From 8dc1a63b11737565696921d2308a5e5ce9bc7cfc Mon Sep 17 00:00:00 2001
From: Chris Kalafarski
Date: Wed, 26 Jun 2024 12:49:43 -0400
Subject: [PATCH] Add management sink rules and deployment workflow

---
 .../workflows/deploy-eventrules-mgmt-sink.yml | 39 +++++++++++++++++++
 event-rules/mgmt-sink-rules/README.md         |  3 ++
 event-rules/mgmt-sink-rules/template.yml      | 16 ++++++++
 3 files changed, 58 insertions(+)
 create mode 100644 .github/workflows/deploy-eventrules-mgmt-sink.yml
 create mode 100644 event-rules/mgmt-sink-rules/README.md
 create mode 100644 event-rules/mgmt-sink-rules/template.yml

diff --git a/.github/workflows/deploy-eventrules-mgmt-sink.yml b/.github/workflows/deploy-eventrules-mgmt-sink.yml
new file mode 100644
index 000000000..39bb90c82
--- /dev/null
+++ b/.github/workflows/deploy-eventrules-mgmt-sink.yml
@@ -0,0 +1,39 @@
+name: Deploy management sink rules
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - event-rules/mgmt-sink-rules/template.yml
+
+concurrency:
+  group: ${{ github.workflow }}
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-2
+          role-to-assume: arn:aws:iam::048723829744:role/PRX-GHA-AccessRole
+          role-session-name: gha-deploy-mgmt-sink-rules
+
+      - name: Deploy to management account
+        working-directory: event-rules/mgmt-sink-rules
+        run: |
+          template_body=$(cat template.yml)
+
+          aws cloudformation update-stack-set \
+            --stack-set-name mgmt-sink-event-rules \
+            --capabilities CAPABILITY_NAMED_IAM \
+            --template-body "$template_body" \
+            --operation-preferences FailureTolerancePercentage=100,MaxConcurrentPercentage=100,ConcurrencyMode=SOFT_FAILURE_TOLERANCE,RegionConcurrencyType=PARALLEL
diff --git a/event-rules/mgmt-sink-rules/README.md b/event-rules/mgmt-sink-rules/README.md
new file mode 100644
index 000000000..2e0928c9b
--- /dev/null
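Review bot: The `Deploy to management account` step goes green as soon as `update-stack-set` is accepted, because that CLI call returns an operation id without waiting for the StackSet operation to run, and `FailureTolerancePercentage=100` additionally means failures in any or all regions are tolerated rather than surfaced, so a broken rule deployment would never fail this workflow. The step should capture the `OperationId` and poll `describe-stack-set-operation` until the status leaves RUNNING/QUEUED/STOPPING, failing the job unless it is `SUCCEEDED`, as in the rewritten step below (existing flags kept). `--template-body file://template.yml` would also let the `template_body` shell variable go, but that is optional. Separately, `actions/checkout@v4` and `aws-actions/configure-aws-credentials@v4` are pinned only to floating tags; pinning to a commit SHA is the usual hardening for a workflow that holds `id-token: write` and assumes a role in the management account. The whole file is within this hunk.

```yaml
      - name: Deploy to management account
        working-directory: event-rules/mgmt-sink-rules
        run: |
          # … unchanged: template_body assignment …

          operation_id=$(aws cloudformation update-stack-set \
            --stack-set-name mgmt-sink-event-rules \
            --capabilities CAPABILITY_NAMED_IAM \
            --template-body "$template_body" \
            --operation-preferences FailureTolerancePercentage=100,MaxConcurrentPercentage=100,ConcurrencyMode=SOFT_FAILURE_TOLERANCE,RegionConcurrencyType=PARALLEL \
            --query OperationId --output text)

          # Block until the StackSet operation finishes; fail the job on anything but SUCCEEDED
          while true; do
            status=$(aws cloudformation describe-stack-set-operation \
              --stack-set-name mgmt-sink-event-rules \
              --operation-id "$operation_id" \
              --query StackSetOperation.Status --output text)
            case "$status" in
              RUNNING|QUEUED|STOPPING) sleep 15 ;;
              SUCCEEDED) break ;;
              *) echo "StackSet operation $operation_id ended with status $status"; exit 1 ;;
            esac
          done
```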
+++ b/event-rules/mgmt-sink-rules/README.md
@@ -0,0 +1,3 @@
+Similar to event rules created for _organization sink_ setups. There are some events that only occur within the management account of an AWS Organization. In order to capture and funnel those events to a single consumer, rules are created on the default event buses in all regions of the management account, which forward the events to purpose-built custom buses, to which the consumers subscribe.
+
+This template should be deployed to CloudFormation stacks using a StackSet. The StackSet should be created once in the management account, and configured to deploy to every region of the management account.
diff --git a/event-rules/mgmt-sink-rules/template.yml b/event-rules/mgmt-sink-rules/template.yml
new file mode 100644
index 000000000..fde2c325a
--- /dev/null
+++ b/event-rules/mgmt-sink-rules/template.yml
@@ -0,0 +1,16 @@
+AWSTemplateFormatVersion: "2010-09-09"
+
+Resources:
+  HealthEventsRule:
+    Type: AWS::Events::Rule
+    Properties:
+      EventPattern:
+        detail-type:
+          - AWS Health Event
+        source:
+          - aws.health
+      State: ENABLED
+      Targets:
+        - Arn: arn:aws:events:us-east-2:578003269847:event-bus/HealthEvents-sink
+          Id: mgmt-sink-health-event
+          RoleArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/PRX-HealthEventsSinkRole
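Review bot: `Targets[0].Arn` hard-codes the `aws` partition while `RoleArn` on the next line derives it from `${AWS::Partition}`, so the two ARNs in the same target would diverge in any non-standard partition; `Arn: !Sub arn:${AWS::Partition}:events:us-east-2:578003269847:event-bus/HealthEvents-sink` keeps them consistent. The sink account id and region are also literals inside the resource body; if this template is meant to be reused for further sink buses, lifting them into `Parameters` would avoid editing the rule itself. Neither `PRX-HealthEventsSinkRole` nor the resource policy on the `HealthEvents-sink` bus is created here, so the rule presumably depends on both already existing and permitting this account's `events:PutEvents`; a short comment above `RoleArn` stating that precondition would help whoever creates the StackSet. A `Description` on `HealthEventsRule` would also help, since no `Name` is set and the rule name will be generated.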