AWS: CloudFormation StackSet IAM Roles

December 11th, 2020 270 Words

With AWS CloudFormation StackSets you can deploy a CloudFormation template to multiple AWS Accounts or AWS Regions. You can use the AWS Management Console, the AWS CLI, or CloudFormation to use StackSets. Before using StackSets, you need to configure specific IAM roles to be used with CloudFormation StackSets.

IAM Roles

All requirements to grant self-managed permissions for StackSets are available as CloudFormation Templates. When using StackSets without the AWS Organization feature, you might need to deploy these roles by yourself.

StackSet Administration

AWSTemplateFormatVersion: 2010-09-09
Description: Configure the AWSCloudFormationStackSetAdministrationRole to enable use of AWS CloudFormation StackSets.

Resources:
  AdministrationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AWSCloudFormationStackSetAdministrationRole
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: AssumeRole-AWSCloudFormationStackSetExecutionRole
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - sts:AssumeRole
                Resource:
                  - "arn:*:iam::*:role/AWSCloudFormationStackSetExecutionRole"

StackSet Executions

AWSTemplateFormatVersion: 2010-09-09
Description: Configure the AWSCloudFormationStackSetExecutionRole to enable use of your account as a target account in AWS CloudFormation StackSets.

Parameters:
  AdministratorAccountId:
    Type: String
    Description: AWS Account Id of the administrator account (the account in which StackSets will be created).
    MaxLength: 12
    MinLength: 12

Resources:
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AWSCloudFormationStackSetExecutionRole
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Ref AdministratorAccountId
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess

StackSets with AWS CDK

When using CloudFormation to create StackSets, you can either use the resource Cloudformation::StackSet in CloudFormation templates or CfnStackSet with the AWS Cloud Development Kit:

new cdk.CfnStackSet(this, "StackSet", {
  stackSetName: "Topic",
  permissionModel: "SELF_MANAGED",
  stackInstancesGroup: [
    {
      regions: ["eu-central-1", "us-east-1"],
      deploymentTargets: {
        accounts: [this.account],
      },
    },
  ],
  templateBody: `
    Resources:
      Topic:
        Type: AWS::SNS::Topic
        Properties:
          TopicName: Events
  `,
});

AWS: Encrypted SQS with SNS Subscription using KMS

December 17 th, 2020 486 Words

To decouple services on AWS, it’s a common pattern to use Amazon SQS and Amazon SNS. With AWS Key Management Service, you can encrypt the messages stored in the SNS topic and SQS queue. For the AWS Cloud Development Kit using TypeScript, you can easily create an architecture for secure message processing.
AWS CDK: API Gateway Service Integration for Step Functions

December 7 th, 2020 380 Words

Most people only use Amazon API Gateway as an HTTP interface to invoke AWS Lambda functions. But, the service has way more to offer. For example, you can easily create an HTTP interface for nearly any AWS Service; not only AWS Lambda. Based on the previous post, on how to create a State Machine with AWS Step Functions and AWS Cloud Development Kit, this post describes how to create an HTTP interface to start an execution of a State Machine using the AWS CDK.
AWS CDK: Amazon API Gateway integration for SQS

December 7 th, 2020 327 Words

Most people know Amazon API Gateway from using it to build HTTP interfaces for AWS Lambda functions. But, in general, you can use API Gateway to call a variety AWS APIs using HTTPS. This post shows how to create an HTTPS interface for Amazon SQS using the AWS Cloud Development Kit.
AWS CDK: State Machine with Step Functions

December 6 th, 2020 435 Words

With AWS Step Functions, you can easily orchestrate serverless functions and sequence them with other AWS services to a bundle application. You can create AWS Step Functions with CloudFormation, the AWS Cloud Development Kit, or - of course - using the visual interface available in the AWS Management Console. This post shows how to orchestrate AWS Lambda functions to a simple State Machine using AWS Step Functions.
AWS CDK Construct: Lambda Fleet for Dockerfile

December 6 th, 2020 463 Words

Using the AWS Cloud Development Kit, deploying a AWS Lambda function using Docker container images is pure gold. The installation of dependencies for Lambda functions always stressed me out. Regardless of using Node.js or Python, managing dependencies for AWS Lambda was never fun.
AWS CDK: Deploy Lambda with Docker

December 5 th, 2020 195 Words

The AWS Cloud Development Kit supports building docker images for AWS Lambda. With the most recent version, the CDK builds your docker images if needed and can push the image directly to AWS Elastic Container Registry. Personally, I think this is a great feature. With supporting docker images, AWS Lambda has immutable deployment artifacts!
Event-Driven Continuous Integration & Delivery

December 2 nd, 2020 717 Words

The more complex your application and architecture becomes, the more complex your deployment process usually gets. Most people and engineering teams only think about pipelines as a fix path of actions, that need to happen in a specific order. That’s true, no questions about that. But your process for Continuous Integration and Continuous Delivery does not need to be a monolith!