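---
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create StackSet Execution and Administrator Roles for Target Accounts - (v1.0.0)"

# Self-managed StackSets permission model implemented by this template:
#   cloudformation.amazonaws.com
#     -> assumes StackSetAdministrationRole (administrator account)
#       -> assumes AWSCloudFormationStackSetExecutionRole (each target account)
# The execution role carries the permissions StackSets use to create resources
# in the target account, so its trust policy and attached policies are the
# security boundary between the administrator account and every target.

Parameters:
  # General Configuration
  StackSetAdministratorAccountId:
    Type: "String"
    Description: >-
      AWS Account ID of the administrator account (the account in which StackSets will be created).
      Only the StackSet administration role in this account is allowed to assume the execution role.
    MinLength: 12
    MaxLength: 12
    # MinLength/MaxLength alone accept any 12 characters; a malformed ID would
    # either fail to deploy or put the wrong principal into the trust policy.
    AllowedPattern: "^[0-9]{12}$"
    ConstraintDescription: "Must be a 12-digit AWS account ID."
  StackSetAdministrationRoleName:
    Type: "String"
    Description: >-
      Name of the StackSet administration role. Used as the RoleName of the administration role
      created by this template and as the only principal in the administrator account permitted
      to assume the execution role. Must match the administration role the StackSet is configured
      to use; the role is expected at IAM path "/".
    Default: "AWSCloudFormationStackSetAdministrationRole"
    MinLength: 1
    MaxLength: 64
    AllowedPattern: '^[\w+=,.@-]+$'
    ConstraintDescription: "Must be a valid IAM role name (1-64 characters from A-Z, a-z, 0-9, +=,.@-_)."

Resources:
  StackSetExecutionRole:
    Type: "AWS::IAM::Role"
    Properties:
      # Fixed name: StackSets locate this role by name in every target account.
      RoleName: "AWSCloudFormationStackSetExecutionRole"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS:
                - !Ref StackSetAdministratorAccountId
            Action:
              - "sts:AssumeRole"
            # The account principal above on its own admits every IAM principal
            # in the administrator account that holds sts:AssumeRole. The
            # condition narrows it to the administration role. A condition is
            # used instead of naming the role as the principal because IAM does
            # not validate a condition ARN against the remote account at deploy
            # time, and it keeps working if that role is ever deleted and
            # recreated (a role principal is stored as the role's unique ID).
            Condition:
              ArnEquals:
                "aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${StackSetAdministratorAccountId}:role/${StackSetAdministrationRoleName}"
      Path: "/"
      # NOTE: Select the managed policies that your templates will need, do not
      # keep this role with administrator access. With AdministratorAccess the
      # administration role effectively has full control of every target
      # account; scope this list to what the deployed templates need, or add a
      # PermissionsBoundary if the set of templates is not known in advance.
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess"

  # NOTE(review): only the account that creates StackSets needs an
  # administration role. If this template is also deployed to pure target
  # accounts, consider guarding this resource with a Condition so that an
  # unused cloudformation.amazonaws.com-trusted role is not left behind.
  StackSetAdministrationRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: !Ref StackSetAdministrationRoleName
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service: "cloudformation.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      Policies:
        - PolicyName: "AssumeRole-AWSCloudFormationStackSetExecutionRole"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "sts:AssumeRole"
                # Execution roles in any account of the current partition.
                # sts:AssumeRole cannot cross partitions, so "arn:*" would be no
                # broader in effect - this form just states the scope explicitly.
                Resource:
                  - !Sub "arn:${AWS::Partition}:iam::*:role/AWSCloudFormationStackSetExecutionRole"

Outputs:
  StackSetExecutionRoleName:
    Description: "The name of the StackSet Execution Role."
    Value: !Ref StackSetExecutionRole
    Export:
      Name: !Sub "${AWS::StackName}-StackSetExecutionRoleName"
  StackSetExecutionRoleArn:
    Description: "The ARN of the StackSet Execution Role."
    Value: !GetAtt StackSetExecutionRole.Arn
    Export:
      Name: !Sub "${AWS::StackName}-StackSetExecutionRoleArn"
  StackSetExecutionRoleId:
    Description: "The Role ID of the StackSet Execution Role."
    Value: !GetAtt StackSetExecutionRole.RoleId
    Export:
      Name: !Sub "${AWS::StackName}-StackSetExecutionRoleId"
  StackSetAdministrationRoleName:
    Description: "The name of the StackSet Administration Role."
    Value: !Ref StackSetAdministrationRole
    Export:
      Name: !Sub "${AWS::StackName}-StackSetAdministrationRoleName"
  StackSetAdministrationRoleArn:
    Description: "The ARN of the StackSet Administration Role."
    Value: !GetAtt StackSetAdministrationRole.Arn
    Export:
      Name: !Sub "${AWS::StackName}-StackSetAdministrationRoleArn"
  StackSetAdministrationRoleId:
    # Was mislabelled as the Execution Role ID.
    Description: "The Role ID of the StackSet Administration Role."
    Value: !GetAtt StackSetAdministrationRole.RoleId
    Export:
      Name: !Sub "${AWS::StackName}-StackSetAdministrationRoleId"

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: "General Configuration"
        Parameters:
          - StackSetAdministratorAccountId
          - StackSetAdministrationRoleName
    ParameterLabels:
      StackSetAdministratorAccountId:
        default: "StackSet Administrator Account ID:"
      StackSetAdministrationRoleName:
        default: "StackSet Administration Role Name:"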