@kun432
Created October 15, 2021 06:40
YAML for the Cloud Optix CloudFormation stack
---
AWSTemplateFormatVersion: '2010-09-09'
Description: Template to create AWS resources for onboarding an account with Sophos Optix
# ExternalId and CustomerId come from the Sophos Optix UI.
Parameters:
  ExternalId:
    Type: String
    Description: Enter the External ID from the Sophos Optix UI CFN onboarding
  CustomerId:
    Type: String
    Description: Enter your customer ID from the Sophos Optix UI CFN onboarding
  OptixResourceKey:
    Type: String
    Default: "created_by"
    Description: Script will tag all resources created by Optix with this key
  OptixResourceValue:
    Type: String
    Default: "optix"
    Description: Script will tag all resources created by Optix with this value
  SophosOptixAccountId:
    Type: String
    Default: "195990147830"
Resources:
  # Create IAM Role for Optix and its policy
  OptixRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: Sophos-Optix-Role
      Tags:
        - Key: !Ref OptixResourceKey
          Value: !Ref OptixResourceValue
      # Cross-account trust: only the Sophos Optix account may assume this role,
      # and only when it presents the ExternalId issued in the Optix UI.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action: "sts:AssumeRole"
            Principal:
              AWS: !Ref SophosOptixAccountId
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/SecurityAudit"
      # Extra read permissions not covered by the SecurityAudit managed policy
      Policies:
        - PolicyName: 'Sophos-Optix-read-policy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              Effect: Allow
              Action:
                - elasticfilesystem:DescribeMountTargetSecurityGroups
                - elasticfilesystem:DescribeMountTargets
                - sns:ListSubscriptions
                - s3:GetAccountPublicAccessBlock
                - ce:GetCostAndUsage
                - ce:GetCostForecast
                - ce:GetUsageForecast
                - eks:List*
                - detective:ListGraphs
                - ec2:SearchTransitGatewayRoutes
                - ec2:GetTransitGatewayRouteTableAssociations
                - support:DescribeTrustedAdvisorCheckResult
                - support:RefreshTrustedAdvisorCheck
              Resource: '*'
  # Create Lambda Execution role for the dynamically discovered resources
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: "Sophos-Optix-Lambda-Execution-Role"
      Tags:
        - Key: !Ref OptixResourceKey
          Value: !Ref OptixResourceValue
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: 'Sophos-Optix-Lambda-Execution-policy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Scoped to the single onboarding function in this account
              - Effect: Allow
                Action:
                  - lambda:CreateFunction
                  - lambda:AddPermission
                  - lambda:DeleteFunction
                  - lambda:RemovePermission
                Resource: [!Sub "arn:aws:lambda:*:${AWS::AccountId}:function:OptixAccountOnboardingLambda"]
  # Onboarding Lambda; its code is fetched from a Sophos-owned regional bucket
  OptixAccountOnboardingCreationV2:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: "OptixAccountOnboardingLambda"
      Code:
        S3Bucket: !Join ["", ["sophos-optix-deploy-", !Ref 'AWS::Region']]
        S3Key: 'regionResourcesLambdaMiniv2.zip'
      Handler: "regionResourcesLambdaMiniv2.lambda_handler"
      Runtime: 'python3.8'
      Timeout: 900
      Role: !GetAtt LambdaExecutionRole.Arn
      Tags:
        - Key: !Ref OptixResourceKey
          Value: !Ref OptixResourceValue
      Environment:
        Variables:
          CloudTrailRegion: !Ref "AWS::Region"
          ACCOUNT_ID: !Ref 'AWS::AccountId'
          CUSTOMER_ID: !Ref CustomerId
          ExternalId: !Ref ExternalId
          AssumeRoleArn: !GetAtt 'OptixRole.Arn'
          OptixDomain: 'https://optix.sophos.com'
          FriendlyName: !Join ["", ["CloudOptixStack", '-', !Ref 'AWS::AccountId']]
  # Custom resource that invokes the Lambda above during stack create/delete
  OptixAccountOnboardingV2:
    Type: Custom::OptixAccountOnboardingV2
    Properties:
      ServiceToken: !GetAtt OptixAccountOnboardingCreationV2.Arn
Outputs:
  ExternalId:
    Description: The External Id to be used for account onboarding
    Value: !Ref ExternalId
  RoleArn:
    Description: The Role ARN for the Cloud Optix role
    Value: !GetAtt 'OptixRole.Arn'
  AccountId:
    Description: The Account Id to be used for account onboarding
    Value: !Ref 'AWS::AccountId'
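A defender-side check for the trust policy above, added here as an example and not part of the gist or of Sophos's tooling: it takes OptixRole's AssumeRolePolicyDocument as CloudFormation renders it once the parameters are resolved (the embedded document is a constructed sample with a placeholder ExternalId) and confirms that every statement allowing sts:AssumeRole trusts only the expected Sophos Optix account and is gated by the StringEquals sts:ExternalId condition, the confused-deputy guard the template relies on. Function names are this example's own.

```python
import copy

# Constructed sample: OptixRole's AssumeRolePolicyDocument as CloudFormation
# renders it once the !Ref parameters are resolved. The account ID is the
# template's SophosOptixAccountId default; the ExternalId is a placeholder.
TRUST_POLICY_OK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"AWS": "195990147830"},
        "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}},
    }],
}


def _as_list(value):
    # IAM accepts a scalar wherever it accepts a list; normalise to a list.
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def check_trust_policy(doc, expected_account):
    """Return findings for a trust policy; empty means it passes. Every Allow
    sts:AssumeRole statement must name only expected_account (bare ID or :root
    ARN) and carry StringEquals on sts:ExternalId (confused-deputy guard)."""
    allowed = {expected_account, f"arn:aws:iam::{expected_account}:root"}
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(st.get("Action"))):
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            if p not in allowed:
                findings.append(f"statement {i}: unexpected principal {p!r}")
        if not st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            findings.append(f"statement {i}: missing StringEquals sts:ExternalId condition")
    return findings


def weakened_policy():
    # Constructed negative case: the same policy with the ExternalId condition dropped.
    doc = copy.deepcopy(TRUST_POLICY_OK)
    del doc["Statement"][0]["Condition"]
    return doc
```

Run it against `aws iam get-role --role-name Sophos-Optix-Role` output (the `AssumeRolePolicyDocument` field) to verify the deployed role matches what the template promised.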