Description: This stack includes resources needed to deploy AWS CDK apps into this environment Parameters: TrustedAccounts: Description: List of AWS accounts that are trusted to publish assets and deploy stacks to this environment Default: '' Type: CommaDelimitedList CloudFormationExecutionPolicies: Description: List of the ManagedPolicy ARN(s) to attach to the CloudFormation deployment role Default: '' Type: CommaDelimitedList FileAssetsBucketName: Description: The name of the S3 bucket used for file assets Default: '' Type: String FileAssetsBucketKmsKeyId: Description: Empty to create a new key (default), 'AWS_MANAGED_KEY' to use a managed S3 key, or the ID/ARN of an existing key. Default: '' Type: String ContainerAssetsRepositoryName: Description: A user-provided custom name to use for the container assets ECR repository Default: '' Type: String Qualifier: Description: An identifier to distinguish multiple bootstrap stacks in the same environment Default: hnb659fds Type: String # "cdk-(qualifier)-image-publishing-role-(account)-(region)" needs to be <= 64 chars # account = 12, region <= 14, 10 chars for qualifier and 28 for rest of role name AllowedPattern: "[A-Za-z0-9_-]{1,10}" ConstraintDescription: Qualifier must be an alphanumeric identifier of at most 10 characters PublicAccessBlockConfiguration: Description: Whether or not to enable S3 Staging Bucket Public Access Block Configuration Default: 'true' Type: 'String' AllowedValues: ['true', 'false'] Conditions: HasTrustedAccounts: Fn::Not: - Fn::Equals: - '' - Fn::Join: - '' - Ref: TrustedAccounts HasCloudFormationExecutionPolicies: Fn::Not: - Fn::Equals: - '' - Fn::Join: - '' - Ref: CloudFormationExecutionPolicies HasCustomFileAssetsBucketName: Fn::Not: - Fn::Equals: - '' - Ref: FileAssetsBucketName CreateNewKey: Fn::Equals: - '' - Ref: FileAssetsBucketKmsKeyId UseAwsManagedKey: Fn::Equals: - 'AWS_MANAGED_KEY' - Ref: FileAssetsBucketKmsKeyId HasCustomContainerAssetsRepositoryName: Fn::Not: - Fn::Equals: - '' - Ref: ContainerAssetsRepositoryName UsePublicAccessBlockConfiguration: Fn::Equals: - 'true' - Ref: PublicAccessBlockConfiguration Resources: FileAssetsBucketEncryptionKey: Type: AWS::KMS::Key Properties: KeyPolicy: Statement: - Action: - kms:Create* - kms:Describe* - kms:Enable* - kms:List* - kms:Put* - kms:Update* - kms:Revoke* - kms:Disable* - kms:Get* - kms:Delete* - kms:ScheduleKeyDeletion - kms:CancelKeyDeletion - kms:GenerateDataKey Effect: Allow Principal: AWS: Ref: AWS::AccountId Resource: "*" - Action: - kms:Decrypt - kms:DescribeKey - kms:Encrypt - kms:ReEncrypt* - kms:GenerateDataKey* Effect: Allow Principal: # Not actually everyone -- see below for Conditions AWS: "*" Resource: "*" Condition: StringEquals: # See https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-caller-account kms:CallerAccount: Ref: AWS::AccountId kms:ViaService: - Fn::Sub: s3.${AWS::Region}.amazonaws.com - Action: - kms:Decrypt - kms:DescribeKey - kms:Encrypt - kms:ReEncrypt* - kms:GenerateDataKey* Effect: Allow Principal: AWS: Fn::Sub: "${FilePublishingRole.Arn}" Resource: "*" Condition: CreateNewKey FileAssetsBucketEncryptionKeyAlias: Condition: CreateNewKey Type: AWS::KMS::Alias Properties: AliasName: Fn::Sub: "alias/cdk-${Qualifier}-assets-key" TargetKeyId: Ref: FileAssetsBucketEncryptionKey StagingBucket: Type: AWS::S3::Bucket Properties: BucketName: Fn::If: - HasCustomFileAssetsBucketName - Fn::Sub: "${FileAssetsBucketName}" - Fn::Sub: cdk-${Qualifier}-assets-${AWS::AccountId}-${AWS::Region} AccessControl: Private BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: aws:kms KMSMasterKeyID: Fn::If: - CreateNewKey - Fn::Sub: "${FileAssetsBucketEncryptionKey.Arn}" - Fn::If: - UseAwsManagedKey - Ref: AWS::NoValue - Fn::Sub: "${FileAssetsBucketKmsKeyId}" PublicAccessBlockConfiguration: Fn::If: - UsePublicAccessBlockConfiguration - BlockPublicAcls: true BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true - Ref: AWS::NoValue UpdateReplacePolicy: Retain DeletionPolicy: Retain StagingBucketPolicy: Type: 'AWS::S3::BucketPolicy' Properties: Bucket: { Ref: 'StagingBucket' } PolicyDocument: Id: 'AccessControl' Version: '2012-10-17' Statement: - Sid: 'AllowSSLRequestsOnly' Action: 's3:*' Effect: 'Deny' Resource: - { 'Fn::Sub': '${StagingBucket.Arn}' } - { 'Fn::Sub': '${StagingBucket.Arn}/*' } Condition: Bool: { 'aws:SecureTransport': 'false' } Principal: '*' ContainerAssetsRepository: Type: AWS::ECR::Repository Properties: RepositoryName: Fn::If: - HasCustomContainerAssetsRepositoryName - Fn::Sub: "${ContainerAssetsRepositoryName}" - Fn::Sub: cdk-${Qualifier}-container-assets-${AWS::AccountId}-${AWS::Region} FilePublishingRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: AWS::AccountId - Fn::If: - HasTrustedAccounts - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: TrustedAccounts - Ref: AWS::NoValue RoleName: Fn::Sub: cdk-${Qualifier}-file-publishing-role-${AWS::AccountId}-${AWS::Region} ImagePublishingRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: AWS::AccountId - Fn::If: - HasTrustedAccounts - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: TrustedAccounts - Ref: AWS::NoValue RoleName: Fn::Sub: cdk-${Qualifier}-image-publishing-role-${AWS::AccountId}-${AWS::Region} FilePublishingRoleDefaultPolicy: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - s3:GetObject* - s3:GetBucket* - s3:List* - s3:DeleteObject* - s3:PutObject* - s3:Abort* Resource: - Fn::Sub: "${StagingBucket.Arn}" - Fn::Sub: "${StagingBucket.Arn}/*" Effect: Allow - Action: - kms:Decrypt - kms:DescribeKey - kms:Encrypt - kms:ReEncrypt* - kms:GenerateDataKey* Effect: Allow Resource: Fn::If: - CreateNewKey - Fn::Sub: "${FileAssetsBucketEncryptionKey.Arn}" - Fn::Sub: arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${FileAssetsBucketKmsKeyId} Version: '2012-10-17' Roles: - Ref: FilePublishingRole PolicyName: Fn::Sub: cdk-${Qualifier}-file-publishing-role-default-policy-${AWS::AccountId}-${AWS::Region} ImagePublishingRoleDefaultPolicy: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - ecr:PutImage - ecr:InitiateLayerUpload - ecr:UploadLayerPart - ecr:CompleteLayerUpload - ecr:BatchCheckLayerAvailability - ecr:DescribeRepositories - ecr:DescribeImages Resource: Fn::Sub: "${ContainerAssetsRepository.Arn}" Effect: Allow - Action: - ecr:GetAuthorizationToken Resource: "*" Effect: Allow Version: '2012-10-17' Roles: - Ref: ImagePublishingRole PolicyName: Fn::Sub: cdk-${Qualifier}-image-publishing-role-default-policy-${AWS::AccountId}-${AWS::Region} DeploymentActionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: AWS::AccountId - Fn::If: - HasTrustedAccounts - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: TrustedAccounts - Ref: AWS::NoValue Policies: - PolicyDocument: Statement: - Action: # Permissions needed in CodePipeline. # S3 and KMS are needed on '*', # as we don't know the IDs of the CodePipeline's bucket and key in advance - cloudformation:CreateChangeSet - cloudformation:DeleteChangeSet - cloudformation:DescribeChangeSet - cloudformation:DescribeStacks - cloudformation:ExecuteChangeSet - s3:GetObject* - s3:GetBucket* - s3:List* - s3:Abort* - s3:DeleteObject* - s3:PutObject* # Necessary to write to the cross-region artifact replication bucket # https://aws.amazon.com/premiumsupport/knowledge-center/codepipeline-deploy-cloudformation/. - kms:Decrypt - kms:DescribeKey - kms:Encrypt - kms:ReEncrypt* - kms:GenerateDataKey* Resource: "*" Effect: Allow - Action: iam:PassRole Resource: Fn::Sub: "${CloudFormationExecutionRole.Arn}" Effect: Allow - Sid: CliPermissions Action: # Permissions needed by the CLI when doing `cdk deploy`. # Our CI/CD does not need DeleteStack, # but we also want to use this role from the CLI, # and there you can call `cdk destroy` - cloudformation:DescribeStackEvents - cloudformation:GetTemplate - cloudformation:DeleteStack - cloudformation:UpdateTerminationProtection - sts:GetCallerIdentity Resource: "*" Effect: Allow - Sid: ReadVersion Effect: Allow Action: - ssm:GetParameter Resource: - Fn::Sub: "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter${CdkBootstrapVersion}" Version: '2012-10-17' PolicyName: default RoleName: Fn::Sub: cdk-${Qualifier}-deploy-role-${AWS::AccountId}-${AWS::Region} CloudFormationExecutionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: cloudformation.amazonaws.com Version: '2012-10-17' ManagedPolicyArns: Fn::If: - HasCloudFormationExecutionPolicies - Ref: CloudFormationExecutionPolicies - Fn::If: - HasTrustedAccounts # The CLI will prevent this case from occurring - Ref: AWS::NoValue # The CLI will advertise that we picked this implicitly - - Fn::Sub: "arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess" RoleName: Fn::Sub: cdk-${Qualifier}-cfn-exec-role-${AWS::AccountId}-${AWS::Region} # The SSM parameter is used in pipeline-deployed templates to verify the version # of the bootstrap resources. CdkBootstrapVersion: Type: AWS::SSM::Parameter Properties: Type: String Name: Fn::Sub: '/cdk-bootstrap/${Qualifier}/version' Value: '5' Outputs: BucketName: Description: The name of the S3 bucket owned by the CDK toolkit stack Value: Fn::Sub: "${StagingBucket}" BucketDomainName: Description: The domain name of the S3 bucket owned by the CDK toolkit stack Value: Fn::Sub: "${StagingBucket.RegionalDomainName}" # @deprecated - This Export can be removed at some future point in time. # We can't do it today because if there are stacks that use it, the bootstrap # stack cannot be updated. Not used anymore by apps >= 1.60.0 FileAssetKeyArn: Description: The ARN of the KMS key used to encrypt the asset bucket (deprecated) Value: Fn::If: - CreateNewKey - Fn::Sub: "${FileAssetsBucketEncryptionKey.Arn}" - Fn::Sub: "${FileAssetsBucketKmsKeyId}" Export: Name: Fn::Sub: CdkBootstrap-${Qualifier}-FileAssetKeyArn ImageRepositoryName: Description: The name of the ECR repository which hosts docker image assets Value: Fn::Sub: "${ContainerAssetsRepository}" # The Output is used by the CLI to verify the version of the bootstrap resources. BootstrapVersion: Description: The version of the bootstrap resources that are currently mastered in this stack Value: Fn::GetAtt: [CdkBootstrapVersion, Value]