# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 AWSTemplateFormatVersion: "2010-09-09" Description: (SO0058s) - The AWS CloudFormation template (Spoke) for deployment of the network-orchestration-for-aws-transit-gateway Solution. Version v3.3.3 Parameters: HubAccount: Description: Account Id for the network hub account, eg. 123456789012 Type: String AllowedPattern: ^\d{12}$ Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Account ID of the network account where Transit Gateway resides. Parameters: - HubAccount ParameterLabels: HubAccount: default: Network (Hub) Account CreateServiceRoleForVPCTransitGateway: default: Skip the creation of AWSServiceRoleForVPCTransitGateway Mappings: EventBridge: Bus: Name: "Network-Orchestrator-Event-Bus" Conditions: # Adding an EventBus as a target within an account is not allowed. IsSpokeAccountOtherThanHubAccount: !Not [ !Equals [ !Ref HubAccount, !Ref "AWS::AccountId" ] ] Resources: # # Serverless Transit Network Orchestrator Cloudwatch Event Rule # TagEventRule: Condition: "IsSpokeAccountOtherThanHubAccount" # Adding an EventBus as a target within an account is not allowed. Type: AWS::Events::Rule Properties: Description: Serverless Transit Network Orchestrator - Spoke - Rule for tag on resource events EventPattern: { "account": [ !Ref "AWS::AccountId" ], "source": [ "aws.tag" ], "detail-type": [ "Tag Change on Resource" ], "detail": { "service": [ "ec2" ], "resource-type": [ "subnet", "vpc" ] } } State: ENABLED Targets: - Arn: !Sub - arn:${AWS::Partition}:events:${AWS::Region}:${HubAccount}:event-bus/${EventBusName} - {EventBusName: !FindInMap [EventBridge, Bus, Name]} Id: SpokeSubnetTagEvent RoleArn: !GetAtt TransitNetworkEventDeliveryRole.Arn SubnetDeletionEventRule: Condition: "IsSpokeAccountOtherThanHubAccount" # Adding an EventBus as a target within an account is not allowed. Type: AWS::Events::Rule Properties: Description: Serverless Transit Network Orchestrator - Spoke - Rule for subnet deletion EventPattern: { "account": [ !Ref "AWS::AccountId" ], "source": [ "aws.ec2" ], "detail-type": [ "AWS API Call via CloudTrail" ], "detail": { "eventSource": [ "ec2.amazonaws.com" ], "eventName": [ "DeleteSubnet" ], "errorCode": [ "Client.DependencyViolation" ], "sourceIPAddress": [ "cloudformation.amazonaws.com" ] } } State: ENABLED Targets: - Arn: !Sub - arn:${AWS::Partition}:events:${AWS::Region}:${HubAccount}:event-bus/${EventBusName} - {EventBusName: !FindInMap [EventBridge, Bus, Name]} Id: SpokeSubnetTagEvent RoleArn: !GetAtt TransitNetworkEventDeliveryRole.Arn # IAM Role for Serverless Transit Network Orchestrator Execution in the Spoke account TransitNetworkExecutionRole: Type: AWS::IAM::Role Metadata: cfn_nag: rules_to_suppress: - id: W28 reason: "The role name 'TransitNetworkExecutionRole-' has to be defined to allow cross account access from the hub account to make network changes." - id: W11 reason: "Allow * because it is required for making Describe and GetResourceShareInvitationsAPI calls as they don't support resource-level permissions and require you to choose All resources." Properties: RoleName: !Join ["-", ["TransitNetworkExecutionRole", Ref: "AWS::Region"]] AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: AWS: - !Join ['', ['arn:', !Ref 'AWS::Partition', ':iam::', !Ref HubAccount, ':role/STNO-StateMachineLambdaFunctionRole', '-', !Ref 'AWS::Region']] Action: - sts:AssumeRole Policies: - PolicyName: TransitNetworkExecutionPolicy PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - ec2:CreateTransitGatewayRoute - ec2:DeleteTransitGatewayRoute - ec2:ModifyTransitGatewayVpcAttachment - ec2:CreateTransitGatewayVpcAttachment - ec2:DeleteTransitGatewayVpcAttachment - ec2:CreateRoute - ec2:DeleteRoute - ec2:CreateTags Resource: - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:transit-gateway-route-table/* - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:transit-gateway-attachment/* - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:vpc/* - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/* - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:route-table/* - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${HubAccount}:transit-gateway/* - Effect: Allow Action: - ec2:CreateRoute - ec2:DeleteRoute - ec2:CreateTags Resource: - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:vpc/* - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/* - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:route-table/* - Effect: Allow Action: - ec2:DescribeTransitGatewayVpcAttachments - ec2:DescribeTransitGatewayAttachments - ec2:DescribeTransitGatewayRouteTables - ec2:DescribeVpcs - ec2:DescribeRegions - ec2:DescribeSubnets - ec2:DescribeRouteTables Resource: "*" - Effect: Allow Action: - ram:GetResourceShareInvitations Resource: "*" - Effect: Allow Action: - ram:AcceptResourceShareInvitation Resource: !Sub arn:${AWS::Partition}:ram:${AWS::Region}:${HubAccount}:resource-share-invitation/* # IAM Role for Event Rule in the Spoke account to invoke event bus in hub account # This role is only needed if the spoke account belongs to an AWS Organization TransitNetworkEventDeliveryRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: events.amazonaws.com Action: - sts:AssumeRole Path: / Policies: - PolicyName: TransitNetworkEventBusDeliveryRolePolicy PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - events:PutEvents Resource: !Sub - arn:${AWS::Partition}:events:${AWS::Region}:${HubAccount}:event-bus/${EventBusName} - {EventBusName: !FindInMap [EventBridge, Bus, Name]}