@andreidiaconu90
Last active September 11, 2020 07:04
codepipeline-service-role
# Not included here: s3 access to the pipeline artifact bucket (CodePipeline always needs it)
# and iam:PassRole for a separate CloudFormation deployment role, if you use one.
MyCodePipelineServiceRole:
  Type: "AWS::IAM::Role"
  Properties:
    RoleName: "my-pipeline-role"
    # One role trusted by both CodePipeline and CodeBuild, so each service gets every
    # permission below. Separate roles keep the blast radius of either service smaller.
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - codepipeline.amazonaws.com
              - codebuild.amazonaws.com
          Action: "sts:AssumeRole"
    Path: /
    Policies:
      - PolicyName: my-pipeline-policy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow # needed only if CodeCommit is the source provider
              Action:
                - "codecommit:CancelUploadArchive"
                - "codecommit:GetBranch"
                - "codecommit:GetCommit"
                - "codecommit:GetUploadArchiveStatus"
                - "codecommit:UploadArchive"
              # the resource segment of a CodeCommit ARN is the repository name
              Resource: !Sub "arn:aws:codecommit:*:${AWS::AccountId}:<your-repository-name>"
            - Effect: Allow # log output of the CodeBuild projects
              Action:
                - "logs:CreateLogGroup"
                - "logs:CreateLogStream"
                - "logs:PutLogEvents"
              Resource:
                - !Sub "arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/codebuild/*"
                - !Sub "arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/codebuild/*:log-stream:*"
            - Effect: Allow # start and poll only the two CodeBuild projects created earlier
              Action:
                - "codebuild:BatchGetBuilds"
                - "codebuild:StartBuild"
              Resource:
                - !Sub "arn:aws:codebuild:*:${AWS::AccountId}:project/Deploy-to-staging"
                - !Sub "arn:aws:codebuild:*:${AWS::AccountId}:project/Deploy-to-production"
            - Effect: Allow
              Action:
                - "iam:GetRole"
                - "iam:GetRolePolicy"
              # The gist had "arn:aws:iam::${AWS::AccountId}*" with no ":role/" segment; that
              # wildcard matches every IAM resource in the account. Scope it to roles.
              Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/*"
            - Effect: Allow # create, update and delete the stacks the pipeline deploys
              Action:
                - "cloudformation:CreateStack"
                - "cloudformation:UpdateStack"
                - "cloudformation:DeleteStack"
                - "cloudformation:Describe*"
                - "cloudformation:List*"
                - "cloudformation:Get*"
                - "cloudformation:PreviewStackUpdate"
                - "cloudformation:ValidateTemplate"
              # Deploy actions that go through change sets additionally need
              # cloudformation:CreateChangeSet, ExecuteChangeSet and DeleteChangeSet.
              Resource: !Sub "arn:aws:cloudformation:*:${AWS::AccountId}:stack/*"
            - Effect: Allow # log groups the deployed stacks create; CloudFormation uses this
              # role's permissions when no separate deployment role is passed
              Action:
                - "logs:CreateLogGroup"
                - "logs:CreateLogStream"
                - "logs:DeleteLogGroup"
                - "logs:DeleteLogStream"
                - "logs:DescribeLog*"
                - "logs:FilterLogEvents"
              # The gist had "log-group::log-stream*", whose empty log-group name matches no
              # real log group. The two patterns below are the assumed intent; narrow the "*"
              # to the log-group prefixes your stacks actually create.
              Resource:
                - !Sub "arn:aws:logs:*:${AWS::AccountId}:log-group:*"
                - !Sub "arn:aws:logs:*:${AWS::AccountId}:log-group:*:log-stream:*"
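The quickest way to see what this role actually grants is to evaluate it. The Python below is an added example, not code from the gist: it renders the inline policy with a constructed account id (123456789012) and a constructed CodeCommit repository name (my-repo), answers "is this action allowed on this ARN?" with IAM-style `*`/`?` matching, and lints the resource ARNs. Two resources are fed in exactly the form the gist wrote them, `arn:aws:iam::${AWS::AccountId}*` and `...log-group::log-stream*`, so the output shows why each deserves a second look: the first matches every IAM resource in the account (the `:role/` segment is missing), the second matches no real log group. The evaluator models unconditional Allow statements only; explicit Deny, SCPs, permission boundaries and resource policies are out of scope, so treat it as a lint aid rather than an authorisation oracle.

```python
"""Offline check of the pipeline role's inline policy: IAM-style wildcard
matching plus a resource-ARN lint.  Added example, not code from the gist."""
import re

ACCOUNT_ID = "123456789012"   # constructed placeholder for ${AWS::AccountId}
REPO_NAME = "my-repo"         # constructed stand-in for the CodeCommit repository placeholder

# The gist's inline policy with !Sub rendered. Two resource patterns are kept
# exactly as the gist wrote them (marked) so the lint can report on them.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["codecommit:CancelUploadArchive", "codecommit:GetBranch", "codecommit:GetCommit",
                    "codecommit:GetUploadArchiveStatus", "codecommit:UploadArchive"],
         "Resource": f"arn:aws:codecommit:*:{ACCOUNT_ID}:{REPO_NAME}"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": [f"arn:aws:logs:*:{ACCOUNT_ID}:log-group:/aws/codebuild/*",
                      f"arn:aws:logs:*:{ACCOUNT_ID}:log-group:/aws/codebuild/*:log-stream:*"]},
        {"Effect": "Allow",
         "Action": ["codebuild:BatchGetBuilds", "codebuild:StartBuild"],
         "Resource": [f"arn:aws:codebuild:*:{ACCOUNT_ID}:project/Deploy-to-staging",
                      f"arn:aws:codebuild:*:{ACCOUNT_ID}:project/Deploy-to-production"]},
        {"Effect": "Allow",
         "Action": ["iam:GetRole", "iam:GetRolePolicy"],
         "Resource": f"arn:aws:iam::{ACCOUNT_ID}*"},                           # verbatim from the gist
        {"Effect": "Allow",
         "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack",
                    "cloudformation:DeleteStack", "cloudformation:Describe*",
                    "cloudformation:List*", "cloudformation:Get*",
                    "cloudformation:PreviewStackUpdate", "cloudformation:ValidateTemplate"],
         "Resource": f"arn:aws:cloudformation:*:{ACCOUNT_ID}:stack/*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:DeleteLogGroup",
                    "logs:DeleteLogStream", "logs:DescribeLog*", "logs:FilterLogEvents"],
         "Resource": f"arn:aws:logs:*:{ACCOUNT_ID}:log-group::log-stream*"},  # verbatim from the gist
    ],
}


def _glob(pattern: str) -> re.Pattern:
    """IAM wildcards: '*' is any run of characters (':' and '/' included), '?' one character."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if an unconditional Allow statement matches both action and resource.
    Actions compare case-insensitively and resources case-sensitively, as in IAM."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        action_hit = any(_glob(a.lower()).match(action.lower()) for a in _as_list(stmt["Action"]))
        resource_hit = any(_glob(r).match(resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            return True
    return False


def lint_resources(policy: dict) -> list:
    """Report resource ARNs that are broader than they look or that can never match."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        for arn in _as_list(stmt["Resource"]):
            if arn == "*":
                findings.append(f"statement {i}: Resource is '*'")
                continue
            fields = arn.split(":", 5)   # arn:partition:service:region:account:resource
            if len(fields) < 6:
                # e.g. arn:aws:iam::123456789012* : the '*' sits in the account field,
                # so the pattern matches every resource type in that account
                findings.append(f"statement {i}: '{arn}' has no resource field; "
                                "the wildcard in the account field matches every resource type")
                continue
            if fields[2] == "logs" and fields[5].startswith("log-group:"):
                if fields[5].split(":")[1] == "":
                    findings.append(f"statement {i}: '{arn}' has an empty log-group name "
                                    "and matches no real log group")
    return findings


if __name__ == "__main__":
    for finding in lint_resources(POLICY):
        print("LINT:", finding)
    checks = [
        ("codebuild:StartBuild", f"arn:aws:codebuild:eu-west-1:{ACCOUNT_ID}:project/Deploy-to-staging"),
        ("codebuild:StartBuild", f"arn:aws:codebuild:eu-west-1:{ACCOUNT_ID}:project/Other"),
        ("cloudformation:CreateChangeSet", f"arn:aws:cloudformation:eu-west-1:{ACCOUNT_ID}:stack/app/1"),
        ("iam:GetRole", f"arn:aws:iam::{ACCOUNT_ID}:user/bob"),
        ("logs:DeleteLogGroup", f"arn:aws:logs:eu-west-1:{ACCOUNT_ID}:log-group:/aws/lambda/fn"),
    ]
    for action, arn in checks:
        print("ALLOW" if is_allowed(POLICY, action, arn) else "DENY ", action, "on", arn)
```

Running it prints the two lint findings and then the decisions; the `cloudformation:CreateChangeSet` line comes back DENY because the CloudFormation statement lists no change-set actions, which matters if the pipeline's deploy action uses change sets.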