feat(adf-bootstrap): (#472) modify trust relations for roles ⚡ (#526)

* feat(adf-bootstrap): (#472) modify trust relations for roles ⚡

* feat(adf-bootstrap): (#472) fix StringEquals to ArnEquals condition ⚡

* Update merge fix

* Add patch of #526 to other important roles too

* Fix reference to deployment account id

---------

Co-authored-by: AndreasAugustin
Co-authored-by: Simon Kok
Co-authored-by: Javy de Koning

src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml

@@ -548,10 +548,13 @@ Resources:
         Statement:
           - Effect: Allow
             Sid: "AssumeRole"
+            Condition:
+              ArnEquals:
+                "aws:PrincipalArn":
+                  - !GetAtt PipelineManagementApplication.Outputs.CreateRepositoryLambdaRoleArn
+                  - !GetAtt PipelineManagementApplication.Outputs.CreateOrUpdateRuleLambdaRoleArn
             Principal:
-              AWS:
-                - !GetAtt PipelineManagementApplication.Outputs.CreateRepositoryLambdaRoleArn
-                - !GetAtt PipelineManagementApplication.Outputs.CreateOrUpdateRuleLambdaRoleArn
+              AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
             Action:
               - sts:AssumeRole
       Path: /

src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml

@@ -60,9 +60,13 @@ Resources:
 #       Statement:
 #         - Effect: Allow
 #           Sid: "AssumeRole"
+#           Condition:
+#             ArnEquals:
+#               'aws:PrincipalArn':
+#                 # This would allow all CodeBuild projects to be able to assume this role
+#                 - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
 #           Principal:
-#             AWS:
-#               - !Sub arn:aws:iam::${DeploymentAccountId}:role/adf-codebuild-role
+#             AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
 #           Action:
 #             - sts:AssumeRole
 #     Path: /
@@ -103,12 +107,16 @@ Resources:
 #       Statement:
 #         - Effect: Allow
 #           Sid: "AssumeRole"
+#           Condition:
+#             ArnEquals:
+#               'aws:PrincipalArn':
+#                 # This would allow all CodeBuild projects to be able to assume this role
+#                 # - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
+#                 - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/my-custom-codebuild-role
+#                 # The above role would be created on the deployment account
+#                 # for the purpose deploying this custom resource via CodeBuild
 #           Principal:
-#             AWS:
-#               # This would allow all codebuild projects to be able to assume this role
-#               # - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
-#               - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/my-custom-codebuild-role
-#               # The above role would be created on the deployment account for the purpose deploying this custom resource via codebuild
+#             AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
 #           Action:
 #             - sts:AssumeRole
 #     Path: /

src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml

@@ -34,8 +34,11 @@ Resources:
         Version: "2012-10-17"
         Statement:
           - Effect: Allow
+            Condition:
+              ArnEquals:
+                "aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role"
             Principal:
-              AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role
+              AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
             Action:
               - sts:AssumeRole
           - Effect: Allow
@@ -154,9 +157,12 @@ Resources:
         Statement:
           - Effect: Allow
             Principal:
-              AWS:
-                - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role
-                - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-cloudformation-role
+              AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
+            Condition:
+              ArnEquals:
+                "aws:PrincipalArn":
+                  - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role
+                  - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-cloudformation-role
             Action:
               - sts:AssumeRole
       Path: /
@@ -203,12 +209,13 @@ Resources:
             Sid: "AssumeRole"
             Principal:
               AWS:
-                - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role
+                - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
             Action:
               - sts:AssumeRole
             Condition:
               ArnEquals:
                 "aws:SourceArn": !Sub "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${DeploymentAccountId}:*"
+                "aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role"
       Path: /
 
   UpdateCrossAccountAccessByDeploymentAccountRole:
@@ -220,9 +227,11 @@ Resources:
         Statement:
           - Effect: Allow
             Sid: "AssumeRoleByEnableCrossAccountLambda"
+            Condition:
+              ArnEquals:
+                "aws:PrincipalArn": !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-enable-cross-account-access-lambda-role
             Principal:
-              AWS:
-                - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-enable-cross-account-access-lambda-role
+              AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
             Action:
               - sts:AssumeRole
       Path: /
@@ -252,10 +261,14 @@ Resources:
         Statement:
           - Effect: Allow
             Sid: "AssumeRole"
+            Condition:
+              ArnEquals:
+                "aws:PrincipalArn":
+                  - !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-automation/adf-pipeline-create-update-rule"
+                  - !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-automation/adf-pipeline-create-repository"
             Principal:
               AWS:
-                - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-automation/adf-pipeline-create-update-rule
-                - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-automation/adf-pipeline-create-repository
+                - !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:root"
             Action:
               - sts:AssumeRole
       Path: /
@@ -356,9 +369,12 @@ Resources:
         Statement:
           - Effect: Allow
             Sid: "AssumeRole"
+            Condition:
+              ArnEquals:
+                "aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role"
             Principal:
               AWS:
-                - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
+                - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
             Action:
               - sts:AssumeRole
       Path: /