-
Notifications
You must be signed in to change notification settings - Fork 1
/
PrivateDNSProduct.yml
154 lines (148 loc) · 5.5 KB
/
PrivateDNSProduct.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
AWSTemplateFormatVersion: 2010-09-09
Description: This template configures Route53 private hosted zones and Authorization to hub VPC in an AVM-vended account for Hybrid DNS capabilities
Parameters:
DomainName:
Type: String
Description: The Domain name used in the Private Hosted Zone to be created in the application accounts
LocalVPCID:
Type: AWS::EC2::VPC::Id
Description: VPC ID of the local VPC in the Application Account
NetworkingHubAccountId:
Type: String
Description: The account id of the Networking Hub Account
AdditionalVPCIds:
Type: List<String>
Description: VPC Ids from other accounts belonging to the organization to associate to private hosted zone
AdditionalAccountIds:
Type: List<Number>
Description: Account Ids of the VPCs provided in AdditionalVPCIds parameter. Please ensure the accounts ids are provided in the same order as the vpc ids.
SNSAssociationTopicArn:
Type: String
Description: Arn of the SNS Hub Association Topic (Shared Services)
Resources:
PrivateHostedZone:
Type: AWS::Route53::HostedZone
Properties :
Name : !Ref DomainName
VPCs:
-
VPCRegion: !Ref "AWS::Region"
VPCId: !Ref LocalVPCID
HubAuthorizationCustomResource:
Type: Custom::Authorization
Properties:
ServiceToken: !GetAtt HubAuthorizationLambda.Arn
HostedZoneId: !Ref PrivateHostedZone
HostedZoneDomainName: !Ref DomainName
SourceAccountId: !Ref "AWS::AccountId"
VPCIds: !Ref AdditionalVPCIds
VPCRegion: !Ref "AWS::Region"
AccountIds: !Ref AdditionalAccountIds
SNSAssociationTopic: !Ref SNSAssociationTopicArn
HubAuthorizationLambdaRole:
Type: 'AWS::IAM::Role'
Metadata:
cfn_nag:
rules_to_suppress:
- id: W11
reason: "Resource * acceptable for this policy."
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: 'lambda.amazonaws.com'
Action:
- 'sts:AssumeRole'
Path: '/'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
Policies:
- PolicyName: Route53PrivateZoneAuthorization
PolicyDocument:
Statement:
- Effect: Allow
Action:
- route53:CreateVPCAssociationAuthorization
Resource: !Sub 'arn:${AWS::Partition}:route53:::hostedzone/*'
- PolicyName: SNSPublish
PolicyDocument:
Statement:
- Effect: Allow
Action:
- sns:Publish
Resource: !Ref SNSAssociationTopicArn
- PolicyName: DeleteBoilerPlateVPC
PolicyDocument:
Statement:
- Effect: Allow
Action:
- ec2:DeleteVpc
Resource: "*"
HubAuthorizationLambda: # needs no monitoring because it is used as a custom resource
Type: 'AWS::Lambda::Function'
DependsOn:
- PrivateHostedZone
Properties:
Code:
ZipFile:
!Sub |
# Import statements
import boto3, sys
import os
import cfnresponse
import json
from botocore.exceptions import ClientError
# Start Lambda function
def create_association(event,context):
props = event['ResourceProperties']
route53 = boto3.client('route53')
sns = boto3.client('sns')
try:
#Paylod for SNS message
subject=f"{props['HostedZoneId']} Association Request"
payload={
"hostedZoneId": f"{props['HostedZoneId']}",
"hostedZoneDomainName": f"{props['HostedZoneDomainName']}",
"SourceAccountId": f"{props['SourceAccountId']}",
"VPCIds": f"{props['VPCIds']}",
"AccountIds": f"{props['AccountIds']}",
"VPCRegion": f"{props['VPCRegion']}"
}
sns.publish(
TopicArn=f"{props['SNSAssociationTopic']}",
Subject=subject,
Message=json.dumps(payload)
)
print("Respond: SUCCESS")
cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
return
except ClientError as ex:
print('Updating Authorization has failed. See the following error.')
print(ex.response['Error']['Message'])
print("Respond: FAILED")
cfnresponse.send(event, context, cfnresponse.FAILED, ex.response)
def lambda_handler(event, context):
print(f"Custom::Authorization: {event['RequestType']}")
if event['RequestType'] in ["Create","Update"]:
print(f"{event['RequestType']}: Authorization Custom Resource")
create_association(event,context)
# Handle a CloudFormation resource delete event
if event['RequestType'] == "Delete":
print("Delete: Authorization Custom Resource")
# Nothing to delete
cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
return
Environment:
Variables:
BP_VPC: !Ref LocalVPCID
Handler: 'index.lambda_handler'
MemorySize: 128
Role: !GetAtt 'HubAuthorizationLambdaRole.Arn'
Runtime: 'python3.6'
Timeout: 60
HubAuthorizationLambdaLogGroup:
Type: 'AWS::Logs::LogGroup'
Properties:
LogGroupName: !Sub '/aws/lambda/${HubAuthorizationLambda}'