

Update pipeline to give more permissions, per v6.0.0 SWB mainline cic…
…d pipeline code.
srpiatt committed Aug 15, 2023
1 parent 401316a commit 1a13daf
Showing 3 changed files with 186 additions and 13 deletions.
191 changes: 180 additions & 11 deletions main/cicd/cicd-pipeline/config/infra/cloudformation.yml
Expand Up @@ -9,10 +9,12 @@ Conditions:
UseCodeCommit: !Not
- !Equals ['${self:custom.settings.sourceAccountId}', '']
CreateStagingEnv: !Equals ['${self:custom.settings.createStagingEnv}', true]
RunTestsAgainstTargetEnv: !Equals ['${self:custom.settings.runTestsAgainstTargetEnv}', true]
RunTestsAgainstTargetEnv:
!Equals ['${self:custom.settings.runTestsAgainstTargetEnv}', true]
DeleteTargetEnv: !Equals ['${self:custom.settings.deleteAfterInstall}', true]
PreventCollision: !Equals ['${self:custom.settings.preventCollision}', true]
AddManualApproval: !Equals ['${self:custom.settings.requireManualApproval}', true]
AddManualApproval:
!Equals ['${self:custom.settings.requireManualApproval}', true]
SubscribeNotificationEmail: !Not
- !Equals ['${self:custom.settings.emailForNotifications}', '']

Expand Down Expand Up @@ -170,6 +172,7 @@ Resources:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
- logs:TagLogGroup
Effect: Allow
Resource: '*'
- Action:
Expand Down Expand Up @@ -237,11 +240,15 @@ Resources:
- iam:UpdateRoleDescription
- iam:*TagRole*
Effect: Allow
Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.namespace}-*'
Resource:
- !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.namespace}-*'
- !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.envName}-va-${self:custom.settings.solutionName}-edgeLambda-RoleCloudFrontInterceptor-*'
- Action:
- iam:PassRole
Effect: Allow
Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.namespace}-*'
Resource:
- !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.namespace}-*'
- !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.envName}-va-${self:custom.settings.solutionName}-edgeLambda-RoleCloudFrontInterceptor-*'
- Action:
- iam:CreatePolicy
- iam:GetPolicy
Expand Down Expand Up @@ -277,6 +284,7 @@ Resources:
- logs:CreateLogGroup
- logs:DeleteLogGroup
- logs:DeleteLogStream
- logs:TagLogGroup
Resource:
- !Sub 'arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/*'
- !Sub 'arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/*:log-stream:*'
Expand All @@ -288,6 +296,8 @@ Resources:
- !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:${self:custom.settings.namespace}*'
- !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:${self:custom.settings.awsRegionShortName}-${self:custom.settings.solutionName}-*-${self:custom.settings.envName}-*:*'
- !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:${self:custom.settings.awsRegionShortName}-${self:custom.settings.solutionName}-*-${self:custom.settings.envName}-*'
- !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:${self:custom.settings.envName}-va-${self:custom.settings.solutionName}-*:*'
- !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:${self:custom.settings.envName}-va-${self:custom.settings.solutionName}-*'
- Action:
- 's3:*'
Effect: Allow
Expand Down Expand Up @@ -362,6 +372,10 @@ Resources:
- cloudformation:GetTemplate
- cloudformation:ListStackResources
- cloudformation:DescribeStackEvents
- cloudformation:ExecuteChangeSet
- cloudformation:DescribeChangeSet
- cloudformation:CreateChangeSet
- cloudformation:DeleteChangeSet
Resource:
- !Sub 'arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${self:custom.settings.namespace}-*'
- !Sub 'arn:aws:cloudformation:us-east-1:${AWS::AccountId}:stack/${self:custom.settings.envName}-va-${self:custom.settings.solutionName}-*'
Expand Down Expand Up @@ -433,6 +447,157 @@ Resources:
- !Sub 'arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/*'
- !Ref AWS::NoValue

PolicyAppDeployerStaging:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: Allows CodePipeline to create resources required for deploying SWB with staging env
PolicyDocument:
Version: '2012-10-17'
Statement:
- !If
- CreateStagingEnv
- Action:
- iam:GetRole
- iam:GetRolePolicy
- iam:CreateRole
- iam:PutRolePolicy
- iam:AttachRolePolicy
- iam:DeleteRole
- iam:DeleteRolePolicy
- iam:DetachRolePolicy
- iam:UpdateRoleDescription
- iam:*TagRole*
Effect: Allow
Resource:
- !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.stgNamespace}-*'
- !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.stgEnvName}-va-${self:custom.settings.solutionName}-edgeLambda-RoleCloudFrontInterceptor-*'
- !Ref AWS::NoValue
- !If
- CreateStagingEnv
- Action:
- iam:PassRole
Effect: Allow
Resource:
- !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.stgNamespace}-*'
- !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.stgEnvName}-va-${self:custom.settings.solutionName}-edgeLambda-RoleCloudFrontInterceptor-*'
- !Ref AWS::NoValue
- !If
- CreateStagingEnv
- Effect: Allow
Action:
- iam:CreatePolicy
- iam:GetPolicy
- iam:DeletePolicy
- iam:*PolicyVersion*
Resource:
- !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.stgNamespace}-*'
- !Ref AWS::NoValue
- !If
- CreateStagingEnv
- Action:
- dynamodb:*
Effect: Allow
Resource:
- !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.stgNamespace}-*'
- !Ref AWS::NoValue
- !If
- CreateStagingEnv
- Effect: Allow
Action:
- lambda:*
Resource:
- !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:${self:custom.settings.stgNamespace}*:*'
- !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:${self:custom.settings.stgNamespace}*'
- !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:${self:custom.settings.awsRegionShortName}-${self:custom.settings.solutionName}-*-${self:custom.settings.stgEnvName}-*:*'
- !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:${self:custom.settings.awsRegionShortName}-${self:custom.settings.solutionName}-*-${self:custom.settings.stgEnvName}-*'
- !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:${self:custom.settings.stgEnvName}-va-${self:custom.settings.solutionName}-*:*'
- !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:${self:custom.settings.stgEnvName}-va-${self:custom.settings.solutionName}-*'
- !Ref AWS::NoValue
- !If
- CreateStagingEnv
- Action:
- 's3:*'
Effect: Allow
Resource:
- !Sub arn:aws:s3:::${AWS::AccountId}-${self:custom.settings.stgNamespace}*
- !Sub arn:aws:s3:::${AWS::AccountId}-${self:custom.settings.stgNamespace}*/*
- !Sub arn:aws:s3:::${AWS::AccountId}-${self:custom.settings.stgEnvName}-va-${self:custom.settings.solutionName}*
- !Sub arn:aws:s3:::${AWS::AccountId}-${self:custom.settings.stgEnvName}-va-${self:custom.settings.solutionName}*/*
- !Ref AWS::NoValue
- !If
- CreateStagingEnv
- Effect: Allow
Action:
- ssm:GetParameter
- ssm:DeleteParameter
Resource:
- !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${self:custom.settings.stgEnvName}/*'
- !Ref AWS::NoValue
- !If
- CreateStagingEnv
- Effect: Allow
Action:
- cloudformation:CreateStack
- cloudformation:DeleteStack
- cloudformation:DescribeStacks
- cloudformation:UpdateStack
- cloudformation:GetTemplate
- cloudformation:ListStackResources
- cloudformation:DescribeStackEvents
- cloudformation:ExecuteChangeSet
- cloudformation:DescribeChangeSet
- cloudformation:CreateChangeSet
- cloudformation:DeleteChangeSet
Resource:
- !Sub 'arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${self:custom.settings.stgNamespace}-*'
- !Sub 'arn:aws:cloudformation:us-east-1:${AWS::AccountId}:stack/${self:custom.settings.stgEnvName}-va-${self:custom.settings.solutionName}-*'
- !Ref AWS::NoValue
- !If
- CreateStagingEnv
- Effect: 'Allow'
Action:
- kms:DescribeKey
- kms:EnableKey
- kms:Encrypt
- kms:Decrypt
- kms:CreateAlias
- kms:DeleteAlias
- kms:ScheduleKeyDeletion
- kms:ListKeyPolicies
- kms:ReEncrypt*
- kms:GenerateDataKey
- kms:ListGrants
- kms:GenerateDataKeyWithoutPlaintext
- kms:CreateGrant
- kms:RevokeGrant
- kms:TagResource
- kms:UntagResource
- kms:GetKeyPolicy
- kms:EnableKeyRotation
Resource:
- !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/*${self:custom.settings.stgNamespace}*'
- !Ref AWS::NoValue
- !If
- CreateStagingEnv
- Action:
- iam:PutRolePermissionsBoundary
- iam:DeleteRolePermissionsBoundary
Effect: Allow
Resource:
- !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/*${self:custom.settings.stgNamespace}*'
- !Ref AWS::NoValue

- Action:
- iam:PutRolePermissionsBoundary
- iam:DeleteRolePermissionsBoundary
- iam:CreateRole
- iam:PutRolePolicy
- iam:AttachRolePolicy
- iam:DeleteRolePolicy
- iam:DetachRolePolicy
Effect: Deny
Resource:
- !Sub 'arn:aws:iam::${AWS::AccountId}:policy/${self:custom.settings.stgNamespace}-cicd-pipeline-PolicyAppDeployerStaging-*'
AppDeployerRole:
Type: AWS::IAM::Role
Properties:
Expand All @@ -449,6 +614,7 @@ Resources:
# The permissions required by stacks are very fluid and dependent on which resources are declared in those
# stacks
- !Ref PolicyAppDeployer
- !Ref PolicyAppDeployerStaging
PermissionsBoundary: !Ref PolicyAppDeployer

# Role that allows triggering the CodePipeline. This role is assumed by CloudWatch Events from the Source AWS Account
Expand Down Expand Up @@ -661,7 +827,7 @@ Resources:
Image: aws/codebuild/standard:5.0
EnvironmentVariables:
- Name: DEPLOYMENT_BUCKET
Value: ${self:provider.deploymentBucket}
Value: ${self:provider.deploymentBucket.name}
- Name: ENV_NAME
Value: ${self:custom.settings.stgEnvName}
ServiceRole: !GetAtt AppDeployerRole.Arn
Expand Down Expand Up @@ -691,7 +857,7 @@ Resources:
Image: aws/codebuild/standard:5.0
EnvironmentVariables:
- Name: DEPLOYMENT_BUCKET
Value: ${self:provider.deploymentBucket}
Value: ${self:provider.deploymentBucket.name}
- Name: ENV_NAME
Value: ${self:custom.settings.envName}
ServiceRole: !GetAtt AppDeployerRole.Arn
Expand All @@ -718,7 +884,7 @@ Resources:
Image: aws/codebuild/standard:5.0
EnvironmentVariables:
- Name: DEPLOYMENT_BUCKET
Value: ${self:provider.deploymentBucket}
Value: ${self:provider.deploymentBucket.name}
- Name: ENV_NAME
Value: ${self:custom.settings.stgEnvName}
ServiceRole: !GetAtt AppDeployerRole.Arn
Expand All @@ -745,7 +911,7 @@ Resources:
Image: aws/codebuild/standard:5.0
EnvironmentVariables:
- Name: DEPLOYMENT_BUCKET
Value: ${self:provider.deploymentBucket}
Value: ${self:provider.deploymentBucket.name}
- Name: ENV_NAME
Value: ${self:custom.settings.envName}
ServiceRole: !GetAtt AppDeployerRole.Arn
Expand Down Expand Up @@ -773,7 +939,7 @@ Resources:
Image: aws/codebuild/standard:5.0
EnvironmentVariables:
- Name: DEPLOYMENT_BUCKET
Value: ${self:provider.deploymentBucket}
Value: ${self:provider.deploymentBucket.name}
- Name: ENV_NAME
Value: ${self:custom.settings.envName}
ServiceRole: !GetAtt AppDeployerRole.Arn
Expand Down Expand Up @@ -891,5 +1057,8 @@ Outputs:
AppArtifactBucketArn: { Value: !GetAtt AppArtifactBucket.Arn }
ArtifactBucketKeyArn: { Value: !GetAtt ArtifactBucketKey.Arn }
AppPipelineName: { Value: !Ref AppPipeline }
AppPipelineArn: { Value: !Sub 'arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${AppPipeline}' }
PipelineNotificationsTopic: { Value: !Ref PipelineNotificationsTopic }
AppPipelineArn:
{
Value: !Sub 'arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${AppPipeline}',
}
PipelineNotificationsTopic: { Value: !Ref PipelineNotificationsTopic }
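Review bot: Three of the new PolicyAppDeployerStaging statements pair actions with an ARN from the wrong service, so they can never match a request and grant nothing: the `dynamodb:*` statement and the `iam:CreatePolicy`/`iam:GetPolicy`/`iam:DeletePolicy`/`iam:*PolicyVersion*` statement are both scoped to an `arn:aws:iam::…:role/${stgNamespace}-*` ARN, and the `iam:PutRolePermissionsBoundary`/`iam:DeleteRolePermissionsBoundary` statement is scoped to an `arn:aws:kms:…:alias/…` ARN. The DynamoDB statement needs table ARNs (constructed example: `- !Sub 'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${self:custom.settings.stgNamespace}-*'`), the policy statement needs `- !Sub 'arn:aws:iam::${AWS::AccountId}:policy/${self:custom.settings.stgNamespace}-*'`, and the boundary statement should reuse the staging role ARN already used in the `iam:PassRole` statement above it. The unconditional Deny at the end of the policy has the same shape problem: all seven listed actions are evaluated against a role ARN, so a `policy/…-PolicyAppDeployerStaging-*` Resource never matches and the guard against the deployer altering its own permissions is a no-op; if the intent is to refuse role creation or update without the boundary attached, that is a Deny on the role ARN with a `StringNotEquals` condition on `iam:PermissionsBoundary`, and note the policy name is derived from the stack name, which may be the main `namespace` rather than `stgNamespace`. Separately, AppDeployerRole now has `- !Ref PolicyAppDeployerStaging` in ManagedPolicyArns while `PermissionsBoundary: !Ref PolicyAppDeployer` is unchanged, so the staging grants are effective only where PolicyAppDeployer also allows them — unless PolicyAppDeployer already covers the `stgNamespace`/`stgEnvName` ARNs (not visible in this diff), the boundary silently cuts the new permissions back down.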
4 changes: 4 additions & 0 deletions main/cicd/cicd-pipeline/config/settings/.defaults.yml
Expand Up @@ -43,6 +43,10 @@ runTestsAgainstTargetEnv: true
# This setting is ignored when createStagingEnv is not true.
stgEnvName: ${self:custom.settings.envName}stg

# Name of the staging environment to run the integration tests against.
# This setting is ignored when createStagingEnv is not true.
stgNamespace: ${self:custom.settings.namespace}stg

# WARNING: Setting this to true deletes the installed Service Workbench environment at the end of the pipeline
# This can be used for testing the fresh install and uninstall experience of the product using CodePipeline
deleteAfterInstall: false
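Review bot: The comment above the new `stgNamespace` setting is copied from `stgEnvName` ("Name of the staging environment to run the integration tests against") and does not describe a namespace, which the pipeline template uses as the prefix for staging role, Lambda, S3 and stack ARNs. Replace the first comment line with `# Namespace prefix for the staging environment's resources (roles, functions, buckets, stacks); defaults to the main namespace with an stg suffix.` and keep the "ignored when createStagingEnv is not true" line. Worth stating explicitly that the value must keep the same shape as `namespace`, since the IAM resource patterns in cloudformation.yml are built by string concatenation on it.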
4 changes: 2 additions & 2 deletions main/cicd/cicd-pipeline/serverless.yml
Expand Up @@ -20,8 +20,8 @@ custom:
Name: ${self:custom.settings.envName}-${self:service}
hooks:
'aws:deploy:finalize:cleanup':
- scripts/upload-env-config-if-not-versioned.sh ${self:provider.profile} ${self:provider.deploymentBucket} ${self:custom.settings.stgEnvName} ${self:custom.settings.envName}
- scripts/upload-test-config-if-not-versioned.sh ${self:provider.profile} ${self:provider.deploymentBucket} ${self:custom.settings.stgEnvName} ${self:custom.settings.envName}
- scripts/upload-env-config-if-not-versioned.sh ${self:provider.profile} ${self:provider.deploymentBucket.name} ${self:custom.settings.stgEnvName} ${self:custom.settings.envName}
- scripts/upload-test-config-if-not-versioned.sh ${self:provider.profile} ${self:provider.deploymentBucket.name} ${self:custom.settings.stgEnvName} ${self:custom.settings.envName}

resources:
- Description: Service-Workbench-on-AWS ${self:custom.settings.version} ${self:custom.settings.solutionName} ${self:custom.settings.envName} CICD-Pipeline
