
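AWSTemplateFormatVersion: '2010-09-09'
Description: IAM Role for CloudFormation Write operations via AssumeRole

# Single resource: the role that carries the write-side permissions needed to
# deploy the CloudFormation stacks in this account. Read access is not
# granted inline; it comes from the AWS-managed ReadOnlyAccess policy listed
# under ManagedPolicyArns at the bottom.
Resources:
  CloudFormationWriteRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: CloudFormationWriteRole
      Description: Role for performing CloudFormation write operations. Intended to be assumed manually or by CI/CD, not attached to Permission Sets.
      # Trust policy: only the Identity Center (SSO) permission-set role named
      # below, in this same account, may call sts:AssumeRole on this role.
      # NOTE(review): aws-reserved SSO role paths carry the region of the
      # Identity Center instance, not necessarily the stack region; if the two
      # differ, ${AWS::Region} produces a principal ARN that does not exist and
      # stack creation fails — confirm against the real SSO role ARN.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-reserved/sso.amazonaws.com/${AWS::Region}/AWSReservedSSO_AdministratorWebHosting_42269022c2fff771'
            Action: sts:AssumeRole
      # Inline policies, one per service. Each is scoped to this account (and
      # to the stack region where the ARN format carries one) but uses "*" for
      # the resource name, so every statement applies to all resources of that
      # type in the account/region.
      Policies:
        # Repository-level ECR writes (policies, lifecycle, scan config); no
        # image push/pull is granted here.
        - PolicyName: ECRImport
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ecr:DescribeRepositories
                  - ecr:GetRepositoryPolicy
                  - ecr:DeleteRepositoryPolicy
                  - ecr:PutImageScanningConfiguration
                  - ecr:SetRepositoryPolicy
                  - ecr:PutLifecyclePolicy
                  - ecr:DeleteLifecyclePolicy
                Resource:
                  - !Sub 'arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*'
        # NOTE(review): CreateRole + PutRolePolicy/AttachRolePolicy + PassRole
        # on role/* with no Condition lets whoever assumes this role create a
        # role with arbitrary permissions and pass it to a service. If this is
        # ever used from CI/CD, consider requiring a permissions boundary
        # (Condition on iam:PermissionsBoundary for iam:CreateRole,
        # iam:PutRolePolicy and iam:AttachRolePolicy), restricting
        # iam:AttachRolePolicy with iam:PolicyARN, and restricting iam:PassRole
        # with iam:PassedToService. Note also that role/* includes this role
        # itself and the SSO role in the trust policy.
        - PolicyName: RoleWrite
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - iam:CreateRole
                  - iam:DeleteRole
                  - iam:UpdateRole
                  - iam:PutRolePolicy
                  - iam:DeleteRolePolicy
                  - iam:AttachRolePolicy
                  - iam:UpdateAssumeRolePolicy
                  - iam:PassRole
                Resource:
                  - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*'
        # Customer-managed policy lifecycle. CreatePolicyVersion on policy/*
        # can rewrite any customer-managed policy in the account, including
        # the CloudFormationWrite policy attached to this role below.
        - PolicyName: PolicyWrite
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - iam:CreatePolicy
                  - iam:CreatePolicyVersion
                  - iam:DeletePolicyVersion
                Resource:
                  - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/*'
        # The only IAM-user action granted: key deletion on any user.
        - PolicyName: UserPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - iam:DeleteAccessKey
                Resource:
                  - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
        # Reads the plaintext of every secret in this region. If the stacks
        # only need a known set of secrets, scope the Resource to their name
        # prefix instead of secret:*.
        - PolicyName: SecretPolicies
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - secretsmanager:GetSecretValue
                Resource:
                  - !Sub 'arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*'
        # Bucket-level actions only (no object access). S3 bucket ARNs carry
        # no account id, so DeleteBucket here applies to any bucket this
        # account owns, not just stack-created ones.
        - PolicyName: S3Policies
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:CreateBucket
                  - s3:DeleteBucket
                  - s3:TagResource
                  - s3:UntagResource
                  - s3:PutBucketNotification
                  - s3:PutBucketVersioning
                Resource:
                  - arn:aws:s3:::*
        - PolicyName: CodePipelinePolicies
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - codepipeline:CreatePipeline
                  - codepipeline:UpdatePipeline
                  - codepipeline:DeletePipeline
                Resource:
                  - !Sub 'arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*'
                  - !Sub 'arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*/*'
        - PolicyName: CodeBuildPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - codebuild:CreateProject
                  - codebuild:UpdateProject
                  - codebuild:DeleteProject
                Resource:
                  - !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:*'
                  - !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:*/*'
        - PolicyName: EventPolicies
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - events:PutRule
                  - events:DeleteRule
                  - events:PutTargets
                  - events:RemoveTargets
                  - events:TagResource
                  - events:UntagResource
                Resource:
                  - !Sub 'arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/*'
        - PolicyName: EbPolicies
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - elasticloadbalancing:ModifyTargetGroup
                Resource:
                  - !Sub 'arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:targetgroup/*'
        # ECS is split by resource type; ecs:TagResource is repeated in each
        # so every ECS statement stays self-contained.
        - PolicyName: EcsTaskPolicies
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ecs:RegisterTaskDefinition
                  - ecs:DeregisterTaskDefinition
                  - ecs:TagResource
                Resource:
                  - !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/*'
        - PolicyName: EcsServicePolicies
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ecs:CreateService
                  - ecs:UpdateService
                  - ecs:DeleteService
                  - ecs:TagResource
                Resource:
                  - !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:service/*'
        - PolicyName: EcsClusterPolicies
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ecs:CreateCluster
                  - ecs:UpdateCluster
                  - ecs:DeleteCluster
                  - ecs:TagResource
                Resource:
                  - !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/*'
        # Function lifecycle, versions/aliases and resource-policy edits
        # (AddPermission/RemovePermission) on every function in the region.
        - PolicyName: LambdaPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - lambda:CreateFunction
                  - lambda:DeleteFunction
                  - lambda:UpdateFunctionCode
                  - lambda:PublishVersion
                  - lambda:CreateAlias
                  - lambda:UpdateAlias
                  - lambda:DeleteAlias
                  - lambda:TagResource
                  - lambda:UntagResource
                  - lambda:AddPermission
                  - lambda:RemovePermission
                Resource:
                  - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*'
        # API Gateway ARNs have no account-id field, hence the empty "::".
        # GET is deliberately absent; reads come from ReadOnlyAccess.
        - PolicyName: ApiGatewayPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - apigateway:PUT
                  - apigateway:PATCH
                  - apigateway:POST
                  - apigateway:DELETE
                Resource:
                  - !Sub 'arn:aws:apigateway:${AWS::Region}::/restapis/*'
      # ReadOnlyAccess is the broad AWS-managed read policy (it includes
      # data-plane reads such as s3:GetObject, not only metadata).
      # CloudFormationWrite is a customer-managed policy that is NOT defined in
      # this template; it must already exist in the account or this stack
      # fails to create.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
        - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/CloudFormationWrite'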