Create CloudFormation code that provisions service link IAM role

mozilla / guardduty-multi-account-manager

Automate the AWS GuardDuty account invitation lifecycle for all of your organizations AWS accounts in all regions as well as aggregate and normalize the GuardDuty findings

Mozilla Public License 2.0

65 stars 14 forks source link

Create CloudFormation code that provisions service link IAM role #4

Closed gene1wood closed 5 years ago

gene1wood commented 5 years ago

Let's put this in the role cloudformation stack that grants role assumption rights. Set it to remain if the stack every gets deleted.

gene1wood commented 5 years ago

So in order to conditionally create the service linked role (because it could exist already) we'd need to use either

2 nested stacks, the parent that runs lambda to find out if the role exists and the child that creates the role conditionally on the parents output (how we did it with mozdef)
with a custom resource and lambda function

I'm thinking the latter