aws-quickstart · vsnyc · Jul 1, 2021 · Jul 1, 2021
diff --git a/templates/mongodb-atlas-main.template.yaml b/templates/mongodb-atlas-main.template.yaml
@@ -2,6 +2,10 @@
 AWSTemplateFormatVersion: '2010-09-09'
 Description: "MongoDB Atlas AWS CloudFormation Quick Start (qs-1rkorhef6)."
 Metadata:
+ cfn-lint:
+ config:
+ ignore_checks:
+ - W9006 # temporary to get rid of warnings
  QuickStartDocumentation:
  EntrypointName: "Parameters for deploying MongoDB Atlas without VPC peering."
  Order: "1"
@@ -18,6 +22,7 @@ Metadata:
  Parameters:
  - RegisterMongoDBResources
  - ProjectName
+ - ClusterMongoDBMajorVersion
  - ClusterName
  - ClusterRegion
  - ClusterInstanceSize
@@ -38,6 +43,8 @@ Metadata:
  default: Register MongoDB Atlas CloudFormation resources
  ProjectName:
  default: Name of new Atlas project
+ ClusterMongoDBMajorVersion:
+ default: MongoDB version
  ClusterName:
  default: Name of new cluster
  ClusterRegion:

diff --git a/templates/mongodb-atlas-peering-existingvpc.template.yaml b/templates/mongodb-atlas-peering-existingvpc.template.yaml
@@ -2,6 +2,10 @@
 AWSTemplateFormatVersion: '2010-09-09'
 Description: "MongoDB Atlas AWS CloudFormation Quick Start with VPC peering (qs-1rkorhefm)."
 Metadata:
+ cfn-lint:
+ config:
+ ignore_checks:
+ - W9006 # temporary to get rid of warnings
  QuickStartDocumentation:
  EntrypointName: "Parameters for deploying MongoDB Atlas with VPC peering into an existing VPC."
  Order: "3"
@@ -23,6 +27,7 @@ Metadata:
  Parameters:
  - RegisterMongoDBResources
  - ProjectName
+ - ClusterMongoDBMajorVersion
  - ClusterName
  - ClusterRegion
  - ClusterInstanceSize
@@ -53,6 +58,8 @@ Metadata:
  default: Register MongoDB Atlas CloudFormation resources
  ProjectName:
  default: Name of new Atlas project
+ ClusterMongoDBMajorVersion:
+ default: MongoDB version
  ClusterName:
  default: Name of new cluster
  ClusterRegion:

diff --git a/templates/mongodb-atlas-peering-newvpc.template.yaml b/templates/mongodb-atlas-peering-newvpc.template.yaml
@@ -2,6 +2,10 @@
 AWSTemplateFormatVersion: '2010-09-09'
 Description: "MongoDB Atlas AWS CloudFormation Quick Start with VPC peering (qs-1rkorheg3)."
 Metadata:
+ cfn-lint:
+ config:
+ ignore_checks:
+ - W9006 # temporary to get rid of warnings
  QuickStartDocumentation:
  EntrypointName: Parameters for deploying MongoDB Atlas with VPC peering into a new VPC.
  Order: "2"
@@ -28,6 +32,7 @@ Metadata:
  Parameters:
  - RegisterMongoDBResources
  - ProjectName
+ - ClusterMongoDBMajorVersion
  - ClusterName
  - ClusterRegion
  - ClusterInstanceSize
@@ -46,14 +51,10 @@ Metadata:
  default: Private subnet 1 CIDR
  PrivateSubnet2CIDR:
  default: Private subnet 2 CIDR
- PrivateSubnet3CIDR:
- default: Private subnet 3 CIDR
  PublicSubnet1CIDR:
  default: Public subnet 1 CIDR
  PublicSubnet2CIDR:
  default: Public subnet 2 CIDR
- PublicSubnet3CIDR:
- default: Public subnet 3 CIDR
  QSS3BucketName:
  default: Quick Start S3 bucket name
  QSS3KeyPrefix:
@@ -72,6 +73,8 @@ Metadata:
  default: Register MongoDB Atlas CloudFormation resources
  ProjectName:
  default: Name of new Atlas project
+ ClusterMongoDBMajorVersion:
+ default: MongoDB version
  ClusterName:
  default: Name of new cluster
  ClusterRegion:
@@ -234,7 +237,6 @@ Parameters:
  Type: String
 Conditions:
  UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart']
- RegisterResources: !Equals [!Ref RegisterMongoDBResources, 'Yes']
 Resources:
  VPCStack:
  Type: AWS::CloudFormation::Stack
@@ -257,7 +259,6 @@ Resources:
  VPCCIDR: !Ref VPCCIDR
  Atlas:
  Type: AWS::CloudFormation::Stack
- DependsOn: VPCStack
  Properties:
  TemplateURL: !Sub
  - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/mongodb-atlas-peering-existingvpc.template.yaml'

diff --git a/templates/mongodb-atlas-peering.template.yaml b/templates/mongodb-atlas-peering.template.yaml
@@ -2,6 +2,7 @@
 AWSTemplateFormatVersion: '2010-09-09'
 Description: MongoDB Atlas AWS CloudFormation Quickstart with VPC Peering. (qs-1rkorhefe)
 Metadata:
+ cfn-lint: { config: { ignore_checks: [ W9002, W9003, W9006, E3001, E1010 ] } }
  AWS::CloudFormation::Interface:
  ParameterGroups:
  - Label:
@@ -22,7 +23,6 @@ Metadata:
  - ClusterName
  - ClusterRegion
  - ClusterInstanceSize
- - AccessList
  - DatabaseUserRoleDatabaseName
  ParameterLabels:
  VPC:
@@ -176,7 +176,6 @@ Resources:
  Name: !Ref "ProjectName"
  AtlasProjectIPAccessList:
  Type: MongoDB::Atlas::ProjectIpAccessList
- DependsOn: AtlasProject
  Properties:
  ProjectId: !Ref "AtlasProject"
  ApiKeys:
@@ -187,7 +186,6 @@ Resources:
  Comment: "Testing open all ips"
  AtlasNetworkPeering: 
  Type: MongoDB::Atlas::NetworkPeering
- DependsOn: AtlasProject
  Properties:
  ProjectId: !Ref "AtlasProject"
  ApiKeys:
@@ -199,7 +197,6 @@ Resources:
  VpcId: !Ref "VPC"
  AtlasCluster:
  Type: MongoDB::Atlas::Cluster
- DependsOn: AtlasProject
  Properties:
  ApiKeys:
  PublicKey: !Ref "PublicKey"

diff --git a/templates/mongodb-atlas.template.yaml b/templates/mongodb-atlas.template.yaml
@@ -2,6 +2,7 @@
 AWSTemplateFormatVersion: '2010-09-09'
 Description: MongoDB Atlas AWS CloudFormation Quickstart. (qs-1rkorhec7)
 Metadata:
+ cfn-lint: { config: { ignore_checks: [ W9002, W9003, W9006, E3001, E1010 ] } }
  AWS::CloudFormation::Interface:
  ParameterGroups:
  - Label:
@@ -17,7 +18,6 @@ Metadata:
  - ClusterName
  - ClusterRegion
  - ClusterInstanceSize
- - AccessList
  - DatabaseUserRoleDatabaseName
  ParameterLabels:
  PublicKey:
@@ -161,7 +161,6 @@ Resources:
  Name: !Ref "ProjectName"
  AtlasProjectIPAccessList:
  Type: MongoDB::Atlas::ProjectIpAccessList
- DependsOn: AtlasProject
  Properties:
  ProjectId: !Ref "AtlasProject"
  ApiKeys:
@@ -172,7 +171,6 @@ Resources:
  Comment: "Testing open all ips"
  AtlasCluster:
  Type: MongoDB::Atlas::Cluster
- DependsOn: AtlasProject
  Properties:
  ApiKeys:
  PublicKey: !Ref "PublicKey"
@@ -188,7 +186,6 @@ Resources:
  RegionName: !Ref "ClusterRegion"
  AtlasDatabaseUser:
  Type: MongoDB::Atlas::DatabaseUser
- DependsOn: AtlasCluster
  Properties:
  ProjectId: !Ref "AtlasProject"
  ApiKeys:

diff --git a/templates/register-mongodb-atlas-resources.yaml b/templates/register-mongodb-atlas-resources.yaml
@@ -2,37 +2,19 @@
 AWSTemplateFormatVersion: '2010-09-09'
 Description: MongoDB Atlas CloudFormation resources. (qs-1rkorhegh)
 Metadata:
+ cfn-lint: { config: { ignore_checks: [ W9002, W9003, W9006 ] } }
  AWS::CloudFormation::Interface:
  ParameterGroups:
- - Label:
- default: DNS Configuration
- Parameters:
- - DomainName
- - SubDomainPrefix
- - HostedZoneID
- - Route53HostedSubdomainZone
  - Label:
  default: AWS Quick Start Configuration
  Parameters:
  - QSS3BucketName
  - QSS3KeyPrefix
- - Label:
- default: OpenShift Configuration
- Parameters:
- - RegistryBucket
  ParameterLabels:
- RegistryBucket:
- default: Registry Bucket
  QSS3BucketName:
  default: Quick Start S3 Bucket Name
  QSS3KeyPrefix:
  default: Quick Start S3 Key Prefix
- HostedZoneID:
- default: Route 53 Hosted Zone ID
- SubDomainPrefix:
- default: Subdomain Prefix
- Route53HostedSubdomainZone:
- default: Route 53 Subdomain Zone
 Parameters:
  QSS3BucketName:
  AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$
@@ -76,21 +58,37 @@ Resources:
  PolicyDocument:
  Version: '2012-10-17'
  Statement:
+ - Effect: Allow
+ Action: ["cloudformation:TagResource", "cloudformation:DescribeTypeRegistration", "cloudformation:UpdateTerminationProtection", "cloudformation:DescribeStackInstance", "cloudformation:DescribeStackResourceDrifts", "cloudformation:DetectStackResourceDrift", "cloudformation:DeleteChangeSet", "cloudformation:ListStackResources", "cloudformation:ContinueUpdateRollback", "cloudformation:UpdateStackSet", "cloudformation:ListStackSetOperations", "cloudformation:DescribeStackEvents", "cloudformation:RegisterType", "cloudformation:ListExports", "cloudformation:DescribeStackSetOperation", "cloudformation:GetStackPolicy", "cloudformation:ListStackSetOperationResults", "cloudformation:SetStackPolicy", "cloudformation:ListChangeSets", "cloudformation:ValidateTemplate", "cloudformation:DescribeStackSet", "cloudformation:DeleteStackSet", "cloudformation:DetectStackSetDrift", "cloudformation:ListTypes", "cloudformation:DetectStackDrift", "cloudformation:UpdateStack", "cloudformation:UpdateStackInstances", "cloudformation:ListImports", "cloudformation:ExecuteChangeSet", "cloudformation:DeregisterType", "cloudformation:ListTypeVersions", "cloudformation:SetTypeDefaultVersion", "cloudformation:DescribeStacks", "cloudformation:CreateChangeSet", "cloudformation:ListTypeRegistrations", "cloudformation:DescribeType", "cloudformation:DescribeStackResources", "cloudformation:CancelUpdateStack", "cloudformation:GetTemplate", "cloudformation:ListStackInstances", "cloudformation:DescribeStackDriftDetectionStatus", "cloudformation:DescribeChangeSet", "cloudformation:RecordHandlerProgress", "cloudformation:SignalResource", "cloudformation:ListStackSets", "cloudformation:GetTemplateSummary", "cloudformation:ListStacks", "cloudformation:CreateStackInstances", "cloudformation:UntagResource", "cloudformation:DeleteStack", "cloudformation:DeleteStackInstances", "cloudformation:CreateStack", "cloudformation:DescribeAccountLimits", "cloudformation:StopStackSetOperation", "cloudformation:CreateStackSet", "cloudformation:CreateUploadBucket", "cloudformation:EstimateTemplateCost", "cloudformation:DescribeStackResource"]
+ Resource: !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*
  - Effect: Allow
  Action:
- - "cloudformation:*"
  - "iam:PassRole"
  - "iam:CreateRole"
+ Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/*
+ - Effect: Allow
+ Action:
  - "iam:CreatePolicy"
  - "iam:ListPolicyVersions"
  - "iam:DeletePolicyVersion"
  - "iam:CreatePolicyVersion"
  - "iam:AttachRolePolicy"
+ Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/*
+ - Effect: Allow
+ Action:
  - "ssm:GetParameter"
  - "ssm:PutParameter"
+ Resource: !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/*
+ - Effect: Allow
+ Action:
  - "sts:GetCallerIdentity"
- - "s3:GetObject"
  Resource: "*"
+ - Effect: Allow
+ Action:
+ - s3:GetObject
+ Resource:
+ - !Sub 'arn:${AWS::Partition}:s3:::${QSS3BucketName}/${QSS3KeyPrefix}*'
+ - !Sub 'arn:${AWS::Partition}:s3:::${LambdaZipsBucket}/${QSS3KeyPrefix}*'
  ArtifactCopyPolicy:
  Type: AWS::S3::BucketPolicy
  Properties:
@@ -133,7 +131,7 @@ Resources:
  Service: lambda.amazonaws.com
  Action: sts:AssumeRole
  ManagedPolicyArns:
- - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+ - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
  Path: /
  Policies:
  - PolicyName: lambda-copier
@@ -144,13 +142,13 @@ Resources:
  Action:
  - s3:GetObject
  Resource:
- - !Sub 'arn:aws:s3:::${QSS3BucketName}/${QSS3KeyPrefix}*'
+ - !Sub 'arn:${AWS::Partition}:s3:::${QSS3BucketName}/${QSS3KeyPrefix}*'
  - Effect: Allow
  Action:
  - s3:PutObject
  - s3:DeleteObject
  Resource:
- - !Sub 'arn:aws:s3:::${LambdaZipsBucket}/${QSS3KeyPrefix}*'
+ - !Sub 'arn:${AWS::Partition}:s3:::${LambdaZipsBucket}/${QSS3KeyPrefix}*'
 
  CustomResourceLogDeliveryRole:
  Type: AWS::IAM::Role
@@ -177,10 +175,12 @@ Resources:
  - "logs:DescribeLogGroups"
  - "logs:DescribeLogStreams"
  - "logs:PutLogEvents"
+ Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*
+ - Effect: Allow
+ Action:
  - "cloudwatch:ListMetrics"
  - "cloudwatch:PutMetricData"
  Resource: "*"
-
  MongoDBCustomResourceExecutionRole:
  Type: AWS::IAM::Role
  Properties:
@@ -232,7 +232,7 @@ Resources:
  - "secretsmanager:ListSecrets"
  - "secretsmanager:PutSecretValue"
  - "secretsmanager:TagResource"
- Resource: "*"
+ Resource: !Sub arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*
 
  CopyZipsFunction:
  Type: AWS::Lambda::Function
@@ -394,7 +394,6 @@ Resources:
  cfnresponse.send(event, context, status, {}, physicalResourceId=physical_id)
 
  RegisterProjectType:
- DependsOn: RegisterTypeFunction
  Type: "AWS::CloudFormation::CustomResource"
  Properties:
  ServiceToken: !GetAtt RegisterTypeFunction.Arn
@@ -403,7 +402,6 @@ Resources:
  ExecutionRoleArn: !GetAtt MongoDBCustomResourceExecutionRole.Arn
 
  RegisterClusterType:
- DependsOn: RegisterTypeFunction
  Type: "AWS::CloudFormation::CustomResource"
  Properties:
  ServiceToken: !GetAtt RegisterTypeFunction.Arn
@@ -412,7 +410,6 @@ Resources:
  ExecutionRoleArn: !GetAtt MongoDBCustomResourceClusterExecutionRole.Arn
 
  RegisterDatabaseUserType:
- DependsOn: RegisterTypeFunction
  Type: "AWS::CloudFormation::CustomResource"
  Properties:
  ServiceToken: !GetAtt RegisterTypeFunction.Arn
@@ -422,7 +419,6 @@ Resources:
 
 
  RegisterNetworkPeeringType:
- DependsOn: RegisterTypeFunction
  Type: "AWS::CloudFormation::CustomResource"
  Properties:
  ServiceToken: !GetAtt RegisterTypeFunction.Arn
@@ -432,7 +428,6 @@ Resources:
 
 
  RegisterProjectIpAccessListType:
- DependsOn: RegisterTypeFunction
  Type: "AWS::CloudFormation::CustomResource"
  Properties:
  ServiceToken: !GetAtt RegisterTypeFunction.Arn