{
  "Description": "(SO0284-IdcStack) innovation-sandbox-on-aws v1.2.10",
  "Metadata": {
    "AWS::CloudFormation::Interface": {
      "ParameterLabels": {
        "Namespace": {
          "default": "Namespace"
        },
        "OrgMgtAccountId": {
          "default": "Org Management Account Id"
        },
        "HubAccountId": {
          "default": "Hub Account Id"
        },
        "IdentityStoreId": {
          "default": "Identity Store Id"
        },
        "SsoInstanceArn": {
          "default": "SSO Instance ARN"
        },
        "AdminGroupName": {
          "default": "Admin Group Name (Optional)"
        },
        "ManagerGroupName": {
          "default": "Manager Group Name (Optional)"
        },
        "UserGroupName": {
          "default": "User Group Name (Optional)"
        }
      },
      "ParameterGroups": [
        {
          "Label": {
            "default": "IDC Stack Configuration"
          },
          "Parameters": [
            "Namespace",
            "OrgMgtAccountId",
            "HubAccountId",
            "IdentityStoreId",
            "SsoInstanceArn",
            "AdminGroupName",
            "ManagerGroupName",
            "UserGroupName"
          ]
        }
      ]
    }
  },
  "Parameters": {
    "Namespace": {
      "Type": "String",
      "Default": "myisb",
      "AllowedPattern": "^[0-9a-zA-Z]{3,8}$",
      "Description": "The namespace for this deployment of Innovation Sandbox (must be the same for all member stacks). Alphanumeric characters only, 3 to 8 characters long."
    },
    "OrgMgtAccountId": {
      "Type": "String",
      "AllowedPattern": "^[0-9]{12}$",
      "Description": "The AWS Account Id of the org's management account where the account pool stack is deployed"
    },
    "HubAccountId": {
      "Type": "String",
      "AllowedPattern": "^[0-9]{12}$",
      "Description": "The AWS Account Id where the Innovation Sandbox hub application is (to be) deployed"
    },
    "IdentityStoreId": {
      "Type": "String",
      "AllowedPattern": "^d-[0-9a-f]{10}|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
      "Description": "The Identity Store Id of the Identity Source in IAM Identity Center (d-xxxxxxxxxx, or the UUID form also accepted by the AllowedPattern)"
    },
    "SsoInstanceArn": {
      "Type": "String",
      "AllowedPattern": "^arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}$",
      "Description": "The ARN of the SSO instance in IAM Identity Center (arn:aws:sso:::instance/ssoins-xxxxxxxxxxxxxxxx)"
    },
    "AdminGroupName": {
      "Type": "String",
      "Default": "",
      "Description": "A custom name for the admin group (defaults to <namespace>_IsbAdminsGroup when left empty)."
    },
    "ManagerGroupName": {
      "Type": "String",
      "Default": "",
      "Description": "A custom name for the manager group (defaults to <namespace>_IsbManagersGroup when left empty)."
    },
    "UserGroupName": {
      "Type": "String",
      "Default": "",
      "Description": "A custom name for the user group (defaults to <namespace>_IsbUsersGroup when left empty)."
    }
  },
  "Conditions": {
    "AdminGroupNameEmptyCondition": {
      "Fn::Equals": [
        {
          "Ref": "AdminGroupName"
        },
        ""
      ]
    },
    "ManagerGroupNameEmptyCondition": {
      "Fn::Equals": [
        {
          "Ref": "ManagerGroupName"
        },
        ""
      ]
    },
    "UserGroupNameEmptyCondition": {
      "Fn::Equals": [
        {
          "Ref": "UserGroupName"
        },
        ""
      ]
    },
    "CDKMetadataAvailable": {
      "Fn::Or": [
        {
          "Fn::Or": [
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "af-south-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-east-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-northeast-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-northeast-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-northeast-3"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-south-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-south-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-southeast-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-southeast-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-southeast-3"
              ]
            }
          ]
        },
        {
          "Fn::Or": [
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-southeast-4"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ca-central-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ca-west-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "cn-north-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "cn-northwest-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-central-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-central-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-north-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-south-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-south-2"
              ]
            }
          ]
        },
        {
          "Fn::Or": [
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-west-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-west-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-west-3"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "il-central-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "me-central-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "me-south-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "sa-east-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "us-east-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "us-east-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "us-west-1"
              ]
            }
          ]
        },
        {
          "Fn::Equals": [
            {
              "Ref": "AWS::Region"
            },
            "us-west-2"
          ]
        }
      ]
    }
  },
  "Mappings": {
    "Mapping": {
      "context": {
        "solutionName": "innovation-sandbox-on-aws",
        "solutionId": "SO0284",
        "version": "v1.2.10",
        "distOutputBucket": "solutions",
        "publicEcrRegistry": "public.ecr.aws/aws-solutions",
        "publicEcrTag": "v1.2.10",
        "logLevel": "INFO",
        "deploymentMode": "prod",
        "cloudWatchLogRetentionInDays": 90,
        "s3LogsArchiveRetentionInDays": 365,
        "s3LogsGlacierRetentionInDays": 2555,
        "apiThrottlingRateLimit": 100,
        "apiThrottlingBurstLimit": 200,
        "bucketPrefix": "innovation-sandbox-on-aws/v1.2.10/asset."
      }
    }
  },
  "Resources": {
    "IdcConfigurerIdcConfigurerLambdaFunctionFunctionRole63CCE63C": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-IDC/IdcConfigurer/IdcConfigurerLambdaFunction/FunctionRole/Resource"
      }
    },
    "IdcConfigurerIdcConfigurerLambdaFunctionFunctionRoleDefaultPolicyC0DF290A": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::GetAtt": [
                  "ISBLogGroupCustomResources63629E09",
                  "Arn"
                ]
              }
            },
            {
              "Action": "identitystore:CreateGroup",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:",
                    {
                      "Ref": "AWS::Partition"
                    },
                    ":identitystore::",
                    {
                      "Ref": "OrgMgtAccountId"
                    },
                    ":identitystore/",
                    {
                      "Ref": "IdentityStoreId"
                    }
                  ]
                ]
              }
            },
            {
              "Action": "identitystore:GetGroupId",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":identitystore::",
                      {
                        "Ref": "OrgMgtAccountId"
                      },
                      ":identitystore/",
                      {
                        "Ref": "IdentityStoreId"
                      }
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":identitystore:::group/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "sso:ListPermissionSets",
                "sso:DescribePermissionSet"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Ref": "SsoInstanceArn"
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":sso:::permissionSet/",
                      {
                        "Fn::Select": [
                          1,
                          {
                            "Fn::Split": [
                              "/",
                              {
                                "Ref": "SsoInstanceArn"
                              }
                            ]
                          }
                        ]
                      },
                      "/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "sso:CreatePermissionSet",
                "sso:AttachManagedPolicyToPermissionSet"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Ref": "SsoInstanceArn"
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":sso:::permissionSet/",
                      {
                        "Fn::Select": [
                          1,
                          {
                            "Fn::Split": [
                              "/",
                              {
                                "Ref": "SsoInstanceArn"
                              }
                            ]
                          }
                        ]
                      },
                      "/*"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "IdcConfigurerIdcConfigurerLambdaFunctionFunctionRoleDefaultPolicyC0DF290A",
        "Roles": [
          {
            "Ref": "IdcConfigurerIdcConfigurerLambdaFunctionFunctionRole63CCE63C"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-IDC/IdcConfigurer/IdcConfigurerLambdaFunction/FunctionRole/DefaultPolicy/Resource"
      }
    },
    "IdcConfigurerIdcConfigurerLambdaFunctionA54B49F3": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Architectures": [
          "arm64"
        ],
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "innovation-sandbox-on-aws/v1.2.10/asset.0bbeb2308d802260ccaec2101cfcbb58b1ad78fdc59656dd460bf7ae245f5521.zip"
        },
        "Description": "Custom resource lambda that configures the IDC instance",
        "Environment": {
          "Variables": {
            "NODE_OPTIONS": "--enable-source-maps",
            "USER_AGENT_EXTRA": "AwsSolution/SO0284/v1.2.10",
            "POWERTOOLS_LOG_LEVEL": {
              "Fn::FindInMap": [
                "Mapping",
                "context",
                "logLevel",
                {
                  "DefaultValue": ""
                }
              ]
            },
            "POWERTOOLS_SERVICE_NAME": "IdcConfigurer",
            "AWS_XRAY_CONTEXT_MISSING": "IGNORE_ERROR"
          }
        },
        "FunctionName": {
          "Fn::Join": [
            "",
            [
              "ISB-IdcConfigurerLambdaFunction-",
              {
                "Ref": "Namespace"
              }
            ]
          ]
        },
        "Handler": "index.handler",
        "Layers": [
          {
            "Ref": "IdcConfigurerISBLambdaLayerInnovationSandboxIDCDependenciesLayerVersion815492B9"
          },
          {
            "Ref": "IdcConfigurerISBLambdaLayerInnovationSandboxIDCCommonLayerVersion5D232105"
          }
        ],
        "LoggingConfig": {
          "LogFormat": "JSON",
          "LogGroup": {
            "Ref": "ISBLogGroupCustomResources63629E09"
          },
          "SystemLogLevel": "INFO"
        },
        "MemorySize": 1024,
        "Role": {
          "Fn::GetAtt": [
            "IdcConfigurerIdcConfigurerLambdaFunctionFunctionRole63CCE63C",
            "Arn"
          ]
        },
        "Runtime": "nodejs22.x",
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ],
        "Timeout": 900,
        "TracingConfig": {
          "Mode": "Active"
        }
      },
      "DependsOn": [
        "IdcConfigurerIdcConfigurerLambdaFunctionFunctionRoleDefaultPolicyC0DF290A",
        "IdcConfigurerIdcConfigurerLambdaFunctionFunctionRole63CCE63C"
      ],
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-IDC/IdcConfigurer/IdcConfigurerLambdaFunction/Function/Resource",
        "aws:asset:path": "asset.0bbeb2308d802260ccaec2101cfcbb58b1ad78fdc59656dd460bf7ae245f5521",
        "aws:asset:is-bundled": true,
        "aws:asset:property": "Code",
        "guard": {
          "SuppressedRules": [
            "LAMBDA_INSIDE_VPC",
            "LAMBDA_CONCURRENCY_CHECK"
          ]
        }
      }
    },
    "IdcConfigurerIdcConfigurerLambdaFunctionIsbProviderframeworkonEventServiceRole37F107B0": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ],
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-IDC/IdcConfigurer/IdcConfigurerLambdaFunction/IsbProvider/framework-onEvent/ServiceRole/Resource"
      }
    },
    "IdcConfigurerIdcConfigurerLambdaFunctionIsbProviderframeworkonEventServiceRoleDefaultPolicyC0DE13CC": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "IdcConfigurerIdcConfigurerLambdaFunctionA54B49F3",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "IdcConfigurerIdcConfigurerLambdaFunctionA54B49F3",
                          "Arn"
                        ]
                      },
                      ":*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "lambda:GetFunction",
              "Effect": "Allow",
              "Resource": {
                "Fn::GetAtt": [
                  "IdcConfigurerIdcConfigurerLambdaFunctionA54B49F3",
                  "Arn"
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "IdcConfigurerIdcConfigurerLambdaFunctionIsbProviderframeworkonEventServiceRoleDefaultPolicyC0DE13CC",
        "Roles": [
          {
            "Ref": "IdcConfigurerIdcConfigurerLambdaFunctionIsbProviderframeworkonEventServiceRole37F107B0"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-IDC/IdcConfigurer/IdcConfigurerLambdaFunction/IsbProvider/framework-onEvent/ServiceRole/DefaultPolicy/Resource"
      }
    },
    "IdcConfigurerIdcConfigurerLambdaFunctionIsbProviderframeworkonEvent40CCC6DC": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "innovation-sandbox-on-aws/v1.2.10/asset.07a90cc3efdfc34da22208dcd9d211f06f5b0e01b21e778edc7c3966b1f61d57.zip"
        },
        "Description": "AWS CDK resource provider framework - onEvent (InnovationSandbox-IDC/IdcConfigurer/IdcConfigurerLambdaFunction/IsbProvider)",
        "Environment": {
          "Variables": {
            "USER_ON_EVENT_FUNCTION_ARN": {
              "Fn::GetAtt": [
                "IdcConfigurerIdcConfigurerLambdaFunctionA54B49F3",
                "Arn"
              ]
            }
          }
        },
        "Handler": "framework.onEvent",
        "LoggingConfig": {
          "ApplicationLogLevel": "FATAL",
          "LogFormat": "JSON",
          "LogGroup": {
            "Ref": "ISBLogGroupCustomResources63629E09"
          }
        },
        "Role": {
          "Fn::GetAtt": [
            "IdcConfigurerIdcConfigurerLambdaFunctionIsbProviderframeworkonEventServiceRole37F107B0",
            "Arn"
          ]
        },
        "Runtime": "nodejs22.x",
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ],
        "Timeout": 900
      },
      "DependsOn": [
        "IdcConfigurerIdcConfigurerLambdaFunctionIsbProviderframeworkonEventServiceRoleDefaultPolicyC0DE13CC",
        "IdcConfigurerIdcConfigurerLambdaFunctionIsbProviderframeworkonEventServiceRole37F107B0"
      ],
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-IDC/IdcConfigurer/IdcConfigurerLambdaFunction/IsbProvider/framework-onEvent/Resource",
        "aws:asset:path": "asset.07a90cc3efdfc34da22208dcd9d211f06f5b0e01b21e778edc7c3966b1f61d57",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "guard": {
          "SuppressedRules": [
            "LAMBDA_INSIDE_VPC",
            "LAMBDA_CONCURRENCY_CHECK"
          ]
        }
      }
    },
    "IdcConfigurerIdcConfigurerLambdaFunctionIsbCustomResourceECB8735C": {
      "Type": "Custom::IdcConfigurer",
      "Properties": {
        "ServiceToken": {
          "Fn::GetAtt": [
            "IdcConfigurerIdcConfigurerLambdaFunctionIsbProviderframeworkonEvent40CCC6DC",
            "Arn"
          ]
        },
        "namespace": {
          "Ref": "Namespace"
        },
        "identityStoreId": {
          "Ref": "IdentityStoreId"
        },
        "ssoInstanceArn": {
          "Ref": "SsoInstanceArn"
        },
        "adminGroupName": {
          "Fn::If": [
            "AdminGroupNameEmptyCondition",
            {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_IsbAdminsGroup"
                ]
              ]
            },
            {
              "Ref": "AdminGroupName"
            }
          ]
        },
        "managerGroupName": {
          "Fn::If": [
            "ManagerGroupNameEmptyCondition",
            {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_IsbManagersGroup"
                ]
              ]
            },
            {
              "Ref": "ManagerGroupName"
            }
          ]
        },
        "userGroupName": {
          "Fn::If": [
            "UserGroupNameEmptyCondition",
            {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_IsbUsersGroup"
                ]
              ]
            },
            {
              "Ref": "UserGroupName"
            }
          ]
        }
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-IDC/IdcConfigurer/IdcConfigurerLambdaFunction/IsbCustomResource/Default"
      }
    },
    "IdcConfigurerISBLambdaLayerInnovationSandboxIDCCommonLayerVersion5D232105": {
      "Type": "AWS::Lambda::LayerVersion",
      "Properties": {
        "CompatibleArchitectures": [
          "arm64"
        ],
        "CompatibleRuntimes": [
          "nodejs22.x"
        ],
        "Content": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "innovation-sandbox-on-aws/v1.2.10/asset.be66239ebab0664a3c57f67fcb0312cea30f3c2c0ca18185b40a20eddfb14839.zip"
        },
        "Description": "Common lib for Innovation Sandbox on AWS"
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-IDC/IdcConfigurer/ISB-Lambda-Layer-InnovationSandbox-IDC/CommonLayerVersion/Resource",
        "aws:asset:path": "asset.be66239ebab0664a3c57f67fcb0312cea30f3c2c0ca18185b40a20eddfb14839",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Content"
      }
    },
    "IdcConfigurerISBLambdaLayerInnovationSandboxIDCDependenciesLayerVersion815492B9": {
      "Type": "AWS::Lambda::LayerVersion",
      "Properties": {
        "CompatibleArchitectures": [
          "arm64"
        ],
        "CompatibleRuntimes": [
          "nodejs22.x"
        ],
        "Content": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "innovation-sandbox-on-aws/v1.2.10/asset.c7d00fc345bd60a22b888b0ca89c3c5f738129af96eb9de99735a3bfec1317e0.zip"
        },
        "Description": "Third party runtime dependencies for Innovation Sandbox on AWS"
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-IDC/IdcConfigurer/ISB-Lambda-Layer-InnovationSandbox-IDC/DependenciesLayerVersion/Resource",
        "aws:asset:path": "asset.c7d00fc345bd60a22b888b0ca89c3c5f738129af96eb9de99735a3bfec1317e0",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Content"
      }
    },
    "IsbKmsKeyInnovationSandboxIDCE735883A": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "Encryption Key for Innovation Sandbox: InnovationSandbox-IDC",
        "EnableKeyRotation": true,
        "KeyPolicy": {
          "Statement": [
            {
              "Action": "kms:*",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":iam::",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":root"
                    ]
                  ]
                }
              },
              "Resource": "*"
            },
            {
              "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*"
              ],
              "Effect": "Allow",
              "Principal": {
                "Service": "logs.amazonaws.com"
              },
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        },
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ]
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-IDC/IsbKmsKey-InnovationSandbox-IDC/Resource"
      }
    },
    "IsbKmsKeyInnovationSandboxIDCAliasAABC4D5F": {
      "Type": "AWS::KMS::Alias",
      "Properties": {
        "AliasName": {
          "Fn::Join": [
            "",
            [
              "alias/AwsSolutions/InnovationSandbox/",
              {
                "Ref": "Namespace"
              },
              "/InnovationSandbox-IDC"
            ]
          ]
        },
        "TargetKeyId": {
          "Fn::GetAtt": [
            "IsbKmsKeyInnovationSandboxIDCE735883A",
            "Arn"
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-IDC/IsbKmsKey-InnovationSandbox-IDC/Alias/Resource"
      }
    },
    "ISBLogGroupCustomResources63629E09": {
      "Type": "AWS::Logs::LogGroup",
      "Properties": {
        "KmsKeyId": {
          "Fn::GetAtt": [
            "IsbKmsKeyInnovationSandboxIDCE735883A",
            "Arn"
          ]
        },
        "RetentionInDays": {
          "Fn::FindInMap": [
            "Mapping",
            "context",
            "cloudWatchLogRetentionInDays",
            {
              "DefaultValue": ""
            }
          ]
        },
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ]
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-IDC/ISBLogGroup-CustomResources/Resource",
        "guard": {
          "SuppressedRules": [
            "CW_LOGGROUP_RETENTION_PERIOD_CHECK"
          ]
        }
      }
    },
    "IdcRoleF5AE7C04": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Condition": {
                "ArnEquals": {
                  "aws:PrincipalArn": {
                    "Fn::Join": [
                      "",
                      [
                        "arn:",
                        {
                          "Ref": "AWS::Partition"
                        },
                        ":iam::",
                        {
                          "Ref": "HubAccountId"
                        },
                        ":role/InnovationSandbox-",
                        {
                          "Ref": "Namespace"
                        },
                        "-IntermediateRole"
                      ]
                    ]
                  }
                }
              },
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":iam::",
                      {
                        "Ref": "HubAccountId"
                      },
                      ":root"
                    ]
                  ]
                }
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "Description": "Role to be assumed for IDC operations",
        "RoleName": {
          "Fn::Join": [
            "",
            [
              "InnovationSandbox-",
              {
                "Ref": "Namespace"
              },
              "-IdcRole"
            ]
          ]
        },
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-IDC/IdcRole/Resource",
        "guard": {
          "SuppressedRules": [
            "CFN_NO_EXPLICIT_RESOURCE_NAMES"
          ]
        }
      }
    },
    "IdcRolePolicy71BEA32D": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "identitystore:GetUserId",
                "identitystore:DescribeUser"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":identitystore::",
                      {
                        "Ref": "OrgMgtAccountId"
                      },
                      ":identitystore/",
                      {
                        "Ref": "IdentityStoreId"
                      }
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":identitystore:::user/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "identitystore:ListGroups",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":identitystore::",
                      {
                        "Ref": "OrgMgtAccountId"
                      },
                      ":identitystore/",
                      {
                        "Ref": "IdentityStoreId"
                      }
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":identitystore:::group/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "identitystore:ListGroupMembershipsForMember",
                "identitystore:ListGroupMemberships"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":identitystore::",
                      {
                        "Ref": "OrgMgtAccountId"
                      },
                      ":identitystore/",
                      {
                        "Ref": "IdentityStoreId"
                      }
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":identitystore:::group/*"
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":identitystore:::membership/*"
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":identitystore:::user/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "sso:ListPermissionSets",
                "sso:DescribePermissionSet"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Ref": "SsoInstanceArn"
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":sso:::permissionSet/",
                      {
                        "Fn::Select": [
                          1,
                          {
                            "Fn::Split": [
                              "/",
                              {
                                "Ref": "SsoInstanceArn"
                              }
                            ]
                          }
                        ]
                      },
                      "/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "sso:CreateAccountAssignment",
                "sso:DeleteAccountAssignment",
                "sso:ListAccountAssignments"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Ref": "SsoInstanceArn"
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":sso:::account/*"
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":sso:::permissionSet/",
                      {
                        "Fn::Select": [
                          1,
                          {
                            "Fn::Split": [
                              "/",
                              {
                                "Ref": "SsoInstanceArn"
                              }
                            ]
                          }
                        ]
                      },
                      "/*"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "IdcRolePolicy71BEA32D",
        "Roles": [
          {
            "Ref": "IdcRoleF5AE7C04"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-IDC/IdcRolePolicy/Resource"
      }
    },
    "IdcConfiguration94B4F37E": {
      "Type": "AWS::SSM::Parameter",
      "Properties": {
        "Description": "The IDC configuration for Innovation Sandbox",
        "Name": {
          "Fn::Join": [
            "",
            [
              "InnovationSandbox_",
              {
                "Ref": "Namespace"
              },
              "_Idc_Configuration"
            ]
          ]
        },
        "Tags": {
          "aws-solutions:isb-id": {
            "Fn::Join": [
              "",
              [
                {
                  "Ref": "Namespace"
                },
                "_isb"
              ]
            ]
          }
        },
        "Tier": "Advanced",
        "Type": "String",
        "Value": {
          "Fn::Join": [
            "",
            [
              "{\"identityStoreId\":\"",
              {
                "Ref": "IdentityStoreId"
              },
              "\",\"ssoInstanceArn\":\"",
              {
                "Ref": "SsoInstanceArn"
              },
              "\",\"adminGroupId\":\"",
              {
                "Fn::GetAtt": [
                  "IdcConfigurerIdcConfigurerLambdaFunctionIsbCustomResourceECB8735C",
                  "adminGroupId"
                ]
              },
              "\",\"adminPermissionSetArn\":\"",
              {
                "Fn::GetAtt": [
                  "IdcConfigurerIdcConfigurerLambdaFunctionIsbCustomResourceECB8735C",
                  "adminPermissionSetArn"
                ]
              },
              "\",\"managerGroupId\":\"",
              {
                "Fn::GetAtt": [
                  "IdcConfigurerIdcConfigurerLambdaFunctionIsbCustomResourceECB8735C",
                  "managerGroupId"
                ]
              },
              "\",\"managerPermissionSetArn\":\"",
              {
                "Fn::GetAtt": [
                  "IdcConfigurerIdcConfigurerLambdaFunctionIsbCustomResourceECB8735C",
                  "managerPermissionSetArn"
                ]
              },
              "\",\"userGroupId\":\"",
              {
                "Fn::GetAtt": [
                  "IdcConfigurerIdcConfigurerLambdaFunctionIsbCustomResourceECB8735C",
                  "userGroupId"
                ]
              },
              "\",\"userPermissionSetArn\":\"",
              {
                "Fn::GetAtt": [
                  "IdcConfigurerIdcConfigurerLambdaFunctionIsbCustomResourceECB8735C",
                  "userPermissionSetArn"
                ]
              },
              "\",\"solutionVersion\":\"",
              {
                "Fn::FindInMap": [
                  "Mapping",
                  "context",
                  "version",
                  {
                    "DefaultValue": ""
                  }
                ]
              },
              "\",\"supportedSchemas\":\"[\\\"1\\\"]\"}"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-IDC/IdcConfiguration/Resource"
      }
    },
    "IdcConfigParameterShare": {
      "Type": "AWS::RAM::ResourceShare",
      "Properties": {
        "AllowExternalPrincipals": false,
        "Name": {
          "Fn::Join": [
            "",
            [
              "Isb-",
              {
                "Ref": "Namespace"
              },
              "-IdcConfigShare"
            ]
          ]
        },
        "PermissionArns": [
          "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSSMParameterReadOnly"
        ],
        "Principals": [
          {
            "Ref": "HubAccountId"
          }
        ],
        "ResourceArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":ssm:",
                {
                  "Ref": "AWS::Region"
                },
                ":",
                {
                  "Ref": "AWS::AccountId"
                },
                ":parameter/",
                {
                  "Ref": "IdcConfiguration94B4F37E"
                }
              ]
            ]
          }
        ],
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-IDC/IdcConfigParameterShare"
      }
    },
    "CDKMetadata": {
      "Type": "AWS::CDK::Metadata",
      "Properties": {
        "Analytics": "v2:deflate64:H4sIAAAAAAAA/1VQ0WrDMAz8lr47WkkZe24D28O6ERrYa1AdNXMS28FyWkrwvw97Weie7g7pDulyyJ9fYLvBG2ey6bNBnWGuPMpeFBdTokNNnlwUhTWN8sqaKD5wHJVpBd64nhVqmE92oDhJWNpByXuKSCyIAfW5wdrYhjqGzwSvk5EpkHc1MpNn2EcQvIPDJHvyB2RarDAXF7M6VnLEO7kvcrwc9qiD6DXD/E7pkgj7QSFHkUgQg20Z5qNt35ydxuRfeBDMOlbhlGn/9bCKIBxqiC8T28lJqr7RURDph8pjGwuSE3ura7esMJTOXlUTo9LkzysecoKINUHHT9c8hzyH7aZjpTI3Ga80wekXfwA/N5UwvAEAAA=="
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-IDC/CDKMetadata/Default"
      },
      "Condition": "CDKMetadataAvailable"
    }
  }
}