Add org data sharing role template and deploy action

.github/workflows/deploy-role-PRX-Organization-CrossAccountSharingRole.yml

@@ -0,0 +1,39 @@
+name: Deploy PRX-Organization-CrossAccountSharingRole
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - iam-roles/PRX-Organization-CrossAccountSharingRole/template.yml
+
+concurrency:
+  group: ${{ github.workflow }}
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-2
+          role-to-assume: arn:aws:iam::048723829744:role/PRX-GHA-AccessRole
+          role-session-name: gha-deploy-org-share-role
+
+      - name: Deploy to management account
+        working-directory: iam-roles/PRX-Organization-CrossAccountSharingRole
+        run: |
+          aws cloudformation deploy \
+            --region us-east-2 \
+            --stack-name PRX-Organization-CrossAccountSharingRole \
+            --template-file template.yml \
+            --capabilities CAPABILITY_NAMED_IAM \
+            --no-fail-on-empty-changeset \
+            --role-arn arn:aws:iam::048723829744:role/PRX-GHA-ServiceRoleForCloudFormation

iam-roles/PRX-Organization-CrossAccountSharingRole/template.yml

@@ -0,0 +1,52 @@
+AWSTemplateFormatVersion: "2010-09-09"
+
+Description: >-
+  Creates the specially named PRX-Organization-CrossAccountSharingRole, which
+  has read-only access to information about an AWS Organization. It is intended
+  to be launched only in an Organization's management account, but can be
+  assumed by any other account within the Organization.
+
+Resources:
+  # The main purpose of this role is to allow management tooling to fetch basic
+  # information about the AWS Organization it exists within, such as getting a
+  # list of all accounts within the organization. It has limited utility
+  # otherwise, and should not be granted any additional permissions.
+  CrossAccountSharingRole:
+    Type: AWS::IAM::Role
+    Properties:
+      # Allow all principals in the same AWS organization as this role to
+      # assume this role.
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action: sts:AssumeRole
+            Condition:
+              StringEquals:
+                aws:ResourceOrgID: ${aws:PrincipalOrgID}
+            Effect: Allow
+            Principal:
+              AWS: "*"
+        Version: "2012-10-17"
+      Policies:
+        - PolicyDocument:
+            Statement:
+              - Action:
+                  - organizations:Describe*
+                  - organizations:List*
+                Effect: Allow
+                Resource: "*"
+                Sid: AllowOrganizationsReadOnly
+            Version: "2012-10-17"
+          PolicyName: OrganizationsAccess
+      RoleName: PRX-Organization-CrossAccountSharingRole
+      Tags:
+        - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
+        - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
+        - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
+        - { Key: prx:ops:environment, Value: Production }
+        - { Key: prx:dev:application, Value: DevOps }
+
+Outputs:
+  RoleName:
+    Value: !Ref CrossAccountSharingRole
+  RoleArn:
+    Value: !GetAtt CrossAccountSharingRole.Arn