feat(bootstrap): policies as typed TypeScript with version and hash

cdk/bootstrap/BOOTSTRAP_HASH

@@ -0,0 +1 @@
+4892570024965c2e99ef0d9f7ef0a61e4b939ba69c5df52e4bc1647522dad283

cdk/bootstrap/BOOTSTRAP_VERSION

@@ -0,0 +1 @@
+1.0.0

cdk/bootstrap/policies/application.json

@@ -0,0 +1,169 @@
+{
+  "Statement": [
+    {
+      "Action": [
+        "dynamodb:CreateTable",
+        "dynamodb:DeleteTable",
+        "dynamodb:DescribeTable",
+        "dynamodb:DescribeTimeToLive",
+        "dynamodb:UpdateTimeToLive",
+        "dynamodb:UpdateTable",
+        "dynamodb:UpdateContinuousBackups",
+        "dynamodb:DescribeContinuousBackups",
+        "dynamodb:TagResource",
+        "dynamodb:UntagResource",
+        "dynamodb:ListTagsOfResource",
+        "dynamodb:PutItem",
+        "dynamodb:UpdateItem",
+        "dynamodb:DescribeContributorInsights",
+        "dynamodb:DescribeKinesisStreamingDestination",
+        "dynamodb:GetResourcePolicy"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:dynamodb:*:*:table/backgroundagent-dev-*",
+      "Sid": "DynamoDB"
+    },
+    {
+      "Action": [
+        "lambda:CreateFunction",
+        "lambda:DeleteFunction",
+        "lambda:GetFunction",
+        "lambda:GetFunctionConfiguration",
+        "lambda:UpdateFunctionCode",
+        "lambda:UpdateFunctionConfiguration",
+        "lambda:AddPermission",
+        "lambda:RemovePermission",
+        "lambda:GetPolicy",
+        "lambda:TagResource",
+        "lambda:UntagResource",
+        "lambda:ListTags",
+        "lambda:PublishVersion",
+        "lambda:CreateAlias",
+        "lambda:DeleteAlias",
+        "lambda:GetAlias",
+        "lambda:UpdateAlias",
+        "lambda:PutFunctionEventInvokeConfig",
+        "lambda:DeleteFunctionEventInvokeConfig",
+        "lambda:GetFunctionEventInvokeConfig",
+        "lambda:PutFunctionConcurrency",
+        "lambda:DeleteFunctionConcurrency",
+        "lambda:GetFunctionCodeSigningConfig",
+        "lambda:GetFunctionRecursionConfig",
+        "lambda:GetProvisionedConcurrencyConfig",
+        "lambda:GetRuntimeManagementConfig",
+        "lambda:ListVersionsByFunction",
+        "lambda:InvokeFunction"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:lambda:*:*:function:backgroundagent-dev-*",
+        "arn:aws:lambda:*:*:function:backgroundagent-dev-AWS*"
+      ],
+      "Sid": "Lambda"
+    },
+    {
+      "Action": [
+        "apigateway:POST",
+        "apigateway:GET",
+        "apigateway:PUT",
+        "apigateway:PATCH",
+        "apigateway:DELETE",
+        "apigateway:TagResource",
+        "apigateway:UntagResource",
+        "apigateway:SetWebACL",
+        "apigateway:UpdateRestApiPolicy"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:apigateway:*::/restapis",
+        "arn:aws:apigateway:*::/restapis/*",
+        "arn:aws:apigateway:*::/account",
+        "arn:aws:apigateway:*::/tags/*"
+      ],
+      "Sid": "APIGateway"
+    },
+    {
+      "Action": [
+        "cognito-idp:CreateUserPool",
+        "cognito-idp:DeleteUserPool",
+        "cognito-idp:DescribeUserPool",
+        "cognito-idp:UpdateUserPool",
+        "cognito-idp:CreateUserPoolClient",
+        "cognito-idp:DeleteUserPoolClient",
+        "cognito-idp:DescribeUserPoolClient",
+        "cognito-idp:UpdateUserPoolClient",
+        "cognito-idp:TagResource",
+        "cognito-idp:UntagResource",
+        "cognito-idp:ListTagsForResource",
+        "cognito-idp:GetUserPoolMfaConfig"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:cognito-idp:*:*:userpool/*",
+      "Sid": "Cognito"
+    },
+    {
+      "Action": [
+        "wafv2:CreateWebACL",
+        "wafv2:DeleteWebACL",
+        "wafv2:GetWebACL",
+        "wafv2:UpdateWebACL",
+        "wafv2:AssociateWebACL",
+        "wafv2:DisassociateWebACL",
+        "wafv2:ListTagsForResource",
+        "wafv2:TagResource",
+        "wafv2:UntagResource",
+        "wafv2:GetWebACLForResource"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:wafv2:*:*:regional/webacl/*",
+        "arn:aws:wafv2:*:*:regional/managedruleset/*"
+      ],
+      "Sid": "WAFv2"
+    },
+    {
+      "Action": [
+        "events:PutRule",
+        "events:DeleteRule",
+        "events:DescribeRule",
+        "events:PutTargets",
+        "events:RemoveTargets",
+        "events:ListTargetsByRule",
+        "events:TagResource",
+        "events:UntagResource",
+        "events:ListTagsForResource"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:events:*:*:rule/backgroundagent-dev-*",
+      "Sid": "EventBridge"
+    },
+    {
+      "Action": [
+        "secretsmanager:CreateSecret",
+        "secretsmanager:DeleteSecret",
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:GetSecretValue",
+        "secretsmanager:PutSecretValue",
+        "secretsmanager:UpdateSecret",
+        "secretsmanager:TagResource",
+        "secretsmanager:UntagResource",
+        "secretsmanager:GetResourcePolicy",
+        "secretsmanager:PutResourcePolicy",
+        "secretsmanager:DeleteResourcePolicy"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:secretsmanager:*:*:secret:backgroundagent-*",
+        "arn:aws:secretsmanager:*:*:secret:GitHubTokenSecret*"
+      ],
+      "Sid": "SecretsManager"
+    },
+    {
+      "Action": "secretsmanager:GetRandomPassword",
+      "Effect": "Allow",
+      "Resource": "*",
+      "Sid": "SecretsManagerAccountLevel"
+    }
+  ],
+  "Version": "2012-10-17"
+}

cdk/bootstrap/policies/infrastructure.json

@@ -0,0 +1,177 @@
+{
+  "Statement": [
+    {
+      "Action": [
+        "cloudformation:CreateStack",
+        "cloudformation:UpdateStack",
+        "cloudformation:DeleteStack",
+        "cloudformation:DescribeStacks",
+        "cloudformation:DescribeStackEvents",
+        "cloudformation:DescribeStackResources",
+        "cloudformation:GetTemplate",
+        "cloudformation:GetTemplateSummary",
+        "cloudformation:ListStackResources",
+        "cloudformation:CreateChangeSet",
+        "cloudformation:DeleteChangeSet",
+        "cloudformation:DescribeChangeSet",
+        "cloudformation:ExecuteChangeSet",
+        "cloudformation:SetStackPolicy",
+        "cloudformation:ValidateTemplate",
+        "cloudformation:ListChangeSets"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:cloudformation:*:*:stack/backgroundagent-dev/*",
+        "arn:aws:cloudformation:*:*:stack/CDKToolkit/*"
+      ],
+      "Sid": "CloudFormationSelf"
+    },
+    {
+      "Action": [
+        "iam:CreateRole",
+        "iam:DeleteRole",
+        "iam:GetRole",
+        "iam:UpdateRole",
+        "iam:TagRole",
+        "iam:UntagRole",
+        "iam:ListRoleTags",
+        "iam:AttachRolePolicy",
+        "iam:DetachRolePolicy",
+        "iam:PutRolePolicy",
+        "iam:DeleteRolePolicy",
+        "iam:GetRolePolicy",
+        "iam:ListRolePolicies",
+        "iam:ListAttachedRolePolicies",
+        "iam:CreatePolicy",
+        "iam:DeletePolicy",
+        "iam:GetPolicy",
+        "iam:GetPolicyVersion",
+        "iam:CreatePolicyVersion",
+        "iam:DeletePolicyVersion",
+        "iam:ListPolicyVersions",
+        "iam:TagPolicy",
+        "iam:CreateServiceLinkedRole",
+        "iam:ListInstanceProfilesForRole"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:iam::*:role/backgroundagent-dev-*",
+        "arn:aws:iam::*:policy/backgroundagent-dev-*",
+        "arn:aws:iam::*:role/aws-service-role/*"
+      ],
+      "Sid": "IAMRolesAndPolicies"
+    },
+    {
+      "Action": "iam:PassRole",
+      "Condition": {
+        "StringEquals": {
+          "iam:PassedToService": [
+            "lambda.amazonaws.com",
+            "ecs-tasks.amazonaws.com",
+            "ecs.amazonaws.com",
+            "apigateway.amazonaws.com",
+            "logs.amazonaws.com",
+            "bedrock.amazonaws.com",
+            "bedrock-agentcore.amazonaws.com",
+            "events.amazonaws.com",
+            "vpc-flow-logs.amazonaws.com"
+          ]
+        }
+      },
+      "Effect": "Allow",
+      "Resource": "arn:aws:iam::*:role/backgroundagent-dev-*",
+      "Sid": "IAMPassRole"
+    },
+    {
+      "Action": [
+        "ec2:CreateVpc",
+        "ec2:DeleteVpc",
+        "ec2:DescribeVpcs",
+        "ec2:ModifyVpcAttribute",
+        "ec2:CreateSubnet",
+        "ec2:DeleteSubnet",
+        "ec2:DescribeSubnets",
+        "ec2:CreateInternetGateway",
+        "ec2:DeleteInternetGateway",
+        "ec2:AttachInternetGateway",
+        "ec2:DetachInternetGateway",
+        "ec2:DescribeInternetGateways",
+        "ec2:AllocateAddress",
+        "ec2:ReleaseAddress",
+        "ec2:DescribeAddresses",
+        "ec2:CreateNatGateway",
+        "ec2:DeleteNatGateway",
+        "ec2:DescribeNatGateways",
+        "ec2:CreateRouteTable",
+        "ec2:DeleteRouteTable",
+        "ec2:DescribeRouteTables",
+        "ec2:AssociateRouteTable",
+        "ec2:DisassociateRouteTable",
+        "ec2:CreateRoute",
+        "ec2:DeleteRoute",
+        "ec2:CreateSecurityGroup",
+        "ec2:DeleteSecurityGroup",
+        "ec2:DescribeSecurityGroups",
+        "ec2:AuthorizeSecurityGroupEgress",
+        "ec2:RevokeSecurityGroupEgress",
+        "ec2:AuthorizeSecurityGroupIngress",
+        "ec2:RevokeSecurityGroupIngress",
+        "ec2:CreateVpcEndpoint",
+        "ec2:DeleteVpcEndpoints",
+        "ec2:DescribeVpcEndpoints",
+        "ec2:ModifyVpcEndpoint",
+        "ec2:CreateFlowLogs",
+        "ec2:DeleteFlowLogs",
+        "ec2:DescribeFlowLogs",
+        "ec2:CreateTags",
+        "ec2:DeleteTags",
+        "ec2:DescribeTags",
+        "ec2:DescribeAvailabilityZones",
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:DescribePrefixLists",
+        "ec2:DescribeNetworkAcls",
+        "ec2:DescribeVpcAttribute",
+        "ec2:ModifySubnetAttribute"
+      ],
+      "Effect": "Allow",
+      "Resource": "*",
+      "Sid": "VPCNetworking"
+    },
+    {
+      "Action": [
+        "route53resolver:CreateFirewallRuleGroup",
+        "route53resolver:DeleteFirewallRuleGroup",
+        "route53resolver:GetFirewallRuleGroup",
+        "route53resolver:CreateFirewallRule",
+        "route53resolver:DeleteFirewallRule",
+        "route53resolver:ListFirewallRules",
+        "route53resolver:UpdateFirewallRule",
+        "route53resolver:CreateFirewallDomainList",
+        "route53resolver:DeleteFirewallDomainList",
+        "route53resolver:GetFirewallDomainList",
+        "route53resolver:UpdateFirewallDomains",
+        "route53resolver:AssociateFirewallRuleGroup",
+        "route53resolver:DisassociateFirewallRuleGroup",
+        "route53resolver:GetFirewallRuleGroupAssociation",
+        "route53resolver:ListFirewallRuleGroupAssociations",
+        "route53resolver:UpdateFirewallConfig",
+        "route53resolver:GetFirewallConfig",
+        "route53resolver:TagResource",
+        "route53resolver:UntagResource",
+        "route53resolver:ListTagsForResource",
+        "route53resolver:CreateResolverQueryLogConfig",
+        "route53resolver:DeleteResolverQueryLogConfig",
+        "route53resolver:GetResolverQueryLogConfig",
+        "route53resolver:AssociateResolverQueryLogConfig",
+        "route53resolver:DisassociateResolverQueryLogConfig",
+        "route53resolver:GetResolverQueryLogConfigAssociation",
+        "route53resolver:ListResolverQueryLogConfigAssociations",
+        "route53resolver:ListResolverQueryLogConfigs"
+      ],
+      "Effect": "Allow",
+      "Resource": "*",
+      "Sid": "Route53ResolverDNSFirewall"
+    }
+  ],
+  "Version": "2012-10-17"
+}