@aws-cdk-testing/cli-integ 2.159.0 → 2.160.0

@@ -0,0 +1,703 @@
1
+ Description: This stack includes resources needed to deploy AWS CDK apps into this
2
+ environment
3
+ Parameters:
4
+ TrustedAccounts:
5
+ Description: List of AWS accounts that are trusted to publish assets and deploy
6
+ stacks to this environment
7
+ Default: ''
8
+ Type: CommaDelimitedList
9
+ TrustedAccountsForLookup:
10
+ Description: List of AWS accounts that are trusted to look up values in this
11
+ environment
12
+ Default: ''
13
+ Type: CommaDelimitedList
14
+ CloudFormationExecutionPolicies:
15
+ Description: List of the ManagedPolicy ARN(s) to attach to the CloudFormation
16
+ deployment role
17
+ Default: ''
18
+ Type: CommaDelimitedList
19
+ FileAssetsBucketName:
20
+ Description: The name of the S3 bucket used for file assets
21
+ Default: ''
22
+ Type: String
23
+ FileAssetsBucketKmsKeyId:
24
+ Description: Empty to create a new key (default), 'AWS_MANAGED_KEY' to use a managed
25
+ S3 key, or the ID/ARN of an existing key.
26
+ Default: ''
27
+ Type: String
28
+ ContainerAssetsRepositoryName:
29
+ Description: A user-provided custom name to use for the container assets ECR repository
30
+ Default: ''
31
+ Type: String
32
+ Qualifier:
33
+ Description: An identifier to distinguish multiple bootstrap stacks in the same environment
34
+ Default: hnb659fds
35
+ Type: String
36
+ # "cdk-(qualifier)-image-publishing-role-(account)-(region)" needs to be <= 64 chars
37
+ # account = 12, region <= 14, 10 chars for qualifier and 28 for rest of role name
38
+ AllowedPattern: "[A-Za-z0-9_-]{1,10}"
39
+ ConstraintDescription: Qualifier must be an alphanumeric identifier of at most 10 characters
40
+ PublicAccessBlockConfiguration:
41
+ Description: Whether or not to enable S3 Staging Bucket Public Access Block Configuration
42
+ Default: 'true'
43
+ Type: 'String'
44
+ AllowedValues: ['true', 'false']
45
+ InputPermissionsBoundary:
46
+ Description: Whether or not to use either the CDK supplied or custom permissions boundary
47
+ Default: ''
48
+ Type: 'String'
49
+ UseExamplePermissionsBoundary:
50
+ Default: 'false'
51
+ AllowedValues: [ 'true', 'false' ]
52
+ Type: String
53
+ BootstrapVariant:
54
+ Type: String
55
+ Default: 'AWS CDK: Default Resources'
56
+ Description: Describe the provenance of the resources in this bootstrap
57
+ stack. Change this when you customize the template. To prevent accidents,
58
+ the CDK CLI will not overwrite bootstrap stacks with a different variant.
59
+ Conditions:
60
+ HasTrustedAccounts:
61
+ Fn::Not:
62
+ - Fn::Equals:
63
+ - ''
64
+ - Fn::Join:
65
+ - ''
66
+ - Ref: TrustedAccounts
67
+ HasTrustedAccountsForLookup:
68
+ Fn::Not:
69
+ - Fn::Equals:
70
+ - ''
71
+ - Fn::Join:
72
+ - ''
73
+ - Ref: TrustedAccountsForLookup
74
+ HasCloudFormationExecutionPolicies:
75
+ Fn::Not:
76
+ - Fn::Equals:
77
+ - ''
78
+ - Fn::Join:
79
+ - ''
80
+ - Ref: CloudFormationExecutionPolicies
81
+ HasCustomFileAssetsBucketName:
82
+ Fn::Not:
83
+ - Fn::Equals:
84
+ - ''
85
+ - Ref: FileAssetsBucketName
86
+ CreateNewKey:
87
+ Fn::Equals:
88
+ - ''
89
+ - Ref: FileAssetsBucketKmsKeyId
90
+ UseAwsManagedKey:
91
+ Fn::Equals:
92
+ - 'AWS_MANAGED_KEY'
93
+ - Ref: FileAssetsBucketKmsKeyId
94
+ ShouldCreatePermissionsBoundary:
95
+ Fn::Equals:
96
+ - 'true'
97
+ - Ref: UseExamplePermissionsBoundary
98
+ PermissionsBoundarySet:
99
+ Fn::Not:
100
+ - Fn::Equals:
101
+ - ''
102
+ - Ref: InputPermissionsBoundary
103
+ HasCustomContainerAssetsRepositoryName:
104
+ Fn::Not:
105
+ - Fn::Equals:
106
+ - ''
107
+ - Ref: ContainerAssetsRepositoryName
108
+ UsePublicAccessBlockConfiguration:
109
+ Fn::Equals:
110
+ - 'true'
111
+ - Ref: PublicAccessBlockConfiguration
112
+ Resources:
113
+ FileAssetsBucketEncryptionKey:
114
+ Type: AWS::KMS::Key
115
+ Properties:
116
+ KeyPolicy:
117
+ Statement:
118
+ - Action:
119
+ - kms:Create*
120
+ - kms:Describe*
121
+ - kms:Enable*
122
+ - kms:List*
123
+ - kms:Put*
124
+ - kms:Update*
125
+ - kms:Revoke*
126
+ - kms:Disable*
127
+ - kms:Get*
128
+ - kms:Delete*
129
+ - kms:ScheduleKeyDeletion
130
+ - kms:CancelKeyDeletion
131
+ - kms:GenerateDataKey
132
+ - kms:TagResource
133
+ - kms:UntagResource
134
+ Effect: Allow
135
+ Principal:
136
+ AWS:
137
+ Ref: AWS::AccountId
138
+ Resource: "*"
139
+ - Action:
140
+ - kms:Decrypt
141
+ - kms:DescribeKey
142
+ - kms:Encrypt
143
+ - kms:ReEncrypt*
144
+ - kms:GenerateDataKey*
145
+ Effect: Allow
146
+ Principal:
147
+ # Not actually everyone -- see below for Conditions
148
+ AWS: "*"
149
+ Resource: "*"
150
+ Condition:
151
+ StringEquals:
152
+ # See https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-caller-account
153
+ kms:CallerAccount:
154
+ Ref: AWS::AccountId
155
+ kms:ViaService:
156
+ - Fn::Sub: s3.${AWS::Region}.amazonaws.com
157
+ - Action:
158
+ - kms:Decrypt
159
+ - kms:DescribeKey
160
+ - kms:Encrypt
161
+ - kms:ReEncrypt*
162
+ - kms:GenerateDataKey*
163
+ Effect: Allow
164
+ Principal:
165
+ AWS:
166
+ Fn::Sub: "${FilePublishingRole.Arn}"
167
+ Resource: "*"
168
+ Condition: CreateNewKey
169
+ FileAssetsBucketEncryptionKeyAlias:
170
+ Condition: CreateNewKey
171
+ Type: AWS::KMS::Alias
172
+ Properties:
173
+ AliasName:
174
+ Fn::Sub: "alias/cdk-${Qualifier}-assets-key"
175
+ TargetKeyId:
176
+ Ref: FileAssetsBucketEncryptionKey
177
+ StagingBucket:
178
+ Type: AWS::S3::Bucket
179
+ Properties:
180
+ BucketName:
181
+ Fn::If:
182
+ - HasCustomFileAssetsBucketName
183
+ - Fn::Sub: "${FileAssetsBucketName}"
184
+ - Fn::Sub: cdk-${Qualifier}-assets-${AWS::AccountId}-${AWS::Region}
185
+ AccessControl: Private
186
+ BucketEncryption:
187
+ ServerSideEncryptionConfiguration:
188
+ - ServerSideEncryptionByDefault:
189
+ SSEAlgorithm: aws:kms
190
+ KMSMasterKeyID:
191
+ Fn::If:
192
+ - CreateNewKey
193
+ - Fn::Sub: "${FileAssetsBucketEncryptionKey.Arn}"
194
+ - Fn::If:
195
+ - UseAwsManagedKey
196
+ - Ref: AWS::NoValue
197
+ - Fn::Sub: "${FileAssetsBucketKmsKeyId}"
198
+ PublicAccessBlockConfiguration:
199
+ Fn::If:
200
+ - UsePublicAccessBlockConfiguration
201
+ - BlockPublicAcls: true
202
+ BlockPublicPolicy: true
203
+ IgnorePublicAcls: true
204
+ RestrictPublicBuckets: true
205
+ - Ref: AWS::NoValue
206
+ VersioningConfiguration:
207
+ Status: Enabled
208
+ LifecycleConfiguration:
209
+ Rules:
210
+ # Exising objects will never be overwritten but Security Hub wants this rule to exist
211
+ - Id: CleanupOldVersions
212
+ Status: Enabled
213
+ NoncurrentVersionExpiration:
214
+ NoncurrentDays: 365
215
+ UpdateReplacePolicy: Retain
216
+ DeletionPolicy: Retain
217
+ StagingBucketPolicy:
218
+ Type: 'AWS::S3::BucketPolicy'
219
+ Properties:
220
+ Bucket: { Ref: 'StagingBucket' }
221
+ PolicyDocument:
222
+ Id: 'AccessControl'
223
+ Version: '2012-10-17'
224
+ Statement:
225
+ - Sid: 'AllowSSLRequestsOnly'
226
+ Action: 's3:*'
227
+ Effect: 'Deny'
228
+ Resource:
229
+ - { 'Fn::Sub': '${StagingBucket.Arn}' }
230
+ - { 'Fn::Sub': '${StagingBucket.Arn}/*' }
231
+ Condition:
232
+ Bool: { 'aws:SecureTransport': 'false' }
233
+ Principal: '*'
234
+ ContainerAssetsRepository:
235
+ Type: AWS::ECR::Repository
236
+ Properties:
237
+ ImageTagMutability: IMMUTABLE
238
+ # Untagged images should never exist but Security Hub wants this rule to exist
239
+ LifecyclePolicy:
240
+ LifecyclePolicyText: |
241
+ {
242
+ "rules": [
243
+ {
244
+ "rulePriority": 1,
245
+ "description": "Untagged images should not exist, but expire any older than one year",
246
+ "selection": {
247
+ "tagStatus": "untagged",
248
+ "countType": "sinceImagePushed",
249
+ "countUnit": "days",
250
+ "countNumber": 365
251
+ },
252
+ "action": { "type": "expire" }
253
+ }
254
+ ]
255
+ }
256
+ RepositoryName:
257
+ Fn::If:
258
+ - HasCustomContainerAssetsRepositoryName
259
+ - Fn::Sub: "${ContainerAssetsRepositoryName}"
260
+ - Fn::Sub: cdk-${Qualifier}-container-assets-${AWS::AccountId}-${AWS::Region}
261
+ RepositoryPolicyText:
262
+ Version: "2012-10-17"
263
+ Statement:
264
+ # Necessary for Lambda container images
265
+ # https://docs.aws.amazon.com/lambda/latest/dg/configuration-images.html#configuration-images-permissions
266
+ - Sid: LambdaECRImageRetrievalPolicy
267
+ Effect: Allow
268
+ Principal: { Service: "lambda.amazonaws.com" }
269
+ Action:
270
+ - ecr:BatchGetImage
271
+ - ecr:GetDownloadUrlForLayer
272
+ Condition:
273
+ StringLike:
274
+ "aws:sourceArn": { "Fn::Sub": "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:*" }
275
+ FilePublishingRole:
276
+ Type: AWS::IAM::Role
277
+ Properties:
278
+ AssumeRolePolicyDocument:
279
+ Statement:
280
+ - Action: sts:AssumeRole
281
+ Effect: Allow
282
+ Principal:
283
+ AWS:
284
+ Ref: AWS::AccountId
285
+ # The TagSession action is required to be able to assume this role with session tags.
286
+ # Without this trust policy, attemping to assume this role with session tags will fail.
287
+ - Action: sts:TagSession
288
+ Effect: Allow
289
+ Principal:
290
+ AWS:
291
+ Ref: AWS::AccountId
292
+ - Fn::If:
293
+ - HasTrustedAccounts
294
+ - Action: sts:AssumeRole
295
+ Effect: Allow
296
+ Principal:
297
+ AWS:
298
+ Ref: TrustedAccounts
299
+ - Ref: AWS::NoValue
300
+ RoleName:
301
+ Fn::Sub: cdk-${Qualifier}-file-publishing-role-${AWS::AccountId}-${AWS::Region}
302
+ Tags:
303
+ - Key: aws-cdk:bootstrap-role
304
+ Value: file-publishing
305
+ ImagePublishingRole:
306
+ Type: AWS::IAM::Role
307
+ Properties:
308
+ AssumeRolePolicyDocument:
309
+ Statement:
310
+ - Action: sts:AssumeRole
311
+ Effect: Allow
312
+ Principal:
313
+ AWS:
314
+ Ref: AWS::AccountId
315
+ # The TagSession action is required to be able to assume this role with session tags.
316
+ # Without this trust policy, attemping to assume this role with session tags will fail.
317
+ - Action: sts:TagSession
318
+ Effect: Allow
319
+ Principal:
320
+ AWS:
321
+ Ref: AWS::AccountId
322
+ - Fn::If:
323
+ - HasTrustedAccounts
324
+ - Action: sts:AssumeRole
325
+ Effect: Allow
326
+ Principal:
327
+ AWS:
328
+ Ref: TrustedAccounts
329
+ - Ref: AWS::NoValue
330
+ RoleName:
331
+ Fn::Sub: cdk-${Qualifier}-image-publishing-role-${AWS::AccountId}-${AWS::Region}
332
+ Tags:
333
+ - Key: aws-cdk:bootstrap-role
334
+ Value: image-publishing
335
+ LookupRole:
336
+ Type: AWS::IAM::Role
337
+ Properties:
338
+ AssumeRolePolicyDocument:
339
+ Statement:
340
+ - Action: sts:AssumeRole
341
+ Effect: Allow
342
+ Principal:
343
+ AWS:
344
+ Ref: AWS::AccountId
345
+ # The TagSession action is required to be able to assume this role with session tags.
346
+ # Without this trust policy, attemping to assume this role with session tags will fail.
347
+ - Action: sts:TagSession
348
+ Effect: Allow
349
+ Principal:
350
+ AWS:
351
+ Ref: AWS::AccountId
352
+ - Fn::If:
353
+ - HasTrustedAccountsForLookup
354
+ - Action: sts:AssumeRole
355
+ Effect: Allow
356
+ Principal:
357
+ AWS:
358
+ Ref: TrustedAccountsForLookup
359
+ - Ref: AWS::NoValue
360
+ - Fn::If:
361
+ - HasTrustedAccounts
362
+ - Action: sts:AssumeRole
363
+ Effect: Allow
364
+ Principal:
365
+ AWS:
366
+ Ref: TrustedAccounts
367
+ - Ref: AWS::NoValue
368
+ RoleName:
369
+ Fn::Sub: cdk-${Qualifier}-lookup-role-${AWS::AccountId}-${AWS::Region}
370
+ Policies:
371
+ - PolicyDocument:
372
+ Statement:
373
+ - Sid: AllowEc2OnlyIfEngineeringDepartement
374
+ Effect: Allow
375
+ Action:
376
+ - ec2:*
377
+ Resource: "*"
378
+ Condition:
379
+ StringEquals:
380
+ aws:PrincipalTag/Department: "Engineering"
381
+ Version: '2012-10-17'
382
+ PolicyName: LookupRolePolicy
383
+ Tags:
384
+ - Key: aws-cdk:bootstrap-role
385
+ Value: lookup
386
+ FilePublishingRoleDefaultPolicy:
387
+ Type: AWS::IAM::Policy
388
+ Properties:
389
+ PolicyDocument:
390
+ Statement:
391
+ - Action:
392
+ - s3:GetObject*
393
+ - s3:GetBucket*
394
+ - s3:GetEncryptionConfiguration
395
+ - s3:List*
396
+ - s3:DeleteObject*
397
+ - s3:PutObject*
398
+ - s3:Abort*
399
+ Resource:
400
+ - Fn::Sub: "${StagingBucket.Arn}"
401
+ - Fn::Sub: "${StagingBucket.Arn}/*"
402
+ # This condition requires that the File Publishing Role is assumed with the session tags
403
+ # 'Department: Engineering'; if these tags are not passed in, the role will
404
+ # not be able to perform these S3 actions.
405
+ Condition:
406
+ StringEquals:
407
+ aws:ResourceAccount:
408
+ - Fn::Sub: ${AWS::AccountId}
409
+ aws:PrincipalTag/Department: "Engineering"
410
+ Effect: Allow
411
+ - Action:
412
+ - kms:Decrypt
413
+ - kms:DescribeKey
414
+ - kms:Encrypt
415
+ - kms:ReEncrypt*
416
+ - kms:GenerateDataKey*
417
+ Effect: Allow
418
+ Resource:
419
+ Fn::If:
420
+ - CreateNewKey
421
+ - Fn::Sub: "${FileAssetsBucketEncryptionKey.Arn}"
422
+ - Fn::Sub: arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${FileAssetsBucketKmsKeyId}
423
+ Version: '2012-10-17'
424
+ Roles:
425
+ - Ref: FilePublishingRole
426
+ PolicyName:
427
+ Fn::Sub: cdk-${Qualifier}-file-publishing-role-default-policy-${AWS::AccountId}-${AWS::Region}
428
+ ImagePublishingRoleDefaultPolicy:
429
+ Type: AWS::IAM::Policy
430
+ Properties:
431
+ PolicyDocument:
432
+ Statement:
433
+ - Action:
434
+ - ecr:PutImage
435
+ - ecr:InitiateLayerUpload
436
+ - ecr:UploadLayerPart
437
+ - ecr:CompleteLayerUpload
438
+ - ecr:BatchCheckLayerAvailability
439
+ - ecr:DescribeRepositories
440
+ - ecr:DescribeImages
441
+ - ecr:BatchGetImage
442
+ - ecr:GetDownloadUrlForLayer
443
+ Resource:
444
+ Fn::Sub: "${ContainerAssetsRepository.Arn}"
445
+ Effect: Allow
446
+ # This condition requires that the Image Publishing Role is assumed with the session tags
447
+ # 'Department: Engineering'; if these tags are not passed in, the role will
448
+ # not be able to perform these ECR actions.
449
+ Condition:
450
+ StringEquals:
451
+ aws:PrincipalTag/Department: "Engineering"
452
+ - Action:
453
+ - ecr:GetAuthorizationToken
454
+ Resource: "*"
455
+ Effect: Allow
456
+ Version: '2012-10-17'
457
+ Roles:
458
+ - Ref: ImagePublishingRole
459
+ PolicyName:
460
+ Fn::Sub: cdk-${Qualifier}-image-publishing-role-default-policy-${AWS::AccountId}-${AWS::Region}
461
+ DeploymentActionRole:
462
+ Type: AWS::IAM::Role
463
+ Properties:
464
+ AssumeRolePolicyDocument:
465
+ Statement:
466
+ - Action: sts:AssumeRole
467
+ Effect: Allow
468
+ Principal:
469
+ AWS:
470
+ Ref: AWS::AccountId
471
+ # The TagSession action is required to be able to assume this role with session tags.
472
+ # Without this trust policy, attemping to assume this role with session tags will fail.
473
+ - Action: sts:TagSession
474
+ Effect: Allow
475
+ Principal:
476
+ AWS:
477
+ Ref: AWS::AccountId
478
+ - Fn::If:
479
+ - HasTrustedAccounts
480
+ - Action: sts:AssumeRole
481
+ Effect: Allow
482
+ Principal:
483
+ AWS:
484
+ Ref: TrustedAccounts
485
+ - Ref: AWS::NoValue
486
+ Policies:
487
+ - PolicyDocument:
488
+ Statement:
489
+ - Sid: CloudFormationPermissions
490
+ Effect: Allow
491
+ Action:
492
+ - cloudformation:CreateChangeSet
493
+ - cloudformation:DeleteChangeSet
494
+ - cloudformation:DescribeChangeSet
495
+ - cloudformation:DescribeStacks
496
+ - cloudformation:ExecuteChangeSet
497
+ - cloudformation:CreateStack
498
+ - cloudformation:UpdateStack
499
+ Resource: "*"
500
+ # This condition requires that the Deploy Role is assumed with the session tags
501
+ # 'Department: Engineering'; if these tags are not passed in, the Deploy Role will
502
+ # not be able to perform these CloudFormation actions.
503
+ Condition:
504
+ StringEquals:
505
+ aws:PrincipalTag/Department: "Engineering"
506
+ - Sid: PipelineCrossAccountArtifactsBucket
507
+ # Read/write buckets in different accounts. Permissions to buckets in
508
+ # same account are granted by bucket policies.
509
+ #
510
+ # Write permissions necessary to write outputs to the cross-region artifact replication bucket
511
+ # https://aws.amazon.com/premiumsupport/knowledge-center/codepipeline-deploy-cloudformation/.
512
+ Effect: Allow
513
+ Action:
514
+ - s3:GetObject*
515
+ - s3:GetBucket*
516
+ - s3:List*
517
+ - s3:Abort*
518
+ - s3:DeleteObject*
519
+ - s3:PutObject*
520
+ Resource: "*"
521
+ Condition:
522
+ StringNotEquals:
523
+ s3:ResourceAccount:
524
+ Ref: 'AWS::AccountId'
525
+ - Sid: PipelineCrossAccountArtifactsKey
526
+ # Use keys only for the purposes of reading encrypted files from S3.
527
+ Effect: Allow
528
+ Action:
529
+ - kms:Decrypt
530
+ - kms:DescribeKey
531
+ - kms:Encrypt
532
+ - kms:ReEncrypt*
533
+ - kms:GenerateDataKey*
534
+ Resource: "*"
535
+ Condition:
536
+ StringEquals:
537
+ kms:ViaService:
538
+ Fn::Sub: s3.${AWS::Region}.amazonaws.com
539
+ - Action: iam:PassRole
540
+ Resource:
541
+ Fn::Sub: "${CloudFormationExecutionRole.Arn}"
542
+ Effect: Allow
543
+ - Sid: CliPermissions
544
+ Action:
545
+ # Permissions needed by the CLI when doing `cdk deploy`.
546
+ # Our CI/CD does not need DeleteStack,
547
+ # but we also want to use this role from the CLI,
548
+ # and there you can call `cdk destroy`
549
+ - cloudformation:DescribeStackEvents
550
+ - cloudformation:GetTemplate
551
+ - cloudformation:DeleteStack
552
+ - cloudformation:UpdateTerminationProtection
553
+ - sts:GetCallerIdentity
554
+ # `cdk import`
555
+ - cloudformation:GetTemplateSummary
556
+ Resource: "*"
557
+ Effect: Allow
558
+ - Sid: CliStagingBucket
559
+ Effect: Allow
560
+ Action:
561
+ - s3:GetObject*
562
+ - s3:GetBucket*
563
+ - s3:List*
564
+ Resource:
565
+ - Fn::Sub: ${StagingBucket.Arn}
566
+ - Fn::Sub: ${StagingBucket.Arn}/*
567
+ - Sid: ReadVersion
568
+ Effect: Allow
569
+ Action:
570
+ - ssm:GetParameter
571
+ - ssm:GetParameters # CreateChangeSet uses this to evaluate any SSM parameters (like `CdkBootstrapVersion`)
572
+ Resource:
573
+ - Fn::Sub: "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter${CdkBootstrapVersion}"
574
+ Version: '2012-10-17'
575
+ PolicyName: default
576
+ RoleName:
577
+ Fn::Sub: cdk-${Qualifier}-deploy-role-${AWS::AccountId}-${AWS::Region}
578
+ Tags:
579
+ - Key: aws-cdk:bootstrap-role
580
+ Value: deploy
581
+ CloudFormationExecutionRole:
582
+ Type: AWS::IAM::Role
583
+ Properties:
584
+ AssumeRolePolicyDocument:
585
+ Statement:
586
+ - Action: sts:AssumeRole
587
+ Effect: Allow
588
+ Principal:
589
+ Service: cloudformation.amazonaws.com
590
+ Version: '2012-10-17'
591
+ ManagedPolicyArns:
592
+ Fn::If:
593
+ - HasCloudFormationExecutionPolicies
594
+ - Ref: CloudFormationExecutionPolicies
595
+ - Fn::If:
596
+ - HasTrustedAccounts
597
+ # The CLI will prevent this case from occurring
598
+ - Ref: AWS::NoValue
599
+ # The CLI will advertise that we picked this implicitly
600
+ - - Fn::Sub: "arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess"
601
+ RoleName:
602
+ Fn::Sub: cdk-${Qualifier}-cfn-exec-role-${AWS::AccountId}-${AWS::Region}
603
+ PermissionsBoundary:
604
+ Fn::If:
605
+ - PermissionsBoundarySet
606
+ - Fn::Sub: 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${InputPermissionsBoundary}'
607
+ - Ref: AWS::NoValue
608
+ CdkBoostrapPermissionsBoundaryPolicy:
609
+ # Edit the template prior to boostrap in order to have this example policy created
610
+ Condition: ShouldCreatePermissionsBoundary
611
+ Type: AWS::IAM::ManagedPolicy
612
+ Properties:
613
+ PolicyDocument:
614
+ Statement:
615
+ # If permission boundaries do not have an explicit `allow`, then the effect is `deny`
616
+ - Sid: ExplicitAllowAll
617
+ Action:
618
+ - "*"
619
+ Effect: Allow
620
+ Resource: "*"
621
+ # Default permissions to prevent privilege escalation
622
+ - Sid: DenyAccessIfRequiredPermBoundaryIsNotBeingApplied
623
+ Action:
624
+ - iam:CreateUser
625
+ - iam:CreateRole
626
+ - iam:PutRolePermissionsBoundary
627
+ - iam:PutUserPermissionsBoundary
628
+ Condition:
629
+ StringNotEquals:
630
+ iam:PermissionsBoundary:
631
+ Fn::Sub: arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/cdk-${Qualifier}-permissions-boundary-${AWS::AccountId}-${AWS::Region}
632
+ Effect: Deny
633
+ Resource: "*"
634
+ # Forbid the policy itself being edited
635
+ - Sid: DenyPermBoundaryIAMPolicyAlteration
636
+ Action:
637
+ - iam:CreatePolicyVersion
638
+ - iam:DeletePolicy
639
+ - iam:DeletePolicyVersion
640
+ - iam:SetDefaultPolicyVersion
641
+ Effect: Deny
642
+ Resource:
643
+ Fn::Sub: arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/cdk-${Qualifier}-permissions-boundary-${AWS::AccountId}-${AWS::Region}
644
+ # Forbid removing the permissions boundary from any user or role that has it associated
645
+ - Sid: DenyRemovalOfPermBoundaryFromAnyUserOrRole
646
+ Action:
647
+ - iam:DeleteUserPermissionsBoundary
648
+ - iam:DeleteRolePermissionsBoundary
649
+ Effect: Deny
650
+ Resource: "*"
651
+ # Add your specific organizational security policy here
652
+ # Uncomment the example to deny access to AWS Config
653
+ #- Sid: OrganizationalSecurityPolicy
654
+ # Action:
655
+ # - "config:*"
656
+ # Effect: Deny
657
+ # Resource: "*"
658
+ Version: "2012-10-17"
659
+ Description: "Bootstrap Permission Boundary"
660
+ ManagedPolicyName:
661
+ Fn::Sub: cdk-${Qualifier}-permissions-boundary-${AWS::AccountId}-${AWS::Region}
662
+ Path: /
663
+ # The SSM parameter is used in pipeline-deployed templates to verify the version
664
+ # of the bootstrap resources.
665
+ CdkBootstrapVersion:
666
+ Type: AWS::SSM::Parameter
667
+ Properties:
668
+ Type: String
669
+ Name:
670
+ Fn::Sub: '/cdk-bootstrap/${Qualifier}/version'
671
+ Value: '22'
672
+ Outputs:
673
+ BucketName:
674
+ Description: The name of the S3 bucket owned by the CDK toolkit stack
675
+ Value:
676
+ Fn::Sub: "${StagingBucket}"
677
+ BucketDomainName:
678
+ Description: The domain name of the S3 bucket owned by the CDK toolkit stack
679
+ Value:
680
+ Fn::Sub: "${StagingBucket.RegionalDomainName}"
681
+ # @deprecated - This Export can be removed at some future point in time.
682
+ # We can't do it today because if there are stacks that use it, the bootstrap
683
+ # stack cannot be updated. Not used anymore by apps >= 1.60.0
684
+ FileAssetKeyArn:
685
+ Description: The ARN of the KMS key used to encrypt the asset bucket (deprecated)
686
+ Value:
687
+ Fn::If:
688
+ - CreateNewKey
689
+ - Fn::Sub: "${FileAssetsBucketEncryptionKey.Arn}"
690
+ - Fn::Sub: "${FileAssetsBucketKmsKeyId}"
691
+ Export:
692
+ Name:
693
+ Fn::Sub: CdkBootstrap-${Qualifier}-FileAssetKeyArn
694
+ ImageRepositoryName:
695
+ Description: The name of the ECR repository which hosts docker image assets
696
+ Value:
697
+ Fn::Sub: "${ContainerAssetsRepository}"
698
+ # The Output is used by the CLI to verify the version of the bootstrap resources.
699
+ BootstrapVersion:
700
+ Description: The version of the bootstrap resources that are currently mastered
701
+ in this stack
702
+ Value:
703
+ Fn::GetAtt: [CdkBootstrapVersion, Value]
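Review bot: The LookupRole inline policy (Sid `AllowEc2OnlyIfEngineeringDepartement`) grants `ec2:*` on `Resource: "*"`, which includes every mutating EC2 action, even though the role is tagged `lookup` and the standard CDK lookup role is read-only; if the goal is to exercise the session-tag condition, `ec2:Describe*` would do that without handing out write access. Separately, the `aws:PrincipalTag/Department: "Engineering"` conditions on the file-publishing, image-publishing and deploy role policies can only be met by a session that carried tags, yet the `HasTrustedAccounts` / `HasTrustedAccountsForLookup` trust statements allow only `sts:AssumeRole` while `sts:TagSession` is granted solely to the local `AWS::AccountId`, so a trusted cross-account caller can never supply the tag and will always be denied; granting `sts:TagSession` in those Fn::If statements, e.g. `Action: [sts:AssumeRole, sts:TagSession]`, or documenting the restriction would close the gap. The KMS resource in FilePublishingRoleDefaultPolicy, `arn:${AWS::Partition}:kms:...:key/${FileAssetsBucketKmsKeyId}`, is also malformed when the parameter is supplied as a key ARN or as `AWS_MANAGED_KEY`, both of which the parameter description explicitly allows. This looks like an integration-test fixture, so the broad EC2 grant may be intentional, but a comment such as `# test fixture only: ec2:* is used to exercise the session-tag condition, not for production use` would make that explicit.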