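# CloudFormation template: an IAM role (plus instance profile) for the CME with a
# selectable permission set.  The format version is quoted so that generic
# YAML 1.1 parsers (e.g. PyYAML) do not turn it into a date object.
AWSTemplateFormatVersion: '2010-09-09'
Description: Creates an IAM role for selected permissions (20240507)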
# Console-only presentation data: how the parameters are grouped and labelled
# in the CloudFormation UI.  Has no effect on the resources created.
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: 'IAM'
        Parameters:
          - Permissions
      - Label:
          default: 'Advanced Configuration (optional)'
        Parameters:
          - STSRoles
          - TrustedAccount
    ParameterLabels:
      Permissions:
        default: 'IAM role'
      STSRoles:
        default: 'STS roles'
      TrustedAccount:
        default: 'Trusted Account ID'
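Parameters:
  # Selects which policy statements are attached (see Conditions): read-only,
  # read-write, or neither (assume-role only, driven by STSRoles).
  Permissions:
    Description: Permission set to attach to the role (read-only, read-write, or assume-role only).
    Type: String
    Default: Create with read permissions
    AllowedValues:
      - Create with read permissions
      - Create with read-write permissions
      - Create with assume role permissions (specify an STS role ARN)
  # Empty string disables the sts:AssumeRole statement entirely.
  STSRoles:
    Description: The IAM role will be able to assume these STS Roles (comma separated list of ARNs, without spaces).
    Type: String
    Default: ''
  # Empty string keeps the default trust on the EC2 service; a value switches
  # the trust policy to that account instead.
  TrustedAccount:
    Description: A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able to assume the IAM role and receive the permissions attached to it.
    Type: String
    Default: ''
    # Exactly 12 digits or empty.  The optional group states this directly
    # instead of relying on alternation precedence in '^([0-9]{12})|$', which
    # only rejects junk because CloudFormation matches the whole value.
    AllowedPattern: '^([0-9]{12})?$'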
# Derived switches used by the !If blocks under Resources.
Conditions:
  # The read-only statement is attached for both the read and read-write choices.
  AllowReadPermissions: !Or
    - !Equals
      - !Ref Permissions
      - 'Create with read permissions'
    - !Equals
      - !Ref Permissions
      - 'Create with read-write permissions'
  AllowWritePermissions: !Equals
    - !Ref Permissions
    - 'Create with read-write permissions'
  ProvidedSTSRoles: !Not
    - !Equals
      - !Ref STSRoles
      - ''
  # These two are complementary; exactly one trust-policy statement is emitted.
  NotProvidedTrustedAccount: !Equals
    - ''
    - !Ref TrustedAccount
  ProvidedTrustedAccount: !Not
    - !Condition NotProvidedTrustedAccount
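Resources:
  CMEIAMRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy.  ProvidedTrustedAccount and NotProvidedTrustedAccount are
      # complementary, so exactly one principal is trusted: the given account,
      # or otherwise the EC2 service.  When an account is given the role does
      # NOT trust ec2.amazonaws.com, so the InstanceProfile below cannot hand
      # credentials to instances in that configuration.
      # Policy-document versions are quoted so generic YAML parsers keep them
      # as strings rather than dates.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - !If
            - ProvidedTrustedAccount
            # Account principal: any IAM identity in TrustedAccount that is
            # itself allowed sts:AssumeRole on this role may assume it; no
            # ExternalId or other Condition narrows this.
            - Effect: Allow
              Principal:
                AWS: [!Ref TrustedAccount]
              Action: ['sts:AssumeRole']
            - !Ref 'AWS::NoValue'
          - !If
            - NotProvidedTrustedAccount
            - Effect: Allow
              Principal:
                Service: [ec2.amazonaws.com]
              Action: ['sts:AssumeRole']
            - !Ref 'AWS::NoValue'
      Path: /
      Policies:
        - PolicyName: CMEPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Optional role chaining; the ARN list is taken verbatim from the
              # comma-separated STSRoles parameter.
              - !If
                - ProvidedSTSRoles
                - Effect: Allow
                  Action: ['sts:AssumeRole']
                  Resource: !Split [',', !Ref STSRoles]
                - !Ref 'AWS::NoValue'
              # Read-only discovery of network, ASG and ELB state.  These
              # Describe/Get calls are not resource-scopable, hence '*'.
              - !If
                - AllowReadPermissions
                - Effect: Allow
                  Action:
                    - autoscaling:DescribeAutoScalingGroups
                    - ec2:DescribeRegions
                    - ec2:DescribeCustomerGateways
                    - ec2:DescribeInstances
                    - ec2:DescribeNetworkInterfaces
                    - ec2:DescribeRouteTables
                    - ec2:DescribeSecurityGroups
                    - ec2:DescribeSubnets
                    - ec2:DescribeTransitGateways
                    - ec2:DescribeTransitGatewayAttachments
                    - ec2:DescribeTransitGatewayRouteTables
                    - ec2:DescribeVpcs
                    - ec2:DescribeVpnGateways
                    - ec2:DescribeVpnConnections
                    - ec2:GetTransitGatewayAttachmentPropagations
                    - elasticloadbalancing:DescribeLoadBalancers
                    - elasticloadbalancing:DescribeTags
                    - elasticloadbalancing:DescribeListeners
                    - elasticloadbalancing:DescribeTargetGroups
                    - elasticloadbalancing:DescribeRules
                    - elasticloadbalancing:DescribeTargetHealth
                  Resource: '*'
                - !Ref 'AWS::NoValue'
              # Mutating VPN / VGW / TGW actions, granted account-wide ('*').
              # Review whether a tag- or resource-based Condition is acceptable
              # in your account before deploying with read-write permissions.
              - !If
                - AllowWritePermissions
                - Effect: Allow
                  Action:
                    - ec2:AssociateTransitGatewayRouteTable
                    - ec2:AttachVpnGateway
                    - ec2:CreateCustomerGateway
                    - ec2:CreateVpnConnection
                    - ec2:CreateVpnGateway
                    - ec2:DeleteCustomerGateway
                    - ec2:DeleteVpnConnection
                    - ec2:DeleteVpnGateway
                    - ec2:DetachVpnGateway
                    - ec2:DisableTransitGatewayRouteTablePropagation
                    - ec2:DisableVgwRoutePropagation
                    - ec2:DisassociateTransitGatewayRouteTable
                    - ec2:EnableTransitGatewayRouteTablePropagation
                    - ec2:EnableVgwRoutePropagation
                  Resource: '*'
                - !Ref 'AWS::NoValue'
              # Read-only view of all stacks (needed to find the ones below).
              - !If
                - AllowWritePermissions
                - Effect: Allow
                  Action:
                    - cloudformation:DescribeStacks
                    - cloudformation:DescribeStackResources
                    - cloudformation:ListStacks
                  Resource: '*'
                - !Ref 'AWS::NoValue'
              # Stack create/delete is confined to stacks named 'vpn-by-tag--*';
              # this is the only write statement with a resource-level scope.
              - !If
                - AllowWritePermissions
                - Effect: Allow
                  Action:
                    - cloudformation:CreateStack
                    - cloudformation:DeleteStack
                  Resource: 'arn:aws:cloudformation:*:*:stack/vpn-by-tag--*/*'
                - !Ref 'AWS::NoValue'
  # Instance profile named after the (generated) role name so EC2 instances can
  # pick up the role; only useful when the role trusts ec2.amazonaws.com.
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: !Ref CMEIAMRole
      Roles:
        - !Ref CMEIAMRole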
# Stack outputs: the role name, the role ARN and the instance-profile ARN.
Outputs:
  CMEIAMRole:
    Description: 'The IAM role.'
    Value: !Ref CMEIAMRole
  CMEARNRole:
    Description: 'The IAM role ARN.'
    Value: !GetAtt [CMEIAMRole, Arn]
  InstanceProfile:
    Description: 'The Instance Profile ARN.'
    Value: !GetAtt [InstanceProfile, Arn]