From 4d8bc00994d62f9663784eaef1d089ba3b6d4a40 Mon Sep 17 00:00:00 2001
From: Simon Kok
Date: Tue, 4 Oct 2022 14:27:45 +0200
Subject: [PATCH] Fix account bootstrap on OU move

**Why?**
When you move an account from the root to an OU, an event is emitted that should trigger the Account Bootstrap state machine. However, the task role that was configured did not have the necessary permissions to invoke the state machine.

**What?**
A new role is created that will enable the event to trigger the Account Bootstrap state machine. While investigating the issue, it was also noticed that the original task role had permissions that were no longer required. Those stale permissions are removed too.

---
 src/template.yml | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/src/template.yml b/src/template.yml
index 4fdf1cc8e..b5cf9f4bc 100644
--- a/src/template.yml
+++ b/src/template.yml
@@ -1049,7 +1049,7 @@ Resources:
 - MoveAccount
 Targets:
 - Arn: !Ref AccountBootstrappingStateMachine
- RoleArn: !GetAtt StatesExecutionRole.Arn
+ RoleArn: !GetAtt AccountBootstrapStartExecutionRole.Arn
 Id: CreateStackLinkedAccountV1

 CodeCommitRole:
@@ -1428,8 +1428,6 @@ Resources:
 - Effect: "Allow"
 Principal:
 Service:
- - events.amazonaws.com
- - lambda.amazonaws.com
 - states.amazonaws.com
 Action: "sts:AssumeRole"
 Path: "/aws-deployment-framework/account-bootstrapping/"
@@ -1441,7 +1439,6 @@ Resources:
 - Effect: Allow
 Action:
 - "lambda:InvokeFunction"
- - "states:StartExecution"
 Resource:
 - !GetAtt DetermineEventFunction.Arn
 - !GetAtt CrossAccountExecuteFunction.Arn
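Review bot: Removing `events.amazonaws.com` and `lambda.amazonaws.com` from the StatesExecutionRole trust policy in the `@@ -1428` hunk means any other EventBridge rule target or Lambda that still assumes this role would start failing at assume-role time, and the only RoleArn swap visible here is the one in the `@@ -1049` hunk; confirm in the rest of template.yml that no other `RoleArn: !GetAtt StatesExecutionRole.Arn` reference remains. The same check applies to the `states:StartExecution` removal in the `@@ -1441` hunk: if the state machine definition contains any step that starts another execution through this role, that step would now be denied. The narrowed trust is the right direction and deserves a comment on the role, e.g. `# Assumed only by Step Functions (states.amazonaws.com) to invoke the bootstrap Lambdas`. The StatesExecutionRole definition starts and ends outside these hunks.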
@@ -1450,6 +1447,29 @@ Resources:
 - !GetAtt RoleStackDeploymentFunction.Arn
 - !GetAtt UpdateResourcePoliciesFunction.Arn

+ AccountBootstrapStartExecutionRole:
+ Type: "AWS::IAM::Role"
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: "Allow"
+ Principal:
+ Service:
+ - events.amazonaws.com
+ Action: "sts:AssumeRole"
+ Path: "/aws-deployment-framework/account-bootstrapping/"
+ Policies:
+ - PolicyName: "adf-start-state-machine"
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - "states:StartExecution"
+ Resource:
+ - !Ref AccountBootstrappingStateMachine
+
 AccountBootstrappingStateMachine:
 Type: "AWS::StepFunctions::StateMachine"
 Properties:
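Review bot: The new AccountBootstrapStartExecutionRole trust statement lets `events.amazonaws.com` assume the role with no `Condition`, so in principle an EventBridge rule in another account that names this role ARN as its target role could have the service assume it on its behalf; scoping the trust as AWS recommends for confused-deputy prevention keeps it usable only by rules in this account. Add to the trust statement, alongside `Principal` and `Action`: `Condition:` / `  StringEquals:` / `    aws:SourceAccount: !Ref AWS::AccountId` (an `aws:SourceArn` condition naming the rule would be tighter still, if it can be expressed without a circular reference, since the rule already references this role via `RoleArn`). The permissions policy itself is least-privilege as written, `states:StartExecution` on the single `!Ref AccountBootstrappingStateMachine`. A one-line comment above the resource, such as `# Assumed by the MoveAccount EventBridge rule to start the account bootstrap state machine`, would record why this role exists separately from StatesExecutionRole.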