-
Notifications
You must be signed in to change notification settings - Fork 13
/
cf-role-child-automation.sample.yaml
108 lines (106 loc) · 4.47 KB
/
cf-role-child-automation.sample.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
#
# Child Automation Role
#
# This role would be typically managed via a Master CF automation stack itself (that has full admin / IAM permissions in
# the target accounts).
#
# This role defines what the child automation is allowed to do. Typically this role would lock a team down to only being
# able to manage resources for which they are approved to manage without additional review. (e.g. this team can merge
# their own CF stacks / templates for which this deployment of the CF automation creates)
#
# *** WARNING ***
# Many types of things need to be able to pass roles - EC2's, ECS Tasks, Lambdas, CodeBuild, etc. The automation
# must therefore have access to pass the roles those systems need to be able to create.. but, you need to avoid a team
# from passing someone else's role. This needs to be carefully managed if you allow iam:PassRole with a wildcard pattern
# Thoughtful consideration needs to be made to a role naming convention or using the IAM Path's feature for all of the
# roles merged into a Master repo for the main automation to create.
#
---
AWSTemplateFormatVersion: '2010-09-09'
Resources:
CFAutomationRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
AWS: !Sub "arn:aws:iam::${DeployerAccountId}:root"
Action:
- sts:AssumeRole
Path: "/"
RoleName: !Ref CFAccessRoleName
ManagedPolicyArns: !Ref ExecutionRoleManagedPolicies
Policies:
- PolicyName: "CFAccess"
PolicyDocument:
Statement:
#CloudFormation Bits for Automated Deployer - locked down to only stacks this team can manage.
- Effect: Allow
Resource: "*"
Action:
- "cloudformation:DescribeChangeSet"
- "cloudformation:DescribeStacks"
- Effect: Allow
Action:
- "cloudformation:CreateChangeSet"
Resource:
- "arn:aws:cloudformation:*:*:stack/*" #TODO: Lock this down to naming patterns that match this team's stack names.
- "arn:aws:cloudformation:*:aws:transform/Serverless-2016-10-31"
- Effect: Allow
Action:
- "cloudformation:DeleteChangeSet"
- "cloudformation:ExecuteChangeSet"
Resource: '*'
Condition:
StringLike:
cloudformation:ChangeSetName:
- "arn:aws:cloudformation:*:*:changeSet/*" #TODO: Lock this down to naming patterns that match this team's stack names.
- Action:
- "cloudformation:DeleteStack"
Effect: Allow
Resource:
- "arn:aws:cloudformation:*:*:stack/*" #TODO: Lock this down to naming patterns that match this team's stack names.
# Access to S3 bucket of templates for CloudFormation to pull
- Effect: Allow
Action:
- "s3:GetObject"
Resource:
- !Sub "arn:aws:s3:::${AutomationStackName}-cfstack-bucket/*"
- PolicyName: "PassRoleToCF"
PolicyDocument:
Statement:
- Effect: Allow
Action:
- iam:PassRole
Resource:
- !GetAtt CFServiceRole.Arn
CFServiceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- cloudformation.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
RoleName: "cf-automation-for-TEAMNAME" #TODO: swap this rolename out for what makes the most sense for your org.
Policies:
- PolicyName: "CFAccess"
PolicyDocument:
Statement:
- Effect: Allow
Resource: "*"
Action:
- "lambda:*" # TODO: the list of services (with * access) that this team's automation can manage.
- PolicyName: "AllowedPassRoles"
PolicyDocument:
Statement:
- Effect: Allow
Action:
- iam:PassRole
Resource:
- "arn:aws:iam::*:role/TEAMNAME-*" #TODO: the naming pattern or path pattern that matches the roles this team can pass to resources created by CloudFormation.