Daisuke
c4cc90881e
- allow setting ECR repository policies - add IAM role lifecycle and PassRole permissions - grant Secrets Manager read access - enable S3 bucket notification updates - allow CodePipeline updates - allow EventBridge rule and target management
101 lines
3.6 KiB
YAML
101 lines
3.6 KiB
YAML
AWSTemplateFormatVersion: '2010-09-09'
|
|
Description: IAM Role for CloudFormation Write operations via AssumeRole
|
|
|
|
Parameters:
|
|
AdminPrincipalArns:
|
|
Type: List<String>
|
|
Description: List of IAM Identity Center Role ARNs allowed to assume this role.
|
|
|
|
Resources:
|
|
CloudFormationWriteRole:
|
|
Type: AWS::IAM::Role
|
|
Properties:
|
|
RoleName: CloudFormationWriteRole
|
|
Description: Role for performing CloudFormation write operations. Intended to be assumed manually or by CI/CD, not attached to Permission Sets.
|
|
AssumeRolePolicyDocument:
|
|
Version: '2012-10-17'
|
|
Statement:
|
|
- Effect: Allow
|
|
Principal:
|
|
AWS: !Ref AdminPrincipalArns
|
|
Action: sts:AssumeRole
|
|
Policies:
|
|
- PolicyName: ECRImport
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- ecr:DescribeRepositories
|
|
- ecr:GetRepositoryPolicy
|
|
- ecr:DeleteRepositoryPolicy
|
|
- ecr:PutImageScanningConfiguration
|
|
- ecr:SetRepositoryPolicy
|
|
Resource:
|
|
- !Sub arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*
|
|
- PolicyName: RoleWrite
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- iam:CreateRole
|
|
- iam:DeleteRole
|
|
- iam:PutRolePolicy
|
|
- iam:DeleteRolePolicy
|
|
- iam:PassRole
|
|
Resource:
|
|
- !Sub arn:aws:iam::${AWS::AccountId}:role/*
|
|
- PolicyName: PolicyWrite
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- iam:CreatePolicyVersion
|
|
- iam:DeletePolicyVersion
|
|
Resource:
|
|
- !Sub arn:aws:iam::${AWS::AccountId}:policy/*
|
|
- PolicyName: SecretPolicies
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- secretsmanager:GetSecretValue
|
|
Resource:
|
|
- !Sub arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*
|
|
- PolicyName: S3Policies
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- s3:PutBucketNotification
|
|
Resource:
|
|
- arn:aws:s3:::*
|
|
- PolicyName: CodePipelinePolicies
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- codepipeline:UpdatePipeline
|
|
Resource:
|
|
- !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*"
|
|
- !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*/*"
|
|
- PolicyName: EventPolicies
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- events:PutRule
|
|
- events:DeleteRule
|
|
- events:PutTargets
|
|
- events:RemoveTargets
|
|
Resource:
|
|
- !Sub "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/*"
|
|
ManagedPolicyArns:
|
|
- arn:aws:iam::aws:policy/ReadOnlyAccess
|
|
- !Sub arn:aws:iam::${AWS::AccountId}:policy/CloudFormationWrite
|