Deployment Guide - Deploy CloudFormation Template

Permissions:

The automation deployed by this CloudFormation template (CFT) runs under two IAM roles, Executor and Requestor. Review their permissions below before deploying. Each role has a summary table followed by the policy JSON; the JSON is the authoritative definition, the table only summarizes it.

  • Executor Role Permissions

Service | Summary
EC2 | Describe instances, instance status, addresses, tags and instance-profile associations; associate instance profiles; create and delete tags; delete snapshots (all resources)
SSM | ssm:* on all resources (every SSM API; the separate Get/PutParameter statement on parameter/onyx/* is subsumed by it)
CloudWatch | Read metric data and metric statistics
IAM | Create roles and instance profiles, attach managed policies to roles, add roles to instance profiles, and read role, policy and instance-profile details (all resources); create policies and put inline policies on Onyx-* policies and roles; pass Onyx-Execution-Role
Tagging | tag:TagResources on all resources
S3 | Get and List on buckets and objects matching *-onyx-*
SQS | Full access to Onyx-Orchestrator-Queue (ARN pinned to ap-southeast-1, account 471112792234)
SNS | Publish to topics named onyx-* or Automation*
EventBridge Scheduler | Full access to schedule group Onyx-Orchestrator-Schedule-Group and its schedules
Lambda | Invoke functions named Automation*
EventBridge | Full access to rules named Onyx-*

Review before deploying:
  • ssm:* and the IAM write actions in the first statement (iam:CreateRole, iam:AttachRolePolicy, iam:CreateInstanceProfile, iam:AddRoleToInstanceProfile) are granted on Resource "*". iam:AttachRolePolicy on "*" lets the holder attach any managed policy, AdministratorAccess included, to any role in the account, so whatever can assume the Executor role is effectively an account administrator. ec2:DeleteSnapshot on "*" likewise reaches every snapshot in the account. Scope these to Onyx-* ARNs if the template permits it.
  • The SQS and IAM statements hard-code account 471112792234, and the SQS ARN also pins ap-southeast-1. If the queue and roles are created in a different account or region, those statements match nothing and the automation fails with AccessDenied; check them against the account and region you deploy to.
JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteSnapshot",
        "ec2:DescribeInstanceStatus",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:DescribeTags",
        "ec2:AssociateIamInstanceProfile",
        "ec2:DescribeAddresses",
        "ec2:DescribeIamInstanceProfileAssociations",
        "ec2:DescribeInstances",
        "ssm:*",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "iam:AddRoleToInstanceProfile",
        "iam:AttachRolePolicy",
        "iam:CreateInstanceProfile",
        "iam:CreateRole",
        "iam:GetInstanceProfile",
        "iam:GetPolicy",
        "iam:GetRole",
        "iam:ListInstanceProfiles",
        "iam:ListInstanceProfilesForRole",
        "iam:ListRolePolicies",
        "iam:GetRolePolicy",
        "tag:TagResources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": ["arn:aws:s3:::*-onyx-*", "arn:aws:s3:::*-onyx-*/*"]
    },
    {
      "Effect": "Allow",
      "Action": "sqs:*",
      "Resource": "arn:aws:sqs:ap-southeast-1:471112792234:Onyx-Orchestrator-Queue"
    },
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": ["arn:aws:sns:*:*:onyx-*", "arn:aws:sns:*:*:Automation*"]
    },
    {
      "Effect": "Allow",
      "Action": "scheduler:*",
      "Resource": [
        "arn:aws:scheduler:*:*:schedule-group/Onyx-Orchestrator-Schedule-Group",
        "arn:aws:scheduler:*:*:schedule/Onyx-Orchestrator-Schedule-Group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:*:*:function:Automation*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::471112792234:role/Onyx-Execution-Role"
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:GetParameter", "ssm:PutParameter"],
      "Resource": "arn:aws:ssm:*:*:parameter/onyx/*"
    },
    {
      "Effect": "Allow",
      "Action": "events:*",
      "Resource": "arn:aws:events:*:*:rule/Onyx-*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreatePolicy", "iam:PutRolePolicy"],
      "Resource": [
        "arn:aws:iam::471112792234:policy/Onyx-*",
        "arn:aws:iam::471112792234:role/Onyx-*"
      ]
    }
  ]
}


  • Requestor Role Permissions

Service | Summary
CloudWatch Logs | Create log groups and log streams, put log events (Lambda execution logging)
ECR | Get an authorization token, describe repositories, check layer availability and get layer download URLs (pull the Lambda container image)
Organizations | List accounts for a parent OU
SSM (OpsItem) | Get OpsItems, list OpsItem events (all resources)
S3 | Get and List on buckets and objects matching *-onyx-*
SQS | Full access to Onyx-Orchestrator-Queue (ARN pinned to ap-southeast-1, account 471112792234)
SNS | Publish to topics named onyx-*
EventBridge Scheduler | Full access to schedule group Onyx-Orchestrator-Schedule-Group and its schedules
IAM | Pass Onyx-Orchestrator-Role and Onyx-Execution-Role
SSM (Documents) | Add tags, create, delete, get and update documents named Onyx* (the same statement also lists ssm:UpdateOpsItem; see the note below)
EventBridge | List tags on rules named Onyx-*
SSM (Automation) | Start change request executions for automation definitions named Onyx*; add tags to and get details of any automation execution
STS | Assume any role named Onyx-Execution-Role* in any account

Review before deploying:
  • sts:AssumeRole on arn:aws:iam::*:role/Onyx-Execution-Role* is not limited to an account and carries no Condition, so the Requestor can assume any matching role whose trust policy accepts it. The trust policy of each child account's Onyx-Execution-Role is therefore the only control; confirm it trusts only the Requestor role's account.
  • ssm:UpdateOpsItem sits in the statement whose Resource is arn:aws:ssm:*:471112792234:document/Onyx*. OpsItem APIs are authorized against opsitem ARNs, not document ARNs, so that entry matches nothing; if the automation updates OpsItems, give the action its own statement and verify it with the IAM policy simulator.
JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "ecr:BatchCheckLayerAvailability",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "organizations:ListAccountsForParent",
        "ssm:GetOpsItem",
        "ssm:ListOpsItemEvents"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": ["arn:aws:s3:::*-onyx-*", "arn:aws:s3:::*-onyx-*/*"]
    },
    {
      "Effect": "Allow",
      "Action": "sqs:*",
      "Resource": "arn:aws:sqs:ap-southeast-1:471112792234:Onyx-Orchestrator-Queue"
    },
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:*:*:onyx-*"
    },
    {
      "Effect": "Allow",
      "Action": "scheduler:*",
      "Resource": [
        "arn:aws:scheduler:*:*:schedule-group/Onyx-Orchestrator-Schedule-Group",
        "arn:aws:scheduler:*:*:schedule/Onyx-Orchestrator-Schedule-Group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::471112792234:role/Onyx-Orchestrator-Role",
        "arn:aws:iam::471112792234:role/Onyx-Execution-Role"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:AddTagsToResource",
        "ssm:CreateDocument",
        "ssm:DeleteDocument",
        "ssm:GetDocument",
        "ssm:UpdateDocument",
        "ssm:UpdateDocumentDefaultVersion",
        "ssm:UpdateDocumentMetadata",
        "ssm:UpdateOpsItem"
      ],
      "Resource": "arn:aws:ssm:*:471112792234:document/Onyx*"
    },
    {
      "Effect": "Allow",
      "Action": "events:ListTagsForResource",
      "Resource": "arn:aws:events:*:*:rule/Onyx-*"
    },
    {
      "Effect": "Allow",
      "Action": "ssm:StartChangeRequestExecution",
      "Resource": "arn:aws:ssm:*:*:automation-definition/Onyx*:*"
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:AddTagsToResource", "ssm:GetAutomationExecution"],
      "Resource": "arn:aws:ssm:*:*:automation-execution/*"
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/Onyx-Execution-Role*"
    }
  ]
}
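
As an added check (example code, not part of this guide or the Onyx template), the following Python script parses an IAM policy document and flags the statements a reviewer should question in the two policies above: service-wide Action wildcards, privilege-escalation IAM actions allowed on Resource "*", and sts:AssumeRole or iam:PassRole whose ARN leaves the account as a wildcard with no Condition. It also collects the account IDs and regions hard-coded in Resource ARNs so they can be compared with the deployment target. The embedded policy is a constructed excerpt of the statements above, not the full policies; paste the complete JSON into lint_policy to check everything.

```python
"""Static review of IAM policy documents such as the Executor and Requestor
policies above. Added example; not part of the guide or the Onyx template."""
import json
from dataclasses import dataclass

# IAM write actions that, when allowed on Resource "*", let the holder grant
# itself (or any principal) arbitrary permissions. Illustrative subset, not a
# complete catalogue of escalation paths.
ESCALATION_ACTIONS = {
    "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion", "iam:UpdateAssumeRolePolicy",
    "iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreateAccessKey",
}
ROLE_ACTIONS = {"sts:AssumeRole", "iam:PassRole"}


@dataclass(frozen=True)
class Finding:
    statement: int   # index into policy["Statement"]
    severity: str    # "HIGH" or "MEDIUM"
    message: str


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def arn_fields(arn):
    """(region, account) from an ARN, or None if the string is not an ARN."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        return None
    return parts[3], parts[4]


def lint_policy(policy):
    """Return Findings for Allow statements a reviewer would question."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        unscoped = "*" in resources
        for action in actions:
            service, _, verb = action.partition(":")
            if verb == "*":   # e.g. ssm:* or sqs:*
                sev = "HIGH" if unscoped else "MEDIUM"
                where = "Resource '*'" if unscoped else "the listed resources"
                findings.append(Finding(i, sev, f"{action} on {where}: every {service} API"))
            if action in ESCALATION_ACTIONS and unscoped:
                findings.append(Finding(i, "HIGH", f"{action} on Resource '*' can escalate privilege"))
        # Role assumption/passing: the account field of the ARN must not be a wildcard
        if ROLE_ACTIONS & set(actions) and not st.get("Condition"):
            for res in resources:
                fields = arn_fields(res)
                if fields and fields[1] == "*":
                    findings.append(Finding(i, "HIGH", f"{res}: role in any account and no Condition"))
    return findings


def pinned_identifiers(policy):
    """Account IDs and regions hard-coded in Resource ARNs. Both must match the
    account/region the stack is deployed into, or the statement grants nothing."""
    accounts, regions = set(), set()
    for st in policy.get("Statement", []):
        for res in _as_list(st.get("Resource")):
            fields = arn_fields(res)
            if fields is None:
                continue
            region, account = fields
            if region and region != "*":
                regions.add(region)
            if account.isdigit():
                accounts.add(account)
    return accounts, regions


# Constructed excerpt of the statements above (representative, not the full policies).
EXCERPT = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ssm:*", "iam:AttachRolePolicy", "iam:CreateRole"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "sqs:*",
     "Resource": "arn:aws:sqs:ap-southeast-1:471112792234:Onyx-Orchestrator-Queue"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::471112792234:role/Onyx-Execution-Role"},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::*:role/Onyx-Execution-Role*"}
  ]
}""")

if __name__ == "__main__":
    for f in lint_policy(EXCERPT):
        print(f"[{f.severity}] statement {f.statement}: {f.message}")
    print("pinned accounts/regions:", pinned_identifiers(EXCERPT))
```

On the excerpt the script reports three HIGH findings (ssm:* on "*", iam:AttachRolePolicy on "*", and the any-account sts:AssumeRole) and one MEDIUM (sqs:* on the named queue), and lists account 471112792234 and region ap-southeast-1 as pinned. A clean result is not proof of least privilege; it only removes the obvious objections before a manual review.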

1. Deploy Delegated Account Stack

  • Log in to the Delegated Account you chose when setting up Change Manager.
  • Navigate to CloudFormation and click "Create stack."
  • Choose "Use an existing template."
  • In the template section, paste this URL:
    Master Stack URL
  • Provide a stack name. Keep Environment set to "prod" and Region set to "mum" (use "us" if you are deploying in a US region).
  • Enter your Organization ID (only if you have a master/child multi-account setup).
  • Add tags as needed, acknowledge that the template creates IAM resources, and click "Submit."
  • Wait for the stack to reach CREATE_COMPLETE.

2. Deploy Child Stack

  • Log in to the Master Account (the organization's management account).
  • Navigate to CloudFormation, select StackSets, and click "Create StackSet."
  • Select "Service-managed permissions" as the permission model.
  • In the template section, paste this URL:
    Child Stack URL
  • Enter a StackSet name.
  • Enter the Delegated Account ID, keep Environment set to "prod" and Region set to "mum" (use "us" if you are deploying in a US region).
  • Add any desired tags and click "Next."
  • Select "Deploy new stacks."
  • Under Deployment targets, choose "Deploy to organizational units" and enter the root OU ID saved earlier.
  • For Account filter type, select "Difference" and enter the Delegated Account ID in the Account numbers field. This deploys to every account under the OU except the Delegated Account, which already holds the master stack.
  • Select the region(s) in which to deploy the child stack.
  • Set the maximum number of concurrent accounts for the deployment, select "Parallel" for region concurrency, and click "Next."
  • Acknowledge IAM role creation and click "Submit."
  • Wait for the StackSet operation to finish (status SUCCEEDED).
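
The same two steps scripted with boto3, as an added example (this is not the Onyx project's own tooling). Because the templates are not reproduced on this page, the script assumes they expose parameters named Environment, Region, OrganizationId and DelegatedAccountId, that the stack and StackSet names Onyx-Master and Onyx-Child are free to choose, and that "acknowledge role creation" corresponds to CAPABILITY_NAMED_IAM (the templates create named roles such as Onyx-Execution-Role). The request-building functions are pure so the parameters, deployment targets and concurrency settings can be inspected without AWS access; deploy() performs the live calls with two boto3 Sessions, one for the Delegated Account and one for the Master account.

```python
"""Scripted equivalent of deployment steps 1 and 2. Added example; not the
Onyx project's own tooling. Parameter names, stack names and profile names
are assumptions (see the lead-in)."""
import time

# The guide allows only these values for the template's Region parameter:
# "mum", or "us" in a US region. They are template values, not AWS region names.
REGION_CODES = ("mum", "us")


def _params(**kwargs):
    """CloudFormation parameter list; keys whose value is None are omitted."""
    return [{"ParameterKey": k, "ParameterValue": v} for k, v in kwargs.items() if v is not None]


def master_stack_request(stack_name, template_url, org_id=None,
                         environment="prod", region_code="mum"):
    """Step 1 (run in the Delegated Account): arguments for create_stack.
    org_id is only needed for a master/child multi-account setup."""
    if region_code not in REGION_CODES:
        raise ValueError(f"Region must be one of {REGION_CODES}, got {region_code!r}")
    return {
        "StackName": stack_name,
        "TemplateURL": template_url,
        "Parameters": _params(Environment=environment, Region=region_code, OrganizationId=org_id),
        "Capabilities": ["CAPABILITY_NAMED_IAM"],   # the "acknowledge role creation" checkbox
    }


def child_stackset_request(stack_set_name, template_url, delegated_account_id,
                           environment="prod", region_code="mum"):
    """Step 2 (run in the Master account): arguments for create_stack_set with
    service-managed permissions, so no StackSet execution roles must be pre-created."""
    if region_code not in REGION_CODES:
        raise ValueError(f"Region must be one of {REGION_CODES}, got {region_code!r}")
    return {
        "StackSetName": stack_set_name,
        "TemplateURL": template_url,
        "Parameters": _params(DelegatedAccountId=delegated_account_id,
                              Environment=environment, Region=region_code),
        "Capabilities": ["CAPABILITY_NAMED_IAM"],
        "PermissionModel": "SERVICE_MANAGED",
        "CallAs": "SELF",
    }


def child_instances_request(stack_set_name, root_ou_id, delegated_account_id,
                            aws_regions, max_concurrent):
    """Step 2, deployment targets: every account under the root OU except the
    Delegated Account ("Difference"), which already holds the master stack and
    would otherwise collide on the Onyx-* resource names."""
    return {
        "StackSetName": stack_set_name,
        "DeploymentTargets": {
            "OrganizationalUnitIds": [root_ou_id],
            "AccountFilterType": "DIFFERENCE",
            "Accounts": [delegated_account_id],
        },
        "Regions": list(aws_regions),
        "OperationPreferences": {
            "RegionConcurrencyType": "PARALLEL",
            "MaxConcurrentCount": max_concurrent,
            "FailureToleranceCount": 0,
        },
        "CallAs": "SELF",
    }


def deploy(delegated_session, management_session, *, master_template_url, child_template_url,
           root_ou_id, delegated_account_id, org_id, aws_regions, max_concurrent=10, poll_seconds=30):
    """Run both steps with two boto3 Sessions (Delegated Account, Master account)
    and block until the StackSet operation reaches a terminal status."""
    cfn_delegated = delegated_session.client("cloudformation")
    cfn_delegated.create_stack(**master_stack_request("Onyx-Master", master_template_url, org_id))
    cfn_delegated.get_waiter("stack_create_complete").wait(StackName="Onyx-Master")

    cfn_mgmt = management_session.client("cloudformation")
    cfn_mgmt.create_stack_set(**child_stackset_request("Onyx-Child", child_template_url,
                                                       delegated_account_id))
    op = cfn_mgmt.create_stack_instances(**child_instances_request(
        "Onyx-Child", root_ou_id, delegated_account_id, aws_regions, max_concurrent))
    while True:
        status = cfn_mgmt.describe_stack_set_operation(
            StackSetName="Onyx-Child", OperationId=op["OperationId"])["StackSetOperation"]["Status"]
        if status in ("SUCCEEDED", "FAILED", "STOPPED"):
            return status
        time.sleep(poll_seconds)


if __name__ == "__main__":
    import boto3   # only needed for a live run; the request builders have no dependency on it
    result = deploy(
        boto3.Session(profile_name="delegated"),      # assumed profile names
        boto3.Session(profile_name="management"),
        master_template_url="<Master Stack URL>",      # the URLs linked in the guide
        child_template_url="<Child Stack URL>",
        root_ou_id="r-xxxx", delegated_account_id="111122223333", org_id="o-xxxx",   # placeholders
        aws_regions=["ap-southeast-1"],   # assumed; the SQS ARN in the policies above pins this region
    )
    print("StackSet operation:", result)
```

The profile names, OU and account IDs in the main block are placeholders; the region list should match wherever the Onyx-Orchestrator-Queue ARN in the policies points, otherwise the deployed roles cannot reach the queue.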

When finished you are all set!
