Cross account CloudFormation deploy


To enable cross AWS account CloudFormation deployments you need to do the following:

  1. Create a role in the target account that the Attini framework should assume.

  2. Configure the ExecutionRoleArn in the deployment plan to reference the role from step 1.

  3. Apply an S3 bucket policy to the attini-artifact-store-{Region}-{AccountId} bucket that allows the role from step 1 to get the templates and configuration it needs.

In the examples below, the Attini framework is deployed into eu-west-1 in account 111111111111 and we want to deploy into account 222222222222.

[Diagram: CrossAccountCfnDeploys]

1. Create a custom execution role

This role needs permission to manage all the resources in your CloudFormation stack, OR the iam:PassRole permission if you are using a stack role.

The role's trust policy also needs to allow it to be assumed by arn:aws:iam::{AccountId*}:role/attini/attini-action-role-{Region**}.

* Your AWS Account Id
** The region that your deployment plan is in

Example: Role config

{
  "Role": {
    "RoleName": "custom-execution-role",
    "Arn": "arn:aws:iam::222222222222:role/custom-execution-role",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::111111111111:role/attini/attini-action-role-eu-west-1"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    },
    "Description": "Cross account deployment",
    "MaxSessionDuration": 3600
  }
}

Example: role configured in CloudFormation

This example role has full S3 access, which might not be what you need.

CreateS3ExecutionRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: custom-execution-role
    AssumeRolePolicyDocument:
      Statement:
        - Action: sts:AssumeRole
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::111111111111:role/attini/attini-action-role-eu-west-1
      Version: '2012-10-17'
    Policies:
      - PolicyName: !Ref AWS::StackName
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Action: s3:*
              Effect: Allow
              Resource: "*"

2. Configure the step in the deployment plan

Example: deployment plan step using an ExecutionRoleArn

Resources:
  CrossAccountDeploymentPlan:
    Type: Attini::Deploy::DeploymentPlan
    Properties:
      DeploymentPlan:
        StartAt: DeployVpc
        States:
          DeployVpc:
            Type: AttiniCfn
            Properties:
              Template: /network/vpc.yaml
              StackName: vpc
              ExecutionRoleArn: arn:aws:iam::222222222222:role/custom-execution-role
            End: true

3. Apply an S3 bucket policy

The execution role that you provide needs access to the template and config file for the deploy. This is most easily granted by applying an S3 bucket policy to the artifact store bucket.

Example: S3 bucket policy

{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:role/custom-execution-role"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::attini-artifact-store-eu-west-1-111111111111/*"
    }
  ]
}
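Steps 1 and 3 have to agree with each other: the trust policy on the execution role must name the Attini action role, and the bucket policy must name the execution role over the artifact store objects. The following added example (not Attini's own code) checks both documents offline; the account ids, region and role names are the constructed values used on this page, and `some/key` is a constructed object key.

```python
# Added example (not Attini's own code): offline checks that the two policy
# documents from this page line up with each other. The account ids, region
# and role names are the constructed values used throughout the page.
import json
from fnmatch import fnmatchcase

ATTINI_ACCOUNT, TARGET_ACCOUNT, REGION = "111111111111", "222222222222", "eu-west-1"
ACTION_ROLE = f"arn:aws:iam::{ATTINI_ACCOUNT}:role/attini/attini-action-role-{REGION}"
EXECUTION_ROLE = f"arn:aws:iam::{TARGET_ACCOUNT}:role/custom-execution-role"
ARTIFACT_BUCKET = f"arn:aws:s3:::attini-artifact-store-{REGION}-{ATTINI_ACCOUNT}"
SAMPLE_OBJECT = ARTIFACT_BUCKET + "/some/key"  # constructed key; any object must be readable

TRUST_POLICY_JSON = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": [ACTION_ROLE]}, "Action": "sts:AssumeRole"}]})
BUCKET_POLICY_JSON = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowCrossAccountAccess", "Effect": "Allow",
    "Principal": {"AWS": EXECUTION_ROLE}, "Action": "s3:GetObject",
    "Resource": ARTIFACT_BUCKET + "/*"}]})

def _as_list(value):
    # Principal.AWS, Action and Resource may each be one string or a list.
    return value if isinstance(value, list) else [value]

def _matches(needle, patterns):
    # IAM treats * and ? in Action and Resource values as wildcards.
    return any(fnmatchcase(needle, p) for p in _as_list(patterns))

def _allows(policy, principal, action, resource=None):
    """True if an Allow statement names `principal` under Principal.AWS and covers
    `action` (and `resource`, when given). Deny statements and Condition blocks
    are not evaluated: this is a configuration sanity check, not a simulator."""
    for stmt in _as_list(policy["Statement"]):
        principal_block = stmt.get("Principal", {})
        principals = _as_list(principal_block.get("AWS", [])) if isinstance(principal_block, dict) else []
        if stmt.get("Effect") != "Allow" or principal not in principals:
            continue
        if not _matches(action, stmt.get("Action", [])):
            continue
        if resource is None or _matches(resource, stmt.get("Resource", [])):
            return True
    return False

def check_cross_account_setup(trust_policy_json, bucket_policy_json):
    """Steps 1 and 3 of the page, checked offline: the Attini action role may
    assume the execution role, and the execution role may read the artifacts."""
    trust, bucket = json.loads(trust_policy_json), json.loads(bucket_policy_json)
    return {
        "action_role_can_assume_execution_role": _allows(trust, ACTION_ROLE, "sts:AssumeRole"),
        "execution_role_can_read_artifacts": _allows(bucket, EXECUTION_ROLE, "s3:GetObject", SAMPLE_OBJECT),
    }
```

Feed it the trust policy from `aws iam get-role` and the bucket policy from `aws s3api get-bucket-policy` to catch the common mismatches (wrong region in the bucket name, account root instead of the action role) before the deployment plan runs.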