Updated Config Management Account solution to make AWS Control Tower optional (#181)

IevIe · ievgeniia ieromenko · web-flow · commit 95a3fe823de3 · 2023-10-07T09:05:15.000-04:00
Co-authored-by: ievgeniia ieromenko &lt;ieviero@amazon.com&gt;
diff --git a/aws_sra_examples/solutions/config/config_management_account/README.md b/aws_sra_examples/solutions/config/config_management_account/README.md
@@ -74,10 +74,10 @@ accounts/regions.
 
 ---
 
-### 2.0 Audit Account<!-- omit in toc -->
+### 2.0 Audit Account (Security Tooling)<!-- omit in toc -->
+
+The example solutions use `Audit Account` instead of `Security Tooling Account` to align with the default account name used within the AWS Control Tower setup process for the Security Account. The Account ID for the `Audit Account`  can be determined from the `SecurityAccountId` parameter within the `AWSControlTowerBP-BASELINE-CONFIG` StackSet in AWS Control Tower environments, but is specified manually in other environments, and then stored in an SSM parameter (this is all done in the common prerequisites solution).
 
-The example solutions use `Audit Account` instead of `Security Tooling Account` to align with the default account name used within the AWS Control Tower setup process for the Security Account. The Account ID for the `Audit Account` SSM parameter is
-populated from the `SecurityAccountId` parameter within the `AWSControlTowerBP-BASELINE-CONFIG` StackSet.
 
 #### 2.1 AWS Config Aggregator<!-- omit in toc -->
 
diff --git a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main-ssm.yaml b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main-ssm.yaml
@@ -25,6 +25,11 @@ Metadata:
           - pLogArchiveAccountId
           - pOrganizationId
           - pHomeRegion
+      - Label:
+          default: IAM Properties
+        Parameters:
+          - pStackSetAdminRole
+          - pStackExecutionRole
       - Label:
           default: Config Recorder Properties
         Parameters:
@@ -45,6 +50,10 @@ Metadata:
           - pLambdaLogGroupKmsKey
           - pLambdaLogLevel
     ParameterLabels:
+      pStackSetAdminRole:
+        default: Stack Set Role
+      pStackExecutionRole:
+        default: Stack execution role
       pAllSupported:
         default: All Supported
       pAuditAccountId:
@@ -81,6 +90,16 @@ Metadata:
         default: SRA Staging S3 Bucket Name
 
 Parameters:
+  pStackSetAdminRole:
+    AllowedValues: [sra-stackset]
+    Default: sra-stackset
+    Description: The administration role name that is used in the stackset.
+    Type: String
+  pStackExecutionRole:
+    AllowedValues: [sra-execution]
+    Default: sra-execution
+    Description: The execution role name that is used in the stack.
+    Type: String
   pAllSupported:
     AllowedValues: ['true', 'false']
     Default: 'true'
@@ -214,10 +233,10 @@ Resources:
     Type: AWS::CloudFormation::StackSet
     Properties:
       StackSetName: sra-config-management-account
-      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
       CallAs: SELF
       Description: !Sub ${pSRASolutionVersion} - Enables AWS Config in the Control Tower Management account.
-      ExecutionRoleName: AWSControlTowerExecution
+      ExecutionRoleName: !Ref pStackExecutionRole
       ManagedExecution:
         Active: true
       OperationPreferences:
diff --git a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main.yaml b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main.yaml
@@ -24,6 +24,11 @@ Metadata:
           - pLogArchiveAccountId
           - pOrganizationId
           - pHomeRegion
+      - Label:
+          default: IAM Properties
+        Parameters:
+          - pStackSetAdminRole
+          - pStackExecutionRole
       - Label:
           default: Config Recorder Properties
         Parameters:
@@ -44,6 +49,10 @@ Metadata:
           - pLambdaLogGroupKmsKey
           - pLambdaLogLevel
     ParameterLabels:
+      pStackSetAdminRole:
+        default: Stack Set Role
+      pStackExecutionRole:
+        default: Stack execution role
       pAllSupported:
         default: All Supported
       pAuditAccountId:
@@ -80,6 +89,16 @@ Metadata:
         default: SRA Staging S3 Bucket Name
 
 Parameters:
+  pStackSetAdminRole:
+    AllowedValues: [sra-stackset]
+    Default: sra-stackset
+    Description: The administration role name that is used in the stackset.
+    Type: String
+  pStackExecutionRole:
+    AllowedValues: [sra-execution]
+    Default: sra-execution
+    Description: The execution role name that is used in the stack.
+    Type: String
   pAllSupported:
     AllowedValues: ['true', 'false']
     Default: 'true'
@@ -204,10 +223,10 @@ Resources:
     Type: AWS::CloudFormation::StackSet
     Properties:
       StackSetName: sra-config-management-account
-      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
       CallAs: SELF
       Description: !Sub ${pSRASolutionVersion} - Enables AWS Config in the Control Tower Management account.
-      ExecutionRoleName: AWSControlTowerExecution
+      ExecutionRoleName: !Ref pStackExecutionRole
       ManagedExecution:
         Active: true
       OperationPreferences:
