Install the Attini Framework

Installation time: ca 4 minutes

For the Attini Framework to function you need to deploy the framework in your AWS Regions, this is done by creating a CloudFormation stack called attini-setup.

The underlying infrastructure for the Attini framework is essentially free if its not used so you can onboard AWS Accounts and Regions without being concerned about cost.

To use the Attini Framework you will require some prior knowledge of AWS and AWS CloudFormation.

Security information:

  • We strongly recommend you to not use AWS Root user for this deployment, instead you should create a IAM Role or IAM User.

  • The DynamoDB tables created by the attini-setup are encrypted with the AWS managed KMS keys.

  • The S3 Buckets created by the attini-setup are encrypted with S3 server side encryption (SSE-S3).

  • All API calls made by the Attini Framework are secured with AWS IAM.

Installation and update

Using the Attini CLI

  1. Install the Attini CLI

  2. Now run the Attini CLI command attini setup to deploy the Attini Framework with default configuration. If you run attini setup --help you will find more information about the configuration options. You can also find more information about the configuration below.

Example command:

The following command gives Attini very high permissions so its only recommended for sandbox environments.

attini setup --give-admin-access --create-deployment-plan-default-role --create-init-deploy-default-role --accept-license-agreement


You can always update the attini-setup Cloud​Formation stack with you own configurations after its been created. You can do this via Attini CLI command attini setup or in the AWS console (If you can’t see the CloudFormation stack attini-setup, please verify that you are in the correct AWS Region and Account).

Using the AWS console

  1. Create a CloudFormation stack using the template:


    Replace {Region} with your current region, ex us-east-1 or eu-west-1.

    If you want to install a specific version of Attini, replace “latest” in the URL with a specific version. Find more info about Attini versions here.

  2. The CloudFormation stack have to be named attini-setup

  3. Optional: Change the default configuration in the Parameter section. Find more here.


If you just want to download the attini-setup template you can download it from any region ex:



This email is only used to send operational information when needed.

Required: false


The Attini framework can auto configure certain CloudFormation parameters. If you want the Attini framework to automatically configure a CloudFormation parameter called ex “env”, “Environment” or “EnvironmentName” instead of “AttiniEnvironmentName”, you can change that here.

Required: true

Default: AttiniEnvironmentName


Should Attini create a high privileged default role for Attini init deploy? If this is false you have to configure InitDeployRoleArn.

Required: true

Default: false


Arn for the Attini init deploy.

This role needs the privileges to create all the resources for your Attini init deploys, which contains your Attini deployment plans.

Note: see AttachLeastPrivilegePolicyToInitDeployRole configuration as well.

Required: If CreateInitDeployDefaultRole is true, then is is required.

Default: empty sting


If InitDeployRoleArn is configured, should the attini-setup attach a least privilege policy to that IAM Role?

If you configure this to be false, you need to give InitDeployRole sufficient permissions, otherwise there is a risk that deployments freeze without proper error messages.

Find the current least privilege policy in the attini-setup template under the name AttiniInitDeploymentPolicy.


The main reason to set this to false is if you want to use the same IAM Role for the init deploy in multiple regions. If this is true and you use the same IAM role for the init deploy the attini-setup stack will fail with the error “Maximum policy size of 10240 bytes exceeded for role”. This is because multiple attini-setup stacks attach a least privilege policy to the same role.

Required: true

Default: true


Should Attini create a default Service role for the Attini DeploymentPlans underlying AWS StepFunctions?

The default role have the permission to trigger/run/execute/publish/put on any AWS Lambda, AWS StepFunction, ECS task, CodeBuild project, SNS topic, or SQS queue in your AWS Account.


If this is false, you will have to configure an RoleArn for every Attini DeploymentPlan you create.

Required: true

Default: true


Should the Attini deployment plan have AdministratorAccess when it manages CloudFormation Stacks on your behalf?

If this parameter is false each AttiniCfn step in Attini deployment plans will need to have either StackRoleArn or ExecutionRoleArn configured.


If this is true, the lambda that creates your Cloudformation stacks will have AdministratorAccess. This is user friendly when you are testing your deployments in a sandbox environment but should never be used for production deployment.

For production environments we recommend to set this parameter to false.

Required: true

Default: false


If you require the Attini lambda functions to be executed in any specific VPC, please fill it here. This also requires SubnetsIds to be configured.

This has to be a valid VPC id in your current region, or the value “AwsManagedNetwork”.

Required: true

Default: AwsManagedNetwork


If you require the Attini lambda functions to be executed in any specific subnets, please fill it here. This also requires VpcId to be configured.

This has to be a comma-separated list of private subnets ids in the VPC you specify in the VpcId, or the value “AwsManagedNetwork”.

Required: true

Default: AwsManagedNetwork


This parameter helps you control which Cloud​Formation Stack roles can be used by the Attini Framework. This means that a IAM Role configured in the StackRoleArn in the Attini deployment plan will need to have this string in the IAM Roles name or path.

If this parameter is “*” then Attini will be able to do iam:PassRole to any IAM Role in your AWS Account.

This parameter becomes irrelevant if you configure ExecutionRoleArn, because then the iam:PassRole permission will be configured in the Execution Role.

Example: If this is configured to be attini, the IAM Role name or path will need to have attini somewhere in it, like arn:aws:iam::{AccountId}:role/attini-my-cloudformation-stack-role.

Required: true

Default: attini


If you are running a lot of other AWS Lambda function in your account its recommended to use the reserved concurrency to make sure that your different workloads can’t interfere with each other. You can reserve concurrency for the Attini Lambda functions by configuring this parameter.

Dynamic will disable reserved concurrency for the Attini Lambda functions.

Small will reserve 15 AWS Lambda concurrency for the Attini functions.

Medium will reserve 30 AWS Lambda concurrency for the Attini functions.

Large will reserve 69 AWS Lambda concurrency for the Attini functions.

Required: true

Default: Dynamic


Specify how many distributions should be retained, specify 0 to retain all forever. Find more information at Attini artifact life cycle.

Required: true

Default: 10


Specify how many distributions should be retained, specify 0 to retain all forever. Find more information at Attini artifact life cycle.

Required: true

Default: 10


Should Attini framework auto update? If yes, enter a cron or rate expression or when it should be done. If you don’t want to auto update, leave this field empty. More info about cron or rate expressions

Required: true

Default: empty sting


Log level for all Attini lambdas, INFO is recommend. A higher LogLevel (ex WARN) will save CloudWatch cost. A lower LogLevel (ex DEBUG) might help to trouble shoot but will incur extra CloudWatch cost.

Required: true

Default: INFO


If you exceed the free tier limit of Attini this token is mandatory for managing billing information. Create a token in the Attini admin portal.

For more information, see how to manage your Attini license.

Required: false

Default: free-tier


(Required) Accept the Attini license agreement. Find more information in our Product.

Required: true

Default: false

Deleting/Clean up the Attini framework


All deployment history and Attini features will be lost if you do this.

If you no longer want to use the Attini framework you can delete it from you AWS region using these steps:

  1. Empty the s3 bucket attini-deployment-origin-${Region}-${AccountId}

  2. Empty the s3 bucket attini-artifact-store-${Region}-${AccountId}

  3. Delete the CloudFormation stack attini-setup

  4. Delete any parameters in AWS SSM Parameter store with the prefix /attini/

If you change your mind about using Attini, the framework can easily be installed again.