@rzamana
Created August 29, 2022 07:28
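---
# CloudFormation template: when AWS Control Tower finishes creating a managed
# account, an EventBridge rule starts an SSM Automation in this (management)
# account, which fans out a second Automation into the new member account
# (in every Region listed in the Regions parameter) that stores the member
# account id in SSM Parameter Store at /account/id.
#
# Date-like scalars (template/policy versions) are quoted so generic YAML 1.1
# parsers do not turn them into timestamps.
AWSTemplateFormatVersion: "2010-09-09"
Description: Rafael Example

Parameters:
  Regions:
    Type: String
    Default: "us-east-1,eu-west-1"
    # Comma-separated; split into a list for TargetLocations.Regions below.
    Description: Regions to add the Parameter

Resources:
  # Automation executed inside the member account (via TargetLocations in
  # StoreParameterInfoInOrgAccount). Writes the account id to /account/id,
  # overwriting any existing value.
  StoreParameterInfo:
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Automation
      Content:
        schemaVersion: "0.3"
        parameters:
          MemberAWSAccountId:
            type: String
        mainSteps:
          - name: StoreParameter
            action: aws:executeAwsApi
            inputs:
              Service: ssm
              Api: PutParameter
              Name: /account/id
              # SSM Automation parameter substitution (not CloudFormation).
              Value: "{{ MemberAWSAccountId }}"
              Type: String
              Overwrite: true
            isEnd: true

  # Role assumed by EventBridge to start the orchestrating Automation. The
  # policy is scoped to the single document the rule targets.
  SSMAutomationExecutionRoleforCWEvents:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sts:AssumeRole
            # NOTE(review): consider an aws:SourceAccount / aws:SourceArn
            # condition here to limit which rules may assume this role
            # (confused-deputy hardening) — confirm EventBridge supplies
            # these keys for role assumption before adding.
      Policies:
        - PolicyName: AllowStartAutomationExecution
          PolicyDocument:
            # Explicit policy language version (IAM defaults to 2008-10-17
            # when omitted).
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ssm:StartAutomationExecution
                Resource:
                  - !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:automation-definition/${StoreParameterInfoInOrgAccount}:*

  # Fires on a successful Control Tower CreateManagedAccount event and passes
  # the new account id to the orchestrating Automation.
  CreateManagedAccountTrigger:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        detail-type:
          - AWS Service Event via CloudTrail
        source:
          - aws.controltower
        detail:
          serviceEventDetails:
            createManagedAccountStatus:
              state:
                - SUCCEEDED
          eventName:
            - CreateManagedAccount
      State: ENABLED
      Targets:
        # NOTE(review): EventBridge SSM Automation target ARNs are usually
        # written with a version suffix (":$DEFAULT" or a number) — confirm
        # whether the unsuffixed form is accepted in this account.
        - Arn: !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:automation-definition/${StoreParameterInfoInOrgAccount}
          Id: CreateManagedAccountTrigger
          RoleArn: !GetAtt SSMAutomationExecutionRoleforCWEvents.Arn
          InputTransformer:
            InputPathsMap:
              AwsAccountId: $.detail.serviceEventDetails.createManagedAccountStatus.account.accountId
            # Automation parameters are passed as lists, hence the array.
            # <AwsAccountId> is substituted by EventBridge from InputPathsMap.
            InputTemplate: |
              {
                "MemberAWSAccountId": [<AwsAccountId>]
              }

  # Service role for the orchestrating Automation (assumeRole below). It may
  # start the member-account document, read execution status, and assume the
  # Control Tower execution role in member accounts.
  StoreParameterInfoInOrgAccountRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: AllowStartAutomationExecutionStoreParameterInfo
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: ssm:StartAutomationExecution
                Resource:
                  - !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:automation-definition/${StoreParameterInfo}:*
        - PolicyName: AllowDescribeSsmAutomationExecutionStatus
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ssm:DescribeAutomationExecutions
                  - ssm:GetAutomationExecution
                # Read-only status calls. NOTE(review): GetAutomationExecution
                # may support an automation-execution/* resource scope while
                # Describe needs "*" — split the statement if narrowing.
                Resource: "*"
        - PolicyName: AllowCallCrossAccountAutomation
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: sts:AssumeRole
                # Cross-account hop into every member account's Control Tower
                # execution role. Only accounts whose role trusts this
                # management account are reachable; an aws:ResourceOrgID
                # condition would further pin this to the organization.
                Resource: !Sub arn:${AWS::Partition}:iam::*:role/AWSControlTowerExecution

  # Orchestrating Automation: runs StoreParameterInfo in the member account
  # across the configured Regions using the Control Tower execution role.
  StoreParameterInfoInOrgAccount:
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Automation
      Content:
        schemaVersion: "0.3"
        assumeRole: !GetAtt StoreParameterInfoInOrgAccountRole.Arn
        parameters:
          MemberAWSAccountId:
            type: String
        mainSteps:
          - name: StoreParameterInfoInOrgAccount
            action: aws:executeAwsApi
            inputs:
              Service: ssm
              Api: StartAutomationExecution
              DocumentName: !Ref StoreParameterInfo
              TargetLocations:
                - ExecutionRoleName: AWSControlTowerExecution
                  Accounts:
                    - "{{ MemberAWSAccountId }}"
                  Regions: !Split [",", !Ref Regions]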