aws-resource-providers's Issues

Community::Organizations::Policy.Content - YAML support

It would be nice to be able to define an organization policy's content as YAML (similar to how you can define IAM policies in YAML), and have the resource provider itself do the conversion to JSON before calling the organizations:CreatePolicy API.

Error when using Community::S3::PublicAccessBlock

When making use of Community::S3::PublicAccessBlock I get the following error from CloudFormation:

ERROR: Resource S3AccountPublicAccessBlock failed because Properties validation failed for resource S3AccountPublicAccessBlock with message:
#: required key [TestCode] not found
#: required key [Title] not found.

This is after registering from here:
s3://community-resource-provider-catalog/community-s3-publicaccessblock-0.1.0.zip

unauthorized access

Hi! Got quite far on my own.

  • Created a number of resources in JSON Schema, started to implement the OrganizationalUnit resource.
  • Implemented Create, Update and Delete
  • Added the right permissions
  • Created an example template

Ran cfn generate && npm run build && cfn submit --region us-east-1 in the folder org/organizationalunit.
Ran aws cloudformation create-stack --stack-name organization --template-body file://example-template.yml --region us-east-1 in the root folder.

Template gets built, etc. Stack gets created (pretty magical!!). But in the events I get Error: You don't have permissions to access this resource. Any ideas?

Error while deploying Community::Organizations::EnableAWSServiceAccess

If you try to enable the AWS service access for access-analyzer.amazonaws.com, the following error happens in Community::Organizations::EnableAWSServiceAccess resource type v0.1.0:

Properties validation failed for resource AccessAnalyzerServiceAccess with message: #: required key [ResourceId] not found

Community::Config::ConformancePack

Don't have a clear view on what the model should look like yet, but a ConformancePack resource should:

  • Allow you to deploy AWS 'sample' templates as well as new templates.
  • Allow to deploy conformance packs to the entire AWS Organization.

Community::CostExplorer::AnomalyMonitor & AnomalySubscription

The Community::CostExplorer::AnomalyMonitor allows users to set up an anomaly monitor.

Proposal to do so using the following resource types:

Type: Community::CostExplorer::AnomalyMonitor
Properties: 
  MonitorName: String # Name of the anomaly monitor
  MonitorType: String # DIMENSIONAL or CUSTOM
  MonitorDimension: String # SERVICE
  MonitorSpecification: any # contains expression as JSON or YAML
  DimensionalValueCount: number

Type: Community::CostExplorer::AnomalySubscription
Properties: 
  SubscriptionName: String # Name of the anomaly subscription
  MonitorArnList: List<String> # !Refs to Monitor
  Subscribers: List<Subscriber> # { Type: EMAIL | SNS, Address: String  }
  Threshold: number
  Frequency: String # DAILY, IMMEDIATE or WEEKLY 

Community::IAM::OpenIDConnectProvider

The Community::IAM::OpenIDConnectProvider allows users to set up a trust with an open id connect provider.

Proposal to do so using the following resource:

Type: Community::IAM::OpenIDConnectProvider
Properties: 
  Url: String # The URL of the identity provider
  ClientIdList: List<String> # list of client ids/ audiences
  ThumbprintList: List<String> # list of certificate thumbprints

Community::SSO::AssignmentGroup

The AWS::SSO::Assignment resource requires users to declare a resource for each Principal-Account-PermissionSet combination. This is not very practical as it might lead to a large number of CloudFormation resources.

Proposal to create a resource to do all assignments per principal in a single resource:

Type: AWS::SSO::PrincipalAssignments
Properties: 
  InstanceArn: String 
  PermissionSets: List<String> # can be either a list ARNs or logicalId's
  PrincipalName: String # name of the principal instead of the Id
  PrincipalType: String # GROUP | USER
  TargetAccountIds: List<String>
  TargetOuIds: List<String>

Based on the InstanceArn, PrincipalType and PrincipalName the PrincipalArn can be created:

  • InstanceArn is used to look up the IdentityStoreId (aws sso-admin list-instances)
  • based on PrincipalType either list-groups or list-users is invoked to look for a principal of name PrincipalName (aws identitystore list-users --identity-store-id xxxxxxxxx)

PermissionSets can be created by !Ref to AWS::SSO::PermissionSet or !GetAtt resource.PermissionSetArn (but why would you want to do that?)

For now I think the TargetAccountIds / TargetOuIds seem like a fair starting point. Later maybe create an OrganizationBinding type?
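The lookup and fan-out this proposal describes, as an added example (not code from the aws-resource-providers project): it resolves the PrincipalId from InstanceArn, PrincipalType and PrincipalName against a constructed identity-store snapshot that stands in for the list-instances, list-groups and list-users responses, then expands TargetAccountIds and TargetOuIds into the individual principal/permission-set/account rows that AWS::SSO::Assignment would need one resource each for. The ids (ssoins-EXAMPLE, d-EXAMPLE, the account and OU ids), the OU membership table and the rule that an ambiguous name is an error are this example's assumptions.

```typescript
// Shapes mirroring the responses the proposal says the handler would read:
// sso-admin list-instances, identitystore list-groups / list-users.
interface SsoInstance { InstanceArn: string; IdentityStoreId: string; }
interface StoreGroup { GroupId: string; DisplayName: string; }
interface StoreUser { UserId: string; UserName: string; }
type PrincipalType = 'GROUP' | 'USER';

// Properties of the proposed resource (PermissionSets given as ARNs).
interface AssignmentGroupProps {
  InstanceArn: string;
  PermissionSets: string[];
  PrincipalName: string;
  PrincipalType: PrincipalType;
  TargetAccountIds?: string[];
  TargetOuIds?: string[];
}

// One row of what AWS::SSO::Assignment would otherwise need per resource.
interface Assignment {
  PrincipalId: string;
  PrincipalType: PrincipalType;
  PermissionSetArn: string;
  TargetAccountId: string;
}

// Constructed snapshot standing in for the API responses (hypothetical ids).
const INSTANCES: SsoInstance[] = [
  { InstanceArn: 'arn:aws:sso:::instance/ssoins-EXAMPLE', IdentityStoreId: 'd-EXAMPLE' },
];
const IDENTITY_STORES: Record<string, { groups: StoreGroup[]; users: StoreUser[] }> = {
  'd-EXAMPLE': {
    // Two groups share a display name on purpose, to exercise the ambiguity check.
    groups: [
      { GroupId: 'g-viewers', DisplayName: 'Viewers' },
      { GroupId: 'g-admins-a', DisplayName: 'Admins' },
      { GroupId: 'g-admins-b', DisplayName: 'Admins' },
    ],
    users: [{ UserId: 'u-alice', UserName: 'alice' }],
  },
};
// Constructed OU membership (assumption: resolved via the Organizations API in a real handler).
const OU_MEMBERS: Record<string, string[]> = {
  'ou-r000-workloads': ['111111111111', '222222222222'],
};

// InstanceArn -> IdentityStoreId -> principal id, as the proposal describes.
// A name that matches nothing or more than one principal is rejected rather than
// silently picking one: a name-based lookup must resolve to exactly one identity.
function resolvePrincipalId(instanceArn: string, principalType: PrincipalType, principalName: string): string {
  const instance = INSTANCES.filter((i) => i.InstanceArn === instanceArn)[0];
  if (!instance) throw new Error(`unknown SSO instance ${instanceArn}`);
  const store = IDENTITY_STORES[instance.IdentityStoreId];
  if (!store) throw new Error(`unknown identity store ${instance.IdentityStoreId}`);
  const ids = principalType === 'GROUP'
    ? store.groups.filter((g) => g.DisplayName === principalName).map((g) => g.GroupId)
    : store.users.filter((u) => u.UserName === principalName).map((u) => u.UserId);
  if (ids.length === 0) throw new Error(`no ${principalType} named ${principalName}`);
  if (ids.length > 1) throw new Error(`ambiguous ${principalType} name ${principalName}: ${ids.join(', ')}`);
  return ids[0];
}

// Fan one AssignmentGroup out into individual assignments. An account listed
// directly and reached again through an OU is emitted once.
function expandAssignments(props: AssignmentGroupProps): Assignment[] {
  const principalId = resolvePrincipalId(props.InstanceArn, props.PrincipalType, props.PrincipalName);
  const seen: Record<string, boolean> = {};
  const targets: string[] = [];
  const addTarget = (accountId: string): void => {
    if (!/^\d{12}$/.test(accountId)) throw new Error(`invalid account id ${accountId}`);
    if (!seen[accountId]) { seen[accountId] = true; targets.push(accountId); }
  };
  (props.TargetAccountIds || []).forEach(addTarget);
  (props.TargetOuIds || []).forEach((ouId) => {
    const members = OU_MEMBERS[ouId];
    if (!members) throw new Error(`unknown OU ${ouId}`);
    members.forEach(addTarget);
  });
  const assignments: Assignment[] = [];
  targets.forEach((accountId) => {
    props.PermissionSets.forEach((permissionSetArn) => {
      assignments.push({ PrincipalId: principalId, PrincipalType: props.PrincipalType, PermissionSetArn: permissionSetArn, TargetAccountId: accountId });
    });
  });
  return assignments;
}

// Constructed input: one group, two permission sets, two direct accounts plus one OU.
const EXAMPLE_GROUP: AssignmentGroupProps = {
  InstanceArn: 'arn:aws:sso:::instance/ssoins-EXAMPLE',
  PermissionSets: ['arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-viewer', 'arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-reader'],
  PrincipalName: 'Viewers',
  PrincipalType: 'GROUP',
  TargetAccountIds: ['222222222222', '333333333333'],
  TargetOuIds: ['ou-r000-workloads'],
};

console.log(JSON.stringify(expandAssignments(EXAMPLE_GROUP), null, 2)); // 6 assignments: 3 accounts x 2 permission sets
```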

Community::ServiceQuotas::EC2

Provider to set the custom Service Quota limits for EC2 resources, e.g. to increase the maximum number of instances per AZ and region.

resource provider to enable cloudtrail for organizations

I just noticed that AWS added support for easily setting up cloudtrail for an organization. It looks like you just need to set Enable for all accounts in my organization and AWS will do all the work to setup log aggregation from all accounts to a bucket on the organizations master account. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html

The IsOrganizationTrail setting is not supported by CloudFormation, however there is a CloudTrail API for it:
https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CloudTrail.html

Would be great to have a resource provider to allow users to easily enable cloudtrail at the organization level.

Community::EC2::NoDefaultVPC Resource

The Community::EC2::NoDefaultVpc resource can be used to remove the Default VPC.

Type: Community::EC2::NoDefaultVPC
Properties:
  DeleteDefaultVPC: true | false # default is true

If the resource is created or DeleteDefaultVPC is set to true, the default VPC in the current region is deleted.
If the resource is deleted or DeleteDefaultVPC is set to false, a default VPC in the current region is created :-)

questions:

  • should there be a DeleteDefaultVPC or can we do without?

(Community::IAM::SamlProvider) Provider already exists

I'm using org-formation version 0.9.13, trying to set up a SAML provider with Community::IAM::SamlProvider, however I keep getting the error ERROR: Resource SamlProvider failed because Error: Provider with name testitorgmgnt-admin already exists.

When I view the account in the AWS console there are no SAML providers set up in IAM. Also, I am able to manually go into AWS console -> IAM -> Identity providers and add the testitorgmgnt-admin SAML provider without error.

entire log execution: http://paste.openstack.org/show/801544/

org-formation repo is here: https://github.com/Sage-Bionetworks/testitorgmgnt-infra

Define quality gates and link to versioning schema

Currently all resource providers are versioned at 0.1.0.
Would be good to have a set of quality gates that can be implemented and reflect in the versioning scheme

Quality gates could be things like: support all methods, unit testing, documentation, review, contract testing.
Quality gates can also be explicitly discussed, documented and deviated from.

Add support for IAM user name or assumed role

Hi.
I was able to create a rule containing roles like:

  • !Sub "arn:aws:sts::${AWS::AccountId}:assumed-role/Role1"
  • !Sub "arn:aws:iam::${AWS::AccountId}:assumed-role/Role2"

but the rule is not satisfied when I approve a pull request, from the console or terminal.
The user that appears as approver has no ARN displayed, and I assume that's why it is reported as: "0 of 1 rules satisfied".

If I manually add, under "Approval pool members - optional" using "IAM User name or assumed role", the role I assumed in the console, then the rule is reported as passed.

If I try to add the rule entry as a simple string, as you know CloudFormation will throw this error: Invalid arn syntax in the ApprovalPoolMembers.

Thank you in advance

Community::SecurityHub::Hub, Master & Members

Community::SecurityHub::Hub is a better AWS::SecurityHub::Hub

Loosely modeled after GuardDuty::Master and GuardDuty::Member.

SecurityHub supports inviting multiple accounts at once, therefore Members (plural).
Master resource goes into the Member accounts.
Member resource goes into the Master account.
This doesn't make complete sense for me, but it is how GuardDuty works...

  SecurityHubMembers:
    Type: Community::SecurityHub::Members
    Properties:
      MemberAccountIDs: List<String>

Community::SecurityHub::Members calls APIs:

  • create-members
  • invite-members

  SecurityHubMaster:
    Type: Community::SecurityHub::Master
    Properties:
      MasterAccountId: String

Community::SecurityHub::Master calls APIs:

  • list-invitations
  • accept-invitation (compares on MasterAccountId)

  SecurityHub:
    Type: Community::SecurityHub::Hub
    Properties:
      AutoEnableControls: true | false # default true
      Standards:
        EnablePCIDSS: true | false # default false
        EnableCISFoundations: true | false # default false
        EnableSecurityFoundations: true | false # default false

Community::SecurityHub::Hub calls APIs:

  • update-security-hub-configuration
  • enable-security-hub

feature request: add resource to block public sharing of systems manager documents

Similar to Community::S3::PublicAccessBlock, it would be great to see another resource that enables the setting that blocks public sharing of Systems Manager documents. One main difference from Community::S3::PublicAccessBlock is that this setting needs to be configured per region.

This recent blog post has more info on how to do that via the console/cli: https://aws.amazon.com/blogs/mt/best-practice-considerations-aws-systems-manager-document-sharing/

Community::ServiceQuotas::S3 fails with 'internal failure'

Repro

  1. Create a new AWS account
  2. Follow the steps in Community::ServiceQuotas::S3 to install via the AWS CLI

Expected

Type is registered.

Actual

❯ aws cloudformation describe-type-registration --registration-token  "f9f2a953-75bf-4fb1-a78f-55091e83f2b4"  --profile Me --region us-east-1
{
    "ProgressStatus": "FAILED",
    "Description": "Deployment is currently in DEPLOY_STAGE of status FAILED\nDeployment failed with error. Error message: [f9f2a953-75bf-4fb1-a78f-55091e83f2b4] Internal Failure",
    "TypeArn": "arn:aws:cloudformation:us-east-1:1234:type/resource/Community-ServiceQuotas-S3",
    "TypeVersionArn": "arn:aws:cloudformation:us-east-1:1234:type/resource/Community-ServiceQuotas-S3/00000001"
}

The same occurs via org-formation.

I've tried:

aws cloudformation delete-stack --stack-name community-servicequotas-s3-resource-role --profile Me --region us-east-1

and following the steps again but reach the same outcome.

Bug: Support Level RP runs into AWS Organizations API Limits

I would like to be able to use the Community::Support::SupportLevel resource provider to set all accounts in my org's support level, but if your organization includes more than a handful of accounts then you will run into CREATE_FAILED errors like the following:

(screenshot of the CREATE_FAILED events not reproduced here)

Note that this is the org master account, and previous support cases succeeded before this one hit. Looks like it could use some retry with backoff logic here.

throw new exceptions.InvalidRequest(`Account does not seem to be the master account of an AWS Organization.\n${err}`);

Additional Context:
The task I am looking to be able to run is the following.

AWSTemplateFormatVersion: "2010-09-09-OC"
OrganizationBindings:
  ManagementBinding:
    Account: !Ref MasterAccount
    IncludeMasterAccount: true
  
  SupportBinding:
    Account: "*"

Resources:
  SupportLevel:
    Type: Community::Support::SupportLevel
    OrganizationBinding: !Ref ManagementBinding
    ForeachAccount: !Ref SupportBinding
    Properties:
      AccountId: !Sub "${CurrentAccount.AccountId}"
      SupportLevel: 'enterprise'

Define quality bands on types and have this reflected in versioning

Any type starts with version 0.1.0.
When implementing any of the below, you can increment minor with +1:

Features (use category feat in commit):

  • Implement Create, Update and Delete handler (required minimum -> this is version 0.1.0)
  • Implement Read handler
  • Implement List handler (optional)
  • Implement strict mode (optional)

Tests (use category test in commit):

  • Implement automated testing (unit tests)
  • Use and test in a production environment.
  • Use and test in a production environment by someone else.
  • Pass the contract tests.

Example commit message: feat(my-type): implement create/update and delete handler

Breaking changes may occur before 1.0.0.
After 1.0.0 breaking changes only occur when incrementing major.

When squashing PRs, use BREAKING CHANGE in the commit body (on a new line) and add an explanation of the breaking changes.

see: https://www.conventionalcommits.org/en/v1.0.0-beta.4/
also: https://gist.github.com/PurpleBooth/b24679402957c63ec426
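The bump rules described in this issue, as an added example (not tooling from the aws-resource-providers repository): it parses Conventional Commits headers and bodies and derives the next type version from the current one. Treating fix as a patch bump and a pre-1.0.0 breaking change as a minor bump are assumptions of this example; the issue itself only fixes feat/test as a minor bump and post-1.0.0 breaking changes as a major bump.

```typescript
interface Version { major: number; minor: number; patch: number; }

interface ConventionalCommit {
  type: string;          // feat, test, fix, ...
  scope: string | null;  // e.g. my-type
  description: string;
  breaking: boolean;     // '!' after type/scope, or a BREAKING CHANGE line in the body
}

function parseVersion(text: string): Version {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(text);
  if (!m) throw new Error(`not a MAJOR.MINOR.PATCH version: ${text}`);
  return { major: parseInt(m[1], 10), minor: parseInt(m[2], 10), patch: parseInt(m[3], 10) };
}

function formatVersion(v: Version): string {
  return `${v.major}.${v.minor}.${v.patch}`;
}

// Header: <type>[(<scope>)][!]: <description>. Body or footer lines may carry
// "BREAKING CHANGE: ..." as the issue asks for squashed PRs. A header that does
// not follow the convention is rejected so the gate cannot be bypassed silently.
function parseCommit(message: string): ConventionalCommit {
  const lines = message.split('\n');
  const header = /^([a-z]+)(?:\(([^()]+)\))?(!)?: (.+)$/.exec(lines[0]);
  if (!header) throw new Error(`commit header does not follow Conventional Commits: ${lines[0]}`);
  const bodyBreaking = lines.slice(1).some((line) => /^BREAKING[ -]CHANGE:/.test(line));
  return { type: header[1], scope: header[2] || null, description: header[4], breaking: header[3] === '!' || bodyBreaking };
}

type Bump = 'none' | 'patch' | 'minor' | 'major';
const BUMP_RANK: Record<Bump, number> = { none: 0, patch: 1, minor: 2, major: 3 };

// Bump implied by one commit, given the version it applies to.
function bumpFor(commit: ConventionalCommit, current: Version): Bump {
  // Breaking changes may occur before 1.0.0 without a major bump (assumption: count them as minor).
  if (commit.breaking) return current.major >= 1 ? 'major' : 'minor';
  if (commit.type === 'feat' || commit.type === 'test') return 'minor'; // quality gates from the issue
  if (commit.type === 'fix') return 'patch';                             // Conventional Commits default (assumption)
  return 'none';
}

// The highest bump among all commits since `current` wins.
function nextVersion(current: string, messages: string[]): string {
  const v = parseVersion(current);
  let bump: Bump = 'none';
  for (const message of messages) {
    const b = bumpFor(parseCommit(message), v);
    if (BUMP_RANK[b] > BUMP_RANK[bump]) bump = b;
  }
  if (bump === 'major') return formatVersion({ major: v.major + 1, minor: 0, patch: 0 });
  if (bump === 'minor') return formatVersion({ major: v.major, minor: v.minor + 1, patch: 0 });
  if (bump === 'patch') return formatVersion({ major: v.major, minor: v.minor, patch: v.patch + 1 });
  return current;
}

// The issue's own example commit, applied to a freshly created type.
console.log(nextVersion('0.1.0', ['feat(my-type): implement create/update and delete handler'])); // 0.2.0
```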

Unable to have management account as target of SSO Assignment Group

If you have the management account as your target, the following error happens in Community::SSO::AssignmentGroup resource type v0.3.1:

Error: Received a 403 status error: Access denied by IAM. Please check your policy, or wait for role propagation to complete. IAM Error: User: arn:aws:sts::123456789012:assumed-role/community-sso-assignmentgroup-resour-ExecutionRole/1111 is not authorized to perform: iam:ListRolePolicies on resource: role AWSReservedSSO_Viewer_1111 (Service: AmazonIdentityManagement; Status Code: 403; Error Code: AccessDenied; Request ID: 1111; Proxy: null): 1111, 123456789012 arn:aws:sso:::permissionSet/ssoins-1111/ps-1111

I gave the resource type execution role full permission to the account and that still did not work.

As a workaround, I used the native type AWS::SSO::Assignment just for the management account.

Resource of type 'Community::Organizations::Policy' with identifier 'DenyLargeEC2Instances' already exists

Despite #70, I've been unable to deploy my org-formation for a while. I've tried removing the SCP and redeploying, but I consistently get this error:

ERROR: Resource Scp failed because Resource handler returned message: "Error: Resource of type 'Community::Organizations::Policy' with identifier 'DenyLargeEC2Instances' already exists." (RequestToken: asdf, HandlerErrorCode: AlreadyExists).
ERROR: Stack example-deny-large-ec2 in account 1234 (us-east-1) update failed. reason: Resource is not in the state stackCreateComplete (1234= ManagementAccount)

Do I need to do something in my account so that the delete_then_create starts working?

org-formation _task.yml

OrganizationsPolicyRp:
  Type: register-type
  ResourceType: 'Community::Organizations::Policy'
  SchemaHandlerPackage: !Sub 's3://${catalogBucket}/community-organizations-policy-0.2.2.zip'
  MaxConcurrentTasks: 100
  OrganizationBinding:
    IncludeMasterAccount: true
    Region: us-east-1 # Only compatible to us-east-1 region

example-deny-large-ec2 template

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {},
  "Resources": {
    "Scp": {
      "Type": "Community::Organizations::Policy",
      "Properties": {
        "Name": "DenyLargeEC2Instances",
        "Description": "Deny running EC2 instances larger than 4xlarge",
        "PolicyType": "SERVICE_CONTROL_POLICY",
        "TargetIds": [
          "account1",
          "account2",
          "account3",
          "account4",
          "account5",
          "account6",
          "account7",
          "account8",
          "account9",
          "account10",
          "account11"
        ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "DenyLargerThan4XLarge",
              "Effect": "Deny",
              "Action": [
                "ec2:RunInstances"
              ],
              "Resource": "arn:aws:ec2:*:*:instance/*",
              "Condition": {
                "ForAnyValue:StringNotLike": {
                  "ec2:InstanceType": [
                    "*.nano",
                    "*.small",
                    "*.micro",
                    "*.medium",
                    "*.large",
                    "*.xlarge",
                    "*.2xlarge",
                    "*.4xlarge"
                  ]
                }
              }
            }
          ]
        }
      }
    }
  },
  "Outputs": {}
}

Error creating service-linked role for Service Quotas

If you try to create the CloudFormation service quota for stacks in an AWS account that has never been used with Service Quotas, the following error happens in Community::ServiceQuotas::CloudFormation resource type v0.1.0:

Error: Service-linked role creation access denied.

Even after adding the following policy to the execution role, it still did not work:

        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/servicequotas.amazonaws.com/AWSServiceRoleForServiceQuotas*",
            "Condition": {"StringLike": {"iam:AWSServiceName": "servicequotas.amazonaws.com"}}
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/servicequotas.amazonaws.com/AWSServiceRoleForServiceQuotas*"
        }

The CloudTrail event:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "<REDACTED>",
        "arn": "arn:aws:sts::123456789012:assumed-role/community-servicequotas-cloudformati-ExecutionRole-<REDACTED>/<REDACTED>",
        "accountId": "123456789012",
        "accessKeyId": "<REDACTED>",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "<REDACTED>",
                "arn": "arn:aws:iam::123456789012:role/community-servicequotas-cloudformati-ExecutionRole-<REDACTED>",
                "accountId": "123456789012",
                "userName": "community-servicequotas-cloudformati-ExecutionRole-<REDACTED>"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "<REDACTED>"
            }
        },
        "invokedBy": "servicequotas.amazonaws.com"
    },
    "eventTime": "<REDACTED>",
    "eventSource": "iam.amazonaws.com",
    "eventName": "CreateServiceLinkedRole",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "servicequotas.amazonaws.com",
    "userAgent": "servicequotas.amazonaws.com",
    "errorCode": "AccessDenied",
    "errorMessage": "User: arn:aws:sts::123456789012:assumed-role/community-servicequotas-cloudformati-ExecutionRole-<REDACTED>/<REDACTED> is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::123456789012:role/aws-service-role/servicequotas.amazonaws.com/AWSServiceRoleForServiceQuotas",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "<REDACTED>",
    "eventID": "<REDACTED>",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "123456789012"
}

As a workaround, I have been able to create the service-linked role myself through the CLI beforehand: aws iam create-service-linked-role --aws-service-name servicequotas.amazonaws.com.

Because the servicequotas.amazonaws.com does not have MFA authenticated set to true, the resource provider making the call directly to IAM to create the service-linked role would be a possible solution.

Unable to update targetIds in Organizations policy

If you try to update any of the target identifiers, the following error happens in Community::Organizations::Policy resource type v0.1.0:

A policy with the specified name and type already exists.

We need to change the replacement strategy to delete_then_create.

Community::VPC::Peering

A provider to set up VPC peering from one VPC (in one account) to another VPC (in another account).

primaryIdentifier design for resources that are global to account or account/region

There are quite a few examples where we create resource providers that change settings without an ARN and that are global to an account or account/region. At this moment there is no consistent implementation for the primaryIdentifier.

I think the best suggestion I have is to use awsAccountId for this. This has the benefit of CloudFormation ensuring there are no 2 resources that own the same setting (the combination ResourceType/primaryIdentifier needs to be unique within a region/account).

There is 1 undesired side-effect: if you change the logicalName of a resource with this type of ID, CFN will create 2 operations: Create and Delete. Depending on the order this will fail: Create before Delete will violate the uniqueness constraint. This is something CloudFormation users did/do get used to because it is how CFN works. Arguably it is also the CFN behavior I find hardest to deal with....

Is there a way around this? Specify that Deletes should go before Creates? Do them in parallel and retry the Create (max 3 times with backoff?)? Any other suggestions?

Packages contain aws sdk

The current build process includes the aws sdk (and all of its dependencies) when packaging a RP.
We should be able to leave the aws sdk out and have a smaller package size.

Downloading/installing will be faster and hosting the registry will cost less money.

Issues in a new region

I'm trying to set up our organization to work in af-south-1, a relatively new region, but org-formation times-out and fails while registering NoDefaultVpcRp:

ERROR: Workload NoDefaultVpcRp in 1234/af-south-1 updated failed. reason: Account seems stuck initializing. (1234 = MyOldAccount)
ERROR: Workload NoDefaultVpcRp in 5678/af-south-1 updated failed. reason: Account seems stuck initializing. (5678 = MyOtherAccount)
...

I see that af-south-1 is not a 'known' region, but do any of these community resource providers depend on knowing the regions? It didn't seem like NoDefaultVpcRp does. Do you have any tips for investigating this further?

bug(Community::Organizations::NoDefaultVPC): Resource NoDefaultVpc failed because Internal Failure

We're using this community package: Community::Organizations::NoDefaultVPC and installed it using org-formation as explained in these instructions: https://github.com/org-formation/aws-resource-providers/blob/master/ec2/no-default-vpc/installation.md#installation-using-org-formation-task

Next to that, we've supplied a task to deploy the stack (stackname: compliance-config) using this example: https://github.com/org-formation/aws-resource-providers/blob/master/ec2/no-default-vpc/example.yml

So our tasks look like this:

Parameters:
  <<: !Include "../organization-parameters.yml"

#NoDefaultVPC
CommunityEc2NoDefaultVpcsRP:
  Type: register-type
  SchemaHandlerPackage: s3://community-resource-provider-catalog/community-organizations-nodefaultvpc-0.1.0.zip
  ResourceType: 'Community::Organizations::NoDefaultVPC'
  MaxConcurrentTasks: 10
  OrganizationBinding:
    IncludeMasterAccount: true
    Account: '*'
    Region: !Ref primaryRegion

ComplianceTemplate:
  Type: update-stacks
  Template: ./compliance-template.yml
  StackName: compliance-config
  StackDescription: Remediations for AWS Foundational Security Best Practices
  MaxConcurrentStacks: 10
  FailedStackTolerance: 10
  DefaultOrganizationBindingRegion: !Ref primaryRegion
  OrganizationBinding:
    IncludeMasterAccount: true
    Account: '*'
    Region: !Ref primaryRegion

However, the default VPCs are removed the first time. But running the pipeline again with this task enabled causes the following errors:

INFO: Executing: register-type CommunityEc2NoDefaultVpcsRP.
DEBG: Setting build action on register-type / CommunityEc2NoDefaultVpcsRP for 012345678910/eu-west-1 to None - hash matches stored target. (012345678910 = Account1)
DEBG: Stack compliance-config in account 012345678910 (eu-west-1) update starting... (012345678910 = Account1)
ERROR: error updating CloudFormation stack compliance-config in account 012345678910 (eu-west-1).
Resource is not in the state stackCreateComplete (012345678910 = Account1)
ERROR: Resource NoDefaultVpc failed because Internal Failure.
ERROR: Stack compliance-config in account 012345678910 (eu-west-1) update failed. reason: Resource is not in the state stackCreateComplete (012345678910 = Account1)
Resource is not in the state stackCreateComplete (use option --print-stack to print stack)

I would expect org-formation to skip making changes if it detects that there are no default VPCs anymore. Now, it's causing the pipeline to slow down since it retries the tasks before giving up.

As a workaround, I've disabled the task.

design: regiondefaults, accountdefaults

Thinking about resource providers in the context of org-formation, these resources will be applied to multiple accounts at the same time.

I was thinking of implementing https://github.com/OlafConijn/AwsOrganizationFormation/issues/84 using a resource called RegionDefaults. This can then be applied to any number of account/region combinations. I also thought about collecting similar settings (region scope) in the same resource. Logically there would also be a resource called AccountDefaults with a collection of settings that make sense to include in org-formation.

e.g.

Resources:
  RegionDefaults:
    Type: 'OC::ORG::RegionDefaults'
    OrganizationBinding:
       Regions: 
          - eu-central-1
          - us-east
       Account: '*'
    Properties:
      EnableEbsEncryptionByDefault: true

Question becomes: Would password policy be an account default? or its own resource?
IAM Alias will not be a default because it will (certainly) change for each account, but Password Policy is likely to be the same.

Another question: Would service limits have their own resource? or would limits be part of the 'account defaults'?

Honestly don't know yet. Somewhat inclined to have Password Policy be part of an AccountDefaults resource and give service limits a resource of their own.

what do you think? thanks

Community::Support::SupportLevel

Resource should allow setting the SupportLevel for an Account within the organization through a support ticket.

This is because it is currently not possible to automate this process. org-formation, but also ADF, use this mechanism to automate setting the support level on new member accounts.

Type: Community::Support::SupportLevel
Properties: 
  SupportLevel: 'developer' | 'business' | 'enterprise'
  AccountId: String # \d{12}
  CCEmailAddresses: List<String> # list of email addresses that need to be included on the support case.

Type must be deployed to the master account, where the support case will be created as follows.
The Support API is only supported on AWS Accounts that have business or enterprise support enabled. The resource is expected to fail if the support level is less.

const createCaseRequest: CreateCaseRequest = {
    subject: `Enable ${resource.supportLevel} Support for account: ${accountId}`,
    communicationBody: `Hi AWS,
Please enable ${resource.supportLevel} on account ${accountId}.
This case was created automatically - please resolve when done.

Thank you!
    `,
    serviceCode: 'customer-account',
    categoryCode: 'other-account-issues',
    severityCode: 'low',
    issueType: 'customer-service',
    ccEmailAddresses: [resource.rootEmail],
};

Intended use using org-formation syntax:

DevelopmentAccountsHaveDeveloperSupport:
  Type: Community::Support::SupportLevel
  OrganizationBinding: !Ref masterAccountBinding
  ForeachAccount: !Ref developmentAccountsBinding
  Properties: 
    SupportLevel: 'developer'
    AccountId: !Ref CurrentAccount
    CCEmailAddresses:
    - [email protected]
    - !GetAtt CurrentAccount.RootEmail

ProductionsAccountsHaveBusinessSupport:
  Type: Community::Support::SupportLevel
  OrganizationBinding: !Ref masterAccountBinding
  ForeachAccount: !Ref productionAccountsBinding
  Properties: 
    SupportLevel: 'business'
    AccountId: !Ref CurrentAccount
    CCEmailAddresses:
    - [email protected]
    - !GetAtt CurrentAccount.RootEmail

Organizations Policy type should support Document as object

Currently the Community::Organizations::Policy type supports specifying a policy document as a string (or using !Include).

If we would like to use expressions (or other org-formation functions) within the body of these policies, they must be defined as a complex object and converted to a string (JSON.stringify) only when interfacing with the Organizations API.

Publish to CloudFormation Public Registry

feature request: add support for setting Session Manager preferences

Feature

Please add support for configuring Session Manager preferences, e.g. configuring which log group and/or s3 bucket commands get logged to.

Session manager preferences are configured at a regional level.

(screenshot of the Session Manager preferences page not reproduced here)

Environment

  • version of org-formation (ofn --version): 0.9.18
  • version of node (node --version): 12.18
  • which OS/distro: macOS Monterey
