Added Config solution (#201)

* adding abi config module

* updated config enabled regions param

* param fixes

* outputs  fixes

* adding kms key outputs

* updated param description

* added sns fanout update to the branch

* updated params

* updated main-ssm outputs

* updated documentation

---------

Co-authored-by: ievgeniia ieromenko <ieviero@amazon.com>

Author: IevIe

README.md

@@ -133,6 +133,7 @@ _Note: The `Quick Setup` is not designed to be used with the `Easy Setup` proced
 | [Account Alternate Contacts](aws_sra_examples/solutions/account/account_alternate_contacts)           | Sets the billing, operations, and security alternate contacts for all accounts within the organization.                                                                                                                                                                                                                                                         |                                                                                                              |                                                                                                                                                                                                                                |
 | [CloudTrail](aws_sra_examples/solutions/cloudtrail/cloudtrail_org)                                    | Organization trail with defaults set to configure data events (e.g. S3 and Lambda) to avoid duplicating the Control Tower configured CloudTrail. Options for configuring management events.                                                                                                                                                                     | CloudTrail enabled in each account with management events only.                                              |                                                                                                                                                                                                                                                                   |
 | [Config Management Account](aws_sra_examples/solutions/config/config_management_account)              | Enables AWS Config in the Management account to allow resource compliance monitoring.                                                                                                                                                                                                                                                                           | Configures AWS Config in all accounts except for the Management account in each governed region.             | <ul><li>AWS Control Tower</li></ul>                                                                                                                                                                                                                               |
+| [Config Organization](aws_sra_examples/solutions/config/config_org) | Configures AWS Config in all accounts in each governed region. Deploys an Organization Config Aggregator to a delegated admin account. **This solution is incompatible with the AWS Control Tower environment**.                                                                                                                                                                                                                                                                  |                                                                                                              | <ul><li>AWS Organization</li><li>[Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)</li> |
 | [Config Organization Conformance Pack](aws_sra_examples/solutions/config/config_conformance_pack_org) | Deploys a conformance pack to all accounts and provided regions within an organization.                                                                                                                                                                                                                                                                         |                                                                                                              | <ul><li>[Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)</li><li>[Config Management Account](aws_sra_examples/solutions/config/config_management_account)</li></ul> |
 | [Config Organization Aggregator](aws_sra_examples/solutions/config/config_aggregator_org)             | **Not required for most Control Tower environments.** Deploy an Organization Config Aggregator to a delegated admin other than the Audit account.                                                                                                                                                                                                               | Organization Config Aggregator in the Management account and Account Config Aggregator in the Audit account. | <ul><li>AWS Control Tower</li><li>[Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)</li></ul>                                                                                                  |
 | [EC2 Default EBS Encryption](aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption)               | Configures the EC2 default EBS encryption to use the default KMS key within all provided regions.                                                                                                                                                                                                                                                               |                                                                                                              |                                                                                                                                                                                                                                |

aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml

@@ -45,6 +45,7 @@ Metadata:
         Parameters:
           - pDeployAccountAlternateContactsSolution
           - pDeployCloudTrailSolution
+          - pDeployConfigSolution
           - pDeployConfigManagementSolution
           - pDeployConfigConformancePackSolution
           - pDeployEC2DefaultEBSEncryptionSolution
@@ -88,6 +89,26 @@ Metadata:
           - pCloudTrailLogGroupRetention
           - pCreateCloudTrailLogGroup
           - pOrganizationCloudTrailKeyAlias
+      - Label:
+          default: AWS Config Solution (This solution is incompatible with the AWS Control Tower environment)
+        Parameters:
+          - pCommonPrerequisitesRegionsOnly
+          - pConfigEnabledRegions
+          - pRecorderName
+          - pAllSupported
+          - pIncludeGlobalResourceTypes
+          - pResourceTypes
+          - pDeliveryChannelName
+          - pConfigOrgDeliveryBucketPrefix
+          - pConfigOrgDeliveryKeyAlias
+          - pFrequency
+          - pConfigTopicName
+          - pSubscribeToConfigurationTopic
+          - pConfigurationEmail
+          - pConfigOrgSnsKeyAlias
+          - pAggregatorName
+          - pAggregatorRoleName
+          - pRegisterDelegatedAdminAccount
       - Label:
           default: AWS Config Management Solution
         Parameters:
@@ -298,6 +319,8 @@ Metadata:
         default: Deploy the CloudTrail Solution
       pDeployConfigConformancePackSolution:
         default: Deploy the AWS Config Conformance Pack Solution
+      pDeployConfigSolution:
+        default: Deploy the AWS Config Solution (This solution is incompatible with the AWS Control Tower environment)
       pDeployConfigManagementSolution:
         default: Deploy the AWS Config Management Solution
       pDeployEC2DefaultEBSEncryptionSolution:
@@ -437,6 +460,33 @@ Metadata:
       pVpcId:
         default: (Optional) Existing VPC ID
 
+      pCommonPrerequisitesRegionsOnly:
+        default: Common Prerequisites Regions Only
+      pConfigEnabledRegions:
+        default: (Optional) Enabled Regions
+      pRecorderName:
+        default: Recorder Name
+      pDeliveryChannelName:
+        default: Delivery Channel Name
+      pConfigOrgDeliveryBucketPrefix:
+        default: Config Delivery Bucket Prefix
+      pConfigOrgDeliveryKeyAlias:
+        default: Config Delivery KMS Key Alias
+      pConfigTopicName:
+        default: Config SNS Topic Name
+      pSubscribeToConfigurationTopic:
+        default: Subscribe to Configuration Topic
+      pConfigurationEmail:
+        default: Configuration Email
+      pConfigOrgSnsKeyAlias:
+        default: Config SNS KMS Key Alias
+      pAggregatorName:
+        default: Config Aggregator Name
+      pAggregatorRoleName:
+        default: Config Aggregator Role Name
+      pRegisterDelegatedAdminAccount:
+        default: Register Delegated Admin Account
+
 Parameters:
   pRepoURL:
     Default: https://github.com/aws-samples/aws-security-reference-architecture-examples.git
@@ -735,6 +785,11 @@ Parameters:
     Default: 'No'
     Description: Deploy the AWS Config Conformance Pack solution
     Type: String
+  pDeployConfigSolution:
+    AllowedValues: ['Yes', 'No']
+    Default: 'No'
+    Description: Deploy the AWS Config solution (This solution is incompatible with the AWS Control Tower environment)
+    Type: String
   pDeployConfigManagementSolution:
     AllowedValues: ['Yes', 'No', 'Already Deployed']
     Default: 'No'
@@ -1072,7 +1127,7 @@ Parameters:
     Description: You can require that IAM user passwords contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).
     Type: String
   pResourceTypes:
-    AllowedPattern: '^$|^([a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+)$|^(([a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+(,|, ))*[a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+)$'
+    AllowedPattern: '^$|^([0-9a-zA-Z]+::[0-9a-zA-Z]+::[0-9a-zA-Z]+)$|^(([0-9a-zA-Z]+::[0-9a-zA-Z]+::[0-9a-zA-Z]+(,|, ))*[0-9a-zA-Z]+::[0-9a-zA-Z]+::[0-9a-zA-Z]+)$'
     Default: ''
     Description:
       (Optional) A list of valid AWS resource types to include in this recording group. Eg. AWS::CloudTrail::Trail. If 'All Supported' parameter is
@@ -1136,6 +1191,82 @@ Parameters:
     Description: (Optional) Existing VPC ID for the Firewall Manager Security Groups. Required if Create VPC For Security Group is "false".
     Type: String
 
+  pCommonPrerequisitesRegionsOnly:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Only enable in the customer regions specified in Common Prerequisites solution
+    Type: String
+  pRecorderName:
+    AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
+    ConstraintDescription:
+      Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names.
+    Default: sra-ConfigRecorder
+    Description: Config recorder name
+    Type: String
+  pDeliveryChannelName:
+    AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
+    ConstraintDescription:
+      Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names.
+    Default: sra-config-s3-delivery
+    Description: Config delivery channel name
+    Type: String
+  pConfigOrgDeliveryBucketPrefix:
+    AllowedPattern: '^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$'
+    ConstraintDescription:
+      S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
+    Default: sra-config-org-delivery
+    Description:
+      Config Delivery S3 bucket prefix. The account and region will get added to the end. e.g. sra-config-delivery-123456789012-us-east-1
+    Type: String
+  pConfigOrgDeliveryKeyAlias:
+    Default: sra-config-org-delivery-key
+    Description: Config Delivery KMS Key Alias
+    Type: String
+  pConfigTopicName:
+    AllowedPattern: '^[\w+=,.@-]{1,64}$'
+    Default: sra-ConfigNotifications
+    Description: Configuration Notification SNS Topic in Audit Account that AWS Config delivers notifications to.
+    Type: String
+  pSubscribeToConfigurationTopic:
+    AllowedValues: [true, false]
+    Default: false
+    Description: Indicates whether ConfigurationEmail will be subscribed to the Configuration Notification SNS Topic.
+    Type: String
+  pConfigurationEmail:
+    AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$'
+    ConstraintDescription: Email Validation as per RFC2822 standards.
+    Description: Email for receiving all AWS configuration events
+    Default: ''
+    Type: 'String'
+  pConfigOrgSnsKeyAlias:
+    Default: sra-config-org-sns-key
+    Description: Config SNS KMS Key Alias
+    Type: String
+  pAggregatorName:
+    AllowedPattern: '^[\w\-]+'
+    ConstraintDescription: Max 256 alphanumeric characters.
+    Default: sra-config-aggregator-org
+    MaxLength: 256
+    MinLength: 1
+    Type: String
+  pAggregatorRoleName:
+    AllowedPattern: '^[\w+=,.@-]{1,64}$'
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -].
+    Default: sra-config-aggregator-org
+    Type: String
+  pRegisterDelegatedAdminAccount:
+    AllowedValues: ['Yes', 'No']
+    Default: 'Yes'
+    Description: Register a delegated administrator account using the Common Register Delegated Administrator solution.
+    Type: String
+  pConfigEnabledRegions:
+    AllowedPattern: '^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$'
+    ConstraintDescription:
+      Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g.
+      us-east-1,ap-southeast-2)
+    Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions.
+    Type: String
+
 Rules:
   BillingContactValidation:
     RuleCondition: !And
@@ -1156,6 +1287,7 @@ Rules:
       - Assert: !Or
           - !Equals [!Ref pDeployConfigManagementSolution, 'Yes']
           - !Equals [!Ref pDeployConfigManagementSolution, 'Already Deployed']
+          - !Equals [!Ref pDeployConfigSolution, 'Yes']
         AssertDescription:
           "'Deploy the AWS Config Management Solution' parameter must be set to 'Yes' or 'Already Deployed', if the 'Deploy the AWS Config Conformance
           Pack Solution' parameter is set to 'Yes'."
@@ -1165,6 +1297,7 @@ Rules:
       - Assert: !Or
           - !Equals [!Ref pDeployConfigManagementSolution, 'Yes']
           - !Equals [!Ref pDeployConfigManagementSolution, 'Already Deployed']
+          - !Equals [!Ref pDeployConfigSolution, 'Yes']
         AssertDescription:
           "'Deploy the AWS Config Management Solution' parameter must be set to 'Yes' or 'Already Deployed', if the 'Deploy the Security Hub Solution'
           parameter is set to 'Yes'."
@@ -1194,6 +1327,16 @@ Rules:
         AssertDescription:
           "'Security Full Name', 'Security Title', 'Security Email' and 'Security Phone' parameters are required if the 'Security Alternate Contact
           Action' parameter is set to 'add'."
+  EnabledRegionValidation:
+    RuleCondition: !Equals [!Ref pCommonPrerequisitesRegionsOnly, 'false']
+    Assertions:
+      - Assert: !Not [!Equals [!Ref pConfigEnabledRegions, '']]
+        AssertDescription: "'Enabled Regions' parameter has to have a value if 'Common Prerequisites Regions Only' parameter is set to 'false'."
+  ResourceTypesValidation:
+    RuleCondition: !Equals [!Ref pAllSupported, 'false']
+    Assertions:
+      - AssertDescription: "'Resource Types' parameter is required if 'All Supported' parameter is set to 'false'."
+        Assert: !Not [!Equals [!Ref pResourceTypes, '']]
 
 Conditions:
   cUsingKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']]
@@ -1214,12 +1357,14 @@ Conditions:
   cCreateLambdaLogGroup: !Equals [!Ref pCreateLambdaLogGroup, 'Yes']
   cDeployAccountAlternateContactsSolution: !Equals [!Ref pDeployAccountAlternateContactsSolution, 'Yes']
   cDeployCloudTrailSolution: !Equals [!Ref pDeployCloudTrailSolution, 'Yes']
+  cDeployConfigSolution: !Equals [!Ref pDeployConfigSolution, 'Yes']
   cDeployConfigManagementSolution: !Equals [!Ref pDeployConfigManagementSolution, 'Yes']
   cDeployConfigManagementSolutionAlreadyDeployed: !Equals [!Ref pDeployConfigManagementSolution, 'Already Deployed']
   cDeployConfigConformancePackSolution: !And
     - !Or
       - !Condition cDeployConfigManagementSolution
       - !Condition cDeployConfigManagementSolutionAlreadyDeployed
+      - !Condition cDeployConfigSolution
     - !Equals [!Ref pDeployConfigConformancePackSolution, 'Yes']
   cDeployDetectiveSolution: !Equals [!Ref pDeployDetectiveSolution, 'Yes']
   cDeployEC2DefaultEBSEncryptionSolution: !Equals [!Ref pDeployEC2DefaultEBSEncryptionSolution, 'Yes']
@@ -2083,3 +2228,34 @@ Resources:
         pLambdaLogLevel: !Ref pLambdaLogLevel
         pSRAAlarmEmail: !Ref pSRAAlarmEmail
         pComplianceFrequency: !Ref pComplianceFrequency
+
+  rConfigSolutionStack:
+    Type: AWS::CloudFormation::Stack
+    DependsOn: rCommonPrerequisitesMainSsm
+    Condition: cDeployConfigSolution
+    DeletionPolicy: Delete
+    UpdateReplacePolicy: Delete
+    Properties:
+      TemplateURL: !Sub https://${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-config-org/templates/sra-config-org-main-ssm.yaml
+      Parameters:
+        pControlTowerRegionsOnly: !Ref pCommonPrerequisitesRegionsOnly
+        pEnabledRegions: !Ref pConfigEnabledRegions
+        pRecorderName: !Ref pRecorderName
+        pDeliveryChannelName: !Ref pDeliveryChannelName
+        pConfigOrgDeliveryBucketPrefix: !Ref pConfigOrgDeliveryBucketPrefix
+        pConfigOrgDeliveryKeyAlias: !Ref pConfigOrgDeliveryKeyAlias
+        pConfigTopicName: !Ref pConfigTopicName
+        pSubscribeToConfigurationTopic: !Ref pSubscribeToConfigurationTopic
+        pConfigurationEmail: !Ref pConfigurationEmail
+        pConfigOrgSnsKeyAlias: !Ref pConfigOrgSnsKeyAlias
+        pAggregatorName: !Ref pAggregatorName
+        pAggregatorRoleName: !Ref pAggregatorRoleName
+        pRegisterDelegatedAdminAccount: !Ref pRegisterDelegatedAdminAccount
+        pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey
+        pLambdaLogLevel: !Ref pLambdaLogLevel
+        pSRAAlarmEmail: !Ref pSRAAlarmEmail
+        pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention
+        pFrequency: !Ref pFrequency
+        pAllSupported: !Ref pAllSupported
+        pIncludeGlobalResourceTypes: !Ref pIncludeGlobalResourceTypes
+        pResourceTypes: !Ref pResourceTypes