Description
Creates the specified resource.
Input Schema
| Property | Type | Description | Required |
|---|---|---|---|
| accountId | string | The AWS account ID to create the resource. | |
| region | string | The AWS region to create the resource. | |
| typeName | string | The name of the resource type. | |
| desiredState | string | Structured data format representing the desired state of the resource, consisting of that resource's properties and their desired values. | |
| clientToken | string | A unique identifier to ensure the idempotency of the resource request. | |
| roleArn | string | IAM role for Cloud Control API to use when performing this resource operation. | |
| typeVersionId | string | For private resource types, the type version to use in this resource operation. | |
| wait | boolean | Whether the action should wait until the requested resource is created. | |
| maxWaitTime | number | If this action is configured to wait this is the maximum time in seconds it will wait before failing. |
Output Schema
| Property | Type | Description | Required |
|---|---|---|---|
| identifier | string | The primary identifier for the resource (only available if wait is enabled). |
Usage Examples
Create a secure S3 bucket with versioning and KMS encryption
Creates an S3 bucket with public access blocked, versioning enabled, and KMS encryption. Use this when provisioning an application bucket in a specific account and region as part of a template workflow after a fetch:template step.
steps:
- id: fetch-template
action: fetch:template
input:
url: ./skeleton
targetPath: ./workspace
- id: create-s3-bucket
action: aws:cloudcontrol:create
input:
region: ${{ parameters.awsRegion }}
accountId: ${{ parameters.awsAccountId }}
typeName: AWS::S3::Bucket
desiredState: |
{
"BucketName": "acme-${{ parameters.serviceName }}-${{ parameters.env }}",
"VersioningConfiguration": { "Status": "Enabled" },
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": true
},
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms",
"KMSMasterKeyID": "arn:aws:kms:${{ parameters.awsRegion }}:${{ parameters.awsAccountId }}:key/abcd1234-abcd-1234-abcd-1234abcd5678"
}
}
]
},
"Tags": [
{ "Key": "app", "Value": "${{ parameters.serviceName }}" },
{ "Key": "env", "Value": "${{ parameters.env }}" }
]
}
clientToken: "s3-${{ parameters.serviceName }}-${{ parameters.env }}-create"
wait: true
maxWaitTime: 900Create an IAM role for EKS with managed policies using a cross account execution role
Creates an IAM role with a trust policy for EKS and EC2 and attaches a managed policy. Use this to create roles in a target account by having Cloud Control assume an execution role in that account.
steps:
- id: create-iam-role
action: aws:cloudcontrol:create
input:
region: us-west-2
accountId: "222222222222"
roleArn: "arn:aws:iam::222222222222:role/BackstageCloudControlExecution"
typeName: AWS::IAM::Role
desiredState: |
{
"RoleName": "acme-${{ parameters.serviceName }}-node-role",
"Description": "Node role for ${ { parameters.serviceName } } on EKS",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": ["ec2.amazonaws.com", "eks.amazonaws.com"] },
"Action": "sts:AssumeRole"
}
]
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
],
"Tags": [
{ "Key": "app", "Value": "${{ parameters.serviceName }}" },
{ "Key": "env", "Value": "${{ parameters.env }}" }
],
"Path": "/acme/"
}
clientToken: "iam-${{ parameters.serviceName }}-${{ parameters.env }}-v1"
wait: true
maxWaitTime: 600Provision a DynamoDB table with on demand billing and log the identifier
Creates a DynamoDB table with a composite primary key and streams enabled and waits until creation is complete. Use a follow up debug:log step to record the resource identifier for later steps.
steps:
- id: create-dynamodb-table
action: aws:cloudcontrol:create
input:
region: ${{ parameters.awsRegion }}
typeName: AWS::DynamoDB::Table
desiredState: |
{
"TableName": "acme-${{ parameters.serviceName }}-${{ parameters.env }}",
"BillingMode": "PAY_PER_REQUEST",
"AttributeDefinitions": [
{ "AttributeName": "pk", "AttributeType": "S" },
{ "AttributeName": "sk", "AttributeType": "S" }
],
"KeySchema": [
{ "AttributeName": "pk", "KeyType": "HASH" },
{ "AttributeName": "sk", "KeyType": "RANGE" }
],
"StreamSpecification": { "StreamViewType": "NEW_AND_OLD_IMAGES" },
"Tags": [
{ "Key": "app", "Value": "${{ parameters.serviceName }}" },
{ "Key": "env", "Value": "${{ parameters.env }}" }
]
}
clientToken: "ddb-${{ parameters.serviceName }}-${{ parameters.env }}-init"
wait: true
maxWaitTime: 1200
- id: log-table-id
action: debug:log
input:
message: "Created DynamoDB table identifier: ${{ steps.create-dynamodb-table.output.identifier }}"Create an SNS FIFO topic without waiting for completion
Creates an SNS FIFO topic with content based deduplication and KMS encryption. Use this when you want the scaffolder to proceed without blocking on resource stabilization.
steps:
- id: create-sns-topic
action: aws:cloudcontrol:create
input:
region: us-east-2
accountId: ${{ parameters.awsAccountId }}
typeName: AWS::SNS::Topic
desiredState: |
{
"TopicName": "acme-${{ parameters.serviceName }}-${{ parameters.env }}.fifo",
"FifoTopic": true,
"ContentBasedDeduplication": true,
"KmsMasterKeyId": "alias/aws/sns",
"Tags": [
{ "Key": "app", "Value": "${{ parameters.serviceName }}" },
{ "Key": "env", "Value": "${{ parameters.env }}" }
]
}
clientToken: "sns-${{ parameters.serviceName }}-${{ parameters.env }}-fifo"
wait: falseCreate an ECR repository in a different account with KMS encryption
Creates an ECR repository with KMS encryption, immutable tags, and scan on push in a target account by assuming an execution role. Use this for centralized image repositories.
steps:
- id: create-ecr-repo
action: aws:cloudcontrol:create
input:
region: ${{ parameters.awsRegion }}
accountId: "333333333333"
roleArn: "arn:aws:iam::333333333333:role/BackstageCloudControlExecution"
typeName: AWS::ECR::Repository
desiredState: |
{
"RepositoryName": "acme/${{ parameters.serviceName }}",
"ImageTagMutability": "IMMUTABLE",
"ImageScanningConfiguration": { "ScanOnPush": true },
"EncryptionConfiguration": {
"EncryptionType": "KMS",
"KmsKey": "arn:aws:kms:${{ parameters.awsRegion }}:333333333333:key/11112222-3333-4444-5555-666677778888"
},
"Tags": [
{ "Key": "app", "Value": "${{ parameters.serviceName }}" },
{ "Key": "env", "Value": "${{ parameters.env }}" }
]
}
clientToken: "ecr-${{ parameters.serviceName }}-${{ parameters.env }}-create"
wait: true
maxWaitTime: 600