From e629c826054fdb6edef4f1b5229ac44d794f1e85 Mon Sep 17 00:00:00 2001
From: Jose Corella
Date: Mon, 22 Jan 2024 11:14:07 -0800
Subject: [PATCH 1/5] chore(CFN): add CI Bot Template
---
 cfn/CI-Bot.yml | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 cfn/CI-Bot.yml
diff --git a/cfn/CI-Bot.yml b/cfn/CI-Bot.yml
new file mode 100644
index 000000000..cfef8efa0
--- /dev/null
+++ b/cfn/CI-Bot.yml
@@ -0,0 +1,62 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "IAM Managed Policies/Role for CI Bot credentials in GitHub"
+
+Parameters:
+ ProjectName:
+ Type: String
+ Description: A prefix that will be applied to any names
+ Default: CI-Bot-Credential-Access
+
+Resources:
+ GetCIBotCredsPolicy:
+ Type: "AWS::IAM::ManagedPolicy"
+ Properties:
+ Description: "Allow Read access to GitHub CI Bot credentials Secret"
+ ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}"
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - secretsmanager:ListSecrets
+ Resource: "*"
+ - Effect: Allow
+ Action:
+ - secretsmanager:GetSecretValue
+ Resource: "arn:aws:secretsmanager:us-west-2:587316601012:secret:Github/aws-crypto-tools-ci-bot-AGUB3U"
+
+ GitHubCIRole:
+ Type: "AWS::IAM::Role"
+ Properties:
+ RoleName: !Sub "GitHub-CI-${ProjectName}-Role-${AWS::Region}"
+ Description: "Access DDB, KMS, Resources for CI from GitHub, and Prod CodeBuild"
+ ManagedPolicyArns:
+ - !GetAtt GetCIBotCredsPolicy.Arn
+ AssumeRolePolicyDocument: !Sub |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": { "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com" },
+ "Action": "sts:AssumeRoleWithWebIdentity",
+ "Condition": {
+ "StringEquals": { "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" },
+ "StringLike": {
+ "token.actions.githubusercontent.com:sub": [
+ "repo:aws/aws-cryptographic-material-providers-library:*",
+ "repo:aws/aws-database-encryption-sdk-dynamodb:*",
+ "repo:aws/aws-encryption-sdk-dafny:*",
+ ]
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "*"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
\ No newline at end of file
From ffe4afec52636667f62b889442310288db1b92f4 Mon Sep 17 00:00:00 2001
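Review bot: The second entry in `Statement` of `AssumeRolePolicyDocument` grants `sts:AssumeRole` to `"Principal": { "AWS": "*" }` with no `Condition`, so any IAM principal in any AWS account whose own policies allow `sts:AssumeRole` can take on this role and read the CI bot secret; the conditioned OIDC statement above it is the only trust the template's stated purpose needs, and none of the later commits in this series touch this entry. Drop it, or if a non-GitHub caller (the original description mentions Prod CodeBuild) genuinely needs the role, name that caller's role ARN as the principal and add a condition rather than `*`. The `StringLike` subject patterns `repo:<org>/<repo>:*` also match every branch, tag, environment and pull-request subject those repositories can mint; if only release or `main` workflows should reach the secret, narrow the suffix (for example `:ref:refs/heads/main` or `:environment:<name>`). Separately, the secret ARN hard-codes the account id while the OIDC provider ARN uses `${AWS::AccountId}`; using `${AWS::AccountId}` in both keeps the template from pointing at a foreign account's secret when it is deployed elsewhere.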
From: Jose Corella
Date: Mon, 22 Jan 2024 11:16:13 -0800
Subject: [PATCH 2/5] format
---
 cfn/CI-Bot.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cfn/CI-Bot.yml b/cfn/CI-Bot.yml
index cfef8efa0..53c1a5535 100644
--- a/cfn/CI-Bot.yml
+++ b/cfn/CI-Bot.yml
@@ -59,4 +59,4 @@ Resources:
 "Action": "sts:AssumeRole"
 }
 ]
- }
\ No newline at end of file
+ }
From 2eec45d2e2c1fa128526bdadddcbe1b62ab752d9 Mon Sep 17 00:00:00 2001
From: Jose Corella
Date: Mon, 22 Jan 2024 11:34:47 -0800
Subject: [PATCH 3/5] update description
---
 cfn/CI-Bot.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cfn/CI-Bot.yml b/cfn/CI-Bot.yml
index 53c1a5535..bdf698b67 100644
--- a/cfn/CI-Bot.yml
+++ b/cfn/CI-Bot.yml
@@ -29,7 +29,7 @@ Resources:
 Type: "AWS::IAM::Role"
 Properties:
 RoleName: !Sub "GitHub-CI-${ProjectName}-Role-${AWS::Region}"
- Description: "Access DDB, KMS, Resources for CI from GitHub, and Prod CodeBuild"
+ Description: "Allow the Danfy repositories read access to CI Bot creds through GitHub OIDC"
 ManagedPolicyArns:
 - !GetAtt GetCIBotCredsPolicy.Arn
 AssumeRolePolicyDocument: !Sub |
From 997cf81f5e5cf0121b86d6b857458846cc5f5b11 Mon Sep 17 00:00:00 2001
From: Jose Corella
Date: Mon, 22 Jan 2024 11:46:25 -0800
Subject: [PATCH 4/5] fix
---
 cfn/CI-Bot.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cfn/CI-Bot.yml b/cfn/CI-Bot.yml
index bdf698b67..db6116aaa 100644
--- a/cfn/CI-Bot.yml
+++ b/cfn/CI-Bot.yml
@@ -31,7 +31,7 @@ Resources:
 RoleName: !Sub "GitHub-CI-${ProjectName}-Role-${AWS::Region}"
 Description: "Allow the Danfy repositories read access to CI Bot creds through GitHub OIDC"
 ManagedPolicyArns:
- - !GetAtt GetCIBotCredsPolicy.Arn
+ - !GetAtt GetCIBotCredsPolicy
 AssumeRolePolicyDocument: !Sub |
 {
 "Version": "2012-10-17",
From 14dd565d6b0a6ca165c191ad0ca0d73ddc8924ca Mon Sep 17 00:00:00 2001
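Review bot: `Danfy` in the new `Description` of `GitHubCIRole` (the PATCH 3/5 hunk) looks like a typo for `Dafny`, given that the repositories the trust policy names are the Dafny-based ones; `Description: "Allow the Dafny repositories read access to CI Bot creds through GitHub OIDC"`. The new wording also presents GitHub OIDC as the role's only access path, which a reader will take as a statement of its full trust; the `AssumeRolePolicyDocument` that the hunk only shows the head of continues below it, so its statements should be kept in line with that wording. The enclosing `GitHubCIRole` resource starts before the hunk and ends after it.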
From: Jose Corella
Date: Mon, 22 Jan 2024 12:02:20 -0800
Subject: [PATCH 5/5] fix json
---
 cfn/CI-Bot.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cfn/CI-Bot.yml b/cfn/CI-Bot.yml
index db6116aaa..d7f7ed6b7 100644
--- a/cfn/CI-Bot.yml
+++ b/cfn/CI-Bot.yml
@@ -31,7 +31,7 @@ Resources:
 RoleName: !Sub "GitHub-CI-${ProjectName}-Role-${AWS::Region}"
 Description: "Allow the Danfy repositories read access to CI Bot creds through GitHub OIDC"
 ManagedPolicyArns:
- - !GetAtt GetCIBotCredsPolicy
+ - !Ref GetCIBotCredsPolicy
 AssumeRolePolicyDocument: !Sub |
 {
 "Version": "2012-10-17",
@@ -46,7 +46,7 @@ Resources:
 "token.actions.githubusercontent.com:sub": [
 "repo:aws/aws-cryptographic-material-providers-library:*",
 "repo:aws/aws-database-encryption-sdk-dynamodb:*",
- "repo:aws/aws-encryption-sdk-dafny:*",
+ "repo:aws/aws-encryption-sdk-dafny:*"
 ]
 }
 }
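Review bot: The trailing-comma fix in the second hunk is the kind of error that is unlikely to be reported before deployment, because `AssumeRolePolicyDocument` is written as a JSON string under `!Sub |` and the template parser treats that block scalar as opaque text; writing the trust policy as a native YAML mapping makes its structure visible to the YAML parser and to `cfn-lint`, and confines `!Sub` to the one ARN value that actually interpolates `${AWS::AccountId}`. The `!Ref GetCIBotCredsPolicy` change in the first hunk is correct, since `Ref` on an `AWS::IAM::ManagedPolicy` resource returns the policy ARN. The enclosing `GitHubCIRole` resource begins before both hunks and the policy document continues between and after them.
```yaml
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: !Sub "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com"
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                "token.actions.githubusercontent.com:aud": sts.amazonaws.com
              StringLike:
                "token.actions.githubusercontent.com:sub":
                  - "repo:aws/aws-cryptographic-material-providers-library:*"
                  - "repo:aws/aws-database-encryption-sdk-dynamodb:*"
                  - "repo:aws/aws-encryption-sdk-dafny:*"
          # … unchanged: the remaining Statement entry, converted to YAML the same way …
```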