| # Deployed in each account where Terraform will be used. | |
| # aws cloudformation deploy \ | |
| # --template-file ./TerraformProviderRole.yml \ | |
| # --stack-name TerraformProviderRole \ | |
| # --capabilities CAPABILITY_IAM | |
| Resources: | |
| TerraformProviderRole: | |
| Type: AWS::IAM::Role |
A CloudFormation template to quickstart a CloudFormation "Live" repository strategy. This supports a "GitOps" strategy for deploying CloudFormation stacks to multiple AWS accounts and regions.
cfn-live-deploy-role.yml to one or more accounts you need to manage CloudFormation stacks in. Note the created role ARNs.cfn-live.yml into a central account where the CodeCommit repository and CodeBuild CI/CD job will be stored.
| { | |
| "StartAt": "Pass1", | |
| "States": { | |
| "Pass1": { | |
| "Type": "Pass", | |
| "Result": { | |
| "Items": [ | |
| "a", | |
| "b", | |
| "c", |
| #!/usr/bin/env python3 | |
| # Example usage: | |
| # | |
| # ~ $ export AWS_PROFILE=organization-management-account | |
| # ~ $ python ~/tmp/config_aggregator_query.py | |
| # 53 resources inspected | |
| # | |
| import json |
| aws configservice batch-get-aggregate-resource-config \ | |
| --configuration-aggregator-name 'MyConfigAggregator' \ | |
| --resource-identifiers "$( | |
| aws configservice list-aggregate-discovered-resources \ | |
| --configuration-aggregator-name 'MyConfigAggregator' \ | |
| --resource-type 'AWS::EC2::Instance' \ | |
| --query 'ResourceIdentifiers' | |
| )" |
| Description: >- | |
| Scheduled Lambda function to delete Default VPC from all accounts in the organization. Deploys an IAM role via | |
| CloudFormation stackset to the organization root and schedules a Lambda function to assume the IAM roles in each | |
| account and attempt to delete the Default VPCs in every Region. If any operation fails, or if a Default VPC is not | |
| empty, or if a Default VPC has a peering connection, the function invocation fails. | |
| Parameters: | |
| OrgRootId: | |
| Type: String | |
| AllowedPattern: '^r-[a-zA-Z0-9]+$' |
| Conditions: | |
| PrimaryRegion: !Or [!Equals [!Ref AWS::Region, 'us-east-1'], !Equals [!Ref AWS::Region, 'us-gov-west-1']] | |
| Resources: | |
| BackupSlr: | |
| Type: AWS::IAM::ServiceLinkedRole | |
| Condition: PrimaryRegion | |
| DeletionPolicy: Retain | |
| UpdateReplacePolicy: Retain | |
| Properties: |
| # Usage examples: | |
| # | |
| # Create a new CodeCommit repository with CodeBuild CI/CD | |
| # | |
| # aws cloudformation deploy \ | |
| # --stack-name my-new-project \ | |
| # --template-file ./template.yml \ | |
| # --capabilities CAPABILITY_IAM \ | |
| # --parameter-overrides 'RepositoryDescription=My new project description' | |
| # |
| # Lint (cfn-lint) and Package (aws cloudformation package ...) run on templates for all branches. | |
| # Deploy all templates on 'main' branch (stack names will be built from template names). | |
| version: 0.2 | |
| phases: | |
| install: | |
| runtime-versions: | |
| python: 3.9 | |
| pre_build: |
| Resources: | |
| CodeCommitRepository: | |
| Type: AWS::CodeCommit::Repository | |
| Properties: | |
| RepositoryName: !Ref AWS::StackName | |
| CodeBuildProject: | |
| Type: AWS::CodeBuild::Project | |
| Properties: | |
| Name: !Ref AWS::StackName |