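AWSTemplateFormatVersion: '2010-09-09'
Description: IAM Role for CloudFormation Write operations via AssumeRole

Parameters:
  AdminPrincipalArns:
    # CommaDelimitedList is the CloudFormation type for a list of strings; a bare
    # "List" type is not a valid parameter type and fails template validation.
    # !Ref on a CommaDelimitedList yields a list, which Principal.AWS accepts.
    Type: CommaDelimitedList
    Description: List of IAM Identity Center Role ARNs allowed to assume this role.

Resources:
  # Deployment role with deliberately narrow write permissions on top of the
  # ReadOnlyAccess baseline. Everything it can mutate is listed inline below;
  # the CloudFormationWrite managed policy it also carries is defined outside
  # this template, so its contents are not reviewed here.
  CloudFormationWriteRole:
    Type: AWS::IAM::Role
    Properties:
      # Hard-coded name: the self-protection Deny statement below relies on
      # this ARN being predictable (GetAtt on the role itself would be circular).
      RoleName: CloudFormationWriteRole
      Description: Role for performing CloudFormation write operations. Intended to be assumed manually or by CI/CD, not attached to Permission Sets.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowAdminPrincipalsToAssume
            Effect: Allow
            Principal:
              AWS: !Ref AdminPrincipalArns
            Action: sts:AssumeRole
      Policies:
        # Guard against the role escalating its own privileges. The Allow
        # statements further down grant iam:AttachRolePolicy / iam:PutRolePolicy
        # on role/* and iam:CreatePolicyVersion on policy/*; without this Deny,
        # anyone who assumes the role can attach an administrative policy to
        # this role, or publish a new default version of the CloudFormationWrite
        # managed policy it carries. An explicit Deny overrides every Allow,
        # including those in the attached managed policies.
        # Caveat: if this template is itself deployed through this role, the
        # stack update of the role will be denied; deploy the role from a
        # separately privileged pipeline.
        - PolicyName: DenySelfPrivilegeEscalation
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: DenyModifyingThisRole
                Effect: Deny
                Action:
                  - iam:AttachRolePolicy
                  - iam:DetachRolePolicy
                  - iam:PutRolePolicy
                  - iam:DeleteRolePolicy
                  - iam:UpdateAssumeRolePolicy
                  - iam:PutRolePermissionsBoundary
                  - iam:DeleteRolePermissionsBoundary
                  - iam:DeleteRole
                Resource:
                  - !Sub "arn:aws:iam::${AWS::AccountId}:role/CloudFormationWriteRole"
              - Sid: DenyModifyingOwnManagedPolicy
                Effect: Deny
                Action:
                  - iam:CreatePolicyVersion
                  - iam:DeletePolicyVersion
                  - iam:SetDefaultPolicyVersion
                  - iam:DeletePolicy
                Resource:
                  - !Sub "arn:aws:iam::${AWS::AccountId}:policy/CloudFormationWrite"
        - PolicyName: ECRImport
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # SetRepositoryPolicy/DeleteRepositoryPolicy can open a repository
              # to other accounts; scoped to this account and region only.
              - Effect: Allow
                Action:
                  - ecr:DescribeRepositories
                  - ecr:GetRepositoryPolicy
                  - ecr:DeleteRepositoryPolicy
                  - ecr:PutImageScanningConfiguration
                  - ecr:SetRepositoryPolicy
                Resource:
                  - !Sub "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*"
        - PolicyName: RoleWrite
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # NOTE(review): iam:PassRole on role/* together with iam:CreateRole
              # and iam:PutRolePolicy still lets a caller mint a new role with
              # arbitrary permissions and hand it to a service (ECS, EventBridge,
              # CodePipeline, CloudFormation are all written to below). Consider
              # an iam:PassedToService condition naming only the services this
              # pipeline actually passes roles to — TODO confirm which before
              # adding it, an overly narrow list breaks deployments.
              - Effect: Allow
                Action:
                  - iam:CreateRole
                  - iam:DeleteRole
                  - iam:PutRolePolicy
                  - iam:DeleteRolePolicy
                  - iam:AttachRolePolicy
                  - iam:PassRole
                Resource:
                  - !Sub "arn:aws:iam::${AWS::AccountId}:role/*"
        - PolicyName: PolicyWrite
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - iam:CreatePolicy
                  - iam:CreatePolicyVersion
                  - iam:DeletePolicyVersion
                Resource:
                  - !Sub "arn:aws:iam::${AWS::AccountId}:policy/*"
        - PolicyName: SecretPolicies
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # NOTE(review): this grants plaintext read of every secret in the
              # account/region to a role described as a write-operations role.
              # If deployments only need a known subset, scope the Resource to a
              # name prefix or add a tag-based condition — TODO confirm usage.
              - Effect: Allow
                Action:
                  - secretsmanager:GetSecretValue
                Resource:
                  - !Sub "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*"
        - PolicyName: S3Policies
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # S3 bucket ARNs carry no account id, so this cannot be scoped by
              # account the way the other statements are.
              - Effect: Allow
                Action:
                  - s3:PutBucketNotification
                Resource:
                  - arn:aws:s3:::*
        - PolicyName: CodePipelinePolicies
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - codepipeline:UpdatePipeline
                Resource:
                  - !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*"
                  - !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*/*"
        - PolicyName: EventPolicies
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - events:PutRule
                  - events:DeleteRule
                  - events:PutTargets
                  - events:RemoveTargets
                Resource:
                  - !Sub "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/*"
        - PolicyName: EbPolicies
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - elasticloadbalancing:ModifyTargetGroup
                Resource:
                  - !Sub "arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:targetgroup/*"
        - PolicyName: EcsPolicies
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ecs:RegisterTaskDefinition
                  - ecs:DeregisterTaskDefinition
                  - ecs:TagResource
                Resource:
                  - !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/*"
      ManagedPolicyArns:
        # Read baseline for the whole account plus the externally managed
        # CloudFormationWrite policy (must exist before this stack is created).
        - arn:aws:iam::aws:policy/ReadOnlyAccess
        - !Sub "arn:aws:iam::${AWS::AccountId}:policy/CloudFormationWrite"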