Description: This stack includes resources needed to deploy AWS CDK apps into this environment Parameters: TrustedAccounts: Description: List of AWS accounts that are trusted to publish assets and deploy stacks to this environment Default: "" Type: CommaDelimitedList TrustedAccountsForLookup: Description: List of AWS accounts that are trusted to look up values in this environment Default: "" Type: CommaDelimitedList CloudFormationExecutionPolicies: Description: List of the ManagedPolicy ARN(s) to attach to the CloudFormation deployment role Default: "" Type: CommaDelimitedList FileAssetsBucketName: Description: The name of the S3 bucket used for file assets Default: "" Type: String FileAssetsBucketKmsKeyId: Description: Empty to create a new key (default), 'AWS_MANAGED_KEY' to use a managed S3 key, or the ID/ARN of an existing key. Default: "" Type: String ContainerAssetsRepositoryName: Description: A user-provided custom name to use for the container assets ECR repository Default: "" Type: String Qualifier: Description: An identifier to distinguish multiple bootstrap stacks in the same environment Default: hnb659fds Type: String AllowedPattern: "[A-Za-z0-9_-]{1,10}" ConstraintDescription: Qualifier must be an alphanumeric identifier of at most 10 characters PublicAccessBlockConfiguration: Description: Whether or not to enable S3 Staging Bucket Public Access Block Configuration Default: "true" Type: String AllowedValues: - "true" - "false" Conditions: HasTrustedAccounts: Fn::Not: - Fn::Equals: - "" - Fn::Join: - "" - Ref: TrustedAccounts HasTrustedAccountsForLookup: Fn::Not: - Fn::Equals: - "" - Fn::Join: - "" - Ref: TrustedAccountsForLookup HasCloudFormationExecutionPolicies: Fn::Not: - Fn::Equals: - "" - Fn::Join: - "" - Ref: CloudFormationExecutionPolicies HasCustomFileAssetsBucketName: Fn::Not: - Fn::Equals: - "" - Ref: FileAssetsBucketName CreateNewKey: Fn::Equals: - "" - Ref: FileAssetsBucketKmsKeyId UseAwsManagedKey: Fn::Equals: - AWS_MANAGED_KEY - Ref: FileAssetsBucketKmsKeyId HasCustomContainerAssetsRepositoryName: Fn::Not: - Fn::Equals: - "" - Ref: ContainerAssetsRepositoryName UsePublicAccessBlockConfiguration: Fn::Equals: - "true" - Ref: PublicAccessBlockConfiguration Resources: FileAssetsBucketEncryptionKey: Type: AWS::KMS::Key Properties: KeyPolicy: Statement: - Action: - kms:Create* - kms:Describe* - kms:Enable* - kms:List* - kms:Put* - kms:Update* - kms:Revoke* - kms:Disable* - kms:Get* - kms:Delete* - kms:ScheduleKeyDeletion - kms:CancelKeyDeletion - kms:GenerateDataKey Effect: Allow Principal: AWS: Ref: AWS::AccountId Resource: "*" - Action: - kms:Decrypt - kms:DescribeKey - kms:Encrypt - kms:ReEncrypt* - kms:GenerateDataKey* Effect: Allow Principal: AWS: "*" Resource: "*" Condition: StringEquals: kms:CallerAccount: Ref: AWS::AccountId kms:ViaService: - Fn::Sub: s3.${AWS::Region}.amazonaws.com - Action: - kms:Decrypt - kms:DescribeKey - kms:Encrypt - kms:ReEncrypt* - kms:GenerateDataKey* Effect: Allow Principal: AWS: Fn::Sub: ${FilePublishingRole.Arn} Resource: "*" Condition: CreateNewKey FileAssetsBucketEncryptionKeyAlias: Condition: CreateNewKey Type: AWS::KMS::Alias Properties: AliasName: Fn::Sub: alias/cdk-${Qualifier}-assets-key TargetKeyId: Ref: FileAssetsBucketEncryptionKey StagingBucket: Type: AWS::S3::Bucket Properties: BucketName: Fn::If: - HasCustomFileAssetsBucketName - Fn::Sub: ${FileAssetsBucketName} - Fn::Sub: cdk-${Qualifier}-assets-${AWS::AccountId}-${AWS::Region} AccessControl: Private BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: aws:kms KMSMasterKeyID: Fn::If: - CreateNewKey - Fn::Sub: ${FileAssetsBucketEncryptionKey.Arn} - Fn::If: - UseAwsManagedKey - Ref: AWS::NoValue - Fn::Sub: ${FileAssetsBucketKmsKeyId} PublicAccessBlockConfiguration: Fn::If: - UsePublicAccessBlockConfiguration - BlockPublicAcls: true BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true - Ref: AWS::NoValue VersioningConfiguration: Status: Enabled UpdateReplacePolicy: Retain DeletionPolicy: Delete StagingBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: Ref: StagingBucket PolicyDocument: Id: AccessControl Version: "2012-10-17" Statement: - Sid: AllowSSLRequestsOnly Action: s3:* Effect: Deny Resource: - Fn::Sub: ${StagingBucket.Arn} - Fn::Sub: ${StagingBucket.Arn}/* Condition: Bool: aws:SecureTransport: "false" Principal: "*" ContainerAssetsRepository: Type: AWS::ECR::Repository Properties: ImageTagMutability: IMMUTABLE RepositoryName: Fn::If: - HasCustomContainerAssetsRepositoryName - Fn::Sub: ${ContainerAssetsRepositoryName} - Fn::Sub: cdk-${Qualifier}-container-assets-${AWS::AccountId}-${AWS::Region} RepositoryPolicyText: Version: "2012-10-17" Statement: - Sid: LambdaECRImageRetrievalPolicy Effect: Allow Principal: Service: lambda.amazonaws.com Action: - ecr:BatchGetImage - ecr:GetDownloadUrlForLayer Condition: StringLike: aws:sourceArn: Fn::Sub: arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:* FilePublishingRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: AWS::AccountId - Fn::If: - HasTrustedAccounts - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: TrustedAccounts - Ref: AWS::NoValue RoleName: Fn::Sub: cdk-${Qualifier}-file-publishing-role-${AWS::AccountId}-${AWS::Region} Tags: - Key: aws-cdk:bootstrap-role Value: file-publishing ImagePublishingRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: AWS::AccountId - Fn::If: - HasTrustedAccounts - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: TrustedAccounts - Ref: AWS::NoValue RoleName: Fn::Sub: cdk-${Qualifier}-image-publishing-role-${AWS::AccountId}-${AWS::Region} Tags: - Key: aws-cdk:bootstrap-role Value: image-publishing LookupRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: AWS::AccountId - Fn::If: - HasTrustedAccountsForLookup - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: TrustedAccountsForLookup - Ref: AWS::NoValue - Fn::If: - HasTrustedAccounts - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: TrustedAccounts - Ref: AWS::NoValue RoleName: Fn::Sub: cdk-${Qualifier}-lookup-role-${AWS::AccountId}-${AWS::Region} ManagedPolicyArns: - Fn::Sub: arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess Policies: - PolicyDocument: Statement: - Sid: DontReadSecrets Effect: Deny Action: - kms:Decrypt Resource: "*" Version: "2012-10-17" PolicyName: LookupRolePolicy Tags: - Key: aws-cdk:bootstrap-role Value: lookup FilePublishingRoleDefaultPolicy: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - s3:GetObject* - s3:GetBucket* - s3:GetEncryptionConfiguration - s3:List* - s3:DeleteObject* - s3:PutObject* - s3:Abort* Resource: - Fn::Sub: ${StagingBucket.Arn} - Fn::Sub: ${StagingBucket.Arn}/* Effect: Allow - Action: - kms:Decrypt - kms:DescribeKey - kms:Encrypt - kms:ReEncrypt* - kms:GenerateDataKey* Effect: Allow Resource: Fn::If: - CreateNewKey - Fn::Sub: ${FileAssetsBucketEncryptionKey.Arn} - Fn::Sub: arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${FileAssetsBucketKmsKeyId} Version: "2012-10-17" Roles: - Ref: FilePublishingRole PolicyName: Fn::Sub: cdk-${Qualifier}-file-publishing-role-default-policy-${AWS::AccountId}-${AWS::Region} ImagePublishingRoleDefaultPolicy: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - ecr:PutImage - ecr:InitiateLayerUpload - ecr:UploadLayerPart - ecr:CompleteLayerUpload - ecr:BatchCheckLayerAvailability - ecr:DescribeRepositories - ecr:DescribeImages - ecr:BatchGetImage - ecr:GetDownloadUrlForLayer Resource: Fn::Sub: ${ContainerAssetsRepository.Arn} Effect: Allow - Action: - ecr:GetAuthorizationToken Resource: "*" Effect: Allow Version: "2012-10-17" Roles: - Ref: ImagePublishingRole PolicyName: Fn::Sub: cdk-${Qualifier}-image-publishing-role-default-policy-${AWS::AccountId}-${AWS::Region} DeploymentActionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: AWS::AccountId - Fn::If: - HasTrustedAccounts - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: TrustedAccounts - Ref: AWS::NoValue Policies: - PolicyDocument: Statement: - Sid: CloudFormationPermissions Effect: Allow Action: - cloudformation:CreateChangeSet - cloudformation:DeleteChangeSet - cloudformation:DescribeChangeSet - cloudformation:DescribeStacks - cloudformation:ExecuteChangeSet - cloudformation:CreateStack - cloudformation:UpdateStack Resource: "*" - Sid: PipelineCrossAccountArtifactsBucket Effect: Allow Action: - s3:GetObject* - s3:GetBucket* - s3:List* - s3:Abort* - s3:DeleteObject* - s3:PutObject* Resource: "*" Condition: StringNotEquals: s3:ResourceAccount: Ref: AWS::AccountId - Sid: PipelineCrossAccountArtifactsKey Effect: Allow Action: - kms:Decrypt - kms:DescribeKey - kms:Encrypt - kms:ReEncrypt* - kms:GenerateDataKey* Resource: "*" Condition: StringEquals: kms:ViaService: Fn::Sub: s3.${AWS::Region}.amazonaws.com - Action: iam:PassRole Resource: Fn::Sub: ${CloudFormationExecutionRole.Arn} Effect: Allow - Sid: CliPermissions Action: - cloudformation:DescribeStackEvents - cloudformation:GetTemplate - cloudformation:DeleteStack - cloudformation:UpdateTerminationProtection - sts:GetCallerIdentity - cloudformation:GetTemplateSummary Resource: "*" Effect: Allow - Sid: CliStagingBucket Effect: Allow Action: - s3:GetObject* - s3:GetBucket* - s3:List* Resource: - Fn::Sub: ${StagingBucket.Arn} - Fn::Sub: ${StagingBucket.Arn}/* - Sid: ReadVersion Effect: Allow Action: - ssm:GetParameter Resource: - Fn::Sub: arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter${CdkBootstrapVersion} Version: "2012-10-17" PolicyName: default RoleName: Fn::Sub: cdk-${Qualifier}-deploy-role-${AWS::AccountId}-${AWS::Region} Tags: - Key: aws-cdk:bootstrap-role Value: deploy CloudFormationExecutionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: cloudformation.amazonaws.com Version: "2012-10-17" RoleName: Fn::Sub: cdk-${Qualifier}-cfn-exec-role-${AWS::AccountId}-${AWS::Region} DpraCfnExecutionPolicy: Type: AWS::IAM::ManagedPolicy Properties: PolicyDocument: Statement: - Action: - access-analyzer:ListAnalyzers - cloudformation:CreateChangeSet - cloudformation:DeleteStack - cloudformation:DescribeChangeSet - cloudformation:DescribeStackEvents - cloudformation:DescribeStacks - cloudformation:ExecuteChangeSet - cloudformation:GetStackPolicy - cloudformation:GetTemplate - cloudformation:ListStackResources - cloudformation:ListStacks - cloudtrail:DescribeTrails - cloudtrail:ListTags - cloudtrail:LookupEvents - cloudwatch:DeleteAlarms - cloudwatch:DescribeAlarms - cloudwatch:PutCompositeAlarm - cloudwatch:PutMetricAlarm - codebuild:BatchGetProjects - codebuild:CreateProject - codebuild:DeleteProject - codebuild:StartBuild - codebuild:UpdateProject - codecommit:CreateCommit - codecommit:CreateRepository - codecommit:DeleteRepository - codecommit:GetRepository - codecommit:ListRepositories - codecommit:PutRepositoryTriggers - codecommit:TagResource - codecommit:UnTagResource - codedeploy:CreateApplication - codedeploy:*DeploymentGroup - codedeploy:DeleteApplication - codedeploy:GetDeployment* - codeguru-reviewer:*TagResource - codeguru-reviewer:AssociateRepository - codeguru-reviewer:CreateCodeReview - codeguru-reviewer:Describe* - codeguru-reviewer:DisassociateRepository - codeguru-reviewer:List* - codepipeline:CreatePipeline - codepipeline:DeletePipeline - codepipeline:UpdatePipeline - codepipeline:StartPipelineExecution - codepipeline:GetPipeline - codepipeline:GetPipelineState - ec2:*Address - ec2:RevokeSecurityGroupIngress - ec2:*Tags - ec2:AssociateRouteTable - ec2:AttachInternetGateway - ec2:AuthorizeSecurityGroupEgress - ec2:AuthorizeSecurityGroupIngress - ec2:CreateFlowLogs - ec2:CreateInternetGateway - ec2:CreateNatGateway - ec2:CreateRoute - ec2:CreateRouteTable - ec2:CreateSecurityGroup - ec2:CreateSubnet - ec2:CreateVpc - ec2:DeleteFlowLogs - ec2:DeleteInternetGateway - ec2:DeleteNatGateway - ec2:DeleteRoute - ec2:DeleteRouteTable - ec2:DeleteSecurityGroup - ec2:DeleteSubnet - ec2:DeleteVpc - ec2:Describe* - ec2:DetachInternetGateway - ec2:DisassociateRouteTable - ec2:Get* - ec2:ModifySubnetAttribute - ec2:ModifyVpcAttribute - ec2:RevokeSecurityGroupEgress - ecr:CreateRepository - ecr:DeleteRepository - ecr:DescribeRepositories - ecr:GetLifecyclePolicy - ecr:GetRepositoryPolicy - ecr:ListTagsForResource - ecr:SetRepositoryPolicy - ecs:CreateCluster - ec2:Describe* - ecs:CreateService - ecs:DeleteCluster - ecs:DeleteService - ecs:Describe* - ecs:DeregisterTaskDefinition - ecs:RegisterTaskDefinition - elasticloadbalancing:AddTags - elasticloadbalancing:CreateListener - elasticloadbalancing:CreateLoadBalancer - elasticloadbalancing:CreateTargetGroup - elasticloadbalancing:DeleteListener - elasticloadbalancing:DeleteLoadBalancer - elasticloadbalancing:DeleteTargetGroup - elasticloadbalancing:Describe* - elasticloadbalancing:ModifyLoadBalancerAttributes - elasticloadbalancing:ModifyTargetGroupAttributes - events:DeleteRule - events:DescribeRule - events:PutRule - events:PutTargets - events:RemoveTargets - iam:AttachRolePolicy - iam:CreatePolicy - iam:CreateRole - iam:CreateServiceLinkedRole - iam:DeletePolicy - iam:DeleteRole - iam:DeleteRolePolicy - iam:DeleteServiceLinkedRole - iam:DetachRolePolicy - iam:GetAccountSummary - iam:GetPolicy - iam:GetRole - iam:GetRolePolicy - iam:GetServiceLastAccessedDetails - iam:GetServiceLinkedRoleDeletionStatus - iam:ListAccountAliases - iam:ListGroups - iam:ListOpenIDConnectProviders - iam:ListPolicies - iam:ListPolicyVersions - iam:ListRoles - iam:ListSAMLProviders - iam:ListUsers - iam:PassRole - iam:PutRolePolicy - kms:CancelKeyDeletion - kms:Create* - kms:Decrypt - kms:Delete* - kms:Describe* - kms:Disable* - kms:Enable* - kms:Encrypt - kms:GenerateDataKey* - kms:Get* - kms:List* - kms:ListAliases - kms:Put* - kms:ReEncrypt* - kms:Revoke* - kms:ScheduleKeyDeletion - kms:TagResource - kms:Update* - lambda:*LayerVersion - lambda:AddPermission - lambda:CreateFunction - lambda:DeleteFunction - lambda:GetFunction - lambda:GetFunctionConfiguration - lambda:InvokeFunction - lambda:ListFunctions - lambda:PublishVersion - lambda:TagResource - lambda:UpdateFunctionConfiguration - logs:Tag* - logs:PutRetentionPolicy - logs:CreateLogGroup - logs:DeleteLogGroup - logs:Describe* - ram:ListResources - rds:AddTagsToResource - rds:CreateDBCluster - rds:CreateDBSubnetGroup - rds:DeleteDBCluster - rds:DeleteDBSubnetGroup - rds:DescribeDBClusters - rds:DescribeDBSubnetGroups - s3:Abort* - s3:CreateBucket - s3:DeleteBucket - s3:DeleteBucketPolicy - s3:DeleteObject* - s3:GetAccelerateConfiguration - s3:GetAccountPublicAccessBlock - s3:GetBucket* - s3:GetEncryptionConfiguration - s3:GetIntelligentTieringConfiguration - s3:GetLifecycleConfiguration - s3:GetObject* - s3:List* - s3:PutBucketPolicy - s3:PutBucketPublicAccessBlock - s3:PutBucketTagging - s3:PutBucketVersioning - s3:PutEncryptionConfiguration - s3:PutObject* - secretsmanager:CreateSecret - secretsmanager:DeleteSecret - secretsmanager:GetRandomPassword - secretsmanager:GetSecretValue - secretsmanager:List* - secretsmanager:PutSecretValue - secretsmanager:TagResource - ssm:DeleteParameter - ssm:GetParameters - ssm:PutParameter - states:CreateStateMachine - states:DeleteStateMachine - states:Describe* - states:TagResource - sts:GetCallerIdentity - synthetics:CreateCanary - synthetics:DeleteCanary - synthetics:GetCanary - synthetics:StartCanary - synthetics:StopCanary - synthetics:TagResource Resource: - "*" Effect: Allow Version: "2012-10-17" Roles: - Ref: CloudFormationExecutionRole ManagedPolicyName: Fn::Sub: cdk-${Qualifier}-dpra-cfn-execution-policy-${AWS::AccountId}-${AWS::Region} CdkBootstrapVersion: Type: AWS::SSM::Parameter Properties: Type: String Name: Fn::Sub: /cdk-bootstrap/${Qualifier}/version Value: "14" Outputs: BucketName: Description: The name of the S3 bucket owned by the CDK toolkit stack Value: Fn::Sub: ${StagingBucket} BucketDomainName: Description: The domain name of the S3 bucket owned by the CDK toolkit stack Value: Fn::Sub: ${StagingBucket.RegionalDomainName} FileAssetKeyArn: Description: The ARN of the KMS key used to encrypt the asset bucket (deprecated) Value: Fn::If: - CreateNewKey - Fn::Sub: ${FileAssetsBucketEncryptionKey.Arn} - Fn::Sub: ${FileAssetsBucketKmsKeyId} Export: Name: Fn::Sub: CdkBootstrap-${Qualifier}-FileAssetKeyArn ImageRepositoryName: Description: The name of the ECR repository which hosts docker image assets Value: Fn::Sub: ${ContainerAssetsRepository} BootstrapVersion: Description: The version of the bootstrap resources that are currently mastered in this stack Value: Fn::GetAtt: - CdkBootstrapVersion - Value