diff --git a/.github/workflows/deploy-roles-org-sink-bus-roles.yml b/.github/workflows/deploy-roles-org-sink-bus-roles.yml
new file mode 100644
index 000000000..e44f467b7
--- /dev/null
+++ b/.github/workflows/deploy-roles-org-sink-bus-roles.yml
@@ -0,0 +1,51 @@
+name: Deploy org sink bus roles
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - iam-roles/org-sink-bus-roles/template.yml
+
+concurrency:
+ group: ${{ github.workflow }}
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: us-east-2
+ role-to-assume: arn:aws:iam::048723829744:role/PRX-GHA-AccessRole
+ role-session-name: gha-deploy-org-sink-roles
+
+ - name: Deploy to management account
+ working-directory: iam-roles/org-sink-bus-roles
+ run: |
+ aws cloudformation deploy \
+ --region us-east-2 \
+ --stack-name org-sink-bus-roles \
+ --template-file template.yml \
+ --capabilities CAPABILITY_NAMED_IAM \
+ --no-fail-on-empty-changeset \
+ --role-arn arn:aws:iam::048723829744:role/PRX-GHA-ServiceRoleForCloudFormation
+
+ # - name: Update stack set
+ # working-directory: iam-roles/org-sink-bus-roles
+ # run: |
+ # template_body=$(cat template.yml)
+
+ # aws cloudformation update-stack-set \
+ # --stack-set-name org-sink-bus-roles \
+ # --capabilities CAPABILITY_NAMED_IAM \
+ # --template-body "$template_body" \
+ # --operation-preferences FailureTolerancePercentage=100,MaxConcurrentPercentage=100,ConcurrencyMode=SOFT_FAILURE_TOLERANCE,RegionConcurrencyType=PARALLEL \
+ # --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false
diff --git a/iam-roles/org-sink-bus-roles/template.yml b/iam-roles/org-sink-bus-roles/template.yml
new file mode 100644
index 000000000..21983f15c
--- /dev/null
+++ b/iam-roles/org-sink-bus-roles/template.yml
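Review bot: Both actions in the `steps` list (`actions/checkout@v4` and `aws-actions/configure-aws-credentials@v4`) are referenced by mutable major-version tags, and this job exchanges its OIDC token for an AWS role that then deploys IAM roles with CAPABILITY_NAMED_IAM, so a retagged or compromised action release would run with those credentials. Pin each to a full-length commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, and let Dependabot or Renovate move the pin. Separately, the `paths` filter lists only the template, so an edit to this workflow file itself never triggers a deploy; adding `.github/workflows/deploy-roles-org-sink-bus-roles.yml` to `paths` is worth considering if that is not intentional. The commented-out `Update stack set` step would be clearer as a tracked TODO with a one-line reason than as dead YAML carried in the workflow.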
@@ -0,0 +1,110 @@
+AWSTemplateFormatVersion: "2010-09-09"
+
+Resources:
+ CloudWatchOrgSinkRole:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Statement:
+ - Action: sts:AssumeRole
+ Effect: Allow
+ Principal:
+ Service: events.amazonaws.com
+ Version: "2012-10-17"
+ Policies:
+ - PolicyDocument:
+ Statement:
+ - Action: events:PutEvents
+ Effect: Allow
+ Resource: arn:aws:events:us-east-2:578003269847:event-bus/CloudWatch-org-sink
+ Sid: AllowSendingEventsToSinkBus
+ Version: "2012-10-17"
+ PolicyName: CloudWatchOrgSinkPolicy
+ RoleName: PRX-CloudWatchOrgSinkRole
+ Tags:
+ - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
+ - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
+ - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
+ - { Key: prx:ops:environment, Value: Production }
+ - { Key: prx:dev:application, Value: DevOps }
+
+ CloudFormationOrgSinkRole:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Statement:
+ - Action: sts:AssumeRole
+ Effect: Allow
+ Principal:
+ Service: events.amazonaws.com
+ Version: "2012-10-17"
+ Policies:
+ - PolicyDocument:
+ Statement:
+ - Action: events:PutEvents
+ Effect: Allow
+ Resource: arn:aws:events:us-east-2:578003269847:event-bus/CloudFormation-org-sink
+ Sid: AllowSendingEventsToSinkBus
+ Version: "2012-10-17"
+ PolicyName: CloudFormationOrgSinkPolicy
+ RoleName: PRX-CloudFormationOrgSinkRole
+ Tags:
+ - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
+ - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
+ - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
+ - { Key: prx:ops:environment, Value: Production }
+ - { Key: prx:dev:application, Value: DevOps }
+
+ CloudTrailOrgSinkRole:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Statement:
+ - Action: sts:AssumeRole
+ Effect: Allow
+ Principal:
+ Service: events.amazonaws.com
+ Version: "2012-10-17"
+ Policies:
+ - PolicyDocument:
+ Statement:
+ - Action: events:PutEvents
+ Effect: Allow
+ Resource: arn:aws:events:us-east-2:578003269847:event-bus/CloudTrail-org-sink
+ Sid: AllowSendingEventsToSinkBus
+ Version: "2012-10-17"
+ PolicyName: CloudTrailOrgSinkPolicy
+ RoleName: PRX-CloudTrailOrgSinkRole
+ Tags:
+ - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
+ - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
+ - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
+ - { Key: prx:ops:environment, Value: Production }
+ - { Key: prx:dev:application, Value: DevOps }
+
+ SlackOrgSinkRole:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Statement:
+ - Action: sts:AssumeRole
+ Effect: Allow
+ Principal:
+ Service: events.amazonaws.com
+ Version: "2012-10-17"
+ Policies:
+ - PolicyDocument:
+ Statement:
+ - Action: events:PutEvents
+ Effect: Allow
+ Resource: arn:aws:events:us-east-2:578003269847:event-bus/Slack-org-sink
+ Sid: AllowSendingEventsToSinkBus
+ Version: "2012-10-17"
+ PolicyName: SlackBusPolicy
+ RoleName: PRX-SlackOrgSinkRole
+ Tags:
+ - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
+ - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
+ - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
+ - { Key: prx:ops:environment, Value: Production }
+ - { Key: prx:dev:application, Value: DevOps }
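Review bot: Every `AssumeRolePolicyDocument` in this template trusts `events.amazonaws.com` with no `Condition`, so nothing in the trust policy ties a role to rules in the account that owns it; EventBridge honors the `aws:SourceAccount` / `aws:SourceArn` keys in role trust policies for exactly this confused-deputy case. If these roles are meant to be used only by rules in the account they are deployed into, add to each trust statement `Condition: { StringEquals: { aws:SourceAccount: !Ref AWS::AccountId } }` (flow style matches how `Tags` is already written), and if the intended callers are something else, say so in a comment on the first role. `PolicyName: SlackBusPolicy` breaks the `<Name>OrgSinkPolicy` pattern the other three roles follow; `SlackOrgSinkPolicy` would keep it consistent. The four resources differ only in the bus name and role name, so a top-level `Description` stating that each is a one-role-per-sink-bus forwarder to the buses in account 578003269847 would help the next reader, and the repeated account id and `us-east-2` in each `Resource` ARN are candidates for a `Parameters` section.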