feat: add sub domain and cert to org formation (#786)

Signed-off-by: hxtree <[email protected]>

.devcontainer/.aws/config

@@ -1,3 +1,19 @@
+[default]
+region = us-east-2
+output = json
+
+; IAM Accounts -- use for OrgFormation
+; 1. create IAM credentials for Administrator AWS account
+; https://docs.aws.amazon.com/cli/latest/userguide/cli-authentication-user.html
+; 2. set IAM credentials in local config:
+; aws config --profile Administrator
+[profile Administrator]
+region = us-east-2
+output = json
+
+; SSO Accounts -- use for cdk:deploy, etc.
+; to use profile with `rush sso` define accounts as parameter
+; common/config/rush/command-line.json
 [profile ManagementAccount]
 sso_start_url = https://ouxsoft.awsapps.com/start
 sso_region = us-east-2
@@ -24,7 +40,3 @@ sso_role_name = AdministratorAccess
 region = us-east-2
 output = json
 credential_process = aws-sso-credential-process --profile tools
-
-[default]
-region = us-east-2
-output = json

platform/aws-org-formation/README.md

@@ -3,6 +3,11 @@
 The AWS Organization is initialized, managed, and synced using
 [AWS Organization Formation](https://github.com/org-formation/org-formation-cli).
 
+## Domain Registration
+
+Domain registration is done manually via Route 53. Populate domainName. Delete
+any hostedZone in master account as org formation will create one.
+
 ## Getting Started
 
 1. Login to the AWS Management Console. Go to Org Formations and create an Org.

platform/aws-org-formation/bin/organization-tasks.yml

@@ -0,0 +1,22 @@
+OrganizationUpdate:
+  Type: update-organization
+  Template: ./organization.yml
+
+SubDomains:
+  Type: update-stacks
+  Template: ./templates/subdomains.yml
+  StackName: SubDomains
+  Parameters:
+    rootHostedZoneName: nekosgate.com
+  MaxConcurrentStacks: 10
+  FailedStackTolerance: 10
+
+WildCardCerts:
+  Type: update-stacks
+  Template: ./templates/wildcard-certs.yml
+  StackName: WildCardCerts
+  Parameters:
+    rootHostedZoneName: nekosgate.com
+    resourcePrefix: orgformation
+  MaxConcurrentStacks: 10
+  FailedStackTolerance: 10

platform/aws-org-formation/bin/organization.yml

@@ -2,10 +2,11 @@ AWSTemplateFormatVersion: '2010-09-09-OC'
 Description: default template generated for organization with master account 124653296725
 
 Organization:
-  ManagementAccount:
+
+  MasterAccount:
     Type: OC::ORG::MasterAccount
     Properties:
-      AccountName: Matt Heroux
+      AccountName: root
       AccountId: '124653296725'
       RootEmail: [email protected]
 
@@ -17,21 +18,25 @@ Organization:
         - !Ref DenyChangeOfOrgRoleSCP
         - !Ref RestrictUnusedRegionsSCP
 
-  SandboxAccount:
+  ToolsAccount:
     Type: OC::ORG::Account
     Properties:
       AccountName: tools
       AccountId: '760440398296'
-      RootEmail: matthew.heroux+1@gmail.com
+      RootEmail: matthew.heroux+tools@gmail.com
       Alias: tools-1
+      Tags:
+        subdomain: tools
 
   SandboxAccount:
     Type: OC::ORG::Account
     Properties:
-      AccountName: Sandbox
+      AccountName: sandbox
       AccountId: '298217020330'
-      RootEmail: [email protected]
-      Alias: dev-1
+      RootEmail: [email protected]
+      # Alias: sandbox-1
+      Tags:
+        subdomain: sandbox
 
   RestrictUnusedRegionsSCP:
     Type: OC::ORG::ServiceControlPolicy

platform/aws-org-formation/bin/sync.sh

@@ -1,3 +1,4 @@
 #!/bin/bash
 
 org-formation update organization.yml --profile=Administrator
+org-formation perform-tasks organization-tasks.yml --profile=Administrator

platform/aws-org-formation/bin/templates/subdomains.yml

@@ -0,0 +1,86 @@
+AWSTemplateFormatVersion: '2010-09-09-OC'
+
+# Include file that contains Organization Section.
+# The Organization Section describes Accounts, Organizational Units, etc.
+Organization: !Include ../organization.yml
+
+# Any Binding that does not explicitly specify a region will default to this.
+# Value can be either string or list
+DefaultOrganizationBindingRegion: us-east-2
+
+Parameters:
+  resourcePrefix:
+    Type: String
+    Default: my
+
+  rootHostedZoneName:
+    Type: String
+
+# Section contains a named set of Bindings.
+# Bindings determine what resources are deployed where
+# These bindings can be !Ref'd from the Resources in the resource section
+OrganizationBindings:
+
+  # binding for HostedZone, HostedZoneIdParam, HostedZoneNameParam
+  HostedZoneBinding:
+    AccountsWithTag: subdomain
+
+  # binding for RootHostedZone, ParentNsRecord
+  RootHostedZoneBinding:
+    IncludeMasterAccount: true
+
+Resources:
+
+  #=========================================#
+  # Zone
+  #=========================================#
+
+  HostedZone:
+    Type: AWS::Route53::HostedZone
+    OrganizationBinding: !Ref HostedZoneBinding
+    Properties:
+      HostedZoneConfig:
+        Comment: Domain Hosted Zone
+      Name: !Sub '${AWSAccount.Tags.subdomain}.${rootHostedZoneName}.'
+
+  HostedZoneIdParam:
+    Type: AWS::SSM::Parameter
+    OrganizationBinding: !Ref HostedZoneBinding
+    Properties:
+      Name: !Sub '${resourcePrefix}-domains-hosted-zone-id'
+      Type: String
+      Value: !GetAtt AWSAccount.Resources.HostedZone
+
+  HostedZoneNameParam:
+    Type: AWS::SSM::Parameter
+    OrganizationBinding: !Ref HostedZoneBinding
+    Properties:
+      Name: !Sub '${resourcePrefix}-domains-hosted-zone-name'
+      Type: String
+      Value: !Sub '${AWSAccount.Tags.subdomain}.${rootHostedZoneName}.'
+
+  #=========================================#
+  # Parent Record
+  #=========================================#
+
+  RootHostedZone:
+    Type: AWS::Route53::HostedZone
+    OrganizationBinding: !Ref RootHostedZoneBinding
+    Properties:
+      HostedZoneConfig:
+        Comment: Root domain
+      Name: !Ref rootHostedZoneName
+
+  # be aware that changing the logicalName for a AWS::Route53::RecordSet resource
+  # might result in an error. workaround is to remove the resource and then add it.
+  ParentNsRecord:
+    DependsOn: RootHostedZone
+    Type: AWS::Route53::RecordSet
+    OrganizationBinding: !Ref RootHostedZoneBinding
+    ForeachAccount: !Ref HostedZoneBinding
+    Properties:
+      Type: NS
+      HostedZoneName: !Sub '${rootHostedZoneName}.'
+      Name: !Sub '${CurrentAccount.Tags.subdomain}.${rootHostedZoneName}.'
+      TTL: 86400
+      ResourceRecords: !GetAtt CurrentAccount.Resources.HostedZone.NameServers

platform/aws-org-formation/bin/templates/wildcard-certs.yml

@@ -0,0 +1,42 @@
+AWSTemplateFormatVersion: '2010-09-09-OC'
+
+Organization: !Include ../organization.yml
+
+OrganizationBindings:
+
+  CertificateBinding:
+    Region:
+      - us-east-2
+    AccountsWithTag: subdomain
+
+Parameters:
+
+  resourcePrefix:
+    Type: String
+
+  rootHostedZoneName:
+    Type: String
+
+Resources:
+
+  LocalCert1:
+    Type: AWS::CertificateManager::Certificate
+    OrganizationBinding: !Ref CertificateBinding
+    Properties:
+      DomainName: !Sub '*.${AWSAccount.Tags.subdomain}.${rootHostedZoneName}'
+      SubjectAlternativeNames:
+        - !Sub '${AWSAccount.Tags.subdomain}.${rootHostedZoneName}'
+      ValidationMethod: DNS
+      DomainValidationOptions:
+        - DomainName: !Sub '${AWSAccount.Tags.subdomain}.${rootHostedZoneName}'
+          ValidationDomain: !Ref rootHostedZoneName
+        - DomainName: !Sub '*.${AWSAccount.Tags.subdomain}.${rootHostedZoneName}'
+          ValidationDomain: !Ref rootHostedZoneName
+
+  LocalCert1ArnParam:
+    Type: AWS::SSM::Parameter
+    OrganizationBinding: !Ref CertificateBinding
+    Properties:
+      Name: !Sub '${resourcePrefix}-certs-wildcard-cert1-arn'
+      Type: String
+      Value: !Ref LocalCert1