awslabs · sbkok · Nov 11, 2021 · Mar 31, 2021 · Mar 31, 2021 · Mar 31, 2021
diff --git a/src/template.yml b/src/template.yml
@@ -72,20 +72,21 @@ Resources:
               StringEquals:
                 aws:PrincipalOrgID: !GetAtt Organization.OrganizationId
             Resource:
-              - !Sub arn:aws:s3:::${BootstrapTemplatesBucket}
-              - !Sub arn:aws:s3:::${BootstrapTemplatesBucket}/*
+              - !GetAtt BootstrapTemplatesBucket.Arn
+              - !Sub "${BootstrapTemplatesBucket.Arn}/*"
             Principal:
               AWS: "*"
           - Action:
               - s3:PutObject*
             Effect: Allow
             Resource:
-              - !Sub arn:aws:s3:::${BootstrapTemplatesBucket}
-              - !Sub arn:aws:s3:::${BootstrapTemplatesBucket}/*
+              - !GetAtt BootstrapTemplatesBucket.Arn
+              - !Sub "${BootstrapTemplatesBucket.Arn}/*"
             Principal:
               AWS: !Ref AWS::AccountId
   BootstrapArtifactStorageBucket:
     DeletionPolicy: Retain
+    UpdateReplacePolicy: Retain
     Type: AWS::S3::Bucket
     Properties:
       AccessControl: BucketOwnerFullControl
@@ -103,6 +104,7 @@ Resources:
   BootstrapTemplatesBucket:
     Type: "AWS::S3::Bucket"
     DeletionPolicy: Retain
+    UpdateReplacePolicy: Retain
     Properties:
       AccessControl: BucketOwnerFullControl
       BucketEncryption:
@@ -177,10 +179,7 @@ Resources:
           - Effect: "Allow"
             Action: "s3:GetObject"
             Resource:
-              !Join
-                - ''
-                - - !GetAtt BootstrapTemplatesBucket.Arn
-                  - '/*'
+              !Sub "${BootstrapTemplatesBucket.Arn}/*"
       Roles:
         - !Ref LambdaRole
   StackWaiterFunction:
@@ -346,7 +345,6 @@ Resources:
               - "codecommit:List*"
               - "codecommit:CancelUploadArchive"
               - "codecommit:UploadArchive"
-              - "s3:Get"
             Resource: "*"
       Roles:
         - !Ref CodeCommitRole
@@ -425,9 +423,9 @@ Resources:
               - "cloudformation:SignalResource"
               - "cloudformation:UpdateTerminationProtection"
             Resource:
-              - "arn:aws:cloudformation:*:*:stack/adf-global-base-*/*"
-              - "arn:aws:cloudformation:*:*:stack/adf-regional-base-*/*"
-              - !Sub "arn:aws:cloudformation:*:${AWS::AccountId}:stack/adf-global-base-adf-build/*"
+              - !Sub "arn:${AWS::Partition}:cloudformation:*:*:stack/adf-global-base-*/*"
+              - !Sub "arn:${AWS::Partition}:cloudformation:*:*:stack/adf-regional-base-*/*"
+              - !Sub "arn:${AWS::Partition}:cloudformation:*:${AWS::AccountId}:stack/adf-global-base-adf-build/*"
           - Effect: "Allow"
             Action:
               - "s3:DeleteObject"
@@ -436,17 +434,19 @@ Resources:
               - "s3:ListBucket"
               - "s3:PutObject"
             Resource:
-              - "arn:aws:s3:::serverlessrepo-aws-deplo-bootstraptemplatesbucket-*"
-              - "arn:aws:s3:::serverlessrepo-aws-deplo-bootstraptemplatesbucket-*/*"
+              - !GetAtt "BootstrapTemplatesBucket.Arn"
+              - !Sub "${BootstrapTemplatesBucket.Arn}/*"
               - !GetAtt BootstrapArtifactStorageBucket.Arn
               - !Sub "${BootstrapArtifactStorageBucket.Arn}/*"
-              - "arn:aws:s3:::adf-shared-modules-*-*"
-              - "arn:aws:s3:::adf-shared-modules-*-*/*"
+              - !Sub "arn:${AWS::Partition}:s3:::${SharedModulesBucket.BucketName}"
+              - !Sub "arn:${AWS::Partition}:s3:::${SharedModulesBucket.BucketName}/*"
           - Effect: "Allow"
             Action:
               - "codebuild:*"
             Resource:
-              - !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/aws-deployment-framework-base-templates"
+              # Hardcoded name (instead of !GetAtt CodeBuildProject.Arn)to avoid a circular dependency.
+              # Converting this to an inline policy can break the circle
+              - !Sub "arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/aws-deployment-framework-base-templates"
           - Effect: "Allow"
             Action:
               - "iam:CreatePolicy"
@@ -457,8 +457,8 @@ Resources:
               - "iam:PutRolePolicy"
               - "iam:UpdateAssumeRolePolicy"
             Resource:
-              - !Sub "arn:aws:iam::${AWS::AccountId}:role/${CrossAccountAccessRoleName}"
-              - !Sub "arn:aws:iam::${AWS::AccountId}:role/${CrossAccountAccessRoleName}-readonly"
+              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CrossAccountAccessRoleName}"
+              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CrossAccountAccessRoleName}-readonly"
   CodeCommitRepository:
     Type: AWS::CodeCommit::Repository
     Properties:
@@ -478,7 +478,7 @@ Resources:
           - Name: ADF_VERSION
             Value: !FindInMap ['Metadata', 'ADF', 'Version']
           - Name: TERMINATION_PROTECTION
-            Value: false
+            Value: 'false'
           - Name: PYTHONPATH
             Value: './adf-build/shared/python'
           - Name: S3_BUCKET
@@ -495,7 +495,7 @@ Resources:
       Name: 'aws-deployment-framework-base-templates'
       ServiceRole: !Ref CodeBuildRole
       Source:
-        BuildSpec: !Sub |
+        BuildSpec: |
           version: 0.2
           phases:
             install:
@@ -538,7 +538,7 @@ Resources:
                 - Name: "TemplateSource"
               Configuration:
                 BranchName: "master"
-                RepositoryName: 'aws-deployment-framework-bootstrap'
+                RepositoryName: !GetAtt CodeCommitRepository.Name
                 PollForSourceChanges: false
               RunOrder: 1
         - Name: UploadAndUpdateBaseStacks
@@ -611,7 +611,7 @@ Resources:
           - Effect: Allow
             Action:
               - "codepipeline:StartPipelineExecution"
-            Resource: !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${CodePipeline}
+            Resource: !Sub arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${CodePipeline}
       Roles:
         - !Ref OrgEventCodePipelineRole
   StatesExecutionRole:
@@ -788,12 +788,7 @@ Resources:
               - s3:PutObject
             Effect: Allow
             Principal:
-              AWS:
-                - Fn::Join:
-                  - ""
-                  - - "arn:aws:iam::"
-                    - !GetAtt DeploymentAccount.AccountId
-                    - ":root"
+              AWS: !Sub "arn:${AWS::Partition}:iam::${DeploymentAccount.AccountId}:root"
               Service:
                 - codebuild.amazonaws.com
                 - lambda.amazonaws.com
@@ -830,12 +825,15 @@ Resources:
                 - s3:PutEncryptionConfiguration
                 - s3:PutBucketPolicy
                 - s3:PutBucketPublicAccessBlock
-              Resource: "arn:aws:s3:::adf-shared-modules-*"
+              # This must match BucketNamePrefix of the SharedModulesBucket resource
+              Resource: !Sub "arn:${AWS::Partition}:s3:::adf-shared-modules-${DeploymentAccountMainRegion}-*"
             - Effect: Allow
               Action: ssm:GetParameter
               Resource:
-                - !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/shared_modules_bucket"
-                - !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/deployment_account_region"
+                # Hardcoded name (instead of ${SharedModulesBucketName})to avoid a circular dependency.
+                # Converting this to an inline policy can break the circle
+                - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/shared_modules_bucket"
+                - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/deployment_account_region"
       FunctionName: CrossRegionBucketHandler
       Runtime: python3.8
       Timeout: 300
@@ -861,7 +859,7 @@ Resources:
               Resource: "*"
             - Effect: Allow
               Action: "iam:CreateServiceLinkedRole"
-              Resource: "arn:aws:iam::*:role/aws-service-role/*"
+              Resource: !Sub "arn:${AWS::Partition}:iam::*:role/aws-service-role/*"
       FunctionName: AwsOrganizationsHandler
       Runtime: python3.8
       Timeout: 300
@@ -914,7 +912,7 @@ Resources:
               Resource: "*"
             - Effect: Allow
               Action: ssm:GetParameter
-              Resource: !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/deployment_account_id"
+              Resource: !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/deployment_account_id"
       FunctionName: AccountHandler
       Runtime: python3.8
       Timeout: 300
@@ -937,7 +935,7 @@ Resources:
               Statement:
                 - Effect: Allow
                   Action: codepipeline:StartPipelineExecution
-                  Resource: !Join [ '', [ 'arn:aws:codepipeline:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', !Ref CodePipeline ] ]
+                  Resource: !Sub "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${CodePipeline}"
   PipelineCloudWatchEventRule:
     Type: AWS::Events::Rule
     Properties:
@@ -947,7 +945,7 @@ Resources:
         detail-type:
           - 'CodeCommit Repository State Change'
         resources:
-          - !Join [ '', [ 'arn:aws:codecommit:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', !GetAtt CodeCommitRepository.Name ] ]
+          - !GetAtt CodeCommitRepository.Arn
         detail:
           event:
             - referenceCreated
@@ -958,7 +956,7 @@ Resources:
             - master
       Targets:
         - Arn:
-            !Join [ '', [ 'arn:aws:codepipeline:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', !Ref CodePipeline ] ]
+            !Sub "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${CodePipeline}"
           RoleArn: !GetAtt PipelineCloudWatchEventRole.Arn
           Id: adf-codepipeline-trigger-bootstrap
 Outputs: