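# SAM template: a scheduled/event-driven Lambda that maps the IAM role ARNs
# created by AWS SSO (IAM Identity Center) permission sets to predictable
# Parameter Store names under ParameterStorePrefix.
#
# Quoted so a YAML 1.1 parser does not turn the version into a date value.
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: >
  Creates and maps IAM role Arns created by SSO to predictable names in AWS Parameter store

Parameters:
  ParameterStorePrefix:
    Type: String
    Description: Prefix for the parameters in parameter store
    # Also bounds the ssm:PutParameter/DeleteParameter grant below, so it
    # should be as specific as possible and end with "/".
    Default: /attini/aws-sso-role-names/
  S3Bucket:
    Type: String
    Description: Name of S3 bucket containing packaged code
    Default: attini-artifacts-us-east-1
  S3BucketKey:
    Type: String
    Description: Packaged code
    # Placeholder substituted by the packaging step.
    Default: __S3_KEY__
  Schedule:
    Type: String
    Description: Cron/Rate Expression https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule-schedule.html
    # Quoted: the value contains "*" and "?", which are YAML indicators.
    Default: 'cron(0 0 1 * ? *)'

Resources:
  # Periodic full reconciliation ("Sync") of the role-name parameters.
  TriggerOnSchedule:
    Type: AWS::Events::Rule
    Properties:
      Description: Triggers on schedule
      ScheduleExpression: !Ref Schedule
      Targets:
        - Arn: !GetAtt DistributeSSORoles.Arn
          Id: DistributeSSORoles
          Input: '{"ExecutionType": "Sync"}'

  # Near-real-time update when SSO creates or deletes a permission-set role.
  # NOTE(review): IAM is a global service; its CloudTrail API events reach
  # EventBridge in us-east-1, so this rule is expected to fire only when the
  # stack is deployed there — confirm for your deployment region.
  TriggerOnEvent:
    Type: AWS::Events::Rule
    Properties:
      Description: Triggers on the creation/deletion of an SSO PermissionSet role
      EventPattern: |
        {
          "source": [
            "aws.iam"
          ],
          "detail-type": [
            "AWS API Call via CloudTrail"
          ],
          "detail": {
            "eventSource": [
              "iam.amazonaws.com"
            ],
            "userAgent": [
              "sso.amazonaws.com"
            ],
            "eventName": [
              "CreateRole",
              "DeleteRole"
            ]
          }
        }
      Targets:
        - Arn: !GetAtt DistributeSSORoles.Arn
          Id: DistributeSSORoles

  # Invoke permissions are scoped with SourceArn to the two rules above, so
  # no other EventBridge rule in the account can invoke the function.
  TriggerLambda:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt DistributeSSORoles.Arn
      Principal: events.amazonaws.com
      SourceArn: !GetAtt TriggerOnSchedule.Arn

  TriggerLambdaOnEvent:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt DistributeSSORoles.Arn
      Principal: events.amazonaws.com
      SourceArn: !GetAtt TriggerOnEvent.Arn

  # Explicit log group so retention is bounded instead of the default
  # "never expire" of an auto-created group.
  DistributeSSORolesLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub
        - /aws/lambda/${LambdaName}
        - { LambdaName: !Ref DistributeSSORoles }
      RetentionInDays: 90

  DistributeSSORoles:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Zip
      CodeUri:
        Bucket: !Ref S3Bucket
        Key: !Ref S3BucketKey
      Description: This lambda maps IAM role names created by SSO to simple names in AWS Parameter store.
      # Custom runtime: the bootstrap binary in the package is the entry point.
      Handler: not.used.in.provided.runtime
      MemorySize: 512
      # NOTE(review): "provided" is the Amazon Linux 1 custom runtime, which
      # AWS has deprecated in favour of provided.al2/provided.al2023; moving
      # requires rebuilding the bootstrap for the new base image, so it is
      # left unchanged here.
      Runtime: provided
      Timeout: 900
      Environment:
        Variables:
          PARAMETER_STORE_PREFIX: !Ref ParameterStorePrefix
          # Lambda environment values are strings; quoted so no YAML parser
          # retypes it to a boolean before CloudFormation sees it.
          DISABLE_SIGNAL_HANDLERS: "true"
      Policies:
        Statement:
          # Write/delete only under the configured prefix.
          - Effect: Allow
            Action:
              - ssm:PutParameter
              - ssm:DeleteParameter
              - ssm:DeleteParameters
            Resource: !Sub arn:aws:ssm:*:${AWS::AccountId}:parameter${ParameterStorePrefix}*
          # Read access: the public region list plus the account's own
          # parameters. NOTE(review): the second resource is broader than the
          # prefix used for writes; if the function only lists under
          # ParameterStorePrefix it can be narrowed to the same pattern —
          # verify against the function code before tightening.
          - Effect: Allow
            Action:
              - ssm:GetParametersByPath
            Resource:
              - arn:aws:ssm:*::parameter/aws/service/global-infrastructure/regions
              - !Sub arn:aws:ssm:*:${AWS::AccountId}:parameter/*
          # iam:ListRoles does not support resource-level restrictions.
          - Effect: Allow
            Action:
              - iam:ListRoles
            Resource: "*"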