From 2d58f1d094aaab10f0b954bc8b3a0c461127411a Mon Sep 17 00:00:00 2001 From: Soenke Ruempler Date: Mon, 25 Jan 2021 10:42:07 +0100 Subject: [PATCH] feat: make rootmail feature obligatory since we believe it's best practise. and we are not sure that disabling worked anyway. --- templates/superwerker.template.yaml | 59 ++--------------------------- 1 file changed, 3 insertions(+), 56 deletions(-) diff --git a/templates/superwerker.template.yaml b/templates/superwerker.template.yaml index 77f79f36..3dff75ba 100644 --- a/templates/superwerker.template.yaml +++ b/templates/superwerker.template.yaml @@ -3,20 +3,6 @@ Transform: AWS::Serverless-2016-10-31 Description: Automated Best Practices for AWS Cloud setups - https://superwerker.cloud Parameters: - AuditAWSAccountEmail: - Type: String - Default: "" - Description: Mail Address used to create an AWS Account for Audit purposes. (Leave empty to skip) - MaxLength: 64 - AllowedPattern: (^$|^[_A-Za-z0-9-\+\.]+(\.[_A-Za-z0-9-]+)*@[A-Za-z0-9-]+(\.[A-Za-z0-9]+)*(\.[A-Za-z]{2,})$) - ConstraintDescription: Account Email can contain only ASCII characters. This must be in the format of mail@example.com - LogArchiveAWSAccountEmail: - Type: String - Default: "" - Description: Mail Address used to create an AWS Account for Log Archive purposes. (Leave empty to skip) - MaxLength: 64 - AllowedPattern: (^$|^[_A-Za-z0-9-\+\.]+(\.[_A-Za-z0-9-]+)*@[A-Za-z0-9-]+(\.[A-Za-z0-9]+)*(\.[A-Za-z]{2,})$) - ConstraintDescription: Account Email can contain only ASCII characters. This must be in the format of mail@example.com Domain: Type: String Description: Domain used for Rootmail feature @@ -60,12 +46,6 @@ Parameters: - 'No' Default: 'Yes' Type: String - IncludeRootMail: - AllowedValues: - - 'Yes' - - 'No' - Default: 'Yes' - Type: String TemplateUrlPrefix: Type: String 
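Review bot: Removing `AuditAWSAccountEmail` and `LogArchiveAWSAccountEmail` from `Parameters:` is a backward-incompatible template change that nothing in the template records: a stack created with either address supplied will, on update, have that value swapped for the generated one (the `!GetAtt GeneratedAuditAWSAccountEmail.email` line in the Resources hunk below), and an update that still passes the removed parameter names is rejected by CloudFormation. As the deleted descriptions say, these are the addresses the Audit and Log Archive accounts are created with, i.e. their root-user e-mail, so a silent switch is worth a migration note rather than only a commit message. I would add a comment under `Parameters:` such as `# Audit/Log Archive account e-mails are always generated by the Rootmail feature (see GeneratedAuditAWSAccountEmail); stacks that supplied their own addresses cannot be updated to this revision in place`, or restate it in `Description`. The `IncludeRootMail` removal in the second hunk on this line has the same consequence for stacks that were deployed with 'No'.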
@@ -75,11 +55,6 @@ Metadata: Order: "1" AWS::CloudFormation::Interface: ParameterGroups: - - Label: - default: Account Configuration - Parameters: - - AuditAWSAccountEmail - - LogArchiveAWSAccountEmail - Label: default: Features Parameters: @@ -89,7 +64,6 @@ Metadata: - IncludeSecurityHub - IncludeBackup - IncludeServiceControlPolicies - - IncludeRootMail - Label: default: Domain Configuration Parameters: @@ -100,10 +74,6 @@ Metadata: Parameters: - TemplateUrlPrefix ParameterLabels: - AuditAWSAccountEmail: - default: Audit Account Mail Address - LogArchiveAWSAccountEmail: - default: Log Archive Account Mail Address Domain: default: Domain for automated DNS configuration Subdomain: @@ -122,8 +92,6 @@ Metadata: default: Enable Automated Backups IncludeServiceControlPolicies: default: Enable Service Control Policies in AWS Organizations - IncludeRootMail: - default: Enable automated AWS Account root mail handling Conditions: IncludeBudget: !Equals [ !Ref IncludeBudget, 'Yes' ] @@ -131,7 +99,6 @@ Conditions: IncludeGuardDuty: !And - !Condition IncludeControlTower - !Equals [ !Ref IncludeGuardDuty, 'Yes' ] - IncludeRootMail: !Equals [ !Ref IncludeRootMail, 'Yes' ] IncludeSecurityHub: !And - !Condition IncludeControlTower - !Equals [ !Ref IncludeSecurityHub, 'Yes' ] @@ -141,12 +108,6 @@ Conditions: IncludeServiceControlPolicies: !And - !Condition IncludeControlTower - !Equals [ !Ref IncludeServiceControlPolicies, 'Yes' ] - GenerateAuditAWSAccountEmail: !And - - !Condition IncludeRootMail - - !Equals [ !Ref AuditAWSAccountEmail, "" ] - GenerateLogArchiveEmail: !And - - !Condition IncludeRootMail - - !Equals [ !Ref LogArchiveAWSAccountEmail, "" ] Resources: 
@@ -162,29 +123,20 @@ Resources: Properties: TemplateURL: !Sub ${TemplateUrlPrefix}/templates/control-tower.yaml Parameters: - AuditAWSAccountEmail: !If - - GenerateAuditAWSAccountEmail - - !GetAtt GeneratedAuditAWSAccountEmail.email - - !Ref AuditAWSAccountEmail - LogArchiveAWSAccountEmail: !If - - GenerateLogArchiveEmail - - !GetAtt GeneratedLogArchiveAWSAccountEmail.email - - !Ref LogArchiveAWSAccountEmail + AuditAWSAccountEmail: !GetAtt GeneratedAuditAWSAccountEmail.email + LogArchiveAWSAccountEmail: !GetAtt GeneratedLogArchiveAWSAccountEmail.email GeneratedAuditAWSAccountEmail: - Condition: GenerateAuditAWSAccountEmail Type: AWS::CloudFormation::CustomResource Properties: ServiceToken: !GetAtt GenerateLogAndOrAuditEmailCustomResource.Arn GeneratedLogArchiveAWSAccountEmail: - Condition: GenerateLogArchiveEmail Type: AWS::CloudFormation::CustomResource Properties: ServiceToken: !GetAtt GenerateLogAndOrAuditEmailCustomResource.Arn GenerateLogAndOrAuditEmailCustomResource: - Condition: IncludeRootMail Type: AWS::Serverless::Function Properties: Timeout: 200 @@ -251,13 +203,9 @@ Resources: Properties: TemplateURL: !Sub ${TemplateUrlPrefix}/templates/living-documentation.yaml Parameters: - SuperwerkerDomain: !If - - IncludeRootMail - - !Sub '${Subdomain}.${Domain}' - - '' + SuperwerkerDomain: !Sub '${Subdomain}.${Domain}' RootMail: - Condition: IncludeRootMail Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub ${TemplateUrlPrefix}/templates/rootmail.yaml @@ -297,6 +245,5 @@ Resources: Outputs: RootMailDelegationTarget: - Condition: IncludeRootMail Description: Nameservers for the hosted zone delegation Value: !GetAtt RootMail.Outputs.DelegationTarget
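Review bot: With `Condition: IncludeRootMail` dropped from `GenerateLogAndOrAuditEmailCustomResource` and the two `Generated*Email` custom resources made unconditional, the Control Tower nested stack's account e-mails now always come from addresses the template itself generates, yet nothing documents what that implies for operators; the enclosing stack resource whose `Parameters:` are edited here starts above the hunk. If, as the resource names suggest, those addresses live under the Rootmail domain `${Subdomain}.${Domain}` (the value now passed unconditionally in the living-documentation hunk), then mail to the Audit and Log Archive root users — password-reset mail included — is presumably only deliverable once the delegation published in `RootMailDelegationTarget` is in place, which is a recovery dependency worth stating next to the resources. I would add above `GeneratedAuditAWSAccountEmail:` a comment like `# Root-user e-mail for the Audit/Log Archive accounts is generated under the Rootmail domain; delivery (and root password recovery) depends on the RootMailDelegationTarget delegation being configured` (confirm the domain assumption against the function code). As a style point, the helper is still named `GenerateLogAndOrAuditEmailCustomResource` although the "and/or" choice no longer exists; a rename is optional but the name now misleads.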