-
Notifications
You must be signed in to change notification settings - Fork 2
/
CrossAccountCFNRole.yml
77 lines (76 loc) · 2.39 KB
/
CrossAccountCFNRole.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
AWSTemplateFormatVersion: 2010-09-09
Description: CovidSafe Example application pipeline
Parameters:
ProjectName:
Type: String
Description: Name for the Project
BuildAccountNo:
Type: String
Description: The ARN of the build account that will use this role to deploy the application
ArtefactKMSKeyArn:
Type: String
Description: The ARN of the CMK KMS Key used artefact encryption
Resources:
ProjectDeploymentRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- cloudformation.amazonaws.com
- codepipeline.amazonaws.com
- codebuild.amazonaws.com
Action: sts:AssumeRole
- Effect: Allow
Principal:
AWS:
- !Sub 'arn:aws:iam::${BuildAccountNo}:root'
Action: sts:AssumeRole
RoleName: !Sub '${ProjectName}-${AWS::Region}-DeploymentRole'
Policies:
- PolicyName: Allow-Application-Infrastructure-Provisioning
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action: lambda:*
Resource: '*'
- Effect: Allow
Action: cloudwatch:*
Resource: '*'
- Effect: Allow
Action: dynamodb:*
Resource: '*'
- Effect: Allow
Action: s3:*
Resource: '*'
- Effect: Allow
Action: codedeploy:*
Resource: '*'
- Effect: Allow
Action: xray:*
Resource: '*'
- Effect: Allow
Action: apigateway:*
Resource: '*'
- Effect: Allow
Action: iam:*
Resource: '*'
- Effect: Allow
Action: cloudformation:*
Resource: '*'
- PolicyName: Artefact-KMS-Key-Access
PolicyDocument:
Version: "2012-10-17"
Statement:
Effect: Allow
Action:
- kms:Encrypt
- kms:Decrypt
- kms:ReEncrypt*
- kms:GenerateDataKey*
- kms:DescribeKey
Resource: !Ref ArtefactKMSKeyArn