Move CFN CR stuff to this stack

ServerlessOpsIO · Oct 26, 2024 · b3c20c4 · b3c20c4
1 parent 8949749
commit b3c20c4
Show file tree

Hide file tree

Showing 6 changed files with 224 additions and 11 deletions.
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -73,16 +73,27 @@ jobs:
               $_f;
           done
 
-      - name: Upload SAM artifact (Management Account)
-        id: upload-sam-template
+      - name: Upload SAM artifact (Management Account / GHA Deploy)
+        id: upload-sam-gha-template
         shell: bash
         run: |
           sam package \
             --template stacksets/gha-deploy/stackset.yaml \
             --s3-bucket aws-sam-cli-sourcebucket-225989329251-us-east-1  \
             --s3-prefix ${{ env.GITHUB_REPOSITORY_OWNER_PART_SLUG_URL }}/${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}/${{ env.GITHUB_REF_SLUG_URL }} \
             --region us-east-1 \
-            --output-template-file packaged-template.yaml
+            --output-template-file packaged-gha-deploy-template.yaml
+
+      - name: Upload SAM artifact (Management Account / CFN CR)
+        id: upload-sam-cfncr-template
+        shell: bash
+        run: |
+          sam package \
+            --template stacksets/cfn-custom-resource-deploy/stackset.yaml \
+            --s3-bucket aws-sam-cli-sourcebucket-225989329251-us-east-1  \
+            --s3-prefix ${{ env.GITHUB_REPOSITORY_OWNER_PART_SLUG_URL }}/${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}/${{ env.GITHUB_REF_SLUG_URL }} \
+            --region us-east-1 \
+            --output-template-file packaged-cfncr-template.yaml
 
       - name: Upload SAM artifact (Build Account)
         id: upload-sam-stackset-build-template
@@ -222,7 +233,7 @@ jobs:
           secrets_json: ${{ toJson(secrets) }}
 
 
-  deploy_management:
+  deploy_management_gha_deploy:
     needs:
       - build
       - deploy_build_stacksets
@@ -268,11 +279,67 @@ jobs:
           deploy_aws_account_id: ${{ secrets.AWS_MANAGEMENT_ACCOUNT_ID }}
           gha_deploy_role_name: ${{ secrets.AWS_CICD_DEPLOY_ROLE_NAME }}
 
-      - name: Deploy via AWS SAM
+      - name: Deploy via AWS SAM (GHA Deploy)
+        uses: ServerlessOpsIO/gha-deploy-aws-sam@v1
+        with:
+          aws_account_id: ${{ secrets.AWS_MANAGEMENT_ACCOUNT_ID }}
+          template_file: packaged-gha-deploy-template.yaml
+          cfn_capabilities: CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND
+          env_json: ${{ toJson(env) }}
+          secrets_json: ${{ toJson(secrets) }}
+
+  deploy_management_cfn_cr:
+    needs:
+      - build
+      - deploy_build_stacksets
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Set extra GitHub environment variables
+        id: github-env-vars
+        uses: rlespinasse/github-slug-action@v4
+
+      - name: Download artifact
+        id: download-artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ env.GITHUB_REPOSITORY_SLUG }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ github.run_number }}-${{ github.sha }}
+
+      - name: Setup Python
+        id: install-python
+        uses: actions/setup-python@v3
+        with:
+          python-version: 3.12
+          cache: pipenv
+
+      - name: Install pipenv
+        id: install-pipenv
+        shell: bash
+        run: python -m pip install --upgrade pipenv
+
+
+      - name: Install dependencies
+        id: install-python-deps
+        shell: bash
+        run: pipenv install --dev
+
+      - name: Assume AWS Credentials
+        uses: ServerlessOpsIO/gha-assume-aws-credentials@v1
+        with:
+          build_aws_account_id: ${{ secrets.AWS_CICD_ACCOUNT_ID }}
+          gha_build_role_name: ${{ secrets.AWS_CICD_BUILD_ROLE_NAME }}
+          deploy_aws_account_id: ${{ secrets.AWS_MANAGEMENT_ACCOUNT_ID }}
+          gha_deploy_role_name: ${{ secrets.AWS_CICD_DEPLOY_ROLE_NAME }}
+
+      - name: Deploy via AWS SAM (GHA Deploy)
         uses: ServerlessOpsIO/gha-deploy-aws-sam@v1
         with:
           aws_account_id: ${{ secrets.AWS_MANAGEMENT_ACCOUNT_ID }}
-          template_file: packaged-template.yaml
+          stack_name: "${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}-${{ env.GITHUB_EVENT_REF_SLUG_URL }}-cfn-cr"
+          template_file: packaged-cfncr-template.yaml
           cfn_capabilities: CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND
           env_json: ${{ toJson(env) }}
           secrets_json: ${{ toJson(secrets) }}
diff --git a/cfn-parameters.json b/cfn-parameters.json
@@ -3,5 +3,7 @@
     "TargetRegions": "us-east-1",
     "AwsOrganizationId": $secrets.AWS_ORG_ID,
     "CiCdOuIds": $secrets.AWS_ORG_CICD_OU_ID,
-    "CicdAwsAccountId": $secrets.AWS_CICD_ACCOUNT_ID
+    "CicdAwsAccountId": $secrets.AWS_CICD_ACCOUNT_ID,
+    "CustomResourceTopicName": "CfnCustomResource",
+    "CustomResourceSsmParamName": "/org/cicd/CustomResourceTopic"
 }
diff --git a/stackset-build-template.yaml b/stackset-build-template.yaml
@@ -1,8 +1,10 @@
 Metadata:
   GhaStack:
-    localTemplateFile: &gha_stackset_body ./stacksets/gha-build/stackset.yaml
+    localTemplateFile: &gha_template_body ./stacksets/gha-build/stackset.yaml
   SamStack:
     localTemplateFile: &sam_template_body ./stacksets/gha-build/sam-deployment.yaml
+  CfnCrStack:
+    localTemplateFile: &cfn_cr_template_body ./stacksets/cfn-custom-resource-build/stackset.yaml
 
 AWSTemplateFormatVersion: '2010-09-09'
 Transform:
@@ -19,6 +21,9 @@ Parameters:
   AwsOrganizationId:
     Type: String
     Description: AWS Organization ID
+  CustomResourceTopicName:
+    Type: String
+    Description: Custom resource ARN
 
 Resources:
   OrgCiCdSamArtifacts:
@@ -75,4 +80,33 @@ Resources:
         FailureToleranceCount: 1
         MaxConcurrentCount: 5
       PermissionModel: SERVICE_MANAGED
-      TemplateBody: *gha_stackset_body
+      TemplateBody: *gha_template_body
+
+
+  DeployAccountCfnCustomResourcesSupport:
+    Type: AWS::CloudFormation::StackSet
+    Properties:
+      StackSetName: OrgBuildAccountCfnCustomResources
+      Description: Provides shared AWS CFN Custom Resources
+      Parameters:
+        - ParameterKey: AwsOrganizationId
+          ParameterValue: !Ref AwsOrganizationId
+        - ParameterKey: CustomResourceTopicName
+          ParameterValue: !Ref CustomResourceTopicName
+      StackInstancesGroup:
+        - DeploymentTargets:
+            OrganizationalUnitIds: !Ref CiCdOuIds
+          Regions: !Ref TargetRegions
+      AutoDeployment:
+        Enabled: true
+        RetainStacksOnAccountRemoval: false
+      ManagedExecution:
+        Active: true
+      OperationPreferences:
+        RegionConcurrencyType: PARALLEL
+        FailureToleranceCount: 1
+        MaxConcurrentCount: 5
+      Capabilities:
+        - CAPABILITY_NAMED_IAM
+      PermissionModel: SERVICE_MANAGED
+      TemplateBody: *cfn_cr_template_body
diff --git a/stackset-deploy-template.yaml b/stackset-deploy-template.yaml
@@ -1,5 +1,8 @@
 Metadata:
-  localTemplateFile: &template_body stacksets/gha-deploy/stackset.yaml
+  GhaStack:
+    localTemplateFile: &gha_deploy_template_body ./stacksets/gha-deploy/stackset.yaml
+  CfnCrStack:
+    localTemplateFile: &cfn_cr_template_body ./stacksets/cfn-custom-resource-deploy/stackset.yaml
 
 AWSTemplateFormatVersion: '2010-09-09'
 Transform: AWS::Serverless-2016-10-31
@@ -18,6 +21,13 @@ Parameters:
   DeployBucketArn:
     Type: String
     Description: S3 bucket ARN for deployment
+  CustomResourceSsmParamName:
+    Type: String
+    Description: SSM parameter name for custom resource
+  CustomResourceTopicName:
+    Type: String
+    Description: Custom resource ARN
+
 
 Resources:
   OrgCiCdGhaDeploy:
@@ -46,4 +56,32 @@ Resources:
         FailureToleranceCount: 1
         MaxConcurrentCount: 5
       PermissionModel: SERVICE_MANAGED
-      TemplateBody: *template_body
+      TemplateBody: *gha_deploy_template_body
+
+  DeployAccountCfnCustomResourcesSupport:
+    Type: AWS::CloudFormation::StackSet
+    Properties:
+      StackSetName: OrgDeployAccountCfnCustomResourcesSupport
+      Description: Provides service discovery for AWS CFN Custom Resources
+      Parameters:
+        - ParameterKey: CustomResourceSsmParamName
+          ParameterValue: !Ref CustomResourceSsmParamName
+        - ParameterKey: CustomResourceTopicName
+          ParameterValue: !Ref CustomResourceTopicName
+        - ParameterKey: CicdAwsAccountId
+          ParameterValue: !Ref CicdAwsAccountId
+      StackInstancesGroup:
+        - DeploymentTargets:
+            OrganizationalUnitIds: !Ref TargetOuIds
+          Regions: !Ref TargetRegions
+      AutoDeployment:
+        Enabled: true
+        RetainStacksOnAccountRemoval: false
+      ManagedExecution:
+        Active: true
+      OperationPreferences:
+        RegionConcurrencyType: PARALLEL
+        FailureToleranceCount: 1
+        MaxConcurrentCount: 5
+      PermissionModel: SERVICE_MANAGED
+      TemplateBody: *cfn_cr_template_body
diff --git a/stacksets/cfn-custom-resource-build/stackset.yaml b/stacksets/cfn-custom-resource-build/stackset.yaml
@@ -0,0 +1,50 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: AWS CFN Custom Resources Support
+
+Parameters:
+  AwsOrganizationId:
+    Type: String
+    Description: AWS Organization ID
+  CustomResourceTopicName:
+    Type: String
+    Description: Name of the SNS topic for custom resources
+
+Resources:
+  CustomResourceTopic:
+    Type: AWS::SNS::Topic
+    Properties:
+      TopicName: !Ref CustomResourceTopicName
+      DisplayName: CFN Custom Resource Topic
+
+  CustomResourceTopicPolicy:
+    Type: AWS::SNS::TopicPolicy
+    Properties:
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: AllowCloudFormation
+            Effect: Allow
+            Principal: "*"
+            Action: sns:Publish
+            Resource: !Ref CustomResourceTopic
+            Condition:
+              StringEquals:
+                "aws:PrincipalOrgID":
+                  - !Ref AwsOrganizationId
+              StringLike:
+                "aws:PrincipalArn":
+                  - !Sub "arn:${AWS::Partition}:iam::*:role/CfnExecIamRole"
+          - Sid: AllowServiceCatalog
+            Effect: Allow
+            Principal: "*"
+            Action: sns:Publish
+            Resource: !Ref CustomResourceTopic
+            Condition:
+              StringEquals:
+                "aws:PrincipalOrgID":
+                  - !Ref AwsOrganizationId
+              StringLike:
+                "aws:PrincipalArn":
+                  - !Sub "arn:${AWS::Partition}:iam::*:role/ServiceCatalogCfnExecIamRole"
+      Topics:
+        - !Ref CustomResourceTopic
diff --git a/stacksets/cfn-custom-resource-deploy/stackset.yaml b/stacksets/cfn-custom-resource-deploy/stackset.yaml
@@ -0,0 +1,22 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: AWS CFN Custom Resources Support
+
+Parameters:
+  CustomResourceSsmParamName:
+    Type: String
+    Description: ARN of Custom Resource target
+  CustomResourceTopicName:
+    Type: String
+    Description: ARN of Custom Resource target
+  CicdAwsAccountId:
+    Type: String
+    Description: AWS Account ID for CI/CD
+
+Resources:
+  CfnCustomResourceArn:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Name: !Ref CustomResourceSsmParamName
+      Type: String
+      Description: ARN of CFN Custom Resource target
+      Value: !Sub "arn:aws:sns:${AWS::Region}:${CicdAwsAccountId}:${CustomResourceTopicName}"