Account provisioning customizations

Author: ritsok

.gitignore

@@ -0,0 +1,245 @@
+### Linux ###
+*~
+
+# temporary files which can be created if a process still has a handle open of a deleted file
+.fuse_hidden*
+
+# KDE directory preferences
+.directory
+
+# Linux trash folder which might appear on any partition or disk
+.Trash-*
+
+# .nfs files are created when an open file is removed but is still being accessed
+.nfs*
+
+### macOS ###
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### Python ###
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+### Terraform ###
+.terraform.lock.hcl
+backend.tf
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+#
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+### Windows ###
+# Windows thumbnail cache files
+Thumbs.db
+Thumbs.db:encryptable
+ehthumbs.db
+ehthumbs_vista.db
+
+# Dump file
+*.stackdump
+
+# Folder config file
+[Dd]esktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk

README.md

@@ -0,0 +1,143 @@
+# Learn Terraform - Use Control Tower Account Factory for Terraform
+
+This is a companion repository for the [Provision and Manage Accounts with
+Control Tower Account Factory for Terraform
+tutorial](https://learn.hashicorp.com/tutorials/terraform/aws-control-tower-aft)
+tutorial on HashiCorp Learn.
+
+This repository contains boilerplate configuration for defining account
+provisioning customizations to use with the Account Factory for Terraform
+module. The README below and the template files in this repository were
+provided by AWS.
+
+To create your own state machine and step functions, replicate this repository
+and extend the Terraform configuration.
+
+## AFT Account Provisioning Customizations Customizations
+
+### Problem Statement
+
+AFT provides flexibility to customize the provisioning process for new accounts and integrate with systems prior to the account customization stage.
+
+While the customization stage does include integrations for pre- and post-
+customization steps, the Account Provisioning standard allows for further
+integration by using an AWS Step Functions State Machine to integrate with
+additional environments.
+
+Using this state machine integration, customers may define Account Provisioning
+Customizations steps as:
+
+* Lambda functions in the language of their choice
+* ECS or Fargate Tasks using docker containers
+* AWS Step Functions Activities using custom workers, hosted either in AWS or on-prem
+* Amazon SNS or SQS integrations to decoupled consumer-based applications
+
+### Example Payload
+
+```
+{
+  "account_request": {
+    "supported_regions": "",
+    "account_tags": {
+      "Key": "Value",
+    },
+    "custom_fields": "{}",
+    "id": "Account Email",
+    "control_tower_parameters": {
+      "SSOUserEmail": "",
+      "AccountEmail": "",
+      "SSOUserFirstName": "",
+      "SSOUserLastName": "",
+      "ManagedOrganizationalUnit": "Sandbox",
+      "AccountName": "sandbox03"
+    },
+    "customer_baselines": [],
+    "operation": "create"
+  },
+  "control_tower_event": {},
+  "validated": {
+    "Success": true
+  },
+  "account_info": {
+    "account": {
+      "id": "",
+      "type": "account",
+      "email": "",
+      "name": "sandbox03",
+      "method": "CREATED",
+      "joined_date": "2021-06-15 13:57:35.129000+00:00",
+      "status": "ACTIVE",
+      "parent_id": "",
+      "parent_type": "ORGANIZATIONAL_UNIT",
+      "org_name": "Sandbox",
+      "vendor": "aws"
+    }
+  },
+  "persist_metadata": {
+    "StatusCode": 200
+  },
+  "role": {
+    "Arn": "arn:aws:iam:::role/AWSAFTExecution"
+  },
+  "account_tags": {
+    "StatusCode": 200
+  }
+}
+```
+
+
+### Example Function
+
+##### Validate Request:
+
+Source location: `modules/account-provisioning-customizations/lambda/account-provisioning-customizations-validate-request/lambda_function.py`
+
+###### Description:
+
+Compares the incoming payload to the state machine against an expected
+jsonschema. Returns `True` if valid, raises an exception if not.
+
+Demonstrates the import of `aft_common` and customers can explore the `aft_utils` module for existing AFT integrations, such as role assumption or SSM parameter retrieval.
+
+```python
+import json
+import os
+import boto3
+import jsonschema
+import aft_common.aft_utils as utils
+from boto3.dynamodb.conditions import Key
+
+
+logger = utils.get_logger()
+
+
+def validate_request(payload, logger):
+    logger.info("Function Start - validate_request")
+    schema_path = os.path.join(os.path.dirname(__file__), "schema/request_schema.json")
+    with open(schema_path) as schema_file:
+        schema_object = json.load(schema_file)
+    logger.info("Schema Loaded:" + json.dumps(schema_object))
+    validated = jsonschema.validate(payload, schema_object)
+    if validated is None:
+        logger.info("Request Validated")
+        return True
+    else:
+        raise Exception("Failure validating request.\n{validated}")
+
+
+def lambda_handler(event, context):
+    logger.info("Account Provisioning Customizations Handler Start")
+
+    payload = event['payload']
+    action = event['action']
+
+    if action == "validate":
+        request_validated = validate_request(payload, logger)
+        return request_validated
+    else:
+        raise BaseException(
+            "Incorrect Command Passed to Lambda Function. Input: {action}. Expected: 'validate'"
+        )
+
+```
+