use privledgedRole input, tag account closure dates

vendrinc · Dec 22, 2023 · bfd59a0 · bfd59a0
1 parent ce397be
commit bfd59a0
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 5 deletions.
diff --git a/API.md b/API.md
diff --git a/src/index.ts b/src/index.ts
@@ -1,7 +1,7 @@
 import { EventbridgeToStepfunctions } from "@aws-solutions-constructs/aws-eventbridge-stepfunctions";
 import { Duration } from "aws-cdk-lib";
 import { Schedule } from "aws-cdk-lib/aws-events";
-import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
+import { Effect, PolicyStatement, Role } from "aws-cdk-lib/aws-iam";
 import {
   Choice,
   Map,
@@ -11,15 +11,27 @@ import {
   Condition,
   JsonPath,
   DefinitionBody,
+  TaskRole,
 } from "aws-cdk-lib/aws-stepfunctions";
 import { CallAwsService } from "aws-cdk-lib/aws-stepfunctions-tasks";
 import { Construct } from "constructs";
 
+export interface AccountClosureStepFunctionProps {
+  readonly privledgedRoleArn: string; // TODO provide example role for repo with all required permissions
+}
 export class AccountClosureStepFunction extends Construct {
-  constructor(scope: Construct, id: string) {
+  constructor(
+    scope: Construct,
+    id: string,
+    props: AccountClosureStepFunctionProps
+  ) {
     super(scope, id);
+    const privledgedRole = TaskRole.fromRole(
+      Role.fromRoleArn(this, "PrivledgedRole", props.privledgedRoleArn)
+    );
 
     const describeAccount = new CallAwsService(this, "describeAccount", {
+      credentials: { role: privledgedRole },
       comment: "Describe Account",
       service: "organizations",
       action: "describeAccount",
@@ -47,6 +59,7 @@ export class AccountClosureStepFunction extends Construct {
     });
 
     const findAccounts = new CallAwsService(this, "findAccounts", {
+      credentials: { role: privledgedRole },
       comment: "Find accounts tagged for closure",
       service: "resourcegroupstaggingapi",
       action: "getResources",
@@ -72,6 +85,7 @@ export class AccountClosureStepFunction extends Construct {
     });
 
     const tagAcknowledged = new CallAwsService(this, "tagAcknowledged", {
+      credentials: { role: privledgedRole },
       service: "organizations",
       action: "tagResource",
       parameters: {
@@ -91,6 +105,7 @@ export class AccountClosureStepFunction extends Construct {
     });
 
     const closeAccount = new CallAwsService(this, "closeAccount", {
+      credentials: { role: privledgedRole },
       service: "organizations",
       action: "closeAccount",
       iamResources: ["arn:aws:organizations::*:account/o-*/*"],

diff --git a/test/index.test.ts b/test/index.test.ts
@@ -12,7 +12,10 @@ describe("Account Closure Construct", () => {
       super(scope, id);
       new AccountClosureStepFunction(
         this,
-        "AccountClosureStepFunctionConstruct"
+        "AccountClosureStepFunctionConstruct",
+        {
+          privledgedRoleArn: "arn:aws:iam::123456789012:role/PrivledgedRole",
+        }
       );
     }
   }