by John Lukach
CloudFormation StackSets is used to deploy the Cloud Development Kit (CDK) Bootstrap, which will help me move from ClickOps to Infrastructure-as-Code (IaC). In the management account, I need to enable trusted access between CloudFormation StackSets and AWS Organizations.
I previously set up a new StackSets account to register the delegated administrator from the management account.
In the StackSets account, I need to create an S3 bucket to host the CDK Bootstrap CloudFormation template.
https://github.com/jblukach/cdkv2/blob/main/bootstrap/template.yaml
The S3 bucket needs to allow s3:GetObject (and s3:ListBucket) to every account in the organization. The bucket policy grants both actions to any principal ("AWS": "*") but limits them with the aws:PrincipalOrgID condition key, so only identities inside the organization can read the template.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::stacksets-deployment-lukach-io",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-xxxxxxxxxx"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::stacksets-deployment-lukach-io/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-xxxxxxxxxx"
        }
      }
    }
  ]
}
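The only thing standing between this bucket and the whole internet is the aws:PrincipalOrgID condition, so it is worth having a check that fails if a statement with a wildcard principal ever loses that condition or points at the wrong organization. The following Python script is an added example, not code from the post or the linked repository: it embeds the bucket policy above (the bucket name and the o-xxxxxxxxxx org id are kept as placeholders), builds a deliberately weakened copy with the conditions stripped, and audits both. The function names are my own.

```python
import json

# Constructed sample: the bucket policy from the post. The bucket name and the
# organization id "o-xxxxxxxxxx" are placeholders, not real values.
ORG_SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::stacksets-deployment-lukach-io",
      "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-xxxxxxxxxx"}}
    },
    {
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::stacksets-deployment-lukach-io/*",
      "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-xxxxxxxxxx"}}
    }
  ]
}
""")

# Condition keys that scope a wildcard principal to an AWS Organization.
ORG_CONDITION_KEYS = {"aws:PrincipalOrgID", "aws:PrincipalOrgPaths"}


def strip_conditions(policy):
    """Return a deep copy of the policy with every Condition block removed.

    This is the weak variant: the same grants, but readable by any AWS
    principal in any account. Used here only to show what the audit flags.
    """
    weak = json.loads(json.dumps(policy))
    for stmt in weak["Statement"]:
        stmt.pop("Condition", None)
    return weak


def _is_wildcard_principal(principal):
    """True for Principal "*" or Principal {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def _has_org_condition(stmt):
    """True if any String* condition operator carries an org-scoping key."""
    for operator, keys in stmt.get("Condition", {}).items():
        # Handle set operators such as "ForAnyValue:StringLike" as well.
        if not operator.split(":")[-1].startswith("String"):
            continue
        if ORG_CONDITION_KEYS & set(keys):
            return True
    return False


def audit_policy(policy, expected_org_id=None):
    """Return a list of findings; an empty list means the policy passes.

    Every Allow statement with a wildcard principal must be scoped by
    aws:PrincipalOrgID or aws:PrincipalOrgPaths. If expected_org_id is given,
    the statement must additionally use StringEquals aws:PrincipalOrgID with
    exactly that id.
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action")
        actions = actions if isinstance(actions, list) else [actions]
        if not _has_org_condition(stmt):
            findings.append(
                f"statement {idx}: {actions} granted to any principal "
                f"without an aws:PrincipalOrgID/OrgPaths condition")
            continue
        if expected_org_id is not None:
            got = stmt["Condition"].get("StringEquals", {}).get("aws:PrincipalOrgID")
            if got != expected_org_id:
                findings.append(
                    f"statement {idx}: aws:PrincipalOrgID is {got!r}, "
                    f"expected {expected_org_id!r}")
    return findings


if __name__ == "__main__":
    print("scoped policy:", audit_policy(ORG_SCOPED_POLICY, "o-xxxxxxxxxx") or "OK")
    print("weak policy:  ", audit_policy(strip_conditions(ORG_SCOPED_POLICY)))
```

Run it against the policy fetched with `aws s3api get-bucket-policy` (the "Policy" field is a JSON string) as a step in the pipeline that publishes the bootstrap template; a non-empty finding list should fail the job. A second bucket policy condition the audit does not cover, because the post does not use it, is restricting which roles inside the organization may read the template at all.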
Now I can set up a Service-Managed StackSet that handles the IAM permissions.