private addStepFunctionInitializeOrganization()

in source/lib/compliant-framework-stack.ts [923:1024]


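  /**
   * Builds the Lambda function that initializes the AWS Organization and
   * wraps it in a Step Functions `LambdaInvoke` task.
   *
   * The function's execution role is granted, via `initialPolicy`:
   *  - CloudWatch Logs create/put on its own log group;
   *  - `ssm:GetParameter` on every parameter in the account/region;
   *  - read/create of the Organization itself (Organizations requires `*`);
   *  - list/create of organizational units under any root or OU;
   *  - `iam:CreateServiceLinkedRole` for `aws-service-role/*` roles.
   *
   * @returns the `LambdaInvoke` task to be wired into the state machine.
   * @throws Error if the synthesized execution role has no `DefaultPolicy`
   *   child, so the cfn_nag suppression cannot be attached.
   */
  private addStepFunctionInitializeOrganization(): tasks.LambdaInvoke {
    const functionName = 'CompliantFramework-InitializeOrganization'

    const lambdaFunction = new lambda.Function(this, 'initializeOrganizationFunction', {
      functionName,
      code: new lambda.AssetCode('lambda/initialize_organization'),
      handler: 'index.lambda_handler',
      timeout: cdk.Duration.seconds(300),
      runtime: lambda.Runtime.PYTHON_3_8,
      initialPolicy: [
        // Logging is scoped to this function's own log group only.
        new iam.PolicyStatement({
          effect: iam.Effect.ALLOW,
          actions: [
            'logs:CreateLogGroup',
            'logs:CreateLogStream',
            'logs:PutLogEvents'
          ],
          resources: [this.formatArn({
            service: 'logs',
            resource: 'log-group',
            sep: ':',
            resourceName: functionName
          })]
        }),
        // NOTE(review): grants read of every SSM parameter in this account/region.
        // Narrow `resourceName` to the parameter path(s) the handler actually
        // reads once they are known.
        new iam.PolicyStatement({
          effect: iam.Effect.ALLOW,
          actions: [
            'ssm:GetParameter'
          ],
          resources: [this.formatArn({
            service: 'ssm',
            resource: 'parameter',
            sep: '/',
            resourceName: '*'
          })]
        }),
        // These Organizations actions do not support resource-level
        // permissions, hence the `*` (covered by the W12 suppression below).
        new iam.PolicyStatement({
          effect: iam.Effect.ALLOW,
          actions: [
            'organizations:ListRoots',
            'organizations:DescribeOrganization',
            'organizations:CreateOrganization'
          ],
          resources: ['*']
        }),
        // Organizations ARNs are global, so `region` is blanked out.
        new iam.PolicyStatement({
          effect: iam.Effect.ALLOW,
          actions: [
            'organizations:ListOrganizationalUnitsForParent',
            'organizations:CreateOrganizationalUnit',
          ],
          resources: [
            this.formatArn({
              service: 'organizations',
              region: '',
              resource: 'ou',
              sep: '/',
              resourceName: 'o-*/ou-*'
            }),
            this.formatArn({
              service: 'organizations',
              region: '',
              resource: 'root',
              sep: '/',
              resourceName: 'o-*/r-*'
            })
          ]
        }),
        // NOTE(review): `account: '*'` is wider than needed — service-linked
        // roles can only be created in the caller's own account, so the
        // stack's account (the formatArn default) would be the tighter scope.
        // Consider also restricting with an `iam:AWSServiceName` condition
        // once the target service is confirmed.
        new iam.PolicyStatement({
          effect: iam.Effect.ALLOW,
          actions: [
            'iam:CreateServiceLinkedRole'
          ],
          resources: [
            this.formatArn({
              service: 'iam',
              region: '',
              account: '*',
              resource: 'role',
              sep: '/',
              resourceName: 'aws-service-role/*'
            })
          ]
        })
      ]
    })
    this.suppressWarnings(lambdaFunction)

    // The `*`-resource statement above trips cfn_nag rule W12 on the role's
    // synthesized DefaultPolicy; attach the suppression to that CfnPolicy.
    // Fail with a clear message rather than a TypeError if the construct tree
    // does not contain the expected child (e.g. after a CDK upgrade).
    const defaultPolicy = lambdaFunction.role?.node.tryFindChild('DefaultPolicy')
    if (defaultPolicy === undefined) {
      throw new Error(`DefaultPolicy not found on the execution role of ${functionName}`)
    }
    const cfnLambdaFunctionDefPolicy = defaultPolicy.node.findChild('Resource') as iam.CfnPolicy
    cfnLambdaFunctionDefPolicy.cfnOptions.metadata = {
      cfn_nag: {
        rules_to_suppress: [{
          id: 'W12',
          reason: `Lambda permission actions require use of * resource`
        }]
      }
    }

    return new tasks.LambdaInvoke(this, 'Initialize Organization', {
      lambdaFunction
    })
  }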