Fix account bootstrap on OU move (#539)

**Why?** When you move an account from the root to an OU, an event is emitted that should trigger the Account Bootstrap state machine. However, the task role that was configured did not have the necessary permissions to invoke the state machine. **What?** A new role is created that will enable the event to trigger the Account Bootstrap state machine. While investigating the issue, it was also noticed that the original task role had permissions that were no longer required. Those stale permissions are removed too.
awslabs · Oct 7, 2022 · 9e1c0a2 · 9e1c0a2
1 parent fffe524
commit 9e1c0a2
Showing 1 changed file with 24 additions and 4 deletions.
diff --git a/src/template.yml b/src/template.yml
@@ -1049,7 +1049,7 @@ Resources:
             - MoveAccount
       Targets:
         - Arn: !Ref AccountBootstrappingStateMachine
-          RoleArn: !GetAtt StatesExecutionRole.Arn
+          RoleArn: !GetAtt AccountBootstrapStartExecutionRole.Arn
           Id: CreateStackLinkedAccountV1
 
   CodeCommitRole:
@@ -1428,8 +1428,6 @@ Resources:
           - Effect: "Allow"
             Principal:
               Service:
-                - events.amazonaws.com
-                - lambda.amazonaws.com
                 - states.amazonaws.com
             Action: "sts:AssumeRole"
       Path: "/aws-deployment-framework/account-bootstrapping/"
@@ -1441,7 +1439,6 @@ Resources:
               - Effect: Allow
                 Action:
                   - "lambda:InvokeFunction"
-                  - "states:StartExecution"
                 Resource:
                   - !GetAtt DetermineEventFunction.Arn
                   - !GetAtt CrossAccountExecuteFunction.Arn
@@ -1450,6 +1447,29 @@ Resources:
                   - !GetAtt RoleStackDeploymentFunction.Arn
                   - !GetAtt UpdateResourcePoliciesFunction.Arn
 
+  AccountBootstrapStartExecutionRole:
+    Type: "AWS::IAM::Role"
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: "Allow"
+            Principal:
+              Service:
+                - events.amazonaws.com
+            Action: "sts:AssumeRole"
+      Path: "/aws-deployment-framework/account-bootstrapping/"
+      Policies:
+        - PolicyName: "adf-start-state-machine"
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - "states:StartExecution"
+                Resource:
+                  - !Ref AccountBootstrappingStateMachine
+
   AccountBootstrappingStateMachine:
     Type: "AWS::StepFunctions::StateMachine"
     Properties: