From 3aff0f3edf3fc35946526bf73e874293052bd367 Mon Sep 17 00:00:00 2001
From: Zack Mullaly
Date: Mon, 27 Aug 2018 12:27:21 -0400
Subject: [PATCH] Cloudtrail stack for creating an IAM user with a managed policy that we can safely use to let Travis push to S3. Courtesy of Andrew Krug
---
aws/releases-cloudtrail-build-user.yml | 35 ++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 aws/releases-cloudtrail-build-user.yml
diff --git a/aws/releases-cloudtrail-build-user.yml b/aws/releases-cloudtrail-build-user.yml
new file mode 100644
index 00000000..4821044d
--- /dev/null
+++ b/aws/releases-cloudtrail-build-user.yml
@@ -0,0 +1,35 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "Sets up a managed policy for Mig to build and deploy to s3."
+Parameters:
+ S3BucketMigBuilds:
+ Type: "String"
+ Description: "The S3 bucket that your build job will be writing out to. (arn:aws:s3:::mig-agent-releases)"
+Resources:
+ PutBuildstoS3:
+ Type: AWS::IAM::ManagedPolicy
+ Properties:
+ Description: "Managed policy for travis-ci to put builds to s3."
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ -
+ Effect: "Allow"
+ Action: "s3:PutObject"
+ Resource:
+ - !Ref S3BucketMigBuilds
+ -
+ Effect: "Allow"
+ Action: "s3:GetObject"
+ Resource:
+ - !Ref S3BucketMigBuilds
+ -
+ Effect: "Allow"
+ Action: "s3:DeleteObject"
+ Resource:
+ - !Ref S3BucketMigBuilds
+ BuildUser:
+ Type: AWS::IAM::User
+ Properties:
+ ManagedPolicyArns:
+ - !Ref PutBuildstoS3
+ UserName: mig-build-user
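Review bot: All three statements in `PutBuildstoS3` set `Resource` to `!Ref S3BucketMigBuilds`, and the parameter description gives a bare bucket ARN (`arn:aws:s3:::mig-agent-releases`) as the expected value. `s3:PutObject`, `s3:GetObject` and `s3:DeleteObject` are object-level actions, so they need an object ARN. If the parameter is supplied as in the example, the policy would match no objects, so each resource entry should be `- !Sub "${S3BucketMigBuilds}/*"`, or a narrower key prefix if builds land under one. The policy description only mentions putting builds, so `s3:GetObject` and `s3:DeleteObject` look broader than the job needs; because these are long-lived CI credentials, I would drop `s3:DeleteObject` unless the build really removes objects, so a leaked key cannot delete published releases. I would also add a comment above `UserName: mig-build-user` noting that a fixed IAM name means the stack must be deployed with `CAPABILITY_NAMED_IAM`.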