Merge branch 'master' into pozeus-master

Author: sbkok

CONTRIBUTING.md

@@ -57,5 +57,3 @@ If you discover a potential security issue in this project we ask that you notif
 ## Licensing
 
 See the [LICENSE](https://github.com/awslabs/aws-deployment-framework/blob/master/LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution.
-
-We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes.

docs/providers-guide.md

@@ -230,6 +230,7 @@ Provider type: `codebuild`.
   > pipeline to consume a custom image if required.
   > Along with `repository_arn`, we also support a `tag` key which can be used
   > to define which image should be used (defaults to `latest`).
+  > An example of this setup is provided [here](https://github.com/awslabs/aws-deployment-framework/blob/master/docs/user-guide.md#custom-build-images).
   > 
   > Image can also take an object that contains a reference to a
   > public docker hub image with a prefix of `docker-hub://`, such as
@@ -238,8 +239,6 @@ Provider type: `codebuild`.
   > Along with the docker hub image name, we also support using a tag which can
   > be provided after the docker hub image name such as `docker-hub://bitnami/mongodb:3.6.23`
   > in order to define which image should be used (defaults to `latest`).
-  > 
-  > 
 - *size* *(String)* **(small|medium|large)** - default: `small`.
   > The Compute type to use for the build, types can be found
   > [here](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html).

docs/user-guide.md

@@ -314,7 +314,7 @@ pipelines:
         provider: codebuild
         image:
           repository_arn: arn:aws:ecr:region:012345678910:repository/test
-          tag: latest #optional (and also defaults to latest)
+          tag: latest # optional (defaults to latest)
     targets:
       - ...
 ```

requirements.txt

@@ -1,10 +1,10 @@
-astroid~=2.4.2
-botocore==1.17.63
-boto3==1.14.63
-isort==5.6.4
+astroid~=2.6.4
+botocore==1.21.2
+boto3==1.18.2
+isort==5.9.2
 mock~=4.0.3
-pylint~=2.6.0
-pytest~=6.2.1
-pyyaml>=5.3
-schema~=0.7.2
-tox==3.20.1
+pylint~=2.9.3
+pytest~=6.2.4
+pyyaml>=5.4.1
+schema~=0.7.4
+tox==3.24.0

resources/OrganizationAccountAccessRole.yaml

@@ -0,0 +1,42 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: >
+  Organizational Account Access Role for Cross-Account automation
+
+Parameters:
+  RoleName:
+    Type: String
+    Description: >-
+      The name of the Cross-Account role
+    Default: OrganizationAccountAccessRole
+  AdministratorAccountId:
+    Type: String
+    Description: >-
+      AWS Account Id of the administrator account
+      (the account in which StackSets will be created).
+    MaxLength: 12
+    MinLength: 12
+
+Resources:
+  OrganizationAccountAccessRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Ref RoleName
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              AWS:
+                - !Ref AdministratorAccountId
+            Action:
+              - sts:AssumeRole
+      Path: /
+      ManagedPolicyArns:
+        - !Sub arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess
+
+Outputs:
+  RoleArn:
+    Description: The ARN of the Organization Account Access Role
+    Value: !GetAtt OrganizationAccountAccessRole.Arn
+    Export:
+      Name: !Sub "${AWS::StackName}-RoleArn"

samples/sample-ec2-with-codedeploy/template.yml

@@ -166,7 +166,7 @@ Resources:
               Fn::Sub: ${Environment}-public-subnet-1b
           - Fn::ImportValue:
               Fn::Sub: ${Environment}-public-subnet-1c
-      SecurityGroups: 
+      SecurityGroups:
         - !Ref 'PublicLoadBalancerSG'
   ApplicationLoadBalancerHTTPListener:
     Type: "AWS::ElasticLoadBalancingV2::Listener"
@@ -251,4 +251,4 @@ Outputs:
     Description: The url of the external load balancer
     Value: !Join ['', ['http://', !GetAtt 'PublicLoadBalancer.DNSName']]
     Export:
-      Name: 'LoadBalancerExternalUrl'
+      Name: 'LoadBalancerExternalUrl'

samples/sample-ecr-repository/template.yml

@@ -1,22 +1,22 @@
 # // Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # // SPDX-License-Identifier: Apache-2.0
 
-AWSTemplateFormatVersion: '2010-09-09'
+AWSTemplateFormatVersion: "2010-09-09"
 Description: ADF CloudFormation Sample Template (Shared ECR Repository)
 Metadata:
   License: Apache-2.0
 Parameters:
   TestingAccountId:
-    Description: Testing Accound Id that will pull from this repository
+    Description: Testing Account Id that will pull from this repository
     Type: String
   ProductionAccountId:
-    Description: Production Accound Id that will pull from this repository
+    Description: Production Account Id that will pull from this repository
     Type: String
 Resources:
   SampleAppRepository:
     Type: AWS::ECR::Repository
     Properties:
-      RepositoryName: 'sample-node-app'
+      RepositoryName: "sample-node-app"
       LifecyclePolicy:
         LifecyclePolicyText: !Sub
           - |
@@ -48,21 +48,21 @@ Resources:
             }
           - DaysToRetainUntaggedContainerImages: 2
             MaxTaggedContainerImagesToRetain: 2
-      RepositoryPolicyText: 
+      RepositoryPolicyText:
         Version: "2012-10-17"
-        Statement: 
+        Statement:
           - Sid: AllowPull
             Effect: Allow
-            Principal: 
-              AWS: 
-                - !Sub "arn:aws:iam::${TestingAccountId}:root"
-                - !Sub "arn:aws:iam::${ProductionAccountId}:root"
-            Action: 
+            Principal:
+              AWS:
+                - !Sub "arn:${AWS::Partition}:iam::${TestingAccountId}:root"
+                - !Sub "arn:${AWS::Partition}:iam::${ProductionAccountId}:root"
+            Action:
               - "ecr:Get*"
               - "ecr:Describe*"
               - "ecr:BatchGetImage"
               - "ecr:BatchCheckLayerAvailability"
 
-Outputs:    
+Outputs:
   SampleAppRepository:
     Value: !GetAtt SampleAppRepository.Arn

samples/sample-expunge-vpc/template.yml

@@ -1,30 +1,30 @@
-AWSTemplateFormatVersion: '2010-09-09'
+AWSTemplateFormatVersion: "2010-09-09"
 Transform: AWS::Serverless-2016-10-31
 Description: Deploys the Custom Resource for deleting the default VPC in all regions
 Resources:
   LambdaVPCPolicyRole:
-    Type: 'AWS::IAM::Role'
+    Type: "AWS::IAM::Role"
     Properties:
       AssumeRolePolicyDocument:
-        Version: '2012-10-17'
+        Version: "2012-10-17"
         Statement:
           - Effect: Allow
             Principal:
-              Service: 'lambda.amazonaws.com'
+              Service: "lambda.amazonaws.com"
             Action:
-              - 'sts:AssumeRole'
-      Path: '/'
+              - "sts:AssumeRole"
+      Path: "/"
       ManagedPolicyArns:
-        - 'arn:aws:iam::aws:policy/AmazonVPCFullAccess'
-        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
+        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonVPCFullAccess"
       Policies:
         - PolicyName: ec2
           PolicyDocument:
             Statement:
               - Effect: Allow
                 Action:
-                  - 'ec2:DescribeRegions'
-                Resource: '*'
+                  - "ec2:DescribeRegions"
+                Resource: "*"
   DeleteVPCLambda:
     Type: AWS::Serverless::Function
     Properties:
@@ -35,8 +35,8 @@ Resources:
       Runtime: python3.8
       Timeout: 600
       Environment:
-          Variables:
-            region_name: !Ref "AWS::Region"
+        Variables:
+          region_name: !Ref "AWS::Region"
   DeleteVPCCustom:
     Type: Custom::DeleteVPC
     Properties:

samples/sample-iam/template.yml

@@ -1,21 +1,21 @@
 # // Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # // SPDX-License-Identifier: Apache-2.0
 
-AWSTemplateFormatVersion: '2010-09-09'
+AWSTemplateFormatVersion: "2010-09-09"
 Description: ADF CloudFormation Sample Template (IAM)
 Metadata:
   License: Apache-2.0
 Resources:
   DevelopersIAMGroup:
     Type: AWS::IAM::Group
-    Properties: 
+    Properties:
       GroupName: adf-sample-developers-group
       ManagedPolicyArns:
-        - 'arn:aws:iam::aws:policy/AWSServiceCatalogEndUserFullAccess'
-        - 'arn:aws:iam::aws:policy/AWSCloud9User'
-        - 'arn:aws:iam::aws:policy/AWSCloudFormationReadOnlyAccess'
-        - 'arn:aws:iam::aws:policy/AWSCodeCommitFullAccess'
-        - 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess'
+        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AWSServiceCatalogEndUserFullAccess"
+        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AWSCloud9User"
+        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AWSCloudFormationReadOnlyAccess"
+        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AWSCodeCommitFullAccess"
+        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonS3ReadOnlyAccess"
   GlobalInstanceProfile:
     Type: "AWS::IAM::InstanceProfile"
     Properties:
@@ -75,7 +75,7 @@ Resources:
             Action:
               - "sts:AssumeRole"
       ManagedPolicyArns:
-        - "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole"
+        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSCodeDeployRole"
       RoleName: "codedeploy-service-role"
 Outputs:
   DevelopersIAMGroup:

samples/sample-service-catalog-product/productX/template.yml

@@ -5,35 +5,35 @@ AWSTemplateFormatVersion: '2010-09-09'
 Description: ADF CloudFormation Sample Service Catalog Product
 Metadata:
   License: Apache-2.0
-Parameters: 
+Parameters:
   Environment:
     Type: String
     Default: testing
-    AllowedValues: 
+    AllowedValues:
       - testing
     Description: The environment to use, IDE are only supported in testing
-  InstanceType: 
+  InstanceType:
     Type: String
     Default: t3.micro
-    AllowedValues: 
+    AllowedValues:
       - t3.micro
       - m5.large
     Description: Enter t3.micro or m5.large. Default is t3.micro.
-  AutomaticStopTimeInMinutes: 
+  AutomaticStopTimeInMinutes:
     Type: Number
     Default: 480
     AllowedValues:
       - 480
       - 960
     Description: The amount of minutes that this Cloud9 Instance should stop after (8 or 16 hours).
-  InstanceDescription: 
+  InstanceDescription:
     Type: String
     Default: "Development environment used during office hours"
     Description: The Description of the Cloud9 Instance.
-  InstanceName: 
+  InstanceName:
     Type: String
     Description: The name of the Cloud9 Instance.
-  UserName: 
+  UserName:
     Type: String
     Description: Your IAM UserName that will be used as the OwnerArn in the Cloud9 Instance.
 Resources:
@@ -44,7 +44,7 @@ Resources:
       Description: !Ref InstanceDescription
       InstanceType: !Ref InstanceType
       Name: !Ref InstanceName
-      OwnerArn: !Sub "arn:aws:iam::${AWS::AccountId}:user/${UserName}" #In this sample case 'sample-developer' from the IAM stack can be used here
+      OwnerArn: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:user/${UserName}" #In this sample case 'sample-developer' from the IAM stack can be used here
       SubnetId:
           Fn::ImportValue:
               Fn::Sub: ${Environment}-public-subnet-1a # Imported from sample-vpc