Description: IaCBlog IAM Roles Resources: CodePipelineRole: Type: "AWS::IAM::Role" Properties: RoleName: Fn::Sub: CodePipelineRole-${AWS::StackName} AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "codepipeline.amazonaws.com" Action: - "sts:AssumeRole" Path: / Policies: - PolicyName: "CodePipelineNestedCFNAccessPolicy" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - "s3:DeleteObject" - "s3:GetObject" - "s3:GetObjectVersion" - "s3:ListBucket" - "s3:PutObject" - "s3:GetBucketPolicy" Resource: - Fn::Sub: arn:aws:s3:::* - Fn::Sub: arn:aws:s3:::* - Effect: "Allow" Action: - "sns:Publish" Resource: - "*" - Effect: "Allow" Action: - "codecommit:ListBranches" - "codecommit:ListRepositories" - "codecommit:BatchGetRepositories" - "codecommit:Get*" - "codecommit:GitPull" - "codecommit:UploadArchive" Resource: - "*" - Effect: "Allow" Action: - "cloudformation:CreateChangeSet" - "cloudformation:CreateStack" - "cloudformation:CreateUploadBucket" - "cloudformation:DeleteStack" - "cloudformation:Describe*" - "cloudformation:List*" - "cloudformation:UpdateStack" - "cloudformation:ValidateTemplate" - "cloudformation:ExecuteChangeSet" - "cloudformation:DeleteChangeSet" Resource: - "*" - Effect: "Allow" Action: - "iam:PassRole" Resource: - Fn::Sub: arn:aws:iam::${AWS::AccountId}:role/CloudFormationRole-${AWS::StackName} CloudFormationRole: Type: "AWS::IAM::Role" Properties: RoleName: Fn::Sub: CloudFormationRole-${AWS::StackName} AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "cloudformation.amazonaws.com" Action: - "sts:AssumeRole" Path: / Policies: - PolicyName: "CloudFormationNestedCFNAccessPolicy" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - "iam:AddRoleToInstanceProfile" - "iam:AttachRolePolicy" - "iam:CreateInstanceProfile" - "iam:CreatePolicy" - "iam:CreateRole" - "iam:DeleteInstanceProfile" - "iam:DeletePolicy" - "iam:DeleteRole" - "iam:DeleteRolePolicy" - "iam:DetachRolePolicy" - "iam:GetInstanceProfile" - "iam:GetPolicy" - "iam:GetRole" - "iam:GetRolePolicy" - "iam:ListAttachedRolePolicies" - "iam:ListInstanceProfiles" - "iam:ListInstanceProfilesForRole" - "iam:ListRolePolicies" - "iam:ListRoles" - "iam:PassRole" - "iam:PutRolePolicy" - "iam:RemoveRoleFromInstanceProfile" Resource: - Fn::Sub: arn:aws:iam::${AWS::AccountId}:role/* - Effect: "Allow" Action: - "ec2:Describe*" - "ec2:CreateSecurityGroup" - "autoscaling:Describe*" - "elasticloadbalancing:Describe*" - "elasticloadbalancing:CreateLoadBalancer" - "autoscaling:CreateAutoScalingGroup" - "autoscaling:CreateLaunchConfiguration" Resource: - "*" - Effect: "Allow" Action: - "iam:CreateServiceLinkedRole" - "iam:UpdateRoleDescription" - "iam:DeleteServiceLinkedRole" - "iam:GetServiceLinkedRoleDeletionStatus" Resource: - "*" - Effect: "Allow" Action: - "ec2:AttachNetworkInterface" - "ec2:AttachVolume" - "ec2:AuthorizeSecurityGroupIngress" - "ec2:CreateNetworkInterface" - "ec2:CreateTags" - "ec2:CreateVolume" - "ec2:DeleteSecurityGroup" - "ec2:DeleteTags" - "ec2:DeleteVolume" - "ec2:DetachNetworkInterface" - "ec2:DetachVolume" - "ec2:MonitorInstances" - "ec2:RebootInstances" - "ec2:ReleaseAddress" - "ec2:RunInstances" - "ec2:StartInstances" - "ec2:StopInstances" - "ec2:TerminateInstances" - "ec2:UnmonitorInstances" Resource: - "*" - Effect: "Allow" Action: - "elasticloadbalancing:AddTags" - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer" - "elasticloadbalancing:AttachLoadBalancerToSubnets" - "elasticloadbalancing:ConfigureHealthCheck" - "elasticloadbalancing:CreateListener" - "elasticloadbalancing:CreateLoadBalancerListeners" - "elasticloadbalancing:CreateLoadBalancerPolicy" - "elasticloadbalancing:DeleteListener" - "elasticloadbalancing:DeleteLoadBalancer" - "elasticloadbalancing:DeleteLoadBalancerListeners" - "elasticloadbalancing:DeleteLoadBalancerPolicy" - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer" - "elasticloadbalancing:DetachLoadBalancerFromSubnets" - "elasticloadbalancing:ModifyListener" - "elasticloadbalancing:ModifyLoadBalancerAttributes" - "elasticloadbalancing:RegisterInstancesWithLoadBalancer" - "elasticloadbalancing:RemoveTags" - "elasticloadbalancing:SetSecurityGroups" - "elasticloadbalancing:SetSubnets" - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" - "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer" - "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer" Resource: - Fn::Sub: arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:loadbalancer/* - Effect: "Allow" Action: - "autoscaling:AttachInstances" - "autoscaling:AttachLoadBalancers" - "autoscaling:CreateOrUpdateTags" - "autoscaling:DeleteAutoScalingGroup" - "autoscaling:DeleteLaunchConfiguration" - "autoscaling:DeleteTags" - "autoscaling:SetDesiredCapacity" - "autoscaling:SetInstanceHealth" - "autoscaling:TerminateInstanceInAutoScalingGroup" - "autoscaling:UpdateAutoScalingGroup" Resource: - "*" - Effect: "Allow" Action: - "s3:GetObject" - "s3:ListBucket" Resource: - Fn::Sub: arn:aws:s3:::* - Fn::Sub: arn:aws:s3:::* - Effect: Allow Action: - autoscaling:Describe*" - ec2:AllocateAddress - ec2:AssignPrivateIpAddresses - ec2:AssociateAddress - ec2:AssociateDhcpOptions - ec2:AssociateRouteTable - ec2:AttachInternetGateway - ec2:AttachNetworkInterface - ec2:AttachVpnGateway - ec2:CreateCustomerGateway - ec2:CreateDhcpOptions - ec2:CreateFlowLogs - ec2:CreateInternetGateway - ec2:CreateNatGateway - ec2:CreateNetworkAcl - ec2:CreateNetworkAcl - ec2:CreateNetworkAclEntry - ec2:CreateNetworkInterface - ec2:CreateRoute - ec2:CreateRouteTable - ec2:CreateSecurityGroup - ec2:CreateSubnet - ec2:CreateTags - ec2:CreateVpc - ec2:CreateVpcEndpoint - ec2:CreateVpnConnection - ec2:CreateVpnConnectionRoute - ec2:CreateVpnGateway - ec2:CreatePlacementGroup - ec2:DeletePlacementGroup - ec2:DescribePlacementGroups - ec2:DeleteFlowLogs - ec2:DeleteNatGateway - ec2:DeleteNetworkInterface - ec2:DeleteSubnet - ec2:DeleteTags - ec2:DeleteVpc - ec2:DeleteVpcEndpoints - ec2:DeleteVpnConnection - ec2:DeleteVpnConnectionRoute - ec2:DeleteVpnGateway - ec2:DescribeAddresses - ec2:DescribeAvailabilityZones - ec2:DescribeClassicLinkInstances - ec2:DescribeCustomerGateways - ec2:DescribeVpcClassicLinkDnsSupport - ec2:DescribeDhcpOptions - ec2:DescribeFlowLogs - ec2:DescribeInstances - ec2:DescribeInternetGateways - ec2:DescribeKeyPairs - ec2:DescribeMovingAddresses - ec2:DescribeNatGateways - ec2:DescribeNetworkAcls - ec2:DescribeNetworkInterfaceAttribute - ec2:DescribeNetworkInterfaces - ec2:DescribePrefixLists - ec2:DescribeRouteTables - ec2:DescribeSecurityGroups - ec2:DescribeSubnets - ec2:DescribeTags - ec2:DescribeVpcAttribute - ec2:DescribeVpcClassicLink - ec2:DescribeVpcEndpoints - ec2:DescribeVpcEndpointServices - ec2:DescribeVpcPeeringConnections - ec2:DescribeVpcs - ec2:DescribeVpnConnections - ec2:DescribeVpnGateways - ec2:DetachInternetGateway - ec2:DetachNetworkInterface - ec2:DetachVpnGateway - ec2:DisableVgwRoutePropagation - ec2:DisassociateAddress - ec2:DisassociateRouteTable - ec2:EnableVgwRoutePropagation - ec2:ModifyNetworkInterfaceAttribute - ec2:ModifySubnetAttribute - ec2:ModifyVpcAttribute - ec2:ModifyVpcEndpoint - ec2:MoveAddressToVpc - ec2:ReleaseAddress - ec2:ReplaceNetworkAclAssociation - ec2:ReplaceNetworkAclEntry - ec2:ReplaceRoute - ec2:ReplaceRouteTableAssociation - ec2:ResetNetworkInterfaceAttribute - ec2:RestoreAddressToClassic - ec2:UnassignPrivateIpAddresses - directconnect:* - route53:* - route53domains:* - cloudfront:ListDistributions - elasticloadbalancing:* - elasticbeanstalk:Describe* - elasticbeanstalk:List* - elasticbeanstalk:RetrieveEnvironmentInfo - elasticbeanstalk:RequestEnvironmentInfo - sns:* - cloudwatch:DescribeAlarms - cloudwatch:PutMetricAlarm - cloudwatch:DeleteAlarms - cloudwatch:GetMetricStatistics - logs:DescribeLogGroups - logs:DescribeLogStreams - logs:GetLogEvents Resource: "*" - Effect: Allow Action: - ec2:* - ec2:AcceptVpcPeeringConnection - ec2:AttachClassicLinkVpc - ec2:AuthorizeSecurityGroupEgress - ec2:AuthorizeSecurityGroupIngress - ec2:CreateVpcPeeringConnection - ec2:DeleteCustomerGateway - ec2:DeleteDhcpOptions - ec2:DeleteInternetGateway - ec2:DeleteNetworkAcl - ec2:DeleteNetworkAclEntry - ec2:DeleteRoute - ec2:DeleteRouteTable - ec2:DeleteSecurityGroup - ec2:DeleteVolume - ec2:DeleteVpcPeeringConnection - ec2:DetachClassicLinkVpc - ec2:DisableVpcClassicLink - ec2:EnableVpcClassicLink - ec2:GetConsoleScreenshot - ec2:RejectVpcPeeringConnection - ec2:RevokeSecurityGroupEgress - ec2:RevokeSecurityGroupIngress Resource: - "*" - Effect: Allow Action: - s3:ListBucket - s3:GetBucketLocation - s3:GetBucketWebsiteConfiguration - s3:CreateBucket Resource: - "*" - Effect: Allow Action: - iam:GetRole - iam:ListRoles - iam:PassRole Resource: arn:aws:iam::*:role/flow-logs-* Outputs: CodePipelineRole: Description: CodePipelineRole Value: Ref: CodePipelineRole Export: Name: Fn::Sub: "${AWS::StackName}-CodePipelineRole" CloudFormationRole: Description: CloudFormationRole Value: Ref: CloudFormationRole Export: Name: Fn::Sub: "${AWS::StackName}-CloudFormationRole"