---
# CloudFormation template defining the IAM roles and policies used by the
# CodePipeline / CodeBuild / CloudFormation stages of a Lambda deployment.
AWSTemplateFormatVersion: "2010-09-09"
Description: Common resources for application deployed to Lambda

Parameters:
  # Prefix for every RoleName in this template and for the IAM role ARNs the
  # CloudFormation deploy role is allowed to create, delete and modify.
  AppName:
    Type: String
    Description: Name of the application.
    MinLength: "1"
    MaxLength: "100"
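Resources:
  # ---------------------------------------------------------------------------
  # CodeBuild: the role the build service assumes, plus its permissions.
  # ---------------------------------------------------------------------------
  CodeBuildTrustRole:
    # NOTE(review): `Description` is not one of the documented resource-level
    # attributes (Type, Properties, DependsOn, Metadata, ...). The same key is
    # used on the other five resources below; if it is meant as documentation
    # only, a comment or `Metadata` is the safer place — confirm it validates.
    Description: Creating service role in IAM for AWS CodeBuild
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AppName}-codebuild-role"
      AssumeRolePolicyDocument:
        # Explicit policy language version: without it IAM falls back to the
        # 2008 grammar, which does not support policy variables.
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codebuild.amazonaws.com
            Action: sts:AssumeRole
      Path: /

  CodeBuildRolePolicy:
    Type: AWS::IAM::Policy
    # `Roles: [!Ref CodeBuildTrustRole]` already implies this dependency; the
    # explicit DependsOn is kept so the ordering is visible to readers.
    DependsOn: CodeBuildTrustRole
    Description: Setting IAM policy for the service role for AWS CodeBuild
    Properties:
      PolicyName: CodeBuildRolePolicy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Build logs. `*` is acceptable here only because the log group
          # name is not known at template-authoring time.
          - Effect: Allow
            Action:
              - "logs:CreateLogGroup"
              - "logs:CreateLogStream"
              - "logs:PutLogEvents"
            Resource: "*"
          # NOTE(review): full S3 control on every bucket in the account. The
          # build only needs the artifact bucket; scope this to that bucket
          # (bucket ARN and bucket/* ARN) once the bucket is known to this
          # stack.
          - Effect: Allow
            Action:
              - "s3:*"
            Resource: "*"
          # NOTE(review): key usage on any KMS key in the account; scope to
          # the artifact encryption key ARN.
          - Effect: Allow
            Action:
              - "kms:GenerateDataKey*"
              - "kms:Encrypt"
              - "kms:Decrypt"
            Resource: "*"
          # NOTE(review): `sns:SendMessage` is not an SNS action (SNS publishes
          # with `sns:Publish`; `SendMessage` belongs to SQS), so this
          # statement grants nothing. Confirm which service was intended and
          # scope the Resource to that topic or queue ARN.
          - Effect: Allow
            Action:
              - "sns:SendMessage"
            Resource: "*"
      Roles:
        - !Ref CodeBuildTrustRole

  # ---------------------------------------------------------------------------
  # CloudFormation: the role the deploy stage passes to CloudFormation, plus
  # the permissions it needs to create the application's resources.
  # ---------------------------------------------------------------------------
  CloudFormationTrustRole:
    Description: Creating service role in IAM for AWS CloudFormation
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AppName}-cloudformation-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Path: /

  CloudFormationRolePolicy:
    Type: AWS::IAM::Policy
    DependsOn: CloudFormationTrustRole
    Description: Setting IAM policy for the service role for AWS CloudFormation
    Properties:
      PolicyName: CloudFormationRolePolicy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Read deployment artifacts. NOTE(review): readable from any bucket;
          # scope to the pipeline artifact bucket.
          - Effect: Allow
            Action:
              - "s3:GetObject"
              - "s3:GetObjectVersion"
              - "s3:GetBucketVersioning"
            Resource: "*"
          - Effect: Allow
            Action:
              - "s3:PutObject"
            Resource:
              - "arn:aws:s3:::codepipeline*"
          # NOTE(review): every Lambda function in this region/account. If the
          # application's functions share the `${AppName}` prefix, the ARN
          # can be narrowed to `function:${AppName}-*`.
          - Effect: Allow
            Action:
              - "lambda:*"
            Resource: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*"
          - Effect: Allow
            Action:
              - "apigateway:*"
            Resource: !Sub "arn:aws:apigateway:${AWS::Region}::*"
          # Role management is correctly limited to roles carrying the
          # application prefix.
          - Effect: Allow
            Action:
              - "iam:GetRole"
              - "iam:CreateRole"
              - "iam:DeleteRole"
            Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/${AppName}-*"
          - Effect: Allow
            Action:
              - "iam:AttachRolePolicy"
              - "iam:DetachRolePolicy"
            Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/${AppName}-*"
          # NOTE(review): `iam:PassRole` on `*` lets this role hand ANY role in
          # the account to the services it deploys, which undoes the scoping
          # of the two statements above. Restrict it to the same
          # `role/${AppName}-*` ARN (optionally with an `iam:PassedToService`
          # condition for the consuming services).
          - Effect: Allow
            Action:
              - "iam:PassRole"
            Resource: "*"
          # Needed to expand the AWS::Serverless transform during change-set
          # creation.
          - Effect: Allow
            Action:
              - "cloudformation:CreateChangeSet"
            Resource: !Sub "arn:aws:cloudformation:${AWS::Region}:aws:transform/Serverless-2016-10-31"
      Roles:
        - !Ref CloudFormationTrustRole

  # ---------------------------------------------------------------------------
  # CodePipeline: the pipeline's own role, plus its permissions.
  # ---------------------------------------------------------------------------
  CodePipelineTrustRole:
    Description: Creating service role in IAM for AWS CodePipeline
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AppName}-codepipeline-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codepipeline.amazonaws.com
            Action: sts:AssumeRole
      Path: /

  CodePipelineRolePolicy:
    Type: AWS::IAM::Policy
    DependsOn: CodePipelineTrustRole
    Description: Setting IAM policy for the service role for AWS CodePipeline
    Properties:
      PolicyName: CodePipelineRolePolicy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "s3:GetObject"
              - "s3:GetObjectVersion"
              - "s3:GetBucketVersioning"
            Resource: "*"
          - Effect: Allow
            Action:
              - "s3:PutObject"
            Resource:
              - "arn:aws:s3:::codepipeline*"
          # NOTE(review): any CodeBuild project in the account; scope to the
          # project ARN once it is known to this stack.
          - Effect: Allow
            Action:
              - "codebuild:StartBuild"
              - "codebuild:BatchGetBuilds"
            Resource: "*"
          # NOTE(review): the broadest grant in the template. `rds:*` and
          # `sqs:*` correspond to nothing the other roles touch, `s3:*`,
          # `sns:*` and `cloudformation:*` are account-wide, and
          # `iam:PassRole` on `*` lets the pipeline pass any role to
          # CloudFormation. At minimum, move `iam:PassRole` into its own
          # statement scoped to `!GetAtt CloudFormationTrustRole.Arn`, and
          # drop the service wildcards the pipeline does not use.
          - Effect: Allow
            Action:
              - "cloudwatch:*"
              - "s3:*"
              - "sns:*"
              - "cloudformation:*"
              - "rds:*"
              - "sqs:*"
              - "iam:PassRole"
            Resource: "*"
          - Effect: Allow
            Action:
              - "lambda:InvokeFunction"
              - "lambda:ListFunctions"
            Resource: "*"
      Roles:
        - !Ref CodePipelineTrustRole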
Outputs:
  # Stack outputs exposing the ARN of each trust role defined in Resources.
  CodePipelineRole:
    Description: Role for code pipeline
    Value: !GetAtt CodePipelineTrustRole.Arn

  CloudformationDeployRole:
    Description: Role for cloudformation to deploy with.
    Value: !GetAtt CloudFormationTrustRole.Arn

  CodeBuildRole:
    Description: Role for code build to build
    Value: !GetAtt CodeBuildTrustRole.Arn