1
votes

I'm new to AWS CloudFormation. I've used it to deploy CloudTrail to a number of accounts without issue; however, I'm trying to use one centralised SNS Topic that each CloudTrail can use. If I edit via the CloudTrail GUI it works, but I can't get CloudFormation to work.

---
AWSTemplateFormatVersion: '2010-09-09'
Description: Centralised CloudTrail
Resources:
  CloudTrail:
    Type: "AWS::CloudTrail::Trail"
    Properties:
      EnableLogFileValidation: 'false'
      IncludeGlobalServiceEvents: 'true'
      IsLogging: 'true'
      IsMultiRegionTrail: 'true'
      S3BucketName: company-cloudtrail-au
      TrailName: Trail1
      SnsTopicName: SNSTopic

I'm trying to use the ARN for the SNS Topic (example below), but I can't figure out how to tell CloudFormation to use the ARN instead of the Name; if I just put the name in, then it creates a new SNS topic in each child account.

If I go to the GUI after CloudFormation is deployed, I can then point it to the correct ARN and it's centralised, but it's not ideal. Let me know if SNS isn't meant to be shared across accounts or if there is a better way to do this.

Example ARN for SNS Topic - arn:aws:sns:ap-southeast-1:1111111111:SNSTopic

2
Have you looked at CloudTrail support via AWS Organizations? If all your accounts are under an AWS Organization then you can create an Organization Trail in the master account that will get automatically propagated (including SNS, S3, and CWL configurations) to all member accounts.
Gaston

2 Answers

0
votes

The solution depends on how you have created the Centralized SNS. If it is created using a CF template, you can export the ARN of the SNS topic as an output. Ref: CloudFormation Output

In the current stack where you are creating the CloudTrail, you can refer to the SNS Topic's ARN using the import option. Ref: Fn::ImportValue.

(or)

If you have manually created the SNS Topic, you can still pass the ARN of the SNS as a parameter for the CloudFormation create-stack call. Ref: Parameters.

Hope this helps.

0
votes

There are a number of ways to pass the ARN to SnsTopicName:

  1. If you have created the SNS Topic in the Template itself as - Type: AWS::SNS::Topic, then you can refer to the ARN of the SNS Topic as (Ref on an AWS::SNS::Topic returns its ARN)
     SnsTopicName: !Ref MySnsTopic
  2. If you have manually created the SNS Topic in the Console, then you can give the ARN as
     SnsTopicName: !Sub "your-full-ARN-of-the-SNS-Topic"
  3. You can pass the ARN from the Parameters with Default: value (ARN)
     Parameters:
       SNSTopic:
         Description: SNS Topic Name
         Type: String
         Default: arn:aws:sns:ap-southeast-1:1111111111:SNSTopic
     ##########
     Properties:
       SnsTopicName: !Ref SNSTopic
  4. You can define the ARN in a separate config file and pass it as a parameter with the Deploy Function for the Template or while calling the Script to deploy the Template
     Filename - configfile.conf
     SNSTopic="arn:aws:sns:ap-southeast-1:1111111111:SNSTopic"

     AWS Serverless Template
     Parameters:
       SNSTopic:
         Type: String
     ##########
     Properties:
       SnsTopicName: !Sub "${SNSTopic}"
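As an added example (not from the question or either answer), a pair of templates that puts the parameter option into practice and covers the asker's cross-account concern: the central account owns the topic plus a topic policy that lets the CloudTrail service principal publish only on behalf of the listed member accounts, and each member account deploys its trail with the topic ARN as a parameter. A parameter is used instead of Fn::ImportValue because stack exports can only be imported within the same account and region; the account IDs, the AllowedPattern and the resource names are assumed placeholders.

```yaml
# File 1 (central/security account, assumed ID 111111111111): the shared
# topic and the policy that lets CloudTrail publish to it from member accounts.
AWSTemplateFormatVersion: '2010-09-09'
Description: Central CloudTrail SNS topic
Resources:
  CentralTrailTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: SNSTopic
  CentralTrailTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics: [!Ref CentralTrailTopic]
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowCloudTrailFromMemberAccounts
            Effect: Allow
            Principal: {Service: cloudtrail.amazonaws.com}
            Action: SNS:Publish
            Resource: !Ref CentralTrailTopic
            Condition:
              # Only trails owned by these (assumed) member accounts may publish.
              StringEquals:
                aws:SourceAccount: ['222222222222', '333333333333']

---
# File 2 (each member account): the trail pointing at the existing topic ARN.
AWSTemplateFormatVersion: '2010-09-09'
Description: Member-account trail using the central SNS topic
Parameters:
  CentralSnsTopicArn:
    Type: String
    Description: ARN of the topic created by File 1
    # Reject anything that is not an SNS topic ARN, so a bare name cannot
    # silently create a new topic in this account.
    AllowedPattern: '^arn:aws:sns:[a-z0-9-]+:[0-9]{12}:[A-Za-z0-9_-]+$'
Resources:
  CloudTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      TrailName: Trail1
      S3BucketName: company-cloudtrail-au
      IsLogging: true
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      EnableLogFileValidation: true   # digest files let you verify log integrity
      SnsTopicName: !Ref CentralSnsTopicArn
```

Deploy File 1 once, then File 2 in every member account with the topic ARN supplied as the parameter value; the S3 bucket policy must separately allow those accounts' trails to write to company-cloudtrail-au.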