added marketplace agreements module

README.md

@@ -24,7 +24,7 @@ This repository is a part of [Cloud Intelligence Dashboards](https://docs.aws.am
 
 This repository contains following elements:
 * [data-exports](/data-exports) - a Cloud Formation Templates for AWS Data Exports, such as Cost and Usage Report 2.0 and others. This allows a replication of Exports from your Management Account(s) to a Dedicated Data Collection Accounts as well as aggregation of multiple Exports from a set of Linked Accounts.
-* [data-collection](/data-collection) - a set of Cloud Formation Templates for collecting infrastructure operational data from Management and Linked Accounts. Such as data from AWS Trusted Advisor, AWS Compute Optimizer, Inventories, Pricing, AWS Health, AWS Support Cases etc. See more about types of data collected [here](/data-collection).
+* [data-collection](/data-collection) - a set of Cloud Formation Templates for collecting infrastructure operational data from Management and Linked Accounts. Such as data from AWS Trusted Advisor, AWS Compute Optimizer, Inventories, Pricing, AWS Health, AWS Support Cases, AWS Marketplace etc. See more about types of data collected [here](/data-collection).
 * [case-summarization](/case-summarization) - an additional Cloud Formation Template for deploying the AWS Support Case Summarization plugin that offers the capability to summarize cases through Generative AI powered by Amazon Bedrock.
 * [rls](/rls) - a stack for managing Row Level Security for CID Dashboards.
 * [security-hub](/security-hub) - Collection of data from AWS Security Hub.

data-collection/README.md

@@ -43,6 +43,7 @@ List of modules and objects collected:
 | `aws-feeds`                  |  N/A                  | Data Collection Account | Collects Blog posts and News Feeds |
 | `quicksight`                 |  [Amazon QuickSight](https://aws.amazon.com/quicksight/)    | Data Collection Account | Collects QuickSight User and Group information in the Data Collection Account only |
 | `resilience-hub`                 |   [AWS Resilince Hub](https://aws.amazon.com/resilience-hub/) | Linked Accounts |  |
+| `marketplace`                 |   [AWS Marketplace](https://aws.amazon.com/marketplace/) | Linked Accounts | Collects AWS Marketplace data and terms |
 | `reference`                 |   Various services      | Data Collection Account | Collects reference data for other modules and dashboard to function |
 
 ### Deployment Overview

data-collection/deploy/deploy-data-read-permissions.yaml

@@ -1,6 +1,6 @@
-# https://github.com/awslabs/cid-data-collection-framework/blob/main/data-collection/v3.12.1/deploy/deploy-data-read-permissions.yaml
+# https://github.com/awslabs/cid-data-collection-framework/blob/main/data-collection/v3.13.1/deploy/deploy-data-read-permissions.yaml
 AWSTemplateFormatVersion: '2010-09-09'
-Description: CID Data Collection - All-in-One for Management Account v3.12.1 - AWS Solution SO9011
+Description: CID Data Collection - All-in-One for Management Account v3.13.1 - AWS Solution SO9011
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
@@ -33,6 +33,7 @@ Metadata:
           - IncludeLicenseManagerModule
           - IncludeServiceQuotasModule
           - IncludeResilienceHubModule
+          - IncludeMarketplaceModule
     ParameterLabels:
       ManagementAccountRole:
         default: "Management account role"
@@ -80,6 +81,8 @@ Metadata:
         default: "Include Service Quotas Module"
       IncludeResilienceHubModule:
         default: "Include ResilienceHub Module"
+      IncludeMarketplaceModule:
+        default: "Include Marketplace Agreements Module"
 
 Parameters:
   ManagementAccountRole:
@@ -191,14 +194,19 @@ Parameters:
     Description: Collects Resilience Hub information
     AllowedValues: ['yes', 'no']
     Default: 'no'
+  IncludeMarketplaceModule:
+    Type: String
+    Description: Collects Marketplace Agreement information
+    AllowedValues: ['yes', 'no']
+    Default: 'no'
 Conditions:
   DeployModuleReadInMgmt: !Equals [!Ref AllowModuleReadInMgmt, "yes"]
 
 Resources:
   DataCollectorMgmtAccountReadStack:
     Type: AWS::CloudFormation::Stack
     Properties:
-      TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/v3.12.1/deploy-in-management-account.yaml"
+      TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/v3.13.1/deploy-in-management-account.yaml"
       Parameters:
         DataCollectionAccountID: !Ref DataCollectionAccountID
         ManagementAccountRole: !Ref ManagementAccountRole
@@ -215,7 +223,7 @@ Resources:
     Type: AWS::CloudFormation::Stack
     Condition: DeployModuleReadInMgmt
     Properties:
-      TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/v3.12.1/deploy-in-linked-account.yaml"
+      TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/v3.13.1/deploy-in-linked-account.yaml"
       Parameters:
         DataCollectionAccountID: !Ref DataCollectionAccountID
         MultiAccountRoleName: !Ref MultiAccountRoleName
@@ -230,11 +238,12 @@ Resources:
         IncludeTransitGatewayModule: !Ref IncludeTransitGatewayModule
         IncludeServiceQuotasModule: !Ref IncludeServiceQuotasModule
         IncludeResilienceHubModule: !Ref IncludeResilienceHubModule
+        IncludeMarketplaceModule: !Ref IncludeMarketplaceModule
 
   DataCollectorOrgAccountModulesReadStackSet:
     Type: AWS::CloudFormation::StackSet
     Properties:
-      Description: "StackSet in charge of deploying read roles across organization accounts v3.12.1"
+      Description: "StackSet in charge of deploying read roles across organization accounts v3.13.1"
       PermissionModel: SERVICE_MANAGED
       AutoDeployment:
         Enabled: true
@@ -272,6 +281,8 @@ Resources:
           ParameterValue: !Ref IncludeServiceQuotasModule
         - ParameterKey: IncludeResilienceHubModule
           ParameterValue: !Ref IncludeResilienceHubModule
+        - ParameterKey: IncludeMarketplaceModule
+          ParameterValue: !Ref IncludeMarketplaceModule
       StackInstancesGroup:
         - DeploymentTargets:
             OrganizationalUnitIds: !Split [",", !Ref OrganizationalUnitIds]
@@ -281,4 +292,4 @@ Resources:
         - CAPABILITY_IAM
         - CAPABILITY_NAMED_IAM
       StackSetName: !Sub "StackSet-${AWS::AccountId}-OptimizationDataRole"
-      TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/v3.12.1/deploy-in-linked-account.yaml"
+      TemplateURL: !Sub "https://${CFNSourceBucket}.s3.${AWS::URLSuffix}/cfn/data-collection/v3.13.1/deploy-in-linked-account.yaml"

data-collection/deploy/deploy-in-linked-account.yaml

@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: '2010-09-09'
-Description: CID Data Collection - Role for Linked Account v3.12.1
+Description: CID Data Collection - Role for Linked Account v3.13.1
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
@@ -22,6 +22,7 @@ Metadata:
         - IncludeTransitGatewayModule
         - IncludeServiceQuotasModule
         - IncludeResilienceHubModule
+        - IncludeMarketplaceModule
     ParameterLabels:
       DataCollectionAccountID:
         default: 'Data Collection Account ID'
@@ -49,6 +50,8 @@ Metadata:
         default: 'Include Service Quotas Module'
       IncludeResilienceHubModule:
         default: 'Include Resilience Hub Module'
+      IncludeMarketplaceModule:
+        default: 'Include Marketplace Agreements Module'
 
 Parameters:
   DataCollectionAccountID:
@@ -112,6 +115,11 @@ Parameters:
     Description: Collects Resilience Hub data from your accounts
     AllowedValues: ['yes', 'no']
     Default: 'no'
+  IncludeMarketplaceModule:
+    Type: String
+    Description: Collects Marketplace Agreement data from your accounts
+    AllowedValues: ['yes', 'no']
+    Default: 'no'
 
 Conditions:
   IncludeTAModulePolicy:                 !Equals [!Ref IncludeTAModule, "yes"]
@@ -124,6 +132,7 @@ Conditions:
   IncludeTransitGatewayModulePolicy:     !Equals [!Ref IncludeTransitGatewayModule, "yes"]
   IncludeServiceQuotasModulePolicy:      !Equals [!Ref IncludeServiceQuotasModule, "yes"]
   IncludeResilienceHubModulePolicy:      !Equals [!Ref IncludeResilienceHubModule, "yes"]
+  IncludeMarketplaceModulePolicy:         !Equals [!Ref IncludeMarketplaceModule, "yes"]
 
 Outputs:
   LambdaRole:
@@ -155,6 +164,7 @@ Resources:
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}support-cases-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}service-quotas-LambdaRole"
                   - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}resilience-hub-LambdaRole"
+                  - !Sub "arn:${AWS::Partition}:iam::${DataCollectionAccountID}:role/${ResourcePrefix}marketplace-LambdaRole"
       Path: /
     Metadata:
       cfn_nag:
@@ -464,4 +474,40 @@ Resources:
       cfn_nag:
         rules_to_suppress:
           - id: W12
-            reason: "Policy is used for scanning of a wide range of resources"
+            reason: "Policy is used for scanning of a wide range of resources"
+  # Marketplace Agreements policy
+  AgreementsPolicy:
+    Type: 'AWS::IAM::Policy'
+    Condition: IncludeMarketplaceModulePolicy
+    Properties:
+      PolicyName: AgreementsPolicy
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Action:
+              - "organizations:ListAccounts"
+              - "organizations:DescribeOrganization"
+            Resource: "*"
+          - Effect: Allow
+            Action:
+              - "aws-marketplace:DescribeAgreement"
+              - "aws-marketplace:DescribeEntity"
+              - "aws-marketplace:GetAgreementTerms"
+              - "aws-marketplace:GetProduct"
+              - "aws-marketplace:ListAgreementCharges"
+              - "aws-marketplace:ListEntities"
+              - "aws-marketplace:SearchAgreements"
+              - "aws-marketplace:SearchEntities"
+              - "marketplace-agreement:DescribeAgreement"
+              - "marketplace-agreement:GetAgreementTerms"
+              - "marketplace-agreement:ListAgreementCharges"
+              - "marketplace-agreement:SearchAgreements"
+            Resource: "*"
+      Roles:
+        - Ref: LambdaRole
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W12
+            reason: "Policy is used for scanning of a wide range of marketplace resources"

data-collection/deploy/deploy-in-management-account.yaml

@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: '2010-09-09'
-Description: CID Data Collection - Role for Management Account v3.12.1
+Description: CID Data Collection - Role for Management Account v3.13.1
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
@@ -19,6 +19,7 @@ Metadata:
           - IncludeRightsizingModule
           - IncludeLicenseManagerModule
           - IncludeServiceQuotasModule
+          - IncludeMarketplaceModule
     ParameterLabels:
       ManagementAccountRole:
         default: "Management account role"
@@ -40,6 +41,8 @@ Metadata:
         default: "Include Marketplace Licensing Module"
       IncludeServiceQuotasModule:
         default: "Include Service Quotas Module"
+      IncludeMarketplaceModule:
+        default: "Include Marketplace Agreements Module"
 Parameters:
   DataCollectionAccountID:
     Type: String
@@ -87,6 +90,11 @@ Parameters:
     Description: Collects Service Quotas Information from your accounts
     AllowedValues: ['yes', 'no']
     Default: 'no'
+  IncludeMarketplaceModule:
+    Type: String
+    Description: Collects Marketplace Agreement Information from your accounts
+    AllowedValues: ['yes', 'no']
+    Default: 'no'
 
 Conditions:
   EnableComputeOptimizerModule: !Equals [!Ref IncludeComputeOptimizerModule, "yes"]
@@ -96,6 +104,7 @@ Conditions:
   EnableHealthEventsModule: !Equals [!Ref IncludeHealthEventsModule, "yes"]
   EnableLicenseManagerModule: !Equals [!Ref IncludeLicenseManagerModule, "yes"]
   EnableServiceQuotasModule: !Equals [!Ref IncludeServiceQuotasModule, "yes"]
+  EnableMarketplaceModule: !Equals [!Ref IncludeMarketplaceModule, "yes"]
 
 Outputs:
   LambdaRole: