feat(iam): extend CloudFormation write role permissions for pipeline and events

- allow setting ECR repository policies - add IAM role lifecycle and PassRole permissions - grant Secrets Manager read access - enable S3 bucket notification updates - allow CodePipeline updates - allow EventBridge rule and target management
2026-01-01 11:16:58 +09:00 · 2026-01-01 11:16:58 +09:00 · c4cc90881e
commit c4cc90881e
parent ef8bceff67
1 changed files with 44 additions and 1 deletions
--- a/roles/cloudformation-write-role.yaml
+++ b/roles/cloudformation-write-role.yaml
@ -30,6 +30,7 @@ Resources:
                  - ecr:GetRepositoryPolicy
                  - ecr:DeleteRepositoryPolicy
                  - ecr:PutImageScanningConfiguration
+                  - ecr:SetRepositoryPolicy
                Resource:
                  - !Sub arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*
        - PolicyName: RoleWrite
@ -38,8 +39,11 @@ Resources:
            Statement:
              - Effect: Allow
                Action:
+                  - iam:CreateRole
+                  - iam:DeleteRole
                  - iam:PutRolePolicy
                  - iam:DeleteRolePolicy
+                  - iam:PassRole
                Resource:
                  - !Sub arn:aws:iam::${AWS::AccountId}:role/*
        - PolicyName: PolicyWrite
@ -52,7 +56,46 @@ Resources:
                  - iam:DeletePolicyVersion
                Resource:
                  - !Sub arn:aws:iam::${AWS::AccountId}:policy/*
-
+        - PolicyName: SecretPolicies
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - secretsmanager:GetSecretValue
+                Resource:
+                  - !Sub arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*
+        - PolicyName: S3Policies
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - s3:PutBucketNotification
+                Resource:
+                  - arn:aws:s3:::*
+        - PolicyName: CodePipelinePolicies
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - codepipeline:UpdatePipeline
+                Resource:
+                  - !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*"
+                  - !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*/*"
+        - PolicyName: EventPolicies
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - events:PutRule
+                  - events:DeleteRule
+                  - events:PutTargets
+                  - events:RemoveTargets
+                Resource:
+                  - !Sub "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/*"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
        - !Sub arn:aws:iam::${AWS::AccountId}:policy/CloudFormationWrite