docs(readme): include deployment instruction for CFN

.github/bootstrap.yaml

@@ -0,0 +1,159 @@
+# Reference - https://github.com/marketplace/actions/configure-aws-credentials-action-for-github-actions
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  Maintainers Only: Used to provision access for Github actions to deploy the serverless application
+Transform: AWS::Serverless-2016-10-31
+
+Parameters:
+  GitHubOrg:
+    Type: String
+    Default: "Versent"
+  RepositoryName:
+    Type: String
+    Description: Github Repo name that has permissions to deploy this stack
+  OIDCProviderArn:
+    Type: String
+    Description: arn:aws:for the GitHub OIDC Provider.
+    Default: ""
+
+
+Conditions:
+  CreateOIDCProvider: !Equals
+    - !Ref OIDCProviderArn
+    - ""
+
+Resources:
+
+  GithubAssumeRole:
+    Type: AWS::IAM::Role
+    Properties:
+      Description: Allow github actions to assume this role to deploy resources to AWS
+      AssumeRolePolicyDocument:
+        Statement:
+          - Effect: Allow
+            Action: sts:AssumeRoleWithWebIdentity
+            Principal:
+              Federated: !If
+                - CreateOIDCProvider
+                - !Ref GithubOidc
+                - !Ref OIDCProviderArn
+            Condition:
+              StringLike:
+                token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*
+      Policies:
+        - PolicyName: GithubActionsPolicy
+          PolicyDocument:
+            Statement:
+              - Effect: Allow
+                Action:
+                  - ssm:GetParameter
+                Resource:
+                  - !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/orchestrator/stax/*
+              - Effect: Allow
+                Action:
+                  - lambda:GetFunction
+                  - lambda:CreateFunction
+                  - lambda:DeleteFunction
+                  - lambda:GetFunctionConfiguration
+                  - lambda:AddPermission
+                  - lambda:RemovePermission
+                  - lambda:InvokeFunction
+                  - lambda:UpdateFunctionCode
+                  - lambda:UpdateFunctionConfiguration
+                  - lambda:ListTags
+                  - lambda:TagResource
+                  - lambda:UntagResource
+                  - lambda:PutFunctionEventInvokeConfig
+                  - lambda:DeleteFunctionEventInvokeConfig
+                Resource:
+                  - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:orchestrator-stax-*
+              - Effect: Allow
+                Action:
+                  - lambda:DeleteLayerVersion
+                  - lambda:GetLayerVersion
+                  - lambda:PublishLayerVersion
+                Resource:
+                  - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:layer:orchestrator-stax-*
+                  - !Sub arn:aws:lambda:*:*:layer:orchestrator-stax-*
+              - Effect: Allow
+                Action:
+                  - cloudformation:*
+                Resource:
+                  - !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/orchestrator-stax-*
+                  - !Sub arn:aws:cloudformation:${AWS::Region}:aws:transform/*
+              - Effect: Allow
+                Action:
+                  - s3:GetObject
+                  - s3:PutObject*
+                  - s3:CreateMultipartUpload
+                Resource:
+                  - !Sub arn:aws:s3:::versent-stax-orchestrator-*
+              - Effect: Allow
+                Action:
+                  - iam:PassRole
+                  - iam:AttachRolePolicy
+                  - iam:CreateRole
+                  - iam:GetPolicy
+                  - iam:GetRole
+                  - iam:GetRolePolicy
+                  - iam:CreatePolicy
+                  - iam:DeleteRole
+                  - iam:DetachRolePolicy
+                  - iam:UpdateRole
+                  - iam:DeleteRolePolicy
+                  - iam:PutRolePolicy
+                  - iam:CreatePolicyVersion
+                  - iam:DeletePolicyVersion
+                  - iam:DeletePolicy
+                  - iam:ListPolicyVersions
+                  - iam:TagRole
+                  - iam:UntagRole
+                Resource:
+                  - !Sub arn:aws:iam::${AWS::AccountId}:role/orchestrator-stax-*
+                  - !Sub arn:aws:iam::${AWS::AccountId}:policy/orchestrator-stax-*
+              - Effect: Allow
+                Action:
+                  - logs:CreateLogGroup
+                  - logs:DeleteLogGroup
+                  - logs:PutLogEvents
+                  - logs:TagResource
+                  - logs:PutRetentionPolicy
+                  - logs:DeleteRetentionPolicy
+                Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/orchestrator-stax-*
+              - Effect: Allow
+                Action:
+                  - states:DescribeStateMachine
+                  - states:DeleteStateMachine
+                  - states:ListExecutions
+                  - states:UpdateStateMachine
+                  - states:CreateStateMachine
+                  - states:ListTagsForResource
+                  - states:TagResource
+                  - states:UntagResource
+                  - states:StartExecution
+                Resource:
+                  - arn:aws:states:*:*:stateMachine:orchestrator-stax-*
+              - Effect: Allow
+                Action:
+                  - serverlessrepo:CreateApplication
+                Resource: !Sub arn:aws:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/*
+              - Effect: Allow
+                Action:
+                  - serverlessrepo:CreateApplicationVersion
+                  - serverlessrepo:UpdateApplication
+                Resource: !Sub arn:aws:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/stax-orchestrator
+
+  GithubOidc:
+    Type: AWS::IAM::OIDCProvider
+    Condition: CreateOIDCProvider
+    Properties:
+      Url: https://token.actions.githubusercontent.com
+      ClientIdList:
+        - sts.amazonaws.com
+      ThumbprintList:
+        - 6938fd4d98bab03faadb97b34396831e3780aea1
+        - 1c58a3a8518e8759bf075b76b750d4f2df264fcd
+
+Outputs:
+  GithubAssumeRoleArn:
+    Value: !GetAtt GithubAssumeRole.Arn

.github/bucket.yaml

@@ -0,0 +1,63 @@
+AWSTemplateFormatVersion: '2010-09-09'
+
+Description: |
+  Maintainers Only: Create a S3 bucket used for hosting the artifacts in the AWS SAM package process
+
+
+Resources:
+  ArtifactBucket:
+    Type: AWS::S3::Bucket
+    Properties:
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
+      AccessControl: Private
+      LifecycleConfiguration:
+        Rules:
+          - Id: BasicLifeCycle
+            Status: Enabled
+            Transitions:
+              - TransitionInDays: 1
+                StorageClass: INTELLIGENT_TIERING
+
+  ArtifactBucketPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref ArtifactBucket
+      PolicyDocument:
+        Statement:
+          - Effect: Allow
+            Principal:
+                Service: serverlessrepo.amazonaws.com
+            Action: s3:GetObject
+            Resource: !Sub arn:aws:s3:::${ArtifactBucket}/*
+            Condition:
+                StringEquals:
+                    aws:SourceAccount: !Ref AWS::AccountId
+
+          -
+            Sid: AllowSSLRequestsOnly
+            Action: s3:*
+            Effect: Deny
+            Resource:
+              - !Sub ${ArtifactBucket.Arn}
+              - !Sub ${ArtifactBucket.Arn}/*
+            Condition:
+              Bool:
+                aws:SecureTransport: false
+            Principal: "*"
+
+
+  ArtifactBucketArn:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Name: /orchestrator/stax/artifact/bucket/name
+      Description: Bucket name used for artifact storage
+      Type: String
+      Value: !Ref ArtifactBucket

README.md

@@ -50,7 +50,34 @@ Follow this guide [here](docs/direct_deployment.md) to deploy directly.
 Deployment of the stax-orchestrator can be completed by the AWS Console, AWS CLI or AWS Cloudformation.
 Please following [Deploying Applications](https://docs.aws.amazon.com/serverlessrepo/latest/devguide/serverlessrepo-consuming-applications.html) to use th AWS Console or AWS CLI.
 
-To deploy using AWS Cloudformation, find the serverless application in the AWS Serverless Repository in your AWS account and click "copy Cloudformation template".
+To deploy using AWS Cloudformation, find the serverless application (name: `stax-orchestrator`) in the AWS Serverless Repository in your AWS account and click "copy Cloudformation template".
+
+Example:
+~~~yaml
+Resources:
+  staxorchestrator:
+    Type: AWS::Serverless::Application
+    Properties:
+      Location:
+        ApplicationId: arn:aws:serverlessrepo:ap-southeast-2:754868638956:applications/stax-orchestrator
+        SemanticVersion: 0.1.7 # any specific version required
+      Parameters: 
+        # Deploy workload cloudwatch dashboard to view stax orchestrator step function metrics and logs.
+        # DeployTaskWatcherCloudwatchDashboard: 'false' # Uncomment to override default value
+        # Deploy workload cloudwatch dashboard to view stax orchestrator step function metrics and logs.
+        # DeployWorkloadCloudwatchDashboard: 'false' # Uncomment to override default value
+        # Deploy workload state machine to CUD (create-update-delete) workloads.
+        # DeployWorkloadStateMachine: 'false' # Uncomment to override default value
+        # Enable X-Ray tracing for lambda functions
+        # EnableLambdaTracing: 'false' # Uncomment to override default value
+        # Enable X-Ray tracing for state machines
+        # EnableStateMachineTracing: 'false' # Uncomment to override default value
+        # Number of days to retain lambda function logs; applies to all lambda functions in this template
+        # LambdaLogGroupRetentionInDays: '60' # Uncomment to override default value
+        # Python logging level for Lambda functions
+        # PythonLoggingLevel: 'INFO' # Uncomment to override default value  
+
+~~~
 
 ### Using the Stax Orchestrator