Daisuke
b565fb3c4b
- Add CloudFormation resource scanning permissions (DescribeResourceScan, ListResourceScans, StartResourceScan) - Add CloudFormation template generation permissions (CreateGeneratedTemplate, UpdateGeneratedTemplate) - Add S3 bucket encryption and public access block configuration permissions - Expand ELB target group management (create, delete, tag, remove tags) - Add ELB listener and rule management permissions (create, delete, modify) - Update commit message generator skill documentation with format guidelines
231 lines
8.9 KiB
YAML
231 lines
8.9 KiB
YAML
AWSTemplateFormatVersion: '2010-09-09'
|
|
Description: IAM Role for CloudFormation Write operations via AssumeRole
|
|
|
|
Resources:
|
|
CloudFormationWriteRole:
|
|
Type: AWS::IAM::Role
|
|
Properties:
|
|
RoleName: CloudFormationWriteRole
|
|
Description: Role for performing CloudFormation write operations. Intended to be assumed manually or by CI/CD, not attached to Permission Sets.
|
|
AssumeRolePolicyDocument:
|
|
Version: '2012-10-17'
|
|
Statement:
|
|
- Effect: Allow
|
|
Principal:
|
|
AWS: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-reserved/sso.amazonaws.com/${AWS::Region}/AWSReservedSSO_AdministratorWebHosting_42269022c2fff771
|
|
Action: sts:AssumeRole
|
|
Policies:
|
|
- PolicyName: ECRImport
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- ecr:DescribeRepositories
|
|
- ecr:GetRepositoryPolicy
|
|
- ecr:DeleteRepositoryPolicy
|
|
- ecr:PutImageScanningConfiguration
|
|
- ecr:SetRepositoryPolicy
|
|
- ecr:PutLifecyclePolicy
|
|
- ecr:DeleteLifecyclePolicy
|
|
Resource:
|
|
- !Sub arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*
|
|
- PolicyName: RoleWrite
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- iam:CreateRole
|
|
- iam:DeleteRole
|
|
- iam:UpdateRole
|
|
- iam:PutRolePolicy
|
|
- iam:DeleteRolePolicy
|
|
- iam:AttachRolePolicy
|
|
- iam:UpdateAssumeRolePolicy
|
|
- iam:PassRole
|
|
Resource:
|
|
- !Sub arn:aws:iam::${AWS::AccountId}:role/*
|
|
- PolicyName: PolicyWrite
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- iam:CreatePolicy
|
|
- iam:CreatePolicyVersion
|
|
- iam:DeletePolicyVersion
|
|
Resource:
|
|
- !Sub arn:aws:iam::${AWS::AccountId}:policy/*
|
|
- PolicyName: UserPolicy
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- iam:DeleteAccessKey
|
|
Resource:
|
|
- !Sub arn:aws:iam::${AWS::AccountId}:user/*
|
|
- PolicyName: SecretPolicies
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- secretsmanager:GetSecretValue
|
|
Resource:
|
|
- !Sub arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*
|
|
- PolicyName: S3Policies
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- s3:CreateBucket
|
|
- s3:DeleteBucket
|
|
- s3:TagResource
|
|
- s3:UntagResource
|
|
- s3:PutBucketNotification
|
|
- s3:PutBucketVersioning
|
|
- s3:PutEncryptionConfiguration
|
|
- s3:PutBucketPublicAccessBlock
|
|
Resource:
|
|
- arn:aws:s3:::*
|
|
- PolicyName: CodePipelinePolicies
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- codepipeline:CreatePipeline
|
|
- codepipeline:UpdatePipeline
|
|
- codepipeline:DeletePipeline
|
|
Resource:
|
|
- !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*"
|
|
- !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*/*"
|
|
- PolicyName: CodeBuildPolicy
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- codebuild:CreateProject
|
|
- codebuild:UpdateProject
|
|
- codebuild:DeleteProject
|
|
Resource:
|
|
- !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:*"
|
|
- !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:*/*"
|
|
- PolicyName: EventPolicies
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- events:PutRule
|
|
- events:DeleteRule
|
|
- events:PutTargets
|
|
- events:RemoveTargets
|
|
- events:TagResource
|
|
- events:UntagResource
|
|
Resource:
|
|
- !Sub "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/*"
|
|
- PolicyName: EbPolicies
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- elasticloadbalancing:ModifyTargetGroup
|
|
- elasticloadbalancing:CreateTargetGroup
|
|
- elasticloadbalancing:DeleteTargetGroup
|
|
- elasticloadbalancing:AddTags
|
|
- elasticloadbalancing:RemoveTags
|
|
Resource:
|
|
- !Sub "arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:targetgroup/*"
|
|
- PolicyName: EbLoadbalancerPolicies
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- elasticloadbalancing:CreateRule
|
|
- elasticloadbalancing:DeleteRule
|
|
- elasticloadbalancing:ModifyRule
|
|
- elasticloadbalancing:CreateListener
|
|
- elasticloadbalancing:DeleteListener
|
|
- elasticloadbalancing:AddTags
|
|
- elasticloadbalancing:RemoveTags
|
|
- elasticloadbalancing:ModifyListenerAttributes
|
|
Resource:
|
|
- !Sub "arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:loadbalancer/*"
|
|
- !Sub "arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:listener/*"
|
|
- !Sub "arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:listener-rule/*"
|
|
- PolicyName: EcsTaskPolicies
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- ecs:RegisterTaskDefinition
|
|
- ecs:DeregisterTaskDefinition
|
|
- ecs:TagResource
|
|
Resource:
|
|
- !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/*"
|
|
- PolicyName: EcsServicePolicies
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- ecs:CreateService
|
|
- ecs:UpdateService
|
|
- ecs:DeleteService
|
|
- ecs:TagResource
|
|
Resource:
|
|
- !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:service/*"
|
|
- PolicyName: EcsClusterPolicies
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- ecs:CreateCluster
|
|
- ecs:UpdateCluster
|
|
- ecs:DeleteCluster
|
|
- ecs:TagResource
|
|
Resource:
|
|
- !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/*"
|
|
- PolicyName: LambdaPolicy
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- lambda:CreateFunction
|
|
- lambda:DeleteFunction
|
|
- lambda:UpdateFunctionCode
|
|
- lambda:PublishVersion
|
|
- lambda:CreateAlias
|
|
- lambda:UpdateAlias
|
|
- lambda:DeleteAlias
|
|
- lambda:TagResource
|
|
- lambda:UntagResource
|
|
- lambda:AddPermission
|
|
- lambda:RemovePermission
|
|
Resource:
|
|
- !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*"
|
|
- PolicyName: ApiGatewayPolicy
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- apigateway:PUT
|
|
- apigateway:PATCH
|
|
- apigateway:POST
|
|
- apigateway:DELETE
|
|
Resource:
|
|
- !Sub "arn:aws:apigateway:${AWS::Region}::/restapis/*"
|
|
ManagedPolicyArns:
|
|
- arn:aws:iam::aws:policy/ReadOnlyAccess
|
|
- !Sub arn:aws:iam::${AWS::AccountId}:policy/CloudFormationWrite
|