-
Notifications
You must be signed in to change notification settings - Fork 2
/
user-github-deploy.yml
116 lines (105 loc) · 3.09 KB
/
user-github-deploy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
---
AWSTemplateFormatVersion: "2010-09-09"
Description: GitHub Actions User - Deploy - Permissions for deploying resources
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: User Configuration
Parameters:
- UserName
- Label:
default: Bucket Configuration
Parameters:
- Bucket
ParameterLabels:
UserName:
default: User Name
Bucket:
default: Bucket Name
Parameters:
UserName:
Type: String
Description: Enter the name you would like for your IAM User
Default: github-deploy
Bucket:
Type: String
Description: Enter bucket this user can access
Resources:
User:
Type: 'AWS::IAM::User'
Metadata:
cfn_nag:
rules_to_suppress:
- id: F10
reason: "Allow Inline policy to be sure policy is not leveraged on other resources"
- id: F2000
reason: "Group membership not required to use as a specific service account"
Properties:
UserName: !Ref UserName
ManagedPolicyArns:
## Uncomment for POC / Testing
- arn:aws:iam::aws:policy/PowerUserAccess
Policies:
-
PolicyName: S3-Allow-Actions
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: S3Actions
Effect: Allow
Action:
- s3:ListBucket
- s3:GetObject
- s3:PutObject
Resource:
- !Sub 'arn:aws:s3:::${Bucket}'
- !Sub 'arn:aws:s3:::${Bucket}/*'
-
PolicyName: S3-Allow-Buckets
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: S3BucketsAllowed
Effect: Deny
Action:
- s3:*
NotResource:
- !Sub 'arn:aws:s3:::${Bucket}'
- !Sub 'arn:aws:s3:::${Bucket}/*'
-
PolicyName: R53-Allow-Actions
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: R53Allow
Effect: Allow
Action:
- route53:*
Resource: "*"
-
PolicyName: CFN-Allow-Actions
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: CFNAllowActions
Effect: Allow
Action:
- cloudformation:*
Resource: "*"
UserAccessKey:
Type: AWS::IAM::AccessKey
Properties:
UserName:
!Ref User
UserSecret:
Type: AWS::SecretsManager::Secret
Metadata:
cfn_nag:
rules_to_suppress:
- id: W77
reason: "Secrets Manager Secret should explicitly specify KmsKeyId. Besides control of the key this will allow the secret to be shared cross-account"
Properties:
Name: !Ref UserName
Description: Access Keys for GitHub Actions User
SecretString: !Sub '{"AWS_ACCESS_KEY_ID":"${UserAccessKey}","AWS_SECRET_ACCESS_KEY":"${UserAccessKey.SecretAccessKey}"}'