jchrisfarris/OrganizationalConfig.yaml Secret

## OrganizationalConfig.yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Configure The Organizational Config Service Aggregator and Conformance Pack Infrastructure
Parameters:

  pOrganizationConformancePackBucketSuffix:
    Description: Suffix to append to awsconfigconforms when creating the bucket
    Type: String

  pOrganizationId:
    Description: AWS Organization ID
    Type: String

  pCreateBucket:
    Description: If true, the ConformancePackResults Bucket is created
    Type: String
    AllowedValues:
      - "true"
      - "false"
    Default: "true"

Conditions:
  CreateBucket: !Equals [ !Ref pCreateBucket, "true" ]


Resources:

  ConformancePackDeliveryS3Bucket:
    Type: AWS::S3::Bucket
    Condition: CreateBucket
    Properties:
      BucketName: !Sub "awsconfigconforms-${pOrganizationConformancePackBucketSuffix}"
      AccessControl: Private
      # LoggingConfiguration:
      #   DestinationBucketName:
      #     Ref: pLoggingBucket
      #   LogFilePrefix: !Join ['', ['S3logs/', !Ref pBucketName, '/']]
      # VersioningConfiguration:
      #   Status: Disabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  ConformancePackDeliveryS3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Sub "awsconfigconforms-${pOrganizationConformancePackBucketSuffix}"
      PolicyDocument:
        Statement:
        - Sid: AllowGetObject
          Effect: Allow
          Principal: '*'
          Action:
            - s3:getObject
            - s3:PutObject
          Resource: !Sub "arn:aws:s3:::awsconfigconforms-${pOrganizationConformancePackBucketSuffix}/*"
          Condition:
            StringEquals:
              aws:PrincipalOrgID: !Ref pOrganizationId
        - Sid: AllowGetBucketAcl
          Effect: Allow
          Principal: '*'
          Action:
            - s3:GetBucketAcl
          Resource: !Sub "arn:aws:s3:::awsconfigconforms-${pOrganizationConformancePackBucketSuffix}"
          Condition:
            StringEquals:
              aws:PrincipalOrgID: !Ref pOrganizationId

  ConfigTopic:
    Type: "AWS::SNS::Topic"
    Properties:
      TopicName: !Sub "${AWS::StackName}"
      DisplayName: "Organizational Config Topic"


  # Why they don't have a service linked role here is beyond me
  ConfigAggregatorRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "aws-config-aggregator-role-${AWS::StackName}"
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: config.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /service-role/
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations

  # Create the Aggregator
  ConfigAggregator:
    Type: AWS::Config::ConfigurationAggregator
    Properties:
      ConfigurationAggregatorName: !Sub "${AWS::StackName}-Aggregator"
      OrganizationAggregationSource:
          AllAwsRegions: True
          RoleArn: !GetAtt ConfigAggregatorRole.Arn

Outputs:
  ConfigTopicArn:
    Value: !Ref ConfigTopic
  TemplateVersion:
    Value: "1.0.0"
	AWSTemplateFormatVersion: '2010-09-09'
	Description: Configure The Organizational Config Service Aggregator and Conformance Pack Infrastructure
	Parameters:

	pOrganizationConformancePackBucketSuffix:
	Description: Suffix to append to awsconfigconforms when creating the bucket
	Type: String

	pOrganizationId:
	Description: AWS Organization ID
	Type: String

	pCreateBucket:
	Description: If true, the ConformancePackResults Bucket is created
	Type: String
	AllowedValues:
	- "true"
	- "false"
	Default: "true"

	Conditions:
	CreateBucket: !Equals [ !Ref pCreateBucket, "true" ]


	Resources:

	ConformancePackDeliveryS3Bucket:
	Type: AWS::S3::Bucket
	Condition: CreateBucket
	Properties:
	BucketName: !Sub "awsconfigconforms-${pOrganizationConformancePackBucketSuffix}"
	AccessControl: Private
	# LoggingConfiguration:
	# DestinationBucketName:
	# Ref: pLoggingBucket
	# LogFilePrefix: !Join ['', ['S3logs/', !Ref pBucketName, '/']]
	# VersioningConfiguration:
	# Status: Disabled
	BucketEncryption:
	ServerSideEncryptionConfiguration:
	- ServerSideEncryptionByDefault:
	SSEAlgorithm: AES256

	ConformancePackDeliveryS3BucketPolicy:
	Type: AWS::S3::BucketPolicy
	Properties:
	Bucket: !Sub "awsconfigconforms-${pOrganizationConformancePackBucketSuffix}"
	PolicyDocument:
	Statement:
	- Sid: AllowGetObject
	Effect: Allow
	Principal: '*'
	Action:
	- s3:getObject
	- s3:PutObject
	Resource: !Sub "arn:aws:s3:::awsconfigconforms-${pOrganizationConformancePackBucketSuffix}/*"
	Condition:
	StringEquals:
	aws:PrincipalOrgID: !Ref pOrganizationId
	- Sid: AllowGetBucketAcl
	Effect: Allow
	Principal: '*'
	Action:
	- s3:GetBucketAcl
	Resource: !Sub "arn:aws:s3:::awsconfigconforms-${pOrganizationConformancePackBucketSuffix}"
	Condition:
	StringEquals:
	aws:PrincipalOrgID: !Ref pOrganizationId

	ConfigTopic:
	Type: "AWS::SNS::Topic"
	Properties:
	TopicName: !Sub "${AWS::StackName}"
	DisplayName: "Organizational Config Topic"


	# Why they don't have a service linked role here is beyond me
	ConfigAggregatorRole:
	Type: AWS::IAM::Role
	Properties:
	RoleName: !Sub "aws-config-aggregator-role-${AWS::StackName}"
	AssumeRolePolicyDocument:
	Version: 2012-10-17
	Statement:
	- Effect: Allow
	Principal:
	Service: config.amazonaws.com
	Action:
	- sts:AssumeRole
	Path: /service-role/
	ManagedPolicyArns:
	- arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations

	# Create the Aggregator
	ConfigAggregator:
	Type: AWS::Config::ConfigurationAggregator
	Properties:
	ConfigurationAggregatorName: !Sub "${AWS::StackName}-Aggregator"
	OrganizationAggregationSource:
	AllAwsRegions: True
	RoleArn: !GetAtt ConfigAggregatorRole.Arn

	Outputs:
	ConfigTopicArn:
	Value: !Ref ConfigTopic
	TemplateVersion:
	Value: "1.0.0"