What do I need to deploy the template?

In order to deploy the CloudFormation template, you will need to be running as an IAM user or role in the AWS CLI or Console that has the correct permissions. Broadly speaking, that principal needs to be able to:

  • Create CloudFormation stacks
  • Create IAM roles (including the policies attached to them)
  • Create and invoke Lambda functions

If you do not have the required permissions, the stack deployment will fail and roll back (CloudFormation deletes any resources it had already created). If this occurs, you'll need a user or role with permission to perform the above actions to deploy the stack.

How does it work?

The CloudFormation template that we provide creates resources in your account. These resources give GorillaStack's AWS account permission to perform actions on your behalf in your AWS account.

The GorillaStack IAM Role

The main resource is an IAM Role. A role is assumed by a principal (a user, a service, or another AWS account) and grants that principal a set of permissions in the account that owns the role. Which principals may assume the role is decided by the role's trust policy (the AssumeRolePolicyDocument in the template); in this case it names GorillaStack's AWS account. That trust policy is the line that decides who can use the permissions the role carries, so it is worth reading before you deploy.
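As an added example (not code from the GorillaStack template), the check below takes a trust policy of the kind such a template creates and reports anything a third-party role should not have: a wildcard principal, a principal outside the expected account, or an Allow statement with no sts:ExternalId condition (the AWS-recommended guard against the confused-deputy problem; whether the real template uses one is not stated on this page). The account ID, external ID and both policy documents are constructed placeholders.

```python
from __future__ import annotations

from typing import Any

# Constructed sample values; not GorillaStack's real account or external ID.
TRUSTED_ACCOUNT = "111111111111"
EXTERNAL_ID = "example-external-id"

# A trust policy (AssumeRolePolicyDocument) shaped the way a cross-account
# template would write it: one account may assume the role, and only when it
# presents the agreed external ID.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{TRUSTED_ACCOUNT}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
        }
    ],
}

# The same policy loosened so that any AWS principal can assume the role,
# with no external ID. Constructed to show what the audit flags.
LOOSE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}
    ],
}


def _principal_arns(principal: Any) -> list[str]:
    """Normalise a Principal element ("*", {"AWS": "..."} or {"AWS": [...]})
    to a list of ARNs. Service principals (e.g. lambda.amazonaws.com) are
    not cross-account grants and are ignored here."""
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def _account_of(arn: str) -> str:
    """'arn:aws:iam::123456789012:root' -> '123456789012'; a bare account ID is returned as-is."""
    return arn.split(":")[4] if arn.startswith("arn:") else arn


def audit_trust_policy(policy: dict, expected_account: str) -> list[str]:
    """Return a list of findings (empty means the policy only lets the expected
    account assume the role, and only with an external ID)."""
    findings: list[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        for arn in _principal_arns(stmt.get("Principal", {})):
            if arn == "*":
                findings.append(f"statement {i}: wildcard principal")
            elif _account_of(arn) != expected_account:
                findings.append(f"statement {i}: unexpected principal {arn}")
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in conditions:
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    print("expected policy:", audit_trust_policy(TRUST_POLICY, TRUSTED_ACCOUNT))
    print("loosened policy:", audit_trust_policy(LOOSE_TRUST_POLICY, TRUSTED_ACCOUNT))
```

To run it against a real template, load the Role resource's AssumeRolePolicyDocument from the template (or `aws iam get-role --role-name ...` after deployment) and pass it in with the vendor's documented account ID.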

Template Execution Steps

  1. First, it creates an IAM Role with the permissions that GorillaStack needs in your account. The role's trust policy allows GorillaStack's AWS account to assume it.
  2. Then, it sets up a Lambda function and an associated IAM execution role. This Lambda is used purely to notify GorillaStack of the successful deployment of the CloudFormation stack (it isn't used for any other purpose).
  3. Lastly, the Lambda is invoked through a Custom Resource. The Lambda calls a webhook in the GorillaStack application to indicate that the stack has been deployed correctly for your AWS account, and reports its result back to CloudFormation so the stack can finish.
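The handler below is an added example of the notification step, not GorillaStack's own Lambda code. It shows the part of the custom-resource protocol that matters for the stack: whatever happens to the webhook call, the function must PUT a response to the pre-signed `ResponseURL` CloudFormation passes in the event, for Delete requests as well as Create, or the stack sits in CREATE_IN_PROGRESS (or DELETE_IN_PROGRESS) until it times out. The webhook URL, payload shape, sample event and recording sender are all constructed for the example.

```python
import json
from typing import Callable, List, Tuple
from urllib.request import Request, urlopen

# Hypothetical webhook; the real GorillaStack endpoint is not part of this example.
NOTIFY_URL = "https://example.invalid/hooks/stack-deployed"

# (method, url, body, content_type) -> HTTP status. Injected so the handler
# can be exercised offline with a recording stub instead of real HTTP.
Sender = Callable[[str, str, bytes, str], int]


def http_send(method: str, url: str, body: bytes, content_type: str) -> int:
    """Sender used inside Lambda. CloudFormation's ResponseURL is a pre-signed S3
    URL signed with an empty Content-Type, so the caller passes "" for it."""
    req = Request(url, data=body, method=method, headers={"Content-Type": content_type})
    with urlopen(req, timeout=10) as resp:
        return resp.status


def handler(event: dict, context=None, send: Sender = http_send) -> dict:
    """Custom-resource entry point: notify on Create, then always answer CloudFormation."""
    status, reason = "SUCCESS", "ok"
    try:
        if event["RequestType"] == "Create":
            payload = json.dumps({
                "stackId": event["StackId"],
                "roleArn": event["ResourceProperties"]["RoleArn"],
            }).encode()
            code = send("POST", NOTIFY_URL, payload, "application/json")
            if code >= 300:
                status, reason = "FAILED", f"webhook returned HTTP {code}"
        # Update and Delete have nothing to notify, but still need an answer.
    except Exception as exc:  # never let an error escape without answering CloudFormation
        status, reason = "FAILED", str(exc)

    response = {
        "Status": status,
        "Reason": reason,
        # Reuse the existing id on Update/Delete; a new id would make CloudFormation
        # treat the resource as replaced and issue a Delete for the old one.
        "PhysicalResourceId": event.get("PhysicalResourceId")
        or f"notify-{event['LogicalResourceId']}",
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
    }
    send("PUT", event["ResponseURL"], json.dumps(response).encode(), "")
    return response


# Constructed sample event in the shape CloudFormation sends to a custom resource.
SAMPLE_EVENT = {
    "RequestType": "Create",
    "ResponseURL": "https://cloudformation-custom-resource-response.example.invalid/presigned",
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/gorillastack/11111111-2222-3333-4444-555555555555",
    "RequestId": "7d5e3a2b-0000-0000-0000-000000000001",
    "LogicalResourceId": "NotifyGorillaStack",
    "ResourceProperties": {"RoleArn": "arn:aws:iam::123456789012:role/GorillaStackRole"},
}


def make_recorder(webhook_status: int = 200) -> Tuple[List[tuple], Sender]:
    """Offline sender: records (method, url, parsed body) and fakes the webhook's status."""
    calls: List[tuple] = []

    def send(method: str, url: str, body: bytes, content_type: str) -> int:
        calls.append((method, url, json.loads(body)))
        return webhook_status if url == NOTIFY_URL else 200

    return calls, send


if __name__ == "__main__":
    calls, send = make_recorder()
    print(handler(SAMPLE_EVENT, None, send)["Status"], [c[0] for c in calls])
```

In the real function `send` is left at its default, `http_send`; the recorder exists so the Create, failed-webhook and Delete paths can be checked without a stack.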