Add CloudFormation write IAM role, managed policy, and repository README

2025-12-31 19:52:14 +09:00 · 2025-12-31 19:52:14 +09:00 · ef8bceff67
commit ef8bceff67
3 changed files with 111 additions and 0 deletions
--- a/policies/cloudformation-write-policy.yaml
+++ b/policies/cloudformation-write-policy.yaml
@ -0,0 +1,42 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: CloudFormation Write-Only Managed Policy for Deployment Operations
+
+Resources:
+  CloudFormationWritePolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: CloudFormationWrite
+      Description: Minimal CloudFormation write permissions for deployment operations. Intended for use via AssumeRole, not attached to Permission Sets.
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Action:
+              - cloudformation:CreateStack
+              - cloudformation:UpdateStack
+              - cloudformation:DeleteStack
+              - cloudformation:CreateUploadBucket
+              - cloudformation:CreateChangeSet
+              - cloudformation:ExecuteChangeSet
+              - cloudformation:DescribeStacks
+              - cloudformation:DescribeStackEvents
+              - cloudformation:DescribeChangeSet
+              - cloudformation:ListStacks
+              - cloudformation:ListChangeSets
+              - cloudformation:DetectStackDrift
+              - cloudformation:DetectStackResourceDrift
+              - cloudformation:DescribeStackDriftDetectionStatus
+              - cloudformation:ImportStacksToStackSet
+              - cloudformation:ContinueUpdateRollback
+            Resource: "*"
+
+          - Effect: Allow
+            Action:
+              - tag:TagResources
+              - tag:UntagResources
+            Resource: "*"
+
+          - Effect: Allow
+            Action:
+              - s3:PutObject
+            Resource: "*"