t.aws-cdk-maven-plugin.0.0.6.source-code.bootstrap-template-v1.yaml Maven / Gradle / Ivy
Description: This stack includes resources needed to deploy AWS CDK apps into this
environment
Parameters:
TrustedAccounts:
Description: List of AWS accounts that are trusted to publish assets and deploy
stacks to this environment
Default: ''
Type: CommaDelimitedList
CloudFormationExecutionPolicies:
Description: List of the ManagedPolicy ARN(s) to attach to the CloudFormation
deployment role
Default: ''
Type: CommaDelimitedList
FileAssetsBucketName:
Description: The name of the S3 bucket used for file assets
Default: ''
Type: String
FileAssetsBucketKmsKeyId:
Description: Custom KMS key ID to use for encrypting file assets (by default a
KMS key will be automatically defined)
Default: ''
Type: String
ContainerAssetsRepositoryName:
Description: A user-provided custom name to use for the container assets ECR repository
Default: ''
Type: String
Conditions:
HasTrustedAccounts:
Fn::Not:
- Fn::Equals:
- ''
- Fn::Join:
- ''
- Ref: TrustedAccounts
HasCloudFormationExecutionPolicies:
Fn::Not:
- Fn::Equals:
- ''
- Fn::Join:
- ''
- Ref: CloudFormationExecutionPolicies
HasCustomFileAssetsBucketName:
Fn::Not:
- Fn::Equals:
- ''
- Ref: FileAssetsBucketName
CreateNewKey:
Fn::Equals:
- ''
- Ref: FileAssetsBucketKmsKeyId
HasCustomContainerAssetsRepositoryName:
Fn::Not:
- Fn::Equals:
- ''
- Ref: ContainerAssetsRepositoryName
Resources:
FileAssetsBucketEncryptionKey:
Type: AWS::KMS::Key
Properties:
KeyPolicy:
Statement:
- Action:
- kms:Create*
- kms:Describe*
- kms:Enable*
- kms:List*
- kms:Put*
- kms:Update*
- kms:Revoke*
- kms:Disable*
- kms:Get*
- kms:Delete*
- kms:ScheduleKeyDeletion
- kms:CancelKeyDeletion
- kms:GenerateDataKey
Effect: Allow
Principal:
AWS:
Ref: AWS::AccountId
Resource: "*"
- Action:
- kms:Decrypt
- kms:DescribeKey
- kms:Encrypt
- kms:ReEncrypt*
- kms:GenerateDataKey*
Effect: Allow
Principal:
AWS:
Ref: AWS::AccountId
Resource: "*"
Condition:
StringEquals:
kms:ViaService:
- Fn::Sub: s3.${AWS::Region}.amazonaws.com
- Action:
- kms:Decrypt
- kms:DescribeKey
- kms:Encrypt
- kms:ReEncrypt*
- kms:GenerateDataKey*
Effect: Allow
Principal:
AWS:
Fn::Sub: "${PublishingRole.Arn}"
Resource: "*"
Condition: CreateNewKey
StagingBucket:
Type: AWS::S3::Bucket
Properties:
BucketName:
Fn::If:
- HasCustomFileAssetsBucketName
- Fn::Sub: "${FileAssetsBucketName}"
- Fn::Sub: cdk-bootstrap-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}
AccessControl: Private
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: aws:kms
KMSMasterKeyID:
Fn::If:
- CreateNewKey
- Fn::Sub: "${FileAssetsBucketEncryptionKey.Arn}"
- Fn::Sub: "${FileAssetsBucketKmsKeyId}"
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
UpdateReplacePolicy: Retain
StagingBucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: { Ref: 'StagingBucket' }
PolicyDocument:
Id: 'AccessControl'
Version: '2012-10-17'
Statement:
- Sid: 'AllowSSLRequestsOnly'
Action: 's3:*'
Effect: 'Deny'
Resource:
- { 'Fn::Sub': '${StagingBucket.Arn}' }
- { 'Fn::Sub': '${StagingBucket.Arn}/*' }
Condition:
Bool: { 'aws:SecureTransport': 'false' }
Principal: '*'
ContainerAssetsRepository:
Type: AWS::ECR::Repository
Properties:
RepositoryName:
Fn::If:
- HasCustomContainerAssetsRepositoryName
- Fn::Sub: "${ContainerAssetsRepositoryName}"
- Fn::Sub: cdk-bootstrap-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}
PublishingRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
AWS:
Ref: AWS::AccountId
- Fn::If:
- HasTrustedAccounts
- Action: sts:AssumeRole
Effect: Allow
Principal:
AWS:
Ref: TrustedAccounts
- Ref: AWS::NoValue
RoleName:
Fn::Sub: cdk-bootstrap-publishing-role-${AWS::AccountId}-${AWS::Region}
PublishingRoleDefaultPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- s3:GetObject*
- s3:GetBucket*
- s3:List*
- s3:DeleteObject*
- s3:PutObject*
- s3:Abort*
Resource:
- Fn::Sub: "${StagingBucket.Arn}"
- Fn::Sub: "${StagingBucket.Arn}/*"
Effect: Allow
- Action:
- kms:Decrypt
- kms:DescribeKey
- kms:Encrypt
- kms:ReEncrypt*
- kms:GenerateDataKey*
Effect: Allow
Resource:
Fn::If:
- CreateNewKey
- Fn::Sub: "${FileAssetsBucketEncryptionKey.Arn}"
- Fn::Sub: arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${FileAssetsBucketKmsKeyId}
- Action:
- ecr:PutImage
- ecr:InitiateLayerUpload
- ecr:UploadLayerPart
- ecr:CompleteLayerUpload
- ecr:BatchCheckLayerAvailability
- ecr:DescribeRepositories
- ecr:DescribeImages
Resource:
Fn::Sub: "${ContainerAssetsRepository.Arn}"
Effect: Allow
- Action:
- ecr:GetAuthorizationToken
Resource: "*"
Effect: Allow
Version: '2012-10-17'
Roles:
- Ref: PublishingRole
PolicyName:
Fn::Sub: cdk-bootstrap-hnb659fds-publishing-role-default-policy-${AWS::AccountId}-${AWS::Region}
DeploymentActionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
AWS:
Ref: AWS::AccountId
- Fn::If:
- HasTrustedAccounts
- Action: sts:AssumeRole
Effect: Allow
Principal:
AWS:
Ref: TrustedAccounts
- Ref: AWS::NoValue
Policies:
- PolicyDocument:
Statement:
- Action:
# Permissions needed in CodePipeline.
# S3 and KMS are needed on '*',
# as we don't know the IDs of the CodePipeline's bucket and key in advance
- cloudformation:CreateChangeSet
- cloudformation:DeleteChangeSet
- cloudformation:DescribeChangeSet
- cloudformation:DescribeStacks
- cloudformation:ExecuteChangeSet
- s3:GetObject*
- s3:GetBucket*
- s3:List*
- s3:Abort*
- s3:DeleteObject*
- s3:PutObject*
# Necessary to write to the cross-region artifact replication bucket
# https://aws.amazon.com/premiumsupport/knowledge-center/codepipeline-deploy-cloudformation/.
- kms:Decrypt
- kms:DescribeKey
- kms:Encrypt
- kms:ReEncrypt*
- kms:GenerateDataKey*
Resource: "*"
Effect: Allow
- Action: iam:PassRole
Resource:
Fn::Sub: "${CloudFormationExecutionRole.Arn}"
Effect: Allow
- Sid: CliPermissions
Action:
# Permissions needed by the CLI when doing `cdk deploy`.
# Our CI/CD does not need DeleteStack,
# but we also want to use this role from the CLI,
# and there you can call `cdk destroy`
- cloudformation:DescribeStackEvents
- cloudformation:GetTemplate
- cloudformation:DeleteStack
- sts:GetCallerIdentity
Resource: "*"
Effect: Allow
Version: '2012-10-17'
PolicyName: default
RoleName:
Fn::Sub: cdk-bootstrap-deploy-action-role-${AWS::AccountId}-${AWS::Region}
CloudFormationExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: cloudformation.amazonaws.com
Version: '2012-10-17'
ManagedPolicyArns:
Fn::If:
- HasCloudFormationExecutionPolicies
- Ref: CloudFormationExecutionPolicies
- Ref: AWS::NoValue
RoleName:
Fn::Sub: cdk-bootstrap-cfn-exec-role-${AWS::AccountId}-${AWS::Region}
Outputs:
BucketName:
Description: The name of the S3 bucket owned by the CDK toolkit stack
Value:
Fn::Sub: "${StagingBucket}"
BucketDomainName:
Description: The domain name of the S3 bucket owned by the CDK toolkit stack
Value:
Fn::Sub: "${StagingBucket.RegionalDomainName}"
BootstrapVersion:
Description: The version of the bootstrap resources that are currently mastered
in this stack
Value: '1'
Export:
Name:
Fn::Sub: AwsCdkBootstrapVersion
© 2015 - 2025 Weber Informatics LLC | Privacy Policy