From ad1074bc0251a1c4519537c0ebf700d5b1b1940d Mon Sep 17 00:00:00 2001 From: qitan Date: Thu, 29 Feb 2024 11:41:00 +0800 Subject: [PATCH 1/2] add and modify tech solu --- README-CN.md | 2 + README.md | 5 +- ...ntity-authority-centralized-management.yml | 50 ++--- ...-and-search-of-cross-account-resources.yml | 174 +++++++++++++----- ...ise-multi-account-identity-permissions.yml | 68 +++++++ ...ccounts-support-configuration-auditing.yml | 16 -- 6 files changed, 229 insertions(+), 86 deletions(-) create mode 100644 documents/solution/security-and-compliance/enterprise-multi-account-identity-permissions.yml diff --git a/README-CN.md b/README-CN.md index e285e190..67ddadee 100644 --- a/README-CN.md +++ b/README-CN.md @@ -561,6 +561,8 @@ ROS 模板的示例和最佳实践。模板分类如下: | [efficiently-build-a-new-account-with-security-and-compliance.yml](documents/solution/security-and-compliance/efficiently-build-a-new-account-with-security-and-compliance.yml) | 高效构建安全合规的新账号。| [解决方案](https://www.aliyun.com/solution/tech-solution/ecosacna) | | [multiple-accounts-support-configuration-auditing.yml](documents/solution/security-and-compliance/multiple-accounts-support-configuration-auditing.yml) | 企业多账号配置统一合规审计。| [解决方案](https://www.aliyun.com/solution/tech-solution/ucafmac) | | [cloud-firewall-in-multiple-accounts.yml](documents/solution/security-and-compliance/cloud-firewall-in-multiple-accounts.yml) | 创建VPC类型ECS,并绑定EIP。 | [解决方案](https://www.aliyun.com/solution/tech-solution/umomaicf) | +| [enterprise-multi-account-identity-permissions.yml](documents/solution/security-and-compliance/enterprise-multi-account-identity-permissions.yml) | Centralized management of enterprise multi-account identity permissions. | + diff --git a/README.md b/README.md index 1b9506a6..ad263c31 100644 --- a/README.md +++ b/README.md 
@@ -562,11 +562,12 @@ Examples and best practices of ROS templates. The templates are categorized as f - security-and-compliance -| Template | Description | -|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------| +| Template | Description | +|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------| | [efficiently-build-a-new-account-with-security-and-compliance.yml](documents/solution/security-and-compliance/efficiently-build-a-new-account-with-security-and-compliance.yml) | Efficiently build a new account with security and compliance. | | [multiple-accounts-support-configuration-auditing.yml](documents/solution/security-and-compliance/multiple-accounts-support-configuration-auditing.yml) | Configure unified compliance audit for multiple accounts. | | [cloud-firewall-in-multiple-accounts.yml](documents/solution/security-and-compliance/cloud-firewall-in-multiple-accounts.yml) | Create a VPC type ECS and bind EIP. | +| [enterprise-multi-account-identity-permissions.yml](documents/solution/security-and-compliance/enterprise-multi-account-identity-permissions.yml) | Centralized management of enterprise multi-account identity permissions. | diff --git a/documents/solution/account/enterprise-multi-account-identity-authority-centralized-management.yml b/documents/solution/account/enterprise-multi-account-identity-authority-centralized-management.yml index 3e3ccfa0..4077a63e 100644 --- a/documents/solution/account/enterprise-multi-account-identity-authority-centralized-management.yml +++ b/documents/solution/account/enterprise-multi-account-identity-authority-centralized-management.yml 
@@ -274,31 +274,6 @@ Resources: - RDAccount1 - AccountId - Ref: Account1 -Metadata: - ALIYUN::ROS::Interface: - ParameterGroups: - - Parameters: - - WhetherCreateAccount - - FolderName1 - - DisplayName1 - - Account1 - Label: - default: - zh-cn: 配置资源目录 - en: - Resource account - - Parameters: - - SamlConfigurationMode - - EncodedMetadataDocument - - EntityId - - LoginUrl - - X509Certificate - Label: - default: - zh-cn: 配置单点登录 - en: Configuration single sign-on - TemplateTags: - - acs:technical-solution:account:企业多账号身份权限集中管理 Outputs: FolderId: Condition: CreateAccount @@ -351,4 +326,29 @@ Outputs: Fn::GetAtt: - CloudSSOCredential - CredentialSecret +Metadata: + ALIYUN::ROS::Interface: + ParameterGroups: + - Parameters: + - WhetherCreateAccount + - FolderName1 + - DisplayName1 + - Account1 + Label: + default: + zh-cn: 配置资源目录 + en: + Resource account + - Parameters: + - SamlConfigurationMode + - EncodedMetadataDocument + - EntityId + - LoginUrl + - X509Certificate + Label: + default: + zh-cn: 配置单点登录 + en: Configuration single sign-on + TemplateTags: + - acs:technical-solution:account:企业多账号身份权限集中管理 diff --git a/documents/solution/ops-on-cloud/global-view-and-search-of-cross-account-resources.yml b/documents/solution/ops-on-cloud/global-view-and-search-of-cross-account-resources.yml index e32e4b37..6bb5ca94 100644 --- a/documents/solution/ops-on-cloud/global-view-and-search-of-cross-account-resources.yml +++ b/documents/solution/ops-on-cloud/global-view-and-search-of-cross-account-resources.yml 
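Review bot: In the moved Metadata block the `en` label of the first parameter group is split across two lines (`en:` followed by `Resource account` on the next line), which YAML folds into one plain scalar but reads like a stray value; write it as `en: Resource account` on one line, matching the second group's `en: Configuration single sign-on`. The zh-cn label 配置资源目录 reads as "configure resource directory", so the English label could be aligned with it at the same time. The move of Metadata behind Outputs itself leaves the content unchanged.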
@@ -1,55 +1,143 @@ ROSTemplateFormatVersion: '2015-09-01' -Description: - en: Global view and search of cross-account resources. - zh-cn: 跨账号资源全局视图及搜索。 Parameters: - CommonName: - Type: String - Default: for-search ZoneId: Type: String - AssociationProperty: ALIYUN::ECS::Instance::ZoneId Label: - en: VSwitch Availability Zone - zh-cn: 交换机可用区 + en: VSwitch Available Zone + zh-cn: 可用区 + AssociationProperty: ALIYUN::VPC::Zone::ZoneId + AssociationPropertyMetadata: + AutoSelectFirst: true + FolderName: + Type: String + Label: + zh-cn: 资源目录名称 + en: Resource directory folder name + AssociationProperty: AutoCompleteInput + AssociationPropertyMetadata: + Length: 5 + Prefix: ros-folder- + CharacterClasses: + - Class: lowercase + AccountDisplayName: + Type: String + AssociationProperty: AutoCompleteInput + AssociationPropertyMetadata: + Length: 5 + Prefix: account-for-search- + CharacterClasses: + - Class: lowercase Resources: - EcsVpc: - Type: 'ALIYUN::ECS::VPC' + RDFolder: + Type: ALIYUN::ResourceManager::Folder + Properties: + FolderName: + Ref: FolderName + RDAccount1: + Type: ALIYUN::ResourceManager::Account + Properties: + DeleteAccount: true + DisplayName: + 'Fn::Sub': '${AccountDisplayName}-1' + FolderId: + Fn::GetAtt: + - RDFolder + - FolderId + RDAccount2: + Type: ALIYUN::ResourceManager::Account + Properties: + DeleteAccount: true + DisplayName: + 'Fn::Sub': '${AccountDisplayName}-2' + FolderId: + Fn::GetAtt: + - RDFolder + - FolderId + AutoEnableTrustedRos: + Type: ALIYUN::ROS::AutoEnableService Properties: - VpcName: - 'Fn::Sub': 'vpc-${CommonName}-${ALIYUN::TenantId}' - CidrBlock: 192.168.0.0/16 - EcsVSwitch: - Type: 'ALIYUN::ECS::VSwitch' + ServiceName: 'TrustedService/ROS' + StackGroup: + Type: ALIYUN::ROS::StackGroup + DependsOn: AutoEnableTrustedRos Properties: - ZoneId: - Ref: ZoneId - VpcId: - Ref: EcsVpc - VSwitchName: - 'Fn::Sub': 'vsw-${CommonName}-${ALIYUN::TenantId}' - CidrBlock: 192.168.0.0/24 - EcsSecurityGroup: - Type: 'ALIYUN::ECS::SecurityGroup' 
+ StackGroupName: ros-test-stack-group + PermissionModel: SERVICE_MANAGED + AutoDeployment: + Enabled: false + Parameters: + ZoneId: + Ref: ZoneId + TemplateBody: + ROSTemplateFormatVersion: '2015-09-01' + Parameters: + CommonName: + Type: String + Default: for-search + ZoneId: + Type: String + Resources: + EcsVpc: + Type: 'ALIYUN::ECS::VPC' + Properties: + VpcName: + 'Fn::Sub': 'vpc-${CommonName}-${ALIYUN::TenantId}' + CidrBlock: 192.168.0.0/16 + EcsVSwitch: + Type: 'ALIYUN::ECS::VSwitch' + Properties: + ZoneId: + Ref: ZoneId + VpcId: + Ref: EcsVpc + VSwitchName: + 'Fn::Sub': 'vsw-${CommonName}-${ALIYUN::TenantId}' + CidrBlock: 192.168.0.0/24 + EcsSecurityGroup: + Type: 'ALIYUN::ECS::SecurityGroup' + Properties: + VpcId: + Ref: EcsVpc + SecurityGroupName: + 'Fn::Sub': 'sg-${CommonName}-${ALIYUN::TenantId}' + SecurityGroupIngress: + - PortRange: 22/22 + Priority: 1 + SourceCidrIp: 0.0.0.0/0 + IpProtocol: tcp + NicType: internet + - PortRange: 80/80 + Priority: 1 + SourceCidrIp: 0.0.0.0/0 + IpProtocol: tcp + NicType: internet + StackGroupInstances: + Type: ALIYUN::ROS::StackInstances + DependsOn: + - RDAccount1 + - RDAccount2 Properties: - VpcId: - Ref: EcsVpc - SecurityGroupName: - 'Fn::Sub': 'sg-${CommonName}-${ALIYUN::TenantId}' - SecurityGroupIngress: - - PortRange: 22/22 - Priority: 1 - SourceCidrIp: 0.0.0.0/0 - IpProtocol: tcp - NicType: internet - - PortRange: 80/80 - Priority: 1 - SourceCidrIp: 0.0.0.0/0 - IpProtocol: tcp - NicType: internet + StackGroupName: + Ref: StackGroup + RegionIds: + - Ref: ALIYUN::Region + DeploymentTargets: + RdFolderIds: + - Ref: RDFolder + ParameterOverrides: + ZoneId: + Ref: ZoneId + RetainStacks: false + OperationPreferences: + MaxConcurrentCount: 2 Metadata: - ALIYUN::ROS::Interface: + 'ALIYUN::ROS::Interface': + ParameterGroups: + - Parameters: + - FolderName + - AccountDisplayName + - ZoneId TemplateTags: - - acs:technical-solution:ops-on-cloud:跨账号资源全局视图及搜索-tech_solu_70 + - 
'acs:technical-solution:ops-on-cloud:跨账号资源全局视图及搜索-tech_solu_70' Hidden: - - CommonName + - CommonName diff --git a/documents/solution/security-and-compliance/enterprise-multi-account-identity-permissions.yml b/documents/solution/security-and-compliance/enterprise-multi-account-identity-permissions.yml new file mode 100644 index 00000000..8f9beef8 --- /dev/null +++ b/documents/solution/security-and-compliance/enterprise-multi-account-identity-permissions.yml 
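Review bot: The nested TemplateBody keeps the security group entries that open `22/22` and `80/80` to `SourceCidrIp: 0.0.0.0/0` on the internet NIC, and the new StackGroupInstances resource now deploys that group into every account under RDFolder, so the exposure is replicated per member account. The nested template creates only EcsVpc, EcsVSwitch and EcsSecurityGroup and no instance, so those ingress entries add nothing to the search demo; drop them, or pass the source CIDR in as a nested parameter instead of hard-coding `0.0.0.0/0`. Separately, `Hidden:` in Metadata still lists `- CommonName`, but this hunk removes CommonName from the top-level Parameters (it now exists only inside TemplateBody), leaving a dangling reference that the interface validator may reject; remove that entry. The top-level `Description` block is deleted with no replacement, unlike the other templates in this commit; restore it as `en: Global view and search of cross-account resources.` and `zh-cn: 跨账号资源全局视图及搜索。`. The fixed `StackGroupName: ros-test-stack-group` also collides if the stack is created twice in one account, which deriving it from the stack, e.g. `'Fn::Sub': 'search-${ALIYUN::StackId}'`, would avoid.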
@@ -0,0 +1,68 @@ +ROSTemplateFormatVersion: '2015-09-01' +Description: + en: Centralized management of enterprise multi-account identity permissions. + zh-cn: 企业多账号身份权限集中管理。 +Parameters: + FolderName1: + Type: String + Label: + zh-cn: Core 资源目录名称 + en: Resource directory folder name + AssociationProperty: AutoCompleteInput + AssociationPropertyMetadata: + Length: 5 + Prefix: core- + CharacterClasses: + - Class: lowercase + FolderName2: + Type: String + Label: + zh-cn: Application 资源目录名称 + en: Resource directory folder name + AssociationProperty: AutoCompleteInput + AssociationPropertyMetadata: + Length: 5 + Prefix: application- + CharacterClasses: + - Class: lowercase + AccountDisplayName: + Type: String + Label: + zh-cn: Core文件夹下的账号名称 + en: The account name under the Core folder + AssociationProperty: AutoCompleteInput + AssociationPropertyMetadata: + Length: 5 + Prefix: sandbox-account- + CharacterClasses: + - Class: lowercase +Resources: + RDFolder1: + Type: ALIYUN::ResourceManager::Folder + Properties: + FolderName: + Ref: FolderName1 + RDFolder2: + Type: ALIYUN::ResourceManager::Folder + Properties: + FolderName: + Ref: FolderName2 + RDAccount1: + Type: ALIYUN::ResourceManager::Account + Properties: + DeleteAccount: true + DisplayName: + Ref: AccountDisplayName + FolderId: + Fn::GetAtt: + - RDFolder1 + - FolderId +Metadata: + 'ALIYUN::ROS::Interface': + ParameterGroups: + - Parameters: + - FolderName1 + - FolderName2 + - AccountDisplayName + TemplateTags: + - 'acs:technical-solution:account:企业多账号身份权限集中管理-tech_solu_67' \ No newline at end of file diff --git a/documents/solution/security-and-compliance/multiple-accounts-support-configuration-auditing.yml b/documents/solution/security-and-compliance/multiple-accounts-support-configuration-auditing.yml index 14a251af..7a62708a 100644 --- a/documents/solution/security-and-compliance/multiple-accounts-support-configuration-auditing.yml 
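Review bot: The `en` labels of FolderName1 and FolderName2 are both `Resource directory folder name`, while the zh-cn labels distinguish Core and Application; the English side should do the same, e.g. `en: Core resource directory folder name` and `en: Application resource directory folder name`. RDAccount1 sets `DeleteAccount: true`, so deleting the stack also deletes the member account, and neither the Description nor the AccountDisplayName label says so; a comment such as `# Stack deletion also deletes this member account (DeleteAccount: true)` above the property would make the consequence visible to whoever deploys it. The TemplateTags value uses the `acs:technical-solution:account:` prefix and the repository already ships documents/solution/account/enterprise-multi-account-identity-authority-centralized-management.yml with the same tag minus the `-tech_solu_67` suffix, so placing this file under security-and-compliance looks inconsistent, though I cannot tell from the diff whether that is intended. The file also ends without a trailing newline (`\ No newline at end of file`).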
+++ b/documents/solution/security-and-compliance/multiple-accounts-support-configuration-auditing.yml @@ -3,12 +3,6 @@ Description: zh-cn: 企业多账号配置统一合规审计 en: Configure unified compliance audit for multiple accounts. Parameters: - IsEnableRD: - Type: Boolean - Label: - zh-cn: 是否开通资源目录 - en: Whether to enable a Resource Directory - Default: false RDAccountName1: Default: Alice1 Type: String @@ -21,16 +15,7 @@ Parameters: Label: zh-cn: 资源目录成员名称2 en: Resource directory member name 2 -Outputs: {} -Conditions: - EnableRD: - Fn::Equals: - - true - - Ref: IsEnableRD Resources: - ResourceDirectory: - Condition: EnableRD - Type: ALIYUN::ResourceManager::ResourceDirectory RDFolder: Type: ALIYUN::ResourceManager::Folder Properties: @@ -99,7 +84,6 @@ Metadata: ALIYUN::ROS::Interface: ParameterGroups: - Parameters: - - IsEnableRD - RDAccountName1 - RDAccountName2 Label: From 9a519e98c2a63eb06692936c6bd3d4e729e2aada Mon Sep 17 00:00:00 2001 From: qitan Date: Thu, 29 Feb 2024 13:47:05 +0800 Subject: [PATCH 2/2] fix tech solu 68 --- ...ccounts-support-configuration-auditing.yml | 29 +++++++++++++++++-- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/documents/solution/security-and-compliance/multiple-accounts-support-configuration-auditing.yml b/documents/solution/security-and-compliance/multiple-accounts-support-configuration-auditing.yml index 7a62708a..d56f7d2b 100644 --- a/documents/solution/security-and-compliance/multiple-accounts-support-configuration-auditing.yml +++ b/documents/solution/security-and-compliance/multiple-accounts-support-configuration-auditing.yml 
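Review bot: Removing IsEnableRD, the EnableRD condition and the ResourceDirectory resource in the first two hunks makes the template assume a Resource Directory is already enabled in the deploying account, presumably because enabling it is now done outside the template, but the Description and the remaining parameter labels do not state that prerequisite. Add it to the Description, e.g. `en: Configure unified compliance audit for multiple accounts (requires an enabled Resource Directory).`, or place a comment above `Resources:` noting that RDFolder and the accounts are created inside an existing Resource Directory. The third hunk only drops the removed parameter from the ParameterGroups and needs no further change.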
@@ -3,27 +3,49 @@ Description: zh-cn: 企业多账号配置统一合规审计 en: Configure unified compliance audit for multiple accounts. Parameters: + FolderName: + Type: String + Label: + zh-cn: 资源目录名称 + en: Resource directory folder name + AssociationProperty: AutoCompleteInput + AssociationPropertyMetadata: + Length: 5 + Prefix: ros-folder- + CharacterClasses: + - Class: lowercase RDAccountName1: - Default: Alice1 Type: String Label: zh-cn: 资源目录成员名称1 en: Resource directory member name 1 + AssociationProperty: AutoCompleteInput + AssociationPropertyMetadata: + Length: 5 + Prefix: account1- + CharacterClasses: + - Class: lowercase RDAccountName2: - Default: Tom1 Type: String Label: zh-cn: 资源目录成员名称2 en: Resource directory member name 2 + AssociationProperty: AutoCompleteInput + AssociationPropertyMetadata: + Length: 5 + Prefix: account2- + CharacterClasses: + - Class: lowercase Resources: RDFolder: Type: ALIYUN::ResourceManager::Folder Properties: FolderName: - Ref: ALIYUN::StackId + Ref: FolderName RDAccount1: Type: ALIYUN::ResourceManager::Account Properties: + DeleteAccount: true DisplayName: Ref: RDAccountName1 FolderId: @@ -33,6 +55,7 @@ Resources: RDAccount2: Type: ALIYUN::ResourceManager::Account Properties: + DeleteAccount: true DisplayName: Ref: RDAccountName2 FolderId:
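Review bot: `DeleteAccount: true` is added to RDAccount1 here and to RDAccount2 in the second hunk, so deleting this stack now deletes both member accounts together with whatever was configured in them, and nothing in the Description or the RDAccountName labels warns about that. A comment above each property, e.g. `# Stack deletion also deletes this member account (DeleteAccount: true)`, or a sentence in the Description would make it explicit. The RDAccount2 resource in the second hunk continues past the hunk end, so its remaining properties are not visible here.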