Add org sink roles and deploy action

.github/workflows/deploy-roles-org-sink-bus-roles.yml

@@ -0,0 +1,51 @@
+name: Deploy org sink bus roles
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - iam-roles/org-sink-bus-roles/template.yml
+
+concurrency:
+  group: ${{ github.workflow }}
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-2
+          role-to-assume: arn:aws:iam::048723829744:role/PRX-GHA-AccessRole
+          role-session-name: gha-deploy-org-sink-roles
+
+      - name: Deploy to management account
+        working-directory: iam-roles/org-sink-bus-roles
+        run: |
+          aws cloudformation deploy \
+            --region us-east-2 \
+            --stack-name org-sink-bus-roles \
+            --template-file template.yml \
+            --capabilities CAPABILITY_NAMED_IAM \
+            --no-fail-on-empty-changeset \
+            --role-arn arn:aws:iam::048723829744:role/PRX-GHA-ServiceRoleForCloudFormation
+
+      # - name: Update stack set
+      #   working-directory: iam-roles/org-sink-bus-roles
+      #   run: |
+      #     template_body=$(cat template.yml)
+
+      #     aws cloudformation update-stack-set \
+      #       --stack-set-name org-sink-bus-roles \
+      #       --capabilities CAPABILITY_NAMED_IAM \
+      #       --template-body "$template_body" \
+      #       --operation-preferences FailureTolerancePercentage=100,MaxConcurrentPercentage=100,ConcurrencyMode=SOFT_FAILURE_TOLERANCE,RegionConcurrencyType=PARALLEL \
+      #       --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false

iam-roles/org-sink-bus-roles/template.yml

@@ -0,0 +1,110 @@
+AWSTemplateFormatVersion: "2010-09-09"
+
+Resources:
+  CloudWatchOrgSinkRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action: sts:AssumeRole
+            Effect: Allow
+            Principal:
+              Service: events.amazonaws.com
+        Version: "2012-10-17"
+      Policies:
+        - PolicyDocument:
+            Statement:
+              - Action: events:PutEvents
+                Effect: Allow
+                Resource: arn:aws:events:us-east-2:578003269847:event-bus/CloudWatch-org-sink
+                Sid: AllowSendingEventsToSinkBus
+            Version: "2012-10-17"
+          PolicyName: CloudWatchOrgSinkPolicy
+      RoleName: PRX-CloudWatchOrgSinkRole
+      Tags:
+        - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
+        - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
+        - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
+        - { Key: prx:ops:environment, Value: Production }
+        - { Key: prx:dev:application, Value: DevOps }
+
+  CloudFormationOrgSinkRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action: sts:AssumeRole
+            Effect: Allow
+            Principal:
+              Service: events.amazonaws.com
+        Version: "2012-10-17"
+      Policies:
+        - PolicyDocument:
+            Statement:
+              - Action: events:PutEvents
+                Effect: Allow
+                Resource: arn:aws:events:us-east-2:578003269847:event-bus/CloudFormation-org-sink
+                Sid: AllowSendingEventsToSinkBus
+            Version: "2012-10-17"
+          PolicyName: CloudFormationOrgSinkPolicy
+      RoleName: PRX-CloudFormationOrgSinkRole
+      Tags:
+        - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
+        - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
+        - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
+        - { Key: prx:ops:environment, Value: Production }
+        - { Key: prx:dev:application, Value: DevOps }
+
+  CloudTrailOrgSinkRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action: sts:AssumeRole
+            Effect: Allow
+            Principal:
+              Service: events.amazonaws.com
+        Version: "2012-10-17"
+      Policies:
+        - PolicyDocument:
+            Statement:
+              - Action: events:PutEvents
+                Effect: Allow
+                Resource: arn:aws:events:us-east-2:578003269847:event-bus/CloudTrail-org-sink
+                Sid: AllowSendingEventsToSinkBus
+            Version: "2012-10-17"
+          PolicyName: CloudTrailOrgSinkPolicy
+      RoleName: PRX-CloudTrailOrgSinkRole
+      Tags:
+        - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
+        - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
+        - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
+        - { Key: prx:ops:environment, Value: Production }
+        - { Key: prx:dev:application, Value: DevOps }
+
+  SlackOrgSinkRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action: sts:AssumeRole
+            Effect: Allow
+            Principal:
+              Service: events.amazonaws.com
+        Version: "2012-10-17"
+      Policies:
+        - PolicyDocument:
+            Statement:
+              - Action: events:PutEvents
+                Effect: Allow
+                Resource: arn:aws:events:us-east-2:578003269847:event-bus/Slack-org-sink
+                Sid: AllowSendingEventsToSinkBus
+            Version: "2012-10-17"
+          PolicyName: SlackBusPolicy
+      RoleName: PRX-SlackOrgSinkRole
+      Tags:
+        - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
+        - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
+        - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
+        - { Key: prx:ops:environment, Value: Production }
+        - { Key: prx:dev:application, Value: DevOps }