#
# First Setup Stack / Master Automation ( creates any kind of resource )
#
# Typically used as a StackSet template - this creates the role that CloudGenesis will assume so that it can
# perform the CloudFormation operations in that account.
#
# *** WARNING ***
# This role can create CloudFormation stacks, and those stacks can create anything. This stack is ideal for simple setups
# where you will only have a single repo that deploys CF automation across your accounts OR used for the repo that your
# Security team / CloudOps team carefully manages to create IAM or other sensitive resources.
#
# If you wish to have other, secondary repos that can deploy more limited stacks, then you would typically use the
# automation deployer itself to deploy the roles for those other automated deployers. A sample stack for those setups is
# also provided as a "child" automation.
#
#
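---
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Master automation role for CloudGenesis: the cross-account role the deployer
  assumes, plus the CloudFormation service role (AdministratorAccess) that the
  stacks it manages run under. Intended as a StackSet template.

Parameters:
  CFDeployerRoleName:
    Description: >-
      The name of the IAM Role that will be created in each of the accounts.
      This name is provided to the deployer stack under the same parameter name
    Type: String

  CFServiceRoleName:
    Description: >-
      The name of the CloudFormation Service Role that will be used by
      CloudFormation on each stack that the automation manages. This name is
      provided to the deployer stack under the same parameter name
    Type: String

  DeployerAccountId:
    Description: The Account ID that the automated deployer is running in
    # A String rather than a Number: account ids may start with zeros, and a
    # Number parameter is not guaranteed to preserve them before the value is
    # substituted into the trust-policy ARN below. The pattern still accepts
    # every well-formed 12-digit id the Number type accepted.
    Type: String
    AllowedPattern: '^[0-9]{12}$'
    ConstraintDescription: must be a 12-digit AWS account id

  AutomationStackName:
    Description: The name you will launch the CloudFormation Automation stack as
    Type: String

  ExternalS3BucketPathArns:
    Description: >-
      (Optional): A comma delimited list of S3 Bucket PATH ARNs to external
      buckets that can be used by stack templates. must be in this form:
      arn:aws:s3:::BUCKET_NAME/[optional-sub-path]*
    Type: CommaDelimitedList
    Default: ''

Conditions:
  # A Ref to an empty CommaDelimitedList is a list holding one empty string, so
  # joining it and comparing against '' detects "no external buckets supplied".
  HasExternalS3BucketSupport: !Not [!Equals [!Join ['', !Ref ExternalS3BucketPathArns], '']]

Resources:
  # Role assumed cross-account by the CloudGenesis deployer.
  CFAutomationRole:
    Type: AWS::IAM::Role
    Properties:
      # NOTE(review): this trusts the whole deployer account (":root"), so any
      # principal in that account that is allowed sts:AssumeRole on this ARN can
      # use it. Narrowing the principal or adding an sts:ExternalId condition
      # would change the caller contract, so it is left as-is here.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${DeployerAccountId}:root'
            Action:
              - sts:AssumeRole
      Path: /
      RoleName: !Ref CFDeployerRoleName
      Policies:
        - PolicyName: CFDeployer
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Stack lifecycle on any stack in the account - deliberately
              # broad, see the header comment of this file.
              - Effect: Allow
                Resource: '*'
                Action:
                  - cloudformation:CreateChangeSet
                  - cloudformation:DeleteChangeSet
                  - cloudformation:DeleteStack
                  - cloudformation:DescribeChangeSet
                  - cloudformation:DescribeStacks
                  - cloudformation:ExecuteChangeSet
              # Templates are read from the automation stack's own bucket ...
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource:
                  - !Sub 'arn:aws:s3:::${AutomationStackName}-cfstack-bucket/*'
              # ... and, when configured, from each external bucket path that a
              # CloudGenesis Deployer is also allowed to deploy templates from.
              - !If
                - HasExternalS3BucketSupport
                - Effect: Allow
                  Action:
                    - s3:GetObject
                  Resource: !Ref ExternalS3BucketPathArns
                - !Ref AWS::NoValue
        - PolicyName: PassRoleToCF
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - iam:PassRole
                Resource:
                  - !GetAtt CFServiceRole.Arn
                # The service role is only trusted by CloudFormation, so pin the
                # pass-role grant to that service as well; the deployer then
                # cannot hand this admin role to any other service it can call.
                Condition:
                  StringEquals:
                    iam:PassedToService: cloudformation.amazonaws.com

  # Service role that CloudFormation itself runs the managed stacks under.
  CFServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      RoleName: !Ref CFServiceRoleName
      # Full admin by design: this is the "master" role (see the header comment).
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess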