Handism's Tech Blog

AWSTemplateFormatVersion: '2010-09-09'
Description: 'AWS Account Factory Architecture - Automated account provisioning with Service Catalog, Organizations, and StackSets'

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Portfolio Configuration
        Parameters:
          - PortfolioName
          - PortfolioDescription
      - Label:
          default: Account Baseline Configuration
        Parameters:
          - BaselineStackSetName
          - OrganizationId
      - Label:
          default: Tagging Configuration
        Parameters:
          - Environment
          - CostCenter

Parameters:
  PortfolioName:
    Type: String
    Default: 'Account Factory Portfolio'
    Description: Name of the Service Catalog portfolio

  PortfolioDescription:
    Type: String
    Default: 'Automated AWS account provisioning with baseline configurations'
    Description: Description of the Service Catalog portfolio

  BaselineStackSetName:
    Type: String
    Default: 'AccountBaseline'
    Description: Name of the StackSet for account baseline

  OrganizationId:
    Type: String
    Description: AWS Organization ID (e.g., o-xxxxxxxxxx)
    AllowedPattern: '^o-[a-z0-9]{10,32}$'

  Environment:
    Type: String
    Default: production
    AllowedValues:
      - development
      - staging
      - production
    Description: Environment type

  CostCenter:
    Type: String
    Default: 'IT'
    Description: Cost center for billing

Resources:
  # S3 Bucket for CloudFormation templates
  TemplateBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub 'account-factory-templates-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
      LifecycleConfiguration:
        Rules:
          - Id: DeleteOldVersions
            Status: Enabled
            NoncurrentVersionExpirationInDays: 90
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-templates'
        - Key: Environment
          Value: !Ref Environment

  TemplateBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref TemplateBucket
      PolicyDocument:
        Statement:
          - Sid: AllowServiceCatalogRead
            Effect: Allow
            Principal:
              Service: servicecatalog.amazonaws.com
            Action:
              - s3:GetObject
            Resource: !Sub '${TemplateBucket.Arn}/*'

  # DynamoDB table for account metadata
  AccountMetadataTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: !Sub '${AWS::StackName}-accounts'
      BillingMode: PAY_PER_REQUEST
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
      SSESpecification:
        SSEEnabled: true
      AttributeDefinitions:
        - AttributeName: AccountId
          AttributeType: S
        - AttributeName: AccountEmail
          AttributeType: S
      KeySchema:
        - AttributeName: AccountId
          KeyType: HASH
      GlobalSecondaryIndexes:
        - IndexName: EmailIndex
          KeySchema:
            - AttributeName: AccountEmail
              KeyType: HASH
          Projection:
            ProjectionType: ALL
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-metadata'
        - Key: Environment
          Value: !Ref Environment

  # SNS Topic for notifications
  AccountProvisioningTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Sub '${AWS::StackName}-notifications'
      DisplayName: Account Factory Notifications
      KmsMasterKeyId: alias/aws/sns
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-topic'
        - Key: Environment
          Value: !Ref Environment

  # CloudWatch Log Group
  AccountFactoryLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub '/aws/account-factory/${AWS::StackName}'
      RetentionInDays: 30
      KmsKeyId: !GetAtt LogEncryptionKey.Arn

  # KMS Key for CloudWatch Logs
  LogEncryptionKey:
    Type: AWS::KMS::Key
    Properties:
      Description: KMS key for Account Factory logs
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'
          - Sid: Allow CloudWatch Logs
            Effect: Allow
            Principal:
              Service: !Sub 'logs.${AWS::Region}.amazonaws.com'
            Action:
              - 'kms:Encrypt'
              - 'kms:Decrypt'
              - 'kms:ReEncrypt*'
              - 'kms:GenerateDataKey*'
              - 'kms:CreateGrant'
              - 'kms:DescribeKey'
            Resource: '*'
            Condition:
              ArnLike:
                'kms:EncryptionContext:aws:logs:arn': !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*'

  LogEncryptionKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub 'alias/${AWS::StackName}-logs'
      TargetKeyId: !Ref LogEncryptionKey

  # IAM Role for Lambda
  AccountProvisioningLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${AWS::StackName}-lambda-role'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: AccountFactoryPermissions
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - organizations:CreateAccount
                  - organizations:DescribeCreateAccountStatus
                  - organizations:DescribeAccount
                  - organizations:ListAccounts
                  - organizations:TagResource
                  - organizations:MoveAccount
                Resource: '*'
              - Effect: Allow
                Action:
                  - dynamodb:PutItem
                  - dynamodb:GetItem
                  - dynamodb:UpdateItem
                  - dynamodb:Query
                Resource:
                  - !GetAtt AccountMetadataTable.Arn
                  - !Sub '${AccountMetadataTable.Arn}/index/*'
              - Effect: Allow
                Action:
                  - sns:Publish
                Resource: !Ref AccountProvisioningTopic
              - Effect: Allow
                Action:
                  - cloudformation:CreateStackSet
                  - cloudformation:CreateStackInstances
                  - cloudformation:DescribeStackSet
                  - cloudformation:DescribeStackInstance
                Resource: !Sub 'arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stackset/${BaselineStackSetName}:*'
              - Effect: Allow
                Action:
                  - sts:AssumeRole
                Resource: !Sub 'arn:aws:iam::*:role/OrganizationAccountAccessRole'
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-lambda-role'

  # Lambda Function for account provisioning
  AccountProvisioningFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub '${AWS::StackName}-provisioning'
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt AccountProvisioningLambdaRole.Arn
      Timeout: 900
      MemorySize: 512
      Environment:
        Variables:
          METADATA_TABLE: !Ref AccountMetadataTable
          SNS_TOPIC_ARN: !Ref AccountProvisioningTopic
          ORGANIZATION_ID: !Ref OrganizationId
          STACKSET_NAME: !Ref BaselineStackSetName
      Code:
        ZipFile: |
          import json
          import boto3
          import os
          from datetime import datetime
          
          orgs = boto3.client('organizations')
          dynamodb = boto3.resource('dynamodb')
          sns = boto3.client('sns')
          
          def handler(event, context):
              print(f"Event: {json.dumps(event)}")
              
              table = dynamodb.Table(os.environ['METADATA_TABLE'])
              
              # Extract account details from event
              account_name = event.get('AccountName')
              account_email = event.get('AccountEmail')
              ou_id = event.get('OrganizationalUnitId', None)
              
              try:
                  # Create account
                  response = orgs.create_account(
                      Email=account_email,
                      AccountName=account_name
                  )
                  
                  request_id = response['CreateAccountStatus']['Id']
                  
                  # Store metadata
                  table.put_item(
                      Item={
                          'AccountId': request_id,
                          'AccountEmail': account_email,
                          'AccountName': account_name,
                          'Status': 'IN_PROGRESS',
                          'CreatedAt': datetime.utcnow().isoformat(),
                          'RequestId': request_id
                      }
                  )
                  
                  # Send notification
                  sns.publish(
                      TopicArn=os.environ['SNS_TOPIC_ARN'],
                      Subject='Account Provisioning Started',
                      Message=f'Account provisioning started for {account_name} ({account_email})'
                  )
                  
                  return {
                      'statusCode': 200,
                      'body': json.dumps({
                          'RequestId': request_id,
                          'Status': 'IN_PROGRESS'
                      })
                  }
                  
              except Exception as e:
                  print(f"Error: {str(e)}")
                  return {
                      'statusCode': 500,
                      'body': json.dumps({'error': str(e)})
                  }
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-provisioning'

  # Lambda Function for account status check
  AccountStatusCheckFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub '${AWS::StackName}-status-check'
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt AccountProvisioningLambdaRole.Arn
      Timeout: 300
      MemorySize: 256
      Environment:
        Variables:
          METADATA_TABLE: !Ref AccountMetadataTable
          SNS_TOPIC_ARN: !Ref AccountProvisioningTopic
      Code:
        ZipFile: |
          import json
          import boto3
          import os
          
          orgs = boto3.client('organizations')
          dynamodb = boto3.resource('dynamodb')
          sns = boto3.client('sns')
          
          def handler(event, context):
              table = dynamodb.Table(os.environ['METADATA_TABLE'])
              
              for record in event['Records']:
                  request_id = record['dynamodb']['Keys']['AccountId']['S']
                  
                  try:
                      response = orgs.describe_create_account_status(
                          CreateAccountRequestId=request_id
                      )
                      
                      status = response['CreateAccountStatus']['State']
                      
                      if status == 'SUCCEEDED':
                          account_id = response['CreateAccountStatus']['AccountId']
                          
                          table.update_item(
                              Key={'AccountId': request_id},
                              UpdateExpression='SET #status = :status, ActualAccountId = :account_id',
                              ExpressionAttributeNames={'#status': 'Status'},
                              ExpressionAttributeValues={
                                  ':status': 'SUCCEEDED',
                                  ':account_id': account_id
                              }
                          )
                          
                          sns.publish(
                              TopicArn=os.environ['SNS_TOPIC_ARN'],
                              Subject='Account Provisioning Completed',
                              Message=f'Account {account_id} provisioned successfully'
                          )
                      
                  except Exception as e:
                      print(f"Error checking status: {str(e)}")
              
              return {'statusCode': 200}
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-status-check'

  # EventBridge Rule for periodic status checks
  AccountStatusCheckRule:
    Type: AWS::Events::Rule
    Properties:
      Name: !Sub '${AWS::StackName}-status-check'
      Description: Periodic check for account provisioning status
      ScheduleExpression: 'rate(5 minutes)'
      State: ENABLED
      Targets:
        - Arn: !GetAtt AccountStatusCheckFunction.Arn
          Id: StatusCheckTarget

  AccountStatusCheckPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref AccountStatusCheckFunction
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn: !GetAtt AccountStatusCheckRule.Arn

  # Service Catalog Portfolio
  AccountFactoryPortfolio:
    Type: AWS::ServiceCatalog::Portfolio
    Properties:
      DisplayName: !Ref PortfolioName
      Description: !Ref PortfolioDescription
      ProviderName: 'Platform Engineering Team'
      Tags:
        - Key: Name
          Value: !Ref PortfolioName
        - Key: Environment
          Value: !Ref Environment

  # IAM Role for Service Catalog Launch
  ServiceCatalogLaunchRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${AWS::StackName}-sc-launch-role'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: servicecatalog.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-sc-launch-role'

  # Service Catalog Product - Account Vending Machine
  AccountVendingProduct:
    Type: AWS::ServiceCatalog::CloudFormationProduct
    Properties:
      Name: 'AWS Account Vending Machine'
      Description: 'Provision a new AWS account with baseline configurations'
      Owner: 'Platform Engineering Team'
      Distributor: 'Cloud Center of Excellence'
      SupportDescription: 'Contact platform-engineering@example.com for support'
      SupportEmail: 'platform-engineering@example.com'
      ProvisioningArtifactParameters:
        - Name: 'v1.0'
          Description: 'Initial version with baseline configurations'
          Info:
            LoadTemplateFromURL: !Sub 'https://${TemplateBucket.RegionalDomainName}/account-template.yaml'
          Type: CLOUD_FORMATION_TEMPLATE
      Tags:
        - Key: Name
          Value: 'Account Vending Machine'

  # Associate Product with Portfolio
  PortfolioProductAssociation:
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
    Properties:
      PortfolioId: !Ref AccountFactoryPortfolio
      ProductId: !Ref AccountVendingProduct

  # Launch Constraint
  LaunchConstraint:
    Type: AWS::ServiceCatalog::LaunchRoleConstraint
    Properties:
      PortfolioId: !Ref AccountFactoryPortfolio
      ProductId: !Ref AccountVendingProduct
      RoleArn: !GetAtt ServiceCatalogLaunchRole.Arn

  # CloudWatch Dashboard
  AccountFactoryDashboard:
    Type: AWS::CloudWatch::Dashboard
    Properties:
      DashboardName: !Sub '${AWS::StackName}-dashboard'
      DashboardBody: !Sub |
        {
          "widgets": [
            {
              "type": "metric",
              "properties": {
                "metrics": [
                  ["AWS/Lambda", "Invocations", {"stat": "Sum", "label": "Provisioning Invocations"}],
                  [".", "Errors", {"stat": "Sum", "label": "Provisioning Errors"}],
                  [".", "Duration", {"stat": "Average", "label": "Avg Duration"}]
                ],
                "period": 300,
                "stat": "Average",
                "region": "${AWS::Region}",
                "title": "Account Provisioning Metrics",
                "yAxis": {
                  "left": {
                    "min": 0
                  }
                }
              }
            },
            {
              "type": "log",
              "properties": {
                "query": "SOURCE '${AccountFactoryLogGroup}'\n| fields @timestamp, @message\n| sort @timestamp desc\n| limit 20",
                "region": "${AWS::Region}",
                "title": "Recent Provisioning Logs"
              }
            }
          ]
        }

  # CloudWatch Alarms
  ProvisioningErrorAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub '${AWS::StackName}-provisioning-errors'
      AlarmDescription: Alert when account provisioning errors occur
      MetricName: Errors
      Namespace: AWS/Lambda
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Dimensions:
        - Name: FunctionName
          Value: !Ref AccountProvisioningFunction
      AlarmActions:
        - !Ref AccountProvisioningTopic

Outputs:
  PortfolioId:
    Description: Service Catalog Portfolio ID
    Value: !Ref AccountFactoryPortfolio
    Export:
      Name: !Sub '${AWS::StackName}-PortfolioId'

  ProductId:
    Description: Service Catalog Product ID
    Value: !Ref AccountVendingProduct
    Export:
      Name: !Sub '${AWS::StackName}-ProductId'

  TemplateBucketName:
    Description: S3 Bucket for CloudFormation templates
    Value: !Ref TemplateBucket
    Export:
      Name: !Sub '${AWS::StackName}-TemplateBucket'

  MetadataTableName:
    Description: DynamoDB table for account metadata
    Value: !Ref AccountMetadataTable
    Export:
      Name: !Sub '${AWS::StackName}-MetadataTable'

  ProvisioningFunctionArn:
    Description: Lambda function ARN for account provisioning
    Value: !GetAtt AccountProvisioningFunction.Arn
    Export:
      Name: !Sub '${AWS::StackName}-ProvisioningFunction'

  NotificationTopicArn:
    Description: SNS topic ARN for notifications
    Value: !Ref AccountProvisioningTopic
    Export:
      Name: !Sub '${AWS::StackName}-NotificationTopic'

  DashboardURL:
    Description: CloudWatch Dashboard URL
    Value: !Sub 'https://console.aws.amazon.com/cloudwatch/home?region=${AWS::Region}#dashboards:name=${AWS::StackName}-dashboard'
マルチアカウント構造（アカウントファクトリ）

構成要素 (AWS Services):

アーキテクチャ図 (Architecture Diagram)

AWS CLI でのデプロイ例
