aws-samples / aws-iam-access-key-auto-rotation

This set of CloudFormation templates and Python scripts sets up an auto-rotation function that rotates your AWS IAM user access keys every 90 days.
MIT No Attribution

Stackset Challenges #4

Closed skaminskitx closed 2 years ago

skaminskitx commented 3 years ago

This has been very helpful and worked well on my test with a single account.

When Deploying as a stackset for an Org, the current template tries to create a bucket for each of the accounts based on the CSVBucketName parameter. The first stack that gets created works fine but subsequent accounts fail as the bucket name is not unique now that it exists in the first account.

I was able to work around this by replacing the call to !Ref CSVBucketName with the following: !Join [ "-", [!Ref CSVBucketName, !Ref AWS::AccountId]]

Additionally, a bucket policy needs to be added to the bucket used in the S3BucketName parameter to allow the accounts in the org to GetObject and List Object.

I now need to sort out the SES outbound from all the accounts for the notification. Any way that could come from a single account?
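The two fixes described in the comment above, as an added example that is not from the issue or the repository: a CloudFormation template in which the CSV bucket name is suffixed with the account ID (so each StackSet instance gets a globally unique name) and a bucket policy that grants GetObject and ListBucket only to principals inside the Organization. The OrganizationId parameter, the resource names and the attachment of the policy to the CSV bucket are assumptions; the same statement, attached in the owning account, is the shape the shared S3BucketName bucket needs so that member accounts can read it.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not the project's template): per-account CSV bucket with an
  account-ID suffix, plus a bucket policy that lets other accounts in the
  same Organization read it.
Parameters:
  CSVBucketName:
    Type: String
    Description: Base name; the account ID is appended so StackSet instances do not collide.
  OrganizationId:
    Type: String
    Description: Assumed parameter (o-xxxxxxxxxx); limits cross-account reads to this Organization.
    AllowedPattern: "^o-[a-z0-9]{10,32}$"
Resources:
  CSVBucket:
    Type: AWS::S3::Bucket
    Properties:
      # S3 bucket names are global, so a fixed CSVBucketName fails in the second
      # account a StackSet deploys to; appending the account ID makes it unique.
      BucketName: !Join ["-", [!Ref CSVBucketName, !Ref AWS::AccountId]]
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
  CSVBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref CSVBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Principal "*" is safe only because of the aws:PrincipalOrgID
          # condition: any caller outside the Organization is refused.
          - Sid: AllowOrgRead
            Effect: Allow
            Principal: "*"
            Action:
              - s3:GetObject
              - s3:ListBucket
            Resource:
              - !GetAtt CSVBucket.Arn
              - !Sub "${CSVBucket.Arn}/*"
            Condition:
              StringEquals:
                aws:PrincipalOrgID: !Ref OrganizationId
          # Rotated-key reports are sensitive; refuse plaintext HTTP outright.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !GetAtt CSVBucket.Arn
              - !Sub "${CSVBucket.Arn}/*"
            Condition:
              Bool:
                aws:SecureTransport: "false"
```

ListBucket is evaluated against the bucket ARN and GetObject against the object ARNs, which is why both resources appear in the Allow statement; granting only the object ARN would make listing fail even though reads succeed.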

aws-laura commented 2 years ago

Hello @skaminskitx, thank you for your feedback. We just released v2 that features a completely rearchitected design to ensure the solution scales better.

We have extrapolated the code into 2 main components:

  1. StackSet -- Assumed Role Template
  2. Stack -- Centralized Rotation Solution Template

This will allow us to deploy permissioning to all AWS accounts within an AWS Organization while keeping the core logic, rotation mechanism, and notification functions in one location.

Question Follow-up:

Please try out the new version and reach out with any questions/issues!
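The "StackSet -- Assumed Role" half of the two-component design described above, as an added example that is not the project's template: the role a StackSet would put into every member account so that a rotation function in one central account can assume it. The central account ID, the role names and the exact permission set are assumptions; the point is that the trust policy admits only the central rotation role (not the whole central account) and that the permissions stop at access-key operations.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not the project's template): the member-account role that a
  StackSet deploys so a centralized rotation function can assume it.
  Parameter and role names are assumptions.
Parameters:
  CentralAccountId:
    Type: String
    AllowedPattern: "^[0-9]{12}$"
    Description: Account that hosts the centralized rotation stack.
  CentralRotationRoleName:
    Type: String
    Default: IAMKeyRotationLambdaRole
    Description: Assumed name of the execution role of the central rotation function.
  MemberRoleName:
    Type: String
    Default: IAMKeyRotationMemberRole
    Description: Fixed name so the central function can build the role ARN for any account ID.
Resources:
  RotationMemberRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref MemberRoleName
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            # Trust the central account, but narrow it to the rotation role:
            # without the condition, every principal in that account could assume this.
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${CentralAccountId}:root"
            Condition:
              ArnEquals:
                aws:PrincipalArn: !Sub "arn:${AWS::Partition}:iam::${CentralAccountId}:role/${CentralRotationRoleName}"
      Policies:
        - PolicyName: AccessKeyRotation
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Read-only inventory of users and key age/last-use.
              - Sid: InventoryKeys
                Effect: Allow
                Action:
                  - iam:ListUsers
                  - iam:ListAccessKeys
                  - iam:GetAccessKeyLastUsed
                Resource: "*"
              # Create / deactivate / delete keys, scoped to IAM users in this account.
              # No iam:*Policy* or iam:CreateUser actions, so a compromised central
              # function cannot escalate beyond key rotation here.
              - Sid: RotateKeys
                Effect: Allow
                Action:
                  - iam:CreateAccessKey
                  - iam:UpdateAccessKey
                  - iam:DeleteAccessKey
                Resource: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*"
```

Because the member role has a fixed name, the central function only needs the list of account IDs to construct arn:aws:iam::ACCOUNT:role/IAMKeyRotationMemberRole for each one; the SES sending and any other notification logic then stays in the central account, which is the single-account outbound the first comment was asking about.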