feat: Added OrgId and SourceAccounts to SNS topic policy

Added OrgId and SourceAccounts to SNS topic policy

Author: obs-gh-justindaines

DEVELOPER.md

@@ -278,6 +278,8 @@ make test-integration-metricstream
 make test-integration-simple
 make test-integration-stack
 make test-integration-stack_including_metricspollerrole
+make test-integration-stack_with_org_id
+make test-integration-stack_with_source_accounts
 ```
 
 ### Debugging

apps/stack/template.yaml

@@ -31,6 +31,8 @@ Metadata:
           - ConfigDeliveryBucketName
           - IncludeResourceTypes
           - ExcludeResourceTypes
+          - OrgId
+          - SourceAccounts
       - Label:
           default: CloudWatch Logs
         Parameters:
@@ -215,6 +217,23 @@ Parameters:
       OpenTelemetry endpoint to send additional telemetry to.
     Default: ''
     AllowedPattern: "^(http(s)?:\/\/.*)?$"
+  OrgId:
+    Type: String
+    Description: >-
+      Optional AWS Organizations ID. If set, adds an AllowAWSConfigFromOrg
+      statement on the SNS topic that allows publishes by aws:PrincipalOrgID.
+      Useful for AWS Control Tower integrations.
+    Default: ''
+    AllowedPattern: '^(o-[a-z0-9]{10,32})?$'
+  SourceAccounts:
+    Type: CommaDelimitedList
+    Description: >-
+      List of AWS account IDs allowed to publish to the SNS topic via
+      AWS Config. Useful for sub-accounts in AWS Organizations and
+      Control Tower integrations. The current account ID is automatically
+      included when this list is non-empty.
+    Default: ''
+    AllowedPattern: '^\d*$'
 
 Conditions:
   EmptyConfigDeliveryBucketName: !Equals
@@ -269,6 +288,16 @@ Conditions:
     - !Equals
       - !Ref ObserveAwsAccountId
       - ""
+  HasOrgId: !Not
+    - !Equals
+      - !Ref OrgId
+      - ""
+  HasSourceAccounts: !Not
+    - !Equals
+      - !Join
+        - ','
+        - !Ref SourceAccounts
+      - ''
 Resources:
   Topic:
     Type: "AWS::SNS::Topic"
@@ -307,6 +336,40 @@ Resources:
               - "sns:Publish"
             Resource:
               - !Ref Topic
+          - !If
+            - HasOrgId
+            - Sid: "AllowAWSConfigFromOrg"
+              Effect: "Allow"
+              Principal:
+                Service:
+                  - "config.amazonaws.com"
+              Action:
+                - "SNS:Publish"
+              Resource:
+                - !Ref Topic
+              Condition:
+                StringEquals:
+                  "aws:PrincipalOrgID": !Ref OrgId
+            - !Ref AWS::NoValue
+          - !If
+            - HasSourceAccounts
+            - Sid: "AllowAWSConfigFromSourceAccounts"
+              Effect: "Allow"
+              Principal:
+                Service:
+                  - "config.amazonaws.com"
+              Action:
+                - "SNS:Publish"
+              Resource:
+                - !Ref Topic
+              Condition:
+                StringEquals:
+                  "AWS:SourceAccount": !Split
+                    - ','
+                    - !Sub
+                      - '${Accounts},${AWS::AccountId}'
+                      - Accounts: !Join [',', !Ref SourceAccounts]
+            - !Ref AWS::NoValue
       Topics:
         - !Ref Topic
   Bucket:

docs/stack.md

@@ -32,6 +32,8 @@ The Observe stack provisions the following components:
 | `ConfigDeliveryBucketName` | String | If AWS Config is already enabled in this account and region, provide the S3 bucket snapshots are written to. |
 | `IncludeResourceTypes` | CommaDelimitedList | If AWS Config is not enabled in this account and region, provide a list of resource types to collect. Use a wildcard to collect all supported resource types. |
 | `ExcludeResourceTypes` | CommaDelimitedList | Exclude a subset of resource types from configuration collection. This parameter can only be set if IncludeResourceTypes is wildcarded. |
+| `OrgId` | String | Optional AWS Organizations ID. If set, adds an AllowAWSConfigFromOrg statement on the SNS topic that allows publishes by aws:PrincipalOrgID. Useful for AWS Control Tower integrations. |
+| `SourceAccounts` | CommaDelimitedList | List of AWS account IDs allowed to publish to the SNS topic via AWS Config. Useful for sub-accounts in AWS Organizations and Control Tower integrations. The current account ID is automatically included when this list is non-empty. |
 | `LogGroupNamePatterns` | CommaDelimitedList | Comma separated list of patterns. If not empty, the lambda function will only apply to log groups that have names that match one of the provided strings based on a case-sensitive substring search. |
 | `LogGroupNamePrefixes` | CommaDelimitedList | Comma separated list of prefixes. If not empty, the lambda function will only apply to log groups that start with a provided string. |
 | `ExcludeLogGroupNamePatterns` | CommaDelimitedList | Comma separated list of patterns. This paramter is used to filter out log groups from subscription, and supports the use of regular expressions. |

integration/modules/get_org_id/main.tf

@@ -0,0 +1,4 @@
+data "aws_organizations_organization" "current" {}
+
+data "aws_caller_identity" "current" {}
+

integration/tests/stack_with_org_id.tftest.hcl

@@ -0,0 +1,221 @@
+variables {
+  install_policy_json = <<-EOF
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": [
+          "cloudformation:CreateChangeSet",
+          "cloudformation:CreateStack",
+          "cloudformation:DeleteChangeSet",
+          "cloudformation:DeleteStack",
+          "cloudformation:DescribeStacks",
+          "cloudwatch:DeleteMetricStream",
+          "cloudwatch:GetMetricStream",
+          "cloudwatch:PutMetricStream",
+          "cloudwatch:TagResource",
+          "config:DeleteConfigurationRecorder",
+          "config:DeleteDeliveryChannel",
+          "config:DescribeConfigurationRecorderStatus",
+          "config:DescribeConfigurationRecorders",
+          "config:DescribeDeliveryChannelStatus",
+          "config:DescribeDeliveryChannels",
+          "config:PutConfigurationRecorder",
+          "config:PutDeliveryChannel",
+          "config:StartConfigurationRecorder",
+          "config:StopConfigurationRecorder",
+          "ec2:DescribeNetworkInterfaces",
+          "events:DeleteRule",
+          "events:DescribeRule",
+          "events:PutRule",
+          "events:PutTargets",
+          "events:RemoveTargets",
+          "firehose:CreateDeliveryStream",
+          "firehose:DeleteDeliveryStream",
+          "firehose:DescribeDeliveryStream",
+          "firehose:ListTagsForDeliveryStream",
+          "firehose:TagDeliveryStream",
+          "firehose:UpdateDestination",
+          "iam:AttachRolePolicy",
+          "iam:CreateRole",
+          "iam:DeleteRole",
+          "iam:DeleteRolePolicy",
+          "iam:DetachRolePolicy",
+          "iam:GetRole",
+          "iam:GetRolePolicy",
+          "iam:ListAttachedRolePolicies",
+          "iam:ListRolePolicies",
+          "iam:PassRole",
+          "iam:PutRolePolicy",
+          "iam:TagRole",
+          "iam:UpdateRole",
+          "kms:CreateGrant",
+          "kms:Decrypt",
+          "kms:DescribeKey",
+          "kms:Encrypt",
+          "kms:ListGrants",
+          "kms:RevokeGrant",
+          "lambda:CreateEventSourceMapping",
+          "lambda:CreateFunction",
+          "lambda:DeleteEventSourceMapping",
+          "lambda:DeleteFunction",
+          "lambda:GetEventSourceMapping",
+          "lambda:GetFunction",
+          "lambda:GetFunctionCodeSigningConfig",
+          "lambda:GetRuntimeManagementConfig",
+          "lambda:InvokeFunction",
+          "lambda:ListEventSourceMappings",
+          "lambda:ListTags",
+          "lambda:TagResource",
+          "lambda:UntagResource",
+          "lambda:UpdateEventSourceMapping",
+          "lambda:UpdateFunctionCode",
+          "lambda:UpdateFunctionConfiguration",
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:DeleteLogGroup",
+          "logs:DeleteLogStream",
+          "logs:DeleteSubscriptionFilter",
+          "logs:DescribeLogGroups",
+          "logs:DescribeSubscriptionFilters",
+          "logs:ListTagsForResource",
+          "logs:PutRetentionPolicy",
+          "logs:PutSubscriptionFilter",
+          "logs:TagResource",
+          "logs:UntagResource",
+          "s3:CreateBucket",
+          "s3:DeleteBucket",
+          "s3:GetBucketNotification",
+          "s3:GetLifecycleConfiguration",
+          "s3:GetObject",
+          "s3:ListBucket",
+          "s3:PutBucketNotification",
+          "s3:PutBucketTagging",
+          "s3:PutLifecycleConfiguration",
+          "scheduler:CreateSchedule",
+          "scheduler:DeleteSchedule",
+          "scheduler:GetSchedule",
+          "scheduler:UpdateSchedule",
+          "sns:CreateTopic",
+          "sns:DeleteTopic",
+          "sns:GetTopicAttributes",
+          "sns:ListTopics",
+          "sns:Publish",
+          "sns:SetTopicAttributes",
+          "sns:Subscribe",
+          "sns:TagResource",
+          "sns:Unsubscribe",
+          "sqs:CreateQueue",
+          "sqs:DeleteQueue",
+          "sqs:GetQueueAttributes",
+          "sqs:GetQueueUrl",
+          "sqs:PurgeQueue",
+          "sqs:SetQueueAttributes",
+          "sqs:TagQueue",
+          "sqs:UntagQueue"
+        ],
+        "Resource": "*"
+      },
+      {
+        "Effect": "Allow",
+        "Action": [
+          "s3:GetObject"
+        ],
+        "Resource": [
+          "arn:aws:s3:::observeinc/cloudwatchmetrics/filters/*"
+        ]
+      }
+    ]
+  }
+EOF
+}
+
+run "setup" {
+  module {
+    source  = "observeinc/collection/aws//modules/testing/setup"
+    version = "2.9.0"
+  }
+  variables {
+    id_length = 51
+  }
+}
+
+run "create_bucket" {
+  module {
+    source  = "observeinc/collection/aws//modules/testing/s3_bucket"
+    version = "2.9.0"
+  }
+  variables {
+    setup = run.setup
+  }
+}
+
+# Get the organization ID for testing
+run "get_org_id" {
+  module {
+    source = "./modules/get_org_id"
+  }
+}
+
+run "install_with_org_id" {
+  variables {
+    setup = run.setup
+    app   = "stack"
+    parameters = {
+      DataAccessPointArn       = run.create_bucket.access_point.arn
+      DestinationUri           = "s3://${run.create_bucket.access_point.alias}/"
+      ConfigDeliveryBucketName = "example-bucket"
+      SourceBucketNames        = "*"
+      LogGroupNamePatterns     = "*"
+      OrgId                    = run.get_org_id.org_id
+      NameOverride             = run.setup.id
+    }
+    capabilities = [
+      "CAPABILITY_NAMED_IAM",
+      "CAPABILITY_AUTO_EXPAND",
+    ]
+  }
+}
+
+run "verify_org_id_policy" {
+  module {
+    source  = "observeinc/collection/aws//modules/testing/exec"
+    version = "2.9.0"
+  }
+
+  variables {
+    command = "./scripts/check_sns_topic_policy"
+    env_vars = {
+      TOPIC_ARN       = run.install_with_org_id.stack.outputs["TopicArn"]
+      EXPECTED_ORG_ID = run.get_org_id.org_id
+      CHECK_TYPE      = "org_id"
+    }
+  }
+
+  assert {
+    condition     = output.exitcode == 0
+    error_message = "SNS topic policy does not contain expected OrgId condition"
+  }
+}
+
+run "check_sqs" {
+  module {
+    source  = "observeinc/collection/aws//modules/testing/exec"
+    version = "2.9.0"
+  }
+
+  variables {
+    command = "./scripts/check_object_diff"
+    env_vars = {
+      SOURCE      = run.install_with_org_id.stack.outputs["BucketName"]
+      DESTINATION = run.create_bucket.id
+    }
+  }
+
+  assert {
+    condition     = output.exitcode == 0
+    error_message = "Failed to copy object using SQS"
+  }
+}
+