounts/aws-landing-zone-security.json
+ deploy_method: stack_set
+ ssm_parameters:
+ - name: /org/member/security/admin_role_arn
+ value: $[output_CrossAccountAdminRole]
+ - name: /org/member/security/readonly_role_arn
+ value: $[output_CrossAccountReadOnlyRole]
+ - name: SharedTopic
+ template_file: templates/core_accounts/aws-landing-zone-notification.template
+ parameter_file: parameters/core_accounts/aws-landing-zone-notification.json
+ deploy_method: stack_set
+ # This SNS Topic needs to be deployed in ALL the regions where AWS Config service is enabled. (See baseline_resources: EnableConfig)
+ regions:
+ - ap-east-1
+ - ap-northeast-1
+ - ap-northeast-2
+ - ap-south-1
+ - ap-southeast-1
+ - ap-southeast-2
+ - ca-central-1
+ - eu-central-1
+ - eu-north-1
+ - eu-west-1
+ - eu-west-2
+ - eu-west-3
+ - me-south-1
+ - sa-east-1
+ - us-east-1
+ - us-east-2
+ - us-west-1
+ - us-west-2
+ ssm_parameters:
+ - name: /org/primary/sns_topic_arn
+ value: $[output_TopicARN]
+ - name: /org/primary/sns_notification_arn
+ value: $[output_NotificationARN]
+ - name: GuardDutyMaster
+ template_file: templates/core_accounts/aws-landing-zone-guardduty-master.template
+ parameter_file: parameters/core_accounts/aws-landing-zone-guardduty-master.json
+ deploy_method: stack_set
+ regions:
+ - ap-east-1
+ - ap-northeast-1
+ - ap-northeast-2
+ - ap-south-1
+ - ap-southeast-1
+ - ap-southeast-2
+ - ca-central-1
+ - eu-central-1
+ - eu-north-1
+ - eu-west-1
+ - eu-west-2
+ - eu-west-3
+ - me-south-1
+ - sa-east-1
+ - us-east-1
+ - us-east-2
+ - us-west-1
+ - us-west-2
+ # Logging account
+ - name: log-archive
+ email: bmycroft+landing-zone-log-archive@amazon.com
+ ssm_parameters:
+ - name: /org/member/logging/account_id
+ value: $[AccountId]
+ core_resources:
+ - name: SharedBucket
+ template_file: templates/core_accounts/aws-landing-zone-logging.template
+ parameter_file: parameters/core_accounts/aws-landing-zone-logging.json
+ deploy_method: stack_set
+ ssm_parameters:
+ - name: /org/member/logging/bucket_name # This key will always be created in region mentioned at the top of the Manifest file.
+ value: $[output_BucketName]
+ # Shared Services account
+ - name: shared-services
+ email: bmycroft+landing-zone-shared-service@amazon.com
+ ssm_parameters:
+ - name: /org/member/sharedservices/account_id
+ value: $[AccountId]
+ core_resources:
+ - name: SharedServicesAccountVPC
+ template_file: templates/aws_baseline/aws-landing-zone-vpc.template
+ parameter_file: parameters/core_accounts/aws-landing-zone-shared-services-vpc.json
+ deploy_method: stack_set
+ regions:
+ - us-east-1
+ ssm_parameters:
+ - name: /org/member/sharedservices/vpc_region
+ value: $[output_VPCRegion]
+ - name: /org/member/sharedservices/vpc_cidr
+ value: $[output_VPCCIDR]
+ - name: /org/member/sharedservices/vpc_id
+ value: $[output_VPCID]
+ - name: /org/member/sharedservices/private_subnet1_cidr
+ value: $[output_PrivateSubnet1ACIDR]
+ - name: /org/member/sharedservices/private_subnet1_id
+ value: $[output_PrivateSubnet1AID]
+ - name: /org/member/sharedservices/private_subnet2_cidr
+ value: $[output_PrivateSubnet2ACIDR]
+ - name: /org/member/sharedservices/private_subnet2_id
+ value: $[output_PrivateSubnet2AID]
+ - name: /org/member/sharedservices/public_subnet1_cidr
+ value: $[output_PublicSubnet1CIDR]
+ - name: /org/member/sharedservices/public_subnet1_id
+ value: $[output_PublicSubnet1ID]
+ - name: /org/member/sharedservices/public_subnet2_cidr
+ value: $[output_PublicSubnet2CIDR]
+ - name: /org/member/sharedservices/public_subnet2_id
+ value: $[output_PublicSubnet2ID]
+ - name: /org/member/sharedservices/vpc_private_route_ids
+ value: $[output_PrivateSubnetRouteTables]
+ # Organization's Master account
+ - name: primary # NOTE: DO NOT MODIFY THIS ACCOUNT NAME AND IT SHOULD BE THE LAST CORE ACCOUNT IN THE LIST
+ ssm_parameters:
+ # SSM parameter to hold the AWS Account ID of Organization's Master Account
+ - name: /org/primary/account_id
+ value: $[AccountId]
+ # SSM parameter to hold the Email ID of Organization's Master Account
+ - name: /org/primary/email_id
+ value: $[AccountEmail]
+ # SSM parameter to hold the Organization ID
+ - name: /org/primary/organization_id
+ value: $[OrganizationId]
+ core_resources: []
+ - name: central
+ include_in_baseline_products:
+ - AWS-Landing-Zone-Account-Vending-Machine
+ - name: dev
+ include_in_baseline_products:
+ - AWS-Landing-Zone-Account-Vending-Machine
+ - name: test
+ include_in_baseline_products:
+ - AWS-Landing-Zone-Account-Vending-Machine
+ - name: prod
+ include_in_baseline_products:
+ - AWS-Landing-Zone-Account-Vending-Machine
+ - name: unclass
+ include_in_baseline_products:
+ - AWS-Landing-Zone-Account-Vending-Machine
+ - name: sandbox
+ include_in_baseline_products:
+ - AWS-Landing-Zone-Account-Vending-Machine
+
+# Landing Zone Service Control Policies
+organization_policies:
+ - name: aws-landing-zone-core-mandatory-preventive-guardrails
+ description: To prevent from deleting or disabling resources in core accounts managed by AWS Landing Zone
+ policy_file: policies/aws-landing-zone-core-mandatory-preventive-guardrails.json
+ #Apply to accounts in the following OU(s)
+ apply_to_accounts_in_ou:
+ - core
+ - name: aws-landing-zone-non-core-mandatory-preventive-guardrails
+ description: To prevent from deleting or disabling resources in non-core accounts managed by AWS Landing Zone
+ policy_file: policies/aws-landing-zone-non-core-mandatory-preventive-guardrails.json
+ #Apply to accounts in the following OU(s)
+ apply_to_accounts_in_ou:
+ - central
+ - dev
+ - test
+ - prod
+ - unclass
+ - sandbox
+# Landing Zone Service Catalog portolfios/products (Optional/Baseline)
+portfolios:
+ - name: AWS Landing Zone - Baseline
+ description: Baseline Products for AWS Landing Zone
+ owner: AWS Solutions
+ principal_role: $[alfred_ssm_/org/primary/service_catalog/principal/role_arn]
+ products:
+ - name: AWS-Landing-Zone-Account-Vending-Machine
+ description: (SO0045) - AWS Landing Zone - Account Vending Machine Template
+ # This is the skeleton template for the AVM
+ skeleton_file: templates/aws_baseline/aws-landing-zone-avm.template.j2
+ parameter_file: parameters/aws_baseline/aws-landing-zone-avm.json
+ rules_file: template_constraints/aws-landing-zone-avm-rules.json
+ # Hide/Disable the old version of the product in Service Catalog
+ hide_old_versions: true
+ # Is this is a baseline product? e.g. AVM ?
+ product_type: baseline
+ launch_constraint_role: $[alfred_ssm_/org/primary/service_catalog/constraint/role_arn]
+
+# Landing Zone Service Baseline Resources
+baseline_resources:
+ - name: EnableCloudTrail
+ # This resource is part of which baseline(s) product
+ baseline_products:
+ - AWS-Landing-Zone-Account-Vending-Machine
+ template_file: templates/aws_baseline/aws-landing-zone-enable-cloudtrail.template
+ parameter_file: parameters/aws_baseline/aws-landing-zone-enable-cloudtrail.json
+ deploy_method: stack_set
+
+ # This template deploys the ConfigRecorder IAM role required for enabling AWS Config service
+ # It needs to be deployed in Home region ONLY
+ - name: ConfigRole
+ baseline_products:
+ - AWS-Landing-Zone-Account-Vending-Machine
+ template_file: templates/aws_baseline/aws-landing-zone-enable-config-role.template
+ deploy_method: stack_set
+
+ # This template deploys the AWS Config service.
+ # It can be deployed in multiple regions.
+ - name: EnableConfig
+ baseline_products:
+ - AWS-Landing-Zone-Account-Vending-Machine
+ depends_on:
+ - ConfigRole
+ template_file: templates/aws_baseline/aws-landing-zone-enable-config.template
+ parameter_file: parameters/aws_baseline/aws-landing-zone-enable-config.json
+ deploy_method: stack_set
+ regions:
+ - ap-east-1
+ - ap-northeast-1
+ - ap-northeast-2
+ - ap-south-1
+ - ap-southeast-1
+ - ap-southeast-2
+ - ca-central-1
+ - eu-central-1
+ - eu-north-1
+ - eu-west-1
+ - eu-west-2
+ - eu-west-3
+ - me-south-1
+ - sa-east-1
+ - us-east-1
+ - us-east-2
+ - us-west-1
+ - us-west-2
+
+ # This template deploys the Config Rules that monitor the Global resources i.e. IAM
+ # It needs to be deployed in Home region ONLY
+ - name: EnableConfigRulesGlobal
+ baseline_products:
+ - AWS-Landing-Zone-Account-Vending-Machine
+ depends_on:
+ - EnableConfig
+ template_file: templates/aws_baseline/aws-landing-zone-config-rules-global.template
+ parameter_file: parameters/aws_baseline/aws-landing-zone-config-rules-global.json
+ deploy_method: stack_set
+
+ # This template deploys the Config Rules that monitor the local resources.
+ # It can be deployed in multiple regions
+ - name: EnableConfigRules
+ baseline_products:
+ - AWS-Landing-Zone-Account-Vending-Machine
+ depends_on:
+ - EnableConfig
+ template_file: templates/aws_baseline/aws-landing-zone-config-rules.template
+ parameter_file: parameters/aws_baseline/aws-landing-zone-config-rules.json
+ deploy_method: stack_set
+ regions:
+ - ap-east-1
+ - ap-northeast-1
+ - ap-northeast-2
+ - ap-south-1
+ - ap-southeast-1
+ - ap-southeast-2
+ - ca-central-1
+ - eu-central-1
+ - eu-north-1
+ - eu-west-1
+ - eu-west-2
+ - eu-west-3
+ - me-south-1
+ - sa-east-1
+ - us-east-1
+ - us-east-2
+ - us-west-1
+ - us-west-2
+
+ - name: EnableNotifications
+ baseline_products:
+ - AWS-Landing-Zone-Account-Vending-Machine
+ depends_on:
+ - EnableCloudTrail
+ - EnableConfig
+ template_file: templates/aws_baseline/aws-landing-zone-notifications.template
+ parameter_file: parameters/aws_baseline/aws-landing-zone-notifications.json
+ deploy_method: stack_set
+
+ - name: SecurityRoles
+ baseline_products:
+ - AWS-Landing-Zone-Account-Vending-Machine
+ template_file: templates/aws_baseline/aws-landing-zone-security-roles.template
+ parameter_file: parameters/aws_baseline/aws-landing-zone-security-roles.json
+ deploy_method: stack_set
+
+ - name: IamPasswordPolicy
+ baseline_products:
+ - AWS-Landing-Zone-Account-Vending-Machine
+ template_file: templates/aws_baseline/aws-landing-zone-iam-password-policy.template
+ parameter_file: parameters/aws_baseline/aws-landing-zone-iam-password-policy.json
+ deploy_method: stack_set
+
+ - name: PrimaryVPC
+ baseline_products:
+ - AWS-Landing-Zone-Account-Vending-Machine
+ depends_on:
+ - VPCCalculator
+ template_file: templates/aws_baseline/aws-landing-zone-vpc.template
+ parameter_file: parameters/aws_baseline/aws-landing-zone-primary-vpc.json
+ deploy_method: stack_set
parameter_override: true
\ No newline at end of file
diff --git a/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-avm.json b/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-avm.json
index c2105dcff..a3681e657 100644
--- a/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-avm.json
+++ b/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-avm.json
@@ -1,30 +1,30 @@
-[
- {
- "ParameterKey": "AccountEmail",
- "ParameterValue": "$[AccountEmail]"
- },
- {
- "ParameterKey": "AccountName",
- "ParameterValue": "$[AccountName]"
- },
- {
- "ParameterKey": "OrgUnitName",
- "ParameterValue": "$[OrgUnitName]"
- },
- {
- "ParameterKey": "VPCOptions",
- "ParameterValue": ""
- },
- {
- "ParameterKey": "VPCCidr",
- "ParameterValue": ""
- },
- {
- "ParameterKey": "PeerVPC",
- "ParameterValue": ""
- },
- {
- "ParameterKey": "VPCRegion",
- "ParameterValue": ""
- }
-]
+[
+ {
+ "ParameterKey": "AccountEmail",
+ "ParameterValue": "$[AccountEmail]"
+ },
+ {
+ "ParameterKey": "AccountName",
+ "ParameterValue": "$[AccountName]"
+ },
+ {
+ "ParameterKey": "OrgUnitName",
+ "ParameterValue": "$[OrgUnitName]"
+ },
+ {
+ "ParameterKey": "VPCOptions",
+ "ParameterValue": ""
+ },
+ {
+ "ParameterKey": "VPCCidr",
+ "ParameterValue": ""
+ },
+ {
+ "ParameterKey": "PeerVPC",
+ "ParameterValue": ""
+ },
+ {
+ "ParameterKey": "VPCRegion",
+ "ParameterValue": ""
+ }
+]
diff --git a/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-config-rules-global.json b/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-config-rules-global.json
index 15df246b8..61fa549ed 100644
--- a/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-config-rules-global.json
+++ b/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-config-rules-global.json
@@ -1,46 +1,46 @@
-[
- {
- "ParameterKey": "EnableRootMfaRule",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "EnableIamPasswordPolicyRule",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "KMSId",
- "ParameterValue": ""
- },
- {
- "ParameterKey": "MaximumExecutionFrequency",
- "ParameterValue": "TwentyFour_Hours"
- },
- {
- "ParameterKey": "RequireUppercaseCharacters",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "RequireLowercaseCharacters",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "RequireSymbols",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "RequireNumbers",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "MinimumPasswordLength",
- "ParameterValue": "12"
- },
- {
- "ParameterKey": "PasswordReusePrevention",
- "ParameterValue": "6"
- },
- {
- "ParameterKey": "MaxPasswordAge",
- "ParameterValue": "90"
- }
+[
+ {
+ "ParameterKey": "EnableRootMfaRule",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "EnableIamPasswordPolicyRule",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "KMSId",
+ "ParameterValue": ""
+ },
+ {
+ "ParameterKey": "MaximumExecutionFrequency",
+ "ParameterValue": "TwentyFour_Hours"
+ },
+ {
+ "ParameterKey": "RequireUppercaseCharacters",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "RequireLowercaseCharacters",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "RequireSymbols",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "RequireNumbers",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "MinimumPasswordLength",
+ "ParameterValue": "12"
+ },
+ {
+ "ParameterKey": "PasswordReusePrevention",
+ "ParameterValue": "6"
+ },
+ {
+ "ParameterKey": "MaxPasswordAge",
+ "ParameterValue": "90"
+ }
]
\ No newline at end of file
diff --git a/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-config-rules.json b/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-config-rules.json
index 07eac56fd..79d372cc5 100644
--- a/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-config-rules.json
+++ b/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-config-rules.json
@@ -1,58 +1,58 @@
-[
- {
- "ParameterKey": "EnableEncryptedVolumesRule",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "EnableRdsEncryptionRule",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "EnableS3PublicReadRule",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "EnableS3PublicWriteRule",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "EnableS3ServerSideEncryptionRule",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "EnableRestrictedCommonPortsRule",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "EnableRestrictedSshRule",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "KMSId",
- "ParameterValue": ""
- },
- {
- "ParameterKey": "MaximumExecutionFrequency",
- "ParameterValue": "TwentyFour_Hours"
- },
- {
- "ParameterKey": "blockedPort1",
- "ParameterValue": "20"
- },
- {
- "ParameterKey": "blockedPort2",
- "ParameterValue": "21"
- },
- {
- "ParameterKey": "blockedPort3",
- "ParameterValue": "3389"
- },
- {
- "ParameterKey": "blockedPort4",
- "ParameterValue": "3306"
- },
- {
- "ParameterKey": "blockedPort5",
- "ParameterValue": "4333"
- }
+[
+ {
+ "ParameterKey": "EnableEncryptedVolumesRule",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "EnableRdsEncryptionRule",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "EnableS3PublicReadRule",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "EnableS3PublicWriteRule",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "EnableS3ServerSideEncryptionRule",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "EnableRestrictedCommonPortsRule",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "EnableRestrictedSshRule",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "KMSId",
+ "ParameterValue": ""
+ },
+ {
+ "ParameterKey": "MaximumExecutionFrequency",
+ "ParameterValue": "TwentyFour_Hours"
+ },
+ {
+ "ParameterKey": "blockedPort1",
+ "ParameterValue": "20"
+ },
+ {
+ "ParameterKey": "blockedPort2",
+ "ParameterValue": "21"
+ },
+ {
+ "ParameterKey": "blockedPort3",
+ "ParameterValue": "3389"
+ },
+ {
+ "ParameterKey": "blockedPort4",
+ "ParameterValue": "3306"
+ },
+ {
+ "ParameterKey": "blockedPort5",
+ "ParameterValue": "4333"
+ }
]
\ No newline at end of file
diff --git a/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-enable-cloudtrail.json b/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-enable-cloudtrail.json
index e464ed23b..736edbd74 100644
--- a/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-enable-cloudtrail.json
+++ b/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-enable-cloudtrail.json
@@ -1,42 +1,42 @@
-[
- {
- "ParameterKey": "PublishToTopic",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "PublishToCloudWatchLogs",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "LogsRetentionInDays",
- "ParameterValue": "14"
- },
- {
- "ParameterKey": "CloudWatchLogsGroupName",
- "ParameterValue": "CloudTrail/Landing-Zone-Logs"
- },
- {
- "ParameterKey": "EnableLogFileValidation",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "IncludeGlobalEvents",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "MultiRegion",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "SNSTopic",
- "ParameterValue": "$[alfred_ssm_/org/primary/sns_topic_arn]"
- },
- {
- "ParameterKey": "TrailBucket",
- "ParameterValue": "$[alfred_ssm_/org/member/logging/bucket_name]"
- },
- {
- "ParameterKey": "AWSLogsS3KeyPrefix",
- "ParameterValue": "$[alfred_ssm_/org/primary/organization_id]"
- }
-]
+[
+ {
+ "ParameterKey": "PublishToTopic",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "PublishToCloudWatchLogs",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "LogsRetentionInDays",
+ "ParameterValue": "14"
+ },
+ {
+ "ParameterKey": "CloudWatchLogsGroupName",
+ "ParameterValue": "CloudTrail/Landing-Zone-Logs"
+ },
+ {
+ "ParameterKey": "EnableLogFileValidation",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "IncludeGlobalEvents",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "MultiRegion",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "SNSTopic",
+ "ParameterValue": "$[alfred_ssm_/org/primary/sns_topic_arn]"
+ },
+ {
+ "ParameterKey": "TrailBucket",
+ "ParameterValue": "$[alfred_ssm_/org/member/logging/bucket_name]"
+ },
+ {
+ "ParameterKey": "AWSLogsS3KeyPrefix",
+ "ParameterValue": "$[alfred_ssm_/org/primary/organization_id]"
+ }
+]
diff --git a/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-enable-config.json b/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-enable-config.json
index c3b46d19a..548ee88ba 100644
--- a/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-enable-config.json
+++ b/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-enable-config.json
@@ -1,54 +1,54 @@
-[
- {
- "ParameterKey": "AllSupported",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "IncludeGlobalResourceTypes",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "ResourceTypes",
- "ParameterValue": "AWS::CloudTrail::Trail"
- },
- {
- "ParameterKey": "DeliveryChannelName",
- "ParameterValue": "Landing-Zone-Delivery-Channel"
- },
- {
- "ParameterKey": "Frequency",
- "ParameterValue": "24hours"
- },
- {
- "ParameterKey": "TopicArn",
- "ParameterValue": "$[alfred_ssm_/org/primary/sns_topic_arn]"
- },
- {
- "ParameterKey": "BucketName",
- "ParameterValue": "$[alfred_ssm_/org/member/logging/bucket_name]"
- },
- {
- "ParameterKey": "NotifyDisplayName",
- "ParameterValue": "LZNotify"
- },
- {
- "ParameterKey": "NotifyTopicName",
- "ParameterValue": "AWS-Landing-Zone-Security-Notification"
- },
- {
- "ParameterKey": "LogsRetentionInDays",
- "ParameterValue": "14"
- },
- {
- "ParameterKey": "EnableConfigRuleComplianceChangeAlarm",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "SecurityNotificationTopicArn",
- "ParameterValue": "$[alfred_ssm_/org/primary/sns_notification_arn]"
- },
- {
- "ParameterKey": "AWSLogsS3KeyPrefix",
- "ParameterValue": "$[alfred_ssm_/org/primary/organization_id]"
- }
-]
+[
+ {
+ "ParameterKey": "AllSupported",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "IncludeGlobalResourceTypes",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "ResourceTypes",
+ "ParameterValue": "AWS::CloudTrail::Trail"
+ },
+ {
+ "ParameterKey": "DeliveryChannelName",
+ "ParameterValue": "Landing-Zone-Delivery-Channel"
+ },
+ {
+ "ParameterKey": "Frequency",
+ "ParameterValue": "24hours"
+ },
+ {
+ "ParameterKey": "TopicArn",
+ "ParameterValue": "$[alfred_ssm_/org/primary/sns_topic_arn]"
+ },
+ {
+ "ParameterKey": "BucketName",
+ "ParameterValue": "$[alfred_ssm_/org/member/logging/bucket_name]"
+ },
+ {
+ "ParameterKey": "NotifyDisplayName",
+ "ParameterValue": "LZNotify"
+ },
+ {
+ "ParameterKey": "NotifyTopicName",
+ "ParameterValue": "AWS-Landing-Zone-Security-Notification"
+ },
+ {
+ "ParameterKey": "LogsRetentionInDays",
+ "ParameterValue": "14"
+ },
+ {
+ "ParameterKey": "EnableConfigRuleComplianceChangeAlarm",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "SecurityNotificationTopicArn",
+ "ParameterValue": "$[alfred_ssm_/org/primary/sns_notification_arn]"
+ },
+ {
+ "ParameterKey": "AWSLogsS3KeyPrefix",
+ "ParameterValue": "$[alfred_ssm_/org/primary/organization_id]"
+ }
+]
diff --git a/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-iam-password-policy.json b/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-iam-password-policy.json
index a269a853f..ecf8dffd0 100644
--- a/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-iam-password-policy.json
+++ b/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-iam-password-policy.json
@@ -1,42 +1,42 @@
-[
- {
- "ParameterKey": "AllowUsersToChangePassword",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "HardExpiry",
- "ParameterValue": "false"
- },
- {
- "ParameterKey": "RequireUppercaseCharacters",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "RequireLowercaseCharacters",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "RequireSymbols",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "RequireNumbers",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "MinimumPasswordLength",
- "ParameterValue": "12"
- },
- {
- "ParameterKey": "PasswordReusePrevention",
- "ParameterValue": "6"
- },
- {
- "ParameterKey": "MaxPasswordAge",
- "ParameterValue": "90"
- },
- {
- "ParameterKey": "LogsRetentionInDays",
- "ParameterValue": "14"
- }
-]
+[
+ {
+ "ParameterKey": "AllowUsersToChangePassword",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "HardExpiry",
+ "ParameterValue": "false"
+ },
+ {
+ "ParameterKey": "RequireUppercaseCharacters",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "RequireLowercaseCharacters",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "RequireSymbols",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "RequireNumbers",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "MinimumPasswordLength",
+ "ParameterValue": "12"
+ },
+ {
+ "ParameterKey": "PasswordReusePrevention",
+ "ParameterValue": "6"
+ },
+ {
+ "ParameterKey": "MaxPasswordAge",
+ "ParameterValue": "90"
+ },
+ {
+ "ParameterKey": "LogsRetentionInDays",
+ "ParameterValue": "14"
+ }
+]
diff --git a/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-notifications.json b/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-notifications.json
index cbc40b11a..888077c76 100644
--- a/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-notifications.json
+++ b/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-notifications.json
@@ -1,54 +1,54 @@
-[
- {
- "ParameterKey": "LogGroupName",
- "ParameterValue": "CloudTrail/Landing-Zone-Logs"
- },
- {
- "ParameterKey": "EnableSecurityGroupChangeAlarm",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "EnableNetworkAclChangeAlarm",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "EnableGatewayChangeAlarm",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "EnableVpcChangeAlarm",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "EnableEc2InstanceChangeAlarm",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "EnableEc2LargeInstanceChangeAlarm",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "EnableCloudTrailChangeAlarm",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "EnableConsoleSignInFailureAlarm",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "EnableAuthorizationFailureAlarm",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "EnableIamPolicyChangesAlarm",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "EnableRootLoginAlarm",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "SNSNotificationTopic",
- "ParameterValue": "/org/member/local_sns_arn"
- }
-]
+[
+ {
+ "ParameterKey": "LogGroupName",
+ "ParameterValue": "CloudTrail/Landing-Zone-Logs"
+ },
+ {
+ "ParameterKey": "EnableSecurityGroupChangeAlarm",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "EnableNetworkAclChangeAlarm",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "EnableGatewayChangeAlarm",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "EnableVpcChangeAlarm",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "EnableEc2InstanceChangeAlarm",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "EnableEc2LargeInstanceChangeAlarm",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "EnableCloudTrailChangeAlarm",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "EnableConsoleSignInFailureAlarm",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "EnableAuthorizationFailureAlarm",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "EnableIamPolicyChangesAlarm",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "EnableRootLoginAlarm",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "SNSNotificationTopic",
+ "ParameterValue": "/org/member/local_sns_arn"
+ }
+]
diff --git a/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-primary-vpc.json b/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-primary-vpc.json
index 561e71740..e58085ffa 100644
--- a/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-primary-vpc.json
+++ b/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-primary-vpc.json
@@ -1,20 +1,20 @@
-[
- {
- "ParameterKey": "AvailabilityZones",
- "ParameterValue": "$[alfred_genaz_2]",
- "ssm_parameters": [
- {
- "name": "/org/member/primary_vpc/dummy_az_list",
- "value": "$[AZ]"
- }
- ]
- },
- {
- "ParameterKey": "NumberOfAZs",
- "ParameterValue": "2"
- },
- {
- "ParameterKey": "ManagedResourcePrefix",
- "ParameterValue": "aws-landing-zone"
- }
-]
+[
+ {
+ "ParameterKey": "AvailabilityZones",
+ "ParameterValue": "$[alfred_genaz_2]",
+ "ssm_parameters": [
+ {
+ "name": "/org/member/primary_vpc/dummy_az_list",
+ "value": "$[AZ]"
+ }
+ ]
+ },
+ {
+ "ParameterKey": "NumberOfAZs",
+ "ParameterValue": "2"
+ },
+ {
+ "ParameterKey": "ManagedResourcePrefix",
+ "ParameterValue": "aws-landing-zone"
+ }
+]
diff --git a/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-security-roles.json b/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-security-roles.json
index 8c156d034..80706da55 100644
--- a/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-security-roles.json
+++ b/reference-artifacts/aws-landing-zone-configuration/parameters/aws_baseline/aws-landing-zone-security-roles.json
@@ -1,26 +1,26 @@
-[
- {
- "ParameterKey": "EnableAdminRole",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "EnableReadOnlyRole",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "AdminRoleName",
- "ParameterValue": "AWSLandingZoneAdminExecutionRole"
- },
- {
- "ParameterKey": "ReadOnlyRoleName",
- "ParameterValue": "AWSLandingZoneReadOnlyExecutionRole"
- },
- {
- "ParameterKey": "SecurityAccountAdminRoleArn",
- "ParameterValue": "$[alfred_ssm_/org/member/security/admin_role_arn]"
- },
- {
- "ParameterKey": "SecurityAccountReadOnlyRoleArn",
- "ParameterValue": "$[alfred_ssm_/org/member/security/readonly_role_arn]"
- }
-]
+[
+ {
+ "ParameterKey": "EnableAdminRole",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "EnableReadOnlyRole",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "AdminRoleName",
+ "ParameterValue": "AWSLandingZoneAdminExecutionRole"
+ },
+ {
+ "ParameterKey": "ReadOnlyRoleName",
+ "ParameterValue": "AWSLandingZoneReadOnlyExecutionRole"
+ },
+ {
+ "ParameterKey": "SecurityAccountAdminRoleArn",
+ "ParameterValue": "$[alfred_ssm_/org/member/security/admin_role_arn]"
+ },
+ {
+ "ParameterKey": "SecurityAccountReadOnlyRoleArn",
+ "ParameterValue": "$[alfred_ssm_/org/member/security/readonly_role_arn]"
+ }
+]
diff --git a/reference-artifacts/aws-landing-zone-configuration/parameters/core_accounts/aws-landing-zone-guardduty-master.json b/reference-artifacts/aws-landing-zone-configuration/parameters/core_accounts/aws-landing-zone-guardduty-master.json
index 2d3087a94..67a56f177 100644
--- a/reference-artifacts/aws-landing-zone-configuration/parameters/core_accounts/aws-landing-zone-guardduty-master.json
+++ b/reference-artifacts/aws-landing-zone-configuration/parameters/core_accounts/aws-landing-zone-guardduty-master.json
@@ -1,22 +1,22 @@
-[
- {
- "ParameterKey": "AlarmNotificationTopic",
- "ParameterValue": "$[alfred_ssm_/org/primary/sns_notification_arn]"
- },
- {
- "ParameterKey": "NotifyDisplayName",
- "ParameterValue": "GDNotify"
- },
- {
- "ParameterKey": "NotifyTopicName",
- "ParameterValue": "AWS-Landing-Zone-GuardDuty-Notifications"
- },
- {
- "ParameterKey": "GuardDutyFindingNotifications",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "LogsRetentionInDays",
- "ParameterValue": "14"
- }
-]
+[
+ {
+ "ParameterKey": "AlarmNotificationTopic",
+ "ParameterValue": "$[alfred_ssm_/org/primary/sns_notification_arn]"
+ },
+ {
+ "ParameterKey": "NotifyDisplayName",
+ "ParameterValue": "GDNotify"
+ },
+ {
+ "ParameterKey": "NotifyTopicName",
+ "ParameterValue": "AWS-Landing-Zone-GuardDuty-Notifications"
+ },
+ {
+ "ParameterKey": "GuardDutyFindingNotifications",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "LogsRetentionInDays",
+ "ParameterValue": "14"
+ }
+]
diff --git a/reference-artifacts/aws-landing-zone-configuration/parameters/core_accounts/aws-landing-zone-logging.json b/reference-artifacts/aws-landing-zone-configuration/parameters/core_accounts/aws-landing-zone-logging.json
index 60b446264..ff9119cc8 100644
--- a/reference-artifacts/aws-landing-zone-configuration/parameters/core_accounts/aws-landing-zone-logging.json
+++ b/reference-artifacts/aws-landing-zone-configuration/parameters/core_accounts/aws-landing-zone-logging.json
@@ -1,14 +1,14 @@
-[
- {
- "ParameterKey": "SSEAlgorithm",
- "ParameterValue": "AES256"
- },
- {
- "ParameterKey": "KMSMasterKeyID",
- "ParameterValue": ""
- },
- {
- "ParameterKey": "AWSLogsS3KeyPrefix",
- "ParameterValue": "$[alfred_ssm_/org/primary/organization_id]"
- }
-]
+[
+ {
+ "ParameterKey": "SSEAlgorithm",
+ "ParameterValue": "AES256"
+ },
+ {
+ "ParameterKey": "KMSMasterKeyID",
+ "ParameterValue": ""
+ },
+ {
+ "ParameterKey": "AWSLogsS3KeyPrefix",
+ "ParameterValue": "$[alfred_ssm_/org/primary/organization_id]"
+ }
+]
diff --git a/reference-artifacts/aws-landing-zone-configuration/parameters/core_accounts/aws-landing-zone-notification.json b/reference-artifacts/aws-landing-zone-configuration/parameters/core_accounts/aws-landing-zone-notification.json
index 513758355..4d57566e7 100644
--- a/reference-artifacts/aws-landing-zone-configuration/parameters/core_accounts/aws-landing-zone-notification.json
+++ b/reference-artifacts/aws-landing-zone-configuration/parameters/core_accounts/aws-landing-zone-notification.json
@@ -1,34 +1,34 @@
-[
- {
- "ParameterKey": "AllConfigurationEmail",
- "ParameterValue": "$[alfred_ssm_/org/primary/all_alerts_email_id]"
- },
- {
- "ParameterKey": "AllConfigurationDisplayName",
- "ParameterValue": "LZConfig"
- },
- {
- "ParameterKey": "AllConfigurationTopicName",
- "ParameterValue": "AWS-Landing-Zone-All-Config-Notifications"
- },
- {
- "ParameterKey": "NotifyEmail",
- "ParameterValue": "$[alfred_ssm_/org/primary/security_alert_email_id]"
- },
- {
- "ParameterKey": "NotifyDisplayName",
- "ParameterValue": "LZ Security Notification"
- },
- {
- "ParameterKey": "NotifyTopicName",
- "ParameterValue": "AWS-Landing-Zone-Aggregate-Security-Notifications"
- },
- {
- "ParameterKey": "OrgID",
- "ParameterValue": "$[alfred_ssm_/org/primary/organization_id]"
- },
- {
- "ParameterKey": "SubscribeToAllConfigurationTopic",
- "ParameterValue": "false"
- }
+[
+ {
+ "ParameterKey": "AllConfigurationEmail",
+ "ParameterValue": "$[alfred_ssm_/org/primary/all_alerts_email_id]"
+ },
+ {
+ "ParameterKey": "AllConfigurationDisplayName",
+ "ParameterValue": "LZConfig"
+ },
+ {
+ "ParameterKey": "AllConfigurationTopicName",
+ "ParameterValue": "AWS-Landing-Zone-All-Config-Notifications"
+ },
+ {
+ "ParameterKey": "NotifyEmail",
+ "ParameterValue": "$[alfred_ssm_/org/primary/security_alert_email_id]"
+ },
+ {
+ "ParameterKey": "NotifyDisplayName",
+ "ParameterValue": "LZ Security Notification"
+ },
+ {
+ "ParameterKey": "NotifyTopicName",
+ "ParameterValue": "AWS-Landing-Zone-Aggregate-Security-Notifications"
+ },
+ {
+ "ParameterKey": "OrgID",
+ "ParameterValue": "$[alfred_ssm_/org/primary/organization_id]"
+ },
+ {
+ "ParameterKey": "SubscribeToAllConfigurationTopic",
+ "ParameterValue": "false"
+ }
]
\ No newline at end of file
diff --git a/reference-artifacts/aws-landing-zone-configuration/parameters/core_accounts/aws-landing-zone-security.json b/reference-artifacts/aws-landing-zone-configuration/parameters/core_accounts/aws-landing-zone-security.json
index 01bc18312..27d6ab1d7 100644
--- a/reference-artifacts/aws-landing-zone-configuration/parameters/core_accounts/aws-landing-zone-security.json
+++ b/reference-artifacts/aws-landing-zone-configuration/parameters/core_accounts/aws-landing-zone-security.json
@@ -1,10 +1,10 @@
-[
- {
- "ParameterKey": "AdminRoleName",
- "ParameterValue": "AWSLandingZoneSecurityAdministratorRole"
- },
- {
- "ParameterKey": "ReadOnlyRoleName",
- "ParameterValue": "AWSLandingZoneSecurityReadOnlyRole"
- }
-]
+[
+ {
+ "ParameterKey": "AdminRoleName",
+ "ParameterValue": "AWSLandingZoneSecurityAdministratorRole"
+ },
+ {
+ "ParameterKey": "ReadOnlyRoleName",
+ "ParameterValue": "AWSLandingZoneSecurityReadOnlyRole"
+ }
+]
diff --git a/reference-artifacts/aws-landing-zone-configuration/parameters/core_accounts/aws-landing-zone-shared-services-vpc.json b/reference-artifacts/aws-landing-zone-configuration/parameters/core_accounts/aws-landing-zone-shared-services-vpc.json
index f2e005d74..670289716 100644
--- a/reference-artifacts/aws-landing-zone-configuration/parameters/core_accounts/aws-landing-zone-shared-services-vpc.json
+++ b/reference-artifacts/aws-landing-zone-configuration/parameters/core_accounts/aws-landing-zone-shared-services-vpc.json
@@ -1,92 +1,92 @@
-[
- {
- "ParameterKey": "AvailabilityZones",
- "ParameterValue": "$[alfred_genaz_3]",
- "ssm_parameters": [
- {
- "name": "/org/member/sharedservices/primary_vpc/az_list",
- "value": "$[AZ]"
- }
- ]
- },
- {
- "ParameterKey": "NumberOfAZs",
- "ParameterValue": "3"
- },
- {
- "ParameterKey": "CreateAdditionalPrivateSubnets",
- "ParameterValue": "false"
- },
- {
- "ParameterKey": "CreatePrivateSubnets",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "CreatePublicSubnets",
- "ParameterValue": "true"
- },
- {
- "ParameterKey": "PrivateSubnet1ACIDR",
- "ParameterValue": "100.64.96.0/19"
- },
- {
- "ParameterKey": "PrivateSubnet1BCIDR",
- "ParameterValue": "None"
- },
- {
- "ParameterKey": "PrivateSubnet2ACIDR",
- "ParameterValue": "100.64.128.0/19"
- },
- {
- "ParameterKey": "PrivateSubnet2BCIDR",
- "ParameterValue": "None"
- },
- {
- "ParameterKey": "PrivateSubnet3ACIDR",
- "ParameterValue": "100.64.160.0/19"
- },
- {
- "ParameterKey": "PrivateSubnet3BCIDR",
- "ParameterValue": "None"
- },
- {
- "ParameterKey": "PrivateSubnet4ACIDR",
- "ParameterValue": "None"
- },
- {
- "ParameterKey": "PrivateSubnet4BCIDR",
- "ParameterValue": "None"
- },
- {
- "ParameterKey": "PublicSubnet1CIDR",
- "ParameterValue": "100.64.0.0/19"
- },
- {
- "ParameterKey": "PublicSubnet2CIDR",
- "ParameterValue": "100.64.32.0/19"
- },
- {
- "ParameterKey": "PublicSubnet3CIDR",
- "ParameterValue": "100.64.64.0/19"
- },
- {
- "ParameterKey": "PublicSubnet4CIDR",
- "ParameterValue": "None"
- },
- {
- "ParameterKey": "VPCCIDR",
- "ParameterValue": "100.64.0.0/16"
- },
- {
- "ParameterKey": "TransitVPC",
- "ParameterValue": "false"
- },
- {
- "ParameterKey": "LogsRetentionInDays",
- "ParameterValue": "90"
- },
- {
- "ParameterKey": "ManagedResourcePrefix",
- "ParameterValue": "aws-landing-zone"
- }
+[
+ {
+ "ParameterKey": "AvailabilityZones",
+ "ParameterValue": "$[alfred_genaz_3]",
+ "ssm_parameters": [
+ {
+ "name": "/org/member/sharedservices/primary_vpc/az_list",
+ "value": "$[AZ]"
+ }
+ ]
+ },
+ {
+ "ParameterKey": "NumberOfAZs",
+ "ParameterValue": "3"
+ },
+ {
+ "ParameterKey": "CreateAdditionalPrivateSubnets",
+ "ParameterValue": "false"
+ },
+ {
+ "ParameterKey": "CreatePrivateSubnets",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "CreatePublicSubnets",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "PrivateSubnet1ACIDR",
+ "ParameterValue": "100.64.96.0/19"
+ },
+ {
+ "ParameterKey": "PrivateSubnet1BCIDR",
+ "ParameterValue": "None"
+ },
+ {
+ "ParameterKey": "PrivateSubnet2ACIDR",
+ "ParameterValue": "100.64.128.0/19"
+ },
+ {
+ "ParameterKey": "PrivateSubnet2BCIDR",
+ "ParameterValue": "None"
+ },
+ {
+ "ParameterKey": "PrivateSubnet3ACIDR",
+ "ParameterValue": "100.64.160.0/19"
+ },
+ {
+ "ParameterKey": "PrivateSubnet3BCIDR",
+ "ParameterValue": "None"
+ },
+ {
+ "ParameterKey": "PrivateSubnet4ACIDR",
+ "ParameterValue": "None"
+ },
+ {
+ "ParameterKey": "PrivateSubnet4BCIDR",
+ "ParameterValue": "None"
+ },
+ {
+ "ParameterKey": "PublicSubnet1CIDR",
+ "ParameterValue": "100.64.0.0/19"
+ },
+ {
+ "ParameterKey": "PublicSubnet2CIDR",
+ "ParameterValue": "100.64.32.0/19"
+ },
+ {
+ "ParameterKey": "PublicSubnet3CIDR",
+ "ParameterValue": "100.64.64.0/19"
+ },
+ {
+ "ParameterKey": "PublicSubnet4CIDR",
+ "ParameterValue": "None"
+ },
+ {
+ "ParameterKey": "VPCCIDR",
+ "ParameterValue": "100.64.0.0/16"
+ },
+ {
+ "ParameterKey": "TransitVPC",
+ "ParameterValue": "false"
+ },
+ {
+ "ParameterKey": "LogsRetentionInDays",
+ "ParameterValue": "90"
+ },
+ {
+ "ParameterKey": "ManagedResourcePrefix",
+ "ParameterValue": "aws-landing-zone"
+ }
]
\ No newline at end of file
diff --git a/reference-artifacts/aws-landing-zone-configuration/policies/aws-landing-zone-core-mandatory-preventive-guardrails.json b/reference-artifacts/aws-landing-zone-configuration/policies/aws-landing-zone-core-mandatory-preventive-guardrails.json
index fa0b9b470..106811a3f 100644
--- a/reference-artifacts/aws-landing-zone-configuration/policies/aws-landing-zone-core-mandatory-preventive-guardrails.json
+++ b/reference-artifacts/aws-landing-zone-configuration/policies/aws-landing-zone-core-mandatory-preventive-guardrails.json
@@ -1,245 +1,245 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- }
- },
- "Action": [
- "sns:Subscribe",
- "sns:Unsubscribe"
- ],
- "Resource": [
- "arn:aws:sns:*:*:AWS-Landing-Zone*"
- ],
- "Effect": "Deny",
- "Sid": "GRSNSSUBSCRIPTIONPOLICY"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- }
- },
- "Action": [
- "cloudtrail:DeleteTrail",
- "cloudtrail:PutEventSelectors",
- "cloudtrail:StopLogging",
- "cloudtrail:UpdateTrail"
- ],
- "Resource": [
- "arn:aws:cloudtrail:*:*:trail/*AWS-Landing-Zone-*"
- ],
- "Effect": "Deny",
- "Sid": "GRCLOUDTRAILENABLED"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- }
- },
- "Action": [
- "sns:AddPermission",
- "sns:CreateTopic",
- "sns:DeleteTopic",
- "sns:RemovePermission",
- "sns:SetTopicAttributes"
- ],
- "Resource": [
- "arn:aws:sns:*:*:AWS-Landing-Zone-*"
- ],
- "Effect": "Deny",
- "Sid": "GRSNSTOPICPOLICY"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- }
- },
- "Action": [
- "lambda:AddPermission",
- "lambda:CreateEventSourceMapping",
- "lambda:CreateFunction",
- "lambda:DeleteEventSourceMapping",
- "lambda:DeleteFunction",
- "lambda:DeleteFunctionConcurrency",
- "lambda:PutFunctionConcurrency",
- "lambda:RemovePermission",
- "lambda:UpdateEventSourceMapping",
- "lambda:UpdateFunctionCode",
- "lambda:UpdateFunctionConfiguration"
- ],
- "Resource": [
- "arn:aws:lambda:*:*:function:AWS-Landing-Zone-*",
- "arn:aws:lambda:*:*:function:LandingZone*"
- ],
- "Effect": "Deny",
- "Sid": "GRLAMBDAFUNCTIONPOLICY"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- }
- },
- "Action": [
- "config:DeleteConfigurationRecorder",
- "config:DeleteDeliveryChannel",
- "config:DeleteRetentionConfiguration",
- "config:PutConfigurationRecorder",
- "config:PutDeliveryChannel",
- "config:PutRetentionConfiguration",
- "config:StopConfigurationRecorder"
- ],
- "Resource": [
- "*"
- ],
- "Effect": "Deny",
- "Sid": "GRCONFIGENABLED"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- }
- },
- "Action": [
- "iam:AttachRolePolicy",
- "iam:CreateRole",
- "iam:DeleteRole",
- "iam:DeleteRolePermissionsBoundary",
- "iam:DeleteRolePolicy",
- "iam:DetachRolePolicy",
- "iam:PutRolePermissionsBoundary",
- "iam:PutRolePolicy",
- "iam:UpdateAssumeRolePolicy",
- "iam:UpdateRole",
- "iam:UpdateRoleDescription"
- ],
- "Resource": [
- "arn:aws:iam::*:role/AWS-Landing-Zone-*",
- "arn:aws:iam::*:role/*AWSLandingZone*"
- ],
- "Effect": "Deny",
- "Sid": "GRIAMROLEPOLICY"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- }
- },
- "Action": [
- "events:PutRule",
- "events:PutTargets",
- "events:RemoveTargets",
- "events:DisableRule",
- "events:DeleteRule"
- ],
- "Resource": [
- "arn:aws:events:*:*:rule/AWS-Landing-Zone-*"
- ],
- "Effect": "Deny",
- "Sid": "GRCLOUDWATCHEVENTPOLICY"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- }
- },
- "Action": [
- "config:TagResource",
- "config:UntagResource"
- ],
- "Resource": [
- "*"
- ],
- "Effect": "Deny",
- "Sid": "GRCONFIGRULETAGSPOLICY"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- }
- },
- "Action": [
- "s3:PutEncryptionConfiguration"
- ],
- "Resource": [
- "*"
- ],
- "Effect": "Deny",
- "Sid": "GRAUDITBUCKETENCRYPTIONENABLED"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- }
- },
- "Action": [
- "s3:PutBucketPolicy"
- ],
- "Resource": [
- "*"
- ],
- "Effect": "Deny",
- "Sid": "GRAUDITBUCKETPOLICYCHANGESPROHIBITED"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- }
- },
- "Action": [
- "s3:PutLifecycleConfiguration"
- ],
- "Resource": [
- "*"
- ],
- "Effect": "Deny",
- "Sid": "GRAUDITBUCKETRETENTIONPOLICY"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- }
- },
- "Action": [
- "s3:PutBucketLogging"
- ],
- "Resource": [
- "*"
- ],
- "Effect": "Deny",
- "Sid": "GRAUDITBUCKETLOGGINGENABLED"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- }
- },
- "Action": [
- "config:PutConfigRule",
- "config:DeleteConfigRule",
- "config:DeleteEvaluationResults",
- "config:DeleteConfigurationAggregator",
- "config:PutConfigurationAggregator"
- ],
- "Resource": [
- "*"
- ],
- "Effect": "Deny",
- "Sid": "GRCONFIGRULEPOLICY"
- }
- ]
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ }
+ },
+ "Action": [
+ "sns:Subscribe",
+ "sns:Unsubscribe"
+ ],
+ "Resource": [
+ "arn:aws:sns:*:*:AWS-Landing-Zone*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRSNSSUBSCRIPTIONPOLICY"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ }
+ },
+ "Action": [
+ "cloudtrail:DeleteTrail",
+ "cloudtrail:PutEventSelectors",
+ "cloudtrail:StopLogging",
+ "cloudtrail:UpdateTrail"
+ ],
+ "Resource": [
+ "arn:aws:cloudtrail:*:*:trail/*AWS-Landing-Zone-*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRCLOUDTRAILENABLED"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ }
+ },
+ "Action": [
+ "sns:AddPermission",
+ "sns:CreateTopic",
+ "sns:DeleteTopic",
+ "sns:RemovePermission",
+ "sns:SetTopicAttributes"
+ ],
+ "Resource": [
+ "arn:aws:sns:*:*:AWS-Landing-Zone-*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRSNSTOPICPOLICY"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ }
+ },
+ "Action": [
+ "lambda:AddPermission",
+ "lambda:CreateEventSourceMapping",
+ "lambda:CreateFunction",
+ "lambda:DeleteEventSourceMapping",
+ "lambda:DeleteFunction",
+ "lambda:DeleteFunctionConcurrency",
+ "lambda:PutFunctionConcurrency",
+ "lambda:RemovePermission",
+ "lambda:UpdateEventSourceMapping",
+ "lambda:UpdateFunctionCode",
+ "lambda:UpdateFunctionConfiguration"
+ ],
+ "Resource": [
+ "arn:aws:lambda:*:*:function:AWS-Landing-Zone-*",
+ "arn:aws:lambda:*:*:function:LandingZone*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRLAMBDAFUNCTIONPOLICY"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ }
+ },
+ "Action": [
+ "config:DeleteConfigurationRecorder",
+ "config:DeleteDeliveryChannel",
+ "config:DeleteRetentionConfiguration",
+ "config:PutConfigurationRecorder",
+ "config:PutDeliveryChannel",
+ "config:PutRetentionConfiguration",
+ "config:StopConfigurationRecorder"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRCONFIGENABLED"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ }
+ },
+ "Action": [
+ "iam:AttachRolePolicy",
+ "iam:CreateRole",
+ "iam:DeleteRole",
+ "iam:DeleteRolePermissionsBoundary",
+ "iam:DeleteRolePolicy",
+ "iam:DetachRolePolicy",
+ "iam:PutRolePermissionsBoundary",
+ "iam:PutRolePolicy",
+ "iam:UpdateAssumeRolePolicy",
+ "iam:UpdateRole",
+ "iam:UpdateRoleDescription"
+ ],
+ "Resource": [
+ "arn:aws:iam::*:role/AWS-Landing-Zone-*",
+ "arn:aws:iam::*:role/*AWSLandingZone*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRIAMROLEPOLICY"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ }
+ },
+ "Action": [
+ "events:PutRule",
+ "events:PutTargets",
+ "events:RemoveTargets",
+ "events:DisableRule",
+ "events:DeleteRule"
+ ],
+ "Resource": [
+ "arn:aws:events:*:*:rule/AWS-Landing-Zone-*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRCLOUDWATCHEVENTPOLICY"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ }
+ },
+ "Action": [
+ "config:TagResource",
+ "config:UntagResource"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRCONFIGRULETAGSPOLICY"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ }
+ },
+ "Action": [
+ "s3:PutEncryptionConfiguration"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRAUDITBUCKETENCRYPTIONENABLED"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ }
+ },
+ "Action": [
+ "s3:PutBucketPolicy"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRAUDITBUCKETPOLICYCHANGESPROHIBITED"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ }
+ },
+ "Action": [
+ "s3:PutLifecycleConfiguration"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRAUDITBUCKETRETENTIONPOLICY"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ }
+ },
+ "Action": [
+ "s3:PutBucketLogging"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRAUDITBUCKETLOGGINGENABLED"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ }
+ },
+ "Action": [
+ "config:PutConfigRule",
+ "config:DeleteConfigRule",
+ "config:DeleteEvaluationResults",
+ "config:DeleteConfigurationAggregator",
+ "config:PutConfigurationAggregator"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRCONFIGRULEPOLICY"
+ }
+ ]
}
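Review bot: The exempting principal `arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole` is not itself protected by the `GRIAMROLEPOLICY` statement, whose `Resource` list covers only `role/AWS-Landing-Zone-*` and `role/*AWSLandingZone*`; a member-account principal holding `iam:UpdateAssumeRolePolicy` or `iam:PutRolePolicy` on that role could re-point its trust policy, assume it, and step around every Deny in this SCP. Consider adding `"arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"` to that statement's `Resource` list so the bypass role gets the same protection as the roles it is allowed to manage. The `GRAUDITBUCKET*` statements use `Resource: "*"`, so they deny `s3:PutBucketPolicy`, `s3:PutEncryptionConfiguration`, `s3:PutLifecycleConfiguration` and `s3:PutBucketLogging` on every bucket in the account, not just the audit bucket the Sid names — fine if that blast radius is intended for core accounts, but worth a comment in the manifest. This hunk is a line-ending normalization (every line is removed and re-added unchanged), so these points are pre-existing rather than introduced by the commit.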
\ No newline at end of file
diff --git a/reference-artifacts/aws-landing-zone-configuration/policies/aws-landing-zone-non-core-mandatory-preventive-guardrails.json b/reference-artifacts/aws-landing-zone-configuration/policies/aws-landing-zone-non-core-mandatory-preventive-guardrails.json
index 6cc15e865..90f5f2c62 100644
--- a/reference-artifacts/aws-landing-zone-configuration/policies/aws-landing-zone-non-core-mandatory-preventive-guardrails.json
+++ b/reference-artifacts/aws-landing-zone-configuration/policies/aws-landing-zone-non-core-mandatory-preventive-guardrails.json
@@ -1,185 +1,185 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- }
- },
- "Action": [
- "sns:Subscribe",
- "sns:Unsubscribe"
- ],
- "Resource": [
- "arn:aws:sns:*:*:AWS-Landing-Zone*"
- ],
- "Effect": "Deny",
- "Sid": "GRSNSSUBSCRIPTIONPOLICY"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- }
- },
- "Action": [
- "cloudtrail:DeleteTrail",
- "cloudtrail:PutEventSelectors",
- "cloudtrail:StopLogging",
- "cloudtrail:UpdateTrail"
- ],
- "Resource": [
- "arn:aws:cloudtrail:*:*:trail/*AWS-Landing-Zone-*"
- ],
- "Effect": "Deny",
- "Sid": "GRCLOUDTRAILENABLED"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- }
- },
- "Action": [
- "sns:AddPermission",
- "sns:CreateTopic",
- "sns:DeleteTopic",
- "sns:RemovePermission",
- "sns:SetTopicAttributes"
- ],
- "Resource": [
- "arn:aws:sns:*:*:AWS-Landing-Zone-*"
- ],
- "Effect": "Deny",
- "Sid": "GRSNSTOPICPOLICY"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- }
- },
- "Action": [
- "lambda:AddPermission",
- "lambda:CreateEventSourceMapping",
- "lambda:CreateFunction",
- "lambda:DeleteEventSourceMapping",
- "lambda:DeleteFunction",
- "lambda:DeleteFunctionConcurrency",
- "lambda:PutFunctionConcurrency",
- "lambda:RemovePermission",
- "lambda:UpdateEventSourceMapping",
- "lambda:UpdateFunctionCode",
- "lambda:UpdateFunctionConfiguration"
- ],
- "Resource": [
- "arn:aws:lambda:*:*:function:AWS-Landing-Zone-*",
- "arn:aws:lambda:*:*:function:LandingZone*"
- ],
- "Effect": "Deny",
- "Sid": "GRLAMBDAFUNCTIONPOLICY"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- }
- },
- "Action": [
- "config:DeleteConfigurationRecorder",
- "config:DeleteDeliveryChannel",
- "config:DeleteRetentionConfiguration",
- "config:PutConfigurationRecorder",
- "config:PutDeliveryChannel",
- "config:PutRetentionConfiguration",
- "config:StopConfigurationRecorder"
- ],
- "Resource": [
- "*"
- ],
- "Effect": "Deny",
- "Sid": "GRCONFIGENABLED"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- }
- },
- "Action": [
- "iam:AttachRolePolicy",
- "iam:CreateRole",
- "iam:DeleteRole",
- "iam:DeleteRolePermissionsBoundary",
- "iam:DeleteRolePolicy",
- "iam:DetachRolePolicy",
- "iam:PutRolePermissionsBoundary",
- "iam:PutRolePolicy",
- "iam:UpdateAssumeRolePolicy",
- "iam:UpdateRole",
- "iam:UpdateRoleDescription"
- ],
- "Resource": [
- "arn:aws:iam::*:role/AWS-Landing-Zone-*",
- "arn:aws:iam::*:role/*AWSLandingZone*"
- ],
- "Effect": "Deny",
- "Sid": "GRIAMROLEPOLICY"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- }
- },
- "Action": [
- "events:PutRule",
- "events:PutTargets",
- "events:RemoveTargets",
- "events:DisableRule",
- "events:DeleteRule"
- ],
- "Resource": [
- "arn:aws:events:*:*:rule/AWS-Landing-Zone-*"
- ],
- "Effect": "Deny",
- "Sid": "GRCLOUDWATCHEVENTPOLICY"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- }
- },
- "Action": [
- "config:TagResource",
- "config:UntagResource"
- ],
- "Resource": [
- "*"
- ],
- "Effect": "Deny",
- "Sid": "GRCONFIGRULETAGSPOLICY"
- },
- {
- "Condition": {
- "ArnNotLike": {
- "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
- }
- },
- "Action": [
- "config:PutConfigRule",
- "config:DeleteConfigRule",
- "config:DeleteEvaluationResults",
- "config:DeleteConfigurationAggregator",
- "config:PutConfigurationAggregator"
- ],
- "Resource": [
- "*"
- ],
- "Effect": "Deny",
- "Sid": "GRCONFIGRULEPOLICY"
- }
- ]
-}
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ }
+ },
+ "Action": [
+ "sns:Subscribe",
+ "sns:Unsubscribe"
+ ],
+ "Resource": [
+ "arn:aws:sns:*:*:AWS-Landing-Zone*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRSNSSUBSCRIPTIONPOLICY"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ }
+ },
+ "Action": [
+ "cloudtrail:DeleteTrail",
+ "cloudtrail:PutEventSelectors",
+ "cloudtrail:StopLogging",
+ "cloudtrail:UpdateTrail"
+ ],
+ "Resource": [
+ "arn:aws:cloudtrail:*:*:trail/*AWS-Landing-Zone-*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRCLOUDTRAILENABLED"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ }
+ },
+ "Action": [
+ "sns:AddPermission",
+ "sns:CreateTopic",
+ "sns:DeleteTopic",
+ "sns:RemovePermission",
+ "sns:SetTopicAttributes"
+ ],
+ "Resource": [
+ "arn:aws:sns:*:*:AWS-Landing-Zone-*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRSNSTOPICPOLICY"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ }
+ },
+ "Action": [
+ "lambda:AddPermission",
+ "lambda:CreateEventSourceMapping",
+ "lambda:CreateFunction",
+ "lambda:DeleteEventSourceMapping",
+ "lambda:DeleteFunction",
+ "lambda:DeleteFunctionConcurrency",
+ "lambda:PutFunctionConcurrency",
+ "lambda:RemovePermission",
+ "lambda:UpdateEventSourceMapping",
+ "lambda:UpdateFunctionCode",
+ "lambda:UpdateFunctionConfiguration"
+ ],
+ "Resource": [
+ "arn:aws:lambda:*:*:function:AWS-Landing-Zone-*",
+ "arn:aws:lambda:*:*:function:LandingZone*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRLAMBDAFUNCTIONPOLICY"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ }
+ },
+ "Action": [
+ "config:DeleteConfigurationRecorder",
+ "config:DeleteDeliveryChannel",
+ "config:DeleteRetentionConfiguration",
+ "config:PutConfigurationRecorder",
+ "config:PutDeliveryChannel",
+ "config:PutRetentionConfiguration",
+ "config:StopConfigurationRecorder"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRCONFIGENABLED"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ }
+ },
+ "Action": [
+ "iam:AttachRolePolicy",
+ "iam:CreateRole",
+ "iam:DeleteRole",
+ "iam:DeleteRolePermissionsBoundary",
+ "iam:DeleteRolePolicy",
+ "iam:DetachRolePolicy",
+ "iam:PutRolePermissionsBoundary",
+ "iam:PutRolePolicy",
+ "iam:UpdateAssumeRolePolicy",
+ "iam:UpdateRole",
+ "iam:UpdateRoleDescription"
+ ],
+ "Resource": [
+ "arn:aws:iam::*:role/AWS-Landing-Zone-*",
+ "arn:aws:iam::*:role/*AWSLandingZone*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRIAMROLEPOLICY"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ }
+ },
+ "Action": [
+ "events:PutRule",
+ "events:PutTargets",
+ "events:RemoveTargets",
+ "events:DisableRule",
+ "events:DeleteRule"
+ ],
+ "Resource": [
+ "arn:aws:events:*:*:rule/AWS-Landing-Zone-*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRCLOUDWATCHEVENTPOLICY"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ }
+ },
+ "Action": [
+ "config:TagResource",
+ "config:UntagResource"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRCONFIGRULETAGSPOLICY"
+ },
+ {
+ "Condition": {
+ "ArnNotLike": {
+ "aws:PrincipalARN": "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ }
+ },
+ "Action": [
+ "config:PutConfigRule",
+ "config:DeleteConfigRule",
+ "config:DeleteEvaluationResults",
+ "config:DeleteConfigurationAggregator",
+ "config:PutConfigurationAggregator"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Effect": "Deny",
+ "Sid": "GRCONFIGRULEPOLICY"
+ }
+ ]
+}
diff --git a/reference-artifacts/aws-landing-zone-configuration/template_constraints/aws-landing-zone-avm-rules.json b/reference-artifacts/aws-landing-zone-configuration/template_constraints/aws-landing-zone-avm-rules.json
index e5d931030..e1d616456 100644
--- a/reference-artifacts/aws-landing-zone-configuration/template_constraints/aws-landing-zone-avm-rules.json
+++ b/reference-artifacts/aws-landing-zone-configuration/template_constraints/aws-landing-zone-avm-rules.json
@@ -1,30 +1,30 @@
-{
- "VPCPeeringRule": {
- "RuleCondition": {
- "Fn::Contains": [
- [
- "No-Primary-VPC",
- "Public-Only-2-AZ",
- "Public-Only-3-AZ",
- "Public-Only-4-AZ"
- ],
- {
- "Ref": "VPCOptions"
- }
- ]
- },
- "Assertions": [
- {
- "Assert": {
- "Fn::Equals": [
- {
- "Ref": "PeerVPC"
- },
- "false"
- ]
- },
- "AssertDescription": "The VPC must have private subnets to peer with. Choose a supported VPC design for peering or choose no peering."
- }
- ]
- }
-}
+{
+ "VPCPeeringRule": {
+ "RuleCondition": {
+ "Fn::Contains": [
+ [
+ "No-Primary-VPC",
+ "Public-Only-2-AZ",
+ "Public-Only-3-AZ",
+ "Public-Only-4-AZ"
+ ],
+ {
+ "Ref": "VPCOptions"
+ }
+ ]
+ },
+ "Assertions": [
+ {
+ "Assert": {
+ "Fn::Equals": [
+ {
+ "Ref": "PeerVPC"
+ },
+ "false"
+ ]
+ },
+ "AssertDescription": "The VPC must have private subnets to peer with. Choose a supported VPC design for peering or choose no peering."
+ }
+ ]
+ }
+}
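Review bot: The assertion `"Fn::Equals": [{"Ref": "PeerVPC"}, "false"]` only holds when the parameter value is the literal string `false`, yet the AVM template in this same commit declares `PeerVPC` with `AllowedValues` of bare `Yes`/`No` and its `PeerVPC` condition compares against `Yes`. Unless the YAML loader coerces those unquoted tokens to booleans (YAML 1.1 behaviour, which cannot be confirmed from here), this rule would fail for every `No-Primary-VPC` or `Public-Only-*` selection even when peering is declined, and conversely would never block a `Yes`. Worth pinning down by quoting the values in the template (`'Yes'`/`'No'`) and comparing against `No` here, or by switching both files to `true`/`false`. The hunk is a line-ending-only rewrite, so the mismatch predates the commit.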
diff --git a/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-avm.template.j2 b/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-avm.template.j2
index 404d7f084..f029609f3 100644
--- a/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-avm.template.j2
+++ b/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-avm.template.j2
@@ -1,528 +1,528 @@
-AWSTemplateFormatVersion: '2010-09-09'
-Description: {{manifest.portfolios[portfolio_index].products[product_index].description}}
-
-Parameters:
- AccountName:
- Description: Name for the Account
- Type: String
- MinLength: 1
- MaxLength: 50
- AccountEmail:
- Description: Email for the Account
- Type: String
- MinLength: 6
- MaxLength: 64
- AllowedPattern: ^[_A-Za-z0-9-\+\.]+(\.[_A-Za-z0-9-]+)*@[A-Za-z0-9-]+(\.[A-Za-z0-9]+)*(\.[A-Za-z]{2,})$
- ConstraintDescription: Account Email can contain only ASCII characters. This must be in the format of something@email.com
- OrgUnitName:
- Description: Name of Organizations Unit
- Type: String
- AllowedValues:
- {%- for ou in manifest.organizational_units %}
- {%- for product_name in ou['include_in_baseline_products'] %}
- {%- if product_name == manifest.portfolios[portfolio_index].products[product_index].name %}
- - {{ ou['name'] }}
- {%- endif %}
- {%- endfor %}
- {%- endfor %}
- VPCOptions:
- Type: String
- Default: No-Primary-VPC
- Description: VPC options
- AllowedValues:
- - No-Primary-VPC
- - Public-Only-2-AZ
- - Public-Only-3-AZ
- - Public-Only-4-AZ
- - Private-Only-2-AZ
- - Private-Only-3-AZ
- - Private-Only-4-AZ
- - Public-and-Private-Subnets-2-AZ
- - Public-and-Private-Subnets-3-AZ
- - Public-and-Private-Subnets-4-AZ
- - Public-and-2-Private-Subnets-2-AZ
- - Public-and-2-Private-Subnets-3-AZ
- - Public-and-2-Private-Subnets-4-AZ
-
- VPCRegion:
- Description: VPC Region
- Type: String
- AllowedValues:
- {%- for region in regions %}
- - {{ region }}
- {%- endfor %}
- Default: {{ manifest.region }}
-
- VPCCidr:
- Type: String
- AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
- ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
- Description: CIDR block for the VPC
- Default: 10.0.0.0/16
-
- PeerVPC:
- Type: String
- Default: No
- AllowedValues:
- - Yes
- - No
- Description: Would you like to peer this account's Primary VPC's Private Subnets with the Shared Service VPC's Private Subnets?
-
-Metadata:
- AWS::CloudFormation::Interface:
- ParameterGroups:
- - Label:
- default: Account Information
- Parameters:
- - AccountName
- - AccountEmail
- - OrgUnitName
- - Label:
- default: Network Information
- Parameters:
- - VPCOptions
- - VPCRegion
- - VPCCidr
- - PeerVPC
- ParameterLabels:
- AccountName:
- default: Account Name
- AccountEmail:
- default: Account Email
- OrgUnitName:
- default: Organization Unit Name
- VPCOptions:
- default: Network Type
- VPCCidr:
- default: Network CIDR Range
- PeerVPC:
- default: Peer with Shared-Services VPC
- VPCRegion:
- default: Network Region
-
-Mappings:
- VPC:
- Public-Only-2-AZ:
- AvailabilityZones: 2
- PublicSubnets:
- - PublicSubnet1CIDR
- - PublicSubnet2CIDR
- PrivateSubnets: []
- CreateAdditionalPrivateSubnets: 'false'
- CreatePrivateSubnets: 'false'
- CreatePublicSubnets: 'true'
- Public-Only-3-AZ:
- AvailabilityZones: 3
- PublicSubnets:
- - PublicSubnet1CIDR
- - PublicSubnet2CIDR
- - PublicSubnet3CIDR
- PrivateSubnets: []
- CreateAdditionalPrivateSubnets: 'false'
- CreatePrivateSubnets: 'false'
- CreatePublicSubnets: 'true'
- Public-Only-4-AZ:
- AvailabilityZones: 4
- PublicSubnets:
- - PublicSubnet1CIDR
- - PublicSubnet2CIDR
- - PublicSubnet3CIDR
- - PublicSubnet4CIDR
- PrivateSubnets: []
- CreateAdditionalPrivateSubnets: 'false'
- CreatePrivateSubnets: 'false'
- CreatePublicSubnets: 'true'
- Private-Only-2-AZ:
- AvailabilityZones: 2
- PublicSubnets: []
- PrivateSubnets:
- - PrivateSubnet1ACIDR
- - PrivateSubnet2ACIDR
- CreateAdditionalPrivateSubnets: 'false'
- CreatePrivateSubnets: 'true'
- CreatePublicSubnets: 'false'
- Private-Only-3-AZ:
- AvailabilityZones: 3
- PublicSubnets: []
- PrivateSubnets:
- - PrivateSubnet1ACIDR
- - PrivateSubnet2ACIDR
- - PrivateSubnet3ACIDR
- CreateAdditionalPrivateSubnets: 'false'
- CreatePrivateSubnets: 'true'
- CreatePublicSubnets: 'false'
- Private-Only-4-AZ:
- AvailabilityZones: 4
- PublicSubnets: []
- PrivateSubnets:
- - PrivateSubnet1ACIDR
- - PrivateSubnet2ACIDR
- - PrivateSubnet3ACIDR
- - PrivateSubnet4ACIDR
- CreateAdditionalPrivateSubnets: 'false'
- CreatePrivateSubnets: 'true'
- CreatePublicSubnets: 'false'
- Public-and-Private-Subnets-2-AZ:
- AvailabilityZones: 2
- PublicSubnets:
- - PublicSubnet1CIDR
- - PublicSubnet2CIDR
- PrivateSubnets:
- - PrivateSubnet1ACIDR
- - PrivateSubnet2ACIDR
- CreateAdditionalPrivateSubnets: 'false'
- CreatePrivateSubnets: 'true'
- CreatePublicSubnets: 'true'
- Public-and-Private-Subnets-3-AZ:
- AvailabilityZones: 3
- PublicSubnets:
- - PublicSubnet1CIDR
- - PublicSubnet2CIDR
- - PublicSubnet3CIDR
- PrivateSubnets:
- - PrivateSubnet1ACIDR
- - PrivateSubnet2ACIDR
- - PrivateSubnet3ACIDR
- CreateAdditionalPrivateSubnets: 'false'
- CreatePrivateSubnets: 'true'
- CreatePublicSubnets: 'true'
- Public-and-Private-Subnets-4-AZ:
- AvailabilityZones: 4
- PublicSubnets:
- - PublicSubnet1CIDR
- - PublicSubnet2CIDR
- - PublicSubnet3CIDR
- - PublicSubnet4CIDR
- PrivateSubnets:
- - PrivateSubnet1ACIDR
- - PrivateSubnet2ACIDR
- - PrivateSubnet3ACIDR
- - PrivateSubnet4ACIDR
- CreateAdditionalPrivateSubnets: 'false'
- CreatePrivateSubnets: 'true'
- CreatePublicSubnets: 'true'
- Public-and-2-Private-Subnets-2-AZ:
- AvailabilityZones: 2
- PublicSubnets:
- - PublicSubnet1CIDR
- - PublicSubnet2CIDR
- PrivateSubnets:
- - PrivateSubnet1ACIDR
- - PrivateSubnet2ACIDR
- - PrivateSubnet1BCIDR
- - PrivateSubnet2BCIDR
- CreateAdditionalPrivateSubnets: 'true'
- CreatePrivateSubnets: 'true'
- CreatePublicSubnets: 'true'
- Public-and-2-Private-Subnets-3-AZ:
- AvailabilityZones: 3
- PublicSubnets:
- - PublicSubnet1CIDR
- - PublicSubnet2CIDR
- - PublicSubnet3CIDR
- PrivateSubnets:
- - PrivateSubnet1ACIDR
- - PrivateSubnet2ACIDR
- - PrivateSubnet3ACIDR
- - PrivateSubnet1BCIDR
- - PrivateSubnet2BCIDR
- - PrivateSubnet3BCIDR
- CreateAdditionalPrivateSubnets: 'true'
- CreatePrivateSubnets: 'true'
- CreatePublicSubnets: 'true'
- Public-and-2-Private-Subnets-4-AZ:
- AvailabilityZones: 4
- PublicSubnets:
- - PublicSubnet1CIDR
- - PublicSubnet2CIDR
- - PublicSubnet3CIDR
- - PublicSubnet4CIDR
- PrivateSubnets:
- - PrivateSubnet1ACIDR
- - PrivateSubnet2ACIDR
- - PrivateSubnet3ACIDR
- - PrivateSubnet4ACIDR
- - PrivateSubnet1BCIDR
- - PrivateSubnet2BCIDR
- - PrivateSubnet3BCIDR
- - PrivateSubnet4BCIDR
- CreateAdditionalPrivateSubnets: 'true'
- CreatePrivateSubnets: 'true'
- CreatePublicSubnets: 'true'
-
-Conditions:
- CreateVPC: !Not
- - !Equals
- - !Ref VPCOptions
- - No-Primary-VPC
- PeerVPC: !Equals
- - !Ref PeerVPC
- - Yes
-
-Resources:
-
-#
-# Check if AVM was run for this account before
-#
-
- CheckAVMExistsForAccount:
- Type: Custom::CheckAVMExistsForAccount
- Properties:
- PortfolioName: {{manifest.portfolios[portfolio_index].name}}
- ProductName: {{manifest.portfolios[portfolio_index].products[product_index].name}}
- ProdParams:
- OUName: !Ref OrgUnitName
- AccountName: !Ref AccountName
- AccountEmail: !Ref AccountEmail
- ServiceToken: {{ lambda_arn }}
-
-
-#
-# AWS Organizations Custom Resource - Creates one new account
-#
-
- Organizations:
- DependsOn:
- - CheckAVMExistsForAccount
- Type: Custom::Organizations
- Properties:
- OUName: !Ref OrgUnitName
- AccountName: !Ref AccountName
- AccountEmail: !Ref AccountEmail
- {%- if manifest.nested_ou_delimiter != '' %}
- OUNameDelimiter: '{{manifest.nested_ou_delimiter}}'
- {%- endif %}
- ServiceToken: {{ lambda_arn }}
-
-#
-# Cloudformation StackSets Custom Resource
-#
-
-{%- for resource in manifest.baseline_resources %}
- {%- if resource.deploy_method == 'stack_set' and resource.parameter_override != 'true' %}
- {%- if manifest.portfolios[portfolio_index].products[product_index].name in resource.baseline_products %}
-
- StackSet{{resource.name | replace("-","") | replace("_","")}}:
- DependsOn:
- - Organizations
- {%- if resource.depends_on %}
- {%- for depends_on in resource.depends_on %}
- - StackSet{{ depends_on | replace("-","") | replace("_","")}}
- {%- endfor %}
- {%- endif %}
- Type: Custom::StackInstance
- Properties:
- StackSetName: AWS-Landing-Zone-Baseline-{{resource.name}}
- TemplateURL: '' ## **** VERY IMPORTANT *** This tells stack set state machine to NOT create/update the StackSet, rather just add a StackInstance
- AccountList:
- - !GetAtt 'Organizations.AccountId'
- RegionList:
- {%- if resource.regions %}
- {%- for regions in resource.regions %}
- - {{ regions }}
- {%- endfor %}
- {%- else %}
- - {{ manifest.region }}
- {%- endif %}
- ServiceToken: {{ lambda_arn }}
- {%- endif %}
- {%- endif %}
-{%- endfor %}
-
-#
-# CloudFormation StackSets Custom Resource - PrimaryVPC
-#
-{%- for resource in manifest.baseline_resources %}
- {%- if resource.name == 'PrimaryVPC' %}
- {%- if manifest.portfolios[portfolio_index].products[product_index].name in resource.baseline_products %}
-
- StackSet{{resource.name | replace("-","") | replace("_","")}}:
- Condition: CreateVPC
- DependsOn:
- - Organizations
- {%- if resource.depends_on %}
- {%- for depends_on in resource.depends_on %}
- - {{ depends_on }}
- {%- endfor %}
- {%- endif %}
- Type: Custom::StackInstance
- Properties:
- StackSetName: AWS-Landing-Zone-Baseline-{{resource.name}}
- TemplateURL: '' ## **** VERY IMPORTANT *** This tells stack set state machine to NOT create/update the StackSet, rather just add a StackInstance
- AccountList:
- - !GetAtt 'Organizations.AccountId'
- RegionList:
- - !Ref VPCRegion
- ServiceToken: {{ lambda_arn }}
- ParameterOverrides:
- !GetAtt VPCCalculator.Parameters
- {%- endif %}
- {%- endif %}
-{%- endfor %}
-
-#
-# VPC Custom Resource - Subnet and AZ Calculator
-#
-
- VPCCalculator:
- Condition: CreateVPC
- Type: Custom::VPCCalculator
- DependsOn:
- - Organizations
- Properties:
- AccountList:
- - !GetAtt 'Organizations.AccountId'
- VPCCidr: !Ref VPCCidr
- PublicSubnets: !FindInMap
- - VPC
- - !Ref VPCOptions
- - PublicSubnets
- PrivateSubnets: !FindInMap
- - VPC
- - !Ref VPCOptions
- - PrivateSubnets
- AvailabilityZones: !FindInMap
- - VPC
- - !Ref VPCOptions
- - AvailabilityZones
- CreatePrivateSubnets: !FindInMap
- - VPC
- - !Ref VPCOptions
- - CreatePrivateSubnets
- CreatePublicSubnets: !FindInMap
- - VPC
- - !Ref VPCOptions
- - CreatePublicSubnets
- CreateAdditionalPrivateSubnets: !FindInMap
- - VPC
- - !Ref VPCOptions
- - CreateAdditionalPrivateSubnets
- Region: !Ref VPCRegion
- ServiceToken: {{ lambda_arn }}
-
-#
-# VPC Custom Resource - Get SSM Parameter Values
-#
-
- SSMGetParameters:
- Type: Custom::SSMParameters
- Properties:
- SSMParameterKeys:
- - /org/member/sharedservices/vpc_private_route_ids
- - /org/member/sharedservices/vpc_id
- - /org/member/sharedservices/account_id
- - /org/member/sharedservices/vpc_region
- - /org/member/security/account_id
- - /org/member/logging/account_id
- ServiceToken: {{ lambda_arn }}
-
-{%- for ou in manifest.organizational_units %}
-{%- for account in ou.core_accounts %}
-{%- for resource in account.core_resources %}
-{%- if 'guardduty' in resource.name.lower() %}
- {% if resource.regions %}
- {% set region_list = resource.regions %}
- {% else %}
- {% set region_list = [manifest.region] %}
- {%- endif %}
-{%- for region in region_list %}
-
-#
-# GuardDuty Custom Resource - {{ region }} (depends on release/v2.0)
-#
-
- GuardDutyMemberof{{ account.name.title() | replace("-","") | replace("_","")}}Account{{region.title() | replace("-","") }}:
- DependsOn:
- - Organizations
- Type: Custom::HandShakeStateMachine
- Properties:
- ServiceType: GuardDuty
- HubAccountId: !GetAtt 'SSMGetParameters./org/member/security/account_id'
- HubRegion: {{ region }}
- SpokeAccountId: !GetAtt 'Organizations.AccountId'
- SpokeRegion: {{ region }}
- SpokeEmailId: !Ref AccountEmail
- ServiceToken: {{ lambda_arn }}
-
-{%- endfor %}
-{%- endif %}
-{%- endfor %}
-{%- endfor %}
-{%- endfor %}
-
-#
-# Expunge VPC Custom Resource - Delete Default VPC
-#
-
- ExpungeVPC:
- DependsOn:
- - Organizations
- Type: Custom::ExpungeVPC
- Properties:
- AccountList:
- - !GetAtt 'Organizations.AccountId'
- Region: !Ref VPCRegion
- ServiceToken: {{ lambda_arn }}
-
-
-#
-# VPC Custom Resource - Peering
-#
-
- VPCPeeringCR:
- Condition: PeerVPC
- Type: Custom::HandShakeStateMachine
- DependsOn:
- - StackSetPrimaryVPC
- Properties:
- ServiceType: VPCPeering
- HubAccountId: !GetAtt 'SSMGetParameters./org/member/sharedservices/account_id'
- HubRegion: !GetAtt 'SSMGetParameters./org/member/sharedservices/vpc_region'
- HubVPCId: !GetAtt 'SSMGetParameters./org/member/sharedservices/vpc_id'
- SpokeAccountId: !GetAtt 'Organizations.AccountId'
- SpokeVPCId: !GetAtt 'StackSetPrimaryVPC.output_vpcid'
- SpokeRegion: !Ref VPCRegion
- ServiceToken: {{ lambda_arn }}
-
-#
-# VPC Custom Resource - Peer Routing
-#
-
- NewVPCPeerRouting:
- Condition: PeerVPC
- Type: Custom::VPCPeering
- DependsOn:
- - StackSetPrimaryVPC
- - VPCPeeringCR
- Properties:
- AccountID : !GetAtt 'Organizations.AccountId'
- Region: !Ref VPCRegion
- RouteTableIDs: !GetAtt 'StackSetPrimaryVPC.output_privatesubnetroutetables'
- PeerConnectionID : !GetAtt 'VPCPeeringCR.ConnectionId'
- VPCCIDR: !GetAtt 'VPCPeeringCR.HubVPCCIDR'
- ServiceToken: {{ lambda_arn }}
-
- SharedVPCPeerRouting:
- Condition: PeerVPC
- Type: Custom::VPCPeering
- DependsOn:
- - StackSetPrimaryVPC
- - VPCPeeringCR
- Properties:
- AccountID: !GetAtt 'SSMGetParameters./org/member/sharedservices/account_id'
- Region: !GetAtt 'SSMGetParameters./org/member/sharedservices/vpc_region'
- RouteTableIDs: !GetAtt 'SSMGetParameters./org/member/sharedservices/vpc_private_route_ids'
- PeerConnectionID : !GetAtt 'VPCPeeringCR.ConnectionId'
- VPCCIDR: !GetAtt 'VPCPeeringCR.SpokeVPCCIDR'
- ServiceToken: {{ lambda_arn }}
-
-Outputs:
- AccountName:
- Description: Account Name
- Value: !Ref AccountName
- AccountEmail:
- Description: Account Email
- Value: !Ref AccountEmail
- AccountID:
- Description: Account ID
- Value: !GetAtt 'Organizations.AccountId'
+AWSTemplateFormatVersion: '2010-09-09'
+Description: {{manifest.portfolios[portfolio_index].products[product_index].description}}
+
+Parameters:
+ AccountName:
+ Description: Name for the Account
+ Type: String
+ MinLength: 1
+ MaxLength: 50
+ AccountEmail:
+ Description: Email for the Account
+ Type: String
+ MinLength: 6
+ MaxLength: 64
+ AllowedPattern: ^[_A-Za-z0-9-\+\.]+(\.[_A-Za-z0-9-]+)*@[A-Za-z0-9-]+(\.[A-Za-z0-9]+)*(\.[A-Za-z]{2,})$
+ ConstraintDescription: Account Email can contain only ASCII characters. This must be in the format of something@email.com
+ OrgUnitName:
+ Description: Name of Organizations Unit
+ Type: String
+ AllowedValues:
+ {%- for ou in manifest.organizational_units %}
+ {%- for product_name in ou['include_in_baseline_products'] %}
+ {%- if product_name == manifest.portfolios[portfolio_index].products[product_index].name %}
+ - {{ ou['name'] }}
+ {%- endif %}
+ {%- endfor %}
+ {%- endfor %}
+ VPCOptions:
+ Type: String
+ Default: No-Primary-VPC
+ Description: VPC options
+ AllowedValues:
+ - No-Primary-VPC
+ - Public-Only-2-AZ
+ - Public-Only-3-AZ
+ - Public-Only-4-AZ
+ - Private-Only-2-AZ
+ - Private-Only-3-AZ
+ - Private-Only-4-AZ
+ - Public-and-Private-Subnets-2-AZ
+ - Public-and-Private-Subnets-3-AZ
+ - Public-and-Private-Subnets-4-AZ
+ - Public-and-2-Private-Subnets-2-AZ
+ - Public-and-2-Private-Subnets-3-AZ
+ - Public-and-2-Private-Subnets-4-AZ
+
+ VPCRegion:
+ Description: VPC Region
+ Type: String
+ AllowedValues:
+ {%- for region in regions %}
+ - {{ region }}
+ {%- endfor %}
+ Default: {{ manifest.region }}
+
+ VPCCidr:
+ Type: String
+ AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
+ Description: CIDR block for the VPC
+ Default: 10.0.0.0/16
+
+ PeerVPC:
+ Type: String
+ Default: No
+ AllowedValues:
+ - Yes
+ - No
+ Description: Would you like to peer this account's Primary VPC's Private Subnets with the Shared Service VPC's Private Subnets?
+
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: Account Information
+ Parameters:
+ - AccountName
+ - AccountEmail
+ - OrgUnitName
+ - Label:
+ default: Network Information
+ Parameters:
+ - VPCOptions
+ - VPCRegion
+ - VPCCidr
+ - PeerVPC
+ ParameterLabels:
+ AccountName:
+ default: Account Name
+ AccountEmail:
+ default: Account Email
+ OrgUnitName:
+ default: Organization Unit Name
+ VPCOptions:
+ default: Network Type
+ VPCCidr:
+ default: Network CIDR Range
+ PeerVPC:
+ default: Peer with Shared-Services VPC
+ VPCRegion:
+ default: Network Region
+
+Mappings:
+ VPC:
+ Public-Only-2-AZ:
+ AvailabilityZones: 2
+ PublicSubnets:
+ - PublicSubnet1CIDR
+ - PublicSubnet2CIDR
+ PrivateSubnets: []
+ CreateAdditionalPrivateSubnets: 'false'
+ CreatePrivateSubnets: 'false'
+ CreatePublicSubnets: 'true'
+ Public-Only-3-AZ:
+ AvailabilityZones: 3
+ PublicSubnets:
+ - PublicSubnet1CIDR
+ - PublicSubnet2CIDR
+ - PublicSubnet3CIDR
+ PrivateSubnets: []
+ CreateAdditionalPrivateSubnets: 'false'
+ CreatePrivateSubnets: 'false'
+ CreatePublicSubnets: 'true'
+ Public-Only-4-AZ:
+ AvailabilityZones: 4
+ PublicSubnets:
+ - PublicSubnet1CIDR
+ - PublicSubnet2CIDR
+ - PublicSubnet3CIDR
+ - PublicSubnet4CIDR
+ PrivateSubnets: []
+ CreateAdditionalPrivateSubnets: 'false'
+ CreatePrivateSubnets: 'false'
+ CreatePublicSubnets: 'true'
+ Private-Only-2-AZ:
+ AvailabilityZones: 2
+ PublicSubnets: []
+ PrivateSubnets:
+ - PrivateSubnet1ACIDR
+ - PrivateSubnet2ACIDR
+ CreateAdditionalPrivateSubnets: 'false'
+ CreatePrivateSubnets: 'true'
+ CreatePublicSubnets: 'false'
+ Private-Only-3-AZ:
+ AvailabilityZones: 3
+ PublicSubnets: []
+ PrivateSubnets:
+ - PrivateSubnet1ACIDR
+ - PrivateSubnet2ACIDR
+ - PrivateSubnet3ACIDR
+ CreateAdditionalPrivateSubnets: 'false'
+ CreatePrivateSubnets: 'true'
+ CreatePublicSubnets: 'false'
+ Private-Only-4-AZ:
+ AvailabilityZones: 4
+ PublicSubnets: []
+ PrivateSubnets:
+ - PrivateSubnet1ACIDR
+ - PrivateSubnet2ACIDR
+ - PrivateSubnet3ACIDR
+ - PrivateSubnet4ACIDR
+ CreateAdditionalPrivateSubnets: 'false'
+ CreatePrivateSubnets: 'true'
+ CreatePublicSubnets: 'false'
+ Public-and-Private-Subnets-2-AZ:
+ AvailabilityZones: 2
+ PublicSubnets:
+ - PublicSubnet1CIDR
+ - PublicSubnet2CIDR
+ PrivateSubnets:
+ - PrivateSubnet1ACIDR
+ - PrivateSubnet2ACIDR
+ CreateAdditionalPrivateSubnets: 'false'
+ CreatePrivateSubnets: 'true'
+ CreatePublicSubnets: 'true'
+ Public-and-Private-Subnets-3-AZ:
+ AvailabilityZones: 3
+ PublicSubnets:
+ - PublicSubnet1CIDR
+ - PublicSubnet2CIDR
+ - PublicSubnet3CIDR
+ PrivateSubnets:
+ - PrivateSubnet1ACIDR
+ - PrivateSubnet2ACIDR
+ - PrivateSubnet3ACIDR
+ CreateAdditionalPrivateSubnets: 'false'
+ CreatePrivateSubnets: 'true'
+ CreatePublicSubnets: 'true'
+ Public-and-Private-Subnets-4-AZ:
+ AvailabilityZones: 4
+ PublicSubnets:
+ - PublicSubnet1CIDR
+ - PublicSubnet2CIDR
+ - PublicSubnet3CIDR
+ - PublicSubnet4CIDR
+ PrivateSubnets:
+ - PrivateSubnet1ACIDR
+ - PrivateSubnet2ACIDR
+ - PrivateSubnet3ACIDR
+ - PrivateSubnet4ACIDR
+ CreateAdditionalPrivateSubnets: 'false'
+ CreatePrivateSubnets: 'true'
+ CreatePublicSubnets: 'true'
+ Public-and-2-Private-Subnets-2-AZ:
+ AvailabilityZones: 2
+ PublicSubnets:
+ - PublicSubnet1CIDR
+ - PublicSubnet2CIDR
+ PrivateSubnets:
+ - PrivateSubnet1ACIDR
+ - PrivateSubnet2ACIDR
+ - PrivateSubnet1BCIDR
+ - PrivateSubnet2BCIDR
+ CreateAdditionalPrivateSubnets: 'true'
+ CreatePrivateSubnets: 'true'
+ CreatePublicSubnets: 'true'
+ Public-and-2-Private-Subnets-3-AZ:
+ AvailabilityZones: 3
+ PublicSubnets:
+ - PublicSubnet1CIDR
+ - PublicSubnet2CIDR
+ - PublicSubnet3CIDR
+ PrivateSubnets:
+ - PrivateSubnet1ACIDR
+ - PrivateSubnet2ACIDR
+ - PrivateSubnet3ACIDR
+ - PrivateSubnet1BCIDR
+ - PrivateSubnet2BCIDR
+ - PrivateSubnet3BCIDR
+ CreateAdditionalPrivateSubnets: 'true'
+ CreatePrivateSubnets: 'true'
+ CreatePublicSubnets: 'true'
+ Public-and-2-Private-Subnets-4-AZ:
+ AvailabilityZones: 4
+ PublicSubnets:
+ - PublicSubnet1CIDR
+ - PublicSubnet2CIDR
+ - PublicSubnet3CIDR
+ - PublicSubnet4CIDR
+ PrivateSubnets:
+ - PrivateSubnet1ACIDR
+ - PrivateSubnet2ACIDR
+ - PrivateSubnet3ACIDR
+ - PrivateSubnet4ACIDR
+ - PrivateSubnet1BCIDR
+ - PrivateSubnet2BCIDR
+ - PrivateSubnet3BCIDR
+ - PrivateSubnet4BCIDR
+ CreateAdditionalPrivateSubnets: 'true'
+ CreatePrivateSubnets: 'true'
+ CreatePublicSubnets: 'true'
+
+Conditions:
+ CreateVPC: !Not
+ - !Equals
+ - !Ref VPCOptions
+ - No-Primary-VPC
+ PeerVPC: !Equals
+ - !Ref PeerVPC
+ - Yes
+
+Resources:
+
+#
+# Check if AVM was run for this account before
+#
+
+ CheckAVMExistsForAccount:
+ Type: Custom::CheckAVMExistsForAccount
+ Properties:
+ PortfolioName: {{manifest.portfolios[portfolio_index].name}}
+ ProductName: {{manifest.portfolios[portfolio_index].products[product_index].name}}
+ ProdParams:
+ OUName: !Ref OrgUnitName
+ AccountName: !Ref AccountName
+ AccountEmail: !Ref AccountEmail
+ ServiceToken: {{ lambda_arn }}
+
+
+#
+# AWS Organizations Custom Resource - Creates one new account
+#
+
+ Organizations:
+ DependsOn:
+ - CheckAVMExistsForAccount
+ Type: Custom::Organizations
+ Properties:
+ OUName: !Ref OrgUnitName
+ AccountName: !Ref AccountName
+ AccountEmail: !Ref AccountEmail
+ {%- if manifest.nested_ou_delimiter != '' %}
+ OUNameDelimiter: '{{manifest.nested_ou_delimiter}}'
+ {%- endif %}
+ ServiceToken: {{ lambda_arn }}
+
+#
+# Cloudformation StackSets Custom Resource
+#
+
+{%- for resource in manifest.baseline_resources %}
+ {%- if resource.deploy_method == 'stack_set' and resource.parameter_override != 'true' %}
+ {%- if manifest.portfolios[portfolio_index].products[product_index].name in resource.baseline_products %}
+
+ StackSet{{resource.name | replace("-","") | replace("_","")}}:
+ DependsOn:
+ - Organizations
+ {%- if resource.depends_on %}
+ {%- for depends_on in resource.depends_on %}
+ - StackSet{{ depends_on | replace("-","") | replace("_","")}}
+ {%- endfor %}
+ {%- endif %}
+ Type: Custom::StackInstance
+ Properties:
+ StackSetName: AWS-Landing-Zone-Baseline-{{resource.name}}
+ TemplateURL: '' ## **** VERY IMPORTANT *** This tells stack set state machine to NOT create/update the StackSet, rather just add a StackInstance
+ AccountList:
+ - !GetAtt 'Organizations.AccountId'
+ RegionList:
+ {%- if resource.regions %}
+ {%- for regions in resource.regions %}
+ - {{ regions }}
+ {%- endfor %}
+ {%- else %}
+ - {{ manifest.region }}
+ {%- endif %}
+ ServiceToken: {{ lambda_arn }}
+ {%- endif %}
+ {%- endif %}
+{%- endfor %}
+
+#
+# CloudFormation StackSets Custom Resource - PrimaryVPC
+#
+{%- for resource in manifest.baseline_resources %}
+ {%- if resource.name == 'PrimaryVPC' %}
+ {%- if manifest.portfolios[portfolio_index].products[product_index].name in resource.baseline_products %}
+
+ StackSet{{resource.name | replace("-","") | replace("_","")}}:
+ Condition: CreateVPC
+ DependsOn:
+ - Organizations
+ {%- if resource.depends_on %}
+ {%- for depends_on in resource.depends_on %}
+ - {{ depends_on }}
+ {%- endfor %}
+ {%- endif %}
+ Type: Custom::StackInstance
+ Properties:
+ StackSetName: AWS-Landing-Zone-Baseline-{{resource.name}}
+ TemplateURL: '' ## **** VERY IMPORTANT *** This tells stack set state machine to NOT create/update the StackSet, rather just add a StackInstance
+ AccountList:
+ - !GetAtt 'Organizations.AccountId'
+ RegionList:
+ - !Ref VPCRegion
+ ServiceToken: {{ lambda_arn }}
+ ParameterOverrides:
+ !GetAtt VPCCalculator.Parameters
+ {%- endif %}
+ {%- endif %}
+{%- endfor %}
+
+#
+# VPC Custom Resource - Subnet and AZ Calculator
+#
+
+ VPCCalculator:
+ Condition: CreateVPC
+ Type: Custom::VPCCalculator
+ DependsOn:
+ - Organizations
+ Properties:
+ AccountList:
+ - !GetAtt 'Organizations.AccountId'
+ VPCCidr: !Ref VPCCidr
+ PublicSubnets: !FindInMap
+ - VPC
+ - !Ref VPCOptions
+ - PublicSubnets
+ PrivateSubnets: !FindInMap
+ - VPC
+ - !Ref VPCOptions
+ - PrivateSubnets
+ AvailabilityZones: !FindInMap
+ - VPC
+ - !Ref VPCOptions
+ - AvailabilityZones
+ CreatePrivateSubnets: !FindInMap
+ - VPC
+ - !Ref VPCOptions
+ - CreatePrivateSubnets
+ CreatePublicSubnets: !FindInMap
+ - VPC
+ - !Ref VPCOptions
+ - CreatePublicSubnets
+ CreateAdditionalPrivateSubnets: !FindInMap
+ - VPC
+ - !Ref VPCOptions
+ - CreateAdditionalPrivateSubnets
+ Region: !Ref VPCRegion
+ ServiceToken: {{ lambda_arn }}
+
+#
+# VPC Custom Resource - Get SSM Parameter Values
+#
+
+ SSMGetParameters:
+ Type: Custom::SSMParameters
+ Properties:
+ SSMParameterKeys:
+ - /org/member/sharedservices/vpc_private_route_ids
+ - /org/member/sharedservices/vpc_id
+ - /org/member/sharedservices/account_id
+ - /org/member/sharedservices/vpc_region
+ - /org/member/security/account_id
+ - /org/member/logging/account_id
+ ServiceToken: {{ lambda_arn }}
+
+{%- for ou in manifest.organizational_units %}
+{%- for account in ou.core_accounts %}
+{%- for resource in account.core_resources %}
+{%- if 'guardduty' in resource.name.lower() %}
+ {% if resource.regions %}
+ {% set region_list = resource.regions %}
+ {% else %}
+ {% set region_list = [manifest.region] %}
+ {%- endif %}
+{%- for region in region_list %}
+
+#
+# GuardDuty Custom Resource - {{ region }} (depends on release/v2.0)
+#
+
+ GuardDutyMemberof{{ account.name.title() | replace("-","") | replace("_","")}}Account{{region.title() | replace("-","") }}:
+ DependsOn:
+ - Organizations
+ Type: Custom::HandShakeStateMachine
+ Properties:
+ ServiceType: GuardDuty
+ HubAccountId: !GetAtt 'SSMGetParameters./org/member/security/account_id'
+ HubRegion: {{ region }}
+ SpokeAccountId: !GetAtt 'Organizations.AccountId'
+ SpokeRegion: {{ region }}
+ SpokeEmailId: !Ref AccountEmail
+ ServiceToken: {{ lambda_arn }}
+
+{%- endfor %}
+{%- endif %}
+{%- endfor %}
+{%- endfor %}
+{%- endfor %}
+
+#
+# Expunge VPC Custom Resource - Delete Default VPC
+#
+
+ ExpungeVPC:
+ DependsOn:
+ - Organizations
+ Type: Custom::ExpungeVPC
+ Properties:
+ AccountList:
+ - !GetAtt 'Organizations.AccountId'
+ Region: !Ref VPCRegion
+ ServiceToken: {{ lambda_arn }}
+
+
+#
+# VPC Custom Resource - Peering
+#
+
+ VPCPeeringCR:
+ Condition: PeerVPC
+ Type: Custom::HandShakeStateMachine
+ DependsOn:
+ - StackSetPrimaryVPC
+ Properties:
+ ServiceType: VPCPeering
+ HubAccountId: !GetAtt 'SSMGetParameters./org/member/sharedservices/account_id'
+ HubRegion: !GetAtt 'SSMGetParameters./org/member/sharedservices/vpc_region'
+ HubVPCId: !GetAtt 'SSMGetParameters./org/member/sharedservices/vpc_id'
+ SpokeAccountId: !GetAtt 'Organizations.AccountId'
+ SpokeVPCId: !GetAtt 'StackSetPrimaryVPC.output_vpcid'
+ SpokeRegion: !Ref VPCRegion
+ ServiceToken: {{ lambda_arn }}
+
+#
+# VPC Custom Resource - Peer Routing
+#
+
+ NewVPCPeerRouting:
+ Condition: PeerVPC
+ Type: Custom::VPCPeering
+ DependsOn:
+ - StackSetPrimaryVPC
+ - VPCPeeringCR
+ Properties:
+ AccountID : !GetAtt 'Organizations.AccountId'
+ Region: !Ref VPCRegion
+ RouteTableIDs: !GetAtt 'StackSetPrimaryVPC.output_privatesubnetroutetables'
+ PeerConnectionID : !GetAtt 'VPCPeeringCR.ConnectionId'
+ VPCCIDR: !GetAtt 'VPCPeeringCR.HubVPCCIDR'
+ ServiceToken: {{ lambda_arn }}
+
+ SharedVPCPeerRouting:
+ Condition: PeerVPC
+ Type: Custom::VPCPeering
+ DependsOn:
+ - StackSetPrimaryVPC
+ - VPCPeeringCR
+ Properties:
+ AccountID: !GetAtt 'SSMGetParameters./org/member/sharedservices/account_id'
+ Region: !GetAtt 'SSMGetParameters./org/member/sharedservices/vpc_region'
+ RouteTableIDs: !GetAtt 'SSMGetParameters./org/member/sharedservices/vpc_private_route_ids'
+ PeerConnectionID : !GetAtt 'VPCPeeringCR.ConnectionId'
+ VPCCIDR: !GetAtt 'VPCPeeringCR.SpokeVPCCIDR'
+ ServiceToken: {{ lambda_arn }}
+
+Outputs:
+ AccountName:
+ Description: Account Name
+ Value: !Ref AccountName
+ AccountEmail:
+ Description: Account Email
+ Value: !Ref AccountEmail
+ AccountID:
+ Description: Account ID
+ Value: !GetAtt 'Organizations.AccountId'
diff --git a/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-config-rules-global.template b/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-config-rules-global.template
index c44c64c10..f30d266fb 100644
--- a/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-config-rules-global.template
+++ b/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-config-rules-global.template
@@ -1,206 +1,206 @@
-AWSTemplateFormatVersion: 2010-09-09
-Description: Enables an AWS Landing Zone account baseline AWS Config rules.
-
-Parameters:
- EnableRootMfaRule:
- Type: String
- Description: "Enables the AWS managed root-account-mfa-enabled config rule. To disable, change the parameter value to false."
- Default: true
- AllowedValues:
- - true
- - false
- EnableIamPasswordPolicyRule:
- Type: String
- Description: "Enables the AWS managed iam-password-policy config rule. To disable, change the parameter value to false."
- Default: true
- AllowedValues:
- - true
- - false
- KMSId:
- Type: String
- Description: "[Optional] Id or ARN of the KMS key that is used to encrypt the volume."
- Default: ""
- MaximumExecutionFrequency:
- Type: String
- Default: TwentyFour_Hours
- Description: The frequency that you want AWS Config to run evaluations for the
- rule.
- MinLength: '1'
- ConstraintDescription: This parameter is required.
- AllowedValues:
- - One_Hour
- - Three_Hours
- - Six_Hours
- - Twelve_Hours
- - TwentyFour_Hours
- RequireUppercaseCharacters:
- Type: String
- Default: 'true'
- Description: Require at least one uppercase character in password.
- AllowedValues:
- - true
- - false
- RequireLowercaseCharacters:
- Type: String
- Default: 'true'
- Description: Require at least one lowercase character in password.
- AllowedValues:
- - true
- - false
- RequireSymbols:
- Type: String
- Default: 'true'
- Description: Require at least one symbol in password.
- AllowedValues:
- - true
- - false
- RequireNumbers:
- Type: String
- Default: 'true'
- Description: Require at least one number in password.
- AllowedValues:
- - true
- - false
- MinimumPasswordLength:
- Type: String
- Default: '12'
- Description: Password minimum length.
- PasswordReusePrevention:
- Type: String
- Default: '6'
- Description: Number of passwords before allowing reuse.
- MaxPasswordAge:
- Type: String
- Default: '90'
- Description: Number of days before password expiration.
-
-Conditions:
- EnableRootMfa: !Equals
- - !Ref EnableRootMfaRule
- - 'true'
- EnableIamPasswordPolicy: !Equals
- - !Ref EnableIamPasswordPolicyRule
- - 'true'
- HasKMSKeyId: !Not
- - !Equals
- - !Ref KMSId
- - ""
- RequireUppercaseCharacters:
- Fn::Not:
- - Fn::Equals:
- - ''
- - Ref: RequireUppercaseCharacters
- RequireLowercaseCharacters:
- Fn::Not:
- - Fn::Equals:
- - ''
- - Ref: RequireLowercaseCharacters
- RequireSymbols:
- Fn::Not:
- - Fn::Equals:
- - ''
- - Ref: RequireSymbols
- RequireNumbers:
- Fn::Not:
- - Fn::Equals:
- - ''
- - Ref: RequireNumbers
- MinimumPasswordLength:
- Fn::Not:
- - Fn::Equals:
- - ''
- - Ref: MinimumPasswordLength
- PasswordReusePrevention:
- Fn::Not:
- - Fn::Equals:
- - ''
- - Ref: PasswordReusePrevention
- MaxPasswordAge:
- Fn::Not:
- - Fn::Equals:
- - ''
- - Ref: MaxPasswordAge
-
-
-Metadata:
- AWS::CloudFormation::Interface:
- ParameterGroups:
- - Label:
- default: Config Rules
- Parameters:
- - EnableRootMfaRule
- - EnableIamPasswordPolicyRule
- - Label:
- default: Misc Parameters
- Parameters:
- - KMSId
- - MaximumExecutionFrequency
- - Label:
- default: IAM Password Policy
- Parameters:
- - RequireUppercaseCharacters
- - RequireLowercaseCharacters
- - RequireSymbols
- - RequireNumbers
- - MinimumPasswordLength
- - PasswordReusePrevention
- - MaxPasswordAge
-
-Resources:
- CheckForRootMfa:
- Type: AWS::Config::ConfigRule
- Condition: EnableRootMfa
- Properties:
- Description: Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in.
- Source:
- Owner: AWS
- SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
- MaximumExecutionFrequency:
- Ref: MaximumExecutionFrequency
-
- CheckForIamPasswordPolicy:
- Type: AWS::Config::ConfigRule
- Condition: EnableIamPasswordPolicy
- Properties:
- Description: Checks whether the account password policy for IAM users meets the specified requirements.
- Source:
- Owner: AWS
- SourceIdentifier: IAM_PASSWORD_POLICY
- InputParameters:
- RequireUppercaseCharacters:
- Fn::If:
- - RequireUppercaseCharacters
- - Ref: RequireUppercaseCharacters
- - Ref: AWS::NoValue
- RequireLowercaseCharacters:
- Fn::If:
- - RequireLowercaseCharacters
- - Ref: RequireLowercaseCharacters
- - Ref: AWS::NoValue
- RequireSymbols:
- Fn::If:
- - RequireSymbols
- - Ref: RequireSymbols
- - Ref: AWS::NoValue
- RequireNumbers:
- Fn::If:
- - RequireNumbers
- - Ref: RequireNumbers
- - Ref: AWS::NoValue
- MinimumPasswordLength:
- Fn::If:
- - MinimumPasswordLength
- - Ref: MinimumPasswordLength
- - Ref: AWS::NoValue
- PasswordReusePrevention:
- Fn::If:
- - PasswordReusePrevention
- - Ref: PasswordReusePrevention
- - Ref: AWS::NoValue
- MaxPasswordAge:
- Fn::If:
- - MaxPasswordAge
- - Ref: MaxPasswordAge
- - Ref: AWS::NoValue
- MaximumExecutionFrequency:
- Ref: MaximumExecutionFrequency
+AWSTemplateFormatVersion: 2010-09-09
+Description: Enables an AWS Landing Zone account baseline AWS Config rules.
+
+Parameters:
+ EnableRootMfaRule:
+ Type: String
+ Description: "Enables the AWS managed root-account-mfa-enabled config rule. To disable, change the parameter value to false."
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ EnableIamPasswordPolicyRule:
+ Type: String
+ Description: "Enables the AWS managed iam-password-policy config rule. To disable, change the parameter value to false."
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ KMSId:
+ Type: String
+ Description: "[Optional] Id or ARN of the KMS key that is used to encrypt the volume."
+ Default: ""
+ MaximumExecutionFrequency:
+ Type: String
+ Default: TwentyFour_Hours
+ Description: The frequency that you want AWS Config to run evaluations for the
+ rule.
+ MinLength: '1'
+ ConstraintDescription: This parameter is required.
+ AllowedValues:
+ - One_Hour
+ - Three_Hours
+ - Six_Hours
+ - Twelve_Hours
+ - TwentyFour_Hours
+ RequireUppercaseCharacters:
+ Type: String
+ Default: 'true'
+ Description: Require at least one uppercase character in password.
+ AllowedValues:
+ - true
+ - false
+ RequireLowercaseCharacters:
+ Type: String
+ Default: 'true'
+ Description: Require at least one lowercase character in password.
+ AllowedValues:
+ - true
+ - false
+ RequireSymbols:
+ Type: String
+ Default: 'true'
+ Description: Require at least one symbol in password.
+ AllowedValues:
+ - true
+ - false
+ RequireNumbers:
+ Type: String
+ Default: 'true'
+ Description: Require at least one number in password.
+ AllowedValues:
+ - true
+ - false
+ MinimumPasswordLength:
+ Type: String
+ Default: '12'
+ Description: Password minimum length.
+ PasswordReusePrevention:
+ Type: String
+ Default: '6'
+ Description: Number of passwords before allowing reuse.
+ MaxPasswordAge:
+ Type: String
+ Default: '90'
+ Description: Number of days before password expiration.
+
+Conditions:
+ EnableRootMfa: !Equals
+ - !Ref EnableRootMfaRule
+ - 'true'
+ EnableIamPasswordPolicy: !Equals
+ - !Ref EnableIamPasswordPolicyRule
+ - 'true'
+ HasKMSKeyId: !Not
+ - !Equals
+ - !Ref KMSId
+ - ""
+ RequireUppercaseCharacters:
+ Fn::Not:
+ - Fn::Equals:
+ - ''
+ - Ref: RequireUppercaseCharacters
+ RequireLowercaseCharacters:
+ Fn::Not:
+ - Fn::Equals:
+ - ''
+ - Ref: RequireLowercaseCharacters
+ RequireSymbols:
+ Fn::Not:
+ - Fn::Equals:
+ - ''
+ - Ref: RequireSymbols
+ RequireNumbers:
+ Fn::Not:
+ - Fn::Equals:
+ - ''
+ - Ref: RequireNumbers
+ MinimumPasswordLength:
+ Fn::Not:
+ - Fn::Equals:
+ - ''
+ - Ref: MinimumPasswordLength
+ PasswordReusePrevention:
+ Fn::Not:
+ - Fn::Equals:
+ - ''
+ - Ref: PasswordReusePrevention
+ MaxPasswordAge:
+ Fn::Not:
+ - Fn::Equals:
+ - ''
+ - Ref: MaxPasswordAge
+
+
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: Config Rules
+ Parameters:
+ - EnableRootMfaRule
+ - EnableIamPasswordPolicyRule
+ - Label:
+ default: Misc Parameters
+ Parameters:
+ - KMSId
+ - MaximumExecutionFrequency
+ - Label:
+ default: IAM Password Policy
+ Parameters:
+ - RequireUppercaseCharacters
+ - RequireLowercaseCharacters
+ - RequireSymbols
+ - RequireNumbers
+ - MinimumPasswordLength
+ - PasswordReusePrevention
+ - MaxPasswordAge
+
+Resources:
+ CheckForRootMfa:
+ Type: AWS::Config::ConfigRule
+ Condition: EnableRootMfa
+ Properties:
+ Description: Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in.
+ Source:
+ Owner: AWS
+ SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
+ MaximumExecutionFrequency:
+ Ref: MaximumExecutionFrequency
+
+ CheckForIamPasswordPolicy:
+ Type: AWS::Config::ConfigRule
+ Condition: EnableIamPasswordPolicy
+ Properties:
+ Description: Checks whether the account password policy for IAM users meets the specified requirements.
+ Source:
+ Owner: AWS
+ SourceIdentifier: IAM_PASSWORD_POLICY
+ InputParameters:
+ RequireUppercaseCharacters:
+ Fn::If:
+ - RequireUppercaseCharacters
+ - Ref: RequireUppercaseCharacters
+ - Ref: AWS::NoValue
+ RequireLowercaseCharacters:
+ Fn::If:
+ - RequireLowercaseCharacters
+ - Ref: RequireLowercaseCharacters
+ - Ref: AWS::NoValue
+ RequireSymbols:
+ Fn::If:
+ - RequireSymbols
+ - Ref: RequireSymbols
+ - Ref: AWS::NoValue
+ RequireNumbers:
+ Fn::If:
+ - RequireNumbers
+ - Ref: RequireNumbers
+ - Ref: AWS::NoValue
+ MinimumPasswordLength:
+ Fn::If:
+ - MinimumPasswordLength
+ - Ref: MinimumPasswordLength
+ - Ref: AWS::NoValue
+ PasswordReusePrevention:
+ Fn::If:
+ - PasswordReusePrevention
+ - Ref: PasswordReusePrevention
+ - Ref: AWS::NoValue
+ MaxPasswordAge:
+ Fn::If:
+ - MaxPasswordAge
+ - Ref: MaxPasswordAge
+ - Ref: AWS::NoValue
+ MaximumExecutionFrequency:
+ Ref: MaximumExecutionFrequency
diff --git a/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-config-rules.template b/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-config-rules.template
index 0224b3f72..f5ce58543 100644
--- a/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-config-rules.template
+++ b/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-config-rules.template
@@ -1,293 +1,293 @@
-AWSTemplateFormatVersion: 2010-09-09
-Description: Enables an AWS Landing Zone account baseline AWS Config rules.
-
-Parameters:
- EnableEncryptedVolumesRule:
- Type: String
- Description: "Enables the AWS managed encrypted-volumes config rule. To disable, change the parameter value to false."
- Default: true
- AllowedValues:
- - true
- - false
- EnableRdsEncryptionRule:
- Type: String
- Description: "Enables the AWS managed rds-storage-encrypted config rule. To disable, change the parameter value to false."
- Default: true
- AllowedValues:
- - true
- - false
- EnableS3PublicReadRule:
- Type: String
- Description: "Enables the AWS managed s3-bucket-public-read-prohibited config rule. To disable, change the parameter value to false."
- Default: true
- AllowedValues:
- - true
- - false
- EnableS3PublicWriteRule:
- Type: String
- Description: "Enables the AWS managed s3-bucket-public-write-prohibited config rule. To disable, change the parameter value to false."
- Default: true
- AllowedValues:
- - true
- - false
- EnableS3ServerSideEncryptionRule:
- Type: String
- Description: "Enables the AWS managed s3-bucket-server-side-encryption-enabled config rule. To enable, change the parameter value to true."
- Default: false
- AllowedValues:
- - true
- - false
- EnableRestrictedCommonPortsRule:
- Type: String
- Description: "Enables the AWS managed restricted-common-ports config rule. To disable, change the parameter value to false."
- Default: true
- AllowedValues:
- - true
- - false
- EnableRestrictedSshRule:
- Type: String
- Description: "Enables the AWS managed restricted-ssh config rule. To disable, change the parameter value to false."
- Default: true
- AllowedValues:
- - true
- - false
- KMSId:
- Type: String
- Description: "[Optional] Id or ARN of the KMS key that is used to encrypt the volume."
- Default: ""
- MaximumExecutionFrequency:
- Type: String
- Default: TwentyFour_Hours
- Description: The frequency that you want AWS Config to run evaluations for the
- rule.
- MinLength: '1'
- ConstraintDescription: This parameter is required.
- AllowedValues:
- - One_Hour
- - Three_Hours
- - Six_Hours
- - Twelve_Hours
- - TwentyFour_Hours
- blockedPort1:
- Type: String
- Default: '20'
- Description: Blocked TCP port number.
- blockedPort2:
- Type: String
- Default: '21'
- Description: Blocked TCP port number.
- blockedPort3:
- Type: String
- Default: '3389'
- Description: Blocked TCP port number.
- blockedPort4:
- Type: String
- Default: '3306'
- Description: Blocked TCP port number.
- blockedPort5:
- Type: String
- Default: '4333'
- Description: Blocked TCP port number.
-
-Conditions:
- EnableEncryptedVolumes: !Equals
- - !Ref EnableEncryptedVolumesRule
- - 'true'
- EnableRdsEncryption: !Equals
- - !Ref EnableRdsEncryptionRule
- - 'true'
- EnableS3PublicRead: !Equals
- - !Ref EnableS3PublicReadRule
- - 'true'
- EnableS3PublicWrite: !Equals
- - !Ref EnableS3PublicWriteRule
- - 'true'
- EnableS3ServerSideEncryption: !Equals
- - !Ref EnableS3ServerSideEncryptionRule
- - 'true'
- EnableRestrictedCommonPortsPolicy: !Equals
- - !Ref EnableRestrictedCommonPortsRule
- - 'true'
- EnableRestrictedSshPolicy: !Equals
- - !Ref EnableRestrictedSshRule
- - 'true'
- HasKMSKeyId: !Not
- - !Equals
- - !Ref KMSId
- - ""
- blockedPort1:
- Fn::Not:
- - Fn::Equals:
- - ''
- - Ref: blockedPort1
- blockedPort2:
- Fn::Not:
- - Fn::Equals:
- - ''
- - Ref: blockedPort2
- blockedPort3:
- Fn::Not:
- - Fn::Equals:
- - ''
- - Ref: blockedPort3
- blockedPort4:
- Fn::Not:
- - Fn::Equals:
- - ''
- - Ref: blockedPort4
- blockedPort5:
- Fn::Not:
- - Fn::Equals:
- - ''
- - Ref: blockedPort5
-
-
-Metadata:
- AWS::CloudFormation::Interface:
- ParameterGroups:
- - Label:
- default: Config Rules
- Parameters:
- - EnableEncryptedVolumesRule
- - EnableRdsEncryptionRule
- - EnableS3PublicReadRule
- - EnableS3PublicWriteRule
- - EnableS3ServerSideEncryptionRule
- - EnableRestrictedCommonPortsRule
- - EnableRestrictedSshRule
- - Label:
- default: Misc Parameters
- Parameters:
- - KMSId
- - MaximumExecutionFrequency
- - Label:
- default: Restricted Common Ports
- Parameters:
- - blockedPort1
- - blockedPort2
- - blockedPort3
- - blockedPort4
- - blockedPort5
-
-Resources:
- CheckForEncryptedVolumes:
- Type: AWS::Config::ConfigRule
- Condition: EnableEncryptedVolumes
- Properties:
- Description: Checks whether EBS volumes that are in an attached state are encrypted.
- Source:
- Owner: AWS
- SourceIdentifier: ENCRYPTED_VOLUMES
- Scope:
- ComplianceResourceTypes:
- - AWS::EC2::Volume
- InputParameters:
- kmsId: !If
- - HasKMSKeyId
- - !Ref KMSId
- - !Ref AWS::NoValue
-
- CheckForRdsEncryption:
- Type: AWS::Config::ConfigRule
- Condition: EnableRdsEncryption
- Properties:
- Description: Checks whether storage encryption is enabled for your RDS DB instances.
- Source:
- Owner: AWS
- SourceIdentifier: RDS_STORAGE_ENCRYPTED
- Scope:
- ComplianceResourceTypes:
- - AWS::RDS::DBInstance
- InputParameters:
- kmsId: !If
- - HasKMSKeyId
- - !Ref KMSId
- - !Ref AWS::NoValue
-
- CheckForS3PublicRead:
- Type: AWS::Config::ConfigRule
- Condition: EnableS3PublicRead
- Properties:
- Description: Checks that your S3 buckets do not allow public read access. If an S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant.
- Source:
- Owner: AWS
- SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
- Scope:
- ComplianceResourceTypes:
- - AWS::S3::Bucket
-
- CheckForS3PublicWrite:
- Type: AWS::Config::ConfigRule
- Condition: EnableS3PublicWrite
- Properties:
- Description: Checks that your S3 buckets do not allow public write access. If an S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant.
- Source:
- Owner: AWS
- SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
- Scope:
- ComplianceResourceTypes:
- - AWS::S3::Bucket
-
- CheckForS3ServerSideEncryption:
- Type: AWS::Config::ConfigRule
- Condition: EnableS3ServerSideEncryption
- Properties:
- Description: Checks for explicit denies on put-object requests without server side encryption.
- Source:
- Owner: AWS
- SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
- Scope:
- ComplianceResourceTypes:
- - AWS::S3::Bucket
-
- CheckForRestrictedCommonPortsPolicy:
- Type: AWS::Config::ConfigRule
- Condition: EnableRestrictedCommonPortsPolicy
- Properties:
- Description: Checks whether security groups that are in use disallow unrestricted
- incoming TCP traffic to the specified ports.
- InputParameters:
- blockedPort1:
- Fn::If:
- - blockedPort1
- - Ref: blockedPort1
- - Ref: AWS::NoValue
- blockedPort2:
- Fn::If:
- - blockedPort2
- - Ref: blockedPort2
- - Ref: AWS::NoValue
- blockedPort3:
- Fn::If:
- - blockedPort3
- - Ref: blockedPort3
- - Ref: AWS::NoValue
- blockedPort4:
- Fn::If:
- - blockedPort4
- - Ref: blockedPort4
- - Ref: AWS::NoValue
- blockedPort5:
- Fn::If:
- - blockedPort5
- - Ref: blockedPort5
- - Ref: AWS::NoValue
- Scope:
- ComplianceResourceTypes:
- - AWS::EC2::SecurityGroup
- Source:
- Owner: AWS
- SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
-
- CheckForRestrictedSshPolicy:
- Type: AWS::Config::ConfigRule
- Condition: EnableRestrictedSshPolicy
- Properties:
- Description: Checks whether security groups that are in use disallow unrestricted
- incoming SSH traffic.
- Scope:
- ComplianceResourceTypes:
- - AWS::EC2::SecurityGroup
- Source:
- Owner: AWS
- SourceIdentifier: INCOMING_SSH_DISABLED
+AWSTemplateFormatVersion: 2010-09-09
+Description: Enables an AWS Landing Zone account baseline AWS Config rules.
+
+Parameters:
+ EnableEncryptedVolumesRule:
+ Type: String
+ Description: "Enables the AWS managed encrypted-volumes config rule. To disable, change the parameter value to false."
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ EnableRdsEncryptionRule:
+ Type: String
+ Description: "Enables the AWS managed rds-storage-encrypted config rule. To disable, change the parameter value to false."
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ EnableS3PublicReadRule:
+ Type: String
+ Description: "Enables the AWS managed s3-bucket-public-read-prohibited config rule. To disable, change the parameter value to false."
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ EnableS3PublicWriteRule:
+ Type: String
+ Description: "Enables the AWS managed s3-bucket-public-write-prohibited config rule. To disable, change the parameter value to false."
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ EnableS3ServerSideEncryptionRule:
+ Type: String
+ Description: "Enables the AWS managed s3-bucket-server-side-encryption-enabled config rule. To enable, change the parameter value to true."
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ EnableRestrictedCommonPortsRule:
+ Type: String
+ Description: "Enables the AWS managed restricted-common-ports config rule. To disable, change the parameter value to false."
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ EnableRestrictedSshRule:
+ Type: String
+ Description: "Enables the AWS managed restricted-ssh config rule. To disable, change the parameter value to false."
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ KMSId:
+ Type: String
+ Description: "[Optional] Id or ARN of the KMS key that is used to encrypt the volume."
+ Default: ""
+ MaximumExecutionFrequency:
+ Type: String
+ Default: TwentyFour_Hours
+ Description: The frequency that you want AWS Config to run evaluations for the
+ rule.
+ MinLength: '1'
+ ConstraintDescription: This parameter is required.
+ AllowedValues:
+ - One_Hour
+ - Three_Hours
+ - Six_Hours
+ - Twelve_Hours
+ - TwentyFour_Hours
+ blockedPort1:
+ Type: String
+ Default: '20'
+ Description: Blocked TCP port number.
+ blockedPort2:
+ Type: String
+ Default: '21'
+ Description: Blocked TCP port number.
+ blockedPort3:
+ Type: String
+ Default: '3389'
+ Description: Blocked TCP port number.
+ blockedPort4:
+ Type: String
+ Default: '3306'
+ Description: Blocked TCP port number.
+ blockedPort5:
+ Type: String
+ Default: '4333'
+ Description: Blocked TCP port number.
+
+Conditions:
+ EnableEncryptedVolumes: !Equals
+ - !Ref EnableEncryptedVolumesRule
+ - 'true'
+ EnableRdsEncryption: !Equals
+ - !Ref EnableRdsEncryptionRule
+ - 'true'
+ EnableS3PublicRead: !Equals
+ - !Ref EnableS3PublicReadRule
+ - 'true'
+ EnableS3PublicWrite: !Equals
+ - !Ref EnableS3PublicWriteRule
+ - 'true'
+ EnableS3ServerSideEncryption: !Equals
+ - !Ref EnableS3ServerSideEncryptionRule
+ - 'true'
+ EnableRestrictedCommonPortsPolicy: !Equals
+ - !Ref EnableRestrictedCommonPortsRule
+ - 'true'
+ EnableRestrictedSshPolicy: !Equals
+ - !Ref EnableRestrictedSshRule
+ - 'true'
+ HasKMSKeyId: !Not
+ - !Equals
+ - !Ref KMSId
+ - ""
+ blockedPort1:
+ Fn::Not:
+ - Fn::Equals:
+ - ''
+ - Ref: blockedPort1
+ blockedPort2:
+ Fn::Not:
+ - Fn::Equals:
+ - ''
+ - Ref: blockedPort2
+ blockedPort3:
+ Fn::Not:
+ - Fn::Equals:
+ - ''
+ - Ref: blockedPort3
+ blockedPort4:
+ Fn::Not:
+ - Fn::Equals:
+ - ''
+ - Ref: blockedPort4
+ blockedPort5:
+ Fn::Not:
+ - Fn::Equals:
+ - ''
+ - Ref: blockedPort5
+
+
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: Config Rules
+ Parameters:
+ - EnableEncryptedVolumesRule
+ - EnableRdsEncryptionRule
+ - EnableS3PublicReadRule
+ - EnableS3PublicWriteRule
+ - EnableS3ServerSideEncryptionRule
+ - EnableRestrictedCommonPortsRule
+ - EnableRestrictedSshRule
+ - Label:
+ default: Misc Parameters
+ Parameters:
+ - KMSId
+ - MaximumExecutionFrequency
+ - Label:
+ default: Restricted Common Ports
+ Parameters:
+ - blockedPort1
+ - blockedPort2
+ - blockedPort3
+ - blockedPort4
+ - blockedPort5
+
+Resources:
+ CheckForEncryptedVolumes:
+ Type: AWS::Config::ConfigRule
+ Condition: EnableEncryptedVolumes
+ Properties:
+ Description: Checks whether EBS volumes that are in an attached state are encrypted.
+ Source:
+ Owner: AWS
+ SourceIdentifier: ENCRYPTED_VOLUMES
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::EC2::Volume
+ InputParameters:
+ kmsId: !If
+ - HasKMSKeyId
+ - !Ref KMSId
+ - !Ref AWS::NoValue
+
+ CheckForRdsEncryption:
+ Type: AWS::Config::ConfigRule
+ Condition: EnableRdsEncryption
+ Properties:
+ Description: Checks whether storage encryption is enabled for your RDS DB instances.
+ Source:
+ Owner: AWS
+ SourceIdentifier: RDS_STORAGE_ENCRYPTED
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::RDS::DBInstance
+ InputParameters:
+ kmsId: !If
+ - HasKMSKeyId
+ - !Ref KMSId
+ - !Ref AWS::NoValue
+
+ CheckForS3PublicRead:
+ Type: AWS::Config::ConfigRule
+ Condition: EnableS3PublicRead
+ Properties:
+ Description: Checks that your S3 buckets do not allow public read access. If an S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant.
+ Source:
+ Owner: AWS
+ SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::S3::Bucket
+
+ CheckForS3PublicWrite:
+ Type: AWS::Config::ConfigRule
+ Condition: EnableS3PublicWrite
+ Properties:
+ Description: Checks that your S3 buckets do not allow public write access. If an S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant.
+ Source:
+ Owner: AWS
+ SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::S3::Bucket
+
+ CheckForS3ServerSideEncryption:
+ Type: AWS::Config::ConfigRule
+ Condition: EnableS3ServerSideEncryption
+ Properties:
+ Description: Checks for explicit denies on put-object requests without server side encryption.
+ Source:
+ Owner: AWS
+ SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::S3::Bucket
+
+ CheckForRestrictedCommonPortsPolicy:
+ Type: AWS::Config::ConfigRule
+ Condition: EnableRestrictedCommonPortsPolicy
+ Properties:
+ Description: Checks whether security groups that are in use disallow unrestricted
+ incoming TCP traffic to the specified ports.
+ InputParameters:
+ blockedPort1:
+ Fn::If:
+ - blockedPort1
+ - Ref: blockedPort1
+ - Ref: AWS::NoValue
+ blockedPort2:
+ Fn::If:
+ - blockedPort2
+ - Ref: blockedPort2
+ - Ref: AWS::NoValue
+ blockedPort3:
+ Fn::If:
+ - blockedPort3
+ - Ref: blockedPort3
+ - Ref: AWS::NoValue
+ blockedPort4:
+ Fn::If:
+ - blockedPort4
+ - Ref: blockedPort4
+ - Ref: AWS::NoValue
+ blockedPort5:
+ Fn::If:
+ - blockedPort5
+ - Ref: blockedPort5
+ - Ref: AWS::NoValue
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::EC2::SecurityGroup
+ Source:
+ Owner: AWS
+ SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
+
+ CheckForRestrictedSshPolicy:
+ Type: AWS::Config::ConfigRule
+ Condition: EnableRestrictedSshPolicy
+ Properties:
+ Description: Checks whether security groups that are in use disallow unrestricted
+ incoming SSH traffic.
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::EC2::SecurityGroup
+ Source:
+ Owner: AWS
+ SourceIdentifier: INCOMING_SSH_DISABLED
diff --git a/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-enable-cloudtrail.template b/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-enable-cloudtrail.template
index a2653800b..959efd5ce 100644
--- a/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-enable-cloudtrail.template
+++ b/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-enable-cloudtrail.template
@@ -1,139 +1,139 @@
-AWSTemplateFormatVersion: 2010-09-09
-Description: Enable AWS CloudTrail. This template creates a CloudTrail trail, an Amazon S3 bucket where logs are published, and an Amazon SNS topic where notifications are sent.
-
-Parameters:
- EnableLogFileValidation:
- Type: String
- Default: 'true'
- Description: Indicates whether CloudTrail validates the integrity of log files.
- AllowedValues:
- - 'true'
- - 'false'
-
- IncludeGlobalEvents:
- Type: String
- Default: 'false'
- Description: Indicates whether the trail is publishing events from global services, such as IAM, to the log files.
- AllowedValues:
- - 'true'
- - 'false'
-
- MultiRegion:
- Type: String
- Default: 'false'
- Description: Indicates whether the CloudTrail trail is created in the region in which you create the stack (false) or in all regions (true).
- AllowedValues:
- - 'true'
- - 'false'
-
- PublishToTopic:
- Type: String
- Default: 'false'
- Description: Indicates whether notifications are published to SNS.
- AllowedValues:
- - 'true'
- - 'false'
-
- SNSTopic:
- Type: String
- Description: Topic for your notifications.
-
- PublishToCloudWatchLogs:
- Type: String
- Default: 'false'
- Description: Indicates whether notifications are published to CloudWatch Logs.
- AllowedValues:
- - 'true'
- - 'false'
-
- CloudWatchLogsGroupName:
- Type: String
- Default: 'CloudTrail/Landing-Zone-Logs'
- Description: CloudWatchLogs Group name.
-
- TrailBucket:
- Type: String
- Description: Bucket name for logs.
-
- LogsRetentionInDays:
- Description: 'Specifies the number of days you want to retain CloudTrail log events in the CloudWatch Logs.'
- Type: Number
- Default: 14
- AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
-
- AWSLogsS3KeyPrefix:
- Type: 'String'
- Description: 'Organization ID to use as the S3 Key prefix for storing the audit logs'
-
-Conditions:
- IsMultiRegion: !Equals
- - !Ref MultiRegion
- - 'true'
-
- IsPublishToTopic: !Equals
- - !Ref PublishToTopic
- - 'true'
-
- IsPublishToCloudWatchLogs: !Equals
- - !Ref PublishToCloudWatchLogs
- - 'true'
-
-Resources:
- Trail:
- Type: AWS::CloudTrail::Trail
- Properties:
- TrailName: AWS-Landing-Zone-BaselineCloudTrail
- S3BucketName: !Ref TrailBucket
- S3KeyPrefix: !Ref AWSLogsS3KeyPrefix
- SnsTopicName: !If
- - IsPublishToTopic
- - !Ref SNSTopic
- - !Ref AWS::NoValue
- IsLogging: True
- EnableLogFileValidation: !Ref EnableLogFileValidation
- IncludeGlobalServiceEvents: !If
- - IsMultiRegion
- - True
- - !Ref IncludeGlobalEvents
- IsMultiRegionTrail: !Ref MultiRegion
- CloudWatchLogsLogGroupArn: !If
- - IsPublishToCloudWatchLogs
- - !GetAtt TrailLogGroup.Arn
- - !Ref AWS::NoValue
- CloudWatchLogsRoleArn: !If
- - IsPublishToCloudWatchLogs
- - !GetAtt TrailLogGroupRole.Arn
- - !Ref AWS::NoValue
-
- TrailLogGroup:
- Type: 'AWS::Logs::LogGroup'
- Condition: IsPublishToCloudWatchLogs
- Properties:
- LogGroupName: !Ref CloudWatchLogsGroupName
- RetentionInDays: !Ref LogsRetentionInDays
-
- TrailLogGroupRole:
- Type: 'AWS::IAM::Role'
- Condition: IsPublishToCloudWatchLogs
- Properties:
- AssumeRolePolicyDocument:
- Version: '2012-10-17'
- Statement:
- - Sid: CloudTrailAssumeRole
- Effect: Allow
- Principal:
- Service: 'cloudtrail.amazonaws.com'
- Action: 'sts:AssumeRole'
- Policies:
- - PolicyName: 'cloudtrail-policy'
- PolicyDocument:
- Version: '2012-10-17'
- Statement:
- - Sid: AWSCloudTrailCreateLogStream
- Effect: Allow
- Action: 'logs:CreateLogStream'
- Resource: !GetAtt 'TrailLogGroup.Arn'
- - Sid: AWSCloudTrailPutLogEvents
- Effect: Allow
- Action: 'logs:PutLogEvents'
- Resource: !GetAtt 'TrailLogGroup.Arn'
+AWSTemplateFormatVersion: 2010-09-09
+Description: Enable AWS CloudTrail. This template creates a CloudTrail trail, an Amazon S3 bucket where logs are published, and an Amazon SNS topic where notifications are sent.
+
+Parameters:
+ EnableLogFileValidation:
+ Type: String
+ Default: 'true'
+ Description: Indicates whether CloudTrail validates the integrity of log files.
+ AllowedValues:
+ - 'true'
+ - 'false'
+
+ IncludeGlobalEvents:
+ Type: String
+ Default: 'false'
+ Description: Indicates whether the trail is publishing events from global services, such as IAM, to the log files.
+ AllowedValues:
+ - 'true'
+ - 'false'
+
+ MultiRegion:
+ Type: String
+ Default: 'false'
+ Description: Indicates whether the CloudTrail trail is created in the region in which you create the stack (false) or in all regions (true).
+ AllowedValues:
+ - 'true'
+ - 'false'
+
+ PublishToTopic:
+ Type: String
+ Default: 'false'
+ Description: Indicates whether notifications are published to SNS.
+ AllowedValues:
+ - 'true'
+ - 'false'
+
+ SNSTopic:
+ Type: String
+ Description: Topic for your notifications.
+
+ PublishToCloudWatchLogs:
+ Type: String
+ Default: 'false'
+ Description: Indicates whether notifications are published to CloudWatch Logs.
+ AllowedValues:
+ - 'true'
+ - 'false'
+
+ CloudWatchLogsGroupName:
+ Type: String
+ Default: 'CloudTrail/Landing-Zone-Logs'
+ Description: CloudWatchLogs Group name.
+
+ TrailBucket:
+ Type: String
+ Description: Bucket name for logs.
+
+ LogsRetentionInDays:
+ Description: 'Specifies the number of days you want to retain CloudTrail log events in the CloudWatch Logs.'
+ Type: Number
+ Default: 14
+ AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
+
+ AWSLogsS3KeyPrefix:
+ Type: 'String'
+ Description: 'Organization ID to use as the S3 Key prefix for storing the audit logs'
+
+Conditions:
+ IsMultiRegion: !Equals
+ - !Ref MultiRegion
+ - 'true'
+
+ IsPublishToTopic: !Equals
+ - !Ref PublishToTopic
+ - 'true'
+
+ IsPublishToCloudWatchLogs: !Equals
+ - !Ref PublishToCloudWatchLogs
+ - 'true'
+
+Resources:
+ Trail:
+ Type: AWS::CloudTrail::Trail
+ Properties:
+ TrailName: AWS-Landing-Zone-BaselineCloudTrail
+ S3BucketName: !Ref TrailBucket
+ S3KeyPrefix: !Ref AWSLogsS3KeyPrefix
+ SnsTopicName: !If
+ - IsPublishToTopic
+ - !Ref SNSTopic
+ - !Ref AWS::NoValue
+ IsLogging: True
+ EnableLogFileValidation: !Ref EnableLogFileValidation
+ IncludeGlobalServiceEvents: !If
+ - IsMultiRegion
+ - True
+ - !Ref IncludeGlobalEvents
+ IsMultiRegionTrail: !Ref MultiRegion
+ CloudWatchLogsLogGroupArn: !If
+ - IsPublishToCloudWatchLogs
+ - !GetAtt TrailLogGroup.Arn
+ - !Ref AWS::NoValue
+ CloudWatchLogsRoleArn: !If
+ - IsPublishToCloudWatchLogs
+ - !GetAtt TrailLogGroupRole.Arn
+ - !Ref AWS::NoValue
+
+ TrailLogGroup:
+ Type: 'AWS::Logs::LogGroup'
+ Condition: IsPublishToCloudWatchLogs
+ Properties:
+ LogGroupName: !Ref CloudWatchLogsGroupName
+ RetentionInDays: !Ref LogsRetentionInDays
+
+ TrailLogGroupRole:
+ Type: 'AWS::IAM::Role'
+ Condition: IsPublishToCloudWatchLogs
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Sid: CloudTrailAssumeRole
+ Effect: Allow
+ Principal:
+ Service: 'cloudtrail.amazonaws.com'
+ Action: 'sts:AssumeRole'
+ Policies:
+ - PolicyName: 'cloudtrail-policy'
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Sid: AWSCloudTrailCreateLogStream
+ Effect: Allow
+ Action: 'logs:CreateLogStream'
+ Resource: !GetAtt 'TrailLogGroup.Arn'
+ - Sid: AWSCloudTrailPutLogEvents
+ Effect: Allow
+ Action: 'logs:PutLogEvents'
+ Resource: !GetAtt 'TrailLogGroup.Arn'
diff --git a/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-enable-config-role.template b/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-enable-config-role.template
index 0eb0d4944..3e3f062d8 100644
--- a/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-enable-config-role.template
+++ b/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-enable-config-role.template
@@ -1,26 +1,26 @@
-AWSTemplateFormatVersion: 2010-09-09
-Description: Deploy AWS Config Recorder Role
-
-Resources:
-
- ConfigRecorderRole:
- Type: AWS::IAM::Role
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: W28
- reason: "The role name is defined to identify AWS Landing Zone resources."
- Properties:
- RoleName: AWS-Landing-Zone-ConfigRecorderRole
- AssumeRolePolicyDocument:
- Version: 2012-10-17
- Statement:
- - Effect: Allow
- Principal:
- Service:
- - config.amazonaws.com
- Action:
- - sts:AssumeRole
- Path: /
- ManagedPolicyArns:
- - arn:aws:iam::aws:policy/service-role/AWSConfigRole
+AWSTemplateFormatVersion: 2010-09-09
+Description: Deploy AWS Config Recorder Role
+
+Resources:
+
+ ConfigRecorderRole:
+ Type: AWS::IAM::Role
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: W28
+ reason: "The role name is defined to identify AWS Landing Zone resources."
+ Properties:
+ RoleName: AWS-Landing-Zone-ConfigRecorderRole
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - config.amazonaws.com
+ Action:
+ - sts:AssumeRole
+ Path: /
+ ManagedPolicyArns:
+ - arn:aws:iam::aws:policy/service-role/AWSConfigRole
diff --git a/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-enable-config.template b/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-enable-config.template
index e3075f635..8c02e9038 100644
--- a/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-enable-config.template
+++ b/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-enable-config.template
@@ -1,306 +1,306 @@
-AWSTemplateFormatVersion: 2010-09-09
-Description: Enable AWS Config,
-
-Parameters:
- AllSupported:
- Type: String
- Default: 'true'
- Description: Indicates whether to record all supported resource types.
- AllowedValues:
- - 'true'
- - 'false'
-
- IncludeGlobalResourceTypes:
- Type: String
- Default: 'true'
- Description: Indicates whether AWS Config records all supported global resource types.
- AllowedValues:
- - 'true'
- - 'false'
-
- ResourceTypes:
- Type: CommaDelimitedList
- Description: A list of valid AWS resource types to include in this recording group. Eg. AWS::CloudTrail::Trail
- Default: AWS::CloudTrail::Trail
-
- DeliveryChannelName:
- Type: String
- Default: 'DeliveryChannel'
- Description: The name of the delivery channel.
-
- Frequency:
- Type: String
- Default: 24hours
- Description: The frequency with which AWS Config delivers configuration snapshots.
- AllowedValues:
- - 1hour
- - 3hours
- - 6hours
- - 12hours
- - 24hours
-
- TopicArn:
- Type: String
- Default: ''
- Description: The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (Amazon SNS) topic that AWS Config delivers notifications to.
-
- BucketName:
- Type: String
- Default: ''
- Description: Bucket name from the Logging Account
-
- NotifyDisplayName:
- Type: 'String'
- Default: LZNotify
- Description: SNS display name for security administrator(s)
-
- NotifyTopicName:
- Type: 'String'
- Default: AWS-Landing-Zone-Security-Notification
- Description: SNS topic name for security notification
-
- LogsRetentionInDays:
- Description: 'Specifies the number of days you want to retain notification forwarding log events in the Lambda log group.'
- Type: Number
- Default: 14
- AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
-
- EnableConfigRuleComplianceChangeAlarm:
- Type: String
- Description: "Enable notifications for AWS Config rule compliance status changes?"
- Default: true
- AllowedValues:
- - true
- - false
-
- SecurityNotificationTopicArn:
- Type: String
- Default: ''
- Description: The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (Amazon SNS) topic that aggregates All security notifications.
-
- AWSLogsS3KeyPrefix:
- Type: 'String'
- Description: 'Organization ID to use as the S3 Key prefix for storing the audit logs'
-
-Conditions:
- IsAllSupported: !Equals
- - !Ref AllSupported
- - 'true'
- IsGeneratedDeliveryChannelName: !Equals
- - !Ref DeliveryChannelName
- - ''
- EnableConfigRuleChangeNotification: !Equals
- - !Ref EnableConfigRuleComplianceChangeAlarm
- - 'true'
-
-Mappings:
- Settings:
- FrequencyMap:
- 1hour : One_Hour
- 3hours : Three_Hours
- 6hours : Six_Hours
- 12hours : Twelve_Hours
- 24hours : TwentyFour_Hours
-
-Resources:
-
- ConfigRecorder:
- Type: AWS::Config::ConfigurationRecorder
- Properties:
- Name: AWS-Landing-Zone-BaselineConfigRecorder
- RoleARN: !Sub arn:aws:iam::${AWS::AccountId}:role/AWS-Landing-Zone-ConfigRecorderRole
- RecordingGroup:
- AllSupported: !Ref AllSupported
- IncludeGlobalResourceTypes: !Ref IncludeGlobalResourceTypes
- ResourceTypes: !If
- - IsAllSupported
- - !Ref AWS::NoValue
- - !Ref ResourceTypes
-
- ConfigDeliveryChannel:
- Type: AWS::Config::DeliveryChannel
- Properties:
- Name: !If
- - IsGeneratedDeliveryChannelName
- - !Ref AWS::NoValue
- - !Ref DeliveryChannelName
- ConfigSnapshotDeliveryProperties:
- DeliveryFrequency: !FindInMap
- - Settings
- - FrequencyMap
- - !Ref Frequency
- S3BucketName: !Ref BucketName
- S3KeyPrefix: !Ref AWSLogsS3KeyPrefix
- SnsTopicARN: !Join
- - ':'
- - - 'arn:aws'
- - !Select [2, !Split [":", !Ref TopicArn]]
- - !Sub ${AWS::Region}
- - !Select [4, !Split [":", !Ref TopicArn]]
- - !Select [5, !Split [":", !Ref TopicArn]]
-
- ForwardSnsNotificationLambdaRole:
- Type: 'AWS::IAM::Role'
- Properties:
- AssumeRolePolicyDocument:
- Version: '2012-10-17'
- Statement:
- - Effect: Allow
- Principal:
- Service: 'lambda.amazonaws.com'
- Action:
- - 'sts:AssumeRole'
- Path: '/'
- ManagedPolicyArns:
- - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
- Policies:
- - PolicyName: sns
- PolicyDocument:
- Statement:
- - Effect: Allow
- Action:
- - 'sns:publish'
- Resource: !Join
- - ':'
- - - 'arn:aws'
- - !Select [2, !Split [":", !Ref SecurityNotificationTopicArn]]
- - !Sub ${AWS::Region}
- - !Select [4, !Split [":", !Ref SecurityNotificationTopicArn]]
- - !Select [5, !Split [":", !Ref SecurityNotificationTopicArn]]
- ForwardSnsNotification:
- Type: 'AWS::Lambda::Function'
- Properties:
- FunctionName: LandingZoneLocalSNSNotificationForwarder
- Description: AWS Landing Zone SNS message forwarding function for aggregating account notifications.
- Code:
- ZipFile:
- !Sub |
- from __future__ import print_function
- import boto3
- import json
- import os
- def lambda_handler(event, context):
- #print("Received event: " + json.dumps(event, indent=2))
- sns = boto3.client('sns')
- subject=event['Records'][0]['Sns']['Subject']
- if subject is None:
- subject = 'None'
- message = event['Records'][0]['Sns']['Message']
- try:
- msg = json.loads(message)
- message = json.dumps(msg, indent=4)
- if 'detail-type' in msg:
- subject = msg['detail-type']
- except:
- print('Not json')
- response = sns.publish(
- TopicArn=os.environ.get('sns_arn'),
- Subject=subject,
- Message=message
- )
- print(response)
- return response
- Handler: 'index.lambda_handler'
- MemorySize: 128
- Role: !GetAtt 'ForwardSnsNotificationLambdaRole.Arn'
- Runtime: 'python3.6'
- Timeout: 60
- Environment:
- Variables:
- sns_arn: !Join
- - ':'
- - - 'arn:aws'
- - !Select [2, !Split [":", !Ref SecurityNotificationTopicArn]]
- - !Sub ${AWS::Region}
- - !Select [4, !Split [":", !Ref SecurityNotificationTopicArn]]
- - !Select [5, !Split [":", !Ref SecurityNotificationTopicArn]]
- ForwardSnsNotificationGroup:
- Type: 'AWS::Logs::LogGroup'
- Properties:
- LogGroupName: !Sub '/aws/lambda/${ForwardSnsNotification}'
- RetentionInDays: !Ref LogsRetentionInDays
- SNSNotificationTopic:
- Type: AWS::SNS::Topic
- Properties:
- DisplayName: !Ref NotifyDisplayName
- TopicName: !Ref NotifyTopicName
- SNSNotificationPolicy:
- Type: AWS::SNS::TopicPolicy
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: F18
- reason: "Condition restricts permissions to current account."
- Properties:
- Topics:
- - !Ref SNSNotificationTopic
- PolicyDocument:
- Statement:
- - Sid: __default_statement_ID
- Effect: Allow
- Principal:
- AWS: "*"
- Action:
- - SNS:GetTopicAttributes
- - SNS:SetTopicAttributes
- - SNS:AddPermission
- - SNS:RemovePermission
- - SNS:DeleteTopic
- - SNS:Subscribe
- - SNS:ListSubscriptionsByTopic
- - SNS:Publish
- - SNS:Receive
- Resource: !Ref SNSNotificationTopic
- Condition:
- StringEquals:
- AWS:SourceOwner: !Sub ${AWS::AccountId}
- - Sid: TrustCWEToPublishEventsToMyTopic
- Effect: Allow
- Principal:
- Service: events.amazonaws.com
- Action: sns:Publish
- Resource: !Ref SNSNotificationTopic
- SNSNotificationSubscription:
- Type: "AWS::SNS::Subscription"
- Properties:
- Endpoint: !GetAtt ForwardSnsNotification.Arn
- Protocol: lambda
- TopicArn: !Ref SNSNotificationTopic
- SNSInvokeLambdaPermission:
- Type: AWS::Lambda::Permission
- Properties:
- Action: lambda:InvokeFunction
- Principal: sns.amazonaws.com
- SourceArn: !Ref SNSNotificationTopic
- FunctionName: !GetAtt ForwardSnsNotification.Arn
-
- LandingZoneLocalSNSTopicParameter:
- DependsOn:
- - SNSNotificationTopic
- Type: AWS::SSM::Parameter
- Properties:
- Name: '/org/member/local_sns_arn'
- Description: Contains the Local SNS Topic Arn for Landing Zone
- Type: String
- Value: !Ref SNSNotificationTopic
-
- # Enable notifications for AWS Config Rule compliance changes
- ConfigRuleComplianceChangeEvent:
- Type: AWS::Events::Rule
- Condition: EnableConfigRuleChangeNotification
- Properties:
- Name: Config-Rule-Compliance-Change-CloudWatch-Rule
- Description: 'Landing Zone rule to send notification on Config Rule compliance changes.'
- EventPattern:
- {
- "source": [
- "aws.config"
- ],
- "detail-type": [
- "Config Rules Compliance Change"
- ]
- }
- State: ENABLED
- Targets:
- - Id: !Sub 'AWS-Landing-Zone-Compliance-Change-Topic'
- Arn: !Ref SNSNotificationTopic
+AWSTemplateFormatVersion: 2010-09-09
+Description: Enable AWS Config,
+
+Parameters:
+ AllSupported:
+ Type: String
+ Default: 'true'
+ Description: Indicates whether to record all supported resource types.
+ AllowedValues:
+ - 'true'
+ - 'false'
+
+ IncludeGlobalResourceTypes:
+ Type: String
+ Default: 'true'
+ Description: Indicates whether AWS Config records all supported global resource types.
+ AllowedValues:
+ - 'true'
+ - 'false'
+
+ ResourceTypes:
+ Type: CommaDelimitedList
+ Description: A list of valid AWS resource types to include in this recording group. Eg. AWS::CloudTrail::Trail
+ Default: AWS::CloudTrail::Trail
+
+ DeliveryChannelName:
+ Type: String
+ Default: 'DeliveryChannel'
+ Description: The name of the delivery channel.
+
+ Frequency:
+ Type: String
+ Default: 24hours
+ Description: The frequency with which AWS Config delivers configuration snapshots.
+ AllowedValues:
+ - 1hour
+ - 3hours
+ - 6hours
+ - 12hours
+ - 24hours
+
+ TopicArn:
+ Type: String
+ Default: ''
+ Description: The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (Amazon SNS) topic that AWS Config delivers notifications to.
+
+ BucketName:
+ Type: String
+ Default: ''
+ Description: Bucket name from the Logging Account
+
+ NotifyDisplayName:
+ Type: 'String'
+ Default: LZNotify
+ Description: SNS display name for security administrator(s)
+
+ NotifyTopicName:
+ Type: 'String'
+ Default: AWS-Landing-Zone-Security-Notification
+ Description: SNS topic name for security notification
+
+ LogsRetentionInDays:
+ Description: 'Specifies the number of days you want to retain notification forwarding log events in the Lambda log group.'
+ Type: Number
+ Default: 14
+ AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
+
+ EnableConfigRuleComplianceChangeAlarm:
+ Type: String
+ Description: "Enable notifications for AWS Config rule compliance status changes?"
+ Default: true
+ AllowedValues:
+ - true
+ - false
+
+ SecurityNotificationTopicArn:
+ Type: String
+ Default: ''
+ Description: The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (Amazon SNS) topic that aggregates All security notifications.
+
+ AWSLogsS3KeyPrefix:
+ Type: 'String'
+ Description: 'Organization ID to use as the S3 Key prefix for storing the audit logs'
+
+Conditions:
+ IsAllSupported: !Equals
+ - !Ref AllSupported
+ - 'true'
+ IsGeneratedDeliveryChannelName: !Equals
+ - !Ref DeliveryChannelName
+ - ''
+ EnableConfigRuleChangeNotification: !Equals
+ - !Ref EnableConfigRuleComplianceChangeAlarm
+ - 'true'
+
+Mappings:
+ Settings:
+ FrequencyMap:
+ 1hour : One_Hour
+ 3hours : Three_Hours
+ 6hours : Six_Hours
+ 12hours : Twelve_Hours
+ 24hours : TwentyFour_Hours
+
+Resources:
+
+ ConfigRecorder:
+ Type: AWS::Config::ConfigurationRecorder
+ Properties:
+ Name: AWS-Landing-Zone-BaselineConfigRecorder
+ RoleARN: !Sub arn:aws:iam::${AWS::AccountId}:role/AWS-Landing-Zone-ConfigRecorderRole
+ RecordingGroup:
+ AllSupported: !Ref AllSupported
+ IncludeGlobalResourceTypes: !Ref IncludeGlobalResourceTypes
+ ResourceTypes: !If
+ - IsAllSupported
+ - !Ref AWS::NoValue
+ - !Ref ResourceTypes
+
+ ConfigDeliveryChannel:
+ Type: AWS::Config::DeliveryChannel
+ Properties:
+ Name: !If
+ - IsGeneratedDeliveryChannelName
+ - !Ref AWS::NoValue
+ - !Ref DeliveryChannelName
+ ConfigSnapshotDeliveryProperties:
+ DeliveryFrequency: !FindInMap
+ - Settings
+ - FrequencyMap
+ - !Ref Frequency
+ S3BucketName: !Ref BucketName
+ S3KeyPrefix: !Ref AWSLogsS3KeyPrefix
+ SnsTopicARN: !Join
+ - ':'
+ - - 'arn:aws'
+ - !Select [2, !Split [":", !Ref TopicArn]]
+ - !Sub ${AWS::Region}
+ - !Select [4, !Split [":", !Ref TopicArn]]
+ - !Select [5, !Split [":", !Ref TopicArn]]
+
+ ForwardSnsNotificationLambdaRole:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: 'lambda.amazonaws.com'
+ Action:
+ - 'sts:AssumeRole'
+ Path: '/'
+ ManagedPolicyArns:
+ - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
+ Policies:
+ - PolicyName: sns
+ PolicyDocument:
+ Statement:
+ - Effect: Allow
+ Action:
+ - 'sns:publish'
+ Resource: !Join
+ - ':'
+ - - 'arn:aws'
+ - !Select [2, !Split [":", !Ref SecurityNotificationTopicArn]]
+ - !Sub ${AWS::Region}
+ - !Select [4, !Split [":", !Ref SecurityNotificationTopicArn]]
+ - !Select [5, !Split [":", !Ref SecurityNotificationTopicArn]]
+ ForwardSnsNotification:
+ Type: 'AWS::Lambda::Function'
+ Properties:
+ FunctionName: LandingZoneLocalSNSNotificationForwarder
+ Description: AWS Landing Zone SNS message forwarding function for aggregating account notifications.
+ Code:
+ ZipFile:
+ !Sub |
+ from __future__ import print_function
+ import boto3
+ import json
+ import os
+ def lambda_handler(event, context):
+ #print("Received event: " + json.dumps(event, indent=2))
+ sns = boto3.client('sns')
+ subject=event['Records'][0]['Sns']['Subject']
+ if subject is None:
+ subject = 'None'
+ message = event['Records'][0]['Sns']['Message']
+ try:
+ msg = json.loads(message)
+ message = json.dumps(msg, indent=4)
+ if 'detail-type' in msg:
+ subject = msg['detail-type']
+ except:
+ print('Not json')
+ response = sns.publish(
+ TopicArn=os.environ.get('sns_arn'),
+ Subject=subject,
+ Message=message
+ )
+ print(response)
+ return response
+ Handler: 'index.lambda_handler'
+ MemorySize: 128
+ Role: !GetAtt 'ForwardSnsNotificationLambdaRole.Arn'
+ Runtime: 'python3.6'
+ Timeout: 60
+ Environment:
+ Variables:
+ sns_arn: !Join
+ - ':'
+ - - 'arn:aws'
+ - !Select [2, !Split [":", !Ref SecurityNotificationTopicArn]]
+ - !Sub ${AWS::Region}
+ - !Select [4, !Split [":", !Ref SecurityNotificationTopicArn]]
+ - !Select [5, !Split [":", !Ref SecurityNotificationTopicArn]]
+ ForwardSnsNotificationGroup:
+ Type: 'AWS::Logs::LogGroup'
+ Properties:
+ LogGroupName: !Sub '/aws/lambda/${ForwardSnsNotification}'
+ RetentionInDays: !Ref LogsRetentionInDays
+ SNSNotificationTopic:
+ Type: AWS::SNS::Topic
+ Properties:
+ DisplayName: !Ref NotifyDisplayName
+ TopicName: !Ref NotifyTopicName
+ SNSNotificationPolicy:
+ Type: AWS::SNS::TopicPolicy
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: F18
+ reason: "Condition restricts permissions to current account."
+ Properties:
+ Topics:
+ - !Ref SNSNotificationTopic
+ PolicyDocument:
+ Statement:
+ - Sid: __default_statement_ID
+ Effect: Allow
+ Principal:
+ AWS: "*"
+ Action:
+ - SNS:GetTopicAttributes
+ - SNS:SetTopicAttributes
+ - SNS:AddPermission
+ - SNS:RemovePermission
+ - SNS:DeleteTopic
+ - SNS:Subscribe
+ - SNS:ListSubscriptionsByTopic
+ - SNS:Publish
+ - SNS:Receive
+ Resource: !Ref SNSNotificationTopic
+ Condition:
+ StringEquals:
+ AWS:SourceOwner: !Sub ${AWS::AccountId}
+ - Sid: TrustCWEToPublishEventsToMyTopic
+ Effect: Allow
+ Principal:
+ Service: events.amazonaws.com
+ Action: sns:Publish
+ Resource: !Ref SNSNotificationTopic
+ SNSNotificationSubscription:
+ Type: "AWS::SNS::Subscription"
+ Properties:
+ Endpoint: !GetAtt ForwardSnsNotification.Arn
+ Protocol: lambda
+ TopicArn: !Ref SNSNotificationTopic
+ SNSInvokeLambdaPermission:
+ Type: AWS::Lambda::Permission
+ Properties:
+ Action: lambda:InvokeFunction
+ Principal: sns.amazonaws.com
+ SourceArn: !Ref SNSNotificationTopic
+ FunctionName: !GetAtt ForwardSnsNotification.Arn
+
+ LandingZoneLocalSNSTopicParameter:
+ DependsOn:
+ - SNSNotificationTopic
+ Type: AWS::SSM::Parameter
+ Properties:
+ Name: '/org/member/local_sns_arn'
+ Description: Contains the Local SNS Topic Arn for Landing Zone
+ Type: String
+ Value: !Ref SNSNotificationTopic
+
+ # Enable notifications for AWS Config Rule compliance changes
+ ConfigRuleComplianceChangeEvent:
+ Type: AWS::Events::Rule
+ Condition: EnableConfigRuleChangeNotification
+ Properties:
+ Name: Config-Rule-Compliance-Change-CloudWatch-Rule
+ Description: 'Landing Zone rule to send notification on Config Rule compliance changes.'
+ EventPattern:
+ {
+ "source": [
+ "aws.config"
+ ],
+ "detail-type": [
+ "Config Rules Compliance Change"
+ ]
+ }
+ State: ENABLED
+ Targets:
+ - Id: !Sub 'AWS-Landing-Zone-Compliance-Change-Topic'
+ Arn: !Ref SNSNotificationTopic
diff --git a/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-iam-password-policy.template b/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-iam-password-policy.template
index 17838f1b6..55eb2b33a 100644
--- a/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-iam-password-policy.template
+++ b/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-iam-password-policy.template
@@ -1,212 +1,212 @@
----
-# Copyright 2018 widdix GmbH
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-AWSTemplateFormatVersion: '2010-09-09'
-Description: 'Security: Account Password Policy, a cloudonaut.io template'
-Metadata:
- 'AWS::CloudFormation::Interface':
- ParameterGroups:
- - Label:
- default: 'Password Policy Parameters'
- Parameters:
- - AllowUsersToChangePassword
- - HardExpiry
- - MaxPasswordAge
- - MinimumPasswordLength
- - PasswordReusePrevention
- - RequireLowercaseCharacters
- - RequireNumbers
- - RequireSymbols
- - RequireUppercaseCharacters
- - Label:
- default: 'Operational Parameters'
- Parameters:
- - LogsRetentionInDays
-Parameters:
- AllowUsersToChangePassword:
- Description: 'You can permit all IAM users in your account to use the IAM console to change their own passwords.'
- Type: String
- Default: true
- AllowedValues:
- - true
- - false
- HardExpiry:
- Description: 'You can prevent IAM users from choosing a new password after their current password has expired.'
- Type: String
- Default: false
- AllowedValues:
- - true
- - false
- MaxPasswordAge:
- Description: 'You can set IAM user passwords to be valid for only the specified number of days.'
- Type: Number
- Default: 90
- ConstraintDescription: 'Must be in the range [0-1095]'
- MinValue: 0
- MaxValue: 1095
- MinimumPasswordLength:
- Description: 'You can specify the minimum number of characters allowed in an IAM user password.'
- Type: Number
- Default: 12
- ConstraintDescription: 'Must be in the range [6-128]'
- MinValue: 6
- MaxValue: 128
- PasswordReusePrevention:
- Description: 'You can prevent IAM users from reusing a specified number of previous passwords.'
- Type: Number
- Default: 6
- ConstraintDescription: 'Must be in the range [0-24]'
- MinValue: 0
- MaxValue: 24
- RequireLowercaseCharacters:
- Description: 'You can require that IAM user passwords contain at least one lowercase character from the ISO basic Latin alphabet (a to z).'
- Type: String
- Default: true
- AllowedValues:
- - true
- - false
- RequireNumbers:
- Description: 'You can require that IAM user passwords contain at least one numeric character (0 to 9).'
- Type: String
- Default: true
- AllowedValues:
- - true
- - false
- RequireSymbols:
- Description: 'You can require that IAM user passwords contain at least one of the following nonalphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] {} | '''
- Type: String
- Default: true
- AllowedValues:
- - true
- - false
- RequireUppercaseCharacters:
- Description: 'You can require that IAM user passwords contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).'
- Type: String
- Default: true
- AllowedValues:
- - true
- - false
- LogsRetentionInDays:
- Description: 'Specifies the number of days you want to retain log events in the specified log group.'
- Type: Number
- Default: 14
- AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
-Resources:
- LambdaRole:
- Type: 'AWS::IAM::Role'
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: W11
- reason: "Allow Resource * for IAM APIs. The password policy does not have the ARN namespace."
- Properties:
- AssumeRolePolicyDocument:
- Version: '2012-10-17'
- Statement:
- - Effect: Allow
- Principal:
- Service: 'lambda.amazonaws.com'
- Action:
- - 'sts:AssumeRole'
- Path: '/'
- ManagedPolicyArns:
- - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
- Policies:
- - PolicyName: iam
- PolicyDocument:
- Statement:
- - Effect: Allow
- Action:
- - 'iam:UpdateAccountPasswordPolicy'
- - 'iam:DeleteAccountPasswordPolicy'
- Resource: '*'
- IamPasswordPolicyCustomResource: # needs no monitoring because it is used as a custom resource
- Type: 'AWS::Lambda::Function'
- Properties:
- Code:
- ZipFile:
- !Sub |
- 'use strict';
- const AWS = require('aws-sdk');
- const response = require('./cfn-response');
- const iam = new AWS.IAM({apiVersion: '2010-05-08'});
- exports.handler = (event, context, cb) => {
- console.log(`Invoke: ${!JSON.stringify(event)}`);
- const done = (err) => {
- if (err) {
- console.log(`Error: ${!JSON.stringify(err)}`);
- response.send(event, context, response.FAILED, {}, 'CustomResourcePhysicalID');
- } else {
- response.send(event, context, response.SUCCESS, {}, 'CustomResourcePhysicalID');
- }
- };
- if (event.RequestType === 'Delete') {
- iam.deleteAccountPasswordPolicy({}, done);
- } else if (event.RequestType === 'Create' || event.RequestType === 'Update') {
-
- let maxPasswordAge = undefined;
- let passwordReusePrevention = undefined;
-
- if (Number(event.ResourceProperties.MaxPasswordAge) !== 0) {
- maxPasswordAge = event.ResourceProperties.MaxPasswordAge
- }
-
- if (Number(event.ResourceProperties.PasswordReusePrevention) !== 0) {
- passwordReusePrevention = event.ResourceProperties.PasswordReusePrevention;
- }
-
- iam.updateAccountPasswordPolicy({
- AllowUsersToChangePassword: Boolean(event.ResourceProperties.AllowUsersToChangePassword === 'true'),
- HardExpiry: Boolean(event.ResourceProperties.HardExpiry === 'true'),
- MaxPasswordAge: maxPasswordAge,
- MinimumPasswordLength: event.ResourceProperties.MinimumPasswordLength,
- PasswordReusePrevention: passwordReusePrevention,
- RequireLowercaseCharacters: Boolean(event.ResourceProperties.RequireLowercaseCharacters === 'true'),
- RequireNumbers: Boolean(event.ResourceProperties.RequireNumbers === 'true'),
- RequireSymbols: Boolean(event.ResourceProperties.RequireSymbols === 'true'),
- RequireUppercaseCharacters: Boolean(event.ResourceProperties.RequireUppercaseCharacters === 'true'),
- }, done);
- } else {
- cb(new Error(`unsupported RequestType: ${!event.RequestType}`));
- }
- };
- Handler: 'index.handler'
- MemorySize: 128
- Role: !GetAtt 'LambdaRole.Arn'
- Runtime: 'nodejs10.x'
- Timeout: 60
- LambdaLogGroup:
- Type: 'AWS::Logs::LogGroup'
- Properties:
- LogGroupName: !Sub '/aws/lambda/${IamPasswordPolicyCustomResource}'
- RetentionInDays: !Ref LogsRetentionInDays
- PasswordPolicy:
- Type: 'Custom::PasswordPolicy'
- DependsOn: LambdaLogGroup
- Version: '1.0'
- Properties:
- HardExpiry: !Ref HardExpiry
- AllowUsersToChangePassword: !Ref AllowUsersToChangePassword
- MaxPasswordAge: !Ref MaxPasswordAge
- MinimumPasswordLength: !Ref MinimumPasswordLength
- PasswordReusePrevention: !Ref PasswordReusePrevention
- RequireLowercaseCharacters: !Ref RequireLowercaseCharacters
- RequireNumbers: !Ref RequireNumbers
- RequireSymbols: !Ref RequireSymbols
- RequireUppercaseCharacters: !Ref RequireUppercaseCharacters
- ServiceToken: !GetAtt 'IamPasswordPolicyCustomResource.Arn'
-Outputs:
- StackName:
- Description: 'Stack name.'
- Value: !Sub '${AWS::StackName}'
+---
+# Copyright 2018 widdix GmbH
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'Security: Account Password Policy, a cloudonaut.io template'
+Metadata:
+ 'AWS::CloudFormation::Interface':
+ ParameterGroups:
+ - Label:
+ default: 'Password Policy Parameters'
+ Parameters:
+ - AllowUsersToChangePassword
+ - HardExpiry
+ - MaxPasswordAge
+ - MinimumPasswordLength
+ - PasswordReusePrevention
+ - RequireLowercaseCharacters
+ - RequireNumbers
+ - RequireSymbols
+ - RequireUppercaseCharacters
+ - Label:
+ default: 'Operational Parameters'
+ Parameters:
+ - LogsRetentionInDays
+Parameters:
+ AllowUsersToChangePassword:
+ Description: 'You can permit all IAM users in your account to use the IAM console to change their own passwords.'
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ HardExpiry:
+ Description: 'You can prevent IAM users from choosing a new password after their current password has expired.'
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ MaxPasswordAge:
+ Description: 'You can set IAM user passwords to be valid for only the specified number of days.'
+ Type: Number
+ Default: 90
+ ConstraintDescription: 'Must be in the range [0-1095]'
+ MinValue: 0
+ MaxValue: 1095
+ MinimumPasswordLength:
+ Description: 'You can specify the minimum number of characters allowed in an IAM user password.'
+ Type: Number
+ Default: 12
+ ConstraintDescription: 'Must be in the range [6-128]'
+ MinValue: 6
+ MaxValue: 128
+ PasswordReusePrevention:
+ Description: 'You can prevent IAM users from reusing a specified number of previous passwords.'
+ Type: Number
+ Default: 6
+ ConstraintDescription: 'Must be in the range [0-24]'
+ MinValue: 0
+ MaxValue: 24
+ RequireLowercaseCharacters:
+ Description: 'You can require that IAM user passwords contain at least one lowercase character from the ISO basic Latin alphabet (a to z).'
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ RequireNumbers:
+ Description: 'You can require that IAM user passwords contain at least one numeric character (0 to 9).'
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ RequireSymbols:
+ Description: 'You can require that IAM user passwords contain at least one of the following nonalphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] {} | '''
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ RequireUppercaseCharacters:
+ Description: 'You can require that IAM user passwords contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).'
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ LogsRetentionInDays:
+ Description: 'Specifies the number of days you want to retain log events in the specified log group.'
+ Type: Number
+ Default: 14
+ AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
+Resources:
+ LambdaRole:
+ Type: 'AWS::IAM::Role'
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: W11
+ reason: "Allow Resource * for IAM APIs. The password policy does not have the ARN namespace."
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: 'lambda.amazonaws.com'
+ Action:
+ - 'sts:AssumeRole'
+ Path: '/'
+ ManagedPolicyArns:
+ - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
+ Policies:
+ - PolicyName: iam
+ PolicyDocument:
+ Statement:
+ - Effect: Allow
+ Action:
+ - 'iam:UpdateAccountPasswordPolicy'
+ - 'iam:DeleteAccountPasswordPolicy'
+ Resource: '*'
+ IamPasswordPolicyCustomResource: # needs no monitoring because it is used as a custom resource
+ Type: 'AWS::Lambda::Function'
+ Properties:
+ Code:
+ ZipFile:
+ !Sub |
+ 'use strict';
+ const AWS = require('aws-sdk');
+ const response = require('./cfn-response');
+ const iam = new AWS.IAM({apiVersion: '2010-05-08'});
+ exports.handler = (event, context, cb) => {
+ console.log(`Invoke: ${!JSON.stringify(event)}`);
+ const done = (err) => {
+ if (err) {
+ console.log(`Error: ${!JSON.stringify(err)}`);
+ response.send(event, context, response.FAILED, {}, 'CustomResourcePhysicalID');
+ } else {
+ response.send(event, context, response.SUCCESS, {}, 'CustomResourcePhysicalID');
+ }
+ };
+ if (event.RequestType === 'Delete') {
+ iam.deleteAccountPasswordPolicy({}, done);
+ } else if (event.RequestType === 'Create' || event.RequestType === 'Update') {
+
+ let maxPasswordAge = undefined;
+ let passwordReusePrevention = undefined;
+
+ if (Number(event.ResourceProperties.MaxPasswordAge) !== 0) {
+ maxPasswordAge = event.ResourceProperties.MaxPasswordAge
+ }
+
+ if (Number(event.ResourceProperties.PasswordReusePrevention) !== 0) {
+ passwordReusePrevention = event.ResourceProperties.PasswordReusePrevention;
+ }
+
+ iam.updateAccountPasswordPolicy({
+ AllowUsersToChangePassword: Boolean(event.ResourceProperties.AllowUsersToChangePassword === 'true'),
+ HardExpiry: Boolean(event.ResourceProperties.HardExpiry === 'true'),
+ MaxPasswordAge: maxPasswordAge,
+ MinimumPasswordLength: event.ResourceProperties.MinimumPasswordLength,
+ PasswordReusePrevention: passwordReusePrevention,
+ RequireLowercaseCharacters: Boolean(event.ResourceProperties.RequireLowercaseCharacters === 'true'),
+ RequireNumbers: Boolean(event.ResourceProperties.RequireNumbers === 'true'),
+ RequireSymbols: Boolean(event.ResourceProperties.RequireSymbols === 'true'),
+ RequireUppercaseCharacters: Boolean(event.ResourceProperties.RequireUppercaseCharacters === 'true'),
+ }, done);
+ } else {
+ cb(new Error(`unsupported RequestType: ${!event.RequestType}`));
+ }
+ };
+ Handler: 'index.handler'
+ MemorySize: 128
+ Role: !GetAtt 'LambdaRole.Arn'
+ Runtime: 'nodejs10.x'
+ Timeout: 60
+ LambdaLogGroup:
+ Type: 'AWS::Logs::LogGroup'
+ Properties:
+ LogGroupName: !Sub '/aws/lambda/${IamPasswordPolicyCustomResource}'
+ RetentionInDays: !Ref LogsRetentionInDays
+ PasswordPolicy:
+ Type: 'Custom::PasswordPolicy'
+ DependsOn: LambdaLogGroup
+ Version: '1.0'
+ Properties:
+ HardExpiry: !Ref HardExpiry
+ AllowUsersToChangePassword: !Ref AllowUsersToChangePassword
+ MaxPasswordAge: !Ref MaxPasswordAge
+ MinimumPasswordLength: !Ref MinimumPasswordLength
+ PasswordReusePrevention: !Ref PasswordReusePrevention
+ RequireLowercaseCharacters: !Ref RequireLowercaseCharacters
+ RequireNumbers: !Ref RequireNumbers
+ RequireSymbols: !Ref RequireSymbols
+ RequireUppercaseCharacters: !Ref RequireUppercaseCharacters
+ ServiceToken: !GetAtt 'IamPasswordPolicyCustomResource.Arn'
+Outputs:
+ StackName:
+ Description: 'Stack name.'
+ Value: !Sub '${AWS::StackName}'
diff --git a/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-notifications.template b/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-notifications.template
index 7dccfab3c..c0948694a 100644
--- a/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-notifications.template
+++ b/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-notifications.template
@@ -1,527 +1,527 @@
----
-AWSTemplateFormatVersion: '2010-09-09'
-Description: AWS CloudTrail API Activity Alarm Template for CloudWatch Logs
-Parameters:
- LogGroupName:
- Type: String
- Default: CloudTrail/DefaultLogGroup
- Description: Enter CloudWatch Logs log group name. Default is CloudTrail/DefaultLogGroup
- EnableSecurityGroupChangeAlarm:
- Type: String
- Description: "Enable alarm for security group changes?"
- Default: true
- AllowedValues:
- - true
- - false
- EnableNetworkAclChangeAlarm:
- Type: String
- Description: "Enable alarm for network ACL changes?"
- Default: true
- AllowedValues:
- - true
- - false
- EnableGatewayChangeAlarm:
- Type: String
- Description: "Enable alarm for network gateway changes?"
- Default: true
- AllowedValues:
- - true
- - false
- EnableVpcChangeAlarm:
- Type: String
- Description: "Enable alarm for VPC network changes?"
- Default: true
- AllowedValues:
- - true
- - false
- EnableEc2InstanceChangeAlarm:
- Type: String
- Description: "Enable alarm for EC2 instance changes?"
- Default: true
- AllowedValues:
- - true
- - false
- EnableEc2LargeInstanceChangeAlarm:
- Type: String
- Description: "Enable alarm for EC2 large instance changes?"
- Default: true
- AllowedValues:
- - true
- - false
- EnableCloudTrailChangeAlarm:
- Type: String
- Description: "Enable alarm for CloudTrail changes?"
- Default: true
- AllowedValues:
- - true
- - false
- EnableConsoleSignInFailureAlarm:
- Type: String
- Description: "Enable alarm for Console sign-in failures?"
- Default: true
- AllowedValues:
- - true
- - false
- EnableAuthorizationFailureAlarm:
- Type: String
- Description: "Enable alarm for API authorization failures?"
- Default: true
- AllowedValues:
- - true
- - false
- EnableIamPolicyChangesAlarm:
- Type: String
- Description: "Enable alarm for IAM policy changes?"
- Default: true
- AllowedValues:
- - true
- - false
- EnableRootLoginAlarm:
- Type: String
- Description: "Enable alarm for root login?"
- Default: true
- AllowedValues:
- - true
- - false
- SNSNotificationTopic:
- Type: AWS::SSM::Parameter::Value
- Default: /org/member/local_sns_arn
- Description: "Local Admin SNS Topic for Landing Zone"
-
-Conditions:
- EnableSecurityGroupChange: !Equals
- - !Ref EnableSecurityGroupChangeAlarm
- - 'true'
- EnableNetworkAclChange: !Equals
- - !Ref EnableNetworkAclChangeAlarm
- - 'true'
- EnableGatewayChange: !Equals
- - !Ref EnableGatewayChangeAlarm
- - 'true'
- EnableVpcChange: !Equals
- - !Ref EnableVpcChangeAlarm
- - 'true'
- EnableEc2InstanceChange: !Equals
- - !Ref EnableEc2InstanceChangeAlarm
- - 'true'
- EnableEc2LargeInstanceChange: !Equals
- - !Ref EnableEc2LargeInstanceChangeAlarm
- - 'true'
- EnableCloudTrailChange: !Equals
- - !Ref EnableCloudTrailChangeAlarm
- - 'true'
- EnableConsoleSignInFailure: !Equals
- - !Ref EnableConsoleSignInFailureAlarm
- - 'true'
- EnableAuthorizationFailure: !Equals
- - !Ref EnableAuthorizationFailureAlarm
- - 'true'
- EnableIamPolicyChanges: !Equals
- - !Ref EnableIamPolicyChangesAlarm
- - 'true'
- EnableRootLogin: !Equals
- - !Ref EnableRootLoginAlarm
- - 'true'
-
-
-Resources:
- SecurityGroupChangesMetricFilter:
- Type: AWS::Logs::MetricFilter
- Condition: EnableSecurityGroupChange
- Properties:
- LogGroupName:
- Ref: LogGroupName
- FilterPattern: "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName
- = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress)
- || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup)
- || ($.eventName = DeleteSecurityGroup) }"
- MetricTransformations:
- - MetricNamespace: CloudTrailMetrics
- MetricName: SecurityGroupEventCount
- MetricValue: '1'
- SecurityGroupChangesAlarm:
- Type: AWS::CloudWatch::Alarm
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: W28
- reason: "The alarm name is defined to identify AWS Landing Zone resources."
- Condition: EnableSecurityGroupChange
- Properties:
- AlarmName: CloudTrailSecurityGroupChanges
- AlarmDescription: Alarms when an API call is made to create, update or delete
- a Security Group.
- AlarmActions:
- - !Ref SNSNotificationTopic
- MetricName: SecurityGroupEventCount
- Namespace: CloudTrailMetrics
- ComparisonOperator: GreaterThanOrEqualToThreshold
- EvaluationPeriods: '1'
- Period: '300'
- Statistic: Sum
- Threshold: '1'
- TreatMissingData: notBreaching
- NetworkAclChangesMetricFilter:
- Type: AWS::Logs::MetricFilter
- Condition: EnableNetworkAclChange
- Properties:
- LogGroupName:
- Ref: LogGroupName
- FilterPattern: "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry)
- || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry)
- || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation)
- }"
- MetricTransformations:
- - MetricNamespace: CloudTrailMetrics
- MetricName: NetworkAclEventCount
- MetricValue: '1'
- NetworkAclChangesAlarm:
- Type: AWS::CloudWatch::Alarm
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: W28
- reason: "The alarm name is defined to identify AWS Landing Zone resources."
- DependsOn: SecurityGroupChangesAlarm
- Condition: EnableNetworkAclChange
- Properties:
- AlarmName: CloudTrailNetworkAclChanges
- AlarmDescription: Alarms when an API call is made to create, update or delete
- a Network ACL.
- AlarmActions:
- - !Ref SNSNotificationTopic
- MetricName: NetworkAclEventCount
- Namespace: CloudTrailMetrics
- ComparisonOperator: GreaterThanOrEqualToThreshold
- EvaluationPeriods: '1'
- Period: '300'
- Statistic: Sum
- Threshold: '1'
- TreatMissingData: notBreaching
- GatewayChangesMetricFilter:
- Type: AWS::Logs::MetricFilter
- Condition: EnableGatewayChange
- Properties:
- LogGroupName:
- Ref: LogGroupName
- FilterPattern: "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway)
- || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway)
- || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway)
- }"
- MetricTransformations:
- - MetricNamespace: CloudTrailMetrics
- MetricName: GatewayEventCount
- MetricValue: '1'
- GatewayChangesAlarm:
- Type: AWS::CloudWatch::Alarm
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: W28
- reason: "The alarm name is defined to identify AWS Landing Zone resources."
- DependsOn: NetworkAclChangesAlarm
- Condition: EnableGatewayChange
- Properties:
- AlarmName: CloudTrailGatewayChanges
- AlarmDescription: Alarms when an API call is made to create, update or delete
- a Customer or Internet Gateway.
- AlarmActions:
- - !Ref SNSNotificationTopic
- MetricName: GatewayEventCount
- Namespace: CloudTrailMetrics
- ComparisonOperator: GreaterThanOrEqualToThreshold
- EvaluationPeriods: '1'
- Period: '300'
- Statistic: Sum
- Threshold: '1'
- TreatMissingData: notBreaching
- VpcChangesMetricFilter:
- Type: AWS::Logs::MetricFilter
- Condition: EnableVpcChange
- Properties:
- LogGroupName:
- Ref: LogGroupName
- FilterPattern: "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) ||
- ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection)
- || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection)
- || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc)
- || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink)
- || ($.eventName = EnableVpcClassicLink) }"
- MetricTransformations:
- - MetricNamespace: CloudTrailMetrics
- MetricName: VpcEventCount
- MetricValue: '1'
- VpcChangesAlarm:
- Type: AWS::CloudWatch::Alarm
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: W28
- reason: "The alarm name is defined to identify AWS Landing Zone resources."
- DependsOn: GatewayChangesAlarm
- Condition: EnableVpcChange
- Properties:
- AlarmName: CloudTrailVpcChanges
- AlarmDescription: Alarms when an API call is made to create, update or delete
- a VPC, VPC peering connection or VPC connection to classic.
- AlarmActions:
- - !Ref SNSNotificationTopic
- MetricName: VpcEventCount
- Namespace: CloudTrailMetrics
- ComparisonOperator: GreaterThanOrEqualToThreshold
- EvaluationPeriods: '1'
- Period: '300'
- Statistic: Sum
- Threshold: '1'
- TreatMissingData: notBreaching
- EC2InstanceChangesMetricFilter:
- Type: AWS::Logs::MetricFilter
- Condition: EnableEc2InstanceChange
- Properties:
- LogGroupName:
- Ref: LogGroupName
- FilterPattern: "{ ($.eventName = RunInstances) || ($.eventName = RebootInstances)
- || ($.eventName = StartInstances) || ($.eventName = StopInstances) || ($.eventName
- = TerminateInstances) }"
- MetricTransformations:
- - MetricNamespace: CloudTrailMetrics
- MetricName: EC2InstanceEventCount
- MetricValue: '1'
- EC2InstanceChangesAlarm:
- Type: AWS::CloudWatch::Alarm
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: W28
- reason: "The alarm name is defined to identify AWS Landing Zone resources."
- DependsOn: VpcChangesAlarm
- Condition: EnableEc2InstanceChange
- Properties:
- AlarmName: CloudTrailEC2InstanceChanges
- AlarmDescription: Alarms when an API call is made to create, terminate, start,
- stop or reboot an EC2 instance.
- AlarmActions:
- - !Ref SNSNotificationTopic
- MetricName: EC2InstanceEventCount
- Namespace: CloudTrailMetrics
- ComparisonOperator: GreaterThanOrEqualToThreshold
- EvaluationPeriods: '1'
- Period: '300'
- Statistic: Sum
- Threshold: '1'
- TreatMissingData: notBreaching
- EC2LargeInstanceChangesMetricFilter:
- Type: AWS::Logs::MetricFilter
- Condition: EnableEc2LargeInstanceChange
- Properties:
- LogGroupName:
- Ref: LogGroupName
- FilterPattern: "{ (($.eventName = RunInstances) || ($.eventName = RebootInstances)
- || ($.eventName = StartInstances) || ($.eventName = StopInstances) || ($.eventName
- = TerminateInstances)) && (($.requestParameters.instanceType
- = *.32xlarge) || ($.requestParameters.instanceType
- = *.24xlarge) || ($.requestParameters.instanceType
- = *.18xlarge) || ($.requestParameters.instanceType
- = *.16xlarge) || ($.requestParameters.instanceType
- = *.12xlarge) || ($.requestParameters.instanceType
- = *.10xlarge) || ($.requestParameters.instanceType
- = *.9xlarge) || ($.requestParameters.instanceType
- = *.8xlarge) || ($.requestParameters.instanceType = *.4xlarge)) }"
- MetricTransformations:
- - MetricNamespace: CloudTrailMetrics
- MetricName: EC2LargeInstanceEventCount
- MetricValue: '1'
- EC2LargeInstanceChangesAlarm:
- Type: AWS::CloudWatch::Alarm
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: W28
- reason: "The alarm name is defined to identify AWS Landing Zone resources."
- DependsOn: EC2InstanceChangesAlarm
- Condition: EnableEc2LargeInstanceChange
- Properties:
- AlarmName: CloudTrailEC2LargeInstanceChanges
- AlarmDescription: Alarms when an API call is made to create, terminate, start,
- stop or reboot a 4x, 8x, 9x, 10x, 12x, 16x, 18x, 24x, 32x-large EC2 instance.
- AlarmActions:
- - !Ref SNSNotificationTopic
- MetricName: EC2LargeInstanceEventCount
- Namespace: CloudTrailMetrics
- ComparisonOperator: GreaterThanOrEqualToThreshold
- EvaluationPeriods: '1'
- Period: '300'
- Statistic: Sum
- Threshold: '1'
- TreatMissingData: notBreaching
- CloudTrailChangesMetricFilter:
- Type: AWS::Logs::MetricFilter
- Condition: EnableCloudTrailChange
- Properties:
- LogGroupName:
- Ref: LogGroupName
- FilterPattern: "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail)
- || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName
- = StopLogging) }"
- MetricTransformations:
- - MetricNamespace: CloudTrailMetrics
- MetricName: CloudTrailEventCount
- MetricValue: '1'
- CloudTrailChangesAlarm:
- Type: AWS::CloudWatch::Alarm
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: W28
- reason: "The alarm name is defined to identify AWS Landing Zone resources."
- DependsOn: EC2LargeInstanceChangesAlarm
- Condition: EnableCloudTrailChange
- Properties:
- AlarmName: CloudTrailChanges
- AlarmDescription: Alarms when an API call is made to create, update or delete
- a CloudTrail trail, or to start or stop logging to a trail.
- AlarmActions:
- - !Ref SNSNotificationTopic
- MetricName: CloudTrailEventCount
- Namespace: CloudTrailMetrics
- ComparisonOperator: GreaterThanOrEqualToThreshold
- EvaluationPeriods: '1'
- Period: '300'
- Statistic: Sum
- Threshold: '1'
- TreatMissingData: notBreaching
- ConsoleSignInFailuresMetricFilter:
- Type: AWS::Logs::MetricFilter
- Condition: EnableConsoleSignInFailure
- Properties:
- LogGroupName:
- Ref: LogGroupName
- FilterPattern: '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed
- authentication") }'
- MetricTransformations:
- - MetricNamespace: CloudTrailMetrics
- MetricName: ConsoleSignInFailureCount
- MetricValue: '1'
- ConsoleSignInFailuresAlarm:
- Type: AWS::CloudWatch::Alarm
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: W28
- reason: "The alarm name is defined to identify AWS Landing Zone resources."
- DependsOn: CloudTrailChangesAlarm
- Condition: EnableConsoleSignInFailure
- Properties:
- AlarmName: CloudTrailConsoleSignInFailures
- AlarmDescription: Alarms when an unauthenticated API call is made to sign into
- the console.
- AlarmActions:
- - !Ref SNSNotificationTopic
- MetricName: ConsoleSignInFailureCount
- Namespace: CloudTrailMetrics
- ComparisonOperator: GreaterThanOrEqualToThreshold
- EvaluationPeriods: '1'
- Period: '300'
- Statistic: Sum
- Threshold: '3'
- TreatMissingData: notBreaching
- AuthorizationFailuresMetricFilter:
- Type: AWS::Logs::MetricFilter
- Condition: EnableAuthorizationFailure
- Properties:
- LogGroupName:
- Ref: LogGroupName
- FilterPattern: '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode =
- "AccessDenied*") }'
- MetricTransformations:
- - MetricNamespace: CloudTrailMetrics
- MetricName: AuthorizationFailureCount
- MetricValue: '1'
- AuthorizationFailuresAlarm:
- Type: AWS::CloudWatch::Alarm
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: W28
- reason: "The alarm name is defined to identify AWS Landing Zone resources."
- DependsOn: ConsoleSignInFailuresAlarm
- Condition: EnableAuthorizationFailure
- Properties:
- AlarmName: CloudTrailAuthorizationFailures
- AlarmDescription: Alarms when an unauthorized API call is made.
- AlarmActions:
- - !Ref SNSNotificationTopic
- MetricName: AuthorizationFailureCount
- Namespace: CloudTrailMetrics
- ComparisonOperator: GreaterThanOrEqualToThreshold
- EvaluationPeriods: '1'
- Period: '300'
- Statistic: Sum
- Threshold: '1'
- TreatMissingData: notBreaching
- IAMPolicyChangesMetricFilter:
- Type: AWS::Logs::MetricFilter
- Condition: EnableIamPolicyChanges
- Properties:
- LogGroupName:
- Ref: LogGroupName
- FilterPattern: "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
- MetricTransformations:
- - MetricNamespace: CloudTrailMetrics
- MetricName: IAMPolicyEventCount
- MetricValue: '1'
- IAMPolicyChangesAlarm:
- Type: AWS::CloudWatch::Alarm
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: W28
- reason: "The alarm name is defined to identify AWS Landing Zone resources."
- DependsOn: AuthorizationFailuresAlarm
- Condition: EnableIamPolicyChanges
- Properties:
- AlarmName: IAMPolicyChanges
- AlarmDescription: Alarms when IAM policy changs are made.
- AlarmActions:
- - !Ref SNSNotificationTopic
- MetricName: IAMPolicyEventCount
- Namespace: CloudTrailMetrics
- ComparisonOperator: GreaterThanOrEqualToThreshold
- EvaluationPeriods: '1'
- Period: '300'
- Statistic: Sum
- Threshold: '1'
- TreatMissingData: notBreaching
- RootLoginMetricFilter:
- Type: AWS::Logs::MetricFilter
- Condition: EnableRootLogin
- Properties:
- LogGroupName:
- Ref: LogGroupName
- FilterPattern: '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }'
- MetricTransformations:
- - MetricNamespace: CloudTrailMetrics
- MetricName: RootLoginEventCount
- MetricValue: '1'
- RootLoginAlarm:
- Type: AWS::CloudWatch::Alarm
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: W28
- reason: "The alarm name is defined to identify AWS Landing Zone resources."
- DependsOn: IAMPolicyChangesAlarm
- Condition: EnableRootLogin
- Properties:
- AlarmName: RootLogin
- AlarmDescription: Alarms when the root user logs in.
- AlarmActions:
- - !Ref SNSNotificationTopic
- MetricName: RootLoginEventCount
- Namespace: CloudTrailMetrics
- ComparisonOperator: GreaterThanOrEqualToThreshold
- EvaluationPeriods: '1'
- Period: '300'
- Statistic: Sum
- Threshold: '1'
- TreatMissingData: notBreaching
+---
+AWSTemplateFormatVersion: '2010-09-09'
+Description: AWS CloudTrail API Activity Alarm Template for CloudWatch Logs
+Parameters:
+ LogGroupName:
+ Type: String
+ Default: CloudTrail/DefaultLogGroup
+ Description: Enter CloudWatch Logs log group name. Default is CloudTrail/DefaultLogGroup
+ EnableSecurityGroupChangeAlarm:
+ Type: String
+ Description: "Enable alarm for security group changes?"
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ EnableNetworkAclChangeAlarm:
+ Type: String
+ Description: "Enable alarm for network ACL changes?"
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ EnableGatewayChangeAlarm:
+ Type: String
+ Description: "Enable alarm for network gateway changes?"
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ EnableVpcChangeAlarm:
+ Type: String
+ Description: "Enable alarm for VPC network changes?"
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ EnableEc2InstanceChangeAlarm:
+ Type: String
+ Description: "Enable alarm for EC2 instance changes?"
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ EnableEc2LargeInstanceChangeAlarm:
+ Type: String
+ Description: "Enable alarm for EC2 large instance changes?"
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ EnableCloudTrailChangeAlarm:
+ Type: String
+ Description: "Enable alarm for CloudTrail changes?"
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ EnableConsoleSignInFailureAlarm:
+ Type: String
+ Description: "Enable alarm for Console sign-in failures?"
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ EnableAuthorizationFailureAlarm:
+ Type: String
+ Description: "Enable alarm for API authorization failures?"
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ EnableIamPolicyChangesAlarm:
+ Type: String
+ Description: "Enable alarm for IAM policy changes?"
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ EnableRootLoginAlarm:
+ Type: String
+ Description: "Enable alarm for root login?"
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ SNSNotificationTopic:
+ Type: AWS::SSM::Parameter::Value
+ Default: /org/member/local_sns_arn
+ Description: "Local Admin SNS Topic for Landing Zone"
+
+Conditions:
+ EnableSecurityGroupChange: !Equals
+ - !Ref EnableSecurityGroupChangeAlarm
+ - 'true'
+ EnableNetworkAclChange: !Equals
+ - !Ref EnableNetworkAclChangeAlarm
+ - 'true'
+ EnableGatewayChange: !Equals
+ - !Ref EnableGatewayChangeAlarm
+ - 'true'
+ EnableVpcChange: !Equals
+ - !Ref EnableVpcChangeAlarm
+ - 'true'
+ EnableEc2InstanceChange: !Equals
+ - !Ref EnableEc2InstanceChangeAlarm
+ - 'true'
+ EnableEc2LargeInstanceChange: !Equals
+ - !Ref EnableEc2LargeInstanceChangeAlarm
+ - 'true'
+ EnableCloudTrailChange: !Equals
+ - !Ref EnableCloudTrailChangeAlarm
+ - 'true'
+ EnableConsoleSignInFailure: !Equals
+ - !Ref EnableConsoleSignInFailureAlarm
+ - 'true'
+ EnableAuthorizationFailure: !Equals
+ - !Ref EnableAuthorizationFailureAlarm
+ - 'true'
+ EnableIamPolicyChanges: !Equals
+ - !Ref EnableIamPolicyChangesAlarm
+ - 'true'
+ EnableRootLogin: !Equals
+ - !Ref EnableRootLoginAlarm
+ - 'true'
+
+
+Resources:
+ SecurityGroupChangesMetricFilter:
+ Type: AWS::Logs::MetricFilter
+ Condition: EnableSecurityGroupChange
+ Properties:
+ LogGroupName:
+ Ref: LogGroupName
+ FilterPattern: "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName
+ = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress)
+ || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup)
+ || ($.eventName = DeleteSecurityGroup) }"
+ MetricTransformations:
+ - MetricNamespace: CloudTrailMetrics
+ MetricName: SecurityGroupEventCount
+ MetricValue: '1'
+ SecurityGroupChangesAlarm:
+ Type: AWS::CloudWatch::Alarm
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: W28
+ reason: "The alarm name is defined to identify AWS Landing Zone resources."
+ Condition: EnableSecurityGroupChange
+ Properties:
+ AlarmName: CloudTrailSecurityGroupChanges
+ AlarmDescription: Alarms when an API call is made to create, update or delete
+ a Security Group.
+ AlarmActions:
+ - !Ref SNSNotificationTopic
+ MetricName: SecurityGroupEventCount
+ Namespace: CloudTrailMetrics
+ ComparisonOperator: GreaterThanOrEqualToThreshold
+ EvaluationPeriods: '1'
+ Period: '300'
+ Statistic: Sum
+ Threshold: '1'
+ TreatMissingData: notBreaching
+ NetworkAclChangesMetricFilter:
+ Type: AWS::Logs::MetricFilter
+ Condition: EnableNetworkAclChange
+ Properties:
+ LogGroupName:
+ Ref: LogGroupName
+ FilterPattern: "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry)
+ || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry)
+ || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation)
+ }"
+ MetricTransformations:
+ - MetricNamespace: CloudTrailMetrics
+ MetricName: NetworkAclEventCount
+ MetricValue: '1'
+ NetworkAclChangesAlarm:
+ Type: AWS::CloudWatch::Alarm
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: W28
+ reason: "The alarm name is defined to identify AWS Landing Zone resources."
+ DependsOn: SecurityGroupChangesAlarm
+ Condition: EnableNetworkAclChange
+ Properties:
+ AlarmName: CloudTrailNetworkAclChanges
+ AlarmDescription: Alarms when an API call is made to create, update or delete
+ a Network ACL.
+ AlarmActions:
+ - !Ref SNSNotificationTopic
+ MetricName: NetworkAclEventCount
+ Namespace: CloudTrailMetrics
+ ComparisonOperator: GreaterThanOrEqualToThreshold
+ EvaluationPeriods: '1'
+ Period: '300'
+ Statistic: Sum
+ Threshold: '1'
+ TreatMissingData: notBreaching
+ GatewayChangesMetricFilter:
+ Type: AWS::Logs::MetricFilter
+ Condition: EnableGatewayChange
+ Properties:
+ LogGroupName:
+ Ref: LogGroupName
+ FilterPattern: "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway)
+ || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway)
+ || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway)
+ }"
+ MetricTransformations:
+ - MetricNamespace: CloudTrailMetrics
+ MetricName: GatewayEventCount
+ MetricValue: '1'
+ GatewayChangesAlarm:
+ Type: AWS::CloudWatch::Alarm
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: W28
+ reason: "The alarm name is defined to identify AWS Landing Zone resources."
+ DependsOn: NetworkAclChangesAlarm
+ Condition: EnableGatewayChange
+ Properties:
+ AlarmName: CloudTrailGatewayChanges
+ AlarmDescription: Alarms when an API call is made to create, update or delete
+ a Customer or Internet Gateway.
+ AlarmActions:
+ - !Ref SNSNotificationTopic
+ MetricName: GatewayEventCount
+ Namespace: CloudTrailMetrics
+ ComparisonOperator: GreaterThanOrEqualToThreshold
+ EvaluationPeriods: '1'
+ Period: '300'
+ Statistic: Sum
+ Threshold: '1'
+ TreatMissingData: notBreaching
+ VpcChangesMetricFilter:
+ Type: AWS::Logs::MetricFilter
+ Condition: EnableVpcChange
+ Properties:
+ LogGroupName:
+ Ref: LogGroupName
+ FilterPattern: "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) ||
+ ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection)
+ || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection)
+ || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc)
+ || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink)
+ || ($.eventName = EnableVpcClassicLink) }"
+ MetricTransformations:
+ - MetricNamespace: CloudTrailMetrics
+ MetricName: VpcEventCount
+ MetricValue: '1'
+ VpcChangesAlarm:
+ Type: AWS::CloudWatch::Alarm
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: W28
+ reason: "The alarm name is defined to identify AWS Landing Zone resources."
+ DependsOn: GatewayChangesAlarm
+ Condition: EnableVpcChange
+ Properties:
+ AlarmName: CloudTrailVpcChanges
+ AlarmDescription: Alarms when an API call is made to create, update or delete
+ a VPC, VPC peering connection or VPC connection to classic.
+ AlarmActions:
+ - !Ref SNSNotificationTopic
+ MetricName: VpcEventCount
+ Namespace: CloudTrailMetrics
+ ComparisonOperator: GreaterThanOrEqualToThreshold
+ EvaluationPeriods: '1'
+ Period: '300'
+ Statistic: Sum
+ Threshold: '1'
+ TreatMissingData: notBreaching
+ EC2InstanceChangesMetricFilter:
+ Type: AWS::Logs::MetricFilter
+ Condition: EnableEc2InstanceChange
+ Properties:
+ LogGroupName:
+ Ref: LogGroupName
+ FilterPattern: "{ ($.eventName = RunInstances) || ($.eventName = RebootInstances)
+ || ($.eventName = StartInstances) || ($.eventName = StopInstances) || ($.eventName
+ = TerminateInstances) }"
+ MetricTransformations:
+ - MetricNamespace: CloudTrailMetrics
+ MetricName: EC2InstanceEventCount
+ MetricValue: '1'
+ EC2InstanceChangesAlarm:
+ Type: AWS::CloudWatch::Alarm
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: W28
+ reason: "The alarm name is defined to identify AWS Landing Zone resources."
+ DependsOn: VpcChangesAlarm
+ Condition: EnableEc2InstanceChange
+ Properties:
+ AlarmName: CloudTrailEC2InstanceChanges
+ AlarmDescription: Alarms when an API call is made to create, terminate, start,
+ stop or reboot an EC2 instance.
+ AlarmActions:
+ - !Ref SNSNotificationTopic
+ MetricName: EC2InstanceEventCount
+ Namespace: CloudTrailMetrics
+ ComparisonOperator: GreaterThanOrEqualToThreshold
+ EvaluationPeriods: '1'
+ Period: '300'
+ Statistic: Sum
+ Threshold: '1'
+ TreatMissingData: notBreaching
+ EC2LargeInstanceChangesMetricFilter:
+ Type: AWS::Logs::MetricFilter
+ Condition: EnableEc2LargeInstanceChange
+ Properties:
+ LogGroupName:
+ Ref: LogGroupName
+ FilterPattern: "{ (($.eventName = RunInstances) || ($.eventName = RebootInstances)
+ || ($.eventName = StartInstances) || ($.eventName = StopInstances) || ($.eventName
+ = TerminateInstances)) && (($.requestParameters.instanceType
+ = *.32xlarge) || ($.requestParameters.instanceType
+ = *.24xlarge) || ($.requestParameters.instanceType
+ = *.18xlarge) || ($.requestParameters.instanceType
+ = *.16xlarge) || ($.requestParameters.instanceType
+ = *.12xlarge) || ($.requestParameters.instanceType
+ = *.10xlarge) || ($.requestParameters.instanceType
+ = *.9xlarge) || ($.requestParameters.instanceType
+ = *.8xlarge) || ($.requestParameters.instanceType = *.4xlarge)) }"
+ MetricTransformations:
+ - MetricNamespace: CloudTrailMetrics
+ MetricName: EC2LargeInstanceEventCount
+ MetricValue: '1'
+ EC2LargeInstanceChangesAlarm:
+ Type: AWS::CloudWatch::Alarm
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: W28
+ reason: "The alarm name is defined to identify AWS Landing Zone resources."
+ DependsOn: EC2InstanceChangesAlarm
+ Condition: EnableEc2LargeInstanceChange
+ Properties:
+ AlarmName: CloudTrailEC2LargeInstanceChanges
+ AlarmDescription: Alarms when an API call is made to create, terminate, start,
+ stop or reboot a 4x, 8x, 9x, 10x, 12x, 16x, 18x, 24x, 32x-large EC2 instance.
+ AlarmActions:
+ - !Ref SNSNotificationTopic
+ MetricName: EC2LargeInstanceEventCount
+ Namespace: CloudTrailMetrics
+ ComparisonOperator: GreaterThanOrEqualToThreshold
+ EvaluationPeriods: '1'
+ Period: '300'
+ Statistic: Sum
+ Threshold: '1'
+ TreatMissingData: notBreaching
+ CloudTrailChangesMetricFilter:
+ Type: AWS::Logs::MetricFilter
+ Condition: EnableCloudTrailChange
+ Properties:
+ LogGroupName:
+ Ref: LogGroupName
+ FilterPattern: "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail)
+ || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName
+ = StopLogging) }"
+ MetricTransformations:
+ - MetricNamespace: CloudTrailMetrics
+ MetricName: CloudTrailEventCount
+ MetricValue: '1'
+ CloudTrailChangesAlarm:
+ Type: AWS::CloudWatch::Alarm
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: W28
+ reason: "The alarm name is defined to identify AWS Landing Zone resources."
+ DependsOn: EC2LargeInstanceChangesAlarm
+ Condition: EnableCloudTrailChange
+ Properties:
+ AlarmName: CloudTrailChanges
+ AlarmDescription: Alarms when an API call is made to create, update or delete
+ a CloudTrail trail, or to start or stop logging to a trail.
+ AlarmActions:
+ - !Ref SNSNotificationTopic
+ MetricName: CloudTrailEventCount
+ Namespace: CloudTrailMetrics
+ ComparisonOperator: GreaterThanOrEqualToThreshold
+ EvaluationPeriods: '1'
+ Period: '300'
+ Statistic: Sum
+ Threshold: '1'
+ TreatMissingData: notBreaching
+ ConsoleSignInFailuresMetricFilter:
+ Type: AWS::Logs::MetricFilter
+ Condition: EnableConsoleSignInFailure
+ Properties:
+ LogGroupName:
+ Ref: LogGroupName
+ FilterPattern: '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed
+ authentication") }'
+ MetricTransformations:
+ - MetricNamespace: CloudTrailMetrics
+ MetricName: ConsoleSignInFailureCount
+ MetricValue: '1'
+ ConsoleSignInFailuresAlarm:
+ Type: AWS::CloudWatch::Alarm
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: W28
+ reason: "The alarm name is defined to identify AWS Landing Zone resources."
+ DependsOn: CloudTrailChangesAlarm
+ Condition: EnableConsoleSignInFailure
+ Properties:
+ AlarmName: CloudTrailConsoleSignInFailures
+ AlarmDescription: Alarms when an unauthenticated API call is made to sign into
+ the console.
+ AlarmActions:
+ - !Ref SNSNotificationTopic
+ MetricName: ConsoleSignInFailureCount
+ Namespace: CloudTrailMetrics
+ ComparisonOperator: GreaterThanOrEqualToThreshold
+ EvaluationPeriods: '1'
+ Period: '300'
+ Statistic: Sum
+ Threshold: '3'
+ TreatMissingData: notBreaching
+ AuthorizationFailuresMetricFilter:
+ Type: AWS::Logs::MetricFilter
+ Condition: EnableAuthorizationFailure
+ Properties:
+ LogGroupName:
+ Ref: LogGroupName
+ FilterPattern: '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode =
+ "AccessDenied*") }'
+ MetricTransformations:
+ - MetricNamespace: CloudTrailMetrics
+ MetricName: AuthorizationFailureCount
+ MetricValue: '1'
+ AuthorizationFailuresAlarm:
+ Type: AWS::CloudWatch::Alarm
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: W28
+ reason: "The alarm name is defined to identify AWS Landing Zone resources."
+ DependsOn: ConsoleSignInFailuresAlarm
+ Condition: EnableAuthorizationFailure
+ Properties:
+ AlarmName: CloudTrailAuthorizationFailures
+ AlarmDescription: Alarms when an unauthorized API call is made.
+ AlarmActions:
+ - !Ref SNSNotificationTopic
+ MetricName: AuthorizationFailureCount
+ Namespace: CloudTrailMetrics
+ ComparisonOperator: GreaterThanOrEqualToThreshold
+ EvaluationPeriods: '1'
+ Period: '300'
+ Statistic: Sum
+ Threshold: '1'
+ TreatMissingData: notBreaching
+ IAMPolicyChangesMetricFilter:
+ Type: AWS::Logs::MetricFilter
+ Condition: EnableIamPolicyChanges
+ Properties:
+ LogGroupName:
+ Ref: LogGroupName
+ FilterPattern: "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
+ MetricTransformations:
+ - MetricNamespace: CloudTrailMetrics
+ MetricName: IAMPolicyEventCount
+ MetricValue: '1'
+ IAMPolicyChangesAlarm:
+ Type: AWS::CloudWatch::Alarm
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: W28
+ reason: "The alarm name is defined to identify AWS Landing Zone resources."
+ DependsOn: AuthorizationFailuresAlarm
+ Condition: EnableIamPolicyChanges
+ Properties:
+ AlarmName: IAMPolicyChanges
+ AlarmDescription: Alarms when IAM policy changs are made.
+ AlarmActions:
+ - !Ref SNSNotificationTopic
+ MetricName: IAMPolicyEventCount
+ Namespace: CloudTrailMetrics
+ ComparisonOperator: GreaterThanOrEqualToThreshold
+ EvaluationPeriods: '1'
+ Period: '300'
+ Statistic: Sum
+ Threshold: '1'
+ TreatMissingData: notBreaching
+ RootLoginMetricFilter:
+ Type: AWS::Logs::MetricFilter
+ Condition: EnableRootLogin
+ Properties:
+ LogGroupName:
+ Ref: LogGroupName
+ FilterPattern: '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }'
+ MetricTransformations:
+ - MetricNamespace: CloudTrailMetrics
+ MetricName: RootLoginEventCount
+ MetricValue: '1'
+ RootLoginAlarm:
+ Type: AWS::CloudWatch::Alarm
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: W28
+ reason: "The alarm name is defined to identify AWS Landing Zone resources."
+ DependsOn: IAMPolicyChangesAlarm
+ Condition: EnableRootLogin
+ Properties:
+ AlarmName: RootLogin
+ AlarmDescription: Alarms when the root user logs in.
+ AlarmActions:
+ - !Ref SNSNotificationTopic
+ MetricName: RootLoginEventCount
+ Namespace: CloudTrailMetrics
+ ComparisonOperator: GreaterThanOrEqualToThreshold
+ EvaluationPeriods: '1'
+ Period: '300'
+ Statistic: Sum
+ Threshold: '1'
+ TreatMissingData: notBreaching
diff --git a/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-security-roles.template b/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-security-roles.template
index 5a9d985c9..89baac860 100644
--- a/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-security-roles.template
+++ b/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-security-roles.template
@@ -1,87 +1,87 @@
-AWSTemplateFormatVersion: 2010-09-09
-Description: Configure the AWSLandingZoneAdminExecutionRole to enable read only access the target account.
-
-Parameters:
- SecurityAccountAdminRoleArn:
- Type: String
- Description: Admin role ARN from the security account.
- SecurityAccountReadOnlyRoleArn:
- Type: String
- Description: Admin role ARN from the security account.
- AdminRoleName:
- Type: String
- Description: Role name for administrator access.
- Default: AWSLandingZoneAdminExecutionRole
- ReadOnlyRoleName:
- Type: String
- Description: Role name for read-only access.
- Default: AWSLandingZoneReadOnlyExecutionRole
- EnableAdminRole:
- Type: String
- Default: 'true'
- Description: Create an administrative cross-account role from SecurityAccountId to this account.
- AllowedValues:
- - 'true'
- - 'false'
- EnableReadOnlyRole:
- Type: String
- Default: 'true'
- Description: Create a read-only cross-account role from SecurityAccountId to this account.
- AllowedValues:
- - 'true'
- - 'false'
-
-Conditions:
- CreateAdminRole: !Equals
- - !Ref EnableAdminRole
- - 'true'
- CreateReadOnlyRole: !Equals
- - !Ref EnableReadOnlyRole
- - 'true'
-
-Resources:
- AdminExecutionRole:
- Type: AWS::IAM::Role
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: W28
- reason: "The role name is defined to allow cross account access from the security account."
- Condition: CreateAdminRole
- Properties:
- RoleName: !Ref AdminRoleName
- AssumeRolePolicyDocument:
- Version: 2012-10-17
- Statement:
- - Effect: Allow
- Principal:
- AWS:
- - !Ref SecurityAccountAdminRoleArn
- Action:
- - sts:AssumeRole
- Path: /
- ManagedPolicyArns:
- - arn:aws:iam::aws:policy/AdministratorAccess
-
- ReadOnlyExecutionRole:
- Type: AWS::IAM::Role
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: W28
- reason: "The role name is defined to allow cross account access from the security account."
- Condition: CreateReadOnlyRole
- Properties:
- RoleName: !Ref ReadOnlyRoleName
- AssumeRolePolicyDocument:
- Version: 2012-10-17
- Statement:
- - Effect: Allow
- Principal:
- AWS:
- - !Ref SecurityAccountReadOnlyRoleArn
- Action:
- - sts:AssumeRole
- Path: /
- ManagedPolicyArns:
- - arn:aws:iam::aws:policy/ReadOnlyAccess
+AWSTemplateFormatVersion: 2010-09-09
+Description: Configure the AWSLandingZoneAdminExecutionRole to enable read only access the target account.
+
+Parameters:
+ SecurityAccountAdminRoleArn:
+ Type: String
+ Description: Admin role ARN from the security account.
+ SecurityAccountReadOnlyRoleArn:
+ Type: String
+ Description: Admin role ARN from the security account.
+ AdminRoleName:
+ Type: String
+ Description: Role name for administrator access.
+ Default: AWSLandingZoneAdminExecutionRole
+ ReadOnlyRoleName:
+ Type: String
+ Description: Role name for read-only access.
+ Default: AWSLandingZoneReadOnlyExecutionRole
+ EnableAdminRole:
+ Type: String
+ Default: 'true'
+ Description: Create an administrative cross-account role from SecurityAccountId to this account.
+ AllowedValues:
+ - 'true'
+ - 'false'
+ EnableReadOnlyRole:
+ Type: String
+ Default: 'true'
+ Description: Create a read-only cross-account role from SecurityAccountId to this account.
+ AllowedValues:
+ - 'true'
+ - 'false'
+
+Conditions:
+ CreateAdminRole: !Equals
+ - !Ref EnableAdminRole
+ - 'true'
+ CreateReadOnlyRole: !Equals
+ - !Ref EnableReadOnlyRole
+ - 'true'
+
+Resources:
+ AdminExecutionRole:
+ Type: AWS::IAM::Role
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: W28
+ reason: "The role name is defined to allow cross account access from the security account."
+ Condition: CreateAdminRole
+ Properties:
+ RoleName: !Ref AdminRoleName
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ AWS:
+ - !Ref SecurityAccountAdminRoleArn
+ Action:
+ - sts:AssumeRole
+ Path: /
+ ManagedPolicyArns:
+ - arn:aws:iam::aws:policy/AdministratorAccess
+
+ ReadOnlyExecutionRole:
+ Type: AWS::IAM::Role
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: W28
+ reason: "The role name is defined to allow cross account access from the security account."
+ Condition: CreateReadOnlyRole
+ Properties:
+ RoleName: !Ref ReadOnlyRoleName
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ AWS:
+ - !Ref SecurityAccountReadOnlyRoleArn
+ Action:
+ - sts:AssumeRole
+ Path: /
+ ManagedPolicyArns:
+ - arn:aws:iam::aws:policy/ReadOnlyAccess
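Review bot: The `Description` under the `SecurityAccountReadOnlyRoleArn` parameter still reads `Admin role ARN from the security account.`, a copy-paste of the admin parameter that will mislead whoever fills it in; it should be `Description: Read-only role ARN from the security account.` The template-level `Description` has the same problem, saying the file enables "read only access" while `AdminExecutionRole` attaches `arn:aws:iam::aws:policy/AdministratorAccess` behind a trust statement whose only gate is the principal ARN (no `Condition` block), so it understates what a deploy grants; something like `Description: Create cross-account administrator and read-only execution roles assumable from the security account.` matches the resources. If relying solely on the security-account role ARN is the intended design for the admin role, a one-line comment above each `AssumeRolePolicyDocument` stating that no MFA or ExternalId condition is applied, and why, would save the next auditor from guessing. This hunk appears to re-add every line of the file verbatim (presumably a line-ending change), so these points predate the commit but the file is being re-committed as-is.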
diff --git a/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-vpc.template b/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-vpc.template
index c9dbded97..c0a51ba67 100644
--- a/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-vpc.template
+++ b/reference-artifacts/aws-landing-zone-configuration/templates/aws_baseline/aws-landing-zone-vpc.template
@@ -1,1291 +1,1291 @@
-AWSTemplateFormatVersion: '2010-09-09'
-Description: This template creates a Multi-AZ, multi-subnet VPC infrastructure with
- managed NAT gateways in the public subnet for each Availability Zone. You can also
- create additional private subnets with dedicated custom network access control lists
- (ACLs) - (SO0051).
-Metadata:
- AWS::CloudFormation::Interface:
- ParameterGroups:
- - Label:
- default: Availability Zone Configuration
- Parameters:
- - AvailabilityZones
- - NumberOfAZs
- - Label:
- default: Network Configuration
- Parameters:
- - VPCCIDR
- - CreatePublicSubnets
- - CreatePrivateSubnets
- - PrivateSubnet1ACIDR
- - PrivateSubnet2ACIDR
- - PrivateSubnet3ACIDR
- - PrivateSubnet4ACIDR
- - PublicSubnet1CIDR
- - PublicSubnet2CIDR
- - PublicSubnet3CIDR
- - PublicSubnet4CIDR
- - CreateAdditionalPrivateSubnets
- - PrivateSubnet1BCIDR
- - PrivateSubnet2BCIDR
- - PrivateSubnet3BCIDR
- - PrivateSubnet4BCIDR
- - LogsRetentionInDays
- ParameterLabels:
- AvailabilityZones:
- default: Availability Zones
- CreateAdditionalPrivateSubnets:
- default: Create additional private subnets with dedicated network ACLs
- CreatePrivateSubnets:
- default: Create private subnets
- CreatePublicSubnets:
- default: Create public subnets
- NumberOfAZs:
- default: Number of Availability Zones
- PrivateSubnet1ACIDR:
- default: Private subnet 1A CIDR
- PrivateSubnet1BCIDR:
- default: Private subnet 1B with dedicated network ACL CIDR
- PrivateSubnet2ACIDR:
- default: Private subnet 2A CIDR
- PrivateSubnet2BCIDR:
- default: Private subnet 2B with dedicated network ACL CIDR
- PrivateSubnet3ACIDR:
- default: Private subnet 3A CIDR
- PrivateSubnet3BCIDR:
- default: Private subnet 3B with dedicated network ACL CIDR
- PrivateSubnet4ACIDR:
- default: Private subnet 4A CIDR
- PrivateSubnet4BCIDR:
- default: Private subnet 4B with dedicated network ACL CIDR
- PublicSubnet1CIDR:
- default: Public subnet 1 CIDR
- PublicSubnet2CIDR:
- default: Public subnet 2 CIDR
- PublicSubnet3CIDR:
- default: Public subnet 3 CIDR
- PublicSubnet4CIDR:
- default: Public subnet 4 CIDR
- VPCCIDR:
- default: VPC CIDR
- LogsRetentionInDays:
- default: Flow Logs Retention In Days
-Parameters:
- ManagedResourcePrefix:
- Type: 'String'
- Description: 'Prefix for the managed resources'
- AvailabilityZones:
- Description: 'List of Availability Zones to use for the subnets in the VPC.'
- Type: CommaDelimitedList
- CreateAdditionalPrivateSubnets:
- AllowedValues:
- - 'true'
- - 'false'
- Default: 'false'
- Description: Set to true to create a network ACL protected subnet in each Availability
- Zone. If false, the CIDR parameters for those subnets will be ignored. If true,
- it also requires that the 'Create private subnets' parameter is also true to
- have any effect.
- Type: String
- CreatePrivateSubnets:
- AllowedValues:
- - 'true'
- - 'false'
- Default: 'true'
- Description: Set to false to create only public subnets. If false, the CIDR parameters
- for ALL private subnets will be ignored.
- Type: String
- CreatePublicSubnets:
- AllowedValues:
- - 'true'
- - 'false'
- Default: 'true'
- Description: Set to false to create only private subnets. If false, the CIDR parameters
- for ALL public subnets will be ignored.
- Type: String
- NumberOfAZs:
- AllowedValues:
- - '2'
- - '3'
- - '4'
- Default: '2'
- Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter.
- Type: String
- PrivateSubnet1ACIDR:
- Default: 10.0.0.0/19
- Description: CIDR block for private subnet 1A located in Availability Zone 1
- Type: String
- PrivateSubnet1BCIDR:
- Default: 10.0.192.0/21
- Description: CIDR block for private subnet 1B with dedicated network ACL located in Availability Zone 1
- Type: String
- PrivateSubnet2ACIDR:
- Default: 10.0.32.0/19
- Description: CIDR block for private subnet 2A located in Availability Zone 2
- Type: String
- PrivateSubnet2BCIDR:
- Default: 10.0.200.0/21
- Description: CIDR block for private subnet 2B with dedicated network ACL located in Availability Zone 2
- Type: String
- PrivateSubnet3ACIDR:
- Default: 10.0.64.0/19
- Description: CIDR block for private subnet 3A located in Availability Zone 3
- Type: String
- PrivateSubnet3BCIDR:
- Default: 10.0.208.0/21
- Description: CIDR block for private subnet 3B with dedicated network ACL located in Availability Zone 3
- Type: String
- PrivateSubnet4ACIDR:
- Default: 10.0.96.0/19
- Description: CIDR block for private subnet 4A located in Availability Zone 4
- Type: String
- PrivateSubnet4BCIDR:
- Default: 10.0.216.0/21
- Description: CIDR block for private subnet 4B with dedicated network ACL located in Availability Zone 4
- Type: String
- PublicSubnet1CIDR:
- Default: 10.0.128.0/20
- Description: CIDR block for the public DMZ subnet 1 located in Availability Zone 1
- Type: String
- PublicSubnet2CIDR:
- Default: 10.0.144.0/20
- Description: CIDR block for the public DMZ subnet 2 located in Availability Zone 2
- Type: String
- PublicSubnet3CIDR:
- Default: 10.0.160.0/20
- Description: CIDR block for the public DMZ subnet 3 located in Availability Zone 3
- Type: String
- PublicSubnet4CIDR:
- Default: 10.0.176.0/20
- Description: CIDR block for the public DMZ subnet 4 located in Availability Zone 4
- Type: String
- VPCCIDR:
- Default: 10.0.0.0/16
- Description: CIDR block for the VPC
- Type: String
- TransitVPC:
- Default: 'false'
- Description: Do you want to connect this VPC to a transit VPC via tagging?
- AllowedValues:
- - 'true'
- - 'false'
- Type: String
- LogsRetentionInDays:
- Description: 'Specifies the number of days you want to retain log events in the specified log group.'
- Type: Number
- Default: 90
- AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
-
-Conditions:
- PublicSubnetsCondition: !Equals [!Ref 'CreatePublicSubnets', 'true']
- 3AZCondition: !Or [!Equals [!Ref 'NumberOfAZs', '3'], !Condition '4AZCondition']
- 4AZCondition: !Equals [!Ref 'NumberOfAZs', '4']
- 3AZPublicCondition: !And [!Condition '3AZCondition', !Condition 'PublicSubnetsCondition']
- 4AZPublicCondition: !And [!Condition '4AZCondition', !Condition 'PublicSubnetsCondition']
- AdditionalPrivateSubnetsCondition: !And [!Equals [!Ref 'CreatePrivateSubnets', 'true'],
- !Equals [!Ref 'CreateAdditionalPrivateSubnets', 'true']]
- AdditionalPrivateSubnets&3AZCondition: !And [!Condition 'AdditionalPrivateSubnetsCondition',
- !Condition '3AZCondition']
- AdditionalPrivateSubnets&4AZCondition: !And [!Condition 'AdditionalPrivateSubnetsCondition',
- !Condition '4AZCondition']
- NATGatewayCondition: !And [!Condition 'PrivateSubnetsCondition', !Condition 'PublicSubnetsCondition']
- NATGateway&3AZCondition: !And [!Condition 'NATGatewayCondition', !Condition '3AZCondition']
- NATGateway&4AZCondition: !And [!Condition 'NATGatewayCondition', !Condition '4AZCondition']
- AdditionalPrivateSubnets&NATGatewayCondition: !And [!Condition 'AdditionalPrivateSubnetsCondition', !Condition 'NATGatewayCondition']
- AdditionalPrivateSubnets&NATGateway&3AZCondition: !And [!Condition 'AdditionalPrivateSubnets&3AZCondition', !Condition 'NATGateway&3AZCondition']
- AdditionalPrivateSubnets&NATGateway&4AZCondition: !And [!Condition 'AdditionalPrivateSubnets&4AZCondition', !Condition 'NATGateway&4AZCondition']
- NVirginiaRegionCondition: !Equals [!Ref 'AWS::Region', us-east-1]
- PrivateSubnetsCondition: !Equals [!Ref 'CreatePrivateSubnets', 'true']
- PrivateSubnets&3AZCondition: !And [!Condition 'PrivateSubnetsCondition', !Condition '3AZCondition']
- PrivateSubnets&4AZCondition: !And [!Condition 'PrivateSubnetsCondition', !Condition '4AZCondition']
- Public&PrivateSubnetsCondition: !And [!Condition 'PublicSubnetsCondition', !Condition 'PrivateSubnetsCondition']
- Public&PrivateSubnets&3AZCondition: !And [!Condition 'PublicSubnetsCondition', !Condition 'PrivateSubnetsCondition', !Condition '3AZCondition']
- Public&PrivateSubnets&4AZCondition: !And [!Condition 'PublicSubnetsCondition', !Condition 'PrivateSubnetsCondition', !Condition '4AZCondition']
- S3VPCEndpointCondition: !And [!Condition 'PrivateSubnetsCondition', !Not [!Or [
- !Equals [!Ref 'AWS::Region', us-gov-west-1], !Equals [!Ref 'AWS::Region',
- cn-north-1]]]]
- TransitVPCCondition: !Equals [!Ref 'TransitVPC', 'true']
-
-Resources:
- DHCPOptions:
- Type: AWS::EC2::DHCPOptions
- DeletionPolicy: Retain
- Properties:
- DomainName: !If [NVirginiaRegionCondition, ec2.internal, !Join ['', [!Ref 'AWS::Region',
- .compute.internal]]]
- DomainNameServers:
- - AmazonProvidedDNS
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-DHCPOptionsSet
-
- VPC:
- Type: AWS::EC2::VPC
- DeletionPolicy: Retain
- Properties:
- CidrBlock: !Ref 'VPCCIDR'
- EnableDnsSupport: 'true'
- EnableDnsHostnames: 'true'
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-VPC
- - !If
- - TransitVPCCondition
- - - Key: transitvpc:spoke
- Value: true
- - !Ref 'AWS::NoValue'
-
- VPCDHCPOptionsAssociation:
- Type: AWS::EC2::VPCDHCPOptionsAssociation
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- DhcpOptionsId: !Ref 'DHCPOptions'
-
- InternetGateway:
- Type: AWS::EC2::InternetGateway
- DeletionPolicy: Retain
- Condition: PublicSubnetsCondition
- Properties:
- Tags:
- - Key: Network
- Value: Public
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-InternetGateway
-
- VPCGatewayAttachment:
- Type: AWS::EC2::VPCGatewayAttachment
- Condition: PublicSubnetsCondition
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- InternetGatewayId: !Ref 'InternetGateway'
-
- PrivateSubnet1A:
- Condition: PrivateSubnetsCondition
- Type: AWS::EC2::Subnet
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- CidrBlock: !Ref 'PrivateSubnet1ACIDR'
- AvailabilityZone: !Select ['0', !Ref 'AvailabilityZones']
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet1A
- - Key: Network
- Value: Private
-
- PrivateSubnet1B:
- Condition: AdditionalPrivateSubnetsCondition
- Type: AWS::EC2::Subnet
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- CidrBlock: !Ref 'PrivateSubnet1BCIDR'
- AvailabilityZone: !Select ['0', !Ref 'AvailabilityZones']
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet1B
- - Key: Network
- Value: Private
-
- PrivateSubnet2A:
- Condition: PrivateSubnetsCondition
- Type: AWS::EC2::Subnet
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- CidrBlock: !Ref 'PrivateSubnet2ACIDR'
- AvailabilityZone: !Select ['1', !Ref 'AvailabilityZones']
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-Private subnet 2A
- - Key: Network
- Value: Private
-
- PrivateSubnet2B:
- Condition: AdditionalPrivateSubnetsCondition
- Type: AWS::EC2::Subnet
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- CidrBlock: !Ref 'PrivateSubnet2BCIDR'
- AvailabilityZone: !Select ['1', !Ref 'AvailabilityZones']
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet2B
- - Key: Network
- Value: Private
-
- PrivateSubnet3A:
- Condition: PrivateSubnets&3AZCondition
- Type: AWS::EC2::Subnet
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- CidrBlock: !Ref 'PrivateSubnet3ACIDR'
- AvailabilityZone: !Select ['2', !Ref 'AvailabilityZones']
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-Private subnet 3A
- - Key: Network
- Value: Private
-
- PrivateSubnet3B:
- Condition: AdditionalPrivateSubnets&3AZCondition
- Type: AWS::EC2::Subnet
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- CidrBlock: !Ref 'PrivateSubnet3BCIDR'
- AvailabilityZone: !Select ['2', !Ref 'AvailabilityZones']
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet3B
- - Key: Network
- Value: Private
-
- PrivateSubnet4A:
- Condition: PrivateSubnets&4AZCondition
- Type: AWS::EC2::Subnet
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- CidrBlock: !Ref 'PrivateSubnet4ACIDR'
- AvailabilityZone: !Select ['3', !Ref 'AvailabilityZones']
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet4A
- - Key: Network
- Value: Private
-
- PrivateSubnet4B:
- Condition: AdditionalPrivateSubnets&4AZCondition
- Type: AWS::EC2::Subnet
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- CidrBlock: !Ref 'PrivateSubnet4BCIDR'
- AvailabilityZone: !Select ['3', !Ref 'AvailabilityZones']
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet4B
- - Key: Network
- Value: Private
-
- PublicSubnet1:
- Condition: PublicSubnetsCondition
- Type: AWS::EC2::Subnet
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- CidrBlock: !Ref 'PublicSubnet1CIDR'
- AvailabilityZone: !Select ['0', !Ref 'AvailabilityZones']
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-PublicSubnet1
- - Key: Network
- Value: Public
-
- PublicSubnet2:
- Condition: PublicSubnetsCondition
- Type: AWS::EC2::Subnet
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- CidrBlock: !Ref 'PublicSubnet2CIDR'
- AvailabilityZone: !Select ['1', !Ref 'AvailabilityZones']
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-PublicSubnet2
- - Key: Network
- Value: Public
-
- PublicSubnet3:
- Condition: 3AZPublicCondition
- Type: AWS::EC2::Subnet
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- CidrBlock: !Ref 'PublicSubnet3CIDR'
- AvailabilityZone: !Select ['2', !Ref 'AvailabilityZones']
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-PublicSubnet3
- - Key: Network
- Value: Public
-
- PublicSubnet4:
- Condition: 4AZPublicCondition
- Type: AWS::EC2::Subnet
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- CidrBlock: !Ref 'PublicSubnet4CIDR'
- AvailabilityZone: !Select ['3', !Ref 'AvailabilityZones']
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-PublicSubnet4
- - Key: Network
- Value: Public
-
- PrivateSubnet1ARouteTable:
- Condition: PrivateSubnetsCondition
- Type: AWS::EC2::RouteTable
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet1A
- - Key: Network
- Value: Private
-
- PrivateSubnet1ARoute:
- Condition: NATGatewayCondition
- Type: AWS::EC2::Route
- DeletionPolicy: Retain
- Properties:
- RouteTableId: !Ref 'PrivateSubnet1ARouteTable'
- DestinationCidrBlock: 0.0.0.0/0
- NatGatewayId: !If [NATGatewayCondition, !Ref 'NATGateway1', !Ref 'AWS::NoValue']
-
- PrivateSubnet1ARouteTableAssociation:
- Condition: PrivateSubnetsCondition
- Type: AWS::EC2::SubnetRouteTableAssociation
- DeletionPolicy: Retain
- Properties:
- SubnetId: !Ref 'PrivateSubnet1A'
- RouteTableId: !Ref 'PrivateSubnet1ARouteTable'
-
- PrivateSubnet2ARouteTable:
- Condition: PrivateSubnetsCondition
- Type: AWS::EC2::RouteTable
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet2A
- - Key: Network
- Value: Private
-
- PrivateSubnet2ARoute:
- Condition: NATGatewayCondition
- Type: AWS::EC2::Route
- DeletionPolicy: Retain
- Properties:
- RouteTableId: !Ref 'PrivateSubnet2ARouteTable'
- DestinationCidrBlock: 0.0.0.0/0
- NatGatewayId: !If [NATGatewayCondition, !Ref 'NATGateway2', !Ref 'AWS::NoValue']
-
- PrivateSubnet2ARouteTableAssociation:
- Condition: PrivateSubnetsCondition
- Type: AWS::EC2::SubnetRouteTableAssociation
- DeletionPolicy: Retain
- Properties:
- SubnetId: !Ref 'PrivateSubnet2A'
- RouteTableId: !Ref 'PrivateSubnet2ARouteTable'
-
- PrivateSubnet3ARouteTable:
- Condition: PrivateSubnets&3AZCondition
- Type: AWS::EC2::RouteTable
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet3A
- - Key: Network
- Value: Private
-
- PrivateSubnet3ARoute:
- Condition: NATGateway&3AZCondition
- Type: AWS::EC2::Route
- DeletionPolicy: Retain
- Properties:
- RouteTableId: !Ref 'PrivateSubnet3ARouteTable'
- DestinationCidrBlock: 0.0.0.0/0
- NatGatewayId: !If [NATGatewayCondition, !Ref 'NATGateway3', !Ref 'AWS::NoValue']
-
- PrivateSubnet3ARouteTableAssociation:
- Condition: PrivateSubnets&3AZCondition
- Type: AWS::EC2::SubnetRouteTableAssociation
- DeletionPolicy: Retain
- Properties:
- SubnetId: !Ref 'PrivateSubnet3A'
- RouteTableId: !Ref 'PrivateSubnet3ARouteTable'
-
- PrivateSubnet4ARouteTable:
- Condition: PrivateSubnets&4AZCondition
- Type: AWS::EC2::RouteTable
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet4A
- - Key: Network
- Value: Private
-
- PrivateSubnet4ARoute:
- Condition: NATGateway&4AZCondition
- Type: AWS::EC2::Route
- DeletionPolicy: Retain
- Properties:
- RouteTableId: !Ref 'PrivateSubnet4ARouteTable'
- DestinationCidrBlock: 0.0.0.0/0
- NatGatewayId: !If [NATGatewayCondition, !Ref 'NATGateway4', !Ref 'AWS::NoValue']
-
- PrivateSubnet4ARouteTableAssociation:
- Condition: PrivateSubnets&4AZCondition
- Type: AWS::EC2::SubnetRouteTableAssociation
- DeletionPolicy: Retain
- Properties:
- SubnetId: !Ref 'PrivateSubnet4A'
- RouteTableId: !Ref 'PrivateSubnet4ARouteTable'
-
- PrivateSubnet1BRouteTable:
- Condition: AdditionalPrivateSubnetsCondition
- Type: AWS::EC2::RouteTable
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet1B
- - Key: Network
- Value: Private
-
- PrivateSubnet1BRoute:
- Condition: AdditionalPrivateSubnets&NATGatewayCondition
- Type: AWS::EC2::Route
- DeletionPolicy: Retain
- Properties:
- RouteTableId: !Ref 'PrivateSubnet1BRouteTable'
- DestinationCidrBlock: 0.0.0.0/0
- NatGatewayId: !If [NATGatewayCondition, !Ref 'NATGateway1', !Ref 'AWS::NoValue']
-
- PrivateSubnet1BRouteTableAssociation:
- Condition: AdditionalPrivateSubnetsCondition
- Type: AWS::EC2::SubnetRouteTableAssociation
- DeletionPolicy: Retain
- Properties:
- SubnetId: !Ref 'PrivateSubnet1B'
- RouteTableId: !Ref 'PrivateSubnet1BRouteTable'
-
- PrivateSubnet1BNetworkAcl:
- Condition: AdditionalPrivateSubnetsCondition
- Type: AWS::EC2::NetworkAcl
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet1BNetworkAcl
- - Key: Network
- Value: NACL Protected
-
- PrivateSubnet1BNetworkAclEntryInbound:
- Condition: AdditionalPrivateSubnetsCondition
- Type: AWS::EC2::NetworkAclEntry
- DeletionPolicy: Retain
- Properties:
- CidrBlock: 0.0.0.0/0
- Egress: 'false'
- NetworkAclId: !Ref 'PrivateSubnet1BNetworkAcl'
- Protocol: '-1'
- RuleAction: allow
- RuleNumber: '100'
- PrivateSubnet1BNetworkAclEntryOutbound:
- Condition: AdditionalPrivateSubnetsCondition
- Type: AWS::EC2::NetworkAclEntry
- DeletionPolicy: Retain
- Properties:
- CidrBlock: 0.0.0.0/0
- Egress: 'true'
- NetworkAclId: !Ref 'PrivateSubnet1BNetworkAcl'
- Protocol: '-1'
- RuleAction: allow
- RuleNumber: '100'
-
- PrivateSubnet1BNetworkAclAssociation:
- Condition: AdditionalPrivateSubnetsCondition
- Type: AWS::EC2::SubnetNetworkAclAssociation
- DeletionPolicy: Retain
- Properties:
- SubnetId: !Ref 'PrivateSubnet1B'
- NetworkAclId: !Ref 'PrivateSubnet1BNetworkAcl'
-
- PrivateSubnet2BRouteTable:
- Condition: AdditionalPrivateSubnetsCondition
- Type: AWS::EC2::RouteTable
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-Private subnet 2B
- - Key: Network
- Value: Private
-
- PrivateSubnet2BRoute:
- Condition: AdditionalPrivateSubnets&NATGatewayCondition
- Type: AWS::EC2::Route
- DeletionPolicy: Retain
- Properties:
- RouteTableId: !Ref 'PrivateSubnet2BRouteTable'
- DestinationCidrBlock: 0.0.0.0/0
- NatGatewayId: !If [NATGatewayCondition, !Ref 'NATGateway2', !Ref 'AWS::NoValue']
-
- PrivateSubnet2BRouteTableAssociation:
- Condition: AdditionalPrivateSubnetsCondition
- Type: AWS::EC2::SubnetRouteTableAssociation
- DeletionPolicy: Retain
- Properties:
- SubnetId: !Ref 'PrivateSubnet2B'
- RouteTableId: !Ref 'PrivateSubnet2BRouteTable'
-
- PrivateSubnet2BNetworkAcl:
- Condition: AdditionalPrivateSubnetsCondition
- Type: AWS::EC2::NetworkAcl
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-NACL Protected subnet 2
- - Key: Network
- Value: NACL Protected
-
- PrivateSubnet2BNetworkAclEntryInbound:
- Condition: AdditionalPrivateSubnetsCondition
- Type: AWS::EC2::NetworkAclEntry
- DeletionPolicy: Retain
- Properties:
- CidrBlock: 0.0.0.0/0
- Egress: 'false'
- NetworkAclId: !Ref 'PrivateSubnet2BNetworkAcl'
- Protocol: '-1'
- RuleAction: allow
- RuleNumber: '100'
-
- PrivateSubnet2BNetworkAclEntryOutbound:
- Condition: AdditionalPrivateSubnetsCondition
- Type: AWS::EC2::NetworkAclEntry
- DeletionPolicy: Retain
- Properties:
- CidrBlock: 0.0.0.0/0
- Egress: 'true'
- NetworkAclId: !Ref 'PrivateSubnet2BNetworkAcl'
- Protocol: '-1'
- RuleAction: allow
- RuleNumber: '100'
-
-
- PrivateSubnet2BNetworkAclAssociation:
- Condition: AdditionalPrivateSubnetsCondition
- Type: AWS::EC2::SubnetNetworkAclAssociation
- DeletionPolicy: Retain
- Properties:
- SubnetId: !Ref 'PrivateSubnet2B'
- NetworkAclId: !Ref 'PrivateSubnet2BNetworkAcl'
-
- PrivateSubnet3BRouteTable:
- Condition: AdditionalPrivateSubnets&3AZCondition
- Type: AWS::EC2::RouteTable
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-Private subnet 3B
- - Key: Network
- Value: Private
-
- PrivateSubnet3BRoute:
- Condition: AdditionalPrivateSubnets&NATGateway&3AZCondition
- Type: AWS::EC2::Route
- DeletionPolicy: Retain
- Properties:
- RouteTableId: !Ref 'PrivateSubnet3BRouteTable'
- DestinationCidrBlock: 0.0.0.0/0
- NatGatewayId: !If [NATGatewayCondition, !Ref 'NATGateway3', !Ref 'AWS::NoValue']
-
- PrivateSubnet3BRouteTableAssociation:
- Condition: AdditionalPrivateSubnets&3AZCondition
- Type: AWS::EC2::SubnetRouteTableAssociation
- DeletionPolicy: Retain
- Properties:
- SubnetId: !Ref 'PrivateSubnet3B'
- RouteTableId: !Ref 'PrivateSubnet3BRouteTable'
-
- PrivateSubnet3BNetworkAcl:
- Condition: AdditionalPrivateSubnets&3AZCondition
- Type: AWS::EC2::NetworkAcl
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-NACL Protected subnet 3
- - Key: Network
- Value: NACL Protected
-
- PrivateSubnet3BNetworkAclEntryInbound:
- Condition: AdditionalPrivateSubnets&3AZCondition
- Type: AWS::EC2::NetworkAclEntry
- DeletionPolicy: Retain
- Properties:
- CidrBlock: 0.0.0.0/0
- Egress: 'false'
- NetworkAclId: !Ref 'PrivateSubnet3BNetworkAcl'
- Protocol: '-1'
- RuleAction: allow
- RuleNumber: '100'
-
- PrivateSubnet3BNetworkAclEntryOutbound:
- Condition: AdditionalPrivateSubnets&3AZCondition
- Type: AWS::EC2::NetworkAclEntry
- DeletionPolicy: Retain
- Properties:
- CidrBlock: 0.0.0.0/0
- Egress: 'true'
- NetworkAclId: !Ref 'PrivateSubnet3BNetworkAcl'
- Protocol: '-1'
- RuleAction: allow
- RuleNumber: '100'
-
- PrivateSubnet3BNetworkAclAssociation:
- Condition: AdditionalPrivateSubnets&3AZCondition
- Type: AWS::EC2::SubnetNetworkAclAssociation
- DeletionPolicy: Retain
- Properties:
- SubnetId: !Ref 'PrivateSubnet3B'
- NetworkAclId: !Ref 'PrivateSubnet3BNetworkAcl'
-
- PrivateSubnet4BRouteTable:
- Condition: AdditionalPrivateSubnets&4AZCondition
- Type: AWS::EC2::RouteTable
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-Private subnet 4B
- - Key: Network
- Value: Private
-
- PrivateSubnet4BRoute:
- Condition: AdditionalPrivateSubnets&NATGateway&4AZCondition
- Type: AWS::EC2::Route
- DeletionPolicy: Retain
- Properties:
- RouteTableId: !Ref 'PrivateSubnet4BRouteTable'
- DestinationCidrBlock: 0.0.0.0/0
- NatGatewayId: !If [NATGatewayCondition, !Ref 'NATGateway4', !Ref 'AWS::NoValue']
-
- PrivateSubnet4BRouteTableAssociation:
- Condition: AdditionalPrivateSubnets&4AZCondition
- Type: AWS::EC2::SubnetRouteTableAssociation
- DeletionPolicy: Retain
- Properties:
- SubnetId: !Ref 'PrivateSubnet4B'
- RouteTableId: !Ref 'PrivateSubnet4BRouteTable'
-
- PrivateSubnet4BNetworkAcl:
- Condition: AdditionalPrivateSubnets&4AZCondition
- Type: AWS::EC2::NetworkAcl
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-NACL Protected subnet 4
- - Key: Network
- Value: NACL Protected
-
- PrivateSubnet4BNetworkAclEntryInbound:
- Condition: AdditionalPrivateSubnets&4AZCondition
- Type: AWS::EC2::NetworkAclEntry
- DeletionPolicy: Retain
- Properties:
- CidrBlock: 0.0.0.0/0
- Egress: 'false'
- NetworkAclId: !Ref 'PrivateSubnet4BNetworkAcl'
- Protocol: '-1'
- RuleAction: allow
- RuleNumber: '100'
-
- PrivateSubnet4BNetworkAclEntryOutbound:
- Condition: AdditionalPrivateSubnets&4AZCondition
- Type: AWS::EC2::NetworkAclEntry
- DeletionPolicy: Retain
- Properties:
- CidrBlock: 0.0.0.0/0
- Egress: 'true'
- NetworkAclId: !Ref 'PrivateSubnet4BNetworkAcl'
- Protocol: '-1'
- RuleAction: allow
- RuleNumber: '100'
-
- PrivateSubnet4BNetworkAclAssociation:
- Condition: AdditionalPrivateSubnets&4AZCondition
- Type: AWS::EC2::SubnetNetworkAclAssociation
- DeletionPolicy: Retain
- Properties:
- SubnetId: !Ref 'PrivateSubnet4B'
- NetworkAclId: !Ref 'PrivateSubnet4BNetworkAcl'
-
- PublicSubnetRouteTable:
- Condition: PublicSubnetsCondition
- Type: AWS::EC2::RouteTable
- DeletionPolicy: Retain
- Properties:
- VpcId: !Ref 'VPC'
- Tags:
- - Key: Name
- Value: !Sub ${ManagedResourcePrefix}-Public Subnets
- - Key: Network
- Value: Public
-
- PublicSubnetRoute:
- Condition: PublicSubnetsCondition
- DependsOn: VPCGatewayAttachment
- DeletionPolicy: Retain
- Type: AWS::EC2::Route
- Properties:
- RouteTableId: !Ref 'PublicSubnetRouteTable'
- DestinationCidrBlock: 0.0.0.0/0
- GatewayId: !Ref 'InternetGateway'
-
- PublicSubnet1RouteTableAssociation:
- Condition: PublicSubnetsCondition
- Type: AWS::EC2::SubnetRouteTableAssociation
- DeletionPolicy: Retain
- Properties:
- SubnetId: !Ref 'PublicSubnet1'
- RouteTableId: !Ref 'PublicSubnetRouteTable'
-
- PublicSubnet2RouteTableAssociation:
- Condition: PublicSubnetsCondition
- Type: AWS::EC2::SubnetRouteTableAssociation
- DeletionPolicy: Retain
- Properties:
- SubnetId: !Ref 'PublicSubnet2'
- RouteTableId: !Ref 'PublicSubnetRouteTable'
-
- PublicSubnet3RouteTableAssociation:
- Condition: 3AZPublicCondition
- Type: AWS::EC2::SubnetRouteTableAssociation
- DeletionPolicy: Retain
- Properties:
- SubnetId: !Ref 'PublicSubnet3'
- RouteTableId: !Ref 'PublicSubnetRouteTable'
-
- PublicSubnet4RouteTableAssociation:
- Condition: 4AZPublicCondition
- Type: AWS::EC2::SubnetRouteTableAssociation
- DeletionPolicy: Retain
- Properties:
- SubnetId: !Ref 'PublicSubnet4'
- RouteTableId: !Ref 'PublicSubnetRouteTable'
-
- NAT1EIP:
- Condition: Public&PrivateSubnetsCondition
- DependsOn: VPCGatewayAttachment
- Type: AWS::EC2::EIP
- DeletionPolicy: Retain
- Properties:
- Domain: vpc
-
- NAT2EIP:
- Condition: Public&PrivateSubnetsCondition
- DependsOn: VPCGatewayAttachment
- Type: AWS::EC2::EIP
- DeletionPolicy: Retain
- Properties:
- Domain: vpc
-
- NAT3EIP:
- Condition: Public&PrivateSubnets&3AZCondition
- DependsOn: VPCGatewayAttachment
- Type: AWS::EC2::EIP
- DeletionPolicy: Retain
- Properties:
- Domain: vpc
-
- NAT4EIP:
- Condition: Public&PrivateSubnets&4AZCondition
- DependsOn: VPCGatewayAttachment
- Type: AWS::EC2::EIP
- DeletionPolicy: Retain
- Properties:
- Domain: vpc
-
- NATGateway1:
- Condition: NATGatewayCondition
- DependsOn: VPCGatewayAttachment
- Type: AWS::EC2::NatGateway
- DeletionPolicy: Retain
- Properties:
- AllocationId: !GetAtt 'NAT1EIP.AllocationId'
- SubnetId: !Ref 'PublicSubnet1'
-
- NATGateway2:
- Condition: NATGatewayCondition
- DependsOn: VPCGatewayAttachment
- Type: AWS::EC2::NatGateway
- DeletionPolicy: Retain
- Properties:
- AllocationId: !GetAtt 'NAT2EIP.AllocationId'
- SubnetId: !Ref 'PublicSubnet2'
-
- NATGateway3:
- Condition: NATGateway&3AZCondition
- DependsOn: VPCGatewayAttachment
- Type: AWS::EC2::NatGateway
- DeletionPolicy: Retain
- Properties:
- AllocationId: !GetAtt 'NAT3EIP.AllocationId'
- SubnetId: !Ref 'PublicSubnet3'
-
- NATGateway4:
- Condition: NATGateway&4AZCondition
- DependsOn: VPCGatewayAttachment
- Type: AWS::EC2::NatGateway
- DeletionPolicy: Retain
- Properties:
- AllocationId: !GetAtt 'NAT4EIP.AllocationId'
- SubnetId: !Ref 'PublicSubnet4'
-
- S3VPCEndpoint:
- Condition: S3VPCEndpointCondition
- Type: AWS::EC2::VPCEndpoint
- DeletionPolicy: Retain
- Properties:
- PolicyDocument:
- Version: '2012-10-17'
- Statement:
- - Action: '*'
- Effect: Allow
- Resource: '*'
- Principal: '*'
- RouteTableIds:
- - !Ref 'PrivateSubnet1ARouteTable'
- - !Ref 'PrivateSubnet2ARouteTable'
- - !If [PrivateSubnets&3AZCondition, !Ref 'PrivateSubnet3ARouteTable', !Ref 'AWS::NoValue']
- - !If [PrivateSubnets&4AZCondition, !Ref 'PrivateSubnet4ARouteTable', !Ref 'AWS::NoValue']
- - !If [AdditionalPrivateSubnetsCondition, !Ref 'PrivateSubnet1BRouteTable',
- !Ref 'AWS::NoValue']
- - !If [AdditionalPrivateSubnetsCondition, !Ref 'PrivateSubnet2BRouteTable',
- !Ref 'AWS::NoValue']
- - !If [AdditionalPrivateSubnets&3AZCondition, !Ref 'PrivateSubnet3BRouteTable',
- !Ref 'AWS::NoValue']
- - !If [AdditionalPrivateSubnets&4AZCondition, !Ref 'PrivateSubnet4BRouteTable',
- !Ref 'AWS::NoValue']
- ServiceName: !Join ['', [com.amazonaws., !Ref 'AWS::Region', .s3]]
- VpcId: !Ref 'VPC'
-
- VPCFlowLogsLogGroup:
- Type: AWS::Logs::LogGroup
- DeletionPolicy: Retain
- Properties:
- RetentionInDays: !Ref LogsRetentionInDays
-
- VPCFlowLogsRole:
- Type: AWS::IAM::Role
- DeletionPolicy: Retain
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: W11
- reason: "Allow Resource * for CloudWatch Logs API since the resources are customer defined."
- Properties:
- AssumeRolePolicyDocument:
- Version: '2012-10-17'
- Statement:
- - Effect: Allow
- Principal:
- Service:
- - vpc-flow-logs.amazonaws.com
- Action:
- - sts:AssumeRole
- Path: /
- Policies:
- - PolicyName: LogRolePolicy
- PolicyDocument:
- Version: '2012-10-17'
- Statement:
- - Effect: Allow
- Action:
- - logs:CreateLogGroup
- - logs:CreateLogStream
- - logs:DescribeLogGroups
- - logs:DescribeLogStreams
- - logs:PutLogEvents
- Resource: '*'
- VPCFlowLog:
- Type: AWS::EC2::FlowLog
- DeletionPolicy: Retain
- Properties:
- DeliverLogsPermissionArn: !GetAtt 'VPCFlowLogsRole.Arn'
- LogGroupName: !Ref 'VPCFlowLogsLogGroup'
- ResourceId: !Ref 'VPC'
- ResourceType: VPC
- TrafficType: ALL
-Outputs:
-# NAT1EIP:
-# Condition: Public&PrivateSubnetsCondition
-# Description: NAT 1 IP address
-# Value: !Ref 'NAT1EIP'
-# Export:
-# Name: !Sub '${AWS::StackName}-NAT1EIP'
-# NAT2EIP:
-# Condition: Public&PrivateSubnetsCondition
-# Description: NAT 2 IP address
-# Value: !Ref 'NAT2EIP'
-# Export:
-# Name: !Sub '${AWS::StackName}-NAT2EIP'
-# NAT3EIP:
-# Condition: Public&PrivateSubnets&3AZCondition
-# Description: NAT 3 IP address
-# Value: !Ref 'NAT3EIP'
-# Export:
-# Name: !Sub '${AWS::StackName}-NAT3EIP'
-# NAT4EIP:
-# Condition: Public&PrivateSubnets&4AZCondition
-# Description: NAT 4 IP address
-# Value: !Ref 'NAT4EIP'
-# Export:
-# Name: !Sub '${AWS::StackName}-NAT4EIP'
- PrivateSubnet1ACIDR:
- Condition: PrivateSubnetsCondition
- Description: Private subnet 1A CIDR in Availability Zone 1
- Value: !Ref 'PrivateSubnet1ACIDR'
- Export:
- Name: !Sub '${AWS::StackName}-PrivateSubnet1ACIDR'
- PrivateSubnet1AID:
- Condition: PrivateSubnetsCondition
- Description: Private subnet 1A ID in Availability Zone 1
- Value: !Ref 'PrivateSubnet1A'
- Export:
- Name: !Sub '${AWS::StackName}-PrivateSubnet1AID'
-# PrivateSubnet1BCIDR:
-# Condition: AdditionalPrivateSubnetsCondition
-# Description: Private subnet 1B CIDR in Availability Zone 1
-# Value: !Ref 'PrivateSubnet1BCIDR'
-# Export:
-# Name: !Sub '${AWS::StackName}-PrivateSubnet1BCIDR'
-# PrivateSubnet1BID:
-# Condition: AdditionalPrivateSubnetsCondition
-# Description: Private subnet 1B ID in Availability Zone 1
-# Value: !Ref 'PrivateSubnet1B'
-# Export:
-# Name: !Sub '${AWS::StackName}-PrivateSubnet1BID'
- PrivateSubnet2ACIDR:
- Condition: PrivateSubnetsCondition
- Description: Private subnet 2A CIDR in Availability Zone 2
- Value: !Ref 'PrivateSubnet2ACIDR'
- Export:
- Name: !Sub '${AWS::StackName}-PrivateSubnet2ACIDR'
- PrivateSubnet2AID:
- Condition: PrivateSubnetsCondition
- Description: Private subnet 2A ID in Availability Zone 2
- Value: !Ref 'PrivateSubnet2A'
- Export:
- Name: !Sub '${AWS::StackName}-PrivateSubnet2AID'
-# PrivateSubnet2BCIDR:
-# Condition: AdditionalPrivateSubnetsCondition
-# Description: Private subnet 2B CIDR in Availability Zone 2
-# Value: !Ref 'PrivateSubnet2BCIDR'
-# Export:
-# Name: !Sub '${AWS::StackName}-PrivateSubnet2BCIDR'
-# PrivateSubnet2BID:
-# Condition: AdditionalPrivateSubnetsCondition
-# Description: Private subnet 2B ID in Availability Zone 2
-# Value: !Ref 'PrivateSubnet2B'
-# Export:
-# Name: !Sub '${AWS::StackName}-PrivateSubnet2BID'
- PrivateSubnet3ACIDR:
- Condition: PrivateSubnets&3AZCondition
- Description: Private subnet 3A CIDR in Availability Zone 3
- Value: !Ref 'PrivateSubnet3ACIDR'
- Export:
- Name: !Sub '${AWS::StackName}-PrivateSubnet3ACIDR'
- PrivateSubnet3AID:
- Condition: PrivateSubnets&3AZCondition
- Description: Private subnet 3A ID in Availability Zone 3
- Value: !Ref 'PrivateSubnet3A'
- Export:
- Name: !Sub '${AWS::StackName}-PrivateSubnet3AID'
-# PrivateSubnet3BCIDR:
-# Condition: AdditionalPrivateSubnets&3AZCondition
-# Description: Private subnet 3B CIDR in Availability Zone 3
-# Value: !Ref 'PrivateSubnet3BCIDR'
-# Export:
-# Name: !Sub '${AWS::StackName}-PrivateSubnet3BCIDR'
-# PrivateSubnet3BID:
-# Condition: AdditionalPrivateSubnets&3AZCondition
-# Description: Private subnet 3B ID in Availability Zone 3
-# Value: !Ref 'PrivateSubnet3B'
-# Export:
-# Name: !Sub '${AWS::StackName}-PrivateSubnet3BID'
-# PrivateSubnet4ACIDR:
-# Condition: PrivateSubnets&4AZCondition
-# Description: Private subnet 4A CIDR in Availability Zone 4
-# Value: !Ref 'PrivateSubnet4ACIDR'
-# Export:
-# Name: !Sub '${AWS::StackName}-PrivateSubnet4ACIDR'
-# PrivateSubnet4AID:
-# Condition: PrivateSubnets&4AZCondition
-# Description: Private subnet 4A ID in Availability Zone 4
-# Value: !Ref 'PrivateSubnet4A'
-# Export:
-# Name: !Sub '${AWS::StackName}-PrivateSubnet4AID'
-# PrivateSubnet4BCIDR:
-# Condition: AdditionalPrivateSubnets&4AZCondition
-# Description: Private subnet 4B CIDR in Availability Zone 4
-# Value: !Ref 'PrivateSubnet4BCIDR'
-# Export:
-# Name: !Sub '${AWS::StackName}-PrivateSubnet4BCIDR'
-# PrivateSubnet4BID:
-# Condition: AdditionalPrivateSubnets&4AZCondition
-# Description: Private subnet 4B ID in Availability Zone 4
-# Value: !Ref 'PrivateSubnet4B'
-# Export:
-# Name: !Sub '${AWS::StackName}-PrivateSubnet4BID'
- PublicSubnet1CIDR:
- Condition: PublicSubnetsCondition
- Description: Public subnet 1 CIDR in Availability Zone 1
- Value: !Ref 'PublicSubnet1CIDR'
- Export:
- Name: !Sub '${AWS::StackName}-PublicSubnet1CIDR'
- PublicSubnet1ID:
- Condition: PublicSubnetsCondition
- Description: Public subnet 1 ID in Availability Zone 1
- Value: !Ref 'PublicSubnet1'
- Export:
- Name: !Sub '${AWS::StackName}-PublicSubnet1ID'
- PublicSubnet2CIDR:
- Condition: PublicSubnetsCondition
- Description: Public subnet 2 CIDR in Availability Zone 2
- Value: !Ref 'PublicSubnet2CIDR'
- Export:
- Name: !Sub '${AWS::StackName}-PublicSubnet2CIDR'
- PublicSubnet2ID:
- Condition: PublicSubnetsCondition
- Description: Public subnet 2 ID in Availability Zone 2
- Value: !Ref 'PublicSubnet2'
- Export:
- Name: !Sub '${AWS::StackName}-PublicSubnet2ID'
- PublicSubnet3CIDR:
- Condition: 3AZPublicCondition
- Description: Public subnet 3 CIDR in Availability Zone 3
- Value: !Ref 'PublicSubnet3CIDR'
- Export:
- Name: !Sub '${AWS::StackName}-PublicSubnet3CIDR'
- PublicSubnet3ID:
- Condition: 3AZPublicCondition
- Description: Public subnet 3 ID in Availability Zone 3
- Value: !Ref 'PublicSubnet3'
- Export:
- Name: !Sub '${AWS::StackName}-PublicSubnet3ID'
-# PublicSubnet4CIDR:
-# Condition: 4AZPublicCondition
-# Description: Public subnet 4 CIDR in Availability Zone 4
-# Value: !Ref 'PublicSubnet4CIDR'
-# Export:
-# Name: !Sub '${AWS::StackName}-PublicSubnet4CIDR'
-# PublicSubnet4ID:
-# Condition: 4AZPublicCondition
-# Description: Public subnet 4 ID in Availability Zone 4
-# Value: !Ref 'PublicSubnet4'
-# Export:
-# Name: !Sub '${AWS::StackName}-PublicSubnet4ID'
-# S3VPCEndpoint:
-# Condition: S3VPCEndpointCondition
-# Description: S3 VPC Endpoint
-# Value: !Ref 'S3VPCEndpoint'
-# Export:
-# Name: !Sub '${AWS::StackName}-S3VPCEndpoint'
- PrivateSubnet1ARouteTable:
- Condition: PrivateSubnetsCondition
- Value: !Ref 'PrivateSubnet1ARouteTable'
- Description: Private subnet 1A route table
- Export:
- Name: !Sub '${AWS::StackName}-PrivateSubnet1ARouteTable'
-# PrivateSubnet1BRouteTable:
-# Condition: AdditionalPrivateSubnetsCondition
-# Value: !Ref 'PrivateSubnet1BRouteTable'
-# Description: Private subnet 1B route table
-# Export:
-# Name: !Sub '${AWS::StackName}-PrivateSubnet1BRouteTable'
- PrivateSubnet2ARouteTable:
- Condition: PrivateSubnetsCondition
- Value: !Ref 'PrivateSubnet2ARouteTable'
- Description: Private subnet 2A route table
- Export:
- Name: !Sub '${AWS::StackName}-PrivateSubnet2ARouteTable'
-# PrivateSubnet2BRouteTable:
-# Condition: AdditionalPrivateSubnetsCondition
-# Value: !Ref 'PrivateSubnet2BRouteTable'
-# Description: Private subnet 2B route table
-# Export:
-# Name: !Sub '${AWS::StackName}-PrivateSubnet2BRouteTable'
- PrivateSubnet3ARouteTable:
- Condition: PrivateSubnets&3AZCondition
- Value: !Ref 'PrivateSubnet3ARouteTable'
- Description: Private subnet 3A route table
- Export:
- Name: !Sub '${AWS::StackName}-PrivateSubnet3ARouteTable'
-# PrivateSubnet3BRouteTable:
-# Condition: AdditionalPrivateSubnets&3AZCondition
-# Value: !Ref 'PrivateSubnet3BRouteTable'
-# Description: Private subnet 3B route table
-# Export:
-# Name: !Sub '${AWS::StackName}-PrivateSubnet3BRouteTable'
-# PrivateSubnet4ARouteTable:
-# Condition: PrivateSubnets&4AZCondition
-# Value: !Ref 'PrivateSubnet4ARouteTable'
-# Description: Private subnet 4A route table
-# Export:
-# Name: !Sub '${AWS::StackName}-PrivateSubnet4ARouteTable'
-# PrivateSubnet4BRouteTable:
-# Condition: AdditionalPrivateSubnets&4AZCondition
-# Value: !Ref 'PrivateSubnet4BRouteTable'
-# Description: Private subnet 4B route table
-# Export:
-# Name: !Sub '${AWS::StackName}-PrivateSubnet4BRouteTable'
- PublicSubnetRouteTable:
- Condition: PublicSubnetsCondition
- Value: !Ref 'PublicSubnetRouteTable'
- Description: Public subnet route table
- Export:
- Name: !Sub '${AWS::StackName}-PublicSubnetRouteTable'
- PrivateSubnetRouteTables:
- Value:
- !Join
- - ','
- - - !If [PrivateSubnetsCondition, !Ref 'PrivateSubnet1ARouteTable', !Ref 'AWS::NoValue']
- - !If [PrivateSubnetsCondition, !Ref 'PrivateSubnet2ARouteTable', !Ref 'AWS::NoValue']
- - !If [AdditionalPrivateSubnetsCondition, !Ref 'PrivateSubnet1BRouteTable', !Ref 'AWS::NoValue']
- - !If [AdditionalPrivateSubnetsCondition, !Ref 'PrivateSubnet2BRouteTable', !Ref 'AWS::NoValue']
- - !If [PrivateSubnets&3AZCondition, !Ref 'PrivateSubnet3ARouteTable', !Ref 'AWS::NoValue']
- - !If [PrivateSubnets&4AZCondition, !Ref 'PrivateSubnet4ARouteTable', !Ref 'AWS::NoValue']
- - !If [AdditionalPrivateSubnets&3AZCondition, !Ref 'PrivateSubnet3BRouteTable', !Ref 'AWS::NoValue']
- - !If [AdditionalPrivateSubnets&4AZCondition, !Ref 'PrivateSubnet4BRouteTable', !Ref 'AWS::NoValue']
- Description: List of private subnet route tables
- VPCCIDR:
- Value: !Ref 'VPCCIDR'
- Description: VPC CIDR
- Export:
- Name: !Sub '${AWS::StackName}-VPCCIDR'
- VPCID:
- Value: !Ref 'VPC'
- Description: VPC ID
- Export:
- Name: DefaultVPCId
- VPCRegion:
- Value: !Ref AWS::Region
- Description: VPC Region
+AWSTemplateFormatVersion: '2010-09-09'
+Description: This template creates a Multi-AZ, multi-subnet VPC infrastructure with
+ managed NAT gateways in the public subnet for each Availability Zone. You can also
+ create additional private subnets with dedicated custom network access control lists
+ (ACLs) - (SO0051).
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: Availability Zone Configuration
+ Parameters:
+ - AvailabilityZones
+ - NumberOfAZs
+ - Label:
+ default: Network Configuration
+ Parameters:
+ - VPCCIDR
+ - CreatePublicSubnets
+ - CreatePrivateSubnets
+ - PrivateSubnet1ACIDR
+ - PrivateSubnet2ACIDR
+ - PrivateSubnet3ACIDR
+ - PrivateSubnet4ACIDR
+ - PublicSubnet1CIDR
+ - PublicSubnet2CIDR
+ - PublicSubnet3CIDR
+ - PublicSubnet4CIDR
+ - CreateAdditionalPrivateSubnets
+ - PrivateSubnet1BCIDR
+ - PrivateSubnet2BCIDR
+ - PrivateSubnet3BCIDR
+ - PrivateSubnet4BCIDR
+ - LogsRetentionInDays
+ ParameterLabels:
+ AvailabilityZones:
+ default: Availability Zones
+ CreateAdditionalPrivateSubnets:
+ default: Create additional private subnets with dedicated network ACLs
+ CreatePrivateSubnets:
+ default: Create private subnets
+ CreatePublicSubnets:
+ default: Create public subnets
+ NumberOfAZs:
+ default: Number of Availability Zones
+ PrivateSubnet1ACIDR:
+ default: Private subnet 1A CIDR
+ PrivateSubnet1BCIDR:
+ default: Private subnet 1B with dedicated network ACL CIDR
+ PrivateSubnet2ACIDR:
+ default: Private subnet 2A CIDR
+ PrivateSubnet2BCIDR:
+ default: Private subnet 2B with dedicated network ACL CIDR
+ PrivateSubnet3ACIDR:
+ default: Private subnet 3A CIDR
+ PrivateSubnet3BCIDR:
+ default: Private subnet 3B with dedicated network ACL CIDR
+ PrivateSubnet4ACIDR:
+ default: Private subnet 4A CIDR
+ PrivateSubnet4BCIDR:
+ default: Private subnet 4B with dedicated network ACL CIDR
+ PublicSubnet1CIDR:
+ default: Public subnet 1 CIDR
+ PublicSubnet2CIDR:
+ default: Public subnet 2 CIDR
+ PublicSubnet3CIDR:
+ default: Public subnet 3 CIDR
+ PublicSubnet4CIDR:
+ default: Public subnet 4 CIDR
+ VPCCIDR:
+ default: VPC CIDR
+ LogsRetentionInDays:
+ default: Flow Logs Retention In Days
+Parameters:
+ ManagedResourcePrefix:
+ Type: 'String'
+ Description: 'Prefix for the managed resources'
+ AvailabilityZones:
+ Description: 'List of Availability Zones to use for the subnets in the VPC.'
+ Type: CommaDelimitedList
+ CreateAdditionalPrivateSubnets:
+ AllowedValues:
+ - 'true'
+ - 'false'
+ Default: 'false'
+ Description: Set to true to create a network ACL protected subnet in each Availability
+ Zone. If false, the CIDR parameters for those subnets will be ignored. If true,
+ it also requires that the 'Create private subnets' parameter is also true to
+ have any effect.
+ Type: String
+ CreatePrivateSubnets:
+ AllowedValues:
+ - 'true'
+ - 'false'
+ Default: 'true'
+ Description: Set to false to create only public subnets. If false, the CIDR parameters
+ for ALL private subnets will be ignored.
+ Type: String
+ CreatePublicSubnets:
+ AllowedValues:
+ - 'true'
+ - 'false'
+ Default: 'true'
+ Description: Set to false to create only private subnets. If false, the CIDR parameters
+ for ALL public subnets will be ignored.
+ Type: String
+ NumberOfAZs:
+ AllowedValues:
+ - '2'
+ - '3'
+ - '4'
+ Default: '2'
+ Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter.
+ Type: String
+ PrivateSubnet1ACIDR:
+ Default: 10.0.0.0/19
+ Description: CIDR block for private subnet 1A located in Availability Zone 1
+ Type: String
+ PrivateSubnet1BCIDR:
+ Default: 10.0.192.0/21
+ Description: CIDR block for private subnet 1B with dedicated network ACL located in Availability Zone 1
+ Type: String
+ PrivateSubnet2ACIDR:
+ Default: 10.0.32.0/19
+ Description: CIDR block for private subnet 2A located in Availability Zone 2
+ Type: String
+ PrivateSubnet2BCIDR:
+ Default: 10.0.200.0/21
+ Description: CIDR block for private subnet 2B with dedicated network ACL located in Availability Zone 2
+ Type: String
+ PrivateSubnet3ACIDR:
+ Default: 10.0.64.0/19
+ Description: CIDR block for private subnet 3A located in Availability Zone 3
+ Type: String
+ PrivateSubnet3BCIDR:
+ Default: 10.0.208.0/21
+ Description: CIDR block for private subnet 3B with dedicated network ACL located in Availability Zone 3
+ Type: String
+ PrivateSubnet4ACIDR:
+ Default: 10.0.96.0/19
+ Description: CIDR block for private subnet 4A located in Availability Zone 4
+ Type: String
+ PrivateSubnet4BCIDR:
+ Default: 10.0.216.0/21
+ Description: CIDR block for private subnet 4B with dedicated network ACL located in Availability Zone 4
+ Type: String
+ PublicSubnet1CIDR:
+ Default: 10.0.128.0/20
+ Description: CIDR block for the public DMZ subnet 1 located in Availability Zone 1
+ Type: String
+ PublicSubnet2CIDR:
+ Default: 10.0.144.0/20
+ Description: CIDR block for the public DMZ subnet 2 located in Availability Zone 2
+ Type: String
+ PublicSubnet3CIDR:
+ Default: 10.0.160.0/20
+ Description: CIDR block for the public DMZ subnet 3 located in Availability Zone 3
+ Type: String
+ PublicSubnet4CIDR:
+ Default: 10.0.176.0/20
+ Description: CIDR block for the public DMZ subnet 4 located in Availability Zone 4
+ Type: String
+ VPCCIDR:
+ Default: 10.0.0.0/16
+ Description: CIDR block for the VPC
+ Type: String
+ TransitVPC:
+ Default: 'false'
+ Description: Do you want to connect this VPC to a transit VPC via tagging?
+ AllowedValues:
+ - 'true'
+ - 'false'
+ Type: String
+ LogsRetentionInDays:
+ Description: 'Specifies the number of days you want to retain log events in the specified log group.'
+ Type: Number
+ Default: 90
+ AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
+
+Conditions:
+ PublicSubnetsCondition: !Equals [!Ref 'CreatePublicSubnets', 'true']
+ 3AZCondition: !Or [!Equals [!Ref 'NumberOfAZs', '3'], !Condition '4AZCondition']
+ 4AZCondition: !Equals [!Ref 'NumberOfAZs', '4']
+ 3AZPublicCondition: !And [!Condition '3AZCondition', !Condition 'PublicSubnetsCondition']
+ 4AZPublicCondition: !And [!Condition '4AZCondition', !Condition 'PublicSubnetsCondition']
+ AdditionalPrivateSubnetsCondition: !And [!Equals [!Ref 'CreatePrivateSubnets', 'true'],
+ !Equals [!Ref 'CreateAdditionalPrivateSubnets', 'true']]
+ AdditionalPrivateSubnets&3AZCondition: !And [!Condition 'AdditionalPrivateSubnetsCondition',
+ !Condition '3AZCondition']
+ AdditionalPrivateSubnets&4AZCondition: !And [!Condition 'AdditionalPrivateSubnetsCondition',
+ !Condition '4AZCondition']
+ NATGatewayCondition: !And [!Condition 'PrivateSubnetsCondition', !Condition 'PublicSubnetsCondition']
+ NATGateway&3AZCondition: !And [!Condition 'NATGatewayCondition', !Condition '3AZCondition']
+ NATGateway&4AZCondition: !And [!Condition 'NATGatewayCondition', !Condition '4AZCondition']
+ AdditionalPrivateSubnets&NATGatewayCondition: !And [!Condition 'AdditionalPrivateSubnetsCondition', !Condition 'NATGatewayCondition']
+ AdditionalPrivateSubnets&NATGateway&3AZCondition: !And [!Condition 'AdditionalPrivateSubnets&3AZCondition', !Condition 'NATGateway&3AZCondition']
+ AdditionalPrivateSubnets&NATGateway&4AZCondition: !And [!Condition 'AdditionalPrivateSubnets&4AZCondition', !Condition 'NATGateway&4AZCondition']
+ NVirginiaRegionCondition: !Equals [!Ref 'AWS::Region', us-east-1]
+ PrivateSubnetsCondition: !Equals [!Ref 'CreatePrivateSubnets', 'true']
+ PrivateSubnets&3AZCondition: !And [!Condition 'PrivateSubnetsCondition', !Condition '3AZCondition']
+ PrivateSubnets&4AZCondition: !And [!Condition 'PrivateSubnetsCondition', !Condition '4AZCondition']
+ Public&PrivateSubnetsCondition: !And [!Condition 'PublicSubnetsCondition', !Condition 'PrivateSubnetsCondition']
+ Public&PrivateSubnets&3AZCondition: !And [!Condition 'PublicSubnetsCondition', !Condition 'PrivateSubnetsCondition', !Condition '3AZCondition']
+ Public&PrivateSubnets&4AZCondition: !And [!Condition 'PublicSubnetsCondition', !Condition 'PrivateSubnetsCondition', !Condition '4AZCondition']
+ S3VPCEndpointCondition: !And [!Condition 'PrivateSubnetsCondition', !Not [!Or [
+ !Equals [!Ref 'AWS::Region', us-gov-west-1], !Equals [!Ref 'AWS::Region',
+ cn-north-1]]]]
+ TransitVPCCondition: !Equals [!Ref 'TransitVPC', 'true']
+
+Resources:
+ DHCPOptions:
+ Type: AWS::EC2::DHCPOptions
+ DeletionPolicy: Retain
+ Properties:
+ DomainName: !If [NVirginiaRegionCondition, ec2.internal, !Join ['', [!Ref 'AWS::Region',
+ .compute.internal]]]
+ DomainNameServers:
+ - AmazonProvidedDNS
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-DHCPOptionsSet
+
+ VPC:
+ Type: AWS::EC2::VPC
+ DeletionPolicy: Retain
+ Properties:
+ CidrBlock: !Ref 'VPCCIDR'
+ EnableDnsSupport: 'true'
+ EnableDnsHostnames: 'true'
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-VPC
+ - !If
+ - TransitVPCCondition
+ - - Key: transitvpc:spoke
+ Value: true
+ - !Ref 'AWS::NoValue'
+
+ VPCDHCPOptionsAssociation:
+ Type: AWS::EC2::VPCDHCPOptionsAssociation
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ DhcpOptionsId: !Ref 'DHCPOptions'
+
+ InternetGateway:
+ Type: AWS::EC2::InternetGateway
+ DeletionPolicy: Retain
+ Condition: PublicSubnetsCondition
+ Properties:
+ Tags:
+ - Key: Network
+ Value: Public
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-InternetGateway
+
+ VPCGatewayAttachment:
+ Type: AWS::EC2::VPCGatewayAttachment
+ Condition: PublicSubnetsCondition
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ InternetGatewayId: !Ref 'InternetGateway'
+
+ PrivateSubnet1A:
+ Condition: PrivateSubnetsCondition
+ Type: AWS::EC2::Subnet
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ CidrBlock: !Ref 'PrivateSubnet1ACIDR'
+ AvailabilityZone: !Select ['0', !Ref 'AvailabilityZones']
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet1A
+ - Key: Network
+ Value: Private
+
+ PrivateSubnet1B:
+ Condition: AdditionalPrivateSubnetsCondition
+ Type: AWS::EC2::Subnet
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ CidrBlock: !Ref 'PrivateSubnet1BCIDR'
+ AvailabilityZone: !Select ['0', !Ref 'AvailabilityZones']
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet1B
+ - Key: Network
+ Value: Private
+
+ PrivateSubnet2A:
+ Condition: PrivateSubnetsCondition
+ Type: AWS::EC2::Subnet
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ CidrBlock: !Ref 'PrivateSubnet2ACIDR'
+ AvailabilityZone: !Select ['1', !Ref 'AvailabilityZones']
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-Private subnet 2A
+ - Key: Network
+ Value: Private
+
+ PrivateSubnet2B:
+ Condition: AdditionalPrivateSubnetsCondition
+ Type: AWS::EC2::Subnet
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ CidrBlock: !Ref 'PrivateSubnet2BCIDR'
+ AvailabilityZone: !Select ['1', !Ref 'AvailabilityZones']
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet2B
+ - Key: Network
+ Value: Private
+
+ PrivateSubnet3A:
+ Condition: PrivateSubnets&3AZCondition
+ Type: AWS::EC2::Subnet
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ CidrBlock: !Ref 'PrivateSubnet3ACIDR'
+ AvailabilityZone: !Select ['2', !Ref 'AvailabilityZones']
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-Private subnet 3A
+ - Key: Network
+ Value: Private
+
+ PrivateSubnet3B:
+ Condition: AdditionalPrivateSubnets&3AZCondition
+ Type: AWS::EC2::Subnet
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ CidrBlock: !Ref 'PrivateSubnet3BCIDR'
+ AvailabilityZone: !Select ['2', !Ref 'AvailabilityZones']
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet3B
+ - Key: Network
+ Value: Private
+
+ PrivateSubnet4A:
+ Condition: PrivateSubnets&4AZCondition
+ Type: AWS::EC2::Subnet
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ CidrBlock: !Ref 'PrivateSubnet4ACIDR'
+ AvailabilityZone: !Select ['3', !Ref 'AvailabilityZones']
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet4A
+ - Key: Network
+ Value: Private
+
+ PrivateSubnet4B:
+ Condition: AdditionalPrivateSubnets&4AZCondition
+ Type: AWS::EC2::Subnet
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ CidrBlock: !Ref 'PrivateSubnet4BCIDR'
+ AvailabilityZone: !Select ['3', !Ref 'AvailabilityZones']
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet4B
+ - Key: Network
+ Value: Private
+
+ PublicSubnet1:
+ Condition: PublicSubnetsCondition
+ Type: AWS::EC2::Subnet
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ CidrBlock: !Ref 'PublicSubnet1CIDR'
+ AvailabilityZone: !Select ['0', !Ref 'AvailabilityZones']
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-PublicSubnet1
+ - Key: Network
+ Value: Public
+
+ PublicSubnet2:
+ Condition: PublicSubnetsCondition
+ Type: AWS::EC2::Subnet
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ CidrBlock: !Ref 'PublicSubnet2CIDR'
+ AvailabilityZone: !Select ['1', !Ref 'AvailabilityZones']
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-PublicSubnet2
+ - Key: Network
+ Value: Public
+
+ PublicSubnet3:
+ Condition: 3AZPublicCondition
+ Type: AWS::EC2::Subnet
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ CidrBlock: !Ref 'PublicSubnet3CIDR'
+ AvailabilityZone: !Select ['2', !Ref 'AvailabilityZones']
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-PublicSubnet3
+ - Key: Network
+ Value: Public
+
+ PublicSubnet4:
+ Condition: 4AZPublicCondition
+ Type: AWS::EC2::Subnet
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ CidrBlock: !Ref 'PublicSubnet4CIDR'
+ AvailabilityZone: !Select ['3', !Ref 'AvailabilityZones']
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-PublicSubnet4
+ - Key: Network
+ Value: Public
+
+ PrivateSubnet1ARouteTable:
+ Condition: PrivateSubnetsCondition
+ Type: AWS::EC2::RouteTable
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet1A
+ - Key: Network
+ Value: Private
+
+ PrivateSubnet1ARoute:
+ Condition: NATGatewayCondition
+ Type: AWS::EC2::Route
+ DeletionPolicy: Retain
+ Properties:
+ RouteTableId: !Ref 'PrivateSubnet1ARouteTable'
+ DestinationCidrBlock: 0.0.0.0/0
+ NatGatewayId: !If [NATGatewayCondition, !Ref 'NATGateway1', !Ref 'AWS::NoValue']
+
+ PrivateSubnet1ARouteTableAssociation:
+ Condition: PrivateSubnetsCondition
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ DeletionPolicy: Retain
+ Properties:
+ SubnetId: !Ref 'PrivateSubnet1A'
+ RouteTableId: !Ref 'PrivateSubnet1ARouteTable'
+
+ PrivateSubnet2ARouteTable:
+ Condition: PrivateSubnetsCondition
+ Type: AWS::EC2::RouteTable
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet2A
+ - Key: Network
+ Value: Private
+
+ PrivateSubnet2ARoute:
+ Condition: NATGatewayCondition
+ Type: AWS::EC2::Route
+ DeletionPolicy: Retain
+ Properties:
+ RouteTableId: !Ref 'PrivateSubnet2ARouteTable'
+ DestinationCidrBlock: 0.0.0.0/0
+ NatGatewayId: !If [NATGatewayCondition, !Ref 'NATGateway2', !Ref 'AWS::NoValue']
+
+ PrivateSubnet2ARouteTableAssociation:
+ Condition: PrivateSubnetsCondition
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ DeletionPolicy: Retain
+ Properties:
+ SubnetId: !Ref 'PrivateSubnet2A'
+ RouteTableId: !Ref 'PrivateSubnet2ARouteTable'
+
+ PrivateSubnet3ARouteTable:
+ Condition: PrivateSubnets&3AZCondition
+ Type: AWS::EC2::RouteTable
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet3A
+ - Key: Network
+ Value: Private
+
+ PrivateSubnet3ARoute:
+ Condition: NATGateway&3AZCondition
+ Type: AWS::EC2::Route
+ DeletionPolicy: Retain
+ Properties:
+ RouteTableId: !Ref 'PrivateSubnet3ARouteTable'
+ DestinationCidrBlock: 0.0.0.0/0
+ NatGatewayId: !If [NATGatewayCondition, !Ref 'NATGateway3', !Ref 'AWS::NoValue']
+
+ PrivateSubnet3ARouteTableAssociation:
+ Condition: PrivateSubnets&3AZCondition
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ DeletionPolicy: Retain
+ Properties:
+ SubnetId: !Ref 'PrivateSubnet3A'
+ RouteTableId: !Ref 'PrivateSubnet3ARouteTable'
+
+ PrivateSubnet4ARouteTable:
+ Condition: PrivateSubnets&4AZCondition
+ Type: AWS::EC2::RouteTable
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet4A
+ - Key: Network
+ Value: Private
+
+ PrivateSubnet4ARoute:
+ Condition: NATGateway&4AZCondition
+ Type: AWS::EC2::Route
+ DeletionPolicy: Retain
+ Properties:
+ RouteTableId: !Ref 'PrivateSubnet4ARouteTable'
+ DestinationCidrBlock: 0.0.0.0/0
+ NatGatewayId: !If [NATGatewayCondition, !Ref 'NATGateway4', !Ref 'AWS::NoValue']
+
+ PrivateSubnet4ARouteTableAssociation:
+ Condition: PrivateSubnets&4AZCondition
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ DeletionPolicy: Retain
+ Properties:
+ SubnetId: !Ref 'PrivateSubnet4A'
+ RouteTableId: !Ref 'PrivateSubnet4ARouteTable'
+
+ PrivateSubnet1BRouteTable:
+ Condition: AdditionalPrivateSubnetsCondition
+ Type: AWS::EC2::RouteTable
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet1B
+ - Key: Network
+ Value: Private
+
+ PrivateSubnet1BRoute:
+ Condition: AdditionalPrivateSubnets&NATGatewayCondition
+ Type: AWS::EC2::Route
+ DeletionPolicy: Retain
+ Properties:
+ RouteTableId: !Ref 'PrivateSubnet1BRouteTable'
+ DestinationCidrBlock: 0.0.0.0/0
+ NatGatewayId: !If [NATGatewayCondition, !Ref 'NATGateway1', !Ref 'AWS::NoValue']
+
+ PrivateSubnet1BRouteTableAssociation:
+ Condition: AdditionalPrivateSubnetsCondition
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ DeletionPolicy: Retain
+ Properties:
+ SubnetId: !Ref 'PrivateSubnet1B'
+ RouteTableId: !Ref 'PrivateSubnet1BRouteTable'
+
+ PrivateSubnet1BNetworkAcl:
+ Condition: AdditionalPrivateSubnetsCondition
+ Type: AWS::EC2::NetworkAcl
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-PrivateSubnet1BNetworkAcl
+ - Key: Network
+ Value: NACL Protected
+
+ PrivateSubnet1BNetworkAclEntryInbound:
+ Condition: AdditionalPrivateSubnetsCondition
+ Type: AWS::EC2::NetworkAclEntry
+ DeletionPolicy: Retain
+ Properties:
+ CidrBlock: 0.0.0.0/0
+ Egress: 'false'
+ NetworkAclId: !Ref 'PrivateSubnet1BNetworkAcl'
+ Protocol: '-1'
+ RuleAction: allow
+ RuleNumber: '100'
+ PrivateSubnet1BNetworkAclEntryOutbound:
+ Condition: AdditionalPrivateSubnetsCondition
+ Type: AWS::EC2::NetworkAclEntry
+ DeletionPolicy: Retain
+ Properties:
+ CidrBlock: 0.0.0.0/0
+ Egress: 'true'
+ NetworkAclId: !Ref 'PrivateSubnet1BNetworkAcl'
+ Protocol: '-1'
+ RuleAction: allow
+ RuleNumber: '100'
+
+ PrivateSubnet1BNetworkAclAssociation:
+ Condition: AdditionalPrivateSubnetsCondition
+ Type: AWS::EC2::SubnetNetworkAclAssociation
+ DeletionPolicy: Retain
+ Properties:
+ SubnetId: !Ref 'PrivateSubnet1B'
+ NetworkAclId: !Ref 'PrivateSubnet1BNetworkAcl'
+
+ PrivateSubnet2BRouteTable:
+ Condition: AdditionalPrivateSubnetsCondition
+ Type: AWS::EC2::RouteTable
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-Private subnet 2B
+ - Key: Network
+ Value: Private
+
+ PrivateSubnet2BRoute:
+ Condition: AdditionalPrivateSubnets&NATGatewayCondition
+ Type: AWS::EC2::Route
+ DeletionPolicy: Retain
+ Properties:
+ RouteTableId: !Ref 'PrivateSubnet2BRouteTable'
+ DestinationCidrBlock: 0.0.0.0/0
+ NatGatewayId: !If [NATGatewayCondition, !Ref 'NATGateway2', !Ref 'AWS::NoValue']
+
+ PrivateSubnet2BRouteTableAssociation:
+ Condition: AdditionalPrivateSubnetsCondition
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ DeletionPolicy: Retain
+ Properties:
+ SubnetId: !Ref 'PrivateSubnet2B'
+ RouteTableId: !Ref 'PrivateSubnet2BRouteTable'
+
+ PrivateSubnet2BNetworkAcl:
+ Condition: AdditionalPrivateSubnetsCondition
+ Type: AWS::EC2::NetworkAcl
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-NACL Protected subnet 2
+ - Key: Network
+ Value: NACL Protected
+
+ PrivateSubnet2BNetworkAclEntryInbound:
+ Condition: AdditionalPrivateSubnetsCondition
+ Type: AWS::EC2::NetworkAclEntry
+ DeletionPolicy: Retain
+ Properties:
+ CidrBlock: 0.0.0.0/0
+ Egress: 'false'
+ NetworkAclId: !Ref 'PrivateSubnet2BNetworkAcl'
+ Protocol: '-1'
+ RuleAction: allow
+ RuleNumber: '100'
+
+ PrivateSubnet2BNetworkAclEntryOutbound:
+ Condition: AdditionalPrivateSubnetsCondition
+ Type: AWS::EC2::NetworkAclEntry
+ DeletionPolicy: Retain
+ Properties:
+ CidrBlock: 0.0.0.0/0
+ Egress: 'true'
+ NetworkAclId: !Ref 'PrivateSubnet2BNetworkAcl'
+ Protocol: '-1'
+ RuleAction: allow
+ RuleNumber: '100'
+
+
+ PrivateSubnet2BNetworkAclAssociation:
+ Condition: AdditionalPrivateSubnetsCondition
+ Type: AWS::EC2::SubnetNetworkAclAssociation
+ DeletionPolicy: Retain
+ Properties:
+ SubnetId: !Ref 'PrivateSubnet2B'
+ NetworkAclId: !Ref 'PrivateSubnet2BNetworkAcl'
+
+ PrivateSubnet3BRouteTable:
+ Condition: AdditionalPrivateSubnets&3AZCondition
+ Type: AWS::EC2::RouteTable
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-Private subnet 3B
+ - Key: Network
+ Value: Private
+
+ PrivateSubnet3BRoute:
+ Condition: AdditionalPrivateSubnets&NATGateway&3AZCondition
+ Type: AWS::EC2::Route
+ DeletionPolicy: Retain
+ Properties:
+ RouteTableId: !Ref 'PrivateSubnet3BRouteTable'
+ DestinationCidrBlock: 0.0.0.0/0
+ NatGatewayId: !If [NATGatewayCondition, !Ref 'NATGateway3', !Ref 'AWS::NoValue']
+
+ PrivateSubnet3BRouteTableAssociation:
+ Condition: AdditionalPrivateSubnets&3AZCondition
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ DeletionPolicy: Retain
+ Properties:
+ SubnetId: !Ref 'PrivateSubnet3B'
+ RouteTableId: !Ref 'PrivateSubnet3BRouteTable'
+
+ PrivateSubnet3BNetworkAcl:
+ Condition: AdditionalPrivateSubnets&3AZCondition
+ Type: AWS::EC2::NetworkAcl
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-NACL Protected subnet 3
+ - Key: Network
+ Value: NACL Protected
+
+ PrivateSubnet3BNetworkAclEntryInbound:
+ Condition: AdditionalPrivateSubnets&3AZCondition
+ Type: AWS::EC2::NetworkAclEntry
+ DeletionPolicy: Retain
+ Properties:
+ CidrBlock: 0.0.0.0/0
+ Egress: 'false'
+ NetworkAclId: !Ref 'PrivateSubnet3BNetworkAcl'
+ Protocol: '-1'
+ RuleAction: allow
+ RuleNumber: '100'
+
+ PrivateSubnet3BNetworkAclEntryOutbound:
+ Condition: AdditionalPrivateSubnets&3AZCondition
+ Type: AWS::EC2::NetworkAclEntry
+ DeletionPolicy: Retain
+ Properties:
+ CidrBlock: 0.0.0.0/0
+ Egress: 'true'
+ NetworkAclId: !Ref 'PrivateSubnet3BNetworkAcl'
+ Protocol: '-1'
+ RuleAction: allow
+ RuleNumber: '100'
+
+ PrivateSubnet3BNetworkAclAssociation:
+ Condition: AdditionalPrivateSubnets&3AZCondition
+ Type: AWS::EC2::SubnetNetworkAclAssociation
+ DeletionPolicy: Retain
+ Properties:
+ SubnetId: !Ref 'PrivateSubnet3B'
+ NetworkAclId: !Ref 'PrivateSubnet3BNetworkAcl'
+
+ PrivateSubnet4BRouteTable:
+ Condition: AdditionalPrivateSubnets&4AZCondition
+ Type: AWS::EC2::RouteTable
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-Private subnet 4B
+ - Key: Network
+ Value: Private
+
+ PrivateSubnet4BRoute:
+ Condition: AdditionalPrivateSubnets&NATGateway&4AZCondition
+ Type: AWS::EC2::Route
+ DeletionPolicy: Retain
+ Properties:
+ RouteTableId: !Ref 'PrivateSubnet4BRouteTable'
+ DestinationCidrBlock: 0.0.0.0/0
+ NatGatewayId: !If [NATGatewayCondition, !Ref 'NATGateway4', !Ref 'AWS::NoValue']
+
+ PrivateSubnet4BRouteTableAssociation:
+ Condition: AdditionalPrivateSubnets&4AZCondition
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ DeletionPolicy: Retain
+ Properties:
+ SubnetId: !Ref 'PrivateSubnet4B'
+ RouteTableId: !Ref 'PrivateSubnet4BRouteTable'
+
+ PrivateSubnet4BNetworkAcl:
+ Condition: AdditionalPrivateSubnets&4AZCondition
+ Type: AWS::EC2::NetworkAcl
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-NACL Protected subnet 4
+ - Key: Network
+ Value: NACL Protected
+
+ PrivateSubnet4BNetworkAclEntryInbound:
+ Condition: AdditionalPrivateSubnets&4AZCondition
+ Type: AWS::EC2::NetworkAclEntry
+ DeletionPolicy: Retain
+ Properties:
+ CidrBlock: 0.0.0.0/0
+ Egress: 'false'
+ NetworkAclId: !Ref 'PrivateSubnet4BNetworkAcl'
+ Protocol: '-1'
+ RuleAction: allow
+ RuleNumber: '100'
+
+ PrivateSubnet4BNetworkAclEntryOutbound:
+ Condition: AdditionalPrivateSubnets&4AZCondition
+ Type: AWS::EC2::NetworkAclEntry
+ DeletionPolicy: Retain
+ Properties:
+ CidrBlock: 0.0.0.0/0
+ Egress: 'true'
+ NetworkAclId: !Ref 'PrivateSubnet4BNetworkAcl'
+ Protocol: '-1'
+ RuleAction: allow
+ RuleNumber: '100'
+
+ PrivateSubnet4BNetworkAclAssociation:
+ Condition: AdditionalPrivateSubnets&4AZCondition
+ Type: AWS::EC2::SubnetNetworkAclAssociation
+ DeletionPolicy: Retain
+ Properties:
+ SubnetId: !Ref 'PrivateSubnet4B'
+ NetworkAclId: !Ref 'PrivateSubnet4BNetworkAcl'
+
+ PublicSubnetRouteTable:
+ Condition: PublicSubnetsCondition
+ Type: AWS::EC2::RouteTable
+ DeletionPolicy: Retain
+ Properties:
+ VpcId: !Ref 'VPC'
+ Tags:
+ - Key: Name
+ Value: !Sub ${ManagedResourcePrefix}-Public Subnets
+ - Key: Network
+ Value: Public
+
+ PublicSubnetRoute:
+ Condition: PublicSubnetsCondition
+ DependsOn: VPCGatewayAttachment
+ DeletionPolicy: Retain
+ Type: AWS::EC2::Route
+ Properties:
+ RouteTableId: !Ref 'PublicSubnetRouteTable'
+ DestinationCidrBlock: 0.0.0.0/0
+ GatewayId: !Ref 'InternetGateway'
+
+ PublicSubnet1RouteTableAssociation:
+ Condition: PublicSubnetsCondition
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ DeletionPolicy: Retain
+ Properties:
+ SubnetId: !Ref 'PublicSubnet1'
+ RouteTableId: !Ref 'PublicSubnetRouteTable'
+
+ PublicSubnet2RouteTableAssociation:
+ Condition: PublicSubnetsCondition
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ DeletionPolicy: Retain
+ Properties:
+ SubnetId: !Ref 'PublicSubnet2'
+ RouteTableId: !Ref 'PublicSubnetRouteTable'
+
+ PublicSubnet3RouteTableAssociation:
+ Condition: 3AZPublicCondition
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ DeletionPolicy: Retain
+ Properties:
+ SubnetId: !Ref 'PublicSubnet3'
+ RouteTableId: !Ref 'PublicSubnetRouteTable'
+
+ PublicSubnet4RouteTableAssociation:
+ Condition: 4AZPublicCondition
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ DeletionPolicy: Retain
+ Properties:
+ SubnetId: !Ref 'PublicSubnet4'
+ RouteTableId: !Ref 'PublicSubnetRouteTable'
+
+ NAT1EIP:
+ Condition: Public&PrivateSubnetsCondition
+ DependsOn: VPCGatewayAttachment
+ Type: AWS::EC2::EIP
+ DeletionPolicy: Retain
+ Properties:
+ Domain: vpc
+
+ NAT2EIP:
+ Condition: Public&PrivateSubnetsCondition
+ DependsOn: VPCGatewayAttachment
+ Type: AWS::EC2::EIP
+ DeletionPolicy: Retain
+ Properties:
+ Domain: vpc
+
+ NAT3EIP:
+ Condition: Public&PrivateSubnets&3AZCondition
+ DependsOn: VPCGatewayAttachment
+ Type: AWS::EC2::EIP
+ DeletionPolicy: Retain
+ Properties:
+ Domain: vpc
+
+ NAT4EIP:
+ Condition: Public&PrivateSubnets&4AZCondition
+ DependsOn: VPCGatewayAttachment
+ Type: AWS::EC2::EIP
+ DeletionPolicy: Retain
+ Properties:
+ Domain: vpc
+
+ NATGateway1:
+ Condition: NATGatewayCondition
+ DependsOn: VPCGatewayAttachment
+ Type: AWS::EC2::NatGateway
+ DeletionPolicy: Retain
+ Properties:
+ AllocationId: !GetAtt 'NAT1EIP.AllocationId'
+ SubnetId: !Ref 'PublicSubnet1'
+
+ NATGateway2:
+ Condition: NATGatewayCondition
+ DependsOn: VPCGatewayAttachment
+ Type: AWS::EC2::NatGateway
+ DeletionPolicy: Retain
+ Properties:
+ AllocationId: !GetAtt 'NAT2EIP.AllocationId'
+ SubnetId: !Ref 'PublicSubnet2'
+
+ NATGateway3:
+ Condition: NATGateway&3AZCondition
+ DependsOn: VPCGatewayAttachment
+ Type: AWS::EC2::NatGateway
+ DeletionPolicy: Retain
+ Properties:
+ AllocationId: !GetAtt 'NAT3EIP.AllocationId'
+ SubnetId: !Ref 'PublicSubnet3'
+
+ NATGateway4:
+ Condition: NATGateway&4AZCondition
+ DependsOn: VPCGatewayAttachment
+ Type: AWS::EC2::NatGateway
+ DeletionPolicy: Retain
+ Properties:
+ AllocationId: !GetAtt 'NAT4EIP.AllocationId'
+ SubnetId: !Ref 'PublicSubnet4'
+
+ S3VPCEndpoint:
+ Condition: S3VPCEndpointCondition
+ Type: AWS::EC2::VPCEndpoint
+ DeletionPolicy: Retain
+ Properties:
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Action: '*'
+ Effect: Allow
+ Resource: '*'
+ Principal: '*'
+ RouteTableIds:
+ - !Ref 'PrivateSubnet1ARouteTable'
+ - !Ref 'PrivateSubnet2ARouteTable'
+ - !If [PrivateSubnets&3AZCondition, !Ref 'PrivateSubnet3ARouteTable', !Ref 'AWS::NoValue']
+ - !If [PrivateSubnets&4AZCondition, !Ref 'PrivateSubnet4ARouteTable', !Ref 'AWS::NoValue']
+ - !If [AdditionalPrivateSubnetsCondition, !Ref 'PrivateSubnet1BRouteTable',
+ !Ref 'AWS::NoValue']
+ - !If [AdditionalPrivateSubnetsCondition, !Ref 'PrivateSubnet2BRouteTable',
+ !Ref 'AWS::NoValue']
+ - !If [AdditionalPrivateSubnets&3AZCondition, !Ref 'PrivateSubnet3BRouteTable',
+ !Ref 'AWS::NoValue']
+ - !If [AdditionalPrivateSubnets&4AZCondition, !Ref 'PrivateSubnet4BRouteTable',
+ !Ref 'AWS::NoValue']
+ ServiceName: !Join ['', [com.amazonaws., !Ref 'AWS::Region', .s3]]
+ VpcId: !Ref 'VPC'
+
+ VPCFlowLogsLogGroup:
+ Type: AWS::Logs::LogGroup
+ DeletionPolicy: Retain
+ Properties:
+ RetentionInDays: !Ref LogsRetentionInDays
+
+ VPCFlowLogsRole:
+ Type: AWS::IAM::Role
+ DeletionPolicy: Retain
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: W11
+ reason: "Allow Resource * for CloudWatch Logs API since the resources are customer defined."
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - vpc-flow-logs.amazonaws.com
+ Action:
+ - sts:AssumeRole
+ Path: /
+ Policies:
+ - PolicyName: LogRolePolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - logs:CreateLogGroup
+ - logs:CreateLogStream
+ - logs:DescribeLogGroups
+ - logs:DescribeLogStreams
+ - logs:PutLogEvents
+ Resource: '*'
+ VPCFlowLog:
+ Type: AWS::EC2::FlowLog
+ DeletionPolicy: Retain
+ Properties:
+ DeliverLogsPermissionArn: !GetAtt 'VPCFlowLogsRole.Arn'
+ LogGroupName: !Ref 'VPCFlowLogsLogGroup'
+ ResourceId: !Ref 'VPC'
+ ResourceType: VPC
+ TrafficType: ALL
+Outputs:
+# NAT1EIP:
+# Condition: Public&PrivateSubnetsCondition
+# Description: NAT 1 IP address
+# Value: !Ref 'NAT1EIP'
+# Export:
+# Name: !Sub '${AWS::StackName}-NAT1EIP'
+# NAT2EIP:
+# Condition: Public&PrivateSubnetsCondition
+# Description: NAT 2 IP address
+# Value: !Ref 'NAT2EIP'
+# Export:
+# Name: !Sub '${AWS::StackName}-NAT2EIP'
+# NAT3EIP:
+# Condition: Public&PrivateSubnets&3AZCondition
+# Description: NAT 3 IP address
+# Value: !Ref 'NAT3EIP'
+# Export:
+# Name: !Sub '${AWS::StackName}-NAT3EIP'
+# NAT4EIP:
+# Condition: Public&PrivateSubnets&4AZCondition
+# Description: NAT 4 IP address
+# Value: !Ref 'NAT4EIP'
+# Export:
+# Name: !Sub '${AWS::StackName}-NAT4EIP'
+ PrivateSubnet1ACIDR:
+ Condition: PrivateSubnetsCondition
+ Description: Private subnet 1A CIDR in Availability Zone 1
+ Value: !Ref 'PrivateSubnet1ACIDR'
+ Export:
+ Name: !Sub '${AWS::StackName}-PrivateSubnet1ACIDR'
+ PrivateSubnet1AID:
+ Condition: PrivateSubnetsCondition
+ Description: Private subnet 1A ID in Availability Zone 1
+ Value: !Ref 'PrivateSubnet1A'
+ Export:
+ Name: !Sub '${AWS::StackName}-PrivateSubnet1AID'
+# PrivateSubnet1BCIDR:
+# Condition: AdditionalPrivateSubnetsCondition
+# Description: Private subnet 1B CIDR in Availability Zone 1
+# Value: !Ref 'PrivateSubnet1BCIDR'
+# Export:
+# Name: !Sub '${AWS::StackName}-PrivateSubnet1BCIDR'
+# PrivateSubnet1BID:
+# Condition: AdditionalPrivateSubnetsCondition
+# Description: Private subnet 1B ID in Availability Zone 1
+# Value: !Ref 'PrivateSubnet1B'
+# Export:
+# Name: !Sub '${AWS::StackName}-PrivateSubnet1BID'
+ PrivateSubnet2ACIDR:
+ Condition: PrivateSubnetsCondition
+ Description: Private subnet 2A CIDR in Availability Zone 2
+ Value: !Ref 'PrivateSubnet2ACIDR'
+ Export:
+ Name: !Sub '${AWS::StackName}-PrivateSubnet2ACIDR'
+ PrivateSubnet2AID:
+ Condition: PrivateSubnetsCondition
+ Description: Private subnet 2A ID in Availability Zone 2
+ Value: !Ref 'PrivateSubnet2A'
+ Export:
+ Name: !Sub '${AWS::StackName}-PrivateSubnet2AID'
+# PrivateSubnet2BCIDR:
+# Condition: AdditionalPrivateSubnetsCondition
+# Description: Private subnet 2B CIDR in Availability Zone 2
+# Value: !Ref 'PrivateSubnet2BCIDR'
+# Export:
+# Name: !Sub '${AWS::StackName}-PrivateSubnet2BCIDR'
+# PrivateSubnet2BID:
+# Condition: AdditionalPrivateSubnetsCondition
+# Description: Private subnet 2B ID in Availability Zone 2
+# Value: !Ref 'PrivateSubnet2B'
+# Export:
+# Name: !Sub '${AWS::StackName}-PrivateSubnet2BID'
+ PrivateSubnet3ACIDR:
+ Condition: PrivateSubnets&3AZCondition
+ Description: Private subnet 3A CIDR in Availability Zone 3
+ Value: !Ref 'PrivateSubnet3ACIDR'
+ Export:
+ Name: !Sub '${AWS::StackName}-PrivateSubnet3ACIDR'
+ PrivateSubnet3AID:
+ Condition: PrivateSubnets&3AZCondition
+ Description: Private subnet 3A ID in Availability Zone 3
+ Value: !Ref 'PrivateSubnet3A'
+ Export:
+ Name: !Sub '${AWS::StackName}-PrivateSubnet3AID'
+# PrivateSubnet3BCIDR:
+# Condition: AdditionalPrivateSubnets&3AZCondition
+# Description: Private subnet 3B CIDR in Availability Zone 3
+# Value: !Ref 'PrivateSubnet3BCIDR'
+# Export:
+# Name: !Sub '${AWS::StackName}-PrivateSubnet3BCIDR'
+# PrivateSubnet3BID:
+# Condition: AdditionalPrivateSubnets&3AZCondition
+# Description: Private subnet 3B ID in Availability Zone 3
+# Value: !Ref 'PrivateSubnet3B'
+# Export:
+# Name: !Sub '${AWS::StackName}-PrivateSubnet3BID'
+# PrivateSubnet4ACIDR:
+# Condition: PrivateSubnets&4AZCondition
+# Description: Private subnet 4A CIDR in Availability Zone 4
+# Value: !Ref 'PrivateSubnet4ACIDR'
+# Export:
+# Name: !Sub '${AWS::StackName}-PrivateSubnet4ACIDR'
+# PrivateSubnet4AID:
+# Condition: PrivateSubnets&4AZCondition
+# Description: Private subnet 4A ID in Availability Zone 4
+# Value: !Ref 'PrivateSubnet4A'
+# Export:
+# Name: !Sub '${AWS::StackName}-PrivateSubnet4AID'
+# PrivateSubnet4BCIDR:
+# Condition: AdditionalPrivateSubnets&4AZCondition
+# Description: Private subnet 4B CIDR in Availability Zone 4
+# Value: !Ref 'PrivateSubnet4BCIDR'
+# Export:
+# Name: !Sub '${AWS::StackName}-PrivateSubnet4BCIDR'
+# PrivateSubnet4BID:
+# Condition: AdditionalPrivateSubnets&4AZCondition
+# Description: Private subnet 4B ID in Availability Zone 4
+# Value: !Ref 'PrivateSubnet4B'
+# Export:
+# Name: !Sub '${AWS::StackName}-PrivateSubnet4BID'
+ PublicSubnet1CIDR:
+ Condition: PublicSubnetsCondition
+ Description: Public subnet 1 CIDR in Availability Zone 1
+ Value: !Ref 'PublicSubnet1CIDR'
+ Export:
+ Name: !Sub '${AWS::StackName}-PublicSubnet1CIDR'
+ PublicSubnet1ID:
+ Condition: PublicSubnetsCondition
+ Description: Public subnet 1 ID in Availability Zone 1
+ Value: !Ref 'PublicSubnet1'
+ Export:
+ Name: !Sub '${AWS::StackName}-PublicSubnet1ID'
+ PublicSubnet2CIDR:
+ Condition: PublicSubnetsCondition
+ Description: Public subnet 2 CIDR in Availability Zone 2
+ Value: !Ref 'PublicSubnet2CIDR'
+ Export:
+ Name: !Sub '${AWS::StackName}-PublicSubnet2CIDR'
+ PublicSubnet2ID:
+ Condition: PublicSubnetsCondition
+ Description: Public subnet 2 ID in Availability Zone 2
+ Value: !Ref 'PublicSubnet2'
+ Export:
+ Name: !Sub '${AWS::StackName}-PublicSubnet2ID'
+ PublicSubnet3CIDR:
+ Condition: 3AZPublicCondition
+ Description: Public subnet 3 CIDR in Availability Zone 3
+ Value: !Ref 'PublicSubnet3CIDR'
+ Export:
+ Name: !Sub '${AWS::StackName}-PublicSubnet3CIDR'
+ PublicSubnet3ID:
+ Condition: 3AZPublicCondition
+ Description: Public subnet 3 ID in Availability Zone 3
+ Value: !Ref 'PublicSubnet3'
+ Export:
+ Name: !Sub '${AWS::StackName}-PublicSubnet3ID'
+# PublicSubnet4CIDR:
+# Condition: 4AZPublicCondition
+# Description: Public subnet 4 CIDR in Availability Zone 4
+# Value: !Ref 'PublicSubnet4CIDR'
+# Export:
+# Name: !Sub '${AWS::StackName}-PublicSubnet4CIDR'
+# PublicSubnet4ID:
+# Condition: 4AZPublicCondition
+# Description: Public subnet 4 ID in Availability Zone 4
+# Value: !Ref 'PublicSubnet4'
+# Export:
+# Name: !Sub '${AWS::StackName}-PublicSubnet4ID'
+# S3VPCEndpoint:
+# Condition: S3VPCEndpointCondition
+# Description: S3 VPC Endpoint
+# Value: !Ref 'S3VPCEndpoint'
+# Export:
+# Name: !Sub '${AWS::StackName}-S3VPCEndpoint'
+ PrivateSubnet1ARouteTable:
+ Condition: PrivateSubnetsCondition
+ Value: !Ref 'PrivateSubnet1ARouteTable'
+ Description: Private subnet 1A route table
+ Export:
+ Name: !Sub '${AWS::StackName}-PrivateSubnet1ARouteTable'
+# PrivateSubnet1BRouteTable:
+# Condition: AdditionalPrivateSubnetsCondition
+# Value: !Ref 'PrivateSubnet1BRouteTable'
+# Description: Private subnet 1B route table
+# Export:
+# Name: !Sub '${AWS::StackName}-PrivateSubnet1BRouteTable'
+ PrivateSubnet2ARouteTable:
+ Condition: PrivateSubnetsCondition
+ Value: !Ref 'PrivateSubnet2ARouteTable'
+ Description: Private subnet 2A route table
+ Export:
+ Name: !Sub '${AWS::StackName}-PrivateSubnet2ARouteTable'
+# PrivateSubnet2BRouteTable:
+# Condition: AdditionalPrivateSubnetsCondition
+# Value: !Ref 'PrivateSubnet2BRouteTable'
+# Description: Private subnet 2B route table
+# Export:
+# Name: !Sub '${AWS::StackName}-PrivateSubnet2BRouteTable'
+ PrivateSubnet3ARouteTable:
+ Condition: PrivateSubnets&3AZCondition
+ Value: !Ref 'PrivateSubnet3ARouteTable'
+ Description: Private subnet 3A route table
+ Export:
+ Name: !Sub '${AWS::StackName}-PrivateSubnet3ARouteTable'
+# PrivateSubnet3BRouteTable:
+# Condition: AdditionalPrivateSubnets&3AZCondition
+# Value: !Ref 'PrivateSubnet3BRouteTable'
+# Description: Private subnet 3B route table
+# Export:
+# Name: !Sub '${AWS::StackName}-PrivateSubnet3BRouteTable'
+# PrivateSubnet4ARouteTable:
+# Condition: PrivateSubnets&4AZCondition
+# Value: !Ref 'PrivateSubnet4ARouteTable'
+# Description: Private subnet 4A route table
+# Export:
+# Name: !Sub '${AWS::StackName}-PrivateSubnet4ARouteTable'
+# PrivateSubnet4BRouteTable:
+# Condition: AdditionalPrivateSubnets&4AZCondition
+# Value: !Ref 'PrivateSubnet4BRouteTable'
+# Description: Private subnet 4B route table
+# Export:
+# Name: !Sub '${AWS::StackName}-PrivateSubnet4BRouteTable'
+ PublicSubnetRouteTable:
+ Condition: PublicSubnetsCondition
+ Value: !Ref 'PublicSubnetRouteTable'
+ Description: Public subnet route table
+ Export:
+ Name: !Sub '${AWS::StackName}-PublicSubnetRouteTable'
+ PrivateSubnetRouteTables:
+ Value:
+ !Join
+ - ','
+ - - !If [PrivateSubnetsCondition, !Ref 'PrivateSubnet1ARouteTable', !Ref 'AWS::NoValue']
+ - !If [PrivateSubnetsCondition, !Ref 'PrivateSubnet2ARouteTable', !Ref 'AWS::NoValue']
+ - !If [AdditionalPrivateSubnetsCondition, !Ref 'PrivateSubnet1BRouteTable', !Ref 'AWS::NoValue']
+ - !If [AdditionalPrivateSubnetsCondition, !Ref 'PrivateSubnet2BRouteTable', !Ref 'AWS::NoValue']
+ - !If [PrivateSubnets&3AZCondition, !Ref 'PrivateSubnet3ARouteTable', !Ref 'AWS::NoValue']
+ - !If [PrivateSubnets&4AZCondition, !Ref 'PrivateSubnet4ARouteTable', !Ref 'AWS::NoValue']
+ - !If [AdditionalPrivateSubnets&3AZCondition, !Ref 'PrivateSubnet3BRouteTable', !Ref 'AWS::NoValue']
+ - !If [AdditionalPrivateSubnets&4AZCondition, !Ref 'PrivateSubnet4BRouteTable', !Ref 'AWS::NoValue']
+ Description: List of private subnet route tables
+ VPCCIDR:
+ Value: !Ref 'VPCCIDR'
+ Description: VPC CIDR
+ Export:
+ Name: !Sub '${AWS::StackName}-VPCCIDR'
+ VPCID:
+ Value: !Ref 'VPC'
+ Description: VPC ID
+ Export:
+ Name: DefaultVPCId
+ VPCRegion:
+ Value: !Ref AWS::Region
+ Description: VPC Region
diff --git a/reference-artifacts/aws-landing-zone-configuration/templates/core_accounts/aws-landing-zone-guardduty-master.template b/reference-artifacts/aws-landing-zone-configuration/templates/core_accounts/aws-landing-zone-guardduty-master.template
index 1a58d57db..3826098b3 100644
--- a/reference-artifacts/aws-landing-zone-configuration/templates/core_accounts/aws-landing-zone-guardduty-master.template
+++ b/reference-artifacts/aws-landing-zone-configuration/templates/core_accounts/aws-landing-zone-guardduty-master.template
@@ -1,210 +1,210 @@
-AWSTemplateFormatVersion: '2010-09-09'
-Description: Enable Amazon GuardDuty (master)
-
-Parameters:
- AlarmNotificationTopic:
- Type: String
- Description: SNS topic ARN for forwarding alerts.
- NotifyDisplayName:
- Type: 'String'
- Default: LZNotify
- Description: SNS display name for security administrator(s)
- NotifyTopicName:
- Type: 'String'
- Default: AWS-Landing-Zone-GuardDuty-Notifications
- Description: SNS topic name for security notifications
- GuardDutyFindingNotifications:
- Type: String
- Description: "Enable notifications for AWS Config rule compliance status changes?"
- Default: true
- AllowedValues:
- - true
- - false
- LogsRetentionInDays:
- Description: 'Specifies the number of days you want to retain notification forwarding log events in the Lambda log group.'
- Type: Number
- Default: 14
- AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
-
-Conditions:
- GuardDutyFindingNotificationCondition: !Equals
- - !Ref GuardDutyFindingNotifications
- - 'true'
-
-Resources:
- MasterDetector:
- Type: AWS::GuardDuty::Detector
- Properties:
- Enable: true
-
- SNSNotificationTopic:
- Type: AWS::SNS::Topic
- Properties:
- DisplayName: !Ref NotifyDisplayName
- TopicName: !Ref NotifyTopicName
-
- SNSNotificationPolicy:
- Type: AWS::SNS::TopicPolicy
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: F18
- reason: "Condition restricts permissions to current account."
- Properties:
- Topics:
- - !Ref SNSNotificationTopic
- PolicyDocument:
- Statement:
- - Sid: __default_statement_ID
- Effect: Allow
- Principal:
- AWS: "*"
- Action:
- - SNS:GetTopicAttributes
- - SNS:SetTopicAttributes
- - SNS:AddPermission
- - SNS:RemovePermission
- - SNS:DeleteTopic
- - SNS:Subscribe
- - SNS:ListSubscriptionsByTopic
- - SNS:Publish
- - SNS:Receive
- Resource: !Ref SNSNotificationTopic
- Condition:
- StringEquals:
- AWS:SourceOwner: !Sub ${AWS::AccountId}
- - Sid: TrustCWEToPublishEventsToMyTopic
- Effect: Allow
- Principal:
- Service: events.amazonaws.com
- Action: sns:Publish
- Resource: !Ref SNSNotificationTopic
-
- SNSNotificationSubscription:
- Type: "AWS::SNS::Subscription"
- Properties:
- Endpoint: !GetAtt ForwardSnsNotification.Arn
- Protocol: lambda
- TopicArn: !Ref SNSNotificationTopic
-
- SNSInvokeLambdaPermission:
- Type: AWS::Lambda::Permission
- Properties:
- Action: lambda:InvokeFunction
- Principal: sns.amazonaws.com
- SourceArn: !Ref SNSNotificationTopic
- FunctionName: !GetAtt ForwardSnsNotification.Arn
-
- # Enable notifications for AWS Config Rule compliance changes
- GuardDutyFindingEventRule:
- Type: AWS::Events::Rule
- Condition: GuardDutyFindingNotificationCondition
- Properties:
- Name: GuardDuty-Finding
- Description: 'Landing Zone rule to send notification on GuardDuty findings.'
- EventPattern:
- {
- "source": [
- "aws.guardduty"
- ],
- "detail-type": [
- "GuardDuty Finding"
- ]
- }
- State: ENABLED
- Targets:
- - Id: !Sub 'AWS-Landing-Zone-GuardDuty-Finding-Topic'
- Arn: !Ref SNSNotificationTopic
-
- ForwardSnsNotificationLambdaRole:
- Type: 'AWS::IAM::Role'
- Properties:
- AssumeRolePolicyDocument:
- Version: '2012-10-17'
- Statement:
- - Effect: Allow
- Principal:
- Service: 'lambda.amazonaws.com'
- Action:
- - 'sts:AssumeRole'
- Path: '/'
- ManagedPolicyArns:
- - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
- Policies:
- - PolicyName: sns
- PolicyDocument:
- Statement:
- - Effect: Allow
- Action:
- - 'sns:publish'
- Resource: !Join
- - ':'
- - - 'arn:aws'
- - !Select [2, !Split [":", !Ref AlarmNotificationTopic]]
- - !Sub ${AWS::Region}
- - !Select [4, !Split [":", !Ref AlarmNotificationTopic]]
- - !Select [5, !Split [":", !Ref AlarmNotificationTopic]]
-
- ForwardSnsNotification:
- Type: 'AWS::Lambda::Function'
- Properties:
- FunctionName: LandingZoneGuardDutyNotificationForwarder
- Description: AWS Landing Zone SNS message forwarding function for aggregating GuardDuty notifications.
- Code:
- ZipFile:
- !Sub |
- from __future__ import print_function
- import boto3
- import json
- import os
- def lambda_handler(event, context):
- sns = boto3.client('sns')
- subject=event['Records'][0]['Sns']['Subject']
- if subject is None:
- subject = 'None'
- message = event['Records'][0]['Sns']['Message']
- try:
- msg = json.loads(message)
- message = json.dumps(msg, indent=4)
- if 'detail-type' in msg:
- subject = msg['detail-type']
- except:
- print('Not json')
- response = sns.publish(
- TopicArn=os.environ.get('sns_arn'),
- Subject=subject,
- Message=message
- )
- print(response)
- return response
- Handler: 'index.lambda_handler'
- MemorySize: 128
- Role: !GetAtt 'ForwardSnsNotificationLambdaRole.Arn'
- Runtime: 'python3.6'
- Timeout: 60
- Environment:
- Variables:
- sns_arn: !Join
- - ':'
- - - 'arn:aws'
- - !Select [2, !Split [":", !Ref AlarmNotificationTopic]]
- - !Sub ${AWS::Region}
- - !Select [4, !Split [":", !Ref AlarmNotificationTopic]]
- - !Select [5, !Split [":", !Ref AlarmNotificationTopic]]
-
-
- ForwardSnsNotificationGroup:
- Type: 'AWS::Logs::LogGroup'
- Properties:
- LogGroupName: !Sub '/aws/lambda/${ForwardSnsNotification}'
- RetentionInDays: !Ref LogsRetentionInDays
-
-Outputs:
- MasterDetectorId:
- Description: GuardDuty DetectorId for this region
- Value: !Ref MasterDetector
- SnsNotificationTopicArn:
- Description: AWS Landing Zone SNS Topic ARN
- Value: !Ref SNSNotificationTopic
- Export:
- Name: LandingZoneSnsSecNotificationTopicArn
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Enable Amazon GuardDuty (master)
+
+Parameters:
+ AlarmNotificationTopic:
+ Type: String
+ Description: SNS topic ARN for forwarding alerts.
+ NotifyDisplayName:
+ Type: 'String'
+ Default: LZNotify
+ Description: SNS display name for security administrator(s)
+ NotifyTopicName:
+ Type: 'String'
+ Default: AWS-Landing-Zone-GuardDuty-Notifications
+ Description: SNS topic name for security notifications
+ GuardDutyFindingNotifications:
+ Type: String
+ Description: "Enable notifications for AWS Config rule compliance status changes?"
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ LogsRetentionInDays:
+ Description: 'Specifies the number of days you want to retain notification forwarding log events in the Lambda log group.'
+ Type: Number
+ Default: 14
+ AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
+
+Conditions:
+ GuardDutyFindingNotificationCondition: !Equals
+ - !Ref GuardDutyFindingNotifications
+ - 'true'
+
+Resources:
+ MasterDetector:
+ Type: AWS::GuardDuty::Detector
+ Properties:
+ Enable: true
+
+ SNSNotificationTopic:
+ Type: AWS::SNS::Topic
+ Properties:
+ DisplayName: !Ref NotifyDisplayName
+ TopicName: !Ref NotifyTopicName
+
+ SNSNotificationPolicy:
+ Type: AWS::SNS::TopicPolicy
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: F18
+ reason: "Condition restricts permissions to current account."
+ Properties:
+ Topics:
+ - !Ref SNSNotificationTopic
+ PolicyDocument:
+ Statement:
+ - Sid: __default_statement_ID
+ Effect: Allow
+ Principal:
+ AWS: "*"
+ Action:
+ - SNS:GetTopicAttributes
+ - SNS:SetTopicAttributes
+ - SNS:AddPermission
+ - SNS:RemovePermission
+ - SNS:DeleteTopic
+ - SNS:Subscribe
+ - SNS:ListSubscriptionsByTopic
+ - SNS:Publish
+ - SNS:Receive
+ Resource: !Ref SNSNotificationTopic
+ Condition:
+ StringEquals:
+ AWS:SourceOwner: !Sub ${AWS::AccountId}
+ - Sid: TrustCWEToPublishEventsToMyTopic
+ Effect: Allow
+ Principal:
+ Service: events.amazonaws.com
+ Action: sns:Publish
+ Resource: !Ref SNSNotificationTopic
+
+ SNSNotificationSubscription:
+ Type: "AWS::SNS::Subscription"
+ Properties:
+ Endpoint: !GetAtt ForwardSnsNotification.Arn
+ Protocol: lambda
+ TopicArn: !Ref SNSNotificationTopic
+
+ SNSInvokeLambdaPermission:
+ Type: AWS::Lambda::Permission
+ Properties:
+ Action: lambda:InvokeFunction
+ Principal: sns.amazonaws.com
+ SourceArn: !Ref SNSNotificationTopic
+ FunctionName: !GetAtt ForwardSnsNotification.Arn
+
+ # Enable notifications for AWS Config Rule compliance changes
+ GuardDutyFindingEventRule:
+ Type: AWS::Events::Rule
+ Condition: GuardDutyFindingNotificationCondition
+ Properties:
+ Name: GuardDuty-Finding
+ Description: 'Landing Zone rule to send notification on GuardDuty findings.'
+ EventPattern:
+ {
+ "source": [
+ "aws.guardduty"
+ ],
+ "detail-type": [
+ "GuardDuty Finding"
+ ]
+ }
+ State: ENABLED
+ Targets:
+ - Id: !Sub 'AWS-Landing-Zone-GuardDuty-Finding-Topic'
+ Arn: !Ref SNSNotificationTopic
+
+ ForwardSnsNotificationLambdaRole:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: 'lambda.amazonaws.com'
+ Action:
+ - 'sts:AssumeRole'
+ Path: '/'
+ ManagedPolicyArns:
+ - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
+ Policies:
+ - PolicyName: sns
+ PolicyDocument:
+ Statement:
+ - Effect: Allow
+ Action:
+ - 'sns:publish'
+ Resource: !Join
+ - ':'
+ - - 'arn:aws'
+ - !Select [2, !Split [":", !Ref AlarmNotificationTopic]]
+ - !Sub ${AWS::Region}
+ - !Select [4, !Split [":", !Ref AlarmNotificationTopic]]
+ - !Select [5, !Split [":", !Ref AlarmNotificationTopic]]
+
+ ForwardSnsNotification:
+ Type: 'AWS::Lambda::Function'
+ Properties:
+ FunctionName: LandingZoneGuardDutyNotificationForwarder
+ Description: AWS Landing Zone SNS message forwarding function for aggregating GuardDuty notifications.
+ Code:
+ ZipFile:
+ !Sub |
+ from __future__ import print_function
+ import boto3
+ import json
+ import os
+ def lambda_handler(event, context):
+ sns = boto3.client('sns')
+ subject=event['Records'][0]['Sns']['Subject']
+ if subject is None:
+ subject = 'None'
+ message = event['Records'][0]['Sns']['Message']
+ try:
+ msg = json.loads(message)
+ message = json.dumps(msg, indent=4)
+ if 'detail-type' in msg:
+ subject = msg['detail-type']
+ except:
+ print('Not json')
+ response = sns.publish(
+ TopicArn=os.environ.get('sns_arn'),
+ Subject=subject,
+ Message=message
+ )
+ print(response)
+ return response
+ Handler: 'index.lambda_handler'
+ MemorySize: 128
+ Role: !GetAtt 'ForwardSnsNotificationLambdaRole.Arn'
+ Runtime: 'python3.6'
+ Timeout: 60
+ Environment:
+ Variables:
+ sns_arn: !Join
+ - ':'
+ - - 'arn:aws'
+ - !Select [2, !Split [":", !Ref AlarmNotificationTopic]]
+ - !Sub ${AWS::Region}
+ - !Select [4, !Split [":", !Ref AlarmNotificationTopic]]
+ - !Select [5, !Split [":", !Ref AlarmNotificationTopic]]
+
+
+ ForwardSnsNotificationGroup:
+ Type: 'AWS::Logs::LogGroup'
+ Properties:
+ LogGroupName: !Sub '/aws/lambda/${ForwardSnsNotification}'
+ RetentionInDays: !Ref LogsRetentionInDays
+
+Outputs:
+ MasterDetectorId:
+ Description: GuardDuty DetectorId for this region
+ Value: !Ref MasterDetector
+ SnsNotificationTopicArn:
+ Description: AWS Landing Zone SNS Topic ARN
+ Value: !Ref SNSNotificationTopic
+ Export:
+ Name: LandingZoneSnsSecNotificationTopicArn
diff --git a/reference-artifacts/aws-landing-zone-configuration/templates/core_accounts/aws-landing-zone-logging.template b/reference-artifacts/aws-landing-zone-configuration/templates/core_accounts/aws-landing-zone-logging.template
index 7deeda0ce..25e221ffa 100644
--- a/reference-artifacts/aws-landing-zone-configuration/templates/core_accounts/aws-landing-zone-logging.template
+++ b/reference-artifacts/aws-landing-zone-configuration/templates/core_accounts/aws-landing-zone-logging.template
@@ -1,193 +1,193 @@
-AWSTemplateFormatVersion: 2010-09-09
-Description: Create a S3 logging bucket in the logging account.
-
-Parameters:
- SSEAlgorithm:
- Type: 'String'
- Default: 'AES256'
- Description: S3 bucket SSE Algorithm.
- AllowedValues:
- - 'AES256'
- - 'aws:kms'
- KMSMasterKeyID:
- Type: 'String'
- Description: 'KMS key ID required if SSE algorithm is aws:kms.'
- AWSLogsS3KeyPrefix:
- Type: 'String'
- Description: 'Organization ID to use as the S3 Key prefix for storing the audit logs'
-
-Conditions:
- UseKMS: !Equals
- - !Ref SSEAlgorithm
- - 'aws:kms'
- UseAES256: !Equals
- - !Ref SSEAlgorithm
- - 'AES256'
-
-Resources:
- # Create buckets using KMS keys for default encryption
- S3KmsLoggingBucket:
- DeletionPolicy: Retain
- Condition: UseKMS
- Type: AWS::S3::Bucket
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: W35
- reason: "This S3 bucket is used as the destination for 'S3KmsBucket'"
- Properties:
- BucketName: !Sub aws-landing-zone-s3-access-logs-${AWS::AccountId}-${AWS::Region}
- AccessControl: LogDeliveryWrite
- VersioningConfiguration:
- Status: Enabled
- BucketEncryption:
- ServerSideEncryptionConfiguration:
- - ServerSideEncryptionByDefault:
- KMSMasterKeyID: !Ref KMSMasterKeyID
- SSEAlgorithm: !Ref SSEAlgorithm
- PublicAccessBlockConfiguration:
- BlockPublicAcls: True
- BlockPublicPolicy: True
- IgnorePublicAcls: True
- RestrictPublicBuckets: True
-
- S3KmsBucket:
- DeletionPolicy: Retain
- Condition: UseKMS
- Type: AWS::S3::Bucket
- Properties:
- BucketName: !Sub aws-landing-zone-logs-${AWS::AccountId}-${AWS::Region}
- VersioningConfiguration:
- Status: Enabled
- LoggingConfiguration:
- DestinationBucketName: !Ref S3KmsLoggingBucket
- BucketEncryption:
- ServerSideEncryptionConfiguration:
- - ServerSideEncryptionByDefault:
- KMSMasterKeyID: !Ref KMSMasterKeyID
- SSEAlgorithm: !Ref SSEAlgorithm
- PublicAccessBlockConfiguration:
- BlockPublicAcls: True
- BlockPublicPolicy: True
- IgnorePublicAcls: True
- RestrictPublicBuckets: True
-
- S3KmsBucketPolicy:
- Type: AWS::S3::BucketPolicy
- Condition: UseKMS
- Properties:
- Bucket: !Ref S3KmsBucket
- PolicyDocument:
- Version: 2012-10-17
- Statement:
- - Sid: AWSBucketPermissionsCheck
- Effect: Allow
- Principal:
- Service:
- - cloudtrail.amazonaws.com
- - config.amazonaws.com
- Action: s3:GetBucketAcl
- Resource:
- - !Sub "arn:aws:s3:::${S3Bucket}"
- - Sid: AWSBucketDelivery
- Effect: Allow
- Principal:
- Service:
- - cloudtrail.amazonaws.com
- - config.amazonaws.com
- Action: s3:PutObject
- Resource:
- - Fn::Join:
- - ""
- -
- - "arn:aws:s3:::"
- - !Ref "S3KmsBucket"
- - !Sub "/${AWSLogsS3KeyPrefix}/AWSLogs/*/*"
-
- # Create buckets using S3-SSE keys for default encryption
- S3LoggingBucket:
- DeletionPolicy: Retain
- Condition: UseAES256
- Type: AWS::S3::Bucket
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: W35
- reason: "This S3 bucket is used as the destination for 'S3Bucket'"
- Properties:
- BucketName: !Sub aws-landing-zone-s3-access-logs-${AWS::AccountId}-${AWS::Region}
- AccessControl: LogDeliveryWrite
- VersioningConfiguration:
- Status: Enabled
- BucketEncryption:
- ServerSideEncryptionConfiguration:
- - ServerSideEncryptionByDefault:
- SSEAlgorithm: !Ref SSEAlgorithm
- PublicAccessBlockConfiguration:
- BlockPublicAcls: True
- BlockPublicPolicy: True
- IgnorePublicAcls: True
- RestrictPublicBuckets: True
-
- S3Bucket:
- DeletionPolicy: Retain
- Condition: UseAES256
- Type: AWS::S3::Bucket
- Properties:
- BucketName: !Sub aws-landing-zone-logs-${AWS::AccountId}-${AWS::Region}
- VersioningConfiguration:
- Status: Enabled
- LoggingConfiguration:
- DestinationBucketName: !Ref S3LoggingBucket
- BucketEncryption:
- ServerSideEncryptionConfiguration:
- - ServerSideEncryptionByDefault:
- SSEAlgorithm: !Ref SSEAlgorithm
- PublicAccessBlockConfiguration:
- BlockPublicAcls: True
- BlockPublicPolicy: True
- IgnorePublicAcls: True
- RestrictPublicBuckets: True
-
- S3BucketPolicy:
- Type: AWS::S3::BucketPolicy
- Condition: UseAES256
- Properties:
- Bucket: !Ref S3Bucket
- PolicyDocument:
- Version: 2012-10-17
- Statement:
- - Sid: AWSBucketPermissionsCheck
- Effect: Allow
- Principal:
- Service:
- - cloudtrail.amazonaws.com
- - config.amazonaws.com
- Action: s3:GetBucketAcl
- Resource:
- - !Sub "arn:aws:s3:::${S3Bucket}"
- - Sid: AWSBucketDelivery
- Effect: Allow
- Principal:
- Service:
- - cloudtrail.amazonaws.com
- - config.amazonaws.com
- Action: s3:PutObject
- Resource:
- - Fn::Join:
- - ""
- -
- - "arn:aws:s3:::"
- - !Ref "S3Bucket"
- - !Sub "/${AWSLogsS3KeyPrefix}/AWSLogs/*/*"
-
-Outputs:
- BucketName:
- Description: AWS Landing Zone logging bucket name
- Value: !If [UseAES256, !Ref S3Bucket, !Ref S3KmsBucket]
- LoggingBucketName:
- Description: AWS Landing Zone s3 access logs bucket name
- Value: !If [UseAES256, !Ref S3LoggingBucket, !Ref S3KmsLoggingBucket]
- AuditLogsS3KeyPrefix:
- Description: S3 Key prefix for storing the audit logs
+AWSTemplateFormatVersion: 2010-09-09
+Description: Create a S3 logging bucket in the logging account.
+
+Parameters:
+ SSEAlgorithm:
+ Type: 'String'
+ Default: 'AES256'
+ Description: S3 bucket SSE Algorithm.
+ AllowedValues:
+ - 'AES256'
+ - 'aws:kms'
+ KMSMasterKeyID:
+ Type: 'String'
+ Description: 'KMS key ID required if SSE algorithm is aws:kms.'
+ AWSLogsS3KeyPrefix:
+ Type: 'String'
+ Description: 'Organization ID to use as the S3 Key prefix for storing the audit logs'
+
+Conditions:
+ UseKMS: !Equals
+ - !Ref SSEAlgorithm
+ - 'aws:kms'
+ UseAES256: !Equals
+ - !Ref SSEAlgorithm
+ - 'AES256'
+
+Resources:
+ # Create buckets using KMS keys for default encryption
+ S3KmsLoggingBucket:
+ DeletionPolicy: Retain
+ Condition: UseKMS
+ Type: AWS::S3::Bucket
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: W35
+ reason: "This S3 bucket is used as the destination for 'S3KmsBucket'"
+ Properties:
+ BucketName: !Sub aws-landing-zone-s3-access-logs-${AWS::AccountId}-${AWS::Region}
+ AccessControl: LogDeliveryWrite
+ VersioningConfiguration:
+ Status: Enabled
+ BucketEncryption:
+ ServerSideEncryptionConfiguration:
+ - ServerSideEncryptionByDefault:
+ KMSMasterKeyID: !Ref KMSMasterKeyID
+ SSEAlgorithm: !Ref SSEAlgorithm
+ PublicAccessBlockConfiguration:
+ BlockPublicAcls: True
+ BlockPublicPolicy: True
+ IgnorePublicAcls: True
+ RestrictPublicBuckets: True
+
+ S3KmsBucket:
+ DeletionPolicy: Retain
+ Condition: UseKMS
+ Type: AWS::S3::Bucket
+ Properties:
+ BucketName: !Sub aws-landing-zone-logs-${AWS::AccountId}-${AWS::Region}
+ VersioningConfiguration:
+ Status: Enabled
+ LoggingConfiguration:
+ DestinationBucketName: !Ref S3KmsLoggingBucket
+ BucketEncryption:
+ ServerSideEncryptionConfiguration:
+ - ServerSideEncryptionByDefault:
+ KMSMasterKeyID: !Ref KMSMasterKeyID
+ SSEAlgorithm: !Ref SSEAlgorithm
+ PublicAccessBlockConfiguration:
+ BlockPublicAcls: True
+ BlockPublicPolicy: True
+ IgnorePublicAcls: True
+ RestrictPublicBuckets: True
+
+ S3KmsBucketPolicy:
+ Type: AWS::S3::BucketPolicy
+ Condition: UseKMS
+ Properties:
+ Bucket: !Ref S3KmsBucket
+ PolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Sid: AWSBucketPermissionsCheck
+ Effect: Allow
+ Principal:
+ Service:
+ - cloudtrail.amazonaws.com
+ - config.amazonaws.com
+ Action: s3:GetBucketAcl
+ Resource:
+ - !Sub "arn:aws:s3:::${S3Bucket}"
+ - Sid: AWSBucketDelivery
+ Effect: Allow
+ Principal:
+ Service:
+ - cloudtrail.amazonaws.com
+ - config.amazonaws.com
+ Action: s3:PutObject
+ Resource:
+ - Fn::Join:
+ - ""
+ -
+ - "arn:aws:s3:::"
+ - !Ref "S3KmsBucket"
+ - !Sub "/${AWSLogsS3KeyPrefix}/AWSLogs/*/*"
+
+ # Create buckets using S3-SSE keys for default encryption
+ S3LoggingBucket:
+ DeletionPolicy: Retain
+ Condition: UseAES256
+ Type: AWS::S3::Bucket
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: W35
+ reason: "This S3 bucket is used as the destination for 'S3Bucket'"
+ Properties:
+ BucketName: !Sub aws-landing-zone-s3-access-logs-${AWS::AccountId}-${AWS::Region}
+ AccessControl: LogDeliveryWrite
+ VersioningConfiguration:
+ Status: Enabled
+ BucketEncryption:
+ ServerSideEncryptionConfiguration:
+ - ServerSideEncryptionByDefault:
+ SSEAlgorithm: !Ref SSEAlgorithm
+ PublicAccessBlockConfiguration:
+ BlockPublicAcls: True
+ BlockPublicPolicy: True
+ IgnorePublicAcls: True
+ RestrictPublicBuckets: True
+
+ S3Bucket:
+ DeletionPolicy: Retain
+ Condition: UseAES256
+ Type: AWS::S3::Bucket
+ Properties:
+ BucketName: !Sub aws-landing-zone-logs-${AWS::AccountId}-${AWS::Region}
+ VersioningConfiguration:
+ Status: Enabled
+ LoggingConfiguration:
+ DestinationBucketName: !Ref S3LoggingBucket
+ BucketEncryption:
+ ServerSideEncryptionConfiguration:
+ - ServerSideEncryptionByDefault:
+ SSEAlgorithm: !Ref SSEAlgorithm
+ PublicAccessBlockConfiguration:
+ BlockPublicAcls: True
+ BlockPublicPolicy: True
+ IgnorePublicAcls: True
+ RestrictPublicBuckets: True
+
+ S3BucketPolicy:
+ Type: AWS::S3::BucketPolicy
+ Condition: UseAES256
+ Properties:
+ Bucket: !Ref S3Bucket
+ PolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Sid: AWSBucketPermissionsCheck
+ Effect: Allow
+ Principal:
+ Service:
+ - cloudtrail.amazonaws.com
+ - config.amazonaws.com
+ Action: s3:GetBucketAcl
+ Resource:
+ - !Sub "arn:aws:s3:::${S3Bucket}"
+ - Sid: AWSBucketDelivery
+ Effect: Allow
+ Principal:
+ Service:
+ - cloudtrail.amazonaws.com
+ - config.amazonaws.com
+ Action: s3:PutObject
+ Resource:
+ - Fn::Join:
+ - ""
+ -
+ - "arn:aws:s3:::"
+ - !Ref "S3Bucket"
+ - !Sub "/${AWSLogsS3KeyPrefix}/AWSLogs/*/*"
+
+Outputs:
+ BucketName:
+ Description: AWS Landing Zone logging bucket name
+ Value: !If [UseAES256, !Ref S3Bucket, !Ref S3KmsBucket]
+ LoggingBucketName:
+ Description: AWS Landing Zone s3 access logs bucket name
+ Value: !If [UseAES256, !Ref S3LoggingBucket, !Ref S3KmsLoggingBucket]
+ AuditLogsS3KeyPrefix:
+ Description: S3 Key prefix for storing the audit logs
Value: !Ref AWSLogsS3KeyPrefix
\ No newline at end of file
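Review bot: In the new `S3KmsBucketPolicy`, the `AWSBucketPermissionsCheck` statement's resource is `!Sub "arn:aws:s3:::${S3Bucket}"`, but under the `UseKMS` condition only `S3KmsBucket` is created (`S3Bucket` is gated on `UseAES256`), so the KMS path either fails CloudFormation's conditional-resource check or grants `s3:GetBucketAcl` on the wrong bucket; the line should read `- !Sub "arn:aws:s3:::${S3KmsBucket}"`. The defect is present on the removed side too, so this whole-file rewrite carries it forward rather than introducing it. Separately, both `AWSBucketDelivery` statements grant `s3:PutObject` to the CloudTrail and Config service principals with no `Condition`: the AWS-documented delivery policies add `s3:x-amz-acl: bucket-owner-full-control` so the logging account owns delivered objects (unless the bucket is switched to BucketOwnerEnforced object ownership), and scope the principal with `aws:SourceAccount` / `aws:SourceArn` to the trails and recorders expected to write here — which accounts those are is not visible in this template, so that set needs confirming before the condition is added.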
diff --git a/reference-artifacts/aws-landing-zone-configuration/templates/core_accounts/aws-landing-zone-notification.template b/reference-artifacts/aws-landing-zone-configuration/templates/core_accounts/aws-landing-zone-notification.template
index d1126a448..15d5fb357 100644
--- a/reference-artifacts/aws-landing-zone-configuration/templates/core_accounts/aws-landing-zone-notification.template
+++ b/reference-artifacts/aws-landing-zone-configuration/templates/core_accounts/aws-landing-zone-notification.template
@@ -1,136 +1,136 @@
-AWSTemplateFormatVersion: 2010-09-09
-Description: Create notification aggregation SNS topics.
-
-Parameters:
- AllConfigurationEmail:
- Type: 'String'
- Description: Email for receiving all AWS configuration events
- AllConfigurationDisplayName:
- Type: 'String'
- Default: LZConfig
- Description: SNS display name for all AWS configuration events
- AllConfigurationTopicName:
- Type: 'String'
- Default: AWS-Landing-Zone-All-Config-Notifications
- Description: SNS display name for all AWS configuration events
- NotifyEmail:
- Type: 'String'
- Description: Email for the security administrator(s)
- NotifyDisplayName:
- Type: 'String'
- Default: LZNotify
- Description: SNS display name for security administrator(s)
- NotifyTopicName:
- Type: 'String'
- Default: AWS-Landing-Zone-Aggregate-Security-Notifications
- Description: SNS topic name for security notifications
- OrgID:
- Type: 'String'
- Description: AWS Organizations ID to allow notifications from member accounts
- SubscribeToAllConfigurationTopic:
- Type: String
- Default: false
- Description: Indicates whether AllConfigurationEmail will be subscribed to the AllConfigurationTopicName topic.
- AllowedValues:
- - true
- - false
-
-Conditions:
- Subscribe: !Equals
- - !Ref SubscribeToAllConfigurationTopic
- - 'true'
-
-Resources:
- SNSAllConfigurationTopic:
- Type: AWS::SNS::Topic
- Properties:
- DisplayName: !Ref AllConfigurationDisplayName
- TopicName: !Ref AllConfigurationTopicName
-
- SNSAllConfigurationTopicPolicy:
- Type: AWS::SNS::TopicPolicy
- Properties:
- Topics:
- - !Ref SNSAllConfigurationTopic
- PolicyDocument:
- Statement:
- - Sid: AWSSNSPolicy
- Action:
- - sns:Publish
- Effect: Allow
- Resource: !Ref SNSAllConfigurationTopic
- Principal:
- Service:
- - cloudtrail.amazonaws.com
- - config.amazonaws.com
-
- SNSAllConfigurationEmailNotification:
- Condition: Subscribe
- Type: AWS::SNS::Subscription
- Properties:
- Endpoint: !Ref AllConfigurationEmail
- Protocol: email
- TopicArn: !Ref SNSAllConfigurationTopic
-
- SNSNotification:
- Type: AWS::SNS::Topic
- Properties:
- DisplayName: !Ref NotifyDisplayName
- TopicName: !Ref NotifyTopicName
- Subscription:
- - Protocol: email
- Endpoint: !Ref NotifyEmail
-
- SNSNotificationPolicy:
- Type: AWS::SNS::TopicPolicy
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: F18
- reason: "Conditions restrict permissions to Organization account and publishing only to member accounts."
- Properties:
- Topics:
- - !Ref SNSNotification
- PolicyDocument:
- Statement:
- - Sid: __default_statement_ID
- Effect: Allow
- Principal:
- AWS: "*"
- Action:
- - SNS:GetTopicAttributes
- - SNS:SetTopicAttributes
- - SNS:AddPermission
- - SNS:RemovePermission
- - SNS:DeleteTopic
- - SNS:Subscribe
- - SNS:ListSubscriptionsByTopic
- - SNS:Publish
- - SNS:Receive
- Resource: !Ref SNSNotification
- Condition:
- StringEquals:
- AWS:SourceOwner: !Sub ${AWS::AccountId}
- - Sid: AWSSNSPolicy
- Effect: Allow
- Principal:
- AWS: "*"
- Action: sns:Publish
- Resource: !Ref SNSNotification
- Condition:
- StringEquals:
- aws:PrincipalOrgID: !Ref OrgID
-
-Outputs:
- TopicARN:
- Description: AWS Landing Zone SNS Topic ARN
- Value: !Ref SNSAllConfigurationTopic
- TopicName:
- Description: AWS Landing Zone SNS Topic Name
- Value: !GetAtt SNSAllConfigurationTopic.TopicName
- NotificationARN:
- Description: AWS Landing Zone Notification SNS Topic ARN
- Value: !Ref SNSNotification
- NotificationName:
- Description: AWS Landing Zone Notification SNS Topic Name
- Value: !GetAtt SNSNotification.TopicName
+AWSTemplateFormatVersion: 2010-09-09
+Description: Create notification aggregation SNS topics.
+
+Parameters:
+ AllConfigurationEmail:
+ Type: 'String'
+ Description: Email for receiving all AWS configuration events
+ AllConfigurationDisplayName:
+ Type: 'String'
+ Default: LZConfig
+ Description: SNS display name for all AWS configuration events
+ AllConfigurationTopicName:
+ Type: 'String'
+ Default: AWS-Landing-Zone-All-Config-Notifications
+ Description: SNS display name for all AWS configuration events
+ NotifyEmail:
+ Type: 'String'
+ Description: Email for the security administrator(s)
+ NotifyDisplayName:
+ Type: 'String'
+ Default: LZNotify
+ Description: SNS display name for security administrator(s)
+ NotifyTopicName:
+ Type: 'String'
+ Default: AWS-Landing-Zone-Aggregate-Security-Notifications
+ Description: SNS topic name for security notifications
+ OrgID:
+ Type: 'String'
+ Description: AWS Organizations ID to allow notifications from member accounts
+ SubscribeToAllConfigurationTopic:
+ Type: String
+ Default: false
+ Description: Indicates whether AllConfigurationEmail will be subscribed to the AllConfigurationTopicName topic.
+ AllowedValues:
+ - true
+ - false
+
+Conditions:
+ Subscribe: !Equals
+ - !Ref SubscribeToAllConfigurationTopic
+ - 'true'
+
+Resources:
+ SNSAllConfigurationTopic:
+ Type: AWS::SNS::Topic
+ Properties:
+ DisplayName: !Ref AllConfigurationDisplayName
+ TopicName: !Ref AllConfigurationTopicName
+
+ SNSAllConfigurationTopicPolicy:
+ Type: AWS::SNS::TopicPolicy
+ Properties:
+ Topics:
+ - !Ref SNSAllConfigurationTopic
+ PolicyDocument:
+ Statement:
+ - Sid: AWSSNSPolicy
+ Action:
+ - sns:Publish
+ Effect: Allow
+ Resource: !Ref SNSAllConfigurationTopic
+ Principal:
+ Service:
+ - cloudtrail.amazonaws.com
+ - config.amazonaws.com
+
+ SNSAllConfigurationEmailNotification:
+ Condition: Subscribe
+ Type: AWS::SNS::Subscription
+ Properties:
+ Endpoint: !Ref AllConfigurationEmail
+ Protocol: email
+ TopicArn: !Ref SNSAllConfigurationTopic
+
+ SNSNotification:
+ Type: AWS::SNS::Topic
+ Properties:
+ DisplayName: !Ref NotifyDisplayName
+ TopicName: !Ref NotifyTopicName
+ Subscription:
+ - Protocol: email
+ Endpoint: !Ref NotifyEmail
+
+ SNSNotificationPolicy:
+ Type: AWS::SNS::TopicPolicy
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: F18
+ reason: "Conditions restrict permissions to Organization account and publishing only to member accounts."
+ Properties:
+ Topics:
+ - !Ref SNSNotification
+ PolicyDocument:
+ Statement:
+ - Sid: __default_statement_ID
+ Effect: Allow
+ Principal:
+ AWS: "*"
+ Action:
+ - SNS:GetTopicAttributes
+ - SNS:SetTopicAttributes
+ - SNS:AddPermission
+ - SNS:RemovePermission
+ - SNS:DeleteTopic
+ - SNS:Subscribe
+ - SNS:ListSubscriptionsByTopic
+ - SNS:Publish
+ - SNS:Receive
+ Resource: !Ref SNSNotification
+ Condition:
+ StringEquals:
+ AWS:SourceOwner: !Sub ${AWS::AccountId}
+ - Sid: AWSSNSPolicy
+ Effect: Allow
+ Principal:
+ AWS: "*"
+ Action: sns:Publish
+ Resource: !Ref SNSNotification
+ Condition:
+ StringEquals:
+ aws:PrincipalOrgID: !Ref OrgID
+
+Outputs:
+ TopicARN:
+ Description: AWS Landing Zone SNS Topic ARN
+ Value: !Ref SNSAllConfigurationTopic
+ TopicName:
+ Description: AWS Landing Zone SNS Topic Name
+ Value: !GetAtt SNSAllConfigurationTopic.TopicName
+ NotificationARN:
+ Description: AWS Landing Zone Notification SNS Topic ARN
+ Value: !Ref SNSNotification
+ NotificationName:
+ Description: AWS Landing Zone Notification SNS Topic Name
+ Value: !GetAtt SNSNotification.TopicName
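Review bot: `SNSAllConfigurationTopicPolicy` grants `sns:Publish` to the `cloudtrail.amazonaws.com` and `config.amazonaws.com` service principals with no `Condition`, so the grant is not tied to any source account or resource; if only this account's trail and Config recorder are meant to publish here, `Condition: StringEquals: aws:SourceAccount: !Ref AWS::AccountId` closes that confused-deputy gap (if member accounts also publish, the condition would instead need to match their accounts, and the template does not show which is intended). Neither `PolicyDocument` in this file declares a `Version`; without one IAM defaults to the `2008-10-17` language, which treats policy variables as literal text, so declaring `Version: 2012-10-17` on both avoids surprises if variables are added later. On the documentation side, `AllConfigurationTopicName` is described as "SNS display name for all AWS configuration events", a copy of the display-name parameter above it; it should read `Description: SNS topic name for all AWS configuration events`, matching how `NotifyTopicName` is described.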
diff --git a/reference-artifacts/aws-landing-zone-configuration/templates/core_accounts/aws-landing-zone-security.template b/reference-artifacts/aws-landing-zone-configuration/templates/core_accounts/aws-landing-zone-security.template
index fcdd54c07..35ed6b765 100644
--- a/reference-artifacts/aws-landing-zone-configuration/templates/core_accounts/aws-landing-zone-security.template
+++ b/reference-artifacts/aws-landing-zone-configuration/templates/core_accounts/aws-landing-zone-security.template
@@ -1,82 +1,82 @@
-AWSTemplateFormatVersion: 2010-09-09
-Description: Configure the AWS Landing Zone Security Roles to enable access to target accounts.
-
-Parameters:
- AdminRoleName:
- Type: String
- Description: Role name for administrator access.
- Default: AWSLandingZoneSecurityAdministratorRole
- ReadOnlyRoleName:
- Type: String
- Description: Role name for read-only access.
- Default: AWSLandingZoneSecurityReadOnlyRole
-
-Resources:
- AdministrationRole:
- Type: AWS::IAM::Role
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: W11
- reason: "Allow * in the ARN of the execution role to allow cross account access to user created child account in the AWS Organizations"
- - id: W28
- reason: "The role name is defined to identify AWS Landing Zone resources."
- Properties:
- RoleName: AWSLandingZoneSecurityAdministratorRole
- AssumeRolePolicyDocument:
- Version: 2012-10-17
- Statement:
- - Effect: Allow
- Principal:
- Service: cloudformation.amazonaws.com
- Action:
- - sts:AssumeRole
- Path: /
- Policies:
- - PolicyName: AssumeRole-AWSLandingZoneSecurityAdministratorRole
- PolicyDocument:
- Version: 2012-10-17
- Statement:
- - Effect: Allow
- Action:
- - sts:AssumeRole
- Resource:
- - "arn:aws:iam::*:role/AWSLandingZoneAdminExecutionRole"
- ReadOnlyRole:
- Type: AWS::IAM::Role
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: W11
- reason: "Allow * in the ARN of the execution role to allow cross account access to user created child account in the AWS Organizations"
- - id: W28
- reason: "The role name is defined to identify AWS Landing Zone resources."
- Properties:
- RoleName: AWSLandingZoneSecurityReadOnlyRole
- AssumeRolePolicyDocument:
- Version: 2012-10-17
- Statement:
- - Effect: Allow
- Principal:
- Service: cloudformation.amazonaws.com
- Action:
- - sts:AssumeRole
- Path: /
- Policies:
- - PolicyName: AssumeRole-AWSLandingZoneSecurityReadOnlyRole
- PolicyDocument:
- Version: 2012-10-17
- Statement:
- - Effect: Allow
- Action:
- - sts:AssumeRole
- Resource:
- - "arn:aws:iam::*:role/AWSLandingZoneReadOnlyExecutionRole"
-
-Outputs:
- CrossAccountAdminRole:
- Description: AWS Landing Zone Security Administrator Role
- Value: !GetAtt 'AdministrationRole.Arn'
- CrossAccountReadOnlyRole:
- Description: AWS Landing Zone Security ReadOnly Role
- Value: !GetAtt 'ReadOnlyRole.Arn'
+AWSTemplateFormatVersion: 2010-09-09
+Description: Configure the AWS Landing Zone Security Roles to enable access to target accounts.
+
+Parameters:
+ AdminRoleName:
+ Type: String
+ Description: Role name for administrator access.
+ Default: AWSLandingZoneSecurityAdministratorRole
+ ReadOnlyRoleName:
+ Type: String
+ Description: Role name for read-only access.
+ Default: AWSLandingZoneSecurityReadOnlyRole
+
+Resources:
+ AdministrationRole:
+ Type: AWS::IAM::Role
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: W11
+ reason: "Allow * in the ARN of the execution role to allow cross account access to user created child account in the AWS Organizations"
+ - id: W28
+ reason: "The role name is defined to identify AWS Landing Zone resources."
+ Properties:
+ RoleName: AWSLandingZoneSecurityAdministratorRole
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: cloudformation.amazonaws.com
+ Action:
+ - sts:AssumeRole
+ Path: /
+ Policies:
+ - PolicyName: AssumeRole-AWSLandingZoneSecurityAdministratorRole
+ PolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Action:
+ - sts:AssumeRole
+ Resource:
+ - "arn:aws:iam::*:role/AWSLandingZoneAdminExecutionRole"
+ ReadOnlyRole:
+ Type: AWS::IAM::Role
+ Metadata:
+ cfn_nag:
+ rules_to_suppress:
+ - id: W11
+ reason: "Allow * in the ARN of the execution role to allow cross account access to user created child account in the AWS Organizations"
+ - id: W28
+ reason: "The role name is defined to identify AWS Landing Zone resources."
+ Properties:
+ RoleName: AWSLandingZoneSecurityReadOnlyRole
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: cloudformation.amazonaws.com
+ Action:
+ - sts:AssumeRole
+ Path: /
+ Policies:
+ - PolicyName: AssumeRole-AWSLandingZoneSecurityReadOnlyRole
+ PolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Action:
+ - sts:AssumeRole
+ Resource:
+ - "arn:aws:iam::*:role/AWSLandingZoneReadOnlyExecutionRole"
+
+Outputs:
+ CrossAccountAdminRole:
+ Description: AWS Landing Zone Security Administrator Role
+ Value: !GetAtt 'AdministrationRole.Arn'
+ CrossAccountReadOnlyRole:
+ Description: AWS Landing Zone Security ReadOnly Role
+ Value: !GetAtt 'ReadOnlyRole.Arn'
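Review bot: The `AdminRoleName` and `ReadOnlyRoleName` parameters are never referenced — `RoleName` is hard-coded to `AWSLandingZoneSecurityAdministratorRole` and `AWSLandingZoneSecurityReadOnlyRole` in the two role resources, so overriding either parameter at deploy time silently has no effect. Either wire them in with `RoleName: !Ref AdminRoleName` and `RoleName: !Ref ReadOnlyRoleName` (the `PolicyName` values could follow with `!Sub 'AssumeRole-${AdminRoleName}'`), or drop the parameters so the template does not advertise a knob it ignores. This is unchanged from the removed side, so the whole-file rewrite in this commit does not address it.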
diff --git a/reference-artifacts/config-pbmm-standalone-full.json b/reference-artifacts/config-pbmm-standalone-full.json
index 0059546b3..eedae9601 100644
--- a/reference-artifacts/config-pbmm-standalone-full.json
+++ b/reference-artifacts/config-pbmm-standalone-full.json
@@ -1,4010 +1,4010 @@
-{
- "global-options": {
- "alz-minimum-version": "v2.3.1",
- "alz-baseline": false,
- "ct-baseline": false,
- "central-log-retention": 730,
- "default-log-retention": 90,
- "central-bucket": "AWSDOC-EXAMPLE-BUCKET",
- "organization-admin-role": "OrganizationAccountAccessRole",
- "default-cwl-retention": 731,
- "workloadaccounts-suffix" : 1,
- "workloadaccounts-prefix" : "config",
- "workloadaccounts-param-filename": "config.json",
- "ignored-ous": [],
- "supported-regions": [
- "ap-northeast-1",
- "ap-northeast-2",
- "ap-south-1",
- "ap-southeast-1",
- "ap-southeast-2",
- "ca-central-1",
- "eu-central-1",
- "eu-north-1",
- "eu-west-1",
- "eu-west-2",
- "eu-west-3",
- "sa-east-1",
- "us-east-1",
- "us-east-2",
- "us-west-1",
- "us-west-2"
- ],
- "keep-default-vpc-regions": [],
- "aws-org-master": {
- "account": "master",
- "region": "ca-central-1"
- },
- "central-security-services": {
- "account": "security",
- "region": "ca-central-1",
- "security-hub": true,
- "security-hub-excl-regions": [],
- "guardduty": true,
- "guardduty-excl-regions": [],
- "cwl": true,
- "access-analyzer": true,
- "config-excl-regions": [],
- "config-aggr-excl-regions": [],
- "macie": true,
- "macie-excl-regions": [],
- "macie-frequency": "FIFTEEN_MINUTES"
- },
- "central-operations-services": {
- "account": "operations",
- "region": "ca-central-1",
- "cwl": true,
- "cwl-access-level": "full"
- },
- "central-log-services": {
- "account": "log-archive",
- "region": "ca-central-1",
- "cwl-glbl-exclusions": [],
- "cwl-exclusions": [],
- "ssm-to-s3": true,
- "ssm-to-cwl": true
- },
- "reports": {
- "cost-and-usage-report": {
- "additional-schema-elements": ["RESOURCES"],
- "compression": "Parquet",
- "format": "Parquet",
- "report-name": "Cost-and-Usage-Report",
- "s3-prefix": "cur",
- "time-unit": "HOURLY",
- "additional-artifacts": ["ATHENA"],
- "refresh-closed-reports": true,
- "report-versioning": "OVERWRITE_REPORT"
- }
- },
- "zones": {
- "account": "shared-network",
- "resolver-vpc": "Endpoint",
- "names": {
- "public": ["dept.cloud-nuage.canada.ca"],
- "private": ["dept.cloud-nuage.gc.ca"]
- }
- },
- "vpc-flow-logs": {
- "filter": "ALL",
- "interval": 60,
- "default-format": false,
- "custom-fields": [
- "version",
- "account-id",
- "interface-id",
- "srcaddr",
- "dstaddr",
- "srcport",
- "dstport",
- "protocol",
- "packets",
- "bytes",
- "start",
- "end",
- "action",
- "log-status",
- "vpc-id",
- "subnet-id",
- "instance-id",
- "tcp-flags",
- "type",
- "pkt-srcaddr",
- "pkt-dstaddr",
- "region",
- "az-id"
- ]
- },
- "security-hub-frameworks": {
- "standards": [
- {
- "name": "AWS Foundational Security Best Practices v1.0.0",
- "controls-to-disable": ["IAM.1"]
- },
- {
- "name": "PCI DSS v3.2.1",
- "controls-to-disable": ["PCI.IAM.3", "PCI.KMS.1", "PCI.S3.3", "PCI.EC2.3", "PCI.Lambda.2"]
- },
- {
- "name": "CIS AWS Foundations Benchmark v1.2.0",
- "controls-to-disable": ["CIS.1.20", "CIS.1.22", "CIS.2.8"]
- }
- ]
- },
- "iam-password-policies": {
- "allow-users-to-change-password": true,
- "hard-expiry": false,
- "require-uppercase-characters": true,
- "require-lowercase-characters": true,
- "require-symbols": true,
- "require-numbers": true,
- "minimum-password-length": 14,
- "password-reuse-prevention": 24,
- "max-password-age": 90
- },
- "scps": [
- {
- "name": "ALZ-Core",
- "description": "ALZ Core Preventive Guardrails",
- "policy": "aws-landing-zone-core-mandatory-preventive-guardrails-Accel.json"
- },
- {
- "name": "ALZ-Non-Core",
- "description": "ALZ Non-core Preventive Guardrails",
- "policy": "aws-landing-zone-non-core-mandatory-preventive-guardrails-Accel.json"
- },
- {
- "name": "Guardrails-Part-1",
- "description": "PBMMAccel Guardrails Part 1",
- "policy": "PBMMAccel-Guardrails-Part1.json"
- },
- {
- "name": "Guardrails-Part-2",
- "description": "PBMMAccel Guardrails Part 2",
- "policy": "PBMMAccel-Guardrails-Part2.json"
- },
- {
- "name": "Guardrails-PBMM-Only",
- "description": "PBMMAccel Guardrails PBMM Environment Specific",
- "policy": "PBMMAccel-Guardrails-PBMM-Only.json"
- },
- {
- "name": "Guardrails-Unclass-Only",
- "description": "PBMMAccel Guardrails Unclassified Environment Specific",
- "policy": "PBMMAccel-Guardrails-Unclass-Only.json"
- },
- {
- "name": "Quarantine-New-Object",
- "description": "PBMM Quarantine policy - Apply to ACCOUNTS that need to be quarantined",
- "policy": "Quarantine-New-Object.json"
- }
- ]
- },
- "mandatory-account-configs": {
- "shared-network": {
- "account-name": "SharedNetwork",
- "email": "myemail+pbmmT-network@example.com---------------------REPLACE----------------------",
- "ou": "core",
- "share-mad-from": "operations",
- "src-filename": "config.json",
- "budget": {
- "name": "SharedNetwork Budget",
- "period": "Monthly",
- "amount": 2000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- },
- "limits": {
- "Amazon VPC/Interface VPC endpoints per VPC": {
- "value": 90,
- "customer-confirm-inplace": false
- },
- "Amazon VPC/VPCs per Region": {
- "value": 15
- }
- },
- "vpc": [
- {
- "deploy": "local",
- "name": "Endpoint",
- "cidr": "10.7.0.0/22",
- "region": "ca-central-1",
- "use-central-endpoints": false,
- "flow-logs": "S3",
- "igw": false,
- "vgw": false,
- "pcx": false,
- "natgw": false,
- "subnets": [
- {
- "name": "Endpoint",
- "definitions": [
- {
- "az": "a",
- "route-table": "EndpointVPC_Common",
- "cidr": "10.7.0.0/24"
- },
- {
- "az": "b",
- "route-table": "EndpointVPC_Common",
- "cidr": "10.7.1.0/24"
- }
- ]
- }
- ],
- "gateway-endpoints": [],
- "route-tables": [
- {
- "name": "EndpointVPC_Common",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "TGW"
- }
- ]
- }
- ],
- "tgw-attach": {
- "associate-to-tgw": "Main",
- "account": "shared-network",
- "associate-type": "ATTACH",
- "tgw-rt-associate": ["core"],
- "tgw-rt-propagate": ["core", "segregated", "shared", "standalone"],
- "blackhole-route": false,
- "attach-subnets": ["Endpoint"],
- "options": ["DNS-support"]
- },
- "interface-endpoints": {
- "subnet": "Endpoint",
- "endpoints": [
- "ec2",
- "ec2messages",
- "ssm",
- "ssmmessages",
- "secretsmanager",
- "cloudformation",
- "access-analyzer",
- "application-autoscaling",
- "appmesh-envoy-management",
- "athena",
- "autoscaling",
- "autoscaling-plans",
- "clouddirectory",
- "cloudtrail",
- "codebuild",
- "codecommit",
- "codecommit-fips",
- "codepipeline",
- "config",
- "datasync",
- "ecr.dkr",
- "ecs",
- "ecs-agent",
- "ecs-telemetry",
- "elasticfilesystem",
- "elasticfilesystem-fips",
- "elasticloadbalancing",
- "elasticmapreduce",
- "events",
- "execute-api",
- "git-codecommit",
- "git-codecommit-fips",
- "glue",
- "kinesis-streams",
- "kms",
- "logs",
- "monitoring",
- "sagemaker.api",
- "sagemaker.runtime",
- "servicecatalog",
- "sms",
- "sns",
- "sqs",
- "storagegateway",
- "sts",
- "transfer",
- "workspaces",
- "awsconnector",
- "ecr.api",
- "kinesis-firehose",
- "states",
- "acm-pca",
- "cassandra",
- "ebs",
- "elasticbeanstalk",
- "elasticbeanstalk-health",
- "email-smtp",
- "license-manager",
- "macie2",
- "notebook",
- "synthetics",
- "transfer.server"
- ]
- },
- "resolvers": {
- "subnet": "Endpoint",
- "outbound": true,
- "inbound": true
- },
- "on-premise-rules": [
- {
- "zone": "dept-private.gc.ca",
- "outbound-ips": ["10.254.254.1", "10.254.253.1"]
- },
- {
- "zone": "private-domain1.example.ca",
- "outbound-ips": ["10.254.254.1", "10.254.253.1"]
- }
- ]
- }
- ],
- "deployments": {
- "tgw": [
- {
- "name": "Main",
- "asn": 65521,
- "region": "ca-central-1",
- "features": {
- "DNS-support": true,
- "VPN-ECMP-support": true,
- "Default-route-table-association": false,
- "Default-route-table-propagation": false,
- "Auto-accept-sharing-attachments": true
- },
- "route-tables": ["core", "segregated", "shared", "standalone"]
- }
- ]
- }
- },
- "operations": {
- "account-name": "Operations",
- "email": "myemail+pbmmT-operations@example.com---------------------REPLACE----------------------",
- "ou": "core",
- "account-warming-required": true,
- "limits": {},
- "src-filename": "config.json",
- "share-mad-from": "",
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- },
- {
- "policy-name": "PBMMAccel-RDGW-Custom-Policy",
- "policy": "pbmmaccel-rdgw-custom-policies.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- },
- {
- "role": "PBMMAccel-RDGW-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy",
- "PBMMAccel-RDGW-Custom-Policy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- },
- {
- "role": "PBMMAccel-Rsyslog-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "CloudWatchAgentServerPolicy",
- "AmazonS3ReadOnlyAccess"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- },
- "deployments": {
- "mad": {
- "dir-id": 1001,
- "deploy": true,
- "vpc-name": "Central",
- "region": "ca-central-1",
- "subnet": "GCWide",
- "size": "Enterprise",
- "dns-domain": "example.local",
- "netbios-domain": "example",
- "central-resolver-rule-account": "shared-network",
- "central-resolver-rule-vpc": "Endpoint",
- "log-group-name": "/PBMMAccel/MAD/example.local",
- "share-to-account": "",
- "restrict_srcips": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"],
- "num-rdgw-hosts": 1,
- "min-rdgw-hosts": 1,
- "max-rdgw-hosts": 2,
- "rdgw-max-instance-age": 30,
- "rdgw-instance-type": "t2.large",
- "rdgw-instance-role": "PBMMAccel-RDGW-Role",
- "password-policies": {
- "history": 24,
- "max-age": 90,
- "min-age": 1,
- "min-len": 12,
- "complexity": true,
- "reversible": false,
- "failed-attempts": 6,
- "lockout-duration": 30,
- "lockout-attempts-reset": 30
- },
- "ad-groups": ["aws-Provisioning", "aws-Billing"],
- "ad-per-account-groups": ["*-Admin", "*-PowerUser", "*-View"],
- "adc-group": "ADConnector-grp",
- "ad-users": [
- {
- "user": "adconnector-usr",
- "email": "myemail+pbmmT-adc-usr@example.com",
- "groups": ["ADConnector-grp"]
- },
- {
- "user": "User1",
- "email": "myemail+pbmmT-User1@example.com",
- "groups": ["aws-Provisioning", "*-View", "*-Admin", "*-PowerUser", "AWS Delegated Administrators"]
- },
- {
- "user": "User2",
- "email": "myemail+pbmmT-User2@example.com",
- "groups": ["*-View"]
- }
- ],
- "security-groups": [
- {
- "name": "RemoteDesktopGatewaySG",
- "inbound-rules": [
- {
- "description": "Allow RDP Traffic Inbound",
- "type": ["RDP"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ]
- },
- "rsyslog": {
- "deploy": true,
- "vpc-name": "Central",
- "region": "ca-central-1",
- "log-group-name": "rsyslog/var/log/messages",
- "security-groups": [
- {
- "name": "rsyslog",
- "inbound-rules": [
- {
- "description": "Allow Traffic Inbound",
- "tcp-ports": [514],
- "udp-ports": [514],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "app-subnets": [
- {
- "name": "App",
- "az": "a"
- },
- {
- "name": "App",
- "az": "b"
- }
- ],
- "web-subnets": [
- {
- "name": "Web",
- "az": "a"
- },
- {
- "name": "Web",
- "az": "b"
- }
- ],
- "min-rsyslog-hosts": 1,
- "desired-rsyslog-hosts": 2,
- "max-rsyslog-hosts": 2,
- "ssm-image-id": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",
- "rsyslog-instance-type": "t2.large",
- "rsyslog-instance-role": "PBMMAccel-Rsyslog-Role",
- "rsyslog-root-volume-size": 100,
- "rsyslog-max-instance-age": 30
- }
- }
- },
- "perimeter": {
- "account-name": "Perimeter",
- "email": "myemail+pbmmT-perimeter@example.com---------------------REPLACE----------------------",
- "ou": "core",
- "account-warming-required": true,
- "src-filename": "config.json",
- "limits": {
- "Amazon EC2/Number of EIPs": {
- "value": 5,
- "customer-confirm-inplace": false
- }
- },
- "share-mad-from": "",
- "budget": {
- "name": "Perimeter Budget",
- "period": "Monthly",
- "amount": 2000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "certificates": [
- {
- "name": "PerimSelf-SignedCert",
- "type": "import",
- "priv-key": "certs/example1-cert.key",
- "cert": "certs/example1-cert.crt"
- }
- ],
- "alb": [
- {
- "name": "Public-Prod",
- "scheme": "internet-facing",
- "action-type": "forward",
- "ip-type": "ipv4",
- "listeners": "HTTPS",
- "ports": 443,
- "vpc": "Perimeter",
- "subnets": "Public",
- "cert-name": "PerimSelf-SignedCert",
- "cert-arn": "",
- "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
- "security-group": "Public-Prod-ALB",
- "tg-stickiness": "1 hour",
- "target-alarms-notify": "AWS-Landing-Zone-Security-Notification",
- "target-alarms-when": "Minimum",
- "target-alarms-of": "Healthy Hosts",
- "target-alarms-is": "<",
- "target-alarms-Count": "2",
- "target-alarms-for": "5",
- "target-alarms-periods-of": "1",
- "access-logs": true,
- "targets": [
- {
- "target-name": "FG1-Web-azA",
- "target-type": "instance",
- "protocol": "HTTPS",
- "port": 7001,
- "health-check-protocol": "HTTPS",
- "health-check-path": "/health-check",
- "health-check-port": 7001,
- "lambda-filename": "",
- "target-instances": [
- {
- "target": "firewall",
- "name": "Firewall",
- "az": "a"
- }
- ],
- "tg-weight": 1
- },
- {
- "target-name": "FG1-Web-azB",
- "target-type": "instance",
- "protocol": "HTTPS",
- "port": 7001,
- "health-check-protocol": "HTTPS",
- "health-check-path": "/health-check",
- "health-check-port": 7001,
- "lambda-filename": "",
- "target-instances": [
- {
- "target": "firewall",
- "name": "Firewall",
- "az": "b"
- }
- ],
- "tg-weight": 1
- }
- ]
- },
- {
- "name": "Public-DevTest",
- "scheme": "internet-facing",
- "action-type": "forward",
- "ip-type": "ipv4",
- "listeners": "HTTPS",
- "ports": 443,
- "vpc": "Perimeter",
- "subnets": "Public",
- "cert-name": "PerimSelf-SignedCert",
- "cert-arn": "",
- "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
- "security-group": "Public-DevTest-ALB",
- "tg-stickiness": "1 hour",
- "target-alarms-notify": "AWS-Landing-Zone-Security-Notification",
- "target-alarms-when": "Minimum",
- "target-alarms-of": "Healthy Hosts",
- "target-alarms-is": "<",
- "target-alarms-Count": "2",
- "target-alarms-for": "5",
- "target-alarms-periods-of": "1",
- "access-logs": true,
- "targets": [
- {
- "target-name": "FG1-Web-azA",
- "target-type": "instance",
- "protocol": "HTTPS",
- "port": 7002,
- "health-check-protocol": "HTTPS",
- "health-check-path": "/health-check",
- "health-check-port": 7002,
- "lambda-filename": "",
- "target-instances": [
- {
- "target": "firewall",
- "name": "Firewall",
- "az": "a"
- }
- ],
- "tg-weight": 1
- },
- {
- "target-name": "FG1-Web-azB",
- "target-type": "instance",
- "protocol": "HTTPS",
- "port": 7002,
- "health-check-protocol": "HTTPS",
- "health-check-path": "/health-check",
- "health-check-port": 7002,
- "lambda-filename": "",
- "target-instances": [
- {
- "target": "firewall",
- "name": "Firewall",
- "az": "b"
- }
- ],
- "tg-weight": 1
- }
- ]
- }
- ],
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- },
- {
- "policy-name": "Firewall-Policy",
- "policy": "firewall-fg-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- },
- {
- "role": "Firewall-Role",
- "type": "ec2",
- "policies": ["Firewall-Policy"],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- },
- "vpc": [
- {
- "deploy": "local",
- "name": "Perimeter",
- "cidr": "10.7.4.0/22",
- "cidr2": "100.96.250.0/23",
- "region": "ca-central-1",
- "use-central-endpoints": false,
- "flow-logs": "S3",
- "igw": true,
- "vgw": {
- "asn": 65522
- },
- "pcx": false,
- "natgw": false,
- "subnets": [
- {
- "name": "Public",
- "definitions": [
- {
- "az": "a",
- "route-table": "Public_Shared",
- "cidr": "100.96.250.0/26"
- },
- {
- "az": "b",
- "route-table": "Public_Shared",
- "cidr": "100.96.250.128/26"
- }
- ]
- },
- {
- "name": "FWMgmt",
- "definitions": [
- {
- "az": "a",
- "route-table": "FWMgmt_azA",
- "cidr": "100.96.251.32/27"
- },
- {
- "az": "b",
- "route-table": "FWMgmt_azB",
- "cidr": "100.96.251.160/27"
- }
- ]
- },
- {
- "name": "Proxy",
- "definitions": [
- {
- "az": "a",
- "route-table": "Proxy_azA",
- "cidr": "100.96.251.64/26"
- },
- {
- "az": "b",
- "route-table": "Proxy_azB",
- "cidr": "100.96.251.192/26"
- }
- ]
- },
- {
- "name": "OnPremise",
- "definitions": [
- {
- "az": "a",
- "route-table": "OnPremise_Shared",
- "cidr": "100.96.250.64/26"
- },
- {
- "az": "b",
- "route-table": "OnPremise_Shared",
- "cidr": "100.96.250.192/26"
- }
- ]
- },
- {
- "name": "Detonation",
- "definitions": [
- {
- "az": "a",
- "route-table": "Detonation_Shared",
- "cidr": "10.7.4.0/24"
- },
- {
- "az": "b",
- "route-table": "Detonation_Shared",
- "cidr": "10.7.5.0/24"
- }
- ]
- }
- ],
- "gateway-endpoints": ["s3"],
- "route-tables": [
- {
- "name": "OnPremise_Shared"
- },
- {
- "name": "Public_Shared",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "IGW"
- }
- ]
- },
- {
- "name": "FWMgmt_azA",
- "routes": [
- {
- "destination": "10.0.0.0/8",
- "target": "VGW"
- },
- {
- "destination": "0.0.0.0/0",
- "target": "firewall",
- "name": "Firewall",
- "az": "a",
- "port": "OnPremise"
- },
- {
- "destination": "s3",
- "target": "s3"
- }
- ]
- },
- {
- "name": "FWMgmt_azB",
- "routes": [
- {
- "destination": "10.0.0.0/8",
- "target": "VGW"
- },
- {
- "destination": "0.0.0.0/0",
- "target": "firewall",
- "name": "Firewall",
- "az": "b",
- "port": "OnPremise"
- },
- {
- "destination": "s3",
- "target": "s3"
- }
- ]
- },
- {
- "name": "Proxy_azA",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "firewall",
- "name": "Firewall",
- "az": "a",
- "port": "Proxy"
- }
- ]
- },
- {
- "name": "Proxy_azB",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "firewall",
- "name": "Firewall",
- "az": "b",
- "port": "Proxy"
- }
- ]
- },
- {
- "name": "Detonation_Shared"
- }
- ],
- "security-groups": [
- {
- "name": "Public-Prod-ALB",
- "inbound-rules": [
- {
- "description": "TLS Traffic Inbound",
- "type": ["HTTPS"],
- "source": ["0.0.0.0/0"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Public-DevTest-ALB",
- "inbound-rules": [
- {
- "description": "TLS Traffic Inbound",
- "type": ["HTTPS"],
- "source": ["0.0.0.0/0"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "FirewallMgr",
- "inbound-rules": [
- {
- "description": "Allow Mgmt Traffic Inbound",
- "tcp-ports": [22, 443, 514, 541, 2032, 3000, 5199, 6020, 6028, 8080],
- "udp-ports": [9443],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Firewalls",
- "inbound-rules": [
- {
- "description": "All Allowed Inbound Traffic",
- "tcp-ports": [22, 443, 541, 3000, 8080],
- "source": ["0.0.0.0/0"]
- },
- {
- "description": "Mgmt Traffic, Customer Outbound traffic and ALBs",
- "type": ["ALL"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "tgw-attach": false,
- "interface-endpoints": {
- "subnet": "Proxy",
- "endpoints": ["ssm", "ssmmessages", "ec2messages"]
- }
- }
- ],
- "deployments": {
- "firewalls": [
- {
- "name": "Firewall",
- "image-id": "ami-047aac44951feb9fb",
- "instance-sizes": "c5n.2xlarge",
- "region": "ca-central-1",
- "security-group": "Firewalls",
- "fw-instance-role": "Firewall-Role",
- "vpc": "Perimeter",
- "ports": [
- {
- "name": "Public",
- "subnet": "Public",
- "create-eip": true,
- "create-cgw": true
- },
- {
- "name": "OnPremise",
- "subnet": "OnPremise",
- "create-eip": false,
- "create-cgw": false
- },
- {
- "name": "FWMgmt",
- "subnet": "FWMgmt",
- "create-eip": false,
- "create-cgw": false
- },
- {
- "name": "Proxy",
- "subnet": "Proxy",
- "create-eip": false,
- "create-cgw": false
- }
- ],
- "license": ["firewall/license1.lic", "firewall/license2.lic"],
- "config": "firewall/firewall-example.txt",
- "fw-cgw-name": "Perimeter_fw",
- "fw-cgw-asn": 65523,
- "fw-cgw-routing": "Dynamic",
- "tgw-attach": {
- "associate-to-tgw": "Main",
- "account": "shared-network",
- "name": "TGW-to-Perimeter",
- "associate-type": "VPN",
- "tgw-rt-associate": ["core"],
- "tgw-rt-propagate": ["core", "segregated", "shared", "standalone"],
- "blackhole-route": false,
- "attach-subnets": [],
- "options": ["DNS-support"]
- }
- }
- ],
- "firewall-manager": {
- "name": "FirewallMgr",
- "image-id": "ami-06fa2a9e6f8fae9f2",
- "instance-sizes": "c5.large",
- "version": "6.2.3",
- "region": "ca-central-1",
- "vpc": "Perimeter",
- "security-group": "FirewallMgr",
- "subnet": {
- "name": "FWMgmt",
- "az": "a"
- },
- "create-eip": true
- }
- }
- },
- "master": {
- "account-name": "primary",
- "email": "myemail+pbmmT-master@example.com---------------------REPLACE----------------------",
- "ou": "core",
- "share-mad-from": "",
- "src-filename": "config.json",
- "budget": {
- "name": "Organization Budget",
- "period": "Monthly",
- "amount": 10000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "log-retention": 180,
- "limits": {
- "AWS Organizations/Maximum accounts": {
- "value": 20
- }
- },
- "iam": {
- "users": [
- {
- "user-ids": ["bgUser1", "bgUser2"],
- "group": "BreakGlassAdmins",
- "policies": ["AdministratorAccess"],
- "boundary-policy": "Default-Boundary-Policy"
- },
- {
- "user-ids": ["OpsUser1", "OpsUser2"],
- "group": "OpsAdmins",
- "policies": ["AdministratorAccess"],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": []
- },
- "vpc": [
- {
- "deploy": "local",
- "name": "ForSSO",
- "cidr": "10.249.1.0/24",
- "region": "ca-central-1",
- "use-central-endpoints": false,
- "flow-logs": "S3",
- "igw": false,
- "vgw": false,
- "pcx": false,
- "natgw": false,
- "subnets": [
- {
- "name": "ForSSO",
- "definitions": [
- {
- "az": "a",
- "route-table": "ForSSO_Shared",
- "cidr": "10.249.1.0/27"
- },
- {
- "az": "b",
- "route-table": "ForSSO_Shared",
- "cidr": "10.249.1.32/27"
- }
- ]
- }
- ],
- "gateway-endpoints": [],
- "route-tables": [
- {
- "name": "ForSSO_Shared",
- "routes": [
- {
- "destination": {
- "account": "shared-network",
- "vpc": "Central",
- "subnet": "GCWide"
- },
- "target": "pcx"
- }
- ]
- }
- ],
- "tgw-attach": false,
- "interface-endpoints": false
- }
- ],
- "deployments": {
- "adc": {
- "deploy": true,
- "vpc-name": "ForSSO",
- "subnet": "ForSSO",
- "size": "Small",
- "restrict_srcips": ["10.249.1.0/24", "100.96.252.0/23"],
- "connect-account-key": "operations",
- "connect-dir-id": 1001
- }
- }
- },
- "log-archive": {
- "account-name": "log-archive",
- "ou": "core",
- "email": "myemail+pbmmT-log@example.com---------------------REPLACE----------------------",
- "src-filename": "config.json"
- },
- "security": {
- "account-name": "security",
- "ou": "core",
- "email": "myemail+pbmmT-sec@example.com---------------------REPLACE----------------------",
- "src-filename": "config.json"
- }
- },
- "workload-account-configs": {
- "fun-acct": {
- "account-name": "TheFunAccount",
- "email": "myemail+pbmmT-funacct@example.com---------------------REPLACE----------------------",
- "src-filename": "config.json",
- "ou": "Sandbox"
- },
- "mydevacct1": {
- "account-name": "MyDev1",
- "email": "myemail+pbmmT-dev1@example.com---------------------REPLACE----------------------",
- "src-filename": "config.json",
- "ou": "Dev"
- }
- },
- "organizational-units": {
- "core": {
- "type": "ignore",
- "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
- "default-budgets": {
- "name": "Default Core Budget",
- "period": "Monthly",
- "amount": 1000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- }
- },
- "Central": {
- "type": "mandatory",
- "share-mad-from": "operations",
- "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
- "default-budgets": {
- "name": "Default Central Budget",
- "period": "Monthly",
- "amount": 500,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "vpc": [
- {
- "deploy": "shared-network",
- "name": "Central",
- "cidr": "10.1.0.0/16",
- "cidr2": "100.96.252.0/23",
- "region": "ca-central-1",
- "use-central-endpoints": true,
- "flow-logs": "BOTH",
- "igw": false,
- "vgw": false,
- "pcx": {
- "source": "master",
- "source-vpc": "ForSSO",
- "source-subnets": "ForSSO",
- "local-subnets": "GCWide"
- },
- "natgw": false,
- "subnets": [
- {
- "name": "TGW",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.88.0/27"
- },
- {
- "az": "b",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.88.32/27"
- },
- {
- "az": "d",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.88.64/27",
- "disabled": true
- }
- ]
- },
- {
- "name": "Web",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": ["operations"],
- "definitions": [
- {
- "az": "a",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.32.0/20"
- },
- {
- "az": "b",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.128.0/20"
- },
- {
- "az": "d",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.192.0/20",
- "disabled": true
- }
- ]
- },
- {
- "name": "App",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": ["operations"],
- "definitions": [
- {
- "az": "a",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.0.0/19"
- },
- {
- "az": "b",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.96.0/19"
- },
- {
- "az": "d",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.160.0/19",
- "disabled": true
- }
- ]
- },
- {
- "name": "Data",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": ["operations"],
- "definitions": [
- {
- "az": "a",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.48.0/20"
- },
- {
- "az": "b",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.144.0/20"
- },
- {
- "az": "d",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.208.0/20",
- "disabled": true
- }
- ],
- "nacls": [
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": true,
- "cidr-blocks": [
- {
- "vpc": "Central",
- "subnet": ["Web"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": true,
- "cidr-blocks": ["0.0.0.0/0"]
- },
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": false,
- "cidr-blocks": [
- {
- "vpc": "Central",
- "subnet": ["Web"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": false,
- "cidr-blocks": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Mgmt",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": ["operations"],
- "definitions": [
- {
- "az": "a",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.64.0/21"
- },
- {
- "az": "b",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.72.0/21"
- },
- {
- "az": "d",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.80.0/21",
- "disabled": true
- }
- ]
- },
- {
- "name": "GCWide",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": ["operations"],
- "definitions": [
- {
- "az": "a",
- "route-table": "CentralVPC_GCWide",
- "cidr2": "100.96.252.0/25"
- },
- {
- "az": "b",
- "route-table": "CentralVPC_GCWide",
- "cidr2": "100.96.252.128/25"
- },
- {
- "az": "d",
- "route-table": "CentralVPC_GCWide",
- "cidr2": "100.96.253.0/25",
- "disabled": true
- }
- ]
- }
- ],
- "gateway-endpoints": ["s3", "dynamodb"],
- "route-tables": [
- {
- "name": "CentralVPC_Common",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "TGW"
- },
- {
- "destination": "s3",
- "target": "s3"
- },
- {
- "destination": "DynamoDB",
- "target": "DynamoDB"
- }
- ]
- },
- {
- "name": "CentralVPC_GCWide",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "TGW"
- },
- {
- "destination": "s3",
- "target": "s3"
- },
- {
- "destination": "DynamoDB",
- "target": "DynamoDB"
- },
- {
- "destination": {
- "account": "master",
- "vpc": "ForSSO",
- "subnet": "ForSSO"
- },
- "target": "pcx"
- }
- ]
- }
- ],
- "security-groups": [
- {
- "name": "Mgmt",
- "inbound-rules": [
- {
- "description": "Mgmt RDP/SSH Traffic Inbound",
- "type": ["RDP", "SSH"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Web",
- "inbound-rules": [
- {
- "description": "World Web Traffic Inbound",
- "type": ["HTTP", "HTTPS"],
- "source": ["0.0.0.0/0"]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "App",
- "inbound-rules": [
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local Web Tier Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Web"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Data",
- "inbound-rules": [
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local App DB Traffic Inbound",
- "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Data"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "tgw-attach": {
- "associate-to-tgw": "Main",
- "account": "shared-network",
- "associate-type": "ATTACH",
- "tgw-rt-associate": ["shared"],
- "tgw-rt-propagate": ["core", "shared", "segregated"],
- "blackhole-route": false,
- "attach-subnets": ["TGW"],
- "options": ["DNS-support"]
- },
- "interface-endpoints": false
- }
- ],
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- }
- },
- "Dev": {
- "type": "workload",
- "share-mad-from": "operations",
- "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
- "default-budgets": {
- "name": "Default Dev Budget",
- "period": "Monthly",
- "amount": 2000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "certificates": [
- {
- "name": "DevSelf-SignedCert",
- "type": "import",
- "priv-key": "certs/example1-cert.key",
- "cert": "certs/example1-cert.crt"
- }
- ],
- "alb": [
- {
- "name": "Core",
- "scheme": "internal",
- "action-type": "forward",
- "ip-type": "ipv4",
- "listeners": "HTTPS",
- "ports": 443,
- "vpc": "Dev",
- "subnets": "Web",
- "cert-name": "DevSelf-SignedCert",
- "cert-arn": "",
- "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
- "security-group": "Web",
- "tg-stickiness": "",
- "access-logs": true,
- "targets": [
- {
- "target-name": "health-check-Lambda",
- "target-type": "lambda",
- "health-check-path": "/health-check",
- "lambda-filename": "internal-dev-alb-lambda.txt"
- }
- ]
- }
- ],
- "vpc": [
- {
- "deploy": "shared-network",
- "name": "Dev",
- "cidr": "10.2.0.0/16",
- "region": "ca-central-1",
- "use-central-endpoints": true,
- "flow-logs": "S3",
- "igw": false,
- "vgw": false,
- "pcx": false,
- "natgw": false,
- "subnets": [
- {
- "name": "TGW",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.88.0/27"
- },
- {
- "az": "b",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.88.32/27"
- },
- {
- "az": "d",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.88.64/27",
- "disabled": true
- }
- ]
- },
- {
- "name": "Web",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.32.0/20"
- },
- {
- "az": "b",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.128.0/20"
- },
- {
- "az": "d",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.192.0/20",
- "disabled": true
- }
- ]
- },
- {
- "name": "App",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.0.0/19"
- },
- {
- "az": "b",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.96.0/19"
- },
- {
- "az": "d",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.160.0/19",
- "disabled": true
- }
- ]
- },
- {
- "name": "Data",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.48.0/20"
- },
- {
- "az": "b",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.144.0/20"
- },
- {
- "az": "d",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.208.0/20",
- "disabled": true
- }
- ],
- "nacls": [
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": true,
- "cidr-blocks": [
- {
- "vpc": "Dev",
- "subnet": ["Web"]
- },
- {
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": true,
- "cidr-blocks": ["0.0.0.0/0"]
- },
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": false,
- "cidr-blocks": [
- {
- "vpc": "Dev",
- "subnet": ["Web"]
- },
- {
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": false,
- "cidr-blocks": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Mgmt",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.64.0/21"
- },
- {
- "az": "b",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.72.0/21"
- },
- {
- "az": "d",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.80.0/21",
- "disabled": true
- }
- ]
- }
- ],
- "gateway-endpoints": ["s3", "dynamodb"],
- "route-tables": [
- {
- "name": "DevVPC_Common",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "TGW"
- },
- {
- "destination": "s3",
- "target": "s3"
- },
- {
- "destination": "DynamoDB",
- "target": "DynamoDB"
- }
- ]
- }
- ],
- "security-groups": [
- {
- "name": "Mgmt",
- "inbound-rules": [
- {
- "description": "Mgmt RDP/SSH Traffic Inbound",
- "type": ["RDP", "SSH"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- },
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Web",
- "inbound-rules": [
- {
- "description": "World Web Traffic Inbound",
- "type": ["HTTP", "HTTPS"],
- "source": ["0.0.0.0/0"]
- },
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "App",
- "inbound-rules": [
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local Web Tier Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Web"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Data",
- "inbound-rules": [
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local App DB Traffic Inbound",
- "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Data"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "tgw-attach": {
- "associate-to-tgw": "Main",
- "account": "shared-network",
- "associate-type": "ATTACH",
- "tgw-rt-associate": ["segregated"],
- "tgw-rt-propagate": ["core", "shared"],
- "blackhole-route": true,
- "attach-subnets": ["TGW"],
- "options": ["DNS-support"]
- },
- "interface-endpoints": false
- }
- ],
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- }
- },
- "Test": {
- "type": "workload",
- "share-mad-from": "operations",
- "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
- "default-budgets": {
- "name": "Default Test Budget",
- "period": "Monthly",
- "amount": 1000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "certificates": [
- {
- "name": "TestSelf-SignedCert",
- "type": "import",
- "priv-key": "certs/example1-cert.key",
- "cert": "certs/example1-cert.crt"
- }
- ],
- "alb": [
- {
- "name": "Core",
- "scheme": "internal",
- "action-type": "forward",
- "ip-type": "ipv4",
- "listeners": "HTTPS",
- "ports": 443,
- "vpc": "Test",
- "subnets": "Web",
- "cert-name": "TestSelf-SignedCert",
- "cert-arn": "",
- "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
- "security-group": "Web",
- "tg-stickiness": "",
- "access-logs": true,
- "targets": [
- {
- "target-name": "health-check-Lambda",
- "target-type": "lambda",
- "health-check-path": "/health-check",
- "lambda-filename": "internal-test-alb-lambda.txt"
- }
- ]
- }
- ],
- "vpc": [
- {
- "deploy": "shared-network",
- "name": "Test",
- "cidr": "10.3.0.0/16",
- "region": "ca-central-1",
- "use-central-endpoints": true,
- "flow-logs": "CWL",
- "igw": false,
- "vgw": false,
- "pcx": false,
- "natgw": false,
- "subnets": [
- {
- "name": "TGW",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.88.0/27"
- },
- {
- "az": "b",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.88.32/27"
- },
- {
- "az": "d",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.88.64/27",
- "disabled": true
- }
- ]
- },
- {
- "name": "Web",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.32.0/20"
- },
- {
- "az": "b",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.128.0/20"
- },
- {
- "az": "d",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.192.0/20",
- "disabled": true
- }
- ]
- },
- {
- "name": "App",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.0.0/19"
- },
- {
- "az": "b",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.96.0/19"
- },
- {
- "az": "d",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.160.0/19",
- "disabled": true
- }
- ]
- },
- {
- "name": "Data",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.48.0/20"
- },
- {
- "az": "b",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.144.0/20"
- },
- {
- "az": "d",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.208.0/20",
- "disabled": true
- }
- ],
- "nacls": [
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": true,
- "cidr-blocks": [
- {
- "vpc": "Test",
- "subnet": ["Web"]
- },
- {
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": true,
- "cidr-blocks": ["0.0.0.0/0"]
- },
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": false,
- "cidr-blocks": [
- {
- "vpc": "Test",
- "subnet": ["Web"]
- },
- {
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": false,
- "cidr-blocks": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Mgmt",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.64.0/21"
- },
- {
- "az": "b",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.72.0/21"
- },
- {
- "az": "d",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.80.0/21",
- "disabled": true
- }
- ]
- }
- ],
- "gateway-endpoints": ["s3", "dynamodb"],
- "route-tables": [
- {
- "name": "TestVPC_Common",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "TGW"
- },
- {
- "destination": "s3",
- "target": "s3"
- },
- {
- "destination": "DynamoDB",
- "target": "DynamoDB"
- }
- ]
- }
- ],
- "security-groups": [
- {
- "name": "Mgmt",
- "inbound-rules": [
- {
- "description": "Mgmt RDP/SSH Traffic Inbound",
- "type": ["RDP", "SSH"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- },
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Web",
- "inbound-rules": [
- {
- "description": "World Web Traffic Inbound",
- "type": ["HTTP", "HTTPS"],
- "source": ["0.0.0.0/0"]
- },
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "App",
- "inbound-rules": [
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local Web Tier Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Web"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Data",
- "inbound-rules": [
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local App DB Traffic Inbound",
- "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Data"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "tgw-attach": {
- "associate-to-tgw": "Main",
- "account": "shared-network",
- "associate-type": "ATTACH",
- "tgw-rt-associate": ["segregated"],
- "tgw-rt-propagate": ["core", "shared"],
- "blackhole-route": true,
- "attach-subnets": ["TGW"],
- "options": ["DNS-support"]
- },
- "interface-endpoints": false
- }
- ],
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- }
- },
- "Prod": {
- "type": "workload",
- "share-mad-from": "operations",
- "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
- "default-budgets": {
- "name": "Default Prod Budget",
- "period": "Monthly",
- "amount": 1000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "certificates": [
- {
- "name": "ProdSelf-SignedCert",
- "type": "import",
- "priv-key": "certs/example1-cert.key",
- "cert": "certs/example1-cert.crt"
- }
- ],
- "alb": [
- {
- "name": "Core",
- "scheme": "internal",
- "action-type": "forward",
- "ip-type": "ipv4",
- "listeners": "HTTPS",
- "ports": 443,
- "vpc": "Prod",
- "subnets": "Web",
- "cert-name": "ProdSelf-SignedCert",
- "cert-arn": "",
- "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
- "security-group": "Web",
- "tg-stickiness": "",
- "access-logs": true,
- "targets": [
- {
- "target-name": "health-check-Lambda",
- "target-type": "lambda",
- "health-check-path": "/health-check",
- "lambda-filename": "internal-prod-alb-lambda.txt"
- }
- ]
- }
- ],
- "vpc": [
- {
- "deploy": "shared-network",
- "name": "Prod",
- "cidr": "10.4.0.0/16",
- "region": "ca-central-1",
- "use-central-endpoints": true,
- "flow-logs": "CWL",
- "igw": false,
- "vgw": false,
- "pcx": false,
- "natgw": false,
- "subnets": [
- {
- "name": "TGW",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.88.0/27"
- },
- {
- "az": "b",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.88.32/27"
- },
- {
- "az": "d",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.88.64/27",
- "disabled": true
- }
- ]
- },
- {
- "name": "Web",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.32.0/20"
- },
- {
- "az": "b",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.128.0/20"
- },
- {
- "az": "d",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.192.0/20",
- "disabled": true
- }
- ]
- },
- {
- "name": "App",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.0.0/19"
- },
- {
- "az": "b",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.96.0/19"
- },
- {
- "az": "d",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.160.0/19",
- "disabled": true
- }
- ]
- },
- {
- "name": "Data",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.48.0/20"
- },
- {
- "az": "b",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.144.0/20"
- },
- {
- "az": "d",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.208.0/20",
- "disabled": true
- }
- ],
- "nacls": [
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": true,
- "cidr-blocks": [
- {
- "vpc": "Prod",
- "subnet": ["Web"]
- },
- {
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": true,
- "cidr-blocks": ["0.0.0.0/0"]
- },
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": false,
- "cidr-blocks": [
- {
- "vpc": "Prod",
- "subnet": ["Web"]
- },
- {
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": false,
- "cidr-blocks": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Mgmt",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.64.0/21"
- },
- {
- "az": "b",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.72.0/21"
- },
- {
- "az": "d",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.80.0/21",
- "disabled": true
- }
- ]
- }
- ],
- "gateway-endpoints": ["s3", "dynamodb"],
- "route-tables": [
- {
- "name": "ProdVPC_Common",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "TGW"
- },
- {
- "destination": "s3",
- "target": "s3"
- },
- {
- "destination": "DynamoDB",
- "target": "DynamoDB"
- }
- ]
- }
- ],
- "security-groups": [
- {
- "name": "Mgmt",
- "inbound-rules": [
- {
- "description": "Mgmt RDP/SSH Traffic Inbound",
- "type": ["RDP", "SSH"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- },
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Web",
- "inbound-rules": [
- {
- "description": "World Web Traffic Inbound",
- "type": ["HTTP", "HTTPS"],
- "source": ["0.0.0.0/0"]
- },
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "App",
- "inbound-rules": [
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local Web Tier Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Web"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Data",
- "inbound-rules": [
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local App DB Traffic Inbound",
- "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Data"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "tgw-attach": {
- "associate-to-tgw": "Main",
- "account": "shared-network",
- "associate-type": "ATTACH",
- "tgw-rt-associate": ["segregated"],
- "tgw-rt-propagate": ["core", "shared"],
- "blackhole-route": true,
- "attach-subnets": ["TGW"],
- "options": ["DNS-support"]
- },
- "interface-endpoints": false
- }
- ],
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- }
- },
- "UnClass": {
- "type": "workload",
- "share-mad-from": "operations",
- "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-Unclass-Only"],
- "default-budgets": {
- "name": "Default Unclass Budget",
- "period": "Monthly",
- "amount": 1000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "vpc": [
- {
- "deploy": "shared-network",
- "name": "UnClass",
- "cidr": "10.5.0.0/16",
- "region": "ca-central-1",
- "use-central-endpoints": true,
- "flow-logs": "S3",
- "igw": false,
- "vgw": false,
- "pcx": false,
- "natgw": false,
- "subnets": [
- {
- "name": "TGW",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.88.0/27"
- },
- {
- "az": "b",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.88.32/27"
- },
- {
- "az": "d",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.88.64/27",
- "disabled": true
- }
- ]
- },
- {
- "name": "Web",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.32.0/20"
- },
- {
- "az": "b",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.128.0/20"
- },
- {
- "az": "d",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.192.0/20",
- "disabled": true
- }
- ]
- },
- {
- "name": "App",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.0.0/19"
- },
- {
- "az": "b",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.96.0/19"
- },
- {
- "az": "d",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.160.0/19",
- "disabled": true
- }
- ]
- },
- {
- "name": "Data",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.48.0/20"
- },
- {
- "az": "b",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.144.0/20"
- },
- {
- "az": "d",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.208.0/20",
- "disabled": true
- }
- ],
- "nacls": [
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": true,
- "cidr-blocks": [
- {
- "vpc": "UnClass",
- "subnet": ["Web"]
- },
- {
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": true,
- "cidr-blocks": ["0.0.0.0/0"]
- },
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": false,
- "cidr-blocks": [
- {
- "vpc": "UnClass",
- "subnet": ["Web"]
- },
- {
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": false,
- "cidr-blocks": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Mgmt",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.64.0/21"
- },
- {
- "az": "b",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.72.0/21"
- },
- {
- "az": "d",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.80.0/21",
- "disabled": true
- }
- ]
- }
- ],
- "gateway-endpoints": ["s3", "dynamodb"],
- "route-tables": [
- {
- "name": "UnClassVPC_Common",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "TGW"
- },
- {
- "destination": "s3",
- "target": "s3"
- },
- {
- "destination": "DynamoDB",
- "target": "DynamoDB"
- }
- ]
- }
- ],
- "security-groups": [
- {
- "name": "Mgmt",
- "inbound-rules": [
- {
- "description": "Mgmt RDP/SSH Traffic Inbound",
- "type": ["RDP", "SSH"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- },
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Web",
- "inbound-rules": [
- {
- "description": "World Web Traffic Inbound",
- "type": ["HTTP", "HTTPS"],
- "source": ["0.0.0.0/0"]
- },
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "App",
- "inbound-rules": [
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local Web Tier Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Web"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Data",
- "inbound-rules": [
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local App DB Traffic Inbound",
- "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Data"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "tgw-attach": {
- "associate-to-tgw": "Main",
- "account": "shared-network",
- "associate-type": "ATTACH",
- "tgw-rt-associate": ["segregated"],
- "tgw-rt-propagate": ["core", "shared"],
- "blackhole-route": true,
- "attach-subnets": ["TGW"],
- "options": ["DNS-support"]
- },
- "interface-endpoints": false
- }
- ],
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- }
- },
- "Sandbox": {
- "type": "workload",
- "share-mad-from": "",
- "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-Unclass-Only"],
- "default-budgets": {
- "name": "Default Sandbox Budget",
- "period": "Monthly",
- "amount": 200,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "vpc": [
- {
- "deploy": "local",
- "name": "Sandbox",
- "cidr": "10.6.0.0/16",
- "region": "ca-central-1",
- "use-central-endpoints": false,
- "flow-logs": "BOTH",
- "igw": true,
- "vgw": false,
- "pcx": false,
- "natgw": {
- "subnet": {
- "name": "Web",
- "az": "a"
- }
- },
- "subnets": [
- {
- "name": "Web",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "SandboxVPC_IGW",
- "cidr": "10.6.32.0/20"
- },
- {
- "az": "b",
- "route-table": "SandboxVPC_IGW",
- "cidr": "10.6.128.0/20"
- },
- {
- "az": "d",
- "route-table": "SandboxVPC_IGW",
- "cidr": "10.6.192.0/20",
- "disabled": true
- }
- ]
- },
- {
- "name": "App",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.0.0/19"
- },
- {
- "az": "b",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.96.0/19"
- },
- {
- "az": "d",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.160.0/19",
- "disabled": true
- }
- ]
- },
- {
- "name": "Data",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.48.0/20"
- },
- {
- "az": "b",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.144.0/20"
- },
- {
- "az": "d",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.208.0/20",
- "disabled": true
- }
- ],
- "nacls": [
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": true,
- "cidr-blocks": [
- {
- "vpc": "Sandbox",
- "subnet": ["Web"]
- },
- {
- "account": "shared-network",
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": true,
- "cidr-blocks": ["0.0.0.0/0"]
- },
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": false,
- "cidr-blocks": [
- {
- "vpc": "Sandbox",
- "subnet": ["Web"]
- },
- {
- "account": "shared-network",
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": false,
- "cidr-blocks": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Mgmt",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.64.0/21"
- },
- {
- "az": "b",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.72.0/21"
- },
- {
- "az": "d",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.80.0/21",
- "disabled": true
- }
- ]
- }
- ],
- "gateway-endpoints": [],
- "route-tables": [
- {
- "name": "SandboxVPC_IGW",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "IGW"
- }
- ]
- },
- {
- "name": "SandboxVPC_Common",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "NATGW_Web_azA"
- }
- ]
- }
- ],
- "security-groups": [
- {
- "name": "Mgmt",
- "inbound-rules": [
- {
- "description": "Mgmt RDP/SSH Traffic Inbound",
- "type": ["RDP", "SSH"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Web",
- "inbound-rules": [
- {
- "description": "World Web Traffic Inbound",
- "type": ["HTTP", "HTTPS"],
- "source": ["0.0.0.0/0"]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "App",
- "inbound-rules": [
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local Web Tier Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Web"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Data",
- "inbound-rules": [
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local App DB Traffic Inbound",
- "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Data"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "tgw-attach": false,
- "interface-endpoints": false
- }
- ],
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- }
- }
- }
-}
+{
+ "global-options": {
+ "alz-minimum-version": "v2.3.1",
+ "alz-baseline": false,
+ "ct-baseline": false,
+ "central-log-retention": 730,
+ "default-log-retention": 90,
+ "central-bucket": "AWSDOC-EXAMPLE-BUCKET",
+ "organization-admin-role": "OrganizationAccountAccessRole",
+ "default-cwl-retention": 731,
+ "workloadaccounts-suffix" : 1,
+ "workloadaccounts-prefix" : "config",
+ "workloadaccounts-param-filename": "config.json",
+ "ignored-ous": [],
+ "supported-regions": [
+ "ap-northeast-1",
+ "ap-northeast-2",
+ "ap-south-1",
+ "ap-southeast-1",
+ "ap-southeast-2",
+ "ca-central-1",
+ "eu-central-1",
+ "eu-north-1",
+ "eu-west-1",
+ "eu-west-2",
+ "eu-west-3",
+ "sa-east-1",
+ "us-east-1",
+ "us-east-2",
+ "us-west-1",
+ "us-west-2"
+ ],
+ "keep-default-vpc-regions": [],
+ "aws-org-master": {
+ "account": "master",
+ "region": "ca-central-1"
+ },
+ "central-security-services": {
+ "account": "security",
+ "region": "ca-central-1",
+ "security-hub": true,
+ "security-hub-excl-regions": [],
+ "guardduty": true,
+ "guardduty-excl-regions": [],
+ "cwl": true,
+ "access-analyzer": true,
+ "config-excl-regions": [],
+ "config-aggr-excl-regions": [],
+ "macie": true,
+ "macie-excl-regions": [],
+ "macie-frequency": "FIFTEEN_MINUTES"
+ },
+ "central-operations-services": {
+ "account": "operations",
+ "region": "ca-central-1",
+ "cwl": true,
+ "cwl-access-level": "full"
+ },
+ "central-log-services": {
+ "account": "log-archive",
+ "region": "ca-central-1",
+ "cwl-glbl-exclusions": [],
+ "cwl-exclusions": [],
+ "ssm-to-s3": true,
+ "ssm-to-cwl": true
+ },
+ "reports": {
+ "cost-and-usage-report": {
+ "additional-schema-elements": ["RESOURCES"],
+ "compression": "Parquet",
+ "format": "Parquet",
+ "report-name": "Cost-and-Usage-Report",
+ "s3-prefix": "cur",
+ "time-unit": "HOURLY",
+ "additional-artifacts": ["ATHENA"],
+ "refresh-closed-reports": true,
+ "report-versioning": "OVERWRITE_REPORT"
+ }
+ },
+ "zones": {
+ "account": "shared-network",
+ "resolver-vpc": "Endpoint",
+ "names": {
+ "public": ["dept.cloud-nuage.canada.ca"],
+ "private": ["dept.cloud-nuage.gc.ca"]
+ }
+ },
+ "vpc-flow-logs": {
+ "filter": "ALL",
+ "interval": 60,
+ "default-format": false,
+ "custom-fields": [
+ "version",
+ "account-id",
+ "interface-id",
+ "srcaddr",
+ "dstaddr",
+ "srcport",
+ "dstport",
+ "protocol",
+ "packets",
+ "bytes",
+ "start",
+ "end",
+ "action",
+ "log-status",
+ "vpc-id",
+ "subnet-id",
+ "instance-id",
+ "tcp-flags",
+ "type",
+ "pkt-srcaddr",
+ "pkt-dstaddr",
+ "region",
+ "az-id"
+ ]
+ },
+ "security-hub-frameworks": {
+ "standards": [
+ {
+ "name": "AWS Foundational Security Best Practices v1.0.0",
+ "controls-to-disable": ["IAM.1"]
+ },
+ {
+ "name": "PCI DSS v3.2.1",
+ "controls-to-disable": ["PCI.IAM.3", "PCI.KMS.1", "PCI.S3.3", "PCI.EC2.3", "PCI.Lambda.2"]
+ },
+ {
+ "name": "CIS AWS Foundations Benchmark v1.2.0",
+ "controls-to-disable": ["CIS.1.20", "CIS.1.22", "CIS.2.8"]
+ }
+ ]
+ },
+ "iam-password-policies": {
+ "allow-users-to-change-password": true,
+ "hard-expiry": false,
+ "require-uppercase-characters": true,
+ "require-lowercase-characters": true,
+ "require-symbols": true,
+ "require-numbers": true,
+ "minimum-password-length": 14,
+ "password-reuse-prevention": 24,
+ "max-password-age": 90
+ },
+ "scps": [
+ {
+ "name": "ALZ-Core",
+ "description": "ALZ Core Preventive Guardrails",
+ "policy": "aws-landing-zone-core-mandatory-preventive-guardrails-Accel.json"
+ },
+ {
+ "name": "ALZ-Non-Core",
+ "description": "ALZ Non-core Preventive Guardrails",
+ "policy": "aws-landing-zone-non-core-mandatory-preventive-guardrails-Accel.json"
+ },
+ {
+ "name": "Guardrails-Part-1",
+ "description": "PBMMAccel Guardrails Part 1",
+ "policy": "PBMMAccel-Guardrails-Part1.json"
+ },
+ {
+ "name": "Guardrails-Part-2",
+ "description": "PBMMAccel Guardrails Part 2",
+ "policy": "PBMMAccel-Guardrails-Part2.json"
+ },
+ {
+ "name": "Guardrails-PBMM-Only",
+ "description": "PBMMAccel Guardrails PBMM Environment Specific",
+ "policy": "PBMMAccel-Guardrails-PBMM-Only.json"
+ },
+ {
+ "name": "Guardrails-Unclass-Only",
+ "description": "PBMMAccel Guardrails Unclassified Environment Specific",
+ "policy": "PBMMAccel-Guardrails-Unclass-Only.json"
+ },
+ {
+ "name": "Quarantine-New-Object",
+ "description": "PBMM Quarantine policy - Apply to ACCOUNTS that need to be quarantined",
+ "policy": "Quarantine-New-Object.json"
+ }
+ ]
+ },
+ "mandatory-account-configs": {
+ "shared-network": {
+ "account-name": "SharedNetwork",
+ "email": "myemail+pbmmT-network@example.com---------------------REPLACE----------------------",
+ "ou": "core",
+ "share-mad-from": "operations",
+ "src-filename": "config.json",
+ "budget": {
+ "name": "SharedNetwork Budget",
+ "period": "Monthly",
+ "amount": 2000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ },
+ "limits": {
+ "Amazon VPC/Interface VPC endpoints per VPC": {
+ "value": 90,
+ "customer-confirm-inplace": false
+ },
+ "Amazon VPC/VPCs per Region": {
+ "value": 15
+ }
+ },
+ "vpc": [
+ {
+ "deploy": "local",
+ "name": "Endpoint",
+ "cidr": "10.7.0.0/22",
+ "region": "ca-central-1",
+ "use-central-endpoints": false,
+ "flow-logs": "S3",
+ "igw": false,
+ "vgw": false,
+ "pcx": false,
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "Endpoint",
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "EndpointVPC_Common",
+ "cidr": "10.7.0.0/24"
+ },
+ {
+ "az": "b",
+ "route-table": "EndpointVPC_Common",
+ "cidr": "10.7.1.0/24"
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": [],
+ "route-tables": [
+ {
+ "name": "EndpointVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ }
+ ]
+ }
+ ],
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": ["core"],
+ "tgw-rt-propagate": ["core", "segregated", "shared", "standalone"],
+ "blackhole-route": false,
+ "attach-subnets": ["Endpoint"],
+ "options": ["DNS-support"]
+ },
+ "interface-endpoints": {
+ "subnet": "Endpoint",
+ "endpoints": [
+ "ec2",
+ "ec2messages",
+ "ssm",
+ "ssmmessages",
+ "secretsmanager",
+ "cloudformation",
+ "access-analyzer",
+ "application-autoscaling",
+ "appmesh-envoy-management",
+ "athena",
+ "autoscaling",
+ "autoscaling-plans",
+ "clouddirectory",
+ "cloudtrail",
+ "codebuild",
+ "codecommit",
+ "codecommit-fips",
+ "codepipeline",
+ "config",
+ "datasync",
+ "ecr.dkr",
+ "ecs",
+ "ecs-agent",
+ "ecs-telemetry",
+ "elasticfilesystem",
+ "elasticfilesystem-fips",
+ "elasticloadbalancing",
+ "elasticmapreduce",
+ "events",
+ "execute-api",
+ "git-codecommit",
+ "git-codecommit-fips",
+ "glue",
+ "kinesis-streams",
+ "kms",
+ "logs",
+ "monitoring",
+ "sagemaker.api",
+ "sagemaker.runtime",
+ "servicecatalog",
+ "sms",
+ "sns",
+ "sqs",
+ "storagegateway",
+ "sts",
+ "transfer",
+ "workspaces",
+ "awsconnector",
+ "ecr.api",
+ "kinesis-firehose",
+ "states",
+ "acm-pca",
+ "cassandra",
+ "ebs",
+ "elasticbeanstalk",
+ "elasticbeanstalk-health",
+ "email-smtp",
+ "license-manager",
+ "macie2",
+ "notebook",
+ "synthetics",
+ "transfer.server"
+ ]
+ },
+ "resolvers": {
+ "subnet": "Endpoint",
+ "outbound": true,
+ "inbound": true
+ },
+ "on-premise-rules": [
+ {
+ "zone": "dept-private.gc.ca",
+ "outbound-ips": ["10.254.254.1", "10.254.253.1"]
+ },
+ {
+ "zone": "private-domain1.example.ca",
+ "outbound-ips": ["10.254.254.1", "10.254.253.1"]
+ }
+ ]
+ }
+ ],
+ "deployments": {
+ "tgw": [
+ {
+ "name": "Main",
+ "asn": 65521,
+ "region": "ca-central-1",
+ "features": {
+ "DNS-support": true,
+ "VPN-ECMP-support": true,
+ "Default-route-table-association": false,
+ "Default-route-table-propagation": false,
+ "Auto-accept-sharing-attachments": true
+ },
+ "route-tables": ["core", "segregated", "shared", "standalone"]
+ }
+ ]
+ }
+ },
+ "operations": {
+ "account-name": "Operations",
+ "email": "myemail+pbmmT-operations@example.com---------------------REPLACE----------------------",
+ "ou": "core",
+ "account-warming-required": true,
+ "limits": {},
+ "src-filename": "config.json",
+ "share-mad-from": "",
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ },
+ {
+ "policy-name": "PBMMAccel-RDGW-Custom-Policy",
+ "policy": "pbmmaccel-rdgw-custom-policies.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ },
+ {
+ "role": "PBMMAccel-RDGW-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy",
+ "PBMMAccel-RDGW-Custom-Policy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ },
+ {
+ "role": "PBMMAccel-Rsyslog-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "CloudWatchAgentServerPolicy",
+ "AmazonS3ReadOnlyAccess"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ },
+ "deployments": {
+ "mad": {
+ "dir-id": 1001,
+ "deploy": true,
+ "vpc-name": "Central",
+ "region": "ca-central-1",
+ "subnet": "GCWide",
+ "size": "Enterprise",
+ "dns-domain": "example.local",
+ "netbios-domain": "example",
+ "central-resolver-rule-account": "shared-network",
+ "central-resolver-rule-vpc": "Endpoint",
+ "log-group-name": "/PBMMAccel/MAD/example.local",
+ "share-to-account": "",
+ "restrict_srcips": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"],
+ "num-rdgw-hosts": 1,
+ "min-rdgw-hosts": 1,
+ "max-rdgw-hosts": 2,
+ "rdgw-max-instance-age": 30,
+ "rdgw-instance-type": "t2.large",
+ "rdgw-instance-role": "PBMMAccel-RDGW-Role",
+ "password-policies": {
+ "history": 24,
+ "max-age": 90,
+ "min-age": 1,
+ "min-len": 12,
+ "complexity": true,
+ "reversible": false,
+ "failed-attempts": 6,
+ "lockout-duration": 30,
+ "lockout-attempts-reset": 30
+ },
+ "ad-groups": ["aws-Provisioning", "aws-Billing"],
+ "ad-per-account-groups": ["*-Admin", "*-PowerUser", "*-View"],
+ "adc-group": "ADConnector-grp",
+ "ad-users": [
+ {
+ "user": "adconnector-usr",
+ "email": "myemail+pbmmT-adc-usr@example.com",
+ "groups": ["ADConnector-grp"]
+ },
+ {
+ "user": "User1",
+ "email": "myemail+pbmmT-User1@example.com",
+ "groups": ["aws-Provisioning", "*-View", "*-Admin", "*-PowerUser", "AWS Delegated Administrators"]
+ },
+ {
+ "user": "User2",
+ "email": "myemail+pbmmT-User2@example.com",
+ "groups": ["*-View"]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "RemoteDesktopGatewaySG",
+ "inbound-rules": [
+ {
+ "description": "Allow RDP Traffic Inbound",
+ "type": ["RDP"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ]
+ },
+ "rsyslog": {
+ "deploy": true,
+ "vpc-name": "Central",
+ "region": "ca-central-1",
+ "log-group-name": "rsyslog/var/log/messages",
+ "security-groups": [
+ {
+ "name": "rsyslog",
+ "inbound-rules": [
+ {
+ "description": "Allow Traffic Inbound",
+ "tcp-ports": [514],
+ "udp-ports": [514],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "app-subnets": [
+ {
+ "name": "App",
+ "az": "a"
+ },
+ {
+ "name": "App",
+ "az": "b"
+ }
+ ],
+ "web-subnets": [
+ {
+ "name": "Web",
+ "az": "a"
+ },
+ {
+ "name": "Web",
+ "az": "b"
+ }
+ ],
+ "min-rsyslog-hosts": 1,
+ "desired-rsyslog-hosts": 2,
+ "max-rsyslog-hosts": 2,
+ "ssm-image-id": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",
+ "rsyslog-instance-type": "t2.large",
+ "rsyslog-instance-role": "PBMMAccel-Rsyslog-Role",
+ "rsyslog-root-volume-size": 100,
+ "rsyslog-max-instance-age": 30
+ }
+ }
+ },
+ "perimeter": {
+ "account-name": "Perimeter",
+ "email": "myemail+pbmmT-perimeter@example.com---------------------REPLACE----------------------",
+ "ou": "core",
+ "account-warming-required": true,
+ "src-filename": "config.json",
+ "limits": {
+ "Amazon EC2/Number of EIPs": {
+ "value": 5,
+ "customer-confirm-inplace": false
+ }
+ },
+ "share-mad-from": "",
+ "budget": {
+ "name": "Perimeter Budget",
+ "period": "Monthly",
+ "amount": 2000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "certificates": [
+ {
+ "name": "PerimSelf-SignedCert",
+ "type": "import",
+ "priv-key": "certs/example1-cert.key",
+ "cert": "certs/example1-cert.crt"
+ }
+ ],
+ "alb": [
+ {
+ "name": "Public-Prod",
+ "scheme": "internet-facing",
+ "action-type": "forward",
+ "ip-type": "ipv4",
+ "listeners": "HTTPS",
+ "ports": 443,
+ "vpc": "Perimeter",
+ "subnets": "Public",
+ "cert-name": "PerimSelf-SignedCert",
+ "cert-arn": "",
+ "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
+ "security-group": "Public-Prod-ALB",
+ "tg-stickiness": "1 hour",
+ "target-alarms-notify": "AWS-Landing-Zone-Security-Notification",
+ "target-alarms-when": "Minimum",
+ "target-alarms-of": "Healthy Hosts",
+ "target-alarms-is": "<",
+ "target-alarms-Count": "2",
+ "target-alarms-for": "5",
+ "target-alarms-periods-of": "1",
+ "access-logs": true,
+ "targets": [
+ {
+ "target-name": "FG1-Web-azA",
+ "target-type": "instance",
+ "protocol": "HTTPS",
+ "port": 7001,
+ "health-check-protocol": "HTTPS",
+ "health-check-path": "/health-check",
+ "health-check-port": 7001,
+ "lambda-filename": "",
+ "target-instances": [
+ {
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "a"
+ }
+ ],
+ "tg-weight": 1
+ },
+ {
+ "target-name": "FG1-Web-azB",
+ "target-type": "instance",
+ "protocol": "HTTPS",
+ "port": 7001,
+ "health-check-protocol": "HTTPS",
+ "health-check-path": "/health-check",
+ "health-check-port": 7001,
+ "lambda-filename": "",
+ "target-instances": [
+ {
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "b"
+ }
+ ],
+ "tg-weight": 1
+ }
+ ]
+ },
+ {
+ "name": "Public-DevTest",
+ "scheme": "internet-facing",
+ "action-type": "forward",
+ "ip-type": "ipv4",
+ "listeners": "HTTPS",
+ "ports": 443,
+ "vpc": "Perimeter",
+ "subnets": "Public",
+ "cert-name": "PerimSelf-SignedCert",
+ "cert-arn": "",
+ "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
+ "security-group": "Public-DevTest-ALB",
+ "tg-stickiness": "1 hour",
+ "target-alarms-notify": "AWS-Landing-Zone-Security-Notification",
+ "target-alarms-when": "Minimum",
+ "target-alarms-of": "Healthy Hosts",
+ "target-alarms-is": "<",
+ "target-alarms-Count": "2",
+ "target-alarms-for": "5",
+ "target-alarms-periods-of": "1",
+ "access-logs": true,
+ "targets": [
+ {
+ "target-name": "FG1-Web-azA",
+ "target-type": "instance",
+ "protocol": "HTTPS",
+ "port": 7002,
+ "health-check-protocol": "HTTPS",
+ "health-check-path": "/health-check",
+ "health-check-port": 7002,
+ "lambda-filename": "",
+ "target-instances": [
+ {
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "a"
+ }
+ ],
+ "tg-weight": 1
+ },
+ {
+ "target-name": "FG1-Web-azB",
+ "target-type": "instance",
+ "protocol": "HTTPS",
+ "port": 7002,
+ "health-check-protocol": "HTTPS",
+ "health-check-path": "/health-check",
+ "health-check-port": 7002,
+ "lambda-filename": "",
+ "target-instances": [
+ {
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "b"
+ }
+ ],
+ "tg-weight": 1
+ }
+ ]
+ }
+ ],
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ },
+ {
+ "policy-name": "Firewall-Policy",
+ "policy": "firewall-fg-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ },
+ {
+ "role": "Firewall-Role",
+ "type": "ec2",
+ "policies": ["Firewall-Policy"],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ },
+ "vpc": [
+ {
+ "deploy": "local",
+ "name": "Perimeter",
+ "cidr": "10.7.4.0/22",
+ "cidr2": "100.96.250.0/23",
+ "region": "ca-central-1",
+ "use-central-endpoints": false,
+ "flow-logs": "S3",
+ "igw": true,
+ "vgw": {
+ "asn": 65522
+ },
+ "pcx": false,
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "Public",
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "Public_Shared",
+ "cidr": "100.96.250.0/26"
+ },
+ {
+ "az": "b",
+ "route-table": "Public_Shared",
+ "cidr": "100.96.250.128/26"
+ }
+ ]
+ },
+ {
+ "name": "FWMgmt",
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "FWMgmt_azA",
+ "cidr": "100.96.251.32/27"
+ },
+ {
+ "az": "b",
+ "route-table": "FWMgmt_azB",
+ "cidr": "100.96.251.160/27"
+ }
+ ]
+ },
+ {
+ "name": "Proxy",
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "Proxy_azA",
+ "cidr": "100.96.251.64/26"
+ },
+ {
+ "az": "b",
+ "route-table": "Proxy_azB",
+ "cidr": "100.96.251.192/26"
+ }
+ ]
+ },
+ {
+ "name": "OnPremise",
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "OnPremise_Shared",
+ "cidr": "100.96.250.64/26"
+ },
+ {
+ "az": "b",
+ "route-table": "OnPremise_Shared",
+ "cidr": "100.96.250.192/26"
+ }
+ ]
+ },
+ {
+ "name": "Detonation",
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "Detonation_Shared",
+ "cidr": "10.7.4.0/24"
+ },
+ {
+ "az": "b",
+ "route-table": "Detonation_Shared",
+ "cidr": "10.7.5.0/24"
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": ["s3"],
+ "route-tables": [
+ {
+ "name": "OnPremise_Shared"
+ },
+ {
+ "name": "Public_Shared",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "IGW"
+ }
+ ]
+ },
+ {
+ "name": "FWMgmt_azA",
+ "routes": [
+ {
+ "destination": "10.0.0.0/8",
+ "target": "VGW"
+ },
+ {
+ "destination": "0.0.0.0/0",
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "a",
+ "port": "OnPremise"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ }
+ ]
+ },
+ {
+ "name": "FWMgmt_azB",
+ "routes": [
+ {
+ "destination": "10.0.0.0/8",
+ "target": "VGW"
+ },
+ {
+ "destination": "0.0.0.0/0",
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "b",
+ "port": "OnPremise"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ }
+ ]
+ },
+ {
+ "name": "Proxy_azA",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "a",
+ "port": "Proxy"
+ }
+ ]
+ },
+ {
+ "name": "Proxy_azB",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "b",
+ "port": "Proxy"
+ }
+ ]
+ },
+ {
+ "name": "Detonation_Shared"
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Public-Prod-ALB",
+ "inbound-rules": [
+ {
+ "description": "TLS Traffic Inbound",
+ "type": ["HTTPS"],
+ "source": ["0.0.0.0/0"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Public-DevTest-ALB",
+ "inbound-rules": [
+ {
+ "description": "TLS Traffic Inbound",
+ "type": ["HTTPS"],
+ "source": ["0.0.0.0/0"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "FirewallMgr",
+ "inbound-rules": [
+ {
+ "description": "Allow Mgmt Traffic Inbound",
+ "tcp-ports": [22, 443, 514, 541, 2032, 3000, 5199, 6020, 6028, 8080],
+ "udp-ports": [9443],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Firewalls",
+ "inbound-rules": [
+ {
+ "description": "All Allowed Inbound Traffic",
+ "tcp-ports": [22, 443, 541, 3000, 8080],
+ "source": ["0.0.0.0/0"]
+ },
+ {
+ "description": "Mgmt Traffic, Customer Outbound traffic and ALBs",
+ "type": ["ALL"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": false,
+ "interface-endpoints": {
+ "subnet": "Proxy",
+ "endpoints": ["ssm", "ssmmessages", "ec2messages"]
+ }
+ }
+ ],
+ "deployments": {
+ "firewalls": [
+ {
+ "name": "Firewall",
+ "image-id": "ami-047aac44951feb9fb",
+ "instance-sizes": "c5n.2xlarge",
+ "region": "ca-central-1",
+ "security-group": "Firewalls",
+ "fw-instance-role": "Firewall-Role",
+ "vpc": "Perimeter",
+ "ports": [
+ {
+ "name": "Public",
+ "subnet": "Public",
+ "create-eip": true,
+ "create-cgw": true
+ },
+ {
+ "name": "OnPremise",
+ "subnet": "OnPremise",
+ "create-eip": false,
+ "create-cgw": false
+ },
+ {
+ "name": "FWMgmt",
+ "subnet": "FWMgmt",
+ "create-eip": false,
+ "create-cgw": false
+ },
+ {
+ "name": "Proxy",
+ "subnet": "Proxy",
+ "create-eip": false,
+ "create-cgw": false
+ }
+ ],
+ "license": ["firewall/license1.lic", "firewall/license2.lic"],
+ "config": "firewall/firewall-example.txt",
+ "fw-cgw-name": "Perimeter_fw",
+ "fw-cgw-asn": 65523,
+ "fw-cgw-routing": "Dynamic",
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "name": "TGW-to-Perimeter",
+ "associate-type": "VPN",
+ "tgw-rt-associate": ["core"],
+ "tgw-rt-propagate": ["core", "segregated", "shared", "standalone"],
+ "blackhole-route": false,
+ "attach-subnets": [],
+ "options": ["DNS-support"]
+ }
+ }
+ ],
+ "firewall-manager": {
+ "name": "FirewallMgr",
+ "image-id": "ami-06fa2a9e6f8fae9f2",
+ "instance-sizes": "c5.large",
+ "version": "6.2.3",
+ "region": "ca-central-1",
+ "vpc": "Perimeter",
+ "security-group": "FirewallMgr",
+ "subnet": {
+ "name": "FWMgmt",
+ "az": "a"
+ },
+ "create-eip": true
+ }
+ }
+ },
+ "master": {
+ "account-name": "primary",
+ "email": "myemail+pbmmT-master@example.com---------------------REPLACE----------------------",
+ "ou": "core",
+ "share-mad-from": "",
+ "src-filename": "config.json",
+ "budget": {
+ "name": "Organization Budget",
+ "period": "Monthly",
+ "amount": 10000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "log-retention": 180,
+ "limits": {
+ "AWS Organizations/Maximum accounts": {
+ "value": 20
+ }
+ },
+ "iam": {
+ "users": [
+ {
+ "user-ids": ["bgUser1", "bgUser2"],
+ "group": "BreakGlassAdmins",
+ "policies": ["AdministratorAccess"],
+ "boundary-policy": "Default-Boundary-Policy"
+ },
+ {
+ "user-ids": ["OpsUser1", "OpsUser2"],
+ "group": "OpsAdmins",
+ "policies": ["AdministratorAccess"],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": []
+ },
+ "vpc": [
+ {
+ "deploy": "local",
+ "name": "ForSSO",
+ "cidr": "10.249.1.0/24",
+ "region": "ca-central-1",
+ "use-central-endpoints": false,
+ "flow-logs": "S3",
+ "igw": false,
+ "vgw": false,
+ "pcx": false,
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "ForSSO",
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "ForSSO_Shared",
+ "cidr": "10.249.1.0/27"
+ },
+ {
+ "az": "b",
+ "route-table": "ForSSO_Shared",
+ "cidr": "10.249.1.32/27"
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": [],
+ "route-tables": [
+ {
+ "name": "ForSSO_Shared",
+ "routes": [
+ {
+ "destination": {
+ "account": "shared-network",
+ "vpc": "Central",
+ "subnet": "GCWide"
+ },
+ "target": "pcx"
+ }
+ ]
+ }
+ ],
+ "tgw-attach": false,
+ "interface-endpoints": false
+ }
+ ],
+ "deployments": {
+ "adc": {
+ "deploy": true,
+ "vpc-name": "ForSSO",
+ "subnet": "ForSSO",
+ "size": "Small",
+ "restrict_srcips": ["10.249.1.0/24", "100.96.252.0/23"],
+ "connect-account-key": "operations",
+ "connect-dir-id": 1001
+ }
+ }
+ },
+ "log-archive": {
+ "account-name": "log-archive",
+ "ou": "core",
+ "email": "myemail+pbmmT-log@example.com---------------------REPLACE----------------------",
+ "src-filename": "config.json"
+ },
+ "security": {
+ "account-name": "security",
+ "ou": "core",
+ "email": "myemail+pbmmT-sec@example.com---------------------REPLACE----------------------",
+ "src-filename": "config.json"
+ }
+ },
+ "workload-account-configs": {
+ "fun-acct": {
+ "account-name": "TheFunAccount",
+ "email": "myemail+pbmmT-funacct@example.com---------------------REPLACE----------------------",
+ "src-filename": "config.json",
+ "ou": "Sandbox"
+ },
+ "mydevacct1": {
+ "account-name": "MyDev1",
+ "email": "myemail+pbmmT-dev1@example.com---------------------REPLACE----------------------",
+ "src-filename": "config.json",
+ "ou": "Dev"
+ }
+ },
+ "organizational-units": {
+ "core": {
+ "type": "ignore",
+ "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
+ "default-budgets": {
+ "name": "Default Core Budget",
+ "period": "Monthly",
+ "amount": 1000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ }
+ },
+ "Central": {
+ "type": "mandatory",
+ "share-mad-from": "operations",
+ "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
+ "default-budgets": {
+ "name": "Default Central Budget",
+ "period": "Monthly",
+ "amount": 500,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "vpc": [
+ {
+ "deploy": "shared-network",
+ "name": "Central",
+ "cidr": "10.1.0.0/16",
+ "cidr2": "100.96.252.0/23",
+ "region": "ca-central-1",
+ "use-central-endpoints": true,
+ "flow-logs": "BOTH",
+ "igw": false,
+ "vgw": false,
+ "pcx": {
+ "source": "master",
+ "source-vpc": "ForSSO",
+ "source-subnets": "ForSSO",
+ "local-subnets": "GCWide"
+ },
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "TGW",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.88.0/27"
+ },
+ {
+ "az": "b",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.88.32/27"
+ },
+ {
+ "az": "d",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.88.64/27",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": ["operations"],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.32.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.128.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.192.0/20",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": ["operations"],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.0.0/19"
+ },
+ {
+ "az": "b",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.96.0/19"
+ },
+ {
+ "az": "d",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.160.0/19",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": ["operations"],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.48.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.144.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.208.0/20",
+ "disabled": true
+ }
+ ],
+ "nacls": [
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": true,
+ "cidr-blocks": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": true,
+ "cidr-blocks": ["0.0.0.0/0"]
+ },
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": false,
+ "cidr-blocks": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": false,
+ "cidr-blocks": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Mgmt",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": ["operations"],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.64.0/21"
+ },
+ {
+ "az": "b",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.72.0/21"
+ },
+ {
+ "az": "d",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.80.0/21",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "GCWide",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": ["operations"],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "CentralVPC_GCWide",
+ "cidr2": "100.96.252.0/25"
+ },
+ {
+ "az": "b",
+ "route-table": "CentralVPC_GCWide",
+ "cidr2": "100.96.252.128/25"
+ },
+ {
+ "az": "d",
+ "route-table": "CentralVPC_GCWide",
+ "cidr2": "100.96.253.0/25",
+ "disabled": true
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": ["s3", "dynamodb"],
+ "route-tables": [
+ {
+ "name": "CentralVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ },
+ {
+ "destination": "DynamoDB",
+ "target": "DynamoDB"
+ }
+ ]
+ },
+ {
+ "name": "CentralVPC_GCWide",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ },
+ {
+ "destination": "DynamoDB",
+ "target": "DynamoDB"
+ },
+ {
+ "destination": {
+ "account": "master",
+ "vpc": "ForSSO",
+ "subnet": "ForSSO"
+ },
+ "target": "pcx"
+ }
+ ]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Mgmt",
+ "inbound-rules": [
+ {
+ "description": "Mgmt RDP/SSH Traffic Inbound",
+ "type": ["RDP", "SSH"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "inbound-rules": [
+ {
+ "description": "World Web Traffic Inbound",
+ "type": ["HTTP", "HTTPS"],
+ "source": ["0.0.0.0/0"]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "inbound-rules": [
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local Web Tier Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Web"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "inbound-rules": [
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local App DB Traffic Inbound",
+ "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Data"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": ["shared"],
+ "tgw-rt-propagate": ["core", "shared", "segregated"],
+ "blackhole-route": false,
+ "attach-subnets": ["TGW"],
+ "options": ["DNS-support"]
+ },
+ "interface-endpoints": false
+ }
+ ],
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ }
+ },
+ "Dev": {
+ "type": "workload",
+ "share-mad-from": "operations",
+ "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
+ "default-budgets": {
+ "name": "Default Dev Budget",
+ "period": "Monthly",
+ "amount": 2000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "certificates": [
+ {
+ "name": "DevSelf-SignedCert",
+ "type": "import",
+ "priv-key": "certs/example1-cert.key",
+ "cert": "certs/example1-cert.crt"
+ }
+ ],
+ "alb": [
+ {
+ "name": "Core",
+ "scheme": "internal",
+ "action-type": "forward",
+ "ip-type": "ipv4",
+ "listeners": "HTTPS",
+ "ports": 443,
+ "vpc": "Dev",
+ "subnets": "Web",
+ "cert-name": "DevSelf-SignedCert",
+ "cert-arn": "",
+ "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
+ "security-group": "Web",
+ "tg-stickiness": "",
+ "access-logs": true,
+ "targets": [
+ {
+ "target-name": "health-check-Lambda",
+ "target-type": "lambda",
+ "health-check-path": "/health-check",
+ "lambda-filename": "internal-dev-alb-lambda.txt"
+ }
+ ]
+ }
+ ],
+ "vpc": [
+ {
+ "deploy": "shared-network",
+ "name": "Dev",
+ "cidr": "10.2.0.0/16",
+ "region": "ca-central-1",
+ "use-central-endpoints": true,
+ "flow-logs": "S3",
+ "igw": false,
+ "vgw": false,
+ "pcx": false,
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "TGW",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.88.0/27"
+ },
+ {
+ "az": "b",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.88.32/27"
+ },
+ {
+ "az": "d",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.88.64/27",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.32.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.128.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.192.0/20",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.0.0/19"
+ },
+ {
+ "az": "b",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.96.0/19"
+ },
+ {
+ "az": "d",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.160.0/19",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.48.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.144.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.208.0/20",
+ "disabled": true
+ }
+ ],
+ "nacls": [
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": true,
+ "cidr-blocks": [
+ {
+ "vpc": "Dev",
+ "subnet": ["Web"]
+ },
+ {
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": true,
+ "cidr-blocks": ["0.0.0.0/0"]
+ },
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": false,
+ "cidr-blocks": [
+ {
+ "vpc": "Dev",
+ "subnet": ["Web"]
+ },
+ {
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": false,
+ "cidr-blocks": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Mgmt",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.64.0/21"
+ },
+ {
+ "az": "b",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.72.0/21"
+ },
+ {
+ "az": "d",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.80.0/21",
+ "disabled": true
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": ["s3", "dynamodb"],
+ "route-tables": [
+ {
+ "name": "DevVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ },
+ {
+ "destination": "DynamoDB",
+ "target": "DynamoDB"
+ }
+ ]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Mgmt",
+ "inbound-rules": [
+ {
+ "description": "Mgmt RDP/SSH Traffic Inbound",
+ "type": ["RDP", "SSH"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "inbound-rules": [
+ {
+ "description": "World Web Traffic Inbound",
+ "type": ["HTTP", "HTTPS"],
+ "source": ["0.0.0.0/0"]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local Web Tier Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Web"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local App DB Traffic Inbound",
+ "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Data"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": ["segregated"],
+ "tgw-rt-propagate": ["core", "shared"],
+ "blackhole-route": true,
+ "attach-subnets": ["TGW"],
+ "options": ["DNS-support"]
+ },
+ "interface-endpoints": false
+ }
+ ],
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ }
+ },
+ "Test": {
+ "type": "workload",
+ "share-mad-from": "operations",
+ "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
+ "default-budgets": {
+ "name": "Default Test Budget",
+ "period": "Monthly",
+ "amount": 1000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "certificates": [
+ {
+ "name": "TestSelf-SignedCert",
+ "type": "import",
+ "priv-key": "certs/example1-cert.key",
+ "cert": "certs/example1-cert.crt"
+ }
+ ],
+ "alb": [
+ {
+ "name": "Core",
+ "scheme": "internal",
+ "action-type": "forward",
+ "ip-type": "ipv4",
+ "listeners": "HTTPS",
+ "ports": 443,
+ "vpc": "Test",
+ "subnets": "Web",
+ "cert-name": "TestSelf-SignedCert",
+ "cert-arn": "",
+ "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
+ "security-group": "Web",
+ "tg-stickiness": "",
+ "access-logs": true,
+ "targets": [
+ {
+ "target-name": "health-check-Lambda",
+ "target-type": "lambda",
+ "health-check-path": "/health-check",
+ "lambda-filename": "internal-test-alb-lambda.txt"
+ }
+ ]
+ }
+ ],
+ "vpc": [
+ {
+ "deploy": "shared-network",
+ "name": "Test",
+ "cidr": "10.3.0.0/16",
+ "region": "ca-central-1",
+ "use-central-endpoints": true,
+ "flow-logs": "CWL",
+ "igw": false,
+ "vgw": false,
+ "pcx": false,
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "TGW",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.88.0/27"
+ },
+ {
+ "az": "b",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.88.32/27"
+ },
+ {
+ "az": "d",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.88.64/27",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.32.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.128.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.192.0/20",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.0.0/19"
+ },
+ {
+ "az": "b",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.96.0/19"
+ },
+ {
+ "az": "d",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.160.0/19",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.48.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.144.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.208.0/20",
+ "disabled": true
+ }
+ ],
+ "nacls": [
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": true,
+ "cidr-blocks": [
+ {
+ "vpc": "Test",
+ "subnet": ["Web"]
+ },
+ {
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": true,
+ "cidr-blocks": ["0.0.0.0/0"]
+ },
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": false,
+ "cidr-blocks": [
+ {
+ "vpc": "Test",
+ "subnet": ["Web"]
+ },
+ {
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": false,
+ "cidr-blocks": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Mgmt",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.64.0/21"
+ },
+ {
+ "az": "b",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.72.0/21"
+ },
+ {
+ "az": "d",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.80.0/21",
+ "disabled": true
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": ["s3", "dynamodb"],
+ "route-tables": [
+ {
+ "name": "TestVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ },
+ {
+ "destination": "DynamoDB",
+ "target": "DynamoDB"
+ }
+ ]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Mgmt",
+ "inbound-rules": [
+ {
+ "description": "Mgmt RDP/SSH Traffic Inbound",
+ "type": ["RDP", "SSH"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "inbound-rules": [
+ {
+ "description": "World Web Traffic Inbound",
+ "type": ["HTTP", "HTTPS"],
+ "source": ["0.0.0.0/0"]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local Web Tier Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Web"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local App DB Traffic Inbound",
+ "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Data"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": ["segregated"],
+ "tgw-rt-propagate": ["core", "shared"],
+ "blackhole-route": true,
+ "attach-subnets": ["TGW"],
+ "options": ["DNS-support"]
+ },
+ "interface-endpoints": false
+ }
+ ],
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ }
+ },
+ "Prod": {
+ "type": "workload",
+ "share-mad-from": "operations",
+ "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
+ "default-budgets": {
+ "name": "Default Prod Budget",
+ "period": "Monthly",
+ "amount": 1000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "certificates": [
+ {
+ "name": "ProdSelf-SignedCert",
+ "type": "import",
+ "priv-key": "certs/example1-cert.key",
+ "cert": "certs/example1-cert.crt"
+ }
+ ],
+ "alb": [
+ {
+ "name": "Core",
+ "scheme": "internal",
+ "action-type": "forward",
+ "ip-type": "ipv4",
+ "listeners": "HTTPS",
+ "ports": 443,
+ "vpc": "Prod",
+ "subnets": "Web",
+ "cert-name": "ProdSelf-SignedCert",
+ "cert-arn": "",
+ "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
+ "security-group": "Web",
+ "tg-stickiness": "",
+ "access-logs": true,
+ "targets": [
+ {
+ "target-name": "health-check-Lambda",
+ "target-type": "lambda",
+ "health-check-path": "/health-check",
+ "lambda-filename": "internal-prod-alb-lambda.txt"
+ }
+ ]
+ }
+ ],
+ "vpc": [
+ {
+ "deploy": "shared-network",
+ "name": "Prod",
+ "cidr": "10.4.0.0/16",
+ "region": "ca-central-1",
+ "use-central-endpoints": true,
+ "flow-logs": "CWL",
+ "igw": false,
+ "vgw": false,
+ "pcx": false,
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "TGW",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.88.0/27"
+ },
+ {
+ "az": "b",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.88.32/27"
+ },
+ {
+ "az": "d",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.88.64/27",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.32.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.128.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.192.0/20",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.0.0/19"
+ },
+ {
+ "az": "b",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.96.0/19"
+ },
+ {
+ "az": "d",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.160.0/19",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.48.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.144.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.208.0/20",
+ "disabled": true
+ }
+ ],
+ "nacls": [
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": true,
+ "cidr-blocks": [
+ {
+ "vpc": "Prod",
+ "subnet": ["Web"]
+ },
+ {
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": true,
+ "cidr-blocks": ["0.0.0.0/0"]
+ },
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": false,
+ "cidr-blocks": [
+ {
+ "vpc": "Prod",
+ "subnet": ["Web"]
+ },
+ {
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": false,
+ "cidr-blocks": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Mgmt",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.64.0/21"
+ },
+ {
+ "az": "b",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.72.0/21"
+ },
+ {
+ "az": "d",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.80.0/21",
+ "disabled": true
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": ["s3", "dynamodb"],
+ "route-tables": [
+ {
+ "name": "ProdVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ },
+ {
+ "destination": "DynamoDB",
+ "target": "DynamoDB"
+ }
+ ]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Mgmt",
+ "inbound-rules": [
+ {
+ "description": "Mgmt RDP/SSH Traffic Inbound",
+ "type": ["RDP", "SSH"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "inbound-rules": [
+ {
+ "description": "World Web Traffic Inbound",
+ "type": ["HTTP", "HTTPS"],
+ "source": ["0.0.0.0/0"]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local Web Tier Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Web"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local App DB Traffic Inbound",
+ "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Data"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": ["segregated"],
+ "tgw-rt-propagate": ["core", "shared"],
+ "blackhole-route": true,
+ "attach-subnets": ["TGW"],
+ "options": ["DNS-support"]
+ },
+ "interface-endpoints": false
+ }
+ ],
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ }
+ },
+ "UnClass": {
+ "type": "workload",
+ "share-mad-from": "operations",
+ "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-Unclass-Only"],
+ "default-budgets": {
+ "name": "Default Unclass Budget",
+ "period": "Monthly",
+ "amount": 1000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "vpc": [
+ {
+ "deploy": "shared-network",
+ "name": "UnClass",
+ "cidr": "10.5.0.0/16",
+ "region": "ca-central-1",
+ "use-central-endpoints": true,
+ "flow-logs": "S3",
+ "igw": false,
+ "vgw": false,
+ "pcx": false,
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "TGW",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.88.0/27"
+ },
+ {
+ "az": "b",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.88.32/27"
+ },
+ {
+ "az": "d",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.88.64/27",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.32.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.128.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.192.0/20",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.0.0/19"
+ },
+ {
+ "az": "b",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.96.0/19"
+ },
+ {
+ "az": "d",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.160.0/19",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.48.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.144.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.208.0/20",
+ "disabled": true
+ }
+ ],
+ "nacls": [
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": true,
+ "cidr-blocks": [
+ {
+ "vpc": "UnClass",
+ "subnet": ["Web"]
+ },
+ {
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": true,
+ "cidr-blocks": ["0.0.0.0/0"]
+ },
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": false,
+ "cidr-blocks": [
+ {
+ "vpc": "UnClass",
+ "subnet": ["Web"]
+ },
+ {
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": false,
+ "cidr-blocks": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Mgmt",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.64.0/21"
+ },
+ {
+ "az": "b",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.72.0/21"
+ },
+ {
+ "az": "d",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.80.0/21",
+ "disabled": true
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": ["s3", "dynamodb"],
+ "route-tables": [
+ {
+ "name": "UnClassVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ },
+ {
+ "destination": "DynamoDB",
+ "target": "DynamoDB"
+ }
+ ]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Mgmt",
+ "inbound-rules": [
+ {
+ "description": "Mgmt RDP/SSH Traffic Inbound",
+ "type": ["RDP", "SSH"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "inbound-rules": [
+ {
+ "description": "World Web Traffic Inbound",
+ "type": ["HTTP", "HTTPS"],
+ "source": ["0.0.0.0/0"]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local Web Tier Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Web"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local App DB Traffic Inbound",
+ "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Data"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": ["segregated"],
+ "tgw-rt-propagate": ["core", "shared"],
+ "blackhole-route": true,
+ "attach-subnets": ["TGW"],
+ "options": ["DNS-support"]
+ },
+ "interface-endpoints": false
+ }
+ ],
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ }
+ },
+ "Sandbox": {
+ "type": "workload",
+ "share-mad-from": "",
+ "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-Unclass-Only"],
+ "default-budgets": {
+ "name": "Default Sandbox Budget",
+ "period": "Monthly",
+ "amount": 200,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "vpc": [
+ {
+ "deploy": "local",
+ "name": "Sandbox",
+ "cidr": "10.6.0.0/16",
+ "region": "ca-central-1",
+ "use-central-endpoints": false,
+ "flow-logs": "BOTH",
+ "igw": true,
+ "vgw": false,
+ "pcx": false,
+ "natgw": {
+ "subnet": {
+ "name": "Web",
+ "az": "a"
+ }
+ },
+ "subnets": [
+ {
+ "name": "Web",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "SandboxVPC_IGW",
+ "cidr": "10.6.32.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "SandboxVPC_IGW",
+ "cidr": "10.6.128.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "SandboxVPC_IGW",
+ "cidr": "10.6.192.0/20",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.0.0/19"
+ },
+ {
+ "az": "b",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.96.0/19"
+ },
+ {
+ "az": "d",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.160.0/19",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.48.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.144.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.208.0/20",
+ "disabled": true
+ }
+ ],
+ "nacls": [
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": true,
+ "cidr-blocks": [
+ {
+ "vpc": "Sandbox",
+ "subnet": ["Web"]
+ },
+ {
+ "account": "shared-network",
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": true,
+ "cidr-blocks": ["0.0.0.0/0"]
+ },
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": false,
+ "cidr-blocks": [
+ {
+ "vpc": "Sandbox",
+ "subnet": ["Web"]
+ },
+ {
+ "account": "shared-network",
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": false,
+ "cidr-blocks": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Mgmt",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.64.0/21"
+ },
+ {
+ "az": "b",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.72.0/21"
+ },
+ {
+ "az": "d",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.80.0/21",
+ "disabled": true
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": [],
+ "route-tables": [
+ {
+ "name": "SandboxVPC_IGW",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "IGW"
+ }
+ ]
+ },
+ {
+ "name": "SandboxVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "NATGW_Web_azA"
+ }
+ ]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Mgmt",
+ "inbound-rules": [
+ {
+ "description": "Mgmt RDP/SSH Traffic Inbound",
+ "type": ["RDP", "SSH"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "inbound-rules": [
+ {
+ "description": "World Web Traffic Inbound",
+ "type": ["HTTP", "HTTPS"],
+ "source": ["0.0.0.0/0"]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "inbound-rules": [
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local Web Tier Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Web"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "inbound-rules": [
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local App DB Traffic Inbound",
+ "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Data"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": false,
+ "interface-endpoints": false
+ }
+ ],
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/reference-artifacts/config-pbmm-standalone-lite.json b/reference-artifacts/config-pbmm-standalone-lite.json
index a38c350e0..4dea18b0c 100644
--- a/reference-artifacts/config-pbmm-standalone-lite.json
+++ b/reference-artifacts/config-pbmm-standalone-lite.json
@@ -1,3514 +1,3514 @@
-{
- "global-options": {
- "alz-minimum-version": "v2.3.1",
- "alz-baseline": false,
- "ct-baseline": false,
- "central-log-retention": 730,
- "default-log-retention": 90,
- "central-bucket": "AWSDOC-EXAMPLE-BUCKET",
- "organization-admin-role": "OrganizationAccountAccessRole",
- "default-cwl-retention": 731,
- "workloadaccounts-suffix" : 1,
- "workloadaccounts-prefix" : "config",
- "workloadaccounts-param-filename": "config.json",
- "ignored-ous": [],
- "supported-regions": [
- "ap-northeast-1",
- "ap-northeast-2",
- "ap-south-1",
- "ap-southeast-1",
- "ap-southeast-2",
- "ca-central-1",
- "eu-central-1",
- "eu-north-1",
- "eu-west-1",
- "eu-west-2",
- "eu-west-3",
- "sa-east-1",
- "us-east-1",
- "us-east-2",
- "us-west-1",
- "us-west-2"
- ],
- "keep-default-vpc-regions": [],
- "aws-org-master": {
- "account": "master",
- "region": "ca-central-1"
- },
- "central-security-services": {
- "account": "security",
- "region": "ca-central-1",
- "security-hub": true,
- "security-hub-excl-regions": [],
- "guardduty": true,
- "guardduty-excl-regions": [],
- "cwl": true,
- "access-analyzer": true,
- "config-excl-regions": [],
- "config-aggr-excl-regions": [],
- "macie": true,
- "macie-excl-regions": [],
- "macie-frequency": "FIFTEEN_MINUTES"
- },
- "central-operations-services": {
- "account": "operations",
- "region": "ca-central-1",
- "cwl": true,
- "cwl-access-level": "full"
- },
- "central-log-services": {
- "account": "log-archive",
- "region": "ca-central-1",
- "cwl-glbl-exclusions": [],
- "cwl-exclusions": [],
- "ssm-to-s3": true,
- "ssm-to-cwl": true
- },
- "reports": {
- "cost-and-usage-report": {
- "additional-schema-elements": ["RESOURCES"],
- "compression": "Parquet",
- "format": "Parquet",
- "report-name": "Cost-and-Usage-Report",
- "s3-prefix": "cur",
- "time-unit": "HOURLY",
- "additional-artifacts": ["ATHENA"],
- "refresh-closed-reports": true,
- "report-versioning": "OVERWRITE_REPORT"
- }
- },
- "zones": {
- "account": "shared-network",
- "resolver-vpc": "Endpoint",
- "names": {
- "public": ["dept.cloud-nuage.canada.ca"],
- "private": ["dept.cloud-nuage.gc.ca"]
- }
- },
- "vpc-flow-logs": {
- "filter": "ALL",
- "interval": 60,
- "default-format": false,
- "custom-fields": [
- "version",
- "account-id",
- "interface-id",
- "srcaddr",
- "dstaddr",
- "srcport",
- "dstport",
- "protocol",
- "packets",
- "bytes",
- "start",
- "end",
- "action",
- "log-status",
- "vpc-id",
- "subnet-id",
- "instance-id",
- "tcp-flags",
- "type",
- "pkt-srcaddr",
- "pkt-dstaddr",
- "region",
- "az-id"
- ]
- },
- "security-hub-frameworks": {
- "standards": [
- {
- "name": "AWS Foundational Security Best Practices v1.0.0",
- "controls-to-disable": ["IAM.1"]
- },
- {
- "name": "PCI DSS v3.2.1",
- "controls-to-disable": ["PCI.IAM.3", "PCI.KMS.1", "PCI.S3.3", "PCI.EC2.3", "PCI.Lambda.2"]
- },
- {
- "name": "CIS AWS Foundations Benchmark v1.2.0",
- "controls-to-disable": ["CIS.1.20", "CIS.1.22", "CIS.2.8"]
- }
- ]
- },
- "iam-password-policies": {
- "allow-users-to-change-password": true,
- "hard-expiry": false,
- "require-uppercase-characters": true,
- "require-lowercase-characters": true,
- "require-symbols": true,
- "require-numbers": true,
- "minimum-password-length": 14,
- "password-reuse-prevention": 24,
- "max-password-age": 90
- },
- "scps": [
- {
- "name": "ALZ-Core",
- "description": "ALZ Core Preventive Guardrails",
- "policy": "aws-landing-zone-core-mandatory-preventive-guardrails-Accel.json"
- },
- {
- "name": "ALZ-Non-Core",
- "description": "ALZ Non-core Preventive Guardrails",
- "policy": "aws-landing-zone-non-core-mandatory-preventive-guardrails-Accel.json"
- },
- {
- "name": "Guardrails-Part-1",
- "description": "PBMMAccel Guardrails Part 1",
- "policy": "PBMMAccel-Guardrails-Part1.json"
- },
- {
- "name": "Guardrails-Part-2",
- "description": "PBMMAccel Guardrails Part 2",
- "policy": "PBMMAccel-Guardrails-Part2.json"
- },
- {
- "name": "Guardrails-PBMM-Only",
- "description": "PBMMAccel Guardrails PBMM Environment Specific",
- "policy": "PBMMAccel-Guardrails-PBMM-Only.json"
- },
- {
- "name": "Guardrails-Unclass-Only",
- "description": "PBMMAccel Guardrails Unclassified Environment Specific",
- "policy": "PBMMAccel-Guardrails-Unclass-Only.json"
- },
- {
- "name": "Quarantine-New-Object",
- "description": "PBMM Quarantine policy - Apply to ACCOUNTS that need to be quarantined",
- "policy": "Quarantine-New-Object.json"
- }
- ]
- },
- "mandatory-account-configs": {
- "shared-network": {
- "account-name": "SharedNetwork",
- "email": "myemail+pbmmT-network@example.com---------------------REPLACE----------------------",
- "ou": "core",
- "share-mad-from": "operations",
- "src-filename": "config.json",
- "budget": {
- "name": "SharedNetwork Budget",
- "period": "Monthly",
- "amount": 2000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- },
- "limits": {
- "Amazon VPC/Interface VPC endpoints per VPC": {
- "value": 90,
- "customer-confirm-inplace": false
- },
- "Amazon VPC/VPCs per Region": {
- "value": 15
- }
- },
- "vpc": [
- {
- "deploy": "local",
- "name": "Endpoint",
- "cidr": "10.7.0.0/22",
- "region": "ca-central-1",
- "use-central-endpoints": false,
- "flow-logs": "S3",
- "igw": false,
- "vgw": false,
- "pcx": false,
- "natgw": false,
- "subnets": [
- {
- "name": "Endpoint",
- "definitions": [
- {
- "az": "a",
- "route-table": "EndpointVPC_Common",
- "cidr": "10.7.0.0/24"
- },
- {
- "az": "b",
- "route-table": "EndpointVPC_Common",
- "cidr": "10.7.1.0/24"
- }
- ]
- }
- ],
- "gateway-endpoints": [],
- "route-tables": [
- {
- "name": "EndpointVPC_Common",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "TGW"
- }
- ]
- }
- ],
- "tgw-attach": {
- "associate-to-tgw": "Main",
- "account": "shared-network",
- "associate-type": "ATTACH",
- "tgw-rt-associate": ["core"],
- "tgw-rt-propagate": ["core", "segregated", "shared", "standalone"],
- "blackhole-route": false,
- "attach-subnets": ["Endpoint"],
- "options": ["DNS-support"]
- },
- "interface-endpoints": {
- "subnet": "Endpoint",
- "endpoints": [
- "ec2",
- "ec2messages",
- "ssm",
- "ssmmessages",
- "secretsmanager"
- ]
- },
- "resolvers": {
- "subnet": "Endpoint",
- "outbound": true,
- "inbound": true
- },
- "on-premise-rules": [
- {
- "zone": "dept-private.gc.ca",
- "outbound-ips": ["10.254.254.1", "10.254.253.1"]
- },
- {
- "zone": "private-domain1.example.ca",
- "outbound-ips": ["10.254.254.1", "10.254.253.1"]
- }
- ]
- }
- ],
- "deployments": {
- "tgw": [
- {
- "name": "Main",
- "asn": 65521,
- "region": "ca-central-1",
- "features": {
- "DNS-support": true,
- "VPN-ECMP-support": true,
- "Default-route-table-association": false,
- "Default-route-table-propagation": false,
- "Auto-accept-sharing-attachments": true
- },
- "route-tables": ["core", "segregated", "shared", "standalone"]
- }
- ]
- }
- },
- "operations": {
- "account-name": "Operations",
- "email": "myemail+pbmmT-operations@example.com---------------------REPLACE----------------------",
- "ou": "core",
- "account-warming-required": true,
- "limits": {},
- "src-filename": "config.json",
- "share-mad-from": "",
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- },
- {
- "policy-name": "PBMMAccel-RDGW-Custom-Policy",
- "policy": "pbmmaccel-rdgw-custom-policies.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- },
- {
- "role": "PBMMAccel-RDGW-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy",
- "PBMMAccel-RDGW-Custom-Policy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- },
- {
- "role": "PBMMAccel-Rsyslog-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "CloudWatchAgentServerPolicy",
- "AmazonS3ReadOnlyAccess"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- },
- "deployments": {
- "mad": {
- "dir-id": 1001,
- "deploy": true,
- "vpc-name": "Central",
- "region": "ca-central-1",
- "subnet": "GCWide",
- "size": "Enterprise",
- "dns-domain": "example.local",
- "netbios-domain": "example",
- "central-resolver-rule-account": "shared-network",
- "central-resolver-rule-vpc": "Endpoint",
- "log-group-name": "/PBMMAccel/MAD/example.local",
- "share-to-account": "",
- "restrict_srcips": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"],
- "num-rdgw-hosts": 1,
- "min-rdgw-hosts": 1,
- "max-rdgw-hosts": 2,
- "rdgw-max-instance-age": 30,
- "rdgw-instance-type": "t2.large",
- "rdgw-instance-role": "PBMMAccel-RDGW-Role",
- "password-policies": {
- "history": 24,
- "max-age": 90,
- "min-age": 1,
- "min-len": 12,
- "complexity": true,
- "reversible": false,
- "failed-attempts": 6,
- "lockout-duration": 30,
- "lockout-attempts-reset": 30
- },
- "ad-groups": ["aws-Provisioning", "aws-Billing"],
- "ad-per-account-groups": ["*-Admin", "*-PowerUser", "*-View"],
- "adc-group": "ADConnector-grp",
- "ad-users": [
- {
- "user": "adconnector-usr",
- "email": "myemail+pbmmT-adc-usr@example.com",
- "groups": ["ADConnector-grp"]
- },
- {
- "user": "User1",
- "email": "myemail+pbmmT-User1@example.com",
- "groups": ["aws-Provisioning", "*-View", "*-Admin", "*-PowerUser", "AWS Delegated Administrators"]
- },
- {
- "user": "User2",
- "email": "myemail+pbmmT-User2@example.com",
- "groups": ["*-View"]
- }
- ],
- "security-groups": [
- {
- "name": "RemoteDesktopGatewaySG",
- "inbound-rules": [
- {
- "description": "Allow RDP Traffic Inbound",
- "type": ["RDP"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ]
- },
- "rsyslog": {
- "deploy": true,
- "vpc-name": "Central",
- "region": "ca-central-1",
- "log-group-name": "rsyslog/var/log/messages",
- "security-groups": [
- {
- "name": "rsyslog",
- "inbound-rules": [
- {
- "description": "Allow Traffic Inbound",
- "tcp-ports": [514],
- "udp-ports": [514],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "app-subnets": [
- {
- "name": "App",
- "az": "a"
- },
- {
- "name": "App",
- "az": "b"
- }
- ],
- "web-subnets": [
- {
- "name": "Web",
- "az": "a"
- },
- {
- "name": "Web",
- "az": "b"
- }
- ],
- "min-rsyslog-hosts": 1,
- "desired-rsyslog-hosts": 2,
- "max-rsyslog-hosts": 2,
- "ssm-image-id": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",
- "rsyslog-instance-type": "t2.large",
- "rsyslog-instance-role": "PBMMAccel-Rsyslog-Role",
- "rsyslog-root-volume-size": 100,
- "rsyslog-max-instance-age": 30
- }
- }
- },
- "perimeter": {
- "account-name": "Perimeter",
- "email": "myemail+pbmmT-perimeter@example.com---------------------REPLACE----------------------",
- "ou": "core",
- "account-warming-required": true,
- "src-filename": "config.json",
- "limits": {
- "Amazon EC2/Number of EIPs": {
- "value": 5,
- "customer-confirm-inplace": false
- }
- },
- "share-mad-from": "",
- "budget": {
- "name": "Perimeter Budget",
- "period": "Monthly",
- "amount": 2000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "certificates": [
- {
- "name": "PerimSelf-SignedCert",
- "type": "import",
- "priv-key": "certs/example1-cert.key",
- "cert": "certs/example1-cert.crt"
- }
- ],
- "alb": [
- {
- "name": "Public-Prod",
- "scheme": "internet-facing",
- "action-type": "forward",
- "ip-type": "ipv4",
- "listeners": "HTTPS",
- "ports": 443,
- "vpc": "Perimeter",
- "subnets": "Public",
- "cert-name": "PerimSelf-SignedCert",
- "cert-arn": "",
- "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
- "security-group": "Public-Prod-ALB",
- "tg-stickiness": "1 hour",
- "target-alarms-notify": "AWS-Landing-Zone-Security-Notification",
- "target-alarms-when": "Minimum",
- "target-alarms-of": "Healthy Hosts",
- "target-alarms-is": "<",
- "target-alarms-Count": "2",
- "target-alarms-for": "5",
- "target-alarms-periods-of": "1",
- "access-logs": true,
- "targets": [
- {
- "target-name": "FG1-Web-azA",
- "target-type": "instance",
- "protocol": "HTTPS",
- "port": 7001,
- "health-check-protocol": "HTTPS",
- "health-check-path": "/health-check",
- "health-check-port": 7001,
- "lambda-filename": "",
- "target-instances": [
- {
- "target": "firewall",
- "name": "Firewall",
- "az": "a"
- }
- ],
- "tg-weight": 1
- },
- {
- "target-name": "FG1-Web-azB",
- "target-type": "instance",
- "protocol": "HTTPS",
- "port": 7001,
- "health-check-protocol": "HTTPS",
- "health-check-path": "/health-check",
- "health-check-port": 7001,
- "lambda-filename": "",
- "target-instances": [
- {
- "target": "firewall",
- "name": "Firewall",
- "az": "b"
- }
- ],
- "tg-weight": 1
- }
- ]
- },
- {
- "name": "Public-DevTest",
- "scheme": "internet-facing",
- "action-type": "forward",
- "ip-type": "ipv4",
- "listeners": "HTTPS",
- "ports": 443,
- "vpc": "Perimeter",
- "subnets": "Public",
- "cert-name": "PerimSelf-SignedCert",
- "cert-arn": "",
- "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
- "security-group": "Public-DevTest-ALB",
- "tg-stickiness": "1 hour",
- "target-alarms-notify": "AWS-Landing-Zone-Security-Notification",
- "target-alarms-when": "Minimum",
- "target-alarms-of": "Healthy Hosts",
- "target-alarms-is": "<",
- "target-alarms-Count": "2",
- "target-alarms-for": "5",
- "target-alarms-periods-of": "1",
- "access-logs": true,
- "targets": [
- {
- "target-name": "FG1-Web-azA",
- "target-type": "instance",
- "protocol": "HTTPS",
- "port": 7002,
- "health-check-protocol": "HTTPS",
- "health-check-path": "/health-check",
- "health-check-port": 7002,
- "lambda-filename": "",
- "target-instances": [
- {
- "target": "firewall",
- "name": "Firewall",
- "az": "a"
- }
- ],
- "tg-weight": 1
- },
- {
- "target-name": "FG1-Web-azB",
- "target-type": "instance",
- "protocol": "HTTPS",
- "port": 7002,
- "health-check-protocol": "HTTPS",
- "health-check-path": "/health-check",
- "health-check-port": 7002,
- "lambda-filename": "",
- "target-instances": [
- {
- "target": "firewall",
- "name": "Firewall",
- "az": "b"
- }
- ],
- "tg-weight": 1
- }
- ]
- }
- ],
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- },
- {
- "policy-name": "Firewall-Policy",
- "policy": "firewall-fg-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- },
- {
- "role": "Firewall-Role",
- "type": "ec2",
- "policies": ["Firewall-Policy"],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- },
- "vpc": [
- {
- "deploy": "local",
- "name": "Perimeter",
- "cidr": "10.7.4.0/22",
- "cidr2": "100.96.250.0/23",
- "region": "ca-central-1",
- "use-central-endpoints": false,
- "flow-logs": "S3",
- "igw": true,
- "vgw": {
- "asn": 65522
- },
- "pcx": false,
- "natgw": false,
- "subnets": [
- {
- "name": "Public",
- "definitions": [
- {
- "az": "a",
- "route-table": "Public_Shared",
- "cidr": "100.96.250.0/26"
- },
- {
- "az": "b",
- "route-table": "Public_Shared",
- "cidr": "100.96.250.128/26"
- }
- ]
- },
- {
- "name": "FWMgmt",
- "definitions": [
- {
- "az": "a",
- "route-table": "FWMgmt_azA",
- "cidr": "100.96.251.32/27"
- },
- {
- "az": "b",
- "route-table": "FWMgmt_azB",
- "cidr": "100.96.251.160/27"
- }
- ]
- },
- {
- "name": "Proxy",
- "definitions": [
- {
- "az": "a",
- "route-table": "Proxy_azA",
- "cidr": "100.96.251.64/26"
- },
- {
- "az": "b",
- "route-table": "Proxy_azB",
- "cidr": "100.96.251.192/26"
- }
- ]
- },
- {
- "name": "OnPremise",
- "definitions": [
- {
- "az": "a",
- "route-table": "OnPremise_Shared",
- "cidr": "100.96.250.64/26"
- },
- {
- "az": "b",
- "route-table": "OnPremise_Shared",
- "cidr": "100.96.250.192/26"
- }
- ]
- },
- {
- "name": "Detonation",
- "definitions": [
- {
- "az": "a",
- "route-table": "Detonation_Shared",
- "cidr": "10.7.4.0/24"
- },
- {
- "az": "b",
- "route-table": "Detonation_Shared",
- "cidr": "10.7.5.0/24"
- }
- ]
- }
- ],
- "gateway-endpoints": ["s3"],
- "route-tables": [
- {
- "name": "OnPremise_Shared"
- },
- {
- "name": "Public_Shared",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "IGW"
- }
- ]
- },
- {
- "name": "FWMgmt_azA",
- "routes": [
- {
- "destination": "10.0.0.0/8",
- "target": "VGW"
- },
- {
- "destination": "0.0.0.0/0",
- "target": "firewall",
- "name": "Firewall",
- "az": "a",
- "port": "OnPremise"
- },
- {
- "destination": "s3",
- "target": "s3"
- }
- ]
- },
- {
- "name": "FWMgmt_azB",
- "routes": [
- {
- "destination": "10.0.0.0/8",
- "target": "VGW"
- },
- {
- "destination": "0.0.0.0/0",
- "target": "firewall",
- "name": "Firewall",
- "az": "b",
- "port": "OnPremise"
- },
- {
- "destination": "s3",
- "target": "s3"
- }
- ]
- },
- {
- "name": "Proxy_azA",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "firewall",
- "name": "Firewall",
- "az": "a",
- "port": "Proxy"
- }
- ]
- },
- {
- "name": "Proxy_azB",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "firewall",
- "name": "Firewall",
- "az": "b",
- "port": "Proxy"
- }
- ]
- },
- {
- "name": "Detonation_Shared"
- }
- ],
- "security-groups": [
- {
- "name": "Public-Prod-ALB",
- "inbound-rules": [
- {
- "description": "TLS Traffic Inbound",
- "type": ["HTTPS"],
- "source": ["0.0.0.0/0"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Public-DevTest-ALB",
- "inbound-rules": [
- {
- "description": "TLS Traffic Inbound",
- "type": ["HTTPS"],
- "source": ["0.0.0.0/0"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "FirewallMgr",
- "inbound-rules": [
- {
- "description": "Allow Mgmt Traffic Inbound",
- "tcp-ports": [22, 443, 514, 541, 2032, 3000, 5199, 6020, 6028, 8080],
- "udp-ports": [9443],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Firewalls",
- "inbound-rules": [
- {
- "description": "All Allowed Inbound Traffic",
- "tcp-ports": [22, 443, 541, 3000, 8080],
- "source": ["0.0.0.0/0"]
- },
- {
- "description": "Mgmt Traffic, Customer Outbound traffic and ALBs",
- "type": ["ALL"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "tgw-attach": false,
- "interface-endpoints": {
- "subnet": "Proxy",
- "endpoints": ["ssm", "ssmmessages", "ec2messages"]
- }
- }
- ],
- "deployments": {
- "firewalls": [
- {
- "name": "Firewall",
- "image-id": "ami-047aac44951feb9fb",
- "instance-sizes": "c5n.xlarge",
- "region": "ca-central-1",
- "security-group": "Firewalls",
- "fw-instance-role": "Firewall-Role",
- "vpc": "Perimeter",
- "ports": [
- {
- "name": "Public",
- "subnet": "Public",
- "create-eip": true,
- "create-cgw": true
- },
- {
- "name": "OnPremise",
- "subnet": "OnPremise",
- "create-eip": false,
- "create-cgw": false
- },
- {
- "name": "FWMgmt",
- "subnet": "FWMgmt",
- "create-eip": false,
- "create-cgw": false
- },
- {
- "name": "Proxy",
- "subnet": "Proxy",
- "create-eip": false,
- "create-cgw": false
- }
- ],
- "license": ["firewall/license1.lic", "firewall/license2.lic"],
- "config": "firewall/firewall-example.txt",
- "fw-cgw-name": "Perimeter_fw",
- "fw-cgw-asn": 65523,
- "fw-cgw-routing": "Dynamic",
- "tgw-attach": {
- "associate-to-tgw": "Main",
- "account": "shared-network",
- "name": "TGW-to-Perimeter",
- "associate-type": "VPN",
- "tgw-rt-associate": ["core"],
- "tgw-rt-propagate": ["core", "segregated", "shared", "standalone"],
- "blackhole-route": false,
- "attach-subnets": [],
- "options": ["DNS-support"]
- }
- }
- ],
- "firewall-manager": {
- "name": "FirewallMgr",
- "image-id": "ami-06fa2a9e6f8fae9f2",
- "instance-sizes": "c5.large",
- "version": "6.2.3",
- "region": "ca-central-1",
- "vpc": "Perimeter",
- "security-group": "FirewallMgr",
- "subnet": {
- "name": "FWMgmt",
- "az": "a"
- },
- "create-eip": true
- }
- }
- },
- "master": {
- "account-name": "primary",
- "email": "myemail+pbmmT-master@example.com---------------------REPLACE----------------------",
- "ou": "core",
- "share-mad-from": "",
- "src-filename": "config.json",
- "budget": {
- "name": "Organization Budget",
- "period": "Monthly",
- "amount": 10000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "log-retention": 180,
- "limits": {
- "AWS Organizations/Maximum accounts": {
- "value": 20
- }
- },
- "iam": {
- "users": [
- {
- "user-ids": ["bgUser1", "bgUser2"],
- "group": "BreakGlassAdmins",
- "policies": ["AdministratorAccess"],
- "boundary-policy": "Default-Boundary-Policy"
- },
- {
- "user-ids": ["OpsUser1", "OpsUser2"],
- "group": "OpsAdmins",
- "policies": ["AdministratorAccess"],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": []
- },
- "vpc": [
- {
- "deploy": "local",
- "name": "ForSSO",
- "cidr": "10.249.1.0/24",
- "region": "ca-central-1",
- "use-central-endpoints": false,
- "flow-logs": "S3",
- "igw": false,
- "vgw": false,
- "pcx": false,
- "natgw": false,
- "subnets": [
- {
- "name": "ForSSO",
- "definitions": [
- {
- "az": "a",
- "route-table": "ForSSO_Shared",
- "cidr": "10.249.1.0/27"
- },
- {
- "az": "b",
- "route-table": "ForSSO_Shared",
- "cidr": "10.249.1.32/27"
- }
- ]
- }
- ],
- "gateway-endpoints": [],
- "route-tables": [
- {
- "name": "ForSSO_Shared",
- "routes": [
- {
- "destination": {
- "account": "shared-network",
- "vpc": "Central",
- "subnet": "GCWide"
- },
- "target": "pcx"
- }
- ]
- }
- ],
- "tgw-attach": false,
- "interface-endpoints": false
- }
- ],
- "deployments": {
- "adc": {
- "deploy": true,
- "vpc-name": "ForSSO",
- "subnet": "ForSSO",
- "size": "Small",
- "restrict_srcips": ["10.249.1.0/24", "100.96.252.0/23"],
- "connect-account-key": "operations",
- "connect-dir-id": 1001
- }
- }
- },
- "log-archive": {
- "account-name": "log-archive",
- "ou": "core",
- "email": "myemail+pbmmT-log@example.com---------------------REPLACE----------------------",
- "src-filename": "config.json"
- },
- "security": {
- "account-name": "security",
- "ou": "core",
- "email": "myemail+pbmmT-sec@example.com---------------------REPLACE----------------------",
- "src-filename": "config.json"
- }
- },
- "workload-account-configs": {
- "fun-acct": {
- "account-name": "TheFunAccount",
- "email": "myemail+pbmmT-funacct@example.com---------------------REPLACE----------------------",
- "src-filename": "config.json",
- "ou": "Sandbox"
- },
- "mydevacct1": {
- "account-name": "MyDev1",
- "email": "myemail+pbmmT-dev1@example.com---------------------REPLACE----------------------",
- "src-filename": "config.json",
- "ou": "Dev"
- }
- },
- "organizational-units": {
- "core": {
- "type": "ignore",
- "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
- "default-budgets": {
- "name": "Default Core Budget",
- "period": "Monthly",
- "amount": 1000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- }
- },
- "Central": {
- "type": "mandatory",
- "share-mad-from": "operations",
- "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
- "default-budgets": {
- "name": "Default Central Budget",
- "period": "Monthly",
- "amount": 500,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "vpc": [
- {
- "deploy": "shared-network",
- "name": "Central",
- "cidr": "10.1.0.0/16",
- "cidr2": "100.96.252.0/23",
- "region": "ca-central-1",
- "use-central-endpoints": true,
- "flow-logs": "BOTH",
- "igw": false,
- "vgw": false,
- "pcx": {
- "source": "master",
- "source-vpc": "ForSSO",
- "source-subnets": "ForSSO",
- "local-subnets": "GCWide"
- },
- "natgw": false,
- "subnets": [
- {
- "name": "TGW",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.88.0/27"
- },
- {
- "az": "b",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.88.32/27"
- },
- {
- "az": "d",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.88.64/27",
- "disabled": true
- }
- ]
- },
- {
- "name": "Web",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": ["operations"],
- "definitions": [
- {
- "az": "a",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.32.0/20"
- },
- {
- "az": "b",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.128.0/20"
- },
- {
- "az": "d",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.192.0/20",
- "disabled": true
- }
- ]
- },
- {
- "name": "App",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": ["operations"],
- "definitions": [
- {
- "az": "a",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.0.0/19"
- },
- {
- "az": "b",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.96.0/19"
- },
- {
- "az": "d",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.160.0/19",
- "disabled": true
- }
- ]
- },
- {
- "name": "Data",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": ["operations"],
- "definitions": [
- {
- "az": "a",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.48.0/20"
- },
- {
- "az": "b",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.144.0/20"
- },
- {
- "az": "d",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.208.0/20",
- "disabled": true
- }
- ],
- "nacls": [
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": true,
- "cidr-blocks": [
- {
- "vpc": "Central",
- "subnet": ["Web"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": true,
- "cidr-blocks": ["0.0.0.0/0"]
- },
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": false,
- "cidr-blocks": [
- {
- "vpc": "Central",
- "subnet": ["Web"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": false,
- "cidr-blocks": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Mgmt",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": ["operations"],
- "definitions": [
- {
- "az": "a",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.64.0/21"
- },
- {
- "az": "b",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.72.0/21"
- },
- {
- "az": "d",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.80.0/21",
- "disabled": true
- }
- ]
- },
- {
- "name": "GCWide",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": ["operations"],
- "definitions": [
- {
- "az": "a",
- "route-table": "CentralVPC_GCWide",
- "cidr2": "100.96.252.0/25"
- },
- {
- "az": "b",
- "route-table": "CentralVPC_GCWide",
- "cidr2": "100.96.252.128/25"
- },
- {
- "az": "d",
- "route-table": "CentralVPC_GCWide",
- "cidr2": "100.96.253.0/25",
- "disabled": true
- }
- ]
- }
- ],
- "gateway-endpoints": ["s3", "dynamodb"],
- "route-tables": [
- {
- "name": "CentralVPC_Common",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "TGW"
- },
- {
- "destination": "s3",
- "target": "s3"
- },
- {
- "destination": "DynamoDB",
- "target": "DynamoDB"
- }
- ]
- },
- {
- "name": "CentralVPC_GCWide",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "TGW"
- },
- {
- "destination": "s3",
- "target": "s3"
- },
- {
- "destination": "DynamoDB",
- "target": "DynamoDB"
- },
- {
- "destination": {
- "account": "master",
- "vpc": "ForSSO",
- "subnet": "ForSSO"
- },
- "target": "pcx"
- }
- ]
- }
- ],
- "security-groups": [
- {
- "name": "Mgmt",
- "inbound-rules": [
- {
- "description": "Mgmt RDP/SSH Traffic Inbound",
- "type": ["RDP", "SSH"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Web",
- "inbound-rules": [
- {
- "description": "World Web Traffic Inbound",
- "type": ["HTTP", "HTTPS"],
- "source": ["0.0.0.0/0"]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "App",
- "inbound-rules": [
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local Web Tier Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Web"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Data",
- "inbound-rules": [
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local App DB Traffic Inbound",
- "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Data"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "tgw-attach": {
- "associate-to-tgw": "Main",
- "account": "shared-network",
- "associate-type": "ATTACH",
- "tgw-rt-associate": ["shared"],
- "tgw-rt-propagate": ["core", "shared", "segregated"],
- "blackhole-route": false,
- "attach-subnets": ["TGW"],
- "options": ["DNS-support"]
- },
- "interface-endpoints": false
- }
- ],
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- }
- },
- "Dev": {
- "type": "workload",
- "share-mad-from": "operations",
- "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
- "default-budgets": {
- "name": "Default Dev Budget",
- "period": "Monthly",
- "amount": 2000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "certificates": [
- {
- "name": "DevSelf-SignedCert",
- "type": "import",
- "priv-key": "certs/example1-cert.key",
- "cert": "certs/example1-cert.crt"
- }
- ],
- "alb": [
- {
- "name": "Core",
- "scheme": "internal",
- "action-type": "forward",
- "ip-type": "ipv4",
- "listeners": "HTTPS",
- "ports": 443,
- "vpc": "Dev",
- "subnets": "Web",
- "cert-name": "DevSelf-SignedCert",
- "cert-arn": "",
- "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
- "security-group": "Web",
- "tg-stickiness": "",
- "access-logs": true,
- "targets": [
- {
- "target-name": "health-check-Lambda",
- "target-type": "lambda",
- "health-check-path": "/health-check",
- "lambda-filename": "internal-dev-alb-lambda.txt"
- }
- ]
- }
- ],
- "vpc": [
- {
- "deploy": "shared-network",
- "name": "Dev",
- "cidr": "10.2.0.0/16",
- "region": "ca-central-1",
- "use-central-endpoints": true,
- "flow-logs": "S3",
- "igw": false,
- "vgw": false,
- "pcx": false,
- "natgw": false,
- "subnets": [
- {
- "name": "TGW",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.88.0/27"
- },
- {
- "az": "b",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.88.32/27"
- },
- {
- "az": "d",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.88.64/27",
- "disabled": true
- }
- ]
- },
- {
- "name": "Web",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.32.0/20"
- },
- {
- "az": "b",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.128.0/20"
- },
- {
- "az": "d",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.192.0/20",
- "disabled": true
- }
- ]
- },
- {
- "name": "App",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.0.0/19"
- },
- {
- "az": "b",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.96.0/19"
- },
- {
- "az": "d",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.160.0/19",
- "disabled": true
- }
- ]
- },
- {
- "name": "Data",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.48.0/20"
- },
- {
- "az": "b",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.144.0/20"
- },
- {
- "az": "d",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.208.0/20",
- "disabled": true
- }
- ],
- "nacls": [
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": true,
- "cidr-blocks": [
- {
- "vpc": "Dev",
- "subnet": ["Web"]
- },
- {
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": true,
- "cidr-blocks": ["0.0.0.0/0"]
- },
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": false,
- "cidr-blocks": [
- {
- "vpc": "Dev",
- "subnet": ["Web"]
- },
- {
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": false,
- "cidr-blocks": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Mgmt",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.64.0/21"
- },
- {
- "az": "b",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.72.0/21"
- },
- {
- "az": "d",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.80.0/21",
- "disabled": true
- }
- ]
- }
- ],
- "gateway-endpoints": ["s3", "dynamodb"],
- "route-tables": [
- {
- "name": "DevVPC_Common",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "TGW"
- },
- {
- "destination": "s3",
- "target": "s3"
- },
- {
- "destination": "DynamoDB",
- "target": "DynamoDB"
- }
- ]
- }
- ],
- "security-groups": [
- {
- "name": "Mgmt",
- "inbound-rules": [
- {
- "description": "Mgmt RDP/SSH Traffic Inbound",
- "type": ["RDP", "SSH"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- },
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Web",
- "inbound-rules": [
- {
- "description": "World Web Traffic Inbound",
- "type": ["HTTP", "HTTPS"],
- "source": ["0.0.0.0/0"]
- },
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "App",
- "inbound-rules": [
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local Web Tier Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Web"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Data",
- "inbound-rules": [
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local App DB Traffic Inbound",
- "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Data"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "tgw-attach": {
- "associate-to-tgw": "Main",
- "account": "shared-network",
- "associate-type": "ATTACH",
- "tgw-rt-associate": ["segregated"],
- "tgw-rt-propagate": ["core", "shared"],
- "blackhole-route": true,
- "attach-subnets": ["TGW"],
- "options": ["DNS-support"]
- },
- "interface-endpoints": false
- }
- ],
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- }
- },
- "Test": {
- "type": "workload",
- "share-mad-from": "operations",
- "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
- "default-budgets": {
- "name": "Default Test Budget",
- "period": "Monthly",
- "amount": 1000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "certificates": [
- {
- "name": "TestSelf-SignedCert",
- "type": "import",
- "priv-key": "certs/example1-cert.key",
- "cert": "certs/example1-cert.crt"
- }
- ],
- "alb": [
- {
- "name": "Core",
- "scheme": "internal",
- "action-type": "forward",
- "ip-type": "ipv4",
- "listeners": "HTTPS",
- "ports": 443,
- "vpc": "Test",
- "subnets": "Web",
- "cert-name": "TestSelf-SignedCert",
- "cert-arn": "",
- "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
- "security-group": "Web",
- "tg-stickiness": "",
- "access-logs": true,
- "targets": [
- {
- "target-name": "health-check-Lambda",
- "target-type": "lambda",
- "health-check-path": "/health-check",
- "lambda-filename": "internal-test-alb-lambda.txt"
- }
- ]
- }
- ],
- "vpc": [
- {
- "deploy": "shared-network",
- "name": "Test",
- "cidr": "10.3.0.0/16",
- "region": "ca-central-1",
- "use-central-endpoints": true,
- "flow-logs": "CWL",
- "igw": false,
- "vgw": false,
- "pcx": false,
- "natgw": false,
- "subnets": [
- {
- "name": "TGW",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.88.0/27"
- },
- {
- "az": "b",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.88.32/27"
- },
- {
- "az": "d",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.88.64/27",
- "disabled": true
- }
- ]
- },
- {
- "name": "Web",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.32.0/20"
- },
- {
- "az": "b",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.128.0/20"
- },
- {
- "az": "d",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.192.0/20",
- "disabled": true
- }
- ]
- },
- {
- "name": "App",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.0.0/19"
- },
- {
- "az": "b",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.96.0/19"
- },
- {
- "az": "d",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.160.0/19",
- "disabled": true
- }
- ]
- },
- {
- "name": "Data",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.48.0/20"
- },
- {
- "az": "b",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.144.0/20"
- },
- {
- "az": "d",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.208.0/20",
- "disabled": true
- }
- ],
- "nacls": [
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": true,
- "cidr-blocks": [
- {
- "vpc": "Test",
- "subnet": ["Web"]
- },
- {
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": true,
- "cidr-blocks": ["0.0.0.0/0"]
- },
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": false,
- "cidr-blocks": [
- {
- "vpc": "Test",
- "subnet": ["Web"]
- },
- {
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": false,
- "cidr-blocks": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Mgmt",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.64.0/21"
- },
- {
- "az": "b",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.72.0/21"
- },
- {
- "az": "d",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.80.0/21",
- "disabled": true
- }
- ]
- }
- ],
- "gateway-endpoints": ["s3", "dynamodb"],
- "route-tables": [
- {
- "name": "TestVPC_Common",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "TGW"
- },
- {
- "destination": "s3",
- "target": "s3"
- },
- {
- "destination": "DynamoDB",
- "target": "DynamoDB"
- }
- ]
- }
- ],
- "security-groups": [
- {
- "name": "Mgmt",
- "inbound-rules": [
- {
- "description": "Mgmt RDP/SSH Traffic Inbound",
- "type": ["RDP", "SSH"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- },
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Web",
- "inbound-rules": [
- {
- "description": "World Web Traffic Inbound",
- "type": ["HTTP", "HTTPS"],
- "source": ["0.0.0.0/0"]
- },
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "App",
- "inbound-rules": [
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local Web Tier Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Web"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Data",
- "inbound-rules": [
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local App DB Traffic Inbound",
- "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Data"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "tgw-attach": {
- "associate-to-tgw": "Main",
- "account": "shared-network",
- "associate-type": "ATTACH",
- "tgw-rt-associate": ["segregated"],
- "tgw-rt-propagate": ["core", "shared"],
- "blackhole-route": true,
- "attach-subnets": ["TGW"],
- "options": ["DNS-support"]
- },
- "interface-endpoints": false
- }
- ],
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- }
- },
- "Prod": {
- "type": "workload",
- "share-mad-from": "operations",
- "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
- "default-budgets": {
- "name": "Default Prod Budget",
- "period": "Monthly",
- "amount": 1000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "certificates": [
- {
- "name": "ProdSelf-SignedCert",
- "type": "import",
- "priv-key": "certs/example1-cert.key",
- "cert": "certs/example1-cert.crt"
- }
- ],
- "alb": [
- {
- "name": "Core",
- "scheme": "internal",
- "action-type": "forward",
- "ip-type": "ipv4",
- "listeners": "HTTPS",
- "ports": 443,
- "vpc": "Prod",
- "subnets": "Web",
- "cert-name": "ProdSelf-SignedCert",
- "cert-arn": "",
- "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
- "security-group": "Web",
- "tg-stickiness": "",
- "access-logs": true,
- "targets": [
- {
- "target-name": "health-check-Lambda",
- "target-type": "lambda",
- "health-check-path": "/health-check",
- "lambda-filename": "internal-prod-alb-lambda.txt"
- }
- ]
- }
- ],
- "vpc": [
- {
- "deploy": "shared-network",
- "name": "Prod",
- "cidr": "10.4.0.0/16",
- "region": "ca-central-1",
- "use-central-endpoints": true,
- "flow-logs": "CWL",
- "igw": false,
- "vgw": false,
- "pcx": false,
- "natgw": false,
- "subnets": [
- {
- "name": "TGW",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.88.0/27"
- },
- {
- "az": "b",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.88.32/27"
- },
- {
- "az": "d",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.88.64/27",
- "disabled": true
- }
- ]
- },
- {
- "name": "Web",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.32.0/20"
- },
- {
- "az": "b",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.128.0/20"
- },
- {
- "az": "d",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.192.0/20",
- "disabled": true
- }
- ]
- },
- {
- "name": "App",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.0.0/19"
- },
- {
- "az": "b",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.96.0/19"
- },
- {
- "az": "d",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.160.0/19",
- "disabled": true
- }
- ]
- },
- {
- "name": "Data",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.48.0/20"
- },
- {
- "az": "b",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.144.0/20"
- },
- {
- "az": "d",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.208.0/20",
- "disabled": true
- }
- ],
- "nacls": [
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": true,
- "cidr-blocks": [
- {
- "vpc": "Prod",
- "subnet": ["Web"]
- },
- {
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": true,
- "cidr-blocks": ["0.0.0.0/0"]
- },
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": false,
- "cidr-blocks": [
- {
- "vpc": "Prod",
- "subnet": ["Web"]
- },
- {
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": false,
- "cidr-blocks": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Mgmt",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.64.0/21"
- },
- {
- "az": "b",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.72.0/21"
- },
- {
- "az": "d",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.80.0/21",
- "disabled": true
- }
- ]
- }
- ],
- "gateway-endpoints": ["s3", "dynamodb"],
- "route-tables": [
- {
- "name": "ProdVPC_Common",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "TGW"
- },
- {
- "destination": "s3",
- "target": "s3"
- },
- {
- "destination": "DynamoDB",
- "target": "DynamoDB"
- }
- ]
- }
- ],
- "security-groups": [
- {
- "name": "Mgmt",
- "inbound-rules": [
- {
- "description": "Mgmt RDP/SSH Traffic Inbound",
- "type": ["RDP", "SSH"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- },
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Web",
- "inbound-rules": [
- {
- "description": "World Web Traffic Inbound",
- "type": ["HTTP", "HTTPS"],
- "source": ["0.0.0.0/0"]
- },
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "App",
- "inbound-rules": [
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local Web Tier Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Web"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Data",
- "inbound-rules": [
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local App DB Traffic Inbound",
- "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Data"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "tgw-attach": {
- "associate-to-tgw": "Main",
- "account": "shared-network",
- "associate-type": "ATTACH",
- "tgw-rt-associate": ["segregated"],
- "tgw-rt-propagate": ["core", "shared"],
- "blackhole-route": true,
- "attach-subnets": ["TGW"],
- "options": ["DNS-support"]
- },
- "interface-endpoints": false
- }
- ],
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- }
- },
- "Sandbox": {
- "type": "workload",
- "share-mad-from": "",
- "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-Unclass-Only"],
- "default-budgets": {
- "name": "Default Sandbox Budget",
- "period": "Monthly",
- "amount": 200,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "vpc": [
- {
- "deploy": "local",
- "name": "Sandbox",
- "cidr": "10.6.0.0/16",
- "region": "ca-central-1",
- "use-central-endpoints": false,
- "flow-logs": "BOTH",
- "igw": true,
- "vgw": false,
- "pcx": false,
- "natgw": {
- "subnet": {
- "name": "Web",
- "az": "a"
- }
- },
- "subnets": [
- {
- "name": "Web",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "SandboxVPC_IGW",
- "cidr": "10.6.32.0/20"
- },
- {
- "az": "b",
- "route-table": "SandboxVPC_IGW",
- "cidr": "10.6.128.0/20"
- },
- {
- "az": "d",
- "route-table": "SandboxVPC_IGW",
- "cidr": "10.6.192.0/20",
- "disabled": true
- }
- ]
- },
- {
- "name": "App",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.0.0/19"
- },
- {
- "az": "b",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.96.0/19"
- },
- {
- "az": "d",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.160.0/19",
- "disabled": true
- }
- ]
- },
- {
- "name": "Data",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.48.0/20"
- },
- {
- "az": "b",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.144.0/20"
- },
- {
- "az": "d",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.208.0/20",
- "disabled": true
- }
- ],
- "nacls": [
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": true,
- "cidr-blocks": [
- {
- "vpc": "Sandbox",
- "subnet": ["Web"]
- },
- {
- "account": "shared-network",
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": true,
- "cidr-blocks": ["0.0.0.0/0"]
- },
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": false,
- "cidr-blocks": [
- {
- "vpc": "Sandbox",
- "subnet": ["Web"]
- },
- {
- "account": "shared-network",
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": false,
- "cidr-blocks": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Mgmt",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.64.0/21"
- },
- {
- "az": "b",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.72.0/21"
- },
- {
- "az": "d",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.80.0/21",
- "disabled": true
- }
- ]
- }
- ],
- "gateway-endpoints": [],
- "route-tables": [
- {
- "name": "SandboxVPC_IGW",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "IGW"
- }
- ]
- },
- {
- "name": "SandboxVPC_Common",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "NATGW_Web_azA"
- }
- ]
- }
- ],
- "security-groups": [
- {
- "name": "Mgmt",
- "inbound-rules": [
- {
- "description": "Mgmt RDP/SSH Traffic Inbound",
- "type": ["RDP", "SSH"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Web",
- "inbound-rules": [
- {
- "description": "World Web Traffic Inbound",
- "type": ["HTTP", "HTTPS"],
- "source": ["0.0.0.0/0"]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "App",
- "inbound-rules": [
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local Web Tier Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Web"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Data",
- "inbound-rules": [
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local App DB Traffic Inbound",
- "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Data"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "tgw-attach": false,
- "interface-endpoints": false
- }
- ],
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- }
- }
- }
-}
+{
+ "global-options": {
+ "alz-minimum-version": "v2.3.1",
+ "alz-baseline": false,
+ "ct-baseline": false,
+ "central-log-retention": 730,
+ "default-log-retention": 90,
+ "central-bucket": "AWSDOC-EXAMPLE-BUCKET",
+ "organization-admin-role": "OrganizationAccountAccessRole",
+ "default-cwl-retention": 731,
+ "workloadaccounts-suffix" : 1,
+ "workloadaccounts-prefix" : "config",
+ "workloadaccounts-param-filename": "config.json",
+ "ignored-ous": [],
+ "supported-regions": [
+ "ap-northeast-1",
+ "ap-northeast-2",
+ "ap-south-1",
+ "ap-southeast-1",
+ "ap-southeast-2",
+ "ca-central-1",
+ "eu-central-1",
+ "eu-north-1",
+ "eu-west-1",
+ "eu-west-2",
+ "eu-west-3",
+ "sa-east-1",
+ "us-east-1",
+ "us-east-2",
+ "us-west-1",
+ "us-west-2"
+ ],
+ "keep-default-vpc-regions": [],
+ "aws-org-master": {
+ "account": "master",
+ "region": "ca-central-1"
+ },
+ "central-security-services": {
+ "account": "security",
+ "region": "ca-central-1",
+ "security-hub": true,
+ "security-hub-excl-regions": [],
+ "guardduty": true,
+ "guardduty-excl-regions": [],
+ "cwl": true,
+ "access-analyzer": true,
+ "config-excl-regions": [],
+ "config-aggr-excl-regions": [],
+ "macie": true,
+ "macie-excl-regions": [],
+ "macie-frequency": "FIFTEEN_MINUTES"
+ },
+ "central-operations-services": {
+ "account": "operations",
+ "region": "ca-central-1",
+ "cwl": true,
+ "cwl-access-level": "full"
+ },
+ "central-log-services": {
+ "account": "log-archive",
+ "region": "ca-central-1",
+ "cwl-glbl-exclusions": [],
+ "cwl-exclusions": [],
+ "ssm-to-s3": true,
+ "ssm-to-cwl": true
+ },
+ "reports": {
+ "cost-and-usage-report": {
+ "additional-schema-elements": ["RESOURCES"],
+ "compression": "Parquet",
+ "format": "Parquet",
+ "report-name": "Cost-and-Usage-Report",
+ "s3-prefix": "cur",
+ "time-unit": "HOURLY",
+ "additional-artifacts": ["ATHENA"],
+ "refresh-closed-reports": true,
+ "report-versioning": "OVERWRITE_REPORT"
+ }
+ },
+ "zones": {
+ "account": "shared-network",
+ "resolver-vpc": "Endpoint",
+ "names": {
+ "public": ["dept.cloud-nuage.canada.ca"],
+ "private": ["dept.cloud-nuage.gc.ca"]
+ }
+ },
+ "vpc-flow-logs": {
+ "filter": "ALL",
+ "interval": 60,
+ "default-format": false,
+ "custom-fields": [
+ "version",
+ "account-id",
+ "interface-id",
+ "srcaddr",
+ "dstaddr",
+ "srcport",
+ "dstport",
+ "protocol",
+ "packets",
+ "bytes",
+ "start",
+ "end",
+ "action",
+ "log-status",
+ "vpc-id",
+ "subnet-id",
+ "instance-id",
+ "tcp-flags",
+ "type",
+ "pkt-srcaddr",
+ "pkt-dstaddr",
+ "region",
+ "az-id"
+ ]
+ },
+ "security-hub-frameworks": {
+ "standards": [
+ {
+ "name": "AWS Foundational Security Best Practices v1.0.0",
+ "controls-to-disable": ["IAM.1"]
+ },
+ {
+ "name": "PCI DSS v3.2.1",
+ "controls-to-disable": ["PCI.IAM.3", "PCI.KMS.1", "PCI.S3.3", "PCI.EC2.3", "PCI.Lambda.2"]
+ },
+ {
+ "name": "CIS AWS Foundations Benchmark v1.2.0",
+ "controls-to-disable": ["CIS.1.20", "CIS.1.22", "CIS.2.8"]
+ }
+ ]
+ },
+ "iam-password-policies": {
+ "allow-users-to-change-password": true,
+ "hard-expiry": false,
+ "require-uppercase-characters": true,
+ "require-lowercase-characters": true,
+ "require-symbols": true,
+ "require-numbers": true,
+ "minimum-password-length": 14,
+ "password-reuse-prevention": 24,
+ "max-password-age": 90
+ },
+ "scps": [
+ {
+ "name": "ALZ-Core",
+ "description": "ALZ Core Preventive Guardrails",
+ "policy": "aws-landing-zone-core-mandatory-preventive-guardrails-Accel.json"
+ },
+ {
+ "name": "ALZ-Non-Core",
+ "description": "ALZ Non-core Preventive Guardrails",
+ "policy": "aws-landing-zone-non-core-mandatory-preventive-guardrails-Accel.json"
+ },
+ {
+ "name": "Guardrails-Part-1",
+ "description": "PBMMAccel Guardrails Part 1",
+ "policy": "PBMMAccel-Guardrails-Part1.json"
+ },
+ {
+ "name": "Guardrails-Part-2",
+ "description": "PBMMAccel Guardrails Part 2",
+ "policy": "PBMMAccel-Guardrails-Part2.json"
+ },
+ {
+ "name": "Guardrails-PBMM-Only",
+ "description": "PBMMAccel Guardrails PBMM Environment Specific",
+ "policy": "PBMMAccel-Guardrails-PBMM-Only.json"
+ },
+ {
+ "name": "Guardrails-Unclass-Only",
+ "description": "PBMMAccel Guardrails Unclassified Environment Specific",
+ "policy": "PBMMAccel-Guardrails-Unclass-Only.json"
+ },
+ {
+ "name": "Quarantine-New-Object",
+ "description": "PBMM Quarantine policy - Apply to ACCOUNTS that need to be quarantined",
+ "policy": "Quarantine-New-Object.json"
+ }
+ ]
+ },
+ "mandatory-account-configs": {
+ "shared-network": {
+ "account-name": "SharedNetwork",
+ "email": "myemail+pbmmT-network@example.com---------------------REPLACE----------------------",
+ "ou": "core",
+ "share-mad-from": "operations",
+ "src-filename": "config.json",
+ "budget": {
+ "name": "SharedNetwork Budget",
+ "period": "Monthly",
+ "amount": 2000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ },
+ "limits": {
+ "Amazon VPC/Interface VPC endpoints per VPC": {
+ "value": 90,
+ "customer-confirm-inplace": false
+ },
+ "Amazon VPC/VPCs per Region": {
+ "value": 15
+ }
+ },
+ "vpc": [
+ {
+ "deploy": "local",
+ "name": "Endpoint",
+ "cidr": "10.7.0.0/22",
+ "region": "ca-central-1",
+ "use-central-endpoints": false,
+ "flow-logs": "S3",
+ "igw": false,
+ "vgw": false,
+ "pcx": false,
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "Endpoint",
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "EndpointVPC_Common",
+ "cidr": "10.7.0.0/24"
+ },
+ {
+ "az": "b",
+ "route-table": "EndpointVPC_Common",
+ "cidr": "10.7.1.0/24"
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": [],
+ "route-tables": [
+ {
+ "name": "EndpointVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ }
+ ]
+ }
+ ],
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": ["core"],
+ "tgw-rt-propagate": ["core", "segregated", "shared", "standalone"],
+ "blackhole-route": false,
+ "attach-subnets": ["Endpoint"],
+ "options": ["DNS-support"]
+ },
+ "interface-endpoints": {
+ "subnet": "Endpoint",
+ "endpoints": [
+ "ec2",
+ "ec2messages",
+ "ssm",
+ "ssmmessages",
+ "secretsmanager"
+ ]
+ },
+ "resolvers": {
+ "subnet": "Endpoint",
+ "outbound": true,
+ "inbound": true
+ },
+ "on-premise-rules": [
+ {
+ "zone": "dept-private.gc.ca",
+ "outbound-ips": ["10.254.254.1", "10.254.253.1"]
+ },
+ {
+ "zone": "private-domain1.example.ca",
+ "outbound-ips": ["10.254.254.1", "10.254.253.1"]
+ }
+ ]
+ }
+ ],
+ "deployments": {
+ "tgw": [
+ {
+ "name": "Main",
+ "asn": 65521,
+ "region": "ca-central-1",
+ "features": {
+ "DNS-support": true,
+ "VPN-ECMP-support": true,
+ "Default-route-table-association": false,
+ "Default-route-table-propagation": false,
+ "Auto-accept-sharing-attachments": true
+ },
+ "route-tables": ["core", "segregated", "shared", "standalone"]
+ }
+ ]
+ }
+ },
+ "operations": {
+ "account-name": "Operations",
+ "email": "myemail+pbmmT-operations@example.com---------------------REPLACE----------------------",
+ "ou": "core",
+ "account-warming-required": true,
+ "limits": {},
+ "src-filename": "config.json",
+ "share-mad-from": "",
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ },
+ {
+ "policy-name": "PBMMAccel-RDGW-Custom-Policy",
+ "policy": "pbmmaccel-rdgw-custom-policies.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ },
+ {
+ "role": "PBMMAccel-RDGW-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy",
+ "PBMMAccel-RDGW-Custom-Policy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ },
+ {
+ "role": "PBMMAccel-Rsyslog-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "CloudWatchAgentServerPolicy",
+ "AmazonS3ReadOnlyAccess"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ },
+ "deployments": {
+ "mad": {
+ "dir-id": 1001,
+ "deploy": true,
+ "vpc-name": "Central",
+ "region": "ca-central-1",
+ "subnet": "GCWide",
+ "size": "Enterprise",
+ "dns-domain": "example.local",
+ "netbios-domain": "example",
+ "central-resolver-rule-account": "shared-network",
+ "central-resolver-rule-vpc": "Endpoint",
+ "log-group-name": "/PBMMAccel/MAD/example.local",
+ "share-to-account": "",
+ "restrict_srcips": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"],
+ "num-rdgw-hosts": 1,
+ "min-rdgw-hosts": 1,
+ "max-rdgw-hosts": 2,
+ "rdgw-max-instance-age": 30,
+ "rdgw-instance-type": "t2.large",
+ "rdgw-instance-role": "PBMMAccel-RDGW-Role",
+ "password-policies": {
+ "history": 24,
+ "max-age": 90,
+ "min-age": 1,
+ "min-len": 12,
+ "complexity": true,
+ "reversible": false,
+ "failed-attempts": 6,
+ "lockout-duration": 30,
+ "lockout-attempts-reset": 30
+ },
+ "ad-groups": ["aws-Provisioning", "aws-Billing"],
+ "ad-per-account-groups": ["*-Admin", "*-PowerUser", "*-View"],
+ "adc-group": "ADConnector-grp",
+ "ad-users": [
+ {
+ "user": "adconnector-usr",
+ "email": "myemail+pbmmT-adc-usr@example.com",
+ "groups": ["ADConnector-grp"]
+ },
+ {
+ "user": "User1",
+ "email": "myemail+pbmmT-User1@example.com",
+ "groups": ["aws-Provisioning", "*-View", "*-Admin", "*-PowerUser", "AWS Delegated Administrators"]
+ },
+ {
+ "user": "User2",
+ "email": "myemail+pbmmT-User2@example.com",
+ "groups": ["*-View"]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "RemoteDesktopGatewaySG",
+ "inbound-rules": [
+ {
+ "description": "Allow RDP Traffic Inbound",
+ "type": ["RDP"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ]
+ },
+ "rsyslog": {
+ "deploy": true,
+ "vpc-name": "Central",
+ "region": "ca-central-1",
+ "log-group-name": "rsyslog/var/log/messages",
+ "security-groups": [
+ {
+ "name": "rsyslog",
+ "inbound-rules": [
+ {
+ "description": "Allow Traffic Inbound",
+ "tcp-ports": [514],
+ "udp-ports": [514],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "app-subnets": [
+ {
+ "name": "App",
+ "az": "a"
+ },
+ {
+ "name": "App",
+ "az": "b"
+ }
+ ],
+ "web-subnets": [
+ {
+ "name": "Web",
+ "az": "a"
+ },
+ {
+ "name": "Web",
+ "az": "b"
+ }
+ ],
+ "min-rsyslog-hosts": 1,
+ "desired-rsyslog-hosts": 2,
+ "max-rsyslog-hosts": 2,
+ "ssm-image-id": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",
+ "rsyslog-instance-type": "t2.large",
+ "rsyslog-instance-role": "PBMMAccel-Rsyslog-Role",
+ "rsyslog-root-volume-size": 100,
+ "rsyslog-max-instance-age": 30
+ }
+ }
+ },
+ "perimeter": {
+ "account-name": "Perimeter",
+ "email": "myemail+pbmmT-perimeter@example.com---------------------REPLACE----------------------",
+ "ou": "core",
+ "account-warming-required": true,
+ "src-filename": "config.json",
+ "limits": {
+ "Amazon EC2/Number of EIPs": {
+ "value": 5,
+ "customer-confirm-inplace": false
+ }
+ },
+ "share-mad-from": "",
+ "budget": {
+ "name": "Perimeter Budget",
+ "period": "Monthly",
+ "amount": 2000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "certificates": [
+ {
+ "name": "PerimSelf-SignedCert",
+ "type": "import",
+ "priv-key": "certs/example1-cert.key",
+ "cert": "certs/example1-cert.crt"
+ }
+ ],
+ "alb": [
+ {
+ "name": "Public-Prod",
+ "scheme": "internet-facing",
+ "action-type": "forward",
+ "ip-type": "ipv4",
+ "listeners": "HTTPS",
+ "ports": 443,
+ "vpc": "Perimeter",
+ "subnets": "Public",
+ "cert-name": "PerimSelf-SignedCert",
+ "cert-arn": "",
+ "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
+ "security-group": "Public-Prod-ALB",
+ "tg-stickiness": "1 hour",
+ "target-alarms-notify": "AWS-Landing-Zone-Security-Notification",
+ "target-alarms-when": "Minimum",
+ "target-alarms-of": "Healthy Hosts",
+ "target-alarms-is": "<",
+ "target-alarms-Count": "2",
+ "target-alarms-for": "5",
+ "target-alarms-periods-of": "1",
+ "access-logs": true,
+ "targets": [
+ {
+ "target-name": "FG1-Web-azA",
+ "target-type": "instance",
+ "protocol": "HTTPS",
+ "port": 7001,
+ "health-check-protocol": "HTTPS",
+ "health-check-path": "/health-check",
+ "health-check-port": 7001,
+ "lambda-filename": "",
+ "target-instances": [
+ {
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "a"
+ }
+ ],
+ "tg-weight": 1
+ },
+ {
+ "target-name": "FG1-Web-azB",
+ "target-type": "instance",
+ "protocol": "HTTPS",
+ "port": 7001,
+ "health-check-protocol": "HTTPS",
+ "health-check-path": "/health-check",
+ "health-check-port": 7001,
+ "lambda-filename": "",
+ "target-instances": [
+ {
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "b"
+ }
+ ],
+ "tg-weight": 1
+ }
+ ]
+ },
+ {
+ "name": "Public-DevTest",
+ "scheme": "internet-facing",
+ "action-type": "forward",
+ "ip-type": "ipv4",
+ "listeners": "HTTPS",
+ "ports": 443,
+ "vpc": "Perimeter",
+ "subnets": "Public",
+ "cert-name": "PerimSelf-SignedCert",
+ "cert-arn": "",
+ "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
+ "security-group": "Public-DevTest-ALB",
+ "tg-stickiness": "1 hour",
+ "target-alarms-notify": "AWS-Landing-Zone-Security-Notification",
+ "target-alarms-when": "Minimum",
+ "target-alarms-of": "Healthy Hosts",
+ "target-alarms-is": "<",
+ "target-alarms-Count": "2",
+ "target-alarms-for": "5",
+ "target-alarms-periods-of": "1",
+ "access-logs": true,
+ "targets": [
+ {
+ "target-name": "FG1-Web-azA",
+ "target-type": "instance",
+ "protocol": "HTTPS",
+ "port": 7002,
+ "health-check-protocol": "HTTPS",
+ "health-check-path": "/health-check",
+ "health-check-port": 7002,
+ "lambda-filename": "",
+ "target-instances": [
+ {
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "a"
+ }
+ ],
+ "tg-weight": 1
+ },
+ {
+ "target-name": "FG1-Web-azB",
+ "target-type": "instance",
+ "protocol": "HTTPS",
+ "port": 7002,
+ "health-check-protocol": "HTTPS",
+ "health-check-path": "/health-check",
+ "health-check-port": 7002,
+ "lambda-filename": "",
+ "target-instances": [
+ {
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "b"
+ }
+ ],
+ "tg-weight": 1
+ }
+ ]
+ }
+ ],
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ },
+ {
+ "policy-name": "Firewall-Policy",
+ "policy": "firewall-fg-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ },
+ {
+ "role": "Firewall-Role",
+ "type": "ec2",
+ "policies": ["Firewall-Policy"],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ },
+ "vpc": [
+ {
+ "deploy": "local",
+ "name": "Perimeter",
+ "cidr": "10.7.4.0/22",
+ "cidr2": "100.96.250.0/23",
+ "region": "ca-central-1",
+ "use-central-endpoints": false,
+ "flow-logs": "S3",
+ "igw": true,
+ "vgw": {
+ "asn": 65522
+ },
+ "pcx": false,
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "Public",
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "Public_Shared",
+ "cidr": "100.96.250.0/26"
+ },
+ {
+ "az": "b",
+ "route-table": "Public_Shared",
+ "cidr": "100.96.250.128/26"
+ }
+ ]
+ },
+ {
+ "name": "FWMgmt",
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "FWMgmt_azA",
+ "cidr": "100.96.251.32/27"
+ },
+ {
+ "az": "b",
+ "route-table": "FWMgmt_azB",
+ "cidr": "100.96.251.160/27"
+ }
+ ]
+ },
+ {
+ "name": "Proxy",
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "Proxy_azA",
+ "cidr": "100.96.251.64/26"
+ },
+ {
+ "az": "b",
+ "route-table": "Proxy_azB",
+ "cidr": "100.96.251.192/26"
+ }
+ ]
+ },
+ {
+ "name": "OnPremise",
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "OnPremise_Shared",
+ "cidr": "100.96.250.64/26"
+ },
+ {
+ "az": "b",
+ "route-table": "OnPremise_Shared",
+ "cidr": "100.96.250.192/26"
+ }
+ ]
+ },
+ {
+ "name": "Detonation",
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "Detonation_Shared",
+ "cidr": "10.7.4.0/24"
+ },
+ {
+ "az": "b",
+ "route-table": "Detonation_Shared",
+ "cidr": "10.7.5.0/24"
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": ["s3"],
+ "route-tables": [
+ {
+ "name": "OnPremise_Shared"
+ },
+ {
+ "name": "Public_Shared",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "IGW"
+ }
+ ]
+ },
+ {
+ "name": "FWMgmt_azA",
+ "routes": [
+ {
+ "destination": "10.0.0.0/8",
+ "target": "VGW"
+ },
+ {
+ "destination": "0.0.0.0/0",
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "a",
+ "port": "OnPremise"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ }
+ ]
+ },
+ {
+ "name": "FWMgmt_azB",
+ "routes": [
+ {
+ "destination": "10.0.0.0/8",
+ "target": "VGW"
+ },
+ {
+ "destination": "0.0.0.0/0",
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "b",
+ "port": "OnPremise"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ }
+ ]
+ },
+ {
+ "name": "Proxy_azA",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "a",
+ "port": "Proxy"
+ }
+ ]
+ },
+ {
+ "name": "Proxy_azB",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "b",
+ "port": "Proxy"
+ }
+ ]
+ },
+ {
+ "name": "Detonation_Shared"
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Public-Prod-ALB",
+ "inbound-rules": [
+ {
+ "description": "TLS Traffic Inbound",
+ "type": ["HTTPS"],
+ "source": ["0.0.0.0/0"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Public-DevTest-ALB",
+ "inbound-rules": [
+ {
+ "description": "TLS Traffic Inbound",
+ "type": ["HTTPS"],
+ "source": ["0.0.0.0/0"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "FirewallMgr",
+ "inbound-rules": [
+ {
+ "description": "Allow Mgmt Traffic Inbound",
+ "tcp-ports": [22, 443, 514, 541, 2032, 3000, 5199, 6020, 6028, 8080],
+ "udp-ports": [9443],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Firewalls",
+ "inbound-rules": [
+ {
+ "description": "All Allowed Inbound Traffic",
+ "tcp-ports": [22, 443, 541, 3000, 8080],
+ "source": ["0.0.0.0/0"]
+ },
+ {
+ "description": "Mgmt Traffic, Customer Outbound traffic and ALBs",
+ "type": ["ALL"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": false,
+ "interface-endpoints": {
+ "subnet": "Proxy",
+ "endpoints": ["ssm", "ssmmessages", "ec2messages"]
+ }
+ }
+ ],
+ "deployments": {
+ "firewalls": [
+ {
+ "name": "Firewall",
+ "image-id": "ami-047aac44951feb9fb",
+ "instance-sizes": "c5n.xlarge",
+ "region": "ca-central-1",
+ "security-group": "Firewalls",
+ "fw-instance-role": "Firewall-Role",
+ "vpc": "Perimeter",
+ "ports": [
+ {
+ "name": "Public",
+ "subnet": "Public",
+ "create-eip": true,
+ "create-cgw": true
+ },
+ {
+ "name": "OnPremise",
+ "subnet": "OnPremise",
+ "create-eip": false,
+ "create-cgw": false
+ },
+ {
+ "name": "FWMgmt",
+ "subnet": "FWMgmt",
+ "create-eip": false,
+ "create-cgw": false
+ },
+ {
+ "name": "Proxy",
+ "subnet": "Proxy",
+ "create-eip": false,
+ "create-cgw": false
+ }
+ ],
+ "license": ["firewall/license1.lic", "firewall/license2.lic"],
+ "config": "firewall/firewall-example.txt",
+ "fw-cgw-name": "Perimeter_fw",
+ "fw-cgw-asn": 65523,
+ "fw-cgw-routing": "Dynamic",
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "name": "TGW-to-Perimeter",
+ "associate-type": "VPN",
+ "tgw-rt-associate": ["core"],
+ "tgw-rt-propagate": ["core", "segregated", "shared", "standalone"],
+ "blackhole-route": false,
+ "attach-subnets": [],
+ "options": ["DNS-support"]
+ }
+ }
+ ],
+ "firewall-manager": {
+ "name": "FirewallMgr",
+ "image-id": "ami-06fa2a9e6f8fae9f2",
+ "instance-sizes": "c5.large",
+ "version": "6.2.3",
+ "region": "ca-central-1",
+ "vpc": "Perimeter",
+ "security-group": "FirewallMgr",
+ "subnet": {
+ "name": "FWMgmt",
+ "az": "a"
+ },
+ "create-eip": true
+ }
+ }
+ },
+ "master": {
+ "account-name": "primary",
+ "email": "myemail+pbmmT-master@example.com---------------------REPLACE----------------------",
+ "ou": "core",
+ "share-mad-from": "",
+ "src-filename": "config.json",
+ "budget": {
+ "name": "Organization Budget",
+ "period": "Monthly",
+ "amount": 10000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "log-retention": 180,
+ "limits": {
+ "AWS Organizations/Maximum accounts": {
+ "value": 20
+ }
+ },
+ "iam": {
+ "users": [
+ {
+ "user-ids": ["bgUser1", "bgUser2"],
+ "group": "BreakGlassAdmins",
+ "policies": ["AdministratorAccess"],
+ "boundary-policy": "Default-Boundary-Policy"
+ },
+ {
+ "user-ids": ["OpsUser1", "OpsUser2"],
+ "group": "OpsAdmins",
+ "policies": ["AdministratorAccess"],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": []
+ },
+ "vpc": [
+ {
+ "deploy": "local",
+ "name": "ForSSO",
+ "cidr": "10.249.1.0/24",
+ "region": "ca-central-1",
+ "use-central-endpoints": false,
+ "flow-logs": "S3",
+ "igw": false,
+ "vgw": false,
+ "pcx": false,
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "ForSSO",
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "ForSSO_Shared",
+ "cidr": "10.249.1.0/27"
+ },
+ {
+ "az": "b",
+ "route-table": "ForSSO_Shared",
+ "cidr": "10.249.1.32/27"
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": [],
+ "route-tables": [
+ {
+ "name": "ForSSO_Shared",
+ "routes": [
+ {
+ "destination": {
+ "account": "shared-network",
+ "vpc": "Central",
+ "subnet": "GCWide"
+ },
+ "target": "pcx"
+ }
+ ]
+ }
+ ],
+ "tgw-attach": false,
+ "interface-endpoints": false
+ }
+ ],
+ "deployments": {
+ "adc": {
+ "deploy": true,
+ "vpc-name": "ForSSO",
+ "subnet": "ForSSO",
+ "size": "Small",
+ "restrict_srcips": ["10.249.1.0/24", "100.96.252.0/23"],
+ "connect-account-key": "operations",
+ "connect-dir-id": 1001
+ }
+ }
+ },
+ "log-archive": {
+ "account-name": "log-archive",
+ "ou": "core",
+ "email": "myemail+pbmmT-log@example.com---------------------REPLACE----------------------",
+ "src-filename": "config.json"
+ },
+ "security": {
+ "account-name": "security",
+ "ou": "core",
+ "email": "myemail+pbmmT-sec@example.com---------------------REPLACE----------------------",
+ "src-filename": "config.json"
+ }
+ },
+ "workload-account-configs": {
+ "fun-acct": {
+ "account-name": "TheFunAccount",
+ "email": "myemail+pbmmT-funacct@example.com---------------------REPLACE----------------------",
+ "src-filename": "config.json",
+ "ou": "Sandbox"
+ },
+ "mydevacct1": {
+ "account-name": "MyDev1",
+ "email": "myemail+pbmmT-dev1@example.com---------------------REPLACE----------------------",
+ "src-filename": "config.json",
+ "ou": "Dev"
+ }
+ },
+ "organizational-units": {
+ "core": {
+ "type": "ignore",
+ "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
+ "default-budgets": {
+ "name": "Default Core Budget",
+ "period": "Monthly",
+ "amount": 1000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ }
+ },
+ "Central": {
+ "type": "mandatory",
+ "share-mad-from": "operations",
+ "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
+ "default-budgets": {
+ "name": "Default Central Budget",
+ "period": "Monthly",
+ "amount": 500,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "vpc": [
+ {
+ "deploy": "shared-network",
+ "name": "Central",
+ "cidr": "10.1.0.0/16",
+ "cidr2": "100.96.252.0/23",
+ "region": "ca-central-1",
+ "use-central-endpoints": true,
+ "flow-logs": "BOTH",
+ "igw": false,
+ "vgw": false,
+ "pcx": {
+ "source": "master",
+ "source-vpc": "ForSSO",
+ "source-subnets": "ForSSO",
+ "local-subnets": "GCWide"
+ },
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "TGW",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.88.0/27"
+ },
+ {
+ "az": "b",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.88.32/27"
+ },
+ {
+ "az": "d",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.88.64/27",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": ["operations"],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.32.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.128.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.192.0/20",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": ["operations"],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.0.0/19"
+ },
+ {
+ "az": "b",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.96.0/19"
+ },
+ {
+ "az": "d",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.160.0/19",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": ["operations"],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.48.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.144.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.208.0/20",
+ "disabled": true
+ }
+ ],
+ "nacls": [
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": true,
+ "cidr-blocks": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": true,
+ "cidr-blocks": ["0.0.0.0/0"]
+ },
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": false,
+ "cidr-blocks": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": false,
+ "cidr-blocks": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Mgmt",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": ["operations"],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.64.0/21"
+ },
+ {
+ "az": "b",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.72.0/21"
+ },
+ {
+ "az": "d",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.80.0/21",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "GCWide",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": ["operations"],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "CentralVPC_GCWide",
+ "cidr2": "100.96.252.0/25"
+ },
+ {
+ "az": "b",
+ "route-table": "CentralVPC_GCWide",
+ "cidr2": "100.96.252.128/25"
+ },
+ {
+ "az": "d",
+ "route-table": "CentralVPC_GCWide",
+ "cidr2": "100.96.253.0/25",
+ "disabled": true
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": ["s3", "dynamodb"],
+ "route-tables": [
+ {
+ "name": "CentralVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ },
+ {
+ "destination": "DynamoDB",
+ "target": "DynamoDB"
+ }
+ ]
+ },
+ {
+ "name": "CentralVPC_GCWide",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ },
+ {
+ "destination": "DynamoDB",
+ "target": "DynamoDB"
+ },
+ {
+ "destination": {
+ "account": "master",
+ "vpc": "ForSSO",
+ "subnet": "ForSSO"
+ },
+ "target": "pcx"
+ }
+ ]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Mgmt",
+ "inbound-rules": [
+ {
+ "description": "Mgmt RDP/SSH Traffic Inbound",
+ "type": ["RDP", "SSH"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "inbound-rules": [
+ {
+ "description": "World Web Traffic Inbound",
+ "type": ["HTTP", "HTTPS"],
+ "source": ["0.0.0.0/0"]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "inbound-rules": [
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local Web Tier Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Web"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "inbound-rules": [
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local App DB Traffic Inbound",
+ "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Data"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": ["shared"],
+ "tgw-rt-propagate": ["core", "shared", "segregated"],
+ "blackhole-route": false,
+ "attach-subnets": ["TGW"],
+ "options": ["DNS-support"]
+ },
+ "interface-endpoints": false
+ }
+ ],
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ }
+ },
+ "Dev": {
+ "type": "workload",
+ "share-mad-from": "operations",
+ "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
+ "default-budgets": {
+ "name": "Default Dev Budget",
+ "period": "Monthly",
+ "amount": 2000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "certificates": [
+ {
+ "name": "DevSelf-SignedCert",
+ "type": "import",
+ "priv-key": "certs/example1-cert.key",
+ "cert": "certs/example1-cert.crt"
+ }
+ ],
+ "alb": [
+ {
+ "name": "Core",
+ "scheme": "internal",
+ "action-type": "forward",
+ "ip-type": "ipv4",
+ "listeners": "HTTPS",
+ "ports": 443,
+ "vpc": "Dev",
+ "subnets": "Web",
+ "cert-name": "DevSelf-SignedCert",
+ "cert-arn": "",
+ "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
+ "security-group": "Web",
+ "tg-stickiness": "",
+ "access-logs": true,
+ "targets": [
+ {
+ "target-name": "health-check-Lambda",
+ "target-type": "lambda",
+ "health-check-path": "/health-check",
+ "lambda-filename": "internal-dev-alb-lambda.txt"
+ }
+ ]
+ }
+ ],
+ "vpc": [
+ {
+ "deploy": "shared-network",
+ "name": "Dev",
+ "cidr": "10.2.0.0/16",
+ "region": "ca-central-1",
+ "use-central-endpoints": true,
+ "flow-logs": "S3",
+ "igw": false,
+ "vgw": false,
+ "pcx": false,
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "TGW",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.88.0/27"
+ },
+ {
+ "az": "b",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.88.32/27"
+ },
+ {
+ "az": "d",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.88.64/27",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.32.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.128.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.192.0/20",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.0.0/19"
+ },
+ {
+ "az": "b",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.96.0/19"
+ },
+ {
+ "az": "d",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.160.0/19",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.48.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.144.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.208.0/20",
+ "disabled": true
+ }
+ ],
+ "nacls": [
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": true,
+ "cidr-blocks": [
+ {
+ "vpc": "Dev",
+ "subnet": ["Web"]
+ },
+ {
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": true,
+ "cidr-blocks": ["0.0.0.0/0"]
+ },
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": false,
+ "cidr-blocks": [
+ {
+ "vpc": "Dev",
+ "subnet": ["Web"]
+ },
+ {
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": false,
+ "cidr-blocks": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Mgmt",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.64.0/21"
+ },
+ {
+ "az": "b",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.72.0/21"
+ },
+ {
+ "az": "d",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.80.0/21",
+ "disabled": true
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": ["s3", "dynamodb"],
+ "route-tables": [
+ {
+ "name": "DevVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ },
+ {
+ "destination": "DynamoDB",
+ "target": "DynamoDB"
+ }
+ ]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Mgmt",
+ "inbound-rules": [
+ {
+ "description": "Mgmt RDP/SSH Traffic Inbound",
+ "type": ["RDP", "SSH"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "inbound-rules": [
+ {
+ "description": "World Web Traffic Inbound",
+ "type": ["HTTP", "HTTPS"],
+ "source": ["0.0.0.0/0"]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local Web Tier Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Web"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local App DB Traffic Inbound",
+ "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Data"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": ["segregated"],
+ "tgw-rt-propagate": ["core", "shared"],
+ "blackhole-route": true,
+ "attach-subnets": ["TGW"],
+ "options": ["DNS-support"]
+ },
+ "interface-endpoints": false
+ }
+ ],
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ }
+ },
+ "Test": {
+ "type": "workload",
+ "share-mad-from": "operations",
+ "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
+ "default-budgets": {
+ "name": "Default Test Budget",
+ "period": "Monthly",
+ "amount": 1000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "certificates": [
+ {
+ "name": "TestSelf-SignedCert",
+ "type": "import",
+ "priv-key": "certs/example1-cert.key",
+ "cert": "certs/example1-cert.crt"
+ }
+ ],
+ "alb": [
+ {
+ "name": "Core",
+ "scheme": "internal",
+ "action-type": "forward",
+ "ip-type": "ipv4",
+ "listeners": "HTTPS",
+ "ports": 443,
+ "vpc": "Test",
+ "subnets": "Web",
+ "cert-name": "TestSelf-SignedCert",
+ "cert-arn": "",
+ "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
+ "security-group": "Web",
+ "tg-stickiness": "",
+ "access-logs": true,
+ "targets": [
+ {
+ "target-name": "health-check-Lambda",
+ "target-type": "lambda",
+ "health-check-path": "/health-check",
+ "lambda-filename": "internal-test-alb-lambda.txt"
+ }
+ ]
+ }
+ ],
+ "vpc": [
+ {
+ "deploy": "shared-network",
+ "name": "Test",
+ "cidr": "10.3.0.0/16",
+ "region": "ca-central-1",
+ "use-central-endpoints": true,
+ "flow-logs": "CWL",
+ "igw": false,
+ "vgw": false,
+ "pcx": false,
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "TGW",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.88.0/27"
+ },
+ {
+ "az": "b",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.88.32/27"
+ },
+ {
+ "az": "d",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.88.64/27",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.32.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.128.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.192.0/20",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.0.0/19"
+ },
+ {
+ "az": "b",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.96.0/19"
+ },
+ {
+ "az": "d",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.160.0/19",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.48.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.144.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.208.0/20",
+ "disabled": true
+ }
+ ],
+ "nacls": [
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": true,
+ "cidr-blocks": [
+ {
+ "vpc": "Test",
+ "subnet": ["Web"]
+ },
+ {
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": true,
+ "cidr-blocks": ["0.0.0.0/0"]
+ },
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": false,
+ "cidr-blocks": [
+ {
+ "vpc": "Test",
+ "subnet": ["Web"]
+ },
+ {
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": false,
+ "cidr-blocks": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Mgmt",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.64.0/21"
+ },
+ {
+ "az": "b",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.72.0/21"
+ },
+ {
+ "az": "d",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.80.0/21",
+ "disabled": true
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": ["s3", "dynamodb"],
+ "route-tables": [
+ {
+ "name": "TestVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ },
+ {
+ "destination": "DynamoDB",
+ "target": "DynamoDB"
+ }
+ ]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Mgmt",
+ "inbound-rules": [
+ {
+ "description": "Mgmt RDP/SSH Traffic Inbound",
+ "type": ["RDP", "SSH"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "inbound-rules": [
+ {
+ "description": "World Web Traffic Inbound",
+ "type": ["HTTP", "HTTPS"],
+ "source": ["0.0.0.0/0"]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local Web Tier Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Web"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local App DB Traffic Inbound",
+ "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Data"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": ["segregated"],
+ "tgw-rt-propagate": ["core", "shared"],
+ "blackhole-route": true,
+ "attach-subnets": ["TGW"],
+ "options": ["DNS-support"]
+ },
+ "interface-endpoints": false
+ }
+ ],
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ }
+ },
+ "Prod": {
+ "type": "workload",
+ "share-mad-from": "operations",
+ "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
+ "default-budgets": {
+ "name": "Default Prod Budget",
+ "period": "Monthly",
+ "amount": 1000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "certificates": [
+ {
+ "name": "ProdSelf-SignedCert",
+ "type": "import",
+ "priv-key": "certs/example1-cert.key",
+ "cert": "certs/example1-cert.crt"
+ }
+ ],
+ "alb": [
+ {
+ "name": "Core",
+ "scheme": "internal",
+ "action-type": "forward",
+ "ip-type": "ipv4",
+ "listeners": "HTTPS",
+ "ports": 443,
+ "vpc": "Prod",
+ "subnets": "Web",
+ "cert-name": "ProdSelf-SignedCert",
+ "cert-arn": "",
+ "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
+ "security-group": "Web",
+ "tg-stickiness": "",
+ "access-logs": true,
+ "targets": [
+ {
+ "target-name": "health-check-Lambda",
+ "target-type": "lambda",
+ "health-check-path": "/health-check",
+ "lambda-filename": "internal-prod-alb-lambda.txt"
+ }
+ ]
+ }
+ ],
+ "vpc": [
+ {
+ "deploy": "shared-network",
+ "name": "Prod",
+ "cidr": "10.4.0.0/16",
+ "region": "ca-central-1",
+ "use-central-endpoints": true,
+ "flow-logs": "CWL",
+ "igw": false,
+ "vgw": false,
+ "pcx": false,
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "TGW",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.88.0/27"
+ },
+ {
+ "az": "b",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.88.32/27"
+ },
+ {
+ "az": "d",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.88.64/27",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.32.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.128.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.192.0/20",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.0.0/19"
+ },
+ {
+ "az": "b",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.96.0/19"
+ },
+ {
+ "az": "d",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.160.0/19",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.48.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.144.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.208.0/20",
+ "disabled": true
+ }
+ ],
+ "nacls": [
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": true,
+ "cidr-blocks": [
+ {
+ "vpc": "Prod",
+ "subnet": ["Web"]
+ },
+ {
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": true,
+ "cidr-blocks": ["0.0.0.0/0"]
+ },
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": false,
+ "cidr-blocks": [
+ {
+ "vpc": "Prod",
+ "subnet": ["Web"]
+ },
+ {
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": false,
+ "cidr-blocks": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Mgmt",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.64.0/21"
+ },
+ {
+ "az": "b",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.72.0/21"
+ },
+ {
+ "az": "d",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.80.0/21",
+ "disabled": true
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": ["s3", "dynamodb"],
+ "route-tables": [
+ {
+ "name": "ProdVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ },
+ {
+ "destination": "DynamoDB",
+ "target": "DynamoDB"
+ }
+ ]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Mgmt",
+ "inbound-rules": [
+ {
+ "description": "Mgmt RDP/SSH Traffic Inbound",
+ "type": ["RDP", "SSH"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "inbound-rules": [
+ {
+ "description": "World Web Traffic Inbound",
+ "type": ["HTTP", "HTTPS"],
+ "source": ["0.0.0.0/0"]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local Web Tier Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Web"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local App DB Traffic Inbound",
+ "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Data"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": ["segregated"],
+ "tgw-rt-propagate": ["core", "shared"],
+ "blackhole-route": true,
+ "attach-subnets": ["TGW"],
+ "options": ["DNS-support"]
+ },
+ "interface-endpoints": false
+ }
+ ],
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ }
+ },
+ "Sandbox": {
+ "type": "workload",
+ "share-mad-from": "",
+ "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-Unclass-Only"],
+ "default-budgets": {
+ "name": "Default Sandbox Budget",
+ "period": "Monthly",
+ "amount": 200,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "vpc": [
+ {
+ "deploy": "local",
+ "name": "Sandbox",
+ "cidr": "10.6.0.0/16",
+ "region": "ca-central-1",
+ "use-central-endpoints": false,
+ "flow-logs": "BOTH",
+ "igw": true,
+ "vgw": false,
+ "pcx": false,
+ "natgw": {
+ "subnet": {
+ "name": "Web",
+ "az": "a"
+ }
+ },
+ "subnets": [
+ {
+ "name": "Web",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "SandboxVPC_IGW",
+ "cidr": "10.6.32.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "SandboxVPC_IGW",
+ "cidr": "10.6.128.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "SandboxVPC_IGW",
+ "cidr": "10.6.192.0/20",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.0.0/19"
+ },
+ {
+ "az": "b",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.96.0/19"
+ },
+ {
+ "az": "d",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.160.0/19",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.48.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.144.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.208.0/20",
+ "disabled": true
+ }
+ ],
+ "nacls": [
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": true,
+ "cidr-blocks": [
+ {
+ "vpc": "Sandbox",
+ "subnet": ["Web"]
+ },
+ {
+ "account": "shared-network",
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": true,
+ "cidr-blocks": ["0.0.0.0/0"]
+ },
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": false,
+ "cidr-blocks": [
+ {
+ "vpc": "Sandbox",
+ "subnet": ["Web"]
+ },
+ {
+ "account": "shared-network",
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": false,
+ "cidr-blocks": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Mgmt",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.64.0/21"
+ },
+ {
+ "az": "b",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.72.0/21"
+ },
+ {
+ "az": "d",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.80.0/21",
+ "disabled": true
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": [],
+ "route-tables": [
+ {
+ "name": "SandboxVPC_IGW",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "IGW"
+ }
+ ]
+ },
+ {
+ "name": "SandboxVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "NATGW_Web_azA"
+ }
+ ]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Mgmt",
+ "inbound-rules": [
+ {
+ "description": "Mgmt RDP/SSH Traffic Inbound",
+ "type": ["RDP", "SSH"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "inbound-rules": [
+ {
+ "description": "World Web Traffic Inbound",
+ "type": ["HTTP", "HTTPS"],
+ "source": ["0.0.0.0/0"]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "inbound-rules": [
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local Web Tier Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Web"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "inbound-rules": [
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local App DB Traffic Inbound",
+ "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Data"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": false,
+ "interface-endpoints": false
+ }
+ ],
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/reference-artifacts/config.example.json b/reference-artifacts/config.example.json
index c8c8856ee..74681fd3d 100644
--- a/reference-artifacts/config.example.json
+++ b/reference-artifacts/config.example.json
@@ -1,4049 +1,4049 @@
-{
- "global-options": {
- "alz-minimum-version": "v2.3.1",
- "alz-baseline": true,
- "ct-baseline": false,
- "central-log-retention": 730,
- "default-log-retention": 90,
- "central-bucket": "AWSDOC-EXAMPLE-BUCKET",
- "organization-admin-role": "AWSCloudFormationStackSetExecutionRole",
- "default-cwl-retention": 731,
- "workloadaccounts-suffix" : 1,
- "workloadaccounts-prefix" : "config",
- "workloadaccounts-param-filename": "config.json",
- "ignored-ous": [],
- "supported-regions": [
- "ap-northeast-1",
- "ap-northeast-2",
- "ap-south-1",
- "ap-southeast-1",
- "ap-southeast-2",
- "ca-central-1",
- "eu-central-1",
- "eu-north-1",
- "eu-west-1",
- "eu-west-2",
- "eu-west-3",
- "sa-east-1",
- "us-east-1",
- "us-east-2",
- "us-west-1",
- "us-west-2"
- ],
- "keep-default-vpc-regions": [],
- "aws-org-master": {
- "account": "master",
- "region": "ca-central-1"
- },
- "central-security-services": {
- "account": "security",
- "region": "ca-central-1",
- "security-hub": true,
- "security-hub-excl-regions": [],
- "guardduty": true,
- "guardduty-excl-regions": [],
- "cwl": true,
- "access-analyzer": true,
- "config-excl-regions": [],
- "config-aggr-excl-regions": [],
- "macie": true,
- "macie-excl-regions": [],
- "macie-frequency": "FIFTEEN_MINUTES"
- },
- "central-operations-services": {
- "account": "operations",
- "region": "ca-central-1",
- "cwl": true,
- "cwl-access-level": "full"
- },
- "central-log-services": {
- "account": "log-archive",
- "region": "ca-central-1",
- "cwl-glbl-exclusions": [],
- "cwl-exclusions": [],
- "ssm-to-s3": true,
- "ssm-to-cwl": true
- },
- "reports": {
- "cost-and-usage-report": {
- "additional-schema-elements": ["RESOURCES"],
- "compression": "Parquet",
- "format": "Parquet",
- "report-name": "Cost-and-Usage-Report",
- "s3-prefix": "cur",
- "time-unit": "HOURLY",
- "additional-artifacts": ["ATHENA"],
- "refresh-closed-reports": true,
- "report-versioning": "OVERWRITE_REPORT"
- }
- },
- "conformance-packs": [
- {
- "gc-pack": {
- "install": true,
- "auto-remediation": true,
- "monitoring": true,
- "frequency": 24
- }
- }
- ],
- "zones": {
- "account": "shared-network",
- "resolver-vpc": "Endpoint",
- "names": {
- "public": ["dept.cloud-nuage.canada.ca"],
- "private": ["dept.cloud-nuage.gc.ca"]
- }
- },
- "vpc-flow-logs": {
- "filter": "ALL",
- "interval": 60,
- "default-format": false,
- "custom-fields": [
- "version",
- "account-id",
- "interface-id",
- "srcaddr",
- "dstaddr",
- "srcport",
- "dstport",
- "protocol",
- "packets",
- "bytes",
- "start",
- "end",
- "action",
- "log-status",
- "vpc-id",
- "subnet-id",
- "instance-id",
- "tcp-flags",
- "type",
- "pkt-srcaddr",
- "pkt-dstaddr",
- "region",
- "az-id"
- ]
- },
- "security-hub-frameworks": {
- "standards": [
- {
- "name": "AWS Foundational Security Best Practices v1.0.0",
- "controls-to-disable": ["IAM.1"]
- },
- {
- "name": "PCI DSS v3.2.1",
- "controls-to-disable": ["PCI.IAM.3", "PCI.KMS.1", "PCI.S3.3", "PCI.EC2.3", "PCI.Lambda.2"]
- },
- {
- "name": "CIS AWS Foundations Benchmark v1.2.0",
- "controls-to-disable": ["CIS.1.20", "CIS.1.22", "CIS.2.8"]
- }
- ]
- },
- "iam-password-policies": {
- "allow-users-to-change-password": true,
- "hard-expiry": false,
- "require-uppercase-characters": true,
- "require-lowercase-characters": true,
- "require-symbols": true,
- "require-numbers": true,
- "minimum-password-length": 14,
- "password-reuse-prevention": 24,
- "max-password-age": 90
- },
- "scps": [
- {
- "name": "ALZ-Core",
- "description": "ALZ Core Preventive Guardrails",
- "policy": "aws-landing-zone-core-mandatory-preventive-guardrails-Accel.json"
- },
- {
- "name": "ALZ-Non-Core",
- "description": "ALZ Non-core Preventive Guardrails",
- "policy": "aws-landing-zone-non-core-mandatory-preventive-guardrails-Accel.json"
- },
- {
- "name": "Guardrails-Part-1",
- "description": "PBMMAccel Guardrails Part 1",
- "policy": "PBMMAccel-Guardrails-Part1.json"
- },
- {
- "name": "Guardrails-Part-2",
- "description": "PBMMAccel Guardrails Part 2",
- "policy": "PBMMAccel-Guardrails-Part2.json"
- },
- {
- "name": "Guardrails-PBMM-Only",
- "description": "PBMMAccel Guardrails PBMM Environment Specific",
- "policy": "PBMMAccel-Guardrails-PBMM-Only.json"
- },
- {
- "name": "Guardrails-Unclass-Only",
- "description": "PBMMAccel Guardrails Unclassified Environment Specific",
- "policy": "PBMMAccel-Guardrails-Unclass-Only.json"
- },
- {
- "name": "Quarantine-New-Object",
- "description": "PBMM Quarantine policy - Apply to ACCOUNTS that need to be quarantined",
- "policy": "Quarantine-New-Object.json"
- }
- ]
- },
- "mandatory-account-configs": {
- "shared-network": {
- "account-name": "SharedNetwork",
- "email": "myemail+pbmmT-network@example.com---------------------REPLACE----------------------",
- "ou": "core",
- "share-mad-from": "operations",
- "src-filename": "config.json",
- "budget": {
- "name": "SharedNetwork Budget",
- "period": "Monthly",
- "amount": 2000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- },
- "limits": {
- "Amazon VPC/Interface VPC endpoints per VPC": {
- "value": 90,
- "customer-confirm-inplace": false
- },
- "Amazon VPC/VPCs per Region": {
- "value": 15
- }
- },
- "vpc": [
- {
- "deploy": "local",
- "name": "Endpoint",
- "cidr": "10.7.0.0/22",
- "region": "ca-central-1",
- "use-central-endpoints": false,
- "flow-logs": "S3",
- "igw": false,
- "vgw": false,
- "pcx": false,
- "natgw": false,
- "subnets": [
- {
- "name": "Endpoint",
- "definitions": [
- {
- "az": "a",
- "route-table": "EndpointVPC_Common",
- "cidr": "10.7.0.0/24"
- },
- {
- "az": "b",
- "route-table": "EndpointVPC_Common",
- "cidr": "10.7.1.0/24"
- }
- ]
- }
- ],
- "gateway-endpoints": [],
- "route-tables": [
- {
- "name": "EndpointVPC_Common",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "TGW"
- }
- ]
- }
- ],
- "tgw-attach": {
- "associate-to-tgw": "Main",
- "account": "shared-network",
- "associate-type": "ATTACH",
- "tgw-rt-associate": ["core"],
- "tgw-rt-propagate": ["core", "segregated", "shared", "standalone"],
- "blackhole-route": false,
- "attach-subnets": ["Endpoint"],
- "options": ["DNS-support"]
- },
- "interface-endpoints": {
- "subnet": "Endpoint",
- "endpoints": [
- "ec2",
- "ec2messages",
- "ssm",
- "ssmmessages",
- "secretsmanager",
- "cloudformation",
- "access-analyzer",
- "application-autoscaling",
- "appmesh-envoy-management",
- "athena",
- "autoscaling",
- "autoscaling-plans",
- "clouddirectory",
- "cloudtrail",
- "codebuild",
- "codecommit",
- "codecommit-fips",
- "codepipeline",
- "config",
- "datasync",
- "ecr.dkr",
- "ecs",
- "ecs-agent",
- "ecs-telemetry",
- "elasticfilesystem",
- "elasticfilesystem-fips",
- "elasticloadbalancing",
- "elasticmapreduce",
- "events",
- "execute-api",
- "git-codecommit",
- "git-codecommit-fips",
- "glue",
- "kinesis-streams",
- "kms",
- "logs",
- "monitoring",
- "sagemaker.api",
- "sagemaker.runtime",
- "servicecatalog",
- "sms",
- "sns",
- "sqs",
- "storagegateway",
- "sts",
- "transfer",
- "workspaces",
- "awsconnector",
- "ecr.api",
- "kinesis-firehose",
- "states",
- "acm-pca",
- "cassandra",
- "ebs",
- "elasticbeanstalk",
- "elasticbeanstalk-health",
- "email-smtp",
- "license-manager",
- "macie2",
- "notebook",
- "synthetics",
- "transfer.server"
- ]
- },
- "resolvers": {
- "subnet": "Endpoint",
- "outbound": true,
- "inbound": true
- },
- "on-premise-rules": [
- {
- "zone": "dept-private.gc.ca",
- "outbound-ips": ["10.254.254.1", "10.254.253.1"]
- },
- {
- "zone": "private-domain1.example.ca",
- "outbound-ips": ["10.254.254.1", "10.254.253.1"]
- }
- ]
- }
- ],
- "deployments": {
- "tgw": [
- {
- "name": "Main",
- "asn": 65521,
- "region": "ca-central-1",
- "features": {
- "DNS-support": true,
- "VPN-ECMP-support": true,
- "Default-route-table-association": false,
- "Default-route-table-propagation": false,
- "Auto-accept-sharing-attachments": true
- },
- "route-tables": ["core", "segregated", "shared", "standalone"]
- }
- ]
- }
- },
- "operations": {
- "account-name": "Operations",
- "email": "myemail+pbmmT-operations@example.com---------------------REPLACE----------------------",
- "ou": "core",
- "account-warming-required": true,
- "limits": {},
- "src-filename": "config.json",
- "share-mad-from": "",
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- },
- {
- "policy-name": "PBMMAccel-RDGW-Custom-Policy",
- "policy": "pbmmaccel-rdgw-custom-policies.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- },
- {
- "role": "PBMMAccel-RDGW-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy",
- "PBMMAccel-RDGW-Custom-Policy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- },
- {
- "role": "PBMMAccel-Rsyslog-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "CloudWatchAgentServerPolicy",
- "AmazonS3ReadOnlyAccess"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- },
- "deployments": {
- "mad": {
- "dir-id": 1001,
- "deploy": true,
- "vpc-name": "Central",
- "region": "ca-central-1",
- "subnet": "GCWide",
- "size": "Enterprise",
- "dns-domain": "example.local",
- "netbios-domain": "example",
- "central-resolver-rule-account": "shared-network",
- "central-resolver-rule-vpc": "Endpoint",
- "log-group-name": "/PBMMAccel/MAD/example.local",
- "share-to-account": "master",
- "restrict_srcips": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"],
- "num-rdgw-hosts": 1,
- "min-rdgw-hosts": 1,
- "max-rdgw-hosts": 2,
- "rdgw-max-instance-age": 30,
- "rdgw-instance-type": "t2.large",
- "rdgw-instance-role": "PBMMAccel-RDGW-Role",
- "password-policies": {
- "history": 24,
- "max-age": 90,
- "min-age": 1,
- "min-len": 12,
- "complexity": true,
- "reversible": false,
- "failed-attempts": 6,
- "lockout-duration": 30,
- "lockout-attempts-reset": 30
- },
- "ad-groups": ["aws-Provisioning", "aws-Billing"],
- "ad-per-account-groups": ["*-Admin", "*-PowerUser", "*-View"],
- "adc-group": "ADConnector-grp",
- "ad-users": [
- {
- "user": "adconnector-usr",
- "email": "myemail+pbmmT-adc-usr@example.com",
- "groups": ["ADConnector-grp"]
- },
- {
- "user": "User1",
- "email": "myemail+pbmmT-User1@example.com",
- "groups": ["aws-Provisioning", "*-View", "*-Admin", "*-PowerUser", "AWS Delegated Administrators"]
- },
- {
- "user": "User2",
- "email": "myemail+pbmmT-User2@example.com",
- "groups": ["*-View"]
- }
- ],
- "security-groups": [
- {
- "name": "RemoteDesktopGatewaySG",
- "inbound-rules": [
- {
- "description": "Allow RDP Traffic Inbound",
- "type": ["RDP"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ]
- },
- "rsyslog": {
- "deploy": true,
- "vpc-name": "Central",
- "region": "ca-central-1",
- "log-group-name": "rsyslog/var/log/messages",
- "security-groups": [
- {
- "name": "rsyslog",
- "inbound-rules": [
- {
- "description": "Allow Traffic Inbound",
- "tcp-ports": [514],
- "udp-ports": [514],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "app-subnets": [
- {
- "name": "App",
- "az": "a"
- },
- {
- "name": "App",
- "az": "b"
- }
- ],
- "web-subnets": [
- {
- "name": "Web",
- "az": "a"
- },
- {
- "name": "Web",
- "az": "b"
- }
- ],
- "min-rsyslog-hosts": 1,
- "desired-rsyslog-hosts": 2,
- "max-rsyslog-hosts": 2,
- "ssm-image-id": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",
- "rsyslog-instance-type": "t2.large",
- "rsyslog-instance-role": "PBMMAccel-Rsyslog-Role",
- "rsyslog-root-volume-size": 100,
- "rsyslog-max-instance-age": 30
- }
- }
- },
- "perimeter": {
- "account-name": "Perimeter",
- "email": "myemail+pbmmT-perimeter@example.com---------------------REPLACE----------------------",
- "ou": "core",
- "account-warming-required": true,
- "src-filename": "config.json",
- "limits": {
- "Amazon EC2/Number of EIPs": {
- "value": 5,
- "customer-confirm-inplace": false
- }
- },
- "share-mad-from": "",
- "budget": {
- "name": "Perimeter Budget",
- "period": "Monthly",
- "amount": 2000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "certificates": [
- {
- "name": "PerimSelf-SignedCert",
- "type": "import",
- "priv-key": "certs/example1-cert.key",
- "cert": "certs/example1-cert.crt"
- }
- ],
- "alb": [
- {
- "name": "Public-Prod",
- "scheme": "internet-facing",
- "action-type": "forward",
- "ip-type": "ipv4",
- "listeners": "HTTPS",
- "ports": 443,
- "vpc": "Perimeter",
- "subnets": "Public",
- "cert-name": "PerimSelf-SignedCert",
- "cert-arn": "",
- "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
- "security-group": "Public-Prod-ALB",
- "tg-stickiness": "1 hour",
- "target-alarms-notify": "AWS-Landing-Zone-Security-Notification",
- "target-alarms-when": "Minimum",
- "target-alarms-of": "Healthy Hosts",
- "target-alarms-is": "<",
- "target-alarms-Count": "2",
- "target-alarms-for": "5",
- "target-alarms-periods-of": "1",
- "access-logs": true,
- "targets": [
- {
- "target-name": "FG1-Web-azA",
- "target-type": "instance",
- "protocol": "HTTPS",
- "port": 7001,
- "health-check-protocol": "HTTPS",
- "health-check-path": "/health-check",
- "health-check-port": 7001,
- "lambda-filename": "",
- "target-instances": [
- {
- "target": "firewall",
- "name": "Firewall",
- "az": "a"
- }
- ],
- "tg-weight": 1
- },
- {
- "target-name": "FG1-Web-azB",
- "target-type": "instance",
- "protocol": "HTTPS",
- "port": 7001,
- "health-check-protocol": "HTTPS",
- "health-check-path": "/health-check",
- "health-check-port": 7001,
- "lambda-filename": "",
- "target-instances": [
- {
- "target": "firewall",
- "name": "Firewall",
- "az": "b"
- }
- ],
- "tg-weight": 1
- }
- ]
- },
- {
- "name": "Public-DevTest",
- "scheme": "internet-facing",
- "action-type": "forward",
- "ip-type": "ipv4",
- "listeners": "HTTPS",
- "ports": 443,
- "vpc": "Perimeter",
- "subnets": "Public",
- "cert-name": "PerimSelf-SignedCert",
- "cert-arn": "",
- "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
- "security-group": "Public-DevTest-ALB",
- "tg-stickiness": "1 hour",
- "target-alarms-notify": "AWS-Landing-Zone-Security-Notification",
- "target-alarms-when": "Minimum",
- "target-alarms-of": "Healthy Hosts",
- "target-alarms-is": "<",
- "target-alarms-Count": "2",
- "target-alarms-for": "5",
- "target-alarms-periods-of": "1",
- "access-logs": true,
- "targets": [
- {
- "target-name": "FG1-Web-azA",
- "target-type": "instance",
- "protocol": "HTTPS",
- "port": 7002,
- "health-check-protocol": "HTTPS",
- "health-check-path": "/health-check",
- "health-check-port": 7002,
- "lambda-filename": "",
- "target-instances": [
- {
- "target": "firewall",
- "name": "Firewall",
- "az": "a"
- }
- ],
- "tg-weight": 1
- },
- {
- "target-name": "FG1-Web-azB",
- "target-type": "instance",
- "protocol": "HTTPS",
- "port": 7002,
- "health-check-protocol": "HTTPS",
- "health-check-path": "/health-check",
- "health-check-port": 7002,
- "lambda-filename": "",
- "target-instances": [
- {
- "target": "firewall",
- "name": "Firewall",
- "az": "b"
- }
- ],
- "tg-weight": 1
- }
- ]
- }
- ],
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- },
- {
- "policy-name": "Firewall-Policy",
- "policy": "firewall-fg-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- },
- {
- "role": "Firewall-Role",
- "type": "ec2",
- "policies": ["Firewall-Policy"],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- },
- "vpc": [
- {
- "deploy": "local",
- "name": "Perimeter",
- "cidr": "10.7.4.0/22",
- "cidr2": "100.96.250.0/23",
- "region": "ca-central-1",
- "use-central-endpoints": false,
- "flow-logs": "S3",
- "igw": true,
- "vgw": {
- "asn": 65522
- },
- "pcx": false,
- "natgw": false,
- "subnets": [
- {
- "name": "Public",
- "definitions": [
- {
- "az": "a",
- "route-table": "Public_Shared",
- "cidr": "100.96.250.0/26"
- },
- {
- "az": "b",
- "route-table": "Public_Shared",
- "cidr": "100.96.250.128/26"
- }
- ]
- },
- {
- "name": "FWMgmt",
- "definitions": [
- {
- "az": "a",
- "route-table": "FWMgmt_azA",
- "cidr": "100.96.251.32/27"
- },
- {
- "az": "b",
- "route-table": "FWMgmt_azB",
- "cidr": "100.96.251.160/27"
- }
- ]
- },
- {
- "name": "Proxy",
- "definitions": [
- {
- "az": "a",
- "route-table": "Proxy_azA",
- "cidr": "100.96.251.64/26"
- },
- {
- "az": "b",
- "route-table": "Proxy_azB",
- "cidr": "100.96.251.192/26"
- }
- ]
- },
- {
- "name": "OnPremise",
- "definitions": [
- {
- "az": "a",
- "route-table": "OnPremise_Shared",
- "cidr": "100.96.250.64/26"
- },
- {
- "az": "b",
- "route-table": "OnPremise_Shared",
- "cidr": "100.96.250.192/26"
- }
- ]
- },
- {
- "name": "Detonation",
- "definitions": [
- {
- "az": "a",
- "route-table": "Detonation_Shared",
- "cidr": "10.7.4.0/24"
- },
- {
- "az": "b",
- "route-table": "Detonation_Shared",
- "cidr": "10.7.5.0/24"
- }
- ]
- }
- ],
- "gateway-endpoints": ["s3"],
- "route-tables": [
- {
- "name": "OnPremise_Shared"
- },
- {
- "name": "Public_Shared",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "IGW"
- }
- ]
- },
- {
- "name": "FWMgmt_azA",
- "routes": [
- {
- "destination": "10.0.0.0/8",
- "target": "VGW"
- },
- {
- "destination": "0.0.0.0/0",
- "target": "firewall",
- "name": "Firewall",
- "az": "a",
- "port": "OnPremise"
- },
- {
- "destination": "s3",
- "target": "s3"
- }
- ]
- },
- {
- "name": "FWMgmt_azB",
- "routes": [
- {
- "destination": "10.0.0.0/8",
- "target": "VGW"
- },
- {
- "destination": "0.0.0.0/0",
- "target": "firewall",
- "name": "Firewall",
- "az": "b",
- "port": "OnPremise"
- },
- {
- "destination": "s3",
- "target": "s3"
- }
- ]
- },
- {
- "name": "Proxy_azA",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "firewall",
- "name": "Firewall",
- "az": "a",
- "port": "Proxy"
- }
- ]
- },
- {
- "name": "Proxy_azB",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "firewall",
- "name": "Firewall",
- "az": "b",
- "port": "Proxy"
- }
- ]
- },
- {
- "name": "Detonation_Shared"
- }
- ],
- "security-groups": [
- {
- "name": "Public-Prod-ALB",
- "inbound-rules": [
- {
- "description": "TLS Traffic Inbound",
- "type": ["HTTPS"],
- "source": ["0.0.0.0/0"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Public-DevTest-ALB",
- "inbound-rules": [
- {
- "description": "TLS Traffic Inbound",
- "type": ["HTTPS"],
- "source": ["0.0.0.0/0"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "FirewallMgr",
- "inbound-rules": [
- {
- "description": "Allow Mgmt Traffic Inbound",
- "tcp-ports": [22, 443, 514, 541, 2032, 3000, 5199, 6020, 6028, 8080],
- "udp-ports": [9443],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Firewalls",
- "inbound-rules": [
- {
- "description": "All Allowed Inbound Traffic",
- "tcp-ports": [22, 443, 541, 3000, 8080],
- "source": ["0.0.0.0/0"]
- },
- {
- "description": "Mgmt Traffic, Customer Outbound traffic and ALBs",
- "type": ["ALL"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "tgw-attach": false,
- "interface-endpoints": {
- "subnet": "Proxy",
- "endpoints": ["ssm", "ssmmessages", "ec2messages"]
- }
- }
- ],
- "deployments": {
- "firewalls": [
- {
- "name": "Firewall",
- "image-id": "ami-047aac44951feb9fb",
- "instance-sizes": "c5n.2xlarge",
- "region": "ca-central-1",
- "security-group": "Firewalls",
- "fw-instance-role": "Firewall-Role",
- "vpc": "Perimeter",
- "ports": [
- {
- "name": "Public",
- "subnet": "Public",
- "create-eip": true,
- "create-cgw": true
- },
- {
- "name": "OnPremise",
- "subnet": "OnPremise",
- "create-eip": false,
- "create-cgw": false
- },
- {
- "name": "FWMgmt",
- "subnet": "FWMgmt",
- "create-eip": false,
- "create-cgw": false
- },
- {
- "name": "Proxy",
- "subnet": "Proxy",
- "create-eip": false,
- "create-cgw": false
- }
- ],
- "license": ["firewall/license1.lic", "firewall/license2.lic"],
- "config": "firewall/firewall-example.txt",
- "fw-cgw-name": "Perimeter_fw",
- "fw-cgw-asn": 65523,
- "fw-cgw-routing": "Dynamic",
- "tgw-attach": {
- "associate-to-tgw": "Main",
- "account": "shared-network",
- "name": "TGW-to-Perimeter",
- "associate-type": "VPN",
- "tgw-rt-associate": ["core"],
- "tgw-rt-propagate": ["core", "segregated", "shared", "standalone"],
- "blackhole-route": false,
- "attach-subnets": [],
- "options": ["DNS-support"]
- }
- }
- ],
- "firewall-manager": {
- "name": "FirewallMgr",
- "image-id": "ami-06fa2a9e6f8fae9f2",
- "instance-sizes": "c5.large",
- "version": "6.2.3",
- "region": "ca-central-1",
- "vpc": "Perimeter",
- "security-group": "FirewallMgr",
- "subnet": {
- "name": "FWMgmt",
- "az": "a"
- },
- "create-eip": true
- }
- }
- },
- "master": {
- "account-name": "primary",
- "email": "myemail+pbmmT-master@example.com---------------------REPLACE----------------------",
- "ou": "core",
- "landing-zone-account-type": "primary",
- "share-mad-from": "operations",
- "src-filename": "config.json",
- "budget": {
- "name": "Organization Budget",
- "period": "Monthly",
- "amount": 10000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "log-retention": 180,
- "limits": {
- "AWS Organizations/Maximum accounts": {
- "value": 20
- }
- },
- "iam": {
- "users": [
- {
- "user-ids": ["bgUser1", "bgUser2"],
- "group": "BreakGlassAdmins",
- "policies": ["AdministratorAccess"],
- "boundary-policy": "Default-Boundary-Policy"
- },
- {
- "user-ids": ["OpsUser1", "OpsUser2"],
- "group": "OpsAdmins",
- "policies": ["AdministratorAccess"],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": []
- },
- "vpc": [
- {
- "deploy": "local",
- "name": "ForSSO",
- "cidr": "10.249.1.0/24",
- "region": "ca-central-1",
- "use-central-endpoints": false,
- "flow-logs": "S3",
- "igw": false,
- "vgw": false,
- "pcx": false,
- "natgw": false,
- "subnets": [
- {
- "name": "ForSSO",
- "definitions": [
- {
- "az": "a",
- "route-table": "ForSSO_Shared",
- "cidr": "10.249.1.0/27"
- },
- {
- "az": "b",
- "route-table": "ForSSO_Shared",
- "cidr": "10.249.1.32/27"
- }
- ]
- }
- ],
- "gateway-endpoints": [],
- "route-tables": [
- {
- "name": "ForSSO_Shared",
- "routes": [
- {
- "destination": {
- "account": "shared-network",
- "vpc": "Central",
- "subnet": "GCWide"
- },
- "target": "pcx"
- }
- ]
- }
- ],
- "tgw-attach": false,
- "interface-endpoints": false
- }
- ],
- "deployments": {
- "adc": {
- "deploy": true,
- "vpc-name": "ForSSO",
- "subnet": "ForSSO",
- "size": "Small",
- "restrict_srcips": ["10.249.1.0/24", "100.96.252.0/23"],
- "connect-account-key": "operations",
- "connect-dir-id": 1001
- },
- "sso": {
- "deploy": true
- }
- }
- },
- "log-archive": {
- "account-name": "log-archive",
- "ou": "core",
- "email": "myemail+pbmmT-log@example.com---------------------REPLACE----------------------",
- "src-filename": "config.json",
- "landing-zone-account-type": "log-archive"
- },
- "security": {
- "account-name": "security",
- "ou": "core",
- "email": "myemail+pbmmT-sec@example.com---------------------REPLACE----------------------",
- "src-filename": "config.json",
- "landing-zone-account-type": "security"
- },
- "shared-services": {
- "account-name": "shared-services",
- "ou": "core",
- "email": "myemail+pbmmT-ss@example.com---------------------REPLACE----------------------",
- "src-filename": "config.json",
- "landing-zone-account-type": "shared-services"
- }
- },
- "workload-account-configs": {
- "fun-acct": {
- "account-name": "TheFunAccount",
- "email": "myemail+pbmmT-funacct@example.com---------------------REPLACE----------------------",
- "src-filename": "config.json",
- "ou": "Sandbox"
- },
- "mydevacct1": {
- "account-name": "MyDev1",
- "email": "myemail+pbmmT-dev1@example.com---------------------REPLACE----------------------",
- "src-filename": "config.json",
- "ou": "Dev"
- }
- },
- "organizational-units": {
- "core": {
- "type": "ignore",
- "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
- "default-budgets": {
- "name": "Default Core Budget",
- "period": "Monthly",
- "amount": 1000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- }
- },
- "Central": {
- "type": "mandatory",
- "share-mad-from": "operations",
- "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
- "default-budgets": {
- "name": "Default Central Budget",
- "period": "Monthly",
- "amount": 500,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "certificates": [
- {
- "name": "CentralSelf-SignedCert",
- "type": "import",
- "priv-key": "certs/example1-cert.key",
- "cert": "certs/example1-cert.crt"
- }
- ],
- "vpc": [
- {
- "deploy": "shared-network",
- "name": "Central",
- "cidr": "10.1.0.0/16",
- "cidr2": "100.96.252.0/23",
- "region": "ca-central-1",
- "use-central-endpoints": true,
- "flow-logs": "BOTH",
- "igw": false,
- "vgw": false,
- "pcx": {
- "source": "master",
- "source-vpc": "ForSSO",
- "source-subnets": "ForSSO",
- "local-subnets": "GCWide"
- },
- "natgw": false,
- "subnets": [
- {
- "name": "TGW",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.88.0/27"
- },
- {
- "az": "b",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.88.32/27"
- },
- {
- "az": "d",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.88.64/27",
- "disabled": true
- }
- ]
- },
- {
- "name": "Web",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": ["operations"],
- "definitions": [
- {
- "az": "a",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.32.0/20"
- },
- {
- "az": "b",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.128.0/20"
- },
- {
- "az": "d",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.192.0/20",
- "disabled": true
- }
- ]
- },
- {
- "name": "App",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": ["operations"],
- "definitions": [
- {
- "az": "a",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.0.0/19"
- },
- {
- "az": "b",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.96.0/19"
- },
- {
- "az": "d",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.160.0/19",
- "disabled": true
- }
- ]
- },
- {
- "name": "Data",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": ["operations"],
- "definitions": [
- {
- "az": "a",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.48.0/20"
- },
- {
- "az": "b",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.144.0/20"
- },
- {
- "az": "d",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.208.0/20",
- "disabled": true
- }
- ],
- "nacls": [
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": true,
- "cidr-blocks": [
- {
- "vpc": "Central",
- "subnet": ["Web"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": true,
- "cidr-blocks": ["0.0.0.0/0"]
- },
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": false,
- "cidr-blocks": [
- {
- "vpc": "Central",
- "subnet": ["Web"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": false,
- "cidr-blocks": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Mgmt",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": ["operations"],
- "definitions": [
- {
- "az": "a",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.64.0/21"
- },
- {
- "az": "b",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.72.0/21"
- },
- {
- "az": "d",
- "route-table": "CentralVPC_Common",
- "cidr": "10.1.80.0/21",
- "disabled": true
- }
- ]
- },
- {
- "name": "GCWide",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": ["operations"],
- "definitions": [
- {
- "az": "a",
- "route-table": "CentralVPC_GCWide",
- "cidr2": "100.96.252.0/25"
- },
- {
- "az": "b",
- "route-table": "CentralVPC_GCWide",
- "cidr2": "100.96.252.128/25"
- },
- {
- "az": "d",
- "route-table": "CentralVPC_GCWide",
- "cidr2": "100.96.253.0/25",
- "disabled": true
- }
- ]
- }
- ],
- "gateway-endpoints": ["s3", "dynamodb"],
- "route-tables": [
- {
- "name": "CentralVPC_Common",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "TGW"
- },
- {
- "destination": "s3",
- "target": "s3"
- },
- {
- "destination": "DynamoDB",
- "target": "DynamoDB"
- }
- ]
- },
- {
- "name": "CentralVPC_GCWide",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "TGW"
- },
- {
- "destination": "s3",
- "target": "s3"
- },
- {
- "destination": "DynamoDB",
- "target": "DynamoDB"
- },
- {
- "destination": {
- "account": "master",
- "vpc": "ForSSO",
- "subnet": "ForSSO"
- },
- "target": "pcx"
- }
- ]
- }
- ],
- "security-groups": [
- {
- "name": "Mgmt",
- "inbound-rules": [
- {
- "description": "Mgmt RDP/SSH Traffic Inbound",
- "type": ["RDP", "SSH"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Web",
- "inbound-rules": [
- {
- "description": "World Web Traffic Inbound",
- "type": ["HTTP", "HTTPS"],
- "source": ["0.0.0.0/0"]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "App",
- "inbound-rules": [
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local Web Tier Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Web"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Data",
- "inbound-rules": [
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local App DB Traffic Inbound",
- "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Data"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "tgw-attach": {
- "associate-to-tgw": "Main",
- "account": "shared-network",
- "associate-type": "ATTACH",
- "tgw-rt-associate": ["shared"],
- "tgw-rt-propagate": ["core", "shared", "segregated"],
- "blackhole-route": false,
- "attach-subnets": ["TGW"],
- "options": ["DNS-support"]
- },
- "interface-endpoints": false
- }
- ],
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- }
- },
- "Dev": {
- "type": "workload",
- "share-mad-from": "operations",
- "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
- "default-budgets": {
- "name": "Default Dev Budget",
- "period": "Monthly",
- "amount": 2000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "certificates": [
- {
- "name": "DevSelf-SignedCert",
- "type": "import",
- "priv-key": "certs/example1-cert.key",
- "cert": "certs/example1-cert.crt"
- }
- ],
- "alb": [
- {
- "name": "Core",
- "scheme": "internal",
- "action-type": "forward",
- "ip-type": "ipv4",
- "listeners": "HTTPS",
- "ports": 443,
- "vpc": "Dev",
- "subnets": "Web",
- "cert-name": "DevSelf-SignedCert",
- "cert-arn": "",
- "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
- "security-group": "Web",
- "tg-stickiness": "",
- "access-logs": true,
- "targets": [
- {
- "target-name": "health-check-Lambda",
- "target-type": "lambda",
- "health-check-path": "/health-check",
- "lambda-filename": "internal-dev-alb-lambda.txt"
- }
- ]
- }
- ],
- "vpc": [
- {
- "deploy": "shared-network",
- "name": "Dev",
- "cidr": "10.2.0.0/16",
- "region": "ca-central-1",
- "use-central-endpoints": true,
- "flow-logs": "S3",
- "igw": false,
- "vgw": false,
- "pcx": false,
- "natgw": false,
- "subnets": [
- {
- "name": "TGW",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.88.0/27"
- },
- {
- "az": "b",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.88.32/27"
- },
- {
- "az": "d",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.88.64/27",
- "disabled": true
- }
- ]
- },
- {
- "name": "Web",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.32.0/20"
- },
- {
- "az": "b",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.128.0/20"
- },
- {
- "az": "d",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.192.0/20",
- "disabled": true
- }
- ]
- },
- {
- "name": "App",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.0.0/19"
- },
- {
- "az": "b",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.96.0/19"
- },
- {
- "az": "d",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.160.0/19",
- "disabled": true
- }
- ]
- },
- {
- "name": "Data",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.48.0/20"
- },
- {
- "az": "b",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.144.0/20"
- },
- {
- "az": "d",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.208.0/20",
- "disabled": true
- }
- ],
- "nacls": [
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": true,
- "cidr-blocks": [
- {
- "vpc": "Dev",
- "subnet": ["Web"]
- },
- {
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": true,
- "cidr-blocks": ["0.0.0.0/0"]
- },
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": false,
- "cidr-blocks": [
- {
- "vpc": "Dev",
- "subnet": ["Web"]
- },
- {
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": false,
- "cidr-blocks": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Mgmt",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.64.0/21"
- },
- {
- "az": "b",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.72.0/21"
- },
- {
- "az": "d",
- "route-table": "DevVPC_Common",
- "cidr": "10.2.80.0/21",
- "disabled": true
- }
- ]
- }
- ],
- "gateway-endpoints": ["s3", "dynamodb"],
- "route-tables": [
- {
- "name": "DevVPC_Common",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "TGW"
- },
- {
- "destination": "s3",
- "target": "s3"
- },
- {
- "destination": "DynamoDB",
- "target": "DynamoDB"
- }
- ]
- }
- ],
- "security-groups": [
- {
- "name": "Mgmt",
- "inbound-rules": [
- {
- "description": "Mgmt RDP/SSH Traffic Inbound",
- "type": ["RDP", "SSH"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- },
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Web",
- "inbound-rules": [
- {
- "description": "World Web Traffic Inbound",
- "type": ["HTTP", "HTTPS"],
- "source": ["0.0.0.0/0"]
- },
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "App",
- "inbound-rules": [
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local Web Tier Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Web"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Data",
- "inbound-rules": [
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local App DB Traffic Inbound",
- "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Data"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "tgw-attach": {
- "associate-to-tgw": "Main",
- "account": "shared-network",
- "associate-type": "ATTACH",
- "tgw-rt-associate": ["segregated"],
- "tgw-rt-propagate": ["core", "shared"],
- "blackhole-route": true,
- "attach-subnets": ["TGW"],
- "options": ["DNS-support"]
- },
- "interface-endpoints": false
- }
- ],
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- }
- },
- "Test": {
- "type": "workload",
- "share-mad-from": "operations",
- "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
- "default-budgets": {
- "name": "Default Test Budget",
- "period": "Monthly",
- "amount": 1000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "certificates": [
- {
- "name": "TestSelf-SignedCert",
- "type": "import",
- "priv-key": "certs/example1-cert.key",
- "cert": "certs/example1-cert.crt"
- }
- ],
- "alb": [
- {
- "name": "Core",
- "scheme": "internal",
- "action-type": "forward",
- "ip-type": "ipv4",
- "listeners": "HTTPS",
- "ports": 443,
- "vpc": "Test",
- "subnets": "Web",
- "cert-name": "TestSelf-SignedCert",
- "cert-arn": "",
- "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
- "security-group": "Web",
- "tg-stickiness": "",
- "access-logs": true,
- "targets": [
- {
- "target-name": "health-check-Lambda",
- "target-type": "lambda",
- "health-check-path": "/health-check",
- "lambda-filename": "internal-test-alb-lambda.txt"
- }
- ]
- }
- ],
- "vpc": [
- {
- "deploy": "shared-network",
- "name": "Test",
- "cidr": "10.3.0.0/16",
- "region": "ca-central-1",
- "use-central-endpoints": true,
- "flow-logs": "CWL",
- "igw": false,
- "vgw": false,
- "pcx": false,
- "natgw": false,
- "subnets": [
- {
- "name": "TGW",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.88.0/27"
- },
- {
- "az": "b",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.88.32/27"
- },
- {
- "az": "d",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.88.64/27",
- "disabled": true
- }
- ]
- },
- {
- "name": "Web",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.32.0/20"
- },
- {
- "az": "b",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.128.0/20"
- },
- {
- "az": "d",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.192.0/20",
- "disabled": true
- }
- ]
- },
- {
- "name": "App",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.0.0/19"
- },
- {
- "az": "b",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.96.0/19"
- },
- {
- "az": "d",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.160.0/19",
- "disabled": true
- }
- ]
- },
- {
- "name": "Data",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.48.0/20"
- },
- {
- "az": "b",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.144.0/20"
- },
- {
- "az": "d",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.208.0/20",
- "disabled": true
- }
- ],
- "nacls": [
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": true,
- "cidr-blocks": [
- {
- "vpc": "Test",
- "subnet": ["Web"]
- },
- {
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": true,
- "cidr-blocks": ["0.0.0.0/0"]
- },
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": false,
- "cidr-blocks": [
- {
- "vpc": "Test",
- "subnet": ["Web"]
- },
- {
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": false,
- "cidr-blocks": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Mgmt",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.64.0/21"
- },
- {
- "az": "b",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.72.0/21"
- },
- {
- "az": "d",
- "route-table": "TestVPC_Common",
- "cidr": "10.3.80.0/21",
- "disabled": true
- }
- ]
- }
- ],
- "gateway-endpoints": ["s3", "dynamodb"],
- "route-tables": [
- {
- "name": "TestVPC_Common",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "TGW"
- },
- {
- "destination": "s3",
- "target": "s3"
- },
- {
- "destination": "DynamoDB",
- "target": "DynamoDB"
- }
- ]
- }
- ],
- "security-groups": [
- {
- "name": "Mgmt",
- "inbound-rules": [
- {
- "description": "Mgmt RDP/SSH Traffic Inbound",
- "type": ["RDP", "SSH"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- },
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Web",
- "inbound-rules": [
- {
- "description": "World Web Traffic Inbound",
- "type": ["HTTP", "HTTPS"],
- "source": ["0.0.0.0/0"]
- },
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "App",
- "inbound-rules": [
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local Web Tier Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Web"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Data",
- "inbound-rules": [
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local App DB Traffic Inbound",
- "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Data"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "tgw-attach": {
- "associate-to-tgw": "Main",
- "account": "shared-network",
- "associate-type": "ATTACH",
- "tgw-rt-associate": ["segregated"],
- "tgw-rt-propagate": ["core", "shared"],
- "blackhole-route": true,
- "attach-subnets": ["TGW"],
- "options": ["DNS-support"]
- },
- "interface-endpoints": false
- }
- ],
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- }
- },
- "Prod": {
- "type": "workload",
- "share-mad-from": "operations",
- "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
- "default-budgets": {
- "name": "Default Prod Budget",
- "period": "Monthly",
- "amount": 1000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "certificates": [
- {
- "name": "ProdSelf-SignedCert",
- "type": "import",
- "priv-key": "certs/example1-cert.key",
- "cert": "certs/example1-cert.crt"
- }
- ],
- "alb": [
- {
- "name": "Core",
- "scheme": "internal",
- "action-type": "forward",
- "ip-type": "ipv4",
- "listeners": "HTTPS",
- "ports": 443,
- "vpc": "Prod",
- "subnets": "Web",
- "cert-name": "ProdSelf-SignedCert",
- "cert-arn": "",
- "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
- "security-group": "Web",
- "tg-stickiness": "",
- "access-logs": true,
- "targets": [
- {
- "target-name": "health-check-Lambda",
- "target-type": "lambda",
- "health-check-path": "/health-check",
- "lambda-filename": "internal-prod-alb-lambda.txt"
- }
- ]
- }
- ],
- "vpc": [
- {
- "deploy": "shared-network",
- "name": "Prod",
- "cidr": "10.4.0.0/16",
- "region": "ca-central-1",
- "use-central-endpoints": true,
- "flow-logs": "CWL",
- "igw": false,
- "vgw": false,
- "pcx": false,
- "natgw": false,
- "subnets": [
- {
- "name": "TGW",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.88.0/27"
- },
- {
- "az": "b",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.88.32/27"
- },
- {
- "az": "d",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.88.64/27",
- "disabled": true
- }
- ]
- },
- {
- "name": "Web",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.32.0/20"
- },
- {
- "az": "b",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.128.0/20"
- },
- {
- "az": "d",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.192.0/20",
- "disabled": true
- }
- ]
- },
- {
- "name": "App",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.0.0/19"
- },
- {
- "az": "b",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.96.0/19"
- },
- {
- "az": "d",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.160.0/19",
- "disabled": true
- }
- ]
- },
- {
- "name": "Data",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.48.0/20"
- },
- {
- "az": "b",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.144.0/20"
- },
- {
- "az": "d",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.208.0/20",
- "disabled": true
- }
- ],
- "nacls": [
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": true,
- "cidr-blocks": [
- {
- "vpc": "Prod",
- "subnet": ["Web"]
- },
- {
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": true,
- "cidr-blocks": ["0.0.0.0/0"]
- },
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": false,
- "cidr-blocks": [
- {
- "vpc": "Prod",
- "subnet": ["Web"]
- },
- {
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": false,
- "cidr-blocks": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Mgmt",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.64.0/21"
- },
- {
- "az": "b",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.72.0/21"
- },
- {
- "az": "d",
- "route-table": "ProdVPC_Common",
- "cidr": "10.4.80.0/21",
- "disabled": true
- }
- ]
- }
- ],
- "gateway-endpoints": ["s3", "dynamodb"],
- "route-tables": [
- {
- "name": "ProdVPC_Common",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "TGW"
- },
- {
- "destination": "s3",
- "target": "s3"
- },
- {
- "destination": "DynamoDB",
- "target": "DynamoDB"
- }
- ]
- }
- ],
- "security-groups": [
- {
- "name": "Mgmt",
- "inbound-rules": [
- {
- "description": "Mgmt RDP/SSH Traffic Inbound",
- "type": ["RDP", "SSH"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- },
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Web",
- "inbound-rules": [
- {
- "description": "World Web Traffic Inbound",
- "type": ["HTTP", "HTTPS"],
- "source": ["0.0.0.0/0"]
- },
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "App",
- "inbound-rules": [
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local Web Tier Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Web"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Data",
- "inbound-rules": [
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local App DB Traffic Inbound",
- "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Data"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "tgw-attach": {
- "associate-to-tgw": "Main",
- "account": "shared-network",
- "associate-type": "ATTACH",
- "tgw-rt-associate": ["segregated"],
- "tgw-rt-propagate": ["core", "shared"],
- "blackhole-route": true,
- "attach-subnets": ["TGW"],
- "options": ["DNS-support"]
- },
- "interface-endpoints": false
- }
- ],
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- }
- },
- "UnClass": {
- "type": "workload",
- "share-mad-from": "operations",
- "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-Unclass-Only"],
- "default-budgets": {
- "name": "Default Unclass Budget",
- "period": "Monthly",
- "amount": 1000,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "certificates": [
- {
- "name": "UnclassSelf-SignedCert",
- "type": "import",
- "priv-key": "certs/example1-cert.key",
- "cert": "certs/example1-cert.crt"
- }
- ],
- "vpc": [
- {
- "deploy": "shared-network",
- "name": "UnClass",
- "cidr": "10.5.0.0/16",
- "region": "ca-central-1",
- "use-central-endpoints": true,
- "flow-logs": "S3",
- "igw": false,
- "vgw": false,
- "pcx": false,
- "natgw": false,
- "subnets": [
- {
- "name": "TGW",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.88.0/27"
- },
- {
- "az": "b",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.88.32/27"
- },
- {
- "az": "d",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.88.64/27",
- "disabled": true
- }
- ]
- },
- {
- "name": "Web",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.32.0/20"
- },
- {
- "az": "b",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.128.0/20"
- },
- {
- "az": "d",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.192.0/20",
- "disabled": true
- }
- ]
- },
- {
- "name": "App",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.0.0/19"
- },
- {
- "az": "b",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.96.0/19"
- },
- {
- "az": "d",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.160.0/19",
- "disabled": true
- }
- ]
- },
- {
- "name": "Data",
- "share-to-ou-accounts": true,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.48.0/20"
- },
- {
- "az": "b",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.144.0/20"
- },
- {
- "az": "d",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.208.0/20",
- "disabled": true
- }
- ],
- "nacls": [
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": true,
- "cidr-blocks": [
- {
- "vpc": "UnClass",
- "subnet": ["Web"]
- },
- {
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": true,
- "cidr-blocks": ["0.0.0.0/0"]
- },
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": false,
- "cidr-blocks": [
- {
- "vpc": "UnClass",
- "subnet": ["Web"]
- },
- {
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": false,
- "cidr-blocks": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Mgmt",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.64.0/21"
- },
- {
- "az": "b",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.72.0/21"
- },
- {
- "az": "d",
- "route-table": "UnClassVPC_Common",
- "cidr": "10.5.80.0/21",
- "disabled": true
- }
- ]
- }
- ],
- "gateway-endpoints": ["s3", "dynamodb"],
- "route-tables": [
- {
- "name": "UnClassVPC_Common",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "TGW"
- },
- {
- "destination": "s3",
- "target": "s3"
- },
- {
- "destination": "DynamoDB",
- "target": "DynamoDB"
- }
- ]
- }
- ],
- "security-groups": [
- {
- "name": "Mgmt",
- "inbound-rules": [
- {
- "description": "Mgmt RDP/SSH Traffic Inbound",
- "type": ["RDP", "SSH"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- },
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Web",
- "inbound-rules": [
- {
- "description": "World Web Traffic Inbound",
- "type": ["HTTP", "HTTPS"],
- "source": ["0.0.0.0/0"]
- },
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "App",
- "inbound-rules": [
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local Web Tier Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Web"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Data",
- "inbound-rules": [
- {
- "description": "Central VPC Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "vpc": "Central",
- "subnet": ["Web", "App", "Mgmt", "GCWide"]
- }
- ]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local App DB Traffic Inbound",
- "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Data"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "tgw-attach": {
- "associate-to-tgw": "Main",
- "account": "shared-network",
- "associate-type": "ATTACH",
- "tgw-rt-associate": ["segregated"],
- "tgw-rt-propagate": ["core", "shared"],
- "blackhole-route": true,
- "attach-subnets": ["TGW"],
- "options": ["DNS-support"]
- },
- "interface-endpoints": false
- }
- ],
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- }
- },
- "Sandbox": {
- "type": "workload",
- "share-mad-from": "",
- "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-Unclass-Only"],
- "default-budgets": {
- "name": "Default Sandbox Budget",
- "period": "Monthly",
- "amount": 200,
- "include": [
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
- ],
- "alerts": [
- {
- "type": "Actual",
- "threshold-percent": 50,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 75,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 90,
- "emails": ["myemail+pbmmT-budg@example.com"]
- },
- {
- "type": "Actual",
- "threshold-percent": 100,
- "emails": ["myemail+pbmmT-budg@example.com"]
- }
- ]
- },
- "vpc": [
- {
- "deploy": "local",
- "name": "Sandbox",
- "cidr": "10.6.0.0/16",
- "region": "ca-central-1",
- "use-central-endpoints": false,
- "flow-logs": "BOTH",
- "igw": true,
- "vgw": false,
- "pcx": false,
- "natgw": {
- "subnet": {
- "name": "Web",
- "az": "a"
- }
- },
- "subnets": [
- {
- "name": "Web",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "SandboxVPC_IGW",
- "cidr": "10.6.32.0/20"
- },
- {
- "az": "b",
- "route-table": "SandboxVPC_IGW",
- "cidr": "10.6.128.0/20"
- },
- {
- "az": "d",
- "route-table": "SandboxVPC_IGW",
- "cidr": "10.6.192.0/20",
- "disabled": true
- }
- ]
- },
- {
- "name": "App",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.0.0/19"
- },
- {
- "az": "b",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.96.0/19"
- },
- {
- "az": "d",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.160.0/19",
- "disabled": true
- }
- ]
- },
- {
- "name": "Data",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.48.0/20"
- },
- {
- "az": "b",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.144.0/20"
- },
- {
- "az": "d",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.208.0/20",
- "disabled": true
- }
- ],
- "nacls": [
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": true,
- "cidr-blocks": [
- {
- "vpc": "Sandbox",
- "subnet": ["Web"]
- },
- {
- "account": "shared-network",
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": true,
- "cidr-blocks": ["0.0.0.0/0"]
- },
- {
- "rule": 100,
- "protocol": -1,
- "ports": -1,
- "rule-action": "deny",
- "egress": false,
- "cidr-blocks": [
- {
- "vpc": "Sandbox",
- "subnet": ["Web"]
- },
- {
- "account": "shared-network",
- "vpc": "Central",
- "subnet": ["Data"]
- }
- ]
- },
- {
- "rule": 32000,
- "protocol": -1,
- "ports": -1,
- "rule-action": "allow",
- "egress": false,
- "cidr-blocks": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Mgmt",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.64.0/21"
- },
- {
- "az": "b",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.72.0/21"
- },
- {
- "az": "d",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.80.0/21",
- "disabled": true
- }
- ]
- }
- ],
- "gateway-endpoints": [],
- "route-tables": [
- {
- "name": "SandboxVPC_IGW",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "IGW"
- }
- ]
- },
- {
- "name": "SandboxVPC_Common",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "NATGW_Web_azA"
- }
- ]
- }
- ],
- "security-groups": [
- {
- "name": "Mgmt",
- "inbound-rules": [
- {
- "description": "Mgmt RDP/SSH Traffic Inbound",
- "type": ["RDP", "SSH"],
- "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Web",
- "inbound-rules": [
- {
- "description": "World Web Traffic Inbound",
- "type": ["HTTP", "HTTPS"],
- "source": ["0.0.0.0/0"]
- },
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "App",
- "inbound-rules": [
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local Web Tier Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Web"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- },
- {
- "name": "Data",
- "inbound-rules": [
- {
- "description": "Local Mgmt Traffic Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Mgmt"]
- }
- ]
- },
- {
- "description": "Local App DB Traffic Inbound",
- "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
- "source": [
- {
- "security-group": ["App"]
- }
- ]
- },
- {
- "description": "Allow East/West Communication Inbound",
- "type": ["ALL"],
- "source": [
- {
- "security-group": ["Data"]
- }
- ]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0"]
- }
- ]
- }
- ],
- "tgw-attach": false,
- "interface-endpoints": false
- }
- ],
- "iam": {
- "users": [],
- "policies": [
- {
- "policy-name": "Default-Boundary-Policy",
- "policy": "boundary-policy.txt"
- }
- ],
- "roles": [
- {
- "role": "EC2-Default-SSM-AD-Role",
- "type": "ec2",
- "ssm-log-archive-access": true,
- "policies": [
- "AmazonSSMManagedInstanceCore",
- "AmazonSSMDirectoryServiceAccess",
- "CloudWatchAgentServerPolicy"
- ],
- "boundary-policy": "Default-Boundary-Policy"
- }
- ]
- }
- }
- }
-}
+{
+ "global-options": {
+ "alz-minimum-version": "v2.3.1",
+ "alz-baseline": true,
+ "ct-baseline": false,
+ "central-log-retention": 730,
+ "default-log-retention": 90,
+ "central-bucket": "AWSDOC-EXAMPLE-BUCKET",
+ "organization-admin-role": "AWSCloudFormationStackSetExecutionRole",
+ "default-cwl-retention": 731,
+ "workloadaccounts-suffix" : 1,
+ "workloadaccounts-prefix" : "config",
+ "workloadaccounts-param-filename": "config.json",
+ "ignored-ous": [],
+ "supported-regions": [
+ "ap-northeast-1",
+ "ap-northeast-2",
+ "ap-south-1",
+ "ap-southeast-1",
+ "ap-southeast-2",
+ "ca-central-1",
+ "eu-central-1",
+ "eu-north-1",
+ "eu-west-1",
+ "eu-west-2",
+ "eu-west-3",
+ "sa-east-1",
+ "us-east-1",
+ "us-east-2",
+ "us-west-1",
+ "us-west-2"
+ ],
+ "keep-default-vpc-regions": [],
+ "aws-org-master": {
+ "account": "master",
+ "region": "ca-central-1"
+ },
+ "central-security-services": {
+ "account": "security",
+ "region": "ca-central-1",
+ "security-hub": true,
+ "security-hub-excl-regions": [],
+ "guardduty": true,
+ "guardduty-excl-regions": [],
+ "cwl": true,
+ "access-analyzer": true,
+ "config-excl-regions": [],
+ "config-aggr-excl-regions": [],
+ "macie": true,
+ "macie-excl-regions": [],
+ "macie-frequency": "FIFTEEN_MINUTES"
+ },
+ "central-operations-services": {
+ "account": "operations",
+ "region": "ca-central-1",
+ "cwl": true,
+ "cwl-access-level": "full"
+ },
+ "central-log-services": {
+ "account": "log-archive",
+ "region": "ca-central-1",
+ "cwl-glbl-exclusions": [],
+ "cwl-exclusions": [],
+ "ssm-to-s3": true,
+ "ssm-to-cwl": true
+ },
+ "reports": {
+ "cost-and-usage-report": {
+ "additional-schema-elements": ["RESOURCES"],
+ "compression": "Parquet",
+ "format": "Parquet",
+ "report-name": "Cost-and-Usage-Report",
+ "s3-prefix": "cur",
+ "time-unit": "HOURLY",
+ "additional-artifacts": ["ATHENA"],
+ "refresh-closed-reports": true,
+ "report-versioning": "OVERWRITE_REPORT"
+ }
+ },
+ "conformance-packs": [
+ {
+ "gc-pack": {
+ "install": true,
+ "auto-remediation": true,
+ "monitoring": true,
+ "frequency": 24
+ }
+ }
+ ],
+ "zones": {
+ "account": "shared-network",
+ "resolver-vpc": "Endpoint",
+ "names": {
+ "public": ["dept.cloud-nuage.canada.ca"],
+ "private": ["dept.cloud-nuage.gc.ca"]
+ }
+ },
+ "vpc-flow-logs": {
+ "filter": "ALL",
+ "interval": 60,
+ "default-format": false,
+ "custom-fields": [
+ "version",
+ "account-id",
+ "interface-id",
+ "srcaddr",
+ "dstaddr",
+ "srcport",
+ "dstport",
+ "protocol",
+ "packets",
+ "bytes",
+ "start",
+ "end",
+ "action",
+ "log-status",
+ "vpc-id",
+ "subnet-id",
+ "instance-id",
+ "tcp-flags",
+ "type",
+ "pkt-srcaddr",
+ "pkt-dstaddr",
+ "region",
+ "az-id"
+ ]
+ },
+ "security-hub-frameworks": {
+ "standards": [
+ {
+ "name": "AWS Foundational Security Best Practices v1.0.0",
+ "controls-to-disable": ["IAM.1"]
+ },
+ {
+ "name": "PCI DSS v3.2.1",
+ "controls-to-disable": ["PCI.IAM.3", "PCI.KMS.1", "PCI.S3.3", "PCI.EC2.3", "PCI.Lambda.2"]
+ },
+ {
+ "name": "CIS AWS Foundations Benchmark v1.2.0",
+ "controls-to-disable": ["CIS.1.20", "CIS.1.22", "CIS.2.8"]
+ }
+ ]
+ },
+ "iam-password-policies": {
+ "allow-users-to-change-password": true,
+ "hard-expiry": false,
+ "require-uppercase-characters": true,
+ "require-lowercase-characters": true,
+ "require-symbols": true,
+ "require-numbers": true,
+ "minimum-password-length": 14,
+ "password-reuse-prevention": 24,
+ "max-password-age": 90
+ },
+ "scps": [
+ {
+ "name": "ALZ-Core",
+ "description": "ALZ Core Preventive Guardrails",
+ "policy": "aws-landing-zone-core-mandatory-preventive-guardrails-Accel.json"
+ },
+ {
+ "name": "ALZ-Non-Core",
+ "description": "ALZ Non-core Preventive Guardrails",
+ "policy": "aws-landing-zone-non-core-mandatory-preventive-guardrails-Accel.json"
+ },
+ {
+ "name": "Guardrails-Part-1",
+ "description": "PBMMAccel Guardrails Part 1",
+ "policy": "PBMMAccel-Guardrails-Part1.json"
+ },
+ {
+ "name": "Guardrails-Part-2",
+ "description": "PBMMAccel Guardrails Part 2",
+ "policy": "PBMMAccel-Guardrails-Part2.json"
+ },
+ {
+ "name": "Guardrails-PBMM-Only",
+ "description": "PBMMAccel Guardrails PBMM Environment Specific",
+ "policy": "PBMMAccel-Guardrails-PBMM-Only.json"
+ },
+ {
+ "name": "Guardrails-Unclass-Only",
+ "description": "PBMMAccel Guardrails Unclassified Environment Specific",
+ "policy": "PBMMAccel-Guardrails-Unclass-Only.json"
+ },
+ {
+ "name": "Quarantine-New-Object",
+ "description": "PBMM Quarantine policy - Apply to ACCOUNTS that need to be quarantined",
+ "policy": "Quarantine-New-Object.json"
+ }
+ ]
+ },
+ "mandatory-account-configs": {
+ "shared-network": {
+ "account-name": "SharedNetwork",
+ "email": "myemail+pbmmT-network@example.com---------------------REPLACE----------------------",
+ "ou": "core",
+ "share-mad-from": "operations",
+ "src-filename": "config.json",
+ "budget": {
+ "name": "SharedNetwork Budget",
+ "period": "Monthly",
+ "amount": 2000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ },
+ "limits": {
+ "Amazon VPC/Interface VPC endpoints per VPC": {
+ "value": 90,
+ "customer-confirm-inplace": false
+ },
+ "Amazon VPC/VPCs per Region": {
+ "value": 15
+ }
+ },
+ "vpc": [
+ {
+ "deploy": "local",
+ "name": "Endpoint",
+ "cidr": "10.7.0.0/22",
+ "region": "ca-central-1",
+ "use-central-endpoints": false,
+ "flow-logs": "S3",
+ "igw": false,
+ "vgw": false,
+ "pcx": false,
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "Endpoint",
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "EndpointVPC_Common",
+ "cidr": "10.7.0.0/24"
+ },
+ {
+ "az": "b",
+ "route-table": "EndpointVPC_Common",
+ "cidr": "10.7.1.0/24"
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": [],
+ "route-tables": [
+ {
+ "name": "EndpointVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ }
+ ]
+ }
+ ],
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": ["core"],
+ "tgw-rt-propagate": ["core", "segregated", "shared", "standalone"],
+ "blackhole-route": false,
+ "attach-subnets": ["Endpoint"],
+ "options": ["DNS-support"]
+ },
+ "interface-endpoints": {
+ "subnet": "Endpoint",
+ "endpoints": [
+ "ec2",
+ "ec2messages",
+ "ssm",
+ "ssmmessages",
+ "secretsmanager",
+ "cloudformation",
+ "access-analyzer",
+ "application-autoscaling",
+ "appmesh-envoy-management",
+ "athena",
+ "autoscaling",
+ "autoscaling-plans",
+ "clouddirectory",
+ "cloudtrail",
+ "codebuild",
+ "codecommit",
+ "codecommit-fips",
+ "codepipeline",
+ "config",
+ "datasync",
+ "ecr.dkr",
+ "ecs",
+ "ecs-agent",
+ "ecs-telemetry",
+ "elasticfilesystem",
+ "elasticfilesystem-fips",
+ "elasticloadbalancing",
+ "elasticmapreduce",
+ "events",
+ "execute-api",
+ "git-codecommit",
+ "git-codecommit-fips",
+ "glue",
+ "kinesis-streams",
+ "kms",
+ "logs",
+ "monitoring",
+ "sagemaker.api",
+ "sagemaker.runtime",
+ "servicecatalog",
+ "sms",
+ "sns",
+ "sqs",
+ "storagegateway",
+ "sts",
+ "transfer",
+ "workspaces",
+ "awsconnector",
+ "ecr.api",
+ "kinesis-firehose",
+ "states",
+ "acm-pca",
+ "cassandra",
+ "ebs",
+ "elasticbeanstalk",
+ "elasticbeanstalk-health",
+ "email-smtp",
+ "license-manager",
+ "macie2",
+ "notebook",
+ "synthetics",
+ "transfer.server"
+ ]
+ },
+ "resolvers": {
+ "subnet": "Endpoint",
+ "outbound": true,
+ "inbound": true
+ },
+ "on-premise-rules": [
+ {
+ "zone": "dept-private.gc.ca",
+ "outbound-ips": ["10.254.254.1", "10.254.253.1"]
+ },
+ {
+ "zone": "private-domain1.example.ca",
+ "outbound-ips": ["10.254.254.1", "10.254.253.1"]
+ }
+ ]
+ }
+ ],
+ "deployments": {
+ "tgw": [
+ {
+ "name": "Main",
+ "asn": 65521,
+ "region": "ca-central-1",
+ "features": {
+ "DNS-support": true,
+ "VPN-ECMP-support": true,
+ "Default-route-table-association": false,
+ "Default-route-table-propagation": false,
+ "Auto-accept-sharing-attachments": true
+ },
+ "route-tables": ["core", "segregated", "shared", "standalone"]
+ }
+ ]
+ }
+ },
+ "operations": {
+ "account-name": "Operations",
+ "email": "myemail+pbmmT-operations@example.com---------------------REPLACE----------------------",
+ "ou": "core",
+ "account-warming-required": true,
+ "limits": {},
+ "src-filename": "config.json",
+ "share-mad-from": "",
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ },
+ {
+ "policy-name": "PBMMAccel-RDGW-Custom-Policy",
+ "policy": "pbmmaccel-rdgw-custom-policies.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ },
+ {
+ "role": "PBMMAccel-RDGW-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy",
+ "PBMMAccel-RDGW-Custom-Policy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ },
+ {
+ "role": "PBMMAccel-Rsyslog-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "CloudWatchAgentServerPolicy",
+ "AmazonS3ReadOnlyAccess"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ },
+ "deployments": {
+ "mad": {
+ "dir-id": 1001,
+ "deploy": true,
+ "vpc-name": "Central",
+ "region": "ca-central-1",
+ "subnet": "GCWide",
+ "size": "Enterprise",
+ "dns-domain": "example.local",
+ "netbios-domain": "example",
+ "central-resolver-rule-account": "shared-network",
+ "central-resolver-rule-vpc": "Endpoint",
+ "log-group-name": "/PBMMAccel/MAD/example.local",
+ "share-to-account": "master",
+ "restrict_srcips": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"],
+ "num-rdgw-hosts": 1,
+ "min-rdgw-hosts": 1,
+ "max-rdgw-hosts": 2,
+ "rdgw-max-instance-age": 30,
+ "rdgw-instance-type": "t2.large",
+ "rdgw-instance-role": "PBMMAccel-RDGW-Role",
+ "password-policies": {
+ "history": 24,
+ "max-age": 90,
+ "min-age": 1,
+ "min-len": 12,
+ "complexity": true,
+ "reversible": false,
+ "failed-attempts": 6,
+ "lockout-duration": 30,
+ "lockout-attempts-reset": 30
+ },
+ "ad-groups": ["aws-Provisioning", "aws-Billing"],
+ "ad-per-account-groups": ["*-Admin", "*-PowerUser", "*-View"],
+ "adc-group": "ADConnector-grp",
+ "ad-users": [
+ {
+ "user": "adconnector-usr",
+ "email": "myemail+pbmmT-adc-usr@example.com",
+ "groups": ["ADConnector-grp"]
+ },
+ {
+ "user": "User1",
+ "email": "myemail+pbmmT-User1@example.com",
+ "groups": ["aws-Provisioning", "*-View", "*-Admin", "*-PowerUser", "AWS Delegated Administrators"]
+ },
+ {
+ "user": "User2",
+ "email": "myemail+pbmmT-User2@example.com",
+ "groups": ["*-View"]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "RemoteDesktopGatewaySG",
+ "inbound-rules": [
+ {
+ "description": "Allow RDP Traffic Inbound",
+ "type": ["RDP"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ]
+ },
+ "rsyslog": {
+ "deploy": true,
+ "vpc-name": "Central",
+ "region": "ca-central-1",
+ "log-group-name": "rsyslog/var/log/messages",
+ "security-groups": [
+ {
+ "name": "rsyslog",
+ "inbound-rules": [
+ {
+ "description": "Allow Traffic Inbound",
+ "tcp-ports": [514],
+ "udp-ports": [514],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "app-subnets": [
+ {
+ "name": "App",
+ "az": "a"
+ },
+ {
+ "name": "App",
+ "az": "b"
+ }
+ ],
+ "web-subnets": [
+ {
+ "name": "Web",
+ "az": "a"
+ },
+ {
+ "name": "Web",
+ "az": "b"
+ }
+ ],
+ "min-rsyslog-hosts": 1,
+ "desired-rsyslog-hosts": 2,
+ "max-rsyslog-hosts": 2,
+ "ssm-image-id": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",
+ "rsyslog-instance-type": "t2.large",
+ "rsyslog-instance-role": "PBMMAccel-Rsyslog-Role",
+ "rsyslog-root-volume-size": 100,
+ "rsyslog-max-instance-age": 30
+ }
+ }
+ },
+ "perimeter": {
+ "account-name": "Perimeter",
+ "email": "myemail+pbmmT-perimeter@example.com---------------------REPLACE----------------------",
+ "ou": "core",
+ "account-warming-required": true,
+ "src-filename": "config.json",
+ "limits": {
+ "Amazon EC2/Number of EIPs": {
+ "value": 5,
+ "customer-confirm-inplace": false
+ }
+ },
+ "share-mad-from": "",
+ "budget": {
+ "name": "Perimeter Budget",
+ "period": "Monthly",
+ "amount": 2000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "certificates": [
+ {
+ "name": "PerimSelf-SignedCert",
+ "type": "import",
+ "priv-key": "certs/example1-cert.key",
+ "cert": "certs/example1-cert.crt"
+ }
+ ],
+ "alb": [
+ {
+ "name": "Public-Prod",
+ "scheme": "internet-facing",
+ "action-type": "forward",
+ "ip-type": "ipv4",
+ "listeners": "HTTPS",
+ "ports": 443,
+ "vpc": "Perimeter",
+ "subnets": "Public",
+ "cert-name": "PerimSelf-SignedCert",
+ "cert-arn": "",
+ "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
+ "security-group": "Public-Prod-ALB",
+ "tg-stickiness": "1 hour",
+ "target-alarms-notify": "AWS-Landing-Zone-Security-Notification",
+ "target-alarms-when": "Minimum",
+ "target-alarms-of": "Healthy Hosts",
+ "target-alarms-is": "<",
+ "target-alarms-Count": "2",
+ "target-alarms-for": "5",
+ "target-alarms-periods-of": "1",
+ "access-logs": true,
+ "targets": [
+ {
+ "target-name": "FG1-Web-azA",
+ "target-type": "instance",
+ "protocol": "HTTPS",
+ "port": 7001,
+ "health-check-protocol": "HTTPS",
+ "health-check-path": "/health-check",
+ "health-check-port": 7001,
+ "lambda-filename": "",
+ "target-instances": [
+ {
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "a"
+ }
+ ],
+ "tg-weight": 1
+ },
+ {
+ "target-name": "FG1-Web-azB",
+ "target-type": "instance",
+ "protocol": "HTTPS",
+ "port": 7001,
+ "health-check-protocol": "HTTPS",
+ "health-check-path": "/health-check",
+ "health-check-port": 7001,
+ "lambda-filename": "",
+ "target-instances": [
+ {
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "b"
+ }
+ ],
+ "tg-weight": 1
+ }
+ ]
+ },
+ {
+ "name": "Public-DevTest",
+ "scheme": "internet-facing",
+ "action-type": "forward",
+ "ip-type": "ipv4",
+ "listeners": "HTTPS",
+ "ports": 443,
+ "vpc": "Perimeter",
+ "subnets": "Public",
+ "cert-name": "PerimSelf-SignedCert",
+ "cert-arn": "",
+ "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
+ "security-group": "Public-DevTest-ALB",
+ "tg-stickiness": "1 hour",
+ "target-alarms-notify": "AWS-Landing-Zone-Security-Notification",
+ "target-alarms-when": "Minimum",
+ "target-alarms-of": "Healthy Hosts",
+ "target-alarms-is": "<",
+ "target-alarms-Count": "2",
+ "target-alarms-for": "5",
+ "target-alarms-periods-of": "1",
+ "access-logs": true,
+ "targets": [
+ {
+ "target-name": "FG1-Web-azA",
+ "target-type": "instance",
+ "protocol": "HTTPS",
+ "port": 7002,
+ "health-check-protocol": "HTTPS",
+ "health-check-path": "/health-check",
+ "health-check-port": 7002,
+ "lambda-filename": "",
+ "target-instances": [
+ {
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "a"
+ }
+ ],
+ "tg-weight": 1
+ },
+ {
+ "target-name": "FG1-Web-azB",
+ "target-type": "instance",
+ "protocol": "HTTPS",
+ "port": 7002,
+ "health-check-protocol": "HTTPS",
+ "health-check-path": "/health-check",
+ "health-check-port": 7002,
+ "lambda-filename": "",
+ "target-instances": [
+ {
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "b"
+ }
+ ],
+ "tg-weight": 1
+ }
+ ]
+ }
+ ],
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ },
+ {
+ "policy-name": "Firewall-Policy",
+ "policy": "firewall-fg-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ },
+ {
+ "role": "Firewall-Role",
+ "type": "ec2",
+ "policies": ["Firewall-Policy"],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ },
+ "vpc": [
+ {
+ "deploy": "local",
+ "name": "Perimeter",
+ "cidr": "10.7.4.0/22",
+ "cidr2": "100.96.250.0/23",
+ "region": "ca-central-1",
+ "use-central-endpoints": false,
+ "flow-logs": "S3",
+ "igw": true,
+ "vgw": {
+ "asn": 65522
+ },
+ "pcx": false,
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "Public",
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "Public_Shared",
+ "cidr": "100.96.250.0/26"
+ },
+ {
+ "az": "b",
+ "route-table": "Public_Shared",
+ "cidr": "100.96.250.128/26"
+ }
+ ]
+ },
+ {
+ "name": "FWMgmt",
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "FWMgmt_azA",
+ "cidr": "100.96.251.32/27"
+ },
+ {
+ "az": "b",
+ "route-table": "FWMgmt_azB",
+ "cidr": "100.96.251.160/27"
+ }
+ ]
+ },
+ {
+ "name": "Proxy",
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "Proxy_azA",
+ "cidr": "100.96.251.64/26"
+ },
+ {
+ "az": "b",
+ "route-table": "Proxy_azB",
+ "cidr": "100.96.251.192/26"
+ }
+ ]
+ },
+ {
+ "name": "OnPremise",
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "OnPremise_Shared",
+ "cidr": "100.96.250.64/26"
+ },
+ {
+ "az": "b",
+ "route-table": "OnPremise_Shared",
+ "cidr": "100.96.250.192/26"
+ }
+ ]
+ },
+ {
+ "name": "Detonation",
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "Detonation_Shared",
+ "cidr": "10.7.4.0/24"
+ },
+ {
+ "az": "b",
+ "route-table": "Detonation_Shared",
+ "cidr": "10.7.5.0/24"
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": ["s3"],
+ "route-tables": [
+ {
+ "name": "OnPremise_Shared"
+ },
+ {
+ "name": "Public_Shared",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "IGW"
+ }
+ ]
+ },
+ {
+ "name": "FWMgmt_azA",
+ "routes": [
+ {
+ "destination": "10.0.0.0/8",
+ "target": "VGW"
+ },
+ {
+ "destination": "0.0.0.0/0",
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "a",
+ "port": "OnPremise"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ }
+ ]
+ },
+ {
+ "name": "FWMgmt_azB",
+ "routes": [
+ {
+ "destination": "10.0.0.0/8",
+ "target": "VGW"
+ },
+ {
+ "destination": "0.0.0.0/0",
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "b",
+ "port": "OnPremise"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ }
+ ]
+ },
+ {
+ "name": "Proxy_azA",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "a",
+ "port": "Proxy"
+ }
+ ]
+ },
+ {
+ "name": "Proxy_azB",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "firewall",
+ "name": "Firewall",
+ "az": "b",
+ "port": "Proxy"
+ }
+ ]
+ },
+ {
+ "name": "Detonation_Shared"
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Public-Prod-ALB",
+ "inbound-rules": [
+ {
+ "description": "TLS Traffic Inbound",
+ "type": ["HTTPS"],
+ "source": ["0.0.0.0/0"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Public-DevTest-ALB",
+ "inbound-rules": [
+ {
+ "description": "TLS Traffic Inbound",
+ "type": ["HTTPS"],
+ "source": ["0.0.0.0/0"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "FirewallMgr",
+ "inbound-rules": [
+ {
+ "description": "Allow Mgmt Traffic Inbound",
+ "tcp-ports": [22, 443, 514, 541, 2032, 3000, 5199, 6020, 6028, 8080],
+ "udp-ports": [9443],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Firewalls",
+ "inbound-rules": [
+ {
+ "description": "All Allowed Inbound Traffic",
+ "tcp-ports": [22, 443, 541, 3000, 8080],
+ "source": ["0.0.0.0/0"]
+ },
+ {
+ "description": "Mgmt Traffic, Customer Outbound traffic and ALBs",
+ "type": ["ALL"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": false,
+ "interface-endpoints": {
+ "subnet": "Proxy",
+ "endpoints": ["ssm", "ssmmessages", "ec2messages"]
+ }
+ }
+ ],
+ "deployments": {
+ "firewalls": [
+ {
+ "name": "Firewall",
+ "image-id": "ami-047aac44951feb9fb",
+ "instance-sizes": "c5n.2xlarge",
+ "region": "ca-central-1",
+ "security-group": "Firewalls",
+ "fw-instance-role": "Firewall-Role",
+ "vpc": "Perimeter",
+ "ports": [
+ {
+ "name": "Public",
+ "subnet": "Public",
+ "create-eip": true,
+ "create-cgw": true
+ },
+ {
+ "name": "OnPremise",
+ "subnet": "OnPremise",
+ "create-eip": false,
+ "create-cgw": false
+ },
+ {
+ "name": "FWMgmt",
+ "subnet": "FWMgmt",
+ "create-eip": false,
+ "create-cgw": false
+ },
+ {
+ "name": "Proxy",
+ "subnet": "Proxy",
+ "create-eip": false,
+ "create-cgw": false
+ }
+ ],
+ "license": ["firewall/license1.lic", "firewall/license2.lic"],
+ "config": "firewall/firewall-example.txt",
+ "fw-cgw-name": "Perimeter_fw",
+ "fw-cgw-asn": 65523,
+ "fw-cgw-routing": "Dynamic",
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "name": "TGW-to-Perimeter",
+ "associate-type": "VPN",
+ "tgw-rt-associate": ["core"],
+ "tgw-rt-propagate": ["core", "segregated", "shared", "standalone"],
+ "blackhole-route": false,
+ "attach-subnets": [],
+ "options": ["DNS-support"]
+ }
+ }
+ ],
+ "firewall-manager": {
+ "name": "FirewallMgr",
+ "image-id": "ami-06fa2a9e6f8fae9f2",
+ "instance-sizes": "c5.large",
+ "version": "6.2.3",
+ "region": "ca-central-1",
+ "vpc": "Perimeter",
+ "security-group": "FirewallMgr",
+ "subnet": {
+ "name": "FWMgmt",
+ "az": "a"
+ },
+ "create-eip": true
+ }
+ }
+ },
+ "master": {
+ "account-name": "primary",
+ "email": "myemail+pbmmT-master@example.com---------------------REPLACE----------------------",
+ "ou": "core",
+ "landing-zone-account-type": "primary",
+ "share-mad-from": "operations",
+ "src-filename": "config.json",
+ "budget": {
+ "name": "Organization Budget",
+ "period": "Monthly",
+ "amount": 10000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "log-retention": 180,
+ "limits": {
+ "AWS Organizations/Maximum accounts": {
+ "value": 20
+ }
+ },
+ "iam": {
+ "users": [
+ {
+ "user-ids": ["bgUser1", "bgUser2"],
+ "group": "BreakGlassAdmins",
+ "policies": ["AdministratorAccess"],
+ "boundary-policy": "Default-Boundary-Policy"
+ },
+ {
+ "user-ids": ["OpsUser1", "OpsUser2"],
+ "group": "OpsAdmins",
+ "policies": ["AdministratorAccess"],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": []
+ },
+ "vpc": [
+ {
+ "deploy": "local",
+ "name": "ForSSO",
+ "cidr": "10.249.1.0/24",
+ "region": "ca-central-1",
+ "use-central-endpoints": false,
+ "flow-logs": "S3",
+ "igw": false,
+ "vgw": false,
+ "pcx": false,
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "ForSSO",
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "ForSSO_Shared",
+ "cidr": "10.249.1.0/27"
+ },
+ {
+ "az": "b",
+ "route-table": "ForSSO_Shared",
+ "cidr": "10.249.1.32/27"
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": [],
+ "route-tables": [
+ {
+ "name": "ForSSO_Shared",
+ "routes": [
+ {
+ "destination": {
+ "account": "shared-network",
+ "vpc": "Central",
+ "subnet": "GCWide"
+ },
+ "target": "pcx"
+ }
+ ]
+ }
+ ],
+ "tgw-attach": false,
+ "interface-endpoints": false
+ }
+ ],
+ "deployments": {
+ "adc": {
+ "deploy": true,
+ "vpc-name": "ForSSO",
+ "subnet": "ForSSO",
+ "size": "Small",
+ "restrict_srcips": ["10.249.1.0/24", "100.96.252.0/23"],
+ "connect-account-key": "operations",
+ "connect-dir-id": 1001
+ },
+ "sso": {
+ "deploy": true
+ }
+ }
+ },
+ "log-archive": {
+ "account-name": "log-archive",
+ "ou": "core",
+ "email": "myemail+pbmmT-log@example.com---------------------REPLACE----------------------",
+ "src-filename": "config.json",
+ "landing-zone-account-type": "log-archive"
+ },
+ "security": {
+ "account-name": "security",
+ "ou": "core",
+ "email": "myemail+pbmmT-sec@example.com---------------------REPLACE----------------------",
+ "src-filename": "config.json",
+ "landing-zone-account-type": "security"
+ },
+ "shared-services": {
+ "account-name": "shared-services",
+ "ou": "core",
+ "email": "myemail+pbmmT-ss@example.com---------------------REPLACE----------------------",
+ "src-filename": "config.json",
+ "landing-zone-account-type": "shared-services"
+ }
+ },
+ "workload-account-configs": {
+ "fun-acct": {
+ "account-name": "TheFunAccount",
+ "email": "myemail+pbmmT-funacct@example.com---------------------REPLACE----------------------",
+ "src-filename": "config.json",
+ "ou": "Sandbox"
+ },
+ "mydevacct1": {
+ "account-name": "MyDev1",
+ "email": "myemail+pbmmT-dev1@example.com---------------------REPLACE----------------------",
+ "src-filename": "config.json",
+ "ou": "Dev"
+ }
+ },
+ "organizational-units": {
+ "core": {
+ "type": "ignore",
+ "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
+ "default-budgets": {
+ "name": "Default Core Budget",
+ "period": "Monthly",
+ "amount": 1000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ }
+ },
+ "Central": {
+ "type": "mandatory",
+ "share-mad-from": "operations",
+ "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
+ "default-budgets": {
+ "name": "Default Central Budget",
+ "period": "Monthly",
+ "amount": 500,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "certificates": [
+ {
+ "name": "CentralSelf-SignedCert",
+ "type": "import",
+ "priv-key": "certs/example1-cert.key",
+ "cert": "certs/example1-cert.crt"
+ }
+ ],
+ "vpc": [
+ {
+ "deploy": "shared-network",
+ "name": "Central",
+ "cidr": "10.1.0.0/16",
+ "cidr2": "100.96.252.0/23",
+ "region": "ca-central-1",
+ "use-central-endpoints": true,
+ "flow-logs": "BOTH",
+ "igw": false,
+ "vgw": false,
+ "pcx": {
+ "source": "master",
+ "source-vpc": "ForSSO",
+ "source-subnets": "ForSSO",
+ "local-subnets": "GCWide"
+ },
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "TGW",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.88.0/27"
+ },
+ {
+ "az": "b",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.88.32/27"
+ },
+ {
+ "az": "d",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.88.64/27",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": ["operations"],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.32.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.128.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.192.0/20",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": ["operations"],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.0.0/19"
+ },
+ {
+ "az": "b",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.96.0/19"
+ },
+ {
+ "az": "d",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.160.0/19",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": ["operations"],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.48.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.144.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.208.0/20",
+ "disabled": true
+ }
+ ],
+ "nacls": [
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": true,
+ "cidr-blocks": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": true,
+ "cidr-blocks": ["0.0.0.0/0"]
+ },
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": false,
+ "cidr-blocks": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": false,
+ "cidr-blocks": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Mgmt",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": ["operations"],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.64.0/21"
+ },
+ {
+ "az": "b",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.72.0/21"
+ },
+ {
+ "az": "d",
+ "route-table": "CentralVPC_Common",
+ "cidr": "10.1.80.0/21",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "GCWide",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": ["operations"],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "CentralVPC_GCWide",
+ "cidr2": "100.96.252.0/25"
+ },
+ {
+ "az": "b",
+ "route-table": "CentralVPC_GCWide",
+ "cidr2": "100.96.252.128/25"
+ },
+ {
+ "az": "d",
+ "route-table": "CentralVPC_GCWide",
+ "cidr2": "100.96.253.0/25",
+ "disabled": true
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": ["s3", "dynamodb"],
+ "route-tables": [
+ {
+ "name": "CentralVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ },
+ {
+ "destination": "DynamoDB",
+ "target": "DynamoDB"
+ }
+ ]
+ },
+ {
+ "name": "CentralVPC_GCWide",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ },
+ {
+ "destination": "DynamoDB",
+ "target": "DynamoDB"
+ },
+ {
+ "destination": {
+ "account": "master",
+ "vpc": "ForSSO",
+ "subnet": "ForSSO"
+ },
+ "target": "pcx"
+ }
+ ]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Mgmt",
+ "inbound-rules": [
+ {
+ "description": "Mgmt RDP/SSH Traffic Inbound",
+ "type": ["RDP", "SSH"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "inbound-rules": [
+ {
+ "description": "World Web Traffic Inbound",
+ "type": ["HTTP", "HTTPS"],
+ "source": ["0.0.0.0/0"]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "inbound-rules": [
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local Web Tier Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Web"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "inbound-rules": [
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local App DB Traffic Inbound",
+ "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Data"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": ["shared"],
+ "tgw-rt-propagate": ["core", "shared", "segregated"],
+ "blackhole-route": false,
+ "attach-subnets": ["TGW"],
+ "options": ["DNS-support"]
+ },
+ "interface-endpoints": false
+ }
+ ],
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ }
+ },
+ "Dev": {
+ "type": "workload",
+ "share-mad-from": "operations",
+ "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
+ "default-budgets": {
+ "name": "Default Dev Budget",
+ "period": "Monthly",
+ "amount": 2000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "certificates": [
+ {
+ "name": "DevSelf-SignedCert",
+ "type": "import",
+ "priv-key": "certs/example1-cert.key",
+ "cert": "certs/example1-cert.crt"
+ }
+ ],
+ "alb": [
+ {
+ "name": "Core",
+ "scheme": "internal",
+ "action-type": "forward",
+ "ip-type": "ipv4",
+ "listeners": "HTTPS",
+ "ports": 443,
+ "vpc": "Dev",
+ "subnets": "Web",
+ "cert-name": "DevSelf-SignedCert",
+ "cert-arn": "",
+ "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
+ "security-group": "Web",
+ "tg-stickiness": "",
+ "access-logs": true,
+ "targets": [
+ {
+ "target-name": "health-check-Lambda",
+ "target-type": "lambda",
+ "health-check-path": "/health-check",
+ "lambda-filename": "internal-dev-alb-lambda.txt"
+ }
+ ]
+ }
+ ],
+ "vpc": [
+ {
+ "deploy": "shared-network",
+ "name": "Dev",
+ "cidr": "10.2.0.0/16",
+ "region": "ca-central-1",
+ "use-central-endpoints": true,
+ "flow-logs": "S3",
+ "igw": false,
+ "vgw": false,
+ "pcx": false,
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "TGW",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.88.0/27"
+ },
+ {
+ "az": "b",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.88.32/27"
+ },
+ {
+ "az": "d",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.88.64/27",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.32.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.128.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.192.0/20",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.0.0/19"
+ },
+ {
+ "az": "b",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.96.0/19"
+ },
+ {
+ "az": "d",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.160.0/19",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.48.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.144.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.208.0/20",
+ "disabled": true
+ }
+ ],
+ "nacls": [
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": true,
+ "cidr-blocks": [
+ {
+ "vpc": "Dev",
+ "subnet": ["Web"]
+ },
+ {
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": true,
+ "cidr-blocks": ["0.0.0.0/0"]
+ },
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": false,
+ "cidr-blocks": [
+ {
+ "vpc": "Dev",
+ "subnet": ["Web"]
+ },
+ {
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": false,
+ "cidr-blocks": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Mgmt",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.64.0/21"
+ },
+ {
+ "az": "b",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.72.0/21"
+ },
+ {
+ "az": "d",
+ "route-table": "DevVPC_Common",
+ "cidr": "10.2.80.0/21",
+ "disabled": true
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": ["s3", "dynamodb"],
+ "route-tables": [
+ {
+ "name": "DevVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ },
+ {
+ "destination": "DynamoDB",
+ "target": "DynamoDB"
+ }
+ ]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Mgmt",
+ "inbound-rules": [
+ {
+ "description": "Mgmt RDP/SSH Traffic Inbound",
+ "type": ["RDP", "SSH"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "inbound-rules": [
+ {
+ "description": "World Web Traffic Inbound",
+ "type": ["HTTP", "HTTPS"],
+ "source": ["0.0.0.0/0"]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local Web Tier Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Web"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local App DB Traffic Inbound",
+ "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Data"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": ["segregated"],
+ "tgw-rt-propagate": ["core", "shared"],
+ "blackhole-route": true,
+ "attach-subnets": ["TGW"],
+ "options": ["DNS-support"]
+ },
+ "interface-endpoints": false
+ }
+ ],
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ }
+ },
+ "Test": {
+ "type": "workload",
+ "share-mad-from": "operations",
+ "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
+ "default-budgets": {
+ "name": "Default Test Budget",
+ "period": "Monthly",
+ "amount": 1000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "certificates": [
+ {
+ "name": "TestSelf-SignedCert",
+ "type": "import",
+ "priv-key": "certs/example1-cert.key",
+ "cert": "certs/example1-cert.crt"
+ }
+ ],
+ "alb": [
+ {
+ "name": "Core",
+ "scheme": "internal",
+ "action-type": "forward",
+ "ip-type": "ipv4",
+ "listeners": "HTTPS",
+ "ports": 443,
+ "vpc": "Test",
+ "subnets": "Web",
+ "cert-name": "TestSelf-SignedCert",
+ "cert-arn": "",
+ "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
+ "security-group": "Web",
+ "tg-stickiness": "",
+ "access-logs": true,
+ "targets": [
+ {
+ "target-name": "health-check-Lambda",
+ "target-type": "lambda",
+ "health-check-path": "/health-check",
+ "lambda-filename": "internal-test-alb-lambda.txt"
+ }
+ ]
+ }
+ ],
+ "vpc": [
+ {
+ "deploy": "shared-network",
+ "name": "Test",
+ "cidr": "10.3.0.0/16",
+ "region": "ca-central-1",
+ "use-central-endpoints": true,
+ "flow-logs": "CWL",
+ "igw": false,
+ "vgw": false,
+ "pcx": false,
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "TGW",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.88.0/27"
+ },
+ {
+ "az": "b",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.88.32/27"
+ },
+ {
+ "az": "d",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.88.64/27",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.32.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.128.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.192.0/20",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.0.0/19"
+ },
+ {
+ "az": "b",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.96.0/19"
+ },
+ {
+ "az": "d",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.160.0/19",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.48.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.144.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.208.0/20",
+ "disabled": true
+ }
+ ],
+ "nacls": [
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": true,
+ "cidr-blocks": [
+ {
+ "vpc": "Test",
+ "subnet": ["Web"]
+ },
+ {
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": true,
+ "cidr-blocks": ["0.0.0.0/0"]
+ },
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": false,
+ "cidr-blocks": [
+ {
+ "vpc": "Test",
+ "subnet": ["Web"]
+ },
+ {
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": false,
+ "cidr-blocks": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Mgmt",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.64.0/21"
+ },
+ {
+ "az": "b",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.72.0/21"
+ },
+ {
+ "az": "d",
+ "route-table": "TestVPC_Common",
+ "cidr": "10.3.80.0/21",
+ "disabled": true
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": ["s3", "dynamodb"],
+ "route-tables": [
+ {
+ "name": "TestVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ },
+ {
+ "destination": "DynamoDB",
+ "target": "DynamoDB"
+ }
+ ]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Mgmt",
+ "inbound-rules": [
+ {
+ "description": "Mgmt RDP/SSH Traffic Inbound",
+ "type": ["RDP", "SSH"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "inbound-rules": [
+ {
+ "description": "World Web Traffic Inbound",
+ "type": ["HTTP", "HTTPS"],
+ "source": ["0.0.0.0/0"]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local Web Tier Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Web"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local App DB Traffic Inbound",
+ "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Data"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": ["segregated"],
+ "tgw-rt-propagate": ["core", "shared"],
+ "blackhole-route": true,
+ "attach-subnets": ["TGW"],
+ "options": ["DNS-support"]
+ },
+ "interface-endpoints": false
+ }
+ ],
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ }
+ },
+ "Prod": {
+ "type": "workload",
+ "share-mad-from": "operations",
+ "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-PBMM-Only"],
+ "default-budgets": {
+ "name": "Default Prod Budget",
+ "period": "Monthly",
+ "amount": 1000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "certificates": [
+ {
+ "name": "ProdSelf-SignedCert",
+ "type": "import",
+ "priv-key": "certs/example1-cert.key",
+ "cert": "certs/example1-cert.crt"
+ }
+ ],
+ "alb": [
+ {
+ "name": "Core",
+ "scheme": "internal",
+ "action-type": "forward",
+ "ip-type": "ipv4",
+ "listeners": "HTTPS",
+ "ports": 443,
+ "vpc": "Prod",
+ "subnets": "Web",
+ "cert-name": "ProdSelf-SignedCert",
+ "cert-arn": "",
+ "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
+ "security-group": "Web",
+ "tg-stickiness": "",
+ "access-logs": true,
+ "targets": [
+ {
+ "target-name": "health-check-Lambda",
+ "target-type": "lambda",
+ "health-check-path": "/health-check",
+ "lambda-filename": "internal-prod-alb-lambda.txt"
+ }
+ ]
+ }
+ ],
+ "vpc": [
+ {
+ "deploy": "shared-network",
+ "name": "Prod",
+ "cidr": "10.4.0.0/16",
+ "region": "ca-central-1",
+ "use-central-endpoints": true,
+ "flow-logs": "CWL",
+ "igw": false,
+ "vgw": false,
+ "pcx": false,
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "TGW",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.88.0/27"
+ },
+ {
+ "az": "b",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.88.32/27"
+ },
+ {
+ "az": "d",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.88.64/27",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.32.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.128.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.192.0/20",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.0.0/19"
+ },
+ {
+ "az": "b",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.96.0/19"
+ },
+ {
+ "az": "d",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.160.0/19",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.48.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.144.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.208.0/20",
+ "disabled": true
+ }
+ ],
+ "nacls": [
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": true,
+ "cidr-blocks": [
+ {
+ "vpc": "Prod",
+ "subnet": ["Web"]
+ },
+ {
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": true,
+ "cidr-blocks": ["0.0.0.0/0"]
+ },
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": false,
+ "cidr-blocks": [
+ {
+ "vpc": "Prod",
+ "subnet": ["Web"]
+ },
+ {
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": false,
+ "cidr-blocks": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Mgmt",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.64.0/21"
+ },
+ {
+ "az": "b",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.72.0/21"
+ },
+ {
+ "az": "d",
+ "route-table": "ProdVPC_Common",
+ "cidr": "10.4.80.0/21",
+ "disabled": true
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": ["s3", "dynamodb"],
+ "route-tables": [
+ {
+ "name": "ProdVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ },
+ {
+ "destination": "DynamoDB",
+ "target": "DynamoDB"
+ }
+ ]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Mgmt",
+ "inbound-rules": [
+ {
+ "description": "Mgmt RDP/SSH Traffic Inbound",
+ "type": ["RDP", "SSH"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "inbound-rules": [
+ {
+ "description": "World Web Traffic Inbound",
+ "type": ["HTTP", "HTTPS"],
+ "source": ["0.0.0.0/0"]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local Web Tier Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Web"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local App DB Traffic Inbound",
+ "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Data"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": ["segregated"],
+ "tgw-rt-propagate": ["core", "shared"],
+ "blackhole-route": true,
+ "attach-subnets": ["TGW"],
+ "options": ["DNS-support"]
+ },
+ "interface-endpoints": false
+ }
+ ],
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ }
+ },
+ "UnClass": {
+ "type": "workload",
+ "share-mad-from": "operations",
+ "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-Unclass-Only"],
+ "default-budgets": {
+ "name": "Default Unclass Budget",
+ "period": "Monthly",
+ "amount": 1000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "certificates": [
+ {
+ "name": "UnclassSelf-SignedCert",
+ "type": "import",
+ "priv-key": "certs/example1-cert.key",
+ "cert": "certs/example1-cert.crt"
+ }
+ ],
+ "vpc": [
+ {
+ "deploy": "shared-network",
+ "name": "UnClass",
+ "cidr": "10.5.0.0/16",
+ "region": "ca-central-1",
+ "use-central-endpoints": true,
+ "flow-logs": "S3",
+ "igw": false,
+ "vgw": false,
+ "pcx": false,
+ "natgw": false,
+ "subnets": [
+ {
+ "name": "TGW",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.88.0/27"
+ },
+ {
+ "az": "b",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.88.32/27"
+ },
+ {
+ "az": "d",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.88.64/27",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.32.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.128.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.192.0/20",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.0.0/19"
+ },
+ {
+ "az": "b",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.96.0/19"
+ },
+ {
+ "az": "d",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.160.0/19",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.48.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.144.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.208.0/20",
+ "disabled": true
+ }
+ ],
+ "nacls": [
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": true,
+ "cidr-blocks": [
+ {
+ "vpc": "UnClass",
+ "subnet": ["Web"]
+ },
+ {
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": true,
+ "cidr-blocks": ["0.0.0.0/0"]
+ },
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": false,
+ "cidr-blocks": [
+ {
+ "vpc": "UnClass",
+ "subnet": ["Web"]
+ },
+ {
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": false,
+ "cidr-blocks": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Mgmt",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.64.0/21"
+ },
+ {
+ "az": "b",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.72.0/21"
+ },
+ {
+ "az": "d",
+ "route-table": "UnClassVPC_Common",
+ "cidr": "10.5.80.0/21",
+ "disabled": true
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": ["s3", "dynamodb"],
+ "route-tables": [
+ {
+ "name": "UnClassVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ },
+ {
+ "destination": "DynamoDB",
+ "target": "DynamoDB"
+ }
+ ]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Mgmt",
+ "inbound-rules": [
+ {
+ "description": "Mgmt RDP/SSH Traffic Inbound",
+ "type": ["RDP", "SSH"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "inbound-rules": [
+ {
+ "description": "World Web Traffic Inbound",
+ "type": ["HTTP", "HTTPS"],
+ "source": ["0.0.0.0/0"]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local Web Tier Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Web"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": ["Web", "App", "Mgmt", "GCWide"]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local App DB Traffic Inbound",
+ "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Data"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": ["segregated"],
+ "tgw-rt-propagate": ["core", "shared"],
+ "blackhole-route": true,
+ "attach-subnets": ["TGW"],
+ "options": ["DNS-support"]
+ },
+ "interface-endpoints": false
+ }
+ ],
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ }
+ },
+ "Sandbox": {
+ "type": "workload",
+ "share-mad-from": "",
+ "scps": ["ALZ-Core", "Guardrails-Part-1", "Guardrails-Part-2", "Guardrails-Unclass-Only"],
+ "default-budgets": {
+ "name": "Default Sandbox Budget",
+ "period": "Monthly",
+ "amount": 200,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": ["myemail+pbmmT-budg@example.com"]
+ }
+ ]
+ },
+ "vpc": [
+ {
+ "deploy": "local",
+ "name": "Sandbox",
+ "cidr": "10.6.0.0/16",
+ "region": "ca-central-1",
+ "use-central-endpoints": false,
+ "flow-logs": "BOTH",
+ "igw": true,
+ "vgw": false,
+ "pcx": false,
+ "natgw": {
+ "subnet": {
+ "name": "Web",
+ "az": "a"
+ }
+ },
+ "subnets": [
+ {
+ "name": "Web",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "SandboxVPC_IGW",
+ "cidr": "10.6.32.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "SandboxVPC_IGW",
+ "cidr": "10.6.128.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "SandboxVPC_IGW",
+ "cidr": "10.6.192.0/20",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.0.0/19"
+ },
+ {
+ "az": "b",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.96.0/19"
+ },
+ {
+ "az": "d",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.160.0/19",
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.48.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.144.0/20"
+ },
+ {
+ "az": "d",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.208.0/20",
+ "disabled": true
+ }
+ ],
+ "nacls": [
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": true,
+ "cidr-blocks": [
+ {
+ "vpc": "Sandbox",
+ "subnet": ["Web"]
+ },
+ {
+ "account": "shared-network",
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": true,
+ "cidr-blocks": ["0.0.0.0/0"]
+ },
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": false,
+ "cidr-blocks": [
+ {
+ "vpc": "Sandbox",
+ "subnet": ["Web"]
+ },
+ {
+ "account": "shared-network",
+ "vpc": "Central",
+ "subnet": ["Data"]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": false,
+ "cidr-blocks": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Mgmt",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.64.0/21"
+ },
+ {
+ "az": "b",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.72.0/21"
+ },
+ {
+ "az": "d",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.80.0/21",
+ "disabled": true
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": [],
+ "route-tables": [
+ {
+ "name": "SandboxVPC_IGW",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "IGW"
+ }
+ ]
+ },
+ {
+ "name": "SandboxVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "NATGW_Web_azA"
+ }
+ ]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Mgmt",
+ "inbound-rules": [
+ {
+ "description": "Mgmt RDP/SSH Traffic Inbound",
+ "type": ["RDP", "SSH"],
+ "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "inbound-rules": [
+ {
+ "description": "World Web Traffic Inbound",
+ "type": ["HTTP", "HTTPS"],
+ "source": ["0.0.0.0/0"]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "inbound-rules": [
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local Web Tier Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Web"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "inbound-rules": [
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Mgmt"]
+ }
+ ]
+ },
+ {
+ "description": "Local App DB Traffic Inbound",
+ "type": ["MSSQL", "MYSQL/AURORA", "REDSHIFT", "POSTGRESQL", "ORACLE-RDS"],
+ "source": [
+ {
+ "security-group": ["App"]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": ["ALL"],
+ "source": [
+ {
+ "security-group": ["Data"]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0"]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": false,
+ "interface-endpoints": false
+ }
+ ],
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/reference-artifacts/iam-policies/boundary-policy.txt b/reference-artifacts/iam-policies/boundary-policy.txt
index ce9d5c2e5..fa6110e22 100644
--- a/reference-artifacts/iam-policies/boundary-policy.txt
+++ b/reference-artifacts/iam-policies/boundary-policy.txt
@@ -1,10 +1,10 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": "*",
- "Resource": "*"
- }
- ]
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"
+ }
+ ]
}
\ No newline at end of file
diff --git a/reference-artifacts/iam-policies/firewall-fg-policy.txt b/reference-artifacts/iam-policies/firewall-fg-policy.txt
index 565913c74..f462bc787 100644
--- a/reference-artifacts/iam-policies/firewall-fg-policy.txt
+++ b/reference-artifacts/iam-policies/firewall-fg-policy.txt
@@ -1,16 +1,16 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:Describe*",
- "ec2:AssociateAddress",
- "ec2:AssignPrivateIpAddresses",
- "ec2:UnassignPrivateIpAddresses",
- "ec2:ReplaceRoute"
- ],
- "Resource": "*"
- }
- ]
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:Describe*",
+ "ec2:AssociateAddress",
+ "ec2:AssignPrivateIpAddresses",
+ "ec2:UnassignPrivateIpAddresses",
+ "ec2:ReplaceRoute"
+ ],
+ "Resource": "*"
+ }
+ ]
}
\ No newline at end of file
diff --git a/reference-artifacts/iam-policies/key-policy-basic.txt b/reference-artifacts/iam-policies/key-policy-basic.txt
index bcda0453b..d3f04f7ec 100644
--- a/reference-artifacts/iam-policies/key-policy-basic.txt
+++ b/reference-artifacts/iam-policies/key-policy-basic.txt
@@ -1,15 +1,15 @@
-{
- "Id": "key-consolepolicy-3",
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "Enable IAM User Permissions",
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::863254859172:root"
- },
- "Action": "kms:*",
- "Resource": "*"
- }
- ]
+{
+ "Id": "key-consolepolicy-3",
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "Enable IAM User Permissions",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::863254859172:root"
+ },
+ "Action": "kms:*",
+ "Resource": "*"
+ }
+ ]
}
\ No newline at end of file
diff --git a/reference-artifacts/iam-policies/pbmmaccel-rdgw-custom-policies.txt b/reference-artifacts/iam-policies/pbmmaccel-rdgw-custom-policies.txt
index 302396b87..e8504bcce 100644
--- a/reference-artifacts/iam-policies/pbmmaccel-rdgw-custom-policies.txt
+++ b/reference-artifacts/iam-policies/pbmmaccel-rdgw-custom-policies.txt
@@ -1,31 +1,31 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Action": "s3:GetObject",
- "Resource": "*",
- "Effect": "Allow"
- },
- {
- "Action": [
- "ec2:AssociateAddress",
- "ec2:DescribeAddresses"
- ],
- "Resource": "*",
- "Effect": "Allow"
- },
- {
- "Action": "secretsmanager:Get*",
- "Resource": "*",
- "Effect": "Allow"
- },
- {
- "Action": [
- "kms:Decrypt",
- "kms:GenerateDataKey"
- ],
- "Resource": "*",
- "Effect": "Allow"
- }
- ]
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": "s3:GetObject",
+ "Resource": "*",
+ "Effect": "Allow"
+ },
+ {
+ "Action": [
+ "ec2:AssociateAddress",
+ "ec2:DescribeAddresses"
+ ],
+ "Resource": "*",
+ "Effect": "Allow"
+ },
+ {
+ "Action": "secretsmanager:Get*",
+ "Resource": "*",
+ "Effect": "Allow"
+ },
+ {
+ "Action": [
+ "kms:Decrypt",
+ "kms:GenerateDataKey"
+ ],
+ "Resource": "*",
+ "Effect": "Allow"
+ }
+ ]
}
\ No newline at end of file
diff --git a/reference-artifacts/iam-policies/role-trust-policy.txt b/reference-artifacts/iam-policies/role-trust-policy.txt
index 3c1bebaeb..49de0e8e2 100644
--- a/reference-artifacts/iam-policies/role-trust-policy.txt
+++ b/reference-artifacts/iam-policies/role-trust-policy.txt
@@ -1,12 +1,12 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::xxACCTNUMBERxx:role/xxROLENAMExx"
- },
- "Action": "sts:AssumeRole"
- }
- ]
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::xxACCTNUMBERxx:role/xxROLENAMExx"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
}
\ No newline at end of file
diff --git a/reference-artifacts/master-config-sample-snippets/firewall_file_available_variables.txt b/reference-artifacts/master-config-sample-snippets/firewall_file_available_variables.txt
index a063c6439..d0b16e8f2 100644
--- a/reference-artifacts/master-config-sample-snippets/firewall_file_available_variables.txt
+++ b/reference-artifacts/master-config-sample-snippets/firewall_file_available_variables.txt
@@ -1,46 +1,46 @@
-- Shown variables and values are reflective of the sample configuration file for the first AZ
-- Variable names change based on subnet names, for example
-
-- Interface 1 is: Public
-- Interface 2 is: OnPremise
-- Interface 3 is: Mgmt
-- Interface 4 is: Proxy/DMZ
-
-- templatePath: firewall/firewall-example.txt
-- outputPath: fgtconfig-init-Firewall_azA-0.txt
- "${Hostname}": Firewall_azA
- "${VpcMask}": 255.255.252.0
- "${VpcCidr}": 10.7.4.0/22
- "${VpcNetworkIp}": 10.7.4.0
- "${VpcRouterIp}": 10.7.4.1
- "${VpcMask2}": 255.255.254.0
- "${VpcCidr2}": 100.96.250.0/23
- "${VpcNetworkIp2}": 100.96.250.0
- "${VpcRouterIp2}": 100.96.250.1
- "${PublicIp1}": FirewallInstance0Eni-PrimaryPrivateIpAddress
- "${PublicNetworkIp}": 100.96.250.0
- "${PublicRouterIp}": 100.96.250.1
- "${PublicCidr}": 100.96.250.0/25
- "${PublicMask}": 255.255.255.128
- "${PublicCgwTunnelOutsideAddress1}": 35.182.44.198
- "${PublicCgwTunnelInsideAddress1}": 169.254.251.78
- "${PublicCgwBgpAsn1}": "65523"
- "${PublicVpnTunnelOutsideAddress1}": 52.60.81.49
- "${PublicVpnTunnelInsideAddress1}": 169.254.251.77
- "${PublicVpnBgpAsn1}": "65521"
- "${PublicPreSharedSecret1}": the-secret
- "${OnPremiseIp1}": FirewallInstance0Eni-PrimaryPrivateIpAddress
- "${OnPremiseNetworkIp}": 100.96.251.0
- "${OnPremiseRouterIp}": 100.96.251.1
- "${OnPremiseCidr}": 100.96.251.0/27
- "${OnPremiseMask}": 255.255.255.224
- "${FWMgmtIp1}":FirewallInstance0Eni-PrimaryPrivateIpAddress
- "${FWMgmtNetworkIp}": 100.96.251.32
- "${FWMgmtRouterIp}": 100.96.251.33
- "${FWMgmtCidr}": 100.96.251.32/27
- "${FWMgmtMask}": 255.255.255.224
- "${ProxyIp1}": FirewallInstance0Eni-PrimaryPrivateIpAddress
- "${ProxyNetworkIp}": 100.96.251.64
- "${ProxyRouterIp}": 100.96.251.65
- "${ProxyCidr}": 100.96.251.64/26
- "${ProxyMask}": 255.255.255.192
+- Shown variables and values are reflective of the sample configuration file for the first AZ
+- Variable names change based on subnet names, for example
+
+- Interface 1 is: Public
+- Interface 2 is: OnPremise
+- Interface 3 is: Mgmt
+- Interface 4 is: Proxy/DMZ
+
+- templatePath: firewall/firewall-example.txt
+- outputPath: fgtconfig-init-Firewall_azA-0.txt
+ "${Hostname}": Firewall_azA
+ "${VpcMask}": 255.255.252.0
+ "${VpcCidr}": 10.7.4.0/22
+ "${VpcNetworkIp}": 10.7.4.0
+ "${VpcRouterIp}": 10.7.4.1
+ "${VpcMask2}": 255.255.254.0
+ "${VpcCidr2}": 100.96.250.0/23
+ "${VpcNetworkIp2}": 100.96.250.0
+ "${VpcRouterIp2}": 100.96.250.1
+ "${PublicIp1}": FirewallInstance0Eni-PrimaryPrivateIpAddress
+ "${PublicNetworkIp}": 100.96.250.0
+ "${PublicRouterIp}": 100.96.250.1
+ "${PublicCidr}": 100.96.250.0/25
+ "${PublicMask}": 255.255.255.128
+ "${PublicCgwTunnelOutsideAddress1}": 35.182.44.198
+ "${PublicCgwTunnelInsideAddress1}": 169.254.251.78
+ "${PublicCgwBgpAsn1}": "65523"
+ "${PublicVpnTunnelOutsideAddress1}": 52.60.81.49
+ "${PublicVpnTunnelInsideAddress1}": 169.254.251.77
+ "${PublicVpnBgpAsn1}": "65521"
+ "${PublicPreSharedSecret1}": the-secret
+ "${OnPremiseIp1}": FirewallInstance0Eni-PrimaryPrivateIpAddress
+ "${OnPremiseNetworkIp}": 100.96.251.0
+ "${OnPremiseRouterIp}": 100.96.251.1
+ "${OnPremiseCidr}": 100.96.251.0/27
+ "${OnPremiseMask}": 255.255.255.224
+ "${FWMgmtIp1}":FirewallInstance0Eni-PrimaryPrivateIpAddress
+ "${FWMgmtNetworkIp}": 100.96.251.32
+ "${FWMgmtRouterIp}": 100.96.251.33
+ "${FWMgmtCidr}": 100.96.251.32/27
+ "${FWMgmtMask}": 255.255.255.224
+ "${ProxyIp1}": FirewallInstance0Eni-PrimaryPrivateIpAddress
+ "${ProxyNetworkIp}": 100.96.251.64
+ "${ProxyRouterIp}": 100.96.251.65
+ "${ProxyCidr}": 100.96.251.64/26
+ "${ProxyMask}": 255.255.255.192
diff --git a/reference-artifacts/master-config-sample-snippets/sample_snippets.json b/reference-artifacts/master-config-sample-snippets/sample_snippets.json
index b8d328831..94a6509f7 100644
--- a/reference-artifacts/master-config-sample-snippets/sample_snippets.json
+++ b/reference-artifacts/master-config-sample-snippets/sample_snippets.json
@@ -1,357 +1,357 @@
-Config File Examples: {Not in sample config file}
-************************************Update Central Logging Kinesis stream shard count as accounts are added
- "central-log-services": {
- "kinesis-stream-shard-count": 2,
-************************************Override default CWL retention period (Add to any account)
- “cwl-retention”: 180
-************************************Macie Frequency values:
- "macie-frequency": "SIX_HOURS" ---> FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS
-
-************************************CWL subscription exclusions example
- "central-log-services": {
- "cwl-glbl-exclusions": ["/xxx/yyy/*", "abc/*"],
- "cwl-exclusions": [
- {
- "account": "fun-acct",
- "exclusions": ["def/*"]
- }
- ],
-************************************cert REQUEST format
- "certificates": [
- {
- "name": "PublicCert",
- "type": "request",
- "domain": "*.example.com",
- "validation": "DNS",
- "san": ["*.example1.com"]
- }
- ]
-************************************budget include fields
- "default-budgets": {
- "name": "Default Core Budget",
- "period": "Monthly",
- "amount": 1000,
- "include": [
- "Refunds",
- "Credits",
- "Upfront-reservation-fees",
- "Recurring-reservation-charges",
- "Other-subscription-costs",
- "Taxes",
- "Support-charges",
- "Discounts"
-************************************Cross Account Role
- {
- "role": "Test-Role",
- "type": "account",
- "policies": ["AdministratorAccess"],
- "boundary-policy": "Default-Boundary-Policy",
- "source-account": "security",
- "source-account-role": "AWSLandingZoneSecurityAdministratorRole",
- "trust-policy": "role-trust-policy.txt"
- }
-************************************Very basic workload and per account exceptions
- "workload-account-configs": {
- "fun-acct": {
- "account-name": "TheFunAccount",
- "email": "myemail+pbmmT-funacct@example.com---------------------REPLACE----------------------",
- "ou": "Sandbox"
- },
- "mydevacct1": {
- "account-name": "MyDev1",
- "email": "myemail+pbmmT-dev1@example.com---------------------REPLACE----------------------",
- "ou": "Dev",
- "share-mad-from": "operations",
- "enable-s3-public-access": true
- }
- },
-************************************Sample limit increases supported
- "limits": {
- "Amazon VPC/Interface VPC endpoints per VPC": 90,
- "Amazon VPC/VPCs per Region": 15,
- "AWS CloudFormation/Stack count": 400,
- "AWS CloudFormation/Stack sets per administrator account": 400
- },
-************************************v1.0.4_to_v1.0.5 upgrade MAD fix
- "deployments": {
- "mad": {
- "dir-id": 1001,
- "password-secret-name": "accelerator/operations/mad/password",
-************************************
-
-************************************
- {
- "name": "SampleComplexSecurityGroup",
- "inbound-rules": [
- {
- "description": "Allow Inbound Domain Traffic",
- "tcp-ports": [464, 389, 3389, 445, 88, 135, 636, 53],
- "udp-ports": [445, 138, 464, 53, 389, 123, 88],
- "source": ["0.0.0.0/0"]
- },
- {
- "description": "Allow Inbound RDSH",
- "type": ["TCP"],
- "toPort": 3269,
- "fromPort": 3268,
- "source": ["0.0.0.0/0"]
- },
- {
- "description": "Allow Inbound High Ports",
- "type": ["TCP"],
- "toPort": 65535,
- "fromPort": 1024,
- "source": ["0.0.0.0/0"]
- }
- ],
- "outbound-rules": [
- {
- "description": "All Outbound",
- "type": ["ALL"],
- "source": ["0.0.0.0/0", "0::/0"]
- }
- ]
- },
-************************************One NATGW
-"natgw": {
- "subnet": {
- "name": "Web",
- "az": "a"
- }
- },
- "subnets": [
- {
- "name": "Web",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "SandboxVPC_IGW",
- "cidr": "10.6.32.0/20"
- },
- {
- "az": "b",
- "route-table": "SandboxVPC_IGW",
- "cidr": "10.6.128.0/20"
- }
- ]
- },
- {
- "name": "App",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.0.0/19"
- },
- {
- "az": "b",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.96.0/19"
- }
- ]
- },
- {
- "name": "Data",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.48.0/20"
- },
- {
- "az": "b",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.144.0/20"
- }
- ]
- }
- ],
- "route-tables": [
- {
- "name": "SandboxVPC_IGW",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "IGW"
- }
- ]
- },
- {
- "name": "SandboxVPC_Common",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "NATGW_Web_azA"
- }
- ]
- }
- ]
-************************************PER AZ NATGW
-"natgw": {
- "subnet": {
- "name": "Web"
- }
- },
- "subnets": [
- {
- "name": "Web",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "SandboxVPC_IGW",
- "cidr": "10.6.32.0/20"
- },
- {
- "az": "b",
- "route-table": "SandboxVPC_IGW",
- "cidr": "10.6.128.0/20"
- }
- ]
- },
- {
- "name": "App",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "SandboxVPC_a",
- "cidr": "10.6.0.0/19"
- },
- {
- "az": "b",
- "route-table": "SandboxVPC_b",
- "cidr": "10.6.96.0/19"
- }
- ]
- },
- {
- "name": "Data",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "SandboxVPC_a",
- "cidr": "10.6.48.0/20"
- },
- {
- "az": "b",
- "route-table": "SandboxVPC_b",
- "cidr": "10.6.144.0/20"
- }
- ]
- }
- ],
- "route-tables": [
- {
- "name": "SandboxVPC_IGW",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "IGW"
- }
- ]
- },
- {
- "name": "SandboxVPC_a"
- },
- {
- "name": "SandboxVPC_b"
- }
- ]
-************************************NOT PERFERED, but works: (uses first AZ)
-"natgw": {
- "subnet": {
- "name": "Web"
- }
- },
- "subnets": [
- {
- "name": "Web",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "SandboxVPC_IGW",
- "cidr": "10.6.32.0/20"
- },
- {
- "az": "b",
- "route-table": "SandboxVPC_IGW",
- "cidr": "10.6.128.0/20"
- }
- ]
- },
- {
- "name": "App",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.0.0/19"
- },
- {
- "az": "b",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.96.0/19"
- }
- ]
- },
- {
- "name": "Data",
- "share-to-ou-accounts": false,
- "share-to-specific-accounts": [],
- "definitions": [
- {
- "az": "a",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.48.0/20"
- },
- {
- "az": "b",
- "route-table": "SandboxVPC_Common",
- "cidr": "10.6.144.0/20"
- }
- ]
- }
- ],
- "route-tables": [
- {
- "name": "SandboxVPC_IGW",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "IGW"
- }
- ]
- },
- {
- "name": "SandboxVPC_Common",
- "routes": [
- {
- "destination": "0.0.0.0/0",
- "target": "NATGW_Web_azA"
- }
- ]
- }
- ]
-
-************************************
-
-************************************
-
-************************************
-
-************************************
+Config File Examples: {Not in sample config file}
+************************************Update Central Logging Kinesis stream shard count as accounts are added
+ "central-log-services": {
+ "kinesis-stream-shard-count": 2,
+************************************Override default CWL retention period (Add to any account)
+ “cwl-retention”: 180
+************************************Macie Frequency values:
+ "macie-frequency": "SIX_HOURS" ---> FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS
+
+************************************CWL subscription exclusions example
+ "central-log-services": {
+ "cwl-glbl-exclusions": ["/xxx/yyy/*", "abc/*"],
+ "cwl-exclusions": [
+ {
+ "account": "fun-acct",
+ "exclusions": ["def/*"]
+ }
+ ],
+************************************cert REQUEST format
+ "certificates": [
+ {
+ "name": "PublicCert",
+ "type": "request",
+ "domain": "*.example.com",
+ "validation": "DNS",
+ "san": ["*.example1.com"]
+ }
+ ]
+************************************budget include fields
+ "default-budgets": {
+ "name": "Default Core Budget",
+ "period": "Monthly",
+ "amount": 1000,
+ "include": [
+ "Refunds",
+ "Credits",
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+************************************Cross Account Role
+ {
+ "role": "Test-Role",
+ "type": "account",
+ "policies": ["AdministratorAccess"],
+ "boundary-policy": "Default-Boundary-Policy",
+ "source-account": "security",
+ "source-account-role": "AWSLandingZoneSecurityAdministratorRole",
+ "trust-policy": "role-trust-policy.txt"
+ }
+************************************Very basic workload and per account exceptions
+ "workload-account-configs": {
+ "fun-acct": {
+ "account-name": "TheFunAccount",
+ "email": "myemail+pbmmT-funacct@example.com---------------------REPLACE----------------------",
+ "ou": "Sandbox"
+ },
+ "mydevacct1": {
+ "account-name": "MyDev1",
+ "email": "myemail+pbmmT-dev1@example.com---------------------REPLACE----------------------",
+ "ou": "Dev",
+ "share-mad-from": "operations",
+ "enable-s3-public-access": true
+ }
+ },
+************************************Sample limit increases supported
+ "limits": {
+ "Amazon VPC/Interface VPC endpoints per VPC": 90,
+ "Amazon VPC/VPCs per Region": 15,
+ "AWS CloudFormation/Stack count": 400,
+ "AWS CloudFormation/Stack sets per administrator account": 400
+ },
+************************************v1.0.4_to_v1.0.5 upgrade MAD fix
+ "deployments": {
+ "mad": {
+ "dir-id": 1001,
+ "password-secret-name": "accelerator/operations/mad/password",
+************************************
+
+************************************
+ {
+ "name": "SampleComplexSecurityGroup",
+ "inbound-rules": [
+ {
+ "description": "Allow Inbound Domain Traffic",
+ "tcp-ports": [464, 389, 3389, 445, 88, 135, 636, 53],
+ "udp-ports": [445, 138, 464, 53, 389, 123, 88],
+ "source": ["0.0.0.0/0"]
+ },
+ {
+ "description": "Allow Inbound RDSH",
+ "type": ["TCP"],
+ "toPort": 3269,
+ "fromPort": 3268,
+ "source": ["0.0.0.0/0"]
+ },
+ {
+ "description": "Allow Inbound High Ports",
+ "type": ["TCP"],
+ "toPort": 65535,
+ "fromPort": 1024,
+ "source": ["0.0.0.0/0"]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": ["ALL"],
+ "source": ["0.0.0.0/0", "0::/0"]
+ }
+ ]
+ },
+************************************One NATGW
+"natgw": {
+ "subnet": {
+ "name": "Web",
+ "az": "a"
+ }
+ },
+ "subnets": [
+ {
+ "name": "Web",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "SandboxVPC_IGW",
+ "cidr": "10.6.32.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "SandboxVPC_IGW",
+ "cidr": "10.6.128.0/20"
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.0.0/19"
+ },
+ {
+ "az": "b",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.96.0/19"
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.48.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.144.0/20"
+ }
+ ]
+ }
+ ],
+ "route-tables": [
+ {
+ "name": "SandboxVPC_IGW",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "IGW"
+ }
+ ]
+ },
+ {
+ "name": "SandboxVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "NATGW_Web_azA"
+ }
+ ]
+ }
+ ]
+************************************PER AZ NATGW
+"natgw": {
+ "subnet": {
+ "name": "Web"
+ }
+ },
+ "subnets": [
+ {
+ "name": "Web",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "SandboxVPC_IGW",
+ "cidr": "10.6.32.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "SandboxVPC_IGW",
+ "cidr": "10.6.128.0/20"
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "SandboxVPC_a",
+ "cidr": "10.6.0.0/19"
+ },
+ {
+ "az": "b",
+ "route-table": "SandboxVPC_b",
+ "cidr": "10.6.96.0/19"
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "SandboxVPC_a",
+ "cidr": "10.6.48.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "SandboxVPC_b",
+ "cidr": "10.6.144.0/20"
+ }
+ ]
+ }
+ ],
+ "route-tables": [
+ {
+ "name": "SandboxVPC_IGW",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "IGW"
+ }
+ ]
+ },
+ {
+ "name": "SandboxVPC_a"
+ },
+ {
+ "name": "SandboxVPC_b"
+ }
+ ]
+************************************NOT PERFERED, but works: (uses first AZ)
+"natgw": {
+ "subnet": {
+ "name": "Web"
+ }
+ },
+ "subnets": [
+ {
+ "name": "Web",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "SandboxVPC_IGW",
+ "cidr": "10.6.32.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "SandboxVPC_IGW",
+ "cidr": "10.6.128.0/20"
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.0.0/19"
+ },
+ {
+ "az": "b",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.96.0/19"
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.48.0/20"
+ },
+ {
+ "az": "b",
+ "route-table": "SandboxVPC_Common",
+ "cidr": "10.6.144.0/20"
+ }
+ ]
+ }
+ ],
+ "route-tables": [
+ {
+ "name": "SandboxVPC_IGW",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "IGW"
+ }
+ ]
+ },
+ {
+ "name": "SandboxVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "NATGW_Web_azA"
+ }
+ ]
+ }
+ ]
+
+************************************
+
+************************************
+
+************************************
+
+************************************
diff --git a/reference-artifacts/rsyslog/rsyslog.conf b/reference-artifacts/rsyslog/rsyslog.conf
index c51348178..e398600ef 100644
--- a/reference-artifacts/rsyslog/rsyslog.conf
+++ b/reference-artifacts/rsyslog/rsyslog.conf
@@ -1,90 +1,90 @@
-# rsyslog configuration file
-# note that most of this config file uses old-style format,
-# because it is well-known AND quite suitable for simple cases
-# like we have with the default config. For more advanced
-# things, RainerScript configuration is suggested.
-
-# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
-# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
-
-#### MODULES ####
-
-module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
-module(load="imklog") # provides kernel logging support (previously done by rklogd)
-#module(load"immark") # provides --MARK-- message capability
-
-# Provides UDP syslog reception
-# for parameters see http://www.rsyslog.com/doc/imudp.html
-module(load="imudp") # needs to be done just once
-input(type="imudp" port="514")
-
-# Provides TCP syslog reception
-# for parameters see http://www.rsyslog.com/doc/imtcp.html
-module(load="imtcp") # needs to be done just once
-input(type="imtcp" port="514")
-
-
-#### GLOBAL DIRECTIVES ####
-
-# Use default timestamp format
-$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
-
-# File syncing capability is disabled by default. This feature is usually not required,
-# not useful and an extreme performance hit
-#$ActionFileEnableSync on
-
-# Include all config files in /etc/rsyslog.d/
-$IncludeConfig /etc/rsyslog.d/*.conf
-
-
-#### RULES ####
-
-# Log all kernel messages to the console.
-# Logging much else clutters up the screen.
-#kern.* /dev/console
-
-# Log anything (except mail) of level info or higher.
-# Don't log private authentication messages!
-*.info;mail.none;authpriv.none;cron.none /var/log/messages
-
-# The authpriv file has restricted access.
-authpriv.* /var/log/secure
-
-# Log all the mail messages in one place.
-mail.* /var/log/maillog
-
-
-# Log cron stuff
-cron.* /var/log/cron
-
-# Everybody gets emergency messages
-*.emerg :omusrmsg:*
-
-# Save news errors of level crit and higher in a special file.
-uucp,news.crit /var/log/spooler
-
-# Save boot messages also to boot.log
-local7.* /var/log/boot.log
-
-
-:programname,isequal,"dhclient" stop
-:programname,isequal,"ec2net" stop
-
-
-# ### begin forwarding rule ###
-# The statement between the begin ... end define a SINGLE forwarding
-# rule. They belong together, do NOT split them. If you create multiple
-# forwarding rules, duplicate the whole block!
-# Remote Logging (we use TCP for reliable delivery)
-#
-# An on-disk queue is created for this action. If the remote host is
-# down, messages are spooled to disk and sent when it is up again.
-#$WorkDirectory /var/lib/rsyslog # where to place spool files
-#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
-#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
-#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
-#$ActionQueueType LinkedList # run asynchronously
-#$ActionResumeRetryCount -1 # infinite retries if host is down
-# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
-#*.* @@remote-host:514
-# ### end of the forwarding rule ###
+# rsyslog configuration file
+# note that most of this config file uses old-style format,
+# because it is well-known AND quite suitable for simple cases
+# like we have with the default config. For more advanced
+# things, RainerScript configuration is suggested.
+
+# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
+# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
+
+#### MODULES ####
+
+module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
+module(load="imklog") # provides kernel logging support (previously done by rklogd)
+#module(load"immark") # provides --MARK-- message capability
+
+# Provides UDP syslog reception
+# for parameters see http://www.rsyslog.com/doc/imudp.html
+module(load="imudp") # needs to be done just once
+input(type="imudp" port="514")
+
+# Provides TCP syslog reception
+# for parameters see http://www.rsyslog.com/doc/imtcp.html
+module(load="imtcp") # needs to be done just once
+input(type="imtcp" port="514")
+
+
+#### GLOBAL DIRECTIVES ####
+
+# Use default timestamp format
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+# File syncing capability is disabled by default. This feature is usually not required,
+# not useful and an extreme performance hit
+#$ActionFileEnableSync on
+
+# Include all config files in /etc/rsyslog.d/
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+#### RULES ####
+
+# Log all kernel messages to the console.
+# Logging much else clutters up the screen.
+#kern.* /dev/console
+
+# Log anything (except mail) of level info or higher.
+# Don't log private authentication messages!
+*.info;mail.none;authpriv.none;cron.none /var/log/messages
+
+# The authpriv file has restricted access.
+authpriv.* /var/log/secure
+
+# Log all the mail messages in one place.
+mail.* /var/log/maillog
+
+
+# Log cron stuff
+cron.* /var/log/cron
+
+# Everybody gets emergency messages
+*.emerg :omusrmsg:*
+
+# Save news errors of level crit and higher in a special file.
+uucp,news.crit /var/log/spooler
+
+# Save boot messages also to boot.log
+local7.* /var/log/boot.log
+
+
+:programname,isequal,"dhclient" stop
+:programname,isequal,"ec2net" stop
+
+
+# ### begin forwarding rule ###
+# The statement between the begin ... end define a SINGLE forwarding
+# rule. They belong together, do NOT split them. If you create multiple
+# forwarding rules, duplicate the whole block!
+# Remote Logging (we use TCP for reliable delivery)
+#
+# An on-disk queue is created for this action. If the remote host is
+# down, messages are spooled to disk and sent when it is up again.
+#$WorkDirectory /var/lib/rsyslog # where to place spool files
+#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
+#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
+#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
+#$ActionQueueType LinkedList # run asynchronously
+#$ActionResumeRetryCount -1 # infinite retries if host is down
+# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
+#*.* @@remote-host:514
+# ### end of the forwarding rule ###
diff --git a/reference-artifacts/scripts/AD-connector-permissions-setup.ps1 b/reference-artifacts/scripts/AD-connector-permissions-setup.ps1
index 3a15f25c7..ee25a837a 100644
--- a/reference-artifacts/scripts/AD-connector-permissions-setup.ps1
+++ b/reference-artifacts/scripts/AD-connector-permissions-setup.ps1
@@ -1,19 +1,19 @@
-[CmdletBinding()]
-param(
- [string]
- $GroupName,
-
- [string]
- $DomainAdminUser,
-
- [string]
- $DomainAdminPassword
-)
-
-# Turned off logging;
-# Start-Transcript -Path C:\cfn\log\AD-connector-setup.txt
-
-$securePassword = ConvertTo-SecureString $DomainAdminPassword -AsPlainText -Force
-$credential = New-Object System.Management.Automation.PSCredential $DomainAdminUser, $securePassword
-
+[CmdletBinding()]
+param(
+ [string]
+ $GroupName,
+
+ [string]
+ $DomainAdminUser,
+
+ [string]
+ $DomainAdminPassword
+)
+
+# Turned off logging;
+# Start-Transcript -Path C:\cfn\log\AD-connector-setup.txt
+
+$securePassword = ConvertTo-SecureString $DomainAdminPassword -AsPlainText -Force
+$credential = New-Object System.Management.Automation.PSCredential $DomainAdminUser, $securePassword
+
Start-Process powershell.exe -Credential $credential -ArgumentList "-file c:\cfn\scripts\AD-group-grant-permissions-setup.ps1", "$GroupName"
\ No newline at end of file
diff --git a/reference-artifacts/scripts/AD-group-grant-permissions-setup.ps1 b/reference-artifacts/scripts/AD-group-grant-permissions-setup.ps1
index f8b7c9027..efab9d604 100644
--- a/reference-artifacts/scripts/AD-group-grant-permissions-setup.ps1
+++ b/reference-artifacts/scripts/AD-group-grant-permissions-setup.ps1
@@ -1,16 +1,16 @@
-[CmdletBinding()]
-param(
- [string]
- $GroupName
-)
-
-# Turned off logging;
-# Start-Transcript -Path C:\cfn\log\AD-connector-setup.txt
-
-#This part of the code gets the domain name and splits it
-$fdn=(Get-WmiObject Win32_ComputerSystem).Domain
-$dom,$ext=$fdn.split('.')
-
-#Delegate Control
-dsacls "CN=$GroupName,OU=Users,OU=$dom,DC=$dom,DC=$ext" /I:T /G "$dom\$GroupName`:CCDC;computer"
+[CmdletBinding()]
+param(
+ [string]
+ $GroupName
+)
+
+# Turned off logging;
+# Start-Transcript -Path C:\cfn\log\AD-connector-setup.txt
+
+#This part of the code gets the domain name and splits it
+$fdn=(Get-WmiObject Win32_ComputerSystem).Domain
+$dom,$ext=$fdn.split('.')
+
+#Delegate Control
+dsacls "CN=$GroupName,OU=Users,OU=$dom,DC=$dom,DC=$ext" /I:T /G "$dom\$GroupName`:CCDC;computer"
dsacls "CN=$GroupName,OU=Users,OU=$dom,DC=$dom,DC=$ext" /I:T /G "$dom\$GroupName`:CCDC;user"
\ No newline at end of file
diff --git a/reference-artifacts/scripts/AD-group-setup.ps1 b/reference-artifacts/scripts/AD-group-setup.ps1
index 9d7a011b7..f27268feb 100644
--- a/reference-artifacts/scripts/AD-group-setup.ps1
+++ b/reference-artifacts/scripts/AD-group-setup.ps1
@@ -1,32 +1,32 @@
-[CmdletBinding()]
-param(
- [string]
- $GroupNames,
-
- [string]
- $DomainAdminUser,
-
- [string]
- $DomainAdminPassword
-)
-
-# Turned off logging;
-# Start-Transcript -Path C:\cfn\log\AD-connector-setup.txt
-
-#This part of the code gets the domain name and splits it
-$fdn=(Get-WmiObject Win32_ComputerSystem).Domain
-$dom,$ext=$fdn.split('.')
-
-$securePassword = ConvertTo-SecureString $DomainAdminPassword -AsPlainText -Force
-$credential = New-Object System.Management.Automation.PSCredential $DomainAdminUser, $securePassword
-
-$groupsArray = $GroupNames -split ','
-
-for ($i=0; $i -lt $groupsArray.Length; $i++) {
- $groupName = $groupsArray[$i]
- $groupExists = Get-ADGroup -Filter {Name -eq $groupName} -Credential $credential
- if($null -eq $groupExists) {
- #Create Group
- New-ADGroup -Name $groupName -GroupCategory Security -GroupScope Global -Credential $credential
- }
+[CmdletBinding()]
+param(
+ [string]
+ $GroupNames,
+
+ [string]
+ $DomainAdminUser,
+
+ [string]
+ $DomainAdminPassword
+)
+
+# Turned off logging;
+# Start-Transcript -Path C:\cfn\log\AD-connector-setup.txt
+
+#This part of the code gets the domain name and splits it
+$fdn=(Get-WmiObject Win32_ComputerSystem).Domain
+$dom,$ext=$fdn.split('.')
+
+$securePassword = ConvertTo-SecureString $DomainAdminPassword -AsPlainText -Force
+$credential = New-Object System.Management.Automation.PSCredential $DomainAdminUser, $securePassword
+
+$groupsArray = $GroupNames -split ','
+
+for ($i=0; $i -lt $groupsArray.Length; $i++) {
+ $groupName = $groupsArray[$i]
+ $groupExists = Get-ADGroup -Filter {Name -eq $groupName} -Credential $credential
+ if($null -eq $groupExists) {
+ #Create Group
+ New-ADGroup -Name $groupName -GroupCategory Security -GroupScope Global -Credential $credential
+ }
}
\ No newline at end of file
diff --git a/reference-artifacts/scripts/AD-user-group-setup.ps1 b/reference-artifacts/scripts/AD-user-group-setup.ps1
index d164a893a..848d3c068 100644
--- a/reference-artifacts/scripts/AD-user-group-setup.ps1
+++ b/reference-artifacts/scripts/AD-user-group-setup.ps1
@@ -1,31 +1,31 @@
-[CmdletBinding()]
-param(
- [string]
- $GroupNames,
-
- [string]
- $UserName,
-
- [string]
- $DomainAdminUser,
-
- [string]
- $DomainAdminPassword
-)
-
-# Turned off logging;
-# Start-Transcript -Path C:\cfn\log\AD-connector-setup.txt
-
-#This part of the code gets the domain name and splits it
-$fdn=(Get-WmiObject Win32_ComputerSystem).Domain
-$dom,$ext=$fdn.split('.')
-
-$securePassword = ConvertTo-SecureString $DomainAdminPassword -AsPlainText -Force
-$credential = New-Object System.Management.Automation.PSCredential $DomainAdminUser, $securePassword
-
-$groupsArray = $GroupNames -split ','
-
-for ($i=0; $i -lt $groupsArray.Length; $i++) {
- #Add User to Group
- Add-ADGroupMember -Identity $groupsArray[$i] -Members $UserName -Credential $credential
+[CmdletBinding()]
+param(
+ [string]
+ $GroupNames,
+
+ [string]
+ $UserName,
+
+ [string]
+ $DomainAdminUser,
+
+ [string]
+ $DomainAdminPassword
+)
+
+# Turned off logging;
+# Start-Transcript -Path C:\cfn\log\AD-connector-setup.txt
+
+#This part of the code gets the domain name and splits it
+$fdn=(Get-WmiObject Win32_ComputerSystem).Domain
+$dom,$ext=$fdn.split('.')
+
+$securePassword = ConvertTo-SecureString $DomainAdminPassword -AsPlainText -Force
+$credential = New-Object System.Management.Automation.PSCredential $DomainAdminUser, $securePassword
+
+$groupsArray = $GroupNames -split ','
+
+for ($i=0; $i -lt $groupsArray.Length; $i++) {
+ #Add User to Group
+ Add-ADGroupMember -Identity $groupsArray[$i] -Members $UserName -Credential $credential
}
\ No newline at end of file
diff --git a/reference-artifacts/scripts/AD-user-setup.ps1 b/reference-artifacts/scripts/AD-user-setup.ps1
index bcf03dfb1..dd154bf03 100644
--- a/reference-artifacts/scripts/AD-user-setup.ps1
+++ b/reference-artifacts/scripts/AD-user-setup.ps1
@@ -1,45 +1,45 @@
-[CmdletBinding()]
-param(
- [string]
- $UserName,
-
- [string]
- $Password,
-
- [string]
- $DomainAdminUser,
-
- [string]
- $DomainAdminPassword,
-
- [string]
- $PasswordNeverExpires,
-
- [Parameter(Mandatory=$false)]
- [AllowEmptyString()]
- [string]$UserEmailAddress = ''
-)
-
-# Turned off logging;
-# Start-Transcript -Path C:\cfn\log\AD-connector-setup.txt
-
-#This part of the code gets the domain name and splits it
-$fdn=(Get-WmiObject Win32_ComputerSystem).Domain
-$dom,$ext=$fdn.split('.')
-
-$pass = ConvertTo-SecureString $Password -AsPlainText -Force
-$securePassword = ConvertTo-SecureString $DomainAdminPassword -AsPlainText -Force
-$credential = New-Object System.Management.Automation.PSCredential $DomainAdminUser, $securePassword
-$userExists = Get-ADUser -Credential $credential -Filter "Name -eq '$UserName'"
-
-If ($null -eq $userExists -and $UserEmailAddress) {
- #Create User
- New-ADUser -Name $UserName -EmailAddress $UserEmailAddress -AccountPassword $pass -Enabled 1 -Credential $credential -SamAccountName $UserName
-}
-
-#Set the admin & connector user's password never expires flag
-If (-NOT ($PasswordNeverExpires -eq 'No')) {
- Set-ADUser -Identity $UserName -PasswordNeverExpires $true -Credential $credential
-} Else {
- Set-ADUser -Identity $UserName -PasswordNeverExpires $false -Credential $credential
-}
+[CmdletBinding()]
+param(
+ [string]
+ $UserName,
+
+ [string]
+ $Password,
+
+ [string]
+ $DomainAdminUser,
+
+ [string]
+ $DomainAdminPassword,
+
+ [string]
+ $PasswordNeverExpires,
+
+ [Parameter(Mandatory=$false)]
+ [AllowEmptyString()]
+ [string]$UserEmailAddress = ''
+)
+
+# Turned off logging;
+# Start-Transcript -Path C:\cfn\log\AD-connector-setup.txt
+
+#This part of the code gets the domain name and splits it
+$fdn=(Get-WmiObject Win32_ComputerSystem).Domain
+$dom,$ext=$fdn.split('.')
+
+$pass = ConvertTo-SecureString $Password -AsPlainText -Force
+$securePassword = ConvertTo-SecureString $DomainAdminPassword -AsPlainText -Force
+$credential = New-Object System.Management.Automation.PSCredential $DomainAdminUser, $securePassword
+$userExists = Get-ADUser -Credential $credential -Filter "Name -eq '$UserName'"
+
+If ($null -eq $userExists -and $UserEmailAddress) {
+ #Create User
+ New-ADUser -Name $UserName -EmailAddress $UserEmailAddress -AccountPassword $pass -Enabled 1 -Credential $credential -SamAccountName $UserName
+}
+
+#Set the admin & connector user's password never expires flag
+If (-NOT ($PasswordNeverExpires -eq 'No')) {
+ Set-ADUser -Identity $UserName -PasswordNeverExpires $true -Credential $credential
+} Else {
+ Set-ADUser -Identity $UserName -PasswordNeverExpires $false -Credential $credential
+}
diff --git a/reference-artifacts/scripts/AWSQuickStart.psm1 b/reference-artifacts/scripts/AWSQuickStart.psm1
index c477f99e1..fc1b30f80 100644
--- a/reference-artifacts/scripts/AWSQuickStart.psm1
+++ b/reference-artifacts/scripts/AWSQuickStart.psm1
@@ -1,345 +1,345 @@
-function New-AWSQuickStartWaitHandle {
- [CmdletBinding()]
- Param(
- [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
- [string]
- $Handle,
-
- [Parameter(Mandatory=$false)]
- [string]
- $Path = 'HKLM:\SOFTWARE\AWSQuickStart\',
-
- [Parameter(Mandatory=$false)]
- [switch]
- $Base64Handle
- )
-
- try {
- $ErrorActionPreference = "Stop"
-
- Write-Verbose "Creating $Path"
- New-Item $Path -Force
-
- if ($Base64Handle) {
- Write-Verbose "Trying to decode handle Base64 string as UTF8 string"
- $decodedHandle = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Handle))
- if ($decodedHandle -notlike "http*") {
- Write-Verbose "Now trying to decode handle Base64 string as Unicode string"
- $decodedHandle = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($Handle))
- }
- Write-Verbose "Decoded handle string: $decodedHandle"
- $Handle = $decodedHandle
- }
-
- Write-Verbose "Creating Handle Registry Key"
- New-ItemProperty -Path $Path -Name Handle -Value $Handle -Force
-
- Write-Verbose "Creating ErrorCount Registry Key"
- New-ItemProperty -Path $Path -Name ErrorCount -Value 0 -PropertyType dword -Force
- }
- catch {
- Write-Verbose $_.Exception.Message
- }
-}
-
-function New-AWSQuickStartResourceSignal {
- [CmdletBinding()]
- Param(
- [Parameter(Mandatory=$true)]
- [string]
- $Stack,
-
- [Parameter(Mandatory=$true)]
- [string]
- $Resource,
-
- [Parameter(Mandatory=$true)]
- [string]
- $Region,
-
- [Parameter(Mandatory=$false)]
- [string]
- $Path = 'HKLM:\SOFTWARE\AWSQuickStart\'
- )
-
- try {
- $ErrorActionPreference = "Stop"
-
- Write-Verbose "Creating $Path"
- New-Item $Path -Force
-
- Write-Verbose "Creating Stack Registry Key"
- New-ItemProperty -Path $Path -Name Stack -Value $Stack -Force
-
- Write-Verbose "Creating Resource Registry Key"
- New-ItemProperty -Path $Path -Name Resource -Value $Resource -Force
-
- Write-Verbose "Creating Region Registry Key"
- New-ItemProperty -Path $Path -Name Region -Value $Region -Force
-
- Write-Verbose "Creating ErrorCount Registry Key"
- New-ItemProperty -Path $Path -Name ErrorCount -Value 0 -PropertyType dword -Force
- }
- catch {
- Write-Verbose $_.Exception.Message
- }
-}
-
-
-function Get-AWSQuickStartErrorCount {
- [CmdletBinding()]
- Param(
- [Parameter(Mandatory=$false)]
- [string]
- $Path = 'HKLM:\SOFTWARE\AWSQuickStart\'
- )
-
- process {
- try {
- Write-Verbose "Getting ErrorCount Registry Key"
- Get-ItemProperty -Path $Path -Name ErrorCount -ErrorAction Stop | Select-Object -ExpandProperty ErrorCount
- }
- catch {
- Write-Verbose $_.Exception.Message
- }
- }
-}
-
-function Set-AWSQuickStartErrorCount {
- [CmdletBinding()]
- Param(
- [Parameter(Mandatory, ValueFromPipeline=$true)]
- [int32]
- $Count,
-
- [Parameter(Mandatory=$false)]
- [string]
- $Path = 'HKLM:\SOFTWARE\AWSQuickStart\'
- )
-
- process {
- try {
- $currentCount = Get-AWSQuickStartErrorCount
- $currentCount += $Count
-
- Write-Verbose "Creating ErrorCount Registry Key"
- Set-ItemProperty -Path $Path -Name ErrorCount -Value $currentCount -ErrorAction Stop
- }
- catch {
- Write-Verbose $_.Exception.Message
- }
- }
-}
-
-function Get-AWSQuickStartWaitHandle {
- [CmdletBinding()]
- Param(
- [Parameter(Mandatory=$false, ValueFromPipeline=$true)]
- [string]
- $Path = 'HKLM:\SOFTWARE\AWSQuickStart\'
- )
-
- process {
- try {
- $ErrorActionPreference = "Stop"
-
- Write-Verbose "Getting Handle key value from $Path"
- $key = Get-ItemProperty $Path
-
- return $key.Handle
- }
- catch {
- Write-Verbose $_.Exception.Message
- }
- }
-}
-
-function Get-AWSQuickStartResourceSignal {
- [CmdletBinding()]
- Param(
- [Parameter(Mandatory=$false)]
- [string]
- $Path = 'HKLM:\SOFTWARE\AWSQuickStart\'
- )
-
- try {
- $ErrorActionPreference = "Stop"
-
- Write-Verbose "Getting Stack, Resource, and Region key values from $Path"
- $key = Get-ItemProperty $Path
- $resourceSignal = @{
- Stack = $key.Stack
- Resource = $key.Resource
- Region = $key.Region
- }
- $toReturn = New-Object -TypeName PSObject -Property $resourceSignal
-
- if ($toReturn.Stack -and $toReturn.Resource -and $toReturn.Region) {
- return $toReturn
- } else {
- return $null
- }
- }
- catch {
- Write-Verbose $_.Exception.Message
- }
-}
-
-function Remove-AWSQuickStartWaitHandle {
- [CmdletBinding()]
- Param(
- [Parameter(Mandatory=$false, ValueFromPipeline=$true)]
- [string]
- $Path = 'HKLM:\SOFTWARE\AWSQuickStart\'
- )
-
- process {
- try {
- $ErrorActionPreference = "Stop"
-
- Write-Verbose "Getting Handle key value from $Path"
- $key = Get-ItemProperty -Path $Path -Name Handle -ErrorAction SilentlyContinue
-
- if ($key) {
- Write-Verbose "Removing Handle key value from $Path"
- Remove-ItemProperty -Path $Path -Name Handle
- }
- }
- catch {
- Write-Verbose $_.Exception.Message
- }
- }
-}
-
-function Remove-AWSQuickStartResourceSignal {
- [CmdletBinding()]
- Param(
- [Parameter(Mandatory=$false)]
- [string]
- $Path = 'HKLM:\SOFTWARE\AWSQuickStart\'
- )
-
- try {
- $ErrorActionPreference = "Stop"
-
- foreach ($keyName in @('Stack','Resource','Region')) {
- Write-Verbose "Getting Stack, Resource, and Region key values from $Path"
- $key = Get-ItemProperty -Path $Path -Name $keyName -ErrorAction SilentlyContinue
-
- if ($key) {
- Write-Verbose "Removing $keyName key value from $Path"
- Remove-ItemProperty -Path $Path -Name $keyName
- }
- }
- }
- catch {
- Write-Verbose $_.Exception.Message
- }
-}
-
-function Write-AWSQuickStartEvent {
- [CmdletBinding()]
- Param(
- [Parameter(Mandatory, ValueFromPipelineByPropertyName=$true)]
- [string]
- $Message,
-
- [Parameter(Mandatory=$false)]
- [string]
- $EntryType = 'Error'
- )
-
- process {
- Write-Verbose "Checking for AWSQuickStart Eventlog Source"
- if(![System.Diagnostics.EventLog]::SourceExists('AWSQuickStart')) {
- New-EventLog -LogName Application -Source AWSQuickStart -ErrorAction SilentlyContinue
- }
- else {
- Write-Verbose "AWSQuickStart Eventlog Source exists"
- }
-
- Write-Verbose "Writing message to application log"
-
- try {
- Write-EventLog -LogName Application -Source AWSQuickStart -EntryType $EntryType -EventId 1001 -Message $Message
- }
- catch {
- Write-Verbose $_.Exception.Message
- }
- }
-}
-
-function Write-AWSQuickStartException {
- [CmdletBinding()]
- Param(
- [Parameter(Mandatory, ValueFromPipeline=$true)]
- [System.Management.Automation.ErrorRecord]
- $ErrorRecord
- )
-
- process {
- try {
- Write-Verbose "Incrementing error count"
- Set-AWSQuickStartErrorCount -Count 1
-
- Write-Verbose "Getting total error count"
- $errorTotal = Get-AWSQuickStartErrorCount
-
- $errorMessage = "Command failure in {0} {1} on line {2} `nException: {3}" -f $ErrorRecord.InvocationInfo.MyCommand.name,
- $ErrorRecord.InvocationInfo.ScriptName, $ErrorRecord.InvocationInfo.ScriptLineNumber, $ErrorRecord.Exception.ToString()
-
- $CmdSafeErrorMessage = $errorMessage -replace '[^a-zA-Z0-9\s\.\[\]\-,:_\\\/\(\)]', ''
- if ($CmdSafeErrorMessage.length -gt 255) {
- $CmdSafeErrorMessage = $CmdSafeErrorMessage.substring(0,252) + '...'
- }
-
- $handle = Get-AWSQuickStartWaitHandle -ErrorAction SilentlyContinue
- if ($handle) {
- Invoke-Expression "cfn-signal.exe -e 1 --reason='$CmdSafeErrorMessage' '$handle'"
- } else {
- $resourceSignal = Get-AWSQuickStartResourceSignal -ErrorAction SilentlyContinue
- if ($resourceSignal) {
- Invoke-Expression "cfn-signal.exe -e 1 --stack '$($resourceSignal.Stack)' --resource '$($resourceSignal.Resource)' --region '$($resourceSignal.Region)'"
- } else {
- throw "No handle or stack/resource/region found in registry"
- }
- }
- }
- catch {
- Write-Verbose $_.Exception.Message
- }
- finally {
- Write-AWSQuickStartEvent -Message $errorMessage
- # throwing an exception to force cfn-init execution to stop
- throw $CmdSafeErrorMessage
- }
- }
-}
-
-function Write-AWSQuickStartStatus {
- [CmdletBinding()]
- Param()
-
- process {
- try {
- Write-Verbose "Checking error count"
- if((Get-AWSQuickStartErrorCount) -eq 0) {
- Write-Verbose "Getting Handle"
- $handle = Get-AWSQuickStartWaitHandle -ErrorAction SilentlyContinue
- if ($handle) {
- Invoke-Expression "cfn-signal.exe -e 0 '$handle'"
- } else {
- $resourceSignal = Get-AWSQuickStartResourceSignal -ErrorAction SilentlyContinue
- if ($resourceSignal) {
- Invoke-Expression "cfn-signal.exe -e 0 --stack '$($resourceSignal.Stack)' --resource '$($resourceSignal.Resource)' --region '$($resourceSignal.Region)'"
- } else {
- throw "No handle or stack/resource/region found in registry"
- }
- }
- }
- }
- catch {
- Write-Verbose $_.Exception.Message
- }
- }
-}
+function New-AWSQuickStartWaitHandle {
+ [CmdletBinding()]
+ Param(
+ [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
+ [string]
+ $Handle,
+
+ [Parameter(Mandatory=$false)]
+ [string]
+ $Path = 'HKLM:\SOFTWARE\AWSQuickStart\',
+
+ [Parameter(Mandatory=$false)]
+ [switch]
+ $Base64Handle
+ )
+
+ try {
+ $ErrorActionPreference = "Stop"
+
+ Write-Verbose "Creating $Path"
+ New-Item $Path -Force
+
+ if ($Base64Handle) {
+ Write-Verbose "Trying to decode handle Base64 string as UTF8 string"
+ $decodedHandle = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Handle))
+ if ($decodedHandle -notlike "http*") {
+ Write-Verbose "Now trying to decode handle Base64 string as Unicode string"
+ $decodedHandle = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($Handle))
+ }
+ Write-Verbose "Decoded handle string: $decodedHandle"
+ $Handle = $decodedHandle
+ }
+
+ Write-Verbose "Creating Handle Registry Key"
+ New-ItemProperty -Path $Path -Name Handle -Value $Handle -Force
+
+ Write-Verbose "Creating ErrorCount Registry Key"
+ New-ItemProperty -Path $Path -Name ErrorCount -Value 0 -PropertyType dword -Force
+ }
+ catch {
+ Write-Verbose $_.Exception.Message
+ }
+}
+
+function New-AWSQuickStartResourceSignal {
+ [CmdletBinding()]
+ Param(
+ [Parameter(Mandatory=$true)]
+ [string]
+ $Stack,
+
+ [Parameter(Mandatory=$true)]
+ [string]
+ $Resource,
+
+ [Parameter(Mandatory=$true)]
+ [string]
+ $Region,
+
+ [Parameter(Mandatory=$false)]
+ [string]
+ $Path = 'HKLM:\SOFTWARE\AWSQuickStart\'
+ )
+
+ try {
+ $ErrorActionPreference = "Stop"
+
+ Write-Verbose "Creating $Path"
+ New-Item $Path -Force
+
+ Write-Verbose "Creating Stack Registry Key"
+ New-ItemProperty -Path $Path -Name Stack -Value $Stack -Force
+
+ Write-Verbose "Creating Resource Registry Key"
+ New-ItemProperty -Path $Path -Name Resource -Value $Resource -Force
+
+ Write-Verbose "Creating Region Registry Key"
+ New-ItemProperty -Path $Path -Name Region -Value $Region -Force
+
+ Write-Verbose "Creating ErrorCount Registry Key"
+ New-ItemProperty -Path $Path -Name ErrorCount -Value 0 -PropertyType dword -Force
+ }
+ catch {
+ Write-Verbose $_.Exception.Message
+ }
+}
+
+
+function Get-AWSQuickStartErrorCount {
+ [CmdletBinding()]
+ Param(
+ [Parameter(Mandatory=$false)]
+ [string]
+ $Path = 'HKLM:\SOFTWARE\AWSQuickStart\'
+ )
+
+ process {
+ try {
+ Write-Verbose "Getting ErrorCount Registry Key"
+ Get-ItemProperty -Path $Path -Name ErrorCount -ErrorAction Stop | Select-Object -ExpandProperty ErrorCount
+ }
+ catch {
+ Write-Verbose $_.Exception.Message
+ }
+ }
+}
+
+function Set-AWSQuickStartErrorCount {
+ [CmdletBinding()]
+ Param(
+ [Parameter(Mandatory, ValueFromPipeline=$true)]
+ [int32]
+ $Count,
+
+ [Parameter(Mandatory=$false)]
+ [string]
+ $Path = 'HKLM:\SOFTWARE\AWSQuickStart\'
+ )
+
+ process {
+ try {
+ $currentCount = Get-AWSQuickStartErrorCount
+ $currentCount += $Count
+
+ Write-Verbose "Creating ErrorCount Registry Key"
+ Set-ItemProperty -Path $Path -Name ErrorCount -Value $currentCount -ErrorAction Stop
+ }
+ catch {
+ Write-Verbose $_.Exception.Message
+ }
+ }
+}
+
+function Get-AWSQuickStartWaitHandle {
+ [CmdletBinding()]
+ Param(
+ [Parameter(Mandatory=$false, ValueFromPipeline=$true)]
+ [string]
+ $Path = 'HKLM:\SOFTWARE\AWSQuickStart\'
+ )
+
+ process {
+ try {
+ $ErrorActionPreference = "Stop"
+
+ Write-Verbose "Getting Handle key value from $Path"
+ $key = Get-ItemProperty $Path
+
+ return $key.Handle
+ }
+ catch {
+ Write-Verbose $_.Exception.Message
+ }
+ }
+}
+
+function Get-AWSQuickStartResourceSignal {
+ [CmdletBinding()]
+ Param(
+ [Parameter(Mandatory=$false)]
+ [string]
+ $Path = 'HKLM:\SOFTWARE\AWSQuickStart\'
+ )
+
+ try {
+ $ErrorActionPreference = "Stop"
+
+ Write-Verbose "Getting Stack, Resource, and Region key values from $Path"
+ $key = Get-ItemProperty $Path
+ $resourceSignal = @{
+ Stack = $key.Stack
+ Resource = $key.Resource
+ Region = $key.Region
+ }
+ $toReturn = New-Object -TypeName PSObject -Property $resourceSignal
+
+ if ($toReturn.Stack -and $toReturn.Resource -and $toReturn.Region) {
+ return $toReturn
+ } else {
+ return $null
+ }
+ }
+ catch {
+ Write-Verbose $_.Exception.Message
+ }
+}
+
+function Remove-AWSQuickStartWaitHandle {
+ [CmdletBinding()]
+ Param(
+ [Parameter(Mandatory=$false, ValueFromPipeline=$true)]
+ [string]
+ $Path = 'HKLM:\SOFTWARE\AWSQuickStart\'
+ )
+
+ process {
+ try {
+ $ErrorActionPreference = "Stop"
+
+ Write-Verbose "Getting Handle key value from $Path"
+ $key = Get-ItemProperty -Path $Path -Name Handle -ErrorAction SilentlyContinue
+
+ if ($key) {
+ Write-Verbose "Removing Handle key value from $Path"
+ Remove-ItemProperty -Path $Path -Name Handle
+ }
+ }
+ catch {
+ Write-Verbose $_.Exception.Message
+ }
+ }
+}
+
+function Remove-AWSQuickStartResourceSignal {
+ [CmdletBinding()]
+ Param(
+ [Parameter(Mandatory=$false)]
+ [string]
+ $Path = 'HKLM:\SOFTWARE\AWSQuickStart\'
+ )
+
+ try {
+ $ErrorActionPreference = "Stop"
+
+ foreach ($keyName in @('Stack','Resource','Region')) {
+ Write-Verbose "Getting Stack, Resource, and Region key values from $Path"
+ $key = Get-ItemProperty -Path $Path -Name $keyName -ErrorAction SilentlyContinue
+
+ if ($key) {
+ Write-Verbose "Removing $keyName key value from $Path"
+ Remove-ItemProperty -Path $Path -Name $keyName
+ }
+ }
+ }
+ catch {
+ Write-Verbose $_.Exception.Message
+ }
+}
+
+function Write-AWSQuickStartEvent {
+ [CmdletBinding()]
+ Param(
+ [Parameter(Mandatory, ValueFromPipelineByPropertyName=$true)]
+ [string]
+ $Message,
+
+ [Parameter(Mandatory=$false)]
+ [string]
+ $EntryType = 'Error'
+ )
+
+ process {
+ Write-Verbose "Checking for AWSQuickStart Eventlog Source"
+ if(![System.Diagnostics.EventLog]::SourceExists('AWSQuickStart')) {
+ New-EventLog -LogName Application -Source AWSQuickStart -ErrorAction SilentlyContinue
+ }
+ else {
+ Write-Verbose "AWSQuickStart Eventlog Source exists"
+ }
+
+ Write-Verbose "Writing message to application log"
+
+ try {
+ Write-EventLog -LogName Application -Source AWSQuickStart -EntryType $EntryType -EventId 1001 -Message $Message
+ }
+ catch {
+ Write-Verbose $_.Exception.Message
+ }
+ }
+}
+
+function Write-AWSQuickStartException {
+ [CmdletBinding()]
+ Param(
+ [Parameter(Mandatory, ValueFromPipeline=$true)]
+ [System.Management.Automation.ErrorRecord]
+ $ErrorRecord
+ )
+
+ process {
+ try {
+ Write-Verbose "Incrementing error count"
+ Set-AWSQuickStartErrorCount -Count 1
+
+ Write-Verbose "Getting total error count"
+ $errorTotal = Get-AWSQuickStartErrorCount
+
+ $errorMessage = "Command failure in {0} {1} on line {2} `nException: {3}" -f $ErrorRecord.InvocationInfo.MyCommand.name,
+ $ErrorRecord.InvocationInfo.ScriptName, $ErrorRecord.InvocationInfo.ScriptLineNumber, $ErrorRecord.Exception.ToString()
+
+ $CmdSafeErrorMessage = $errorMessage -replace '[^a-zA-Z0-9\s\.\[\]\-,:_\\\/\(\)]', ''
+ if ($CmdSafeErrorMessage.length -gt 255) {
+ $CmdSafeErrorMessage = $CmdSafeErrorMessage.substring(0,252) + '...'
+ }
+
+ $handle = Get-AWSQuickStartWaitHandle -ErrorAction SilentlyContinue
+ if ($handle) {
+ Invoke-Expression "cfn-signal.exe -e 1 --reason='$CmdSafeErrorMessage' '$handle'"
+ } else {
+ $resourceSignal = Get-AWSQuickStartResourceSignal -ErrorAction SilentlyContinue
+ if ($resourceSignal) {
+ Invoke-Expression "cfn-signal.exe -e 1 --stack '$($resourceSignal.Stack)' --resource '$($resourceSignal.Resource)' --region '$($resourceSignal.Region)'"
+ } else {
+ throw "No handle or stack/resource/region found in registry"
+ }
+ }
+ }
+ catch {
+ Write-Verbose $_.Exception.Message
+ }
+ finally {
+ Write-AWSQuickStartEvent -Message $errorMessage
+ # throwing an exception to force cfn-init execution to stop
+ throw $CmdSafeErrorMessage
+ }
+ }
+}
+
+function Write-AWSQuickStartStatus {
+ [CmdletBinding()]
+ Param()
+
+ process {
+ try {
+ Write-Verbose "Checking error count"
+ if((Get-AWSQuickStartErrorCount) -eq 0) {
+ Write-Verbose "Getting Handle"
+ $handle = Get-AWSQuickStartWaitHandle -ErrorAction SilentlyContinue
+ if ($handle) {
+ Invoke-Expression "cfn-signal.exe -e 0 '$handle'"
+ } else {
+ $resourceSignal = Get-AWSQuickStartResourceSignal -ErrorAction SilentlyContinue
+ if ($resourceSignal) {
+ Invoke-Expression "cfn-signal.exe -e 0 --stack '$($resourceSignal.Stack)' --resource '$($resourceSignal.Resource)' --region '$($resourceSignal.Region)'"
+ } else {
+ throw "No handle or stack/resource/region found in registry"
+ }
+ }
+ }
+ }
+ catch {
+ Write-Verbose $_.Exception.Message
+ }
+ }
+}
diff --git a/reference-artifacts/scripts/Configure-password-policy.ps1 b/reference-artifacts/scripts/Configure-password-policy.ps1
index 00fe17639..fde472147 100644
--- a/reference-artifacts/scripts/Configure-password-policy.ps1
+++ b/reference-artifacts/scripts/Configure-password-policy.ps1
@@ -1,51 +1,51 @@
-[CmdletBinding()]
-param(
- [string]
- $DomainAdminUser,
-
- [string]
- $DomainAdminPassword,
-
- [Boolean]
- $ComplexityEnabled,
-
- [string]
- $LockoutDuration,
-
- [string]
- $LockoutObservationWindow,
-
- [string]
- $LockoutThreshold,
-
- [string]
- $MaxPasswordAge,
-
- [string]
- $MinPasswordAge,
-
- [string]
- $MinPasswordLength,
-
- [string]
- $PasswordHistoryCount,
-
- [Boolean]
- $ReversibleEncryptionEnabled
-)
-
-# Turned off logging;
-# Start-Transcript -Path C:\cfn\log\AD-connector-setup.txt
-
-#This part of the code gets the domain name and splits it
-$fdn=(Get-WmiObject Win32_ComputerSystem).Domain
-$dom,$ext=$fdn.split('.')
-
-$securePassword = ConvertTo-SecureString $DomainAdminPassword -AsPlainText -Force
-$credential = New-Object System.Management.Automation.PSCredential $DomainAdminUser, $securePassword
-
-#Configure passsord policy for all users
-Set-ADFineGrainedPasswordPolicy -Identity:"CN=CustomerPSO-01,CN=Password Settings Container,CN=System,DC=$dom,DC=$ext" -ComplexityEnabled:$ComplexityEnabled -MaxPasswordAge:$MaxPasswordAge -LockoutDuration:$LockoutDuration -LockoutObservationWindow:$LockoutObservationWindow -LockoutThreshold:$LockoutThreshold -MinPasswordAge:$MinPasswordAge -MinPasswordLength:$MinPasswordLength -PasswordHistoryCount:$PasswordHistoryCount -ReversibleEncryptionEnabled:$ReversibleEncryptionEnabled -Server:$fdn -Credential $credential
-
-#Create password policy subject
-Add-ADFineGrainedPasswordPolicySubject -Identity:"CN=CustomerPSO-01,CN=Password Settings Container,CN=System,DC=$dom,DC=$ext" -Server:$fdn -Subjects:"CN=Domain Users,CN=Users,DC=$dom,DC=$ext" -Credential $credential
+[CmdletBinding()]
+param(
+ [string]
+ $DomainAdminUser,
+
+ [string]
+ $DomainAdminPassword,
+
+ [Boolean]
+ $ComplexityEnabled,
+
+ [string]
+ $LockoutDuration,
+
+ [string]
+ $LockoutObservationWindow,
+
+ [string]
+ $LockoutThreshold,
+
+ [string]
+ $MaxPasswordAge,
+
+ [string]
+ $MinPasswordAge,
+
+ [string]
+ $MinPasswordLength,
+
+ [string]
+ $PasswordHistoryCount,
+
+ [Boolean]
+ $ReversibleEncryptionEnabled
+)
+
+# Turned off logging;
+# Start-Transcript -Path C:\cfn\log\AD-connector-setup.txt
+
+#This part of the code gets the domain name and splits it
+$fdn=(Get-WmiObject Win32_ComputerSystem).Domain
+$dom,$ext=$fdn.split('.')
+
+$securePassword = ConvertTo-SecureString $DomainAdminPassword -AsPlainText -Force
+$credential = New-Object System.Management.Automation.PSCredential $DomainAdminUser, $securePassword
+
+#Configure passsord policy for all users
+Set-ADFineGrainedPasswordPolicy -Identity:"CN=CustomerPSO-01,CN=Password Settings Container,CN=System,DC=$dom,DC=$ext" -ComplexityEnabled:$ComplexityEnabled -MaxPasswordAge:$MaxPasswordAge -LockoutDuration:$LockoutDuration -LockoutObservationWindow:$LockoutObservationWindow -LockoutThreshold:$LockoutThreshold -MinPasswordAge:$MinPasswordAge -MinPasswordLength:$MinPasswordLength -PasswordHistoryCount:$PasswordHistoryCount -ReversibleEncryptionEnabled:$ReversibleEncryptionEnabled -Server:$fdn -Credential $credential
+
+#Create password policy subject
+Add-ADFineGrainedPasswordPolicySubject -Identity:"CN=CustomerPSO-01,CN=Password Settings Container,CN=System,DC=$dom,DC=$ext" -Server:$fdn -Subjects:"CN=Domain Users,CN=Users,DC=$dom,DC=$ext" -Credential $credential
diff --git a/reference-artifacts/scripts/Initialize-RDGW.ps1 b/reference-artifacts/scripts/Initialize-RDGW.ps1
index e865b00ff..c7373dde3 100644
--- a/reference-artifacts/scripts/Initialize-RDGW.ps1
+++ b/reference-artifacts/scripts/Initialize-RDGW.ps1
@@ -1,68 +1,68 @@
-[CmdletBinding()]
-param (
- [Parameter(Mandatory=$true)]
- [string]$ServerFQDN,
-
- [Parameter(Mandatory=$true)]
- [string]$DomainNetBiosName,
-
- [Parameter(Mandatory=$true)]
- [string]$GroupName,
-
- [Parameter(Mandatory=$false)]
- [string]$KeyLength='2048'
-)
-
-try {
- $ErrorActionPreference = "Stop"
-
- Start-Transcript -Path c:\cfn\log\Initialize-RDGW.ps1.txt -Append
-
- Import-Module remotedesktopservices
-
- $name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
- $name.Encode("CN=$ServerFQDN", 0)
-
- $key = new-object -com "X509Enrollment.CX509PrivateKey.1"
- $key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
- $key.KeySpec = 1
- $key.Length = $KeyLength
- $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
- $key.MachineContext = 1
- $key.Create()
-
- $serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
- $serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
- $ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
- $ekuoids.add($serverauthoid)
- $ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
- $ekuext.InitializeEncode($ekuoids)
-
- $cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
- $cert.InitializeFromPrivateKey(2, $key, "")
- $cert.Subject = $name
- $cert.Issuer = $cert.Subject
- $cert.NotBefore = get-date
- $cert.NotAfter = $cert.NotBefore.AddDays(730)
- $cert.X509Extensions.Add($ekuext)
- $cert.Encode()
-
- $enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
- $enrollment.InitializeFromRequest($cert)
- $certdata = $enrollment.CreateRequest(0)
- $enrollment.InstallResponse(2, $certdata, 0, "")
-
- dir cert:\localmachine\my | ? { $_.Subject -eq "CN=$ServerFQDN" } | % { [system.IO.file]::WriteAllBytes("c:\$env:COMPUTERNAME.cer", ($_.Export('CERT', 'secret')) ) }
-
- new-item -path RDS:\GatewayServer\CAP -Name Default-CAP -UserGroups "$GroupName@$DomainNetBiosName" -AuthMethod 1
-
- new-item -Path RDS:\GatewayServer\RAP -Name Default-RAP -UserGroups "$GroupName@$DomainNetBiosName" -ComputerGroupType 2
-
- dir cert:\localmachine\my | where-object { $_.Subject -eq "CN=$ServerFQDN" } | ForEach-Object { Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $_.Thumbprint }
-
- Restart-Service tsgateway
-}
-catch {
- Write-Verbose "$($_.exception.message)@ $(Get-Date)"
- $_ | Write-AWSQuickStartException
-}
+[CmdletBinding()]
+param (
+ [Parameter(Mandatory=$true)]
+ [string]$ServerFQDN,
+
+ [Parameter(Mandatory=$true)]
+ [string]$DomainNetBiosName,
+
+ [Parameter(Mandatory=$true)]
+ [string]$GroupName,
+
+ [Parameter(Mandatory=$false)]
+ [string]$KeyLength='2048'
+)
+
+try {
+ $ErrorActionPreference = "Stop"
+
+ Start-Transcript -Path c:\cfn\log\Initialize-RDGW.ps1.txt -Append
+
+ Import-Module remotedesktopservices
+
+ $name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
+ $name.Encode("CN=$ServerFQDN", 0)
+
+ $key = new-object -com "X509Enrollment.CX509PrivateKey.1"
+ $key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
+ $key.KeySpec = 1
+ $key.Length = $KeyLength
+ $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
+ $key.MachineContext = 1
+ $key.Create()
+
+ $serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
+ $serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
+ $ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
+ $ekuoids.add($serverauthoid)
+ $ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
+ $ekuext.InitializeEncode($ekuoids)
+
+ $cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
+ $cert.InitializeFromPrivateKey(2, $key, "")
+ $cert.Subject = $name
+ $cert.Issuer = $cert.Subject
+ $cert.NotBefore = get-date
+ $cert.NotAfter = $cert.NotBefore.AddDays(730)
+ $cert.X509Extensions.Add($ekuext)
+ $cert.Encode()
+
+ $enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
+ $enrollment.InitializeFromRequest($cert)
+ $certdata = $enrollment.CreateRequest(0)
+ $enrollment.InstallResponse(2, $certdata, 0, "")
+
+ dir cert:\localmachine\my | ? { $_.Subject -eq "CN=$ServerFQDN" } | % { [system.IO.file]::WriteAllBytes("c:\$env:COMPUTERNAME.cer", ($_.Export('CERT', 'secret')) ) }
+
+ new-item -path RDS:\GatewayServer\CAP -Name Default-CAP -UserGroups "$GroupName@$DomainNetBiosName" -AuthMethod 1
+
+ new-item -Path RDS:\GatewayServer\RAP -Name Default-RAP -UserGroups "$GroupName@$DomainNetBiosName" -ComputerGroupType 2
+
+ dir cert:\localmachine\my | where-object { $_.Subject -eq "CN=$ServerFQDN" } | ForEach-Object { Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $_.Thumbprint }
+
+ Restart-Service tsgateway
+}
+catch {
+ Write-Verbose "$($_.exception.message)@ $(Get-Date)"
+ $_ | Write-AWSQuickStartException
+}
diff --git a/reference-artifacts/scripts/Join-Domain.ps1 b/reference-artifacts/scripts/Join-Domain.ps1
index 2f3581163..acdf6d8c8 100644
--- a/reference-artifacts/scripts/Join-Domain.ps1
+++ b/reference-artifacts/scripts/Join-Domain.ps1
@@ -1,29 +1,29 @@
-[CmdletBinding()]
-param(
- [string]
- $DomainName,
-
- [string]
- $UserName,
-
- [string]
- $Password
-)
-
-try {
- $ErrorActionPreference = "Stop"
-
- $pass = ConvertTo-SecureString $Password -AsPlainText -Force
- $cred = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName,$pass
-
- Add-Computer -DomainName $DomainName -Credential $cred -ErrorAction Stop
-
- # Execute restart after script exit and allow time for external services
- $shutdown = Start-Process -FilePath "shutdown.exe" -ArgumentList @("/r", "/t 10") -Wait -NoNewWindow -PassThru
- if ($shutdown.ExitCode -ne 0) {
- throw "[ERROR] shutdown.exe exit code was not 0. It was actually $($shutdown.ExitCode)."
- }
-}
-catch {
- $_ | Write-AWSQuickStartException
-}
+[CmdletBinding()]
+param(
+ [string]
+ $DomainName,
+
+ [string]
+ $UserName,
+
+ [string]
+ $Password
+)
+
+try {
+ $ErrorActionPreference = "Stop"
+
+ $pass = ConvertTo-SecureString $Password -AsPlainText -Force
+ $cred = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName,$pass
+
+ Add-Computer -DomainName $DomainName -Credential $cred -ErrorAction Stop
+
+ # Execute restart after script exit and allow time for external services
+ $shutdown = Start-Process -FilePath "shutdown.exe" -ArgumentList @("/r", "/t 10") -Wait -NoNewWindow -PassThru
+ if ($shutdown.ExitCode -ne 0) {
+ throw "[ERROR] shutdown.exe exit code was not 0. It was actually $($shutdown.ExitCode)."
+ }
+}
+catch {
+ $_ | Write-AWSQuickStartException
+}
diff --git a/src/core/cdk/cdk.json b/src/core/cdk/cdk.json
index 56b80f51e..61114a431 100644
--- a/src/core/cdk/cdk.json
+++ b/src/core/cdk/cdk.json
@@ -1,3 +1,3 @@
-{
- "app": "pnpx ts-node src/index.ts"
+{
+ "app": "pnpx ts-node src/index.ts"
}
\ No newline at end of file
diff --git a/src/core/cdk/cdk.sh b/src/core/cdk/cdk.sh
index 65ebf36ca..b8462e70a 100644
--- a/src/core/cdk/cdk.sh
+++ b/src/core/cdk/cdk.sh
@@ -1,10 +1,10 @@
-#!/bin/sh
-
-export ACCELERATOR_NAME="PBMM"
-export ACCELERATOR_PREFIX="PBMMAccel-"
-export ACCELERATOR_STATE_MACHINE_NAME="PBMMAccel-MainStateMachine_sm"
-
-# Make sure initial-setup-lambdas and all custom resources are built
-pnpm install
-
-pnpx cdk --require-approval never $@
+#!/bin/sh
+
+export ACCELERATOR_NAME="PBMM"
+export ACCELERATOR_PREFIX="PBMMAccel-"
+export ACCELERATOR_STATE_MACHINE_NAME="PBMMAccel-MainStateMachine_sm"
+
+# Make sure initial-setup-lambdas and all custom resources are built
+pnpm install
+
+pnpx cdk --require-approval never $@
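Review bot: `$@` is unquoted on the last line, so any argument containing whitespace or glob characters is re-split before reaching `cdk`; it should be `pnpx cdk --require-approval never "$@"`. Combined with `--require-approval never`, which disables CDK's prompt for IAM and security-group changes, this script applies whatever it is handed with no review step, so the deployment pipeline around it (not visible here) has to be the place where such changes are gated. `pnpm install` without `--frozen-lockfile` also lets the lockfile drift at deploy time; `pnpm install --frozen-lockfile` keeps the resolved dependency set reproducible for a deployment that runs with administrative credentials.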
diff --git a/src/core/cdk/src/assets/cfn-execution-role-master.template.json b/src/core/cdk/src/assets/cfn-execution-role-master.template.json
index af0edcf17..6038ffcba 100644
--- a/src/core/cdk/src/assets/cfn-execution-role-master.template.json
+++ b/src/core/cdk/src/assets/cfn-execution-role-master.template.json
@@ -1,109 +1,109 @@
-{
- "Resources": {
- "AWSCloudFormationStackSetExecutionRole46A74E25": {
- "Type": "AWS::IAM::Role",
- "Properties": {
- "AssumeRolePolicyDocument": {
- "Statement": [
- {
- "Action": "sts:AssumeRole",
- "Effect": "Allow",
- "Principal": {
- "AWS": {
- "Fn::Join": [
- "",
- [
- "arn:",
- {
- "Ref": "AWS::Partition"
- },
- ":iam::",
- {
- "Ref": "AWS::AccountId"
- },
- ":root"
- ]
- ]
- }
- }
- }
- ],
- "Version": "2012-10-17"
- },
- "ManagedPolicyArns": [
- {
- "Fn::Join": [
- "",
- [
- "arn:",
- {
- "Ref": "AWS::Partition"
- },
- ":iam::aws:policy/AdministratorAccess"
- ]
- ]
- }
- ],
- "RoleName": "AWSCloudFormationStackSetExecutionRole"
- },
- "Metadata": {
- "aws:cdk:path": "TestNewStack/AWSCloudFormationStackSetExecutionRole/Resource"
- }
- },
- "AWSCloudFormationStackSetAdministrationRole84528B57": {
- "Type": "AWS::IAM::Role",
- "Properties": {
- "AssumeRolePolicyDocument": {
- "Statement": [
- {
- "Action": "sts:AssumeRole",
- "Effect": "Allow",
- "Principal": {
- "Service": "cloudformation.amazonaws.com"
- }
- }
- ],
- "Version": "2012-10-17"
- },
- "RoleName": "AWSCloudFormationStackSetAdministrationRole"
- },
- "Metadata": {
- "aws:cdk:path": "TestNewStack/AWSCloudFormationStackSetAdministrationRole/Resource"
- }
- },
- "AWSCloudFormationStackSetExecutionRolePolicyDBA04E55": {
- "Type": "AWS::IAM::Policy",
- "Properties": {
- "PolicyDocument": {
- "Statement": [
- {
- "Action": "sts:AssumeRole",
- "Effect": "Allow",
- "Resource": {
- "Fn::Join": [
- "",
- [
- "arn:*:iam::*:role/",
- {
- "Ref": "AWSCloudFormationStackSetExecutionRole46A74E25"
- }
- ]
- ]
- }
- }
- ],
- "Version": "2012-10-17"
- },
- "PolicyName": "AWSCloudFormationStackSetExecutionRolePolicyDBA04E55",
- "Roles": [
- {
- "Ref": "AWSCloudFormationStackSetAdministrationRole84528B57"
- }
- ]
- },
- "Metadata": {
- "aws:cdk:path": "TestNewStack/AWSCloudFormationStackSetExecutionRolePolicy/Resource"
- }
- }
- }
+{
+ "Resources": {
+ "AWSCloudFormationStackSetExecutionRole46A74E25": {
+ "Type": "AWS::IAM::Role",
+ "Properties": {
+ "AssumeRolePolicyDocument": {
+ "Statement": [
+ {
+ "Action": "sts:AssumeRole",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": {
+ "Fn::Join": [
+ "",
+ [
+ "arn:",
+ {
+ "Ref": "AWS::Partition"
+ },
+ ":iam::",
+ {
+ "Ref": "AWS::AccountId"
+ },
+ ":root"
+ ]
+ ]
+ }
+ }
+ }
+ ],
+ "Version": "2012-10-17"
+ },
+ "ManagedPolicyArns": [
+ {
+ "Fn::Join": [
+ "",
+ [
+ "arn:",
+ {
+ "Ref": "AWS::Partition"
+ },
+ ":iam::aws:policy/AdministratorAccess"
+ ]
+ ]
+ }
+ ],
+ "RoleName": "AWSCloudFormationStackSetExecutionRole"
+ },
+ "Metadata": {
+ "aws:cdk:path": "TestNewStack/AWSCloudFormationStackSetExecutionRole/Resource"
+ }
+ },
+ "AWSCloudFormationStackSetAdministrationRole84528B57": {
+ "Type": "AWS::IAM::Role",
+ "Properties": {
+ "AssumeRolePolicyDocument": {
+ "Statement": [
+ {
+ "Action": "sts:AssumeRole",
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "cloudformation.amazonaws.com"
+ }
+ }
+ ],
+ "Version": "2012-10-17"
+ },
+ "RoleName": "AWSCloudFormationStackSetAdministrationRole"
+ },
+ "Metadata": {
+ "aws:cdk:path": "TestNewStack/AWSCloudFormationStackSetAdministrationRole/Resource"
+ }
+ },
+ "AWSCloudFormationStackSetExecutionRolePolicyDBA04E55": {
+ "Type": "AWS::IAM::Policy",
+ "Properties": {
+ "PolicyDocument": {
+ "Statement": [
+ {
+ "Action": "sts:AssumeRole",
+ "Effect": "Allow",
+ "Resource": {
+ "Fn::Join": [
+ "",
+ [
+ "arn:*:iam::*:role/",
+ {
+ "Ref": "AWSCloudFormationStackSetExecutionRole46A74E25"
+ }
+ ]
+ ]
+ }
+ }
+ ],
+ "Version": "2012-10-17"
+ },
+ "PolicyName": "AWSCloudFormationStackSetExecutionRolePolicyDBA04E55",
+ "Roles": [
+ {
+ "Ref": "AWSCloudFormationStackSetAdministrationRole84528B57"
+ }
+ ]
+ },
+ "Metadata": {
+ "aws:cdk:path": "TestNewStack/AWSCloudFormationStackSetExecutionRolePolicy/Resource"
+ }
+ }
+ }
}
\ No newline at end of file
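Review bot: `AWSCloudFormationStackSetExecutionRole` carries `AdministratorAccess` but its trust policy allows the whole account (`:root`), so any principal in the management account that can call `sts:AssumeRole` becomes an administrator, not just the StackSet administration role defined two resources below. Since both roles live in this same template, the trust can be narrowed to the administration role itself, e.g. `"Principal": { "AWS": { "Fn::GetAtt": ["AWSCloudFormationStackSetAdministrationRole84528B57", "Arn"] } }`, which introduces no dependency cycle because only the `AWS::IAM::Policy` resource references both roles. The administration role's policy resource `arn:*:iam::*:role/AWSCloudFormationStackSetExecutionRole` spans every partition and account; if the member accounts are all in one organization, an `aws:PrincipalOrgID`/`aws:ResourceOrgID` condition would bound it. This is a synthesized artifact (`aws:cdk:path` metadata), so the change belongs in the CDK construct that generates it rather than in this JSON.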
diff --git a/src/core/cdk/src/assets/execution-role.template.json b/src/core/cdk/src/assets/execution-role.template.json
index 874b604ed..32f9210e0 100644
--- a/src/core/cdk/src/assets/execution-role.template.json
+++ b/src/core/cdk/src/assets/execution-role.template.json
@@ -1,63 +1,63 @@
-{
- "Parameters": {
- "RoleName": {
- "Type": "String"
- },
- "MaxSessionDuration": {
- "Type": "Number"
- },
- "AssumedByRoleArn": {
- "Type": "CommaDelimitedList"
- }
- },
- "Resources": {
- "Role1ABCC5F0": {
- "Type": "AWS::IAM::Role",
- "Properties": {
- "AssumeRolePolicyDocument": {
- "Statement": [
- {
- "Action": "sts:AssumeRole",
- "Effect": "Allow",
- "Principal": {
- "AWS": {
- "Ref": "AssumedByRoleArn"
- }
- }
- }
- ],
- "Version": "2012-10-17"
- },
- "ManagedPolicyArns": [
- {
- "Fn::Join": [
- "",
- [
- "arn:",
- {
- "Ref": "AWS::Partition"
- },
- ":iam::aws:policy/AdministratorAccess"
- ]
- ]
- }
- ],
- "RoleName": {
- "Ref": "RoleName"
- },
- "MaxSessionDuration": {
- "Ref": "MaxSessionDuration"
- },
- "Tags": [
- {
- "Key": "Accelerator",
- "Value": "PBMM"
- }
- ]
- },
- "Metadata": {
- "aws:cdk:path": "AssumeRole/Role/Resource"
- }
- }
- }
+{
+ "Parameters": {
+ "RoleName": {
+ "Type": "String"
+ },
+ "MaxSessionDuration": {
+ "Type": "Number"
+ },
+ "AssumedByRoleArn": {
+ "Type": "CommaDelimitedList"
+ }
+ },
+ "Resources": {
+ "Role1ABCC5F0": {
+ "Type": "AWS::IAM::Role",
+ "Properties": {
+ "AssumeRolePolicyDocument": {
+ "Statement": [
+ {
+ "Action": "sts:AssumeRole",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": {
+ "Ref": "AssumedByRoleArn"
+ }
+ }
+ }
+ ],
+ "Version": "2012-10-17"
+ },
+ "ManagedPolicyArns": [
+ {
+ "Fn::Join": [
+ "",
+ [
+ "arn:",
+ {
+ "Ref": "AWS::Partition"
+ },
+ ":iam::aws:policy/AdministratorAccess"
+ ]
+ ]
+ }
+ ],
+ "RoleName": {
+ "Ref": "RoleName"
+ },
+ "MaxSessionDuration": {
+ "Ref": "MaxSessionDuration"
+ },
+ "Tags": [
+ {
+ "Key": "Accelerator",
+ "Value": "PBMM"
+ }
+ ]
+ },
+ "Metadata": {
+ "aws:cdk:path": "AssumeRole/Role/Resource"
+ }
+ }
+ }
}
\ No newline at end of file
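Review bot: The template attaches `AdministratorAccess` to a role whose trust principal comes straight from the `AssumedByRoleArn` parameter and whose `MaxSessionDuration` and `RoleName` parameters have no constraints, so a mistyped or overly broad parameter value turns into an unbounded administrative role with no validation at the template layer. The cheap check is to constrain the parameters: `"MaxSessionDuration": { "Type": "Number", "MinValue": 3600, "MaxValue": 43200 }` and an `AllowedPattern` on `RoleName` (e.g. `"^[\\w+=,.@-]{1,64}$"`), and to consider a permissions boundary on the role so that the administrator access it grants cannot be used to escalate beyond the accelerator's own policy. Whether the caller already validates `AssumedByRoleArn` is not visible from this file; if not, an `aws:PrincipalOrgID` condition on the trust statement would limit the blast radius of a wrong ARN.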
diff --git a/src/core/cdk/tsconfig.json b/src/core/cdk/tsconfig.json
index afeaba14e..ca8ff589d 100644
--- a/src/core/cdk/tsconfig.json
+++ b/src/core/cdk/tsconfig.json
@@ -1,17 +1,17 @@
-{
- "compilerOptions": {
- "strict": true,
- "outDir": "dist",
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "module": "commonjs",
- "moduleResolution": "node",
- "esModuleInterop": true,
- "noImplicitAny": true
- },
- "include": [
- "src/**/*"
- ]
-}
+{
+ "compilerOptions": {
+ "strict": true,
+ "outDir": "dist",
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "esModuleInterop": true,
+ "noImplicitAny": true
+ },
+ "include": [
+ "src/**/*"
+ ]
+}
diff --git a/src/core/runtime/package.json b/src/core/runtime/package.json
index 230897d9a..60a1b2dc5 100644
--- a/src/core/runtime/package.json
+++ b/src/core/runtime/package.json
@@ -1,64 +1,64 @@
-{
- "name": "@aws-accelerator/accelerator-runtime",
- "version": "0.0.1",
- "private": true,
- "scripts": {
- "build": "pnpx webpack-cli --config webpack.config.ts",
- "prepare": "pnpx webpack-cli --config webpack.config.ts",
- "test": "pnpx jest",
- "lint": "tslint --project tsconfig.json 'src/**/*.ts'"
- },
- "main": "dist/index.js",
- "devDependencies": {
- "@babel/core": "7.9.0",
- "@babel/plugin-proposal-class-properties": "7.8.3",
- "@babel/plugin-transform-typescript": "7.9.4",
- "@babel/preset-env": "7.9.0",
- "@babel/preset-typescript": "7.9.0",
- "@types/adm-zip": "0.4.32",
- "@types/aws-lambda": "8.10.46",
- "@types/cfn-response": "1.0.3",
- "@types/jest": "25.1.4",
- "@types/node": "12.12.6",
- "@types/webpack": "4.41.8",
- "babel-jest": "25.2.0",
- "babel-loader": "8.1.0",
- "fork-ts-checker-webpack-plugin": "4.1.1",
- "glob": "7.1.6",
- "jest": "25.2.4",
- "prettier": "1.19.1",
- "ts-jest": "25.3.0",
- "ts-node": "6.2.0",
- "tslint": "6.1.0",
- "tslint-config-prettier": "1.18.0",
- "tslint-config-standard": "9.0.0",
- "typescript": "3.8.3",
- "webpack": "4.42.1",
- "webpack-cli": "3.3.11",
- "@types/js-base64": "2.3.1",
- "js-base64": "2.5.2",
- "@types/js-yaml": "3.12.3",
- "js-yaml": "3.13.1"
- },
- "dependencies": {
- "@aws-accelerator/common": "workspace:^0.0.1",
- "@aws-accelerator/common-config": "workspace:^0.0.1",
- "@aws-accelerator/common-outputs": "workspace:^0.0.1",
- "adm-zip": "0.4.14",
- "aws-lambda": "1.0.5",
- "aws-sdk": "2.668.0",
- "cfn-response": "1.0.1",
- "generate-password": "1.5.1",
- "io-ts": "2.1.2",
- "original-fs": "1.1.0"
- },
- "jest": {
- "preset": "ts-jest",
- "testEnvironment": "node",
- "globals": {
- "ts-jest": {
- "isolatedModules": true
- }
- }
- }
-}
+{
+ "name": "@aws-accelerator/accelerator-runtime",
+ "version": "0.0.1",
+ "private": true,
+ "scripts": {
+ "build": "pnpx webpack-cli --config webpack.config.ts",
+ "prepare": "pnpx webpack-cli --config webpack.config.ts",
+ "test": "pnpx jest",
+ "lint": "tslint --project tsconfig.json 'src/**/*.ts'"
+ },
+ "main": "dist/index.js",
+ "devDependencies": {
+ "@babel/core": "7.9.0",
+ "@babel/plugin-proposal-class-properties": "7.8.3",
+ "@babel/plugin-transform-typescript": "7.9.4",
+ "@babel/preset-env": "7.9.0",
+ "@babel/preset-typescript": "7.9.0",
+ "@types/adm-zip": "0.4.32",
+ "@types/aws-lambda": "8.10.46",
+ "@types/cfn-response": "1.0.3",
+ "@types/jest": "25.1.4",
+ "@types/node": "12.12.6",
+ "@types/webpack": "4.41.8",
+ "babel-jest": "25.2.0",
+ "babel-loader": "8.1.0",
+ "fork-ts-checker-webpack-plugin": "4.1.1",
+ "glob": "7.1.6",
+ "jest": "25.2.4",
+ "prettier": "1.19.1",
+ "ts-jest": "25.3.0",
+ "ts-node": "6.2.0",
+ "tslint": "6.1.0",
+ "tslint-config-prettier": "1.18.0",
+ "tslint-config-standard": "9.0.0",
+ "typescript": "3.8.3",
+ "webpack": "4.42.1",
+ "webpack-cli": "3.3.11",
+ "@types/js-base64": "2.3.1",
+ "js-base64": "2.5.2",
+ "@types/js-yaml": "3.12.3",
+ "js-yaml": "3.13.1"
+ },
+ "dependencies": {
+ "@aws-accelerator/common": "workspace:^0.0.1",
+ "@aws-accelerator/common-config": "workspace:^0.0.1",
+ "@aws-accelerator/common-outputs": "workspace:^0.0.1",
+ "adm-zip": "0.4.14",
+ "aws-lambda": "1.0.5",
+ "aws-sdk": "2.668.0",
+ "cfn-response": "1.0.1",
+ "generate-password": "1.5.1",
+ "io-ts": "2.1.2",
+ "original-fs": "1.1.0"
+ },
+ "jest": {
+ "preset": "ts-jest",
+ "testEnvironment": "node",
+ "globals": {
+ "ts-jest": {
+ "isolatedModules": true
+ }
+ }
+ }
+}
diff --git a/src/core/runtime/tsconfig.json b/src/core/runtime/tsconfig.json
index afeaba14e..ca8ff589d 100644
--- a/src/core/runtime/tsconfig.json
+++ b/src/core/runtime/tsconfig.json
@@ -1,17 +1,17 @@
-{
- "compilerOptions": {
- "strict": true,
- "outDir": "dist",
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "module": "commonjs",
- "moduleResolution": "node",
- "esModuleInterop": true,
- "noImplicitAny": true
- },
- "include": [
- "src/**/*"
- ]
-}
+{
+ "compilerOptions": {
+ "strict": true,
+ "outDir": "dist",
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "esModuleInterop": true,
+ "noImplicitAny": true
+ },
+ "include": [
+ "src/**/*"
+ ]
+}
diff --git a/src/deployments/cdk/.gitignore b/src/deployments/cdk/.gitignore
index 728ffa459..1d20804b2 100644
--- a/src/deployments/cdk/.gitignore
+++ b/src/deployments/cdk/.gitignore
@@ -1,5 +1,5 @@
-accounts.json
-config.json
-context.json
-outputs.json
-limits.json
+accounts.json
+config.json
+context.json
+outputs.json
+limits.json
diff --git a/src/deployments/cdk/README.md b/src/deployments/cdk/README.md
index 57dbee3b4..ee3997444 100644
--- a/src/deployments/cdk/README.md
+++ b/src/deployments/cdk/README.md
@@ -1,124 +1,124 @@
-# PBMM Initial Setup Templates
-
-## Description
-
-This directory contains CDK code that is used to deploy stacks in the subaccounts.
-
-## Local Development
-
-Create a `config.json` file that is based on the `config.example.json` file in the `initial-setup/templates` directory.
-Make sure to adjust the `config.json` file so that the email address and names of the accounts are valid.
-
-Create an `accounts.json` file that contains the accounts and their IDs. It should look something like the following.
-
- [
- {
- "key": "master",
- "id": "687384172140"
- },
- {
- "key": "perimeter",
- "id": "258931004286"
- },
- {
- "key": "shared-network",
- "id": "007307298200"
- },
- {
- "key": "operations",
- "id": "278816265654"
- }
- ]
-
-The `key` should be the same as the key of the `mandatory-account-configs` accounts.
-
-Create an `outputs.json` file that contains the outputs from the different phases. You can get this output from the
-secrets manager as well after running the state machine. It should look something like the following.
-
- [
- {
- "accountKey": "shared-network",
- "outputKey": "CentralVpcOutput6FD59021",
- "outputValue": "{\"type\":\"VpcOutput\",\"value\":{\"vpcId\":\"vpc-042d9bbf06cf701e3\",\"vpcName\":\"Central\",\"subnets\":[{\"subnetId\":\"subnet-0f00e0435fdbe99dd\",\"subnetName\":\"TGW\",\"az\":\"a\"},{\"subnetId\":\"subnet-0ed2be03caac1d18c\",\"subnetName\":\"TGW\",\"az\":\"b\"},{\"subnetId\":\"subnet-0dc897e12131c8688\",\"subnetName\":\"Web\",\"az\":\"a\"},{\"subnetId\":\"subnet-07f5795ff5b6d4364\",\"subnetName\":\"Web\",\"az\":\"b\"},{\"subnetId\":\"subnet-0da2f121fb4bb3866\",\"subnetName\":\"App\",\"az\":\"a\"},{\"subnetId\":\"subnet-0728346c9747a6be1\",\"subnetName\":\"App\",\"az\":\"b\"},{\"subnetId\":\"subnet-0539b77df68386959\",\"subnetName\":\"Data\",\"az\":\"a\"},{\"subnetId\":\"subnet-0339e0fb436dabfc8\",\"subnetName\":\"Data\",\"az\":\"b\"},{\"subnetId\":\"subnet-05fe5de5de41e6b54\",\"subnetName\":\"Mgmt\",\"az\":\"a\"},{\"subnetId\":\"subnet-01fee06f6cf9409e7\",\"subnetName\":\"Mgmt\",\"az\":\"b\"},{\"subnetId\":\"subnet-069f1db9605991d27\",\"subnetName\":\"GCWide\",\"az\":\"a\"},{\"subnetId\":\"subnet-06a23fed48e159ae7\",\"subnetName\":\"GCWide\",\"az\":\"b\"}],\"routeTables\":{}}}"
- },
- {
- "accountKey": "shared-network",
- "outputKey": "CentralSharingOutputSharedResourcesAddTagsToResourcesOutput5AB5F081",
- "outputValue": "{\"type\":\"AddTagsToResources\",\"value\":[{\"resourceId\":\"subnet-069f1db9605991d27\",\"resourceType\":\"subnet\",\"sourceAccountId\":\"007307298200\",\"targetAccountIds\":[\"278816265654\"],\"tags\":[{\"key\":\"Accelerator\",\"value\":\"PBMM\"},{\"key\":\"Name\",\"value\":\"SubnetGcWideA_net\"}]},{\"resourceId\":\"subnet-06a23fed48e159ae7\",\"resourceType\":\"subnet\",\"sourceAccountId\":\"007307298200\",\"targetAccountIds\":[\"278816265654\"],\"tags\":[{\"key\":\"Accelerator\",\"value\":\"PBMM\"},{\"key\":\"Name\",\"value\":\"SubnetGcWideB_net\"}]}]}"
- },
- {
- "accountKey": "log-archive",
- "outputKey": "LogArchiveAccountId",
- "outputValue": "272091715658"
- },
- {
- "accountKey": "log-archive",
- "outputKey": "LogArchiveBucketArn",
- "outputValue": "arn:aws:s3:::pbmmaccel-272091715658-ca-central-1"
- },
- {
- "accountKey": "log-archive",
- "outputKey": "LogArchiveEncryptionKey",
- "outputValue": "arn:aws:kms:ca-central-1:272091715658:key/3a44c082-e1a4-4cb0-91d4-b0364beb8887"
- }
- ]
-
-Create a `context.json` file that contains the environment variables that are passed to CDK deploy by the CodeBuild
-project. You can find the `cfnDnsEndpointIpsLambdaArn` by deploying the Accelerator CDK project first. The file should
-look something like this.
-
- {
- "acceleratorName": "PBMM",
- "acceleratorPrefix": "PBMMAccel-",
- "acceleratorExecutionRoleName": "AcceleratorPipelineRole",
- "cfnDnsEndpointIpsLambdaArn": "arn:aws:lambda:ca-central-1:687384172140:function:PBMMAccel-InitialSetup-PipelineDnsEndpointIpPoller-R89LHX7APRJU"
- }
-
-Create a `limits.json` file that contains the AWS limits for all the resources defined in CDK. you can find this value
-from secrets manager in your master account.
-
- [
- {
- "accountKey": "shared-network",
- "limitKey": "Amazon VPC/VPCs per Region",
- "serviceCode": "vpc",
- "quotaCode": "L-F678F1CE",
- "value": 5
- },
- {
- "accountKey": "shared-network",
- "limitKey": "Amazon VPC/Interface VPC endpoints per VPC",
- "serviceCode": "vpc",
- "quotaCode": "L-29B6F2EB",
- "value": 50
- },
- {
- "accountKey": "shared-network",
- "limitKey": "AWS CloudFormation/Stack count",
- "serviceCode": "cloudformation",
- "quotaCode": "L-0485CB21",
- "value": 200
- },
- {
- "accountKey": "shared-network",
- "limitKey": "AWS CloudFormation/Stack sets per administrator account",
- "serviceCode": "cloudformation",
- "quotaCode": "L-31709F13",
- "value": 100
- },
- ]
-
-
-Now that we have created all the files, we can start testing the deployment.
-
-Run the following command to synthesize the CloudFormation template from CDK.
-
- ./cdk-synth.sh
-
-Run the following command to bootstrap the CDK in all the subaccounts.
-
- ./cdk-bootstrap.sh
-
-Run the following command to deploy the CDK in all the subaccounts.
-
- ./cdk-deploy.sh
+# PBMM Initial Setup Templates
+
+## Description
+
+This directory contains CDK code that is used to deploy stacks in the subaccounts.
+
+## Local Development
+
+Create a `config.json` file that is based on the `config.example.json` file in the `initial-setup/templates` directory.
+Make sure to adjust the `config.json` file so that the email address and names of the accounts are valid.
+
+Create an `accounts.json` file that contains the accounts and their IDs. It should look something like the following.
+
+ [
+ {
+ "key": "master",
+ "id": "687384172140"
+ },
+ {
+ "key": "perimeter",
+ "id": "258931004286"
+ },
+ {
+ "key": "shared-network",
+ "id": "007307298200"
+ },
+ {
+ "key": "operations",
+ "id": "278816265654"
+ }
+ ]
+
+The `key` should be the same as the key of the `mandatory-account-configs` accounts.
+
+Create an `outputs.json` file that contains the outputs from the different phases. You can get this output from the
+secrets manager as well after running the state machine. It should look something like the following.
+
+ [
+ {
+ "accountKey": "shared-network",
+ "outputKey": "CentralVpcOutput6FD59021",
+ "outputValue": "{\"type\":\"VpcOutput\",\"value\":{\"vpcId\":\"vpc-042d9bbf06cf701e3\",\"vpcName\":\"Central\",\"subnets\":[{\"subnetId\":\"subnet-0f00e0435fdbe99dd\",\"subnetName\":\"TGW\",\"az\":\"a\"},{\"subnetId\":\"subnet-0ed2be03caac1d18c\",\"subnetName\":\"TGW\",\"az\":\"b\"},{\"subnetId\":\"subnet-0dc897e12131c8688\",\"subnetName\":\"Web\",\"az\":\"a\"},{\"subnetId\":\"subnet-07f5795ff5b6d4364\",\"subnetName\":\"Web\",\"az\":\"b\"},{\"subnetId\":\"subnet-0da2f121fb4bb3866\",\"subnetName\":\"App\",\"az\":\"a\"},{\"subnetId\":\"subnet-0728346c9747a6be1\",\"subnetName\":\"App\",\"az\":\"b\"},{\"subnetId\":\"subnet-0539b77df68386959\",\"subnetName\":\"Data\",\"az\":\"a\"},{\"subnetId\":\"subnet-0339e0fb436dabfc8\",\"subnetName\":\"Data\",\"az\":\"b\"},{\"subnetId\":\"subnet-05fe5de5de41e6b54\",\"subnetName\":\"Mgmt\",\"az\":\"a\"},{\"subnetId\":\"subnet-01fee06f6cf9409e7\",\"subnetName\":\"Mgmt\",\"az\":\"b\"},{\"subnetId\":\"subnet-069f1db9605991d27\",\"subnetName\":\"GCWide\",\"az\":\"a\"},{\"subnetId\":\"subnet-06a23fed48e159ae7\",\"subnetName\":\"GCWide\",\"az\":\"b\"}],\"routeTables\":{}}}"
+ },
+ {
+ "accountKey": "shared-network",
+ "outputKey": "CentralSharingOutputSharedResourcesAddTagsToResourcesOutput5AB5F081",
+ "outputValue": "{\"type\":\"AddTagsToResources\",\"value\":[{\"resourceId\":\"subnet-069f1db9605991d27\",\"resourceType\":\"subnet\",\"sourceAccountId\":\"007307298200\",\"targetAccountIds\":[\"278816265654\"],\"tags\":[{\"key\":\"Accelerator\",\"value\":\"PBMM\"},{\"key\":\"Name\",\"value\":\"SubnetGcWideA_net\"}]},{\"resourceId\":\"subnet-06a23fed48e159ae7\",\"resourceType\":\"subnet\",\"sourceAccountId\":\"007307298200\",\"targetAccountIds\":[\"278816265654\"],\"tags\":[{\"key\":\"Accelerator\",\"value\":\"PBMM\"},{\"key\":\"Name\",\"value\":\"SubnetGcWideB_net\"}]}]}"
+ },
+ {
+ "accountKey": "log-archive",
+ "outputKey": "LogArchiveAccountId",
+ "outputValue": "272091715658"
+ },
+ {
+ "accountKey": "log-archive",
+ "outputKey": "LogArchiveBucketArn",
+ "outputValue": "arn:aws:s3:::pbmmaccel-272091715658-ca-central-1"
+ },
+ {
+ "accountKey": "log-archive",
+ "outputKey": "LogArchiveEncryptionKey",
+ "outputValue": "arn:aws:kms:ca-central-1:272091715658:key/3a44c082-e1a4-4cb0-91d4-b0364beb8887"
+ }
+ ]
+
+Create a `context.json` file that contains the environment variables that are passed to CDK deploy by the CodeBuild
+project. You can find the `cfnDnsEndpointIpsLambdaArn` by deploying the Accelerator CDK project first. The file should
+look something like this.
+
+ {
+ "acceleratorName": "PBMM",
+ "acceleratorPrefix": "PBMMAccel-",
+ "acceleratorExecutionRoleName": "AcceleratorPipelineRole",
+ "cfnDnsEndpointIpsLambdaArn": "arn:aws:lambda:ca-central-1:687384172140:function:PBMMAccel-InitialSetup-PipelineDnsEndpointIpPoller-R89LHX7APRJU"
+ }
+
+Create a `limits.json` file that contains the AWS limits for all the resources defined in CDK. you can find this value
+from secrets manager in your master account.
+
+ [
+ {
+ "accountKey": "shared-network",
+ "limitKey": "Amazon VPC/VPCs per Region",
+ "serviceCode": "vpc",
+ "quotaCode": "L-F678F1CE",
+ "value": 5
+ },
+ {
+ "accountKey": "shared-network",
+ "limitKey": "Amazon VPC/Interface VPC endpoints per VPC",
+ "serviceCode": "vpc",
+ "quotaCode": "L-29B6F2EB",
+ "value": 50
+ },
+ {
+ "accountKey": "shared-network",
+ "limitKey": "AWS CloudFormation/Stack count",
+ "serviceCode": "cloudformation",
+ "quotaCode": "L-0485CB21",
+ "value": 200
+ },
+ {
+ "accountKey": "shared-network",
+ "limitKey": "AWS CloudFormation/Stack sets per administrator account",
+ "serviceCode": "cloudformation",
+ "quotaCode": "L-31709F13",
+ "value": 100
+ },
+ ]
+
+
+Now that we have created all the files, we can start testing the deployment.
+
+Run the following command to synthesize the CloudFormation template from CDK.
+
+ ./cdk-synth.sh
+
+Run the following command to bootstrap the CDK in all the subaccounts.
+
+ ./cdk-bootstrap.sh
+
+Run the following command to deploy the CDK in all the subaccounts.
+
+ ./cdk-deploy.sh
diff --git a/src/deployments/cdk/cdk.sh b/src/deployments/cdk/cdk.sh
index 2c455fdd9..5f5f94fd7 100644
--- a/src/deployments/cdk/cdk.sh
+++ b/src/deployments/cdk/cdk.sh
@@ -1,6 +1,6 @@
-#!/bin/sh
-
-export CONFIG_MODE="development"
-export CDK_PLUGIN_ASSUME_ROLE_NAME="PBMMAccel-PipelineRole"
-
+#!/bin/sh
+
+export CONFIG_MODE="development"
+export CDK_PLUGIN_ASSUME_ROLE_NAME="PBMMAccel-PipelineRole"
+
pnpx ts-node --transpile-only cdk.ts $@
\ No newline at end of file
diff --git a/src/deployments/cdk/codebuild-deploy.sh b/src/deployments/cdk/codebuild-deploy.sh
index f43f9d0f4..56e2b3fd0 100644
--- a/src/deployments/cdk/codebuild-deploy.sh
+++ b/src/deployments/cdk/codebuild-deploy.sh
@@ -1,19 +1,19 @@
-#!/bin/sh
-
-if [ -z "${ACCELERATOR_PHASE}" ]; then
- echo "The environment variable ACCELERATOR_PHASE has to be set to the path of the app you want to deploy."
- exit 1
-else
- phase_arg="--phase=${ACCELERATOR_PHASE}"
-fi
-
-if [ -n "${ACCELERATOR_REGION}" ]; then
- region_arg="--region ${ACCELERATOR_REGION}"
-fi
-if [ -n "${ACCELERATOR_ACCOUNT_KEY}" ]; then
- account_arg="--account-key=${ACCELERATOR_ACCOUNT_KEY}"
-fi
-
-echo "Deploying phase $ACCELERATOR_PHASE..."
-
-pnpx ts-node --transpile-only cdk.ts bootstrap deploy --parallel ${phase_arg} ${region_arg} ${account_arg}
+#!/bin/sh
+
+if [ -z "${ACCELERATOR_PHASE}" ]; then
+ echo "The environment variable ACCELERATOR_PHASE has to be set to the path of the app you want to deploy."
+ exit 1
+else
+ phase_arg="--phase=${ACCELERATOR_PHASE}"
+fi
+
+if [ -n "${ACCELERATOR_REGION}" ]; then
+ region_arg="--region ${ACCELERATOR_REGION}"
+fi
+if [ -n "${ACCELERATOR_ACCOUNT_KEY}" ]; then
+ account_arg="--account-key=${ACCELERATOR_ACCOUNT_KEY}"
+fi
+
+echo "Deploying phase $ACCELERATOR_PHASE..."
+
+pnpx ts-node --transpile-only cdk.ts bootstrap deploy --parallel ${phase_arg} ${region_arg} ${account_arg}
diff --git a/src/deployments/cdk/package.json b/src/deployments/cdk/package.json
index ada9e202e..5db00e8d5 100644
--- a/src/deployments/cdk/package.json
+++ b/src/deployments/cdk/package.json
@@ -1,124 +1,124 @@
-{
- "name": "@aws-accelerator/deployments",
- "version": "0.0.1",
- "private": true,
- "scripts": {
- "build": "pnpx tsc --noEmit",
- "test": "pnpx jest",
- "lint": "tslint --project tsconfig.json 'src/**/*.ts'",
- "synth": "pnpx cdk synth"
- },
- "devDependencies": {
- "@aws-cdk/assert": "1.46.0",
- "@aws-cdk/cfnspec": "1.46.0",
- "@aws-cdk/cloud-assembly-schema": "1.46.0",
- "@aws-cdk/cx-api": "1.46.0",
- "@aws-accelerator/cdk-plugin-assume-role": "workspace:^0.0.1",
- "@aws-accelerator/deployments-runtime": "workspace:^0.0.1",
- "@types/jest": "25.1.4",
- "@types/mri": "^1.1.0",
- "@types/node": "12.12.6",
- "aws-cdk": "1.46.0",
- "babel-jest": "25.2.0",
- "jest": "25.2.4",
- "mri": "^1.1.5",
- "prettier": "1.19.1",
- "ts-jest": "25.3.0",
- "ts-node": "8.8.1",
- "tslint": "6.1.0",
- "tslint-config-prettier": "1.18.0",
- "tslint-config-standard": "9.0.0",
- "typescript": "3.8.3"
- },
- "dependencies": {
- "@aws-cdk/aws-accessanalyzer": "1.46.0",
- "@aws-cdk/aws-autoscaling": "1.46.0",
- "@aws-cdk/aws-budgets": "1.46.0",
- "@aws-cdk/aws-certificatemanager": "1.46.0",
- "@aws-cdk/aws-cloudformation": "1.46.0",
- "@aws-cdk/aws-config": "1.46.0",
- "@aws-cdk/aws-directoryservice": "1.46.0",
- "@aws-cdk/aws-ec2": "1.46.0",
- "@aws-cdk/aws-elasticloadbalancingv2": "1.46.0",
- "@aws-cdk/aws-guardduty": "1.46.0",
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/aws-kinesis": "1.46.0",
- "@aws-cdk/aws-kinesisfirehose": "1.46.0",
- "@aws-cdk/aws-kms": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0",
- "@aws-cdk/aws-logs": "1.46.0",
- "@aws-cdk/aws-ram": "1.46.0",
- "@aws-cdk/aws-route53": "1.46.0",
- "@aws-cdk/aws-route53-targets": "1.46.0",
- "@aws-cdk/aws-route53resolver": "1.46.0",
- "@aws-cdk/aws-s3": "1.46.0",
- "@aws-cdk/aws-s3-deployment": "1.46.0",
- "@aws-cdk/aws-secretsmanager": "1.46.0",
- "@aws-cdk/aws-securityhub": "1.46.0",
- "@aws-cdk/aws-sns": "1.46.0",
- "@aws-cdk/aws-ssm": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/custom-resources": "1.46.0",
- "@aws-cdk/aws-events": "1.46.0",
- "@aws-cdk/aws-stepfunctions": "1.46.0",
- "@aws-accelerator/cdk-accelerator": "workspace:^0.0.1",
- "@aws-accelerator/common": "workspace:^0.0.1",
- "@aws-accelerator/common-config": "workspace:^0.0.1",
- "@aws-accelerator/common-outputs": "workspace:^0.0.1",
- "@aws-accelerator/common-types": "workspace:^0.0.1",
- "@aws-accelerator/cdk-constructs": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-acm-import-certificate": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-cfn-sleep": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-cur-report-definition": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-cloud-trail": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-ds-log-subscription": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-ec2-ebs-default-encryption": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-ec2-image-finder": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-ec2-keypair": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-ec2-launch-time": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-ec2-marketplace-subscription-validation": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-ec2-vpn-attachment": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-ec2-vpn-tunnel-options": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-iam-create-role": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-iam-password-policy": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-kms-grant": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-logs-add-subscription-filter": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-logs-log-group": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-logs-resource-policy": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-organization": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-r53-dns-endpoint-ips": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-s3-copy-files": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-s3-public-access-block": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-s3-template": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-security-hub-accept-invites": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-security-hub-enable": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-security-hub-send-invites": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-macie-enable-admin": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-macie-create-member": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-macie-enable": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-macie-update-config": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-macie-update-session": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-macie-export-config": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-guardduty-get-detector": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-guardduty-enable-admin": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-guardduty-create-publish": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-guardduty-admin-setup": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-vpc-default-security-group": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-ssm-session-manager-document": "workspace:^0.0.1",
- "@types/cfn-response": "^1.0.3",
- "colors": "1.4.0",
- "constructs": "2.0.1",
- "generate-password": "1.5.1",
- "io-ts": "2.1.2",
- "io-ts-types": "0.5.6",
- "pascal-case": "^3.1.1",
- "tempy": "0.5.0"
- },
- "jest": {
- "preset": "ts-jest",
- "testEnvironment": "node",
- "testMatch": [
- "/test/**/(*.)+(spec|test).ts"
- ]
- }
-}
+{
+ "name": "@aws-accelerator/deployments",
+ "version": "0.0.1",
+ "private": true,
+ "scripts": {
+ "build": "pnpx tsc --noEmit",
+ "test": "pnpx jest",
+ "lint": "tslint --project tsconfig.json 'src/**/*.ts'",
+ "synth": "pnpx cdk synth"
+ },
+ "devDependencies": {
+ "@aws-cdk/assert": "1.46.0",
+ "@aws-cdk/cfnspec": "1.46.0",
+ "@aws-cdk/cloud-assembly-schema": "1.46.0",
+ "@aws-cdk/cx-api": "1.46.0",
+ "@aws-accelerator/cdk-plugin-assume-role": "workspace:^0.0.1",
+ "@aws-accelerator/deployments-runtime": "workspace:^0.0.1",
+ "@types/jest": "25.1.4",
+ "@types/mri": "^1.1.0",
+ "@types/node": "12.12.6",
+ "aws-cdk": "1.46.0",
+ "babel-jest": "25.2.0",
+ "jest": "25.2.4",
+ "mri": "^1.1.5",
+ "prettier": "1.19.1",
+ "ts-jest": "25.3.0",
+ "ts-node": "8.8.1",
+ "tslint": "6.1.0",
+ "tslint-config-prettier": "1.18.0",
+ "tslint-config-standard": "9.0.0",
+ "typescript": "3.8.3"
+ },
+ "dependencies": {
+ "@aws-cdk/aws-accessanalyzer": "1.46.0",
+ "@aws-cdk/aws-autoscaling": "1.46.0",
+ "@aws-cdk/aws-budgets": "1.46.0",
+ "@aws-cdk/aws-certificatemanager": "1.46.0",
+ "@aws-cdk/aws-cloudformation": "1.46.0",
+ "@aws-cdk/aws-config": "1.46.0",
+ "@aws-cdk/aws-directoryservice": "1.46.0",
+ "@aws-cdk/aws-ec2": "1.46.0",
+ "@aws-cdk/aws-elasticloadbalancingv2": "1.46.0",
+ "@aws-cdk/aws-guardduty": "1.46.0",
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/aws-kinesis": "1.46.0",
+ "@aws-cdk/aws-kinesisfirehose": "1.46.0",
+ "@aws-cdk/aws-kms": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0",
+ "@aws-cdk/aws-logs": "1.46.0",
+ "@aws-cdk/aws-ram": "1.46.0",
+ "@aws-cdk/aws-route53": "1.46.0",
+ "@aws-cdk/aws-route53-targets": "1.46.0",
+ "@aws-cdk/aws-route53resolver": "1.46.0",
+ "@aws-cdk/aws-s3": "1.46.0",
+ "@aws-cdk/aws-s3-deployment": "1.46.0",
+ "@aws-cdk/aws-secretsmanager": "1.46.0",
+ "@aws-cdk/aws-securityhub": "1.46.0",
+ "@aws-cdk/aws-sns": "1.46.0",
+ "@aws-cdk/aws-ssm": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/custom-resources": "1.46.0",
+ "@aws-cdk/aws-events": "1.46.0",
+ "@aws-cdk/aws-stepfunctions": "1.46.0",
+ "@aws-accelerator/cdk-accelerator": "workspace:^0.0.1",
+ "@aws-accelerator/common": "workspace:^0.0.1",
+ "@aws-accelerator/common-config": "workspace:^0.0.1",
+ "@aws-accelerator/common-outputs": "workspace:^0.0.1",
+ "@aws-accelerator/common-types": "workspace:^0.0.1",
+ "@aws-accelerator/cdk-constructs": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-acm-import-certificate": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-cfn-sleep": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-cur-report-definition": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-cloud-trail": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-ds-log-subscription": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-ec2-ebs-default-encryption": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-ec2-image-finder": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-ec2-keypair": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-ec2-launch-time": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-ec2-marketplace-subscription-validation": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-ec2-vpn-attachment": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-ec2-vpn-tunnel-options": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-iam-create-role": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-iam-password-policy": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-kms-grant": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-logs-add-subscription-filter": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-logs-log-group": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-logs-resource-policy": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-organization": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-r53-dns-endpoint-ips": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-s3-copy-files": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-s3-public-access-block": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-s3-template": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-security-hub-accept-invites": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-security-hub-enable": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-security-hub-send-invites": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-macie-enable-admin": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-macie-create-member": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-macie-enable": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-macie-update-config": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-macie-update-session": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-macie-export-config": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-guardduty-get-detector": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-guardduty-enable-admin": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-guardduty-create-publish": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-guardduty-admin-setup": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-vpc-default-security-group": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-ssm-session-manager-document": "workspace:^0.0.1",
+ "@types/cfn-response": "^1.0.3",
+ "colors": "1.4.0",
+ "constructs": "2.0.1",
+ "generate-password": "1.5.1",
+ "io-ts": "2.1.2",
+ "io-ts-types": "0.5.6",
+ "pascal-case": "^3.1.1",
+ "tempy": "0.5.0"
+ },
+ "jest": {
+ "preset": "ts-jest",
+ "testEnvironment": "node",
+ "testMatch": [
+ "/test/**/(*.)+(spec|test).ts"
+ ]
+ }
+}
diff --git a/src/deployments/cdk/src/deployments/alb/artifacts/internal-dev-alb-lambda.txt b/src/deployments/cdk/src/deployments/alb/artifacts/internal-dev-alb-lambda.txt
index f996db6d5..ce4917761 100644
--- a/src/deployments/cdk/src/deployments/alb/artifacts/internal-dev-alb-lambda.txt
+++ b/src/deployments/cdk/src/deployments/alb/artifacts/internal-dev-alb-lambda.txt
@@ -1,20 +1,20 @@
-
-exports.handler = async (event, context) => {
- var response;
- var accountArn = JSON.stringify(context.invokedFunctionArn);
- var accountId = JSON.parse(accountArn).split(':')[4];
- var acntId = accountId.slice(accountId.length - 4);
- //API Gateway - left for testing lambda
- response = {
- statusCode: 200,
- headers: { 'Content-Type': 'application/json' },
- body: JSON.stringify('Hello from - API Gateway: ***' + acntId),
- };
- // Function is invoked by ALB
- if (event.requestContext && event.requestContext.elb) {
- response.statusDescription = '200 OK';
- response.isBase64Encoded = false;
- response.body = 'Hello from: ***' + acntId;
- }
- return response;
-};
+
+exports.handler = async (event, context) => {
+ var response;
+ var accountArn = JSON.stringify(context.invokedFunctionArn);
+ var accountId = JSON.parse(accountArn).split(':')[4];
+ var acntId = accountId.slice(accountId.length - 4);
+ //API Gateway - left for testing lambda
+ response = {
+ statusCode: 200,
+ headers: { 'Content-Type': 'application/json' },
+ body: JSON.stringify('Hello from - API Gateway: ***' + acntId),
+ };
+ // Function is invoked by ALB
+ if (event.requestContext && event.requestContext.elb) {
+ response.statusDescription = '200 OK';
+ response.isBase64Encoded = false;
+ response.body = 'Hello from: ***' + acntId;
+ }
+ return response;
+};
diff --git a/src/deployments/cdk/src/deployments/alb/artifacts/internal-prod-alb-lambda.txt b/src/deployments/cdk/src/deployments/alb/artifacts/internal-prod-alb-lambda.txt
index f996db6d5..ce4917761 100644
--- a/src/deployments/cdk/src/deployments/alb/artifacts/internal-prod-alb-lambda.txt
+++ b/src/deployments/cdk/src/deployments/alb/artifacts/internal-prod-alb-lambda.txt
@@ -1,20 +1,20 @@
-
-exports.handler = async (event, context) => {
- var response;
- var accountArn = JSON.stringify(context.invokedFunctionArn);
- var accountId = JSON.parse(accountArn).split(':')[4];
- var acntId = accountId.slice(accountId.length - 4);
- //API Gateway - left for testing lambda
- response = {
- statusCode: 200,
- headers: { 'Content-Type': 'application/json' },
- body: JSON.stringify('Hello from - API Gateway: ***' + acntId),
- };
- // Function is invoked by ALB
- if (event.requestContext && event.requestContext.elb) {
- response.statusDescription = '200 OK';
- response.isBase64Encoded = false;
- response.body = 'Hello from: ***' + acntId;
- }
- return response;
-};
+
+exports.handler = async (event, context) => {
+ var response;
+ var accountArn = JSON.stringify(context.invokedFunctionArn);
+ var accountId = JSON.parse(accountArn).split(':')[4];
+ var acntId = accountId.slice(accountId.length - 4);
+ //API Gateway - left for testing lambda
+ response = {
+ statusCode: 200,
+ headers: { 'Content-Type': 'application/json' },
+ body: JSON.stringify('Hello from - API Gateway: ***' + acntId),
+ };
+ // Function is invoked by ALB
+ if (event.requestContext && event.requestContext.elb) {
+ response.statusDescription = '200 OK';
+ response.isBase64Encoded = false;
+ response.body = 'Hello from: ***' + acntId;
+ }
+ return response;
+};
diff --git a/src/deployments/cdk/src/deployments/alb/artifacts/internal-test-alb-lambda.txt b/src/deployments/cdk/src/deployments/alb/artifacts/internal-test-alb-lambda.txt
index f996db6d5..ce4917761 100644
--- a/src/deployments/cdk/src/deployments/alb/artifacts/internal-test-alb-lambda.txt
+++ b/src/deployments/cdk/src/deployments/alb/artifacts/internal-test-alb-lambda.txt
@@ -1,20 +1,20 @@
-
-exports.handler = async (event, context) => {
- var response;
- var accountArn = JSON.stringify(context.invokedFunctionArn);
- var accountId = JSON.parse(accountArn).split(':')[4];
- var acntId = accountId.slice(accountId.length - 4);
- //API Gateway - left for testing lambda
- response = {
- statusCode: 200,
- headers: { 'Content-Type': 'application/json' },
- body: JSON.stringify('Hello from - API Gateway: ***' + acntId),
- };
- // Function is invoked by ALB
- if (event.requestContext && event.requestContext.elb) {
- response.statusDescription = '200 OK';
- response.isBase64Encoded = false;
- response.body = 'Hello from: ***' + acntId;
- }
- return response;
-};
+
+exports.handler = async (event, context) => {
+ var response;
+ var accountArn = JSON.stringify(context.invokedFunctionArn);
+ var accountId = JSON.parse(accountArn).split(':')[4];
+ var acntId = accountId.slice(accountId.length - 4);
+ //API Gateway - left for testing lambda
+ response = {
+ statusCode: 200,
+ headers: { 'Content-Type': 'application/json' },
+ body: JSON.stringify('Hello from - API Gateway: ***' + acntId),
+ };
+ // Function is invoked by ALB
+ if (event.requestContext && event.requestContext.elb) {
+ response.statusDescription = '200 OK';
+ response.isBase64Encoded = false;
+ response.body = 'Hello from: ***' + acntId;
+ }
+ return response;
+};
diff --git a/src/deployments/cdk/test/apps/__snapshots__/unsupported-changed.spec.ts.snap b/src/deployments/cdk/test/apps/__snapshots__/unsupported-changed.spec.ts.snap
index f4bdd70d1..cc3586504 100644
--- a/src/deployments/cdk/test/apps/__snapshots__/unsupported-changed.spec.ts.snap
+++ b/src/deployments/cdk/test/apps/__snapshots__/unsupported-changed.spec.ts.snap
@@ -1,1938 +1,1938 @@
-// Jest Snapshot v1, https://goo.gl/fbAQLP
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: FunAcctPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: FunAcctPhase1 1`] = `
-Array [
- Object {
- "LogicalId": "DefaultSandboxBudgetF8FD6863",
- "Properties": Object {
- "NotificationsWithSubscribers": Array [
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 50,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 75,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 90,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 100,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- ],
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: FunAcctPhase1VpcStackSandboxA62C11F1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: FunAcctPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: FunAcctPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: LogArchivePhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: LogArchivePhase1 1`] = `
-Array [
- Object {
- "LogicalId": "DefaultCoreBudget2890563D",
- "Properties": Object {
- "NotificationsWithSubscribers": Array [
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 50,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 75,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 90,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 100,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- ],
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: LogArchivePhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: LogArchivePhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: MasterPhase0 1`] = `
-Array [
- Object {
- "LogicalId": "OrganizationBudgetD31584F9",
- "Properties": Object {
- "NotificationsWithSubscribers": Array [
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 50,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 75,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 90,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 100,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- ],
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: MasterPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: MasterPhase1VpcStackForSsoA3413A70 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: MasterPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: MasterPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: MasterPhase5UsEast1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: Mydevacct1Phase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: Mydevacct1Phase1 1`] = `
-Array [
- Object {
- "LogicalId": "DefaultDevBudgetEF9E2FE8",
- "Properties": Object {
- "NotificationsWithSubscribers": Array [
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 50,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 75,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 90,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 100,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- ],
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: Mydevacct1Phase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: Mydevacct1Phase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: OperationsPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: OperationsPhase1 1`] = `
-Array [
- Object {
- "LogicalId": "DefaultCoreBudget2890563D",
- "Properties": Object {
- "NotificationsWithSubscribers": Array [
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 50,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 75,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 90,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 100,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- ],
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: OperationsPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: OperationsPhase2SecurityGroupsCentralShared18DBF8A21 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: OperationsPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: OperationsPhase5 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: PerimeterPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: PerimeterPhase1 1`] = `
-Array [
- Object {
- "LogicalId": "PerimeterBudgetA01BBAF8",
- "Properties": Object {
- "NotificationsWithSubscribers": Array [
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 50,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 75,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 90,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 100,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- ],
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: PerimeterPhase1Endpoint02EC98C35 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: PerimeterPhase1VpcStackPerimeter0F2B12AF 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: PerimeterPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: PerimeterPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SecurityPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SecurityPhase1 1`] = `
-Array [
- Object {
- "LogicalId": "DefaultCoreBudget2890563D",
- "Properties": Object {
- "NotificationsWithSubscribers": Array [
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 50,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 75,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 90,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 100,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- ],
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SecurityPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SecurityPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase0UsEast1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1 1`] = `
-Array [
- Object {
- "LogicalId": "SharedNetworkBudget43476CAE",
- "Properties": Object {
- "NotificationsWithSubscribers": Array [
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 50,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 75,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 90,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 100,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- ],
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1Endpoint20AE19710 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1VpcStackEndpointF8AAED62 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1VpcStackProd407EC8DE 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1VpcStackTestB1AC84C0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1VpcStackUnClassCF91DDF7 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase4 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedServicesPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedServicesPhase1 1`] = `
-Array [
- Object {
- "LogicalId": "DefaultCoreBudget2890563D",
- "Properties": Object {
- "NotificationsWithSubscribers": Array [
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 50,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 75,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 90,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- Object {
- "Notification": Object {
- "ComparisonOperator": "GREATER_THAN",
- "NotificationType": "ACTUAL",
- "Threshold": 100,
- "ThresholdType": "PERCENTAGE",
- },
- "Subscribers": Array [
- Object {
- "Address": "myemail+pbmmT-budg@example.com",
- "SubscriptionType": "EMAIL",
- },
- ],
- },
- ],
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedServicesPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedServicesPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: FunAcctPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: FunAcctPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: FunAcctPhase1VpcStackSandboxA62C11F1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: FunAcctPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: FunAcctPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: LogArchivePhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: LogArchivePhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: LogArchivePhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: LogArchivePhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: MasterPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: MasterPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: MasterPhase1VpcStackForSsoA3413A70 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: MasterPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: MasterPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: MasterPhase5UsEast1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: Mydevacct1Phase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: Mydevacct1Phase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: Mydevacct1Phase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: Mydevacct1Phase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: OperationsPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: OperationsPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: OperationsPhase2 1`] = `
-Array [
- Object {
- "LogicalId": "MicrosoftADMicrosoftADFC7F6466",
- "Properties": Object {
- "CreateAlias": undefined,
- "Edition": "Enterprise",
- "Name": "example.local",
- "Password": Object {
- "Fn::Join": Array [
- "",
- Array [
- "{{resolve:secretsmanager:arn:",
- Object {
- "Ref": "AWS::Partition",
- },
- ":secretsmanager:",
- Object {
- "Ref": "AWS::Region",
- },
- ":111111111111:secret:PBMMAccel/operations/mad/password:SecretString:::}}",
- ],
- ],
- },
- "ShortName": "example",
- "VpcSettings": Object {
- "SubnetIds": Array [
- "subnet-02809ab1988c1ec82",
- "subnet-0f4514137baa07759",
- ],
- "VpcId": "vpc-0d0b4cd029857165a",
- },
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: OperationsPhase2SecurityGroupsCentralShared18DBF8A21 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: OperationsPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: OperationsPhase5 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: PerimeterPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: PerimeterPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: PerimeterPhase1Endpoint02EC98C35 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: PerimeterPhase1VpcStackPerimeter0F2B12AF 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: PerimeterPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: PerimeterPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SecurityPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SecurityPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SecurityPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SecurityPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase0UsEast1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1Endpoint20AE19710 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1VpcStackEndpointF8AAED62 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1VpcStackProd407EC8DE 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1VpcStackTestB1AC84C0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1VpcStackUnClassCF91DDF7 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase4 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedServicesPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedServicesPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedServicesPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedServicesPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: FunAcctPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: FunAcctPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: FunAcctPhase1VpcStackSandboxA62C11F1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: FunAcctPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: FunAcctPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: LogArchivePhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: LogArchivePhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: LogArchivePhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: LogArchivePhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: MasterPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: MasterPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: MasterPhase1VpcStackForSsoA3413A70 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: MasterPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: MasterPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: MasterPhase5UsEast1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: Mydevacct1Phase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: Mydevacct1Phase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: Mydevacct1Phase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: Mydevacct1Phase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: OperationsPhase0 1`] = `
-Array [
- Object {
- "LogicalId": "Ec2InstanceAwoperations",
- "Properties": Object {
- "AvailabilityZone": undefined,
- "CpuOptions": undefined,
- "ElasticGpuSpecifications": undefined,
- "ElasticInferenceAccelerators": undefined,
- "HibernationOptions": undefined,
- "HostResourceGroupArn": undefined,
- "ImageId": Object {
- "Ref": "SsmParameterValueawsserviceamiamazonlinuxlatestamznamihvmx8664gp2C96584B6F00A464EAD1953AFF4B05118Parameter",
- },
- "Ipv6AddressCount": undefined,
- "Ipv6Addresses": undefined,
- "KeyName": undefined,
- "LaunchTemplate": undefined,
- "LicenseSpecifications": undefined,
- "NetworkInterfaces": undefined,
- "PlacementGroupName": undefined,
- "PrivateIpAddress": undefined,
- "SecurityGroups": undefined,
- "SubnetId": Object {
- "Ref": "SubnetAwoperations",
- },
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: OperationsPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: OperationsPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: OperationsPhase2SecurityGroupsCentralShared18DBF8A21 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: OperationsPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: OperationsPhase5 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: PerimeterPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: PerimeterPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: PerimeterPhase1Endpoint02EC98C35 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: PerimeterPhase1VpcStackPerimeter0F2B12AF 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: PerimeterPhase2 1`] = `
-Array [
- Object {
- "LogicalId": "FirewallFirewallInstance0D5D1EA8B",
- "Properties": Object {
- "AvailabilityZone": undefined,
- "CpuOptions": undefined,
- "ElasticGpuSpecifications": undefined,
- "ElasticInferenceAccelerators": undefined,
- "HibernationOptions": undefined,
- "HostResourceGroupArn": undefined,
- "ImageId": "ami-047aac44951feb9fb",
- "Ipv6AddressCount": undefined,
- "Ipv6Addresses": undefined,
- "KeyName": undefined,
- "LaunchTemplate": undefined,
- "LicenseSpecifications": undefined,
- "NetworkInterfaces": Array [
- Object {
- "DeviceIndex": "0",
- "NetworkInterfaceId": Object {
- "Ref": "FirewallFirewallInstance0Eni0AC5E4581",
- },
- },
- Object {
- "DeviceIndex": "1",
- "NetworkInterfaceId": Object {
- "Ref": "FirewallFirewallInstance0Eni1E1DD159B",
- },
- },
- Object {
- "DeviceIndex": "2",
- "NetworkInterfaceId": Object {
- "Ref": "FirewallFirewallInstance0Eni27735B38E",
- },
- },
- Object {
- "DeviceIndex": "3",
- "NetworkInterfaceId": Object {
- "Ref": "FirewallFirewallInstance0Eni37CB730B6",
- },
- },
- ],
- "PlacementGroupName": undefined,
- "PrivateIpAddress": undefined,
- "SecurityGroups": undefined,
- "SubnetId": undefined,
- },
- },
- Object {
- "LogicalId": "FirewallFirewallInstance108D4AC89",
- "Properties": Object {
- "AvailabilityZone": undefined,
- "CpuOptions": undefined,
- "ElasticGpuSpecifications": undefined,
- "ElasticInferenceAccelerators": undefined,
- "HibernationOptions": undefined,
- "HostResourceGroupArn": undefined,
- "ImageId": "ami-047aac44951feb9fb",
- "Ipv6AddressCount": undefined,
- "Ipv6Addresses": undefined,
- "KeyName": undefined,
- "LaunchTemplate": undefined,
- "LicenseSpecifications": undefined,
- "NetworkInterfaces": Array [
- Object {
- "DeviceIndex": "0",
- "NetworkInterfaceId": Object {
- "Ref": "FirewallFirewallInstance1Eni0F306CFC9",
- },
- },
- Object {
- "DeviceIndex": "1",
- "NetworkInterfaceId": Object {
- "Ref": "FirewallFirewallInstance1Eni15EB9994D",
- },
- },
- Object {
- "DeviceIndex": "2",
- "NetworkInterfaceId": Object {
- "Ref": "FirewallFirewallInstance1Eni2DEDA30B5",
- },
- },
- Object {
- "DeviceIndex": "3",
- "NetworkInterfaceId": Object {
- "Ref": "FirewallFirewallInstance1Eni34E595DAC",
- },
- },
- ],
- "PlacementGroupName": undefined,
- "PrivateIpAddress": undefined,
- "SecurityGroups": undefined,
- "SubnetId": undefined,
- },
- },
- Object {
- "LogicalId": "FirewallManagerCCB568C3",
- "Properties": Object {
- "AvailabilityZone": undefined,
- "CpuOptions": undefined,
- "ElasticGpuSpecifications": undefined,
- "ElasticInferenceAccelerators": undefined,
- "HibernationOptions": undefined,
- "HostResourceGroupArn": undefined,
- "ImageId": "ami-06fa2a9e6f8fae9f2",
- "Ipv6AddressCount": undefined,
- "Ipv6Addresses": undefined,
- "KeyName": undefined,
- "LaunchTemplate": undefined,
- "LicenseSpecifications": undefined,
- "NetworkInterfaces": Array [
- Object {
- "DeviceIndex": "0",
- "NetworkInterfaceId": Object {
- "Ref": "FirewallManagerEni044173916",
- },
- },
- ],
- "PlacementGroupName": undefined,
- "PrivateIpAddress": undefined,
- "SecurityGroups": undefined,
- "SubnetId": undefined,
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: PerimeterPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SecurityPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SecurityPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SecurityPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SecurityPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase0UsEast1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1Endpoint20AE19710 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1VpcStackEndpointF8AAED62 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1VpcStackProd407EC8DE 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1VpcStackTestB1AC84C0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1VpcStackUnClassCF91DDF7 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase4 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedServicesPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedServicesPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedServicesPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedServicesPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: FunAcctPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: FunAcctPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: FunAcctPhase1VpcStackSandboxA62C11F1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: FunAcctPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: FunAcctPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: LogArchivePhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: LogArchivePhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: LogArchivePhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: LogArchivePhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: MasterPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: MasterPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: MasterPhase1VpcStackForSsoA3413A70 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: MasterPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: MasterPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: MasterPhase5UsEast1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: Mydevacct1Phase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: Mydevacct1Phase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: Mydevacct1Phase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: Mydevacct1Phase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: OperationsPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: OperationsPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: OperationsPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: OperationsPhase2SecurityGroupsCentralShared18DBF8A21 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: OperationsPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: OperationsPhase5 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: PerimeterPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: PerimeterPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: PerimeterPhase1Endpoint02EC98C35 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: PerimeterPhase1VpcStackPerimeter0F2B12AF 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: PerimeterPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: PerimeterPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SecurityPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SecurityPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SecurityPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SecurityPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase0 1`] = `
-Array [
- Object {
- "LogicalId": "TgwMain627BB489",
- "Properties": Object {
- "AmazonSideAsn": 65521,
- "AutoAcceptSharedAttachments": "enable",
- "DefaultRouteTableAssociation": "disable",
- "DefaultRouteTablePropagation": "disable",
- "Description": undefined,
- "DnsSupport": "enable",
- "Tags": Array [
- Object {
- "Key": "Accelerator",
- "Value": "PBMM",
- },
- Object {
- "Key": "Name",
- "Value": "Main_tgw",
- },
- ],
- "VpnEcmpSupport": "enable",
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase0UsEast1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1Endpoint20AE19710 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1VpcStackEndpointF8AAED62 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1VpcStackProd407EC8DE 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1VpcStackTestB1AC84C0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1VpcStackUnClassCF91DDF7 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase4 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedServicesPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedServicesPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedServicesPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedServicesPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: FunAcctPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: FunAcctPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: FunAcctPhase1VpcStackSandboxA62C11F1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: FunAcctPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: FunAcctPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: LogArchivePhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: LogArchivePhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: LogArchivePhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: LogArchivePhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: MasterPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: MasterPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: MasterPhase1VpcStackForSsoA3413A70 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: MasterPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: MasterPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: MasterPhase5UsEast1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: Mydevacct1Phase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: Mydevacct1Phase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: Mydevacct1Phase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: Mydevacct1Phase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: OperationsPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: OperationsPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: OperationsPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: OperationsPhase2SecurityGroupsCentralShared18DBF8A21 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: OperationsPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: OperationsPhase5 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: PerimeterPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: PerimeterPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: PerimeterPhase1Endpoint02EC98C35 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: PerimeterPhase1VpcStackPerimeter0F2B12AF 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: PerimeterPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: PerimeterPhase3 1`] = `
-Array [
- Object {
- "LogicalId": "AlbPublicProdAlbD5FCEFC4",
- "Properties": Object {
- "Name": "Public-Prod-perimeter-alb",
- "Scheme": "internet-facing",
- "SubnetMappings": undefined,
- "Type": undefined,
- },
- },
- Object {
- "LogicalId": "AlbPublicDevTestAlb891C6ABC",
- "Properties": Object {
- "Name": "Public-DevTest-perimeter-alb",
- "Scheme": "internet-facing",
- "SubnetMappings": undefined,
- "Type": undefined,
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SecurityPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SecurityPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SecurityPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SecurityPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase0UsEast1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1Endpoint20AE19710 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1VpcStackEndpointF8AAED62 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1VpcStackProd407EC8DE 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1VpcStackTestB1AC84C0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1VpcStackUnClassCF91DDF7 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase4 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedServicesPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedServicesPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedServicesPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedServicesPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: FunAcctPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: FunAcctPhase1 1`] = `
-Array [
- Object {
- "LogicalId": "cacentral1",
- "Properties": Object {
- "BucketName": undefined,
- "ObjectLockEnabled": undefined,
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: FunAcctPhase1VpcStackSandboxA62C11F1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: FunAcctPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: FunAcctPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: LogArchivePhase0 1`] = `
-Array [
- Object {
- "LogicalId": "cacentral1",
- "Properties": Object {
- "BucketName": undefined,
- "ObjectLockEnabled": undefined,
- },
- },
- Object {
- "LogicalId": "aescacentral1",
- "Properties": Object {
- "BucketName": undefined,
- "ObjectLockEnabled": undefined,
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: LogArchivePhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: LogArchivePhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: LogArchivePhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: MasterPhase0 1`] = `
-Array [
- Object {
- "LogicalId": "configcacentral1",
- "Properties": Object {
- "BucketName": undefined,
- "ObjectLockEnabled": undefined,
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: MasterPhase1 1`] = `
-Array [
- Object {
- "LogicalId": "cacentral1",
- "Properties": Object {
- "BucketName": undefined,
- "ObjectLockEnabled": undefined,
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: MasterPhase1VpcStackForSsoA3413A70 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: MasterPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: MasterPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: MasterPhase5UsEast1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: Mydevacct1Phase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: Mydevacct1Phase1 1`] = `
-Array [
- Object {
- "LogicalId": "cacentral1",
- "Properties": Object {
- "BucketName": undefined,
- "ObjectLockEnabled": undefined,
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: Mydevacct1Phase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: Mydevacct1Phase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: OperationsPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: OperationsPhase1 1`] = `
-Array [
- Object {
- "LogicalId": "cacentral1",
- "Properties": Object {
- "BucketName": undefined,
- "ObjectLockEnabled": undefined,
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: OperationsPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: OperationsPhase2SecurityGroupsCentralShared18DBF8A21 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: OperationsPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: OperationsPhase5 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: PerimeterPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: PerimeterPhase1 1`] = `
-Array [
- Object {
- "LogicalId": "cacentral1",
- "Properties": Object {
- "BucketName": undefined,
- "ObjectLockEnabled": undefined,
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: PerimeterPhase1Endpoint02EC98C35 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: PerimeterPhase1VpcStackPerimeter0F2B12AF 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: PerimeterPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: PerimeterPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SecurityPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SecurityPhase1 1`] = `
-Array [
- Object {
- "LogicalId": "cacentral1",
- "Properties": Object {
- "BucketName": undefined,
- "ObjectLockEnabled": undefined,
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SecurityPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SecurityPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase0UsEast1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1 1`] = `
-Array [
- Object {
- "LogicalId": "cacentral1",
- "Properties": Object {
- "BucketName": undefined,
- "ObjectLockEnabled": undefined,
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1Endpoint20AE19710 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1VpcStackEndpointF8AAED62 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1VpcStackProd407EC8DE 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1VpcStackTestB1AC84C0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1VpcStackUnClassCF91DDF7 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase4 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedServicesPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedServicesPhase1 1`] = `
-Array [
- Object {
- "LogicalId": "cacentral1",
- "Properties": Object {
- "BucketName": undefined,
- "ObjectLockEnabled": undefined,
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedServicesPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedServicesPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: FunAcctPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: FunAcctPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: FunAcctPhase1VpcStackSandboxA62C11F1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: FunAcctPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: FunAcctPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: LogArchivePhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: LogArchivePhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: LogArchivePhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: LogArchivePhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: MasterPhase0 1`] = `
-Array [
- Object {
- "LogicalId": "SecretsbgUser1UserPswdPolicyC9835C06",
- "Properties": Object {
- "SecretId": Object {
- "Ref": "SecretsbgUser1UserPswdF10CD199",
- },
- },
- },
- Object {
- "LogicalId": "SecretsbgUser2UserPswdPolicy2131F530",
- "Properties": Object {
- "SecretId": Object {
- "Ref": "SecretsbgUser2UserPswd08D94AA3",
- },
- },
- },
- Object {
- "LogicalId": "SecretsOpsUser1UserPswdPolicy903155AD",
- "Properties": Object {
- "SecretId": Object {
- "Ref": "SecretsOpsUser1UserPswdD5EAD264",
- },
- },
- },
- Object {
- "LogicalId": "SecretsOpsUser2UserPswdPolicyAD9B103E",
- "Properties": Object {
- "SecretId": Object {
- "Ref": "SecretsOpsUser2UserPswdD05A1573",
- },
- },
- },
- Object {
- "LogicalId": "SecretsMadPasswordPolicy73965873",
- "Properties": Object {
- "SecretId": Object {
- "Ref": "SecretsMadPassword5CC78627",
- },
- },
- },
- Object {
- "LogicalId": "SecretsMadPasswordadconnectorusrPolicy889AF319",
- "Properties": Object {
- "SecretId": Object {
- "Ref": "SecretsMadPasswordadconnectorusrB8347327",
- },
- },
- },
- Object {
- "LogicalId": "SecretsMadPasswordUser1Policy18726F39",
- "Properties": Object {
- "SecretId": Object {
- "Ref": "SecretsMadPasswordUser1291E3AF7",
- },
- },
- },
- Object {
- "LogicalId": "SecretsMadPasswordUser2PolicyEC783CD1",
- "Properties": Object {
- "SecretId": Object {
- "Ref": "SecretsMadPasswordUser29026EDF3",
- },
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: MasterPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: MasterPhase1VpcStackForSsoA3413A70 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: MasterPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: MasterPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: MasterPhase5UsEast1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: Mydevacct1Phase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: Mydevacct1Phase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: Mydevacct1Phase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: Mydevacct1Phase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: OperationsPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: OperationsPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: OperationsPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: OperationsPhase2SecurityGroupsCentralShared18DBF8A21 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: OperationsPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: OperationsPhase5 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: PerimeterPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: PerimeterPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: PerimeterPhase1Endpoint02EC98C35 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: PerimeterPhase1VpcStackPerimeter0F2B12AF 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: PerimeterPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: PerimeterPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SecurityPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SecurityPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SecurityPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SecurityPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase0UsEast1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1Endpoint20AE19710 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1VpcStackEndpointF8AAED62 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1VpcStackProd407EC8DE 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1VpcStackTestB1AC84C0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1VpcStackUnClassCF91DDF7 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase4 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedServicesPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedServicesPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedServicesPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedServicesPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: FunAcctPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: FunAcctPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: FunAcctPhase1VpcStackSandboxA62C11F1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: FunAcctPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: FunAcctPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: LogArchivePhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: LogArchivePhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: LogArchivePhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: LogArchivePhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: MasterPhase0 1`] = `
-Array [
- Object {
- "LogicalId": "SecretsbgUser1UserPswdF10CD199",
- "Properties": Object {
- "Name": "PBMMAccel/master/user/password/bgUser1",
- },
- },
- Object {
- "LogicalId": "SecretsbgUser2UserPswd08D94AA3",
- "Properties": Object {
- "Name": "PBMMAccel/master/user/password/bgUser2",
- },
- },
- Object {
- "LogicalId": "SecretsOpsUser1UserPswdD5EAD264",
- "Properties": Object {
- "Name": "PBMMAccel/master/user/password/OpsUser1",
- },
- },
- Object {
- "LogicalId": "SecretsOpsUser2UserPswdD05A1573",
- "Properties": Object {
- "Name": "PBMMAccel/master/user/password/OpsUser2",
- },
- },
- Object {
- "LogicalId": "SecretsMadPassword5CC78627",
- "Properties": Object {
- "Name": "PBMMAccel/operations/mad/password",
- },
- },
- Object {
- "LogicalId": "SecretsMadPasswordadconnectorusrB8347327",
- "Properties": Object {
- "Name": "PBMMAccel/operations/mad/adconnector-usr/password",
- },
- },
- Object {
- "LogicalId": "SecretsMadPasswordUser1291E3AF7",
- "Properties": Object {
- "Name": "PBMMAccel/operations/mad/User1/password",
- },
- },
- Object {
- "LogicalId": "SecretsMadPasswordUser29026EDF3",
- "Properties": Object {
- "Name": "PBMMAccel/operations/mad/User2/password",
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: MasterPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: MasterPhase1VpcStackForSsoA3413A70 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: MasterPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: MasterPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: MasterPhase5UsEast1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: Mydevacct1Phase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: Mydevacct1Phase1 1`] = `
-Array [
- Object {
- "LogicalId": "CertDevSelfSignedCertSecret",
- "Properties": Object {
- "Name": "accelerator/certificates/DevSelf-SignedCert",
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: Mydevacct1Phase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: Mydevacct1Phase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: OperationsPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: OperationsPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: OperationsPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: OperationsPhase2SecurityGroupsCentralShared18DBF8A21 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: OperationsPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: OperationsPhase5 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: PerimeterPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: PerimeterPhase1 1`] = `
-Array [
- Object {
- "LogicalId": "CertPerimSelfSignedCertSecret",
- "Properties": Object {
- "Name": "accelerator/certificates/PerimSelf-SignedCert",
- },
- },
-]
-`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: PerimeterPhase1Endpoint02EC98C35 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: PerimeterPhase1VpcStackPerimeter0F2B12AF 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: PerimeterPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: PerimeterPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SecurityPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SecurityPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SecurityPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SecurityPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase0UsEast1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1Endpoint20AE19710 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1VpcStackEndpointF8AAED62 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1VpcStackProd407EC8DE 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1VpcStackTestB1AC84C0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1VpcStackUnClassCF91DDF7 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase3 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase4 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedServicesPhase0 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedServicesPhase1 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedServicesPhase2 1`] = `Array []`;
-
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedServicesPhase3 1`] = `Array []`;
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: FunAcctPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: FunAcctPhase1 1`] = `
+Array [
+ Object {
+ "LogicalId": "DefaultSandboxBudgetF8FD6863",
+ "Properties": Object {
+ "NotificationsWithSubscribers": Array [
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 50,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 75,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 90,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 100,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ ],
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: FunAcctPhase1VpcStackSandboxA62C11F1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: FunAcctPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: FunAcctPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: LogArchivePhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: LogArchivePhase1 1`] = `
+Array [
+ Object {
+ "LogicalId": "DefaultCoreBudget2890563D",
+ "Properties": Object {
+ "NotificationsWithSubscribers": Array [
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 50,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 75,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 90,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 100,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ ],
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: LogArchivePhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: LogArchivePhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: MasterPhase0 1`] = `
+Array [
+ Object {
+ "LogicalId": "OrganizationBudgetD31584F9",
+ "Properties": Object {
+ "NotificationsWithSubscribers": Array [
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 50,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 75,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 90,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 100,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ ],
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: MasterPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: MasterPhase1VpcStackForSsoA3413A70 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: MasterPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: MasterPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: MasterPhase5UsEast1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: Mydevacct1Phase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: Mydevacct1Phase1 1`] = `
+Array [
+ Object {
+ "LogicalId": "DefaultDevBudgetEF9E2FE8",
+ "Properties": Object {
+ "NotificationsWithSubscribers": Array [
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 50,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 75,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 90,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 100,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ ],
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: Mydevacct1Phase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: Mydevacct1Phase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: OperationsPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: OperationsPhase1 1`] = `
+Array [
+ Object {
+ "LogicalId": "DefaultCoreBudget2890563D",
+ "Properties": Object {
+ "NotificationsWithSubscribers": Array [
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 50,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 75,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 90,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 100,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ ],
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: OperationsPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: OperationsPhase2SecurityGroupsCentralShared18DBF8A21 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: OperationsPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: OperationsPhase5 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: PerimeterPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: PerimeterPhase1 1`] = `
+Array [
+ Object {
+ "LogicalId": "PerimeterBudgetA01BBAF8",
+ "Properties": Object {
+ "NotificationsWithSubscribers": Array [
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 50,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 75,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 90,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 100,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ ],
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: PerimeterPhase1Endpoint02EC98C35 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: PerimeterPhase1VpcStackPerimeter0F2B12AF 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: PerimeterPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: PerimeterPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SecurityPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SecurityPhase1 1`] = `
+Array [
+ Object {
+ "LogicalId": "DefaultCoreBudget2890563D",
+ "Properties": Object {
+ "NotificationsWithSubscribers": Array [
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 50,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 75,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 90,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 100,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ ],
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SecurityPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SecurityPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase0UsEast1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1 1`] = `
+Array [
+ Object {
+ "LogicalId": "SharedNetworkBudget43476CAE",
+ "Properties": Object {
+ "NotificationsWithSubscribers": Array [
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 50,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 75,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 90,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 100,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ ],
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1Endpoint20AE19710 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1VpcStackEndpointF8AAED62 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1VpcStackProd407EC8DE 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1VpcStackTestB1AC84C0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1VpcStackUnClassCF91DDF7 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase4 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedServicesPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedServicesPhase1 1`] = `
+Array [
+ Object {
+ "LogicalId": "DefaultCoreBudget2890563D",
+ "Properties": Object {
+ "NotificationsWithSubscribers": Array [
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 50,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 75,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 90,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ Object {
+ "Notification": Object {
+ "ComparisonOperator": "GREATER_THAN",
+ "NotificationType": "ACTUAL",
+ "Threshold": 100,
+ "ThresholdType": "PERCENTAGE",
+ },
+ "Subscribers": Array [
+ Object {
+ "Address": "myemail+pbmmT-budg@example.com",
+ "SubscriptionType": "EMAIL",
+ },
+ ],
+ },
+ ],
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedServicesPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedServicesPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: FunAcctPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: FunAcctPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: FunAcctPhase1VpcStackSandboxA62C11F1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: FunAcctPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: FunAcctPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: LogArchivePhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: LogArchivePhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: LogArchivePhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: LogArchivePhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: MasterPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: MasterPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: MasterPhase1VpcStackForSsoA3413A70 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: MasterPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: MasterPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: MasterPhase5UsEast1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: Mydevacct1Phase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: Mydevacct1Phase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: Mydevacct1Phase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: Mydevacct1Phase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: OperationsPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: OperationsPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: OperationsPhase2 1`] = `
+Array [
+ Object {
+ "LogicalId": "MicrosoftADMicrosoftADFC7F6466",
+ "Properties": Object {
+ "CreateAlias": undefined,
+ "Edition": "Enterprise",
+ "Name": "example.local",
+ "Password": Object {
+ "Fn::Join": Array [
+ "",
+ Array [
+ "{{resolve:secretsmanager:arn:",
+ Object {
+ "Ref": "AWS::Partition",
+ },
+ ":secretsmanager:",
+ Object {
+ "Ref": "AWS::Region",
+ },
+ ":111111111111:secret:PBMMAccel/operations/mad/password:SecretString:::}}",
+ ],
+ ],
+ },
+ "ShortName": "example",
+ "VpcSettings": Object {
+ "SubnetIds": Array [
+ "subnet-02809ab1988c1ec82",
+ "subnet-0f4514137baa07759",
+ ],
+ "VpcId": "vpc-0d0b4cd029857165a",
+ },
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: OperationsPhase2SecurityGroupsCentralShared18DBF8A21 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: OperationsPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: OperationsPhase5 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: PerimeterPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: PerimeterPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: PerimeterPhase1Endpoint02EC98C35 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: PerimeterPhase1VpcStackPerimeter0F2B12AF 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: PerimeterPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: PerimeterPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SecurityPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SecurityPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SecurityPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SecurityPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase0UsEast1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1Endpoint20AE19710 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1VpcStackEndpointF8AAED62 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1VpcStackProd407EC8DE 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1VpcStackTestB1AC84C0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1VpcStackUnClassCF91DDF7 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase4 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedServicesPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedServicesPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedServicesPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedServicesPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: FunAcctPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: FunAcctPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: FunAcctPhase1VpcStackSandboxA62C11F1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: FunAcctPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: FunAcctPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: LogArchivePhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: LogArchivePhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: LogArchivePhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: LogArchivePhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: MasterPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: MasterPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: MasterPhase1VpcStackForSsoA3413A70 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: MasterPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: MasterPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: MasterPhase5UsEast1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: Mydevacct1Phase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: Mydevacct1Phase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: Mydevacct1Phase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: Mydevacct1Phase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: OperationsPhase0 1`] = `
+Array [
+ Object {
+ "LogicalId": "Ec2InstanceAwoperations",
+ "Properties": Object {
+ "AvailabilityZone": undefined,
+ "CpuOptions": undefined,
+ "ElasticGpuSpecifications": undefined,
+ "ElasticInferenceAccelerators": undefined,
+ "HibernationOptions": undefined,
+ "HostResourceGroupArn": undefined,
+ "ImageId": Object {
+ "Ref": "SsmParameterValueawsserviceamiamazonlinuxlatestamznamihvmx8664gp2C96584B6F00A464EAD1953AFF4B05118Parameter",
+ },
+ "Ipv6AddressCount": undefined,
+ "Ipv6Addresses": undefined,
+ "KeyName": undefined,
+ "LaunchTemplate": undefined,
+ "LicenseSpecifications": undefined,
+ "NetworkInterfaces": undefined,
+ "PlacementGroupName": undefined,
+ "PrivateIpAddress": undefined,
+ "SecurityGroups": undefined,
+ "SubnetId": Object {
+ "Ref": "SubnetAwoperations",
+ },
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: OperationsPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: OperationsPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: OperationsPhase2SecurityGroupsCentralShared18DBF8A21 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: OperationsPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: OperationsPhase5 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: PerimeterPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: PerimeterPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: PerimeterPhase1Endpoint02EC98C35 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: PerimeterPhase1VpcStackPerimeter0F2B12AF 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: PerimeterPhase2 1`] = `
+Array [
+ Object {
+ "LogicalId": "FirewallFirewallInstance0D5D1EA8B",
+ "Properties": Object {
+ "AvailabilityZone": undefined,
+ "CpuOptions": undefined,
+ "ElasticGpuSpecifications": undefined,
+ "ElasticInferenceAccelerators": undefined,
+ "HibernationOptions": undefined,
+ "HostResourceGroupArn": undefined,
+ "ImageId": "ami-047aac44951feb9fb",
+ "Ipv6AddressCount": undefined,
+ "Ipv6Addresses": undefined,
+ "KeyName": undefined,
+ "LaunchTemplate": undefined,
+ "LicenseSpecifications": undefined,
+ "NetworkInterfaces": Array [
+ Object {
+ "DeviceIndex": "0",
+ "NetworkInterfaceId": Object {
+ "Ref": "FirewallFirewallInstance0Eni0AC5E4581",
+ },
+ },
+ Object {
+ "DeviceIndex": "1",
+ "NetworkInterfaceId": Object {
+ "Ref": "FirewallFirewallInstance0Eni1E1DD159B",
+ },
+ },
+ Object {
+ "DeviceIndex": "2",
+ "NetworkInterfaceId": Object {
+ "Ref": "FirewallFirewallInstance0Eni27735B38E",
+ },
+ },
+ Object {
+ "DeviceIndex": "3",
+ "NetworkInterfaceId": Object {
+ "Ref": "FirewallFirewallInstance0Eni37CB730B6",
+ },
+ },
+ ],
+ "PlacementGroupName": undefined,
+ "PrivateIpAddress": undefined,
+ "SecurityGroups": undefined,
+ "SubnetId": undefined,
+ },
+ },
+ Object {
+ "LogicalId": "FirewallFirewallInstance108D4AC89",
+ "Properties": Object {
+ "AvailabilityZone": undefined,
+ "CpuOptions": undefined,
+ "ElasticGpuSpecifications": undefined,
+ "ElasticInferenceAccelerators": undefined,
+ "HibernationOptions": undefined,
+ "HostResourceGroupArn": undefined,
+ "ImageId": "ami-047aac44951feb9fb",
+ "Ipv6AddressCount": undefined,
+ "Ipv6Addresses": undefined,
+ "KeyName": undefined,
+ "LaunchTemplate": undefined,
+ "LicenseSpecifications": undefined,
+ "NetworkInterfaces": Array [
+ Object {
+ "DeviceIndex": "0",
+ "NetworkInterfaceId": Object {
+ "Ref": "FirewallFirewallInstance1Eni0F306CFC9",
+ },
+ },
+ Object {
+ "DeviceIndex": "1",
+ "NetworkInterfaceId": Object {
+ "Ref": "FirewallFirewallInstance1Eni15EB9994D",
+ },
+ },
+ Object {
+ "DeviceIndex": "2",
+ "NetworkInterfaceId": Object {
+ "Ref": "FirewallFirewallInstance1Eni2DEDA30B5",
+ },
+ },
+ Object {
+ "DeviceIndex": "3",
+ "NetworkInterfaceId": Object {
+ "Ref": "FirewallFirewallInstance1Eni34E595DAC",
+ },
+ },
+ ],
+ "PlacementGroupName": undefined,
+ "PrivateIpAddress": undefined,
+ "SecurityGroups": undefined,
+ "SubnetId": undefined,
+ },
+ },
+ Object {
+ "LogicalId": "FirewallManagerCCB568C3",
+ "Properties": Object {
+ "AvailabilityZone": undefined,
+ "CpuOptions": undefined,
+ "ElasticGpuSpecifications": undefined,
+ "ElasticInferenceAccelerators": undefined,
+ "HibernationOptions": undefined,
+ "HostResourceGroupArn": undefined,
+ "ImageId": "ami-06fa2a9e6f8fae9f2",
+ "Ipv6AddressCount": undefined,
+ "Ipv6Addresses": undefined,
+ "KeyName": undefined,
+ "LaunchTemplate": undefined,
+ "LicenseSpecifications": undefined,
+ "NetworkInterfaces": Array [
+ Object {
+ "DeviceIndex": "0",
+ "NetworkInterfaceId": Object {
+ "Ref": "FirewallManagerEni044173916",
+ },
+ },
+ ],
+ "PlacementGroupName": undefined,
+ "PrivateIpAddress": undefined,
+ "SecurityGroups": undefined,
+ "SubnetId": undefined,
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: PerimeterPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SecurityPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SecurityPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SecurityPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SecurityPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase0UsEast1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1Endpoint20AE19710 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1VpcStackEndpointF8AAED62 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1VpcStackProd407EC8DE 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1VpcStackTestB1AC84C0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1VpcStackUnClassCF91DDF7 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase4 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedServicesPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedServicesPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedServicesPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedServicesPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: FunAcctPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: FunAcctPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: FunAcctPhase1VpcStackSandboxA62C11F1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: FunAcctPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: FunAcctPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: LogArchivePhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: LogArchivePhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: LogArchivePhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: LogArchivePhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: MasterPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: MasterPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: MasterPhase1VpcStackForSsoA3413A70 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: MasterPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: MasterPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: MasterPhase5UsEast1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: Mydevacct1Phase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: Mydevacct1Phase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: Mydevacct1Phase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: Mydevacct1Phase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: OperationsPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: OperationsPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: OperationsPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: OperationsPhase2SecurityGroupsCentralShared18DBF8A21 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: OperationsPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: OperationsPhase5 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: PerimeterPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: PerimeterPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: PerimeterPhase1Endpoint02EC98C35 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: PerimeterPhase1VpcStackPerimeter0F2B12AF 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: PerimeterPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: PerimeterPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SecurityPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SecurityPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SecurityPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SecurityPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase0 1`] = `
+Array [
+ Object {
+ "LogicalId": "TgwMain627BB489",
+ "Properties": Object {
+ "AmazonSideAsn": 65521,
+ "AutoAcceptSharedAttachments": "enable",
+ "DefaultRouteTableAssociation": "disable",
+ "DefaultRouteTablePropagation": "disable",
+ "Description": undefined,
+ "DnsSupport": "enable",
+ "Tags": Array [
+ Object {
+ "Key": "Accelerator",
+ "Value": "PBMM",
+ },
+ Object {
+ "Key": "Name",
+ "Value": "Main_tgw",
+ },
+ ],
+ "VpnEcmpSupport": "enable",
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase0UsEast1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1Endpoint20AE19710 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1VpcStackEndpointF8AAED62 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1VpcStackProd407EC8DE 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1VpcStackTestB1AC84C0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1VpcStackUnClassCF91DDF7 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase4 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedServicesPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedServicesPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedServicesPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedServicesPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: FunAcctPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: FunAcctPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: FunAcctPhase1VpcStackSandboxA62C11F1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: FunAcctPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: FunAcctPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: LogArchivePhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: LogArchivePhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: LogArchivePhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: LogArchivePhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: MasterPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: MasterPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: MasterPhase1VpcStackForSsoA3413A70 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: MasterPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: MasterPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: MasterPhase5UsEast1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: Mydevacct1Phase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: Mydevacct1Phase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: Mydevacct1Phase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: Mydevacct1Phase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: OperationsPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: OperationsPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: OperationsPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: OperationsPhase2SecurityGroupsCentralShared18DBF8A21 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: OperationsPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: OperationsPhase5 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: PerimeterPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: PerimeterPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: PerimeterPhase1Endpoint02EC98C35 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: PerimeterPhase1VpcStackPerimeter0F2B12AF 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: PerimeterPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: PerimeterPhase3 1`] = `
+Array [
+ Object {
+ "LogicalId": "AlbPublicProdAlbD5FCEFC4",
+ "Properties": Object {
+ "Name": "Public-Prod-perimeter-alb",
+ "Scheme": "internet-facing",
+ "SubnetMappings": undefined,
+ "Type": undefined,
+ },
+ },
+ Object {
+ "LogicalId": "AlbPublicDevTestAlb891C6ABC",
+ "Properties": Object {
+ "Name": "Public-DevTest-perimeter-alb",
+ "Scheme": "internet-facing",
+ "SubnetMappings": undefined,
+ "Type": undefined,
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SecurityPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SecurityPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SecurityPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SecurityPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase0UsEast1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1Endpoint20AE19710 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1VpcStackEndpointF8AAED62 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1VpcStackProd407EC8DE 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1VpcStackTestB1AC84C0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1VpcStackUnClassCF91DDF7 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase4 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedServicesPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedServicesPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedServicesPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedServicesPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: FunAcctPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: FunAcctPhase1 1`] = `
+Array [
+ Object {
+ "LogicalId": "cacentral1",
+ "Properties": Object {
+ "BucketName": undefined,
+ "ObjectLockEnabled": undefined,
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: FunAcctPhase1VpcStackSandboxA62C11F1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: FunAcctPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: FunAcctPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: LogArchivePhase0 1`] = `
+Array [
+ Object {
+ "LogicalId": "cacentral1",
+ "Properties": Object {
+ "BucketName": undefined,
+ "ObjectLockEnabled": undefined,
+ },
+ },
+ Object {
+ "LogicalId": "aescacentral1",
+ "Properties": Object {
+ "BucketName": undefined,
+ "ObjectLockEnabled": undefined,
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: LogArchivePhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: LogArchivePhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: LogArchivePhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: MasterPhase0 1`] = `
+Array [
+ Object {
+ "LogicalId": "configcacentral1",
+ "Properties": Object {
+ "BucketName": undefined,
+ "ObjectLockEnabled": undefined,
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: MasterPhase1 1`] = `
+Array [
+ Object {
+ "LogicalId": "cacentral1",
+ "Properties": Object {
+ "BucketName": undefined,
+ "ObjectLockEnabled": undefined,
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: MasterPhase1VpcStackForSsoA3413A70 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: MasterPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: MasterPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: MasterPhase5UsEast1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: Mydevacct1Phase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: Mydevacct1Phase1 1`] = `
+Array [
+ Object {
+ "LogicalId": "cacentral1",
+ "Properties": Object {
+ "BucketName": undefined,
+ "ObjectLockEnabled": undefined,
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: Mydevacct1Phase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: Mydevacct1Phase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: OperationsPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: OperationsPhase1 1`] = `
+Array [
+ Object {
+ "LogicalId": "cacentral1",
+ "Properties": Object {
+ "BucketName": undefined,
+ "ObjectLockEnabled": undefined,
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: OperationsPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: OperationsPhase2SecurityGroupsCentralShared18DBF8A21 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: OperationsPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: OperationsPhase5 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: PerimeterPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: PerimeterPhase1 1`] = `
+Array [
+ Object {
+ "LogicalId": "cacentral1",
+ "Properties": Object {
+ "BucketName": undefined,
+ "ObjectLockEnabled": undefined,
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: PerimeterPhase1Endpoint02EC98C35 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: PerimeterPhase1VpcStackPerimeter0F2B12AF 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: PerimeterPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: PerimeterPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SecurityPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SecurityPhase1 1`] = `
+Array [
+ Object {
+ "LogicalId": "cacentral1",
+ "Properties": Object {
+ "BucketName": undefined,
+ "ObjectLockEnabled": undefined,
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SecurityPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SecurityPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase0UsEast1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1 1`] = `
+Array [
+ Object {
+ "LogicalId": "cacentral1",
+ "Properties": Object {
+ "BucketName": undefined,
+ "ObjectLockEnabled": undefined,
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1Endpoint20AE19710 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1VpcStackEndpointF8AAED62 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1VpcStackProd407EC8DE 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1VpcStackTestB1AC84C0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1VpcStackUnClassCF91DDF7 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase4 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedServicesPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedServicesPhase1 1`] = `
+Array [
+ Object {
+ "LogicalId": "cacentral1",
+ "Properties": Object {
+ "BucketName": undefined,
+ "ObjectLockEnabled": undefined,
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedServicesPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedServicesPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: FunAcctPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: FunAcctPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: FunAcctPhase1VpcStackSandboxA62C11F1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: FunAcctPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: FunAcctPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: LogArchivePhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: LogArchivePhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: LogArchivePhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: LogArchivePhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: MasterPhase0 1`] = `
+Array [
+ Object {
+ "LogicalId": "SecretsbgUser1UserPswdPolicyC9835C06",
+ "Properties": Object {
+ "SecretId": Object {
+ "Ref": "SecretsbgUser1UserPswdF10CD199",
+ },
+ },
+ },
+ Object {
+ "LogicalId": "SecretsbgUser2UserPswdPolicy2131F530",
+ "Properties": Object {
+ "SecretId": Object {
+ "Ref": "SecretsbgUser2UserPswd08D94AA3",
+ },
+ },
+ },
+ Object {
+ "LogicalId": "SecretsOpsUser1UserPswdPolicy903155AD",
+ "Properties": Object {
+ "SecretId": Object {
+ "Ref": "SecretsOpsUser1UserPswdD5EAD264",
+ },
+ },
+ },
+ Object {
+ "LogicalId": "SecretsOpsUser2UserPswdPolicyAD9B103E",
+ "Properties": Object {
+ "SecretId": Object {
+ "Ref": "SecretsOpsUser2UserPswdD05A1573",
+ },
+ },
+ },
+ Object {
+ "LogicalId": "SecretsMadPasswordPolicy73965873",
+ "Properties": Object {
+ "SecretId": Object {
+ "Ref": "SecretsMadPassword5CC78627",
+ },
+ },
+ },
+ Object {
+ "LogicalId": "SecretsMadPasswordadconnectorusrPolicy889AF319",
+ "Properties": Object {
+ "SecretId": Object {
+ "Ref": "SecretsMadPasswordadconnectorusrB8347327",
+ },
+ },
+ },
+ Object {
+ "LogicalId": "SecretsMadPasswordUser1Policy18726F39",
+ "Properties": Object {
+ "SecretId": Object {
+ "Ref": "SecretsMadPasswordUser1291E3AF7",
+ },
+ },
+ },
+ Object {
+ "LogicalId": "SecretsMadPasswordUser2PolicyEC783CD1",
+ "Properties": Object {
+ "SecretId": Object {
+ "Ref": "SecretsMadPasswordUser29026EDF3",
+ },
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: MasterPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: MasterPhase1VpcStackForSsoA3413A70 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: MasterPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: MasterPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: MasterPhase5UsEast1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: Mydevacct1Phase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: Mydevacct1Phase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: Mydevacct1Phase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: Mydevacct1Phase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: OperationsPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: OperationsPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: OperationsPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: OperationsPhase2SecurityGroupsCentralShared18DBF8A21 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: OperationsPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: OperationsPhase5 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: PerimeterPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: PerimeterPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: PerimeterPhase1Endpoint02EC98C35 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: PerimeterPhase1VpcStackPerimeter0F2B12AF 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: PerimeterPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: PerimeterPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SecurityPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SecurityPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SecurityPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SecurityPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase0UsEast1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1Endpoint20AE19710 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1VpcStackEndpointF8AAED62 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1VpcStackProd407EC8DE 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1VpcStackTestB1AC84C0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1VpcStackUnClassCF91DDF7 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase4 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedServicesPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedServicesPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedServicesPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedServicesPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: FunAcctPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: FunAcctPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: FunAcctPhase1VpcStackSandboxA62C11F1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: FunAcctPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: FunAcctPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: LogArchivePhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: LogArchivePhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: LogArchivePhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: LogArchivePhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: MasterPhase0 1`] = `
+Array [
+ Object {
+ "LogicalId": "SecretsbgUser1UserPswdF10CD199",
+ "Properties": Object {
+ "Name": "PBMMAccel/master/user/password/bgUser1",
+ },
+ },
+ Object {
+ "LogicalId": "SecretsbgUser2UserPswd08D94AA3",
+ "Properties": Object {
+ "Name": "PBMMAccel/master/user/password/bgUser2",
+ },
+ },
+ Object {
+ "LogicalId": "SecretsOpsUser1UserPswdD5EAD264",
+ "Properties": Object {
+ "Name": "PBMMAccel/master/user/password/OpsUser1",
+ },
+ },
+ Object {
+ "LogicalId": "SecretsOpsUser2UserPswdD05A1573",
+ "Properties": Object {
+ "Name": "PBMMAccel/master/user/password/OpsUser2",
+ },
+ },
+ Object {
+ "LogicalId": "SecretsMadPassword5CC78627",
+ "Properties": Object {
+ "Name": "PBMMAccel/operations/mad/password",
+ },
+ },
+ Object {
+ "LogicalId": "SecretsMadPasswordadconnectorusrB8347327",
+ "Properties": Object {
+ "Name": "PBMMAccel/operations/mad/adconnector-usr/password",
+ },
+ },
+ Object {
+ "LogicalId": "SecretsMadPasswordUser1291E3AF7",
+ "Properties": Object {
+ "Name": "PBMMAccel/operations/mad/User1/password",
+ },
+ },
+ Object {
+ "LogicalId": "SecretsMadPasswordUser29026EDF3",
+ "Properties": Object {
+ "Name": "PBMMAccel/operations/mad/User2/password",
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: MasterPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: MasterPhase1VpcStackForSsoA3413A70 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: MasterPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: MasterPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: MasterPhase5UsEast1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: Mydevacct1Phase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: Mydevacct1Phase1 1`] = `
+Array [
+ Object {
+ "LogicalId": "CertDevSelfSignedCertSecret",
+ "Properties": Object {
+ "Name": "accelerator/certificates/DevSelf-SignedCert",
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: Mydevacct1Phase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: Mydevacct1Phase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: OperationsPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: OperationsPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: OperationsPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: OperationsPhase2SecurityGroupsCentralShared18DBF8A21 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: OperationsPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: OperationsPhase5 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: PerimeterPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: PerimeterPhase1 1`] = `
+Array [
+ Object {
+ "LogicalId": "CertPerimSelfSignedCertSecret",
+ "Properties": Object {
+ "Name": "accelerator/certificates/PerimSelf-SignedCert",
+ },
+ },
+]
+`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: PerimeterPhase1Endpoint02EC98C35 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: PerimeterPhase1VpcStackPerimeter0F2B12AF 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: PerimeterPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: PerimeterPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SecurityPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SecurityPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SecurityPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SecurityPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase0UsEast1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1Endpoint20AE19710 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1VpcStackEndpointF8AAED62 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1VpcStackProd407EC8DE 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1VpcStackTestB1AC84C0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1VpcStackUnClassCF91DDF7 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase3 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase4 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedServicesPhase0 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedServicesPhase1 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedServicesPhase2 1`] = `Array []`;
+
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedServicesPhase3 1`] = `Array []`;
diff --git a/src/deployments/cdk/tsconfig.json b/src/deployments/cdk/tsconfig.json
index 022e75367..6a48f7b02 100644
--- a/src/deployments/cdk/tsconfig.json
+++ b/src/deployments/cdk/tsconfig.json
@@ -1,18 +1,18 @@
-{
- "compilerOptions": {
- "strict": true,
- "outDir": "dist",
- "target": "es2019",
- "lib": ["es2019", "es2020.promise"],
- "module": "commonjs",
- "moduleResolution": "node",
- "esModuleInterop": true,
- "noImplicitAny": true,
- "preserveSymlinks": true,
- "skipLibCheck": true,
- "downlevelIteration": true,
- "resolveJsonModule": true,
- },
- "include": ["src/**/*"],
- "exclude": ["test/**/*"]
-}
+{
+ "compilerOptions": {
+ "strict": true,
+ "outDir": "dist",
+ "target": "es2019",
+ "lib": ["es2019", "es2020.promise"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "preserveSymlinks": true,
+ "skipLibCheck": true,
+ "downlevelIteration": true,
+ "resolveJsonModule": true,
+ },
+ "include": ["src/**/*"],
+ "exclude": ["test/**/*"]
+}
diff --git a/src/deployments/runtime/package.json b/src/deployments/runtime/package.json
index 60822a898..a1618f270 100644
--- a/src/deployments/runtime/package.json
+++ b/src/deployments/runtime/package.json
@@ -1,63 +1,63 @@
-{
- "name": "@aws-accelerator/deployments-runtime",
- "version": "0.0.1",
- "private": true,
- "scripts": {
- "build": "pnpx webpack-cli --config webpack.config.ts",
- "prepare": "pnpx webpack-cli --config webpack.config.ts",
- "test": "pnpx jest",
- "lint": "tslint --project tsconfig.json 'src/**/*.ts'"
- },
- "main": "dist/index.js",
- "devDependencies": {
- "@babel/core": "7.9.0",
- "@babel/plugin-proposal-class-properties": "7.8.3",
- "@babel/plugin-transform-typescript": "7.9.4",
- "@babel/preset-env": "7.9.0",
- "@babel/preset-typescript": "7.9.0",
- "@types/adm-zip": "0.4.32",
- "@types/aws-lambda": "8.10.46",
- "@types/cfn-response": "1.0.3",
- "@types/jest": "25.1.4",
- "@types/node": "12.12.6",
- "@types/webpack": "4.41.8",
- "babel-jest": "25.2.0",
- "babel-loader": "8.1.0",
- "fork-ts-checker-webpack-plugin": "4.1.1",
- "glob": "7.1.6",
- "jest": "25.2.4",
- "prettier": "1.19.1",
- "ts-jest": "25.3.0",
- "ts-node": "6.2.0",
- "tslint": "6.1.0",
- "tslint-config-prettier": "1.18.0",
- "tslint-config-standard": "9.0.0",
- "typescript": "3.8.3",
- "webpack": "4.42.1",
- "webpack-cli": "3.3.11",
- "@types/js-base64": "2.3.1",
- "js-base64": "2.5.2"
- },
- "dependencies": {
- "@aws-accelerator/common": "workspace:^0.0.1",
- "@aws-accelerator/common-outputs": "workspace:^0.0.1",
- "@aws-accelerator/common-config": "workspace:^0.0.1",
- "adm-zip": "0.4.14",
- "aws-lambda": "1.0.5",
- "aws-sdk": "2.668.0",
- "cfn-response": "1.0.1",
- "generate-password": "1.5.1",
- "io-ts": "2.1.2",
- "original-fs": "1.1.0",
- "pascal-case": "^3.1.1"
- },
- "jest": {
- "preset": "ts-jest",
- "testEnvironment": "node",
- "globals": {
- "ts-jest": {
- "isolatedModules": true
- }
- }
- }
-}
+{
+ "name": "@aws-accelerator/deployments-runtime",
+ "version": "0.0.1",
+ "private": true,
+ "scripts": {
+ "build": "pnpx webpack-cli --config webpack.config.ts",
+ "prepare": "pnpx webpack-cli --config webpack.config.ts",
+ "test": "pnpx jest",
+ "lint": "tslint --project tsconfig.json 'src/**/*.ts'"
+ },
+ "main": "dist/index.js",
+ "devDependencies": {
+ "@babel/core": "7.9.0",
+ "@babel/plugin-proposal-class-properties": "7.8.3",
+ "@babel/plugin-transform-typescript": "7.9.4",
+ "@babel/preset-env": "7.9.0",
+ "@babel/preset-typescript": "7.9.0",
+ "@types/adm-zip": "0.4.32",
+ "@types/aws-lambda": "8.10.46",
+ "@types/cfn-response": "1.0.3",
+ "@types/jest": "25.1.4",
+ "@types/node": "12.12.6",
+ "@types/webpack": "4.41.8",
+ "babel-jest": "25.2.0",
+ "babel-loader": "8.1.0",
+ "fork-ts-checker-webpack-plugin": "4.1.1",
+ "glob": "7.1.6",
+ "jest": "25.2.4",
+ "prettier": "1.19.1",
+ "ts-jest": "25.3.0",
+ "ts-node": "6.2.0",
+ "tslint": "6.1.0",
+ "tslint-config-prettier": "1.18.0",
+ "tslint-config-standard": "9.0.0",
+ "typescript": "3.8.3",
+ "webpack": "4.42.1",
+ "webpack-cli": "3.3.11",
+ "@types/js-base64": "2.3.1",
+ "js-base64": "2.5.2"
+ },
+ "dependencies": {
+ "@aws-accelerator/common": "workspace:^0.0.1",
+ "@aws-accelerator/common-outputs": "workspace:^0.0.1",
+ "@aws-accelerator/common-config": "workspace:^0.0.1",
+ "adm-zip": "0.4.14",
+ "aws-lambda": "1.0.5",
+ "aws-sdk": "2.668.0",
+ "cfn-response": "1.0.1",
+ "generate-password": "1.5.1",
+ "io-ts": "2.1.2",
+ "original-fs": "1.1.0",
+ "pascal-case": "^3.1.1"
+ },
+ "jest": {
+ "preset": "ts-jest",
+ "testEnvironment": "node",
+ "globals": {
+ "ts-jest": {
+ "isolatedModules": true
+ }
+ }
+ }
+}
diff --git a/src/deployments/runtime/tsconfig.json b/src/deployments/runtime/tsconfig.json
index afeaba14e..ca8ff589d 100644
--- a/src/deployments/runtime/tsconfig.json
+++ b/src/deployments/runtime/tsconfig.json
@@ -1,17 +1,17 @@
-{
- "compilerOptions": {
- "strict": true,
- "outDir": "dist",
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "module": "commonjs",
- "moduleResolution": "node",
- "esModuleInterop": true,
- "noImplicitAny": true
- },
- "include": [
- "src/**/*"
- ]
-}
+{
+ "compilerOptions": {
+ "strict": true,
+ "outDir": "dist",
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "esModuleInterop": true,
+ "noImplicitAny": true
+ },
+ "include": [
+ "src/**/*"
+ ]
+}
diff --git a/src/installer/cdk/assets/save-application-version.js b/src/installer/cdk/assets/save-application-version.js
index 041f917a3..65051ec95 100644
--- a/src/installer/cdk/assets/save-application-version.js
+++ b/src/installer/cdk/assets/save-application-version.js
@@ -1,51 +1,51 @@
-const AWS = require('aws-sdk');
-
-const codepipeline = new AWS.CodePipeline();
-const ssm = new AWS.SSM();
-
-exports.handler = async function (event, context) {
- console.info(`Saving Accelerator Application Version...`);
- console.info(JSON.stringify(event, null, 2));
-
- const jobInfo = event['CodePipeline.job'];
- const jobId = jobInfo.id;
-
- try {
- const userParametersString = jobInfo.data.actionConfiguration.configuration.UserParameters;
- const userParameters = JSON.parse(userParametersString);
-
- const currentTime = new Date();
- const versionData = {
- Branch: userParameters.branch,
- Repository: userParameters.repository,
- CommitId: userParameters.commitId,
- Owner:userParameters.owner,
- DeployTime: currentTime.toString(),
- AcceleratorVersion: userParameters.acceleratorVersion,
- }
- const param = await ssm.putParameter({
- Name: '/accelerator/version',
- Value: JSON.stringify(versionData, null, 2),
- Type: 'String',
- Overwrite: true,
- }).promise();
- console.log(`Updated Application Version : ${param}`);
- return codepipeline
- .putJobSuccessResult({
- jobId,
- })
- .promise();
- } catch (e) {
- console.info(`Unexpected error while Saving Application Versio: ${e}`);
- return codepipeline
- .putJobFailureResult({
- jobId,
- failureDetails: {
- externalExecutionId: context.awsRequestId,
- type: 'JobFailed',
- message: JSON.stringify(e),
- },
- })
- .promise();
- }
-};
+const AWS = require('aws-sdk');
+
+const codepipeline = new AWS.CodePipeline();
+const ssm = new AWS.SSM();
+
+exports.handler = async function (event, context) {
+ console.info(`Saving Accelerator Application Version...`);
+ console.info(JSON.stringify(event, null, 2));
+
+ const jobInfo = event['CodePipeline.job'];
+ const jobId = jobInfo.id;
+
+ try {
+ const userParametersString = jobInfo.data.actionConfiguration.configuration.UserParameters;
+ const userParameters = JSON.parse(userParametersString);
+
+ const currentTime = new Date();
+ const versionData = {
+ Branch: userParameters.branch,
+ Repository: userParameters.repository,
+ CommitId: userParameters.commitId,
+ Owner:userParameters.owner,
+ DeployTime: currentTime.toString(),
+ AcceleratorVersion: userParameters.acceleratorVersion,
+ }
+ const param = await ssm.putParameter({
+ Name: '/accelerator/version',
+ Value: JSON.stringify(versionData, null, 2),
+ Type: 'String',
+ Overwrite: true,
+ }).promise();
+ console.log(`Updated Application Version : ${param}`);
+ return codepipeline
+ .putJobSuccessResult({
+ jobId,
+ })
+ .promise();
+ } catch (e) {
+ console.info(`Unexpected error while Saving Application Versio: ${e}`);
+ return codepipeline
+ .putJobFailureResult({
+ jobId,
+ failureDetails: {
+ externalExecutionId: context.awsRequestId,
+ type: 'JobFailed',
+ message: JSON.stringify(e),
+ },
+ })
+ .promise();
+ }
+};
diff --git a/src/installer/cdk/assets/start-execution.js b/src/installer/cdk/assets/start-execution.js
index e5b5ead7a..798821bf6 100644
--- a/src/installer/cdk/assets/start-execution.js
+++ b/src/installer/cdk/assets/start-execution.js
@@ -1,45 +1,45 @@
-const AWS = require('aws-sdk');
-
-const codepipeline = new AWS.CodePipeline();
-const sfn = new AWS.StepFunctions();
-
-exports.handler = async function (event, context) {
- console.info(`Starting state machine execution...`);
- console.info(JSON.stringify(event, null, 2));
-
- const jobInfo = event['CodePipeline.job'];
- const jobId = jobInfo.id;
-
- try {
- const userParametersString = jobInfo.data.actionConfiguration.configuration.UserParameters;
- const userParameters = JSON.parse(userParametersString);
- if (!userParameters.stateMachineArn) {
- throw new Error(`"stateMachineArn" is missing from user parameters`);
- }
-
- await sfn
- .startExecution({
- stateMachineArn: userParameters.stateMachineArn,
- })
- .promise();
-
- return codepipeline
- .putJobSuccessResult({
- jobId,
- })
- .promise();
- } catch (e) {
- console.info(`Unexpected error while starting execution: ${e}`);
-
- return codepipeline
- .putJobFailureResult({
- jobId,
- failureDetails: {
- externalExecutionId: context.awsRequestId,
- type: 'JobFailed',
- message: JSON.stringify(e),
- },
- })
- .promise();
- }
-};
+const AWS = require('aws-sdk');
+
+const codepipeline = new AWS.CodePipeline();
+const sfn = new AWS.StepFunctions();
+
+exports.handler = async function (event, context) {
+ console.info(`Starting state machine execution...`);
+ console.info(JSON.stringify(event, null, 2));
+
+ const jobInfo = event['CodePipeline.job'];
+ const jobId = jobInfo.id;
+
+ try {
+ const userParametersString = jobInfo.data.actionConfiguration.configuration.UserParameters;
+ const userParameters = JSON.parse(userParametersString);
+ if (!userParameters.stateMachineArn) {
+ throw new Error(`"stateMachineArn" is missing from user parameters`);
+ }
+
+ await sfn
+ .startExecution({
+ stateMachineArn: userParameters.stateMachineArn,
+ })
+ .promise();
+
+ return codepipeline
+ .putJobSuccessResult({
+ jobId,
+ })
+ .promise();
+ } catch (e) {
+ console.info(`Unexpected error while starting execution: ${e}`);
+
+ return codepipeline
+ .putJobFailureResult({
+ jobId,
+ failureDetails: {
+ externalExecutionId: context.awsRequestId,
+ type: 'JobFailed',
+ message: JSON.stringify(e),
+ },
+ })
+ .promise();
+ }
+};
diff --git a/src/installer/cdk/cdk.json b/src/installer/cdk/cdk.json
index 56b80f51e..61114a431 100644
--- a/src/installer/cdk/cdk.json
+++ b/src/installer/cdk/cdk.json
@@ -1,3 +1,3 @@
-{
- "app": "pnpx ts-node src/index.ts"
+{
+ "app": "pnpx ts-node src/index.ts"
}
\ No newline at end of file
diff --git a/src/installer/cdk/tsconfig.json b/src/installer/cdk/tsconfig.json
index afeaba14e..ca8ff589d 100644
--- a/src/installer/cdk/tsconfig.json
+++ b/src/installer/cdk/tsconfig.json
@@ -1,17 +1,17 @@
-{
- "compilerOptions": {
- "strict": true,
- "outDir": "dist",
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "module": "commonjs",
- "moduleResolution": "node",
- "esModuleInterop": true,
- "noImplicitAny": true
- },
- "include": [
- "src/**/*"
- ]
-}
+{
+ "compilerOptions": {
+ "strict": true,
+ "outDir": "dist",
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "esModuleInterop": true,
+ "noImplicitAny": true
+ },
+ "include": [
+ "src/**/*"
+ ]
+}
diff --git a/src/lib/cdk-accelerator/package.json b/src/lib/cdk-accelerator/package.json
index b5e7be308..d73f38a67 100644
--- a/src/lib/cdk-accelerator/package.json
+++ b/src/lib/cdk-accelerator/package.json
@@ -1,57 +1,57 @@
-{
- "name": "@aws-accelerator/cdk-accelerator",
- "version": "0.0.1",
- "private": true,
- "scripts": {
- "compile": "pnpx tsc --noEmit",
- "test": "pnpx jest",
- "lint": "tslint --project tsconfig.json 'src/**/*.ts'"
- },
- "main": "src/index.ts",
- "files": [
- "src"
- ],
- "devDependencies": {
- "@aws-cdk/assert": "1.46.0",
- "@types/glob": "^7.1.1",
- "@types/jest": "25.2.1",
- "@types/node": "12.12.6",
- "babel-jest": "25.2.0",
- "jest": "25.2.4",
- "prettier": "1.19.1",
- "ts-jest": "25.3.0",
- "ts-node": "8.8.1",
- "tslint": "6.1.0",
- "tslint-config-prettier": "1.18.0",
- "tslint-config-standard": "9.0.0",
- "typescript": "3.8.3"
- },
- "dependencies": {
- "@aws-accelerator/custom-resource-ec2-keypair": "workspace:^0.0.1",
- "@aws-cdk/aws-cloudformation": "1.46.0",
- "@aws-cdk/aws-codebuild": "1.46.0",
- "@aws-cdk/aws-ec2": "1.46.0",
- "@aws-cdk/aws-elasticloadbalancingv2": "1.46.0",
- "@aws-cdk/aws-events": "1.46.0",
- "@aws-cdk/aws-events-targets": "1.46.0",
- "@aws-cdk/aws-guardduty": "1.46.0",
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/aws-kms": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0",
- "@aws-cdk/aws-s3": "1.46.0",
- "@aws-cdk/aws-s3-assets": "1.46.0",
- "@aws-cdk/aws-secretsmanager": "1.46.0",
- "@aws-cdk/aws-sns": "1.46.0",
- "@aws-cdk/aws-stepfunctions": "1.46.0",
- "@aws-cdk/aws-stepfunctions-tasks": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@types/js-yaml": "3.12.3",
- "glob": "^7.1.6",
- "js-yaml": "3.13.1",
- "tempy": "0.5.0"
- },
- "jest": {
- "preset": "ts-jest",
- "testEnvironment": "node"
- }
-}
+{
+ "name": "@aws-accelerator/cdk-accelerator",
+ "version": "0.0.1",
+ "private": true,
+ "scripts": {
+ "compile": "pnpx tsc --noEmit",
+ "test": "pnpx jest",
+ "lint": "tslint --project tsconfig.json 'src/**/*.ts'"
+ },
+ "main": "src/index.ts",
+ "files": [
+ "src"
+ ],
+ "devDependencies": {
+ "@aws-cdk/assert": "1.46.0",
+ "@types/glob": "^7.1.1",
+ "@types/jest": "25.2.1",
+ "@types/node": "12.12.6",
+ "babel-jest": "25.2.0",
+ "jest": "25.2.4",
+ "prettier": "1.19.1",
+ "ts-jest": "25.3.0",
+ "ts-node": "8.8.1",
+ "tslint": "6.1.0",
+ "tslint-config-prettier": "1.18.0",
+ "tslint-config-standard": "9.0.0",
+ "typescript": "3.8.3"
+ },
+ "dependencies": {
+ "@aws-accelerator/custom-resource-ec2-keypair": "workspace:^0.0.1",
+ "@aws-cdk/aws-cloudformation": "1.46.0",
+ "@aws-cdk/aws-codebuild": "1.46.0",
+ "@aws-cdk/aws-ec2": "1.46.0",
+ "@aws-cdk/aws-elasticloadbalancingv2": "1.46.0",
+ "@aws-cdk/aws-events": "1.46.0",
+ "@aws-cdk/aws-events-targets": "1.46.0",
+ "@aws-cdk/aws-guardduty": "1.46.0",
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/aws-kms": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0",
+ "@aws-cdk/aws-s3": "1.46.0",
+ "@aws-cdk/aws-s3-assets": "1.46.0",
+ "@aws-cdk/aws-secretsmanager": "1.46.0",
+ "@aws-cdk/aws-sns": "1.46.0",
+ "@aws-cdk/aws-stepfunctions": "1.46.0",
+ "@aws-cdk/aws-stepfunctions-tasks": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@types/js-yaml": "3.12.3",
+ "glob": "^7.1.6",
+ "js-yaml": "3.13.1",
+ "tempy": "0.5.0"
+ },
+ "jest": {
+ "preset": "ts-jest",
+ "testEnvironment": "node"
+ }
+}
diff --git a/src/lib/cdk-accelerator/tsconfig.json b/src/lib/cdk-accelerator/tsconfig.json
index c5e87d76a..0cfdc8e91 100644
--- a/src/lib/cdk-accelerator/tsconfig.json
+++ b/src/lib/cdk-accelerator/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "strict": true,
- "outDir": "dist",
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "module": "commonjs",
- "moduleResolution": "node",
- "esModuleInterop": true,
- "noImplicitAny": true
- },
- "include": [
- "src/**/*"
- ],
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ]
-}
+{
+ "compilerOptions": {
+ "strict": true,
+ "outDir": "dist",
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "esModuleInterop": true,
+ "noImplicitAny": true
+ },
+ "include": [
+ "src/**/*"
+ ],
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ]
+}
diff --git a/src/lib/cdk-constructs/package.json b/src/lib/cdk-constructs/package.json
index 11d569475..4ed7b9121 100644
--- a/src/lib/cdk-constructs/package.json
+++ b/src/lib/cdk-constructs/package.json
@@ -1,58 +1,58 @@
-{
- "name": "@aws-accelerator/cdk-constructs",
- "version": "0.0.1",
- "private": true,
- "scripts": {
- "compile": "pnpx tsc --noEmit",
- "test": "pnpx jest",
- "lint": "tslint --project tsconfig.json 'src/**/*.ts'"
- },
- "main": "src/index.ts",
- "files": [
- "src"
- ],
- "devDependencies": {
- "@aws-cdk/assert": "1.46.0",
- "@aws-cdk/aws-elasticloadbalancingv2": "1.46.0",
- "@types/hash-sum": "^1.0.0",
- "@types/jest": "25.2.1",
- "@types/node": "12.12.6",
- "babel-jest": "25.2.0",
- "jest": "25.2.4",
- "prettier": "1.19.1",
- "ts-jest": "25.3.0",
- "ts-node": "8.8.1",
- "tslint": "6.1.0",
- "tslint-config-prettier": "1.18.0",
- "tslint-config-standard": "9.0.0",
- "typescript": "3.8.3"
- },
- "dependencies": {
- "@aws-cdk/aws-autoscaling": "1.46.0",
- "@aws-cdk/aws-budgets": "1.46.0",
- "@aws-cdk/aws-cloudformation": "1.46.0",
- "@aws-cdk/aws-ec2": "1.46.0",
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/aws-kms": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0",
- "@aws-cdk/aws-s3": "1.46.0",
- "@aws-cdk/aws-s3-assets": "1.46.0",
- "@aws-cdk/aws-ssm": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-securityhub": "1.46.0",
- "@aws-accelerator/custom-resource-cfn-sleep": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-ec2-keypair": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-s3-template": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-security-hub-accept-invites": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-security-hub-enable": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-security-hub-send-invites": "workspace:^0.0.1",
- "hash-sum": "^2.0.0",
- "ip-num": "^1.2.2",
- "pascal-case": "^3.1.1",
- "tempy": "0.5.0"
- },
- "jest": {
- "preset": "ts-jest",
- "testEnvironment": "node"
- }
-}
+{
+ "name": "@aws-accelerator/cdk-constructs",
+ "version": "0.0.1",
+ "private": true,
+ "scripts": {
+ "compile": "pnpx tsc --noEmit",
+ "test": "pnpx jest",
+ "lint": "tslint --project tsconfig.json 'src/**/*.ts'"
+ },
+ "main": "src/index.ts",
+ "files": [
+ "src"
+ ],
+ "devDependencies": {
+ "@aws-cdk/assert": "1.46.0",
+ "@aws-cdk/aws-elasticloadbalancingv2": "1.46.0",
+ "@types/hash-sum": "^1.0.0",
+ "@types/jest": "25.2.1",
+ "@types/node": "12.12.6",
+ "babel-jest": "25.2.0",
+ "jest": "25.2.4",
+ "prettier": "1.19.1",
+ "ts-jest": "25.3.0",
+ "ts-node": "8.8.1",
+ "tslint": "6.1.0",
+ "tslint-config-prettier": "1.18.0",
+ "tslint-config-standard": "9.0.0",
+ "typescript": "3.8.3"
+ },
+ "dependencies": {
+ "@aws-cdk/aws-autoscaling": "1.46.0",
+ "@aws-cdk/aws-budgets": "1.46.0",
+ "@aws-cdk/aws-cloudformation": "1.46.0",
+ "@aws-cdk/aws-ec2": "1.46.0",
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/aws-kms": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0",
+ "@aws-cdk/aws-s3": "1.46.0",
+ "@aws-cdk/aws-s3-assets": "1.46.0",
+ "@aws-cdk/aws-ssm": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-securityhub": "1.46.0",
+ "@aws-accelerator/custom-resource-cfn-sleep": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-ec2-keypair": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-s3-template": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-security-hub-accept-invites": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-security-hub-enable": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-security-hub-send-invites": "workspace:^0.0.1",
+ "hash-sum": "^2.0.0",
+ "ip-num": "^1.2.2",
+ "pascal-case": "^3.1.1",
+ "tempy": "0.5.0"
+ },
+ "jest": {
+ "preset": "ts-jest",
+ "testEnvironment": "node"
+ }
+}
diff --git a/src/lib/cdk-constructs/tsconfig.json b/src/lib/cdk-constructs/tsconfig.json
index c5e87d76a..0cfdc8e91 100644
--- a/src/lib/cdk-constructs/tsconfig.json
+++ b/src/lib/cdk-constructs/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "strict": true,
- "outDir": "dist",
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "module": "commonjs",
- "moduleResolution": "node",
- "esModuleInterop": true,
- "noImplicitAny": true
- },
- "include": [
- "src/**/*"
- ],
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ]
-}
+{
+ "compilerOptions": {
+ "strict": true,
+ "outDir": "dist",
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "esModuleInterop": true,
+ "noImplicitAny": true
+ },
+ "include": [
+ "src/**/*"
+ ],
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ]
+}
diff --git a/src/lib/cdk-plugin-assume-role/package.json b/src/lib/cdk-plugin-assume-role/package.json
index 5558e37cf..c1c4cb18f 100644
--- a/src/lib/cdk-plugin-assume-role/package.json
+++ b/src/lib/cdk-plugin-assume-role/package.json
@@ -1,27 +1,27 @@
-{
- "name": "@aws-accelerator/cdk-plugin-assume-role",
- "version": "0.0.1",
- "private": true,
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "source": "src/index.ts",
- "main": "dist/index.js",
- "types": "dist/index.d.ts",
- "files": [
- "dist"
- ],
- "devDependencies": {
- "@types/webpack": "4.41.8",
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "webpack": "4.42.1",
- "webpack-cli": "3.3.11",
- "webpack-shell-plugin-next": "1.1.9"
- },
- "dependencies": {
- "aws-cdk": "1.46.0",
- "aws-sdk": "2.668.0",
- "colors": "1.4.0"
- }
-}
+{
+ "name": "@aws-accelerator/cdk-plugin-assume-role",
+ "version": "0.0.1",
+ "private": true,
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "source": "src/index.ts",
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts",
+ "files": [
+ "dist"
+ ],
+ "devDependencies": {
+ "@types/webpack": "4.41.8",
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "webpack": "4.42.1",
+ "webpack-cli": "3.3.11",
+ "webpack-shell-plugin-next": "1.1.9"
+ },
+ "dependencies": {
+ "aws-cdk": "1.46.0",
+ "aws-sdk": "2.668.0",
+ "colors": "1.4.0"
+ }
+}
diff --git a/src/lib/cdk-plugin-assume-role/tsconfig.json b/src/lib/cdk-plugin-assume-role/tsconfig.json
index 6ef2633e1..3be83761e 100644
--- a/src/lib/cdk-plugin-assume-role/tsconfig.json
+++ b/src/lib/cdk-plugin-assume-role/tsconfig.json
@@ -1,18 +1,18 @@
-{
- "compilerOptions": {
- "strict": true,
- "outDir": "dist",
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "esModuleInterop": true,
- "noImplicitAny": true,
- "preserveSymlinks": true,
- "skipLibCheck": true,
- "downlevelIteration": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["test/**/*"]
-}
+{
+ "compilerOptions": {
+ "strict": true,
+ "outDir": "dist",
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "preserveSymlinks": true,
+ "skipLibCheck": true,
+ "downlevelIteration": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["test/**/*"]
+}
diff --git a/src/lib/common-config/package.json b/src/lib/common-config/package.json
index 119cd2639..f7ba5c8ad 100644
--- a/src/lib/common-config/package.json
+++ b/src/lib/common-config/package.json
@@ -1,59 +1,59 @@
-{
- "name": "@aws-accelerator/common-config",
- "version": "0.0.1",
- "private": true,
- "scripts": {
- "build": "pnpx tsc --noEmit",
- "test": "pnpx jest",
- "lint": "tslint --project tsconfig.json 'src/**/*.ts'"
- },
- "main": "src/index.ts",
- "files": [
- "src"
- ],
- "devDependencies": {
- "@types/adm-zip": "0.4.32",
- "@types/archiver": "3.1.0",
- "@types/jest": "25.1.4",
- "@types/js-yaml": "3.12.3",
- "@types/node": "12.12.6",
- "@types/uuid": "7.0.2",
- "babel-jest": "25.2.0",
- "jest": "25.2.4",
- "prettier": "1.19.1",
- "ts-jest": "25.3.0",
- "ts-node": "8.8.1",
- "tslint": "6.1.0",
- "tslint-config-prettier": "1.18.0",
- "tslint-config-standard": "9.0.0",
- "typescript": "3.8.3"
- },
- "dependencies": {
- "@aws-accelerator/common-types": "workspace:^0.0.1",
- "@aws-accelerator/common": "workspace:^0.0.1",
- "@types/deep-diff": "^1.0.0",
- "adm-zip": "0.4.14",
- "@types/prettier": "^2.0.2",
- "archiver": "3.1.1",
- "aws-sdk": "2.668.0",
- "deep-diff": "^1.0.2",
- "exponential-backoff": "^3.0.0",
- "fp-ts": "2.5.3",
- "generate-password": "1.5.1",
- "io-ts": "2.1.2",
- "io-ts-types": "0.5.6",
- "ip-num": "1.2.2",
- "js-yaml": "3.13.1",
- "tempy": "0.5.0",
- "uuid": "7.0.3"
- },
- "jest": {
- "preset": "ts-jest",
- "testEnvironment": "node",
- "globals": {
- "ts-jest": {
- "isolatedModules": true
- }
- }
- }
-}
+{
+ "name": "@aws-accelerator/common-config",
+ "version": "0.0.1",
+ "private": true,
+ "scripts": {
+ "build": "pnpx tsc --noEmit",
+ "test": "pnpx jest",
+ "lint": "tslint --project tsconfig.json 'src/**/*.ts'"
+ },
+ "main": "src/index.ts",
+ "files": [
+ "src"
+ ],
+ "devDependencies": {
+ "@types/adm-zip": "0.4.32",
+ "@types/archiver": "3.1.0",
+ "@types/jest": "25.1.4",
+ "@types/js-yaml": "3.12.3",
+ "@types/node": "12.12.6",
+ "@types/uuid": "7.0.2",
+ "babel-jest": "25.2.0",
+ "jest": "25.2.4",
+ "prettier": "1.19.1",
+ "ts-jest": "25.3.0",
+ "ts-node": "8.8.1",
+ "tslint": "6.1.0",
+ "tslint-config-prettier": "1.18.0",
+ "tslint-config-standard": "9.0.0",
+ "typescript": "3.8.3"
+ },
+ "dependencies": {
+ "@aws-accelerator/common-types": "workspace:^0.0.1",
+ "@aws-accelerator/common": "workspace:^0.0.1",
+ "@types/deep-diff": "^1.0.0",
+ "adm-zip": "0.4.14",
+ "@types/prettier": "^2.0.2",
+ "archiver": "3.1.1",
+ "aws-sdk": "2.668.0",
+ "deep-diff": "^1.0.2",
+ "exponential-backoff": "^3.0.0",
+ "fp-ts": "2.5.3",
+ "generate-password": "1.5.1",
+ "io-ts": "2.1.2",
+ "io-ts-types": "0.5.6",
+ "ip-num": "1.2.2",
+ "js-yaml": "3.13.1",
+ "tempy": "0.5.0",
+ "uuid": "7.0.3"
+ },
+ "jest": {
+ "preset": "ts-jest",
+ "testEnvironment": "node",
+ "globals": {
+ "ts-jest": {
+ "isolatedModules": true
+ }
+ }
+ }
+}
diff --git a/src/lib/common-config/tsconfig.json b/src/lib/common-config/tsconfig.json
index 1e0c5f39e..09fe32b3c 100644
--- a/src/lib/common-config/tsconfig.json
+++ b/src/lib/common-config/tsconfig.json
@@ -1,13 +1,13 @@
-{
- "compilerOptions": {
- "strict": true,
- "outDir": "dist",
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "esModuleInterop": true,
- "noImplicitAny": true
- },
- "include": ["src/**/*"]
-}
+{
+ "compilerOptions": {
+ "strict": true,
+ "outDir": "dist",
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "esModuleInterop": true,
+ "noImplicitAny": true
+ },
+ "include": ["src/**/*"]
+}
diff --git a/src/lib/common-outputs/package.json b/src/lib/common-outputs/package.json
index 45f1662a2..605588530 100644
--- a/src/lib/common-outputs/package.json
+++ b/src/lib/common-outputs/package.json
@@ -1,43 +1,43 @@
-{
- "name": "@aws-accelerator/common-outputs",
- "version": "0.0.1",
- "private": true,
- "scripts": {
- "compile": "pnpx tsc --noEmit",
- "test": "pnpx jest",
- "lint": "tslint --project tsconfig.json 'src/**/*.ts'"
- },
- "main": "src/index.ts",
- "files": [
- "src"
- ],
- "devDependencies": {
- "@aws-cdk/assert": "1.46.0",
- "@types/jest": "25.2.1",
- "@types/node": "12.12.6",
- "babel-jest": "25.2.0",
- "fp-ts": "2.5.3",
- "io-ts": "2.1.2",
- "io-ts-types": "0.5.6",
- "jest": "25.2.4",
- "prettier": "1.19.1",
- "ts-jest": "25.3.0",
- "ts-node": "8.8.1",
- "tslint": "6.1.0",
- "tslint-config-prettier": "1.18.0",
- "tslint-config-standard": "9.0.0",
- "typescript": "3.8.3"
- },
- "dependencies": {
- "@aws-accelerator/common-types": "workspace:^0.0.1"
- },
- "jest": {
- "preset": "ts-jest",
- "testEnvironment": "node",
- "globals": {
- "ts-jest": {
- "isolatedModules": true
- }
- }
- }
-}
+{
+ "name": "@aws-accelerator/common-outputs",
+ "version": "0.0.1",
+ "private": true,
+ "scripts": {
+ "compile": "pnpx tsc --noEmit",
+ "test": "pnpx jest",
+ "lint": "tslint --project tsconfig.json 'src/**/*.ts'"
+ },
+ "main": "src/index.ts",
+ "files": [
+ "src"
+ ],
+ "devDependencies": {
+ "@aws-cdk/assert": "1.46.0",
+ "@types/jest": "25.2.1",
+ "@types/node": "12.12.6",
+ "babel-jest": "25.2.0",
+ "fp-ts": "2.5.3",
+ "io-ts": "2.1.2",
+ "io-ts-types": "0.5.6",
+ "jest": "25.2.4",
+ "prettier": "1.19.1",
+ "ts-jest": "25.3.0",
+ "ts-node": "8.8.1",
+ "tslint": "6.1.0",
+ "tslint-config-prettier": "1.18.0",
+ "tslint-config-standard": "9.0.0",
+ "typescript": "3.8.3"
+ },
+ "dependencies": {
+ "@aws-accelerator/common-types": "workspace:^0.0.1"
+ },
+ "jest": {
+ "preset": "ts-jest",
+ "testEnvironment": "node",
+ "globals": {
+ "ts-jest": {
+ "isolatedModules": true
+ }
+ }
+ }
+}
diff --git a/src/lib/common-outputs/tsconfig.json b/src/lib/common-outputs/tsconfig.json
index c5e87d76a..0cfdc8e91 100644
--- a/src/lib/common-outputs/tsconfig.json
+++ b/src/lib/common-outputs/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "strict": true,
- "outDir": "dist",
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "module": "commonjs",
- "moduleResolution": "node",
- "esModuleInterop": true,
- "noImplicitAny": true
- },
- "include": [
- "src/**/*"
- ],
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ]
-}
+{
+ "compilerOptions": {
+ "strict": true,
+ "outDir": "dist",
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "esModuleInterop": true,
+ "noImplicitAny": true
+ },
+ "include": [
+ "src/**/*"
+ ],
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ]
+}
diff --git a/src/lib/common-types/package.json b/src/lib/common-types/package.json
index 97a1eabd8..56a8945f4 100644
--- a/src/lib/common-types/package.json
+++ b/src/lib/common-types/package.json
@@ -1,20 +1,20 @@
-{
- "name": "@aws-accelerator/common-types",
- "version": "0.0.1",
- "private": true,
- "main": "src/index.ts",
- "files": [
- "src"
- ],
- "devDependencies": {
- "@types/node": "12.12.6",
- "ts-node": "8.8.1",
- "typescript": "3.8.3"
- },
- "dependencies": {
- "fp-ts": "2.5.3",
- "io-ts": "2.1.2",
- "io-ts-types": "0.5.6",
- "ip-num": "1.2.2"
- }
-}
+{
+ "name": "@aws-accelerator/common-types",
+ "version": "0.0.1",
+ "private": true,
+ "main": "src/index.ts",
+ "files": [
+ "src"
+ ],
+ "devDependencies": {
+ "@types/node": "12.12.6",
+ "ts-node": "8.8.1",
+ "typescript": "3.8.3"
+ },
+ "dependencies": {
+ "fp-ts": "2.5.3",
+ "io-ts": "2.1.2",
+ "io-ts-types": "0.5.6",
+ "ip-num": "1.2.2"
+ }
+}
diff --git a/src/lib/common-types/tsconfig.json b/src/lib/common-types/tsconfig.json
index afeaba14e..ca8ff589d 100644
--- a/src/lib/common-types/tsconfig.json
+++ b/src/lib/common-types/tsconfig.json
@@ -1,17 +1,17 @@
-{
- "compilerOptions": {
- "strict": true,
- "outDir": "dist",
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "module": "commonjs",
- "moduleResolution": "node",
- "esModuleInterop": true,
- "noImplicitAny": true
- },
- "include": [
- "src/**/*"
- ]
-}
+{
+ "compilerOptions": {
+ "strict": true,
+ "outDir": "dist",
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "esModuleInterop": true,
+ "noImplicitAny": true
+ },
+ "include": [
+ "src/**/*"
+ ]
+}
diff --git a/src/lib/common/package.json b/src/lib/common/package.json
index ba2129644..21c3af01e 100644
--- a/src/lib/common/package.json
+++ b/src/lib/common/package.json
@@ -1,60 +1,60 @@
-{
- "name": "@aws-accelerator/common",
- "version": "0.0.1",
- "private": true,
- "scripts": {
- "build": "pnpx tsc --noEmit",
- "test": "pnpx jest",
- "lint": "tslint --project tsconfig.json 'src/**/*.ts'"
- },
- "main": "src/index.ts",
- "files": [
- "src"
- ],
- "devDependencies": {
- "@types/adm-zip": "0.4.32",
- "@types/archiver": "3.1.0",
- "@types/jest": "25.1.4",
- "@types/js-yaml": "3.12.3",
- "@types/node": "12.12.6",
- "@types/uuid": "7.0.2",
- "babel-jest": "25.2.0",
- "jest": "25.2.4",
- "prettier": "1.19.1",
- "ts-jest": "25.3.0",
- "ts-node": "8.8.1",
- "tslint": "6.1.0",
- "tslint-config-prettier": "1.18.0",
- "tslint-config-standard": "9.0.0",
- "typescript": "3.8.3"
- },
- "dependencies": {
- "@aws-accelerator/common-config": "workspace:^0.0.1",
- "@aws-accelerator/common-outputs": "workspace:^0.0.1",
- "@aws-accelerator/common-types": "workspace:^0.0.1",
- "@types/deep-diff": "^1.0.0",
- "adm-zip": "0.4.14",
- "@types/prettier": "^2.0.2",
- "archiver": "3.1.1",
- "aws-sdk": "2.668.0",
- "deep-diff": "^1.0.2",
- "exponential-backoff": "^3.0.0",
- "fp-ts": "2.5.3",
- "generate-password": "1.5.1",
- "io-ts": "2.1.2",
- "io-ts-types": "0.5.6",
- "ip-num": "1.2.2",
- "js-yaml": "3.13.1",
- "tempy": "0.5.0",
- "uuid": "7.0.3"
- },
- "jest": {
- "preset": "ts-jest",
- "testEnvironment": "node",
- "globals": {
- "ts-jest": {
- "isolatedModules": true
- }
- }
- }
-}
+{
+ "name": "@aws-accelerator/common",
+ "version": "0.0.1",
+ "private": true,
+ "scripts": {
+ "build": "pnpx tsc --noEmit",
+ "test": "pnpx jest",
+ "lint": "tslint --project tsconfig.json 'src/**/*.ts'"
+ },
+ "main": "src/index.ts",
+ "files": [
+ "src"
+ ],
+ "devDependencies": {
+ "@types/adm-zip": "0.4.32",
+ "@types/archiver": "3.1.0",
+ "@types/jest": "25.1.4",
+ "@types/js-yaml": "3.12.3",
+ "@types/node": "12.12.6",
+ "@types/uuid": "7.0.2",
+ "babel-jest": "25.2.0",
+ "jest": "25.2.4",
+ "prettier": "1.19.1",
+ "ts-jest": "25.3.0",
+ "ts-node": "8.8.1",
+ "tslint": "6.1.0",
+ "tslint-config-prettier": "1.18.0",
+ "tslint-config-standard": "9.0.0",
+ "typescript": "3.8.3"
+ },
+ "dependencies": {
+ "@aws-accelerator/common-config": "workspace:^0.0.1",
+ "@aws-accelerator/common-outputs": "workspace:^0.0.1",
+ "@aws-accelerator/common-types": "workspace:^0.0.1",
+ "@types/deep-diff": "^1.0.0",
+ "adm-zip": "0.4.14",
+ "@types/prettier": "^2.0.2",
+ "archiver": "3.1.1",
+ "aws-sdk": "2.668.0",
+ "deep-diff": "^1.0.2",
+ "exponential-backoff": "^3.0.0",
+ "fp-ts": "2.5.3",
+ "generate-password": "1.5.1",
+ "io-ts": "2.1.2",
+ "io-ts-types": "0.5.6",
+ "ip-num": "1.2.2",
+ "js-yaml": "3.13.1",
+ "tempy": "0.5.0",
+ "uuid": "7.0.3"
+ },
+ "jest": {
+ "preset": "ts-jest",
+ "testEnvironment": "node",
+ "globals": {
+ "ts-jest": {
+ "isolatedModules": true
+ }
+ }
+ }
+}
diff --git a/src/lib/common/tsconfig.json b/src/lib/common/tsconfig.json
index 1e0c5f39e..09fe32b3c 100644
--- a/src/lib/common/tsconfig.json
+++ b/src/lib/common/tsconfig.json
@@ -1,13 +1,13 @@
-{
- "compilerOptions": {
- "strict": true,
- "outDir": "dist",
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "esModuleInterop": true,
- "noImplicitAny": true
- },
- "include": ["src/**/*"]
-}
+{
+ "compilerOptions": {
+ "strict": true,
+ "outDir": "dist",
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "esModuleInterop": true,
+ "noImplicitAny": true
+ },
+ "include": ["src/**/*"]
+}
diff --git a/src/lib/custom-resources/cdk-acm-import-certificate/README.md b/src/lib/custom-resources/cdk-acm-import-certificate/README.md
index b9ee7d522..63d803ab1 100644
--- a/src/lib/custom-resources/cdk-acm-import-certificate/README.md
+++ b/src/lib/custom-resources/cdk-acm-import-certificate/README.md
@@ -1,18 +1,18 @@
-# ACM Import Certificate
-
-This is a custom resource to import a certificate into AWS Certificate Manager.
-
-## Usage
-
- import { AcmImportCertificate } from '@aws-accelerator/custom-resource-acm-import-certificate';
-
- new AcmImportCertificate(scope, `Certificate`, {
- name: 'MyCertificate',
- certificateBucket: ...,
- certificateBucketPath: ...,
- privateKeyBucket: ...,
- privateKeyBucketPath: ...,
- certificateChainBucket: ...,
- certificateChainBucketPath: ...,
- removalPolicy: cdk.RemovalPolicy.RETAIN,
- });
+# ACM Import Certificate
+
+This is a custom resource to import a certificate into AWS Certificate Manager.
+
+## Usage
+
+ import { AcmImportCertificate } from '@aws-accelerator/custom-resource-acm-import-certificate';
+
+ new AcmImportCertificate(scope, `Certificate`, {
+ name: 'MyCertificate',
+ certificateBucket: ...,
+ certificateBucketPath: ...,
+ privateKeyBucket: ...,
+ privateKeyBucketPath: ...,
+ certificateChainBucket: ...,
+ certificateChainBucketPath: ...,
+ removalPolicy: cdk.RemovalPolicy.RETAIN,
+ });
diff --git a/src/lib/custom-resources/cdk-acm-import-certificate/package.json b/src/lib/custom-resources/cdk-acm-import-certificate/package.json
index 5c03a293b..bb8268bb9 100644
--- a/src/lib/custom-resources/cdk-acm-import-certificate/package.json
+++ b/src/lib/custom-resources/cdk-acm-import-certificate/package.json
@@ -1,26 +1,26 @@
-{
- "name": "@aws-accelerator/custom-resource-acm-import-certificate",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/aws-lambda": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0",
- "@aws-cdk/aws-s3": "1.46.0"
- },
- "devDependencies": {
- "@aws-accelerator/custom-resource-acm-import-certificate-runtime": "workspace:^0.0.1",
- "tslint": "6.1.0",
- "ts-node": "6.2.0",
- "tslint-config-standard": "9.0.0",
- "tslint-config-prettier": "1.18.0",
- "typescript": "3.8.3",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-acm-import-certificate",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/aws-lambda": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0",
+ "@aws-cdk/aws-s3": "1.46.0"
+ },
+ "devDependencies": {
+ "@aws-accelerator/custom-resource-acm-import-certificate-runtime": "workspace:^0.0.1",
+ "tslint": "6.1.0",
+ "ts-node": "6.2.0",
+ "tslint-config-standard": "9.0.0",
+ "tslint-config-prettier": "1.18.0",
+ "typescript": "3.8.3",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-acm-import-certificate/runtime/.gitignore b/src/lib/custom-resources/cdk-acm-import-certificate/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-acm-import-certificate/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-acm-import-certificate/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-acm-import-certificate/runtime/package.json b/src/lib/custom-resources/cdk-acm-import-certificate/runtime/package.json
index 96f24fc51..4ffcbc48f 100644
--- a/src/lib/custom-resources/cdk-acm-import-certificate/runtime/package.json
+++ b/src/lib/custom-resources/cdk-acm-import-certificate/runtime/package.json
@@ -1,30 +1,30 @@
-{
- "name": "@aws-accelerator/custom-resource-acm-import-certificate-runtime",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-tags": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-sdk": "2.668.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-acm-import-certificate-runtime",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-tags": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-sdk": "2.668.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-acm-import-certificate/runtime/tsconfig.json b/src/lib/custom-resources/cdk-acm-import-certificate/runtime/tsconfig.json
index c0a79f7b9..d2de0d928 100644
--- a/src/lib/custom-resources/cdk-acm-import-certificate/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-acm-import-certificate/runtime/tsconfig.json
@@ -1,16 +1,16 @@
-{
- "compilerOptions": {
- "outDir": "dist",
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "outDir": "dist",
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-acm-import-certificate/tsconfig.json b/src/lib/custom-resources/cdk-acm-import-certificate/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-acm-import-certificate/tsconfig.json
+++ b/src/lib/custom-resources/cdk-acm-import-certificate/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-cfn-sleep/README.md b/src/lib/custom-resources/cdk-cfn-sleep/README.md
index f455303bd..6eebcde11 100644
--- a/src/lib/custom-resources/cdk-cfn-sleep/README.md
+++ b/src/lib/custom-resources/cdk-cfn-sleep/README.md
@@ -1,17 +1,17 @@
-# EC2 Image Finder
-
-This is a custom resource that makes it possible to add a delay after resource creation.
-
-## Usage
-
- import { CfnSleep } from '@aws-accelerator/custom-resource-cfn-sleep';
-
- const resource = ...
-
- const sleep = new CfnSleep(scope, 'Sleep', {
- sleep: 2000,
- });
- sleep.node.addDependency(resource);
-
- const dependency = ...
- dependency.node.addDependency(sleep);
+# EC2 Image Finder
+
+This is a custom resource that makes it possible to add a delay after resource creation.
+
+## Usage
+
+ import { CfnSleep } from '@aws-accelerator/custom-resource-cfn-sleep';
+
+ const resource = ...
+
+ const sleep = new CfnSleep(scope, 'Sleep', {
+ sleep: 2000,
+ });
+ sleep.node.addDependency(resource);
+
+ const dependency = ...
+ dependency.node.addDependency(sleep);
diff --git a/src/lib/custom-resources/cdk-cfn-sleep/package.json b/src/lib/custom-resources/cdk-cfn-sleep/package.json
index 04bdd9c44..4547e5fe2 100644
--- a/src/lib/custom-resources/cdk-cfn-sleep/package.json
+++ b/src/lib/custom-resources/cdk-cfn-sleep/package.json
@@ -1,25 +1,25 @@
-{
- "name": "@aws-accelerator/custom-resource-cfn-sleep",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/aws-lambda": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0"
- },
- "devDependencies": {
- "tslint": "6.1.0",
- "ts-node": "6.2.0",
- "tslint-config-standard": "9.0.0",
- "tslint-config-prettier": "1.18.0",
- "typescript": "3.8.3",
- "@aws-accelerator/custom-resource-cfn-sleep-runtime": "workspace:^0.0.1",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-cfn-sleep",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/aws-lambda": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint": "6.1.0",
+ "ts-node": "6.2.0",
+ "tslint-config-standard": "9.0.0",
+ "tslint-config-prettier": "1.18.0",
+ "typescript": "3.8.3",
+ "@aws-accelerator/custom-resource-cfn-sleep-runtime": "workspace:^0.0.1",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-cfn-sleep/runtime/.gitignore b/src/lib/custom-resources/cdk-cfn-sleep/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-cfn-sleep/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-cfn-sleep/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-cfn-sleep/runtime/package.json b/src/lib/custom-resources/cdk-cfn-sleep/runtime/package.json
index b325abbc3..79948bb99 100644
--- a/src/lib/custom-resources/cdk-cfn-sleep/runtime/package.json
+++ b/src/lib/custom-resources/cdk-cfn-sleep/runtime/package.json
@@ -1,29 +1,29 @@
-{
- "name": "@aws-accelerator/custom-resource-cfn-sleep-runtime",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-sdk": "2.668.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-cfn-sleep-runtime",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-sdk": "2.668.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-cfn-sleep/runtime/tsconfig.json b/src/lib/custom-resources/cdk-cfn-sleep/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-cfn-sleep/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-cfn-sleep/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-cfn-sleep/tsconfig.json b/src/lib/custom-resources/cdk-cfn-sleep/tsconfig.json
index 32a387e4b..a3c32749e 100644
--- a/src/lib/custom-resources/cdk-cfn-sleep/tsconfig.json
+++ b/src/lib/custom-resources/cdk-cfn-sleep/tsconfig.json
@@ -1,23 +1,23 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "declaration": true,
- "resolveJsonModule": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "declaration": true,
+ "resolveJsonModule": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-cfn-utils/README.md b/src/lib/custom-resources/cdk-cfn-utils/README.md
index 40a4c40cc..a0181bab6 100644
--- a/src/lib/custom-resources/cdk-cfn-utils/README.md
+++ b/src/lib/custom-resources/cdk-cfn-utils/README.md
@@ -1 +1 @@
-# CloudFormation Custom Resource utils.
+# CloudFormation Custom Resource utils.
diff --git a/src/lib/custom-resources/cdk-cfn-utils/package.json b/src/lib/custom-resources/cdk-cfn-utils/package.json
index 170f31d17..342812bee 100644
--- a/src/lib/custom-resources/cdk-cfn-utils/package.json
+++ b/src/lib/custom-resources/cdk-cfn-utils/package.json
@@ -1,21 +1,21 @@
-{
- "name": "@aws-accelerator/custom-resource-cfn-utils",
- "peerDependencies": {
- "aws-lambda": "^1.0.5",
- "exponential-backoff": "^3.0.0",
- "aws-sdk": "^2.668.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "aws-lambda": "1.0.5",
- "exponential-backoff": "3.0.0",
- "aws-sdk": "2.668.0"
- },
- "devDependencies": {
- "@types/node": "12.12.6",
- "@types/aws-lambda": "8.10.46",
- "typescript": "3.8.3"
- }
+{
+ "name": "@aws-accelerator/custom-resource-cfn-utils",
+ "peerDependencies": {
+ "aws-lambda": "^1.0.5",
+ "exponential-backoff": "^3.0.0",
+ "aws-sdk": "^2.668.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "aws-lambda": "1.0.5",
+ "exponential-backoff": "3.0.0",
+ "aws-sdk": "2.668.0"
+ },
+ "devDependencies": {
+ "@types/node": "12.12.6",
+ "@types/aws-lambda": "8.10.46",
+ "typescript": "3.8.3"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-cfn-utils/tsconfig.json b/src/lib/custom-resources/cdk-cfn-utils/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-cfn-utils/tsconfig.json
+++ b/src/lib/custom-resources/cdk-cfn-utils/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-cloud-trail/README.md b/src/lib/custom-resources/cdk-cloud-trail/README.md
index 2616bd94c..9c2eb42c5 100644
--- a/src/lib/custom-resources/cdk-cloud-trail/README.md
+++ b/src/lib/custom-resources/cdk-cloud-trail/README.md
@@ -1,27 +1,27 @@
-# Create CloudTrail Trail
-
-This is a custom resource to create CloudTrail Trail in master account using the `CreateTrail` API call.
-
-## Usage
-
- import { CreateCloudTrail } from '@aws-accelerator/custom-resource-cloud-trail';
-
- const cloudTrailName = ...;
- const bucketName = ...;
- const logGroupArn = ...;
- const roleArn = ...;
- const kmsKeyId = ...;
- const s3KeyPrefix = ...;
- const tagName = ...;
- const tagValue = ...;
-
- new CreateCloudTrail(this, 'CreateCloudTrail', {
- cloudTrailName,
- bucketName,
- logGroupArn,
- roleArn,
- kmsKeyId,
- s3KeyPrefix,
- tagName,
- tagValue,
- });
+# Create CloudTrail Trail
+
+This is a custom resource to create CloudTrail Trail in master account using the `CreateTrail` API call.
+
+## Usage
+
+ import { CreateCloudTrail } from '@aws-accelerator/custom-resource-cloud-trail';
+
+ const cloudTrailName = ...;
+ const bucketName = ...;
+ const logGroupArn = ...;
+ const roleArn = ...;
+ const kmsKeyId = ...;
+ const s3KeyPrefix = ...;
+ const tagName = ...;
+ const tagValue = ...;
+
+ new CreateCloudTrail(this, 'CreateCloudTrail', {
+ cloudTrailName,
+ bucketName,
+ logGroupArn,
+ roleArn,
+ kmsKeyId,
+ s3KeyPrefix,
+ tagName,
+ tagValue,
+ });
diff --git a/src/lib/custom-resources/cdk-cloud-trail/package.json b/src/lib/custom-resources/cdk-cloud-trail/package.json
index 1fb590e02..d5e7c3ec7 100644
--- a/src/lib/custom-resources/cdk-cloud-trail/package.json
+++ b/src/lib/custom-resources/cdk-cloud-trail/package.json
@@ -1,23 +1,23 @@
-{
- "name": "@aws-accelerator/custom-resource-cloud-trail",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0"
- },
- "devDependencies": {
- "tslint": "6.1.0",
- "ts-node": "6.2.0",
- "tslint-config-standard": "9.0.0",
- "@aws-accelerator/custom-resource-cloud-trail-runtime": "workspace:^0.0.1",
- "tslint-config-prettier": "1.18.0",
- "typescript": "3.8.3",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-cloud-trail",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint": "6.1.0",
+ "ts-node": "6.2.0",
+ "tslint-config-standard": "9.0.0",
+ "@aws-accelerator/custom-resource-cloud-trail-runtime": "workspace:^0.0.1",
+ "tslint-config-prettier": "1.18.0",
+ "typescript": "3.8.3",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-cloud-trail/runtime/.gitignore b/src/lib/custom-resources/cdk-cloud-trail/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-cloud-trail/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-cloud-trail/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-cloud-trail/runtime/package.json b/src/lib/custom-resources/cdk-cloud-trail/runtime/package.json
index 972ed2833..e1c4ce198 100644
--- a/src/lib/custom-resources/cdk-cloud-trail/runtime/package.json
+++ b/src/lib/custom-resources/cdk-cloud-trail/runtime/package.json
@@ -1,29 +1,29 @@
-{
- "name": "@aws-accelerator/custom-resource-cloud-trail-runtime",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-sdk": "2.668.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-cloud-trail-runtime",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-sdk": "2.668.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-cloud-trail/runtime/tsconfig.json b/src/lib/custom-resources/cdk-cloud-trail/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-cloud-trail/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-cloud-trail/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-cloud-trail/tsconfig.json b/src/lib/custom-resources/cdk-cloud-trail/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-cloud-trail/tsconfig.json
+++ b/src/lib/custom-resources/cdk-cloud-trail/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-cur-report-definition/README.md b/src/lib/custom-resources/cdk-cur-report-definition/README.md
index 84e6a0c21..eb9b7a15c 100644
--- a/src/lib/custom-resources/cdk-cur-report-definition/README.md
+++ b/src/lib/custom-resources/cdk-cur-report-definition/README.md
@@ -1,22 +1,22 @@
-# Cost and Budget Report Definition
-
-This is a custom resource to that represents a cost and budget report.
-
-## Usage
-
- import { CurReportDefinition } from '@aws-accelerator/custom-resource-cur-report-definition';
-
- new CurReportDefinition(scope, 'CurReportDefinition', {
- additionalArtifacts: ...,
- additionalSchemaElements: ...,
- bucket: ...,
- bucketPrefix: ...,
- bucketRegion: ...,
- compression: ...,
- format: ...,
- refreshClosedReports: ...,
- reportName: ...,
- reportVersioning: ...,
- roleName: ...,
- timeUnit: ...,
- });
+# Cost and Budget Report Definition
+
+This is a custom resource to that represents a cost and budget report.
+
+## Usage
+
+ import { CurReportDefinition } from '@aws-accelerator/custom-resource-cur-report-definition';
+
+ new CurReportDefinition(scope, 'CurReportDefinition', {
+ additionalArtifacts: ...,
+ additionalSchemaElements: ...,
+ bucket: ...,
+ bucketPrefix: ...,
+ bucketRegion: ...,
+ compression: ...,
+ format: ...,
+ refreshClosedReports: ...,
+ reportName: ...,
+ reportVersioning: ...,
+ roleName: ...,
+ timeUnit: ...,
+ });
diff --git a/src/lib/custom-resources/cdk-cur-report-definition/package.json b/src/lib/custom-resources/cdk-cur-report-definition/package.json
index c59047587..34cb5c8fe 100644
--- a/src/lib/custom-resources/cdk-cur-report-definition/package.json
+++ b/src/lib/custom-resources/cdk-cur-report-definition/package.json
@@ -1,27 +1,27 @@
-{
- "name": "@aws-accelerator/custom-resource-cur-report-definition",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/aws-lambda": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0",
- "@aws-cdk/aws-s3": "1.46.0"
- },
- "devDependencies": {
- "tslint": "6.1.0",
- "ts-node": "6.2.0",
- "tslint-config-standard": "9.0.0",
- "tslint-config-prettier": "1.18.0",
- "typescript": "3.8.3",
- "@types/node": "12.12.6",
- "@aws-accelerator/custom-resource-cur-report-definition-runtime": "workspace:^0.0.1"
- }
-
+{
+ "name": "@aws-accelerator/custom-resource-cur-report-definition",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/aws-lambda": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0",
+ "@aws-cdk/aws-s3": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint": "6.1.0",
+ "ts-node": "6.2.0",
+ "tslint-config-standard": "9.0.0",
+ "tslint-config-prettier": "1.18.0",
+ "typescript": "3.8.3",
+ "@types/node": "12.12.6",
+ "@aws-accelerator/custom-resource-cur-report-definition-runtime": "workspace:^0.0.1"
+ }
+
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-cur-report-definition/runtime/.gitignore b/src/lib/custom-resources/cdk-cur-report-definition/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-cur-report-definition/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-cur-report-definition/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-cur-report-definition/runtime/package.json b/src/lib/custom-resources/cdk-cur-report-definition/runtime/package.json
index 14e36faa8..544978431 100644
--- a/src/lib/custom-resources/cdk-cur-report-definition/runtime/package.json
+++ b/src/lib/custom-resources/cdk-cur-report-definition/runtime/package.json
@@ -1,29 +1,29 @@
-{
- "name": "@aws-accelerator/custom-resource-cur-report-definition-runtime",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-sdk": "2.668.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-cur-report-definition-runtime",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-sdk": "2.668.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-cur-report-definition/runtime/tsconfig.json b/src/lib/custom-resources/cdk-cur-report-definition/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-cur-report-definition/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-cur-report-definition/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-cur-report-definition/tsconfig.json b/src/lib/custom-resources/cdk-cur-report-definition/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-cur-report-definition/tsconfig.json
+++ b/src/lib/custom-resources/cdk-cur-report-definition/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ds-log-subscription/README.md b/src/lib/custom-resources/cdk-ds-log-subscription/README.md
index 51d86f11b..038356cfb 100644
--- a/src/lib/custom-resources/cdk-ds-log-subscription/README.md
+++ b/src/lib/custom-resources/cdk-ds-log-subscription/README.md
@@ -1,15 +1,15 @@
-# Directory Service Log Subscription
-
-This is a custom resource to create a Directory Service log subscription using the `CreateLogSubscription` API call.
-
-## Usage
-
- import { DirectoryServiceLogSubscription } from '@aws-accelerator/custom-resource-ds-log-subscription';
-
- const directory = ...;
- const logGroup = ...;
-
- new DirectoryServiceLogSubscription(this, 'DsLogSubscription', {
- directory,
- logGroup,
- });
+# Directory Service Log Subscription
+
+This is a custom resource to create a Directory Service log subscription using the `CreateLogSubscription` API call.
+
+## Usage
+
+ import { DirectoryServiceLogSubscription } from '@aws-accelerator/custom-resource-ds-log-subscription';
+
+ const directory = ...;
+ const logGroup = ...;
+
+ new DirectoryServiceLogSubscription(this, 'DsLogSubscription', {
+ directory,
+ logGroup,
+ });
diff --git a/src/lib/custom-resources/cdk-ds-log-subscription/package.json b/src/lib/custom-resources/cdk-ds-log-subscription/package.json
index f5dee4777..eda712ff7 100644
--- a/src/lib/custom-resources/cdk-ds-log-subscription/package.json
+++ b/src/lib/custom-resources/cdk-ds-log-subscription/package.json
@@ -1,28 +1,28 @@
-{
- "name": "@aws-accelerator/custom-resource-ds-log-subscription",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/aws-logs": "^1.46.0",
- "@aws-cdk/aws-directoryservice": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/custom-resources": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/aws-logs": "1.46.0",
- "@aws-cdk/aws-directoryservice": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/custom-resources": "1.46.0"
- },
- "devDependencies": {
- "tslint": "6.1.0",
- "typescript": "3.8.3",
- "tslint-config-standard": "9.0.0",
- "tslint-config-prettier": "1.18.0",
- "ts-node": "6.2.0",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-ds-log-subscription",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/aws-logs": "^1.46.0",
+ "@aws-cdk/aws-directoryservice": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/custom-resources": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/aws-logs": "1.46.0",
+ "@aws-cdk/aws-directoryservice": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/custom-resources": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint": "6.1.0",
+ "typescript": "3.8.3",
+ "tslint-config-standard": "9.0.0",
+ "tslint-config-prettier": "1.18.0",
+ "ts-node": "6.2.0",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ds-log-subscription/tsconfig.json b/src/lib/custom-resources/cdk-ds-log-subscription/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-ds-log-subscription/tsconfig.json
+++ b/src/lib/custom-resources/cdk-ds-log-subscription/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/README.md b/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/README.md
index a1339a811..1fbfe2592 100644
--- a/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/README.md
+++ b/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/README.md
@@ -1,11 +1,11 @@
-# EC2 EBS Default Encryption
-
-This is a custom resource to enable default encryption for EBS.
-
-## Usage
-
- import { EbsDefaultEncryption } from '@aws-accelerator/custom-resource-ec2-ebs-default-encryption';
-
- new EbsDefaultEncryption(scope, `EbsEncryption`, {
- key,
- });
+# EC2 EBS Default Encryption
+
+This is a custom resource to enable default encryption for EBS.
+
+## Usage
+
+ import { EbsDefaultEncryption } from '@aws-accelerator/custom-resource-ec2-ebs-default-encryption';
+
+ new EbsDefaultEncryption(scope, `EbsEncryption`, {
+ key,
+ });
diff --git a/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/package.json b/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/package.json
index ea726e838..fb2270033 100644
--- a/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/package.json
+++ b/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/package.json
@@ -1,28 +1,28 @@
-{
- "name": "@aws-accelerator/custom-resource-ec2-ebs-default-encryption",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/aws-lambda": "^1.46.0",
- "@aws-cdk/aws-kms": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0",
- "@aws-cdk/aws-kms": "1.46.0"
- },
- "devDependencies": {
- "tslint": "6.1.0",
- "ts-node": "6.2.0",
- "tslint-config-standard": "9.0.0",
- "@aws-accelerator/custom-resource-ec2-ebs-default-encryption-runtime": "workspace:^0.0.1",
- "tslint-config-prettier": "1.18.0",
- "typescript": "3.8.3",
- "@types/node": "12.12.6"
- }
-
+{
+ "name": "@aws-accelerator/custom-resource-ec2-ebs-default-encryption",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/aws-lambda": "^1.46.0",
+ "@aws-cdk/aws-kms": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0",
+ "@aws-cdk/aws-kms": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint": "6.1.0",
+ "ts-node": "6.2.0",
+ "tslint-config-standard": "9.0.0",
+ "@aws-accelerator/custom-resource-ec2-ebs-default-encryption-runtime": "workspace:^0.0.1",
+ "tslint-config-prettier": "1.18.0",
+ "typescript": "3.8.3",
+ "@types/node": "12.12.6"
+ }
+
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/runtime/.gitignore b/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/runtime/package.json b/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/runtime/package.json
index 3766d8cc8..7fe96ce58 100644
--- a/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/runtime/package.json
+++ b/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/runtime/package.json
@@ -1,29 +1,29 @@
-{
- "name": "@aws-accelerator/custom-resource-ec2-ebs-default-encryption-runtime",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-sdk": "2.668.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-ec2-ebs-default-encryption-runtime",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-sdk": "2.668.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/runtime/tsconfig.json b/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/tsconfig.json b/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/tsconfig.json
+++ b/src/lib/custom-resources/cdk-ec2-ebs-default-encryption/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ec2-image-finder/README.md b/src/lib/custom-resources/cdk-ec2-image-finder/README.md
index bda9043d4..4f47eedfb 100644
--- a/src/lib/custom-resources/cdk-ec2-image-finder/README.md
+++ b/src/lib/custom-resources/cdk-ec2-image-finder/README.md
@@ -1,13 +1,13 @@
-# EC2 Image Finder
-
-This is a custom resource to find an AMI by using the EC2 `DescribeImages` API call.
-
-## Usage
-
- import { ImageFinder } from '@aws-accelerator/custom-resource-ec2-image-finder';
-
- const imageFinder = new ImageFinder(scope, 'ImageFinder', {
- imageOwner: '679593333241',
- imageName: 'FortiGate-VM64-AWS build*',
- imageVersion: `*6.2.3*`,
- });
+# EC2 Image Finder
+
+This is a custom resource to find an AMI by using the EC2 `DescribeImages` API call.
+
+## Usage
+
+ import { ImageFinder } from '@aws-accelerator/custom-resource-ec2-image-finder';
+
+ const imageFinder = new ImageFinder(scope, 'ImageFinder', {
+ imageOwner: '679593333241',
+ imageName: 'FortiGate-VM64-AWS build*',
+ imageVersion: `*6.2.3*`,
+ });
diff --git a/src/lib/custom-resources/cdk-ec2-image-finder/package.json b/src/lib/custom-resources/cdk-ec2-image-finder/package.json
index e38da4250..426d185a9 100644
--- a/src/lib/custom-resources/cdk-ec2-image-finder/package.json
+++ b/src/lib/custom-resources/cdk-ec2-image-finder/package.json
@@ -1,23 +1,23 @@
-{
- "name": "@aws-accelerator/custom-resource-ec2-image-finder",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0"
- },
- "devDependencies": {
- "tslint": "6.1.0",
- "ts-node": "6.2.0",
- "tslint-config-standard": "9.0.0",
- "@aws-accelerator/custom-resource-ec2-image-finder-runtime": "workspace:^0.0.1",
- "tslint-config-prettier": "1.18.0",
- "typescript": "3.8.3",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-ec2-image-finder",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint": "6.1.0",
+ "ts-node": "6.2.0",
+ "tslint-config-standard": "9.0.0",
+ "@aws-accelerator/custom-resource-ec2-image-finder-runtime": "workspace:^0.0.1",
+ "tslint-config-prettier": "1.18.0",
+ "typescript": "3.8.3",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ec2-image-finder/runtime/.gitignore b/src/lib/custom-resources/cdk-ec2-image-finder/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-ec2-image-finder/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-ec2-image-finder/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-ec2-image-finder/runtime/package.json b/src/lib/custom-resources/cdk-ec2-image-finder/runtime/package.json
index 900be95cf..b3730a6f6 100644
--- a/src/lib/custom-resources/cdk-ec2-image-finder/runtime/package.json
+++ b/src/lib/custom-resources/cdk-ec2-image-finder/runtime/package.json
@@ -1,29 +1,29 @@
-{
- "name": "@aws-accelerator/custom-resource-ec2-image-finder-runtime",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-sdk": "2.668.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-ec2-image-finder-runtime",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-sdk": "2.668.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ec2-image-finder/runtime/tsconfig.json b/src/lib/custom-resources/cdk-ec2-image-finder/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-ec2-image-finder/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-ec2-image-finder/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-ec2-image-finder/tsconfig.json b/src/lib/custom-resources/cdk-ec2-image-finder/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-ec2-image-finder/tsconfig.json
+++ b/src/lib/custom-resources/cdk-ec2-image-finder/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ec2-keypair/README.md b/src/lib/custom-resources/cdk-ec2-keypair/README.md
index 3afb594bb..619d2fd2f 100644
--- a/src/lib/custom-resources/cdk-ec2-keypair/README.md
+++ b/src/lib/custom-resources/cdk-ec2-keypair/README.md
@@ -1,15 +1,15 @@
-# EC2 Keypair generation
-
-This is a custom resource to generate a Keypair.
-
-## Usage
-
- import { Keypair } from '@aws-accelerator/custom-resource-ec2-keypair';
-
- const keypair = new Keypair(scope, `Keypair`, {
- name: 'MyKeypair',
- secretPrefix: '/my/prefix/',
- });
-
- // Use key name to get the private key stored in secret manager
- keypair.keyName();
+# EC2 Keypair generation
+
+This is a custom resource to generate a Keypair.
+
+## Usage
+
+ import { Keypair } from '@aws-accelerator/custom-resource-ec2-keypair';
+
+ const keypair = new Keypair(scope, `Keypair`, {
+ name: 'MyKeypair',
+ secretPrefix: '/my/prefix/',
+ });
+
+ // Use key name to get the private key stored in secret manager
+ keypair.keyName();
diff --git a/src/lib/custom-resources/cdk-ec2-keypair/package.json b/src/lib/custom-resources/cdk-ec2-keypair/package.json
index a4b47b26d..f625a8b0f 100644
--- a/src/lib/custom-resources/cdk-ec2-keypair/package.json
+++ b/src/lib/custom-resources/cdk-ec2-keypair/package.json
@@ -1,25 +1,25 @@
-{
- "name": "@aws-accelerator/custom-resource-ec2-keypair",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/aws-lambda": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0"
- },
- "devDependencies": {
- "tslint": "6.1.0",
- "ts-node": "6.2.0",
- "tslint-config-standard": "9.0.0",
- "@aws-accelerator/custom-resource-ec2-keypair-runtime": "workspace:^0.0.1",
- "tslint-config-prettier": "1.18.0",
- "typescript": "3.8.3",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-ec2-keypair",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/aws-lambda": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint": "6.1.0",
+ "ts-node": "6.2.0",
+ "tslint-config-standard": "9.0.0",
+ "@aws-accelerator/custom-resource-ec2-keypair-runtime": "workspace:^0.0.1",
+ "tslint-config-prettier": "1.18.0",
+ "typescript": "3.8.3",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ec2-keypair/runtime/.gitignore b/src/lib/custom-resources/cdk-ec2-keypair/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-ec2-keypair/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-ec2-keypair/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-ec2-keypair/runtime/package.json b/src/lib/custom-resources/cdk-ec2-keypair/runtime/package.json
index 7b52e3106..b01c26748 100644
--- a/src/lib/custom-resources/cdk-ec2-keypair/runtime/package.json
+++ b/src/lib/custom-resources/cdk-ec2-keypair/runtime/package.json
@@ -1,29 +1,29 @@
-{
- "name": "@aws-accelerator/custom-resource-ec2-keypair-runtime",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-sdk": "2.668.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-ec2-keypair-runtime",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-sdk": "2.668.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ec2-keypair/runtime/tsconfig.json b/src/lib/custom-resources/cdk-ec2-keypair/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-ec2-keypair/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-ec2-keypair/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-ec2-keypair/tsconfig.json b/src/lib/custom-resources/cdk-ec2-keypair/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-ec2-keypair/tsconfig.json
+++ b/src/lib/custom-resources/cdk-ec2-keypair/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ec2-launch-time/README.md b/src/lib/custom-resources/cdk-ec2-launch-time/README.md
index 42655f54b..7f4ee4c6b 100644
--- a/src/lib/custom-resources/cdk-ec2-launch-time/README.md
+++ b/src/lib/custom-resources/cdk-ec2-launch-time/README.md
@@ -1,13 +1,13 @@
-# EC2 Instance launch time
-
-This is a custom resource to get the ec2 instance launch time using the `DescribeInstances` API call.
-
-## Usage
-
- import { InstanceLaunchTime } from '@aws-accelerator/custom-resource-ec2-launch-time';
-
- const InstanceId = ...;
-
- new InstanceLaunchTime(this, 'InstanceLaunchTime', {
- InstanceId,
- });
+# EC2 Instance launch time
+
+This is a custom resource to get the ec2 instance launch time using the `DescribeInstances` API call.
+
+## Usage
+
+ import { InstanceLaunchTime } from '@aws-accelerator/custom-resource-ec2-launch-time';
+
+ const InstanceId = ...;
+
+ new InstanceLaunchTime(this, 'InstanceLaunchTime', {
+ InstanceId,
+ });
diff --git a/src/lib/custom-resources/cdk-ec2-launch-time/package.json b/src/lib/custom-resources/cdk-ec2-launch-time/package.json
index 57ba708f3..b1dca24d3 100644
--- a/src/lib/custom-resources/cdk-ec2-launch-time/package.json
+++ b/src/lib/custom-resources/cdk-ec2-launch-time/package.json
@@ -1,23 +1,23 @@
-{
- "name": "@aws-accelerator/custom-resource-ec2-launch-time",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0"
- },
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0"
- },
- "devDependencies": {
- "tslint": "6.1.0",
- "ts-node": "6.2.0",
- "tslint-config-standard": "9.0.0",
- "tslint-config-prettier": "1.18.0",
- "typescript": "3.8.3",
- "@types/node": "12.12.6",
- "@aws-accelerator/custom-resource-ec2-launch-time-runtime": "workspace:^0.0.1"
- },
- "main": "cdk/index.ts"
+{
+ "name": "@aws-accelerator/custom-resource-ec2-launch-time",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0"
+ },
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint": "6.1.0",
+ "ts-node": "6.2.0",
+ "tslint-config-standard": "9.0.0",
+ "tslint-config-prettier": "1.18.0",
+ "typescript": "3.8.3",
+ "@types/node": "12.12.6",
+ "@aws-accelerator/custom-resource-ec2-launch-time-runtime": "workspace:^0.0.1"
+ },
+ "main": "cdk/index.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ec2-launch-time/runtime/.gitignore b/src/lib/custom-resources/cdk-ec2-launch-time/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-ec2-launch-time/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-ec2-launch-time/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-ec2-launch-time/runtime/package.json b/src/lib/custom-resources/cdk-ec2-launch-time/runtime/package.json
index 4a434e354..9c5d898fa 100644
--- a/src/lib/custom-resources/cdk-ec2-launch-time/runtime/package.json
+++ b/src/lib/custom-resources/cdk-ec2-launch-time/runtime/package.json
@@ -1,29 +1,29 @@
-{
- "name": "@aws-accelerator/custom-resource-ec2-launch-time-runtime",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-sdk": "2.668.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-ec2-launch-time-runtime",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-sdk": "2.668.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ec2-launch-time/runtime/tsconfig.json b/src/lib/custom-resources/cdk-ec2-launch-time/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-ec2-launch-time/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-ec2-launch-time/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-ec2-launch-time/tsconfig.json b/src/lib/custom-resources/cdk-ec2-launch-time/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-ec2-launch-time/tsconfig.json
+++ b/src/lib/custom-resources/cdk-ec2-launch-time/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/README.md b/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/README.md
index 5f664d982..c6b8c080d 100644
--- a/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/README.md
+++ b/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/README.md
@@ -1,20 +1,20 @@
-# EC2 Market Place Image SubscriptionCheck
-
-This is a custom resource that makes ec2.runInstances and returns status to check subscription status for Market Place AMI
-
-
-## Usage
-
- import { CfnMarketPlaceSubscriptionCheck } from '@aws-accelerator/custom-resource-ec2-marketplace-subscription-validation';
-
- const resource = ...
-
- const subscritionCheckResponse = new CfnMarketPlaceSubscriptionCheck(scope, id, {
- imageId,
- subnetId,
- });
- return subscritionCheckResponse.getAttString('Status');
-
-### Possible Output
-
- Subscribed | OptInRequired
+# EC2 Market Place Image SubscriptionCheck
+
+This is a custom resource that makes ec2.runInstances and returns status to check subscription status for Market Place AMI
+
+
+## Usage
+
+ import { CfnMarketPlaceSubscriptionCheck } from '@aws-accelerator/custom-resource-ec2-marketplace-subscription-validation';
+
+ const resource = ...
+
+ const subscritionCheckResponse = new CfnMarketPlaceSubscriptionCheck(scope, id, {
+ imageId,
+ subnetId,
+ });
+ return subscritionCheckResponse.getAttString('Status');
+
+### Possible Output
+
+ Subscribed | OptInRequired
diff --git a/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/package.json b/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/package.json
index 7242f7666..5a103db76 100644
--- a/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/package.json
+++ b/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/package.json
@@ -1,33 +1,33 @@
-{
- "name": "@aws-accelerator/custom-resource-ec2-marketplace-subscription-validation",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/aws-lambda": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "jest": {
- "testEnvironment": "node",
- "preset": "ts-jest"
- },
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0"
- },
- "devDependencies": {
- "@aws-accelerator/custom-resource-ec2-marketplace-subscription-validation-runtime": "workspace:^0.0.1",
- "tslint": "6.1.0",
- "ts-node": "6.2.0",
- "tslint-config-standard": "9.0.0",
- "tslint-config-prettier": "1.18.0",
- "typescript": "3.8.3",
- "prettier": "1.19.1",
- "jest": "25.2.4",
- "@types/node": "12.12.6",
- "@types/jest": "25.1.4",
- "ts-jest": "25.3.0"
- }
+{
+ "name": "@aws-accelerator/custom-resource-ec2-marketplace-subscription-validation",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/aws-lambda": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "jest": {
+ "testEnvironment": "node",
+ "preset": "ts-jest"
+ },
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0"
+ },
+ "devDependencies": {
+ "@aws-accelerator/custom-resource-ec2-marketplace-subscription-validation-runtime": "workspace:^0.0.1",
+ "tslint": "6.1.0",
+ "ts-node": "6.2.0",
+ "tslint-config-standard": "9.0.0",
+ "tslint-config-prettier": "1.18.0",
+ "typescript": "3.8.3",
+ "prettier": "1.19.1",
+ "jest": "25.2.4",
+ "@types/node": "12.12.6",
+ "@types/jest": "25.1.4",
+ "ts-jest": "25.3.0"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/runtime/.gitignore b/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/runtime/package.json b/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/runtime/package.json
index ff9c8d771..b3f4a6332 100644
--- a/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/runtime/package.json
+++ b/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/runtime/package.json
@@ -1,42 +1,42 @@
-{
- "name": "@aws-accelerator/custom-resource-ec2-marketplace-subscription-validation-runtime",
- "jest": {
- "testEnvironment": "node",
- "preset": "ts-jest"
- },
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-sdk": "2.668.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts && tsc --declaration --emitDeclarationOnly"
- },
- "devDependencies": {
- "tslint-config-standard": "9.0.0",
- "@types/xml2js": "^0.4.5",
- "tslint": "6.1.0",
- "@babel/plugin-proposal-class-properties": "7.8.3",
- "fork-ts-checker-webpack-plugin": "4.1.1",
- "@types/adm-zip": "0.4.32",
- "@babel/preset-typescript": "7.9.0",
- "prettier": "1.19.1",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@babel/plugin-transform-typescript": "7.9.4",
- "tslint-config-prettier": "1.18.0",
- "@types/webpack": "4.41.8",
- "typescript": "3.8.3",
- "ts-node": "6.2.0",
- "babel-loader": "8.1.0",
- "@babel/core": "7.9.0",
- "jest": "25.2.4",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11",
- "@babel/preset-env": "7.9.0"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-ec2-marketplace-subscription-validation-runtime",
+ "jest": {
+ "testEnvironment": "node",
+ "preset": "ts-jest"
+ },
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-sdk": "2.668.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts && tsc --declaration --emitDeclarationOnly"
+ },
+ "devDependencies": {
+ "tslint-config-standard": "9.0.0",
+ "@types/xml2js": "^0.4.5",
+ "tslint": "6.1.0",
+ "@babel/plugin-proposal-class-properties": "7.8.3",
+ "fork-ts-checker-webpack-plugin": "4.1.1",
+ "@types/adm-zip": "0.4.32",
+ "@babel/preset-typescript": "7.9.0",
+ "prettier": "1.19.1",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@babel/plugin-transform-typescript": "7.9.4",
+ "tslint-config-prettier": "1.18.0",
+ "@types/webpack": "4.41.8",
+ "typescript": "3.8.3",
+ "ts-node": "6.2.0",
+ "babel-loader": "8.1.0",
+ "@babel/core": "7.9.0",
+ "jest": "25.2.4",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11",
+ "@babel/preset-env": "7.9.0"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/runtime/tsconfig.json b/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/runtime/tsconfig.json
index c672caab7..d0a4eee4e 100644
--- a/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/runtime/tsconfig.json
@@ -1,22 +1,22 @@
-{
- "compilerOptions": {
- "strict": true,
- "declaration": true,
- "outDir": "dist",
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "module": "commonjs",
- "moduleResolution": "node",
- "esModuleInterop": true,
- "noImplicitAny": true,
- },
- "include": [
- "src/**/*"
- ],
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ]
-}
+{
+ "compilerOptions": {
+ "strict": true,
+ "declaration": true,
+ "outDir": "dist",
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ },
+ "include": [
+ "src/**/*"
+ ],
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ]
+}
diff --git a/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/tsconfig.json b/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/tsconfig.json
+++ b/src/lib/custom-resources/cdk-ec2-marketplace-subscription-validation/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ec2-vpn-attachment/README.md b/src/lib/custom-resources/cdk-ec2-vpn-attachment/README.md
index 77a957ff9..2d2ab3cec 100644
--- a/src/lib/custom-resources/cdk-ec2-vpn-attachment/README.md
+++ b/src/lib/custom-resources/cdk-ec2-vpn-attachment/README.md
@@ -1,31 +1,31 @@
-# Retrieve VPN Transit Gateway Attachments
-
-This is a custom resource to retrieve Attachment ID assigned to VPN connection using `describeTransitGatewayAttachments` API call.
-
-## Usage
-
- // Creating VPN connection route table association and propagation
- const attachments = new VpnAttachments(scope, `VpnAttachments${index}`, {
- vpnConnectionId: vpnConnection.ref,
- });
-
- const associateConfig = tgwAttach['rt-associate'] || [];
- const propagateConfig = tgwAttach['rt-propagate'] || [];
-
- const tgwRouteAssociates = associateConfig.map(route => transitGateway.getRouteTableIdByName(route)!);
- const tgwRoutePropagates = propagateConfig.map(route => transitGateway.getRouteTableIdByName(route)!);
-
- for (const [index, route] of tgwRouteAssociates?.entries()) {
- new ec2.CfnTransitGatewayRouteTableAssociation(scope, `tgw_associate_${index}`, {
- transitGatewayAttachmentId: attachments.getTransitGatewayAttachmentId(0), // one vpn connection should only have one attachment
- transitGatewayRouteTableId: route,
- });
- }
-
- for (const [index, route] of tgwRoutePropagates?.entries()) {
- new ec2.CfnTransitGatewayRouteTablePropagation(scope, `tgw_propagate_${index}`, {
- transitGatewayAttachmentId: attachments.getTransitGatewayAttachmentId(0), // one vpn connection should only have one attachment
- transitGatewayRouteTableId: route,
- });
- }
-
+# Retrieve VPN Transit Gateway Attachments
+
+This is a custom resource to retrieve Attachment ID assigned to VPN connection using `describeTransitGatewayAttachments` API call.
+
+## Usage
+
+ // Creating VPN connection route table association and propagation
+ const attachments = new VpnAttachments(scope, `VpnAttachments${index}`, {
+ vpnConnectionId: vpnConnection.ref,
+ });
+
+ const associateConfig = tgwAttach['rt-associate'] || [];
+ const propagateConfig = tgwAttach['rt-propagate'] || [];
+
+ const tgwRouteAssociates = associateConfig.map(route => transitGateway.getRouteTableIdByName(route)!);
+ const tgwRoutePropagates = propagateConfig.map(route => transitGateway.getRouteTableIdByName(route)!);
+
+ for (const [index, route] of tgwRouteAssociates?.entries()) {
+ new ec2.CfnTransitGatewayRouteTableAssociation(scope, `tgw_associate_${index}`, {
+ transitGatewayAttachmentId: attachments.getTransitGatewayAttachmentId(0), // one vpn connection should only have one attachment
+ transitGatewayRouteTableId: route,
+ });
+ }
+
+ for (const [index, route] of tgwRoutePropagates?.entries()) {
+ new ec2.CfnTransitGatewayRouteTablePropagation(scope, `tgw_propagate_${index}`, {
+ transitGatewayAttachmentId: attachments.getTransitGatewayAttachmentId(0), // one vpn connection should only have one attachment
+ transitGatewayRouteTableId: route,
+ });
+ }
+
diff --git a/src/lib/custom-resources/cdk-ec2-vpn-attachment/package.json b/src/lib/custom-resources/cdk-ec2-vpn-attachment/package.json
index e139f5355..696dd3982 100644
--- a/src/lib/custom-resources/cdk-ec2-vpn-attachment/package.json
+++ b/src/lib/custom-resources/cdk-ec2-vpn-attachment/package.json
@@ -1,47 +1,47 @@
-{
- "name": "@aws-accelerator/custom-resource-ec2-vpn-attachment",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/custom-resources": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "jest": {
- "testEnvironment": "node",
- "preset": "ts-jest"
- },
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/custom-resources": "1.46.0"
- },
- "devDependencies": {
- "tslint-config-standard": "9.0.0",
- "@types/aws-lambda": "8.10.46",
- "babel-loader": "8.1.0",
- "@babel/core": "7.9.0",
- "jest": "25.2.4",
- "@babel/plugin-proposal-class-properties": "7.8.3",
- "@babel/plugin-transform-typescript": "7.9.4",
- "webpack": "4.42.1",
- "prettier": "1.19.1",
- "webpack-cli": "3.3.11",
- "@babel/preset-env": "7.9.0",
- "typescript": "3.8.3",
- "@babel/preset-typescript": "7.9.0",
- "glob": "7.1.6",
- "@types/webpack": "4.41.8",
- "ts-node": "6.2.0",
- "@types/jest": "25.1.4",
- "tslint": "6.1.0",
- "fork-ts-checker-webpack-plugin": "4.1.1",
- "@types/adm-zip": "0.4.32",
- "babel-jest": "25.2.0",
- "tslint-config-prettier": "1.18.0",
- "@types/cfn-response": "1.0.3",
- "ts-jest": "25.3.0",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-ec2-vpn-attachment",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/custom-resources": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "jest": {
+ "testEnvironment": "node",
+ "preset": "ts-jest"
+ },
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/custom-resources": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint-config-standard": "9.0.0",
+ "@types/aws-lambda": "8.10.46",
+ "babel-loader": "8.1.0",
+ "@babel/core": "7.9.0",
+ "jest": "25.2.4",
+ "@babel/plugin-proposal-class-properties": "7.8.3",
+ "@babel/plugin-transform-typescript": "7.9.4",
+ "webpack": "4.42.1",
+ "prettier": "1.19.1",
+ "webpack-cli": "3.3.11",
+ "@babel/preset-env": "7.9.0",
+ "typescript": "3.8.3",
+ "@babel/preset-typescript": "7.9.0",
+ "glob": "7.1.6",
+ "@types/webpack": "4.41.8",
+ "ts-node": "6.2.0",
+ "@types/jest": "25.1.4",
+ "tslint": "6.1.0",
+ "fork-ts-checker-webpack-plugin": "4.1.1",
+ "@types/adm-zip": "0.4.32",
+ "babel-jest": "25.2.0",
+ "tslint-config-prettier": "1.18.0",
+ "@types/cfn-response": "1.0.3",
+ "ts-jest": "25.3.0",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ec2-vpn-attachment/tsconfig.json b/src/lib/custom-resources/cdk-ec2-vpn-attachment/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-ec2-vpn-attachment/tsconfig.json
+++ b/src/lib/custom-resources/cdk-ec2-vpn-attachment/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/README.md b/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/README.md
index 6b223a39f..3fdd14e56 100644
--- a/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/README.md
+++ b/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/README.md
@@ -1,14 +1,14 @@
-# EC2 VPN Tunnel Options
-
-This is a custom resource to find VPN connection tunnel options by using the EC2 `DescribeVpnConnections` API call.
-
-## Usage
-
- import { VpnTunnelOptions } from '@aws-accelerator/custom-resource-ec2-vpn-tunnel-options';
-
- const tunnelOptions = new VpnTunnelOptions(scope, 'TunnelOptions', {
- vpnConnectionId: 'vpn-0123456789',
- });
-
- tunnelOptions.getAttribute('CgwOutsideIpAddress1');
- tunnelOptions.getAttribute('CgwOutsideIpAddress2');
+# EC2 VPN Tunnel Options
+
+This is a custom resource to find VPN connection tunnel options by using the EC2 `DescribeVpnConnections` API call.
+
+## Usage
+
+ import { VpnTunnelOptions } from '@aws-accelerator/custom-resource-ec2-vpn-tunnel-options';
+
+ const tunnelOptions = new VpnTunnelOptions(scope, 'TunnelOptions', {
+ vpnConnectionId: 'vpn-0123456789',
+ });
+
+ tunnelOptions.getAttribute('CgwOutsideIpAddress1');
+ tunnelOptions.getAttribute('CgwOutsideIpAddress2');
diff --git a/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/package.json b/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/package.json
index 8b9513d2d..273187c3a 100644
--- a/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/package.json
+++ b/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/package.json
@@ -1,24 +1,24 @@
-{
- "name": "@aws-accelerator/custom-resource-ec2-vpn-tunnel-options",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0"
- },
- "devDependencies": {
- "tslint": "6.1.0",
- "ts-node": "6.2.0",
- "tslint-config-standard": "9.0.0",
- "tslint-config-prettier": "1.18.0",
- "@aws-accelerator/custom-resource-ec2-vpn-tunnel-options-runtime": "workspace:^0.0.1",
- "typescript": "3.8.3",
- "@types/node": "12.12.6"
- }
-
+{
+ "name": "@aws-accelerator/custom-resource-ec2-vpn-tunnel-options",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint": "6.1.0",
+ "ts-node": "6.2.0",
+ "tslint-config-standard": "9.0.0",
+ "tslint-config-prettier": "1.18.0",
+ "@aws-accelerator/custom-resource-ec2-vpn-tunnel-options-runtime": "workspace:^0.0.1",
+ "typescript": "3.8.3",
+ "@types/node": "12.12.6"
+ }
+
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/runtime/.gitignore b/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/runtime/package.json b/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/runtime/package.json
index 34f084e1d..5642c5a15 100644
--- a/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/runtime/package.json
+++ b/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/runtime/package.json
@@ -1,31 +1,31 @@
-{
- "name": "@aws-accelerator/custom-resource-ec2-vpn-tunnel-options-runtime",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "xml2js": "0.4.23",
- "aws-sdk": "2.668.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "@types/xml2js": "^0.4.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-ec2-vpn-tunnel-options-runtime",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "xml2js": "0.4.23",
+ "aws-sdk": "2.668.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "@types/xml2js": "^0.4.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/runtime/tsconfig.json b/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/tsconfig.json b/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/tsconfig.json
+++ b/src/lib/custom-resources/cdk-ec2-vpn-tunnel-options/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-guardduty-admin-setup/README.md b/src/lib/custom-resources/cdk-guardduty-admin-setup/README.md
index 658ccc33c..ca7a31691 100644
--- a/src/lib/custom-resources/cdk-guardduty-admin-setup/README.md
+++ b/src/lib/custom-resources/cdk-guardduty-admin-setup/README.md
@@ -1,11 +1,11 @@
-# Enable Guard Duty admin
-
-This is a custom resource to Enable Guard Duty admin from `enable-organization-admin-account` API call.
-
-## Usage
-
- // Enable guard duty admin for master account
- const admin = new GuardDutyAdmin(masterAccountStack, 'GuardDutyAdmin', {
- accountId: masterAccountId,
- });
-
+# Enable Guard Duty admin
+
+This is a custom resource to Enable Guard Duty admin from `enable-organization-admin-account` API call.
+
+## Usage
+
+ // Enable guard duty admin for master account
+ const admin = new GuardDutyAdmin(masterAccountStack, 'GuardDutyAdmin', {
+ accountId: masterAccountId,
+ });
+
diff --git a/src/lib/custom-resources/cdk-guardduty-admin-setup/package.json b/src/lib/custom-resources/cdk-guardduty-admin-setup/package.json
index 63b858d34..9d0f0daf0 100644
--- a/src/lib/custom-resources/cdk-guardduty-admin-setup/package.json
+++ b/src/lib/custom-resources/cdk-guardduty-admin-setup/package.json
@@ -1,49 +1,49 @@
-{
- "name": "@aws-accelerator/custom-resource-guardduty-admin-setup",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/custom-resources": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "jest": {
- "testEnvironment": "node",
- "preset": "ts-jest"
- },
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0",
- "@aws-cdk/custom-resources": "1.46.0"
- },
- "devDependencies": {
- "tslint-config-standard": "9.0.0",
- "@types/aws-lambda": "8.10.46",
- "babel-loader": "8.1.0",
- "@babel/core": "7.9.0",
- "jest": "25.2.4",
- "@babel/plugin-proposal-class-properties": "7.8.3",
- "@aws-accelerator/custom-resource-guardduty-admin-setup-runtime": "workspace:^0.0.1",
- "@babel/plugin-transform-typescript": "7.9.4",
- "webpack": "4.42.1",
- "prettier": "1.19.1",
- "webpack-cli": "3.3.11",
- "@babel/preset-env": "7.9.0",
- "typescript": "3.8.3",
- "@babel/preset-typescript": "7.9.0",
- "glob": "7.1.6",
- "@types/webpack": "4.41.8",
- "ts-node": "6.2.0",
- "@types/jest": "25.1.4",
- "tslint": "6.1.0",
- "fork-ts-checker-webpack-plugin": "4.1.1",
- "@types/adm-zip": "0.4.32",
- "babel-jest": "25.2.0",
- "tslint-config-prettier": "1.18.0",
- "@types/cfn-response": "1.0.3",
- "ts-jest": "25.3.0",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-guardduty-admin-setup",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/custom-resources": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "jest": {
+ "testEnvironment": "node",
+ "preset": "ts-jest"
+ },
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0",
+ "@aws-cdk/custom-resources": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint-config-standard": "9.0.0",
+ "@types/aws-lambda": "8.10.46",
+ "babel-loader": "8.1.0",
+ "@babel/core": "7.9.0",
+ "jest": "25.2.4",
+ "@babel/plugin-proposal-class-properties": "7.8.3",
+ "@aws-accelerator/custom-resource-guardduty-admin-setup-runtime": "workspace:^0.0.1",
+ "@babel/plugin-transform-typescript": "7.9.4",
+ "webpack": "4.42.1",
+ "prettier": "1.19.1",
+ "webpack-cli": "3.3.11",
+ "@babel/preset-env": "7.9.0",
+ "typescript": "3.8.3",
+ "@babel/preset-typescript": "7.9.0",
+ "glob": "7.1.6",
+ "@types/webpack": "4.41.8",
+ "ts-node": "6.2.0",
+ "@types/jest": "25.1.4",
+ "tslint": "6.1.0",
+ "fork-ts-checker-webpack-plugin": "4.1.1",
+ "@types/adm-zip": "0.4.32",
+ "babel-jest": "25.2.0",
+ "tslint-config-prettier": "1.18.0",
+ "@types/cfn-response": "1.0.3",
+ "ts-jest": "25.3.0",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-guardduty-admin-setup/runtime/.gitignore b/src/lib/custom-resources/cdk-guardduty-admin-setup/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-guardduty-admin-setup/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-guardduty-admin-setup/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-guardduty-admin-setup/runtime/package.json b/src/lib/custom-resources/cdk-guardduty-admin-setup/runtime/package.json
index be5c4bc9f..392bc51e3 100644
--- a/src/lib/custom-resources/cdk-guardduty-admin-setup/runtime/package.json
+++ b/src/lib/custom-resources/cdk-guardduty-admin-setup/runtime/package.json
@@ -1,29 +1,29 @@
-{
- "name": "@aws-accelerator/custom-resource-guardduty-admin-setup-runtime",
- "externals": [
- "aws-lambda"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-cfn-utils": "workspace:^0.0.1",
- "aws-sdk": "2.711.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-guardduty-admin-setup-runtime",
+ "externals": [
+ "aws-lambda"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-cfn-utils": "workspace:^0.0.1",
+ "aws-sdk": "2.711.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-guardduty-admin-setup/runtime/tsconfig.json b/src/lib/custom-resources/cdk-guardduty-admin-setup/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-guardduty-admin-setup/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-guardduty-admin-setup/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-guardduty-admin-setup/tsconfig.json b/src/lib/custom-resources/cdk-guardduty-admin-setup/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-guardduty-admin-setup/tsconfig.json
+++ b/src/lib/custom-resources/cdk-guardduty-admin-setup/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-guardduty-create-publish/README.md b/src/lib/custom-resources/cdk-guardduty-create-publish/README.md
index ce3ebb1c7..4799984c5 100644
--- a/src/lib/custom-resources/cdk-guardduty-create-publish/README.md
+++ b/src/lib/custom-resources/cdk-guardduty-create-publish/README.md
@@ -1,16 +1,16 @@
-# Create Guard Duty Publish Config
-
-This is a custom resource to create Guard Duty publish config from `CreatePublishingDestination` API call.
-
-## Usage
-
- // Create Guard Duty publish config using detector id
- const accountStack = props.accountStacks.getOrCreateAccountStack(accountKey, region);
- const detector = new GuardDutyDetector(accountStack, 'GuardDutyPublishDetector');
-
- const createPublish = new GuardDutyCreatePublish(accountStack, 'GuardDutyPublish', {
- detectorId: detector.detectorId,
- destinationArn: logBucket.bucketArn,
- kmsKeyArn: logBucket.encryptionKey?.keyArn,
- });
-
+# Create Guard Duty Publish Config
+
+This is a custom resource to create Guard Duty publish config from `CreatePublishingDestination` API call.
+
+## Usage
+
+ // Create Guard Duty publish config using detector id
+ const accountStack = props.accountStacks.getOrCreateAccountStack(accountKey, region);
+ const detector = new GuardDutyDetector(accountStack, 'GuardDutyPublishDetector');
+
+ const createPublish = new GuardDutyCreatePublish(accountStack, 'GuardDutyPublish', {
+ detectorId: detector.detectorId,
+ destinationArn: logBucket.bucketArn,
+ kmsKeyArn: logBucket.encryptionKey?.keyArn,
+ });
+
diff --git a/src/lib/custom-resources/cdk-guardduty-create-publish/package.json b/src/lib/custom-resources/cdk-guardduty-create-publish/package.json
index 189e76790..b98c71d1e 100644
--- a/src/lib/custom-resources/cdk-guardduty-create-publish/package.json
+++ b/src/lib/custom-resources/cdk-guardduty-create-publish/package.json
@@ -1,48 +1,48 @@
-{
- "name": "@aws-accelerator/custom-resource-guardduty-create-publish",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/custom-resources": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "jest": {
- "testEnvironment": "node",
- "preset": "ts-jest"
- },
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0"
- },
- "devDependencies": {
- "tslint-config-standard": "9.0.0",
- "@types/aws-lambda": "8.10.46",
- "babel-loader": "8.1.0",
- "@babel/core": "7.9.0",
- "jest": "25.2.4",
- "@babel/plugin-proposal-class-properties": "7.8.3",
- "@babel/plugin-transform-typescript": "7.9.4",
- "webpack": "4.42.1",
- "prettier": "1.19.1",
- "webpack-cli": "3.3.11",
- "@babel/preset-env": "7.9.0",
- "typescript": "3.8.3",
- "@babel/preset-typescript": "7.9.0",
- "glob": "7.1.6",
- "@types/webpack": "4.41.8",
- "ts-node": "6.2.0",
- "@types/jest": "25.1.4",
- "tslint": "6.1.0",
- "fork-ts-checker-webpack-plugin": "4.1.1",
- "@types/adm-zip": "0.4.32",
- "babel-jest": "25.2.0",
- "tslint-config-prettier": "1.18.0",
- "@types/cfn-response": "1.0.3",
- "ts-jest": "25.3.0",
- "@types/node": "12.12.6",
- "@aws-accelerator/custom-resource-guardduty-create-publish-runtime": "workspace:^0.0.1"
- }
+{
+ "name": "@aws-accelerator/custom-resource-guardduty-create-publish",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/custom-resources": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "jest": {
+ "testEnvironment": "node",
+ "preset": "ts-jest"
+ },
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint-config-standard": "9.0.0",
+ "@types/aws-lambda": "8.10.46",
+ "babel-loader": "8.1.0",
+ "@babel/core": "7.9.0",
+ "jest": "25.2.4",
+ "@babel/plugin-proposal-class-properties": "7.8.3",
+ "@babel/plugin-transform-typescript": "7.9.4",
+ "webpack": "4.42.1",
+ "prettier": "1.19.1",
+ "webpack-cli": "3.3.11",
+ "@babel/preset-env": "7.9.0",
+ "typescript": "3.8.3",
+ "@babel/preset-typescript": "7.9.0",
+ "glob": "7.1.6",
+ "@types/webpack": "4.41.8",
+ "ts-node": "6.2.0",
+ "@types/jest": "25.1.4",
+ "tslint": "6.1.0",
+ "fork-ts-checker-webpack-plugin": "4.1.1",
+ "@types/adm-zip": "0.4.32",
+ "babel-jest": "25.2.0",
+ "tslint-config-prettier": "1.18.0",
+ "@types/cfn-response": "1.0.3",
+ "ts-jest": "25.3.0",
+ "@types/node": "12.12.6",
+ "@aws-accelerator/custom-resource-guardduty-create-publish-runtime": "workspace:^0.0.1"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-guardduty-create-publish/runtime/.gitignore b/src/lib/custom-resources/cdk-guardduty-create-publish/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-guardduty-create-publish/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-guardduty-create-publish/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-guardduty-create-publish/runtime/package.json b/src/lib/custom-resources/cdk-guardduty-create-publish/runtime/package.json
index 7c462ced6..904c4f816 100644
--- a/src/lib/custom-resources/cdk-guardduty-create-publish/runtime/package.json
+++ b/src/lib/custom-resources/cdk-guardduty-create-publish/runtime/package.json
@@ -1,29 +1,29 @@
-{
- "name": "@aws-accelerator/custom-resource-guardduty-create-publish-runtime",
- "externals": [
- "aws-lambda"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-lambda": "1.0.5",
- "aws-sdk": "2.711.0",
- "@aws-accelerator/custom-resource-guardduty-create-publish-runtime": "workspace:^0.0.1"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-guardduty-create-publish-runtime",
+ "externals": [
+ "aws-lambda"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-lambda": "1.0.5",
+ "aws-sdk": "2.711.0",
+ "@aws-accelerator/custom-resource-guardduty-create-publish-runtime": "workspace:^0.0.1"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-guardduty-create-publish/runtime/tsconfig.json b/src/lib/custom-resources/cdk-guardduty-create-publish/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-guardduty-create-publish/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-guardduty-create-publish/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-guardduty-create-publish/tsconfig.json b/src/lib/custom-resources/cdk-guardduty-create-publish/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-guardduty-create-publish/tsconfig.json
+++ b/src/lib/custom-resources/cdk-guardduty-create-publish/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-guardduty-enable-admin/README.md b/src/lib/custom-resources/cdk-guardduty-enable-admin/README.md
index 658ccc33c..ca7a31691 100644
--- a/src/lib/custom-resources/cdk-guardduty-enable-admin/README.md
+++ b/src/lib/custom-resources/cdk-guardduty-enable-admin/README.md
@@ -1,11 +1,11 @@
-# Enable Guard Duty admin
-
-This is a custom resource to Enable Guard Duty admin from `enable-organization-admin-account` API call.
-
-## Usage
-
- // Enable guard duty admin for master account
- const admin = new GuardDutyAdmin(masterAccountStack, 'GuardDutyAdmin', {
- accountId: masterAccountId,
- });
-
+# Enable Guard Duty admin
+
+This is a custom resource to Enable Guard Duty admin from `enable-organization-admin-account` API call.
+
+## Usage
+
+ // Enable guard duty admin for master account
+ const admin = new GuardDutyAdmin(masterAccountStack, 'GuardDutyAdmin', {
+ accountId: masterAccountId,
+ });
+
diff --git a/src/lib/custom-resources/cdk-guardduty-enable-admin/package.json b/src/lib/custom-resources/cdk-guardduty-enable-admin/package.json
index e9edf1c1a..cefb84b95 100644
--- a/src/lib/custom-resources/cdk-guardduty-enable-admin/package.json
+++ b/src/lib/custom-resources/cdk-guardduty-enable-admin/package.json
@@ -1,49 +1,49 @@
-{
- "name": "@aws-accelerator/custom-resource-guardduty-enable-admin",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/custom-resources": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "jest": {
- "testEnvironment": "node",
- "preset": "ts-jest"
- },
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0",
- "@aws-cdk/custom-resources": "1.46.0"
- },
- "devDependencies": {
- "tslint-config-standard": "9.0.0",
- "@types/aws-lambda": "8.10.46",
- "babel-loader": "8.1.0",
- "@babel/core": "7.9.0",
- "jest": "25.2.4",
- "@aws-accelerator/custom-resource-guardduty-enable-admin-runtime": "workspace:^0.0.1",
- "@babel/plugin-proposal-class-properties": "7.8.3",
- "@babel/plugin-transform-typescript": "7.9.4",
- "webpack": "4.42.1",
- "prettier": "1.19.1",
- "webpack-cli": "3.3.11",
- "@babel/preset-env": "7.9.0",
- "typescript": "3.8.3",
- "@babel/preset-typescript": "7.9.0",
- "glob": "7.1.6",
- "@types/webpack": "4.41.8",
- "ts-node": "6.2.0",
- "@types/jest": "25.1.4",
- "tslint": "6.1.0",
- "fork-ts-checker-webpack-plugin": "4.1.1",
- "@types/adm-zip": "0.4.32",
- "babel-jest": "25.2.0",
- "tslint-config-prettier": "1.18.0",
- "@types/cfn-response": "1.0.3",
- "ts-jest": "25.3.0",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-guardduty-enable-admin",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/custom-resources": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "jest": {
+ "testEnvironment": "node",
+ "preset": "ts-jest"
+ },
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0",
+ "@aws-cdk/custom-resources": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint-config-standard": "9.0.0",
+ "@types/aws-lambda": "8.10.46",
+ "babel-loader": "8.1.0",
+ "@babel/core": "7.9.0",
+ "jest": "25.2.4",
+ "@aws-accelerator/custom-resource-guardduty-enable-admin-runtime": "workspace:^0.0.1",
+ "@babel/plugin-proposal-class-properties": "7.8.3",
+ "@babel/plugin-transform-typescript": "7.9.4",
+ "webpack": "4.42.1",
+ "prettier": "1.19.1",
+ "webpack-cli": "3.3.11",
+ "@babel/preset-env": "7.9.0",
+ "typescript": "3.8.3",
+ "@babel/preset-typescript": "7.9.0",
+ "glob": "7.1.6",
+ "@types/webpack": "4.41.8",
+ "ts-node": "6.2.0",
+ "@types/jest": "25.1.4",
+ "tslint": "6.1.0",
+ "fork-ts-checker-webpack-plugin": "4.1.1",
+ "@types/adm-zip": "0.4.32",
+ "babel-jest": "25.2.0",
+ "tslint-config-prettier": "1.18.0",
+ "@types/cfn-response": "1.0.3",
+ "ts-jest": "25.3.0",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-guardduty-enable-admin/runtime/.gitignore b/src/lib/custom-resources/cdk-guardduty-enable-admin/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-guardduty-enable-admin/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-guardduty-enable-admin/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-guardduty-enable-admin/runtime/package.json b/src/lib/custom-resources/cdk-guardduty-enable-admin/runtime/package.json
index 0acd7eca9..7c4850f4a 100644
--- a/src/lib/custom-resources/cdk-guardduty-enable-admin/runtime/package.json
+++ b/src/lib/custom-resources/cdk-guardduty-enable-admin/runtime/package.json
@@ -1,28 +1,28 @@
-{
- "name": "@aws-accelerator/custom-resource-guardduty-enable-admin-runtime",
- "externals": [
- "aws-lambda"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-sdk": "2.711.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-guardduty-enable-admin-runtime",
+ "externals": [
+ "aws-lambda"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-sdk": "2.711.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-guardduty-enable-admin/runtime/tsconfig.json b/src/lib/custom-resources/cdk-guardduty-enable-admin/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-guardduty-enable-admin/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-guardduty-enable-admin/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-guardduty-enable-admin/tsconfig.json b/src/lib/custom-resources/cdk-guardduty-enable-admin/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-guardduty-enable-admin/tsconfig.json
+++ b/src/lib/custom-resources/cdk-guardduty-enable-admin/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-guardduty-get-detector/README.md b/src/lib/custom-resources/cdk-guardduty-get-detector/README.md
index 3f12c29df..6538b39e1 100644
--- a/src/lib/custom-resources/cdk-guardduty-get-detector/README.md
+++ b/src/lib/custom-resources/cdk-guardduty-get-detector/README.md
@@ -1,14 +1,14 @@
-# Retrieve Guard Duty detector id
-
-This is a custom resource to retrieve Detector ID from `list-detectors` API call.
-
-## Usage
-
- // Creating Guard Duty Master using detector id
- const detector = new GuardDutyDetector(masterAccountStack, 'GuardDutyDetector');
-
- const updateConfig = new GuardDutyUpdateConfig(masterAccountStack, 'GuardDutyUpdateConfig', {
- autoEnable: true,
- detectorId: detector.detectorId,
- });
-
+# Retrieve Guard Duty detector id
+
+This is a custom resource to retrieve Detector ID from `list-detectors` API call.
+
+## Usage
+
+ // Creating Guard Duty Master using detector id
+ const detector = new GuardDutyDetector(masterAccountStack, 'GuardDutyDetector');
+
+ const updateConfig = new GuardDutyUpdateConfig(masterAccountStack, 'GuardDutyUpdateConfig', {
+ autoEnable: true,
+ detectorId: detector.detectorId,
+ });
+
diff --git a/src/lib/custom-resources/cdk-guardduty-get-detector/package.json b/src/lib/custom-resources/cdk-guardduty-get-detector/package.json
index 91ce3fa12..36e09d9d7 100644
--- a/src/lib/custom-resources/cdk-guardduty-get-detector/package.json
+++ b/src/lib/custom-resources/cdk-guardduty-get-detector/package.json
@@ -1,50 +1,50 @@
-{
- "name": "@aws-accelerator/custom-resource-guardduty-get-detector",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0",
- "@aws-cdk/custom-resources": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "jest": {
- "testEnvironment": "node",
- "preset": "ts-jest"
- },
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0",
- "@aws-cdk/custom-resources": "1.46.0"
- },
- "devDependencies": {
- "tslint-config-standard": "9.0.0",
- "@types/aws-lambda": "8.10.46",
- "babel-loader": "8.1.0",
- "@babel/core": "7.9.0",
- "jest": "25.2.4",
- "@babel/plugin-proposal-class-properties": "7.8.3",
- "@babel/plugin-transform-typescript": "7.9.4",
- "webpack": "4.42.1",
- "prettier": "1.19.1",
- "webpack-cli": "3.3.11",
- "@babel/preset-env": "7.9.0",
- "typescript": "3.8.3",
- "@babel/preset-typescript": "7.9.0",
- "glob": "7.1.6",
- "@types/webpack": "4.41.8",
- "ts-node": "6.2.0",
- "@types/jest": "25.1.4",
- "tslint": "6.1.0",
- "fork-ts-checker-webpack-plugin": "4.1.1",
- "@types/adm-zip": "0.4.32",
- "@aws-accelerator/custom-resource-guardduty-get-detector-runtime": "workspace:^0.0.1",
- "babel-jest": "25.2.0",
- "tslint-config-prettier": "1.18.0",
- "@types/cfn-response": "1.0.3",
- "ts-jest": "25.3.0",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-guardduty-get-detector",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0",
+ "@aws-cdk/custom-resources": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "jest": {
+ "testEnvironment": "node",
+ "preset": "ts-jest"
+ },
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0",
+ "@aws-cdk/custom-resources": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint-config-standard": "9.0.0",
+ "@types/aws-lambda": "8.10.46",
+ "babel-loader": "8.1.0",
+ "@babel/core": "7.9.0",
+ "jest": "25.2.4",
+ "@babel/plugin-proposal-class-properties": "7.8.3",
+ "@babel/plugin-transform-typescript": "7.9.4",
+ "webpack": "4.42.1",
+ "prettier": "1.19.1",
+ "webpack-cli": "3.3.11",
+ "@babel/preset-env": "7.9.0",
+ "typescript": "3.8.3",
+ "@babel/preset-typescript": "7.9.0",
+ "glob": "7.1.6",
+ "@types/webpack": "4.41.8",
+ "ts-node": "6.2.0",
+ "@types/jest": "25.1.4",
+ "tslint": "6.1.0",
+ "fork-ts-checker-webpack-plugin": "4.1.1",
+ "@types/adm-zip": "0.4.32",
+ "@aws-accelerator/custom-resource-guardduty-get-detector-runtime": "workspace:^0.0.1",
+ "babel-jest": "25.2.0",
+ "tslint-config-prettier": "1.18.0",
+ "@types/cfn-response": "1.0.3",
+ "ts-jest": "25.3.0",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-guardduty-get-detector/runtime/.gitignore b/src/lib/custom-resources/cdk-guardduty-get-detector/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-guardduty-get-detector/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-guardduty-get-detector/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-guardduty-get-detector/runtime/package.json b/src/lib/custom-resources/cdk-guardduty-get-detector/runtime/package.json
index 6781ef870..9bcf576b4 100644
--- a/src/lib/custom-resources/cdk-guardduty-get-detector/runtime/package.json
+++ b/src/lib/custom-resources/cdk-guardduty-get-detector/runtime/package.json
@@ -1,28 +1,28 @@
-{
- "name": "@aws-accelerator/custom-resource-guardduty-get-detector-runtime",
- "externals": [
- "aws-lambda"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-sdk": "2.711.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-guardduty-get-detector-runtime",
+ "externals": [
+ "aws-lambda"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-sdk": "2.711.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-guardduty-get-detector/runtime/tsconfig.json b/src/lib/custom-resources/cdk-guardduty-get-detector/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-guardduty-get-detector/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-guardduty-get-detector/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-guardduty-get-detector/tsconfig.json b/src/lib/custom-resources/cdk-guardduty-get-detector/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-guardduty-get-detector/tsconfig.json
+++ b/src/lib/custom-resources/cdk-guardduty-get-detector/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-iam-create-role/README.md b/src/lib/custom-resources/cdk-iam-create-role/README.md
index 7622f4fc4..7f2159097 100644
--- a/src/lib/custom-resources/cdk-iam-create-role/README.md
+++ b/src/lib/custom-resources/cdk-iam-create-role/README.md
@@ -1,23 +1,23 @@
-# IAM set/update password policy
-
-This is a custom resource to create the iam role using the `createRole` and `attachRolePolicy` API calls.
-
-## Usage
-
- import { IamCreateRole } from '@aws-accelerator/custom-resource-iam-create-role';
-
- const roleName = ...;
- const accountIds = ...;
- const managedPolicies = ...;
- const tagName = ...;
- const tagValue = ...;
- const lambdaRoleArn = ...;
-
- new IamCreateRole(this, 'IamCreateRole', {
- roleName,
- accountIds,
- managedPolicies,
- tagName,
- tagValue,
- lambdaRoleArn,
- });
+# IAM set/update password policy
+
+This is a custom resource to create the iam role using the `createRole` and `attachRolePolicy` API calls.
+
+## Usage
+
+ import { IamCreateRole } from '@aws-accelerator/custom-resource-iam-create-role';
+
+ const roleName = ...;
+ const accountIds = ...;
+ const managedPolicies = ...;
+ const tagName = ...;
+ const tagValue = ...;
+ const lambdaRoleArn = ...;
+
+ new IamCreateRole(this, 'IamCreateRole', {
+ roleName,
+ accountIds,
+ managedPolicies,
+ tagName,
+ tagValue,
+ lambdaRoleArn,
+ });
diff --git a/src/lib/custom-resources/cdk-iam-create-role/package.json b/src/lib/custom-resources/cdk-iam-create-role/package.json
index a9120e4af..a7f1452d5 100644
--- a/src/lib/custom-resources/cdk-iam-create-role/package.json
+++ b/src/lib/custom-resources/cdk-iam-create-role/package.json
@@ -1,25 +1,25 @@
-{
- "name": "@aws-accelerator/custom-resource-iam-create-role",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0",
- "@aws-cdk/custom-resources": "1.46.0"
- },
- "devDependencies": {
- "tslint": "6.1.0",
- "ts-node": "6.2.0",
- "tslint-config-standard": "9.0.0",
- "@aws-accelerator/custom-resource-iam-create-role-runtime": "workspace:^0.0.1",
- "tslint-config-prettier": "1.18.0",
- "typescript": "3.8.3",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-iam-create-role",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0",
+ "@aws-cdk/custom-resources": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint": "6.1.0",
+ "ts-node": "6.2.0",
+ "tslint-config-standard": "9.0.0",
+ "@aws-accelerator/custom-resource-iam-create-role-runtime": "workspace:^0.0.1",
+ "tslint-config-prettier": "1.18.0",
+ "typescript": "3.8.3",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-iam-create-role/runtime/.gitignore b/src/lib/custom-resources/cdk-iam-create-role/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-iam-create-role/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-iam-create-role/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-iam-create-role/runtime/package.json b/src/lib/custom-resources/cdk-iam-create-role/runtime/package.json
index 5b85994cc..45d3b2307 100644
--- a/src/lib/custom-resources/cdk-iam-create-role/runtime/package.json
+++ b/src/lib/custom-resources/cdk-iam-create-role/runtime/package.json
@@ -1,30 +1,30 @@
-{
- "name": "@aws-accelerator/custom-resource-iam-create-role-runtime",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-cfn-utils": "workspace:^0.0.1",
- "aws-sdk": "2.668.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-iam-create-role-runtime",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-cfn-utils": "workspace:^0.0.1",
+ "aws-sdk": "2.668.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-iam-create-role/runtime/tsconfig.json b/src/lib/custom-resources/cdk-iam-create-role/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-iam-create-role/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-iam-create-role/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-iam-create-role/tsconfig.json b/src/lib/custom-resources/cdk-iam-create-role/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-iam-create-role/tsconfig.json
+++ b/src/lib/custom-resources/cdk-iam-create-role/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-iam-password-policy/README.md b/src/lib/custom-resources/cdk-iam-password-policy/README.md
index b00e96636..fb94df485 100644
--- a/src/lib/custom-resources/cdk-iam-password-policy/README.md
+++ b/src/lib/custom-resources/cdk-iam-password-policy/README.md
@@ -1,29 +1,29 @@
-# IAM set/update password policy
-
-This is a custom resource to set/update the iam password policy of each account using the `updateAccountPasswordPolicy` API call.
-
-## Usage
-
- import { IamPasswordPolicy } from '@aws-accelerator/custom-resource-iam-password-policy';
-
- const allowUsersToChangePassword = ...;
- const hardExpiry = ...;
- const requireUppercaseCharacters = ...;
- const requireLowercaseCharacters = ...;
- const requireSymbols = ...;
- const requireNumbers = ...;
- const minimumPasswordLength = ...;
- const passwordReusePrevention = ...;
- const maxPasswordAge = ...;
-
- new IamPasswordPolicy(this, 'IamPasswordPolicy', {
- allowUsersToChangePassword,
- hardExpiry,
- requireUppercaseCharacters,
- requireLowercaseCharacters,
- requireSymbols,
- requireNumbers,
- minimumPasswordLength,
- passwordReusePrevention,
- maxPasswordAge,
- });
+# IAM set/update password policy
+
+This is a custom resource to set/update the iam password policy of each account using the `updateAccountPasswordPolicy` API call.
+
+## Usage
+
+ import { IamPasswordPolicy } from '@aws-accelerator/custom-resource-iam-password-policy';
+
+ const allowUsersToChangePassword = ...;
+ const hardExpiry = ...;
+ const requireUppercaseCharacters = ...;
+ const requireLowercaseCharacters = ...;
+ const requireSymbols = ...;
+ const requireNumbers = ...;
+ const minimumPasswordLength = ...;
+ const passwordReusePrevention = ...;
+ const maxPasswordAge = ...;
+
+ new IamPasswordPolicy(this, 'IamPasswordPolicy', {
+ allowUsersToChangePassword,
+ hardExpiry,
+ requireUppercaseCharacters,
+ requireLowercaseCharacters,
+ requireSymbols,
+ requireNumbers,
+ minimumPasswordLength,
+ passwordReusePrevention,
+ maxPasswordAge,
+ });
diff --git a/src/lib/custom-resources/cdk-iam-password-policy/package.json b/src/lib/custom-resources/cdk-iam-password-policy/package.json
index b37e3fecb..e49f19bd8 100644
--- a/src/lib/custom-resources/cdk-iam-password-policy/package.json
+++ b/src/lib/custom-resources/cdk-iam-password-policy/package.json
@@ -1,23 +1,23 @@
-{
- "name": "@aws-accelerator/custom-resource-iam-password-policy",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0"
- },
- "devDependencies": {
- "tslint": "6.1.0",
- "ts-node": "6.2.0",
- "tslint-config-standard": "9.0.0",
- "tslint-config-prettier": "1.18.0",
- "@aws-accelerator/custom-resource-iam-password-policy-runtime": "workspace:^0.0.1",
- "typescript": "3.8.3",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-iam-password-policy",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint": "6.1.0",
+ "ts-node": "6.2.0",
+ "tslint-config-standard": "9.0.0",
+ "tslint-config-prettier": "1.18.0",
+ "@aws-accelerator/custom-resource-iam-password-policy-runtime": "workspace:^0.0.1",
+ "typescript": "3.8.3",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-iam-password-policy/runtime/.gitignore b/src/lib/custom-resources/cdk-iam-password-policy/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-iam-password-policy/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-iam-password-policy/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-iam-password-policy/runtime/package.json b/src/lib/custom-resources/cdk-iam-password-policy/runtime/package.json
index 837c387f6..6098426db 100644
--- a/src/lib/custom-resources/cdk-iam-password-policy/runtime/package.json
+++ b/src/lib/custom-resources/cdk-iam-password-policy/runtime/package.json
@@ -1,29 +1,29 @@
-{
- "name": "@aws-accelerator/custom-resource-iam-password-policy-runtime",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-sdk": "2.668.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-iam-password-policy-runtime",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-sdk": "2.668.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-iam-password-policy/runtime/tsconfig.json b/src/lib/custom-resources/cdk-iam-password-policy/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-iam-password-policy/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-iam-password-policy/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-iam-password-policy/tsconfig.json b/src/lib/custom-resources/cdk-iam-password-policy/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-iam-password-policy/tsconfig.json
+++ b/src/lib/custom-resources/cdk-iam-password-policy/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-kms-grant/README.md b/src/lib/custom-resources/cdk-kms-grant/README.md
index b2ff54e8e..5ffb48820 100644
--- a/src/lib/custom-resources/cdk-kms-grant/README.md
+++ b/src/lib/custom-resources/cdk-kms-grant/README.md
@@ -1,13 +1,13 @@
-# KMS Grant
-
-This is a custom resource to generate a KMS grant.
-
-## Usage
-
- import { Grant } from '@aws-accelerator/custom-resource-kms-grant';
-
- const grant = new Grant(scope, `Grant`, {
- granteePrincipal: principal,
- key: kmsKey,
- operations: [GrantOperation.DECRYPT],
- });
+# KMS Grant
+
+This is a custom resource to generate a KMS grant.
+
+## Usage
+
+ import { Grant } from '@aws-accelerator/custom-resource-kms-grant';
+
+ const grant = new Grant(scope, `Grant`, {
+ granteePrincipal: principal,
+ key: kmsKey,
+ operations: [GrantOperation.DECRYPT],
+ });
diff --git a/src/lib/custom-resources/cdk-kms-grant/package.json b/src/lib/custom-resources/cdk-kms-grant/package.json
index ed946c7d1..f00497981 100644
--- a/src/lib/custom-resources/cdk-kms-grant/package.json
+++ b/src/lib/custom-resources/cdk-kms-grant/package.json
@@ -1,27 +1,27 @@
-{
- "name": "@aws-accelerator/custom-resource-kms-grant",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/aws-lambda": "^1.46.0",
- "@aws-cdk/aws-kms": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0",
- "@aws-cdk/aws-kms": "1.46.0"
- },
- "devDependencies": {
- "tslint": "6.1.0",
- "ts-node": "6.2.0",
- "tslint-config-standard": "9.0.0",
- "@aws-accelerator/custom-resource-kms-grant-runtime": "workspace:^0.0.1",
- "tslint-config-prettier": "1.18.0",
- "typescript": "3.8.3",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-kms-grant",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/aws-lambda": "^1.46.0",
+ "@aws-cdk/aws-kms": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0",
+ "@aws-cdk/aws-kms": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint": "6.1.0",
+ "ts-node": "6.2.0",
+ "tslint-config-standard": "9.0.0",
+ "@aws-accelerator/custom-resource-kms-grant-runtime": "workspace:^0.0.1",
+ "tslint-config-prettier": "1.18.0",
+ "typescript": "3.8.3",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-kms-grant/runtime/.gitignore b/src/lib/custom-resources/cdk-kms-grant/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-kms-grant/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-kms-grant/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-kms-grant/runtime/package.json b/src/lib/custom-resources/cdk-kms-grant/runtime/package.json
index 0f256dfce..3d8c6756d 100644
--- a/src/lib/custom-resources/cdk-kms-grant/runtime/package.json
+++ b/src/lib/custom-resources/cdk-kms-grant/runtime/package.json
@@ -1,29 +1,29 @@
-{
- "name": "@aws-accelerator/custom-resource-kms-grant-runtime",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-sdk": "2.668.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-kms-grant-runtime",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-sdk": "2.668.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-kms-grant/runtime/tsconfig.json b/src/lib/custom-resources/cdk-kms-grant/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-kms-grant/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-kms-grant/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-kms-grant/tsconfig.json b/src/lib/custom-resources/cdk-kms-grant/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-kms-grant/tsconfig.json
+++ b/src/lib/custom-resources/cdk-kms-grant/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-logs-log-group/README.md b/src/lib/custom-resources/cdk-logs-log-group/README.md
index 75ab26843..3d8c227a3 100644
--- a/src/lib/custom-resources/cdk-logs-log-group/README.md
+++ b/src/lib/custom-resources/cdk-logs-log-group/README.md
@@ -1,13 +1,13 @@
-# CloudWatch Log Group
-
-This is a custom resource to create a log group using the CloudWatch `CreateLogGroup` API call. The difference with the
-built-in `Logs::LogGroup` resource is that this resource succeeds when the log group already exists.
-
-## Usage
-
- import { LogGroup } from '@aws-accelerator/custom-resource-logs-log-group';
-
- new LogGroup(this, 'LogGroup', {
- logGroupName: 'MicrosoftAD',
- retention: 1,
- });
+# CloudWatch Log Group
+
+This is a custom resource to create a log group using the CloudWatch `CreateLogGroup` API call. The difference with the
+built-in `Logs::LogGroup` resource is that this resource succeeds when the log group already exists.
+
+## Usage
+
+ import { LogGroup } from '@aws-accelerator/custom-resource-logs-log-group';
+
+ new LogGroup(this, 'LogGroup', {
+ logGroupName: 'MicrosoftAD',
+ retention: 1,
+ });
diff --git a/src/lib/custom-resources/cdk-logs-log-group/package.json b/src/lib/custom-resources/cdk-logs-log-group/package.json
index c7b9d83e9..13f116306 100644
--- a/src/lib/custom-resources/cdk-logs-log-group/package.json
+++ b/src/lib/custom-resources/cdk-logs-log-group/package.json
@@ -1,26 +1,26 @@
-{
- "name": "@aws-accelerator/custom-resource-logs-log-group",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/aws-lambda": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0"
- },
- "devDependencies": {
- "@aws-accelerator/custom-resource-ec2-keypair-runtime": "workspace:^0.0.1",
- "tslint": "6.1.0",
- "ts-node": "6.2.0",
- "tslint-config-standard": "9.0.0",
- "tslint-config-prettier": "1.18.0",
- "typescript": "3.8.3",
- "@aws-accelerator/custom-resource-logs-log-group-runtime": "workspace:^0.0.1",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-logs-log-group",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/aws-lambda": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0"
+ },
+ "devDependencies": {
+ "@aws-accelerator/custom-resource-ec2-keypair-runtime": "workspace:^0.0.1",
+ "tslint": "6.1.0",
+ "ts-node": "6.2.0",
+ "tslint-config-standard": "9.0.0",
+ "tslint-config-prettier": "1.18.0",
+ "typescript": "3.8.3",
+ "@aws-accelerator/custom-resource-logs-log-group-runtime": "workspace:^0.0.1",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-logs-log-group/runtime/.gitignore b/src/lib/custom-resources/cdk-logs-log-group/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-logs-log-group/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-logs-log-group/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-logs-log-group/runtime/package.json b/src/lib/custom-resources/cdk-logs-log-group/runtime/package.json
index 5982f28ce..035069c6f 100644
--- a/src/lib/custom-resources/cdk-logs-log-group/runtime/package.json
+++ b/src/lib/custom-resources/cdk-logs-log-group/runtime/package.json
@@ -1,31 +1,31 @@
-{
- "name": "@aws-accelerator/custom-resource-logs-log-group-runtime",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-tags": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-cfn-utils": "workspace:^0.0.1",
- "aws-sdk": "2.668.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-logs-log-group-runtime",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-tags": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-cfn-utils": "workspace:^0.0.1",
+ "aws-sdk": "2.668.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-logs-log-group/runtime/tsconfig.json b/src/lib/custom-resources/cdk-logs-log-group/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-logs-log-group/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-logs-log-group/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-logs-log-group/tsconfig.json b/src/lib/custom-resources/cdk-logs-log-group/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-logs-log-group/tsconfig.json
+++ b/src/lib/custom-resources/cdk-logs-log-group/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-logs-resource-policy/README.md b/src/lib/custom-resources/cdk-logs-resource-policy/README.md
index 820a908c4..988b8a4d9 100644
--- a/src/lib/custom-resources/cdk-logs-resource-policy/README.md
+++ b/src/lib/custom-resources/cdk-logs-resource-policy/README.md
@@ -1,27 +1,27 @@
-# CloudWatch Resource Policy
-
-This is a custom resource to create a log resource policy using the CloudWatch `PutResourcePolicy` API call.
-
-## Usage
-
- import { LogResourcePolicy } from '@aws-accelerator/custom-resource-logs-resource-policy';
-
- const logGroup = ...;
-
- new LogResourcePolicy(this, 'LogGroupPolicy', {
- policyName: 'DsLogSubscription',
- policyStatements: [
- new iam.PolicyStatement({
- actions: ['logs:CreateLogStream', 'logs:PutLogEvents'],
- principals: [new iam.ServicePrincipal('ds.amazonaws.com')],
- resources: [logGroup.logGroupArn],
- }),
- ],
- });
-
-## To-do
-
-Some improvements can still be made to this resource.
-
-- We will end up without log resource policy when we create two `LogResourcePolicy` with the same name and then
-delete one of both.
+# CloudWatch Resource Policy
+
+This is a custom resource to create a log resource policy using the CloudWatch `PutResourcePolicy` API call.
+
+## Usage
+
+ import { LogResourcePolicy } from '@aws-accelerator/custom-resource-logs-resource-policy';
+
+ const logGroup = ...;
+
+ new LogResourcePolicy(this, 'LogGroupPolicy', {
+ policyName: 'DsLogSubscription',
+ policyStatements: [
+ new iam.PolicyStatement({
+ actions: ['logs:CreateLogStream', 'logs:PutLogEvents'],
+ principals: [new iam.ServicePrincipal('ds.amazonaws.com')],
+ resources: [logGroup.logGroupArn],
+ }),
+ ],
+ });
+
+## To-do
+
+Some improvements can still be made to this resource.
+
+- We will end up without log resource policy when we create two `LogResourcePolicy` with the same name and then
+delete one of both.
diff --git a/src/lib/custom-resources/cdk-logs-resource-policy/package.json b/src/lib/custom-resources/cdk-logs-resource-policy/package.json
index b9f28b8d5..96796bf6d 100644
--- a/src/lib/custom-resources/cdk-logs-resource-policy/package.json
+++ b/src/lib/custom-resources/cdk-logs-resource-policy/package.json
@@ -1,25 +1,25 @@
-{
- "name": "@aws-accelerator/custom-resource-logs-resource-policy",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/custom-resources": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/custom-resources": "1.46.0"
- },
- "devDependencies": {
- "tslint": "6.1.0",
- "typescript": "3.8.3",
- "tslint-config-standard": "9.0.0",
- "tslint-config-prettier": "1.18.0",
- "ts-node": "6.2.0",
- "@types/node": "12.12.6"
- }
-
+{
+ "name": "@aws-accelerator/custom-resource-logs-resource-policy",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/custom-resources": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/custom-resources": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint": "6.1.0",
+ "typescript": "3.8.3",
+ "tslint-config-standard": "9.0.0",
+ "tslint-config-prettier": "1.18.0",
+ "ts-node": "6.2.0",
+ "@types/node": "12.12.6"
+ }
+
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-logs-resource-policy/tsconfig.json b/src/lib/custom-resources/cdk-logs-resource-policy/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-logs-resource-policy/tsconfig.json
+++ b/src/lib/custom-resources/cdk-logs-resource-policy/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-macie-create-member/README.md b/src/lib/custom-resources/cdk-macie-create-member/README.md
index e16e96a13..3c1d9ad28 100644
--- a/src/lib/custom-resources/cdk-macie-create-member/README.md
+++ b/src/lib/custom-resources/cdk-macie-create-member/README.md
@@ -1,17 +1,17 @@
-# Add Macie member account
-
-This is a custom resource to add Macie member account using `createMember` API call.
-
-## Usage
-
- // Add org members to Macie except Macie master account
- const accountDetails = accounts.map(account => ({
- accountId: account.id,
- email: account.email,
- }));
- for (const [index, account] of Object.entries(accountDetails)) {
- if (account.accountId !== masterAccountId) {
- const members = new MacieCreateMember(masterAccountStack, `MacieCreateMember${index}`, account);
- }
- }
-
+# Add Macie member account
+
+This is a custom resource to add Macie member account using `createMember` API call.
+
+## Usage
+
+ // Add org members to Macie except Macie master account
+ const accountDetails = accounts.map(account => ({
+ accountId: account.id,
+ email: account.email,
+ }));
+ for (const [index, account] of Object.entries(accountDetails)) {
+ if (account.accountId !== masterAccountId) {
+ const members = new MacieCreateMember(masterAccountStack, `MacieCreateMember${index}`, account);
+ }
+ }
+
diff --git a/src/lib/custom-resources/cdk-macie-create-member/package.json b/src/lib/custom-resources/cdk-macie-create-member/package.json
index 8120bc16e..a4d05f2bb 100644
--- a/src/lib/custom-resources/cdk-macie-create-member/package.json
+++ b/src/lib/custom-resources/cdk-macie-create-member/package.json
@@ -1,49 +1,49 @@
-{
- "name": "@aws-accelerator/custom-resource-macie-create-member",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/custom-resources": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "jest": {
- "testEnvironment": "node",
- "preset": "ts-jest"
- },
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0",
- "@aws-cdk/custom-resources": "1.46.0"
- },
- "devDependencies": {
- "tslint-config-standard": "9.0.0",
- "@types/aws-lambda": "8.10.46",
- "@aws-accelerator/custom-resource-macie-create-member-runtime": "workspace:^0.0.1",
- "babel-loader": "8.1.0",
- "@babel/core": "7.9.0",
- "jest": "25.2.4",
- "@babel/plugin-proposal-class-properties": "7.8.3",
- "@babel/plugin-transform-typescript": "7.9.4",
- "webpack": "4.42.1",
- "prettier": "1.19.1",
- "webpack-cli": "3.3.11",
- "@babel/preset-env": "7.9.0",
- "typescript": "3.8.3",
- "@babel/preset-typescript": "7.9.0",
- "glob": "7.1.6",
- "@types/webpack": "4.41.8",
- "ts-node": "6.2.0",
- "@types/jest": "25.1.4",
- "tslint": "6.1.0",
- "fork-ts-checker-webpack-plugin": "4.1.1",
- "@types/adm-zip": "0.4.32",
- "babel-jest": "25.2.0",
- "tslint-config-prettier": "1.18.0",
- "@types/cfn-response": "1.0.3",
- "ts-jest": "25.3.0",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-macie-create-member",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/custom-resources": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "jest": {
+ "testEnvironment": "node",
+ "preset": "ts-jest"
+ },
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0",
+ "@aws-cdk/custom-resources": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint-config-standard": "9.0.0",
+ "@types/aws-lambda": "8.10.46",
+ "@aws-accelerator/custom-resource-macie-create-member-runtime": "workspace:^0.0.1",
+ "babel-loader": "8.1.0",
+ "@babel/core": "7.9.0",
+ "jest": "25.2.4",
+ "@babel/plugin-proposal-class-properties": "7.8.3",
+ "@babel/plugin-transform-typescript": "7.9.4",
+ "webpack": "4.42.1",
+ "prettier": "1.19.1",
+ "webpack-cli": "3.3.11",
+ "@babel/preset-env": "7.9.0",
+ "typescript": "3.8.3",
+ "@babel/preset-typescript": "7.9.0",
+ "glob": "7.1.6",
+ "@types/webpack": "4.41.8",
+ "ts-node": "6.2.0",
+ "@types/jest": "25.1.4",
+ "tslint": "6.1.0",
+ "fork-ts-checker-webpack-plugin": "4.1.1",
+ "@types/adm-zip": "0.4.32",
+ "babel-jest": "25.2.0",
+ "tslint-config-prettier": "1.18.0",
+ "@types/cfn-response": "1.0.3",
+ "ts-jest": "25.3.0",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-macie-create-member/runtime/.gitignore b/src/lib/custom-resources/cdk-macie-create-member/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-macie-create-member/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-macie-create-member/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-macie-create-member/runtime/package.json b/src/lib/custom-resources/cdk-macie-create-member/runtime/package.json
index cbfa11de3..ea26631cb 100644
--- a/src/lib/custom-resources/cdk-macie-create-member/runtime/package.json
+++ b/src/lib/custom-resources/cdk-macie-create-member/runtime/package.json
@@ -1,28 +1,28 @@
-{
- "name": "@aws-accelerator/custom-resource-macie-create-member-runtime",
- "externals": [
- "aws-lambda"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-sdk": "2.710.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-macie-create-member-runtime",
+ "externals": [
+ "aws-lambda"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-sdk": "2.710.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-macie-create-member/runtime/tsconfig.json b/src/lib/custom-resources/cdk-macie-create-member/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-macie-create-member/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-macie-create-member/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-macie-create-member/tsconfig.json b/src/lib/custom-resources/cdk-macie-create-member/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-macie-create-member/tsconfig.json
+++ b/src/lib/custom-resources/cdk-macie-create-member/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-macie-enable-admin/README.md b/src/lib/custom-resources/cdk-macie-enable-admin/README.md
index 189107d3e..ee59694b0 100644
--- a/src/lib/custom-resources/cdk-macie-enable-admin/README.md
+++ b/src/lib/custom-resources/cdk-macie-enable-admin/README.md
@@ -1,18 +1,18 @@
-# Enable Macie admin account
-
-This is a custom resource to delegate Macie admin account using `EnableOrganizationAdminAccount` API call.
-
-## Usage
-
- // Enable Macie admin account for all regions
- regions?.map(region => {
- // Guard duty need to be enabled from master account of the organization
- const masterAccountStack = accountStacks.getOrCreateAccountStack(masterOrgKey, region);
-
- if (masterAccountId) {
- const admin = new MacieEnableAdmin(masterAccountStack, 'GuardDutyAdmin', {
- accountId: masterAccountId,
- });
- }
- });
-
+# Enable Macie admin account
+
+This is a custom resource to delegate Macie admin account using `EnableOrganizationAdminAccount` API call.
+
+## Usage
+
+ // Enable Macie admin account for all regions
+ regions?.map(region => {
+ // Guard duty need to be enabled from master account of the organization
+ const masterAccountStack = accountStacks.getOrCreateAccountStack(masterOrgKey, region);
+
+ if (masterAccountId) {
+ const admin = new MacieEnableAdmin(masterAccountStack, 'GuardDutyAdmin', {
+ accountId: masterAccountId,
+ });
+ }
+ });
+
diff --git a/src/lib/custom-resources/cdk-macie-enable-admin/package.json b/src/lib/custom-resources/cdk-macie-enable-admin/package.json
index 8f5c01222..f6da391a2 100644
--- a/src/lib/custom-resources/cdk-macie-enable-admin/package.json
+++ b/src/lib/custom-resources/cdk-macie-enable-admin/package.json
@@ -1,50 +1,50 @@
-{
- "name": "@aws-accelerator/custom-resource-macie-enable-admin",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/custom-resources": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "jest": {
- "testEnvironment": "node",
- "preset": "ts-jest"
- },
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0",
- "@aws-cdk/custom-resources": "1.46.0"
- },
- "devDependencies": {
- "@aws-accelerator/custom-resource-macie-enable-admin-runtime": "workspace:^0.0.1",
- "tslint-config-standard": "9.0.0",
- "@types/aws-lambda": "8.10.46",
- "babel-loader": "8.1.0",
- "@babel/core": "7.9.0",
- "jest": "25.2.4",
- "@babel/plugin-proposal-class-properties": "7.8.3",
- "@babel/plugin-transform-typescript": "7.9.4",
- "webpack": "4.42.1",
- "prettier": "1.19.1",
- "webpack-cli": "3.3.11",
- "@babel/preset-env": "7.9.0",
- "typescript": "3.8.3",
- "@babel/preset-typescript": "7.9.0",
- "glob": "7.1.6",
- "@types/webpack": "4.41.8",
- "ts-node": "6.2.0",
- "@types/jest": "25.1.4",
- "tslint": "6.1.0",
- "fork-ts-checker-webpack-plugin": "4.1.1",
- "@types/adm-zip": "0.4.32",
- "babel-jest": "25.2.0",
- "tslint-config-prettier": "1.18.0",
- "@types/cfn-response": "1.0.3",
- "ts-jest": "25.3.0",
- "@types/node": "12.12.6"
- }
-
+{
+ "name": "@aws-accelerator/custom-resource-macie-enable-admin",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/custom-resources": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "jest": {
+ "testEnvironment": "node",
+ "preset": "ts-jest"
+ },
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0",
+ "@aws-cdk/custom-resources": "1.46.0"
+ },
+ "devDependencies": {
+ "@aws-accelerator/custom-resource-macie-enable-admin-runtime": "workspace:^0.0.1",
+ "tslint-config-standard": "9.0.0",
+ "@types/aws-lambda": "8.10.46",
+ "babel-loader": "8.1.0",
+ "@babel/core": "7.9.0",
+ "jest": "25.2.4",
+ "@babel/plugin-proposal-class-properties": "7.8.3",
+ "@babel/plugin-transform-typescript": "7.9.4",
+ "webpack": "4.42.1",
+ "prettier": "1.19.1",
+ "webpack-cli": "3.3.11",
+ "@babel/preset-env": "7.9.0",
+ "typescript": "3.8.3",
+ "@babel/preset-typescript": "7.9.0",
+ "glob": "7.1.6",
+ "@types/webpack": "4.41.8",
+ "ts-node": "6.2.0",
+ "@types/jest": "25.1.4",
+ "tslint": "6.1.0",
+ "fork-ts-checker-webpack-plugin": "4.1.1",
+ "@types/adm-zip": "0.4.32",
+ "babel-jest": "25.2.0",
+ "tslint-config-prettier": "1.18.0",
+ "@types/cfn-response": "1.0.3",
+ "ts-jest": "25.3.0",
+ "@types/node": "12.12.6"
+ }
+
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-macie-enable-admin/runtime/.gitignore b/src/lib/custom-resources/cdk-macie-enable-admin/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-macie-enable-admin/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-macie-enable-admin/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-macie-enable-admin/runtime/package.json b/src/lib/custom-resources/cdk-macie-enable-admin/runtime/package.json
index df79f0f47..1be2941d2 100644
--- a/src/lib/custom-resources/cdk-macie-enable-admin/runtime/package.json
+++ b/src/lib/custom-resources/cdk-macie-enable-admin/runtime/package.json
@@ -1,28 +1,28 @@
-{
- "name": "@aws-accelerator/custom-resource-macie-enable-admin-runtime",
- "externals": [
- "aws-lambda"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-sdk": "2.710.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-macie-enable-admin-runtime",
+ "externals": [
+ "aws-lambda"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-sdk": "2.710.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-macie-enable-admin/runtime/tsconfig.json b/src/lib/custom-resources/cdk-macie-enable-admin/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-macie-enable-admin/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-macie-enable-admin/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-macie-enable-admin/tsconfig.json b/src/lib/custom-resources/cdk-macie-enable-admin/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-macie-enable-admin/tsconfig.json
+++ b/src/lib/custom-resources/cdk-macie-enable-admin/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-macie-enable/README.md b/src/lib/custom-resources/cdk-macie-enable/README.md
index e321dbfae..d603c40d8 100644
--- a/src/lib/custom-resources/cdk-macie-enable/README.md
+++ b/src/lib/custom-resources/cdk-macie-enable/README.md
@@ -1,11 +1,11 @@
-# Enable Macie for an account
-
-This is a custom resource to enable Macie using `enableMacie` API call.
-
-## Usage
-
- const enable = new MacieEnable(masterAccountStack, 'MacieEnable', {
- findingPublishingFrequency,
- status: MacieStatus.ENABLED,
- });
-
+# Enable Macie for an account
+
+This is a custom resource to enable Macie using `enableMacie` API call.
+
+## Usage
+
+ const enable = new MacieEnable(masterAccountStack, 'MacieEnable', {
+ findingPublishingFrequency,
+ status: MacieStatus.ENABLED,
+ });
+
diff --git a/src/lib/custom-resources/cdk-macie-enable/package.json b/src/lib/custom-resources/cdk-macie-enable/package.json
index 4e1e9239e..495ac6c44 100644
--- a/src/lib/custom-resources/cdk-macie-enable/package.json
+++ b/src/lib/custom-resources/cdk-macie-enable/package.json
@@ -1,49 +1,49 @@
-{
- "name": "@aws-accelerator/custom-resource-macie-enable",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/custom-resources": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "jest": {
- "testEnvironment": "node",
- "preset": "ts-jest"
- },
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0",
- "@aws-cdk/custom-resources": "1.46.0"
- },
- "devDependencies": {
- "tslint-config-standard": "9.0.0",
- "@types/aws-lambda": "8.10.46",
- "babel-loader": "8.1.0",
- "@babel/core": "7.9.0",
- "jest": "25.2.4",
- "@babel/plugin-proposal-class-properties": "7.8.3",
- "@babel/plugin-transform-typescript": "7.9.4",
- "webpack": "4.42.1",
- "prettier": "1.19.1",
- "webpack-cli": "3.3.11",
- "@babel/preset-env": "7.9.0",
- "typescript": "3.8.3",
- "@babel/preset-typescript": "7.9.0",
- "glob": "7.1.6",
- "@aws-accelerator/custom-resource-macie-enable-runtime": "workspace:^0.0.1",
- "@types/webpack": "4.41.8",
- "ts-node": "6.2.0",
- "@types/jest": "25.1.4",
- "tslint": "6.1.0",
- "fork-ts-checker-webpack-plugin": "4.1.1",
- "@types/adm-zip": "0.4.32",
- "babel-jest": "25.2.0",
- "tslint-config-prettier": "1.18.0",
- "@types/cfn-response": "1.0.3",
- "ts-jest": "25.3.0",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-macie-enable",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/custom-resources": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "jest": {
+ "testEnvironment": "node",
+ "preset": "ts-jest"
+ },
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0",
+ "@aws-cdk/custom-resources": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint-config-standard": "9.0.0",
+ "@types/aws-lambda": "8.10.46",
+ "babel-loader": "8.1.0",
+ "@babel/core": "7.9.0",
+ "jest": "25.2.4",
+ "@babel/plugin-proposal-class-properties": "7.8.3",
+ "@babel/plugin-transform-typescript": "7.9.4",
+ "webpack": "4.42.1",
+ "prettier": "1.19.1",
+ "webpack-cli": "3.3.11",
+ "@babel/preset-env": "7.9.0",
+ "typescript": "3.8.3",
+ "@babel/preset-typescript": "7.9.0",
+ "glob": "7.1.6",
+ "@aws-accelerator/custom-resource-macie-enable-runtime": "workspace:^0.0.1",
+ "@types/webpack": "4.41.8",
+ "ts-node": "6.2.0",
+ "@types/jest": "25.1.4",
+ "tslint": "6.1.0",
+ "fork-ts-checker-webpack-plugin": "4.1.1",
+ "@types/adm-zip": "0.4.32",
+ "babel-jest": "25.2.0",
+ "tslint-config-prettier": "1.18.0",
+ "@types/cfn-response": "1.0.3",
+ "ts-jest": "25.3.0",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-macie-enable/runtime/.gitignore b/src/lib/custom-resources/cdk-macie-enable/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-macie-enable/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-macie-enable/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-macie-enable/runtime/package.json b/src/lib/custom-resources/cdk-macie-enable/runtime/package.json
index 6e385751b..836588255 100644
--- a/src/lib/custom-resources/cdk-macie-enable/runtime/package.json
+++ b/src/lib/custom-resources/cdk-macie-enable/runtime/package.json
@@ -1,28 +1,28 @@
-{
- "name": "@aws-accelerator/custom-resource-macie-enable-runtime",
- "externals": [
- "aws-lambda"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-sdk": "2.710.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-macie-enable-runtime",
+ "externals": [
+ "aws-lambda"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-sdk": "2.710.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-macie-enable/runtime/tsconfig.json b/src/lib/custom-resources/cdk-macie-enable/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-macie-enable/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-macie-enable/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-macie-enable/tsconfig.json b/src/lib/custom-resources/cdk-macie-enable/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-macie-enable/tsconfig.json
+++ b/src/lib/custom-resources/cdk-macie-enable/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-macie-export-config/README.md b/src/lib/custom-resources/cdk-macie-export-config/README.md
index 3766a64c2..46f4d9929 100644
--- a/src/lib/custom-resources/cdk-macie-export-config/README.md
+++ b/src/lib/custom-resources/cdk-macie-export-config/README.md
@@ -1,16 +1,16 @@
-# Update Macie Export config
-
-This is a custom resource to update Macie export config from `putClassificationExportConfiguration` API call.
-
-## Usage
-
- regions.map(region => {
- const masterAccountStack = accountStacks.getOrCreateAccountStack(masterAccountKey, region);
- // configure export S3 bucket
- new MacieExportConfig(masterAccountStack, 'MacieExportConfig', {
- bucketName: masterBucket.bucketName,
- keyPrefix: `${masterAccountId}/${region}/macie`,
- kmsKeyArn: masterBucket.encryptionKey?.keyArn,
- });
- });
-
+# Update Macie Export config
+
+This is a custom resource to update Macie export config from `putClassificationExportConfiguration` API call.
+
+## Usage
+
+ regions.map(region => {
+ const masterAccountStack = accountStacks.getOrCreateAccountStack(masterAccountKey, region);
+ // configure export S3 bucket
+ new MacieExportConfig(masterAccountStack, 'MacieExportConfig', {
+ bucketName: masterBucket.bucketName,
+ keyPrefix: `${masterAccountId}/${region}/macie`,
+ kmsKeyArn: masterBucket.encryptionKey?.keyArn,
+ });
+ });
+
diff --git a/src/lib/custom-resources/cdk-macie-export-config/package.json b/src/lib/custom-resources/cdk-macie-export-config/package.json
index effb38c3d..3e1a04791 100644
--- a/src/lib/custom-resources/cdk-macie-export-config/package.json
+++ b/src/lib/custom-resources/cdk-macie-export-config/package.json
@@ -1,49 +1,49 @@
-{
- "name": "@aws-accelerator/custom-resource-macie-export-config",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/custom-resources": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "jest": {
- "testEnvironment": "node",
- "preset": "ts-jest"
- },
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0",
- "@aws-cdk/custom-resources": "1.46.0"
- },
- "devDependencies": {
- "tslint-config-standard": "9.0.0",
- "@types/aws-lambda": "8.10.46",
- "babel-loader": "8.1.0",
- "@babel/core": "7.9.0",
- "jest": "25.2.4",
- "@babel/plugin-proposal-class-properties": "7.8.3",
- "@babel/plugin-transform-typescript": "7.9.4",
- "webpack": "4.42.1",
- "prettier": "1.19.1",
- "webpack-cli": "3.3.11",
- "@babel/preset-env": "7.9.0",
- "typescript": "3.8.3",
- "@babel/preset-typescript": "7.9.0",
- "glob": "7.1.6",
- "@types/webpack": "4.41.8",
- "ts-node": "6.2.0",
- "@types/jest": "25.1.4",
- "tslint": "6.1.0",
- "fork-ts-checker-webpack-plugin": "4.1.1",
- "@types/adm-zip": "0.4.32",
- "babel-jest": "25.2.0",
- "tslint-config-prettier": "1.18.0",
- "@aws-accelerator/custom-resource-macie-export-config-runtime": "workspace:^0.0.1",
- "@types/cfn-response": "1.0.3",
- "ts-jest": "25.3.0",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-macie-export-config",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/custom-resources": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "jest": {
+ "testEnvironment": "node",
+ "preset": "ts-jest"
+ },
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0",
+ "@aws-cdk/custom-resources": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint-config-standard": "9.0.0",
+ "@types/aws-lambda": "8.10.46",
+ "babel-loader": "8.1.0",
+ "@babel/core": "7.9.0",
+ "jest": "25.2.4",
+ "@babel/plugin-proposal-class-properties": "7.8.3",
+ "@babel/plugin-transform-typescript": "7.9.4",
+ "webpack": "4.42.1",
+ "prettier": "1.19.1",
+ "webpack-cli": "3.3.11",
+ "@babel/preset-env": "7.9.0",
+ "typescript": "3.8.3",
+ "@babel/preset-typescript": "7.9.0",
+ "glob": "7.1.6",
+ "@types/webpack": "4.41.8",
+ "ts-node": "6.2.0",
+ "@types/jest": "25.1.4",
+ "tslint": "6.1.0",
+ "fork-ts-checker-webpack-plugin": "4.1.1",
+ "@types/adm-zip": "0.4.32",
+ "babel-jest": "25.2.0",
+ "tslint-config-prettier": "1.18.0",
+ "@aws-accelerator/custom-resource-macie-export-config-runtime": "workspace:^0.0.1",
+ "@types/cfn-response": "1.0.3",
+ "ts-jest": "25.3.0",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-macie-export-config/runtime/.gitignore b/src/lib/custom-resources/cdk-macie-export-config/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-macie-export-config/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-macie-export-config/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-macie-export-config/runtime/package.json b/src/lib/custom-resources/cdk-macie-export-config/runtime/package.json
index 392073422..71681d661 100644
--- a/src/lib/custom-resources/cdk-macie-export-config/runtime/package.json
+++ b/src/lib/custom-resources/cdk-macie-export-config/runtime/package.json
@@ -1,29 +1,29 @@
-{
- "name": "@aws-accelerator/custom-resource-macie-export-config-runtime",
- "externals": [
- "aws-lambda"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-cfn-utils": "workspace:^0.0.1",
- "aws-sdk": "2.710.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-macie-export-config-runtime",
+ "externals": [
+ "aws-lambda"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-cfn-utils": "workspace:^0.0.1",
+ "aws-sdk": "2.710.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-macie-export-config/runtime/tsconfig.json b/src/lib/custom-resources/cdk-macie-export-config/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-macie-export-config/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-macie-export-config/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-macie-export-config/tsconfig.json b/src/lib/custom-resources/cdk-macie-export-config/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-macie-export-config/tsconfig.json
+++ b/src/lib/custom-resources/cdk-macie-export-config/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-macie-update-config/README.md b/src/lib/custom-resources/cdk-macie-update-config/README.md
index 18e98af43..ceb0142dc 100644
--- a/src/lib/custom-resources/cdk-macie-update-config/README.md
+++ b/src/lib/custom-resources/cdk-macie-update-config/README.md
@@ -1,11 +1,11 @@
-# Update Macie config
-
-This is a custom resource to update Macie config from `UpdateOrganizationConfiguration` API call.
-
-## Usage
-
- // turn on auto enable
- new MacieUpdateConfig(masterAccountStack, 'MacieUpdateConfig', {
- autoEnable: true,
- });
-
+# Update Macie config
+
+This is a custom resource to update Macie config from `UpdateOrganizationConfiguration` API call.
+
+## Usage
+
+ // turn on auto enable
+ new MacieUpdateConfig(masterAccountStack, 'MacieUpdateConfig', {
+ autoEnable: true,
+ });
+
diff --git a/src/lib/custom-resources/cdk-macie-update-config/package.json b/src/lib/custom-resources/cdk-macie-update-config/package.json
index 16a1141fe..b605afd69 100644
--- a/src/lib/custom-resources/cdk-macie-update-config/package.json
+++ b/src/lib/custom-resources/cdk-macie-update-config/package.json
@@ -1,49 +1,49 @@
-{
- "name": "@aws-accelerator/custom-resource-macie-update-config",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/custom-resources": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "jest": {
- "testEnvironment": "node",
- "preset": "ts-jest"
- },
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0",
- "@aws-cdk/custom-resources": "1.46.0"
- },
- "devDependencies": {
- "tslint-config-standard": "9.0.0",
- "@types/aws-lambda": "8.10.46",
- "babel-loader": "8.1.0",
- "@babel/core": "7.9.0",
- "jest": "25.2.4",
- "@babel/plugin-proposal-class-properties": "7.8.3",
- "@babel/plugin-transform-typescript": "7.9.4",
- "webpack": "4.42.1",
- "prettier": "1.19.1",
- "webpack-cli": "3.3.11",
- "@babel/preset-env": "7.9.0",
- "typescript": "3.8.3",
- "@babel/preset-typescript": "7.9.0",
- "glob": "7.1.6",
- "@aws-accelerator/custom-resource-macie-update-config-runtime": "workspace:^0.0.1",
- "@types/webpack": "4.41.8",
- "ts-node": "6.2.0",
- "@types/jest": "25.1.4",
- "tslint": "6.1.0",
- "fork-ts-checker-webpack-plugin": "4.1.1",
- "@types/adm-zip": "0.4.32",
- "babel-jest": "25.2.0",
- "tslint-config-prettier": "1.18.0",
- "@types/cfn-response": "1.0.3",
- "ts-jest": "25.3.0",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-macie-update-config",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/custom-resources": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "jest": {
+ "testEnvironment": "node",
+ "preset": "ts-jest"
+ },
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0",
+ "@aws-cdk/custom-resources": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint-config-standard": "9.0.0",
+ "@types/aws-lambda": "8.10.46",
+ "babel-loader": "8.1.0",
+ "@babel/core": "7.9.0",
+ "jest": "25.2.4",
+ "@babel/plugin-proposal-class-properties": "7.8.3",
+ "@babel/plugin-transform-typescript": "7.9.4",
+ "webpack": "4.42.1",
+ "prettier": "1.19.1",
+ "webpack-cli": "3.3.11",
+ "@babel/preset-env": "7.9.0",
+ "typescript": "3.8.3",
+ "@babel/preset-typescript": "7.9.0",
+ "glob": "7.1.6",
+ "@aws-accelerator/custom-resource-macie-update-config-runtime": "workspace:^0.0.1",
+ "@types/webpack": "4.41.8",
+ "ts-node": "6.2.0",
+ "@types/jest": "25.1.4",
+ "tslint": "6.1.0",
+ "fork-ts-checker-webpack-plugin": "4.1.1",
+ "@types/adm-zip": "0.4.32",
+ "babel-jest": "25.2.0",
+ "tslint-config-prettier": "1.18.0",
+ "@types/cfn-response": "1.0.3",
+ "ts-jest": "25.3.0",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-macie-update-config/runtime/.gitignore b/src/lib/custom-resources/cdk-macie-update-config/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-macie-update-config/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-macie-update-config/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-macie-update-config/runtime/package.json b/src/lib/custom-resources/cdk-macie-update-config/runtime/package.json
index a68f66a09..5434e7bc9 100644
--- a/src/lib/custom-resources/cdk-macie-update-config/runtime/package.json
+++ b/src/lib/custom-resources/cdk-macie-update-config/runtime/package.json
@@ -1,28 +1,28 @@
-{
- "name": "@aws-accelerator/custom-resource-macie-update-config-runtime",
- "externals": [
- "aws-lambda"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-sdk": "2.710.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-macie-update-config-runtime",
+ "externals": [
+ "aws-lambda"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-sdk": "2.710.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-macie-update-config/runtime/tsconfig.json b/src/lib/custom-resources/cdk-macie-update-config/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-macie-update-config/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-macie-update-config/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-macie-update-config/tsconfig.json b/src/lib/custom-resources/cdk-macie-update-config/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-macie-update-config/tsconfig.json
+++ b/src/lib/custom-resources/cdk-macie-update-config/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-macie-update-session/README.md b/src/lib/custom-resources/cdk-macie-update-session/README.md
index e0f5286bc..b4098a6d7 100644
--- a/src/lib/custom-resources/cdk-macie-update-session/README.md
+++ b/src/lib/custom-resources/cdk-macie-update-session/README.md
@@ -1,12 +1,12 @@
-# Update Macie session
-
-This is a custom resource to update Macie session from `updateMacieSession` API call.
-
-## Usage
-
- // update frequency based on config
- new MacieUpdateSession(accountStack, 'MacieUpdateSession', {
- findingPublishingFrequency,
- status: MacieStatus.ENABLED,
- });
-
+# Update Macie session
+
+This is a custom resource to update Macie session from `updateMacieSession` API call.
+
+## Usage
+
+ // update frequency based on config
+ new MacieUpdateSession(accountStack, 'MacieUpdateSession', {
+ findingPublishingFrequency,
+ status: MacieStatus.ENABLED,
+ });
+
diff --git a/src/lib/custom-resources/cdk-macie-update-session/package.json b/src/lib/custom-resources/cdk-macie-update-session/package.json
index fd75bee2e..d23bf6ef4 100644
--- a/src/lib/custom-resources/cdk-macie-update-session/package.json
+++ b/src/lib/custom-resources/cdk-macie-update-session/package.json
@@ -1,50 +1,50 @@
-{
- "name": "@aws-accelerator/custom-resource-macie-update-session",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/custom-resources": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "jest": {
- "testEnvironment": "node",
- "preset": "ts-jest"
- },
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/custom-resources": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0",
- "@aws-cdk/aws-iam": "1.46.0"
- },
- "devDependencies": {
- "tslint-config-standard": "9.0.0",
- "@types/aws-lambda": "8.10.46",
- "babel-loader": "8.1.0",
- "@babel/core": "7.9.0",
- "jest": "25.2.4",
- "@babel/plugin-proposal-class-properties": "7.8.3",
- "@babel/plugin-transform-typescript": "7.9.4",
- "webpack": "4.42.1",
- "prettier": "1.19.1",
- "webpack-cli": "3.3.11",
- "@babel/preset-env": "7.9.0",
- "typescript": "3.8.3",
- "@babel/preset-typescript": "7.9.0",
- "@aws-accelerator/custom-resource-macie-update-session-runtime": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-macie-enable-runtime": "workspace:^0.0.1",
- "glob": "7.1.6",
- "@types/webpack": "4.41.8",
- "ts-node": "6.2.0",
- "@types/jest": "25.1.4",
- "tslint": "6.1.0",
- "fork-ts-checker-webpack-plugin": "4.1.1",
- "@types/adm-zip": "0.4.32",
- "babel-jest": "25.2.0",
- "tslint-config-prettier": "1.18.0",
- "@types/cfn-response": "1.0.3",
- "ts-jest": "25.3.0",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-macie-update-session",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/custom-resources": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "jest": {
+ "testEnvironment": "node",
+ "preset": "ts-jest"
+ },
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/custom-resources": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0",
+ "@aws-cdk/aws-iam": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint-config-standard": "9.0.0",
+ "@types/aws-lambda": "8.10.46",
+ "babel-loader": "8.1.0",
+ "@babel/core": "7.9.0",
+ "jest": "25.2.4",
+ "@babel/plugin-proposal-class-properties": "7.8.3",
+ "@babel/plugin-transform-typescript": "7.9.4",
+ "webpack": "4.42.1",
+ "prettier": "1.19.1",
+ "webpack-cli": "3.3.11",
+ "@babel/preset-env": "7.9.0",
+ "typescript": "3.8.3",
+ "@babel/preset-typescript": "7.9.0",
+ "@aws-accelerator/custom-resource-macie-update-session-runtime": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-macie-enable-runtime": "workspace:^0.0.1",
+ "glob": "7.1.6",
+ "@types/webpack": "4.41.8",
+ "ts-node": "6.2.0",
+ "@types/jest": "25.1.4",
+ "tslint": "6.1.0",
+ "fork-ts-checker-webpack-plugin": "4.1.1",
+ "@types/adm-zip": "0.4.32",
+ "babel-jest": "25.2.0",
+ "tslint-config-prettier": "1.18.0",
+ "@types/cfn-response": "1.0.3",
+ "ts-jest": "25.3.0",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-macie-update-session/runtime/.gitignore b/src/lib/custom-resources/cdk-macie-update-session/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-macie-update-session/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-macie-update-session/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-macie-update-session/runtime/package.json b/src/lib/custom-resources/cdk-macie-update-session/runtime/package.json
index e4671ecd7..8f7b68ad2 100644
--- a/src/lib/custom-resources/cdk-macie-update-session/runtime/package.json
+++ b/src/lib/custom-resources/cdk-macie-update-session/runtime/package.json
@@ -1,29 +1,29 @@
-{
- "name": "@aws-accelerator/custom-resource-macie-update-session-runtime",
- "externals": [
- "aws-lambda"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-macie-enable-runtime": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-sdk": "2.710.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-macie-update-session-runtime",
+ "externals": [
+ "aws-lambda"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-macie-enable-runtime": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-sdk": "2.710.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-macie-update-session/runtime/tsconfig.json b/src/lib/custom-resources/cdk-macie-update-session/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-macie-update-session/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-macie-update-session/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-macie-update-session/tsconfig.json b/src/lib/custom-resources/cdk-macie-update-session/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-macie-update-session/tsconfig.json
+++ b/src/lib/custom-resources/cdk-macie-update-session/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-organization/README.md b/src/lib/custom-resources/cdk-organization/README.md
index 77e948d36..0d30fe161 100644
--- a/src/lib/custom-resources/cdk-organization/README.md
+++ b/src/lib/custom-resources/cdk-organization/README.md
@@ -1,21 +1,21 @@
-# Retrieve Organization properties
-
-This is a custom resource to retrieve Organization using `DescribeOrganization` API call.
-
-## Usage
-
- const organization = new Organizations();
-
- logBucket.addToResourcePolicy(
- new iam.PolicyStatement({
- principals: [new AnyPrincipal()],
- actions: ['s3:GetEncryptionConfiguration', 's3:PutObject'],
- resources: [logBucket.bucketArn, `${logBucket.bucketArn}/*`],
- conditions: {
- StringEquals: {
- 'aws:PrincipalOrgID': organization.organizationId,
- },
- },
- }),
- );
-
+# Retrieve Organization properties
+
+This is a custom resource to retrieve Organization using `DescribeOrganization` API call.
+
+## Usage
+
+ const organization = new Organizations();
+
+ logBucket.addToResourcePolicy(
+ new iam.PolicyStatement({
+ principals: [new AnyPrincipal()],
+ actions: ['s3:GetEncryptionConfiguration', 's3:PutObject'],
+ resources: [logBucket.bucketArn, `${logBucket.bucketArn}/*`],
+ conditions: {
+ StringEquals: {
+ 'aws:PrincipalOrgID': organization.organizationId,
+ },
+ },
+ }),
+ );
+
diff --git a/src/lib/custom-resources/cdk-organization/package.json b/src/lib/custom-resources/cdk-organization/package.json
index bf89714d3..6bebaa72a 100644
--- a/src/lib/custom-resources/cdk-organization/package.json
+++ b/src/lib/custom-resources/cdk-organization/package.json
@@ -1,48 +1,48 @@
-{
- "name": "@aws-accelerator/custom-resource-organization",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/custom-resources": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "jest": {
- "testEnvironment": "node",
- "preset": "ts-jest"
- },
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/custom-resources": "1.46.0"
- },
- "devDependencies": {
- "tslint-config-standard": "9.0.0",
- "@types/aws-lambda": "8.10.46",
- "babel-loader": "8.1.0",
- "@babel/core": "7.9.0",
- "jest": "25.2.4",
- "@babel/plugin-proposal-class-properties": "7.8.3",
- "@babel/plugin-transform-typescript": "7.9.4",
- "webpack": "4.42.1",
- "prettier": "1.19.1",
- "webpack-cli": "3.3.11",
- "@babel/preset-env": "7.9.0",
- "typescript": "3.8.3",
- "@babel/preset-typescript": "7.9.0",
- "glob": "7.1.6",
- "@types/webpack": "4.41.8",
- "ts-node": "6.2.0",
- "@types/jest": "25.1.4",
- "tslint": "6.1.0",
- "fork-ts-checker-webpack-plugin": "4.1.1",
- "@types/adm-zip": "0.4.32",
- "babel-jest": "25.2.0",
- "tslint-config-prettier": "1.18.0",
- "@types/cfn-response": "1.0.3",
- "ts-jest": "25.3.0",
- "@types/node": "12.12.6"
- }
-
+{
+ "name": "@aws-accelerator/custom-resource-organization",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/custom-resources": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "jest": {
+ "testEnvironment": "node",
+ "preset": "ts-jest"
+ },
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/custom-resources": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint-config-standard": "9.0.0",
+ "@types/aws-lambda": "8.10.46",
+ "babel-loader": "8.1.0",
+ "@babel/core": "7.9.0",
+ "jest": "25.2.4",
+ "@babel/plugin-proposal-class-properties": "7.8.3",
+ "@babel/plugin-transform-typescript": "7.9.4",
+ "webpack": "4.42.1",
+ "prettier": "1.19.1",
+ "webpack-cli": "3.3.11",
+ "@babel/preset-env": "7.9.0",
+ "typescript": "3.8.3",
+ "@babel/preset-typescript": "7.9.0",
+ "glob": "7.1.6",
+ "@types/webpack": "4.41.8",
+ "ts-node": "6.2.0",
+ "@types/jest": "25.1.4",
+ "tslint": "6.1.0",
+ "fork-ts-checker-webpack-plugin": "4.1.1",
+ "@types/adm-zip": "0.4.32",
+ "babel-jest": "25.2.0",
+ "tslint-config-prettier": "1.18.0",
+ "@types/cfn-response": "1.0.3",
+ "ts-jest": "25.3.0",
+ "@types/node": "12.12.6"
+ }
+
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-organization/tsconfig.json b/src/lib/custom-resources/cdk-organization/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-organization/tsconfig.json
+++ b/src/lib/custom-resources/cdk-organization/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-r53-dns-endpoint-ips/README.md b/src/lib/custom-resources/cdk-r53-dns-endpoint-ips/README.md
index 0220185cd..5d2b790de 100644
--- a/src/lib/custom-resources/cdk-r53-dns-endpoint-ips/README.md
+++ b/src/lib/custom-resources/cdk-r53-dns-endpoint-ips/README.md
@@ -1,17 +1,17 @@
-# Retrieve Route53 DNS Endpoint IP Addresses
-
-This is a custom resource to retrieve IpAddresses assigned to Route53 Resolver Endpoint using `listResolverEndpointIpAddresses` API call.
-
-## Usage
-
- import { R53DnsEndPointIps } from '@aws-accelerator/custom-resource-r53-dns-endpoint-ips';
-
- const dnsIps = ...;
-
- const dnsIps = new R53DnsEndPointIps(this, 'InboundIp', {
- resolverEndpointId: this._inboundEndpoint.ref,
- subnetsCount: ipAddresses.length,
- });
-
- dnsIps.endpointIps // Returns IpAddresses as string[]
-
+# Retrieve Route53 DNS Endpoint IP Addresses
+
+This is a custom resource to retrieve IpAddresses assigned to Route53 Resolver Endpoint using `listResolverEndpointIpAddresses` API call.
+
+## Usage
+
+ import { R53DnsEndPointIps } from '@aws-accelerator/custom-resource-r53-dns-endpoint-ips';
+
+ const dnsIps = ...;
+
+ const dnsIps = new R53DnsEndPointIps(this, 'InboundIp', {
+ resolverEndpointId: this._inboundEndpoint.ref,
+ subnetsCount: ipAddresses.length,
+ });
+
+ dnsIps.endpointIps // Returns IpAddresses as string[]
+
diff --git a/src/lib/custom-resources/cdk-r53-dns-endpoint-ips/package.json b/src/lib/custom-resources/cdk-r53-dns-endpoint-ips/package.json
index cd3121723..9c33f092e 100644
--- a/src/lib/custom-resources/cdk-r53-dns-endpoint-ips/package.json
+++ b/src/lib/custom-resources/cdk-r53-dns-endpoint-ips/package.json
@@ -1,24 +1,24 @@
-{
- "name": "@aws-accelerator/custom-resource-r53-dns-endpoint-ips",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/custom-resources": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/custom-resources": "1.46.0"
- },
- "devDependencies": {
- "tslint": "6.1.0",
- "tslint-config-standard": "9.0.0",
- "@types/aws-lambda": "8.10.46",
- "tslint-config-prettier": "1.18.0",
- "@types/cfn-response": "1.0.3",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-r53-dns-endpoint-ips",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/custom-resources": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/custom-resources": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint": "6.1.0",
+ "tslint-config-standard": "9.0.0",
+ "@types/aws-lambda": "8.10.46",
+ "tslint-config-prettier": "1.18.0",
+ "@types/cfn-response": "1.0.3",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-r53-dns-endpoint-ips/tsconfig.json b/src/lib/custom-resources/cdk-r53-dns-endpoint-ips/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-r53-dns-endpoint-ips/tsconfig.json
+++ b/src/lib/custom-resources/cdk-r53-dns-endpoint-ips/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-s3-copy-files/README.md b/src/lib/custom-resources/cdk-s3-copy-files/README.md
index 8e59f2a59..841e82870 100644
--- a/src/lib/custom-resources/cdk-s3-copy-files/README.md
+++ b/src/lib/custom-resources/cdk-s3-copy-files/README.md
@@ -1,12 +1,12 @@
-# S3 Copy Files
-
-This is a custom resource that copies files from a given source bucket to a given destination bucket.
-
-## Usage
-
- import { S3CopyFiles } from '@aws-accelerator/custom-resource-s3-copy-files';
-
- const template = new S3CopyFiles(scope, 'Template', {
- sourceBucket: ...,
- destinationBucket: ...,
- });
+# S3 Copy Files
+
+This is a custom resource that copies files from a given source bucket to a given destination bucket.
+
+## Usage
+
+ import { S3CopyFiles } from '@aws-accelerator/custom-resource-s3-copy-files';
+
+ const template = new S3CopyFiles(scope, 'Template', {
+ sourceBucket: ...,
+ destinationBucket: ...,
+ });
diff --git a/src/lib/custom-resources/cdk-s3-copy-files/package.json b/src/lib/custom-resources/cdk-s3-copy-files/package.json
index dadb6cbf6..bfa3e95b4 100644
--- a/src/lib/custom-resources/cdk-s3-copy-files/package.json
+++ b/src/lib/custom-resources/cdk-s3-copy-files/package.json
@@ -1,28 +1,28 @@
-{
- "name": "@aws-accelerator/custom-resource-s3-copy-files",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/aws-lambda": "^1.46.0",
- "@aws-cdk/aws-s3": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0",
- "@aws-cdk/aws-s3": "1.46.0"
- },
- "devDependencies": {
- "tslint": "6.1.0",
- "ts-node": "6.2.0",
- "tslint-config-standard": "9.0.0",
- "@aws-accelerator/custom-resource-s3-copy-files-runtime": "workspace:^0.0.1",
- "tslint-config-prettier": "1.18.0",
- "typescript": "3.8.3",
- "@types/node": "12.12.6"
- }
-
+{
+ "name": "@aws-accelerator/custom-resource-s3-copy-files",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/aws-lambda": "^1.46.0",
+ "@aws-cdk/aws-s3": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0",
+ "@aws-cdk/aws-s3": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint": "6.1.0",
+ "ts-node": "6.2.0",
+ "tslint-config-standard": "9.0.0",
+ "@aws-accelerator/custom-resource-s3-copy-files-runtime": "workspace:^0.0.1",
+ "tslint-config-prettier": "1.18.0",
+ "typescript": "3.8.3",
+ "@types/node": "12.12.6"
+ }
+
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-s3-copy-files/runtime/.gitignore b/src/lib/custom-resources/cdk-s3-copy-files/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-s3-copy-files/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-s3-copy-files/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-s3-copy-files/runtime/package.json b/src/lib/custom-resources/cdk-s3-copy-files/runtime/package.json
index 3ec97a3cf..4d02eb661 100644
--- a/src/lib/custom-resources/cdk-s3-copy-files/runtime/package.json
+++ b/src/lib/custom-resources/cdk-s3-copy-files/runtime/package.json
@@ -1,29 +1,29 @@
-{
- "name": "@aws-accelerator/custom-resource-s3-copy-files-runtime",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-sdk": "2.668.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-s3-copy-files-runtime",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-sdk": "2.668.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-s3-copy-files/runtime/tsconfig.json b/src/lib/custom-resources/cdk-s3-copy-files/runtime/tsconfig.json
index c0a79f7b9..d2de0d928 100644
--- a/src/lib/custom-resources/cdk-s3-copy-files/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-s3-copy-files/runtime/tsconfig.json
@@ -1,16 +1,16 @@
-{
- "compilerOptions": {
- "outDir": "dist",
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "outDir": "dist",
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-s3-copy-files/tsconfig.json b/src/lib/custom-resources/cdk-s3-copy-files/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-s3-copy-files/tsconfig.json
+++ b/src/lib/custom-resources/cdk-s3-copy-files/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-s3-public-access-block/README.md b/src/lib/custom-resources/cdk-s3-public-access-block/README.md
index c8fb5519c..d6aeea451 100644
--- a/src/lib/custom-resources/cdk-s3-public-access-block/README.md
+++ b/src/lib/custom-resources/cdk-s3-public-access-block/README.md
@@ -1,14 +1,14 @@
-# S3 Put Public Access Block
-
-This is a custom resource that enables or disables public access for an entire account.
-
-## Usage
-
- import { S3PublicAccessBlock } from '@aws-accelerator/custom-resource-s3-public-access-block';
-
- new S3PublicAccessBlock(this, 'PublicAccessBlock', {
- blockPublicAcls: true,
- blockPublicPolicy: true,
- ignorePublicAcls: true,
- restrictPublicBuckets: true,
- });
+# S3 Put Public Access Block
+
+This is a custom resource that enables or disables public access for an entire account.
+
+## Usage
+
+ import { S3PublicAccessBlock } from '@aws-accelerator/custom-resource-s3-public-access-block';
+
+ new S3PublicAccessBlock(this, 'PublicAccessBlock', {
+ blockPublicAcls: true,
+ blockPublicPolicy: true,
+ ignorePublicAcls: true,
+ restrictPublicBuckets: true,
+ });
diff --git a/src/lib/custom-resources/cdk-s3-public-access-block/package.json b/src/lib/custom-resources/cdk-s3-public-access-block/package.json
index 3d54bc633..d27afee52 100644
--- a/src/lib/custom-resources/cdk-s3-public-access-block/package.json
+++ b/src/lib/custom-resources/cdk-s3-public-access-block/package.json
@@ -1,20 +1,20 @@
-{
- "name": "@aws-accelerator/custom-resource-s3-public-access-block",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/custom-resources": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/custom-resources": "1.46.0"
- },
- "devDependencies": {
- "@types/node": "12.12.6",
- "typescript": "3.8.3"
- }
+{
+ "name": "@aws-accelerator/custom-resource-s3-public-access-block",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/custom-resources": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/custom-resources": "1.46.0"
+ },
+ "devDependencies": {
+ "@types/node": "12.12.6",
+ "typescript": "3.8.3"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-s3-public-access-block/tsconfig.json b/src/lib/custom-resources/cdk-s3-public-access-block/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-s3-public-access-block/tsconfig.json
+++ b/src/lib/custom-resources/cdk-s3-public-access-block/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-s3-template/README.md b/src/lib/custom-resources/cdk-s3-template/README.md
index d99649e4d..8b78c04ac 100644
--- a/src/lib/custom-resources/cdk-s3-template/README.md
+++ b/src/lib/custom-resources/cdk-s3-template/README.md
@@ -1,17 +1,17 @@
-# S3 Template
-
-This is a custom resource that replaces variables in an S3 object and saves a copy with filled-out variables.
-
-## Usage
-
- import { S3Template } from '@aws-accelerator/custom-resource-s3-template';
-
- const template = new S3Template(scope, 'Template', {
- templateBucket: ...,
- templatePath: ...,
- outputBucket: ...,
- outputPath: ...,
- });
-
- template.addReplacement('{{IpAddress}}', '192.168.1.1');
- template.addReplacement('{{NetworkMask}}', '255.255.255.0');
+# S3 Template
+
+This is a custom resource that replaces variables in an S3 object and saves a copy with filled-out variables.
+
+## Usage
+
+ import { S3Template } from '@aws-accelerator/custom-resource-s3-template';
+
+ const template = new S3Template(scope, 'Template', {
+ templateBucket: ...,
+ templatePath: ...,
+ outputBucket: ...,
+ outputPath: ...,
+ });
+
+ template.addReplacement('{{IpAddress}}', '192.168.1.1');
+ template.addReplacement('{{NetworkMask}}', '255.255.255.0');
diff --git a/src/lib/custom-resources/cdk-s3-template/package.json b/src/lib/custom-resources/cdk-s3-template/package.json
index 2db2fa9f7..f063b89d4 100644
--- a/src/lib/custom-resources/cdk-s3-template/package.json
+++ b/src/lib/custom-resources/cdk-s3-template/package.json
@@ -1,28 +1,28 @@
-{
- "name": "@aws-accelerator/custom-resource-s3-template",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0",
- "@aws-cdk/aws-lambda": "^1.46.0",
- "@aws-cdk/aws-s3": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0",
- "@aws-cdk/aws-s3": "1.46.0"
- },
- "devDependencies": {
- "tslint": "6.1.0",
- "ts-node": "6.2.0",
- "tslint-config-standard": "9.0.0",
- "@aws-accelerator/custom-resource-s3-template-runtime": "workspace:^0.0.1",
- "tslint-config-prettier": "1.18.0",
- "typescript": "3.8.3",
- "@types/node": "12.12.6"
- }
-
+{
+ "name": "@aws-accelerator/custom-resource-s3-template",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0",
+ "@aws-cdk/aws-lambda": "^1.46.0",
+ "@aws-cdk/aws-s3": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0",
+ "@aws-cdk/aws-s3": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint": "6.1.0",
+ "ts-node": "6.2.0",
+ "tslint-config-standard": "9.0.0",
+ "@aws-accelerator/custom-resource-s3-template-runtime": "workspace:^0.0.1",
+ "tslint-config-prettier": "1.18.0",
+ "typescript": "3.8.3",
+ "@types/node": "12.12.6"
+ }
+
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-s3-template/runtime/.gitignore b/src/lib/custom-resources/cdk-s3-template/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-s3-template/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-s3-template/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-s3-template/runtime/package.json b/src/lib/custom-resources/cdk-s3-template/runtime/package.json
index ebb44b698..0d85385b0 100644
--- a/src/lib/custom-resources/cdk-s3-template/runtime/package.json
+++ b/src/lib/custom-resources/cdk-s3-template/runtime/package.json
@@ -1,29 +1,29 @@
-{
- "name": "@aws-accelerator/custom-resource-s3-template-runtime",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-sdk": "2.668.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-s3-template-runtime",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-sdk": "2.668.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-s3-template/runtime/tsconfig.json b/src/lib/custom-resources/cdk-s3-template/runtime/tsconfig.json
index c0a79f7b9..d2de0d928 100644
--- a/src/lib/custom-resources/cdk-s3-template/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-s3-template/runtime/tsconfig.json
@@ -1,16 +1,16 @@
-{
- "compilerOptions": {
- "outDir": "dist",
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "outDir": "dist",
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-s3-template/tsconfig.json b/src/lib/custom-resources/cdk-s3-template/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-s3-template/tsconfig.json
+++ b/src/lib/custom-resources/cdk-s3-template/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-security-hub-accept-invites/package.json b/src/lib/custom-resources/cdk-security-hub-accept-invites/package.json
index 86702680a..2e226606e 100644
--- a/src/lib/custom-resources/cdk-security-hub-accept-invites/package.json
+++ b/src/lib/custom-resources/cdk-security-hub-accept-invites/package.json
@@ -1,24 +1,24 @@
-{
- "name": "@aws-accelerator/custom-resource-security-hub-accept-invites",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0"
- },
- "devDependencies": {
- "tslint": "6.1.0",
- "tslint-config-standard": "9.0.0",
- "@aws-accelerator/custom-resource-security-hub-accept-invites-runtime": "workspace:^0.0.1",
- "@types/aws-lambda": "8.10.46",
- "tslint-config-prettier": "1.18.0",
- "@types/cfn-response": "1.0.3",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-security-hub-accept-invites",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint": "6.1.0",
+ "tslint-config-standard": "9.0.0",
+ "@aws-accelerator/custom-resource-security-hub-accept-invites-runtime": "workspace:^0.0.1",
+ "@types/aws-lambda": "8.10.46",
+ "tslint-config-prettier": "1.18.0",
+ "@types/cfn-response": "1.0.3",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-security-hub-accept-invites/runtime/.gitignore b/src/lib/custom-resources/cdk-security-hub-accept-invites/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-security-hub-accept-invites/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-security-hub-accept-invites/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-security-hub-accept-invites/runtime/package.json b/src/lib/custom-resources/cdk-security-hub-accept-invites/runtime/package.json
index 284e08c9b..1393e2029 100644
--- a/src/lib/custom-resources/cdk-security-hub-accept-invites/runtime/package.json
+++ b/src/lib/custom-resources/cdk-security-hub-accept-invites/runtime/package.json
@@ -1,29 +1,29 @@
-{
- "name": "@aws-accelerator/custom-resource-security-hub-accept-invites-runtime",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-sdk": "2.668.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-security-hub-accept-invites-runtime",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-sdk": "2.668.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-security-hub-accept-invites/runtime/tsconfig.json b/src/lib/custom-resources/cdk-security-hub-accept-invites/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-security-hub-accept-invites/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-security-hub-accept-invites/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-security-hub-accept-invites/tsconfig.json b/src/lib/custom-resources/cdk-security-hub-accept-invites/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-security-hub-accept-invites/tsconfig.json
+++ b/src/lib/custom-resources/cdk-security-hub-accept-invites/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-security-hub-enable/README.md b/src/lib/custom-resources/cdk-security-hub-enable/README.md
index c5caa5962..dc91df26a 100644
--- a/src/lib/custom-resources/cdk-security-hub-enable/README.md
+++ b/src/lib/custom-resources/cdk-security-hub-enable/README.md
@@ -1,36 +1,36 @@
-# Security Hub Enable Standards
-
-This is a custom resource to enable Security Hub Standards and disable specific controls Used `describeStandards`, `batchEnableStandards`, `describeStandardControls` and `updateStandardControls` API calls.
-
-## Usage
-
- import { SecurityHubEnable } from '@aws-accelerator/custom-resource-security-hub-enable';
-
- const enableSecurityHubResource = new SecurityHubEnable(this, 'EnableSecurityHubStandards`, {
- standards: standards.standards,
- });
-
-## Input Example
-
- [
- {
- "name": "AWS Foundational Security Best Practices v1.0.0",
- "controls-to-disable": [
- "IAM.1"
- ]
- },
- {
- "name": "PCI DSS v3.2.1",
- "controls-to-disable": [
- "PCI.IAM.3",
- "PCIDSS8.3.1"
- ]
- },
- {
- "name": "CIS AWS Foundations Benchmark v1.2.0",
- "controls-to-disable": [
- "CIS.1.3",
- "CIS1.11"
- ]
- }
- ]
+# Security Hub Enable Standards
+
+This is a custom resource to enable Security Hub Standards and disable specific controls Used `describeStandards`, `batchEnableStandards`, `describeStandardControls` and `updateStandardControls` API calls.
+
+## Usage
+
+ import { SecurityHubEnable } from '@aws-accelerator/custom-resource-security-hub-enable';
+
+ const enableSecurityHubResource = new SecurityHubEnable(this, 'EnableSecurityHubStandards`, {
+ standards: standards.standards,
+ });
+
+## Input Example
+
+ [
+ {
+ "name": "AWS Foundational Security Best Practices v1.0.0",
+ "controls-to-disable": [
+ "IAM.1"
+ ]
+ },
+ {
+ "name": "PCI DSS v3.2.1",
+ "controls-to-disable": [
+ "PCI.IAM.3",
+ "PCIDSS8.3.1"
+ ]
+ },
+ {
+ "name": "CIS AWS Foundations Benchmark v1.2.0",
+ "controls-to-disable": [
+ "CIS.1.3",
+ "CIS1.11"
+ ]
+ }
+ ]
diff --git a/src/lib/custom-resources/cdk-security-hub-enable/package.json b/src/lib/custom-resources/cdk-security-hub-enable/package.json
index 14e291108..4a6eb3c30 100644
--- a/src/lib/custom-resources/cdk-security-hub-enable/package.json
+++ b/src/lib/custom-resources/cdk-security-hub-enable/package.json
@@ -1,24 +1,24 @@
-{
- "name": "@aws-accelerator/custom-resource-security-hub-enable",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0"
- },
- "private": true,
- "main": "cdk/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0"
- },
- "devDependencies": {
- "tslint": "6.1.0",
- "tslint-config-standard": "9.0.0",
- "@types/aws-lambda": "8.10.46",
- "tslint-config-prettier": "1.18.0",
- "@types/cfn-response": "1.0.3",
- "@types/node": "12.12.6",
- "@aws-accelerator/custom-resource-security-hub-enable-runtime": "workspace:^0.0.1"
- }
+{
+ "name": "@aws-accelerator/custom-resource-security-hub-enable",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0"
+ },
+ "private": true,
+ "main": "cdk/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint": "6.1.0",
+ "tslint-config-standard": "9.0.0",
+ "@types/aws-lambda": "8.10.46",
+ "tslint-config-prettier": "1.18.0",
+ "@types/cfn-response": "1.0.3",
+ "@types/node": "12.12.6",
+ "@aws-accelerator/custom-resource-security-hub-enable-runtime": "workspace:^0.0.1"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-security-hub-enable/runtime/.gitignore b/src/lib/custom-resources/cdk-security-hub-enable/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-security-hub-enable/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-security-hub-enable/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-security-hub-enable/runtime/package.json b/src/lib/custom-resources/cdk-security-hub-enable/runtime/package.json
index 415bce535..e5db4625f 100644
--- a/src/lib/custom-resources/cdk-security-hub-enable/runtime/package.json
+++ b/src/lib/custom-resources/cdk-security-hub-enable/runtime/package.json
@@ -1,30 +1,30 @@
-{
- "name": "@aws-accelerator/custom-resource-security-hub-enable-runtime",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "exponential-backoff": "3.0.0",
- "aws-sdk": "2.668.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-security-hub-enable-runtime",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "exponential-backoff": "3.0.0",
+ "aws-sdk": "2.668.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-security-hub-enable/runtime/tsconfig.json b/src/lib/custom-resources/cdk-security-hub-enable/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-security-hub-enable/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-security-hub-enable/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-security-hub-enable/tsconfig.json b/src/lib/custom-resources/cdk-security-hub-enable/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-security-hub-enable/tsconfig.json
+++ b/src/lib/custom-resources/cdk-security-hub-enable/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-security-hub-send-invites/package.json b/src/lib/custom-resources/cdk-security-hub-send-invites/package.json
index 2d314c28d..f9501ca95 100644
--- a/src/lib/custom-resources/cdk-security-hub-send-invites/package.json
+++ b/src/lib/custom-resources/cdk-security-hub-send-invites/package.json
@@ -1,24 +1,24 @@
-{
- "name": "@aws-accelerator/custom-resource-security-hub-send-invites",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0"
- },
- "devDependencies": {
- "tslint": "6.1.0",
- "tslint-config-standard": "9.0.0",
- "@types/aws-lambda": "8.10.46",
- "@aws-accelerator/custom-resource-security-hub-send-invites-runtime": "workspace:^0.0.1",
- "tslint-config-prettier": "1.18.0",
- "@types/cfn-response": "1.0.3",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-security-hub-send-invites",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint": "6.1.0",
+ "tslint-config-standard": "9.0.0",
+ "@types/aws-lambda": "8.10.46",
+ "@aws-accelerator/custom-resource-security-hub-send-invites-runtime": "workspace:^0.0.1",
+ "tslint-config-prettier": "1.18.0",
+ "@types/cfn-response": "1.0.3",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-security-hub-send-invites/runtime/.gitignore b/src/lib/custom-resources/cdk-security-hub-send-invites/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-security-hub-send-invites/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-security-hub-send-invites/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-security-hub-send-invites/runtime/package.json b/src/lib/custom-resources/cdk-security-hub-send-invites/runtime/package.json
index ab2014b2f..ed710634b 100644
--- a/src/lib/custom-resources/cdk-security-hub-send-invites/runtime/package.json
+++ b/src/lib/custom-resources/cdk-security-hub-send-invites/runtime/package.json
@@ -1,29 +1,29 @@
-{
- "name": "@aws-accelerator/custom-resource-security-hub-send-invites-runtime",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-sdk": "2.668.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-security-hub-send-invites-runtime",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-sdk": "2.668.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-security-hub-send-invites/runtime/tsconfig.json b/src/lib/custom-resources/cdk-security-hub-send-invites/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-security-hub-send-invites/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-security-hub-send-invites/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-security-hub-send-invites/tsconfig.json b/src/lib/custom-resources/cdk-security-hub-send-invites/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-security-hub-send-invites/tsconfig.json
+++ b/src/lib/custom-resources/cdk-security-hub-send-invites/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ssm-session-manager-document/README.md b/src/lib/custom-resources/cdk-ssm-session-manager-document/README.md
index c5caa5962..dc91df26a 100644
--- a/src/lib/custom-resources/cdk-ssm-session-manager-document/README.md
+++ b/src/lib/custom-resources/cdk-ssm-session-manager-document/README.md
@@ -1,36 +1,36 @@
-# Security Hub Enable Standards
-
-This is a custom resource to enable Security Hub Standards and disable specific controls Used `describeStandards`, `batchEnableStandards`, `describeStandardControls` and `updateStandardControls` API calls.
-
-## Usage
-
- import { SecurityHubEnable } from '@aws-accelerator/custom-resource-security-hub-enable';
-
- const enableSecurityHubResource = new SecurityHubEnable(this, 'EnableSecurityHubStandards`, {
- standards: standards.standards,
- });
-
-## Input Example
-
- [
- {
- "name": "AWS Foundational Security Best Practices v1.0.0",
- "controls-to-disable": [
- "IAM.1"
- ]
- },
- {
- "name": "PCI DSS v3.2.1",
- "controls-to-disable": [
- "PCI.IAM.3",
- "PCIDSS8.3.1"
- ]
- },
- {
- "name": "CIS AWS Foundations Benchmark v1.2.0",
- "controls-to-disable": [
- "CIS.1.3",
- "CIS1.11"
- ]
- }
- ]
+# Security Hub Enable Standards
+
+This is a custom resource to enable Security Hub Standards and disable specific controls Used `describeStandards`, `batchEnableStandards`, `describeStandardControls` and `updateStandardControls` API calls.
+
+## Usage
+
+ import { SecurityHubEnable } from '@aws-accelerator/custom-resource-security-hub-enable';
+
+ const enableSecurityHubResource = new SecurityHubEnable(this, 'EnableSecurityHubStandards`, {
+ standards: standards.standards,
+ });
+
+## Input Example
+
+ [
+ {
+ "name": "AWS Foundational Security Best Practices v1.0.0",
+ "controls-to-disable": [
+ "IAM.1"
+ ]
+ },
+ {
+ "name": "PCI DSS v3.2.1",
+ "controls-to-disable": [
+ "PCI.IAM.3",
+ "PCIDSS8.3.1"
+ ]
+ },
+ {
+ "name": "CIS AWS Foundations Benchmark v1.2.0",
+ "controls-to-disable": [
+ "CIS.1.3",
+ "CIS1.11"
+ ]
+ }
+ ]
diff --git a/src/lib/custom-resources/cdk-ssm-session-manager-document/package.json b/src/lib/custom-resources/cdk-ssm-session-manager-document/package.json
index 451f61e9c..f4e620bd9 100644
--- a/src/lib/custom-resources/cdk-ssm-session-manager-document/package.json
+++ b/src/lib/custom-resources/cdk-ssm-session-manager-document/package.json
@@ -1,24 +1,24 @@
-{
- "name": "@aws-accelerator/custom-resource-ssm-session-manager-document",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0"
- },
- "devDependencies": {
- "tslint": "6.1.0",
- "tslint-config-standard": "9.0.0",
- "@types/aws-lambda": "8.10.46",
- "tslint-config-prettier": "1.18.0",
- "@types/cfn-response": "1.0.3",
- "@types/node": "12.12.6",
- "@aws-accelerator/custom-resource-ssm-session-manager-document-runtime": "workspace:^0.0.1"
- }
+{
+ "name": "@aws-accelerator/custom-resource-ssm-session-manager-document",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint": "6.1.0",
+ "tslint-config-standard": "9.0.0",
+ "@types/aws-lambda": "8.10.46",
+ "tslint-config-prettier": "1.18.0",
+ "@types/cfn-response": "1.0.3",
+ "@types/node": "12.12.6",
+ "@aws-accelerator/custom-resource-ssm-session-manager-document-runtime": "workspace:^0.0.1"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ssm-session-manager-document/runtime/.gitignore b/src/lib/custom-resources/cdk-ssm-session-manager-document/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-ssm-session-manager-document/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-ssm-session-manager-document/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-ssm-session-manager-document/runtime/package.json b/src/lib/custom-resources/cdk-ssm-session-manager-document/runtime/package.json
index b9ca00cb0..5cebfbfc5 100644
--- a/src/lib/custom-resources/cdk-ssm-session-manager-document/runtime/package.json
+++ b/src/lib/custom-resources/cdk-ssm-session-manager-document/runtime/package.json
@@ -1,30 +1,30 @@
-{
- "name": "@aws-accelerator/custom-resource-ssm-session-manager-document-runtime",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "exponential-backoff": "3.0.0",
- "aws-sdk": "2.668.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-ssm-session-manager-document-runtime",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "exponential-backoff": "3.0.0",
+ "aws-sdk": "2.668.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-ssm-session-manager-document/runtime/tsconfig.json b/src/lib/custom-resources/cdk-ssm-session-manager-document/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-ssm-session-manager-document/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-ssm-session-manager-document/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-ssm-session-manager-document/tsconfig.json b/src/lib/custom-resources/cdk-ssm-session-manager-document/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-ssm-session-manager-document/tsconfig.json
+++ b/src/lib/custom-resources/cdk-ssm-session-manager-document/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-vpc-default-security-group/README.md b/src/lib/custom-resources/cdk-vpc-default-security-group/README.md
index ba60f154e..ebbe4e3d7 100644
--- a/src/lib/custom-resources/cdk-vpc-default-security-group/README.md
+++ b/src/lib/custom-resources/cdk-vpc-default-security-group/README.md
@@ -1,15 +1,15 @@
-# VPC Default Security Group
-
-This is a custom resource to delete the inbound and outbound rules of VPC default security group and attach tags to the default security group.
-
-## Usage
-
- import { VpcDefaultSecurityGroup } from '@aws-accelerator/custom-resource-vpc-default-security-group';
-
- const vpcId = ...;
- const acceleratorName = ...;
-
- new VpcDefaultSecurityGroup(this, 'VpcDefaultSecurityGroup', {
- vpcId,
- acceleratorName,
- });
+# VPC Default Security Group
+
+This is a custom resource to delete the inbound and outbound rules of VPC default security group and attach tags to the default security group.
+
+## Usage
+
+ import { VpcDefaultSecurityGroup } from '@aws-accelerator/custom-resource-vpc-default-security-group';
+
+ const vpcId = ...;
+ const acceleratorName = ...;
+
+ new VpcDefaultSecurityGroup(this, 'VpcDefaultSecurityGroup', {
+ vpcId,
+ acceleratorName,
+ });
diff --git a/src/lib/custom-resources/cdk-vpc-default-security-group/package.json b/src/lib/custom-resources/cdk-vpc-default-security-group/package.json
index fc21cbfc5..61bd8b5e7 100644
--- a/src/lib/custom-resources/cdk-vpc-default-security-group/package.json
+++ b/src/lib/custom-resources/cdk-vpc-default-security-group/package.json
@@ -1,23 +1,23 @@
-{
- "name": "@aws-accelerator/custom-resource-vpc-default-security-group",
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0"
- },
- "main": "cdk/index.ts",
- "private": true,
- "version": "0.0.1",
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0"
- },
- "devDependencies": {
- "tslint": "6.1.0",
- "ts-node": "6.2.0",
- "tslint-config-standard": "9.0.0",
- "tslint-config-prettier": "1.18.0",
- "@aws-accelerator/custom-resource-vpc-default-security-group-runtime": "workspace:^0.0.1",
- "typescript": "3.8.3",
- "@types/node": "12.12.6"
- }
+{
+ "name": "@aws-accelerator/custom-resource-vpc-default-security-group",
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0"
+ },
+ "main": "cdk/index.ts",
+ "private": true,
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0"
+ },
+ "devDependencies": {
+ "tslint": "6.1.0",
+ "ts-node": "6.2.0",
+ "tslint-config-standard": "9.0.0",
+ "tslint-config-prettier": "1.18.0",
+ "@aws-accelerator/custom-resource-vpc-default-security-group-runtime": "workspace:^0.0.1",
+ "typescript": "3.8.3",
+ "@types/node": "12.12.6"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-vpc-default-security-group/runtime/.gitignore b/src/lib/custom-resources/cdk-vpc-default-security-group/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/cdk-vpc-default-security-group/runtime/.gitignore
+++ b/src/lib/custom-resources/cdk-vpc-default-security-group/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/cdk-vpc-default-security-group/runtime/package.json b/src/lib/custom-resources/cdk-vpc-default-security-group/runtime/package.json
index 87b59cfe8..0c4d8f174 100644
--- a/src/lib/custom-resources/cdk-vpc-default-security-group/runtime/package.json
+++ b/src/lib/custom-resources/cdk-vpc-default-security-group/runtime/package.json
@@ -1,30 +1,30 @@
-{
- "name": "@aws-accelerator/custom-resource-vpc-default-security-group-runtime",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "private": true,
- "source": "src/index.ts",
- "version": "0.0.1",
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-cfn-utils": "workspace:^0.0.1",
- "aws-sdk": "2.668.0",
- "aws-lambda": "1.0.5"
- },
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "devDependencies": {
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "@types/aws-lambda": "8.10.46",
- "webpack": "4.42.1",
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "webpack-cli": "3.3.11"
- },
- "main": "dist/index.js",
- "types": "dist/index.d.ts"
+{
+ "name": "@aws-accelerator/custom-resource-vpc-default-security-group-runtime",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "private": true,
+ "source": "src/index.ts",
+ "version": "0.0.1",
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-cfn-utils": "workspace:^0.0.1",
+ "aws-sdk": "2.668.0",
+ "aws-lambda": "1.0.5"
+ },
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "devDependencies": {
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "@types/aws-lambda": "8.10.46",
+ "webpack": "4.42.1",
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "webpack-cli": "3.3.11"
+ },
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts"
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/cdk-vpc-default-security-group/runtime/tsconfig.json b/src/lib/custom-resources/cdk-vpc-default-security-group/runtime/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/cdk-vpc-default-security-group/runtime/tsconfig.json
+++ b/src/lib/custom-resources/cdk-vpc-default-security-group/runtime/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/cdk-vpc-default-security-group/tsconfig.json b/src/lib/custom-resources/cdk-vpc-default-security-group/tsconfig.json
index afa757ed0..4db940b9b 100644
--- a/src/lib/custom-resources/cdk-vpc-default-security-group/tsconfig.json
+++ b/src/lib/custom-resources/cdk-vpc-default-security-group/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "noImplicitAny": true,
- "module": "commonjs",
- "strict": true,
- "esModuleInterop": true,
- "moduleResolution": "node",
- "outDir": "dist"
- },
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ],
- "include": [
- "cdk/**/*"
- ]
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "noImplicitAny": true,
+ "module": "commonjs",
+ "strict": true,
+ "esModuleInterop": true,
+ "moduleResolution": "node",
+ "outDir": "dist"
+ },
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ],
+ "include": [
+ "cdk/**/*"
+ ]
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/ec2-ebs-default-encryption/README.md b/src/lib/custom-resources/ec2-ebs-default-encryption/README.md
index a1339a811..1fbfe2592 100644
--- a/src/lib/custom-resources/ec2-ebs-default-encryption/README.md
+++ b/src/lib/custom-resources/ec2-ebs-default-encryption/README.md
@@ -1,11 +1,11 @@
-# EC2 EBS Default Encryption
-
-This is a custom resource to enable default encryption for EBS.
-
-## Usage
-
- import { EbsDefaultEncryption } from '@aws-accelerator/custom-resource-ec2-ebs-default-encryption';
-
- new EbsDefaultEncryption(scope, `EbsEncryption`, {
- key,
- });
+# EC2 EBS Default Encryption
+
+This is a custom resource to enable default encryption for EBS.
+
+## Usage
+
+ import { EbsDefaultEncryption } from '@aws-accelerator/custom-resource-ec2-ebs-default-encryption';
+
+ new EbsDefaultEncryption(scope, `EbsEncryption`, {
+ key,
+ });
diff --git a/src/lib/custom-resources/ec2-ebs-default-encryption/lambda/.gitignore b/src/lib/custom-resources/ec2-ebs-default-encryption/lambda/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/ec2-ebs-default-encryption/lambda/.gitignore
+++ b/src/lib/custom-resources/ec2-ebs-default-encryption/lambda/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/ec2-ebs-default-encryption/lambda/package.json b/src/lib/custom-resources/ec2-ebs-default-encryption/lambda/package.json
index 197c49715..b53a23cd3 100644
--- a/src/lib/custom-resources/ec2-ebs-default-encryption/lambda/package.json
+++ b/src/lib/custom-resources/ec2-ebs-default-encryption/lambda/package.json
@@ -1,29 +1,29 @@
-{
- "name": "@aws-accelerator/custom-resource-ec2-ebs-default-encryption-runtime",
- "version": "0.0.1",
- "private": true,
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "source": "src/index.ts",
- "main": "dist/index.js",
- "types": "dist/index.d.ts",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "devDependencies": {
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/aws-lambda": "8.10.46",
- "@types/node": "12.12.6",
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "webpack": "4.42.1",
- "webpack-cli": "3.3.11"
- },
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-lambda": "1.0.5",
- "aws-sdk": "2.668.0"
- }
-}
+{
+ "name": "@aws-accelerator/custom-resource-ec2-ebs-default-encryption-runtime",
+ "version": "0.0.1",
+ "private": true,
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "source": "src/index.ts",
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "devDependencies": {
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/aws-lambda": "8.10.46",
+ "@types/node": "12.12.6",
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "webpack": "4.42.1",
+ "webpack-cli": "3.3.11"
+ },
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-lambda": "1.0.5",
+ "aws-sdk": "2.668.0"
+ }
+}
diff --git a/src/lib/custom-resources/ec2-ebs-default-encryption/lambda/tsconfig.json b/src/lib/custom-resources/ec2-ebs-default-encryption/lambda/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/ec2-ebs-default-encryption/lambda/tsconfig.json
+++ b/src/lib/custom-resources/ec2-ebs-default-encryption/lambda/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/ec2-ebs-default-encryption/package.json b/src/lib/custom-resources/ec2-ebs-default-encryption/package.json
index 6c3e8df5e..af8df15c6 100644
--- a/src/lib/custom-resources/ec2-ebs-default-encryption/package.json
+++ b/src/lib/custom-resources/ec2-ebs-default-encryption/package.json
@@ -1,27 +1,27 @@
-{
- "name": "@aws-accelerator/custom-resource-ec2-ebs-default-encryption",
- "version": "0.0.1",
- "private": true,
- "main": "lib/index.ts",
- "devDependencies": {
- "@aws-accelerator/custom-resource-ec2-ebs-default-encryption-runtime": "workspace:^0.0.1",
- "@types/node": "12.12.6",
- "ts-node": "6.2.0",
- "tslint": "6.1.0",
- "tslint-config-prettier": "1.18.0",
- "tslint-config-standard": "9.0.0",
- "typescript": "3.8.3"
- },
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/aws-kms": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0",
- "@aws-cdk/core": "1.46.0"
- },
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/aws-kms": "^1.46.0",
- "@aws-cdk/aws-lambda": "^1.46.0",
- "@aws-cdk/core": "^1.46.0"
- }
-}
+{
+ "name": "@aws-accelerator/custom-resource-ec2-ebs-default-encryption",
+ "version": "0.0.1",
+ "private": true,
+ "main": "lib/index.ts",
+ "devDependencies": {
+ "@aws-accelerator/custom-resource-ec2-ebs-default-encryption-runtime": "workspace:^0.0.1",
+ "@types/node": "12.12.6",
+ "ts-node": "6.2.0",
+ "tslint": "6.1.0",
+ "tslint-config-prettier": "1.18.0",
+ "tslint-config-standard": "9.0.0",
+ "typescript": "3.8.3"
+ },
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/aws-kms": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0",
+ "@aws-cdk/core": "1.46.0"
+ },
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/aws-kms": "^1.46.0",
+ "@aws-cdk/aws-lambda": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0"
+ }
+}
diff --git a/src/lib/custom-resources/logs-add-subscription-filter/README.md b/src/lib/custom-resources/logs-add-subscription-filter/README.md
index cc9788406..884132f13 100644
--- a/src/lib/custom-resources/logs-add-subscription-filter/README.md
+++ b/src/lib/custom-resources/logs-add-subscription-filter/README.md
@@ -1,14 +1,14 @@
-# CloudWatch Central Logging to S3 bucket
-
-This is a custom resource to create Subscription filters to all loggroups.
-Uses `deleteSubscriptionFilter`, `describeLogGroups` and `putSubscriptionFilter` API calls.
-
-## Usage
-
- ```
- import { CentralLoggingSubscriptionFilter } from '@aws-accelerator/custom-resource-logs-add-subscription-filter';
-
- new CentralLoggingSubscriptionFilter(accountStack, `LogGroups`, {
- logDestinationArn
- })
+# CloudWatch Central Logging to S3 bucket
+
+This is a custom resource to create Subscription filters to all loggroups.
+Uses `deleteSubscriptionFilter`, `describeLogGroups` and `putSubscriptionFilter` API calls.
+
+## Usage
+
+ ```
+ import { CentralLoggingSubscriptionFilter } from '@aws-accelerator/custom-resource-logs-add-subscription-filter';
+
+ new CentralLoggingSubscriptionFilter(accountStack, `LogGroups`, {
+ logDestinationArn
+ })
```
\ No newline at end of file
diff --git a/src/lib/custom-resources/logs-add-subscription-filter/package.json b/src/lib/custom-resources/logs-add-subscription-filter/package.json
index 121743cf5..59814712c 100644
--- a/src/lib/custom-resources/logs-add-subscription-filter/package.json
+++ b/src/lib/custom-resources/logs-add-subscription-filter/package.json
@@ -1,35 +1,35 @@
-{
- "name": "@aws-accelerator/custom-resource-logs-add-subscription-filter",
- "version": "0.0.1",
- "private": true,
- "main": "src/index.ts",
- "devDependencies": {
- "@aws-accelerator/custom-resource-logs-add-subscription-filter-runtime": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-logs-add-subscription-filter-cloudwatch-event-runtime": "workspace:^0.0.1",
- "@types/jest": "25.1.4",
- "@types/node": "12.12.6",
- "jest": "25.2.4",
- "prettier": "1.19.1",
- "ts-jest": "25.3.0",
- "ts-node": "6.2.0",
- "tslint": "6.1.0",
- "tslint-config-prettier": "1.18.0",
- "tslint-config-standard": "9.0.0",
- "typescript": "3.8.3"
- },
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-events": "1.46.0"
- },
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/aws-lambda": "^1.46.0",
- "@aws-cdk/core": "^1.46.0"
- },
- "jest": {
- "preset": "ts-jest",
- "testEnvironment": "node"
- }
+{
+ "name": "@aws-accelerator/custom-resource-logs-add-subscription-filter",
+ "version": "0.0.1",
+ "private": true,
+ "main": "src/index.ts",
+ "devDependencies": {
+ "@aws-accelerator/custom-resource-logs-add-subscription-filter-runtime": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-logs-add-subscription-filter-cloudwatch-event-runtime": "workspace:^0.0.1",
+ "@types/jest": "25.1.4",
+ "@types/node": "12.12.6",
+ "jest": "25.2.4",
+ "prettier": "1.19.1",
+ "ts-jest": "25.3.0",
+ "ts-node": "6.2.0",
+ "tslint": "6.1.0",
+ "tslint-config-prettier": "1.18.0",
+ "tslint-config-standard": "9.0.0",
+ "typescript": "3.8.3"
+ },
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-events": "1.46.0"
+ },
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/aws-lambda": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0"
+ },
+ "jest": {
+ "preset": "ts-jest",
+ "testEnvironment": "node"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/logs-add-subscription-filter/runtime-event-trigger/.gitignore b/src/lib/custom-resources/logs-add-subscription-filter/runtime-event-trigger/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/logs-add-subscription-filter/runtime-event-trigger/.gitignore
+++ b/src/lib/custom-resources/logs-add-subscription-filter/runtime-event-trigger/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/logs-add-subscription-filter/runtime-event-trigger/package.json b/src/lib/custom-resources/logs-add-subscription-filter/runtime-event-trigger/package.json
index b9e94871c..5548db54a 100644
--- a/src/lib/custom-resources/logs-add-subscription-filter/runtime-event-trigger/package.json
+++ b/src/lib/custom-resources/logs-add-subscription-filter/runtime-event-trigger/package.json
@@ -1,30 +1,30 @@
-{
- "name": "@aws-accelerator/custom-resource-logs-add-subscription-filter-cloudwatch-event-runtime",
- "version": "0.0.1",
- "private": true,
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "source": "src/index.ts",
- "main": "dist/index.js",
- "types": "dist/index.d.ts",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "devDependencies": {
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/aws-lambda": "8.10.46",
- "@types/node": "12.12.6",
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "webpack": "4.42.1",
- "webpack-cli": "3.3.11"
- },
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-cfn-utils": "workspace:^0.0.1",
- "aws-lambda": "1.0.5",
- "aws-sdk": "2.668.0"
- }
+{
+ "name": "@aws-accelerator/custom-resource-logs-add-subscription-filter-cloudwatch-event-runtime",
+ "version": "0.0.1",
+ "private": true,
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "source": "src/index.ts",
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "devDependencies": {
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/aws-lambda": "8.10.46",
+ "@types/node": "12.12.6",
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "webpack": "4.42.1",
+ "webpack-cli": "3.3.11"
+ },
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-cfn-utils": "workspace:^0.0.1",
+ "aws-lambda": "1.0.5",
+ "aws-sdk": "2.668.0"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/logs-add-subscription-filter/runtime-event-trigger/tsconfig.json b/src/lib/custom-resources/logs-add-subscription-filter/runtime-event-trigger/tsconfig.json
index c0a79f7b9..d2de0d928 100644
--- a/src/lib/custom-resources/logs-add-subscription-filter/runtime-event-trigger/tsconfig.json
+++ b/src/lib/custom-resources/logs-add-subscription-filter/runtime-event-trigger/tsconfig.json
@@ -1,16 +1,16 @@
-{
- "compilerOptions": {
- "outDir": "dist",
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "outDir": "dist",
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/logs-add-subscription-filter/runtime/.gitignore b/src/lib/custom-resources/logs-add-subscription-filter/runtime/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/logs-add-subscription-filter/runtime/.gitignore
+++ b/src/lib/custom-resources/logs-add-subscription-filter/runtime/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/logs-add-subscription-filter/runtime/package.json b/src/lib/custom-resources/logs-add-subscription-filter/runtime/package.json
index 74e3ade04..2b298b5c7 100644
--- a/src/lib/custom-resources/logs-add-subscription-filter/runtime/package.json
+++ b/src/lib/custom-resources/logs-add-subscription-filter/runtime/package.json
@@ -1,30 +1,30 @@
-{
- "name": "@aws-accelerator/custom-resource-logs-add-subscription-filter-runtime",
- "version": "0.0.1",
- "private": true,
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "source": "src/index.ts",
- "main": "dist/index.js",
- "types": "dist/index.d.ts",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "devDependencies": {
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/aws-lambda": "8.10.46",
- "@types/node": "12.12.6",
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "webpack": "4.42.1",
- "webpack-cli": "3.3.11"
- },
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "@aws-accelerator/custom-resource-cfn-utils": "workspace:^0.0.1",
- "aws-lambda": "1.0.5",
- "aws-sdk": "2.668.0"
- }
+{
+ "name": "@aws-accelerator/custom-resource-logs-add-subscription-filter-runtime",
+ "version": "0.0.1",
+ "private": true,
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "source": "src/index.ts",
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "devDependencies": {
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/aws-lambda": "8.10.46",
+ "@types/node": "12.12.6",
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "webpack": "4.42.1",
+ "webpack-cli": "3.3.11"
+ },
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "@aws-accelerator/custom-resource-cfn-utils": "workspace:^0.0.1",
+ "aws-lambda": "1.0.5",
+ "aws-sdk": "2.668.0"
+ }
}
\ No newline at end of file
diff --git a/src/lib/custom-resources/logs-add-subscription-filter/runtime/tsconfig.json b/src/lib/custom-resources/logs-add-subscription-filter/runtime/tsconfig.json
index c0a79f7b9..d2de0d928 100644
--- a/src/lib/custom-resources/logs-add-subscription-filter/runtime/tsconfig.json
+++ b/src/lib/custom-resources/logs-add-subscription-filter/runtime/tsconfig.json
@@ -1,16 +1,16 @@
-{
- "compilerOptions": {
- "outDir": "dist",
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "outDir": "dist",
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/logs-add-subscription-filter/tsconfig.json b/src/lib/custom-resources/logs-add-subscription-filter/tsconfig.json
index c5e87d76a..0cfdc8e91 100644
--- a/src/lib/custom-resources/logs-add-subscription-filter/tsconfig.json
+++ b/src/lib/custom-resources/logs-add-subscription-filter/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "strict": true,
- "outDir": "dist",
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "module": "commonjs",
- "moduleResolution": "node",
- "esModuleInterop": true,
- "noImplicitAny": true
- },
- "include": [
- "src/**/*"
- ],
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ]
-}
+{
+ "compilerOptions": {
+ "strict": true,
+ "outDir": "dist",
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "esModuleInterop": true,
+ "noImplicitAny": true
+ },
+ "include": [
+ "src/**/*"
+ ],
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ]
+}
diff --git a/src/lib/custom-resources/runtime-cfn-response/README.md b/src/lib/custom-resources/runtime-cfn-response/README.md
index 15f9dc8c1..1adf620c4 100644
--- a/src/lib/custom-resources/runtime-cfn-response/README.md
+++ b/src/lib/custom-resources/runtime-cfn-response/README.md
@@ -1,3 +1,3 @@
-# CloudFormation Response Library
-
-Alternative to the native CloudFormation response library, `cfn-response`.
+# CloudFormation Response Library
+
+Alternative to the native CloudFormation response library, `cfn-response`.
diff --git a/src/lib/custom-resources/runtime-cfn-response/package.json b/src/lib/custom-resources/runtime-cfn-response/package.json
index a34acb8a0..7d9792daf 100644
--- a/src/lib/custom-resources/runtime-cfn-response/package.json
+++ b/src/lib/custom-resources/runtime-cfn-response/package.json
@@ -1,21 +1,21 @@
-{
- "name": "@aws-accelerator/custom-resource-runtime-cfn-response",
- "version": "0.0.1",
- "private": true,
- "main": "src/index.ts",
- "devDependencies": {
- "@types/aws-lambda": "8.10.46",
- "@types/node": "12.12.6",
- "typescript": "3.8.3"
- },
- "dependencies": {
- "aws-lambda": "1.0.5",
- "aws-sdk": "2.668.0",
- "exponential-backoff": "3.0.0"
- },
- "peerDependencies": {
- "aws-lambda": "^1.0.5",
- "aws-sdk": "^2.668.0",
- "exponential-backoff": "^3.0.0"
- }
-}
+{
+ "name": "@aws-accelerator/custom-resource-runtime-cfn-response",
+ "version": "0.0.1",
+ "private": true,
+ "main": "src/index.ts",
+ "devDependencies": {
+ "@types/aws-lambda": "8.10.46",
+ "@types/node": "12.12.6",
+ "typescript": "3.8.3"
+ },
+ "dependencies": {
+ "aws-lambda": "1.0.5",
+ "aws-sdk": "2.668.0",
+ "exponential-backoff": "3.0.0"
+ },
+ "peerDependencies": {
+ "aws-lambda": "^1.0.5",
+ "aws-sdk": "^2.668.0",
+ "exponential-backoff": "^3.0.0"
+ }
+}
diff --git a/src/lib/custom-resources/runtime-cfn-response/tsconfig.json b/src/lib/custom-resources/runtime-cfn-response/tsconfig.json
index c5e87d76a..0cfdc8e91 100644
--- a/src/lib/custom-resources/runtime-cfn-response/tsconfig.json
+++ b/src/lib/custom-resources/runtime-cfn-response/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "strict": true,
- "outDir": "dist",
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "module": "commonjs",
- "moduleResolution": "node",
- "esModuleInterop": true,
- "noImplicitAny": true
- },
- "include": [
- "src/**/*"
- ],
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ]
-}
+{
+ "compilerOptions": {
+ "strict": true,
+ "outDir": "dist",
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "esModuleInterop": true,
+ "noImplicitAny": true
+ },
+ "include": [
+ "src/**/*"
+ ],
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ]
+}
diff --git a/src/lib/custom-resources/runtime-cfn-tags/README.md b/src/lib/custom-resources/runtime-cfn-tags/README.md
index 3c7214840..c99fe256b 100644
--- a/src/lib/custom-resources/runtime-cfn-tags/README.md
+++ b/src/lib/custom-resources/runtime-cfn-tags/README.md
@@ -1,3 +1,3 @@
-# CloudFormation Tagging Library
-
-CloudFormation custom resource helper to tag resources.
+# CloudFormation Tagging Library
+
+CloudFormation custom resource helper to tag resources.
diff --git a/src/lib/custom-resources/runtime-cfn-tags/package.json b/src/lib/custom-resources/runtime-cfn-tags/package.json
index 529b34ac6..54d8604d8 100644
--- a/src/lib/custom-resources/runtime-cfn-tags/package.json
+++ b/src/lib/custom-resources/runtime-cfn-tags/package.json
@@ -1,21 +1,21 @@
-{
- "name": "@aws-accelerator/custom-resource-runtime-cfn-tags",
- "version": "0.0.1",
- "private": true,
- "main": "src/index.ts",
- "devDependencies": {
- "@types/aws-lambda": "8.10.46",
- "@types/node": "12.12.6",
- "typescript": "3.8.3"
- },
- "dependencies": {
- "aws-lambda": "1.0.5",
- "aws-sdk": "2.668.0",
- "exponential-backoff": "3.0.0"
- },
- "peerDependencies": {
- "aws-lambda": "^1.0.5",
- "aws-sdk": "^2.668.0",
- "exponential-backoff": "^3.0.0"
- }
-}
+{
+ "name": "@aws-accelerator/custom-resource-runtime-cfn-tags",
+ "version": "0.0.1",
+ "private": true,
+ "main": "src/index.ts",
+ "devDependencies": {
+ "@types/aws-lambda": "8.10.46",
+ "@types/node": "12.12.6",
+ "typescript": "3.8.3"
+ },
+ "dependencies": {
+ "aws-lambda": "1.0.5",
+ "aws-sdk": "2.668.0",
+ "exponential-backoff": "3.0.0"
+ },
+ "peerDependencies": {
+ "aws-lambda": "^1.0.5",
+ "aws-sdk": "^2.668.0",
+ "exponential-backoff": "^3.0.0"
+ }
+}
diff --git a/src/lib/custom-resources/runtime-cfn-tags/tsconfig.json b/src/lib/custom-resources/runtime-cfn-tags/tsconfig.json
index c5e87d76a..0cfdc8e91 100644
--- a/src/lib/custom-resources/runtime-cfn-tags/tsconfig.json
+++ b/src/lib/custom-resources/runtime-cfn-tags/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "strict": true,
- "outDir": "dist",
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "module": "commonjs",
- "moduleResolution": "node",
- "esModuleInterop": true,
- "noImplicitAny": true
- },
- "include": [
- "src/**/*"
- ],
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ]
-}
+{
+ "compilerOptions": {
+ "strict": true,
+ "outDir": "dist",
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "esModuleInterop": true,
+ "noImplicitAny": true
+ },
+ "include": [
+ "src/**/*"
+ ],
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ]
+}
diff --git a/src/lib/custom-resources/runtime-webpack-base/package.json b/src/lib/custom-resources/runtime-webpack-base/package.json
index 2f83ab332..b72300d11 100644
--- a/src/lib/custom-resources/runtime-webpack-base/package.json
+++ b/src/lib/custom-resources/runtime-webpack-base/package.json
@@ -1,20 +1,20 @@
-{
- "name": "@aws-accelerator/custom-resource-runtime-webpack-base",
- "version": "0.0.1",
- "private": true,
- "main": "src/index.ts",
- "dependencies": {
- "@types/webpack": "4.41.8",
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "webpack": "4.42.1",
- "webpack-cli": "3.3.11",
- "webpack-shell-plugin-next": "1.1.9"
- },
- "peerDependencies": {
- "ts-loader": "^7.0.5",
- "typescript": "^3.8.3",
- "webpack": "^4.42.1",
- "webpack-cli": "^3.3.11"
- }
-}
+{
+ "name": "@aws-accelerator/custom-resource-runtime-webpack-base",
+ "version": "0.0.1",
+ "private": true,
+ "main": "src/index.ts",
+ "dependencies": {
+ "@types/webpack": "4.41.8",
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "webpack": "4.42.1",
+ "webpack-cli": "3.3.11",
+ "webpack-shell-plugin-next": "1.1.9"
+ },
+ "peerDependencies": {
+ "ts-loader": "^7.0.5",
+ "typescript": "^3.8.3",
+ "webpack": "^4.42.1",
+ "webpack-cli": "^3.3.11"
+ }
+}
diff --git a/src/lib/custom-resources/runtime-webpack-base/tsconfig.json b/src/lib/custom-resources/runtime-webpack-base/tsconfig.json
index 3afbae973..c9954ca34 100644
--- a/src/lib/custom-resources/runtime-webpack-base/tsconfig.json
+++ b/src/lib/custom-resources/runtime-webpack-base/tsconfig.json
@@ -1,20 +1,20 @@
-{
- "compilerOptions": {
- "strict": true,
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "module": "commonjs",
- "moduleResolution": "node",
- "esModuleInterop": true,
- "noImplicitAny": true
- },
- "include": [
- "src/**/*"
- ],
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ]
-}
+{
+ "compilerOptions": {
+ "strict": true,
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "esModuleInterop": true,
+ "noImplicitAny": true
+ },
+ "include": [
+ "src/**/*"
+ ],
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ]
+}
diff --git a/src/lib/custom-resources/ssm-session-manager-document/README.md b/src/lib/custom-resources/ssm-session-manager-document/README.md
index 15357df34..c0a713321 100644
--- a/src/lib/custom-resources/ssm-session-manager-document/README.md
+++ b/src/lib/custom-resources/ssm-session-manager-document/README.md
@@ -1,36 +1,36 @@
-# Security Hub Enable Standards
-
-This is a custom resource to enable Security Hub Standards and disable specific controls Used `describeStandards`, `batchEnableStandards`, `describeStandardControls` and `updateStandardControls` API calls.
-
-## Usage
-
- import { SecurityHubEnable } from '@custom-resources/security-hub-enable';
-
- const enableSecurityHubResource = new SecurityHubEnable(this, 'EnableSecurityHubStandards`, {
- standards: standards.standards,
- });
-
-## Input Example
-
- [
- {
- "name": "AWS Foundational Security Best Practices v1.0.0",
- "controls-to-disable": [
- "IAM.1"
- ]
- },
- {
- "name": "PCI DSS v3.2.1",
- "controls-to-disable": [
- "PCI.IAM.3",
- "PCIDSS8.3.1"
- ]
- },
- {
- "name": "CIS AWS Foundations Benchmark v1.2.0",
- "controls-to-disable": [
- "CIS.1.3",
- "CIS1.11"
- ]
- }
- ]
+# Security Hub Enable Standards
+
+This is a custom resource to enable Security Hub Standards and disable specific controls Used `describeStandards`, `batchEnableStandards`, `describeStandardControls` and `updateStandardControls` API calls.
+
+## Usage
+
+ import { SecurityHubEnable } from '@custom-resources/security-hub-enable';
+
+ const enableSecurityHubResource = new SecurityHubEnable(this, 'EnableSecurityHubStandards`, {
+ standards: standards.standards,
+ });
+
+## Input Example
+
+ [
+ {
+ "name": "AWS Foundational Security Best Practices v1.0.0",
+ "controls-to-disable": [
+ "IAM.1"
+ ]
+ },
+ {
+ "name": "PCI DSS v3.2.1",
+ "controls-to-disable": [
+ "PCI.IAM.3",
+ "PCIDSS8.3.1"
+ ]
+ },
+ {
+ "name": "CIS AWS Foundations Benchmark v1.2.0",
+ "controls-to-disable": [
+ "CIS.1.3",
+ "CIS1.11"
+ ]
+ }
+ ]
diff --git a/src/lib/custom-resources/ssm-session-manager-document/lambda/.gitignore b/src/lib/custom-resources/ssm-session-manager-document/lambda/.gitignore
index 6fc7bee68..1521c8b76 100644
--- a/src/lib/custom-resources/ssm-session-manager-document/lambda/.gitignore
+++ b/src/lib/custom-resources/ssm-session-manager-document/lambda/.gitignore
@@ -1 +1 @@
-dist
+dist
diff --git a/src/lib/custom-resources/ssm-session-manager-document/lambda/package.json b/src/lib/custom-resources/ssm-session-manager-document/lambda/package.json
index 55073a4d6..d6e2bacb9 100644
--- a/src/lib/custom-resources/ssm-session-manager-document/lambda/package.json
+++ b/src/lib/custom-resources/ssm-session-manager-document/lambda/package.json
@@ -1,30 +1,30 @@
-{
- "name": "@aws-accelerator/custom-resource-ssm-session-manager-document-runtime",
- "version": "0.0.1",
- "private": true,
- "scripts": {
- "prepare": "webpack-cli --config webpack.config.ts"
- },
- "source": "src/index.ts",
- "main": "dist/index.js",
- "types": "dist/index.d.ts",
- "externals": [
- "aws-lambda",
- "aws-sdk"
- ],
- "devDependencies": {
- "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
- "@types/aws-lambda": "8.10.46",
- "@types/node": "12.12.6",
- "ts-loader": "7.0.5",
- "typescript": "3.8.3",
- "webpack": "4.42.1",
- "webpack-cli": "3.3.11"
- },
- "dependencies": {
- "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
- "aws-lambda": "1.0.5",
- "aws-sdk": "2.668.0",
- "exponential-backoff": "3.0.0"
- }
-}
+{
+ "name": "@aws-accelerator/custom-resource-ssm-session-manager-document-runtime",
+ "version": "0.0.1",
+ "private": true,
+ "scripts": {
+ "prepare": "webpack-cli --config webpack.config.ts"
+ },
+ "source": "src/index.ts",
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts",
+ "externals": [
+ "aws-lambda",
+ "aws-sdk"
+ ],
+ "devDependencies": {
+ "@aws-accelerator/custom-resource-runtime-webpack-base": "workspace:^0.0.1",
+ "@types/aws-lambda": "8.10.46",
+ "@types/node": "12.12.6",
+ "ts-loader": "7.0.5",
+ "typescript": "3.8.3",
+ "webpack": "4.42.1",
+ "webpack-cli": "3.3.11"
+ },
+ "dependencies": {
+ "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:^0.0.1",
+ "aws-lambda": "1.0.5",
+ "aws-sdk": "2.668.0",
+ "exponential-backoff": "3.0.0"
+ }
+}
diff --git a/src/lib/custom-resources/ssm-session-manager-document/lambda/tsconfig.json b/src/lib/custom-resources/ssm-session-manager-document/lambda/tsconfig.json
index 5be0a81ef..118a8376a 100644
--- a/src/lib/custom-resources/ssm-session-manager-document/lambda/tsconfig.json
+++ b/src/lib/custom-resources/ssm-session-manager-document/lambda/tsconfig.json
@@ -1,15 +1,15 @@
-{
- "compilerOptions": {
- "target": "es2019",
- "lib": ["es2019"],
- "module": "commonjs",
- "moduleResolution": "node",
- "strict": true,
- "declaration": true,
- "esModuleInterop": true,
- "noImplicitAny": true,
- "resolveJsonModule": true
- },
- "include": ["src/**/*"],
- "exclude": ["node_modules", "**/*.spec.ts"]
-}
+{
+ "compilerOptions": {
+ "target": "es2019",
+ "lib": ["es2019"],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "strict": true,
+ "declaration": true,
+ "esModuleInterop": true,
+ "noImplicitAny": true,
+ "resolveJsonModule": true
+ },
+ "include": ["src/**/*"],
+ "exclude": ["node_modules", "**/*.spec.ts"]
+}
diff --git a/src/lib/custom-resources/ssm-session-manager-document/package.json b/src/lib/custom-resources/ssm-session-manager-document/package.json
index 361033669..8ea5dccc2 100644
--- a/src/lib/custom-resources/ssm-session-manager-document/package.json
+++ b/src/lib/custom-resources/ssm-session-manager-document/package.json
@@ -1,24 +1,24 @@
-{
- "name": "@aws-accelerator/custom-resource-ssm-session-manager-document",
- "version": "0.0.1",
- "private": true,
- "main": "lib/index.ts",
- "devDependencies": {
- "@aws-accelerator/custom-resource-ssm-session-manager-document-runtime": "workspace:^0.0.1",
- "@types/aws-lambda": "8.10.46",
- "@types/cfn-response": "1.0.3",
- "@types/node": "12.12.6",
- "tslint": "6.1.0",
- "tslint-config-prettier": "1.18.0",
- "tslint-config-standard": "9.0.0"
- },
- "dependencies": {
- "@aws-cdk/aws-iam": "1.46.0",
- "@aws-cdk/core": "1.46.0",
- "@aws-cdk/aws-lambda": "1.46.0"
- },
- "peerDependencies": {
- "@aws-cdk/aws-iam": "^1.46.0",
- "@aws-cdk/core": "^1.46.0"
- }
-}
+{
+ "name": "@aws-accelerator/custom-resource-ssm-session-manager-document",
+ "version": "0.0.1",
+ "private": true,
+ "main": "lib/index.ts",
+ "devDependencies": {
+ "@aws-accelerator/custom-resource-ssm-session-manager-document-runtime": "workspace:^0.0.1",
+ "@types/aws-lambda": "8.10.46",
+ "@types/cfn-response": "1.0.3",
+ "@types/node": "12.12.6",
+ "tslint": "6.1.0",
+ "tslint-config-prettier": "1.18.0",
+ "tslint-config-standard": "9.0.0"
+ },
+ "dependencies": {
+ "@aws-cdk/aws-iam": "1.46.0",
+ "@aws-cdk/core": "1.46.0",
+ "@aws-cdk/aws-lambda": "1.46.0"
+ },
+ "peerDependencies": {
+ "@aws-cdk/aws-iam": "^1.46.0",
+ "@aws-cdk/core": "^1.46.0"
+ }
+}
diff --git a/src/lib/custom-resources/ssm-session-manager-document/tsconfig.json b/src/lib/custom-resources/ssm-session-manager-document/tsconfig.json
index f8798dfc9..3f9bf4412 100644
--- a/src/lib/custom-resources/ssm-session-manager-document/tsconfig.json
+++ b/src/lib/custom-resources/ssm-session-manager-document/tsconfig.json
@@ -1,21 +1,21 @@
-{
- "compilerOptions": {
- "strict": true,
- "outDir": "dist",
- "target": "es2019",
- "lib": [
- "es2019"
- ],
- "module": "commonjs",
- "moduleResolution": "node",
- "esModuleInterop": true,
- "noImplicitAny": true
- },
- "include": [
- "lib/**/*"
- ],
- "exclude": [
- "node_modules",
- "**/*.spec.ts"
- ]
-}
+{
+ "compilerOptions": {
+ "strict": true,
+ "outDir": "dist",
+ "target": "es2019",
+ "lib": [
+ "es2019"
+ ],
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "esModuleInterop": true,
+ "noImplicitAny": true
+ },
+ "include": [
+ "lib/**/*"
+ ],
+ "exclude": [
+ "node_modules",
+ "**/*.spec.ts"
+ ]
+}
diff --git a/tslint.json b/tslint.json
index d47999a07..e1d925505 100644
--- a/tslint.json
+++ b/tslint.json
@@ -1,79 +1,79 @@
-{
- "rules": {
- "align": false,
- "ban": false,
- "class-name": true,
- "comment-format": [
- true,
- "check-space"
- ],
- "curly": true,
- "eofline": false,
- "file-name-casing": [
- true,
- "kebab-case"
- ],
- "forin": true,
- "indent": false,
- "interface-name": false,
- "jsdoc-format": true,
- "jsx-no-lambda": false,
- "jsx-no-multiline-js": false,
- "label-position": true,
- "max-line-length": false,
- "max-classes-per-file": false,
- "member-ordering": false,
- "no-any": true,
- "no-arg": true,
- "no-bitwise": true,
- "no-console": false,
- "no-consecutive-blank-lines": false,
- "no-construct": true,
- "no-debugger": true,
- "no-duplicate-variable": true,
- "no-empty": [
- true,
- "allow-empty-catch"
- ],
- "no-eval": true,
- "no-implicit-dependencies": false,
- "no-namespace": false,
- "no-shadowed-variable": [true, {"underscore": false}],
- "no-string-literal": true,
- "no-submodule-imports": false,
- "no-switch-case-fall-through": true,
- "no-trailing-whitespace": false,
- "no-unused-expression": false,
- "no-use-before-declare": false,
- "one-line": false,
- "prefer-conditional-expression": false,
- "quotemark": false,
- "radix": true,
- "semicolon": false,
- "switch-default": true,
- "trailing-comma": false,
- "triple-equals": [
- true,
- "allow-null-check"
- ],
- "typedef": [
- true,
- "parameter",
- "property-declaration"
- ],
- "typedef-whitespace": false,
- "variable-name": [
- true,
- "ban-keywords",
- "check-format",
- "allow-leading-underscore",
- "allow-pascal-case"
- ],
- "whitespace": false
- },
- "extends": [
- "tslint:latest",
- "tslint-config-standard",
- "tslint-config-prettier"
- ]
-}
+{
+ "rules": {
+ "align": false,
+ "ban": false,
+ "class-name": true,
+ "comment-format": [
+ true,
+ "check-space"
+ ],
+ "curly": true,
+ "eofline": false,
+ "file-name-casing": [
+ true,
+ "kebab-case"
+ ],
+ "forin": true,
+ "indent": false,
+ "interface-name": false,
+ "jsdoc-format": true,
+ "jsx-no-lambda": false,
+ "jsx-no-multiline-js": false,
+ "label-position": true,
+ "max-line-length": false,
+ "max-classes-per-file": false,
+ "member-ordering": false,
+ "no-any": true,
+ "no-arg": true,
+ "no-bitwise": true,
+ "no-console": false,
+ "no-consecutive-blank-lines": false,
+ "no-construct": true,
+ "no-debugger": true,
+ "no-duplicate-variable": true,
+ "no-empty": [
+ true,
+ "allow-empty-catch"
+ ],
+ "no-eval": true,
+ "no-implicit-dependencies": false,
+ "no-namespace": false,
+ "no-shadowed-variable": [true, {"underscore": false}],
+ "no-string-literal": true,
+ "no-submodule-imports": false,
+ "no-switch-case-fall-through": true,
+ "no-trailing-whitespace": false,
+ "no-unused-expression": false,
+ "no-use-before-declare": false,
+ "one-line": false,
+ "prefer-conditional-expression": false,
+ "quotemark": false,
+ "radix": true,
+ "semicolon": false,
+ "switch-default": true,
+ "trailing-comma": false,
+ "triple-equals": [
+ true,
+ "allow-null-check"
+ ],
+ "typedef": [
+ true,
+ "parameter",
+ "property-declaration"
+ ],
+ "typedef-whitespace": false,
+ "variable-name": [
+ true,
+ "ban-keywords",
+ "check-format",
+ "allow-leading-underscore",
+ "allow-pascal-case"
+ ],
+ "whitespace": false
+ },
+ "extends": [
+ "tslint:latest",
+ "tslint-config-standard",
+ "tslint-config-prettier"
+ ]
+}