diff --git a/roles/cloudformation-write-role.yaml b/roles/cloudformation-write-role.yaml
index 1cf0eb4..ebee1cd 100644
--- a/roles/cloudformation-write-role.yaml
+++ b/roles/cloudformation-write-role.yaml
@@ -30,6 +30,7 @@ Resources:
 - ecr:GetRepositoryPolicy
 - ecr:DeleteRepositoryPolicy
 - ecr:PutImageScanningConfiguration
+ - ecr:SetRepositoryPolicy
 Resource:
 - !Sub arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*
 - PolicyName: RoleWrite
@@ -38,8 +39,11 @@ Resources:
 Statement:
 - Effect: Allow
 Action:
+ - iam:CreateRole
+ - iam:DeleteRole
 - iam:PutRolePolicy
 - iam:DeleteRolePolicy
+ - iam:PassRole
 Resource:
 - !Sub arn:aws:iam::${AWS::AccountId}:role/*
 - PolicyName: PolicyWrite
@@ -52,7 +56,46 @@ Resources:
 - iam:DeletePolicyVersion
 Resource:
 - !Sub arn:aws:iam::${AWS::AccountId}:policy/*
-
+ - PolicyName: SecretPolicies
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - secretsmanager:GetSecretValue
+ Resource:
+ - !Sub arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*
+ - PolicyName: S3Policies
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - s3:PutBucketNotification
+ Resource:
+ - arn:aws:s3:::*
+ - PolicyName: CodePipelinePolicies
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - codepipeline:UpdatePipeline
+ Resource:
+ - !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*"
+ - !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*/*"
+ - PolicyName: EventPolicies
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - events:PutRule
+ - events:DeleteRule
+ - events:PutTargets
+ - events:RemoveTargets
+ Resource:
+ - !Sub "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/*"
 ManagedPolicyArns:
 - arn:aws:iam::aws:policy/ReadOnlyAccess
 - !Sub arn:aws:iam::${AWS::AccountId}:policy/CloudFormationWrite
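Review bot: `ecr:SetRepositoryPolicy` on `repository/*` lets this role attach a resource policy to any repository in the account, including one that grants pull or push to other principals, so the grant is wider than "manage the repositories these stacks create". If the stacks only own repositories with a known name prefix, narrow the Resource to it, `- !Sub arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/<stack-repo-prefix>*` (prefix is a placeholder), or record in a YAML comment next to the statement why the account-wide glob is required. The `Effect`/`Action` header of this statement starts outside the hunk.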
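Review bot: Adding `iam:CreateRole` and `iam:PassRole` on `role/*` next to the existing `iam:PutRolePolicy` lets this role create a role with any trust policy and any inline policy and hand it to a service, which AWS documents as equivalent to administrative access, so the RoleWrite policy needs guardrails rather than a bare Allow. Require a permissions boundary on `CreateRole`/`PutRolePolicy` with the `iam:PermissionsBoundary` condition key and limit `PassRole` to the services the stacks actually deploy with `iam:PassedToService`; a role-name prefix on `Resource` would tighten it further. The statements below replace the single Allow statement in the hunk; the boundary policy name and service list are placeholders to fill in. The enclosing PolicyDocument (`Version` line) starts outside the hunk.
```yaml
Statement:
- Effect: Allow
  Action:
  - iam:CreateRole
  - iam:PutRolePolicy
  Resource:
  - !Sub arn:aws:iam::${AWS::AccountId}:role/*
  Condition:
    StringEquals:
      iam:PermissionsBoundary: !Sub arn:aws:iam::${AWS::AccountId}:policy/<BOUNDARY_POLICY_NAME>  # placeholder
- Effect: Allow
  Action:
  - iam:DeleteRole
  - iam:DeleteRolePolicy
  Resource:
  - !Sub arn:aws:iam::${AWS::AccountId}:role/*
- Effect: Allow
  Action:
  - iam:PassRole
  Resource:
  - !Sub arn:aws:iam::${AWS::AccountId}:role/*
  Condition:
    StringEquals:
      iam:PassedToService:
      - <service>.amazonaws.com  # placeholder: list only the services the stacks pass roles to
```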
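Review bot: `secretsmanager:GetSecretValue` on `secret:*` and `s3:PutBucketNotification` on `arn:aws:s3:::*` give this role read access to every secret value in the region and write access to the notification configuration of every bucket in the account, which is broader than a stack-deployment role usually needs. Narrow both to the names the stacks in this repository create, e.g. `- !Sub arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:<stack-secret-prefix>*` and `- arn:aws:s3:::<stack-bucket-prefix>*` (prefixes are placeholders). If a wildcard is unavoidable because stack names are not fixed, the reason belongs in a YAML comment beside the statement. The `events:PutTargets` grant is scoped reasonably, but note it is exercised together with the `iam:PassRole` added in the RoleWrite hunk, so the two should be reviewed as one capability.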