Release: 1.8.0

Author: AWS

VERSION

@@ -1 +1 @@
-1.7.0
+1.8.0

main.tf

@@ -188,6 +188,7 @@ module "aft_ssm_parameters" {
   aft_controltower_events_table_name                          = module.aft_account_request_framework.controltower_events_table_name
   account_factory_product_name                                = module.aft_account_request_framework.account_factory_product_name
   aft_invoke_aft_account_provisioning_framework_function_name = module.aft_account_request_framework.invoke_aft_account_provisioning_framework_lambda_function_name
+  aft_cleanup_resources_function_name                         = module.aft_account_request_framework.aft_cleanup_resources_function_name
   aft_account_provisioning_framework_sfn_name                 = module.aft_account_request_framework.aft_account_provisioning_framework_sfn_name
   aft_sns_topic_arn                                           = module.aft_account_request_framework.sns_topic_arn
   aft_failure_sns_topic_arn                                   = module.aft_account_request_framework.failure_sns_topic_arn
@@ -227,7 +228,7 @@ module "aft_ssm_parameters" {
   aft_config_backend_secondary_region                         = var.tf_backend_secondary_region
   aft_framework_repo_url                                      = var.aft_framework_repo_url
   aft_framework_repo_git_ref                                  = local.aft_framework_repo_git_ref
-  terraform_token                                             = var.terraform_token
+  terraform_token                                             = var.terraform_token # Null default value #tfsec:ignore:general-secrets-no-plaintext-exposure
   terraform_version                                           = var.terraform_version
   terraform_org_name                                          = var.terraform_org_name
   aft_feature_cloudtrail_data_events                          = var.aft_feature_cloudtrail_data_events

modules/aft-account-provisioning-framework/iam/role-policies/iam-aft-states.tpl

@@ -52,6 +52,16 @@
             "Resource": [
                 "arn:${data_aws_partition_current_partition}:events:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:rule/StepFunctionsGetEventForCodeBuildStartBuildRule"
             ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "states:DescribeExecution"
+            ],
+            "Resource": [
+                "arn:${data_aws_partition_current_partition}:states:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:execution:aft-*"
+            ]
         }
+
     ]
 }

modules/aft-account-provisioning-framework/lambda.tf

@@ -3,7 +3,7 @@
 #
 
 ###  CREATE ROLE FUNCTION
-
+#tfsec:ignore:aws-lambda-enable-tracing
 resource "aws_lambda_function" "create_role" {
   filename         = var.provisioning_framework_archive_path
   function_name    = "aft-account-provisioning-framework-create-aft-execution-role"
@@ -22,14 +22,15 @@ resource "aws_lambda_function" "create_role" {
   }
 }
 
+#tfsec:ignore:aws-cloudwatch-log-group-customer-key
 resource "aws_cloudwatch_log_group" "create_role" {
   name              = "/aws/lambda/${aws_lambda_function.create_role.function_name}"
   retention_in_days = var.cloudwatch_log_group_retention
 }
 
 
 ###  TAG ACCOUNT FUNCTION
-
+#tfsec:ignore:aws-lambda-enable-tracing
 resource "aws_lambda_function" "tag_account" {
   filename         = var.provisioning_framework_archive_path
   function_name    = "aft-account-provisioning-framework-tag-account"
@@ -48,13 +49,14 @@ resource "aws_lambda_function" "tag_account" {
   }
 }
 
+#tfsec:ignore:aws-cloudwatch-log-group-customer-key
 resource "aws_cloudwatch_log_group" "tag_account" {
   name              = "/aws/lambda/${aws_lambda_function.tag_account.function_name}"
   retention_in_days = var.cloudwatch_log_group_retention
 }
 
 ###  PERSIST METADATA FUNCTION
-
+#tfsec:ignore:aws-lambda-enable-tracing
 resource "aws_lambda_function" "persist_metadata" {
   filename         = var.provisioning_framework_archive_path
   function_name    = "aft-account-provisioning-framework-persist-metadata"
@@ -73,6 +75,7 @@ resource "aws_lambda_function" "persist_metadata" {
   }
 }
 
+#tfsec:ignore:aws-cloudwatch-log-group-customer-key
 resource "aws_cloudwatch_log_group" "persist_metadata" {
   name              = "/aws/lambda/${aws_lambda_function.persist_metadata.function_name}"
   retention_in_days = var.cloudwatch_log_group_retention
@@ -81,7 +84,7 @@ resource "aws_cloudwatch_log_group" "persist_metadata" {
 ###  Account Metadata SSM Function
 
 
-
+#tfsec:ignore:aws-lambda-enable-tracing
 resource "aws_lambda_function" "account_metadata_ssm" {
   filename         = var.provisioning_framework_archive_path
   function_name    = "aft-account-provisioning-framework-account-metadata-ssm"
@@ -100,6 +103,7 @@ resource "aws_lambda_function" "account_metadata_ssm" {
   }
 }
 
+#tfsec:ignore:aws-cloudwatch-log-group-customer-key
 resource "aws_cloudwatch_log_group" "account_metadata_ssm" {
   name              = "/aws/lambda/${aws_lambda_function.account_metadata_ssm.function_name}"
   retention_in_days = var.cloudwatch_log_group_retention

modules/aft-account-request-framework/iam.tf

@@ -71,9 +71,8 @@ resource "aws_iam_role_policy" "aft_account_request_action_trigger" {
     data_aws_caller_identity_aft-management_account_id                = data.aws_caller_identity.aft-management.account_id
     aws_sns_topic_aft_notifications_arn                               = aws_sns_topic.aft_notifications.arn
     aws_sns_topic_aft_failure_notifications_arn                       = aws_sns_topic.aft_failure_notifications.arn
-    data_aws_region_aft-management_name                               = data.aws_region.aft-management.name
-    data_aws_caller_identity_aft-management_account_id                = data.aws_caller_identity.aft-management.account_id
     aws_lambda_function_invoke_aft_account_provisioning_framework_arn = aws_lambda_function.aft_invoke_aft_account_provisioning_framework.arn
+    aws_lambda_function_cleanup_resources_arn                         = aws_lambda_function.aft_cleanup_resources.arn
     aws_sqs_queue_aft_account_request_arn                             = aws_sqs_queue.aft_account_request.arn
     aws_kms_key_aft_arn                                               = aws_kms_key.aft.arn
     aws_dynamodb_table_aft-request_name                               = aws_dynamodb_table.aft_request.name
@@ -150,7 +149,7 @@ resource "aws_iam_role_policy_attachment" "aft_invoke_aft_account_provisioning_f
 }
 
 resource "aws_iam_role_policy" "aft_invoke_aft_account_provisioning_framework" {
-  name = "aft-account-request-action-trigger"
+  name = "aft-invoke-account-provisioning-framework"
   role = aws_iam_role.aft_invoke_aft_account_provisioning_framework.id
 
   policy = templatefile("${path.module}/iam/role-policies/lambda-invoke-aft-account-provisioning-framework.tpl", {
@@ -165,6 +164,32 @@ resource "aws_iam_role_policy" "aft_invoke_aft_account_provisioning_framework" {
   })
 }
 
+######### cleanup-aft-resourcess #########
+resource "aws_iam_role" "aft_cleanup_resources" {
+  name               = "aft-lambda-cleanup-resources"
+  assume_role_policy = templatefile("${path.module}/iam/trust-policies/lambda.tpl", { none = "none" })
+}
+
+resource "aws_iam_role_policy_attachment" "aft_cleanup_resources" {
+  count      = length(local.lambda_managed_policies)
+  role       = aws_iam_role.aft_cleanup_resources.name
+  policy_arn = local.lambda_managed_policies[count.index]
+}
+
+resource "aws_iam_role_policy" "aft_cleanup_resources" {
+  name = "aft-cleanup-resources"
+  role = aws_iam_role.aft_cleanup_resources.id
+
+  policy = templatefile("${path.module}/iam/role-policies/lambda-aft-cleanup-resources.tpl", {
+    data_aws_partition_current_partition               = data.aws_partition.current.partition
+    data_aws_region_aft-management_name                = data.aws_region.aft-management.name
+    data_aws_caller_identity_aft-management_account_id = data.aws_caller_identity.aft-management.account_id
+    aws_sns_topic_aft_notifications_arn                = aws_sns_topic.aft_notifications.arn
+    aws_sns_topic_aft_failure_notifications_arn        = aws_sns_topic.aft_failure_notifications.arn
+    aws_dynamodb_table_aft-request-metadata_name       = aws_dynamodb_table.aft_request_metadata.name
+    aws_kms_key_aft_arn                                = aws_kms_key.aft.arn
+  })
+}
 
 ######### aft_aws_backup #########
 

modules/aft-account-request-framework/iam/role-policies/aft-states.tpl

@@ -14,6 +14,14 @@
             "Resource": [
                 "arn:${data_aws_partition_current_partition}:lambda:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:function:aft_*"
             ]
+        },
+         {
+            "Effect": "Allow",
+            "Action": [
+                "states:DescribeExecution"
+            ],
+            "Resource": "${aft_account_provisioning_customizations_sfn_name}"
         }
+
     ]
 }

modules/aft-account-request-framework/iam/role-policies/lambda-account-request-action-trigger.tpl

@@ -9,10 +9,19 @@
 			],
 			"Resource": "arn:${data_aws_partition_current_partition}:dynamodb:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:table/${aws_dynamodb_table_aft-request-audit_name}"
 		},
+        {
+            "Effect": "Allow",
+			"Action": [
+				"lambda:InvokeFunction"
+			],
+			"Resource": [
+				"${aws_lambda_function_invoke_aft_account_provisioning_framework_arn}",
+                "${aws_lambda_function_cleanup_resources_arn}"
+			]
+        },
 		{
 			"Effect": "Allow",
 			"Action": [
-				"lambda:InvokeFunction",
 				"dynamodb:GetShardIterator",
 				"dynamodb:DescribeStream",
 				"dynamodb:GetRecords",
@@ -22,7 +31,6 @@
 			],
 			"Resource": [
 				"arn:${data_aws_partition_current_partition}:dynamodb:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:table/${aws_dynamodb_table_aft-request_name}/stream/*",
-				"${aws_lambda_function_invoke_aft_account_provisioning_framework_arn}",
                 "${aws_sqs_queue_aft_account_request_arn}"
 			]
 		},

modules/aft-account-request-framework/iam/role-policies/lambda-aft-cleanup-resources.tpl

@@ -0,0 +1,70 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "dynamodb:GetItem",
+                "dynamodb:DeleteItem"
+            ],
+            "Resource": [
+                "arn:${data_aws_partition_current_partition}:dynamodb:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:table/${aws_dynamodb_table_aft-request-metadata_name}"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "codepipeline:ListPipelineExecutions",
+                "codepipeline:ListPipelines",
+                "codepipeline:ListTagsForResource",
+                "codepipeline:DeletePipeline"
+            ],
+            "Resource": [
+                "arn:${data_aws_partition_current_partition}:codepipeline:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": "ssm:GetParameter",
+            "Resource": [
+                "arn:${data_aws_partition_current_partition}:ssm:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:parameter/aft/*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "sts:AssumeRole"
+            ],
+            "Resource": [
+                "arn:${data_aws_partition_current_partition}:iam::${data_aws_caller_identity_aft-management_account_id}:role/AWSAFTAdmin"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": "sts:GetCallerIdentity",
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "sns:Publish"
+            ],
+            "Resource": [
+                "${aws_sns_topic_aft_notifications_arn}",
+                "${aws_sns_topic_aft_failure_notifications_arn}"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "kms:GenerateDataKey",
+                "kms:Encrypt",
+                "kms:Decrypt"
+            ],
+            "Resource": [
+                "${aws_kms_key_aft_arn}",
+                "arn:${data_aws_partition_current_partition}:kms:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:alias/aws/sns"
+            ]
+        }
+    ]
+}

modules/aft-account-request-framework/lambda.tf

@@ -3,6 +3,7 @@
 #
 ######## aft_account_request_audit_trigger ########
 
+#tfsec:ignore:aws-lambda-enable-tracing
 resource "aws_lambda_function" "aft_account_request_audit_trigger" {
 
   filename      = var.request_framework_archive_path
@@ -38,14 +39,15 @@ resource "aws_lambda_event_source_mapping" "aft_account_request_audit_trigger" {
   maximum_retry_attempts = 1
 }
 
+#tfsec:ignore:aws-cloudwatch-log-group-customer-key
 resource "aws_cloudwatch_log_group" "aft_account_request_audit_trigger" {
   name              = "/aws/lambda/${aws_lambda_function.aft_account_request_audit_trigger.function_name}"
   retention_in_days = var.cloudwatch_log_group_retention
 }
 
 ######## aft_account_request_action_trigger ########
 
-
+#tfsec:ignore:aws-lambda-enable-tracing
 resource "aws_lambda_function" "aft_account_request_action_trigger" {
 
   filename      = var.request_framework_archive_path
@@ -75,14 +77,15 @@ resource "aws_lambda_event_source_mapping" "aft_account_request_action_trigger"
   maximum_retry_attempts = 1
 }
 
+#tfsec:ignore:aws-cloudwatch-log-group-customer-key
 resource "aws_cloudwatch_log_group" "aft_account_request_action_trigger" {
   name              = "/aws/lambda/${aws_lambda_function.aft_account_request_action_trigger.function_name}"
   retention_in_days = var.cloudwatch_log_group_retention
 }
 
 ######## aft_controltower_event_logger ########
 
-
+#tfsec:ignore:aws-lambda-enable-tracing
 resource "aws_lambda_function" "aft_controltower_event_logger" {
 
   filename      = var.request_framework_archive_path
@@ -111,14 +114,15 @@ resource "aws_lambda_permission" "aft_controltower_event_logger" {
   source_arn    = aws_cloudwatch_event_rule.aft_controltower_event_trigger.arn
 }
 
+#tfsec:ignore:aws-cloudwatch-log-group-customer-key
 resource "aws_cloudwatch_log_group" "aft_controltower_event_logger" {
   name              = "/aws/lambda/${aws_lambda_function.aft_controltower_event_logger.function_name}"
   retention_in_days = var.cloudwatch_log_group_retention
 }
 
 ######## aft_account_request_processor ########
 
-
+#tfsec:ignore:aws-lambda-enable-tracing
 resource "aws_lambda_function" "aft_account_request_processor" {
 
   filename      = var.request_framework_archive_path
@@ -148,14 +152,15 @@ resource "aws_lambda_permission" "aft_account_request_processor" {
   source_arn    = aws_cloudwatch_event_rule.aft_account_request_processor.arn
 }
 
+#tfsec:ignore:aws-cloudwatch-log-group-customer-key
 resource "aws_cloudwatch_log_group" "aft_account_request_processor" {
   name              = "/aws/lambda/${aws_lambda_function.aft_account_request_processor.function_name}"
   retention_in_days = var.cloudwatch_log_group_retention
 }
 
 ######## aft_invoke_aft_account_provisioning_framework ########
 
-
+#tfsec:ignore:aws-lambda-enable-tracing
 resource "aws_lambda_function" "aft_invoke_aft_account_provisioning_framework" {
 
   filename      = var.request_framework_archive_path
@@ -185,7 +190,38 @@ resource "aws_lambda_permission" "aft_invoke_aft_account_provisioning_framework"
   source_arn    = aws_cloudwatch_event_rule.aft_controltower_event_trigger.arn
 }
 
+#tfsec:ignore:aws-cloudwatch-log-group-customer-key
 resource "aws_cloudwatch_log_group" "aft_invoke_aft_account_provisioning_framework" {
   name              = "/aws/lambda/${aws_lambda_function.aft_invoke_aft_account_provisioning_framework.function_name}"
   retention_in_days = var.cloudwatch_log_group_retention
 }
+
+######## aft_cleanup_resources ########
+
+#tfsec:ignore:aws-lambda-enable-tracing
+resource "aws_lambda_function" "aft_cleanup_resources" {
+
+  filename      = var.request_framework_archive_path
+  function_name = "aft-cleanup-resources"
+  description   = "Removes AFT pipeline resources when an account record is removed from the AFT repo"
+  role          = aws_iam_role.aft_cleanup_resources.arn
+  handler       = "aft_cleanup_resources.lambda_handler"
+
+  source_code_hash = var.request_framework_archive_hash
+  memory_size      = 1024
+  runtime          = "python3.8"
+  timeout          = "300"
+  layers           = [var.aft_common_layer_arn]
+
+  vpc_config {
+    subnet_ids         = tolist([aws_subnet.aft_vpc_private_subnet_01.id, aws_subnet.aft_vpc_private_subnet_02.id])
+    security_group_ids = tolist([aws_security_group.aft_vpc_default_sg.id])
+  }
+
+}
+
+#tfsec:ignore:aws-cloudwatch-log-group-customer-key
+resource "aws_cloudwatch_log_group" "aft_cleanup_resources" {
+  name              = "/aws/lambda/${aws_lambda_function.aft_cleanup_resources.function_name}"
+  retention_in_days = var.cloudwatch_log_group_retention
+}

modules/aft-account-request-framework/outputs.tf

@@ -62,6 +62,9 @@ output "account_factory_product_name" {
 output "invoke_aft_account_provisioning_framework_lambda_function_name" {
   value = aws_lambda_function.aft_invoke_aft_account_provisioning_framework.function_name
 }
+output "aft_cleanup_resources_function_name" {
+  value = aws_lambda_function.aft_cleanup_resources.function_name
+}
 output "aft_account_provisioning_framework_sfn_name" {
   value = var.aft_account_provisioning_framework_sfn_name
 }