def lambda_handler(event, _): sts = STS() role = sts.assume_cross_account_role( 'arn:aws:iam::{0}:role/{1}'.format(event["account_id"], event["cross_account_access_role"]), 'master_lambda') if event['is_deployment_account']: configure_master_account_parameters(event) configure_deployment_account_parameters(event, role) s3 = S3(region=REGION_DEFAULT, bucket=S3_BUCKET) for region in list( set([event["deployment_account_region"]] + event["regions"])): if not event["is_deployment_account"]: configure_generic_account(sts, event, region, role) cloudformation = CloudFormation( region=region, deployment_account_region=event["deployment_account_region"], role=role, wait=True, stack_name= None, # Stack name will be automatically defined based on event s3=s3, s3_key_path=event["full_path"], account_id=event["account_id"]) if is_inter_ou_account_move(event): cloudformation.delete_all_base_stacks(True) #override Wait cloudformation.create_stack() if region == event["deployment_account_region"]: cloudformation.create_iam_stack() return event
def main(): # pylint: disable=R0915 LOGGER.info("ADF Version %s", ADF_VERSION) LOGGER.info("ADF Log Level is %s", ADF_LOG_LEVEL) policies = OrganizationPolicy() config = Config() config.store_config() try: parameter_store = ParameterStore(REGION_DEFAULT, boto3) deployment_account_id = parameter_store.fetch_parameter( 'deployment_account_id') organizations = Organizations(role=boto3, account_id=deployment_account_id) policies.apply(organizations, parameter_store, config.config) sts = STS() deployment_account_role = prepare_deployment_account( sts=sts, deployment_account_id=deployment_account_id, config=config) cache = Cache() ou_id = organizations.get_parent_info().get("ou_parent_id") account_path = organizations.build_account_path(ou_id=ou_id, account_path=[], cache=cache) s3 = S3(region=REGION_DEFAULT, bucket=S3_BUCKET_NAME) kms_and_bucket_dict = {} # First Setup/Update the Deployment Account in all regions (KMS Key and # S3 Bucket + Parameter Store values) for region in list( set([config.deployment_account_region] + config.target_regions)): cloudformation = CloudFormation( region=region, deployment_account_region=config.deployment_account_region, role=deployment_account_role, wait=True, stack_name=None, s3=s3, s3_key_path="adf-bootstrap/" + account_path, account_id=deployment_account_id) cloudformation.create_stack() update_deployment_account_output_parameters( deployment_account_region=config.deployment_account_region, region=region, kms_and_bucket_dict=kms_and_bucket_dict, deployment_account_role=deployment_account_role, cloudformation=cloudformation) if region == config.deployment_account_region: cloudformation.create_iam_stack() # Updating the stack on the master account in deployment region cloudformation = CloudFormation( region=config.deployment_account_region, deployment_account_region=config.deployment_account_region, role=boto3, wait=True, stack_name=None, s3=s3, s3_key_path='adf-build', account_id=ACCOUNT_ID) cloudformation.create_stack() threads = [] account_ids = [ account_id["Id"] for account_id in organizations.get_accounts() ] for account_id in [ account for account in account_ids if account != deployment_account_id ]: thread = PropagatingThread(target=worker_thread, args=(account_id, sts, config, s3, cache, kms_and_bucket_dict)) thread.start() threads.append(thread) for thread in threads: thread.join() LOGGER.info("Executing Step Function on Deployment Account") step_functions = StepFunctions( role=deployment_account_role, deployment_account_id=deployment_account_id, deployment_account_region=config.deployment_account_region, regions=config.target_regions, account_ids=account_ids, update_pipelines_only=0) step_functions.execute_statemachine() except ParameterNotFoundError: LOGGER.info( 'A Deployment Account is ready to be bootstrapped! ' 'The Account provisioner will now kick into action, ' 'be sure to check out its progress in AWS Step Functions in this account.' ) return
def worker_thread(account_id, sts, config, s3, cache, updated_kms_bucket_dict): """ The Worker thread function that is created for each account in which CloudFormation create_stack is called """ LOGGER.debug("%s - Starting new worker thread", account_id) organizations = Organizations(role=boto3, account_id=account_id) ou_id = organizations.get_parent_info().get("ou_parent_id") account_state = is_account_in_invalid_state(ou_id, config.config) if account_state: LOGGER.info("%s %s", account_id, account_state) return account_path = organizations.build_account_path( ou_id, [], # Initial empty array to hold OU Path, cache) try: role = ensure_generic_account_can_be_setup(sts, config, account_id) # Regional base stacks can be updated after global for region in list( set([config.deployment_account_region] + config.target_regions)): # Ensuring the kms_arn and bucket_name on the target account is # up-to-date parameter_store = ParameterStore(region, role) parameter_store.put_parameter( 'kms_arn', updated_kms_bucket_dict[region]['kms']) parameter_store.put_parameter( 'bucket_name', updated_kms_bucket_dict[region]['s3_regional_bucket']) cloudformation = CloudFormation( region=region, deployment_account_region=config.deployment_account_region, role=role, wait=True, stack_name=None, s3=s3, s3_key_path="adf-bootstrap/" + account_path, account_id=account_id) try: cloudformation.create_stack() if region == config.deployment_account_region: cloudformation.create_iam_stack() except GenericAccountConfigureError as error: if 'Unable to fetch parameters' in str(error): LOGGER.error( '%s - Failed to update its base stack due to missing parameters ' '(deployment_account_id or kms_arn), ensure this account has been ' 'bootstrapped correctly by being moved from the root into an ' 'Organizational Unit within AWS Organizations.', account_id, ) raise Exception from error except GenericAccountConfigureError as generic_account_error: LOGGER.info(generic_account_error) return