# Copyright 2017 Amazon.com, Inc. or its affiliates. All Rights Reserved. # Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with # the License. A copy of the License is located at # http://aws.amazon.com/apache2.0/ # or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR # CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and # limitations under the License. AWSTemplateFormatVersion: '2010-09-09' Description: Creates a CMK in KMS and grants access to other accounts Parameters: ServiceName: Description: Name of the microservice Type: String TestAccount: Description: AWS AccountNumber for test Type: Number ProductionAccount: Description: AWS AccountNumber for production Type: Number TemplateBucket: Type: String InfrastructureTemplateBucket: Type: String Resources: KMSKey: Type: AWS::KMS::Key DependsOn: BuildProjectRole Properties: Description: Used by Assumed Roles in Dev/Test/Prod accounts to Encrypt/Decrypt code EnableKeyRotation: true KeyPolicy: Version: "2012-10-17" Id: !Ref AWS::StackName Statement: - Sid: Allows admin of the key Effect: Allow Principal: AWS: !Sub arn:aws:iam::${AWS::AccountId}:root Action: - "kms:Create*" - "kms:Describe*" - "kms:Enable*" - "kms:List*" - "kms:Put*" - "kms:Update*" - "kms:Revoke*" - "kms:Disable*" - "kms:Get*" - "kms:Delete*" - "kms:ScheduleKeyDeletion" - "kms:CancelKeyDeletion" Resource: "*" - Sid: Allow use of the key for CryptoGraphy Lambda Effect: Allow Principal: AWS: - !Sub arn:aws:iam::${ProductionAccount}:root - !Sub arn:aws:iam::${TestAccount}:root - !Sub arn:aws:iam::${AWS::AccountId}:role/${Repository}-cb-role Action: - kms:Encrypt - kms:Decrypt - kms:ReEncrypt* - kms:GenerateDataKey* - kms:DescribeKey Resource: "*" KMSAlias: Type: AWS::KMS::Alias Properties: AliasName: !Sub alias/codepipeline-${Repository}-crossaccounts TargetKeyId: !Ref KMSKey ArtifactBucket: Type: AWS::S3::Bucket DeletionPolicy: Retain Repository: Type: AWS::ECR::Repository Properties: RepositoryName: !Ref ServiceName RepositoryPolicyText: Version: "2012-10-17" Statement: - Sid: AllowPushPull Effect: Allow Principal: AWS: - !Sub "arn:aws:iam::${ProductionAccount}:root" Action: - "ecr:*" LambdaExecutionRole: Type: AWS::IAM::Role Properties: RoleName: !Sub ${Repository}-lambda-role AssumeRolePolicyDocument: Version: '2012-10-17' Statement: Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole Path: "/" Policies: - PolicyName: root PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: arn:aws:logs:*:*:* CFDeployerRole: Type: AWS::IAM::Role Properties: RoleName: !Sub ${Repository}-cfdeployer-role AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - cloudformation.amazonaws.com Action: - sts:AssumeRole Path: / CFDeployerPolicy: Type: AWS::IAM::Policy Properties: PolicyName: !Sub ${Repository}-cfdeployer-policy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - lambda:AddPermission - lambda:CreateFunction - lambda:DeleteFunction - lambda:InvokeFunction - lambda:RemovePermission - lambda:UpdateFunctionCode - lambda:GetFunctionConfiguration - lambda:GetFunction - lambda:UpdateFunctionConfiguration - events:* # Required for the sample lambda function to work - apigateway:* - cloudformation:* - ecs:* - ecr:* - iam:* - dynamodb:* - ec2:* - elasticloadbalancing:* - autoscaling:* - application-autoscaling:* - s3:* - ssm:GetParameters Resource: "*" - Effect: Allow Action: - s3:PutObject - s3:GetBucketPolicy - s3:GetObject - s3:GetObjectVersion - s3:GetBucketVersioning - s3:ListBucket Resource: - !Join ['',['arn:aws:s3:::',!Ref ArtifactBucket, '/*']] - !Join ['',['arn:aws:s3:::',!Ref ArtifactBucket]] - Effect: Allow Action: - dynamodb:* Resource: - !Sub 'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${Repository}*' Roles: - !Ref CFDeployerRole BuildProjectRole: Type: AWS::IAM::Role Properties: RoleName: !Sub ${Repository}-cb-role AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - codebuild.amazonaws.com Action: - sts:AssumeRole Path: / BuildProjectPolicy: Type: AWS::IAM::Policy Properties: PolicyName: !Sub ${Repository}-cb-policy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - s3:PutObject - s3:GetBucketPolicy - s3:GetObject - s3:ListBucket Resource: - !Join ['',['arn:aws:s3:::',!Ref ArtifactBucket, '/*']] - !Join ['',['arn:aws:s3:::',!Ref ArtifactBucket]] - Resource: !Sub arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/${Repository} Effect: Allow Action: - ecr:GetDownloadUrlForLayer - ecr:BatchGetImage - ecr:BatchCheckLayerAvailability - ecr:PutImage - ecr:InitiateLayerUpload - ecr:UploadLayerPart - ecr:CompleteLayerUpload - ecr:GetAuthorizationToken - Resource: "*" Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - ecr:GetAuthorizationToken - cloudformation:Describe* - elasticloadbalancing:Describe* - codepipeline:Get* - codebuild:BatchGetBuilds - Effect: Allow Action: - kms:* Resource: !GetAtt [KMSKey,Arn] - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: arn:aws:logs:*:*:* Roles: - !Ref BuildProjectRole PipeLineRole: Type: AWS::IAM::Role Properties: RoleName: !Sub ${Repository}-pipeline-role AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - codepipeline.amazonaws.com Action: - sts:AssumeRole Path: / PipelinePolicy: Type: AWS::IAM::Policy DependsOn: CodeCommitRole Properties: PolicyName: !Sub ${Repository}-pipeline-policy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - codepipeline:* - iam:ListRoles - cloudformation:Describe* - cloudFormation:List* - codecommit:List* - codecommit:Get* - codecommit:GitPull - codecommit:UploadArchive - codecommit:CancelUploadArchive - codebuild:BatchGetBuilds - codebuild:StartBuild - cloudformation:CreateStack - cloudformation:DeleteStack - cloudformation:DescribeStacks - cloudformation:UpdateStack - cloudformation:CreateChangeSet - cloudformation:DeleteChangeSet - cloudformation:DescribeChangeSet - cloudformation:ExecuteChangeSet - cloudformation:SetStackPolicy - cloudformation:ValidateTemplate - iam:PassRole - s3:ListAllMyBuckets - s3:GetBucketLocation - lambda:* - logs:* Resource: - "*" - Effect: Allow Action: - kms:Encrypt - kms:Decrypt - kms:ReEncrypt* - kms:GenerateDataKey* - kms:DescribeKey Resource: !GetAtt [KMSKey,Arn] - Effect: Allow Action: - s3:PutObject - s3:GetBucketPolicy - s3:GetObject - s3:ListBucket - s3:GetObjectVersion - s3:GetBucketVersioning Resource: - !Join ['',['arn:aws:s3:::',!Ref ArtifactBucket, '/*']] - !Join ['',['arn:aws:s3:::',!Ref ArtifactBucket]] - !Join ['',['arn:aws:s3:::',!Ref TemplateBucket, '/*']] - !Join ['',['arn:aws:s3:::',!Ref TemplateBucket]] - !Join ['',['arn:aws:s3:::',!Ref InfrastructureTemplateBucket, '/*']] - !Join ['',['arn:aws:s3:::',!Ref InfrastructureTemplateBucket]] - Effect: Allow Action: - sts:AssumeRole Resource: - !Sub arn:aws:iam::${ProductionAccount}:role/${Repository}-cc-role - !Sub arn:aws:iam::${ProductionAccount}:role/${Repository}-cfdeployer-role - !Sub arn:aws:iam::${TestAccount}:role/${Repository}-codecommit-role Roles: - !Ref PipeLineRole CodeCommitRole: Type: AWS::IAM::Role Properties: RoleName: !Sub ${Repository}-codecommit-role AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: AWS: - !Ref TestAccount Action: - sts:AssumeRole Path: / CodeCommitPolicy: Type: AWS::IAM::Policy Properties: PolicyName: !Sub ${Repository}-codecommit-policy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - codecommit:BatchGetRepositories - codecommit:Get* - codecommit:GitPull - codecommit:List* - codecommit:CancelUploadArchive - codecommit:UploadArchive - s3:* Resource: "*" - Effect: Allow Action: - kms:* Resource: !GetAtt [KMSKey,Arn] Roles: - !Ref CodeCommitRole Outputs: CMK: Value: !GetAtt [KMSKey,Arn] ArtifactBucket: Value: !Ref ArtifactBucket Repository: Value: !Ref Repository BuildProjectRole: Value: !Ref BuildProjectRole PipeLineRole: Value: !GetAtt PipeLineRole.Arn CFDeployerRole: Value: !GetAtt CFDeployerRole.Arn