AWSTemplateFormatVersion: '2010-09-09' Description: The AWS CloudFormation template that creates the CodePipeline resources in the tooling account Parameters: CodePipelineCrossAccountRoleName: Type: String Default: "CodePipelineCrossAccountRole" CloudFormationCrossAccountRoleName: Type: String Default: "CloudFormationCrossAccountRole" ToolAccountID: Description: Account ID of the TOOLS AWS Account that initiates code deployment to this account. Type: String ConstraintDescription: Must be a valid AWS Account ID without hyphens. AllowedPattern: '\d{12}' MinLength: 12 MaxLength: 12 ArtifactsBucketArn: Type: String Default: '' ImageRepositoryArn: Type: String Default: '' Conditions: DeployPipelinePolicy: !Not [!Equals [!Ref ArtifactsBucketArn, '']] Resources: CloudFormationCrossAccountRole: Type: AWS::IAM::Role Properties: RoleName: !Ref CloudFormationCrossAccountRoleName AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: cloudformation.amazonaws.com Action: - 'sts:AssumeRole' Policies: - PolicyName: GrantCloudFormationFullAccess PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: '*' Resource: '*' CodePipelineCrossAccountRole: Type: AWS::IAM::Role Properties: RoleName: !Ref CodePipelineCrossAccountRoleName Tags: - Key: Role Value: pipeline-execution-role AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: AWS: - !Sub arn:${AWS::Partition}:iam::${ToolAccountID}:root Action: - 'sts:AssumeRole' Condition: StringEquals: aws:PrincipalTag/Role: pipeline-codebuild-service-role CodePipelineCrossAccountPermissionPolicy: Condition: DeployPipelinePolicy Type: AWS::IAM::Policy Properties: PolicyName: CodePipelineCrossAccountPermission PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: 'iam:PassRole' Resource: !GetAtt CloudFormationCrossAccountRole.Arn - Effect: Allow Action: - "cloudformation:CreateChangeSet" - "cloudformation:DescribeChangeSet" - "cloudformation:ExecuteChangeSet" - "cloudformation:DeleteStack" - "cloudformation:DescribeStackEvents" - "cloudformation:DescribeStacks" - "cloudformation:GetTemplate" - "cloudformation:GetTemplateSummary" - "cloudformation:DescribeStackResource" Resource: '*' - Effect: Allow Action: - 's3:DeleteObject' - 's3:GetObject*' - 's3:PutObject*' - 's3:GetBucket*' - 's3:List*' Resource: - !Join [ '',[ !Ref ArtifactsBucketArn, '/*' ] ] - !Ref ArtifactsBucketArn - Effect: "Allow" Action: "ecr:GetAuthorizationToken" Resource: "*" - Effect: "Allow" Action: - "ecr:GetDownloadUrlForLayer" - "ecr:BatchDeleteImage" - "ecr:BatchGetImage" - "ecr:BatchCheckLayerAvailability" - "ecr:PutImage" - "ecr:InitiateLayerUpload" - "ecr:UploadLayerPart" - "ecr:CompleteLayerUpload" Resource: - !Ref ImageRepositoryArn Roles: - !Ref CodePipelineCrossAccountRole Outputs: CloudFormationCrossAccountRole: Description: ARN of the IAM Role(CloudFormationCrossAccountRole) Value: !GetAtt CloudFormationCrossAccountRole.Arn CodePipelineCrossAccountRole: Description: ARN of the IAM Role(CodePipelineCrossAccountRole) Value: !GetAtt CodePipelineCrossAccountRole.Arn