Cross account CloudFormation deploy


To enable cross AWS account CloudFormation deployments you need to do the following:

  1. Create a role in the target account that the Attini framework should assume.

  2. Configure the ExecutionRoleArn in the deployment plan to reference the role from step 1.

  3. Apply an S3 bucket policy to the attini-artifact-store-{Region}-{AccountId} bucket that allows the role from step 1 to read the templates and configuration it needs.

In the examples below, the Attini framework is deployed in eu-west-1 in account 111111111111, and the target account we want to deploy into is 222222222222.



1. Create a custom execution role

This role needs the permission to manage all the resources in your CloudFormation stack OR the iam:PassRole permission if you are using a Stack role.

The role's trust policy must also allow it to be assumed by arn:aws:iam::{AccountId*}:role/attini/attini-action-role-{Region**}.

* Your AWS Account Id
** The region that your deployment plan is in

Example role config

{
  "Role": {
    "RoleName": "custom-execution-role",
    "Arn": "arn:aws:iam::222222222222:role/custom-execution-role",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::111111111111:role/attini/attini-action-role-eu-west-1"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    },
    "Description": "Cross account deployment",
    "MaxSessionDuration": 3600
  }
}

Example role configured in CloudFormation

This example role has full S3 access, which might be more than you need; scope the inline policy to the resources your stack actually manages.

CreateS3ExecutionRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: custom-execution-role
    AssumeRolePolicyDocument:
      Statement:
        - Action: sts:AssumeRole
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::111111111111:role/attini/attini-action-role-eu-west-1
      Version: '2012-10-17'
    Policies:
      - PolicyName: !Ref AWS::StackName
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Action: s3:*
              Effect: Allow
              Resource: "*"

2. Configure the step in the deployment plan

Example of a deployment plan step using an ExecutionRoleArn

Resources:
  CrossAccountDeploymentPlan:
    Type: Attini::Deploy::DeploymentPlan
    Properties:
      DeploymentPlan:
        StartAt: DeployVpc
        States:
          DeployVpc:
            Type: AttiniCfn
            Properties:
              Template: /network/vpc.yaml
              StackName: vpc
              ExecutionRoleArn: arn:aws:iam::222222222222:role/custom-execution-role
            End: true

3. Apply an s3 bucket policy

The execution role that you provide needs read access to the template and config file for the deployment. This is easily granted by applying an S3 bucket policy on the artifact store bucket.

Example of an S3 Bucket Policy

{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:role/custom-execution-role"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::attini-artifact-store-eu-west-1-111111111111/*"
    }
  ]
}
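The three documents above (the execution role's trust policy in step 1, its inline permissions policy, and the bucket policy in step 3) are where a cross-account setup most often ends up broader than intended: a trust policy that names the account root instead of the Attini action role, or a bucket policy that allows more than s3:GetObject. The following script is an added example, not part of the Attini project or this page; it runs offline against the page's own sample documents (embedded here as constructed Python dicts with the page's example ARNs) and reports anything wider than what steps 1 and 3 call for. It flags the page's s3:* on "*" inline policy, as the note in step 1 warns, and is otherwise clean.

```python
"""Offline checks for the three IAM documents in a cross-account Attini setup.

Added example: takes the trust policy, the inline permissions policy and the
artifact-bucket policy as plain dicts (e.g. loaded from `aws iam get-role` or
`aws s3api get-bucket-policy` output) and reports anything broader than intended.
"""

# Constructed sample values; the ARNs follow the page's example accounts and region.
ATTINI_ACTION_ROLE = "arn:aws:iam::111111111111:role/attini/attini-action-role-eu-west-1"
EXECUTION_ROLE = "arn:aws:iam::222222222222:role/custom-execution-role"
ARTIFACT_BUCKET = "attini-artifact-store-eu-west-1-111111111111"

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [ATTINI_ACTION_ROLE]},
        "Action": "sts:AssumeRole",
    }],
}

# The page's inline policy: s3:* on "*", which the page itself says may be wider than needed.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCrossAccountAccess",
        "Effect": "Allow",
        "Principal": {"AWS": EXECUTION_ROLE},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{ARTIFACT_BUCKET}/*",
    }],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def _aws_principals(stmt):
    """Return the AWS principals of a statement (a bare "*" is returned as-is)."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return _as_list(principal)


def check_trust_policy(policy, expected_principal):
    """Only the Attini action role may assume the execution role, and only via sts:AssumeRole."""
    findings = []
    for stmt in _allow_statements(policy):
        for p in _aws_principals(stmt):
            if p == "*" or p.endswith(":root"):
                findings.append(f"trust: over-broad principal {p}")
            elif p != expected_principal:
                findings.append(f"trust: unexpected principal {p}")
        for action in _as_list(stmt.get("Action")):
            if action.lower() != "sts:assumerole":
                findings.append(f"trust: unexpected action {action}")
    return findings


def check_permissions_policy(policy):
    """Flag Allow statements that pair a wildcard action with Resource '*'."""
    findings = []
    for stmt in _allow_statements(policy):
        wildcard_resource = "*" in _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            if wildcard_resource and action.endswith("*"):
                findings.append(f"permissions: wildcard action {action} on resource *")
    return findings


def check_bucket_policy(policy, expected_principal, bucket):
    """Grant only object reads, only to the execution role, only on the artifact bucket."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in _allow_statements(policy):
        for p in _aws_principals(stmt):
            if p != expected_principal:
                findings.append(f"bucket: unexpected principal {p}")
        for action in _as_list(stmt.get("Action")):
            if action.lower() != "s3:getobject":
                findings.append(f"bucket: action {action} goes beyond reading objects")
        for resource in _as_list(stmt.get("Resource")):
            if resource != bucket_arn and not resource.startswith(bucket_arn + "/"):
                findings.append(f"bucket: resource {resource} is outside the artifact bucket")
    return findings


def run_all():
    """Run the three checks on the sample documents and return every finding."""
    return (
        check_trust_policy(TRUST_POLICY, ATTINI_ACTION_ROLE)
        + check_permissions_policy(PERMISSIONS_POLICY)
        + check_bucket_policy(BUCKET_POLICY, EXECUTION_ROLE, ARTIFACT_BUCKET)
    )


if __name__ == "__main__":
    for finding in run_all() or ["no findings"]:
        print(finding)
```

Run as-is it prints one line for the s3:* inline policy; swapping in your own documents (the trust policy from `aws iam get-role`, the bucket policy from `aws s3api get-bucket-policy`) makes it a cheap pre-deploy check that the cross-account path is no wider than steps 1 and 3 require. Note that a bucket policy alone is not sufficient if the artifact bucket uses KMS encryption with a customer managed key; the execution role then also needs kms:Decrypt on that key, which this script does not check.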