add and modify tech solu

aliyun · Feb 29, 2024 · ad1074b · ad1074b
1 parent e133fd9
commit ad1074b
Show file tree

Hide file tree

Showing 6 changed files with 229 additions and 86 deletions.
diff --git a/README-CN.md b/README-CN.md
@@ -561,6 +561,8 @@ ROS 模板的示例和最佳实践。模板分类如下：
 | [efficiently-build-a-new-account-with-security-and-compliance.yml](documents/solution/security-and-compliance/efficiently-build-a-new-account-with-security-and-compliance.yml) | 高效构建安全合规的新账号。｜ [解决方案](https://www.aliyun.com/solution/tech-solution/ecosacna)       |
 | [multiple-accounts-support-configuration-auditing.yml](documents/solution/security-and-compliance/multiple-accounts-support-configuration-auditing.yml) | 企业多账号配置统一合规审计。｜ [解决方案](https://www.aliyun.com/solution/tech-solution/ucafmac)       |
 | [cloud-firewall-in-multiple-accounts.yml](documents/solution/security-and-compliance/cloud-firewall-in-multiple-accounts.yml) | 创建VPC类型ECS，并绑定EIP。 ｜ [解决方案](https://www.aliyun.com/solution/tech-solution/umomaicf) |
+| [enterprise-multi-account-identity-permissions.yml](documents/solution/security-and-compliance/enterprise-multi-account-identity-permissions.yml) | Centralized management of enterprise multi-account identity permissions. |
+
 
   </details>
 

diff --git a/README.md b/README.md
@@ -562,11 +562,12 @@ Examples and best practices of ROS templates. The templates are categorized as f
 
 - security-and-compliance
 
-| Template                                                                                                                                                             | Description                                                  |
-|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------|
+| Template                                                                                                                                                           | Description                                                  |
+|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------|
 | [efficiently-build-a-new-account-with-security-and-compliance.yml](documents/solution/security-and-compliance/efficiently-build-a-new-account-with-security-and-compliance.yml) | Efficiently build a new account with security and compliance. |
 | [multiple-accounts-support-configuration-auditing.yml](documents/solution/security-and-compliance/multiple-accounts-support-configuration-auditing.yml) | Configure unified compliance audit for multiple accounts. |
 | [cloud-firewall-in-multiple-accounts.yml](documents/solution/security-and-compliance/cloud-firewall-in-multiple-accounts.yml) | Create a VPC type ECS and bind EIP. |
+| [enterprise-multi-account-identity-permissions.yml](documents/solution/security-and-compliance/enterprise-multi-account-identity-permissions.yml) | Centralized management of enterprise multi-account identity permissions. |
 
   </details>
 

diff --git a/...s/solution/account/enterprise-multi-account-identity-authority-centralized-management.yml b/...s/solution/account/enterprise-multi-account-identity-authority-centralized-management.yml
@@ -274,31 +274,6 @@ Resources:
             - RDAccount1
             - AccountId
           - Ref: Account1
-Metadata:
-  ALIYUN::ROS::Interface:
-    ParameterGroups:
-      - Parameters:
-          - WhetherCreateAccount
-          - FolderName1
-          - DisplayName1
-          - Account1
-        Label:
-          default:
-            zh-cn: 配置资源目录
-            en:
-              Resource account
-      - Parameters:
-          - SamlConfigurationMode
-          - EncodedMetadataDocument
-          - EntityId
-          - LoginUrl
-          - X509Certificate
-        Label:
-          default:
-            zh-cn: 配置单点登录
-            en: Configuration single sign-on
-    TemplateTags:
-      - acs:technical-solution:account:企业多账号身份权限集中管理
 Outputs:
   FolderId:
     Condition: CreateAccount
@@ -351,4 +326,29 @@ Outputs:
       Fn::GetAtt:
       - CloudSSOCredential
       - CredentialSecret
+Metadata:
+  ALIYUN::ROS::Interface:
+    ParameterGroups:
+      - Parameters:
+          - WhetherCreateAccount
+          - FolderName1
+          - DisplayName1
+          - Account1
+        Label:
+          default:
+            zh-cn: 配置资源目录
+            en:
+              Resource account
+      - Parameters:
+          - SamlConfigurationMode
+          - EncodedMetadataDocument
+          - EntityId
+          - LoginUrl
+          - X509Certificate
+        Label:
+          default:
+            zh-cn: 配置单点登录
+            en: Configuration single sign-on
+    TemplateTags:
+      - acs:technical-solution:account:企业多账号身份权限集中管理
 
diff --git a/documents/solution/ops-on-cloud/global-view-and-search-of-cross-account-resources.yml b/documents/solution/ops-on-cloud/global-view-and-search-of-cross-account-resources.yml
@@ -1,55 +1,143 @@
 ROSTemplateFormatVersion: '2015-09-01'
-Description:
-  en: Global view and search of cross-account resources.
-  zh-cn: 跨账号资源全局视图及搜索。
 Parameters:
-  CommonName:
-    Type: String
-    Default: for-search
   ZoneId:
     Type: String
-    AssociationProperty: ALIYUN::ECS::Instance::ZoneId
     Label:
-      en: VSwitch Availability Zone
-      zh-cn: 交换机可用区
+      en: VSwitch Available Zone
+      zh-cn: 可用区
+    AssociationProperty: ALIYUN::VPC::Zone::ZoneId
+    AssociationPropertyMetadata:
+      AutoSelectFirst: true
+  FolderName:
+    Type: String
+    Label:
+      zh-cn: 资源目录名称
+      en: Resource directory folder name
+    AssociationProperty: AutoCompleteInput
+    AssociationPropertyMetadata:
+      Length: 5
+      Prefix: ros-folder-
+      CharacterClasses:
+        - Class: lowercase
+  AccountDisplayName:
+    Type: String
+    AssociationProperty: AutoCompleteInput
+    AssociationPropertyMetadata:
+      Length: 5
+      Prefix: account-for-search-
+      CharacterClasses:
+        - Class: lowercase
 Resources:
-  EcsVpc:
-    Type: 'ALIYUN::ECS::VPC'
+  RDFolder:
+    Type: ALIYUN::ResourceManager::Folder
+    Properties:
+      FolderName:
+        Ref: FolderName
+  RDAccount1:
+    Type: ALIYUN::ResourceManager::Account
+    Properties:
+      DeleteAccount: true
+      DisplayName:
+        'Fn::Sub': '${AccountDisplayName}-1'
+      FolderId:
+        Fn::GetAtt:
+          - RDFolder
+          - FolderId
+  RDAccount2:
+    Type: ALIYUN::ResourceManager::Account
+    Properties:
+      DeleteAccount: true
+      DisplayName:
+        'Fn::Sub': '${AccountDisplayName}-2'
+      FolderId:
+        Fn::GetAtt:
+          - RDFolder
+          - FolderId
+  AutoEnableTrustedRos:
+    Type: ALIYUN::ROS::AutoEnableService
     Properties:
-      VpcName:
-        'Fn::Sub': 'vpc-${CommonName}-${ALIYUN::TenantId}'
-      CidrBlock: 192.168.0.0/16
-  EcsVSwitch:
-    Type: 'ALIYUN::ECS::VSwitch'
+      ServiceName: 'TrustedService/ROS'
+  StackGroup:
+    Type: ALIYUN::ROS::StackGroup
+    DependsOn: AutoEnableTrustedRos
     Properties:
-      ZoneId:
-        Ref: ZoneId
-      VpcId:
-        Ref: EcsVpc
-      VSwitchName:
-        'Fn::Sub': 'vsw-${CommonName}-${ALIYUN::TenantId}'
-      CidrBlock: 192.168.0.0/24
-  EcsSecurityGroup:
-    Type: 'ALIYUN::ECS::SecurityGroup'
+      StackGroupName: ros-test-stack-group
+      PermissionModel: SERVICE_MANAGED
+      AutoDeployment:
+        Enabled: false
+      Parameters:
+        ZoneId:
+          Ref: ZoneId
+      TemplateBody:
+        ROSTemplateFormatVersion: '2015-09-01'
+        Parameters:
+          CommonName:
+            Type: String
+            Default: for-search
+          ZoneId:
+            Type: String
+        Resources:
+          EcsVpc:
+            Type: 'ALIYUN::ECS::VPC'
+            Properties:
+              VpcName:
+                'Fn::Sub': 'vpc-${CommonName}-${ALIYUN::TenantId}'
+              CidrBlock: 192.168.0.0/16
+          EcsVSwitch:
+            Type: 'ALIYUN::ECS::VSwitch'
+            Properties:
+              ZoneId:
+                Ref: ZoneId
+              VpcId:
+                Ref: EcsVpc
+              VSwitchName:
+                'Fn::Sub': 'vsw-${CommonName}-${ALIYUN::TenantId}'
+              CidrBlock: 192.168.0.0/24
+          EcsSecurityGroup:
+            Type: 'ALIYUN::ECS::SecurityGroup'
+            Properties:
+              VpcId:
+                Ref: EcsVpc
+              SecurityGroupName:
+                'Fn::Sub': 'sg-${CommonName}-${ALIYUN::TenantId}'
+              SecurityGroupIngress:
+                - PortRange: 22/22
+                  Priority: 1
+                  SourceCidrIp: 0.0.0.0/0
+                  IpProtocol: tcp
+                  NicType: internet
+                - PortRange: 80/80
+                  Priority: 1
+                  SourceCidrIp: 0.0.0.0/0
+                  IpProtocol: tcp
+                  NicType: internet
+  StackGroupInstances:
+    Type: ALIYUN::ROS::StackInstances
+    DependsOn:
+      - RDAccount1
+      - RDAccount2
     Properties:
-      VpcId:
-        Ref: EcsVpc
-      SecurityGroupName:
-        'Fn::Sub': 'sg-${CommonName}-${ALIYUN::TenantId}'
-      SecurityGroupIngress:
-        - PortRange: 22/22
-          Priority: 1
-          SourceCidrIp: 0.0.0.0/0
-          IpProtocol: tcp
-          NicType: internet
-        - PortRange: 80/80
-          Priority: 1
-          SourceCidrIp: 0.0.0.0/0
-          IpProtocol: tcp
-          NicType: internet
+      StackGroupName:
+        Ref: StackGroup
+      RegionIds:
+        - Ref: ALIYUN::Region
+      DeploymentTargets:
+        RdFolderIds:
+          - Ref: RDFolder
+      ParameterOverrides:
+        ZoneId:
+          Ref: ZoneId
+      RetainStacks: false
+      OperationPreferences:
+        MaxConcurrentCount: 2
 Metadata:
-  ALIYUN::ROS::Interface:
+  'ALIYUN::ROS::Interface':
+    ParameterGroups:
+      - Parameters:
+          - FolderName
+          - AccountDisplayName
+          - ZoneId
     TemplateTags:
-    - acs:technical-solution:ops-on-cloud:跨账号资源全局视图及搜索-tech_solu_70
+      - 'acs:technical-solution:ops-on-cloud:跨账号资源全局视图及搜索-tech_solu_70'
     Hidden:
-    - CommonName
+      - CommonName
diff --git a/documents/solution/security-and-compliance/enterprise-multi-account-identity-permissions.yml b/documents/solution/security-and-compliance/enterprise-multi-account-identity-permissions.yml
@@ -0,0 +1,68 @@
+ROSTemplateFormatVersion: '2015-09-01'
+Description:
+  en: Centralized management of enterprise multi-account identity permissions.
+  zh-cn: 企业多账号身份权限集中管理。
+Parameters:
+  FolderName1:
+    Type: String
+    Label:
+      zh-cn: Core 资源目录名称
+      en: Resource directory folder name
+    AssociationProperty: AutoCompleteInput
+    AssociationPropertyMetadata:
+      Length: 5
+      Prefix: core-
+      CharacterClasses:
+        - Class: lowercase
+  FolderName2:
+    Type: String
+    Label:
+      zh-cn: Application 资源目录名称
+      en: Resource directory folder name
+    AssociationProperty: AutoCompleteInput
+    AssociationPropertyMetadata:
+      Length: 5
+      Prefix: application-
+      CharacterClasses:
+        - Class: lowercase
+  AccountDisplayName:
+    Type: String
+    Label:
+      zh-cn: Core文件夹下的账号名称
+      en: The account name under the Core folder
+    AssociationProperty: AutoCompleteInput
+    AssociationPropertyMetadata:
+      Length: 5
+      Prefix: sandbox-account-
+      CharacterClasses:
+        - Class: lowercase
+Resources:
+  RDFolder1:
+    Type: ALIYUN::ResourceManager::Folder
+    Properties:
+      FolderName:
+        Ref: FolderName1
+  RDFolder2:
+    Type: ALIYUN::ResourceManager::Folder
+    Properties:
+      FolderName:
+        Ref: FolderName2
+  RDAccount1:
+    Type: ALIYUN::ResourceManager::Account
+    Properties:
+      DeleteAccount: true
+      DisplayName:
+        Ref: AccountDisplayName
+      FolderId:
+        Fn::GetAtt:
+          - RDFolder1
+          - FolderId
+Metadata:
+  'ALIYUN::ROS::Interface':
+    ParameterGroups:
+      - Parameters:
+          - FolderName1
+          - FolderName2
+          - AccountDisplayName
+    TemplateTags:
+      - 'acs:technical-solution:account:企业多账号身份权限集中管理-tech_solu_67'
diff --git a/...nts/solution/security-and-compliance/multiple-accounts-support-configuration-auditing.yml b/...nts/solution/security-and-compliance/multiple-accounts-support-configuration-auditing.yml
@@ -3,12 +3,6 @@ Description:
   zh-cn: 企业多账号配置统一合规审计
   en: Configure unified compliance audit for multiple accounts.
 Parameters:
-  IsEnableRD:
-    Type: Boolean
-    Label:
-      zh-cn: 是否开通资源目录
-      en: Whether to enable a Resource Directory
-    Default: false
   RDAccountName1:
     Default: Alice1
     Type: String
@@ -21,16 +15,7 @@ Parameters:
     Label:
       zh-cn: 资源目录成员名称2
       en: Resource directory member name 2
-Outputs: {}
-Conditions:
-  EnableRD:
-    Fn::Equals:
-      - true
-      - Ref: IsEnableRD
 Resources:
-  ResourceDirectory:
-    Condition: EnableRD
-    Type: ALIYUN::ResourceManager::ResourceDirectory
   RDFolder:
     Type: ALIYUN::ResourceManager::Folder
     Properties:
@@ -99,7 +84,6 @@ Metadata:
   ALIYUN::ROS::Interface:
     ParameterGroups:
       - Parameters:
-          - IsEnableRD
           - RDAccountName1
           - RDAccountName2
         Label: