From 0e6d022c3a206defb4bde7d9c5d6e35c81c5d1a6 Mon Sep 17 00:00:00 2001
From: andy Augustin
Date: Mon, 24 Jul 2023 17:33:55 +0200
Subject: [PATCH] feat(adf-bootstrap): (#472) modify trust relations for roles :zap: (#526)

* feat(adf-bootstrap): (#472) modify trust relations for roles :zap:
* feat(adf-bootstrap): (#472) fix StringEquals to ArnEquals condition :zap:
* Update merge fix
* Add patch of #526 to other important roles too
* Fix reference to deployment account id

--------

Co-authored-by: AndreasAugustin
Co-authored-by: Simon Kok
Co-authored-by: Javy de Koning
---
 .../adf-bootstrap/deployment/global.yml | 9 +++--
 .../adf-bootstrap/example-global-iam.yml | 22 ++++++++----
 .../adf-bootstrap/global.yml | 36 +++++++++++++------
 3 files changed, 47 insertions(+), 20 deletions(-)

diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
index 6b16518bb..fb93defbb 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
@@ -548,10 +548,13 @@ Resources:
 Statement:
 - Effect: Allow
 Sid: "AssumeRole"
+ Condition:
+ ArnEquals:
+ "aws:PrincipalArn":
+ - !GetAtt PipelineManagementApplication.Outputs.CreateRepositoryLambdaRoleArn
+ - !GetAtt PipelineManagementApplication.Outputs.CreateOrUpdateRuleLambdaRoleArn
 Principal:
- AWS:
- - !GetAtt PipelineManagementApplication.Outputs.CreateRepositoryLambdaRoleArn
- - !GetAtt PipelineManagementApplication.Outputs.CreateOrUpdateRuleLambdaRoleArn
+ AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
 Action:
 - sts:AssumeRole
 Path: /
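Review bot: Switching the principal from the two Lambda role ARNs to the account root changes who authorises the assume call in this same-account trust: with an explicit same-account role principal the trust policy alone was sufficient, whereas a `:root` principal delegates to the caller's identity policy, so the CreateRepository and CreateOrUpdateRule Lambda roles must themselves allow `sts:AssumeRole` on this role (their policies live in the nested PipelineManagementApplication stack, which I cannot see from this hunk). The motivation — keeping the trust valid when those roles are recreated — is also invisible to the next reader, so I would put it on the Condition: `# Root principal + aws:PrincipalArn survives re-creation of the Lambda roles; the calling role must still allow sts:AssumeRole in its own policy`. The role definition this statement belongs to starts before the hunk.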
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml
index f85d717ee..be971baec 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml
@@ -60,9 +60,13 @@ Resources:
 # Statement:
 # - Effect: Allow
 # Sid: "AssumeRole"
+# Condition:
+# ArnEquals:
+# 'aws:PrincipalArn':
+# # This would allow all CodeBuild projects to be able to assume this role
+# - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
 # Principal:
-# AWS:
-# - !Sub arn:aws:iam::${DeploymentAccountId}:role/adf-codebuild-role
+# AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
 # Action:
 # - sts:AssumeRole
 # Path: /
@@ -103,12 +107,16 @@ Resources:
 # Statement:
 # - Effect: Allow
 # Sid: "AssumeRole"
+# Condition:
+# ArnEquals:
+# 'aws:PrincipalArn':
+# # This would allow all CodeBuild projects to be able to assume this role
+# # - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
+# - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/my-custom-codebuild-role
+# # The above role would be created on the deployment account
+# # for the purpose deploying this custom resource via CodeBuild
 # Principal:
-# AWS:
-# # This would allow all codebuild projects to be able to assume this role
-# # - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
-# - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/my-custom-codebuild-role
-# # The above role would be created on the deployment account for the purpose deploying this custom resource via codebuild
+# AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
 # Action:
 # - sts:AssumeRole
 # Path: /
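Review bot: In the first hunk the comment `# This would allow all CodeBuild projects to be able to assume this role` now sits directly above the active `adf-codebuild-role` entry, where it reads as a warning with no guidance, while in the second hunk the same sentence describes a commented-out alternative; an example template should say what the reader is choosing between. I would reword the first one to `# Any CodeBuild project in the deployment account running as adf-codebuild-role can assume this role; use a dedicated role (see the next example) to narrow the trust`, and add beside the `:root` principal in both hunks `# Root principal delegates to the deployment account's IAM: the role named above must also allow sts:AssumeRole on this role in its own policy`. The key is quoted with single quotes here (`'aws:PrincipalArn'`) and double quotes in global.yml; harmless, but the example is what users copy, so match one style. Both statements belong to commented-out role definitions that start before the hunks.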
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
index f9aaba107..a323a94a8 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
@@ -34,8 +34,11 @@ Resources:
 Version: "2012-10-17"
 Statement:
 - Effect: Allow
+ Condition:
+ ArnEquals:
+ "aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role"
 Principal:
- AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role
+ AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
 Action:
 - sts:AssumeRole
 - Effect: Allow
@@ -154,9 +157,12 @@ Resources:
 Statement:
 - Effect: Allow
 Principal:
- AWS:
- - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role
- - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-cloudformation-role
+ AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
+ Condition:
+ ArnEquals:
+ "aws:PrincipalArn":
+ - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role
+ - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-cloudformation-role
 Action:
 - sts:AssumeRole
 Path: /
@@ -203,12 +209,13 @@ Resources:
 Sid: "AssumeRole"
 Principal:
 AWS:
- - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role
+ - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
 Action:
 - sts:AssumeRole
 Condition:
 ArnEquals:
 "aws:SourceArn": !Sub "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${DeploymentAccountId}:*"
+ "aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role"
 Path: /
 
 UpdateCrossAccountAccessByDeploymentAccountRole:
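Review bot: The first hunk changes what the cross-account trust is bound to: an explicit role principal is stored by IAM as the role's unique ID, so deleting `adf-codepipeline-role` in the deployment account invalidated the trust, whereas `:root` plus an `ArnEquals` on `aws:PrincipalArn` matches the ARN string, so any role later created under that name in the deployment account is trusted as well. That is the behaviour the commit wants for recreated roles, but it also means anyone who can create roles in the deployment account can inherit the trust of every target account, and nothing in the template records the trade-off; I would put `# Matched by ARN, not by role ID: a recreated role with this name is trusted too` above the Condition. The same applies to every statement converted in this file. The role definition starts before the hunk.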
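Review bot: In the third hunk `Principal.AWS` stays a one-element list holding the `:root` ARN while the first two hunks write the same value as a scalar, and the new `"aws:PrincipalArn"` entry is added under the existing `ArnEquals`, so this statement now requires both `aws:SourceArn` and the principal ARN to match. The conjunction is presumably intended, but the mixed list/scalar form makes the trust principals harder to grep across the file; I would write `AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root` as in the first hunk. The enclosing role definition starts before the hunk.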
@@ -220,9 +227,11 @@ Resources:
 Statement:
 - Effect: Allow
 Sid: "AssumeRoleByEnableCrossAccountLambda"
+ Condition:
+ ArnEquals:
+ "aws:PrincipalArn": !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-enable-cross-account-access-lambda-role
 Principal:
- AWS:
- - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-enable-cross-account-access-lambda-role
+ AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
 Action:
 - sts:AssumeRole
 Path: /
@@ -252,10 +261,14 @@ Resources:
 Statement:
 - Effect: Allow
 Sid: "AssumeRole"
+ Condition:
+ ArnEquals:
+ "aws:PrincipalArn":
+ - !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-automation/adf-pipeline-create-update-rule"
+ - !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-automation/adf-pipeline-create-repository"
 Principal:
 AWS:
- - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-automation/adf-pipeline-create-update-rule
- - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-automation/adf-pipeline-create-repository
+ - !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:root"
 Action:
 - sts:AssumeRole
 Path: /
@@ -356,9 +369,12 @@ Resources:
 Statement:
 - Effect: Allow
 Sid: "AssumeRole"
+ Condition:
+ ArnEquals:
+ "aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role"
 Principal:
 AWS:
- - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
+ - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
 Action:
 - sts:AssumeRole
 Path: /
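Review bot: `Principal.AWS` is written three different ways across these hunks for the same `:root` ARN: a plain scalar in the first, a quoted one-element list in the second and an unquoted one-element list in the third. The second hunk's ARNs under `aws:PrincipalArn` carry the `adf-automation/` path, which is correct since `aws:PrincipalArn` for a role session is the full role ARN including its path, so `ArnEquals` will fail closed if a role is ever recreated under a different path — worth a one-line comment there. For the principal itself I would use the scalar form everywhere, `AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root`, so the trust statements diff line-for-line. The role definitions these statements belong to start before the hunks.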