Add patch of #526 to other important roles too

awslabs · Jul 24, 2023 · b6330a1 · b6330a1
1 parent 95a0731
commit b6330a1
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 13 deletions.
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
@@ -548,10 +548,13 @@ Resources:
         Statement:
           - Effect: Allow
             Sid: "AssumeRole"
+            Condition:
+              ArnEquals:
+                "aws:PrincipalArn":
+                  - !GetAtt PipelineManagementApplication.Outputs.CreateRepositoryLambdaRoleArn
+                  - !GetAtt PipelineManagementApplication.Outputs.CreateOrUpdateRuleLambdaRoleArn
             Principal:
-              AWS:
-                - !GetAtt PipelineManagementApplication.Outputs.CreateRepositoryLambdaRoleArn
-                - !GetAtt PipelineManagementApplication.Outputs.CreateOrUpdateRuleLambdaRoleArn
+              AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
             Action:
               - sts:AssumeRole
       Path: /

diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml
@@ -60,9 +60,13 @@ Resources:
 #       Statement:
 #         - Effect: Allow
 #           Sid: "AssumeRole"
+#           Condition:
+#             ArnEquals:
+#               'aws:PrincipalArn':
+#                 # This would allow all CodeBuild projects to be able to assume this role
+#                 - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
 #           Principal:
-#             AWS:
-#               - !Sub arn:aws:iam::${DeploymentAccountId}:role/adf-codebuild-role
+#             AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
 #           Action:
 #             - sts:AssumeRole
 #     Path: /
@@ -106,10 +110,11 @@ Resources:
 #           Condition:
 #             ArnEquals:
 #               'aws:PrincipalArn':
-#               # This would allow all codebuild projects to be able to assume this role
-#               #  - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
+#                 # This would allow all CodeBuild projects to be able to assume this role
+#                 # - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
 #                 - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/my-custom-codebuild-role
-#               # The above role would be created on the deployment account for the purpose deploying this custom resource via codebuild
+#                 # The above role would be created on the deployment account
+#                 # for the purpose deploying this custom resource via CodeBuild
 #           Principal:
 #             AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
 #           Action:

diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
@@ -157,9 +157,12 @@ Resources:
         Statement:
           - Effect: Allow
             Principal:
-              AWS:
-                - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role
-                - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-cloudformation-role
+              AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
+            Condition:
+              ArnEquals:
+                "aws:PrincipalArn":
+                  - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role
+                  - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-cloudformation-role
             Action:
               - sts:AssumeRole
       Path: /
@@ -224,9 +227,11 @@ Resources:
         Statement:
           - Effect: Allow
             Sid: "AssumeRoleByEnableCrossAccountLambda"
+            Condition:
+              ArnEquals:
+                "aws:PrincipalArn": !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-enable-cross-account-access-lambda-role
             Principal:
-              AWS:
-                - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-enable-cross-account-access-lambda-role
+              AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
             Action:
               - sts:AssumeRole
       Path: /