Add CloudWatch org list role template and deploy action

PRX · Apr 22, 2024 · 13a9d7f · 13a9d7f
1 parent 5062769
commit 13a9d7f
Show file tree

Hide file tree

Showing 2 changed files with 89 additions and 0 deletions.
diff --git a/.github/workflows/deploy-role-CloudWatch-CrossAccountSharing-ListAccountsRole.yml b/.github/workflows/deploy-role-CloudWatch-CrossAccountSharing-ListAccountsRole.yml
@@ -0,0 +1,39 @@
+name: Deploy CloudWatch-CrossAccountSharing-ListAccountsRole
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - iam-roles/CloudWatch-CrossAccountSharing-ListAccountsRole/template.yml
+
+concurrency:
+  group: ${{ github.workflow }}
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-2
+          role-to-assume: arn:aws:iam::048723829744:role/PRX-GHA-AccessRole
+          role-session-name: gha-deploy-cw-list-role
+
+      - name: Deploy to management account
+        working-directory: iam-roles/CloudWatch-CrossAccountSharing-ListAccountsRole
+        run: |
+          aws cloudformation deploy \
+            --region us-east-2 \
+            --stack-name CloudWatch-CrossAccountSharing-ListAccountsRole \
+            --template-file template.yml \
+            --capabilities CAPABILITY_NAMED_IAM \
+            --no-fail-on-empty-changeset \
+            --role-arn arn:aws:iam::048723829744:role/PRX-GHA-ServiceRoleForCloudFormation
diff --git a/iam-roles/CloudWatch-CrossAccountSharing-ListAccountsRole/template.yml b/iam-roles/CloudWatch-CrossAccountSharing-ListAccountsRole/template.yml
@@ -0,0 +1,50 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: >-
+  Creates a IAM role with the special name
+  CloudWatch-CrossAccountSharing-ListAccountsRole, which CloudWatch uses for
+  cross-account console functionality. This stack be should launched only in
+  the Organization's management account.
+
+Parameters:
+  MonitoringAccountIds:
+    Description: >-
+      Allows one or more monitoring accounts to view AWS Organization account
+      list. Enter AWS account ids, 12 numeric digits in comma-separated list
+    Type: CommaDelimitedList
+
+Resources:
+  # This role is intended to only be used by AWS Console. Even if we have
+  # similar needs for a role, use or make a different role.
+  CWCrossAccountListAccountsRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action: sts:AssumeRole
+            Effect: Allow
+            Principal:
+              AWS: !Split
+                - ","
+                - !Sub
+                  - "arn:aws:iam::${inner}:root"
+                  - inner: !Join
+                      - ":root,arn:aws:iam::"
+                      - Ref: MonitoringAccountIds
+        Version: "2012-10-17"
+      Policies:
+        - PolicyDocument:
+            Statement:
+              - Action:
+                  - organizations:ListAccounts
+                  - organizations:ListAccountsForParent
+                Effect: Allow
+                Resource: "*"
+            Version: "2012-10-17"
+          PolicyName: CloudWatch-CrossAccountSharing-ListAccounts-Policy
+      RoleName: CloudWatch-CrossAccountSharing-ListAccountsRole
+      Tags:
+        - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
+        - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
+        - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
+        - { Key: prx:ops:environment, Value: Production }
+        - { Key: prx:dev:application, Value: DevOps }