Deployment Guide - Deploy CloudFormation Template

Permissions:
To enable seamless automation when deploying this CloudFormation Template (CFT), the template grants the Executor and Requestor roles the permissions listed below.

Please review the permissions before proceeding with the deployment. The JSON policy under each table is the authoritative grant; the summary table is a convenience, and some statements (for example the Executor's EC2 snapshot and CloudWatch metric actions, and the Requestor's scheduler, iam:PassRole and sts:AssumeRole statements) appear only in the JSON.
  • Executor Role Permissions
    Service                  Summary
    IAM Role Management      Pass the Onyx-Execution-Role
    SSM Parameters           Get and put parameters under parameter/onyx/*
    EventBridge Rules        Full access to EventBridge rules starting with Onyx-*
    EC2 Operations           Read and write permissions for managing auto-scaling groups, EC2 instance profiles, IAM roles and policies
    SSM                      Full access to all SSM operations
    SNS                      Publish to SNS topics prefixed with Automation* or onyx-*
    S3 Bucket Access         Read access to S3 buckets/objects matching *-onyx-*
    SQS Queue Access         Full access to Onyx-Orchestrator-Queue
    Scheduler Permissions    Full access to schedule group Onyx-Orchestrator-Schedule-Group
    Auto Scaling & EC2       Describe and manage Auto Scaling groups and EC2 instance profiles
    IAM                      Manage IAM roles and policies, attach policies, and pass roles
    Lambda                   Read and update Lambda functions and layers
    Tagging                  Add and manage tags for resources
JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteSnapshot",
        "ec2:DescribeInstanceStatus",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:DescribeTags",
        "ec2:AssociateIamInstanceProfile",
        "ec2:DescribeAddresses",
        "ec2:DescribeIamInstanceProfileAssociations",
        "ec2:DescribeInstances",
        "ssm:*",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "iam:AddRoleToInstanceProfile",
        "iam:AttachRolePolicy",
        "iam:CreateInstanceProfile",
        "iam:CreateRole",
        "iam:GetInstanceProfile",
        "iam:GetPolicy",
        "iam:GetRole",
        "iam:ListInstanceProfiles",
        "iam:ListInstanceProfilesForRole",
        "iam:ListRolePolicies",
        "iam:GetRolePolicy",
        "tag:TagResources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": ["arn:aws:s3:::*-onyx-*", "arn:aws:s3:::*-onyx-*/*"]
    },
    {
      "Effect": "Allow",
      "Action": "sqs:*",
      "Resource": "arn:aws:sqs:ap-southeast-1:471112792234:Onyx-Orchestrator-Queue"
    },
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": ["arn:aws:sns:*:*:onyx-*", "arn:aws:sns:*:*:Automation*"]
    },
    {
      "Effect": "Allow",
      "Action": "scheduler:*",
      "Resource": [
        "arn:aws:scheduler:*:*:schedule-group/Onyx-Orchestrator-Schedule-Group",
        "arn:aws:scheduler:*:*:schedule/Onyx-Orchestrator-Schedule-Group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:*:*:function:Automation*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::471112792234:role/Onyx-Execution-Role"
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:GetParameter", "ssm:PutParameter"],
      "Resource": "arn:aws:ssm:*:*:parameter/onyx/*"
    },
    {
      "Effect": "Allow",
      "Action": "events:*",
      "Resource": "arn:aws:events:*:*:rule/Onyx-*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreatePolicy", "iam:PutRolePolicy"],
      "Resource": [
        "arn:aws:iam::471112792234:policy/Onyx-*",
        "arn:aws:iam::471112792234:role/Onyx-*"
      ]
    }
  ]
}
  • Requestor Role Permissions
    Service                  Summary
    ECR                      Get image for Lambda execution
    Organizations            List accounts for parent
    SSM (OpsItem)            Get OpsItem, list OpsItem events
    SSM (Documents)          Add tags, create, delete, get, and update documents prefixed with Onyx*
    EventBridge              List tags for EventBridge rules prefixed with Onyx-
    SSM (Automation)         Start change request execution for automations prefixed with Onyx*
    SSM (Automation)         Add tags, get automation execution details
    S3 Bucket Access         Get and list access for S3 buckets and objects matching *-onyx-*
    SQS Queue Access         Full access to Onyx-Orchestrator-Queue
    SNS                      Publish to SNS topics prefixed with onyx-*
JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "ecr:BatchCheckLayerAvailability",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "organizations:ListAccountsForParent",
        "ssm:GetOpsItem",
        "ssm:ListOpsItemEvents"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": ["arn:aws:s3:::*-onyx-*", "arn:aws:s3:::*-onyx-*/*"]
    },
    {
      "Effect": "Allow",
      "Action": "sqs:*",
      "Resource": "arn:aws:sqs:ap-southeast-1:471112792234:Onyx-Orchestrator-Queue"
    },
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:*:*:onyx-*"
    },
    {
      "Effect": "Allow",
      "Action": "scheduler:*",
      "Resource": [
        "arn:aws:scheduler:*:*:schedule-group/Onyx-Orchestrator-Schedule-Group",
        "arn:aws:scheduler:*:*:schedule/Onyx-Orchestrator-Schedule-Group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::471112792234:role/Onyx-Orchestrator-Role",
        "arn:aws:iam::471112792234:role/Onyx-Execution-Role"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:AddTagsToResource",
        "ssm:CreateDocument",
        "ssm:DeleteDocument",
        "ssm:GetDocument",
        "ssm:UpdateDocument",
        "ssm:UpdateDocumentDefaultVersion",
        "ssm:UpdateDocumentMetadata",
        "ssm:UpdateOpsItem"
      ],
      "Resource": "arn:aws:ssm:*:471112792234:document/Onyx*"
    },
    {
      "Effect": "Allow",
      "Action": "events:ListTagsForResource",
      "Resource": "arn:aws:events:*:*:rule/Onyx-*"
    },
    {
      "Effect": "Allow",
      "Action": "ssm:StartChangeRequestExecution",
      "Resource": "arn:aws:ssm:*:*:automation-definition/Onyx*:*"
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:AddTagsToResource", "ssm:GetAutomationExecution"],
      "Resource": "arn:aws:ssm:*:*:automation-execution/*"
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/Onyx-Execution-Role*"
    }
  ]
}
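Before deploying, a reviewer usually wants a list of every grant in these two policies that is not pinned to a named resource or is a service-wide wildcard (such as ssm:* on Resource "*" in the Executor policy). The following audit is an added example, not part of this guide or of the Onyx template; it runs on a constructed excerpt of the Executor policy above, and the same function can be pointed at the full Executor or Requestor JSON.

```python
import json
from typing import Any, Dict, List

# Constructed excerpt of the Executor Role policy in this guide (trimmed to a few
# statements so the audit logic is easy to follow; the full policy is longer).
EXECUTOR_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ssm:*", "iam:CreateRole", "iam:AttachRolePolicy"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
     "Resource": ["arn:aws:s3:::*-onyx-*", "arn:aws:s3:::*-onyx-*/*"]},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::471112792234:role/Onyx-Execution-Role"},
    {"Effect": "Allow", "Action": "events:*",
     "Resource": "arn:aws:events:*:*:rule/Onyx-*"}
  ]
}"""
EXECUTOR_POLICY: Dict[str, Any] = json.loads(EXECUTOR_POLICY_JSON)


def _as_list(value: Any) -> List[Any]:
    # IAM allows Action/Resource to be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return every Allow (action, resource) pair that is either a service-wide
    action wildcard ("svc:*" or "*") or bound to the unscoped resource "*".
    Prefix-scoped ARNs such as arn:aws:events:*:*:rule/Onyx-* and narrowed
    action globs such as s3:Get* are not flagged: they are the intended scoping."""
    findings: List[Dict[str, str]] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                reasons = []
                if action == "*" or action.endswith(":*"):
                    reasons.append("service-wide action")
                if resource == "*":
                    reasons.append("unscoped resource")
                if reasons:
                    findings.append({"action": action, "resource": resource,
                                     "reason": " and ".join(reasons)})
    return findings
```

Calling `find_broad_grants(EXECUTOR_POLICY)` on the excerpt reports five grants, with ssm:* on "*" flagged for both reasons; each one is an item to justify or narrow before the stack goes live.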
1. Deploy Master Stack
  • Log in to the Delegated Account.
  • Navigate to CloudFormation and click "Create Stack."
  • Choose "Use an existing template"
  • Paste this URL into the template section:
https://prod-onyx-backend.s3.ap-south-1.amazonaws.com/onyx/aws/cft/onyx-master.template.json
  • Provide a stack name, set Environment to "prod," and set Region to "us" (if your account is in the US region).
  • Enter your Organization ID (only if you use a master/child setup).
  • Add tags as needed, acknowledge role creation, and click "Submit."
  • Wait for deployment to complete.
2. Deploy Child Stack
  • Log in to the Delegated Account.
  • Navigate to CloudFormation, select StackSets and click "Create Stack."
  • Select "Service-managed permissions" as the Permission Model
  • Paste this URL into the template section:
https://prod-onyx-backend.s3.ap-south-1.amazonaws.com/onyx/aws/cft/onyx-child.template.json
  • Enter your preferred stack name.
    Enter the Delegated Account ID, keep the Environment as "prod", and choose "us" as the Region if the account used to deploy the Master Stack is in the US region.
  • Add any desired tags and click "Next."
  • Select "Deploy new stacks."
  • Under Deployment targets, choose "Deploy to organizational units."
    Enter the root OU ID saved earlier.
    For Account filter type, select "Difference" and enter the Delegated Account ID in the Account numbers section.
  • Select the region where you want to deploy the child stack.
  • Define the maximum number of concurrent accounts for your organization, select "Parallel" for region concurrency, and click "Next."
  • Acknowledge IAM role creation and click "Submit."
  • Allow the deployment to complete.
When finished you are all set!