
Commit 7dc8512

author
John Preston
committed
Working cross account for pipeline
1 parent 3fd33b6 commit 7dc8512

3 files changed

Lines changed: 112 additions & 64 deletions


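--- a/cicd-pipeline-ecs-composex/cfn-templates/cd_pipeline.yml
+++ b/cicd-pipeline-ecs-composex/cfn-templates/cd_pipeline.yml
@@ -14,10 +14,16 @@ Parameters:
 Type: AWS::SSM::Parameter::Value<String>
 Default: /cicd/shared/s3/templates/name
 
-DevAccountCloudFormationRoleArn:
+DevAccountCfnRoleArn:
 Type: String
 
-ProdAccountCloudFormationRoleArn:
+DevAccountPipelineRoleArn:
+Type: String
+
+ProdAccountCfnRoleArn:
+Type: String
+
+ProdAccountPipelineRoleArn:
 Type: String
 
 ComposeRepositoryName:
@@ -110,16 +116,33 @@ Resources:
 Type: AWS::IAM::Role
 Properties:
 AssumeRolePolicyDocument:
+Version: 2012-10-17
 Statement:
 - Action:
 - sts:AssumeRole
 Effect: Allow
 Principal:
 Service:
 - !Sub 'codepipeline.${AWS::URLSuffix}'
-Version: '2012-10-17'
+Condition:
+Bool:
+aws:SecureTransport: true
 Policies:
-- PolicyDocument:
+- PolicyName: CrossAccountAssume
+PolicyDocument:
+Version: 2012-10-17
+Statement:
+- Effect: Allow
+Action:
+- sts:AssumeRole
+Resource:
+- !Ref ProdAccountPipelineRoleArn
+- !Ref DevAccountPipelineRoleArn
+Condition:
+Bool:
+aws:SecureTransport: true
+- PolicyName: S3Access
+PolicyDocument:
 Version: '2012-10-17'
 Statement:
 - Action:
@@ -130,7 +153,6 @@ Resources:
 Effect: Allow
 Resource:
 - !Sub 'arn:${AWS::Partition}:s3:::${ArtifactsBucketName}/*'
-PolicyName: S3Access
 - PolicyName: CodecommitAccess
 PolicyDocument:
 Version: 2012-10-17
@@ -155,35 +177,6 @@ Resources:
 Effect: Allow
 Resource: '*'
 PolicyName: CodeBuildAccess
-- PolicyName: AccessForCloudFormation
-PolicyDocument:
-Version: '2012-10-17'
-Statement:
-- Action:
-- iam:PassRole
-Condition:
-StringEqualsIfExists:
-iam:PassedToService:
-- !Sub 'cloudformation.${AWS::URLSuffix}'
-Effect: Allow
-Resource:
-- !Ref DevAccountCloudFormationRoleArn
-- !Ref ProdAccountCloudFormationRoleArn
-Sid: AllowsPipelineToPassRoleToCfn
-- Action:
-- cloudformation:CreateStack
-- cloudformation:DeleteStack
-- cloudformation:DescribeStacks
-- cloudformation:UpdateStack
-- cloudformation:CreateChangeSet
-- cloudformation:DeleteChangeSet
-- cloudformation:DescribeChangeSet
-- cloudformation:ExecuteChangeSet
-- cloudformation:SetStackPolicy
-- cloudformation:ValidateTemplate
-Effect: Allow
-Resource: '*'
-Sid: AllowsCloudFormationAccess
 - PolicyName: KmsAccess
 PolicyDocument:
 Version: 2012-10-17
@@ -228,8 +221,10 @@ Resources:
 RestartExecutionOnUpdate: true
 RoleArn: !GetAtt 'CodePipelineRole.Arn'
 Stages:
-- Actions:
-- ActionTypeId:
+- Name: PipelineSource
+Actions:
+- Name: DockerComposeSource
+ActionTypeId:
 Category: Source
 Owner: AWS
 Provider: CodeCommit
@@ -238,14 +233,13 @@ Resources:
 BranchName: !Ref BranchName
 PollForSourceChanges: false
 RepositoryName: !Ref ComposeRepositoryName
-Name: DockerComposeSource
 OutputArtifacts:
 - Name: DockerComposeSource
 RunOrder: '1'
-Name: PipelineSource
 - Name: !Sub 'GenerateCfnTemplates'
 Actions:
-- ActionTypeId:
+- Name: EcsComposeXGenerate
+ActionTypeId:
 Category: Build
 Owner: AWS
 Provider: CodeBuild
@@ -254,20 +248,20 @@ Resources:
 ProjectName: !Ref EcsComposeXGenerate
 InputArtifacts:
 - Name: DockerComposeSource
-Name: EcsComposeX
 OutputArtifacts:
 - Name: ComposeXOutput
 RunOrder: '1'
 - Name: !Sub 'DeployToDev'
 Actions:
-- ActionTypeId:
+- Name: DeployToDev
+ActionTypeId:
 Category: Deploy
 Owner: AWS
 Provider: CloudFormation
 Version: '1'
 Configuration:
 ActionMode: CREATE_UPDATE
-RoleArn: !Ref DevAccountCloudFormationRoleArn
+RoleArn: !Ref DevAccountCfnRoleArn
 StackName: !Sub 'dev'
 TemplatePath: !Sub 'ComposeXOutput::composex_root.yml'
 # TemplateConfiguration: !Sub 'ComposeXOutput::composex_root.params.json'
@@ -276,8 +270,8 @@ Resources:
 - Name: ComposeXOutput
 OutputArtifacts:
 - Name: DevStackOutputs
-Name: DeployToDev
 RunOrder: '1'
+RoleArn: !Ref DevAccountPipelineRoleArn
 - Name: !Sub 'DestroyDev'
 Actions:
 - ActionTypeId:
@@ -287,7 +281,8 @@ Resources:
 Version: '1'
 Configuration:
 ActionMode: DELETE_ONLY
-RoleArn: !Ref DevAccountCloudFormationRoleArn
+RoleArn: !Ref DevAccountCfnRoleArn
 StackName: !Sub 'dev'
 Name: DeployToDev
 RunOrder: '1'
+RoleArn: !Ref DevAccountPipelineRoleArn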
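Review bot: The trust policy of CodePipelineRole (new lines 127–129 of the second hunk) gains a `Bool: aws:SecureTransport: true` condition, but a service principal's sts:AssumeRole call is always made over TLS, so this restricts nothing; the control actually missing on a service-principal trust is confused-deputy protection, which CodePipeline documents via the source condition keys. I would replace those three lines with `Condition: StringEquals: aws:SourceAccount: !Ref AWS::AccountId` (or an `ArnLike` on `aws:SourceArn` scoped to this account's pipelines) so only pipelines in this account can assume the role. The same no-op `aws:SecureTransport` condition is repeated on the CrossAccountAssume identity statement (new lines 141–143) and can simply be dropped there, since that statement already names the two target role ARNs. Separately, the action inside the DestroyDev stage is still named `DeployToDev` (old line 292 in the last hunk), which the commit's other action renames did not touch and which will mislead anyone reading execution history.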

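--- a/cicd-pipeline-ecs-composex/cfn-templates/crossaccount-roles.yml
+++ b/cicd-pipeline-ecs-composex/cfn-templates/crossaccount-roles.yml
@@ -49,6 +49,39 @@ Resources:
 - iam:UpdateRole
 - iam:ListRolePolicies
 - iam:GetRolePolicy
+- PolicyName: KmsDecryptData
+PolicyDocument:
+Version: 2012-10-17
+Statement:
+- Sid: DecryptEncryptArtifacts
+Effect: Allow
+Action:
+- kms:Decrypt
+- kms:DescribeKey
+Resource:
+- !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${CiAccountId}:key/${CiKmsKeyId}'
+- PolicyName: S3Access
+PolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Action:
+- s3:GetObject*
+- s3:ListBucket
+- s3:GetBucket*
+Effect: Allow
+Resource:
+- !Sub 'arn:${AWS::Partition}:s3:::${ArtifactsBucketName}'
+- !Sub 'arn:${AWS::Partition}:s3:::${ArtifactsBucketName}/*'
+Sid: AllowRwToArtifactsBucket
+- Action:
+- s3:GetObject*
+- s3:ListBucket
+- s3:GetBucket*
+Effect: Allow
+Sid: GetCloudformationTemplates
+Resource:
+- !Sub 'arn:${AWS::Partition}:s3:::${CloudformationTemplatesBucketName}'
+- !Sub 'arn:${AWS::Partition}:s3:::${CloudformationTemplatesBucketName}/*'
 ManagedPolicyArns:
 - arn:aws:iam::aws:policy/PowerUserAccess
 AssumeRolePolicyDocument:
@@ -68,53 +101,71 @@ Resources:
 Type: AWS::IAM::Role
 Properties:
 Policies:
-- PolicyName: PassRole
-PolicyDocument:
-Version: 2012-10-17
-Statement:
-- Action:
-- iam:PassRole
-Resource:
-- !GetAtt 'CloudformationRole.Arn'
-Effect: Allow
-Sid: PassRoleToCloudFormation
 - PolicyName: KmsDecryptData
 PolicyDocument:
 Version: 2012-10-17
 Statement:
 - Sid: DecryptEncryptArtifacts
 Effect: Allow
 Action:
-- kms:DescribeKey
-- kms:GenerateDataKey*
+- kms:Encrypt
 - kms:Decrypt
+- kms:ReEncrypt*
+- kms:GenerateDataKey*
+- kms:DescribeKey
 Resource:
-- !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${CiKmsKeyId}'
+- !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${CiAccountId}:key/${CiKmsKeyId}'
 - PolicyName: S3Access
 PolicyDocument:
 Version: '2012-10-17'
 Statement:
 - Action:
 - s3:PutObject*
-- s3:GetObject
-- s3:GetObjectVersion
-- s3:HeadBucket
+- s3:GetObject*
+- s3:ListBucket
 - s3:GetBucketLocation
 Effect: Allow
 Resource:
 - !Sub 'arn:${AWS::Partition}:s3:::${ArtifactsBucketName}'
 - !Sub 'arn:${AWS::Partition}:s3:::${ArtifactsBucketName}/*'
 Sid: AllowRwToArtifactsBucket
 - Action:
-- s3:GetObject
-- s3:GetObjectVersion
-- s3:HeadBucket
+- s3:GetObject*
+- s3:ListBucket
 - s3:GetBucketLocation
 Effect: Allow
 Sid: GetCloudformationTemplates
 Resource:
 - !Sub 'arn:${AWS::Partition}:s3:::${CloudformationTemplatesBucketName}'
 - !Sub 'arn:${AWS::Partition}:s3:::${CloudformationTemplatesBucketName}/*'
+- PolicyName: AccessForCloudFormation
+PolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Action:
+- iam:PassRole
+Condition:
+StringEqualsIfExists:
+iam:PassedToService:
+- !Sub 'cloudformation.${AWS::URLSuffix}'
+Effect: Allow
+Resource:
+- !GetAtt 'CloudformationRole.Arn'
+Sid: AllowsPipelineToPassRoleToCfn
+- Action:
+- cloudformation:CreateStack
+- cloudformation:DeleteStack
+- cloudformation:DescribeStacks
+- cloudformation:UpdateStack
+- cloudformation:CreateChangeSet
+- cloudformation:DeleteChangeSet
+- cloudformation:DescribeChangeSet
+- cloudformation:ExecuteChangeSet
+- cloudformation:SetStackPolicy
+- cloudformation:ValidateTemplate
+Effect: Allow
+Resource: '*'
+Sid: AllowsCloudFormationAccess
 AssumeRolePolicyDocument:
 Version: '2012-10-17'
 Statement: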
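Review bot: The AccessForCloudFormation policy moved onto the cross-account pipeline role (new lines 141–168 of the second hunk) grants cloudformation:DeleteStack, UpdateStack and SetStackPolicy on `Resource: '*'`, so a compromised CI-account pipeline could delete or rewrite any stack in the dev or prod account, not just the ones this pipeline deploys. Only cloudformation:ValidateTemplate genuinely needs a wildcard resource; the stack and change-set actions accept stack ARNs and should be scoped at least to `!Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*/*'`, or to the specific stack names if those are passed in as parameters. The iam:PassRole statement uses `StringEqualsIfExists`, which also allows the pass when `iam:PassedToService` is absent from the request; since CloudFormation is the only intended consumer here, plain `StringEquals` is tighter, though confirm nothing else passes CloudformationRole before changing it. The role's AssumeRolePolicyDocument continues past the end of this hunk, so its trust policy is not reviewed here.

```yaml
        - Sid: AllowsCloudFormationAccess
          Effect: Allow
          Action:
            - cloudformation:CreateStack
            # … unchanged: remaining stack and change-set actions …
            - cloudformation:SetStackPolicy
          Resource:
            - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*/*'
        - Sid: AllowsTemplateValidation
          Effect: Allow
          Action:
            - cloudformation:ValidateTemplate
          Resource: '*'
```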

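--- a/cicd-pipeline-ecs-composex/cfn-templates/shared-buckets.yml
+++ b/cicd-pipeline-ecs-composex/cfn-templates/shared-buckets.yml
@@ -94,6 +94,7 @@ Resources:
 Resource: !Sub '${ArtifactsBucket.Arn}'
 Action:
 - s3:ListBucket
+- s3:GetBucket*
 Principal:
 AWS:
 - !Ref ProdAccountPipelineRoleId
@@ -138,6 +139,7 @@ Resources:
 - !Ref DevAccountCfnRoleId
 - Action:
 - s3:ListBucket
+- s3:GetBucket*
 Effect: Allow
 Resource:
 - !Sub '${CloudformationTemplatesBucket.Arn}'
@@ -158,7 +160,7 @@ Resources:
 Type: AWS::SSM::Parameter
 Properties:
 Name: !Sub '${SsmParameterPrefixShared}/s3/templates/name'
-Value: !Ref ArtifactsBucket
+Value: !Ref CloudformationTemplatesBucket
 Type: String
 
 Outputs: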
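Review bot: Both bucket-policy statements widened here (new lines 97 and 142) add `s3:GetBucket*` for the cross-account pipeline and CloudFormation roles, and that wildcard also matches GetBucketPolicy, GetBucketAcl and GetBucketPublicAccessBlock, none of which a deploy role needs to read. Grant the specific action instead, `- s3:GetBucketLocation` (plus `- s3:GetBucketVersioning` if versioned artifacts are relied on), and use the same list in the role policies in crossaccount-roles.yml so the resource-side and identity-side grants stay aligned. The SSM parameter change in the last hunk, pointing `/s3/templates/name` at CloudformationTemplatesBucket instead of ArtifactsBucket, is consistent with the `/cicd/shared/s3/templates/name` default consumed in cd_pipeline.yml and looks like a genuine fix. Each bucket-policy resource begins before its hunk, so the Principal and Effect of the second statement are only partially visible here.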
