Replacing config recorder custom role with service-linked role.

Author: boueya

aws_sra_examples/solutions/config/config_management_account/lambda/src/app.py

@@ -20,7 +20,6 @@
 from crhelper import CfnResource
 
 if TYPE_CHECKING:
-    from mypy_boto3_iam.client import IAMClient
     from aws_lambda_typing.context import Context
     from aws_lambda_typing.events import CloudFormationCustomResourceEvent
     from mypy_boto3_config.client import ConfigServiceClient
@@ -190,29 +189,6 @@ def process_event(event: CloudFormationCustomResourceEvent, context: Context) ->
     return f"{params['AUDIT_ACCOUNT_ID']}-{params['AGGREGATOR_NAME']}"
 
 
-def create_service_linked_role(
-    service_linked_role_name: str,
-    service_name: str,
-    description: str = "",
-    iam_client: IAMClient = None,
-) -> None:
-    """Create the service linked role, if it does not exist.
-
-    Args:
-        service_linked_role_name: Service Linked Role Name
-        service_name: AWS Service Name
-        description: Description
-        iam_client: IAMClient
-    """
-    if not iam_client:
-        iam_client = boto3.client("iam")
-    try:
-        response = iam_client.get_role(RoleName=service_linked_role_name)
-        api_call_details = {"API_Call": "iam:GetRole", "API_Response": response}
-        LOGGER.info(api_call_details)
-    except iam_client.exceptions.NoSuchEntityException:
-        iam_client.create_service_linked_role(AWSServiceName=service_name, Description=description)
-
 def lambda_handler(event: CloudFormationCustomResourceEvent, context: Context) -> None:
     """Lambda Handler.
 
@@ -225,11 +201,6 @@ def lambda_handler(event: CloudFormationCustomResourceEvent, context: Context) -
 
     """
     try:
-        create_service_linked_role(
-            "AWSServiceRoleForConfig",
-            "config.amazonaws.com",
-            "A service-linked role required for AWS Config" 
-        )
         helper(event, context)
     except Exception:
         LOGGER.exception("Unexpected!")

aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-role.yaml

@@ -17,21 +17,13 @@ Metadata:
         Parameters:
           - pSRASolutionTagKey
           - pSRASolutionName
-          - pManagedResourcePrefix
     ParameterLabels:
-      pManagedResourcePrefix:
-        default: Managed Resource Prefix
       pSRASolutionName:
         default: SRA Solution Name
       pSRASolutionTagKey:
         default: SRA Solution Tag Key
 
 Parameters:
-  pManagedResourcePrefix:
-    AllowedValues: [aws-controltower]
-    Default: aws-controltower
-    Description: Prefix for the managed resources
-    Type: String
   pSRASolutionName:
     AllowedValues: [sra-config-management-account]
     Default: sra-config-management-account
@@ -44,31 +36,8 @@ Parameters:
     Type: String
 
 Resources:
-  rConfigRecorderRole:
-    Metadata:
-      cfn_nag:
-        rules_to_suppress:
-          - id: W28
-            reason: Explicit name provided
-    Type: AWS::IAM::Role
+  rConfigServiceLinkedRole:
+    Type: AWS::IAM::ServiceLinkedRole
     Properties:
-      RoleName: !Sub ${pManagedResourcePrefix}-ConfigRecorderRole
-      Description: Role for AWS Config Recorder
-      AssumeRolePolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          - Effect: Allow
-            Action: sts:AssumeRole
-            Principal:
-              Service:
-                - config.amazonaws.com
-      ManagedPolicyArns:
-        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWS_ConfigRole
-      Tags:
-        - Key: !Ref pSRASolutionTagKey
-          Value: !Ref pSRASolutionName
-
-Outputs:
-  oConfigRecorderRoleArn:
-    Description: Config Recorder Role ARN
-    Value: !GetAtt rConfigRecorderRole.Arn
+      AWSServiceName: config.amazonaws.com
+      Description: A service-linked role for the ConfigRecorder.