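---
AWSTemplateFormatVersion: "2010-09-09"
Description: Deployment Template - Management Account - Primary Region

Parameters:
  SharedAccountId:
    Type: String
    Description: Shared AWS Account ID
    # 12-digit account ID. Anchored at both ends so a longer value that merely
    # starts with 12 digits is rejected, whatever the engine's implicit anchoring.
    AllowedPattern: "^[0-9]{12}$"
  ArtifactBucket:
    Type: String
    Description: Artifact S3 Bucket Name
  ArtifactKeyArn:
    Type: String
    Description: Artifact KMS Key ARN
  SigningProfileVersionArn:
    Type: String
    Description: Signing Profile Version ARN

Conditions:
  # IAM roles are account-global; the role resources below carry this
  # condition so they are created only once, in the primary region.
  NorthernVirginiaRegion: !Equals [!Ref "AWS::Region", "us-east-1"]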
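Resources:
  # Cross-account role assumed by the CodePipeline role in the shared account.
  # It may read the artifact bucket, decrypt with the artifact key, and drive
  # CloudFormation stacks that execute as CloudFormationRole (defined below).
  DeploymentRole:
    Type: "AWS::IAM::Role"
    Condition: NorthernVirginiaRegion
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${SharedAccountId}:role/smoketurner/CodePipelineRole"
            Action: "sts:AssumeRole"
      Description: !Sub "DO NOT DELETE - Used by CodePipeline. Created by CloudFormation ${AWS::StackId}"
      Path: "/smoketurner/"
      Policies:
        - PolicyName: DeploymentPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "s3:GetObject"
                  - "s3:GetObjectVersion"
                Resource: !Sub "arn:${AWS::Partition}:s3:::${ArtifactBucket}/*"
              - Effect: Allow
                Action:
                  - "s3:GetBucketAcl"
                  - "s3:GetBucketLocation"
                Resource: !Sub "arn:${AWS::Partition}:s3:::${ArtifactBucket}"
              - Effect: Allow
                Action: "kms:Decrypt"
                Resource: !Ref ArtifactKeyArn
              # Stack create/update is allowed only when the stack is told to run
              # as CloudFormationRole, so this role cannot supply a different
              # (possibly broader) execution role of its own choosing.
              - Effect: Allow
                Action:
                  - "cloudformation:CreateStack"
                  - "cloudformation:UpdateStack"
                Resource: !Sub "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*"
                Condition:
                  ArnEquals:
                    "cloudformation:RoleArn": !GetAtt CloudFormationRole.Arn
              - Effect: Allow
                Action: "cloudformation:DescribeStacks"
                Resource: !Sub "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*"
              # PassRole is restricted to CloudFormationRole and, via
              # iam:PassedToService, to the CloudFormation service itself, so the
              # role cannot be handed to any other service that accepts a role.
              # The service name mirrors the trust policy on CloudFormationRole.
              - Effect: Allow
                Action: "iam:PassRole"
                Resource: !GetAtt CloudFormationRole.Arn
                Condition:
                  StringEquals:
                    "iam:PassedToService": !Sub "cloudformation.${AWS::URLSuffix}"
      RoleName: DeploymentRole
      Tags:
        - Key: Owner
          Value: Smoke Turner
        - Key: Environment
          Value: PROD
        - Key: "aws-cloudformation:stack-name"
          Value: !Ref "AWS::StackName"
        - Key: "aws-cloudformation:stack-id"
          Value: !Ref "AWS::StackId"
        - Key: "aws-cloudformation:logical-id"
          Value: DeploymentRole

  # Execution role CloudFormation assumes when deploying stacks started by
  # DeploymentRole. NOTE(review): it carries AdministratorAccess, so anything
  # DeploymentRole can deploy effectively runs with full account rights;
  # the CreateStack/UpdateStack + PassRole conditions above are the only
  # gate. Consider a scoped policy if the deployed stacks' needs are known.
  CloudFormationRole:
    Type: "AWS::IAM::Role"
    Condition: NorthernVirginiaRegion
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub "cloudformation.${AWS::URLSuffix}"
            Action: "sts:AssumeRole"
      Description: !Sub "DO NOT DELETE - Used by CloudFormation. Created by CloudFormation ${AWS::StackId}"
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess"
      Path: "/smoketurner/"
      RoleName: CloudFormationRole
      Tags:
        - Key: Owner
          Value: Smoke Turner
        - Key: Environment
          Value: PROD
        - Key: "aws-cloudformation:stack-name"
          Value: !Ref "AWS::StackName"
        - Key: "aws-cloudformation:stack-id"
          Value: !Ref "AWS::StackId"
        - Key: "aws-cloudformation:logical-id"
          Value: CloudFormationRole

  # Lambda code-signing configuration: only artifacts signed by the given
  # signing profile version are accepted. "Enforce" blocks deployment of
  # unsigned or mismatched artifacts rather than merely warning.
  CodeSigningConfig:
    Type: "AWS::Lambda::CodeSigningConfig"
    Properties:
      Description: Smoke Turner Code Signing
      AllowedPublishers:
        SigningProfileVersionArns:
          - !Ref SigningProfileVersionArn
      CodeSigningPolicies:
        UntrustedArtifactOnDeployment: Enforce

  # Publishes the signing-config ARN so other stacks can attach it to their
  # functions without a cross-stack export. For AWS::SSM::Parameter, Tags is
  # a key/value map rather than a Key/Value list.
  CodeSigningConfigArnParameter:
    Type: "AWS::SSM::Parameter"
    Properties:
      Description: Code Signing Config ARN
      Name: "/SmokeTurner/Lambda/CodeSigningConfigArn"
      Tags:
        Owner: Smoke Turner
        Environment: PROD
      Tier: Standard
      Type: String
      Value: !Ref CodeSigningConfig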