
Deployment Guide - Deploy CloudFormation Template
Permissions:
To enable seamless automation, deploying this CloudFormation Template (CFT) creates the Executor and Requestor roles and grants them the permissions listed below.
Please review the permissions below before proceeding with the deployment.
Executor Role Permissions

| Service | Summary |
| --- | --- |
| IAM Role Management | Pass the Onyx-Execution-Role |
| SSM Parameters | Get and put parameters under `parameter/onyx/*` |
| EventBridge Rules | Full access to EventBridge rules starting with `Onyx-*` |
| EC2 Operations | Read and write permissions for managing auto-scaling groups, EC2 instance profiles, IAM roles and policies |
| SSM Parameters | Full access to all SSM operations |
| SNS | Publish to SNS topics prefixed with `Automation*` or `onyx-*` |
| S3 Bucket Access | Read access to S3 buckets/objects matching `*-onyx-*` |
| SQS Queue Access | Full access to Onyx-Orchestrator-Queue |
| Scheduler Permissions | Full access to schedule group Onyx-Orchestrator-Schedule-Group |
| Auto Scaling & EC2 | Describe and manage Auto Scaling groups and EC2 instance profiles |
| IAM | Manage IAM roles and policies, attach policies, and pass roles |
| Lambda | Read and update Lambda functions and layers |
| Tagging | Add and manage tags for resources |
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteSnapshot",
        "ec2:DescribeInstanceStatus",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:DescribeTags",
        "ec2:AssociateIamInstanceProfile",
        "ec2:DescribeAddresses",
        "ec2:DescribeIamInstanceProfileAssociations",
        "ec2:DescribeInstances",
        "ssm:*",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "iam:AddRoleToInstanceProfile",
        "iam:AttachRolePolicy",
        "iam:CreateInstanceProfile",
        "iam:CreateRole",
        "iam:GetInstanceProfile",
        "iam:GetPolicy",
        "iam:GetRole",
        "iam:ListInstanceProfiles",
        "iam:ListInstanceProfilesForRole",
        "iam:ListRolePolicies",
        "iam:GetRolePolicy",
        "tag:TagResources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": ["arn:aws:s3:::*-onyx-*", "arn:aws:s3:::*-onyx-*/*"]
    },
    {
      "Effect": "Allow",
      "Action": "sqs:*",
      "Resource": "arn:aws:sqs:ap-southeast-1:471112792234:Onyx-Orchestrator-Queue"
    },
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": ["arn:aws:sns:*:*:onyx-*", "arn:aws:sns:*:*:Automation*"]
    },
    {
      "Effect": "Allow",
      "Action": "scheduler:*",
      "Resource": [
        "arn:aws:scheduler:*:*:schedule-group/Onyx-Orchestrator-Schedule-Group",
        "arn:aws:scheduler:*:*:schedule/Onyx-Orchestrator-Schedule-Group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:*:*:function:Automation*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::471112792234:role/Onyx-Execution-Role"
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:GetParameter", "ssm:PutParameter"],
      "Resource": "arn:aws:ssm:*:*:parameter/onyx/*"
    },
    {
      "Effect": "Allow",
      "Action": "events:*",
      "Resource": "arn:aws:events:*:*:rule/Onyx-*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreatePolicy", "iam:PutRolePolicy"],
      "Resource": [
        "arn:aws:iam::471112792234:policy/Onyx-*",
        "arn:aws:iam::471112792234:role/Onyx-*"
      ]
    }
  ]
}
```
Requestor Role Permissions

| Service | Summary |
| --- | --- |
| ECR | Get image for Lambda execution |
| Organizations | List accounts for parent |
| SSM (OpsItem) | Get OpsItem, list OpsItem events |
| SSM (Documents) | Add tags, create, delete, get, and update documents prefixed with `Onyx*` |
| EventBridge | List tags for EventBridge rules prefixed with `Onyx-` |
| SSM (Automation) | Start change request execution for automations prefixed with `Onyx*` |
| SSM (Automation) | Add tags, get automation execution details |
| S3 Bucket Access | Get and list access for S3 buckets and objects matching `*-onyx-*` |
| SQS Queue Access | Full access to Onyx-Orchestrator-Queue |
| SNS | Publish to SNS topics prefixed with `onyx-*` |
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "ecr:BatchCheckLayerAvailability",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "organizations:ListAccountsForParent",
        "ssm:GetOpsItem",
        "ssm:ListOpsItemEvents"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": ["arn:aws:s3:::*-onyx-*", "arn:aws:s3:::*-onyx-*/*"]
    },
    {
      "Effect": "Allow",
      "Action": "sqs:*",
      "Resource": "arn:aws:sqs:ap-southeast-1:471112792234:Onyx-Orchestrator-Queue"
    },
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:*:*:onyx-*"
    },
    {
      "Effect": "Allow",
      "Action": "scheduler:*",
      "Resource": [
        "arn:aws:scheduler:*:*:schedule-group/Onyx-Orchestrator-Schedule-Group",
        "arn:aws:scheduler:*:*:schedule/Onyx-Orchestrator-Schedule-Group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::471112792234:role/Onyx-Orchestrator-Role",
        "arn:aws:iam::471112792234:role/Onyx-Execution-Role"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:AddTagsToResource",
        "ssm:CreateDocument",
        "ssm:DeleteDocument",
        "ssm:GetDocument",
        "ssm:UpdateDocument",
        "ssm:UpdateDocumentDefaultVersion",
        "ssm:UpdateDocumentMetadata",
        "ssm:UpdateOpsItem"
      ],
      "Resource": "arn:aws:ssm:*:471112792234:document/Onyx*"
    },
    {
      "Effect": "Allow",
      "Action": "events:ListTagsForResource",
      "Resource": "arn:aws:events:*:*:rule/Onyx-*"
    },
    {
      "Effect": "Allow",
      "Action": "ssm:StartChangeRequestExecution",
      "Resource": "arn:aws:ssm:*:*:automation-definition/Onyx*:*"
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:AddTagsToResource", "ssm:GetAutomationExecution"],
      "Resource": "arn:aws:ssm:*:*:automation-execution/*"
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/Onyx-Execution-Role*"
    }
  ]
}
```
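As an added check that is not part of this guide, the following Python script reviews a policy document such as the two above before you accept it. It reports two things a reviewer looks for: wildcard actions that apply to `Resource: "*"` (in the Executor policy that is `ssm:*`), and ARNs that hard-code an account ID or region (the SQS queue and IAM ARNs above name account 471112792234, and the queue ARN names region ap-southeast-1), which must match the account and region you deploy into. The embedded policy is a constructed excerpt of the Executor policy; the target account and region used at the bottom are constructed values, not from the guide.

```python
"""Pre-deployment reviewer for IAM policy documents like the Executor/Requestor policies.

Added example, not part of the deployment guide. Findings are returned as
strings so the script can be wired into a deployment checklist.
"""
import json
import re

# Constructed excerpt of the Executor policy from this guide (the account ID
# and the queue ARN are copied from the page; the action list is shortened).
EXECUTOR_POLICY = json.loads(r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ssm:*", "iam:CreateRole"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "sqs:*",
     "Resource": "arn:aws:sqs:ap-southeast-1:471112792234:Onyx-Orchestrator-Queue"},
    {"Effect": "Allow",
     "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::471112792234:role/Onyx-Execution-Role"},
    {"Effect": "Allow",
     "Action": ["ssm:GetParameter", "ssm:PutParameter"],
     "Resource": "arn:aws:ssm:*:*:parameter/onyx/*"}
  ]
}
''')

# arn:partition:service:region:account-id:resource  (only the aws partition here)
ARN_RE = re.compile(r"^arn:aws:([^:]*):([^:]*):([^:]*):(.*)$")


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def unscoped_wildcards(policy):
    """Wildcard actions in Allow statements whose Resource includes '*' (no scoping at all)."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                found.append(action)
    return found


def pinned_arns(policy):
    """Map ARN -> {'region': ..., 'account': ...} for ARNs that hard-code either field."""
    pinned = {}
    for stmt in policy["Statement"]:
        for res in _as_list(stmt.get("Resource", [])):
            m = ARN_RE.match(res)
            if not m:
                continue
            _service, region, account, _rest = m.groups()
            pin = {}
            if region and region != "*":
                pin["region"] = region
            if re.fullmatch(r"\d{12}", account):
                pin["account"] = account
            if pin:
                pinned[res] = pin
    return pinned


def review(policy, target_account, target_region):
    """Human-readable findings for deploying this policy into target_account / target_region."""
    findings = [f"wildcard action {a!r} on Resource '*'" for a in unscoped_wildcards(policy)]
    for arn, pin in pinned_arns(policy).items():
        if pin.get("account") not in (None, target_account):
            findings.append(f"{arn} pins account {pin['account']} != {target_account}")
        if pin.get("region") not in (None, target_region):
            findings.append(f"{arn} pins region {pin['region']} != {target_region}")
    return findings


if __name__ == "__main__":
    # Constructed target account/region: every pinned ARN above then mismatches.
    for line in review(EXECUTOR_POLICY, "123456789012", "us-east-1"):
        print(line)
```

Replace the excerpt with the full JSON of either policy to review it; a pinned-account finding means the policy must be edited to the account you are deploying into before the roles will work there.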
1. Deploy Master Stack
- Log in to the Delegated Account.
- Navigate to CloudFormation and click "Create Stack."

- Choose "Use an existing template"
- Paste the template URL into the Template section.

- Provide a stack name, set Environment to "prod," and Region to "us" (if in the US region).
- Enter your Organization ID (only if you have a master/child account setup).

- Add tags as needed, acknowledge role creation, and click "Submit."

- Wait for deployment to complete.

2. Deploy Child Stack
- Log in to the Delegated Account.
- Navigate to CloudFormation, select StackSets and click "Create Stack."

- Select "Service-managed permissions" as the Permission Model.
- Paste the template URL into the Template section.

- Select a preferred stack name.
- Enter the Delegated Account ID, keep Environment as "prod", and set Region to "us" if the Master Stack was deployed in the US region.

- Add any desired tags and click "Next."

- Select "Deploy new stacks."
- Under Deployment targets, choose "Deploy to organizational units."
  - Enter the root OU ID saved earlier.
  - For Account filter type, select "Difference" and enter the Delegated Account ID in the Account numbers section.

- Select a region where you want to deploy the child stack.

- Set the maximum number of concurrent accounts for your organization, select "Parallel" for Region concurrency, and click "Next."

- Acknowledge IAM role creation and click "Submit."

- Wait for the deployment to complete.

When finished, you are all set!
Use the following URL for the Child Stack.
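The console steps in sections 1 and 2 map onto three CloudFormation API calls: `create_stack` for the Master Stack, then `create_stack_set` and `create_stack_instances` for the Child Stack. The following Python script, an added example that is not part of this guide, builds the request parameters for those calls and validates the IDs before anything is submitted. The template parameter keys (`Environment`, `Region`, `OrganizationId`, `DelegatedAccountId`) and the template URLs are assumptions: the guide names the console fields but not the template's parameter names, and its template links are not reproduced here. The API field names, the "Difference" account-filter semantics, and the ID formats are AWS's own.

```python
"""Builds the CloudFormation API requests behind the Master/Child Stack console steps.

Added example, not part of the deployment guide. Pass the returned dicts to
boto3's cloudformation.create_stack / create_stack_set / create_stack_instances.
"""
import re

# Placeholders: substitute the template URLs given in the guide.
MASTER_TEMPLATE_URL = "https://example.invalid/onyx-master-stack.yaml"
CHILD_TEMPLATE_URL = "https://example.invalid/onyx-child-stack.yaml"

ACCOUNT_ID_RE = re.compile(r"\d{12}")          # AWS account IDs are 12 digits
ORG_ID_RE = re.compile(r"o-[a-z0-9]{10,32}")   # Organizations ID format
ROOT_OU_RE = re.compile(r"r-[0-9a-z]{4,32}")   # organization root ID format


def _params(**values):
    """Turn keyword arguments into the Parameters list CloudFormation expects (None = omitted)."""
    return [{"ParameterKey": k, "ParameterValue": v} for k, v in values.items() if v is not None]


def build_master_stack_request(stack_name, organization_id=None, environment="prod", region_code="us"):
    """Step 1: create_stack in the Delegated Account; Organization ID only for a master/child setup."""
    if organization_id is not None and not ORG_ID_RE.fullmatch(organization_id):
        raise ValueError("Organization ID should look like o-xxxxxxxxxx")
    return {
        "StackName": stack_name,
        "TemplateURL": MASTER_TEMPLATE_URL,
        # "acknowledge role creation": the template creates named IAM roles
        "Capabilities": ["CAPABILITY_NAMED_IAM"],
        "Parameters": _params(Environment=environment, Region=region_code, OrganizationId=organization_id),
    }


def build_stack_set_request(stack_set_name, delegated_account_id, environment="prod", region_code="us"):
    """Step 2: create_stack_set with service-managed permissions."""
    if not ACCOUNT_ID_RE.fullmatch(delegated_account_id):
        raise ValueError("Delegated Account ID must be 12 digits")
    return {
        "StackSetName": stack_set_name,
        "TemplateURL": CHILD_TEMPLATE_URL,
        "PermissionModel": "SERVICE_MANAGED",
        "Capabilities": ["CAPABILITY_NAMED_IAM"],
        "Parameters": _params(DelegatedAccountId=delegated_account_id, Environment=environment, Region=region_code),
    }


def build_stack_instances_request(stack_set_name, root_ou_id, delegated_account_id, regions, max_concurrent_accounts):
    """Step 2, deployment targets: every account under the root OU except the Delegated Account."""
    if not ROOT_OU_RE.fullmatch(root_ou_id):
        raise ValueError("root OU ID should look like r-xxxx")
    if not ACCOUNT_ID_RE.fullmatch(delegated_account_id):
        raise ValueError("Delegated Account ID must be 12 digits")
    if max_concurrent_accounts < 1:
        raise ValueError("max concurrent accounts must be at least 1")
    return {
        "StackSetName": stack_set_name,
        "DeploymentTargets": {
            "OrganizationalUnitIds": [root_ou_id],
            # DIFFERENCE = OU membership minus the listed accounts; the Delegated
            # Account already runs the Master Stack, so it is excluded here.
            "AccountFilterType": "DIFFERENCE",
            "Accounts": [delegated_account_id],
        },
        "Regions": list(regions),
        "OperationPreferences": {
            "RegionConcurrencyType": "PARALLEL",
            "MaxConcurrentCount": max_concurrent_accounts,
        },
    }


def target_accounts(ou_member_accounts, delegated_account_id):
    """What the DIFFERENCE filter above resolves to for a given OU membership."""
    return [a for a in ou_member_accounts if a != delegated_account_id]


if __name__ == "__main__":
    # Constructed IDs for illustration only.
    print(build_master_stack_request("Onyx-Master", organization_id="o-examplea1b2"))
    print(build_stack_set_request("Onyx-Child", "111111111111"))
    print(build_stack_instances_request("Onyx-Child", "r-ab12", "111111111111", ["us-east-1"], 10))
```

`target_accounts` makes the "Difference" filter concrete: given the accounts under the root OU, the Child Stack lands in all of them except the Delegated Account, which is why the guide has you enter that ID in the Account numbers section.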