Add DevOps sharing role template and action

.github/workflows/deploy-role-PRX-DevOps-CrossAccountAccessRole.yml

@@ -0,0 +1,52 @@
+name: Deploy PRX-DevOps-CrossAccountAccessRole
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - iam-roles/PRX-DevOps-CrossAccountAccessRole/template.yml
+
+concurrency:
+  group: ${{ github.workflow }}
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-2
+          role-to-assume: arn:aws:iam::048723829744:role/PRX-GHA-AccessRole
+          role-session-name: gha-deploy-devops-share-role
+
+      - name: Deploy to management account
+        working-directory: iam-roles/PRX-DevOps-CrossAccountAccessRole
+        run: |
+          aws cloudformation deploy \
+            --region us-east-2 \
+            --stack-name PRX-DevOps-CrossAccountAccessRole \
+            --template-file template.yml \
+            --capabilities CAPABILITY_NAMED_IAM \
+            --no-fail-on-empty-changeset \
+            --role-arn arn:aws:iam::048723829744:role/PRX-GHA-ServiceRoleForCloudFormation
+
+      # - name: Update stack set
+      #   working-directory: iam-roles/PRX-DevOps-CrossAccountAccessRole
+      #   run: |
+      #     template_body=$(cat template.yml)
+
+      #     aws cloudformation update-stack-set \
+      #       --stack-set-name PRX-DevOps-CrossAccountAccessRole \
+      #       --capabilities CAPABILITY_NAMED_IAM \
+      #       --template-body "$template_body" \
+      #       --operation-preferences FailureTolerancePercentage=100,MaxConcurrentPercentage=100,ConcurrencyMode=SOFT_FAILURE_TOLERANCE,RegionConcurrencyType=PARALLEL \
+      #       --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false

iam-roles/PRX-DevOps-CrossAccountAccessRole/template.yml

@@ -0,0 +1,161 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: >-
+  Creates an IAM role that's intended to exist in each account within an AWS
+  Organization. This role provides specific, consistent access to various
+  resources and services within all accounts, so that they can be managed
+  centrally. By default and convention, the role's name is:
+  PRX-DevOps-CrossAccountAccessRole. This template is intended to be launched as
+  part of a service-managed StackSet that automatically deploys to all accounts
+  within an organization. Only needs to be launched once per account, since
+  roles are global within an account.
+
+Parameters:
+  CrossAccountAccessRoleName:
+    Type: String
+    Default: PRX-DevOps-CrossAccountAccessRole
+    Description: >-
+      The name of cross-account access role. The default value is
+      "PRX-DevOps-CrossAccountAccessRole", and generally that should be used so
+      that it's predictable by other users and services.
+
+# Creates a role with a known name, which will exist in all accounts within
+# the AWS Organization. This role can also be assumed by any other role within
+# the organization.
+#
+# Since we know the role will exist and can be assumed, we can use this role to
+# perform some common tasks against all accounts within the organization,
+# regardless of where those tasks are being performed or which IAM role is
+# otherwise being used to perform them. (I.e., a Lambda function in any account,
+# with any execution role, can assume this role and perform one of the allowed
+# IAM actions.)
+#
+# IMPORTANT !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+#
+# The permissions given to this role through the actions and resources listed
+# in the following IAM policies should only include EXTREMELY safe permissions.
+# This role should never be used for CRUD operations of actual resources. It is
+# intended for things like read-only Get and List operations on some resource
+# types, or very safe maintenance tasks, like creating a CloudFront
+# invalidation.
+#
+# New permissions should be added to this role very deliberately andjudiciously.
+Resources:
+  CodePipelinePolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      PolicyDocument:
+        Statement:
+          - Action: codepipeline:ListPipelines
+            Effect: Allow
+            Resource: "*"
+            Sid: AllowListPipelines
+          - Action: codepipeline:StartPipelineExecution
+            Effect: Allow
+            Resource: "*"
+            Sid: AllowStartExecution
+          - Action: codepipeline:PutApprovalResult
+            Effect: Allow
+            Resource: "*"
+            Sid: AllowApprovalAction
+          - Action:
+              - codepipeline:DisableStageTransition
+              - codepipeline:EnableStageTransition
+            Effect: Allow
+            Resource: "*"
+            Sid: AllowStageTransitionToggle
+          - Action:
+              - codepipeline:GetPipeline
+              - codepipeline:GetPipelineState
+            Effect: Allow
+            Resource: "*"
+            Sid: AllowReadOnlyAccess
+        Version: "2012-10-17"
+
+  CloudFrontPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      PolicyDocument:
+        Statement:
+          - Action: cloudfront:ListDistributions
+            Effect: Allow
+            Resource: "*"
+            Sid: AllowListDistributions
+          - Action: cloudfront:CreateInvalidation
+            Effect: Allow
+            Resource: "*"
+            Sid: AllowInvalidations
+        Version: "2012-10-17"
+
+  S3ListVersionsPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      PolicyDocument:
+        Statement:
+          - Action: s3:ListBucketVersions
+            Effect: Allow
+            Resource: "*"
+        Version: "2012-10-17"
+  S3TemplateConfigCopyPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      PolicyDocument:
+        Statement:
+          - Action: s3:ListBucket
+            Effect: Allow
+            Resource: "*"
+          - Action:
+              - s3:GetObject
+              - s3:GetObjectVersion
+              - s3:GetObjectTagging
+              - s3:PutObject
+              - s3:PutObjectTagging
+            Effect: Allow
+            Resource: arn:aws:s3:::*/template-config-staging.zip
+        Version: "2012-10-17"
+
+  IamPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      PolicyDocument:
+        Statement:
+          - Action:
+              - iam:Get*
+              - iam:List*
+            Effect: Allow
+            Resource: "*"
+            Sid: AllowReadOnlyAccess
+        Version: "2012-10-17"
+
+  CrossAccountAccessRole:
+    Type: AWS::IAM::Role
+    Properties:
+      # Allow any principal within the same AWS Organization to assume this
+      # role
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Action: sts:AssumeRole
+            Condition:
+              StringEquals:
+                aws:ResourceOrgID: ${aws:PrincipalOrgID}
+            Effect: Allow
+            Principal:
+              AWS: "*"
+      # Include all the policies defined above
+      ManagedPolicyArns:
+        - !Ref CloudFrontPolicy
+        - !Ref CodePipelinePolicy
+        - !Ref IamPolicy
+        - !Ref S3ListVersionsPolicy
+        - !Ref S3TemplateConfigCopyPolicy
+      RoleName: !Sub ${CrossAccountAccessRoleName}
+      Tags:
+        - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
+        - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
+        - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
+        - { Key: prx:ops:environment, Value: Production }
+        - { Key: prx:dev:application, Value: DevOps }
+
+Outputs:
+  RoleNamePattern:
+    Value: !Ref CrossAccountAccessRole