in source/repositories/compliant-framework-central-pipeline/lib/environment-pipeline-stack.ts [615:728]
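/**
 * Builds the per-region CodePipeline actions that roll out the security
 * baseline: the `security-baseline` stack set, the Security Hub member
 * invitations and the `backup-services` stack set.
 *
 * Actions are emitted only for regions that have a `managementServices`
 * entry in the config; every other region in `deployToRegions` is skipped.
 * Both stack sets run at `runOrder` 1 and the Security Hub invite at
 * `runOrder` 2, i.e. after the security-baseline stack set has been applied.
 *
 * Changes from the previous version: `tags` is typed instead of `any`,
 * `var` locals are `const`/`let`, the shared template-URL prefix is built
 * once, the member-account list is de-duplicated with a `Set`, and a plugin
 * with no entry for the current region is skipped instead of throwing a
 * TypeError at synth time.
 *
 * @returns the actions to add to the pipeline stage, in emission order.
 */
private getSecurityBaselineActions(): codepipeline.IAction[] {
  // Solution metadata stamped on every stack-set stack, in the
  // CloudFormation `Tags` (Key/Value) shape.
  const tags: { Key: string; Value: string }[] = [
    { Key: 'solution-info:built-by', Value: this.props.solutionInfo.builtBy },
    { Key: 'solution-info:name', Value: this.props.solutionInfo.name },
    { Key: 'solution-info:version', Value: this.props.solutionInfo.version },
  ]
  const actions: codepipeline.IAction[] = []
  // Both templates are published from the security-baseline source repo into
  // the pipeline's own bucket; the URL is region-invariant so build it once.
  const templateBase =
    `https://${this.s3Bucket.bucketRegionalDomainName}/` +
    `${this.sources[cfw.SECURITY_BASELINE].repo.repositoryName}/templates/`
  const environment = this.props.environment

  for (const region of this.props.config.deployToRegions) {
    // Only configure these stack sets if the region is enabled for
    // management services.
    if (!(region in this.props.config.managementServices)) {
      continue
    }
    const managementAccountId =
      this.props.config.managementServices[region].environments[environment].accountId

    // Only the 'default' environment carries its name as a prefix; all other
    // environments use the bare stack-set names (kept as-is for existing
    // deployments, since renaming a stack set would re-create it).
    const namePrefix = environment === 'default' ? `${environment}-` : ''
    const securityBaselineStackSetName = `${namePrefix}security-baseline-stackset-${region}`
    const backupServicesStackSetName = `${namePrefix}backup-services-stackset-${region}`

    actions.push(
      new codepipeline_actions.LambdaInvokeAction({
        actionName: `SecurityBase-StackSet-${cfw.getActionName(region)}`,
        lambda: this.lambdas[cfw.STACK_SET_ACTION],
        userParameters: {
          stackSetName: securityBaselineStackSetName,
          ouName: this.getOuName(region),
          templateUrl: `${templateBase}security-baseline.yml`,
          region: region,
          ssmParameterPath:
            '/compliant/framework/central/stack-set/parameters/security-baseline',
          parameters: {
            pCentralAccountId: this.props.config.central.accountId,
            pManagementServicesAccountId: managementAccountId,
            //'pComplianceSet': this.props.config.complianceSet
          },
          // The template creates IAM resources with explicit names, which
          // CloudFormation requires to be acknowledged explicitly.
          capabilities: ['CAPABILITY_NAMED_IAM'],
          tags: tags,
        },
        runOrder: 1,
      }),
    )

    // Accounts that Security Hub invites as members for this region: transit,
    // management services and every plugin action account for this
    // environment, de-duplicated in first-seen order.
    const memberAccounts = new Set<string>([
      this.props.config.transit[region].environments[environment].accountId,
      managementAccountId,
    ])
    for (const plugin of Object.values(this.props.config.plugins)) {
      // NOTE(review): plugins are assumed to be keyed by region like
      // managementServices; a plugin without an entry for this region has no
      // accounts to invite here, so it is skipped rather than failing synth.
      // Confirm this matches the config schema.
      const regionalPlugin = plugin[region]
      if (!regionalPlugin) {
        continue
      }
      for (const action of regionalPlugin.actions) {
        memberAccounts.add(action.environments[environment].accountId)
      }
    }
    actions.push(
      new codepipeline_actions.LambdaInvokeAction({
        actionName: `SecurityHub-InviteMembers-${cfw.getActionName(region)}`,
        lambda: this.lambdas[cfw.SECURITY_HUB_INVITE_MEMBERS],
        userParameters: {
          accountIds: Array.from(memberAccounts),
          partition: this.partition,
          region: region,
        },
        // Runs after the security-baseline stack set for this region.
        runOrder: 2,
      }),
    )

    actions.push(
      new codepipeline_actions.LambdaInvokeAction({
        actionName: `BackupServices-StackSet-${cfw.getActionName(region)}`,
        lambda: this.lambdas[cfw.STACK_SET_ACTION],
        userParameters: {
          stackSetName: backupServicesStackSetName,
          ouName: this.getOuName(region),
          templateUrl: `${templateBase}backup-services.yml`,
          region: region,
          // backup-services takes no template parameters today.
          parameters: {},
          capabilities: ['CAPABILITY_NAMED_IAM'],
          tags: tags,
        },
        runOrder: 1,
      }),
    )
  }
  return actions
}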