AttiniCfn

AttiniCfn will create, update, or delete a CloudFormation stack.

See more information about the configuration options here.

Note

If a stack is in the “ROLLBACK_COMPLETE” state and you re-run the deployment plan, the stack will be deleted and recreated. The “ROLLBACK_COMPLETE” state only occurs after a failed creation, once the rollback has deleted all the resources in the stack.

Type: AttiniCfn
Properties:
    Template: String
    StackName: String
    ConfigFile: String
    Parameters: Map<String,String>
    Tags: Map<String,String>
    StackRoleArn: String
    ExecutionRoleArn: String
    Region: String
    OutputPath: String
    Variables: Map<String,String>
    Action: String
    EnableTerminationProtection: Boolean

Template

Type: String

The path to the CloudFormation template. Can either be:

  1. A path to a file in the distribution.
  2. A URL to a public S3 file, starting with https://.
  3. An S3 path, starting with s3://.

Required: Yes (can be configured in the ConfigFile)

StackName

Type: String

AWS API compatibility: This property is passed directly to the StackName property of the CreateStack or UpdateStack API call.

Required: Yes (can be configured in the ConfigFile)

ConfigFile

Type: String

This is a reference to a JSON or a YAML file in the distribution.

Note

Public HTTPS endpoints, e.g. https://path/to/my/parameters.json, do not work for configuration files.

Find more info in the CloudFormation configuration documentation.

Required: No

Parameters

Type: Map<String, String>

The CloudFormation parameters. Find more info in the CloudFormation configuration documentation.

Required: No (can be configured in the ConfigFile)

Tags

Type: Map<String,String>

The CloudFormation stack tags.

Required: No (can be configured in the ConfigFile)

StackRoleArn

Type: String

ARN of the StackRole. Find more info here: AWS CloudFormation service role

Note

This IAM Role has to be in the same AWS account that the CloudFormation stack is deployed in. So if “ExecutionRoleArn” is in a different AWS account, “StackRoleArn” has to be in the same account as “ExecutionRoleArn”. If “StackRoleArn” is in a different AWS account than “ExecutionRoleArn”, you will receive a “Cross-account pass role is not allowed.” error.

Find more information about the security aspects of StackRoles here.

Required: Conditional (can be configured in the ConfigFile)

Info

If the parameter “GiveAdminAccess” in attini-setup is false, this parameter or ExecutionRoleArn is required.

ExecutionRoleArn

Type: String

The role that you want to be assumed when the Attini Framework deploys the CloudFormation stack. This can be useful if you are:

The ExecutionRole has to trust the default Attini action role, arn:aws:iam::{AccountId}:role/attini/attini-action-role-{Region}, so that the ExecutionRole can be assumed.

Example trust relationship policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111111111111:role/attini/attini-action-role-eu-west-1"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Note

If you configure an execution role in another account or region, the Attini Framework will use a polling pattern to verify the state of the stack. This makes the deployment plan execution slower, and it can lead to throttling issues if it’s used a lot.

Find more information about the security aspects of ExecutionRoles here.

Required: No (can be configured in the ConfigFile)

Default: arn:aws:iam::{AccountId}:role/attini/attini-action-role-{Region}
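
A pre-deployment check for the two role constraints described above (the StackRoleArn account rule and the ExecutionRole trust relationship), as an added example that is not part of the Attini documentation or code base. The function names, the finding texts, and the sample role names and account 222222222222 are constructed for illustration; flagging principals trusted besides the action role goes beyond what the page requires.

```python
import re

ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):role/.+$")

def account_of(role_arn):
    """Return the 12-digit account id of an IAM role ARN."""
    m = ROLE_ARN.match(role_arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    return m.group(1)

def as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def check_roles(account, region, props, trust_policy=None):
    """Return findings for one AttiniCfn step's Properties (empty list = ok)."""
    action_role = f"arn:aws:iam::{account}:role/attini/attini-action-role-{region}"
    execution = props.get("ExecutionRoleArn", action_role)  # documented default
    stack_role = props.get("StackRoleArn")
    findings = []
    # The stack is created in the execution role's account, and a role cannot
    # be passed across accounts, so the StackRole must live there too.
    if stack_role and account_of(stack_role) != account_of(execution):
        findings.append("StackRoleArn is not in the ExecutionRoleArn account")
    if trust_policy is not None and execution != action_role:
        trusted = set()
        for stmt in as_list(trust_policy.get("Statement")):
            if stmt.get("Effect") != "Allow" or \
                    "sts:AssumeRole" not in as_list(stmt.get("Action")):
                continue
            principal = stmt.get("Principal", {})
            trusted.update(["*"] if principal == "*" else as_list(principal.get("AWS")))
        if action_role not in trusted:
            findings.append("trust policy does not name the attini action role")
        if trusted - {action_role}:
            findings.append("trust policy names principals besides the action role")
    return findings

# Constructed sample: Attini runs in 111111111111, the stack targets 222222222222.
SAMPLE_PROPS = {"ExecutionRoleArn": "arn:aws:iam::222222222222:role/deploy-role",
                "StackRoleArn": "arn:aws:iam::111111111111:role/cfn-stack-role"}
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::111111111111:role/attini/attini-action-role-eu-west-1"]},
    "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for finding in check_roles("111111111111", "eu-west-1", SAMPLE_PROPS, SAMPLE_TRUST):
        print("FINDING:", finding)
```

With the constructed sample, the only finding is the account mismatch between StackRoleArn and ExecutionRoleArn, the configuration that produces the “Cross-account pass role is not allowed.” error.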

Region

Type: String

Configure the region you want the CloudFormation stack in.

Note

If you configure a Region other than the current region, the Attini Framework will use a polling pattern to verify the state of the stack. This makes the deployment plan execution slower, and it can lead to throttling issues if it's used a lot.

Required: No

Default: Current region

OutputPath

Type: String

If you need an extra level of separation for your payload output, you can use OutputPath. This is useful if you need to have multiple output sections from one step, for example when you use AttiniMap.

If you, for example, have a State name buzz and an OutputPath: foo the output payload will look like this:

{
  "output": {
    "buzz": {
      "foo": {
        "OutputKey": "OutputValue"
      }
    }
  }
}

Required: No (can be configured in the ConfigFile)

Variables

Type: Map<String,String>

If your step has a ConfigFile configured, you can use Variables to pass values from your deployment plan payload into the file.

If you, for example, have an AttiniCfn State with the following config:

StateName:
  Type: AttiniCfn
  Properties:
    Template: /ecs-service.yaml
    ConfigFile: /ecs-config.yaml
    Variables:
      Environment: !Ref AttiniEnvironmentName
      DatabasePort.$: $.output.Database.Port
      StackRoleArn.$: $.output.StackRoles.EcsStackRole
    StackName: ecs-service

Your ConfigFile can look like this:

stackRoleArn: ${StackRoleArn}
parameters:
  ServiceName: ${Environment}-my-ecs-service
  DatabasePort: ${DatabasePort}

Note

By using Variables you can replace or manipulate any AttiniCfn configuration except for the ConfigFile path.

Required: No (can be configured in the ConfigFile)

Action

Type: String

Specify if the stack should be deployed (created/updated), or deleted.

Allowed values: Deploy | Delete

Required: No (can be configured in the ConfigFile)

Default: Deploy

EnableTerminationProtection

Type: Boolean

Specify if termination protection should be enabled for the stack.

Note

When first creating a stack, this is an atomic operation. However, when updating an existing stack, the termination protection will be updated before the rest of the stack. This means that if the stack update fails and a rollback is performed, the termination protection will not be rolled back with the rest of the updates.

Required: No (can be configured in the ConfigFile)

Default: false