From 0f892b8b24af6b5b96591b4684f45cfbf8644f68 Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Tue, 6 Sep 2022 22:14:50 +0200
Subject: [PATCH 1/5] feat(adf-bootstrap): (#472) modify trust relations for roles :zap:
---
.../adf-bootstrap/example-global-iam.yml | 11 ++++---
.../adf-bootstrap/global.yml | 29 ++++++++++++++-----
2 files changed, 29 insertions(+), 11 deletions(-)
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml
index e2ec467fc..3c3dc0d0c 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml
@@ -50,12 +50,15 @@ Resources:
# Statement:
# - Effect: Allow
# Sid: "AssumeRole"
-# Principal:
-# AWS:
+# Condition:
+# StringEquals:
+# 'aws:PrincipalArn':
# # This would allow all codebuild projects to be able to assume this role
-# # - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
-# - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/my-custom-codebuild-role
+# # - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
+# - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/my-custom-codebuild-role
# # The above role would be created on the deployment account for the purpose deploying this custom resource via codebuild
+# Principal:
+# AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
# Action:
# - sts:AssumeRole
# Path: /
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
index dbb7596b4..141ff06d9 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
@@ -34,8 +34,11 @@ Resources:
Version: "2012-10-17"
Statement:
- Effect: Allow
+ Condition:
+ StringEquals:
+ 'aws:PrincipalArn': !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role
Principal:
- AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role
+ AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
Action:
- sts:AssumeRole
- Effect: Allow
@@ -201,21 +204,27 @@ Resources:
- sts:AssumeRole
- Effect: Allow
Sid: "AssumeRoleLambda"
+ Condition:
+ StringEquals:
+ 'aws:PrincipalArn': !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-lambda-role
Principal:
AWS:
- - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-lambda-role
+ - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
Action:
- sts:AssumeRole
- Effect: Allow
Sid: "AssumeRole"
Principal:
AWS:
- - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role
+ - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
Action:
- sts:AssumeRole
Condition:
- ArnEquals:
- "aws:SourceArn": !Sub "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${DeploymentAccountId}:*"
+ Fn::And:
+ - ArnEquals:
+ "aws:SourceArn": !Sub "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${DeploymentAccountId}:*"
+ - StringEquals:
+ 'aws:PrincipalArn': !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role
Path: /
AdfAutomationRole:
@@ -231,9 +240,12 @@ Resources:
Statement:
- Effect: Allow
Sid: "AssumeRole"
+ Condition:
+ StringEquals:
+ 'aws:PrincipalArn': !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-pipeline-provisioner-codebuild-role
Principal:
AWS:
- - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-pipeline-provisioner-codebuild-role
+ - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
Action:
- sts:AssumeRole
Path: /
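Review bot: With the principal widened to the deployment account root in the hunk at `@@ -34,8 +34,11 @@`, the `aws:PrincipalArn` condition is now the only thing that keeps this statement from being assumable by every principal in that account, and nothing in the template says so. Add a comment above the new `Condition:` such as `# Trusting the account root keeps this trust relation valid when the caller role is re-created; the aws:PrincipalArn condition is what restricts it to adf-codepipeline-role and must stay in place.` The same applies to every other trust statement changed in this series (the global.yml hunks at 201, 231 and 333, deployment/global.yml at 548, and the later hunks at 157 and 224), where the comment on the first statement could point to the rest, and the commented example in example-global-iam.yml would benefit from the same explanation. The statement that begins with the trailing `- Effect: Allow` continues outside the hunk.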
@@ -333,9 +345,12 @@ Resources:
Statement:
- Effect: Allow
Sid: "AssumeRole"
+ Condition:
+ StringEquals:
+ 'aws:PrincipalArn': !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
Principal:
AWS:
- - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
+ - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
Action:
- sts:AssumeRole
Path: /
From 9c11d71a4ba158f272bc6d09d37b14e6b3726840 Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Wed, 7 Sep 2022 16:59:18 +0200
Subject: [PATCH 2/5] feat(adf-bootstrap): (#472) fix StringEquals to ArnEquals condition :zap:
---
.../adf-bootstrap/example-global-iam.yml | 2 +-
.../adf-bootstrap/global.yml | 26 +++++++++----------
2 files changed, 13 insertions(+), 15 deletions(-)
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml
index 3c3dc0d0c..ef6795d19 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml
@@ -51,7 +51,7 @@ Resources:
# - Effect: Allow
# Sid: "AssumeRole"
# Condition:
-# StringEquals:
+# ArnEquals:
# 'aws:PrincipalArn':
# # This would allow all codebuild projects to be able to assume this role
# # - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
index 141ff06d9..c94b7ff8f 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
@@ -35,8 +35,8 @@ Resources:
Statement:
- Effect: Allow
Condition:
- StringEquals:
- 'aws:PrincipalArn': !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role
+ ArnEquals:
+ "aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role"
Principal:
AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
Action:
@@ -205,8 +205,8 @@ Resources:
- Effect: Allow
Sid: "AssumeRoleLambda"
Condition:
- StringEquals:
- 'aws:PrincipalArn': !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-lambda-role
+ ArnEquals:
+ "aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-lambda-role"
Principal:
AWS:
- !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
@@ -220,11 +220,9 @@ Resources:
Action:
- sts:AssumeRole
Condition:
- Fn::And:
- - ArnEquals:
- "aws:SourceArn": !Sub "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${DeploymentAccountId}:*"
- - StringEquals:
- 'aws:PrincipalArn': !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role
+ ArnEquals:
+ "aws:SourceArn": !Sub "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${DeploymentAccountId}:*"
+ "aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role"
Path: /
AdfAutomationRole:
@@ -241,11 +239,11 @@ Resources:
- Effect: Allow
Sid: "AssumeRole"
Condition:
- StringEquals:
- 'aws:PrincipalArn': !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-pipeline-provisioner-codebuild-role
+ ArnEquals:
+ "aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-pipeline-provisioner-codebuild-role"
Principal:
AWS:
- - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
+ - !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:root"
Action:
- sts:AssumeRole
Path: /
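Review bot: In the hunk at `@@ -241,11 +239,11 @@` the root principal is rewritten as `- !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:root"` while the identical line in the hunks at 205 and 346 stays unquoted, so the same ARN now appears in two spellings within one file. Keep one form throughout — either quote all of them like the new condition values, or leave this one as `- !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root`. The quoting should not change the resolved value, so this is about keeping the root-principal statements easy to grep and compare when checking that each one still carries its aws:PrincipalArn condition.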
@@ -346,8 +344,8 @@ Resources:
- Effect: Allow
Sid: "AssumeRole"
Condition:
- StringEquals:
- 'aws:PrincipalArn': !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
+ ArnEquals:
+ "aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role"
Principal:
AWS:
- !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
From 95a0731459d72f07781f96a5930b451cb2014010 Mon Sep 17 00:00:00 2001
From: Simon Kok
Date: Mon, 24 Jul 2023 15:26:56 +0200
Subject: [PATCH 3/5] Update merge fix
---
.../bootstrap_repository/adf-bootstrap/global.yml | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
index 87f661317..bd4c9ac19 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
@@ -202,16 +202,6 @@ Resources:
- cloudformation.amazonaws.com
Action:
- sts:AssumeRole
- - Effect: Allow
- Sid: "AssumeRoleLambda"
- Principal:
- AWS:
- - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
- Action:
- - sts:AssumeRole
- Condition:
- ArnEquals:
- "aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-lambda-role"
- Effect: Allow
Sid: "AssumeRole"
Principal:
From b6330a145bf4bf9cd24ed778356eca5105aeba14 Mon Sep 17 00:00:00 2001
From: Simon Kok
Date: Mon, 24 Jul 2023 15:57:04 +0200
Subject: [PATCH 4/5] Add patch of #526 to other important roles too
---
.../adf-bootstrap/deployment/global.yml | 9 ++++++---
.../adf-bootstrap/example-global-iam.yml | 15 ++++++++++-----
.../bootstrap_repository/adf-bootstrap/global.yml | 15 ++++++++++-----
3 files changed, 26 insertions(+), 13 deletions(-)
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
index 6b16518bb..f96c9ccf5 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
@@ -548,10 +548,13 @@ Resources:
Statement:
- Effect: Allow
Sid: "AssumeRole"
+ Condition:
+ ArnEquals:
+ "aws:PrincipalArn":
+ - !GetAtt PipelineManagementApplication.Outputs.CreateRepositoryLambdaRoleArn
+ - !GetAtt PipelineManagementApplication.Outputs.CreateOrUpdateRuleLambdaRoleArn
Principal:
- AWS:
- - !GetAtt PipelineManagementApplication.Outputs.CreateRepositoryLambdaRoleArn
- - !GetAtt PipelineManagementApplication.Outputs.CreateOrUpdateRuleLambdaRoleArn
+ AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
Action:
- sts:AssumeRole
Path: /
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml
index 5af725d18..be971baec 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml
@@ -60,9 +60,13 @@ Resources:
# Statement:
# - Effect: Allow
# Sid: "AssumeRole"
+# Condition:
+# ArnEquals:
+# 'aws:PrincipalArn':
+# # This would allow all CodeBuild projects to be able to assume this role
+# - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
# Principal:
-# AWS:
-# - !Sub arn:aws:iam::${DeploymentAccountId}:role/adf-codebuild-role
+# AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
# Action:
# - sts:AssumeRole
# Path: /
@@ -106,10 +110,11 @@ Resources:
# Condition:
# ArnEquals:
# 'aws:PrincipalArn':
-# # This would allow all codebuild projects to be able to assume this role
-# # - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
+# # This would allow all CodeBuild projects to be able to assume this role
+# # - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
# - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/my-custom-codebuild-role
-# # The above role would be created on the deployment account for the purpose deploying this custom resource via codebuild
+# # The above role would be created on the deployment account
+# # for the purpose deploying this custom resource via CodeBuild
# Principal:
# AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
# Action:
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
index bd4c9ac19..a323a94a8 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
@@ -157,9 +157,12 @@ Resources:
Statement:
- Effect: Allow
Principal:
- AWS:
- - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role
- - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-cloudformation-role
+ AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
+ Condition:
+ ArnEquals:
+ "aws:PrincipalArn":
+ - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role
+ - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-cloudformation-role
Action:
- sts:AssumeRole
Path: /
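Review bot: In the global.yml hunk at `@@ -157,9 +157,12 @@` the new `Condition:` block sits between `Principal:` and `Action:`, whereas every other statement touched in this series places `Condition:` before `Principal:` (the hunk at 224 in the same commit, for instance). Moving it above `Principal:` keeps the statements in this file visually aligned, which matters here because a reviewer checks each root-principal statement for the presence of its aws:PrincipalArn condition. The `ArnEquals` value is a two-element list, which allows either role; a short comment such as `# either role may assume this role; both live in the deployment account` would make that intent explicit.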
@@ -224,9 +227,11 @@ Resources:
Statement:
- Effect: Allow
Sid: "AssumeRoleByEnableCrossAccountLambda"
+ Condition:
+ ArnEquals:
+ "aws:PrincipalArn": !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-enable-cross-account-access-lambda-role
Principal:
- AWS:
- - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-enable-cross-account-access-lambda-role
+ AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
Action:
- sts:AssumeRole
Path: /
From 15afb0a6bd6d514158bd8fe659c2e21641405c86 Mon Sep 17 00:00:00 2001
From: Simon Kok
Date: Mon, 24 Jul 2023 16:22:50 +0200
Subject: [PATCH 5/5] Fix reference to deployment account id
---
.../bootstrap_repository/adf-bootstrap/deployment/global.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
index f96c9ccf5..fb93defbb 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
@@ -554,7 +554,7 @@ Resources:
- !GetAtt PipelineManagementApplication.Outputs.CreateRepositoryLambdaRoleArn
- !GetAtt PipelineManagementApplication.Outputs.CreateOrUpdateRuleLambdaRoleArn
Principal:
- AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
+ AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
Action:
- sts:AssumeRole
Path: /
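Review bot: Changing the principal to `${AWS::AccountId}:root` in the hunk at `@@ -554,7 +554,7 @@` makes this a same-account trust, and with a root principal the two Lambda roles listed under `aws:PrincipalArn` also need `sts:AssumeRole` on this role in their own identity policies — the implicit same-account grant only applies when the trust policy names the caller ARN directly, which this series removed. If the roles behind `CreateRepositoryLambdaRoleArn` and `CreateOrUpdateRuleLambdaRoleArn` do not already carry that permission (their definitions are outside this diff), the assume call will now be denied. A comment on the `Principal:` line, `# root principal: callers must also be allowed sts:AssumeRole in their own identity policy`, would record the requirement for whoever maintains those roles. The enclosing statement begins above the hunk.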