CloudFormation

Creating a CloudTruth Access IAM Role via CloudFormation

Prerequisites

• AWS CLI with an appropriate AWS credential Access Key

• User-provided AWS_INTEGRATION_ROLE_NAME (IAM role that you'll create for CloudTruth to have access to AWS) for the AWS account.

AWS CloudTruth Integration

Before running the CloudFormation stack, you'll need to create the AWS integration. The integration will sit in a pending state until the CloudFormation stack is created.

Log into CloudTruth and go to Integrations --> AWS

Click the blue Add AWS Account button.

Add in the following information:

• AWS Account ID: The ID of your organizations AWS account

• Role Name: The role name that you're going to use when running the CloudFormation template (coming up in the next section).

• Select S3, Secrets Manager, and SSM Parameter Store for CloudTruth to have access to those services in AWS.

Copy the External ID from the pending CloudTruth AWS Integration. You'll use the External ID in the next section when running the CloudFormation stack.

CloudFormation Stack Creation

The following AWS cli command will use the CloudFormation template to create an AWS Role providing CloudTruth AWS integration access with inline policies for S3, SSM, and Secrets Manager.

Execute the following aws cloudformation create-stack command:

• Update the EXTERNAL_ID_FROM_CLOUDTRUTH from the pending CloudTruth AWS account creation.

• Update the integration AWS_INTEGRATION_ROLE_NAME value.

aws cloudformation create-stack --stack-name CloudTruthIntegration \
--template-url https://cloudtruth-production-packages.s3.amazonaws.com/cloudformation/cloudtruth-access/cloudTruth_AWS_access.json \
--capabilities CAPABILITY_NAMED_IAM \
--parameters ParameterKey=CloudTruthExternalId,ParameterValue=EXTERNAL_ID_FROM_CLOUDTRUTH ParameterKey=CloudTruthRoleName,ParameterValue=AWS_INTEGRATION_ROLE_NAME

CloudFormation Template Repo