-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsra-common-cfct-setup-main-ssm.yaml
158 lines (153 loc) · 6.25 KB
/
sra-common-cfct-setup-main-ssm.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
########################################################################
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
########################################################################
AWSTemplateFormatVersion: 2010-09-09
Description:
This template deploys Customizations for Control Tower (CFCT). Resolving SSM parameters. - 'common_cfct_setup' solution in the repo,
https://github.com/aws-samples/aws-security-reference-architecture-examples
Metadata:
SRA:
Version: 1.0
Entry: Parameters for deploying CFCT solution resolving SSM parameters
Order: 1
cfn-lint:
config:
ignore_checks:
- W6001
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: General Properties
Parameters:
- pSRASolutionName
- Label:
default: CFCT - Pipeline Configuration
Parameters:
- pDeployCustomizationsForAWSControlTower
- pPipelineApprovalStage
- pPipelineApprovalEmail
- pCodePipelineSource
- Label:
default: CFCT - AWS CodeCommit Setup (Applicable if 'AWS CodeCommit' was selected as the CodePipeline Source)
Parameters:
- pExistingRepository
- pCodeCommitRepositoryName
- pCodeCommitBranchName
- Label:
default: CFCT - AWS CloudFormation StackSets Configuration
Parameters:
- pRegionConcurrencyType
- pMaxConcurrentPercentage
- pFailureTolerancePercentage
ParameterLabels:
pCodeCommitBranchName:
default: CodeCommit Branch Name
pCodeCommitRepositoryName:
default: CodeCommit Repository Name
pCodePipelineSource:
default: AWS CodePipeline Source
pDeployCustomizationsForAWSControlTower:
default: Deploy Customizations for AWS Control Tower
pExistingRepository:
default: Existing CodeCommit Repository?
pFailureTolerancePercentage:
default: Failure Tolerance Percentage
pMaxConcurrentPercentage:
default: Max Concurrent Percentage
pPipelineApprovalEmail:
default: Pipeline Approval Email Address
pPipelineApprovalStage:
default: Pipeline Approval Stage
pRegionConcurrencyType:
default: Region Concurrency Type
pSRASolutionName:
default: SRA Solution Name
Parameters:
pCodeCommitBranchName:
Default: main
Description: Name of the branch in CodeCommit repository that contains custom Control Tower configuration.
MaxLength: 256
MinLength: 1
Type: String
pCodeCommitRepositoryName:
AllowedPattern: '^[\w-.]{1,100}(?<!\.git)$'
ConstraintDescription: Max 100 alphanumeric characters. Also special characters supported [_. -]. Name cannot end in '.git'.
Default: custom-control-tower-configuration
Description: Name of the CodeCommit repository that contains custom Control Tower configuration.
Type: String
pCodePipelineSource:
AllowedValues: [Amazon S3, AWS CodeCommit]
Default: AWS CodeCommit
Description: Which AWS CodePipeline source provider do you want to select?
Type: String
pDeployCustomizationsForAWSControlTower:
AllowedValues: ['true', 'false']
Default: 'true'
Description: Indicates whether Customizations for AWS Control Tower (CFCT) should be deployed.
Type: String
pExistingRepository:
AllowedValues: ['Yes', 'No']
Default: 'No'
Description: Are you using an existing CodeCommit repository that already contains custom Control Tower configuration?
Type: String
pFailureTolerancePercentage:
Default: 0
Description:
The percentage of accounts, per Region, for which this stack operation can fail before AWS CloudFormation stops the operation in that Region.
MaxValue: 100
MinValue: 0
Type: Number
pMaxConcurrentPercentage:
Default: 100
Description: The maximum percentage of accounts in which to perform this operation at one time.
MaxValue: 100
MinValue: 1
Type: Number
pPipelineApprovalEmail:
AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$'
ConstraintDescription: Must be a valid email address.
Description: (Not required if Pipeline Approval Stage = 'No') Email for notifying that the CustomControlTower pipeline is waiting for an Approval
Type: String
pPipelineApprovalStage:
AllowedValues: ['Yes', 'No']
Default: 'No'
Description: Do you want to add a manual approval stage to the Custom Control Tower Configuration Pipeline?
Type: String
pRegionConcurrencyType:
AllowedValues: [PARALLEL, SEQUENTIAL]
Default: PARALLEL
Description: Select the the concurrency type of deploying StackSets operations in Regions.
Type: String
pSRASolutionName:
AllowedValues: [sra-common-cfct-setup]
Default: sra-common-cfct-setup
Description: The SRA solution name. The Description value is the folder name of the solution
Type: String
Rules:
PipelineApprovalEmailValidation:
RuleCondition: !Equals [!Ref pPipelineApprovalEmail, '']
Assertions:
- AssertDescription: "'Pipeline Approval Email Address' parameter is required if the 'Pipeline Approval Stage' parameter is set to 'Yes'."
Assert: !Equals [!Ref pPipelineApprovalStage, 'No']
Conditions:
cDeployCustomizationsForAWSControlTower: !Equals [!Ref pDeployCustomizationsForAWSControlTower, 'true']
Resources:
rCFCTStack:
Condition: cDeployCustomizationsForAWSControlTower
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: https://s3.amazonaws.com/solutions-reference/customizations-for-aws-control-tower/latest/custom-control-tower-initiation.template
Tags:
- Key: sra-solution
Value: !Ref pSRASolutionName
Parameters:
CodeCommitBranchName: !Ref pCodeCommitBranchName
CodeCommitRepositoryName: !Ref pCodeCommitRepositoryName
CodePipelineSource: !Ref pCodePipelineSource
ExistingRepository: !Ref pExistingRepository
FailureTolerancePercentage: !Ref pFailureTolerancePercentage
MaxConcurrentPercentage: !Ref pMaxConcurrentPercentage
PipelineApprovalEmail: !Ref pPipelineApprovalEmail
PipelineApprovalStage: !Ref pPipelineApprovalStage
RegionConcurrencyType: !Ref pRegionConcurrencyType