# Copyright 2017 Amazon.com, Inc. or its affiliates. All Rights Reserved. # Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with # the License. A copy of the License is located at # http://aws.amazon.com/apache2.0/ # or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR # CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and # limitations under the License. AWSTemplateFormatVersion: '2010-09-09' Description: Roles to be assumed by CodePipeline service and Custom Lambda resource cross account Parameters: S3Bucket: Description: S3 Bucket in Tools Account, which holds the artifacts built by codebuild & codepipeline Type: String ToolsAccount: Description: AWS AccountNumber for Tools Account Type: Number NonProdAccount: Description: AWS AccountNumber for the Non Prod Account that needs to assume these role Type: Number CMKARN: Description: ARN of the KMS CMK created in Tools account; required to decrypt data in S3Bucket Type: String Resources: CodePipelineActionServiceRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: AWS: - !Ref ToolsAccount Action: - sts:AssumeRole Path: / CodePipelineActionServicePolicy: Type: AWS::IAM::Policy Properties: PolicyName: !Sub ${AWS::StackName}-CodePipelineActionServicePolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - cloudformation:* - s3:* - iam:PassRole Resource: "*" - Effect: Allow Action: - kms:* Resource: !Ref CMKARN Roles: - !Ref CodePipelineActionServiceRole CloudFormationServiceRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - cloudformation.amazonaws.com Action: - sts:AssumeRole Path: / CloudFormationServicePolicy: Type: AWS::IAM::Policy Properties: PolicyName: !Sub ${AWS::StackName}-CloudFormationServicePolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - lambda:AddPermission - lambda:CreateFunction - lambda:DeleteFunction - lambda:InvokeFunction - lambda:RemovePermission - lambda:UpdateFunctionCode - lambda:GetFunctionConfiguration - lambda:GetFunction - lambda:UpdateFunctionConfiguration - events:* - iam:CreateRole - iam:CreatePolicy - iam:GetRole - iam:DeleteRole - iam:PassRole - iam:PutRolePolicy - iam:DeleteRolePolicy - iam:AttachRolePolicy - iam:DetachRolePolicy - cloudformation:* - sns:CreateTopic - sns:DeleteTopic - sns:Subscribe - sns:Unsubscribe - sns:GetTopicAttributes - sns:SetTopicAttributes - sns:ListSubscriptionsByTopic - dynamodb:CreateTable - dynamodb:DeleteTable - dynamodb:DescribeTable - apigateway:* - s3:* Resource: "*" - Effect: Allow Action: - s3:PutObject - s3:GetBucketPolicy - s3:GetObject - s3:ListBucket Resource: - !Join ['',['arn:aws:s3:::',!Ref S3Bucket, '/*']] - !Join ['',['arn:aws:s3:::',!Ref S3Bucket]] - Effect: Allow Action: - sns:ListSubscriptionsByTopic Resource: - !Sub arn:aws:sns:${AWS::Region}:${NonProdAccount}:* Roles: - !Ref CloudFormationServiceRole CustomCrossAccountServiceRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: AWS: - !Sub arn:aws:iam::${NonProdAccount}:root Action: - sts:AssumeRole Path: / CustomCrossAccountServicePolicy: Type: AWS::IAM::Policy Properties: PolicyName: !Sub ${AWS::StackName}-CustomCrossAccountServicePolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - cloudformation:* Resource: "*" - Effect: Allow Action: - logs:* Resource: "arn:aws:logs:*:*:*" Roles: - !Ref CustomCrossAccountServiceRole Outputs: CodePipelineActionServiceRole: Value: !GetAtt CodePipelineActionServiceRole.Arn Export: Name: !Sub ${AWS::StackName}-CodePipelineActionServiceRole CloudFormationServiceRole: Value: !GetAtt CloudFormationServiceRole.Arn Export: Name: !Sub ${AWS::StackName}-CloudFormationServiceRole CustomCrossAccountServiceRole: Value: !GetAtt CustomCrossAccountServiceRole.Arn Export: Name: !Sub ${AWS::StackName}-CustomCrossAccountServiceRole