Wednesday, August 31, 2022

AWS CloudFormation - cross account


 

ToolsAccount

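# Tools ("bld") account: the role a GitLab runner / EC2 / SageMaker workload
# uses, plus the trust that lets the matching stg-account role call it.
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  bld account role/policy deployment

Parameters:
  # NOTE(review): not referenced by any resource in this template; kept so
  # existing stack invocations that pass it keep working.
  BldAccountID:
    Description: 'Account ID to register Gitlab runner'
    Type: String
  RoleName:
    Description: 'Bld account role name'
    Type: String
    AllowedValues:
      - test
      - poc
  StgAccountID:
    Description: 'Account ID to conduct testing'
    Type: String

Resources:
  BldAccountRole:
    Type: AWS::IAM::Role
    Properties:
      # !Ref is the same value as !Sub '${RoleName}' and matches the stg template.
      RoleName: !Ref RoleName
      Description: allow ec2 and sagemaker services to assume the role
      AssumeRolePolicyDocument:
        # Quoted: an unquoted 2012-10-17 is read as a date by YAML 1.1 parsers
        # and then rejected by IAM; the inline policy below already quotes it.
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - sagemaker.amazonaws.com
            Action: sts:AssumeRole
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action: sts:AssumeRole
          # Allow the same-named role in the stg account to assume this role
          # (the stg template trusts this role in return, so trust is mutual).
          - Effect: Allow
            Principal:
              AWS:
                - !Sub 'arn:aws:iam::${StgAccountID}:role/${RoleName}'
            Action: sts:AssumeRole
      Policies:
        - PolicyName: gitlab-runner-and-deployment
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # SECURITY(review): Action '*' on Resource '*' is full administrative
              # access for every EC2 instance, SageMaker job and stg-role caller
              # that holds this role, and it makes the two statements below
              # redundant. Scope it down before this runs outside a sandbox.
              - Effect: Allow
                Action: '*'
                Resource: '*'
              - Effect: Allow
                Action:
                  - 'ecr:*'
                Resource: '*'
              # Runner instance management. 'ec2:Describe*' already covers
              # DescribeKeyPairs and DescribeSubnets.
              - Effect: Allow
                Action:
                  - 'ec2:DescribeKeyPairs'
                  - 'ec2:TerminateInstances'
                  - 'ec2:StopInstances'
                  - 'ec2:StartInstances'
                  - 'ec2:RunInstances'
                  - 'ec2:RebootInstances'
                  - 'ec2:CreateKeyPair'
                  - 'ec2:DeleteKeyPair'
                  - 'ec2:ImportKeyPair'
                  - 'ec2:Describe*'
                  - 'ec2:CreateTags'
                  - 'ec2:RequestSpotInstances'
                  - 'ec2:CancelSpotInstanceRequests'
                  - 'ec2:DescribeSubnets'
                  - 'ec2:AssociateIamInstanceProfile'
                  # SECURITY(review): iam:PassRole on '*' lets the runner attach any
                  # role in the account to an instance; restrict Resource to the
                  # instance-role ARNs it actually needs to pass.
                  - 'iam:PassRole'
                Resource: "*"

Outputs:
  BldAccountRoleArn:
    Value: !GetAtt BldAccountRole.Arn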

AssumeAccount(stg)

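# Environment (stg/prd) account: the role the bld-account role assumes to
# deploy into this account.
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  environment specific account IAM role/policy deployment

Parameters:
  BldAccountID:
    Description: 'Account ID to register Gitlab runner'
    Type: String
  # Must match the RoleName deployed in the bld account, since the trust
  # policy below names that role by the same value.
  RoleName:
    Description: 'Bld account role name'
    Type: String
    Default: test
    AllowedValues:
      - test
      - poc
  Environment:
    Description: 'Current environment'
    Type: String
    AllowedValues:
      - stg
      - prd

Resources:
  CrossAccountAssumeRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      Description: allow bld role to assume the role
      AssumeRolePolicyDocument:
        # Quoted: an unquoted 2012-10-17 is read as a date by YAML 1.1 parsers
        # and then rejected by IAM; the inline policy below already quotes it.
        Version: "2012-10-17"
        Statement:
          # Admin and Staff are assumed to exist in the bld account — TODO confirm;
          # a trust entry for a role that does not exist fails stack creation.
          - Effect: Allow
            Principal:
              AWS:
                - !Sub 'arn:aws:iam::${BldAccountID}:role/Admin'
                - !Sub 'arn:aws:iam::${BldAccountID}:role/Staff'
                - !Sub 'arn:aws:iam::${BldAccountID}:role/${RoleName}'
            Action: sts:AssumeRole
      Policies:
        - PolicyName: !Sub '${Environment}-policy'
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # SECURITY(review): Action '*' on Resource '*' is full administrative
              # access in the stg/prd account for every bld-account principal
              # trusted above, and it makes the two statements below redundant.
              # Scope it down to what the deployment actually needs.
              - Effect: Allow
                Action: '*'
                Resource: '*'
              - Effect: Allow
                Action:
                  - 'cloudformation:CreateStack'
                  - 'cloudformation:UpdateStack'
                  - 'cloudformation:DeleteStack'
                  - 'cloudformation:DescribeStacks'
                Resource: "*"
              # 's3:DeleteBucket*' already covers 's3:DeleteBucket'.
              - Effect: Allow
                Action:
                  - 's3:CreateBucket'
                  - 's3:DeleteBucket'
                  - 's3:DeleteBucket*'
                  - 's3:PutBucket*'
                Resource: "*"

Outputs:
  AssumeRoleAccountRoleArn:
    Value: !GetAtt CrossAccountAssumeRole.Arn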
