org-formation / aws-resource-providers
A community driven repository where you can find AWS Resource Type Providers for different purposes (including org-formation ones).
License: MIT License
It would be nice to be able to define an organization policy's content as YAML (similar to how you can define IAM policies in YAML), and have the resource provider itself do the conversion to JSON before calling the organizations:CreatePolicy API.
When making use of Community::S3::PublicAccessBlock I get the error from CloudFormation:
ERROR: Resource S3AccountPublicAccessBlock failed because Properties validation failed for resource S3AccountPublicAccessBlock with message:
#: required key [TestCode] not found
#: required key [Title] not found.
This is after registering from here: s3://community-resource-provider-catalog/community-s3-publicaccessblock-0.1.0.zip
Hi! Got quite far on my own.
Ran cfn generate && npm run build && cfn submit --region us-east-1 in the folder org/organizationalunit.
Ran aws cloudformation create-stack --stack-name organization --template-body file://example-template.yml --region us-east-1 in the root folder.
The template gets built, etc., and the stack gets created (pretty magical!!), but in the events I get: Error: You don't have permissions to access this resource.
Any ideas?
If you try to enable the AWS service access for access-analyzer.amazonaws.com, the following error happens in Community::Organizations::EnableAWSServiceAccess resource type v0.1.0:
Properties validation failed for resource AccessAnalyzerServiceAccess with message: #: required key [ResourceId] not found
We should use the following common types from AWS, such as Tags, AccountId, etc: https://schema.cloudformation.us-east-1.amazonaws.com/aws.common.types.v1.json
I don't have a clear view on what the model should look like yet, but a ConformancePack resource should:
The Community::CostExplorer::AnomalyMonitor allows users to set up an anomaly monitor.
Proposal to do so using the following resource types:

Type: Community::CostExplorer::AnomalyMonitor
Properties:
  MonitorName: String # Name of the anomaly monitor
  MonitorType: String # DIMENSIONAL or CUSTOM
  MonitorDimension: String # SERVICE
  MonitorSpecification: any # contains expression as JSON or YAML
  DimensionalValueCount: number

Type: Community::CostExplorer::AnomalySubscription
Properties:
  SubscriptionName: String # Name of the anomaly subscription
  MonitorArnList: List<String> # !Refs to Monitor
  Subscribers: List<Subscriber> # { Type: EMAIL | SNS, Address: String }
  Threshold: number
  Frequency: String # DAILY, IMMEDIATE or WEEKLY
A provider to set up Resource Access Manager (RAM) [1] to share one resource (in one AWS account) with another resource (in another AWS account).
[1] https://docs.aws.amazon.com/ram/latest/userguide/what-is.html
The Community::IAM::OpenIDConnectProvider allows users to set up a trust with an OpenID Connect provider.
Proposal to do so using the following resource:

Type: Community::IAM::OpenIDConnectProvider
Properties:
  Url: String # The URL of the identity provider
  ClientIdList: List<String> # list of client ids / audiences
  ThumbprintList: List<String> # list of certificate thumbprints
The AWS::SSO::Assignment resource requires users to declare a resource for each Principal-Account-PermissionSet combination. This is not very practical as it might lead to a large number of CloudFormation resources.
Proposal to create a resource to do all assignments per principal in a single resource:

Type: AWS::SSO::PrincipalAssignments
Properties:
  InstanceArn: String
  PermissionSets: List<String> # can be either a list of ARNs or logicalId's
  PrincipalName: String # name of the principal instead of the Id
  PrincipalType: String # GROUP | USER
  TargetAccountIds: List<String>
  TargetOuIds: List<String>

Based on the InstanceArn, PrincipalType and PrincipalName the PrincipalArn can be created:
- InstanceArn is used to look up the IdentityStoreId (aws sso-admin list-instances)
- PrincipalType: either list-groups or list-users is invoked to look for a principal of name PrincipalName (aws identitystore list-users --identity-store-id xxxxxxxxx)

PermissionSets can be created by !Ref to AWS::SSO::PermissionSet or !GetAtt resource.PermissionSetArn (but why would you want to do that?)
For now I think the TargetAccountIds / TargetOuIds seems like a fair starting point. Later maybe create an OrganizationBinding type?
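An added example (not code from aws-resource-providers) of the lookup and expansion the proposal above describes: resolve the principal id from InstanceArn, PrincipalType and PrincipalName, then emit one assignment per permission set and target account. The lookup API, ids and account numbers are constructed stand-ins shaped like the sso-admin and identitystore calls; TargetOuIds and !Ref'd permission sets are left out.

```typescript
type PrincipalType = 'GROUP' | 'USER';

interface PrincipalAssignmentsProps {
  InstanceArn: string;
  PermissionSets: string[];   // permission set ARNs; resolving !Ref/!GetAtt is out of scope here
  PrincipalName: string;
  PrincipalType: PrincipalType;
  TargetAccountIds: string[]; // TargetOuIds would need an Organizations lookup; not covered
}

// Injected lookups shaped like sso-admin list-instances and identitystore list-users/list-groups.
interface SsoLookupApi {
  listInstances(): Array<{ InstanceArn: string; IdentityStoreId: string }>;
  listUsers(identityStoreId: string, userName: string): Array<{ UserId: string }>;
  listGroups(identityStoreId: string, displayName: string): Array<{ GroupId: string }>;
}

interface Assignment {
  InstanceArn: string;
  PermissionSetArn: string;
  PrincipalId: string;
  PrincipalType: PrincipalType;
  TargetId: string;
  TargetType: 'AWS_ACCOUNT';
}

// Step 1: InstanceArn -> IdentityStoreId.
function resolveIdentityStoreId(api: SsoLookupApi, instanceArn: string): string {
  const instances = api.listInstances();
  for (let i = 0; i < instances.length; i++) {
    if (instances[i].InstanceArn === instanceArn) return instances[i].IdentityStoreId;
  }
  throw new Error('SSO instance not found: ' + instanceArn);
}

// Step 2: PrincipalType + PrincipalName -> PrincipalId. Exactly one match is required:
// a missing or ambiguous principal must fail rather than assign access to the wrong identity.
function resolvePrincipalId(api: SsoLookupApi, identityStoreId: string,
                            type: PrincipalType, name: string): string {
  const ids: string[] = type === 'USER'
    ? api.listUsers(identityStoreId, name).map((u) => u.UserId)
    : api.listGroups(identityStoreId, name).map((g) => g.GroupId);
  if (ids.length !== 1) {
    throw new Error('expected exactly one ' + type + ' named ' + name + ', found ' + ids.length);
  }
  return ids[0];
}

function unique(values: string[]): string[] {
  const out: string[] = [];
  for (let i = 0; i < values.length; i++) {
    if (out.indexOf(values[i]) === -1) out.push(values[i]);
  }
  return out;
}

// Step 3: one assignment per (permission set, target account) pair, duplicates collapsed.
function expandAssignments(api: SsoLookupApi, props: PrincipalAssignmentsProps): Assignment[] {
  const storeId = resolveIdentityStoreId(api, props.InstanceArn);
  const principalId = resolvePrincipalId(api, storeId, props.PrincipalType, props.PrincipalName);
  const permissionSets = unique(props.PermissionSets);
  const accounts = unique(props.TargetAccountIds);
  const out: Assignment[] = [];
  for (let p = 0; p < permissionSets.length; p++) {
    for (let a = 0; a < accounts.length; a++) {
      if (!/^\d{12}$/.test(accounts[a])) throw new Error('invalid account id: ' + accounts[a]);
      out.push({ InstanceArn: props.InstanceArn, PermissionSetArn: permissionSets[p], PrincipalId: principalId,
                 PrincipalType: props.PrincipalType, TargetId: accounts[a], TargetType: 'AWS_ACCOUNT' });
    }
  }
  return out;
}

// Constructed sample data (hypothetical ids) standing in for the real API responses.
const sampleApi: SsoLookupApi = {
  listInstances: () => [{ InstanceArn: 'arn:aws:sso:::instance/ssoins-example', IdentityStoreId: 'd-example' }],
  listUsers: (_store, userName) => (userName === 'alice' ? [{ UserId: 'user-alice' }] : []),
  listGroups: (_store, displayName) => (displayName === 'Admins' ? [{ GroupId: 'group-admins' }] : []),
};
const sampleProps: PrincipalAssignmentsProps = {
  InstanceArn: 'arn:aws:sso:::instance/ssoins-example',
  PermissionSets: ['arn:aws:sso:::permissionSet/ssoins-example/ps-viewer', 'arn:aws:sso:::permissionSet/ssoins-example/ps-admin'],
  PrincipalName: 'Admins',
  PrincipalType: 'GROUP',
  TargetAccountIds: ['111111111111', '222222222222', '111111111111'],
};
```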
Move all org-formation repositories under a single GitHub organization. https://docs.github.com/en/github/setting-up-and-managing-organizations-and-teams/about-organizations#organizations-and-enterprise-accounts
AWS has released an official resource type for IAM SAML providers. Therefore, we should review our community resource to see if it is still needed.
The new version of the library class-transformer introduced a breaking change (details here). We need to pin version 0.3.1 exactly in all resource providers.
Provider to set the custom Service Quota limits for EC2 resources, e.g. to increase the maximum number of instances per AZ and region.
We need a mechanism to enable ECS awsvpc trunking by default in an AWS account. Here is the CloudFormation coverage related issue: aws-cloudformation/cloudformation-coverage-roadmap#271.
I just noticed that AWS added support for easily setting up CloudTrail for an organization. It looks like you just need to set "Enable for all accounts in my organization" and AWS will do all the work to set up log aggregation from all accounts to a bucket on the organization's master account. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html
The IsOrganizationTrail setting is not supported by CloudFormation, however there is a CloudTrail API for it: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CloudTrail.html
Would be great to have a resource provider to allow users to easily enable CloudTrail at the organization level.
The Community::EC2::NoDefaultVpc resource can be used to remove the Default VPC.

Type: Community::EC2::NoDefaultVPC
Properties:
  DeleteDefaultVPC: true | false # default is true

If the resource is created or DeleteDefaultVPC is set to true, the default VPC in the current region is deleted.
If the resource is deleted or DeleteDefaultVPC is set to false, a default VPC in the current region is created :-)

Questions:
- DeleteDefaultVPC or can we do without?
- Would be good to package resource providers in a way that no other resources are created in the target account. I think users wouldn't expect this.
I'm using org-formation ver 0.9.13 trying to set up a SAML provider with Community::IAM::SamlProvider, however I keep getting the error: ERROR: Resource SamlProvider failed because Error: Provider with name testitorgmgnt-admin already exists.
When I view the account with the AWS console there are no SAML providers set up in IAM. Also I am able to manually go into AWS console -> IAM -> identity providers -> and add the testitorgmgnt-admin SAML provider without error.
Entire log execution: http://paste.openstack.org/show/801544/
org-formation repo is here: https://github.com/Sage-Bionetworks/testitorgmgnt-infra
Currently all resource providers are versioned at 0.1.0.
Would be good to have a set of quality gates that can be implemented and reflected in the versioning scheme.
Quality gates could be things like: support all methods, unit testing, documentation, review, contract testing.
Quality gates can also be explicitly discussed, documented and deviated from.
Hi.
I was able to create a rule containing a role like:
but the rule is not satisfied when I approve a pull request, from console or terminal.
The user that appears as approver has no ARN displayed, and I assume that's why it is reported as: "0 of 1 rules satisfied".
If I manually add "Approval pool members - optional" using "IAM User name or assumed role" with my role assumed in the console, then the rule is reported as passed.
If I try to add the rule entry as a simple string, as you know CF will throw an error because of this: Invalid arn syntax in the ApprovalPoolMembers.
Thank you in advance
Community::SecurityHub::Hub is a better AWS::SecurityHub::Hub.
Loosely modeled after GuardDuty::Master and GuardDuty::Member.
SecurityHub supports inviting multiple accounts at once, therefore Members (plural).
Master resource goes into the Member accounts.
Member resource goes into the Master account.
This doesn't make complete sense to me, but it is how GuardDuty works...

SecurityHubMembers:
  Type: Community::SecurityHub::Members
  Properties:
    MemberAccountIDs: List<String>
Community::SecurityHub::Members calls apis:

SecurityHubMaster:
  Type: Community::SecurityHub::Master
  Properties:
    MasterAccountId: String
Community::SecurityHub::Master calls apis:

SecurityHub:
  Type: Community::SecurityHub::Hub
  Properties:
    AutoEnableControls: true | false # default true
    Standards:
      EnablePCIDSS: true | false # default false
      EnableCISFoundations: true | false # default false
      EnableSecurityFoundations: true | false # default false
Community::SecurityHub::Hub calls apis:
Similar to the Community::S3::PublicAccessBlock, it would be great to see another resource that enables the setting that blocks public sharing of Systems Manager documents. One main difference from Community::S3::PublicAccessBlock is that this setting needs to be configured per region.
This recent blog post has more info on how to do that via the console/CLI: https://aws.amazon.com/blogs/mt/best-practice-considerations-aws-systems-manager-document-sharing/
Type is registered.
❯ aws cloudformation describe-type-registration --registration-token "f9f2a953-75bf-4fb1-a78f-55091e83f2b4" --profile Me --region us-east-1
{
  "ProgressStatus": "FAILED",
  "Description": "Deployment is currently in DEPLOY_STAGE of status FAILED\nDeployment failed with error. Error message: [f9f2a953-75bf-4fb1-a78f-55091e83f2b4] Internal Failure",
  "TypeArn": "arn:aws:cloudformation:us-east-1:1234:type/resource/Community-ServiceQuotas-S3",
  "TypeVersionArn": "arn:aws:cloudformation:us-east-1:1234:type/resource/Community-ServiceQuotas-S3/00000001"
}
The same occurs via org-formation.
I've tried:
aws cloudformation delete-stack --stack-name community-servicequotas-s3-resource-role --profile Me --region us-east-1
and following the steps again but reach the same outcome.
I would like to be able to use the Community::Support::SupportLevel resource provider to set all accounts in my org's support level, but if your organization includes more than a handful of accounts then you will run into CREATE_FAILED errors like the following:
Note that this is the org master account, and previous support cases succeeded before this one hit. Looks like it could use some retry with backoff logic here.
Additional Context:
The task I am looking to be able to run is the following.

AWSTemplateFormatVersion: "2010-09-09-OC"
OrganizationBindings:
  ManagementBinding:
    Account: !Ref MasterAccount
    IncludeMasterAccount: true
  SupportBinding:
    Account: "*"
Resources:
  SupportLevel:
    Type: Community::Support::SupportLevel
    OrganizationBinding: !Ref ManagementBinding
    ForeachAccount: !Ref SupportBinding
    Properties:
      AccountId: !Sub "${CurrentAccount.AccountId}"
      SupportLevel: 'enterprise'
Any type starts with version 0.1.0.
When implementing any of the below, you can increment minor with +1:
- Features (use category feat in commit)
- Tests (use category test in commit)
Example commit message: feat(my-type): implement create/update and delete handler
Breaking changes may occur before 1.0.0.
After 1.0.0 breaking changes only occur when incrementing major.
When squashing PRs use BREAKING CHANGE in the commit body (new line) and add an explanation of the breaking changes.
See: https://www.conventionalcommits.org/en/v1.0.0-beta.4/
Also: https://gist.github.com/PurpleBooth/b24679402957c63ec426
If you have the management account as your target, the following error happens in Community::SSO::AssignmentGroup resource type v0.3.1:
Error: Received a 403 status error: Access denied by IAM. Please check your policy, or wait for role propagation to complete. IAM Error: User: arn:aws:sts::123456789012:assumed-role/community-sso-assignmentgroup-resour-ExecutionRole/1111 is not authorized to perform: iam:ListRolePolicies on resource: role AWSReservedSSO_Viewer_1111 (Service: AmazonIdentityManagement; Status Code: 403; Error Code: AccessDenied; Request ID: 1111; Proxy: null): 1111, 123456789012 arn:aws:sso:::permissionSet/ssoins-1111/ps-1111
I gave the resource type execution role full permission to the account and that still did not work.
As a workaround, I used the native type AWS::SSO::Assignment just for the management account.
Despite #70, I've been unable to deploy my org-formation for a while. I've tried removing the SCP and redeploying, but I consistently get this error:
ERROR: Resource Scp failed because Resource handler returned message: "Error: Resource of type 'Community::Organizations::Policy' with identifier 'DenyLargeEC2Instances' already exists." (RequestToken: asdf, HandlerErrorCode: AlreadyExists).
ERROR: Stack example-deny-large-ec2 in account 1234 (us-east-1) update failed. reason: Resource is not in the state stackCreateComplete (1234= ManagementAccount)
Do I need to do something in my account so that the delete_then_create starts working?

OrganizationsPolicyRp:
  Type: register-type
  ResourceType: 'Community::Organizations::Policy'
  SchemaHandlerPackage: !Sub 's3://${catalogBucket}/community-organizations-policy-0.2.2.zip'
  MaxConcurrentTasks: 100
  OrganizationBinding:
    IncludeMasterAccount: true
    Region: us-east-1 # Only compatible to us-east-1 region

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {},
  "Resources": {
    "Scp": {
      "Type": "Community::Organizations::Policy",
      "Properties": {
        "Name": "DenyLargeEC2Instances",
        "Description": "Deny running EC2 instances larger than 4xlarge",
        "PolicyType": "SERVICE_CONTROL_POLICY",
        "TargetIds": [
          "account1",
          "account2",
          "account3",
          "account4",
          "account5",
          "account6",
          "account7",
          "account8",
          "account9",
          "account10",
          "account11"
        ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "DenyLargerThan4XLarge",
              "Effect": "Deny",
              "Action": [
                "ec2:RunInstances"
              ],
              "Resource": "arn:aws:ec2:*:*:instance/*",
              "Condition": {
                "ForAnyValue:StringNotLike": {
                  "ec2:InstanceType": [
                    "*.nano",
                    "*.small",
                    "*.micro",
                    "*.medium",
                    "*.large",
                    "*.xlarge",
                    "*.2xlarge",
                    "*.4xlarge"
                  ]
                }
              }
            }
          ]
        }
      }
    }
  },
  "Outputs": {}
}
If you try to create the CloudFormation service quota for stacks in an AWS account that has never been used with Service Quotas, the following error happens in Community::ServiceQuotas::CloudFormation resource type v0.1.0:
Error: Service-linked role creation access denied.
Even after adding the following policy to the execution role, it still did not work:
{
  "Effect": "Allow",
  "Action": "iam:CreateServiceLinkedRole",
  "Resource": "arn:aws:iam::*:role/aws-service-role/servicequotas.amazonaws.com/AWSServiceRoleForServiceQuotas*",
  "Condition": {"StringLike": {"iam:AWSServiceName": "servicequotas.amazonaws.com"}}
},
{
  "Effect": "Allow",
  "Action": [
    "iam:AttachRolePolicy",
    "iam:PutRolePolicy"
  ],
  "Resource": "arn:aws:iam::*:role/aws-service-role/servicequotas.amazonaws.com/AWSServiceRoleForServiceQuotas*"
}
The CloudTrail event:
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "<REDACTED>",
    "arn": "arn:aws:sts::123456789012:assumed-role/community-servicequotas-cloudformati-ExecutionRole-<REDACTED>/<REDACTED>",
    "accountId": "123456789012",
    "accessKeyId": "<REDACTED>",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "<REDACTED>",
        "arn": "arn:aws:iam::123456789012:role/community-servicequotas-cloudformati-ExecutionRole-<REDACTED>",
        "accountId": "123456789012",
        "userName": "community-servicequotas-cloudformati-ExecutionRole-<REDACTED>"
      },
      "webIdFederationData": {},
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "<REDACTED>"
      }
    },
    "invokedBy": "servicequotas.amazonaws.com"
  },
  "eventTime": "<REDACTED>",
  "eventSource": "iam.amazonaws.com",
  "eventName": "CreateServiceLinkedRole",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "servicequotas.amazonaws.com",
  "userAgent": "servicequotas.amazonaws.com",
  "errorCode": "AccessDenied",
  "errorMessage": "User: arn:aws:sts::123456789012:assumed-role/community-servicequotas-cloudformati-ExecutionRole-<REDACTED>/<REDACTED> is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::123456789012:role/aws-service-role/servicequotas.amazonaws.com/AWSServiceRoleForServiceQuotas",
  "requestParameters": null,
  "responseElements": null,
  "requestID": "<REDACTED>",
  "eventID": "<REDACTED>",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "eventCategory": "Management",
  "recipientAccountId": "123456789012"
}
As a workaround, I have been able to create the service-linked role myself through the CLI beforehand: aws iam create-service-linked-role --aws-service-name servicequotas.amazonaws.com.
Because the servicequotas.amazonaws.com does not have MFA authenticated set to true, the resource provider making the call directly to IAM to create the service-linked role would be a possible solution.
If you try to update any of the target identifiers, the following error happens in Community::Organizations::Policy resource type v0.1.0:
A policy with the specified name and type already exists.
We need to change the replacement strategy to delete_then_create.
We need a mechanism to auto deploy the stage of API Gateway v1 (REST). It can either be a separate resource type or an attribute of the Stage resource. Here is the CloudFormation coverage related issue: aws-cloudformation/cloudformation-coverage-roadmap#623.
We need a mechanism to manage an approval rule template in CodeCommit. Here is the CloudFormation coverage related issue: aws-cloudformation/cloudformation-coverage-roadmap#329.
A provider to set up VPC peering from one VPC (in one account) to another VPC (in another account).
There are quite a few examples where we create resource providers that change settings without an ARN and global to an account or account/region. At this moment there is no consistent implementation for the primaryIdentifier.
I think the best suggestion I have is to use awsAccountId for this. This has the benefit of CloudFormation ensuring there are no two resources that own the same setting (the combination ResourceType/primaryIdentifier needs to be unique within a region/account).
There is one undesired side-effect: if you change the logicalName of a resource with this type of ID, CFN will create two operations: Create and Delete. Depending on the order this will fail: Create before Delete will violate the uniqueness constraint. This is something CloudFormation users did/do get used to because it is how CFN works. Arguably it is also the CFN behavior I find hardest to deal with....
Is there a way around this? Specify Deletes should go before Creates? Do them in parallel and retry the Create (max 3 times with backoff?)? Any other suggestions?
For most resources where you have the ARN as a unique identifier, you should remove ResourceId and leave the ARN as the only primary identifier.
The current build process includes the aws sdk (and all of its dependencies) when packaging a RP.
We should be able to leave the aws sdk out and have a smaller package size.
Downloading/installing will be faster and hosting the registry will cost less money
Whenever I modify the property PrincipalId, the assignment is created for the new one, but the old one is not fully deleted.
This is happening in Community::SSO::AssignmentGroup resource type v0.3.1.
I'm trying to set up our organization to work in af-south-1, a relatively new region, but org-formation times out and fails while registering NoDefaultVpcRp:
ERROR: Workload NoDefaultVpcRp in 1234/af-south-1 updated failed. reason: Account seems stuck initializing. (1234 = MyOldAccount)
ERROR: Workload NoDefaultVpcRp in 5678/af-south-1 updated failed. reason: Account seems stuck initializing. (5678 = MyOtherAccount)
...
I see that af-south-1 is not a 'known' region, but do any of these community resource providers depend on knowing the regions? It didn't seem like NoDefaultVpcRp does. Do you have any tips for investigating this further?
We're using this community package: Community::Organizations::NoDefaultVPC and installed it using org-formation as explained in these instructions: https://github.com/org-formation/aws-resource-providers/blob/master/ec2/no-default-vpc/installation.md#installation-using-org-formation-task
Next to that, we've supplied a task to deploy the stack (stackname: compliance-config) using this example: https://github.com/org-formation/aws-resource-providers/blob/master/ec2/no-default-vpc/example.yml
So our tasks look like this:

Parameters:
  <<: !Include "../organization-parameters.yml"

#NoDefaultVPC
CommunityEc2NoDefaultVpcsRP:
  Type: register-type
  SchemaHandlerPackage: s3://community-resource-provider-catalog/community-organizations-nodefaultvpc-0.1.0.zip
  ResourceType: 'Community::Organizations::NoDefaultVPC'
  MaxConcurrentTasks: 10
  OrganizationBinding:
    IncludeMasterAccount: true
    Account: '*'
    Region: !Ref primaryRegion

ComplianceTemplate:
  Type: update-stacks
  Template: ./compliance-template.yml
  StackName: compliance-config
  StackDescription: Remediations for AWS Foundational Security Best Practices
  MaxConcurrentStacks: 10
  FailedStackTolerance: 10
  DefaultOrganizationBindingRegion: !Ref primaryRegion
  OrganizationBinding:
    IncludeMasterAccount: true
    Account: '*'
    Region: !Ref primaryRegion

The default VPCs are removed the first time. However, running the pipeline again with this task enabled causes the following errors:
INFO: Executing: register-type CommunityEc2NoDefaultVpcsRP.
DEBG: Setting build action on register-type / CommunityEc2NoDefaultVpcsRP for 012345678910/eu-west-1 to None - hash matches stored target. (012345678910 = Account1)
DEBG: Stack compliance-config in account 012345678910 (eu-west-1) update starting... (012345678910 = Account1)
ERROR: error updating CloudFormation stack compliance-config in account 012345678910 (eu-west-1).
Resource is not in the state stackCreateComplete (012345678910 = Account1)
ERROR: Resource NoDefaultVpc failed because Internal Failure.
ERROR: Stack compliance-config in account 012345678910 (eu-west-1) update failed. reason: Resource is not in the state stackCreateComplete (012345678910 = Account1)
Resource is not in the state stackCreateComplete (use option --print-stack to print stack)
I would expect org-formation to skip making changes if it detects that there are no default VPCs anymore. Now, it's causing the pipeline to slow down since it retries the tasks before giving up.
As a workaround, I've disabled the task.
Hello,
It would be nice to have a feature in org-formation that enables default EBS encryption. Default encryption is enabled/disabled per region in a given account.
The link in https://github.com/org-formation/aws-resource-providers/blob/master/iam/password-policy/README.md is broken.
"Use this template to deploy a sample password policy resource": the link on "template" points to a 404.
Thinking about resource providers in the context of org-formation, these resources will be applied to multiple accounts at the same time.
I was thinking of implementing https://github.com/OlafConijn/AwsOrganizationFormation/issues/84 using a resource called RegionDefaults. This can then be applied to any number of account/region combinations. I also thought about collecting similar settings (region scope) in the same resource. Logically there would also be a resource called AccountDefaults with a collection of settings that make sense to include in org-formation.
e.g.

Resources:
  RegionDefaults:
    Type: 'OC::ORG::RegionDefaults'
    OrganizationBinding:
      Regions:
        - eu-central-1
        - us-east
      Account: '*'
    Properties:
      EnableEbsEncryptionByDefault: true

Question becomes: would password policy be an account default, or its own resource?
IAM Alias will not be a default because it will (certainly) change for each account, but Password Policy is likely to be the same.
Another question: would service limits have their own resource, or would limits be part of the 'account defaults'?
Honestly I don't know yet. Somehow inclined to have Password Policy be part of an AccountDefaults resource and give service limits a resource of their own.
What do you think? Thanks
Resource should allow setting the SupportLevel for an Account within the organization through a support ticket.
This is because it is currently not possible to automate this process. org-formation, but also ADF, use this mechanism to automate setting the support level on new member accounts.

Type: Community::Support::SupportLevel
Properties:
  SupportLevel: 'developer' | 'business' | 'enterprise'
  AccountId: String # \d{12}
  CCEmailAddresses: List<String> # list of email addresses that need to be included on the support case.

Type must be deployed to the master account, where the support case will be created as follows:
The Support API is only supported on AWS Accounts that have business or enterprise support enabled. Resource will be expected to fail if the support level is less.

const createCaseRequest: CreateCaseRequest = {
  subject: `Enable ${resource.supportLevel} Support for account: ${accountId}`,
  communicationBody: `Hi AWS,
Please enable ${resource.supportLevel} on account ${accountId}.
This case was created automatically - please resolve when done.
Thank you!
`,
  serviceCode: 'customer-account',
  categoryCode: 'other-account-issues',
  severityCode: 'low',
  issueType: 'customer-service',
  ccEmailAddresses: [resource.rootEmail],
};

Intended use using org-formation syntax:

DevelopmentAccountsHaveDeveloperSupport:
  Type: Community::Support::SupportLevel
  OrganizationBinding: !Ref masterAccountBinding
  ForeachAccount: !Ref developmentAccountsBinding
  Properties:
    SupportLevel: 'developer'
    AccountId: !Ref CurrentAccount
    CCEmailAddresses:
      - [email protected]
      - !GetAtt CurrentAccount.RootEmail

ProductionsAccountsHaveBusinessSupport:
  Type: Community::Support::SupportLevel
  OrganizationBinding: !Ref masterAccountBinding
  ForeachAccount: !Ref productionAccountsBinding
  Properties:
    SupportLevel: 'business'
    AccountId: !Ref CurrentAccount
    CCEmailAddresses:
      - [email protected]
      - !GetAtt CurrentAccount.RootEmail
We need a mechanism to manage custom action targets in SecurityHub. Here is the CloudFormation coverage related issue: aws-cloudformation/cloudformation-coverage-roadmap#427.
Currently the Community::Organizations::Policy type supports specifying a policy document as a string (or using !Include).
If we would like to use expressions (or other org-formation functions) within the body of these policies they must be defined as a complex object and converted to a string (JSON.stringify) only when interfacing with the Organizations API.
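An added example (not code from aws-resource-providers) of the conversion described above, which also serves the earlier request to author policy content as YAML: the PolicyDocument is accepted either as a JSON string or as an already-parsed object, validated, and serialised to the Content string that organizations:CreatePolicy takes. The interface names and the 5120-byte size constant are assumptions of the example; the sample SCP is the DenyLargerThan4XLarge policy quoted earlier in this thread.

```typescript
interface PolicyStatement {
  Sid?: string;
  Effect: string;
  Action?: string | string[];
  NotAction?: string | string[];
  Resource?: string | string[];
  NotResource?: string | string[];
  Condition?: { [operator: string]: { [key: string]: string | string[] } };
}
interface PolicyDocument { Version: string; Statement: PolicyStatement[]; }
interface PolicyProps {
  Name: string;
  Description?: string;
  PolicyType: string;              // e.g. SERVICE_CONTROL_POLICY
  PolicyDocument: string | object; // JSON string, or the object a YAML body / expression yields
}

// Documented Organizations quota for an SCP body at the time of writing (5,120 bytes);
// verify against the current Organizations quotas before relying on it.
const SCP_MAX_BYTES = 5120;

// UTF-8 byte count without Buffer, so the block has no Node-only dependency.
function utf8Length(s: string): number {
  let bytes = 0;
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c < 0x80) bytes += 1;
    else if (c < 0x800) bytes += 2;
    else if (c >= 0xd800 && c <= 0xdbff) { bytes += 4; i++; } // surrogate pair = one 4-byte char
    else bytes += 3;
  }
  return bytes;
}

// Accept a string (parse it) or an object (use as-is), then validate the shape that
// the Organizations API would otherwise reject only at deploy time.
function parsePolicyDocument(input: string | object): PolicyDocument {
  let doc: any;
  if (typeof input === 'string') {
    try { doc = JSON.parse(input); } catch (e) { throw new Error('PolicyDocument is not valid JSON: ' + String(e)); }
  } else {
    doc = input;
  }
  if (!doc || doc.Version !== '2012-10-17') throw new Error('PolicyDocument.Version must be 2012-10-17');
  const statements: PolicyStatement[] = Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
  if (statements.length === 0 || !statements[0]) throw new Error('PolicyDocument needs at least one Statement');
  for (let i = 0; i < statements.length; i++) {
    const st = statements[i];
    if (st.Effect !== 'Allow' && st.Effect !== 'Deny') throw new Error('Statement ' + i + ': Effect must be Allow or Deny');
    if (st.Action === undefined && st.NotAction === undefined) throw new Error('Statement ' + i + ': Action or NotAction is required');
  }
  return { Version: doc.Version, Statement: statements };
}

// Compact JSON (no whitespace) keeps the body as small as possible under the size quota.
function serializePolicyContent(doc: PolicyDocument, maxBytes: number = SCP_MAX_BYTES): string {
  const content = JSON.stringify(doc);
  const size = utf8Length(content);
  if (size > maxBytes) throw new Error('policy content is ' + size + ' bytes, limit is ' + maxBytes);
  return content;
}

// CreatePolicy request shape: Content is always a JSON string here, whatever form the template used.
function buildCreatePolicyInput(props: PolicyProps): { Name: string; Description: string; Type: string; Content: string } {
  return {
    Name: props.Name,
    Description: props.Description || '',
    Type: props.PolicyType,
    Content: serializePolicyContent(parsePolicyDocument(props.PolicyDocument)),
  };
}

// Sample taken from the SCP quoted in this thread, supplied as an object rather than a string.
const samplePolicy: PolicyProps = {
  Name: 'DenyLargeEC2Instances',
  Description: 'Deny running EC2 instances larger than 4xlarge',
  PolicyType: 'SERVICE_CONTROL_POLICY',
  PolicyDocument: {
    Version: '2012-10-17',
    Statement: [{
      Sid: 'DenyLargerThan4XLarge', Effect: 'Deny', Action: ['ec2:RunInstances'], Resource: 'arn:aws:ec2:*:*:instance/*',
      Condition: { 'ForAnyValue:StringNotLike': { 'ec2:InstanceType':
        ['*.nano', '*.small', '*.micro', '*.medium', '*.large', '*.xlarge', '*.2xlarge', '*.4xlarge'] } },
    }],
  },
};
```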
https://aws.amazon.com/blogs/aws/introducing-a-public-registry-for-aws-cloudformation/, org-formation/org-formation-cli#128
Please add support for configuring Session Manager preferences, e.g. configuring which log group and/or s3 bucket commands get logged to.
Session manager preferences are configured at a regional level.
Hello,
In a similar way that password policies can be applied to an account or set of accounts, it would be nice if org-formation was able to set "block public access" to S3 at the account level.