Creates the specified resource.

Input Schema

| Property | Type | Description | Required |
|---|---|---|---|
| accountId | string | The AWS account ID in which to create the resource. | |
| region | string | The AWS region in which to create the resource. | |
| typeName | string | The name of the resource type. | |
| desiredState | string | Structured data format representing the desired state of the resource, consisting of that resource's properties and their desired values. | |
| clientToken | string | A unique identifier to ensure the idempotency of the resource request. | |
| roleArn | string | IAM role for Cloud Control API to use when performing this resource operation. | |
| typeVersionId | string | For private resource types, the type version to use in this resource operation. | |
| wait | boolean | Whether the action should wait until the requested resource is created. | |
| maxWaitTime | number | If this action is configured to wait, this is the maximum time in seconds it will wait before failing. | |

Output Schema

| Property | Type | Description | Required |
|---|---|---|---|
| identifier | string | The primary identifier for the resource (only available if wait is enabled). | |

Usage Examples

Create a secure S3 bucket with versioning and KMS encryption
Creates an S3 bucket with public access blocked, versioning enabled, and KMS encryption. Use this when provisioning an application bucket in a specific account and region as part of a template workflow after a fetch:template step.
```yaml
steps:
  - id: fetch-template
    action: fetch:template
    input:
      url: ./skeleton
      targetPath: ./workspace
  - id: create-s3-bucket
    action: aws:cloudcontrol:create
    input:
      region: ${{ parameters.awsRegion }}
      accountId: ${{ parameters.awsAccountId }}
      typeName: AWS::S3::Bucket
      desiredState: |
        {
          "BucketName": "acme-${{ parameters.serviceName }}-${{ parameters.env }}",
          "VersioningConfiguration": { "Status": "Enabled" },
          "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": true,
            "BlockPublicPolicy": true,
            "IgnorePublicAcls": true,
            "RestrictPublicBuckets": true
          },
          "BucketEncryption": {
            "ServerSideEncryptionConfiguration": [
              {
                "ServerSideEncryptionByDefault": {
                  "SSEAlgorithm": "aws:kms",
                  "KMSMasterKeyID": "arn:aws:kms:${{ parameters.awsRegion }}:${{ parameters.awsAccountId }}:key/abcd1234-abcd-1234-abcd-1234abcd5678"
                }
              }
            ]
          },
          "Tags": [
            { "Key": "app", "Value": "${{ parameters.serviceName }}" },
            { "Key": "env", "Value": "${{ parameters.env }}" }
          ]
        }
      clientToken: "s3-${{ parameters.serviceName }}-${{ parameters.env }}-create"
      wait: true
      maxWaitTime: 900
```

Create an IAM role for EKS with managed policies using a cross account execution role
Creates an IAM role with a trust policy for EKS and EC2 and attaches a managed policy. Use this to create roles in a target account by having Cloud Control assume an execution role in that account.
```yaml
steps:
  - id: create-iam-role
    action: aws:cloudcontrol:create
    input:
      region: us-west-2
      accountId: "222222222222"
      roleArn: "arn:aws:iam::222222222222:role/BackstageCloudControlExecution"
      typeName: AWS::IAM::Role
      desiredState: |
        {
          "RoleName": "acme-${{ parameters.serviceName }}-node-role",
          "Description": "Node role for ${{ parameters.serviceName }} on EKS",
          "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Principal": { "Service": ["ec2.amazonaws.com", "eks.amazonaws.com"] },
                "Action": "sts:AssumeRole"
              }
            ]
          },
          "ManagedPolicyArns": [
            "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
          ],
          "Tags": [
            { "Key": "app", "Value": "${{ parameters.serviceName }}" },
            { "Key": "env", "Value": "${{ parameters.env }}" }
          ],
          "Path": "/acme/"
        }
      clientToken: "iam-${{ parameters.serviceName }}-${{ parameters.env }}-v1"
      wait: true
      maxWaitTime: 600
```

Provision a DynamoDB table with on demand billing and log the identifier
Creates a DynamoDB table with a composite primary key and streams enabled and waits until creation is complete. Use a follow up debug:log step to record the resource identifier for later steps.
```yaml
steps:
  - id: create-dynamodb-table
    action: aws:cloudcontrol:create
    input:
      region: ${{ parameters.awsRegion }}
      typeName: AWS::DynamoDB::Table
      desiredState: |
        {
          "TableName": "acme-${{ parameters.serviceName }}-${{ parameters.env }}",
          "BillingMode": "PAY_PER_REQUEST",
          "AttributeDefinitions": [
            { "AttributeName": "pk", "AttributeType": "S" },
            { "AttributeName": "sk", "AttributeType": "S" }
          ],
          "KeySchema": [
            { "AttributeName": "pk", "KeyType": "HASH" },
            { "AttributeName": "sk", "KeyType": "RANGE" }
          ],
          "StreamSpecification": { "StreamViewType": "NEW_AND_OLD_IMAGES" },
          "Tags": [
            { "Key": "app", "Value": "${{ parameters.serviceName }}" },
            { "Key": "env", "Value": "${{ parameters.env }}" }
          ]
        }
      clientToken: "ddb-${{ parameters.serviceName }}-${{ parameters.env }}-init"
      wait: true
      maxWaitTime: 1200
  - id: log-table-id
    action: debug:log
    input:
      message: "Created DynamoDB table identifier: ${{ steps.create-dynamodb-table.output.identifier }}"
```

Create an SNS FIFO topic without waiting for completion
Creates an SNS FIFO topic with content based deduplication and KMS encryption. Use this when you want the scaffolder to proceed without blocking on resource stabilization.
```yaml
steps:
  - id: create-sns-topic
    action: aws:cloudcontrol:create
    input:
      region: us-east-2
      accountId: ${{ parameters.awsAccountId }}
      typeName: AWS::SNS::Topic
      desiredState: |
        {
          "TopicName": "acme-${{ parameters.serviceName }}-${{ parameters.env }}.fifo",
          "FifoTopic": true,
          "ContentBasedDeduplication": true,
          "KmsMasterKeyId": "alias/aws/sns",
          "Tags": [
            { "Key": "app", "Value": "${{ parameters.serviceName }}" },
            { "Key": "env", "Value": "${{ parameters.env }}" }
          ]
        }
      clientToken: "sns-${{ parameters.serviceName }}-${{ parameters.env }}-fifo"
      wait: false
```

Create an ECR repository in a different account with KMS encryption
Creates an ECR repository with KMS encryption, immutable tags, and scan on push in a target account by assuming an execution role. Use this for centralized image repositories.
```yaml
steps:
  - id: create-ecr-repo
    action: aws:cloudcontrol:create
    input:
      region: ${{ parameters.awsRegion }}
      accountId: "333333333333"
      roleArn: "arn:aws:iam::333333333333:role/BackstageCloudControlExecution"
      typeName: AWS::ECR::Repository
      desiredState: |
        {
          "RepositoryName": "acme/${{ parameters.serviceName }}",
          "ImageTagMutability": "IMMUTABLE",
          "ImageScanningConfiguration": { "ScanOnPush": true },
          "EncryptionConfiguration": {
            "EncryptionType": "KMS",
            "KmsKey": "arn:aws:kms:${{ parameters.awsRegion }}:333333333333:key/11112222-3333-4444-5555-666677778888"
          },
          "Tags": [
            { "Key": "app", "Value": "${{ parameters.serviceName }}" },
            { "Key": "env", "Value": "${{ parameters.env }}" }
          ]
        }
      clientToken: "ecr-${{ parameters.serviceName }}-${{ parameters.env }}-create"
      wait: true
      maxWaitTime: 600
```
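
The hardening properties set in the S3, ECR and SNS examples above can be verified on the rendered `desiredState` before the create step runs, which matters because template parameters are interpolated into that JSON string. The following is an added example, not part of the action or its documentation; `lintDesiredState`, `RULES` and the baseline they encode are assumptions modelled on this page's examples.

```javascript
// Added example (not part of the action): baseline checks on a rendered desiredState.
// RULES and lintDesiredState are hypothetical names; the baseline mirrors this page's examples.
const get = (obj, path) => path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);

// Each rule: [property path, predicate, message used when the predicate fails].
const RULES = {
  'AWS::S3::Bucket': [
    ...['BlockPublicAcls', 'BlockPublicPolicy', 'IgnorePublicAcls', 'RestrictPublicBuckets'].map(
      (k) => [`PublicAccessBlockConfiguration.${k}`, (v) => v === true, 'must be true']),
    ['VersioningConfiguration.Status', (v) => v === 'Enabled', 'must be "Enabled"'],
    ['BucketEncryption.ServerSideEncryptionConfiguration',
      (v) => Array.isArray(v) && v.length > 0 &&
        v.every((r) => get(r, 'ServerSideEncryptionByDefault.SSEAlgorithm') === 'aws:kms'),
      'must default to aws:kms'],
  ],
  'AWS::ECR::Repository': [
    ['ImageTagMutability', (v) => v === 'IMMUTABLE', 'must be "IMMUTABLE"'],
    ['ImageScanningConfiguration.ScanOnPush', (v) => v === true, 'must be true'],
    ['EncryptionConfiguration.EncryptionType', (v) => v === 'KMS', 'must be "KMS"'],
  ],
  'AWS::SNS::Topic': [['KmsMasterKeyId', (v) => typeof v === 'string' && v.length > 0, 'must be set']],
};

// Returns a list of findings; an empty list means the state meets the baseline.
function lintDesiredState(typeName, renderedDesiredState) {
  let state;
  try {
    state = JSON.parse(renderedDesiredState);
  } catch (err) {
    return ['desiredState is not valid JSON after templating'];
  }
  if (state === null || typeof state !== 'object' || Array.isArray(state)) {
    return ['desiredState must be a JSON object'];
  }
  const rules = RULES[typeName];
  if (!rules) return [`no baseline defined for ${typeName}`];
  return rules.filter(([path, ok]) => !ok(get(state, path))).map(([path, , msg]) => `${path} ${msg}`);
}

// Constructed sample: an S3 state with one public-access flag off and no BucketEncryption.
const sample = JSON.stringify({
  BucketName: 'acme-demo-dev',
  VersioningConfiguration: { Status: 'Enabled' },
  PublicAccessBlockConfiguration: {
    BlockPublicAcls: true, BlockPublicPolicy: false, IgnorePublicAcls: true, RestrictPublicBuckets: true,
  },
});
console.log(lintDesiredState('AWS::S3::Bucket', sample));
```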