t.aws-cdk-maven-plugin.0.0.3.source-code.bootstrap-template-v1.yaml Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of aws-cdk-maven-plugin Show documentation
Show all versions of aws-cdk-maven-plugin Show documentation
The AWS CDK Maven plugin produces and deploys CloudFormation templates based on the cloud infrastructure defined
by means of CDK. The goal of the project is to improve the experience of Java developers while working with
CDK by eliminating the need for installing Node.js and interacting with the CDK application by means of CDK
Toolkit.
Description: This stack includes resources needed to deploy AWS CDK apps into this
environment
Parameters:
TrustedAccounts:
Description: List of AWS accounts that are trusted to publish assets and deploy
stacks to this environment
Default: ''
Type: CommaDelimitedList
CloudFormationExecutionPolicies:
Description: List of the ManagedPolicy ARN(s) to attach to the CloudFormation
deployment role
Default: ''
Type: CommaDelimitedList
FileAssetsBucketName:
Description: The name of the S3 bucket used for file assets
Default: ''
Type: String
FileAssetsBucketKmsKeyId:
Description: Custom KMS key ID to use for encrypting file assets (by default a
KMS key will be automatically defined)
Default: ''
Type: String
ContainerAssetsRepositoryName:
Description: A user-provided custom name to use for the container assets ECR repository
Default: ''
Type: String
Conditions:
HasTrustedAccounts:
Fn::Not:
- Fn::Equals:
- ''
- Fn::Join:
- ''
- Ref: TrustedAccounts
HasCloudFormationExecutionPolicies:
Fn::Not:
- Fn::Equals:
- ''
- Fn::Join:
- ''
- Ref: CloudFormationExecutionPolicies
HasCustomFileAssetsBucketName:
Fn::Not:
- Fn::Equals:
- ''
- Ref: FileAssetsBucketName
CreateNewKey:
Fn::Equals:
- ''
- Ref: FileAssetsBucketKmsKeyId
HasCustomContainerAssetsRepositoryName:
Fn::Not:
- Fn::Equals:
- ''
- Ref: ContainerAssetsRepositoryName
Resources:
FileAssetsBucketEncryptionKey:
Type: AWS::KMS::Key
Properties:
KeyPolicy:
Statement:
- Action:
- kms:Create*
- kms:Describe*
- kms:Enable*
- kms:List*
- kms:Put*
- kms:Update*
- kms:Revoke*
- kms:Disable*
- kms:Get*
- kms:Delete*
- kms:ScheduleKeyDeletion
- kms:CancelKeyDeletion
- kms:GenerateDataKey
Effect: Allow
Principal:
AWS:
Ref: AWS::AccountId
Resource: "*"
- Action:
- kms:Decrypt
- kms:DescribeKey
- kms:Encrypt
- kms:ReEncrypt*
- kms:GenerateDataKey*
Effect: Allow
Principal:
AWS:
Ref: AWS::AccountId
Resource: "*"
Condition:
StringEquals:
kms:ViaService:
- Fn::Sub: s3.${AWS::Region}.amazonaws.com
- Action:
- kms:Decrypt
- kms:DescribeKey
- kms:Encrypt
- kms:ReEncrypt*
- kms:GenerateDataKey*
Effect: Allow
Principal:
AWS:
Fn::Sub: "${PublishingRole.Arn}"
Resource: "*"
Condition: CreateNewKey
StagingBucket:
Type: AWS::S3::Bucket
Properties:
BucketName:
Fn::If:
- HasCustomFileAssetsBucketName
- Fn::Sub: "${FileAssetsBucketName}"
- Fn::Sub: cdk-bootstrap-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}
AccessControl: Private
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: aws:kms
KMSMasterKeyID:
Fn::If:
- CreateNewKey
- Fn::Sub: "${FileAssetsBucketEncryptionKey.Arn}"
- Fn::Sub: "${FileAssetsBucketKmsKeyId}"
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
UpdateReplacePolicy: Retain
StagingBucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: { Ref: 'StagingBucket' }
PolicyDocument:
Id: 'AccessControl'
Version: '2012-10-17'
Statement:
- Sid: 'AllowSSLRequestsOnly'
Action: 's3:*'
Effect: 'Deny'
Resource:
- { 'Fn::Sub': '${StagingBucket.Arn}' }
- { 'Fn::Sub': '${StagingBucket.Arn}/*' }
Condition:
Bool: { 'aws:SecureTransport': 'false' }
Principal: '*'
ContainerAssetsRepository:
Type: AWS::ECR::Repository
Properties:
RepositoryName:
Fn::If:
- HasCustomContainerAssetsRepositoryName
- Fn::Sub: "${ContainerAssetsRepositoryName}"
- Fn::Sub: cdk-bootstrap-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}
PublishingRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
AWS:
Ref: AWS::AccountId
- Fn::If:
- HasTrustedAccounts
- Action: sts:AssumeRole
Effect: Allow
Principal:
AWS:
Ref: TrustedAccounts
- Ref: AWS::NoValue
RoleName:
Fn::Sub: cdk-bootstrap-publishing-role-${AWS::AccountId}-${AWS::Region}
PublishingRoleDefaultPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- s3:GetObject*
- s3:GetBucket*
- s3:List*
- s3:DeleteObject*
- s3:PutObject*
- s3:Abort*
Resource:
- Fn::Sub: "${StagingBucket.Arn}"
- Fn::Sub: "${StagingBucket.Arn}/*"
Effect: Allow
- Action:
- kms:Decrypt
- kms:DescribeKey
- kms:Encrypt
- kms:ReEncrypt*
- kms:GenerateDataKey*
Effect: Allow
Resource:
Fn::If:
- CreateNewKey
- Fn::Sub: "${FileAssetsBucketEncryptionKey.Arn}"
- Fn::Sub: arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${FileAssetsBucketKmsKeyId}
- Action:
- ecr:PutImage
- ecr:InitiateLayerUpload
- ecr:UploadLayerPart
- ecr:CompleteLayerUpload
- ecr:BatchCheckLayerAvailability
- ecr:DescribeRepositories
- ecr:DescribeImages
Resource:
Fn::Sub: "${ContainerAssetsRepository.Arn}"
Effect: Allow
- Action:
- ecr:GetAuthorizationToken
Resource: "*"
Effect: Allow
Version: '2012-10-17'
Roles:
- Ref: PublishingRole
PolicyName:
Fn::Sub: cdk-bootstrap-hnb659fds-publishing-role-default-policy-${AWS::AccountId}-${AWS::Region}
DeploymentActionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
AWS:
Ref: AWS::AccountId
- Fn::If:
- HasTrustedAccounts
- Action: sts:AssumeRole
Effect: Allow
Principal:
AWS:
Ref: TrustedAccounts
- Ref: AWS::NoValue
Policies:
- PolicyDocument:
Statement:
- Action:
# Permissions needed in CodePipeline.
# S3 and KMS are needed on '*',
# as we don't know the IDs of the CodePipeline's bucket and key in advance
- cloudformation:CreateChangeSet
- cloudformation:DeleteChangeSet
- cloudformation:DescribeChangeSet
- cloudformation:DescribeStacks
- cloudformation:ExecuteChangeSet
- s3:GetObject*
- s3:GetBucket*
- s3:List*
- s3:Abort*
- s3:DeleteObject*
- s3:PutObject*
# Necessary to write to the cross-region artifact replication bucket
# https://aws.amazon.com/premiumsupport/knowledge-center/codepipeline-deploy-cloudformation/.
- kms:Decrypt
- kms:DescribeKey
- kms:Encrypt
- kms:ReEncrypt*
- kms:GenerateDataKey*
Resource: "*"
Effect: Allow
- Action: iam:PassRole
Resource:
Fn::Sub: "${CloudFormationExecutionRole.Arn}"
Effect: Allow
- Sid: CliPermissions
Action:
# Permissions needed by the CLI when doing `cdk deploy`.
# Our CI/CD does not need DeleteStack,
# but we also want to use this role from the CLI,
# and there you can call `cdk destroy`
- cloudformation:DescribeStackEvents
- cloudformation:GetTemplate
- cloudformation:DeleteStack
- sts:GetCallerIdentity
Resource: "*"
Effect: Allow
Version: '2012-10-17'
PolicyName: default
RoleName:
Fn::Sub: cdk-bootstrap-deploy-action-role-${AWS::AccountId}-${AWS::Region}
CloudFormationExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: cloudformation.amazonaws.com
Version: '2012-10-17'
ManagedPolicyArns:
Fn::If:
- HasCloudFormationExecutionPolicies
- Ref: CloudFormationExecutionPolicies
- Ref: AWS::NoValue
RoleName:
Fn::Sub: cdk-bootstrap-cfn-exec-role-${AWS::AccountId}-${AWS::Region}
Outputs:
BucketName:
Description: The name of the S3 bucket owned by the CDK toolkit stack
Value:
Fn::Sub: "${StagingBucket}"
BucketDomainName:
Description: The domain name of the S3 bucket owned by the CDK toolkit stack
Value:
Fn::Sub: "${StagingBucket.RegionalDomainName}"
BootstrapVersion:
Description: The version of the bootstrap resources that are currently mastered
in this stack
Value: '1'
Export:
Name:
Fn::Sub: AwsCdkBootstrapVersion
© 2015 - 2025 Weber Informatics LLC | Privacy Policy