AWSTemplateFormatVersion: '2010-09-09' Conditions: ShouldCommitInitialBootstrapContent: Fn::Equals: - true - Ref: CommitInitialBootstrapContent Description: ADF CloudFormation Initial Base Stack for the Master Account in the us-east-1 region. Outputs: ADFVersionNumber: Export: Name: ADFVersionNumber Value: 1.2.8 CodeCommitHttpURL: Description: The CodeCommit HTTP Url Export: Name: BaseTemplatesRepoHttpURL Value: Fn::GetAtt: - CodeCommitRepository - CloneUrlHttp CodeCommitSshURL: Description: The CodeCommit SSH Url Export: Name: BaseTemplatesRepoSSHURL Value: Fn::GetAtt: - CodeCommitRepository - CloneUrlSsh LayerArn: Description: The Shared modules Lambda Layer Arn Export: Name: SharedLayerArn Value: Ref: LambdaLayerVersion Parameters: CommitInitialBootstrapContent: AllowedValues: - true - false Default: true Description: If you want AWS CloudFormation to automatically make the initial commit into the Bootstrap AWS CodeCommit Repository for on your behalf, the commit will only be made if the master branch does not yet exist - can be left as true while updating Type: String CrossAccountAccessRoleName: Default: OrganizationAccountAccessRole Description: The Name of the Role that ADF will use to access other AWS Accounts within your Organization and create base and update stacks. Type: String DeploymentAccountEmailAddress: Default: '' Description: The Email address associated with the Deployment Account, only required if Deployment Account requires creation, not required for updating. Type: String DeploymentAccountId: Default: '' Description: The AWS Account number of the existing Deployment Account, only required if an existing account should be re-used. A deployment account will be created if this value is omitted. Only required if using pre-existing AWS Account as the Deployment Account, not required for updating. Type: String DeploymentAccountMainRegion: Default: '' Description: The region that will centrally hold all CodePipeline deployments. This would be considered your default ADF AWS Region, not required for updating. Type: String DeploymentAccountName: Default: '' Description: The Name of the centralized Deployment Account - only required if Deployment Account requires creation, not required for updating. Type: String DeploymentAccountTargetRegions: Default: '' Description: An optional comma separated list of regions that you may want to deploy resources (Applications, CloudFormation etc) into via CodePipeline, this can always be updated later, not required for updating. (us-west-1,eu-west-1) Type: CommaDelimitedList LogLevel: AllowedValues: - CRITICAL - ERROR - WARNING - INFO - DEBUG Default: INFO Description: General Logging level output for ADF that will be shown in AWS Lambda and AWS CodeBuild Type: String MainNotificationEndpoint: Default: '' Description: The Email Address/Slack Channel (see docs) that will receive notifications in regards to the bootstrapping pipeline on the master account, not required for updating. Type: String TerminationProtection: AllowedValues: - true - false Default: false Description: Termination Protection can be passed in to enable Protection for all ADF base stacks Type: String Resources: AccountHandler: Properties: CodeUri: Bucket: <%REPO_BUCKET%> Key: 1a278648-f18a-491f-ace9-fa68fb6f3fed Description: ADF Lambda Function - Create Account FunctionName: AccountHandler Handler: handler.lambda_handler Policies: - Statement: - Action: - organizations:CreateAccount - organizations:DescribeCreateAccountStatus Effect: Allow Resource: '*' - Action: ssm:GetParameter Effect: Allow Resource: Fn::Sub: arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/deployment_account_id Version: '2012-10-17' Runtime: python3.7 Timeout: 300 Type: AWS::Serverless::Function BootstrapTemplatesBucket: DeletionPolicy: Retain Properties: AccessControl: BucketOwnerFullControl BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 VersioningConfiguration: Status: Enabled Type: AWS::S3::Bucket BootstrapTemplatesBucketPolicy: Properties: Bucket: Ref: BootstrapTemplatesBucket PolicyDocument: Statement: - Action: - s3:Get* - s3:PutReplicationConfiguration - s3:List* Condition: StringEquals: aws:PrincipalOrgID: Fn::GetAtt: - Organization - OrganizationId Effect: Allow Principal: AWS: '*' Resource: - Fn::Sub: arn:aws:s3:::${BootstrapTemplatesBucket} - Fn::Sub: arn:aws:s3:::${BootstrapTemplatesBucket}/* - Action: - s3:PutObject* Effect: Allow Principal: AWS: Ref: AWS::AccountId Resource: - Fn::Sub: arn:aws:s3:::${BootstrapTemplatesBucket} - Fn::Sub: arn:aws:s3:::${BootstrapTemplatesBucket}/* Type: AWS::S3::BucketPolicy CloudWatchEventsRule: Properties: Description: Triggers StateMachine on Move OU EventPattern: detail: eventName: - MoveAccount eventSource: - organizations.amazonaws.com source: - aws.organizations Targets: - Arn: Ref: StateMachine Id: CreateStackLinkedAccountV1 RoleArn: Fn::GetAtt: - StatesExecutionRole - Arn Type: AWS::Events::Rule CodeBuildPolicy: Properties: Description: Policy to allow codebuild to perform actions PolicyDocument: Statement: - Action: - cloudformation:* - codebuild:* - codecommit:* - iam:CreatePolicy - iam:CreateRole - iam:DeleteRole - iam:DeleteRolePolicy - iam:GetRole - iam:PutRolePolicy - iam:UpdateAssumeRolePolicy - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - organizations:AttachPolicy - organizations:CreatePolicy - organizations:DeletePolicy - organizations:DescribeAccount - organizations:DescribeOrganization - organizations:DescribeOrganizationalUnit - organizations:DescribePolicy - organizations:DetachPolicy - organizations:EnablePolicyType - organizations:ListAccounts - organizations:ListAccountsForParent - organizations:ListChildren - organizations:ListParents - organizations:ListPolicies - organizations:ListPoliciesForTarget - organizations:ListRoots - organizations:UpdatePolicy - s3:DeleteObject - s3:GetBucketPolicy - s3:GetObject - s3:ListBucket - s3:PutObject - sns:* - ssm:GetParameter - ssm:GetParameters - ssm:PutParameter - states:Describe* - states:StartExecution - sts:GetCallerIdentity - sts:assumeRole Effect: Allow Resource: '*' Version: '2012-10-17' Type: AWS::IAM::ManagedPolicy CodeBuildProject: Properties: Artifacts: Type: CODEPIPELINE Environment: ComputeType: BUILD_GENERAL1_SMALL EnvironmentVariables: - Name: ADF_VERSION Value: 1.2.8 - Name: TERMINATION_PROTECTION Value: Ref: TerminationProtection - Name: PYTHONPATH Value: ./adf-build/shared/python - Name: S3_BUCKET Value: Ref: BootstrapTemplatesBucket - Name: MASTER_ACCOUNT_ID Value: Ref: AWS::AccountId - Name: DEPLOYMENT_ACCOUNT_BUCKET Value: Fn::GetAtt: - SharedModulesBucketName - Value - Name: ORGANIZATION_ID Value: Fn::GetAtt: - Organization - OrganizationId - Name: ADF_LOG_LEVEL Value: Ref: LogLevel Image: aws/codebuild/standard:2.0 PrivilegedMode: true Type: LINUX_CONTAINER Name: aws-deployment-framework-base-templates ServiceRole: Ref: CodeBuildRole Source: BuildSpec: Fn::Sub: | version: 0.2 phases: install: runtime-versions: python: 3.7 pre_build: commands: - apt-get update -qq - pip install --upgrade pip --quiet - pip install -r adf-build/requirements.txt --upgrade --quiet - pytest -vvv build: commands: - sam build -t deployment/global.yml - sam package --output-template-file deployment/global.yml --s3-prefix deployment --s3-bucket $DEPLOYMENT_ACCOUNT_BUCKET - aws s3 sync ./adf-build/shared s3://$DEPLOYMENT_ACCOUNT_BUCKET/adf-build --quiet # Shared Modules to be used with AWS CodeBuild - aws s3 sync . s3://$S3_BUCKET --quiet --delete # Base Templates - python adf-build/main.py # Updates config, updates (or creates) base stacks. Type: CODEPIPELINE Tags: - Key: Name Value: aws-deployment-framework-base-templates TimeoutInMinutes: 40 Type: AWS::CodeBuild::Project CodeBuildRole: Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - codebuild.amazonaws.com Version: '2012-10-17' ManagedPolicyArns: - Ref: CodeBuildPolicy RoleName: adf-codebuild-role Type: AWS::IAM::Role CodeCommitPolicy: Properties: PolicyDocument: Statement: - Action: - codecommit:BatchGetRepositories - codecommit:Get* - codecommit:GitPull - codecommit:List* - codecommit:CancelUploadArchive - codecommit:UploadArchive - s3:Get Effect: Allow Resource: '*' Version: '2012-10-17' PolicyName: adf-organizations-codecommit-role-policy Roles: - Ref: CodeCommitRole Type: AWS::IAM::Policy CodeCommitRepository: Properties: RepositoryDescription: Fn::Sub: CodeCommit Repo for all AWS Deployment Framework base in ${AWS::AccountId} RepositoryName: aws-deployment-framework-bootstrap Type: AWS::CodeCommit::Repository CodeCommitRole: Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: codecommit.amazonaws.com Version: '2012-10-17' Path: / RoleName: adf-codecommit-role-base Type: AWS::IAM::Role CodePipeline: Properties: ArtifactStore: Location: Ref: BootstrapTemplatesBucket Type: S3 Name: aws-deployment-framework-bootstrap-pipeline RoleArn: Fn::GetAtt: - CodePipelineRole - Arn Stages: - Actions: - ActionTypeId: Category: Source Owner: AWS Provider: CodeCommit Version: '1' Configuration: BranchName: master RepositoryName: aws-deployment-framework-bootstrap Name: Source OutputArtifacts: - Name: TemplateSource RunOrder: 1 Name: CodeCommit - Actions: - ActionTypeId: Category: Build Owner: AWS Provider: CodeBuild Version: '1' Configuration: ProjectName: Ref: CodeBuildProject InputArtifacts: - Name: TemplateSource Name: UploadAndUpdateBaseStacks OutputArtifacts: - Name: aws-deployment-framework-bootstrap-build RunOrder: 1 Name: UploadAndUpdateBaseStacks Type: AWS::CodePipeline::Pipeline CodePipelineRole: Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - codepipeline.amazonaws.com Version: '2012-10-17' Path: / RoleName: adf-codepipeline-role Type: AWS::IAM::Role CodePipelineRolePolicy: Properties: Description: Policy to allow codepipeline to perform actions PolicyDocument: Statement: - Action: - codebuild:* - codecommit:* - s3:GetBucketPolicy - s3:GetObject - s3:ListBucket - s3:PutObject Effect: Allow Resource: '*' Version: '2012-10-17' Roles: - Ref: CodePipelineRole Type: AWS::IAM::ManagedPolicy CrossAccountExecuteFunction: Properties: CodeUri: Bucket: <%REPO_BUCKET%> Key: efd4cb32-9565-4c40-8781-96644f4194ce Description: ADF Lambda Function - CrossAccountExecuteFunction Environment: Variables: ADF_LOG_LEVEL: Ref: LogLevel ADF_VERSION: 1.2.8 DEPLOYMENT_ACCOUNT_BUCKET: Fn::GetAtt: - SharedModulesBucketName - Value MASTER_ACCOUNT_ID: Ref: AWS::AccountId ORGANIZATION_ID: Fn::GetAtt: - Organization - OrganizationId S3_BUCKET_NAME: Ref: BootstrapTemplatesBucket TERMINATION_PROTECTION: Ref: TerminationProtection FunctionName: CrossAccountExecuteFunction Handler: account_bootstrap.lambda_handler Layers: - Ref: LambdaLayerVersion Role: Fn::GetAtt: - LambdaRole - Arn Runtime: python3.7 Timeout: 300 Type: AWS::Serverless::Function CrossRegionBucketHandler: Properties: CodeUri: Bucket: <%REPO_BUCKET%> Key: a4eba757-0252-49de-adfd-2a8561aaf417 Description: ADF Lambda Function - Create Deployment Bucket in Main Deployment Region FunctionName: CrossRegionBucketHandler Handler: handler.lambda_handler Policies: - Statement: - Action: s3:CreateBucket Effect: Allow Resource: '*' - Action: - s3:DeleteBucket - s3:PutEncryptionConfiguration - s3:PutBucketPolicy Effect: Allow Resource: arn:aws:s3:::adf-shared-modules-* - Action: ssm:GetParameter Effect: Allow Resource: - Fn::Sub: arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/shared_modules_bucket - Fn::Sub: arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/deployment_account_region Version: '2012-10-17' Runtime: python3.7 Timeout: 300 Type: AWS::Serverless::Function DeploymentAccount: DependsOn: Organization Properties: AccountEmailAddress: Ref: DeploymentAccountEmailAddress AccountName: Ref: DeploymentAccountName CrossAccountAccessRoleName: Ref: CrossAccountAccessRoleName ExistingAccountId: Ref: DeploymentAccountId ServiceToken: Fn::GetAtt: - AccountHandler - Arn Type: Custom::Account DeploymentOrganizationUnit: Properties: OrganizationUnitName: deployment ParentId: Fn::GetAtt: - Organization - OrganizationRootId ServiceToken: Fn::GetAtt: - OrganizationUnitHandler - Arn Type: Custom::OrganizationUnit DetermineEventFunction: Properties: CodeUri: Bucket: <%REPO_BUCKET%> Key: efd4cb32-9565-4c40-8781-96644f4194ce Description: ADF Lambda Function - DetermineEvent Environment: Variables: ADF_LOG_LEVEL: Ref: LogLevel ADF_VERSION: 1.2.8 DEPLOYMENT_ACCOUNT_BUCKET: Fn::GetAtt: - SharedModulesBucketName - Value MASTER_ACCOUNT_ID: Ref: AWS::AccountId ORGANIZATION_ID: Fn::GetAtt: - Organization - OrganizationId S3_BUCKET_NAME: Ref: BootstrapTemplatesBucket TERMINATION_PROTECTION: Ref: TerminationProtection FunctionName: DetermineEventFunction Handler: determine_event.lambda_handler Layers: - Ref: LambdaLayerVersion Role: Fn::GetAtt: - LambdaRole - Arn Runtime: python3.7 Timeout: 300 Type: AWS::Serverless::Function InitialCommit: Condition: ShouldCommitInitialBootstrapContent Properties: CrossAccountAccessRole: Ref: CrossAccountAccessRoleName DeploymentAccountRegion: Ref: DeploymentAccountMainRegion DirectoryName: bootstrap_repository NotificationEndpoint: Ref: MainNotificationEndpoint RepositoryArn: Fn::GetAtt: - CodeCommitRepository - Arn ServiceToken: Fn::GetAtt: - InitialCommitHandler - Arn TargetRegions: Ref: DeploymentAccountTargetRegions Version: 1.2.8 Type: Custom::InitialCommit InitialCommitHandler: Condition: ShouldCommitInitialBootstrapContent Properties: CodeUri: Bucket: <%REPO_BUCKET%> Key: 22d71a24-5d28-4938-8509-023ffc487b45 Description: ADF Lambda Function - BootstrapCreateInitialCommitFunction FunctionName: BootstrapCreateInitialCommitFunction Handler: handler.lambda_handler Policies: - Statement: - Action: - codecommit:CreateBranch - codecommit:CreateCommit - codecommit:CreatePullRequest - codecommit:DeleteBranch - codecommit:GetBranch - codecommit:GetDifferences Effect: Allow Resource: Fn::GetAtt: - CodeCommitRepository - Arn Version: '2012-10-17' Runtime: python3.7 Timeout: 300 Type: AWS::Serverless::Function LambdaLayerVersion: Properties: CompatibleRuntimes: - python3.8 - python3.9 ContentUri: Bucket: <%REPO_BUCKET%> Key: 677db015-533a-4139-813d-82478550d54c Description: Shared Lambda Layer between master and deployment account LayerName: shared_layer Type: AWS::Serverless::LayerVersion LambdaLayerVersionPermission: Properties: Action: lambda:GetLayerVersion LayerVersionArn: Ref: LambdaLayerVersion OrganizationId: Fn::GetAtt: - Organization - OrganizationId Principal: '*' Type: AWS::Lambda::LayerVersionPermission LambdaPolicy: Properties: Description: Policy to allow Lambda to perform actions PolicyDocument: Statement: - Action: - sts:AssumeRole - lambda:GetLayerVersion - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - organizations:DescribeOrganizationalUnit - organizations:ListParents - cloudformation:* - iam:GetRole - iam:PassRole - iam:CreateRole - iam:PutRolePolicy - organizations:DescribeOrganization - organizations:DescribeAccount - ssm:* - states:StartExecution Effect: Allow Resource: '*' - Action: s3:ListBucket Effect: Allow Resource: Fn::GetAtt: - BootstrapTemplatesBucket - Arn - Action: s3:GetObject Effect: Allow Resource: Fn::Join: - '' - - Fn::GetAtt: - BootstrapTemplatesBucket - Arn - /* Version: '2012-10-17' Roles: - Ref: LambdaRole Type: AWS::IAM::ManagedPolicy LambdaRole: Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - states.amazonaws.com - lambda.amazonaws.com Version: '2012-10-17' Type: AWS::IAM::Role LogLevelSetting: Properties: Description: DO NOT EDIT - Used by The AWS Deployment Framework Name: adf_log_level Type: String Value: Ref: LogLevel Type: AWS::SSM::Parameter MovedToRootActionFunction: Properties: CodeUri: Bucket: <%REPO_BUCKET%> Key: efd4cb32-9565-4c40-8781-96644f4194ce Description: ADF Lambda Function - MovedToRootActionFunction Environment: Variables: ADF_LOG_LEVEL: Ref: LogLevel ADF_VERSION: 1.2.8 MASTER_ACCOUNT_ID: Ref: AWS::AccountId S3_BUCKET_NAME: Ref: BootstrapTemplatesBucket TERMINATION_PROTECTION: Ref: TerminationProtection FunctionName: MovedToRootActionFunction Handler: moved_to_root.lambda_handler Layers: - Ref: LambdaLayerVersion Role: Fn::GetAtt: - LambdaRole - Arn Runtime: python3.7 Timeout: 900 Type: AWS::Serverless::Function Organization: Properties: ServiceToken: Fn::GetAtt: - OrganizationHandler - Arn Type: Custom::Organization OrganizationHandler: Properties: CodeUri: Bucket: <%REPO_BUCKET%> Key: 5174556c-78c7-4665-b454-d58189ad120e Description: ADF Lambda Function - Enable AWS Organizations FunctionName: AwsOrganizationsHandler Handler: handler.lambda_handler Policies: - Statement: - Action: - organizations:CreateOrganization - organizations:DeleteOrganization - organizations:DescribeOrganization - organizations:ListRoots Effect: Allow Resource: '*' - Action: iam:CreateServiceLinkedRole Effect: Allow Resource: arn:aws:iam::*:role/aws-service-role/* Version: '2012-10-17' Runtime: python3.7 Timeout: 300 Type: AWS::Serverless::Function OrganizationUnitHandler: Properties: CodeUri: Bucket: <%REPO_BUCKET%> Key: ddeeb55b-a6b6-4b02-8c10-940c737e86b0 Description: ADF Lambda Function - Create Organization Unit FunctionName: OrganizationUnitHandler Handler: handler.lambda_handler Policies: - Statement: - Action: - organizations:CreateOrganizationalUnit - organizations:DeleteOrganizationalUnit - organizations:ListOrganizationalUnitsForParent Effect: Allow Resource: '*' Version: '2012-10-17' Runtime: python3.7 Timeout: 300 Type: AWS::Serverless::Function RoleStackDeploymentFunction: Properties: CodeUri: Bucket: <%REPO_BUCKET%> Key: efd4cb32-9565-4c40-8781-96644f4194ce Description: ADF Lambda Function - RoleStackDeploymentFunction Environment: Variables: ADF_LOG_LEVEL: Ref: LogLevel ADF_VERSION: 1.2.8 MASTER_ACCOUNT_ID: Ref: AWS::AccountId S3_BUCKET_NAME: Ref: BootstrapTemplatesBucket TERMINATION_PROTECTION: Ref: TerminationProtection FunctionName: RoleStackDeploymentFunction Handler: deployment_account_config.lambda_handler Layers: - Ref: LambdaLayerVersion Role: Fn::GetAtt: - LambdaRole - Arn Runtime: python3.7 Timeout: 300 Type: AWS::Serverless::Function SharedModulesBucket: Properties: BucketNamePrefix: Fn::Sub: adf-shared-modules-${DeploymentAccountMainRegion} PolicyDocument: Statement: - Action: - s3:Get* - s3:List* Effect: Allow Principal: AWS: - Fn::Join: - '' - - 'arn:aws:iam::' - Fn::GetAtt: - DeploymentAccount - AccountId - :root Service: - codebuild.amazonaws.com - lambda.amazonaws.com - cloudformation.amazonaws.com Region: Ref: DeploymentAccountMainRegion ServiceToken: Fn::GetAtt: - CrossRegionBucketHandler - Arn Type: Custom::CrossRegionBucket SharedModulesBucketName: Properties: Description: DO NOT EDIT - Used by The AWS Deployment Framework Name: shared_modules_bucket Type: String Value: Fn::GetAtt: - SharedModulesBucket - BucketName Type: AWS::SSM::Parameter StackWaiterFunction: Properties: CodeUri: Bucket: <%REPO_BUCKET%> Key: efd4cb32-9565-4c40-8781-96644f4194ce Description: ADF Lambda Function - StackWaiterFunction Environment: Variables: ADF_LOG_LEVEL: Ref: LogLevel ADF_VERSION: 1.2.8 MASTER_ACCOUNT_ID: Ref: AWS::AccountId ORGANIZATION_ID: Fn::GetAtt: - Organization - OrganizationId S3_BUCKET_NAME: Ref: BootstrapTemplatesBucket TERMINATION_PROTECTION: Ref: TerminationProtection FunctionName: StackWaiter Handler: wait_until_complete.lambda_handler Layers: - Ref: LambdaLayerVersion Role: Fn::GetAtt: - LambdaRole - Arn Runtime: python3.7 Timeout: 300 Type: AWS::Serverless::Function StateMachine: Properties: DefinitionString: Fn::Sub: |- { "Comment": "ADF Account Bootstrapping Process", "StartAt": "DetermineEvent", "States": { "DetermineEvent": { "Type": "Task", "Resource": "${DetermineEventFunction.Arn}", "Next": "MovedToRootOrProtected?", "TimeoutSeconds": 300 }, "MovedToRootOrProtected?": { "Type": "Choice", "Choices": [{ "Variable": "$.moved_to_protected", "NumericEquals": 1, "Next": "ExecuteDeploymentAccountStateMachine" }, { "Variable": "$.moved_to_root", "NumericEquals": 1, "Next": "MovedToRootAction" } ], "Default": "CreateOrUpdateBaseStack" }, "CreateOrUpdateBaseStack": { "Type": "Task", "Resource": "${CrossAccountExecuteFunction.Arn}", "Next": "WaitUntilBootstrapComplete", "Catch": [{ "ErrorEquals": ["States.ALL"], "Next": "ExecuteDeploymentAccountStateMachine", "ResultPath": "$.error" }], "TimeoutSeconds": 300 }, "MovedToRootAction": { "Type": "Task", "Resource": "${MovedToRootActionFunction.Arn}", "Retry": [{ "ErrorEquals": ["RetryError"], "IntervalSeconds": 10, "BackoffRate": 1.0, "MaxAttempts": 20 }], "Catch": [{ "ErrorEquals": ["States.ALL"], "Next": "ExecuteDeploymentAccountStateMachine", "ResultPath": "$.error" }], "Next": "ExecuteDeploymentAccountStateMachine", "TimeoutSeconds": 900 }, "WaitUntilBootstrapComplete": { "Type": "Task", "Resource": "${StackWaiterFunction.Arn}", "Retry": [{ "ErrorEquals": ["RetryError"], "IntervalSeconds": 10, "BackoffRate": 1.0, "MaxAttempts": 500 }], "Catch": [{ "ErrorEquals": ["States.ALL"], "Next": "ExecuteDeploymentAccountStateMachine", "ResultPath": "$.error" }], "Next": "DeploymentAccount?", "TimeoutSeconds": 900 }, "DeploymentAccount?": { "Type": "Choice", "Choices": [{ "Variable": "$.is_deployment_account", "NumericEquals": 1, "Next": "DeploymentAccountConfig" }], "Default": "ExecuteDeploymentAccountStateMachine" }, "DeploymentAccountConfig": { "Type": "Task", "Resource": "${RoleStackDeploymentFunction.Arn}", "End": true, "TimeoutSeconds": 900 }, "ExecuteDeploymentAccountStateMachine": { "Type": "Task", "Resource": "${UpdateResourcePoliciesFunction.Arn}", "End": true, "TimeoutSeconds": 900 } } } RoleArn: Fn::GetAtt: - StatesExecutionRole - Arn Type: AWS::StepFunctions::StateMachine StatesExecutionRole: Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: - events.amazonaws.com - lambda.amazonaws.com - states.amazonaws.com Version: '2012-10-17' Path: / Policies: - PolicyDocument: Statement: - Action: - lambda:InvokeFunction - states:StartExecution Effect: Allow Resource: '*' Version: '2012-10-17' PolicyName: adf-state-machine-role-policy Type: AWS::IAM::Role UpdateResourcePoliciesFunction: Properties: CodeUri: Bucket: <%REPO_BUCKET%> Key: efd4cb32-9565-4c40-8781-96644f4194ce Description: ADF Lambda Function - UpdateResourcePoliciesFunction Environment: Variables: ADF_LOG_LEVEL: Ref: LogLevel ADF_VERSION: 1.2.8 MASTER_ACCOUNT_ID: Ref: AWS::AccountId S3_BUCKET_NAME: Ref: BootstrapTemplatesBucket TERMINATION_PROTECTION: Ref: TerminationProtection FunctionName: UpdateResourcePoliciesFunction Handler: generic_account_config.lambda_handler Layers: - Ref: LambdaLayerVersion Role: Fn::GetAtt: - LambdaRole - Arn Runtime: python3.7 Timeout: 300 Type: AWS::Serverless::Function Transform: AWS::Serverless-2016-10-31