This solution is designed to help users set up the appropriate AWS IAM roles and permissions so that CloudQuery can fetch all supported resources in the accounts of an AWS Organization. It deploys a child role into each member account and a role in the administrator account for CloudQuery to use.

This solution leverages CloudFormation StackSets and service-managed permissions to deploy IAM roles automatically into each account in the specified account list or organizational unit, without requiring additional deployment IAM roles.
The template may need to change depending on where the StackSet is deployed from. For AWS Organizations, StackSets can be managed from either the Organization Management (Admin) Account or a Delegated Administrator Account. A delegated administrator account is a member account that can create and manage StackSets with service-managed permissions for the organization.

If using a delegated administrator account, delegated administration must first be set up for CloudFormation StackSets. Follow AWS's guide here. When deploying from a delegated administrator account, `DELEGATED_ADMIN` must be specified in the `CallAs` property of the CloudFormation StackSet:
```yaml
CloudQueryMemberRoles:
  Type: 'AWS::CloudFormation::StackSet'
  Properties:
    StackSetName: CloudQueryOrgRoles
    CallAs: DELEGATED_ADMIN
    Description: cloudquery org setup
    Capabilities:
      - CAPABILITY_NAMED_IAM
```
The current `template.yml` is meant for use from the organization management account; the `CallAs` line must be added to the template for use from a Delegated Administrator account.
1. Clone this repo.
2. Run the following command, replacing `<ROOT_ORG_ID>` with the OU ID of your root (to deploy to your entire organization) or a comma-separated list of OUs:

```shell
aws cloudformation create-stack --stack-name CloudQueryOrg-Deploy --template-body file://./template.yml --capabilities CAPABILITY_NAMED_IAM --parameters ParameterKey=OrganizationUnitList,ParameterValue=<ROOT_ORG_ID>
```

3. To get the ARN of the role in the Admin account and the name of the role deployed in each member account:

```shell
aws cloudformation describe-stacks --stack-name CloudQueryOrg-Deploy --query "Stacks[].Outputs"
```

4. Using the output you got in step (3), update the following values in your `cloudquery.yml` configuration file:

```yaml
kind: source
spec:
  name: aws
  path: cloudquery/aws
  registry: cloudquery
  version: "v26.6.0" # find latest version here: https://hub.cloudquery.io/plugins/source/cloudquery/aws/latest
  tables: ['aws_s3_buckets']
  destinations: ["postgresql"]
  spec:
    aws_debug: false
    org:
      admin_account:
        role_arn: <AdminRoleArn>
      member_role_name: <MemberRoleName>
    regions:
      - "*"
```
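The two checks a practitioner usually wants before and after running steps 2 to 4, as an added example that is not code from the CloudQuery repository: confirm the StackSet resource in `template.yml` matches the account it is deployed from (the `CallAs` rule above), and turn the step 3 outputs into the `org` block of `cloudquery.yml` while rejecting leftover `<...>` placeholders. It assumes `template.yml` has already been loaded into a dict (for example with PyYAML) and that the stack outputs are named `AdminRoleArn` and `MemberRoleName`, as the placeholders in the snippet suggest.

```python
# Added example, not code from the CloudQuery repository. Assumes template.yml has already
# been loaded into a dict (e.g. with PyYAML) and that the stack outputs are named
# AdminRoleArn and MemberRoleName, as the placeholders in the cloudquery.yml snippet suggest.
import re

STACKSET_TYPE = "AWS::CloudFormation::StackSet"
# IAM role ARN: partition, 12-digit account id, role path/name. Rejects leftover placeholders.
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::\d{12}:role/[\w+=,.@/-]+$")
ROLE_NAME_RE = re.compile(r"^[\w+=,.@-]{1,64}$")


def check_stackset(template, delegated_admin):
    """Return problems with the StackSet resource for the account it is deployed from."""
    stacksets = [r for r in template.get("Resources", {}).values() if r.get("Type") == STACKSET_TYPE]
    if len(stacksets) != 1:
        return [f"expected exactly one {STACKSET_TYPE} resource, found {len(stacksets)}"]
    props = stacksets[0].get("Properties", {})
    problems = []
    if "CAPABILITY_NAMED_IAM" not in props.get("Capabilities", []):
        problems.append("Capabilities must include CAPABILITY_NAMED_IAM: the template creates named IAM roles")
    call_as = props.get("CallAs")
    if delegated_admin and call_as != "DELEGATED_ADMIN":
        problems.append("deploying from a delegated administrator account requires CallAs: DELEGATED_ADMIN")
    if not delegated_admin and call_as == "DELEGATED_ADMIN":
        problems.append("CallAs: DELEGATED_ADMIN only applies when deploying from a delegated administrator account")
    return problems


def org_config_from_outputs(stacks_outputs):
    """Map the `Stacks[].Outputs` result of step 3 onto the `org` block of cloudquery.yml (step 4)."""
    outputs = {o["OutputKey"]: o["OutputValue"] for stack in stacks_outputs for o in stack}
    role_arn, member_role = outputs.get("AdminRoleArn"), outputs.get("MemberRoleName")
    if not role_arn or not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"AdminRoleArn missing or not an IAM role ARN: {role_arn!r}")
    if not member_role or not ROLE_NAME_RE.match(member_role):
        raise ValueError(f"MemberRoleName missing or not an IAM role name: {member_role!r}")
    return {"admin_account": {"role_arn": role_arn}, "member_role_name": member_role}


# Constructed sample: the resource from this page's template.yml, and outputs in the shape
# returned by `aws cloudformation describe-stacks --query "Stacks[].Outputs"`.
TEMPLATE = {"Resources": {"CloudQueryMemberRoles": {"Type": STACKSET_TYPE, "Properties": {
    "StackSetName": "CloudQueryOrgRoles", "Description": "cloudquery org setup",
    "Capabilities": ["CAPABILITY_NAMED_IAM"]}}}}
SAMPLE_OUTPUTS = [[
    {"OutputKey": "AdminRoleArn", "OutputValue": "arn:aws:iam::111111111111:role/CloudQueryAdminRole"},
    {"OutputKey": "MemberRoleName", "OutputValue": "CloudQueryMemberRole"},
]]
```

Running `check_stackset(TEMPLATE, delegated_admin=True)` on the unmodified template reports the missing `CallAs` line, which is exactly the change the previous paragraph asks for.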
Run this to delete all resources that were created:

```shell
aws cloudformation delete-stack --stack-name CloudQueryOrg-Deploy
```
- Homepage: https://cloudquery.io
- Documentation: https://docs.cloudquery.io
- Discord: https://cloudquery.io/discord
Feel free to open a pull request for improvements, changes and bug fixes.