{ "Description": "(SO0199) Landing Zone Accelerator on AWS. Version 1.15.2.", "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Source Code Repository Configuration" }, "Parameters": [ "RepositorySource", "RepositoryOwner", "RepositoryName", "RepositoryBranchName" ] }, { "Label": { "default": "Pipeline Configuration" }, "Parameters": [ "EnableApprovalStage", "ApprovalStageNotifyEmailList" ] }, { "Label": { "default": "Mandatory Accounts Configuration" }, "Parameters": [ "ManagementAccountEmail", "LogArchiveAccountEmail", "AuditAccountEmail" ] }, { "Label": { "default": "Environment Configuration" }, "Parameters": [ "ControlTowerEnabled", "AcceleratorPrefix", "EnableDiagnosticsPack" ] }, { "Label": { "default": "Config Repository Configuration" }, "Parameters": [ "ConfigurationRepositoryLocation", "UseExistingConfigRepo", "ExistingConfigRepositoryName", "ExistingConfigRepositoryBranchName", "ExistingConfigRepositoryOwner", "ConfigCodeConnectionArn" ] } ], "ParameterLabels": { "RepositorySource": { "default": "Source Location" }, "RepositoryOwner": { "default": "Repository Owner" }, "RepositoryName": { "default": "Repository Name" }, "RepositoryBranchName": { "default": "Branch Name" }, "ConfigurationRepositoryLocation": { "default": "Configuration Repository Location" }, "UseExistingConfigRepo": { "default": "Use Existing Config Repository" }, "ExistingConfigRepositoryName": { "default": "Existing Config Repository Name" }, "ExistingConfigRepositoryBranchName": { "default": "Existing Config Repository Branch Name" }, "ExistingConfigRepositoryOwner": { "default": "Existing Config Repository Owner" }, "ConfigCodeConnectionArn": { "default": "Existing Config Repository CodeConnection ARN" }, "EnableDiagnosticsPack": { "default": "Enable Diagnostics Pack" }, "EnableApprovalStage": { "default": "Enable Approval Stage" }, "ApprovalStageNotifyEmailList": { "default": "Manual Approval Stage notification email list" }, "ManagementAccountEmail": { "default": "Management Account Email" }, "LogArchiveAccountEmail": { "default": "Log Archive Account Email" }, "AuditAccountEmail": { "default": "Audit Account Email" }, "ControlTowerEnabled": { "default": "Control Tower Environment" }, "AcceleratorPrefix": { "default": "Accelerator Resource name prefix" } } } }, "Parameters": { "RepositorySource": { "Type": "String", "Default": "github", "AllowedValues": [ "github", "codecommit" ], "Description": "Specify the location to use to host the LZA source code" }, "RepositoryOwner": { "Type": "String", "Default": "awslabs", "Description": "The owner of the repository containing the accelerator code. (GitHub Only)" }, "RepositoryName": { "Type": "String", "Default": "landing-zone-accelerator-on-aws", "Description": "The name of the git repository hosting the accelerator code" }, "RepositoryBranchName": { "Type": "String", "Default": "release/v1.15.2", "AllowedPattern": ".+", "ConstraintDescription": "The repository branch name must not be empty", "Description": "The name of the git branch to use for installation. To determine the branch name, navigate to the Landing Zone Accelerator GitHub branches page and choose the release branch you would like to deploy. Release branch names will align with the semantic versioning of our GitHub releases. New release branches will be available as the open source project is updated with new features." }, "EnableApprovalStage": { "Type": "String", "Default": "Yes", "AllowedValues": [ "Yes", "No" ], "Description": "Select yes to add a Manual Approval stage to accelerator pipeline" }, "ApprovalStageNotifyEmailList": { "Type": "String", "AllowedPattern": "^$|^[^\\s@]+@[^\\s@]+\\.[^\\s@]+(\\s*,\\s*[^\\s@]+@[^\\s@]+\\.[^\\s@]+)*$", "ConstraintDescription": "Must be a valid list of one or more email addresses separated by commas", "Description": "Provide comma(,) separated list of email ids to receive manual approval stage notification email" }, "ManagementAccountEmail": { "Type": "String", "AllowedPattern": "[^\\s@]+@[^\\s@]+\\.[^\\s@]+", "ConstraintDescription": "Must be a valid email address matching \"[^\\s@]+@[^\\s@]+\\.[^\\s@]+\"", "Description": "The management (primary) account email - NOTE: This must match the address of the management account email as listed in AWS Organizations > AWS accounts." }, "LogArchiveAccountEmail": { "Type": "String", "AllowedPattern": "[^\\s@]+@[^\\s@]+\\.[^\\s@]+", "ConstraintDescription": "Must be a valid email address matching \"[^\\s@]+@[^\\s@]+\\.[^\\s@]+\"", "Description": "The log archive account email" }, "AuditAccountEmail": { "Type": "String", "AllowedPattern": "[^\\s@]+@[^\\s@]+\\.[^\\s@]+", "ConstraintDescription": "Must be a valid email address matching \"[^\\s@]+@[^\\s@]+\\.[^\\s@]+\"", "Description": "The security audit account (also referred to as the audit account)" }, "ControlTowerEnabled": { "Type": "String", "Default": "Yes", "AllowedValues": [ "Yes", "No" ], "Description": "Select yes if deploying to a Control Tower environment. Select no if using just Organizations. If no, you must first set up mandatory accounts." }, "AcceleratorPrefix": { "Type": "String", "Default": "AWSAccelerator", "AllowedPattern": "[A-Za-z0-9-]+", "Description": "The prefix value for accelerator deployed resources. Leave the default value if using solution defined resource name prefix, the solution will use AWSAccelerator as resource name prefix. Note: Updating this value after initial installation will cause stack failure. Non-default value can not start with keyword \"aws\" or \"ssm\". Trailing dash (-) in non-default value will be ignored.", "MaxLength": 15 }, "ConfigurationRepositoryLocation": { "Type": "String", "AllowedValues": [ "codecommit", "s3", "codeconnection" ], "Description": "Specify the location to use to host the LZA configuration files" }, "UseExistingConfigRepo": { "Type": "String", "Default": "No", "AllowedValues": [ "Yes", "No" ], "Description": "Select Yes if deploying the solution with an existing configuration repository. Leave the default value if using the solution-deployed repository. If the AcceleratorPrefix parameter is set to the default value, the solution will deploy a repository named \"aws-accelerator-config.\" Otherwise, the solution-deployed repository will be named \"AcceleratorPrefix-config.\" Note: Updating this value after initial installation may cause adverse affects." }, "ConfigCodeConnectionArn": { "Type": "String", "Default": "", "Description": "The ARN of an AWS CodeConnection referencing your existing LZA configuration repository. To use this parameter, useExistingConfigRepo must be set to Yes and ConfigurationRepositoryLocation must be set to codeconnection." }, "ExistingConfigRepositoryOwner": { "Type": "String", "Default": "", "Description": "The owner ID or namespace of the LZA configuration repository accessed through CodeConnection, such as the owner ID in GitHub. (CodeConnection only)" }, "ExistingConfigRepositoryName": { "Type": "String", "Default": "", "Description": "The name of an existing LZA configuration repository hosting the accelerator configuration." }, "ExistingConfigRepositoryBranchName": { "Type": "String", "Default": "", "Description": "Specify the branch name of the existing LZA configuration repository to pull the accelerator configuration from." }, "EnableDiagnosticsPack": { "Type": "String", "Default": "Yes", "AllowedValues": [ "Yes", "No" ], "Description": "Select Yes if deploying the solution with diagnostics pack enabled. Diagnostics pack enables you to generate root cause reports to potentially diagnose pipeline failures." } }, "Mappings": { "GlobalRegionMap": { "aws": { "regionName": "us-east-1" }, "aws-us-gov": { "regionName": "us-gov-west-1" }, "aws-iso-e": { "regionName": "eu-isoe-west-1" }, "aws-iso-f": { "regionName": "us-isof-south-1" }, "aws-iso-b": { "regionName": "us-isob-east-1" }, "aws-iso": { "regionName": "us-iso-east-1" }, "aws-cn": { "regionName": "cn-northwest-1" } }, "SolutionHelperAnonymousData14B64A81": { "SendAnonymizedData": { "Data": "Yes" } } }, "Rules": { "RequireApprovalNotificationEmail": { "RuleCondition": { "Fn::Equals": [ { "Ref": "EnableApprovalStage" }, "Yes" ] }, "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Equals": [ { "Ref": "ApprovalStageNotifyEmailList" }, "" ] } ] }, "AssertDescription": "Approval Stage notification email list is required when approval is enabled" } ] }, "RequiredParametersForCodeConnection": { "RuleCondition": { "Fn::Equals": [ "codeconnection", { "Ref": "ConfigurationRepositoryLocation" } ] }, "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Equals": [ "", { "Ref": "ConfigCodeConnectionArn" } ] } ] }, "AssertDescription": "codeconnectionArn parameter must be provided when configRepositoryLocation is set to codeconnection" }, { "Assert": { "Fn::Not": [ { "Fn::Equals": [ "No", { "Ref": "UseExistingConfigRepo" } ] } ] }, "AssertDescription": "useExistingConfigRepo parameter must be set to \"Yes\" when configRepositoryLocation is set to codeconnection" }, { "Assert": { "Fn::Not": [ { "Fn::Equals": [ "", { "Ref": "ExistingConfigRepositoryOwner" } ] } ] }, "AssertDescription": "existingConfigRepositoryOwner parameter must be populated when configRepositoryLocation is set to codeconnection" } ] }, "RequiredParametersForExistingRepo": { "RuleCondition": { "Fn::Equals": [ "Yes", { "Ref": "UseExistingConfigRepo" } ] }, "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Equals": [ "", { "Ref": "ExistingConfigRepositoryBranchName" } ] } ] }, "AssertDescription": "existingConfigRepositoryBranchName parameter must be provided when useExistingRepository is set to Yes" }, { "Assert": { "Fn::Not": [ { "Fn::Equals": [ "", { "Ref": "ExistingConfigRepositoryName" } ] } ] }, "AssertDescription": "existingConfigRepositoryName parameter must be provided when useExistingRepository is set to Yes" } ] }, "RequiredParametersForS3Repo": { "RuleCondition": { "Fn::Equals": [ "s3", { "Ref": "ConfigurationRepositoryLocation" } ] }, "Assertions": [ { "Assert": { "Fn::And": [ { "Fn::Equals": [ "", { "Ref": "ExistingConfigRepositoryName" } ] }, { "Fn::Equals": [ "", { "Ref": "ExistingConfigRepositoryBranchName" } ] }, { "Fn::Equals": [ "No", { "Ref": "UseExistingConfigRepo" } ] } ] }, "AssertDescription": "Existing configuration repository parameters cannot be provided when configurationRepositoryLocation is set to s3" } ] } }, "Resources": { "ResourceNamePrefixesResourceNamePrefixesFunctionServiceRole17DDBBF2": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] ] } ], "Tags": [ { "Key": "Accelerator", "Value": { "Ref": "AcceleratorPrefix" } } ] }, "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/ResourceNamePrefixes/ResourceNamePrefixesFunction/ServiceRole/Resource", "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM4", "reason": "Needed to write to CWL group" }, { "id": "AwsSolutions-IAM5", "reason": "Needed to create SSM parameter for prefix" } ] } } }, "ResourceNamePrefixesResourceNamePrefixesFunctionServiceRoleDefaultPolicyDC1CC159": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter", "ssm:DeleteParameter" ], "Condition": { "StringEquals": { "aws:PrincipalAccount": { "Ref": "AWS::AccountId" } } }, "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":parameter/accelerator/lza-prefix" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":parameter/accelerator/AWSAccelerator-PipelineStack-", { "Ref": "AWS::AccountId" }, "-", { "Ref": "AWS::Region" }, "/version" ] ] } ], "Sid": "SsmReadParameterAccess" } ], "Version": "2012-10-17" }, "PolicyName": "ResourceNamePrefixesResourceNamePrefixesFunctionServiceRoleDefaultPolicyDC1CC159", "Roles": [ { "Ref": "ResourceNamePrefixesResourceNamePrefixesFunctionServiceRole17DDBBF2" } ] }, "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/ResourceNamePrefixes/ResourceNamePrefixesFunction/ServiceRole/DefaultPolicy/Resource", "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM4", "reason": "Needed to write to CWL group" }, { "id": "AwsSolutions-IAM5", "reason": "Needed to create SSM parameter for prefix" } ] } } }, "ResourceNamePrefixesResourceNamePrefixesFunction138C66F1": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "ZipFile": "\n const response = require('cfn-response'); \n const { SSMClient, DeleteParameterCommand, GetParameterCommand, ParameterNotFound, PutParameterCommand } = require(\"@aws-sdk/client-ssm\");\n const { ConfiguredRetryStrategy } = require(\"@aws-sdk/util-retry\");\n exports.handler = async function (event, context) { \n console.log(JSON.stringify(event, null, 4)); \n const prefix=event.ResourceProperties.prefix;\n const pipelineStackVersionSsmParamName=event.ResourceProperties.pipelineStackVersionSsmParamName;\n const lowerCasePrefix=prefix.toLowerCase();\n \n const ssm = new SSMClient({retryStrategy: new ConfiguredRetryStrategy(10, (attempt) => 100 + attempt * 1000)});\n \n let data = {};\n \n let paramName = event.ResourceProperties.prefixParameterName;\n \n if (lowerCasePrefix === 'awsaccelerator') {\n data['acceleratorPrefix'] = 'AWSAccelerator';\n data['lowerCasePrefix'] = 'aws-accelerator'; \n data['oneWordPrefix'] = 'accelerator'; \n } else {\n data['acceleratorPrefix'] = prefix;\n data['lowerCasePrefix'] = lowerCasePrefix; \n data['oneWordPrefix'] = prefix; \n }\n \n\n if (event.RequestType === 'Update'){\n\n var params = {\n Name: paramName,\n };\n try {\n const ssmResponse = await ssm.send(new GetParameterCommand(params));\n // Fail stack if prefix was changed during update\n if (ssmResponse.Parameter.Value !== prefix) {\n await response.send(event, context, response.FAILED, {'FailureReason': 'LZA does not allow changing AcceleratorPrefix parameter value after initial deploy !!! Existing prefix: ' + event.OldResourceProperties.prefix + ' New prefix: ' + prefix + '.' }, event.PhysicalResourceId);\n return;\n }\n await response.send(event, context, response.SUCCESS, data, event.PhysicalResourceId);\n } catch (error) {\n console.log(error);\n if (error instanceof ParameterNotFound){\n await response.send(event, context, response.FAILED, {'FailureReason': 'LZA prefix ssm parameter ' + paramName + ' not found!!! Recreate the parameter with existing AcceleratorPrefix parameter value to fix the issue'}, event.PhysicalResourceId);\n return;\n }\n else {\n await response.send(event, context, response.FAILED, {'FailureReason': error.code + ' error occurred while accessing LZA prefix ssm parameter ' + paramName }, event.PhysicalResourceId);\n return;\n }\n } \n } \n \n if (event.RequestType === 'Create') {\n \n if (lowerCasePrefix !== 'awsaccelerator') {\n // Fail stack if prefix starts with aws or ssm\n if (lowerCasePrefix.startsWith('aws') || lowerCasePrefix.startsWith('ssm')) { \n await response.send(event, context, response.FAILED, {'FailureReason': 'Accelerator prefix ' + prefix + ' can not be started with aws or ssm !!!'}, event.PhysicalResourceId);\n return;\n }\n\n // Check if this is an existing deployment and prefix changed with initial deployment of custom resource\n var versionParams = {\n Name: pipelineStackVersionSsmParamName,\n };\n try {\n await ssm.send(new GetParameterCommand(versionParams));\n await response.send(event, context, response.FAILED, {'FailureReason': 'Can not change AcceleratorPrefix parameter for existing deployment, existing prefix value is AWSAccelerator, keep AcceleratorPrefix parameter value to default value for successfully stack update !!!'}, event.PhysicalResourceId);\n return;\n }\n catch (error) {\n console.log(error);\n if (!(error instanceof ParameterNotFound)){\n await response.send(event, context, response.FAILED, {'FailureReason': error.code + ' error occurred while accessing LZA ssm parameter ' + pipelineStackVersionSsmParamName }, event.PhysicalResourceId);\n return;\n }\n }\n }\n \n // Create /accelerator/lza-prefix SSM parameter to store prefix value to protect updating prefix\n try {\n var newParams = {\n Name: paramName,\n Value: prefix,\n Description: 'LZA created SSM parameter for Accelerator prefix value, DO NOT MODIFY/DELETE this parameter',\n Type: 'String',\n };\n await ssm.send(new PutParameterCommand(newParams));\n await response.send(event, context, response.SUCCESS, data, event.PhysicalResourceId);\n }\n catch (error) {\n console.log(error);\n await response.send(event, context, response.FAILED, {'FailureReason': error.code + ' error occurred while creating LZA prefix ssm parameter ' + paramName }, event.PhysicalResourceId);\n return;\n }\n }\n if (event.RequestType === 'Delete') {\n\n var deleteParams = {\n Name: paramName,\n };\n try {\n await ssm.send(new DeleteParameterCommand(deleteParams));\n }\n catch (error) {\n console.log(error);\n if (!(error instanceof ParameterNotFound)){\n await response.send(event, context, response.FAILED, {'FailureReason': error.code + ' error occurred while deleting LZA ssm parameter ' + paramName }, event.PhysicalResourceId);\n return;\n }\n }\n await response.send(event, context, response.SUCCESS, {'Status': 'Custom resource deleted successfully' }, event.PhysicalResourceId);\n }\n \n return;\n }" }, "Description": "This function converts accelerator prefix parameter to lower case to name s3 buckets in installer stack", "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "ResourceNamePrefixesResourceNamePrefixesFunctionServiceRole17DDBBF2", "Arn" ] }, "Runtime": "nodejs22.x", "Tags": [ { "Key": "Accelerator", "Value": { "Ref": "AcceleratorPrefix" } } ] }, "DependsOn": [ "ResourceNamePrefixesResourceNamePrefixesFunctionServiceRoleDefaultPolicyDC1CC159", "ResourceNamePrefixesResourceNamePrefixesFunctionServiceRole17DDBBF2" ], "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/ResourceNamePrefixes/ResourceNamePrefixesFunction/Resource", "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM4", "reason": "Needed to write to CWL group" }, { "id": "AwsSolutions-IAM5", "reason": "Needed to create SSM parameter for prefix" } ] }, "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "CloudWatch Logs are enabled in AWSLambdaBasicExecutionRole" }, { "id": "W89", "reason": "This function supports infrastructure deployment and is not deployed inside a VPC." }, { "id": "W92", "reason": "This function supports infrastructure deployment and does not require setting ReservedConcurrentExecutions." } ] } } }, "ResourceNamePrefixesGetPrefixResource96A10E6E": { "Type": "Custom::GetPrefixes", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "ResourceNamePrefixesResourceNamePrefixesFunction138C66F1", "Arn" ] }, "prefix": { "Ref": "AcceleratorPrefix" }, "pipelineStackVersionSsmParamName": { "Fn::Join": [ "", [ "/accelerator/AWSAccelerator-PipelineStack-", { "Ref": "AWS::AccountId" }, "-", { "Ref": "AWS::Region" }, "/version" ] ] }, "prefixParameterName": "/accelerator/lza-prefix" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/ResourceNamePrefixes/GetPrefixResource/Default" } }, "ValidateInstallerValidationFunctionServiceRoleF5BE8F9B": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] ] } ], "Tags": [ { "Key": "Accelerator", "Value": { "Ref": "AcceleratorPrefix" } } ] }, "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/ValidateInstaller/ValidationFunction/ServiceRole/Resource", "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM4", "reason": "Needed to write to CWL group" } ] } } }, "ValidateInstallerValidationFunctionServiceRoleDefaultPolicyAA8D9A47": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codepipeline:GetPipeline", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":codepipeline:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":", { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "acceleratorPrefix" ] }, "-Pipeline" ] ] }, "Sid": "ReadCodePipeline" } ], "Version": "2012-10-17" }, "PolicyName": "ValidateInstallerValidationFunctionServiceRoleDefaultPolicyAA8D9A47", "Roles": [ { "Ref": "ValidateInstallerValidationFunctionServiceRoleF5BE8F9B" } ] }, "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/ValidateInstaller/ValidationFunction/ServiceRole/DefaultPolicy/Resource", "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM4", "reason": "Needed to write to CWL group" } ] } } }, "ValidateInstallerValidationFunction21674768": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "ZipFile": "const response = require('cfn-response');\nconst { CodePipelineClient, GetPipelineCommand } = require('@aws-sdk/client-codepipeline');\nexports.handler = async function (event, context) {\n console.log(JSON.stringify(event, null, 4));\n\n const configRepositoryLocation = event.ResourceProperties.configRepositoryLocation;\n\n if (event.RequestType === 'Delete') {\n await response.send(event, context, response.SUCCESS, {}, event.PhysicalResourceId);\n return;\n }\n\n if (configRepositoryLocation === 's3') {\n try {\n const pipelineName = event.ResourceProperties.acceleratorPipelineName;\n const client = new CodePipelineClient();\n const input = { name: pipelineName };\n const command = new GetPipelineCommand(input);\n const pipelineResponse = await client.send(command);\n const sourceStage = pipelineResponse.pipeline.stages.find(stage => stage.name === 'Source');\n const configAction = sourceStage?.actions.find(action => action.name === 'Configuration');\n if (configAction.actionTypeId.provider === 'CodeCommit') {\n await response.send(\n event,\n context,\n response.FAILED,\n {\n FailureReason:\n 'ConfigRepositoryLocation parameter set to s3, but existing deployment using CodeCommit was detected. This value cannot be changed for existing deployments. Please set ConfigRepositoryLocation to CodeCommit and try again.',\n },\n event.PhysicalResourceId,\n );\n return;\n }\n } catch (err) {\n console.log('Encountered error finding existing pipeline, continuing');\n console.log(err);\n await response.send(event, context, response.SUCCESS, {}, event.PhysicalResourceId);\n return;\n }\n }\n\n // End of Validation\n await response.send(event, context, response.SUCCESS, {}, event.PhysicalResourceId);\n return;\n};\n" }, "Description": "This function validates installer parameters", "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "ValidateInstallerValidationFunctionServiceRoleF5BE8F9B", "Arn" ] }, "Runtime": "nodejs22.x", "Tags": [ { "Key": "Accelerator", "Value": { "Ref": "AcceleratorPrefix" } } ] }, "DependsOn": [ "ValidateInstallerValidationFunctionServiceRoleDefaultPolicyAA8D9A47", "ValidateInstallerValidationFunctionServiceRoleF5BE8F9B" ], "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/ValidateInstaller/ValidationFunction/Resource", "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM4", "reason": "Needed to write to CWL group" } ] }, "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "CloudWatch Logs are enabled in AWSLambdaBasicExecutionRole" }, { "id": "W89", "reason": "This function supports infrastructure deployment and is not deployed inside a VPC." }, { "id": "W92", "reason": "This function supports infrastructure deployment and does not require setting ReservedConcurrentExecutions." } ] } } }, "ValidateInstallerValidateResource24181D5D": { "Type": "AWS::CloudFormation::CustomResource", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "ValidateInstallerValidationFunction21674768", "Arn" ] }, "acceleratorPipelineName": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "acceleratorPrefix" ] }, "-Pipeline" ] ] }, "configRepositoryLocation": { "Ref": "ConfigurationRepositoryLocation" }, "resourceType": "Custom::ValidateInstallerStack" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/ValidateInstaller/ValidateResource/Default" } }, "SsmParamStackId521A78D3": { "Type": "AWS::SSM::Parameter", "Properties": { "Name": { "Fn::Join": [ "", [ "/", { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "oneWordPrefix" ] }, "/AWSAccelerator-InstallerStack/stack-id" ] ] }, "Tags": { "Accelerator": { "Ref": "AcceleratorPrefix" } }, "Type": "String", "Value": { "Ref": "AWS::StackId" } }, "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/SsmParamStackId/Resource" } }, "SsmParamAcceleratorVersionFF83282D": { "Type": "AWS::SSM::Parameter", "Properties": { "Name": { "Fn::Join": [ "", [ "/", { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "oneWordPrefix" ] }, "/AWSAccelerator-InstallerStack/version" ] ] }, "Tags": { "Accelerator": { "Ref": "AcceleratorPrefix" } }, "Type": "String", "Value": "1.15.2" }, "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/SsmParamAcceleratorVersion/Resource" } }, "SolutionHelperServiceRoleF70C0E2A": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] ] } ], "Tags": [ { "Key": "Accelerator", "Value": { "Ref": "AcceleratorPrefix" } } ] }, "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/SolutionHelper/SolutionHelper/ServiceRole/Resource", "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM4", "reason": "Needed to write to CWL group" } ] } } }, "SolutionHelper4825923B": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "ZipFile": "\n const response = require('cfn-response');\n const https = require('https');\n\n async function post(url, data) {\n const dataString = JSON.stringify(data)\n const options = {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json'\n },\n timeout: 1000, // in ms\n }\n \n return new Promise((resolve, reject) => {\n const req = https.request(url, options, (res) => {\n if (res.statusCode < 200 || res.statusCode > 299) {\n return reject(new Error('HTTP status code: ', res.statusCode))\n }\n const body = []\n res.on('data', (chunk) => body.push(chunk))\n res.on('end', () => {\n const resString = Buffer.concat(body).toString()\n resolve(resString)\n })\n })\n req.on('error', (err) => {\n reject(err)\n })\n req.on('timeout', () => {\n req.destroy()\n reject(new Error('Request time out'))\n })\n req.write(dataString)\n req.end()\n })\n }\n\n function uuidv4() {\n return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function (c) {\n var r = Math.random() * 16 | 0, v = c == 'x' ? r : (r & 0x3 | 0x8);\n return v.toString(16);\n });\n }\n\n\n function sanitizeData(resourceProperties) {\n const keysToExclude = ['ServiceToken', 'Resource', 'SolutionId', 'UUID'];\n return Object.keys(resourceProperties).reduce((sanitizedData, key) => {\n if (!keysToExclude.includes(key)) {\n sanitizedData[key] = resourceProperties[key];\n }\n return sanitizedData;\n }, {})\n }\n\n exports.handler = async function (event, context) {\n console.log(JSON.stringify(event, null, 4));\n const requestType = event.RequestType;\n const resourceProperties = event.ResourceProperties;\n const resource = resourceProperties.Resource;\n let data = {};\n try {\n if (resource === 'UUID' && requestType === 'Create') {\n data['UUID'] = uuidv4();\n }\n if (resource === 'AnonymousMetric') {\n const currentDate = new Date()\n data = sanitizeData(resourceProperties);\n data['RequestType'] = requestType;\n const payload = {\n Solution: resourceProperties.SolutionId,\n UUID: resourceProperties.UUID,\n TimeStamp: currentDate.toISOString(),\n Data: data\n }\n\n console.log('Sending metrics data: ', JSON.stringify(payload, null, 2));\n await post('https://metrics.awssolutionsbuilder.com/generic', payload);\n console.log('Sent Data');\n }\n } catch (error) {\n console.log(error);\n }\n \n if (requestType === 'Create') {\n await response.send(event, context, response.SUCCESS, data);\n }\n else {\n await response.send(event, context, response.SUCCESS, data, event.PhysicalResourceId);\n }\n return;\n } \n " }, "Description": "This function generates UUID for each deployment and sends anonymous data to the AWS Solutions team", "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "SolutionHelperServiceRoleF70C0E2A", "Arn" ] }, "Runtime": "nodejs22.x", "Tags": [ { "Key": "Accelerator", "Value": { "Ref": "AcceleratorPrefix" } } ], "Timeout": 30 }, "DependsOn": [ "SolutionHelperServiceRoleF70C0E2A" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "CloudWatch Logs are enabled in AWSLambdaBasicExecutionRole" }, { "id": "W89", "reason": "This function supports infrastructure deployment and is not deployed inside a VPC." }, { "id": "W92", "reason": "This function supports infrastructure deployment and does not require setting ReservedConcurrentExecutions." } ] } }, "Condition": "SolutionHelperAnonymousDataToAWS62E4FDE2" }, "SolutionHelperSolutionCreateUniqueID070ED802": { "Type": "Custom::CreateUUID", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "SolutionHelper4825923B", "Arn" ] }, "Resource": "UUID" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/SolutionHelper/SolutionCreateUniqueID/Default" }, "Condition": "SolutionHelperAnonymousDataToAWS62E4FDE2" }, "SolutionHelperSolutionSendAnonymousData271B3D26": { "Type": "Custom::AnonymousData", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "SolutionHelper4825923B", "Arn" ] }, "Resource": "AnonymousMetric", "SolutionId": "SO0199", "UUID": { "Fn::GetAtt": [ "SolutionHelperSolutionCreateUniqueID070ED802", "UUID" ] }, "Region": { "Ref": "AWS::Region" }, "BranchName": { "Ref": "RepositoryBranchName" }, "RepositoryName": { "Ref": "RepositoryName" }, "RepositoryOwner": { "Ref": "RepositoryOwner" }, "RepositorySource": { "Ref": "RepositorySource" } }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/SolutionHelper/SolutionSendAnonymousData/Default" }, "Condition": "SolutionHelperAnonymousDataToAWS62E4FDE2" }, "InstallerKey2A6A8C6D": { "Type": "AWS::KMS::Key", "Properties": { "Description": "KMS key for encrypting LZA installer S3 buckets, CodeBuild projects, and Lambda functions created by the template", "EnableKeyRotation": true, "KeyPolicy": { "Statement": [ { "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } }, "Action": "kms:*", "Resource": "*" }, { "Sid": "Allow Accelerator Role to use the encryption key", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*", "Condition": { "ArnLike": { "aws:PrincipalARN": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/", { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "acceleratorPrefix" ] }, "-*" ] ] } } } }, { "Sid": "Allow SNS service to use the encryption key", "Effect": "Allow", "Principal": { "Service": "sns.amazonaws.com" }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" }, { "Sid": "Allow EventBridge service to use the encryption key", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" }, { "Sid": "Allow Cloudwatch Logs service to use the encryption key", "Effect": "Allow", "Principal": { "Service": { "Fn::Join": [ "", [ "logs.", { "Ref": "AWS::Region" }, ".amazonaws.com" ] ] } }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*", "Condition": { "ArnLike": { "kms:EncryptionContext:aws:logs:arn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":log-group:*" ] ] } } } } ] }, "Tags": [ { "Key": "Accelerator", "Value": { "Ref": "AcceleratorPrefix" } } ] }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "RetainExceptOnCreate", "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "F76", "reason": "KMS key using * principal with added arn condition" } ] } } }, "InstallerKeyAliasD5C174F0": { "Type": "AWS::KMS::Alias", "Properties": { "AliasName": { "Fn::Join": [ "", [ "alias/", { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "oneWordPrefix" ] }, "/installer/kms/key" ] ] }, "TargetKeyId": { "Fn::GetAtt": [ "InstallerKey2A6A8C6D", "Arn" ] } }, "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/InstallerKey/Alias/Resource" } }, "AcceleratorManagementKmsArnParameter1E6975BF": { "Type": "AWS::SSM::Parameter", "Properties": { "Name": { "Fn::Join": [ "", [ "/", { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "oneWordPrefix" ] }, "/installer/kms/key-arn" ] ] }, "Tags": { "Accelerator": { "Ref": "AcceleratorPrefix" } }, "Type": "String", "Value": { "Fn::GetAtt": [ "InstallerKey2A6A8C6D", "Arn" ] } }, "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/AcceleratorManagementKmsArnParameter/Resource" } }, "InstallerAccessLogsBucket647700E9": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "LogDeliveryWrite", "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } } ] }, "BucketName": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "lowerCasePrefix" ] }, "-s3-logs-", { "Ref": "AWS::AccountId" }, "-", { "Ref": "AWS::Region" } ] ] }, "LifecycleConfiguration": { "Rules": [ { "AbortIncompleteMultipartUpload": { "DaysAfterInitiation": 1 }, "ExpirationInDays": 1825, "ExpiredObjectDeleteMarker": false, "Id": { "Fn::Join": [ "", [ "LifecycleRule", { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "lowerCasePrefix" ] }, "-s3-logs-", { "Ref": "AWS::AccountId" }, "-", { "Ref": "AWS::Region" } ] ] }, "NoncurrentVersionExpiration": { "NoncurrentDays": 1825 }, "NoncurrentVersionTransitions": [ { "StorageClass": "DEEP_ARCHIVE", "TransitionInDays": 366 } ], "Status": "Enabled", "Transitions": [ { "StorageClass": "DEEP_ARCHIVE", "TransitionInDays": 365 } ] } ] }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerPreferred" } ] }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true }, "Tags": [ { "Key": "Accelerator", "Value": { "Ref": "AcceleratorPrefix" } } ], "VersioningConfiguration": { "Status": "Enabled" } }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W35", "reason": "This is an access logging bucket." } ] }, "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-S1", "reason": "AccessLogsBucket has server access logs disabled till the task for access logging completed." } ] } } }, "InstallerAccessLogsBucketPolicy20D4E285": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "InstallerAccessLogsBucket647700E9" }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": [ { "Fn::GetAtt": [ "InstallerAccessLogsBucket647700E9", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "InstallerAccessLogsBucket647700E9", "Arn" ] }, "/*" ] ] } ], "Sid": "deny-insecure-connections" } ], "Version": "2012-10-17" } }, "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/InstallerAccessLogsBucket/Resource/Policy/Resource" } }, "InstallerAccessLogsBucketName4F700F48": { "Type": "AWS::SSM::Parameter", "Properties": { "Name": { "Fn::Join": [ "", [ "/", { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "oneWordPrefix" ] }, "/installer-access-logs-bucket-name" ] ] }, "Tags": { "Accelerator": { "Ref": "AcceleratorPrefix" } }, "Type": "String", "Value": { "Ref": "InstallerAccessLogsBucket647700E9" } }, "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/InstallerAccessLogsBucketName/Resource" } }, "SecureBucket747CD8C0": { "Type": "AWS::S3::Bucket", "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "KMSMasterKeyID": { "Fn::GetAtt": [ "InstallerKey2A6A8C6D", "Arn" ] }, "SSEAlgorithm": "aws:kms" } } ] }, "BucketName": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "lowerCasePrefix" ] }, "-installer-", { "Ref": "AWS::AccountId" }, "-", { "Ref": "AWS::Region" } ] ] }, "LifecycleConfiguration": { "Rules": [ { "AbortIncompleteMultipartUpload": { "DaysAfterInitiation": 1 }, "ExpirationInDays": 1825, "ExpiredObjectDeleteMarker": false, "Id": { "Fn::Join": [ "", [ "LifecycleRule", { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "lowerCasePrefix" ] }, "-installer-", { "Ref": "AWS::AccountId" }, "-", { "Ref": "AWS::Region" }, "LifecycleRule", { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "lowerCasePrefix" ] }, "-installer-", { "Ref": "AWS::AccountId" }, "-", { "Ref": "AWS::Region" } ] ] }, "NoncurrentVersionExpiration": { "NoncurrentDays": 1825 }, "NoncurrentVersionTransitions": [ { "StorageClass": "DEEP_ARCHIVE", "TransitionInDays": 366 } ], "Prefix": "", "Status": "Enabled", "Transitions": [ { "StorageClass": "DEEP_ARCHIVE", "TransitionInDays": 366 } ] }, { "AbortIncompleteMultipartUpload": { "DaysAfterInitiation": 1 }, "ExpiredObjectDeleteMarker": false, "Id": { "Fn::Join": [ "", [ "LifecycleRule", { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "lowerCasePrefix" ] }, "-installer-", { "Ref": "AWS::AccountId" }, "-", { "Ref": "AWS::Region" }, "LifecycleRuleLza", { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "lowerCasePrefix" ] }, "-installer-", { "Ref": "AWS::AccountId" }, "-", { "Ref": "AWS::Region" } ] ] }, "NoncurrentVersionExpiration": { "NoncurrentDays": 1825 }, "NoncurrentVersionTransitions": [ { "StorageClass": "ONEZONE_IA", "TransitionInDays": 30 } ], "Prefix": "lza/", "Status": "Enabled" } ] }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "InstallerAccessLogsBucket647700E9" }, "LogFilePrefix": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "lowerCasePrefix" ] }, "-installer-", { "Ref": "AWS::AccountId" }, "-", { "Ref": "AWS::Region" }, "/" ] ] } }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerPreferred" } ] }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true }, "Tags": [ { "Key": "Accelerator", "Value": { "Ref": "AcceleratorPrefix" } } ], "VersioningConfiguration": { "Status": "Enabled" } }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "RetainExceptOnCreate", "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/SecureBucket/Resource/Resource" } }, "SecureBucketPolicy6374AC61": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "SecureBucket747CD8C0" }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": [ { "Fn::GetAtt": [ "SecureBucket747CD8C0", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "SecureBucket747CD8C0", "Arn" ] }, "/*" ] ] } ], "Sid": "deny-insecure-connections" } ], "Version": "2012-10-17" } }, "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/SecureBucket/Resource/Policy/Resource" } }, "InstallerAdminRole7DEE4AC8": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com" } } ], "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::aws:policy/AdministratorAccess" ] ] } ], "Tags": [ { "Key": "Accelerator", "Value": { "Ref": "AcceleratorPrefix" } } ] }, "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/InstallerAdminRole/Resource", "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM4", "reason": "Managed policies required for IAM role." } ] } } }, "InstallerAdminRoleDefaultPolicy7EEE1AAB": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":log-group:/aws/codebuild/", { "Ref": "InstallerProject879FF821" } ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":log-group:/aws/codebuild/", { "Ref": "InstallerProject879FF821" }, ":*" ] ] } ] }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":codebuild:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":report-group/", { "Ref": "InstallerProject879FF821" }, "-*" ] ] } }, { "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "InstallerKey2A6A8C6D", "Arn" ] } }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "SecureBucket747CD8C0", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "SecureBucket747CD8C0", "Arn" ] }, "/*" ] ] } ] }, { "Action": [ "kms:Decrypt", "kms:DescribeKey" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "InstallerKey2A6A8C6D", "Arn" ] } } ], "Version": "2012-10-17" }, "PolicyName": "InstallerAdminRoleDefaultPolicy7EEE1AAB", "Roles": [ { "Ref": "InstallerAdminRole7DEE4AC8" } ] }, "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/InstallerAdminRole/DefaultPolicy/Resource", "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM4", "reason": "Managed policies required for IAM role." }, { "id": "AwsSolutions-IAM5", "reason": "IAM role requires wildcard permissions." } ] } } }, "InstallerProject879FF821": { "Type": "AWS::CodeBuild::Project", "Properties": { "Artifacts": { "Type": "CODEPIPELINE" }, "Cache": { "Type": "NO_CACHE" }, "EncryptionKey": { "Fn::GetAtt": [ "InstallerKey2A6A8C6D", "Arn" ] }, "Environment": { "ComputeType": "BUILD_GENERAL1_LARGE", "EnvironmentVariables": [ { "Name": "NODE_OPTIONS", "Type": "PLAINTEXT", "Value": "--max_old_space_size=12288 --no-warnings" }, { "Name": "CDK_NEW_BOOTSTRAP", "Type": "PLAINTEXT", "Value": "1" }, { "Name": "ACCELERATOR_REPOSITORY_SOURCE", "Type": "PLAINTEXT", "Value": { "Ref": "RepositorySource" } }, { "Name": "ACCELERATOR_REPOSITORY_OWNER", "Type": "PLAINTEXT", "Value": { "Ref": "RepositoryOwner" } }, { "Name": "ACCELERATOR_REPOSITORY_NAME", "Type": "PLAINTEXT", "Value": { "Ref": "RepositoryName" } }, { "Name": "ACCELERATOR_REPOSITORY_BRANCH_NAME", "Type": "PLAINTEXT", "Value": { "Ref": "RepositoryBranchName" } }, { "Name": "CONFIG_REPOSITORY_LOCATION", "Type": "PLAINTEXT", "Value": { "Ref": "ConfigurationRepositoryLocation" } }, { "Name": "CODECONNECTION_ARN", "Type": "PLAINTEXT", "Value": { "Ref": "ConfigCodeConnectionArn" } }, { "Name": "USE_EXISTING_CONFIG_REPO", "Type": "PLAINTEXT", "Value": { "Ref": "UseExistingConfigRepo" } }, { "Name": "EXISTING_CONFIG_REPOSITORY_NAME", "Type": "PLAINTEXT", "Value": { "Ref": "ExistingConfigRepositoryName" } }, { "Name": "EXISTING_CONFIG_REPOSITORY_BRANCH_NAME", "Type": "PLAINTEXT", "Value": { "Ref": "ExistingConfigRepositoryBranchName" } }, { "Name": "EXISTING_CONFIG_REPOSITORY_OWNER", "Type": "PLAINTEXT", "Value": { "Ref": "ExistingConfigRepositoryOwner" } }, { "Name": "ACCELERATOR_ENABLE_APPROVAL_STAGE", "Type": "PLAINTEXT", "Value": { "Ref": "EnableApprovalStage" } }, { "Name": "APPROVAL_STAGE_NOTIFY_EMAIL_LIST", "Type": "PLAINTEXT", "Value": { "Ref": "ApprovalStageNotifyEmailList" } }, { "Name": "MANAGEMENT_ACCOUNT_EMAIL", "Type": "PLAINTEXT", "Value": { "Ref": "ManagementAccountEmail" } }, { "Name": "LOG_ARCHIVE_ACCOUNT_EMAIL", "Type": "PLAINTEXT", "Value": { "Ref": "LogArchiveAccountEmail" } }, { "Name": "AUDIT_ACCOUNT_EMAIL", "Type": "PLAINTEXT", "Value": { "Ref": "AuditAccountEmail" } }, { "Name": "CONTROL_TOWER_ENABLED", "Type": "PLAINTEXT", "Value": { "Ref": "ControlTowerEnabled" } }, { "Name": "ACCELERATOR_PREFIX", "Type": "PLAINTEXT", "Value": { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "acceleratorPrefix" ] } }, { "Name": "INSTALLER_STACK_NAME", "Type": "PLAINTEXT", "Value": "AWSAccelerator-InstallerStack" }, { "Name": "ENABLE_DIAGNOSTICS_PACK", "Type": "PLAINTEXT", "Value": { "Ref": "EnableDiagnosticsPack" } }, { "Name": "PIPELINE_ACCOUNT_ID", "Type": "PLAINTEXT", "Value": { "Ref": "AWS::AccountId" } }, { "Name": "SECURE_BUCKET_NAME", "Type": "PLAINTEXT", "Value": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "lowerCasePrefix" ] }, "-installer-", { "Ref": "AWS::AccountId" }, "-", { "Ref": "AWS::Region" } ] ] } } ], "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" }, "Name": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "acceleratorPrefix" ] }, "-InstallerProject" ] ] }, "ServiceRole": { "Fn::GetAtt": [ "InstallerAdminRole7DEE4AC8", "Arn" ] }, "Source": { "BuildSpec": { "Fn::Join": [ "", [ "version: \"0.2\"\nphases:\n install:\n runtime-versions:\n nodejs: \"22\"\n pre_build:\n commands:\n - ENABLE_EXTERNAL_PIPELINE_ACCOUNT=\"no\"\n - if [ ! -z \"$MANAGEMENT_ACCOUNT_ID\" ] && [ ! -z \"$MANAGEMENT_ACCOUNT_ROLE_NAME\" ]; then ENABLE_EXTERNAL_PIPELINE_ACCOUNT=\"yes\"; fi\n build:\n commands:\n - cd source\n - |-\n if [ \"", { "Ref": "AWS::Partition" }, "\" = \"aws-cn\" ]; then\n sed -i \"s#registry.yarnpkg.com#registry.npmmirror.com#g\" yarn.lock;\n set -e && yarn config set registry https://registry.npmmirror.com\n fi\n - if [ -f .yarnrc ]; then yarn install --use-yarnrc .yarnrc; else yarn install; fi\n - yarn build-prod\n - cd packages/@aws-accelerator/installer\n - set -e && ./lib/bash/bootstrap-management.sh ", { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "acceleratorPrefix" ] }, " ", { "Ref": "AWS::Region" }, " ", { "Ref": "AWS::AccountId" }, " ", { "Fn::FindInMap": [ "GlobalRegionMap", { "Ref": "AWS::Partition" }, "regionName" ] }, " $FORCE_BOOTSTRAP\n - |-\n set -e && if [ $ENABLE_EXTERNAL_PIPELINE_ACCOUNT = \"yes\" ]; then\n if ! MANAGEMENT_ACCOUNT_CREDENTIAL=$(aws sts assume-role --role-arn arn:", { "Ref": "AWS::Partition" }, ":iam::\"$MANAGEMENT_ACCOUNT_ID\":role/\"$MANAGEMENT_ACCOUNT_ROLE_NAME\" --role-session-name acceleratorAssumeRoleSession --query \"Credentials.[AccessKeyId,SecretAccessKey,SessionToken]\" --output text); then\n echo \"Failed to assume $MANAGEMENT_ACCOUNT_ROLE_NAME role in management account $MANAGEMENT_ACCOUNT_ID\"\n exit 1\n fi\n export $(printf \"AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s\" $MANAGEMENT_ACCOUNT_CREDENTIAL);\n set -e && ./lib/bash/bootstrap-management.sh ", { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "acceleratorPrefix" ] }, " ", { "Ref": "AWS::Region" }, " $MANAGEMENT_ACCOUNT_ID ", { "Fn::FindInMap": [ "GlobalRegionMap", { "Ref": "AWS::Partition" }, "regionName" ] }, " $FORCE_BOOTSTRAP;\n unset AWS_ACCESS_KEY_ID;\n unset AWS_SECRET_ACCESS_KEY;\n unset AWS_SESSION_TOKEN;\n fi\n - cd ../accelerator\n - |-\n aws ssm get-parameter --name /accelerator/migration --query \"Parameter.Value\" 2> /dev/null\n status=$?\n if [ $status -ne 0 ]; then\n echo \"No SSM Parameter found, setting ENABLE_ASEA_MIGRATION to false\";\n export ENABLE_ASEA_MIGRATION=false\n else\n echo \"SSM Parameter Found, setting ENABLE_ASEA_MIGRATION to true\"\n export ENABLE_ASEA_MIGRATION=true\n fi;\n - |-\n set -e && if [ $ENABLE_DIAGNOSTICS_PACK = \"Yes\" ]; then\n yarn run ts-node --transpile-only cdk.ts synth --stage diagnostics-pack --account ", { "Ref": "AWS::AccountId" }, " --region ", { "Ref": "AWS::Region" }, " --partition ", { "Ref": "AWS::Partition" }, "\n yarn run ts-node --transpile-only cdk.ts deploy --stage diagnostics-pack --account ", { "Ref": "AWS::AccountId" }, " --region ", { "Ref": "AWS::Region" }, " --partition ", { "Ref": "AWS::Partition" }, "\n fi\n - set -e && yarn run ts-node --transpile-only cdk.ts synth --stage pipeline --account ", { "Ref": "AWS::AccountId" }, " --region ", { "Ref": "AWS::Region" }, " --partition ", { "Ref": "AWS::Partition" }, "\n - set -e && yarn run ts-node --transpile-only cdk.ts deploy --stage pipeline --account ", { "Ref": "AWS::AccountId" }, " --region ", { "Ref": "AWS::Region" }, " --partition ", { "Ref": "AWS::Partition" }, "\n - set -e && if [ \"$ENABLE_TESTER\" = \"true\" ]; then yarn run ts-node --transpile-only cdk.ts deploy --stage tester-pipeline --account ", { "Ref": "AWS::AccountId" }, " --region ", { "Ref": "AWS::Region" }, "; fi\n - chmod +x scripts/post_pipeline_s3_config_check.sh\n - set -e && bash -e scripts/post_pipeline_s3_config_check.sh\n - set -e && cd ../../../../ && zip -rqy /tmp/lza.zip . && aws s3 cp /tmp/lza.zip s3://", { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "lowerCasePrefix" ] }, "-installer-", { "Ref": "AWS::AccountId" }, "-", { "Ref": "AWS::Region" }, "/lza/v1.15.2.zip --region ", { "Ref": "AWS::Region" }, " --no-progress && rm -fr /tmp/lza.zip;\n post_build:\n commands:\n - |-\n if [ $CODEBUILD_BUILD_SUCCEEDING -eq 1 ]; then\n inprogress_status_count=$(aws codepipeline get-pipeline-state --name \"", { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "acceleratorPrefix" ] }, "-Pipeline\" | grep '\"status\": \"InProgress\"' | grep -v grep | wc -l) &&\n if [ $inprogress_status_count -eq 0 ]; then\n set -e && aws codepipeline start-pipeline-execution --name \"", { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "acceleratorPrefix" ] }, "-Pipeline\";\n fi\n fi\n" ] ] }, "Type": "CODEPIPELINE" }, "Tags": [ { "Key": "Accelerator", "Value": { "Ref": "AcceleratorPrefix" } } ] }, "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/InstallerProject/Resource", "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-CB3", "reason": "Project requires access to the Docker daemon." } ] } } }, "CodeCommitPipelineRole5C35E76C": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codepipeline.amazonaws.com" } } ], "Version": "2012-10-17" }, "Tags": [ { "Key": "Accelerator", "Value": { "Ref": "AcceleratorPrefix" } } ] }, "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/CodeCommitPipelineRole/Resource" }, "Condition": "UseCodeCommitCondition" }, "CodeCommitPipelineRoleDefaultPolicyDE8B332B": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "SecureBucket747CD8C0", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "SecureBucket747CD8C0", "Arn" ] }, "/*" ] ] } ] }, { "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "InstallerKey2A6A8C6D", "Arn" ] } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CodeCommitPipelineRole5C35E76C", "Arn" ] } }, { "Action": [ "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":codecommit:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":", { "Ref": "RepositoryName" } ] ] } }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "InstallerProject879FF821", "Arn" ] } } ], "Version": "2012-10-17" }, "PolicyName": "CodeCommitPipelineRoleDefaultPolicyDE8B332B", "Roles": [ { "Ref": "CodeCommitPipelineRole5C35E76C" } ] }, "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/CodeCommitPipelineRole/DefaultPolicy/Resource", "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "IAM role requires wildcard permissions." } ] } }, "Condition": "UseCodeCommitCondition" }, "CodeCommitPipeline2208527B": { "Type": "AWS::CodePipeline::Pipeline", "Properties": { "ArtifactStore": { "EncryptionKey": { "Id": { "Fn::GetAtt": [ "InstallerKey2A6A8C6D", "Arn" ] }, "Type": "KMS" }, "Location": { "Ref": "SecureBucket747CD8C0" }, "Type": "S3" }, "Name": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "acceleratorPrefix" ] }, "-Installer" ] ] }, "RestartExecutionOnUpdate": true, "RoleArn": { "Fn::GetAtt": [ "CodeCommitPipelineRole5C35E76C", "Arn" ] }, "Stages": [ { "Actions": [ { "ActionTypeId": { "Category": "Source", "Owner": "AWS", "Provider": "CodeCommit", "Version": "1" }, "Configuration": { "RepositoryName": { "Ref": "RepositoryName" }, "BranchName": { "Ref": "RepositoryBranchName" }, "PollForSourceChanges": false }, "Name": "Source", "OutputArtifacts": [ { "Name": "Source" } ], "RoleArn": { "Fn::GetAtt": [ "CodeCommitPipelineRole5C35E76C", "Arn" ] }, "RunOrder": 1 } ], "Name": "Source" }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1" }, "Configuration": { "ProjectName": { "Ref": "InstallerProject879FF821" } }, "InputArtifacts": [ { "Name": "Source" } ], "Name": "Install", "RoleArn": { "Fn::GetAtt": [ "CodeCommitPipelineRole5C35E76C", "Arn" ] }, "RunOrder": 1 } ], "Name": "Install" } ], "Tags": [ { "Key": "Accelerator", "Value": { "Ref": "AcceleratorPrefix" } } ] }, "DependsOn": [ "CodeCommitPipelineRoleDefaultPolicyDE8B332B", "CodeCommitPipelineRole5C35E76C" ], "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/CodeCommitPipeline/Resource" }, "Condition": "UseCodeCommitCondition" }, "GitHubPipelineRole6F4DEF1B": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codepipeline.amazonaws.com" } } ], "Version": "2012-10-17" }, "Tags": [ { "Key": "Accelerator", "Value": { "Ref": "AcceleratorPrefix" } } ] }, "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/GitHubPipelineRole/Resource" }, "Condition": "UseGitHubCondition" }, "GitHubPipelineRoleDefaultPolicyD82457D6": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "SecureBucket747CD8C0", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "SecureBucket747CD8C0", "Arn" ] }, "/*" ] ] } ] }, { "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "InstallerKey2A6A8C6D", "Arn" ] } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "GitHubPipelineRole6F4DEF1B", "Arn" ] } }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "InstallerProject879FF821", "Arn" ] } } ], "Version": "2012-10-17" }, "PolicyName": "GitHubPipelineRoleDefaultPolicyD82457D6", "Roles": [ { "Ref": "GitHubPipelineRole6F4DEF1B" } ] }, "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/GitHubPipelineRole/DefaultPolicy/Resource", "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "IAM role requires wildcard permissions." } ] } }, "Condition": "UseGitHubCondition" }, "GitHubPipeline7B79E906": { "Type": "AWS::CodePipeline::Pipeline", "Properties": { "ArtifactStore": { "EncryptionKey": { "Id": { "Fn::GetAtt": [ "InstallerKey2A6A8C6D", "Arn" ] }, "Type": "KMS" }, "Location": { "Ref": "SecureBucket747CD8C0" }, "Type": "S3" }, "Name": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "acceleratorPrefix" ] }, "-Installer" ] ] }, "RestartExecutionOnUpdate": true, "RoleArn": { "Fn::GetAtt": [ "GitHubPipelineRole6F4DEF1B", "Arn" ] }, "Stages": [ { "Actions": [ { "ActionTypeId": { "Category": "Source", "Owner": "ThirdParty", "Provider": "GitHub", "Version": "1" }, "Configuration": { "Owner": { "Ref": "RepositoryOwner" }, "Repo": { "Ref": "RepositoryName" }, "Branch": { "Ref": "RepositoryBranchName" }, "OAuthToken": "{{resolve:secretsmanager:accelerator/github-token:SecretString:::}}", "PollForSourceChanges": false }, "Name": "Source", "OutputArtifacts": [ { "Name": "Source" } ], "RunOrder": 1 } ], "Name": "Source" }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1" }, "Configuration": { "ProjectName": { "Ref": "InstallerProject879FF821" } }, "InputArtifacts": [ { "Name": "Source" } ], "Name": "Install", "RoleArn": { "Fn::GetAtt": [ "GitHubPipelineRole6F4DEF1B", "Arn" ] }, "RunOrder": 1 } ], "Name": "Install" } ], "Tags": [ { "Key": "Accelerator", "Value": { "Ref": "AcceleratorPrefix" } } ] }, "DependsOn": [ "GitHubPipelineRoleDefaultPolicyD82457D6", "GitHubPipelineRole6F4DEF1B" ], "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/GitHubPipeline/Resource" }, "Condition": "UseGitHubCondition" }, "UpdatePipelineLambdaRole88CE0535": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "Tags": [ { "Key": "Accelerator", "Value": { "Ref": "AcceleratorPrefix" } } ] }, "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/UpdatePipelineLambdaRole/Resource", "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM4", "reason": "Managed policies required for IAM role." } ] } }, "Condition": "UseGitHubCondition" }, "UpdatePipelineLambdaPolicy284ABC36": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "codepipeline:GetPipeline", "codepipeline:UpdatePipeline" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":codepipeline:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":", { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "acceleratorPrefix" ] }, "-Installer*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":codepipeline:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":", { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "acceleratorPrefix" ] }, "-Pipeline*" ] ] } ] }, { "Action": [ "secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":secretsmanager:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":secret:accelerator/github-token*" ] ] } }, { "Action": "kms:Decrypt", "Effect": "Allow", "Resource": "*" }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": "*" }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/", { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "acceleratorPrefix" ] }, "-*" ] ] }, { "Fn::GetAtt": [ "GitHubPipelineRole6F4DEF1B", "Arn" ] } ] }, { "Action": [ "codestar-connections:PassConnection", "codestar-connections:UseConnection" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":codeconnections:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":connection/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "UpdatePipelineLambdaPolicy284ABC36", "Roles": [ { "Ref": "UpdatePipelineLambdaRole88CE0535" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "IAM policy should not allow * resource." } ] }, "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "IAM role requires wildcard permissions." } ] } }, "Condition": "UseGitHubCondition" }, "UpdatePipelineGithubTokenFunction29B64F2E": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "ZipFile": "/**\n * Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\"). You may not use this file except in compliance\n * with the License. A copy of the License is located at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES\n * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions\n * and limitations under the License.\n */\n\nconst { SecretsManagerClient, GetSecretValueCommand } = require('@aws-sdk/client-secrets-manager');\nconst { CodePipelineClient, GetPipelineCommand, UpdatePipelineCommand } = require('@aws-sdk/client-codepipeline');\nconst { ConfiguredRetryStrategy } = require('@aws-sdk/util-retry');\n\nconst secretsManager = new SecretsManagerClient({\n retryStrategy: new ConfiguredRetryStrategy(10, attempt => 100 + attempt * 1000),\n});\nconst codePipeline = new CodePipelineClient({\n retryStrategy: new ConfiguredRetryStrategy(10, attempt => 100 + attempt * 1000),\n});\nconst installerPipelineName = process.env['INSTALLER_PIPELINE_NAME'] ?? '';\nconst acceleratorPipelineName = process.env['ACCELERATOR_PIPELINE_NAME'] ?? '';\nconst pipelineArray = [installerPipelineName, acceleratorPipelineName];\n\n/**\n * update-pipeline-github-token - lambda handler\n *\n * @param event\n * @returns\n */\n\nexports.handler = async (event, context) => {\n const secretDetails = event.detail.requestParameters;\n const secretArn = secretDetails.secretId;\n const secretValue = await getSecretValue(secretArn);\n await updatePipelineDetailsForBothPipelines(secretValue);\n return {\n statusCode: 200,\n };\n};\n\nasync function getSecretValue(secretName) {\n try {\n const data = await secretsManager.send(\n new GetSecretValueCommand({\n SecretId: secretName,\n }),\n );\n if (!data || !data.SecretString) {\n throw new Error(`Secret ${secretName} didn't exist.`);\n }\n console.log(`Retrieved secret: ${secretName}...`);\n return data.SecretString;\n } catch (error) {\n console.log(error);\n throw new Error(`Error retrieving secret: ${secretName}.`);\n }\n}\n\nasync function updateCodePipelineSourceStage(pipelineDetails, secretValue) {\n const pipelineStages = pipelineDetails.pipeline.stages;\n const sourceStage = pipelineStages.find(o => o.name == 'Source');\n const sourceAction = sourceStage.actions.find(a => a.name == 'Source');\n if (sourceAction.actionTypeId.provider !== 'GitHub') {\n console.log('Pipeline source is not GitHub, no action will be taken.');\n return;\n }\n sourceAction.configuration.OAuthToken = secretValue;\n\n return pipelineDetails;\n}\n\nasync function getPipelineDetails(pipelineName) {\n //This function retrieves the original Code Pipeline structure, so we can update it.\n const getPipelineParams = {\n name: pipelineName,\n };\n console.log(`Retrieving existing pipeline configuration for: ${pipelineName}...`);\n const pipelineObject = await codePipeline.send(new GetPipelineCommand(getPipelineParams));\n console.log(JSON.stringify(pipelineObject));\n return pipelineObject;\n}\n\nasync function updatePipeline(updatedPipelineDetails) {\n //Remove metadata from getPipelineOutput to use as updatePipelineInput\n delete updatedPipelineDetails.metadata;\n console.log(`Updating pipeline with new OAuth Token...`);\n return codePipeline.send(new UpdatePipelineCommand(updatedPipelineDetails));\n}\n\nasync function updatePipelineDetailsForBothPipelines(secretValue) {\n for (const pipeline of pipelineArray) {\n try {\n const pipelineDetails = await getPipelineDetails(pipeline);\n const updatedPipelineDetails = await updateCodePipelineSourceStage(pipelineDetails, secretValue);\n if (updatedPipelineDetails) {\n await updatePipeline(updatedPipelineDetails);\n }\n } catch (error) {\n console.error(error);\n throw new Error(`Error occurred while updating pipeline ${pipeline}`);\n }\n }\n}\n" }, "Description": "Lambda function to update CodePipeline OAuth Token", "Environment": { "Variables": { "ACCELERATOR_PIPELINE_NAME": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "acceleratorPrefix" ] }, "-Pipeline" ] ] }, "INSTALLER_PIPELINE_NAME": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ResourceNamePrefixesGetPrefixResource96A10E6E", "acceleratorPrefix" ] }, "-Installer" ] ] } } }, "Handler": "index.handler", "KmsKeyArn": { "Fn::GetAtt": [ "InstallerKey2A6A8C6D", "Arn" ] }, "Role": { "Fn::GetAtt": [ "UpdatePipelineLambdaRole88CE0535", "Arn" ] }, "Runtime": "nodejs22.x", "Tags": [ { "Key": "Accelerator", "Value": { "Ref": "AcceleratorPrefix" } } ], "Timeout": 60 }, "DependsOn": [ "UpdatePipelineLambdaRole88CE0535" ], "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/UpdatePipelineGithubTokenFunction/Resource", "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "CloudWatch Logs are enabled in AWSLambdaBasicExecutionRole" }, { "id": "W89", "reason": "This function supports infrastructure deployment and is not deployed inside a VPC." }, { "id": "W92", "reason": "This function supports infrastructure deployment and does not require setting ReservedConcurrentExecutions." } ] } }, "Condition": "UseGitHubCondition" }, "UpdatePipelineGithubTokenRule79D83132": { "Type": "AWS::Events::Rule", "Properties": { "Description": "Rule to trigger Lambda Function when the Github Accelerator Token has been updated.", "EventPattern": { "detail-type": [ "AWS API Call via CloudTrail" ], "detail": { "eventSource": [ "secretsmanager.amazonaws.com" ], "eventName": [ "UpdateSecret", "PutSecretValue" ], "requestParameters": { "secretId": [ { "prefix": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":secretsmanager:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":secret:accelerator/github-token" ] ] } } ] } } }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "UpdatePipelineGithubTokenFunction29B64F2E", "Arn" ] }, "Id": "Target0", "RetryPolicy": { "MaximumEventAgeInSeconds": 14400, "MaximumRetryAttempts": 2 } } ] }, "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/UpdatePipelineGithubTokenRule/Resource" }, "Condition": "UseGitHubCondition" }, "UpdatePipelineGithubTokenRuleAllowEventRuleAWSAcceleratorInstallerStackUpdatePipelineGithubTokenFunction2367C02A6E48B7BC": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "UpdatePipelineGithubTokenFunction29B64F2E", "Arn" ] }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "UpdatePipelineGithubTokenRule79D83132", "Arn" ] } }, "Metadata": { "aws:cdk:path": "AWSAccelerator-InstallerStack/UpdatePipelineGithubTokenRule/AllowEventRuleAWSAcceleratorInstallerStackUpdatePipelineGithubTokenFunction2367C02A" }, "Condition": "UseGitHubCondition" }, "UpdatePipelineGithubTokenFunctionLogGroupFCE3723A": { "Type": "AWS::Logs::LogGroup", "Properties": { "LogGroupName": { "Fn::Join": [ "", [ "/aws/lambda/", { "Ref": "UpdatePipelineGithubTokenFunction29B64F2E" } ] ] }, "RetentionInDays": 731, "Tags": [ { "Key": "Accelerator", "Value": { "Ref": "AcceleratorPrefix" } } ] }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W84", "reason": "CloudWatchLogs LogGroup should specify a KMS Key Id to encrypt the log data" } ] } }, "Condition": "UseGitHubCondition" } }, "Conditions": { "SolutionHelperAnonymousDataToAWS62E4FDE2": { "Fn::Equals": [ { "Fn::FindInMap": [ "SolutionHelperAnonymousData14B64A81", "SendAnonymizedData", "Data" ] }, "Yes" ] }, "UseCodeCommitCondition": { "Fn::Equals": [ { "Ref": "RepositorySource" }, "codecommit" ] }, "UseGitHubCondition": { "Fn::Equals": [ { "Ref": "RepositorySource" }, "github" ] } } }