adding mgmt account links/roles for oam

cyphronix · cyphronix · commit 8155e618c46f · 2024-10-17T11:46:59.000-06:00
diff --git a/aws_sra_examples/solutions/genai/bedrock_org/lambda/src/app.py b/aws_sra_examples/solutions/genai/bedrock_org/lambda/src/app.py
@@ -551,6 +551,34 @@ def create_event(event, context):
                         DRY_RUN_DATA[f"{filter}_CloudWatch"] = "DRY_RUN: Filter deploy parameter is 'false'; Skip CloudWatch metric filter deployment"
     
     # 5) Central CloudWatch Observability
+    # TODO(liamschn): determine if we need the CloudWatch-CrossAccountListAccountsRole (needed for "Enable account selector"?).
+        # TRUST
+        #     {
+        #     "Version": "2012-10-17",
+        #     "Statement": [
+        #         {
+        #             "Effect": "Allow",
+        #             "Principal": {
+        #                 "AWS": "arn:aws:iam::533267199951:root"
+        #             },
+        #             "Action": "sts:AssumeRole"
+        #         }
+        #     ]
+        # }
+        # PERMISSIONS
+        # {
+        #     "Version": "2012-10-17",
+        #     "Statement": [
+        #         {
+        #             "Action": [
+        #                 "organizations:ListAccounts",
+        #                 "organizations:ListAccountsForParent"
+        #             ],
+        #             "Resource": "*",
+        #             "Effect": "Allow"
+        #         }
+        #     ]
+        # }
     central_observability_params = json.loads(event["ResourceProperties"]["SRA-BEDROCK-CENTRAL-OBSERVABILITY"])
     # TODO(liamschn): create a parameter to choose to deploy central observability or not: deploy_central_observability = true/false
     # 5a) OAM Sink in security account
@@ -607,60 +635,63 @@ def create_event(event, context):
             LOGGER.info("CloudWatch observability access manager sink policy is correct")
     
     # 5c) OAM CloudWatch-CrossAccountSharingRole IAM role
+    # Add management account to the bedrock accounts list
+    central_observability_params["bedrock_accounts"].append(sts.MANAGEMENT_ACCOUNT)
     for bedrock_account in central_observability_params["bedrock_accounts"]:
-        iam.IAM_CLIENT = sts.assume_role(bedrock_account, sts.CONFIGURATION_ROLE, "iam", iam.get_iam_global_region())
-        cloudwatch.CROSS_ACCOUNT_TRUST_POLICY = CLOUDWATCH_OAM_TRUST_POLICY[cloudwatch.CROSS_ACCOUNT_ROLE_NAME]
-        cloudwatch.CROSS_ACCOUNT_TRUST_POLICY["Statement"][0]["Principal"]["AWS"] = \
-            cloudwatch.CROSS_ACCOUNT_TRUST_POLICY["Statement"][0]["Principal"]["AWS"].replace("<SECURITY_ACCOUNT>", SECURITY_ACCOUNT)
-        search_iam_role = iam.check_iam_role_exists(cloudwatch.CROSS_ACCOUNT_ROLE_NAME)
-        if search_iam_role[0] is False:
-            LOGGER.info(f"CloudWatch observability access manager cross-account role not found, creating {cloudwatch.CROSS_ACCOUNT_ROLE_NAME} IAM role...")
-            if DRY_RUN is False:
-                iam.create_role(cloudwatch.CROSS_ACCOUNT_ROLE_NAME, cloudwatch.CROSS_ACCOUNT_TRUST_POLICY, SOLUTION_NAME)
-                LIVE_RUN_DATA["OAMCrossAccountRoleCreate"] = f"Created {cloudwatch.CROSS_ACCOUNT_ROLE_NAME} IAM role"
-                CFN_RESPONSE_DATA["deployment_info"]["action_count"] += 1
-                CFN_RESPONSE_DATA["deployment_info"]["resources_deployed"] += 1
-                LOGGER.info(f"Created {cloudwatch.CROSS_ACCOUNT_ROLE_NAME} IAM role")
-            else:
-                DRY_RUN_DATA["OAMCrossAccountRoleCreate"] = f"DRY_RUN: Create {cloudwatch.CROSS_ACCOUNT_ROLE_NAME} IAM role"
-        else:
-            LOGGER.info(f"CloudWatch observability access manager cross-account role found: {cloudwatch.CROSS_ACCOUNT_ROLE_NAME}")
-        
-        # 5d) Attach managed policies to CloudWatch-CrossAccountSharingRole IAM role
-        cross_account_policies = [
-            "arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess",
-            "arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess",
-            "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess"
-        ]
-        for policy_arn in cross_account_policies:
-            search_attached_policies = iam.check_iam_policy_attached(cloudwatch.CROSS_ACCOUNT_ROLE_NAME, policy_arn)
-            if search_attached_policies is False:
-                LOGGER.info(f"Attaching {policy_arn} policy to {cloudwatch.CROSS_ACCOUNT_ROLE_NAME} IAM role...")
+        for bedrock_region in central_observability_params["regions"]:
+            iam.IAM_CLIENT = sts.assume_role(bedrock_account, sts.CONFIGURATION_ROLE, "iam", iam.get_iam_global_region())
+            cloudwatch.CROSS_ACCOUNT_TRUST_POLICY = CLOUDWATCH_OAM_TRUST_POLICY[cloudwatch.CROSS_ACCOUNT_ROLE_NAME]
+            cloudwatch.CROSS_ACCOUNT_TRUST_POLICY["Statement"][0]["Principal"]["AWS"] = \
+                cloudwatch.CROSS_ACCOUNT_TRUST_POLICY["Statement"][0]["Principal"]["AWS"].replace("<SECURITY_ACCOUNT>", SECURITY_ACCOUNT)
+            search_iam_role = iam.check_iam_role_exists(cloudwatch.CROSS_ACCOUNT_ROLE_NAME)
+            if search_iam_role[0] is False:
+                LOGGER.info(f"CloudWatch observability access manager cross-account role not found, creating {cloudwatch.CROSS_ACCOUNT_ROLE_NAME} IAM role...")
                 if DRY_RUN is False:
-                    iam.attach_policy(cloudwatch.CROSS_ACCOUNT_ROLE_NAME, policy_arn)
-                    LIVE_RUN_DATA["OAMCrossAccountRolePolicyAttach"] = f"Attached {policy_arn} policy to {cloudwatch.CROSS_ACCOUNT_ROLE_NAME} IAM role"
+                    iam.create_role(cloudwatch.CROSS_ACCOUNT_ROLE_NAME, cloudwatch.CROSS_ACCOUNT_TRUST_POLICY, SOLUTION_NAME)
+                    LIVE_RUN_DATA["OAMCrossAccountRoleCreate"] = f"Created {cloudwatch.CROSS_ACCOUNT_ROLE_NAME} IAM role"
                     CFN_RESPONSE_DATA["deployment_info"]["action_count"] += 1
-                    CFN_RESPONSE_DATA["deployment_info"]["configuration_changes"] += 1
-                    LOGGER.info(f"Attached {policy_arn} policy to {cloudwatch.CROSS_ACCOUNT_ROLE_NAME} IAM role")
+                    CFN_RESPONSE_DATA["deployment_info"]["resources_deployed"] += 1
+                    LOGGER.info(f"Created {cloudwatch.CROSS_ACCOUNT_ROLE_NAME} IAM role")
                 else:
-                    DRY_RUN_DATA["OAMCrossAccountRolePolicyAttach"] = f"DRY_RUN: Attach {policy_arn} policy to {cloudwatch.CROSS_ACCOUNT_ROLE_NAME} IAM role"
+                    DRY_RUN_DATA["OAMCrossAccountRoleCreate"] = f"DRY_RUN: Create {cloudwatch.CROSS_ACCOUNT_ROLE_NAME} IAM role"
+            else:
+                LOGGER.info(f"CloudWatch observability access manager cross-account role found: {cloudwatch.CROSS_ACCOUNT_ROLE_NAME}")
+            
+            # 5d) Attach managed policies to CloudWatch-CrossAccountSharingRole IAM role
+            cross_account_policies = [
+                "arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess",
+                "arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess",
+                "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess"
+            ]
+            for policy_arn in cross_account_policies:
+                search_attached_policies = iam.check_iam_policy_attached(cloudwatch.CROSS_ACCOUNT_ROLE_NAME, policy_arn)
+                if search_attached_policies is False:
+                    LOGGER.info(f"Attaching {policy_arn} policy to {cloudwatch.CROSS_ACCOUNT_ROLE_NAME} IAM role...")
+                    if DRY_RUN is False:
+                        iam.attach_policy(cloudwatch.CROSS_ACCOUNT_ROLE_NAME, policy_arn)
+                        LIVE_RUN_DATA["OAMCrossAccountRolePolicyAttach"] = f"Attached {policy_arn} policy to {cloudwatch.CROSS_ACCOUNT_ROLE_NAME} IAM role"
+                        CFN_RESPONSE_DATA["deployment_info"]["action_count"] += 1
+                        CFN_RESPONSE_DATA["deployment_info"]["configuration_changes"] += 1
+                        LOGGER.info(f"Attached {policy_arn} policy to {cloudwatch.CROSS_ACCOUNT_ROLE_NAME} IAM role")
+                    else:
+                        DRY_RUN_DATA["OAMCrossAccountRolePolicyAttach"] = f"DRY_RUN: Attach {policy_arn} policy to {cloudwatch.CROSS_ACCOUNT_ROLE_NAME} IAM role"
 
-        # 5d) OAM link
-        cloudwatch.CWOAM_CLIENT = sts.assume_role(bedrock_account, sts.CONFIGURATION_ROLE, "cloudwatch", region)
-        search_oam_link = cloudwatch.find_oam_link(oam_sink_arn)
-        if search_oam_link[0] is False:
-            if DRY_RUN is False:
-                LOGGER.info("CloudWatch observability access manager link not found, creating...")
-                cloudwatch.create_oam_link(oam_sink_arn)
-                LIVE_RUN_DATA["OAMLinkCreate"] = "Created CloudWatch observability access manager link"
-                CFN_RESPONSE_DATA["deployment_info"]["action_count"] += 1
-                CFN_RESPONSE_DATA["deployment_info"]["resources_deployed"] += 1
-                LOGGER.info("Created CloudWatch observability access manager link")
+            # 5d) OAM link in bedrock account
+            cloudwatch.CWOAM_CLIENT = sts.assume_role(bedrock_account, sts.CONFIGURATION_ROLE, "cloudwatch", bedrock_region)
+            search_oam_link = cloudwatch.find_oam_link(oam_sink_arn)
+            if search_oam_link[0] is False:
+                if DRY_RUN is False:
+                    LOGGER.info("CloudWatch observability access manager link not found, creating...")
+                    cloudwatch.create_oam_link(oam_sink_arn)
+                    LIVE_RUN_DATA["OAMLinkCreate"] = "Created CloudWatch observability access manager link"
+                    CFN_RESPONSE_DATA["deployment_info"]["action_count"] += 1
+                    CFN_RESPONSE_DATA["deployment_info"]["resources_deployed"] += 1
+                    LOGGER.info("Created CloudWatch observability access manager link")
+                else:
+                    LOGGER.info("DRY_RUN: CloudWatch observability access manager link not found, creating...")
+                    DRY_RUN_DATA["OAMLinkCreate"] = "DRY_RUN: Create CloudWatch observability access manager link"
             else:
-                LOGGER.info("DRY_RUN: CloudWatch observability access manager link not found, creating...")
-                DRY_RUN_DATA["OAMLinkCreate"] = "DRY_RUN: Create CloudWatch observability access manager link"
-        else:
-            LOGGER.info("CloudWatch observability access manager link found")
+                LOGGER.info("CloudWatch observability access manager link found")
 
     # End
     # TODO(liamschn): Consider the 256 KB limit for any cloudwatch log message
