diff --git a/.github/workflows/deploy-role-PRX-DevOps-CrossAccountAccessRole.yml b/.github/workflows/deploy-role-PRX-DevOps-CrossAccountAccessRole.yml new file mode 100644 index 000000000..0506094d2 --- /dev/null +++ b/.github/workflows/deploy-role-PRX-DevOps-CrossAccountAccessRole.yml @@ -0,0 +1,52 @@ +name: Deploy PRX-DevOps-CrossAccountAccessRole + +on: + workflow_dispatch: + push: + branches: + - main + paths: + - iam-roles/PRX-DevOps-CrossAccountAccessRole/template.yml + +concurrency: + group: ${{ github.workflow }} + +permissions: + id-token: write + contents: read + +jobs: + deploy: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: us-east-2 + role-to-assume: arn:aws:iam::048723829744:role/PRX-GHA-AccessRole + role-session-name: gha-deploy-devops-share-role + + - name: Deploy to management account + working-directory: iam-roles/PRX-DevOps-CrossAccountAccessRole + run: | + aws cloudformation deploy \ + --region us-east-2 \ + --stack-name PRX-DevOps-CrossAccountAccessRole \ + --template-file template.yml \ + --capabilities CAPABILITY_NAMED_IAM \ + --no-fail-on-empty-changeset \ + --role-arn arn:aws:iam::048723829744:role/PRX-GHA-ServiceRoleForCloudFormation + + # - name: Update stack set + # working-directory: iam-roles/PRX-DevOps-CrossAccountAccessRole + # run: | + # template_body=$(cat template.yml) + + # aws cloudformation update-stack-set \ + # --stack-set-name PRX-DevOps-CrossAccountAccessRole \ + # --capabilities CAPABILITY_NAMED_IAM \ + # --template-body "$template_body" \ + # --operation-preferences FailureTolerancePercentage=100,MaxConcurrentPercentage=100,ConcurrencyMode=SOFT_FAILURE_TOLERANCE,RegionConcurrencyType=PARALLEL \ + # --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false diff --git a/iam-roles/PRX-DevOps-CrossAccountAccessRole/template.yml b/iam-roles/PRX-DevOps-CrossAccountAccessRole/template.yml new file mode 100644 index 000000000..8bd7f1c55 --- /dev/null +++ b/iam-roles/PRX-DevOps-CrossAccountAccessRole/template.yml @@ -0,0 +1,161 @@ +AWSTemplateFormatVersion: "2010-09-09" +Description: >- + Creates an IAM role that's intended to exist in each account within an AWS + Organization. This role provides specific, consistent access to various + resources and services within all accounts, so that they can be managed + centrally. By default and convention, the role's name is: + PRX-DevOps-CrossAccountAccessRole. This template is intended to be launched as + part of a service-managed StackSet that automatically deploys to all accounts + within an organization. Only needs to be launched once per account, since + roles are global within an account. + +Parameters: + CrossAccountAccessRoleName: + Type: String + Default: PRX-DevOps-CrossAccountAccessRole + Description: >- + The name of cross-account access role. The default value is + "PRX-DevOps-CrossAccountAccessRole", and generally that should be used so + that it's predictable by other users and services. + +# Creates a role with a known name, which will exist in all accounts within +# the AWS Organization. This role can also be assumed by any other role within +# the organization. +# +# Since we know the role will exist and can be assumed, we can use this role to +# perform some common tasks against all accounts within the organization, +# regardless of where those tasks are being performed or which IAM role is +# otherwise being used to perform them. (I.e., a Lambda function in any account, +# with any execution role, can assume this role and perform one of the allowed +# IAM actions.) +# +# IMPORTANT !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# +# The permissions given to this role through the actions and resources listed +# in the following IAM policies should only include EXTREMELY safe permissions. +# This role should never be used for CRUD operations of actual resources. It is +# intended for things like read-only Get and List operations on some resource +# types, or very safe maintenance tasks, like creating a CloudFront +# invalidation. +# +# New permissions should be added to this role very deliberately andjudiciously. +Resources: + CodePipelinePolicy: + Type: AWS::IAM::ManagedPolicy + Properties: + PolicyDocument: + Statement: + - Action: codepipeline:ListPipelines + Effect: Allow + Resource: "*" + Sid: AllowListPipelines + - Action: codepipeline:StartPipelineExecution + Effect: Allow + Resource: "*" + Sid: AllowStartExecution + - Action: codepipeline:PutApprovalResult + Effect: Allow + Resource: "*" + Sid: AllowApprovalAction + - Action: + - codepipeline:DisableStageTransition + - codepipeline:EnableStageTransition + Effect: Allow + Resource: "*" + Sid: AllowStageTransitionToggle + - Action: + - codepipeline:GetPipeline + - codepipeline:GetPipelineState + Effect: Allow + Resource: "*" + Sid: AllowReadOnlyAccess + Version: "2012-10-17" + + CloudFrontPolicy: + Type: AWS::IAM::ManagedPolicy + Properties: + PolicyDocument: + Statement: + - Action: cloudfront:ListDistributions + Effect: Allow + Resource: "*" + Sid: AllowListDistributions + - Action: cloudfront:CreateInvalidation + Effect: Allow + Resource: "*" + Sid: AllowInvalidations + Version: "2012-10-17" + + S3ListVersionsPolicy: + Type: AWS::IAM::ManagedPolicy + Properties: + PolicyDocument: + Statement: + - Action: s3:ListBucketVersions + Effect: Allow + Resource: "*" + Version: "2012-10-17" + S3TemplateConfigCopyPolicy: + Type: AWS::IAM::ManagedPolicy + Properties: + PolicyDocument: + Statement: + - Action: s3:ListBucket + Effect: Allow + Resource: "*" + - Action: + - s3:GetObject + - s3:GetObjectVersion + - s3:GetObjectTagging + - s3:PutObject + - s3:PutObjectTagging + Effect: Allow + Resource: arn:aws:s3:::*/template-config-staging.zip + Version: "2012-10-17" + + IamPolicy: + Type: AWS::IAM::ManagedPolicy + Properties: + PolicyDocument: + Statement: + - Action: + - iam:Get* + - iam:List* + Effect: Allow + Resource: "*" + Sid: AllowReadOnlyAccess + Version: "2012-10-17" + + CrossAccountAccessRole: + Type: AWS::IAM::Role + Properties: + # Allow any principal within the same AWS Organization to assume this + # role + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Action: sts:AssumeRole + Condition: + StringEquals: + aws:ResourceOrgID: ${aws:PrincipalOrgID} + Effect: Allow + Principal: + AWS: "*" + # Include all the policies defined above + ManagedPolicyArns: + - !Ref CloudFrontPolicy + - !Ref CodePipelinePolicy + - !Ref IamPolicy + - !Ref S3ListVersionsPolicy + - !Ref S3TemplateConfigCopyPolicy + RoleName: !Sub ${CrossAccountAccessRoleName} + Tags: + - { Key: prx:meta:tagging-version, Value: "2021-04-07" } + - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName } + - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId } + - { Key: prx:ops:environment, Value: Production } + - { Key: prx:dev:application, Value: DevOps } + +Outputs: + RoleNamePattern: + Value: !Ref CrossAccountAccessRole