diff --git a/.yamllint b/.yamllint new file mode 100644 index 000000000..3e570ed67 --- /dev/null +++ b/.yamllint @@ -0,0 +1,40 @@ +--- +yaml-files: + - '*.yaml' + - '*.yml' + - '.yamllint' + +rules: + braces: + forbid: non-empty + min-spaces-inside-empty: 0 + max-spaces-inside-empty: 0 + brackets: enable + colons: enable + commas: enable + comments: + level: warning + comments-indentation: + level: warning + document-end: disable + document-start: disable + empty-lines: enable + empty-values: disable + empty-values: disable + float-values: + forbid-inf: true + forbid-nan: true + forbid-scientific-notation: true + require-numeral-before-decimal: true + hyphens: enable + indentation: enable + key-duplicates: enable + key-ordering: disable + line-length: disable + new-line-at-end-of-file: disable + new-lines: enable + octal-values: enable + quoted-strings: disable + trailing-spaces: enable + truthy: + level: error \ No newline at end of file diff --git a/Makefile b/Makefile index 467c37f08..a21a95798 100644 --- a/Makefile +++ b/Makefile @@ -10,9 +10,11 @@ test: pytest src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python -vvv -s -c src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/pytest.ini pytest src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk -vvv -s -c src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/pytest.ini pytest src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared -vvv -s -c src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/pytest.ini + lint: # Linter performs static analysis to catch latent bugs find src/ -iname "*.py" -not -path "src/.aws-sam/*" | xargs pylint --rcfile .pylintrc + find src -iname "*.yml" -o -iname "*.yaml" -not -path "src/.aws-sam/*" | xargs yamllint -c .yamllint cfn-lint build: diff --git a/requirements.txt b/requirements.txt index e8f42949e..42a5c8085 100644 --- a/requirements.txt 
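Review bot: The new `.yamllint` lists `empty-values: disable` twice under `rules:`; yamllint reads its config with an ordinary YAML loader, which keeps the last occurrence silently, and because `.yamllint` is itself in `yaml-files` while `key-duplicates: enable` is set, linting the config would report it. Drop one of the two `empty-values: disable` lines. Separately, `braces: forbid: non-empty` rejects every inline `{...}` mapping, yet `samples/sample-vpc/template.yml` keeps `Fn::GetAZs: {Ref: 'AWS::Region'}` on its new side in this same commit; that only stays green because the Makefile target lints `src` alone, so either convert those scalars or document that `samples/` is deliberately outside the lint scope.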
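Review bot: The `find` in the new `lint` target combines `-o` with `-not` without grouping, and find's implicit `-a` binds tighter than `-o`, so the expression evaluates as `-iname "*.yml"` OR (`-iname "*.yaml"` AND `-not -path ...`) and `.yml` files under `src/.aws-sam/` are still handed to yamllint. Group the name tests: `find src \( -iname "*.yml" -o -iname "*.yaml" \) -not -path "src/.aws-sam/*" | xargs yamllint -c .yamllint`. The pylint line above has the same shape but a single `-iname`, so it is unaffected. If paths with whitespace are ever possible, `-print0 | xargs -0` on both lines would be the safer pairing, though nothing visible here requires it.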
+++ b/requirements.txt @@ -8,5 +8,6 @@ pytest~=6.2.5 pyyaml>=5.4.1 schema~=0.7.5 tox==3.24.4 +yamllint~=1.27.1 cfn-lint~=0.60.1 docutils~=0.15.2 \ No newline at end of file diff --git a/samples/sample-ec2-java-app-codedeploy/buildspec.yml b/samples/sample-ec2-java-app-codedeploy/buildspec.yml index 6c51511eb..412ffcc2d 100644 --- a/samples/sample-ec2-java-app-codedeploy/buildspec.yml +++ b/samples/sample-ec2-java-app-codedeploy/buildspec.yml @@ -8,7 +8,7 @@ phases: commands: - mvn clean package --quiet artifacts: - discard-paths: yes + discard-paths: yes # yamllint disable-line rule:truthy files: - target/* - scripts/* diff --git a/samples/sample-ec2-with-codedeploy/template.yml b/samples/sample-ec2-with-codedeploy/template.yml index 6c5131bf7..b2d581ede 100644 --- a/samples/sample-ec2-with-codedeploy/template.yml +++ b/samples/sample-ec2-with-codedeploy/template.yml @@ -126,7 +126,7 @@ Resources: GroupDescription: Access to the Instance VpcId: Fn::ImportValue: - Fn::Sub: ${Environment}-vpc-id + Fn::Sub: ${Environment}-vpc-id SecurityGroupIngressFromPublicALB: Type: AWS::EC2::SecurityGroupIngress Properties: 
@@ -147,25 +147,25 @@ Resources: GroupDescription: Access to the public facing load balancer VpcId: Fn::ImportValue: - Fn::Sub: ${Environment}-vpc-id + Fn::Sub: ${Environment}-vpc-id SecurityGroupIngress: - # Allow access to ALB from anywhere on the internet - - CidrIp: 0.0.0.0/0 - IpProtocol: -1 + # Allow access to ALB from anywhere on the internet + - CidrIp: 0.0.0.0/0 + IpProtocol: -1 PublicLoadBalancer: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: Scheme: internet-facing LoadBalancerAttributes: - - Key: idle_timeout.timeout_seconds - Value: '30' + - Key: idle_timeout.timeout_seconds + Value: '30' Subnets: - - Fn::ImportValue: - Fn::Sub: ${Environment}-public-subnet-1a - - Fn::ImportValue: - Fn::Sub: ${Environment}-public-subnet-1b - - Fn::ImportValue: - Fn::Sub: ${Environment}-public-subnet-1c + - Fn::ImportValue: + Fn::Sub: ${Environment}-public-subnet-1a + - Fn::ImportValue: + Fn::Sub: ${Environment}-public-subnet-1b + - Fn::ImportValue: + Fn::Sub: ${Environment}-public-subnet-1c SecurityGroups: - !Ref 'PublicLoadBalancerSG' ApplicationLoadBalancerHTTPListener: @@ -197,7 +197,7 @@ Resources: Value: "5" VpcId: Fn::ImportValue: - Fn::Sub: ${Environment}-vpc-id + Fn::Sub: ${Environment}-vpc-id ScaleDownCloudWatchAlarm: Type: "AWS::CloudWatch::Alarm" Properties: diff --git a/samples/sample-ecs-cluster/template.yml b/samples/sample-ecs-cluster/template.yml index b157f3913..34b8f2950 100644 --- a/samples/sample-ecs-cluster/template.yml +++ b/samples/sample-ecs-cluster/template.yml @@ -7,10 +7,10 @@ AWSTemplateFormatVersion: '2010-09-09' Description: ADF CloudFormation Sample Template (ECS Cluster) Metadata: License: Apache-2.0 -Parameters: - Environment: - Description: The Current Environment - Type: String +Parameters: + Environment: + Description: The Current Environment + Type: String Resources: ECSCluster: Type: AWS::ECS::Cluster 
@@ -20,7 +20,7 @@ Resources: GroupDescription: Access to the Fargate containers VpcId: Fn::ImportValue: - Fn::Sub: ${Environment}-vpc-id + Fn::Sub: ${Environment}-vpc-id EcsSecurityGroupIngressFromPublicALB: Type: AWS::EC2::SecurityGroupIngress Properties: @@ -41,26 +41,26 @@ Resources: GroupDescription: Access to the public facing load balancer VpcId: Fn::ImportValue: - Fn::Sub: ${Environment}-vpc-id + Fn::Sub: ${Environment}-vpc-id SecurityGroupIngress: - # Allow access to ALB from anywhere on the internet - - CidrIp: 0.0.0.0/0 - IpProtocol: -1 + # Allow access to ALB from anywhere on the internet + - CidrIp: 0.0.0.0/0 + IpProtocol: -1 PublicLoadBalancer: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: Scheme: internet-facing - LoadBalancerAttributes: - - Key: idle_timeout.timeout_seconds - Value: '30' - Subnets: - - Fn::ImportValue: - Fn::Sub: ${Environment}-public-subnet-1a - - Fn::ImportValue: - Fn::Sub: ${Environment}-public-subnet-1b - - Fn::ImportValue: - Fn::Sub: ${Environment}-public-subnet-1c SecurityGroups: [!Ref 'PublicLoadBalancerSG'] + LoadBalancerAttributes: + - Key: idle_timeout.timeout_seconds + Value: '30' + Subnets: + - Fn::ImportValue: + Fn::Sub: ${Environment}-public-subnet-1a + - Fn::ImportValue: + Fn::Sub: ${Environment}-public-subnet-1b + - Fn::ImportValue: + Fn::Sub: ${Environment}-public-subnet-1c DummyTargetGroupPublic: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: @@ -75,7 +75,7 @@ Resources: UnhealthyThresholdCount: 2 VpcId: Fn::ImportValue: - Fn::Sub: ${Environment}-vpc-id + Fn::Sub: ${Environment}-vpc-id PublicLoadBalancerListener: Type: AWS::ElasticLoadBalancingV2::Listener Properties: 
@@ -90,35 +90,35 @@ Resources: Properties: AssumeRolePolicyDocument: Statement: - - Effect: Allow - Principal: - Service: [ecs.amazonaws.com] - Action: ['sts:AssumeRole'] + - Effect: Allow + Principal: + Service: [ecs.amazonaws.com] + Action: ['sts:AssumeRole'] Path: / Policies: - - PolicyName: ecs-service - PolicyDocument: - Statement: - - Effect: Allow - Action: - # Rules which allow ECS to attach network interfaces to instances - # on your behalf in order for awsvpc networking mode to work right - - 'ec2:AttachNetworkInterface' - - 'ec2:CreateNetworkInterface' - - 'ec2:CreateNetworkInterfacePermission' - - 'ec2:DeleteNetworkInterface' - - 'ec2:DeleteNetworkInterfacePermission' - - 'ec2:Describe*' - - 'ec2:DetachNetworkInterface' + - PolicyName: ecs-service + PolicyDocument: + Statement: + - Effect: Allow + Action: + # Rules which allow ECS to attach network interfaces to instances + # on your behalf in order for awsvpc networking mode to work right + - 'ec2:AttachNetworkInterface' + - 'ec2:CreateNetworkInterface' + - 'ec2:CreateNetworkInterfacePermission' + - 'ec2:DeleteNetworkInterface' + - 'ec2:DeleteNetworkInterfacePermission' + - 'ec2:Describe*' + - 'ec2:DetachNetworkInterface' - # Rules which allow ECS to update load balancers on your behalf - # with the information sabout how to send traffic to your containers - - 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer' - - 'elasticloadbalancing:DeregisterTargets' - - 'elasticloadbalancing:Describe*' - - 'elasticloadbalancing:RegisterInstancesWithLoadBalancer' - - 'elasticloadbalancing:RegisterTargets' - Resource: '*' + # Rules which allow ECS to update load balancers on your behalf + # with the information sabout how to send traffic to your containers + - 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer' + - 'elasticloadbalancing:DeregisterTargets' + - 'elasticloadbalancing:Describe*' + - 'elasticloadbalancing:RegisterInstancesWithLoadBalancer' + - 'elasticloadbalancing:RegisterTargets' + 
Resource: '*' # This is a role which is used by the ECS tasks themselves. ECSTaskExecutionRole: @@ -126,33 +126,33 @@ Resources: Properties: AssumeRolePolicyDocument: Statement: - - Effect: Allow - Principal: - Service: [ecs-tasks.amazonaws.com] - Action: ['sts:AssumeRole'] + - Effect: Allow + Principal: + Service: [ecs-tasks.amazonaws.com] + Action: ['sts:AssumeRole'] Path: / Policies: - PolicyName: AmazonECSTaskExecutionRolePolicy PolicyDocument: Statement: - - Effect: Allow - Action: - # Allow the ECS Tasks to download images from ECR - - 'ecr:GetAuthorizationToken' - - 'ecr:BatchCheckLayerAvailability' - - 'ecr:GetDownloadUrlForLayer' - - 'ecr:BatchGetImage' + - Effect: Allow + Action: + # Allow the ECS Tasks to download images from ECR + - 'ecr:GetAuthorizationToken' + - 'ecr:BatchCheckLayerAvailability' + - 'ecr:GetDownloadUrlForLayer' + - 'ecr:BatchGetImage' - # Allow the ECS tasks to upload logs to CloudWatch - - 'logs:CreateLogStream' - - 'logs:PutLogEvents' - Resource: '*' + # Allow the ECS tasks to upload logs to CloudWatch + - 'logs:CreateLogStream' + - 'logs:PutLogEvents' + Resource: '*' Outputs: ClusterName: Description: The name of the ECS cluster Value: !Ref 'ECSCluster' Export: - Name: 'ClusterName' + Name: 'ClusterName' ExternalUrl: Description: The url of the external load balancer Value: !Sub http://${PublicLoadBalancer.DNSName} @@ -162,7 +162,7 @@ Outputs: Description: The ARN of the ECS role Value: !GetAtt 'ECSRole.Arn' Export: - Name: 'ECSRole' + Name: 'ECSRole' ECSTaskExecutionRole: Description: The ARN of the ECS role Value: !GetAtt 'ECSTaskExecutionRole.Arn' 
@@ -172,9 +172,9 @@ Outputs: Description: The ARN of the public load balancer's Listener Value: !Ref PublicLoadBalancerListener Export: - Name: 'PublicListener' + Name: 'PublicListener' FargateContainerSecurityGroup: Description: A security group used to allow Fargate containers to receive traffic Value: !Ref 'FargateContainerSecurityGroup' Export: - Name: 'FargateContainerSecurityGroup' \ No newline at end of file + Name: 'FargateContainerSecurityGroup' \ No newline at end of file diff --git a/samples/sample-fargate-node-app/template.yml b/samples/sample-fargate-node-app/template.yml index c283aff4f..4082baae4 100644 --- a/samples/sample-fargate-node-app/template.yml +++ b/samples/sample-fargate-node-app/template.yml @@ -86,13 +86,13 @@ Resources: AssignPublicIp: ENABLED SecurityGroups: - Fn::ImportValue: 'FargateContainerSecurityGroup' - Subnets: - - Fn::ImportValue: - Fn::Sub: ${Environment}-public-subnet-1a - - Fn::ImportValue: - Fn::Sub: ${Environment}-public-subnet-1b - - Fn::ImportValue: - Fn::Sub: ${Environment}-public-subnet-1c + Subnets: + - Fn::ImportValue: + Fn::Sub: ${Environment}-public-subnet-1a + - Fn::ImportValue: + Fn::Sub: ${Environment}-public-subnet-1b + - Fn::ImportValue: + Fn::Sub: ${Environment}-public-subnet-1c TaskDefinition: !Ref 'TaskDefinition' LoadBalancers: - ContainerName: !Ref 'ServiceName' @@ -113,7 +113,7 @@ Resources: UnhealthyThresholdCount: 2 VpcId: Fn::ImportValue: - Fn::Sub: ${Environment}-vpc-id + Fn::Sub: ${Environment}-vpc-id LoadBalancerRule: Type: AWS::ElasticLoadBalancingV2::ListenerRule Properties: diff --git a/samples/sample-service-catalog-product/productX/template.yml b/samples/sample-service-catalog-product/productX/template.yml index 1313d5e69..2f520c3e1 100644 --- a/samples/sample-service-catalog-product/productX/template.yml +++ b/samples/sample-service-catalog-product/productX/template.yml 
@@ -44,7 +44,7 @@ Resources: Description: !Ref InstanceDescription InstanceType: !Ref InstanceType Name: !Ref InstanceName - OwnerArn: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:user/${UserName}" #In this sample case 'sample-developer' from the IAM stack can be used here + OwnerArn: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:user/${UserName}" # In this sample case 'sample-developer' from the IAM stack can be used here SubnetId: - Fn::ImportValue: - Fn::Sub: ${Environment}-public-subnet-1a # Imported from sample-vpc + Fn::ImportValue: + Fn::Sub: ${Environment}-public-subnet-1a # Imported from sample-vpc diff --git a/samples/sample-service-catalog-product/template.yml b/samples/sample-service-catalog-product/template.yml index e6a0d790e..1655e5dfc 100644 --- a/samples/sample-service-catalog-product/template.yml +++ b/samples/sample-service-catalog-product/template.yml @@ -1,7 +1,7 @@ # // Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved. # // SPDX-License-Identifier: Apache-2.0 -AWSTemplateFormatVersion: '2010-09-09' +AWSTemplateFormatVersion: "2010-09-09" Description: ADF CloudFormation Sample Template (Service Catalog Product) Metadata: License: Apache-2.0 @@ -36,7 +36,8 @@ Resources: Name: Cloud9 Development Environment Owner: Company ProvisioningArtifactParameters: - - Info: { "LoadTemplateFromURL": !Ref ProductXTemplateURL } + - Info: + LoadTemplateFromURL: !Ref ProductXTemplateURL SupportDescription: For help with Cloud9 Dev Environment contact us SupportEmail: john@example.com SupportUrl: http://example.com diff --git a/samples/sample-terraform/my_test_spec.yml b/samples/sample-terraform/my_test_spec.yml index f5f69f17c..9ab98bbd7 100644 --- a/samples/sample-terraform/my_test_spec.yml +++ b/samples/sample-terraform/my_test_spec.yml 
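Review bot: The quote change to `AWSTemplateFormatVersion: "2010-09-09"` leaves this template inconsistent with the other samples touched by the same commit, which keep the single-quoted form (the sample-ecs-cluster context shows `AWSTemplateFormatVersion: '2010-09-09'`), and the new `.yamllint` sets `quoted-strings: disable`, so no rule calls for it. Either keep `AWSTemplateFormatVersion: '2010-09-09'` here or change the others in the same pass. The flow-to-block rewrite of `Info:` in the second hunk is consistent with `braces: forbid: non-empty` and needs nothing further.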
@@ -2,9 +2,9 @@ version: 0.2 env: variables: - AWS_DEFAULT_REGION: eu-central-1 # The region you plan on deploying resources into - TF_VAR_TARGET_ACCOUNT_ID: 111111111111 # The AWS Account you plan on targeting - TF_VAR_TARGET_ACCOUNT_ROLE: adf-custom-deploy-role # The IAM Role terraform will assume to deploy resources + AWS_DEFAULT_REGION: eu-central-1 # The region you plan on deploying resources into + TF_VAR_TARGET_ACCOUNT_ID: 111111111111 # The AWS Account you plan on targeting + TF_VAR_TARGET_ACCOUNT_ROLE: adf-custom-deploy-role # The IAM Role terraform will assume to deploy resources TF_IN_AUTOMATION: true TF_CLI_ARGS: "-no-color" diff --git a/samples/sample-vpc/template.yml b/samples/sample-vpc/template.yml index 5539b31bf..d311078c1 100644 --- a/samples/sample-vpc/template.yml +++ b/samples/sample-vpc/template.yml @@ -115,24 +115,24 @@ Resources: Properties: GroupDescription: Default Internet connectivity Security Group for EC2 instances SecurityGroupEgress: - - CidrIp: 0.0.0.0/0 - FromPort: 80 - IpProtocol: tcp - ToPort: 80 - - CidrIp: 0.0.0.0/0 - FromPort: 443 - IpProtocol: tcp - ToPort: 443 + - CidrIp: 0.0.0.0/0 + FromPort: 80 + IpProtocol: tcp + ToPort: 80 + - CidrIp: 0.0.0.0/0 + FromPort: 443 + IpProtocol: tcp + ToPort: 443 Tags: - - Key: Name - Value: - Fn::Sub: ${Environment}-default-internet-sg - - Key: Environment - Value: - Ref: Environment - - Key: CostCenter - Value: - Ref: CostCenter + - Key: Name + Value: + Fn::Sub: ${Environment}-default-internet-sg + - Key: Environment + Value: + Ref: Environment + - Key: CostCenter + Value: + Ref: CostCenter VpcId: Ref: VPC Type: AWS::EC2::SecurityGroup 
@@ -143,34 +143,34 @@ Resources: InternetGateway: Properties: Tags: - - Key: Name - Value: - Fn::Sub: ${Environment}-vpc - - Key: Environment - Value: - Ref: Environment - - Key: CostCenter - Value: - Ref: CostCenter + - Key: Name + Value: + Fn::Sub: ${Environment}-vpc + - Key: Environment + Value: + Ref: Environment + - Key: CostCenter + Value: + Ref: CostCenter Type: AWS::EC2::InternetGateway NATGateway: Properties: AllocationId: Fn::GetAtt: - - EIP - - AllocationId + - EIP + - AllocationId SubnetId: Ref: PublicSubnet1a Tags: - - Key: Name - Value: - Fn::Sub: ${Environment}-vpc - - Key: CostCenter - Value: - Ref: CostCenter - - Key: Environment - Value: - Ref: Environment + - Key: Name + Value: + Fn::Sub: ${Environment}-vpc + - Key: CostCenter + Value: + Ref: CostCenter + - Key: Environment + Value: + Ref: Environment Type: AWS::EC2::NatGateway PrivateRoute: Properties: @@ -183,15 +183,15 @@ Resources: PrivateRouteTable: Properties: Tags: - - Key: Name - Value: - Fn::Sub: ${Environment}-vpc - - Key: Environment - Value: - Ref: Environment - - Key: CostCenter - Value: - Ref: CostCenter + - Key: Name + Value: + Fn::Sub: ${Environment}-vpc + - Key: Environment + Value: + Ref: Environment + - Key: CostCenter + Value: + Ref: CostCenter VpcId: Ref: VPC Type: AWS::EC2::RouteTable @@ -199,21 +199,21 @@ Resources: Type: AWS::EC2::Subnet Properties: AvailabilityZone: - Fn::Select: + Fn::Select: - 0 - Fn::GetAZs: {Ref: 'AWS::Region'} VpcId: !Ref 'VPC' CidrBlock: !FindInMap ['SubnetConfig', 'PrivateOne', 'CIDR'] Tags: - - Key: Name - Value: - Fn::Sub: ${Environment}-vpc - - Key: Environment - Value: - Ref: Environment - - Key: CostCenter - Value: - Ref: CostCenter + - Key: Name + Value: + Fn::Sub: ${Environment}-vpc + - Key: Environment + Value: + Ref: Environment + - Key: CostCenter + Value: + Ref: CostCenter PrivateSubnet1aRouteTableAssociation: Properties: RouteTableId: 
@@ -225,21 +225,21 @@ Resources: Type: AWS::EC2::Subnet Properties: AvailabilityZone: - Fn::Select: + Fn::Select: - 1 - Fn::GetAZs: {Ref: 'AWS::Region'} VpcId: !Ref 'VPC' CidrBlock: !FindInMap ['SubnetConfig', 'PrivateTwo', 'CIDR'] Tags: - - Key: Name - Value: - Fn::Sub: ${Environment}-vpc - - Key: Environment - Value: - Ref: Environment - - Key: CostCenter - Value: - Ref: CostCenter + - Key: Name + Value: + Fn::Sub: ${Environment}-vpc + - Key: Environment + Value: + Ref: Environment + - Key: CostCenter + Value: + Ref: CostCenter PrivateSubnet1bRouteTableAssociation: Properties: RouteTableId: @@ -251,21 +251,21 @@ Resources: Type: AWS::EC2::Subnet Properties: AvailabilityZone: - Fn::Select: + Fn::Select: - 2 - Fn::GetAZs: {Ref: 'AWS::Region'} VpcId: !Ref 'VPC' CidrBlock: !FindInMap ['SubnetConfig', 'PrivateThree', 'CIDR'] Tags: - - Key: Name - Value: - Fn::Sub: ${Environment}-vpc - - Key: Environment - Value: - Ref: Environment - - Key: CostCenter - Value: - Ref: CostCenter + - Key: Name + Value: + Fn::Sub: ${Environment}-vpc + - Key: Environment + Value: + Ref: Environment + - Key: CostCenter + Value: + Ref: CostCenter PrivateSubnet1cRouteTableAssociation: Properties: RouteTableId: @@ -285,15 +285,15 @@ Resources: PublicRouteTable: Properties: Tags: - - Key: Name - Value: - Fn::Sub: ${Environment}-vpc - - Key: Environment - Value: - Ref: Environment - - Key: CostCenter - Value: - Ref: CostCenter + - Key: Name + Value: + Fn::Sub: ${Environment}-vpc + - Key: Environment + Value: + Ref: Environment + - Key: CostCenter + Value: + Ref: CostCenter VpcId: Ref: VPC Type: AWS::EC2::RouteTable 
@@ -301,22 +301,22 @@ Resources: Type: AWS::EC2::Subnet Properties: AvailabilityZone: - Fn::Select: + Fn::Select: - 0 - Fn::GetAZs: {Ref: 'AWS::Region'} VpcId: !Ref 'VPC' CidrBlock: !FindInMap ['SubnetConfig', 'PublicOne', 'CIDR'] MapPublicIpOnLaunch: true Tags: - - Key: Name - Value: - Fn::Sub: ${Environment}-vpc - - Key: Environment - Value: - Ref: Environment - - Key: CostCenter - Value: - Ref: CostCenter + - Key: Name + Value: + Fn::Sub: ${Environment}-vpc + - Key: Environment + Value: + Ref: Environment + - Key: CostCenter + Value: + Ref: CostCenter PublicSubnet1aRouteTableAssociation: Properties: RouteTableId: @@ -328,21 +328,21 @@ Resources: Type: AWS::EC2::Subnet Properties: AvailabilityZone: - Fn::Select: + Fn::Select: - 1 - Fn::GetAZs: {Ref: 'AWS::Region'} VpcId: !Ref 'VPC' CidrBlock: !FindInMap ['SubnetConfig', 'PublicTwo', 'CIDR'] Tags: - - Key: Name - Value: - Fn::Sub: ${Environment}-vpc - - Key: Environment - Value: - Ref: Environment - - Key: CostCenter - Value: - Ref: CostCenter + - Key: Name + Value: + Fn::Sub: ${Environment}-vpc + - Key: Environment + Value: + Ref: Environment + - Key: CostCenter + Value: + Ref: CostCenter PublicSubnet1bRouteTableAssociation: Properties: RouteTableId: @@ -354,21 +354,21 @@ Resources: Type: AWS::EC2::Subnet Properties: AvailabilityZone: - Fn::Select: + Fn::Select: - 2 - Fn::GetAZs: {Ref: 'AWS::Region'} VpcId: !Ref 'VPC' CidrBlock: !FindInMap ['SubnetConfig', 'PublicThree', 'CIDR'] Tags: - - Key: Name - Value: - Fn::Sub: ${Environment}-vpc - - Key: Environment - Value: - Ref: Environment - - Key: CostCenter - Value: - Ref: CostCenter + - Key: Name + Value: + Fn::Sub: ${Environment}-vpc + - Key: Environment + Value: + Ref: Environment + - Key: CostCenter + Value: + Ref: CostCenter PublicSubnet1cRouteTableAssociation: Properties: RouteTableId: 
@@ -382,13 +382,13 @@ Resources: EnableDnsHostnames: true CidrBlock: !FindInMap ['SubnetConfig', 'VPC', 'CIDR'] Tags: - - Key: Name - Value: - Fn::Sub: ${Environment}-vpc - - Key: Environment - Value: - Ref: Environment - - Key: CostCenter - Value: - Ref: CostCenter + - Key: Name + Value: + Fn::Sub: ${Environment}-vpc + - Key: Environment + Value: + Ref: Environment + - Key: CostCenter + Value: + Ref: CostCenter Type: AWS::EC2::VPC diff --git a/src/account_processing.yml b/src/account_processing.yml index 474579894..0e5c1dca0 100644 --- a/src/account_processing.yml +++ b/src/account_processing.yml @@ -5,19 +5,19 @@ Description: ADF CloudFormation Stack pertaing to account processing / OU manage Parameters: OrganizationID: Type: String - MinLength : "1" + MinLength: "1" ADFVersion: Type: String - MinLength : "1" + MinLength: "1" LambdaLayer: Type: String - MinLength : "1" + MinLength: "1" CrossAccountAccessRoleName: Type: String - MinLength : "1" + MinLength: "1" Globals: Function: 
@@ -438,152 +438,152 @@ Resources: RestrictPublicBuckets: true AccountManagementStateMachine: - Type: "AWS::StepFunctions::StateMachine" - Properties: - DefinitionString: !Sub |- - { - "Comment": "Create account?", - "StartAt": "CreateAccountChoice", - "States": { - "CreateAccountChoice": { - "Type": "Choice", - "Choices": [ - { - "Variable": "$.needs_created", - "BooleanEquals": true, - "Comment": "Create Account", - "Next": "CreateAccount" - } - ], - "Default": "ConfigureAccountAlias" - }, - "ConfigureAccountAlias": { - "Type": "Task", - "Resource": "${AccountAliasConfigFunction.Arn}", - "Retry": [{ - "ErrorEquals": ["States.TaskFailed"], - "IntervalSeconds": 3, - "BackoffRate": 1.5, - "MaxAttempts": 30 - }], - "Next": "ConfigureAccountTags" - }, - "CreateAccount": { - "Type": "Task", - "Resource": "${CreateAccountFunction.Arn}", - "Retry": [{ - "ErrorEquals": ["States.TaskFailed"], - "IntervalSeconds": 3, - "BackoffRate": 1.5, - "MaxAttempts": 30 - }], - "Next": "WaitFor10Seconds" - }, - "WaitFor10Seconds": { - "Type": "Wait", - "Seconds": 10, - "Next": "ConfigureAccountSupport" - }, - "ConfigureAccountSupport": { - "Type": "Task", - "Resource": "${RegisterAccountForSupportFunction.Arn}", - "Retry": [{ - "ErrorEquals": ["States.TaskFailed"], - "IntervalSeconds": 3, - "BackoffRate": 1.5, - "MaxAttempts": 30 - }], - "Next": "ConfigureAccountAlias" - }, - "ConfigureAccountTags": { - "Type": "Task", - "Resource": "${AccountTagConfigFunction.Arn}", - "Retry": [{ - "ErrorEquals": ["States.TaskFailed"], - "IntervalSeconds": 3, - "BackoffRate": 1.5, - "MaxAttempts": 30 - }], - "Next": "ConfigureAccountOU" - }, - "ConfigureAccountOU": { - "Type": "Task", - "Resource": "${AccountOUConfigFunction.Arn}", - "Retry": [{ - "ErrorEquals": ["States.TaskFailed"], - "IntervalSeconds": 3, - "BackoffRate": 1.5, - "MaxAttempts": 30 - }], - "Next": "DeleteDefaultVPCChoice" - }, - "DeleteDefaultVPCChoice": { - "Type": "Choice", - "Choices": [ - { - "Variable": "$.delete_default_vpc", - 
"BooleanEquals": true, - "Next": "GetAccountDefaultRegionsFunction" - } - ], - "Default": "Success" - }, - "GetAccountDefaultRegionsFunction": { - "Type": "Task", - "Resource": "${GetAccountRegionsFunction.Arn}", - "Retry": [{ - "ErrorEquals": ["States.TaskFailed"], - "IntervalSeconds": 3, - "BackoffRate": 1.5, - "MaxAttempts": 30 - }], - "Next": "DeleteDefaultVPCMap" - }, - "DeleteDefaultVPCMap": { - "Type": "Map", - "Next": "Success", - "Iterator": { - "StartAt": "DeleteDefaultVPC", - "States": { - "DeleteDefaultVPC": { - "Type": "Task", - "Resource": "${DeleteDefaultVPCFunction.Arn}", - "OutputPath": "$.Payload", - "Parameters": { - "Payload.$": "$" - }, - "Retry": [ - { - "ErrorEquals": [ - "Lambda.ServiceException", - "Lambda.AWSLambdaException", - "Lambda.SdkClientException" - ], - "IntervalSeconds": 2, - "MaxAttempts": 6, - "BackoffRate": 2 - } - ], - "End": true - } + Type: "AWS::StepFunctions::StateMachine" + Properties: + DefinitionString: !Sub |- + { + "Comment": "Create account?", + "StartAt": "CreateAccountChoice", + "States": { + "CreateAccountChoice": { + "Type": "Choice", + "Choices": [ + { + "Variable": "$.needs_created", + "BooleanEquals": true, + "Comment": "Create Account", + "Next": "CreateAccount" + } + ], + "Default": "ConfigureAccountAlias" + }, + "ConfigureAccountAlias": { + "Type": "Task", + "Resource": "${AccountAliasConfigFunction.Arn}", + "Retry": [{ + "ErrorEquals": ["States.TaskFailed"], + "IntervalSeconds": 3, + "BackoffRate": 1.5, + "MaxAttempts": 30 + }], + "Next": "ConfigureAccountTags" + }, + "CreateAccount": { + "Type": "Task", + "Resource": "${CreateAccountFunction.Arn}", + "Retry": [{ + "ErrorEquals": ["States.TaskFailed"], + "IntervalSeconds": 3, + "BackoffRate": 1.5, + "MaxAttempts": 30 + }], + "Next": "WaitFor10Seconds" + }, + "WaitFor10Seconds": { + "Type": "Wait", + "Seconds": 10, + "Next": "ConfigureAccountSupport" + }, + "ConfigureAccountSupport": { + "Type": "Task", + "Resource": 
"${RegisterAccountForSupportFunction.Arn}", + "Retry": [{ + "ErrorEquals": ["States.TaskFailed"], + "IntervalSeconds": 3, + "BackoffRate": 1.5, + "MaxAttempts": 30 + }], + "Next": "ConfigureAccountAlias" + }, + "ConfigureAccountTags": { + "Type": "Task", + "Resource": "${AccountTagConfigFunction.Arn}", + "Retry": [{ + "ErrorEquals": ["States.TaskFailed"], + "IntervalSeconds": 3, + "BackoffRate": 1.5, + "MaxAttempts": 30 + }], + "Next": "ConfigureAccountOU" + }, + "ConfigureAccountOU": { + "Type": "Task", + "Resource": "${AccountOUConfigFunction.Arn}", + "Retry": [{ + "ErrorEquals": ["States.TaskFailed"], + "IntervalSeconds": 3, + "BackoffRate": 1.5, + "MaxAttempts": 30 + }], + "Next": "DeleteDefaultVPCChoice" + }, + "DeleteDefaultVPCChoice": { + "Type": "Choice", + "Choices": [ + { + "Variable": "$.delete_default_vpc", + "BooleanEquals": true, + "Next": "GetAccountDefaultRegionsFunction" + } + ], + "Default": "Success" + }, + "GetAccountDefaultRegionsFunction": { + "Type": "Task", + "Resource": "${GetAccountRegionsFunction.Arn}", + "Retry": [{ + "ErrorEquals": ["States.TaskFailed"], + "IntervalSeconds": 3, + "BackoffRate": 1.5, + "MaxAttempts": 30 + }], + "Next": "DeleteDefaultVPCMap" + }, + "DeleteDefaultVPCMap": { + "Type": "Map", + "Next": "Success", + "Iterator": { + "StartAt": "DeleteDefaultVPC", + "States": { + "DeleteDefaultVPC": { + "Type": "Task", + "Resource": "${DeleteDefaultVPCFunction.Arn}", + "OutputPath": "$.Payload", + "Parameters": { + "Payload.$": "$" + }, + "Retry": [ + { + "ErrorEquals": [ + "Lambda.ServiceException", + "Lambda.AWSLambdaException", + "Lambda.SdkClientException" + ], + "IntervalSeconds": 2, + "MaxAttempts": 6, + "BackoffRate": 2 + } + ], + "End": true } - }, - "ItemsPath": "$.default_regions", - "MaxConcurrency": 20, - "Parameters": { - "region.$": "$$.Map.Item.Value", - "account_id.$": "$.account_id" - }, - "ResultPath": null + } }, - "Success": { - "Type": "Succeed" - } + "ItemsPath": "$.default_regions", + "MaxConcurrency": 
20, + "Parameters": { + "region.$": "$$.Map.Item.Value", + "account_id.$": "$.account_id" + }, + "ResultPath": null + }, + "Success": { + "Type": "Succeed" } } - RoleArn: !GetAtt StateMachineExecutionRole.Arn - TracingConfiguration: - Enabled: True + } + RoleArn: !GetAtt StateMachineExecutionRole.Arn + TracingConfiguration: + Enabled: true Outputs: Bucket: diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/example-global-iam.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/example-global-iam.yml index 9d6ad6c7b..e94687cae 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/example-global-iam.yml +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/example-global-iam.yml @@ -17,7 +17,7 @@ Resources: Statement: - Effect: Allow Sid: "CloudFormation" - Action: # These are examples.. + Action: # These are examples.. - "s3:*" - "ecr:*" Resource: diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml index 417d26dc2..154413452 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml 
@@ -30,11 +30,11 @@ Parameters: ComputeType: Description: The Compute Type to use for AWS CodeBuild Type: String - Default: "BUILD_GENERAL1_LARGE" # For threading with large amounts of pipelines this is the most effective default + Default: "BUILD_GENERAL1_LARGE" # For threading with large amounts of pipelines this is the most effective default AllowedValues: - - "BUILD_GENERAL1_SMALL" # 3 GB memory, 2 vCPU - - "BUILD_GENERAL1_MEDIUM" # 7 GB memory, 4 vCPU - - "BUILD_GENERAL1_LARGE" # 15 GB memory, 8 vCPU + - "BUILD_GENERAL1_SMALL" # 3 GB memory, 2 vCPU + - "BUILD_GENERAL1_MEDIUM" # 7 GB memory, 4 vCPU + - "BUILD_GENERAL1_LARGE" # 15 GB memory, 8 vCPU NotificationEndpoint: Type: "AWS::SSM::Parameter::Value" Default: notification_endpoint @@ -263,7 +263,7 @@ Resources: aws:PrincipalOrgID: !Ref OrganizationId Action: - "secretsmanager:Get*" - Resource: !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/adf/*" # Only allow CodeBuild access to secrets that start with /adf/* + Resource: !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/adf/*" # Only allow CodeBuild access to secrets that start with /adf/* - Effect: Allow Action: - "ssm:GetParameter" @@ -285,7 +285,7 @@ Resources: Resource: - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/* - Effect: Allow - Action: # If you plan on building docker images in CodeBuild you need these + Action: # If you plan on building docker images in CodeBuild you need these - "ecr:GetAuthorizationToken" - "ecr:InitiateLayerUpload" - "ecr:UploadLayerPart" 
@@ -346,7 +346,7 @@ Resources: - Effect: Allow Action: - "secretsmanager:Get*" - Resource: !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/adf/*" # Only allow CodeBuild access to secrets that start with /adf/* + Resource: !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/adf/*" # Only allow CodeBuild access to secrets that start with /adf/* - Effect: Allow Action: - "events:PutPermission" @@ -438,9 +438,9 @@ Resources: aws:PrincipalOrgID: !Ref OrganizationId - Effect: Allow Action: - - "iam:PassRole" # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html + - "iam:PassRole" # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html Resource: - - !Sub arn:${AWS::Partition}:iam::*:role/* # This role can pass to any other role in the organization. + - !Sub arn:${AWS::Partition}:iam::*:role/* # This role can pass to any other role in the organization. Condition: StringEquals: aws:PrincipalOrgID: !Ref OrganizationId @@ -563,7 +563,7 @@ Resources: Statement: - Effect: Allow Sid: "KMS" - Action: # These are required for cross account deployments via codepipeline. + Action: # These are required for cross account deployments via codepipeline. - "kms:Decrypt" - "kms:DescribeKey" - "kms:Encrypt" @@ -819,7 +819,7 @@ Resources: AWS: !Ref AWS::AccountId Action: - sts:AssumeRole - CodePipelineRolePolicy: # https://docs.aws.amazon.com/codepipeline/latest/userguide/how-to-custom-role.html#how-to-update-role-new-services + CodePipelineRolePolicy: # https://docs.aws.amazon.com/codepipeline/latest/userguide/how-to-custom-role.html#how-to-update-role-new-services Type: AWS::IAM::Policy DependsOn: PipelineBucketPolicy Properties: 
@@ -1059,7 +1059,7 @@ Resources:
- Effect: Allow
Action:
- "secretsmanager:Get*"
- Resource: !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/adf/*" # Only allow Lambda access to get secrets that start with /adf/*
+ Resource: !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/adf/*" # Only allow Lambda access to get secrets that start with /adf/*
- Effect: "Allow"
Action:
- "s3:Get*"
@@ -1272,7 +1272,7 @@ Resources:
- aws.codecommit
detail-type:
- "CodeCommit Repository State Change"
- resources:
+ resources:
- !Sub "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${CodeCommitRepository.Name}"
detail:
event:
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/initial_commit/pipelines_repository/example-deployment_map.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/initial_commit/pipelines_repository/example-deployment_map.yml
index 80e8dfca7..1de2e8791 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/initial_commit/pipelines_repository/example-deployment_map.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/initial_commit/pipelines_repository/example-deployment_map.yml
@@ -10,8 +10,8 @@ pipelines:
deploy:
provider: cloudformation
params:
- notification_endpoint: john@example.com # The Notification (user/team/slack) responsible for this pipeline
- restart_execution_on_update: True
+ notification_endpoint: john@example.com # The Notification (user/team/slack) responsible for this pipeline
+ restart_execution_on_update: true
targets: # Deployment stages
- /banking/testing # This will use the default deployment action as defined above
- path: /banking/production
@@ -19,10 +19,11 @@ pipelines:
# while using specific properties for this target:
properties:
stack_name: my-cool-iam-stack # Override the default stack name to a specific one, useful when adopting a stack into ADF
- change_set_approval: True # Override deploy action above and insert an approval in between create + execute change set
+ change_set_approval: true # Override deploy action above and insert an approval in between create + execute change set
- provider: lambda
properties: # See https://docs.aws.amazon.com/codepipeline/latest/userguide/actions-invoke-lambda-function.html
- input: {"name": "jon_doe"} # This input will be passed to the function as a string
+ input:
+ name: john_doe # This input will be passed to the function as a string
function_name: my_lambda_function
- name: ami-builder # The name of your pipeline (by default, the repository name will match the pipeline name)
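Review bot: The trailing comment now hangs off `name: john_doe` instead of `input:`, so it reads as if only the `name` value is what gets handed to the function as a string, whereas before it described the whole `input` mapping. Move it up to the parent key, `input: # This input will be passed to the function as a string`, and leave `name: john_doe` bare. The hunk also changes the sample value from `jon_doe` to `john_doe`, which goes beyond the lint-driven reformatting the rest of the commit does; presumably intentional, but it deserves a line in the commit message so nobody reads it as a behavioural change. The enclosing pipeline definition starts above the hunk.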
@@ -51,16 +52,16 @@ pipelines:
source:
provider: github
properties:
- repository: example-vpc-adf # Optional, above name property will be used if this is not specified
+ repository: example-vpc-adf # Optional, above name property will be used if this is not specified
owner: bundyfx
- oauth_token_path: /adf/github_token # The path in AWS Secrets Manager that holds the GitHub Oauth token, ADF only has access to /adf/ prefix in Secrets Manager
- json_field: token # The field (key) name of the json object stored in AWS Secrets Manager that holds the Oauth token
+ oauth_token_path: /adf/github_token # The path in AWS Secrets Manager that holds the GitHub Oauth token, ADF only has access to /adf/ prefix in Secrets Manager
+ json_field: token # The field (key) name of the json object stored in AWS Secrets Manager that holds the Oauth token
deploy:
provider: cloudformation
properties:
action: replace_on_failure
params:
- notification_endpoint: john@example.com
+ notification_endpoint: john@example.com
targets: # Long hand syntax including regions and names for stages
- path: /banking/testing
name: fancy-name
@@ -76,7 +77,7 @@ pipelines:
params:
notification_endpoint: team@example.com
targets:
- - [ /banking/testing, /banking/production ]
+ - [/banking/testing, /banking/production]
- name: sample-custom # Using a custom pipeline, we can execute code within CodeBuild to perform whichever tasks are required.
default_providers:
@@ -120,7 +121,7 @@ pipelines:
deploy:
provider: codedeploy
params:
- notification_endpoint: deployments
+ notification_endpoint: deployments
targets:
- target: 222222222222
properties: # These are stage specific properties for our deploy action
@@ -153,7 +154,7 @@ pipelines:
object_key: input.zip
account_id: 444444444444
build:
- enabled: False # If you wish to disable the build phase in a pipeline
+ enabled: false # If you wish to disable the build phase in a pipeline
deploy:
provider: s3
targets:
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml
index 053f6d0e0..4ae44f621 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml
@@ -17,9 +17,9 @@ Resources:
Statement:
- Effect: Allow
Sid: "CloudFormation"
- Action: # These below actions are examples, change these to your requirements..
+ Action: # These below actions are examples, change these to your requirements..
- "apigateway:*"
- - "cloudformation:*" # You will need Cloudformation actions in order to work with Cloudformation
+ - "cloudformation:*" # You will need Cloudformation actions in order to work with Cloudformation
- "ecr:*"
- "ecs:*"
- "ec2:*"
@@ -33,39 +33,39 @@ Resources:
Resource:
- "*"
Roles:
- - adf-cloudformation-deployment-role # This role is created in the global.yml and is the default cloudformation deployment role for ADF.
+ - adf-cloudformation-deployment-role # This role is created in the global.yml and is the default cloudformation deployment role for ADF.
- # MyExampleCustomRole:
- # # Am example custom role that you would need to create in order to deploy custom resources in other AWS Accounts within the organization.
- # Type: AWS::IAM::Role
- # Properties:
- # RoleName: "adf-custom-deploy-role"
- # AssumeRolePolicyDocument:
- # Version: "2012-10-17"
- # Statement:
- # - Effect: Allow
- # Sid: "AssumeRole"
- # Principal:
- # AWS:
- # # This would allow all codebuild projects to be able to assume this role
- # # - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
- # - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/my-custom-codebuild-role
- # # The above role would be created on the deployment account for the purpose deploying this custom resource via codebuild
- # Action:
- # - sts:AssumeRole
- # Path: /
- # MyExampleCustomRolePolicy:
- # Type: AWS::IAM::Policy
- # Properties:
- # PolicyName: "adf-custom-deploy-role-policy"
- # PolicyDocument:
- # Version: "2012-10-17"
- # Statement:
- # - Effect: Allow
- # Action:
- # - "ec2:*"
- # - "s3:*"
- # Resource:
- # - "*"
- # Roles:
- # - !Ref MyExampleCustomRole
+# MyExampleCustomRole:
+# # Am example custom role that you would need to create in order to deploy custom resources in other AWS Accounts within the organization.
+# Type: AWS::IAM::Role
+# Properties:
+# RoleName: "adf-custom-deploy-role"
+# AssumeRolePolicyDocument:
+# Version: "2012-10-17"
+# Statement:
+# - Effect: Allow
+# Sid: "AssumeRole"
+# Principal:
+# AWS:
+# # This would allow all codebuild projects to be able to assume this role
+# # - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
+# - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/my-custom-codebuild-role
+# # The above role would be created on the deployment account for the purpose deploying this custom resource via codebuild
+# Action:
+# - sts:AssumeRole
+# Path: /
+# MyExampleCustomRolePolicy:
+# Type: AWS::IAM::Policy
+# Properties:
+# PolicyName: "adf-custom-deploy-role-policy"
+# PolicyDocument:
+# Version: "2012-10-17"
+# Statement:
+# - Effect: Allow
+# Action:
+# - "ec2:*"
+# - "s3:*"
+# Resource:
+# - "*"
+# Roles:
+# - !Ref MyExampleCustomRole
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/global.yml
index ae354d157..902bfc011 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/global.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/global.yml
@@ -47,7 +47,7 @@ Resources:
Resource: "*"
Roles:
- !Ref OrganizationsReadOnlyRole
- OrganizationsRole: # Only required if you intend to bootstrap the master account.
+ OrganizationsRole: # Only required if you intend to bootstrap the master account.
Type: AWS::IAM::Role
Properties:
RoleName: !Ref CrossAccountAccessRole
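Review bot: The re-added description line `# # Am example custom role ...` carries a typo on the new side; since every line of this commented block is rewritten here, fix it to `# # An example custom role that you would need to create in order to deploy custom resources in other AWS Accounts within the organization.`. The example policy further down still grants `ec2:*` and `s3:*` against `Resource: "*"`, and nothing in the block says that is a placeholder; a comment such as `# # Illustrative only: scope Action and Resource to what the custom resource actually needs before uncommenting` would keep readers from copying the wildcard grant as-is. Nothing else in this file is touched after the hunk.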
@@ -57,11 +57,11 @@ Resources:
- Effect: Allow
Principal:
AWS:
- - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" # To update the master account
+ - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" # To update the master account
Action:
- sts:AssumeRole
Path: /
- OrganizationsPolicy: # Only required if you intend to bootstrap the master account.
+ OrganizationsPolicy: # Only required if you intend to bootstrap the master account.
Type: AWS::IAM::Policy
Properties:
PolicyName: "adf-master-account-bootstrap-policy"
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/example-adfconfig.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/example-adfconfig.yml
index 67ae1a896..f0940c408 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/example-adfconfig.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/example-adfconfig.yml
@@ -2,8 +2,8 @@ roles:
cross-account-access: OrganizationAccountAccessRole # The role by ADF to assume cross account access
regions:
- deployment-account: eu-central-1 # The region you define as your main deployment region
- targets: # A list of regions you wish to bootstrap and also deploy into via pipelines (Other than the Deployment Account region)
+ deployment-account: eu-central-1 # The region you define as your main deployment region
+ targets: # A list of regions you wish to bootstrap and also deploy into via pipelines (Other than the Deployment Account region)
- eu-west-1
config:
@@ -16,5 +16,5 @@ config:
scp:
keep-default-scp: enabled # Determines if the default AWSFullAccess SCP stays attached to all OU's
scm: # Source control management
- auto-create-repositories: enabled # If true and using CodeCommit as source, the repository will be automatically created
- default-scm-branch: master # The default branch is used when the pipeline does not specify a specific branch. If this parameter is not specified, it defaults to the "master" branch.
+ auto-create-repositories: enabled # If true and using CodeCommit as source, the repository will be automatically created
+ default-scm-branch: master # The default branch is used when the pipeline does not specify a specific branch. If this parameter is not specified, it defaults to the "master" branch.
diff --git a/src/template.yml b/src/template.yml
index 52ed51bcd..f3b99c465 100644
--- a/src/template.yml
+++ b/src/template.yml
@@ -523,7 +523,7 @@ Resources:
- Name: S3_BUCKET
Value: !Ref BootstrapTemplatesBucket
- Name: ACCOUNT_BUCKET
- Value: !GetAtt AccountProcessingApplication.Outputs.Bucket
+ Value: !GetAtt AccountProcessingApplication.Outputs.Bucket
- Name: MASTER_ACCOUNT_ID
Value: !Ref AWS::AccountId
- Name: DEPLOYMENT_ACCOUNT_BUCKET