AWSTemplateFormatVersion: '2010-09-09' Parameters: GitHubOrg: Type: String Default: aws RepositoryName: Type: String Default: aws-parallelcluster-ui OIDCProviderArn: Description: Arn for the GitHub OIDC Provider. If left empty a new OIDCProvider will be created. Default: "" Type: String Conditions: CreateOIDCProvider: !Equals - !Ref OIDCProviderArn - "" Resources: InfrastructureBucket: Type: AWS::S3::Bucket Properties: VersioningConfiguration: Status: Enabled BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 PrivateDeployRole: Type: AWS::IAM::Role Properties: Description: "Role used to deploy PCM to a private environment (for example, demo)" AssumeRolePolicyDocument: Statement: - Effect: Allow Action: sts:AssumeRoleWithWebIdentity Principal: Federated: !If - CreateOIDCProvider - !Ref GithubOidc - !Ref OIDCProviderArn Condition: StringEquals: token.actions.githubusercontent.com:aud: sts.amazonaws.com token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:ref:refs/heads/main Policies: - PolicyName: UpdateLambdaFromPrivateECR PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - lambda:UpdateFunctionCode - ecr:DescribeRepositories - cloudformation:DescribeStackResources Resource: - !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:ParallelClusterUIFunction* - !Sub arn:${AWS::Partition}:ecr:${AWS::Region}:${AWS::AccountId}:repository/* - !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*/* - Effect: Allow Action: - lambda:ListFunctions - ecr:GetAuthorizationToken - sts:GetCallerIdentity Resource: "*" - Effect: Allow Action: - ecr:CompleteLayerUpload - ecr:UploadLayerPart - ecr:InitiateLayerUpload - ecr:BatchCheckLayerAvailability - ecr:PutImage Resource: !Sub arn:${AWS::Partition}:ecr:${AWS::Region}:${AWS::AccountId}:repository/parallelcluster-ui* GithubOidc: Type: AWS::IAM::OIDCProvider Condition: CreateOIDCProvider Properties: Url: https://token.actions.githubusercontent.com ClientIdList: - sts.amazonaws.com ThumbprintList: - 6938fd4d98bab03faadb97b34396831e3780aea1 PrivateInfrastructureUpdateRole: Type: AWS::IAM::Role Properties: Description: "Role used to update the infrastructure of a private environment (for example, demo)" AssumeRolePolicyDocument: Statement: - Effect: Allow Action: sts:AssumeRoleWithWebIdentity Principal: Federated: !If - CreateOIDCProvider - !Ref GithubOidc - !Ref OIDCProviderArn Condition: StringEquals: token.actions.githubusercontent.com:aud: sts.amazonaws.com token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:ref:refs/heads/main Policies: - PolicyName: UpdateInfrastructurePolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - cloudformation:DescribeStacks - cloudformation:DescribeStackResources - cloudformation:UpdateStack - cloudformation:CreateChangeSet Resource: - !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/parallelcluster-ui-demo* - !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}* - !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:aws:transform/* - Effect: Allow Action: - s3:PutObject - s3:GetObject - s3:ListBucket - s3:DeleteObject - s3:GetBucketLocation - s3:GetObjectTagging - s3:GetObjectAcl - s3:PutObjectAcl Resource: - !GetAtt 'InfrastructureBucket.Arn' - !Join ['', [!GetAtt 'InfrastructureBucket.Arn', '/*']] - !Sub arn:${AWS::Partition}:s3:::${AWS::Region}-aws-parallelcluster - !Sub arn:${AWS::Partition}:s3:::${AWS::Region}-aws-parallelcluster/* - Effect: Allow Action: - iam:GetRole - iam:CreatePolicy - iam:DeletePolicy - iam:GetPolicy - iam:ListPolicyVersions - iam:DeletePolicyVersion - iam:DetachRolePolicy - iam:AttachRolePolicy - iam:PassRole Resource: - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/parallelcluster-ui-demo* - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/parallelcluster-ui-demo* - Effect: Allow Action: - lambda:UpdateFunctionConfiguration Resource: - !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:ParallelClusterUIFunction-* - Effect: Allow Action: - cognito-idp:UpdateGroup - cognito-idp:DeleteGroup Resource: - !Sub arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/* - PolicyName: ImageBuilderPolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - imagebuilder:UpdateInfrastructureConfiguration Resource: - !Sub arn:${AWS::Partition}:imagebuilder:${AWS::Region}:${AWS::AccountId}:infrastructure-configuration/parallelclusteruiimagebuilderinfrastructureconfiguration-* - PolicyName: PassRolePolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - iam:PassRole Resource: - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/executionServiceEC2Role/parallelcluster-ui-demo-ImageBuilderInstanceRole* E2ETestExecution: Type: AWS::IAM::Role Properties: Description: "Role used to run PCM E2E test suite" AssumeRolePolicyDocument: Statement: - Effect: Allow Action: sts:AssumeRoleWithWebIdentity Principal: Federated: !If - CreateOIDCProvider - !Ref GithubOidc - !Ref OIDCProviderArn Condition: StringEquals: token.actions.githubusercontent.com:aud: sts.amazonaws.com token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:ref:refs/heads/main Policies: - PolicyName: SecretsManagerRead PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: secretsmanager:ListSecrets Resource: "*" - Effect: Allow Action: secretsmanager:GetSecretValue Resource: !Sub arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:e2e/test1-AUsDgk Outputs: PrivateDeployRole: Value: !GetAtt PrivateDeployRole.Arn PrivateInfrastructureUpdateRole: Value: !GetAtt PrivateInfrastructureUpdateRole.Arn E2ETestExecutionRole: Value: !GetAtt E2ETestExecution.Arn