feat: Added OrgId and SourceAccounts to SNS topic policy

obs-gh-justindaines · obs-gh-justindaines · commit 5168650631d7 · 2025-11-26T14:06:21.000-05:00
diff --git a/apps/stack/template.yaml b/apps/stack/template.yaml
@@ -31,6 +31,8 @@ Metadata:
           - ConfigDeliveryBucketName
           - IncludeResourceTypes
           - ExcludeResourceTypes
+          - OrgId
+          - SourceAccounts
       - Label:
           default: CloudWatch Logs
         Parameters:
@@ -215,6 +217,23 @@ Parameters:
       OpenTelemetry endpoint to send additional telemetry to.
     Default: ''
     AllowedPattern: "^(http(s)?:\/\/.*)?$"
+  OrgId:
+    Type: String
+    Description: >-
+      Optional AWS Organizations ID. If set, adds an AllowAWSConfigFromOrg
+      statement on the SNS topic that allows publishes by aws:PrincipalOrgID.
+      Useful for AWS Control Tower integrations.
+    Default: ''
+    AllowedPattern: '^(o-[a-z0-9]{10,32})?$'
+  SourceAccounts:
+    Type: CommaDelimitedList
+    Description: >-
+      List of AWS account IDs allowed to publish to the SNS topic via
+      AWS Config. Useful for sub-accounts in AWS Organizations and
+      Control Tower integrations. The current account ID is automatically
+      included when this list is non-empty.
+    Default: ''
+    AllowedPattern: '^\d*$'
 
 Conditions:
   EmptyConfigDeliveryBucketName: !Equals
@@ -269,6 +288,16 @@ Conditions:
     - !Equals
       - !Ref ObserveAwsAccountId
       - ""
+  HasOrgId: !Not
+    - !Equals
+      - !Ref OrgId
+      - ""
+  HasSourceAccounts: !Not
+    - !Equals
+      - !Join
+        - ','
+        - !Ref SourceAccounts
+      - ''
 Resources:
   Topic:
     Type: "AWS::SNS::Topic"
@@ -307,6 +336,40 @@ Resources:
               - "sns:Publish"
             Resource:
               - !Ref Topic
+          - !If
+            - HasOrgId
+            - Sid: "AllowAWSConfigFromOrg"
+              Effect: "Allow"
+              Principal:
+                Service:
+                  - "config.amazonaws.com"
+              Action:
+                - "SNS:Publish"
+              Resource:
+                - !Ref Topic
+              Condition:
+                StringEquals:
+                  "aws:PrincipalOrgID": !Ref OrgId
+            - !Ref AWS::NoValue
+          - !If
+            - HasSourceAccounts
+            - Sid: "AllowAWSConfigFromSourceAccounts"
+              Effect: "Allow"
+              Principal:
+                Service:
+                  - "config.amazonaws.com"
+              Action:
+                - "SNS:Publish"
+              Resource:
+                - !Ref Topic
+              Condition:
+                StringEquals:
+                  "AWS:SourceAccount": !Split
+                    - ','
+                    - !Sub
+                      - '${Accounts},${AWS::AccountId}'
+                      - Accounts: !Join [',', !Ref SourceAccounts]
+            - !Ref AWS::NoValue
       Topics:
         - !Ref Topic
   Bucket:
diff --git a/docs/stack.md b/docs/stack.md
@@ -32,6 +32,8 @@ The Observe stack provisions the following components:
 | `ConfigDeliveryBucketName` | String | If AWS Config is already enabled in this account and region, provide the S3 bucket snapshots are written to. |
 | `IncludeResourceTypes` | CommaDelimitedList | If AWS Config is not enabled in this account and region, provide a list of resource types to collect. Use a wildcard to collect all supported resource types. |
 | `ExcludeResourceTypes` | CommaDelimitedList | Exclude a subset of resource types from configuration collection. This parameter can only be set if IncludeResourceTypes is wildcarded. |
+| `OrgId` | String | Optional AWS Organizations ID. If set, adds an AllowAWSConfigFromOrg statement on the SNS topic that allows publishes by aws:PrincipalOrgID. Useful for AWS Control Tower integrations. |
+| `SourceAccounts` | CommaDelimitedList | List of AWS account IDs allowed to publish to the SNS topic via AWS Config. Useful for sub-accounts in AWS Organizations and Control Tower integrations. The current account ID is automatically included when this list is non-empty. |
 | `LogGroupNamePatterns` | CommaDelimitedList | Comma separated list of patterns. If not empty, the lambda function will only apply to log groups that have names that match one of the provided strings based on a case-sensitive substring search. |
 | `LogGroupNamePrefixes` | CommaDelimitedList | Comma separated list of prefixes. If not empty, the lambda function will only apply to log groups that start with a provided string. |
 | `ExcludeLogGroupNamePatterns` | CommaDelimitedList | Comma separated list of patterns. This paramter is used to filter out log groups from subscription, and supports the use of regular expressions. |
