feat(core): Save outputs to SSM Parameter Store

reference-artifacts/config.example.json

@@ -11,6 +11,7 @@
     "workloadaccounts-prefix": "config",
     "workloadaccounts-param-filename": "config.json",
     "ignored-ous": [],
+    "additional-global-output-regions": [],
     "supported-regions": [
       "ap-northeast-1",
       "ap-northeast-2",

src/core/cdk/src/initial-setup.ts

@@ -21,6 +21,7 @@ import { RunAcrossAccountsTask } from './tasks/run-across-accounts-task';
 import * as fs from 'fs';
 import * as sns from '@aws-cdk/aws-sns';
 import { StoreOutputsTask } from './tasks/store-outputs-task';
+import { StoreOutputsToSSMTask } from './tasks/store-outputs-to-ssm-task';
 
 export namespace InitialSetup {
   export interface CommonProps {
@@ -90,6 +91,18 @@ export namespace InitialSetup {
         encryption: dynamodb.TableEncryption.DEFAULT,
       });
 
+      const outputUtilsTable = new dynamodb.Table(this, 'OutputUtils', {
+        tableName: createName({
+          name: 'Output-Utils',
+          suffixLength: 0,
+        }),
+        partitionKey: {
+          name: 'id',
+          type: dynamodb.AttributeType.STRING,
+        },
+        encryption: dynamodb.TableEncryption.DEFAULT,
+      });
+
       // This is the maximum time before a build times out
       // The role used by the build should allow this session duration
       const buildTimeout = cdk.Duration.hours(4);
@@ -499,7 +512,36 @@ export namespace InitialSetup {
         resultPath: 'DISCARD',
       });
 
-      const pass = new sfn.Pass(this, 'Success');
+      const storeOutputsToSsmStateMachine = new sfn.StateMachine(
+        this,
+        `${props.acceleratorPrefix}StoreOutputsToSsm_sm`,
+        {
+          stateMachineName: `${props.acceleratorPrefix}StoreOutputsToSsm_sm`,
+          definition: new StoreOutputsToSSMTask(this, 'StoreOutputsToSSM', {
+            lambdaCode,
+            role: pipelineRole,
+          }),
+        },
+      );
+
+      const storeAllOutputsToSsmTask = new sfn.Task(this, 'Store Outputs to SSM', {
+        // tslint:disable-next-line: deprecation
+        task: new tasks.StartExecution(storeOutputsToSsmStateMachine, {
+          integrationPattern: sfn.ServiceIntegrationPattern.SYNC,
+          input: {
+            'accounts.$': '$.accounts',
+            'regions.$': '$.regions',
+            acceleratorPrefix: props.acceleratorPrefix,
+            assumeRoleName: props.stateMachineExecutionRole,
+            outputsTableName: outputsTable.tableName,
+            configRepositoryName: props.configRepositoryName,
+            'configFilePath.$': '$.configFilePath',
+            'configCommitId.$': '$.configCommitId',
+            outputUtilsTableName: outputUtilsTable.tableName,
+          },
+        }),
+        resultPath: 'DISCARD',
+      });
 
       const detachQuarantineScpTask = new CodeTask(this, 'Detach Quarantine SCP', {
         functionProps: {
@@ -513,7 +555,7 @@ export namespace InitialSetup {
         },
         resultPath: 'DISCARD',
       });
-      detachQuarantineScpTask.next(pass);
+      detachQuarantineScpTask.next(storeAllOutputsToSsmTask);
 
       const enableTrustedAccessForServicesTask = new CodeTask(this, 'Enable Trusted Access For Services', {
         functionProps: {
@@ -790,7 +832,7 @@ export namespace InitialSetup {
 
       const baseLineCleanupChoice = new sfn.Choice(this, 'Baseline Clean Up?')
         .when(sfn.Condition.stringEquals('$.baseline', 'ORGANIZATIONS'), detachQuarantineScpTask)
-        .otherwise(pass);
+        .otherwise(storeAllOutputsToSsmTask);
 
       const commonStep1 = addScpTask.startState
         .next(deployPhase1Task)

src/core/cdk/src/tasks/store-outputs-to-ssm-task.ts

@@ -0,0 +1,97 @@
+import * as cdk from '@aws-cdk/core';
+import * as iam from '@aws-cdk/aws-iam';
+import * as lambda from '@aws-cdk/aws-lambda';
+import * as sfn from '@aws-cdk/aws-stepfunctions';
+import { CodeTask } from '@aws-accelerator/cdk-accelerator/src/stepfunction-tasks';
+
+export namespace StoreOutputsToSSMTask {
+  export interface Props {
+    role: iam.IRole;
+    lambdaCode: lambda.Code;
+    functionPayload?: { [key: string]: unknown };
+    waitSeconds?: number;
+  }
+}
+
+export class StoreOutputsToSSMTask extends sfn.StateMachineFragment {
+  readonly startState: sfn.State;
+  readonly endStates: sfn.INextable[];
+
+  constructor(scope: cdk.Construct, id: string, props: StoreOutputsToSSMTask.Props) {
+    super(scope, id);
+
+    const { role, lambdaCode, functionPayload, waitSeconds = 10 } = props;
+
+    role.addToPrincipalPolicy(
+      new iam.PolicyStatement({
+        effect: iam.Effect.ALLOW,
+        resources: ['*'],
+        actions: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'],
+      }),
+    );
+
+    const storeAccountOutputs = new sfn.Map(this, `Store Account Outputs To SSM`, {
+      itemsPath: `$.accounts`,
+      resultPath: 'DISCARD',
+      maxConcurrency: 10,
+      parameters: {
+        'accountId.$': '$$.Map.Item.Value',
+        'regions.$': '$.regions',
+        'acceleratorPrefix.$': '$.acceleratorPrefix',
+        'assumeRoleName.$': '$.assumeRoleName',
+        'outputsTableName.$': '$.outputsTableName',
+        'configRepositoryName.$': '$.configRepositoryName',
+        'configFilePath.$': '$.configFilePath',
+        'configCommitId.$': '$.configCommitId',
+        'outputUtilsTableName.$': '$.outputUtilsTableName',
+      },
+    });
+
+    const getAccountInfoTask = new CodeTask(scope, `Get Account Details`, {
+      comment: 'Get Account Info',
+      resultPath: '$.account',
+      functionPayload,
+      functionProps: {
+        role,
+        code: lambdaCode,
+        handler: 'index.getAccountInfo',
+      },
+    });
+
+    const storeAccountRegionOutputs = new sfn.Map(this, `Store Account Region Outputs To SSM`, {
+      itemsPath: `$.regions`,
+      resultPath: 'DISCARD',
+      maxConcurrency: 10,
+      parameters: {
+        'account.$': '$.account',
+        'region.$': '$$.Map.Item.Value',
+        'acceleratorPrefix.$': '$.acceleratorPrefix',
+        'assumeRoleName.$': '$.assumeRoleName',
+        'outputsTableName.$': '$.outputsTableName',
+        'configRepositoryName.$': '$.configRepositoryName',
+        'configFilePath.$': '$.configFilePath',
+        'configCommitId.$': '$.configCommitId',
+        'outputUtilsTableName.$': '$.outputUtilsTableName',
+      },
+    });
+
+    getAccountInfoTask.next(storeAccountRegionOutputs);
+    const storeOutputsTask = new CodeTask(scope, `Store Outputs To SSM`, {
+      resultPath: '$.storeOutputsOutput',
+      functionPayload,
+      functionProps: {
+        role,
+        code: lambdaCode,
+        handler: 'index.saveOutputsToSSM',
+      },
+    });
+
+    const pass = new sfn.Pass(this, 'Store Outputs To SSM Success');
+    storeAccountOutputs.iterator(getAccountInfoTask);
+    storeAccountRegionOutputs.iterator(storeOutputsTask);
+    const chain = sfn.Chain.start(storeAccountOutputs).next(pass);
+
+    this.startState = chain.startState;
+    this.endStates = chain.endStates;
+  }
+}

src/core/runtime/src/index.ts

@@ -23,6 +23,7 @@ export { handler as verifyFilesStep } from './verify-files-step';
 export { handler as notifySMFailure } from './notify-statemachine-failure';
 export { handler as notifySMSuccess } from './notify-statemachine-success';
 export { handler as getAccountInfo } from './get-account-info';
+export { handler as saveOutputsToSSM } from './save-outputs-to-ssm';
 
 // TODO Replace with
 //   export * as codebuild from './codebuild';