in source/lib/compliant-framework-stack.ts [1030:1099]
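/**
 * Builds the "Create Accounts" Step Functions task.
 *
 * Creates the account-creation Lambda (Python 3.8, 900 s timeout) with an
 * inline execution policy, suppresses cfn_nag rule W12 on the policy resource
 * CDK generates for it, and wraps the function in a `LambdaInvoke` task whose
 * payload carries the three account e-mail stack parameters.
 *
 * Interface is unchanged from the previous version; the only behavioural
 * difference is that a missing/unexpected generated policy resource now fails
 * with a descriptive error instead of a `TypeError` on `.cfnOptions`.
 *
 * @returns the `LambdaInvoke` task to be chained into the state machine.
 * @throws Error when the generated `DefaultPolicy` resource cannot be located
 *   under the function's role (nothing to attach the cfn_nag suppression to).
 */
private addStepFunctionCreateAccounts(): tasks.LambdaInvoke {
  const functionName = 'CompliantFramework-CreateAccounts';

  const lambdaFunction = new lambda.Function(this, 'createAccountsFunction', {
    functionName,
    code: new lambda.AssetCode('lambda/create_accounts'),
    handler: 'index.lambda_handler',
    timeout: cdk.Duration.seconds(900),
    runtime: lambda.Runtime.PYTHON_3_8,
    initialPolicy: [
      // CloudWatch Logs, scoped to a single log group named after the function.
      // NOTE(review): Lambda writes to the log group "/aws/lambda/<functionName>";
      // this ARN names a log group without that prefix — confirm it is the
      // intended target.
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: [
          'logs:CreateLogGroup',
          'logs:CreateLogStream',
          'logs:PutLogEvents'
        ],
        resources: [this.formatArn({
          service: 'logs',
          resource: 'log-group',
          sep: ':',
          resourceName: functionName
        })]
      }),
      // SSM Parameter Store: write access to every parameter in this
      // account/region. NOTE(review): narrow `resourceName` to the parameter
      // path the handler actually writes if that path is known.
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: [
          'ssm:PutParameter'
        ],
        resources: [this.formatArn({
          service: 'ssm',
          resource: 'parameter',
          sep: '/',
          resourceName: '*'
        })]
      }),
      // Organizations: granted on '*'. This statement is why the generated
      // policy trips cfn_nag W12, which is suppressed below.
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: [
          'organizations:ListAccounts',
          'organizations:CreateGovCloudAccount',
          'organizations:DescribeCreateAccountStatus'
        ],
        resources: ['*']
      })
    ]
  });
  this.suppressWarnings(lambdaFunction);

  // CDK materialises `initialPolicy` as a child named 'DefaultPolicy' under the
  // function's role; its 'Resource' child is the L1 construct cfn_nag inspects.
  // Guard the lookup explicitly rather than casting a possibly-undefined value.
  const defaultPolicyResource = lambdaFunction.role?.node
    .tryFindChild('DefaultPolicy')?.node
    .tryFindChild('Resource');
  if (defaultPolicyResource === undefined || !cdk.CfnResource.isCfnResource(defaultPolicyResource)) {
    throw new Error(
      `${functionName}: could not locate the generated DefaultPolicy resource to attach the cfn_nag W12 suppression`
    );
  }
  defaultPolicyResource.cfnOptions.metadata = {
    cfn_nag: {
      rules_to_suppress: [{
        id: 'W12',
        reason: `Lambda permission actions require use of * resource`
      }]
    }
  };

  // The payload is a JSON string built from stack parameters; the tokens are
  // resolved at synth/deploy time, so the Lambda receives the concrete values.
  const payload = sfn.TaskInput.fromText(JSON.stringify({
    'LoggingAccountEmail': this.loggingAccountEmail.valueAsString,
    'ManagementServicesAccountEmail': this.managementServicesAccountEmail.valueAsString,
    'TransitAccountEmail': this.transitAccountEmail.valueAsString
  }));

  return new tasks.LambdaInvoke(this, 'Create Accounts', {
    lambdaFunction,
    payload
  });
}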