---
# Shared CI/CD plumbing for a Lambda application: one service role (plus an
# inline policy) each for CodeBuild, CloudFormation and CodePipeline, with the
# three role ARNs exported as stack outputs for the pipeline stack to consume.
AWSTemplateFormatVersion: "2010-09-09"
Description: Common resources for application deployed to Lambda

Parameters:
  AppName:
    Type: String
    Description: Name of the application.
    # Also used as the prefix of every role name created here and of the
    # role ARNs the CloudFormation role is allowed to manage.
    MinLength: "1"
    MaxLength: "100"

Resources:
  # ---------------------------------------------------------------------------
  # CodeBuild
  # ---------------------------------------------------------------------------
  CodeBuildTrustRole:
    Description: Creating service role in IAM for AWS CodeBuild
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AppName}-codebuild-role"
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codebuild.amazonaws.com
            Action: sts:AssumeRole
      Path: /

  CodeBuildRolePolicy:
    Type: AWS::IAM::Policy
    # Roles: [!Ref CodeBuildTrustRole] below already creates an implicit
    # dependency on the role; the explicit DependsOn is kept for clarity.
    DependsOn: CodeBuildTrustRole
    Description: Setting IAM policy for the service role for AWS CodeBuild
    Properties:
      PolicyName: CodeBuildRolePolicy
      PolicyDocument:
        Statement:
          # CloudWatch Logs for build output.
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource:
              - "*"
          # NOTE(review): s3:* on every bucket in the account is far wider than
          # reading source / writing artifacts needs; consider restricting the
          # Resource to the pipeline artifact bucket once its name is known.
          - Effect: Allow
            Action:
              - "s3:*"
            Resource:
              - "*"
          # NOTE(review): KMS grants on "*" cover every key in the account;
          # the artifact-bucket key ARN would be the least-privilege scope.
          - Effect: Allow
            Action:
              - "kms:GenerateDataKey*"
              - kms:Encrypt
              - kms:Decrypt
            Resource:
              - "*"
          # NOTE(review): sns:SendMessage is not an SNS API action (SNS uses
          # sns:Publish; SendMessage belongs to SQS), so this statement grants
          # nothing as written — confirm which service was intended.
          - Effect: Allow
            Action:
              - sns:SendMessage
            Resource:
              - "*"
      Roles:
        - !Ref CodeBuildTrustRole

  # ---------------------------------------------------------------------------
  # CloudFormation (deploys the application stack on the pipeline's behalf)
  # ---------------------------------------------------------------------------
  CloudFormationTrustRole:
    Description: Creating service role in IAM for AWS CloudFormation
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AppName}-cloudformation-role"
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Path: /

  CloudFormationRolePolicy:
    Type: AWS::IAM::Policy
    DependsOn: CloudFormationTrustRole
    Description: Setting IAM policy for the service role for AWS CloudFormation
    Properties:
      PolicyName: CloudFormationRolePolicy
      PolicyDocument:
        Statement:
          # Read deployment artifacts.
          - Effect: Allow
            Action:
              - s3:GetObject
              - s3:GetObjectVersion
              - s3:GetBucketVersioning
            Resource: "*"
          - Effect: Allow
            Action:
              - s3:PutObject
            Resource:
              - "arn:aws:s3:::codepipeline*"
          # Lambda functions and API Gateway APIs in this region/account.
          - Effect: Allow
            Action:
              - "lambda:*"
            Resource: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*"
          - Effect: Allow
            Action:
              - "apigateway:*"
            Resource: !Sub "arn:aws:apigateway:${AWS::Region}::*"
          # Role management is limited to roles named after the application.
          - Effect: Allow
            Action:
              - iam:GetRole
              - iam:CreateRole
              - iam:DeleteRole
            Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/${AppName}-*"
          - Effect: Allow
            Action:
              - iam:AttachRolePolicy
              - iam:DetachRolePolicy
            Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/${AppName}-*"
          # NOTE(review): iam:PassRole on "*" lets this role hand any role in
          # the account to Lambda / API Gateway, whereas the neighbouring iam
          # statements are scoped to ${AppName}-*. If the application stack only
          # passes roles it creates itself, the same ARN pattern would fit here.
          - Effect: Allow
            Action:
              - iam:PassRole
            Resource:
              - "*"
          # Needed to expand the SAM (Serverless) transform in change sets.
          - Effect: Allow
            Action:
              - cloudformation:CreateChangeSet
            Resource: !Sub "arn:aws:cloudformation:${AWS::Region}:aws:transform/Serverless-2016-10-31"
      Roles:
        - !Ref CloudFormationTrustRole

  # ---------------------------------------------------------------------------
  # CodePipeline
  # ---------------------------------------------------------------------------
  CodePipelineTrustRole:
    Description: Creating service role in IAM for AWS CodePipeline
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AppName}-codepipeline-role"
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codepipeline.amazonaws.com
            Action: sts:AssumeRole
      Path: /

  CodePipelineRolePolicy:
    Type: AWS::IAM::Policy
    DependsOn: CodePipelineTrustRole
    Description: Setting IAM policy for the service role for AWS CodePipeline
    Properties:
      PolicyName: CodePipelineRolePolicy
      PolicyDocument:
        Statement:
          # Artifact bucket access.
          - Effect: Allow
            Action:
              - s3:GetObject
              - s3:GetObjectVersion
              - s3:GetBucketVersioning
            Resource: "*"
          - Effect: Allow
            Action:
              - s3:PutObject
            Resource:
              - "arn:aws:s3:::codepipeline*"
          # Build stage.
          - Effect: Allow
            Action:
              - codebuild:StartBuild
              - codebuild:BatchGetBuilds
            Resource: "*"
          # NOTE(review): full-service wildcards (cloudwatch, s3, sns,
          # cloudformation, rds, sqs) plus iam:PassRole on every resource make
          # this the most privileged role in the template; nothing else in the
          # file shows rds or sqs being used by the pipeline. Worth trimming to
          # the actions the pipeline stages actually call, and scoping PassRole
          # to the CloudFormation role defined above.
          - Effect: Allow
            Action:
              - "cloudwatch:*"
              - "s3:*"
              - "sns:*"
              - "cloudformation:*"
              - "rds:*"
              - "sqs:*"
              - iam:PassRole
            Resource: "*"
          # Lambda invoke actions (e.g. for custom pipeline actions).
          - Effect: Allow
            Action:
              - lambda:InvokeFunction
              - lambda:ListFunctions
            Resource: "*"
      Roles:
        - !Ref CodePipelineTrustRole

Outputs:
  CodePipelineRole:
    Description: "Role for code pipeline"
    Value: !GetAtt CodePipelineTrustRole.Arn
  CloudformationDeployRole:
    Description: "Role for cloudformation to deploy with."
    Value: !GetAtt CloudFormationTrustRole.Arn
  CodeBuildRole:
    Description: "Role for code build to build"
    Value: !GetAtt CodeBuildTrustRole.Arn