AWS CloudFormation Git sync prerequisites
Git sync has the following prerequisites:
Git repository
Git sync supports GitHub
CloudFormation template
A CloudFormation template file must be checked into the repository and branch you intend to connect with Git sync. This template is referenced by the stack deployment file.
IAM role
Git sync requires an Identity and Access Management (IAM) role. You can choose to have an IAM role created for your stack when you configure Git sync, or you can supply an existing role.
Note
An automatically generated IAM role only applies permissions to the stack for which the role is generated. To reuse an automatically generated IAM role, you must edit the role for the new stack.
Required permissions
The IAM role that you provide for Git sync requires the following permissions:
Note
The preceding required permissions are automatically added to IAM roles that Git sync generates.
The following example IAM role includes the prerequisite permissions for Git sync.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "SyncToCloudFormation", "Effect": "Allow", "Action": [ "cloudformation:CreateChangeSet", "cloudformation:DeleteChangeSet", "cloudformation:DescribeChangeSet", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks", "cloudformation:ExecuteChangeSet", "cloudformation:GetTemplate", "cloudformation:ListChangeSets", "cloudformation:ListStacks", "cloudformation:ValidateTemplate" ], "Resource": "*" }, { "Sid": "PolicyForManagedRules", "Effect": "Allow", "Action": [ "events:PutRule", "events:PutTargets" ], "Resource": "*", "Condition": { "StringEquals": { "events:ManagedBy": ["cloudformation.sync.codeconnections.amazonaws.com"] } } }, { "Sid": "PolicyForDescribingRule", "Effect": "Allow", "Action": "events:DescribeRule", "Resource": "*" } ] }
Trust policy
The following trust policy is required for Git sync to connect to your Git repository:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CfnGitSyncTrustPolicy", "Effect": "Allow", "Principal": { "Service": "cloudformation.sync.codeconnections.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }