feat: Expand CloudFormation and ELB permissions for infrastructure management

- Add CloudFormation resource scanning permissions (DescribeResourceScan, ListResourceScans, StartResourceScan) - Add CloudFormation template generation permissions (CreateGeneratedTemplate, UpdateGeneratedTemplate) - Add S3 bucket encryption and public access block configuration permissions - Expand ELB target group management (create, delete, tag, remove tags) - Add ELB listener and rule management permissions (create, delete, modify) - Update commit message generator skill documentation with format guidelines
2026-01-10 19:46:55 +09:00 · 2026-01-10 19:46:55 +09:00 · b565fb3c4b
commit b565fb3c4b
parent 093489830d
4 changed files with 72 additions and 0 deletions
--- a/.github/skills/commit-message-generator/SKILL.md
+++ b/.github/skills/commit-message-generator/SKILL.md
@ -6,6 +6,7 @@ description: Generate appropriate commit messages based on Git diffs
 ## Prerequisites
 - This Skill retrieves Git diffs and suggests meaningful commit messages
 - Message format should follow Conventional Commits
+- Commit messages should have a one-line Conventional Commits header, an optional blank second line, and from the third line onward include a bulleted list summarizing the changes
 - Commit messages should be in English
 - **Never perform Git commit or Git push**

--- a/policies/cloudformation-write-policy.yaml
+++ b/policies/cloudformation-write-policy.yaml
@ -29,6 +29,29 @@ Resources:
              - cloudformation:ImportStacksToStackSet
              - cloudformation:ContinueUpdateRollback
            Resource: "*"
+          - Sid: ResourceScanningOperations
+            Effect: Allow
+            Action:
+              - cloudformation:DescribeResourceScan
+              - cloudformation:GetResource
+              - cloudformation:ListResources
+              - cloudformation:ListResourceScanRelatedResources
+              - cloudformation:ListResourceScanResources
+              - cloudformation:ListResourceScans
+              - cloudformation:ListTypes
+              - cloudformation:StartResourceScan
+            Resource: "*"
+          - Sid: TemplateGeneration
+            Effect: Allow
+            Action:
+              - cloudformation:CreateGeneratedTemplate
+              - cloudformation:DeleteGeneratedTemplate
+              - cloudformation:DescribeGeneratedTemplate
+              - cloudformation:GetResource
+              - cloudformation:GetGeneratedTemplate
+              - cloudformation:ListGeneratedTemplates
+              - cloudformation:UpdateGeneratedTemplate
+            Resource: "*"

          - Effect: Allow
            Action:
--- a/roles/cloudformation-write-role.yaml
+++ b/roles/cloudformation-write-role.yaml
@ -87,6 +87,8 @@ Resources:
                  - s3:UntagResource
                  - s3:PutBucketNotification
                  - s3:PutBucketVersioning
+                  - s3:PutEncryptionConfiguration
+                  - s3:PutBucketPublicAccessBlock
                Resource:
                  - arn:aws:s3:::*
        - PolicyName: CodePipelinePolicies
@ -134,8 +136,30 @@ Resources:
              - Effect: Allow
                Action:
                  - elasticloadbalancing:ModifyTargetGroup
+                  - elasticloadbalancing:CreateTargetGroup
+                  - elasticloadbalancing:DeleteTargetGroup
+                  - elasticloadbalancing:AddTags
+                  - elasticloadbalancing:RemoveTags
                Resource:
                  - !Sub "arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:targetgroup/*"
+        - PolicyName: EbLoadbalancerPolicies
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - elasticloadbalancing:CreateRule
+                  - elasticloadbalancing:DeleteRule
+                  - elasticloadbalancing:ModifyRule
+                  - elasticloadbalancing:CreateListener
+                  - elasticloadbalancing:DeleteListener
+                  - elasticloadbalancing:AddTags
+                  - elasticloadbalancing:RemoveTags
+                  - elasticloadbalancing:ModifyListenerAttributes
+                Resource:
+                  - !Sub "arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:loadbalancer/*"
+                  - !Sub "arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:listener/*"
+                  - !Sub "arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:listener-rule/*"
        - PolicyName: EcsTaskPolicies
          PolicyDocument:
            Version: "2012-10-17"
--- a/roles/ecs-role.yaml
+++ b/roles/ecs-role.yaml
@ -0,0 +1,24 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: IAM Role allowing ECS service to assume the role (trust policy).
+Resources:
+  ECSForInfrastructureManagementRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: AllowAccessToECSForInfrastructureManagement
+            Effect: Allow
+            Principal:
+              Service: ecs.amazonaws.com
+            Action: sts:AssumeRole
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/AmazonECSInfrastructureRolePolicyForLoadBalancers
+
+
+Outputs:
+  ECSForInfrastructureManagementRoleArn:
+    Description: ARN of the ECS role
+    Value: !GetAtt ECSForInfrastructureManagementRole.Arn
+    Export:
+      Name: ECSForInfrastructureManagementRoleArn