Zilla-SSO-Reader-Role CloudFormation template (.yml):

AWSTemplateFormatVersion: 2010-09-09
Description: 'Zilla SSO Reader Role to sync SSO users, groups and permission sets'
Parameters:
  ZillaSSOReaderRoleName:
    Type: String
    Description: 'Provide a role name (Example: Zilla-SSO-Reader-Role)'
    AllowedPattern: '[-_a-zA-Z0-9]*'
    Default: Zilla-SSO-Reader-Role
  ZillaExternalID:
    Type: String
    Description: 'Provide an ExternalID (Example: Xoih821ddwf)'
    MinLength: '1'
    AllowedPattern: '[a-zA-Z0-9\=\,\.\@\:\/\-_]*'
    Default: zillasecurity.com
    ConstraintDescription: >-
      ExternalID must contain only alphanumeric characters and the special
      characters =,.@:/-_
  ZillaAccountId:
    Description: >-
      Zilla AWS account ID that is allowed to assume this IAM role. Avoid
      changing!
    Type: String
    # Region-specific default value for account ID: US/087210011007, EU/319105906071, ANZ/868976368166
    Default: '087210011007'
Resources:
  ZillaIAMRole:
    Type: 'AWS::IAM::Role'
    # Retain keeps the role in place if the stack is deleted.
    DeletionPolicy: 'Retain'
    Properties:
      RoleName: !Ref ZillaSSOReaderRoleName
      Description: 'IAM Role to allow Zilla to read SSO Users, Groups and Permission Sets.'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AWSSSOReadOnly'
      # Trust policy: only the Zilla account may assume the role, and only when it
      # passes the ExternalId entered as a stack parameter (confused-deputy guard).
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${ZillaAccountId}:root'
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ZillaExternalID
      # Inline policy: read-only access to the Identity Store (users and groups).
      Policies:
        - PolicyName: zilla-sso-reader-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Resource: '*'
                Action:
                  - identitystore:Describe*
                  - identitystore:List*
    Metadata:
      'AWS::CloudFormation::Designer':
        id: a1259fc6-a6fe-4e2d-af45-7299bdcf7bc8
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Zilla Account Information
        Parameters:
          - ZillaSSOReaderRoleName
          - ZillaExternalID
Outputs:
  ZillaSSOReaderRoleARN:
    Value: !GetAtt ZillaIAMRole.Arn
    Description: Zilla SSO Reader Role ARN

Create stack for Zilla-SSO-Reader-Role in Management Account

  1. Go to the CloudFormation Stacks page and click Create stack.

  2. Select Template is ready and upload the Zilla-SSO-Reader-Role template (the .yml file) from your local machine.

  3. Give a name to the stack and add the parameter values.
    ZillaSSOReaderRoleName should be Zilla-SSO-Reader-Role.
    ZillaExternalID should be your company domain name. For example: if your company’s domain name is example.com, then enter the value as example.com.
    ZillaAccountId should be the region-specific Zilla Account ID:

    • US region Account ID: 087210011007

    • EU region Account ID: 319105906071

    • Australia/New Zealand region Account ID: 868976368166

  4. Click Next.

  5. Click Next on the Configure stack options page.

  6. Review the details and click Create stack.

  7. Check the status of the stack. Go to the Events tab. Wait for the Status to become CREATE_COMPLETE.

  8. Go to the IAM console. On the Roles page, search for Zilla-SSO-Reader-Role. Copy the Role ARN for configuration in sync settings.
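As an added post-deployment check (example code, not part of the Zilla template or of this procedure): the script below takes the trust policy of the created role, as returned by `aws iam get-role --role-name Zilla-SSO-Reader-Role`, and confirms it trusts only one of the Zilla account IDs listed above, allows only sts:AssumeRole, and requires the ExternalID entered as a stack parameter. The two sample documents are constructed; the account IDs are the ones from the template comment.

```python
import json

# Zilla account IDs from the template comment (US, EU, ANZ).
ZILLA_ACCOUNT_IDS = {"087210011007", "319105906071", "868976368166"}


def trust_policy_from_get_role(text):
    """Pull AssumeRolePolicyDocument out of `aws iam get-role` JSON output."""
    return json.loads(text)["Role"]["AssumeRolePolicyDocument"]


def check_trust_policy(doc, expected_external_id):
    """Return findings; an empty list means the trust policy matches the template's intent."""
    findings = []
    statements = doc.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {})
        principals = principals.get("AWS", []) if isinstance(principals, dict) else principals
        for p in [principals] if isinstance(principals, str) else principals:
            # Root ARN: the account is the 5th ':' field; IAM may also show a bare account ID.
            account = p if p.isdigit() else (p.split(":")[4] if p.count(":") >= 5 else "")
            if p == "*":
                findings.append("statement trusts any AWS principal (*)")
            elif account not in ZILLA_ACCOUNT_IDS:
                findings.append(f"unexpected trusted principal: {p}")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        extra = [a for a in actions if a != "sts:AssumeRole"]
        if extra:
            findings.append(f"unexpected actions: {extra}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append("missing sts:ExternalId condition (confused-deputy guard)")
        elif ext_id != expected_external_id:
            findings.append(f"sts:ExternalId is {ext_id!r}, expected {expected_external_id!r}")
    return findings


# Constructed sample: what the template renders with ExternalID example.com and the US account.
GOOD_DOC = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::087210011007:root"},
    "Action": "sts:AssumeRole", "Condition": {"StringEquals": {"sts:ExternalId": "example.com"}}}]}

# Constructed sample of a drifted role: wildcard principal, extra action, no ExternalId.
BAD_DOC = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["sts:AssumeRole", "sts:TagSession"]}]}
```

Run `check_trust_policy(trust_policy_from_get_role(cli_output), "<your ExternalID>")` against the real role; any non-empty result means the trust policy no longer matches what the stack created.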