feat: add stack refactoring permissions to the bootstrap stack (#471)

otaviomacedo · iliapolo · web-flow · commit 7adb867384a8 · 2025-05-13T17:41:09.000Z
Closes #139. --- By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license Co-authored-by: Eli Polonsky <Eli.polonsky@gmail.com>
diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
@@ -575,6 +575,17 @@ Resources:
                   - ssm:GetParameters # CreateChangeSet uses this to evaluate any SSM parameters (like `CdkBootstrapVersion`)
                 Resource:
                   - Fn::Sub: "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter${CdkBootstrapVersion}"
+              - Sid: Refactor
+                Effect: Allow
+                Action:
+                  # Permissions needed to use the CDK CLI with stack refactor
+                  - cloudformation:CreateStackRefactor
+                  - cloudformation:DescribeStackRefactor
+                  - cloudformation:ExecuteStackRefactor
+                  - cloudformation:ListStackRefactorActions
+                  - cloudformation:ListStackRefactors
+                  - cloudformation:ListStacks
+                Resource: "*"
             Version: '2012-10-17'
           PolicyName: default
       RoleName:
@@ -672,7 +683,7 @@ Resources:
       Type: String
       Name:
         Fn::Sub: '/cdk-bootstrap/${Qualifier}/version'
-      Value: '27'
+      Value: '28'
 Outputs:
   BucketName:
     Description: The name of the S3 bucket owned by the CDK toolkit stack
