fix(core): Removing StackSet for installing Pipeline role in Org Accounts (aws-samples#568)

* Creating Accelerator Execution Role in all accounts
* Adding Cloudformation service to assume pipelinerole
* Setting maxConcurrency for installing pipeline roles to 40

Author: naveenkoppula

src/core/cdk/src/assets/execution-role.template.json

@@ -31,6 +31,13 @@
               "Principal": {
                 "Service": "ssm.amazonaws.com"
               }
+            },
+            {
+              "Action": "sts:AssumeRole",
+              "Effect": "Allow",
+              "Principal": {
+                "Service": "cloudformation.amazonaws.com"
+              }
             }
           ],
           "Version": "2012-10-17"

src/core/cdk/src/initial-setup.ts

@@ -206,6 +206,7 @@ export namespace InitialSetup {
           'phases.$': '$.configuration.baselineOutput.phases',
           'acceleratorVersion.$': '$.configuration.acceleratorVersion',
           'configRootFilePath.$': '$.configuration.configRootFilePath',
+          'organizationAdmiRole.$': '$.configuration.baselineOutput.organizationAdmiRole',
         },
         resultPath: '$.configuration',
       });
@@ -225,6 +226,7 @@ export namespace InitialSetup {
           'phases.$': '$.configuration.baselineOutput.phases',
           'acceleratorVersion.$': '$.configuration.acceleratorVersion',
           'configRootFilePath.$': '$.configuration.configRootFilePath',
+          'organizationAdmiRole.$': '$.configuration.baselineOutput.organizationAdmiRole',
         },
         resultPath: '$.configuration',
       });
@@ -350,6 +352,7 @@ export namespace InitialSetup {
           'regions.$': '$.configuration.regions',
           'accounts.$': '$.configuration.accounts',
           'configRootFilePath.$': '$.configuration.configRootFilePath',
+          'organizationAdmiRole.$': '$.configuration.organizationAdmiRole',
         },
         resultPath: '$',
       });
@@ -389,18 +392,15 @@ export namespace InitialSetup {
         },
       );
 
-      const installRoleTemplate = new s3assets.Asset(this, 'ExecutionRoleTemplate', {
-        path: path.join(__dirname, 'assets', 'execution-role.template.json'),
-      });
-
-      // Make sure the Lambda can read the template
-      installRoleTemplate.bucket.grantRead(pipelineRole);
+      const accountsPath = path.join(__dirname, 'assets', 'execution-role.template.json');
+      const executionRoleContent = fs.readFileSync(accountsPath);
 
       const installRolesStateMachine = new sfn.StateMachine(this, `${props.acceleratorPrefix}InstallRoles_sm`, {
         stateMachineName: `${props.acceleratorPrefix}InstallRoles_sm`,
-        definition: new CreateStackSetTask(this, 'Install', {
+        definition: new CreateStackTask(this, 'Install', {
           lambdaCode,
           role: pipelineRole,
+          suffix: 'ExecutionRole',
         }),
       });
 
@@ -416,16 +416,25 @@ export namespace InitialSetup {
             // TODO Only add root role for development environments
             AssumedByRoleArn: `arn:aws:iam::${stack.account}:root,${pipelineRole.roleArn}`,
           },
-          stackTemplate: {
-            s3BucketName: installRoleTemplate.s3BucketName,
-            s3ObjectKey: installRoleTemplate.s3ObjectKey,
-          },
-          'instanceAccounts.$': '$.accounts',
-          instanceRegions: [stack.region],
+          stackTemplate: executionRoleContent.toString(),
+          'accountId.$': '$.accountId',
+          'assumedRoleName.$': '$.organizationAdmiRole',
         }),
         resultPath: 'DISCARD',
       });
 
+      const installExecRolesInAccounts = new sfn.Map(this, `Install Execution Roles Map`, {
+        itemsPath: '$.accounts',
+        resultPath: 'DISCARD',
+        maxConcurrency: 40,
+        parameters: {
+          'accountId.$': '$$.Map.Item.Value',
+          'organizationAdmiRole.$': '$.organizationAdmiRole',
+        },
+      });
+
+      installExecRolesInAccounts.iterator(installRolesTask);
+
       const deleteVpcSfn = new sfn.StateMachine(this, 'Delete Default Vpcs Sfn', {
         stateMachineName: `${props.acceleratorPrefix}DeleteDefaultVpcs_sfn`,
         definition: new RunAcrossAccountsTask(this, 'DeleteDefaultVPCs', {
@@ -853,7 +862,7 @@ export namespace InitialSetup {
 
       const commonDefinition = loadOrganizationsTask.startState
         .next(loadAccountsTask)
-        .next(installRolesTask)
+        .next(installExecRolesInAccounts)
         .next(deleteVpcTask)
         .next(loadLimitsTask)
         .next(enableTrustedAccessForServicesTask)

src/core/cdk/src/tasks/create-stack-task.ts

@@ -9,6 +9,7 @@ export namespace CreateStackTask {
     role: iam.IRole;
     lambdaCode: lambda.Code;
     waitSeconds?: number;
+    suffix?: string;
   }
 }
 
@@ -19,7 +20,7 @@ export class CreateStackTask extends sfn.StateMachineFragment {
   constructor(scope: cdk.Construct, id: string, props: CreateStackTask.Props) {
     super(scope, id);
 
-    const { role, lambdaCode, waitSeconds = 10 } = props;
+    const { role, lambdaCode, suffix, waitSeconds = 10 } = props;
 
     role.addToPrincipalPolicy(
       new iam.PolicyStatement({
@@ -36,7 +37,7 @@ export class CreateStackTask extends sfn.StateMachineFragment {
       }),
     );
 
-    const deployTask = new CodeTask(scope, `Deploy`, {
+    const deployTask = new CodeTask(scope, `Deploy${suffix || ''}`, {
       resultPath: 'DISCARD',
       functionProps: {
         role,
@@ -47,7 +48,7 @@ export class CreateStackTask extends sfn.StateMachineFragment {
 
     const verifyTaskResultPath = '$.verify';
     const verifyTaskStatusPath = `${verifyTaskResultPath}.status`;
-    const verifyTask = new CodeTask(scope, 'Verify', {
+    const verifyTask = new CodeTask(scope, `Verify${suffix || ''}`, {
       resultPath: verifyTaskResultPath,
       functionProps: {
         role,
@@ -56,19 +57,19 @@ export class CreateStackTask extends sfn.StateMachineFragment {
       },
     });
 
-    const waitTask = new sfn.Wait(scope, 'Wait', {
+    const waitTask = new sfn.Wait(scope, `Wait${suffix || ''}`, {
       time: sfn.WaitTime.duration(cdk.Duration.seconds(waitSeconds)),
     });
 
-    const pass = new sfn.Pass(this, 'Succeeded');
+    const pass = new sfn.Pass(this, `Succeeded${suffix || ''}`);
 
-    const fail = new sfn.Fail(this, 'Failed');
+    const fail = new sfn.Fail(this, `Failed${suffix || ''}`);
 
     const chain = sfn.Chain.start(deployTask)
       .next(waitTask)
       .next(verifyTask)
       .next(
-        new sfn.Choice(scope, 'Choice')
+        new sfn.Choice(scope, `Choice${suffix || ''}`)
           .when(sfn.Condition.stringEquals(verifyTaskStatusPath, 'SUCCESS'), pass)
           .when(sfn.Condition.stringEquals(verifyTaskStatusPath, 'IN_PROGRESS'), waitTask)
           .otherwise(fail)

src/core/runtime/src/create-stack/create.ts

@@ -1,26 +1,36 @@
 import { CloudFormation, objectToCloudFormationParameters } from '@aws-accelerator/common/src/aws/cloudformation';
 import { StackTemplateLocation, getTemplateBody } from '../create-stack-set/create-stack-set';
+import { STS } from '@aws-accelerator/common/src/aws/sts';
 
 interface CreateStackInput {
   stackName: string;
   stackCapabilities: string[];
   stackParameters: { [key: string]: string };
   stackTemplate: StackTemplateLocation;
+  accountId?: string;
+  assumedRoleName?: string;
 }
 
 export const handler = async (input: CreateStackInput) => {
   console.log(`Creating stack...`);
   console.log(JSON.stringify(input, null, 2));
 
-  const { stackName, stackCapabilities, stackParameters, stackTemplate } = input;
+  const { stackName, stackCapabilities, stackParameters, stackTemplate, accountId, assumedRoleName } = input;
 
   console.debug(`Creating stack template`);
   console.debug(stackTemplate);
 
   // Load the template body from the given location
   const templateBody = await getTemplateBody(stackTemplate);
 
-  const cfn = new CloudFormation();
+  let cfn: CloudFormation;
+  if (accountId && assumedRoleName) {
+    const sts = new STS();
+    const credentials = await sts.getCredentialsForAccountAndRole(accountId, assumedRoleName);
+    cfn = new CloudFormation(credentials);
+  } else {
+    cfn = new CloudFormation();
+  }
   await cfn.createOrUpdateStack({
     StackName: stackName,
     TemplateBody: templateBody,

src/core/runtime/src/create-stack/verify.ts

@@ -1,19 +1,29 @@
 import { CloudFormation } from '@aws-accelerator/common/src/aws/cloudformation';
+import { STS } from '@aws-accelerator/common/src/aws/sts';
 
 const SUCCESS_STATUSES = ['CREATE_COMPLETE', 'UPDATE_COMPLETE'];
 const FAILED_STATUSES = ['CREATE_FAILED', 'ROLLBACK_COMPLETE', 'ROLLBACK_FAILED', 'UPDATE_ROLLBACK_COMPLETE'];
 
 interface CheckStepInput {
   stackName?: string;
+  accountId?: string;
+  assumedRoleName?: string;
 }
 
 export const handler = async (input: Partial<CheckStepInput>) => {
   console.log(`Verifying stack with parameters ${JSON.stringify(input, null, 2)}`);
 
-  const { stackName } = input;
+  const { stackName, accountId, assumedRoleName } = input;
 
   // Deploy the stack using the assumed role in the current region
-  const cfn = new CloudFormation();
+  let cfn: CloudFormation;
+  if (accountId && assumedRoleName) {
+    const sts = new STS();
+    const credentials = await sts.getCredentialsForAccountAndRole(accountId, assumedRoleName);
+    cfn = new CloudFormation(credentials);
+  } else {
+    cfn = new CloudFormation();
+  }
   const stack = await cfn.describeStack(stackName!);
   if (!stack) {
     return {

src/core/runtime/src/get-baseline-step.ts

@@ -20,6 +20,7 @@ export interface GetBaseelineOutput {
   baseline: string;
   storeAllOutputs: boolean;
   phases: number[];
+  organizationAdmiRole: string;
 }
 
 const dynamoDB = new DynamoDB();
@@ -68,5 +69,6 @@ export const handler = async (input: GetBaseLineInput): Promise<GetBaseelineOutp
     baseline,
     storeAllOutputs: runStoreAllOutputs,
     phases: [-1, 0, 1, 2, 3],
+    organizationAdmiRole: globalOptionsConfig['organization-admin-role'] || 'AWSCloudFormationStackSetExecutionRole',
   };
 };

src/core/runtime/src/load-configuration-step.ts

@@ -4,6 +4,7 @@ export interface LoadConfigurationInput {
   configFilePath: string;
   configRepositoryName: string;
   configCommitId: string;
+  organizationAdmiRole: string;
   baseline?: BaseLineType;
   acceleratorVersion?: string;
   configRootFilePath?: string;