From 2df574f906d14a0c36e74cc8003edd726b5ea040 Mon Sep 17 00:00:00 2001
From: Chris Kalafarski
Date: Sun, 21 Apr 2024 21:21:23 -0400
Subject: [PATCH] Add org sink rules template and deploy action
---
 .../workflows/deploy-eventrules-org-sink.yml | 39 ++++++++++++
 event-rules/org-sink-rules/template.yml | 60 +++++++++++++++++++
 2 files changed, 99 insertions(+)
 create mode 100644 .github/workflows/deploy-eventrules-org-sink.yml
 create mode 100644 event-rules/org-sink-rules/template.yml
diff --git a/.github/workflows/deploy-eventrules-org-sink.yml b/.github/workflows/deploy-eventrules-org-sink.yml
new file mode 100644
index 000000000..4e17f5b82
--- /dev/null
+++ b/.github/workflows/deploy-eventrules-org-sink.yml
@@ -0,0 +1,39 @@
+name: Deploy org sink rules
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - event-rules/org-sink-rules/template.yml
+
+concurrency:
+  group: ${{ github.workflow }}
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-2
+          role-to-assume: arn:aws:iam::048723829744:role/PRX-GHA-AccessRole
+          role-session-name: gha-deploy-org-sink-rules
+
+      - name: Deploy to management account
+        working-directory: event-rules/org-sink-rules
+        run: |
+          aws cloudformation deploy \
+            --region us-east-2 \
+            --stack-name org-sink-event-rules \
+            --template-file template.yml \
+            --capabilities CAPABILITY_NAMED_IAM \
+            --no-fail-on-empty-changeset \
+            --role-arn arn:aws:iam::048723829744:role/PRX-GHA-ServiceRoleForCloudFormation
diff --git a/event-rules/org-sink-rules/template.yml b/event-rules/org-sink-rules/template.yml
new file mode 100644
index 000000000..280841eec
--- /dev/null
+++ b/event-rules/org-sink-rules/template.yml
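Review bot: Both actions in the `steps` block are pinned by major tag only (`actions/checkout@v4`, `aws-actions/configure-aws-credentials@v4`); since this job can mint an OIDC token and assume a role in the management account, a moved tag would hand that role to whatever code the tag then points at. Pin each to a full commit SHA and keep the tag as a trailing comment for readability, e.g. `- uses: actions/checkout@<full-commit-sha>  # v4`. Separately, `--capabilities CAPABILITY_NAMED_IAM` is broader than the template currently needs — it creates only `AWS::Events::Rule` resources and references existing roles by name — so it could be dropped until an IAM resource is added; if it is kept deliberately, a one-line comment saying so would help the next reader. The `paths` filter also omits the workflow file itself, so edits to this workflow will not redeploy until the template changes — presumably intended, but worth a comment on the `paths` entry.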
@@ -0,0 +1,60 @@
+AWSTemplateFormatVersion: "2010-09-09"
+
+Resources:
+  CloudWatchAlarmStateChangeRule:
+    Type: AWS::Events::Rule
+    Properties:
+      EventPattern:
+        detail-type:
+          - CloudWatch Alarm State Change
+        source:
+          - aws.cloudwatch
+      State: ENABLED
+      Targets:
+        - Arn: arn:aws:events:us-east-2:578003269847:event-bus/CloudWatch-org-sink
+          Id: org-sink-alarm-state-change
+          RoleArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/PRX-CloudWatchOrgSinkRole
+
+  CloudFormationStateChangeRule:
+    Type: AWS::Events::Rule
+    Properties:
+      EventPattern:
+        detail-type:
+          - CloudFormation Resource Status Change
+          - CloudFormation Stack Status Change
+        source:
+          - aws.cloudformation
+      State: ENABLED
+      Targets:
+        - Arn: arn:aws:events:us-east-2:578003269847:event-bus/CloudFormation-org-sink
+          Id: org-sink-cfn-state-change
+          RoleArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/PRX-CloudFormationOrgSinkRole
+
+  CloudTrailRootActivityRule:
+    Type: AWS::Events::Rule
+    Properties:
+      EventPattern:
+        detail:
+          userIdentity:
+            type:
+              - Root
+        detail-type:
+          - AWS API Call via CloudTrail
+          - AWS Console Sign In via CloudTrail
+      State: ENABLED
+      Targets:
+        - Arn: arn:aws:events:us-east-2:578003269847:event-bus/CloudTrail-org-sink
+          Id: org-sink-trail-root-activity
+          RoleArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/PRX-CloudTrailOrgSinkRole
+
+  SlackMessageRule:
+    Type: AWS::Events::Rule
+    Properties:
+      EventPattern:
+        detail-type:
+          - Slack Message Relay Message Payload
+      State: ENABLED
+      Targets:
+        - Arn: arn:aws:events:us-east-2:578003269847:event-bus/SlackMessageRelay-org-sink
+          Id: org-sink-slack-message-payload
+          RoleArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/PRX-SlackOrgSinkRole
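Review bot: The four `Targets` entries hard-code the partition in `arn:aws:events:...` while the `RoleArn` on the same target resolves it with `!Sub arn:${AWS::Partition}:...`; the two should agree, e.g. `- Arn: !Sub arn:${AWS::Partition}:events:us-east-2:578003269847:event-bus/CloudWatch-org-sink` (same change on the other three rules). The sink account ID and region are repeated in every target; a `Parameters` entry (say `SinkAccountId`) used via `!Sub` would make the forwarding destination visible in one place and reviewable on each deploy. Since EventBridge rules match only events in the region the rule is deployed to, and the workflow deploys this stack to us-east-2 only, `CloudTrailRootActivityRule` will not see root activity that lands in other regions (console sign-in events are, as far as I recall, delivered to us-east-1) — if full coverage is the goal, a StackSet or per-region deployment is needed, and a header comment stating the intended region scope would help either way.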