{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Bluebricks AWS Connector - Resource discovery and infrastructure orchestration for your AWS account.", "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Bluebricks Connection" }, "Parameters": [ "ExternalId", "BluebricksDiscoveryRoleARN", "BluebricksRunnerRoleARN" ] }, { "Label": { "default": "Cloud Discovery (Read-Only)" }, "Parameters": [ "CloudDiscovery", "ResourceExplorer", "DiscoveryRoleName" ] }, { "Label": { "default": "Infrastructure Orchestration (Read-Write)" }, "Parameters": [ "Orchestration", "OrchestrationRoleName", "TerraformStateAccess" ] } ], "ParameterLabels": { "ExternalId": { "default": "Connector External ID" }, "BluebricksDiscoveryRoleARN": { "default": "Bluebricks Discovery Trust Role" }, "BluebricksRunnerRoleARN": { "default": "Bluebricks Runner Trust Role" }, "CloudDiscovery": { "default": "Enable Cloud Discovery" }, "ResourceExplorer": { "default": "Setup Resource Explorer Index" }, "DiscoveryRoleName": { "default": "Discovery Role Name" }, "Orchestration": { "default": "Enable Infrastructure Orchestration" }, "OrchestrationRoleName": { "default": "Orchestration Role Name" }, "TerraformStateAccess": { "default": "Enable Terraform State Access" } } }, "Version": "2.0.0", "LastUpdated": "2025-01-02" }, "Parameters": { "ExternalId": { "Type": "String", "AllowedPattern": "[a-zA-Z0-9_-]+", "ConstraintDescription": "External ID must contain only alphanumeric characters, hyphens, and underscores.", "Description": "Enter your Bluebricks External ID. You can find this in the Bluebricks console when adding a new AWS account." }, "BluebricksDiscoveryRoleARN": { "Type": "String", "Default": "arn:aws:iam::905418480443:role/bricks-cloud-controller", "AllowedPattern": "arn:aws(-us-gov|-cn)?:iam::[0-9]+:role/.+", "ConstraintDescription": "Must be a valid IAM role ARN.", "Description": "Bluebricks service role for cloud discovery. Do not modify unless instructed." }, "BluebricksRunnerRoleARN": { "Type": "String", "Default": "arn:aws:iam::905418480443:role/bdc-runner", "AllowedPattern": "arn:aws(-us-gov|-cn)?:iam::[0-9]+:role/.+", "ConstraintDescription": "Must be a valid IAM role ARN.", "Description": "Bluebricks service role for infrastructure orchestration. Do not modify unless instructed." }, "CloudDiscovery": { "Type": "String", "AllowedValues": [ "Enabled", "Disabled" ], "Default": "Enabled", "Description": "Enable read-only access to discover and visualize your AWS resources. This creates a role with ReadOnlyAccess policy." }, "ResourceExplorer": { "Type": "String", "AllowedValues": [ "Aggregator", "Local", "Disabled" ], "Default": "Aggregator", "Description": "Setup AWS Resource Explorer index. Aggregator provides cross-region discovery (recommended). Local for single region. Disabled if you have an existing index." }, "DiscoveryRoleName": { "Type": "String", "Default": "BluebricksDiscovery", "AllowedPattern": "[a-zA-Z0-9+=,.@_-]+", "ConstraintDescription": "Role name must be valid IAM role name.", "Description": "Name for the discovery IAM role that will be created." }, "Orchestration": { "Type": "String", "AllowedValues": [ "Enabled", "Disabled" ], "Default": "Enabled", "Description": "Enable read-write access to deploy and manage infrastructure via Terraform. This creates a role with PowerUserAccess and IAMFullAccess policies." }, "OrchestrationRoleName": { "Type": "String", "Default": "BluebricksRole", "AllowedPattern": "[a-zA-Z0-9+=,.@_-]+", "ConstraintDescription": "Role name must be valid IAM role name.", "Description": "Name for the orchestration IAM role that will be created." }, "TerraformStateAccess": { "Type": "String", "AllowedValues": [ "Enabled", "Disabled" ], "Default": "Enabled", "Description": "Enable access to S3 buckets containing Terraform state files. Only applies when Orchestration is enabled." } }, "Conditions": { "DiscoveryEnabled": { "Fn::Equals": [ { "Ref": "CloudDiscovery" }, "Enabled" ] }, "OrchestrationEnabled": { "Fn::Equals": [ { "Ref": "Orchestration" }, "Enabled" ] }, "TerraformStateAccessEnabled": { "Fn::And": [ { "Condition": "OrchestrationEnabled" }, { "Fn::Equals": [ { "Ref": "TerraformStateAccess" }, "Enabled" ] } ] }, "CreateAggregatorIndex": { "Fn::And": [ { "Condition": "DiscoveryEnabled" }, { "Fn::Equals": [ { "Ref": "ResourceExplorer" }, "Aggregator" ] } ] }, "CreateLocalIndex": { "Fn::And": [ { "Condition": "DiscoveryEnabled" }, { "Fn::Equals": [ { "Ref": "ResourceExplorer" }, "Local" ] } ] } }, "Resources": { "BluebricksDiscoveryRole": { "Type": "AWS::IAM::Role", "Condition": "DiscoveryEnabled", "Properties": { "RoleName": { "Ref": "DiscoveryRoleName" }, "Description": "Bluebricks read-only access for resource discovery and visibility", "MaxSessionDuration": 3600, "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowBluebricksDiscoveryAssume", "Effect": "Allow", "Principal": { "AWS": { "Ref": "BluebricksDiscoveryRoleARN" } }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": { "Ref": "ExternalId" } } } }, { "Sid": "AllowBluebricksDiscoveryTagSession", "Effect": "Allow", "Principal": { "AWS": { "Ref": "BluebricksDiscoveryRoleARN" } }, "Action": "sts:TagSession" } ] }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess" } ], "Tags": [ { "Key": "bluebricks:managed", "Value": "true" }, { "Key": "bluebricks:purpose", "Value": "discovery" } ] } }, "BluebricksOrchestrationRole": { "Type": "AWS::IAM::Role", "Condition": "OrchestrationEnabled", "Properties": { "RoleName": { "Ref": "OrchestrationRoleName" }, "Description": "Bluebricks read-write access for infrastructure deployment and management", "MaxSessionDuration": 3600, "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowBluebricksRunnerAssume", "Effect": "Allow", "Principal": { "AWS": { "Ref": "BluebricksRunnerRoleARN" } }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": { "Ref": "ExternalId" } } } }, { "Sid": "AllowBluebricksRunnerTagSession", "Effect": "Allow", "Principal": { "AWS": { "Ref": "BluebricksRunnerRoleARN" } }, "Action": "sts:TagSession" } ] }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/PowerUserAccess" }, { "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/IAMFullAccess" } ], "Tags": [ { "Key": "bluebricks:managed", "Value": "true" }, { "Key": "bluebricks:purpose", "Value": "orchestration" } ] } }, "BluebricksTerraformStatePolicy": { "Type": "AWS::IAM::Policy", "Condition": "TerraformStateAccessEnabled", "Properties": { "PolicyName": "BluebricksTerraformStateAccess", "Roles": [ { "Ref": "BluebricksOrchestrationRole" } ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "TerraformStateBucketAccess", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::*terraform*", "arn:aws:s3:::*terraform*/*", "arn:aws:s3:::*tfstate*", "arn:aws:s3:::*tfstate*/*" ] }, { "Sid": "CloudFormationStackAccess", "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks", "cloudformation:GetTemplate", "cloudformation:ListStackResources" ], "Resource": "*" }, { "Sid": "DynamoDBStateLocking", "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem" ], "Resource": [ "arn:aws:dynamodb:*:*:table/*terraform*", "arn:aws:dynamodb:*:*:table/*tfstate*" ] } ] } } }, "ResourceExplorerAggregatorIndex": { "Type": "AWS::ResourceExplorer2::Index", "Condition": "CreateAggregatorIndex", "Properties": { "Type": "AGGREGATOR", "Tags": { "bluebricks:managed": "true" } } }, "ResourceExplorerLocalIndex": { "Type": "AWS::ResourceExplorer2::Index", "Condition": "CreateLocalIndex", "Properties": { "Type": "LOCAL", "Tags": { "bluebricks:managed": "true" } } } }, "Outputs": { "DiscoveryRoleArn": { "Condition": "DiscoveryEnabled", "Description": "ARN of the Bluebricks Discovery role (read-only). Copy this to the Bluebricks console.", "Value": { "Fn::GetAtt": [ "BluebricksDiscoveryRole", "Arn" ] }, "Export": { "Name": { "Fn::Sub": "${AWS::StackName}-DiscoveryRoleArn" } } }, "OrchestrationRoleArn": { "Condition": "OrchestrationEnabled", "Description": "ARN of the Bluebricks Orchestration role (read-write). Copy this to enable deployments.", "Value": { "Fn::GetAtt": [ "BluebricksOrchestrationRole", "Arn" ] }, "Export": { "Name": { "Fn::Sub": "${AWS::StackName}-OrchestrationRoleArn" } } }, "ExternalId": { "Description": "Your Bluebricks External ID", "Value": { "Ref": "ExternalId" } }, "AWSAccountId": { "Description": "AWS Account ID where this connector is deployed", "Value": { "Ref": "AWS::AccountId" } }, "StackRegion": { "Description": "Region where this stack was deployed", "Value": { "Ref": "AWS::Region" } }, "DiscoveryEnabled": { "Description": "Whether Cloud Discovery is enabled", "Value": { "Ref": "CloudDiscovery" } }, "OrchestrationEnabled": { "Description": "Whether Infrastructure Orchestration is enabled", "Value": { "Ref": "Orchestration" } } } }