Optional Readonly blueprint
Externally-defined IAM roles used for blueprint provisioning in the associated account. A base blueprint provisioning policy is attached to these roles; any blueprint-specific permissions must be attached to the role directly. Roles must be referenced by name or ARN; SSM parameter references are not supported for this property.
Use cases: Custom blueprint provisioning roles; Cross-account environment deployment
AWS: IAM roles for DataZone blueprint provisioning in associated accounts
Validation: Optional; array of valid MdaaRoleRef
Optional Readonly cdk
ARN of the CDK deployment role used for cross-account infrastructure provisioning in the associated account.
Use cases: Cross-account CDK deployments; Automated infrastructure provisioning
AWS: IAM role for CDK cross-account deployment
Validation: Optional; valid IAM role ARN with CDK deployment permissions
Optional Readonly create
When true, creates a DataZone domain user for CDK-based deployments in the associated account.
Use cases: Automated CDK deployments within DataZone; Programmatic project management
AWS: DataZone user profile for CDK automation
Validation: Optional; boolean
Optional Readonly enabled
Custom blueprints to enable in the associated account, with optional parameter values and domain unit authorization.
Use cases: Custom blueprint deployment in associated accounts
AWS: DataZone custom blueprint configurations
Validation: Optional; map of blueprint name to EnabledBlueprintProps
Optional Readonly enabled
Additional managed blueprints to enable in the associated account, with optional parameter values and domain unit authorization.
Use cases: LakehouseCatalog, CustomAwsService, or other managed blueprints in associated accounts
AWS: DataZone managed blueprint configurations
Validation: Optional; map of blueprint name to EnabledBlueprintProps
Optional Readonly glue
ARN of the KMS key used for Glue Data Catalog encryption in the associated account. If omitted, the key ARN is looked up from a standard SSM parameter that is created by the Glue Catalog Settings module and RAM-shared to associated accounts. Whichever key is used, its key policy must allow use from the associated account, since KMS does not grant cross-account access through IAM policies alone.
Use cases: Cross-account catalog encryption; Customer-managed key for associated account Glue catalog
AWS: KMS key for Glue Data Catalog encryption in the associated account
Validation: Optional; valid KMS key ARN; key must be accessible from the associated account
Optional Readonly lakeformation
ARN of the IAM role used for Lake Formation access management in the associated account. This should be a Lake Formation administrator role, typically the one created by the LF Settings module. If omitted, the role ARN is looked up from the standard LF Settings SSM parameter.
Use cases: Cross-account Lake Formation governance; Fine-grained data permissions in associated accounts
AWS: IAM role for Lake Formation permission management in the associated account
Validation: Optional; valid IAM role ARN with Lake Formation admin permissions
Optional Readonly region
AWS region for the associated account's resources. Defaults to the deploying stack's region if omitted.
Use cases: Multi-region domain association; Regional resource targeting
AWS: Target region for cross-account DataZone resources
Validation: Optional; valid AWS region identifier
Readonly tooling
Required Tooling blueprint configuration for the associated account, including the VPC and subnet settings used for SageMaker environment provisioning.
Use cases: Associated account Tooling blueprint setup; VPC-based environment provisioning
AWS: SageMaker Tooling blueprint with VPC configuration
Validation: Required; valid ToolingBlueprintProps
Readonly account
AWS account ID of the associated account. The same account must also be configured as an additional_account on the MDAA module in mdaa.yaml.
Use cases: Cross-account domain association; Multi-account data governance
AWS: DataZone cross-account association target
Validation: Required; valid 12-digit AWS account ID
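As an added example (not code from the MDAA project), the following stand-alone TypeScript validator applies the validation rules listed for these properties to a plain config object, so a CI step can reject a bad associated-account definition before a CDK synth is attempted: 12-digit account ID, role references by name or ARN only (no SSM references), IAM role and KMS key ARN syntax, region identifier syntax, and a mandatory tooling block. The field names (accountId, blueprintRoles, cdkRoleArn, glueKmsKeyArn, lakeformationRoleArn, tooling), the RoleRef shape, and the check that the cdk and lakeformation role ARNs carry the associated account's ID are assumptions made for this example; the two sample configs are constructed.

```typescript
// Added example, not MDAA project code. It applies the validation rules from the
// property reference above to a plain config object. The field names on
// AssociatedAccountConfig are hypothetical placeholders for this example only;
// use the construct's own property names when writing real configuration.

// Hypothetical stand-in for MdaaRoleRef: a role is referenced by name or ARN.
// The `ssm` member exists only so the validator can reject SSM-based references,
// which the blueprint role property does not accept.
interface RoleRef {
  name?: string;
  arn?: string;
  ssm?: string;
}

interface AssociatedAccountConfig {
  accountId: string;              // required: 12-digit AWS account ID
  region?: string;                // optional: defaults to the deploying stack's region
  blueprintRoles?: RoleRef[];     // optional: externally-defined blueprint provisioning roles
  cdkRoleArn?: string;            // optional: CDK deployment role in the associated account
  glueKmsKeyArn?: string;         // optional: Glue catalog KMS key ARN
  lakeformationRoleArn?: string;  // optional: LF admin role in the associated account
  tooling?: unknown;              // required: Tooling blueprint props (shape not modelled here)
}

const ACCOUNT_ID = /^\d{12}$/;
// Syntactic check only (e.g. us-east-1, eu-west-2, us-gov-west-1); not a region allowlist.
const REGION = /^[a-z]{2}(-gov)?-[a-z]+-\d$/;
// Group 1: partition suffix (e.g. -cn, -us-gov); group 2: the account ID inside the ARN.
const ROLE_ARN = /^arn:aws(-[a-z-]+)?:iam::(\d{12}):role\/[\w+=,.@\/-]+$/;
const KMS_KEY_ARN = /^arn:aws(-[a-z-]+)?:kms:[a-z0-9-]+:\d{12}:key\/[0-9a-f-]{36}$/;

// The cdk and lakeformation roles are described as living "in the associated account",
// so this example (as an assumption) also requires the ARN's account to match accountId.
function checkRoleArn(errors: string[], field: string, arn: string | undefined, accountId: string): void {
  if (arn === undefined) return;
  const m = ROLE_ARN.exec(arn);
  if (!m) {
    errors.push(`${field}: '${arn}' is not an IAM role ARN`);
    return;
  }
  if (m[2] !== accountId) {
    errors.push(`${field}: role is in account ${m[2]}, expected the associated account ${accountId}`);
  }
}

// Returns a list of human-readable errors; an empty list means the config passed.
function validateAssociatedAccount(cfg: AssociatedAccountConfig): string[] {
  const errors: string[] = [];

  if (!ACCOUNT_ID.test(cfg.accountId)) {
    errors.push(`accountId: expected a 12-digit AWS account ID, got '${cfg.accountId}'`);
  }
  if (cfg.region !== undefined && !REGION.test(cfg.region)) {
    errors.push(`region: '${cfg.region}' is not a valid AWS region identifier`);
  }
  if (cfg.tooling === undefined) {
    errors.push("tooling: required (Tooling blueprint configuration is mandatory)");
  }

  const roles = cfg.blueprintRoles || [];
  for (let i = 0; i < roles.length; i++) {
    const ref = roles[i];
    if (ref.ssm !== undefined) {
      errors.push(`blueprintRoles[${i}]: SSM references are not accepted; use name or arn`);
    } else if (ref.name === undefined && ref.arn === undefined) {
      errors.push(`blueprintRoles[${i}]: must reference a role by name or arn`);
    } else if (ref.arn !== undefined && !ROLE_ARN.test(ref.arn)) {
      errors.push(`blueprintRoles[${i}]: '${ref.arn}' is not an IAM role ARN`);
    }
  }

  checkRoleArn(errors, "cdkRoleArn", cfg.cdkRoleArn, cfg.accountId);
  if (cfg.glueKmsKeyArn !== undefined && !KMS_KEY_ARN.test(cfg.glueKmsKeyArn)) {
    errors.push(`glueKmsKeyArn: '${cfg.glueKmsKeyArn}' is not a KMS key ARN (an alias name is not an ARN)`);
  }
  checkRoleArn(errors, "lakeformationRoleArn", cfg.lakeformationRoleArn, cfg.accountId);

  return errors;
}

// Constructed sample inputs (not real accounts or resources).
const goodConfig: AssociatedAccountConfig = {
  accountId: "123456789012",
  region: "us-east-1",
  blueprintRoles: [
    { name: "custom-blueprint-provisioning" },
    { arn: "arn:aws:iam::123456789012:role/mdaa-blueprint-provisioning" },
  ],
  cdkRoleArn: "arn:aws:iam::123456789012:role/cdk-deploy",
  glueKmsKeyArn: "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012",
  lakeformationRoleArn: "arn:aws:iam::123456789012:role/lf-admin",
  tooling: { vpcId: "vpc-0123456789abcdef0" },
};

const badConfig: AssociatedAccountConfig = {
  accountId: "12345",                                        // not 12 digits
  region: "us-east",                                         // missing numeric suffix
  blueprintRoles: [{ ssm: "/mdaa/roles/blueprint" }, {}],    // SSM ref; empty ref
  cdkRoleArn: "arn:aws:iam::999999999999:role/cdk-deploy",   // role in a different account
  glueKmsKeyArn: "alias/glue-catalog",                       // alias, not a key ARN
  lakeformationRoleArn: "arn:aws:iam::123456789012:role/lf-admin", // does not match accountId
  // tooling omitted on purpose
};
```

Calling validateAssociatedAccount(goodConfig) returns an empty list; validateAssociatedAccount(badConfig) returns eight errors, one per defect noted in the comments. The regular expressions check syntax only: a well-formed ARN does not prove the role or key exists, that its trust or key policy admits the deploying principal, or that the account is also listed as an additional_account in mdaa.yaml, so this check complements rather than replaces the checks the module itself performs at deploy time.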