The AWS Deployment Framework (ADF) is an extensive and flexible framework to manage and deploy resources across multiple AWS accounts and regions based on AWS Organizations.
Why?
Initially, ADF would generate bootstrap stack names that included the name
of the OU at the end. For example, for an OU named banking, it would generate
the global adf-global-base-banking stack.
This, however, makes it harder to harden ADF, as it would need access rights
to deploy and manage CloudFormation stacks with a wildcard at the end,
instead of listing a limited number of stack names.
Additionally, it makes it harder to write an SCP to limit who can update these
stacks as well.
It also makes it impossible to move an account from one OU to another, as the
previous bootstrap stack will contain resources that the new stack attempts
to create.
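To make the SCP point concrete, here is an added example of a service control policy that only becomes writable once the bootstrap stack names are fixed; it is not part of this PR or of ADF. With OU-suffixed names the Resource element would have to be a wildcard such as arn:aws:cloudformation:*:*:stack/adf-global-base-*/*, which also matches every other stack starting with that prefix. With the fixed names the statement can list exactly the two stack name patterns. The role name adf-cloudformation-deployment-role in the condition is an assumed placeholder for whichever principal the bootstrap pipeline deploys with, not a name taken from the page.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyBootstrapStackChangesExceptAdf",
      "Effect": "Deny",
      "Action": [
        "cloudformation:UpdateStack",
        "cloudformation:DeleteStack",
        "cloudformation:CreateChangeSet",
        "cloudformation:ExecuteChangeSet"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stack/adf-global-base-bootstrap/*",
        "arn:aws:cloudformation:*:*:stack/adf-regional-base-bootstrap/*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/adf-cloudformation-deployment-role"
        }
      }
    }
  ]
}
```

The trailing /* after the stack name is required because a CloudFormation stack ARN ends in the stack's unique ID. Note that SCPs never apply to the management account, so the adf-global-base-adf-build stack there still has to be protected with IAM policies inside that account.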
What?
Instead of using the OU name, the bootstrap stacks will be named:
adf-(global|regional)-base-bootstrap.
The exceptions are the adf-(global|regional)-base-deployment stack,
as this stack contains the resources that ADF needs to operate,
and the adf-global-base-adf-build stack that gets deployed to the
management account.
Renaming these stacks would require uninstalling ADF and reinstalling it from
scratch; hence these are kept as-is.
Tightened the IAM policies that grant access to manage the bootstrap stacks.
Added a functionality to delete deprecated stacks automatically and upgrade
to the new stack name via the aws-deployment-framework-bootstrap pipeline.
When a deprecated bootstrap stack is deleted, it will first delete the
global-iam stack if required, as the global-iam stack adds policies to the
roles that are created in the bootstrap stack. Therefore, the global-iam
stack should be removed before the bootstrap stack can be deleted in the
global region.
Fix CloudFormation Stack/ChangeSet waiter error capture, to report back the
account, region, and stack name that ran into a failure when needed.
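The deletion order and the error reporting described above, as an added Python example; this is illustration code, not ADF's implementation. It assumes the global-iam stack is named adf-global-base-iam, that us-east-1 is the global region, and that the client passed in exposes describe_stacks, delete_stack and get_waiter the way a boto3 CloudFormation client does. A constructed in-memory FakeCloudFormation stands in for that client so the module runs offline; the function and exception names are this example's own.

```python
"""Delete deprecated OU-named ADF bootstrap stacks in the right order.

Example code, not part of ADF. Assumptions: the global-iam stack is named
adf-global-base-iam, us-east-1 is the global region, and `cfn` behaves like a
boto3 CloudFormation client (describe_stacks / delete_stack / get_waiter).
"""
import re
from typing import Iterable, List

GLOBAL_REGION = "us-east-1"            # assumption: region holding the global stacks
GLOBAL_IAM_STACK = "adf-global-base-iam"  # assumption: name of the global-iam stack

# Stacks that keep their names after the change (see the "What?" section).
KEPT_SUFFIXES = {"bootstrap", "deployment", "adf-build", "iam"}
BASE_STACK = re.compile(r"^adf-(global|regional)-base-(.+)$")


class StackDeleteError(Exception):
    """A delete failure carrying the account, region and stack it happened in."""

    def __init__(self, account_id: str, region: str, stack_name: str, cause: Exception):
        self.account_id, self.region, self.stack_name, self.cause = (
            account_id, region, stack_name, cause)
        super().__init__(
            f"Deleting stack {stack_name} in {account_id}/{region} failed: {cause}")


def deprecated_bootstrap_stacks(stack_names: Iterable[str]) -> List[str]:
    """Return the adf-(global|regional)-base-<ou> stacks, i.e. base stacks
    whose suffix is not one of the fixed names ADF keeps."""
    found = []
    for name in stack_names:
        match = BASE_STACK.match(name)
        if match and match.group(2) not in KEPT_SUFFIXES:
            found.append(name)
    return sorted(found)


def delete_deprecated_bootstrap_stacks(cfn, account_id: str, region: str) -> List[str]:
    """Delete every deprecated bootstrap stack in one account/region.

    In the global region the global-iam stack is removed first, because it
    attaches policies to roles owned by the bootstrap stack. Returns the
    stack names that were deleted, in order; any failure is re-raised as
    StackDeleteError with the account, region and stack name attached.
    """
    existing = [s["StackName"] for s in cfn.describe_stacks()["Stacks"]]
    order = deprecated_bootstrap_stacks(existing)
    if order and region == GLOBAL_REGION and GLOBAL_IAM_STACK in existing:
        order.insert(0, GLOBAL_IAM_STACK)
    deleted = []
    for name in order:
        try:
            cfn.delete_stack(StackName=name)
            # boto3 waiter name for stack deletion; the fake below mirrors it.
            cfn.get_waiter("stack_delete_complete").wait(StackName=name)
        except Exception as err:  # broad on purpose: we re-raise with context
            raise StackDeleteError(account_id, region, name, err) from err
        deleted.append(name)
    return deleted


class FakeCloudFormation:
    """Constructed stand-in for a boto3 CloudFormation client (offline only).
    `fail_on` lists stacks whose delete waiter should report a failure."""

    def __init__(self, stacks: Iterable[str], fail_on: Iterable[str] = ()):
        self.stacks = list(stacks)
        self.fail_on = set(fail_on)
        self.deleted: List[str] = []

    def describe_stacks(self):
        return {"Stacks": [{"StackName": s} for s in self.stacks]}

    def delete_stack(self, StackName: str):
        if StackName not in self.stacks:
            raise RuntimeError(f"Stack with id {StackName} does not exist")
        self.stacks.remove(StackName)
        self.deleted.append(StackName)
        return {}

    def get_waiter(self, name: str):
        assert name == "stack_delete_complete"
        client = self

        class _Waiter:
            def wait(self, StackName: str):
                if StackName in client.fail_on:
                    raise RuntimeError("Waiter StackDeleteComplete failed: terminal state")
        return _Waiter()


if __name__ == "__main__":
    # Constructed sample: an account bootstrapped under the "banking" OU.
    fake = FakeCloudFormation(["adf-global-base-banking", "adf-global-base-iam",
                               "adf-global-base-deployment", "adf-global-base-adf-build"])
    print(delete_deprecated_bootstrap_stacks(fake, "111111111111", GLOBAL_REGION))
```

Run as a script it prints the deletion order for the sample account, with adf-global-base-iam ahead of adf-global-base-banking; in a non-global region only the regional OU-named stack is removed.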
Additional fix:
The parameter /adf_version would not be written with the /adf/ prefix. This is fixed in the second commit in this PR as well. I tested it with the improvements in this PR and taking it out would generate too many conflicts.
By submitting this pull request, I confirm that you can use, modify, copy, and
redistribute this contribution, under the terms of your choice.