Last active
May 14, 2024 18:46
-
-
Save mandarjog/cf0ab120e00edbfcfeff25f54a142d97 to your computer and use it in GitHub Desktop.
avx-secondary-account.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "AWSTemplateFormatVersion": "2010-09-09", | |
| "Description": "Aviatrix Systems - Create IAM roles and policies to grant primary account access", | |
| "Metadata": { | |
| "AWS::CloudFormation::Interface": { | |
| "ParameterGroups": [ | |
| { | |
| "Label": { | |
| "default": "Aviatrix Controller's AWS account ID" | |
| }, | |
| "Parameters": [ | |
| "OtherAccountNumber" | |
| ] | |
| } | |
| ], | |
| "ParameterLabels": { | |
| "OtherAccountNumber": { | |
| "default": "Input the Aviatrix Controller's AWS account ID" | |
| } | |
| } | |
| } | |
| }, | |
| "Parameters": { | |
| "OtherAccountNumber": { | |
| "AllowedPattern": "[0-9]+", | |
| "Description": "The 12 digit AWS account number to grant access to.", | |
| "MaxLength": "12", | |
| "MinLength": "12", | |
| "Type": "String" | |
| } | |
| }, | |
| "Resources": { | |
| "AviatrixRoleEC2": { | |
| "Type": "AWS::IAM::Role", | |
| "DeletionPolicy" : "Retain", | |
| "Properties": { | |
| "RoleName": "aviatrix-role-ec2", | |
| "AssumeRolePolicyDocument": { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Principal": { | |
| "Service": [ | |
| "ec2.amazonaws.com" | |
| ] | |
| }, | |
| "Action": [ | |
| "sts:AssumeRole" | |
| ] | |
| } | |
| ] | |
| }, | |
| "Path": "/" | |
| } | |
| }, | |
| "AviatrixRoleApp": { | |
| "Type": "AWS::IAM::Role", | |
| "DeletionPolicy" : "Retain", | |
| "Properties": { | |
| "RoleName": "aviatrix-role-app-${AWS::Random}", | |
| "AssumeRolePolicyDocument": { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Principal": { | |
| "AWS": [ | |
| { | |
| "Fn::Join": [ | |
| "", | |
| [ | |
| "arn:", | |
| { "Ref" : "AWS::Partition" }, | |
| ":iam::", | |
| { | |
| "Ref": "AWS::AccountId" | |
| }, | |
| ":root" | |
| ] | |
| ] | |
| }, | |
| { | |
| "Fn::Join": [ | |
| "", | |
| [ | |
| "arn:", | |
| { "Ref" : "AWS::Partition" }, | |
| ":iam::", | |
| { | |
| "Ref": "OtherAccountNumber" | |
| }, | |
| ":root" | |
| ] | |
| ] | |
| } | |
| ] | |
| }, | |
| "Action": [ | |
| "sts:AssumeRole" | |
| ] | |
| } | |
| ] | |
| }, | |
| "Path": "/" | |
| } | |
| }, | |
| "CreateAviatrixAssumeRolePolicy": { | |
| "Type": "AWS::IAM::ManagedPolicy", | |
| "DeletionPolicy" : "Retain", | |
| "Properties": { | |
| "ManagedPolicyName": "aviatrix-assume-role-policy", | |
| "Description": "Policy for creating aviatrix-assume-role-policy", | |
| "Path": "/", | |
| "PolicyDocument": { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "sts:AssumeRole" | |
| ], | |
| "Resource": { "Fn::Join" : [ | |
| "", [ | |
| "arn:", | |
| { "Ref" : "AWS::Partition" }, | |
| ":iam::*:role/aviatrix-*"] ] | |
| } | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "aws-marketplace:MeterUsage", | |
| "s3:GetBucketLocation" | |
| ], | |
| "Resource": "*" | |
| } | |
| ] | |
| }, | |
| "Roles": [ | |
| { | |
| "Ref": "AviatrixRoleEC2" | |
| } | |
| ] | |
| } | |
| }, | |
| "CreateAviatrixAppPolicy": { | |
| "Type": "AWS::IAM::ManagedPolicy", | |
| "DeletionPolicy" : "Retain", | |
| "Properties": { | |
| "ManagedPolicyName": "aviatrix-app-policy", | |
| "Description": "Policy for creating aviatrix-app-policy", | |
| "Path": "/", | |
| "PolicyDocument": { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "ec2:Describe*", | |
| "ec2:Get*", | |
| "ec2:Search*", | |
| "elasticloadbalancing:Describe*", | |
| "route53:List*", | |
| "route53:Get*", | |
| "sqs:Get*", | |
| "sqs:List*", | |
| "sns:List*", | |
| "s3:List*", | |
| "s3:Get*", | |
| "iam:List*", | |
| "iam:Get*", | |
| "directconnect:Describe*", | |
| "guardduty:Get*", | |
| "guardduty:List*", | |
| "ram:Get*", | |
| "ram:List*", | |
| "networkmanager:Get*", | |
| "networkmanager:List*" | |
| ], | |
| "Resource": "*" | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "ec2:CreateVpc", | |
| "ec2:DeleteVpc", | |
| "ec2:ModifyVpcAttribute", | |
| "ec2:CreateNetworkAclEntry", | |
| "ec2:ReplaceNetworkAclEntry", | |
| "ec2:DeleteNetworkAclEntry", | |
| "ec2:AssociateVpcCidrBlock", | |
| "ec2:AssociateSubnetCidrBlock", | |
| "ec2:CreateSubnet", | |
| "ec2:DeleteSubnet", | |
| "ec2:ModifySubnetAttribute", | |
| "ec2:*InternetGateway*", | |
| "ec2:*Route*", | |
| "ec2:*Instance*", | |
| "ec2:*SecurityGroup*", | |
| "ec2:*Address*", | |
| "ec2:*NetworkInterface*", | |
| "ec2:CreateKeyPair", | |
| "ec2:DeleteKeyPair", | |
| "ec2:CreateTags", | |
| "ec2:DeleteTags", | |
| "ec2:DeleteFlowLogs", | |
| "ec2:CreateFlowLogs", | |
| "ec2:DescribeFlowLogs", | |
| "ec2:AssociateIamInstanceProfile", | |
| "ec2:DisassociateIamInstanceProfile", | |
| "ec2:DescribeIamInstanceProfileAssociations" | |
| ], | |
| "Resource": "*" | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "ec2:CreateCustomerGateway", | |
| "ec2:DeleteCustomerGateway", | |
| "ec2:CreateVpnConnection", | |
| "ec2:DeleteVpnConnection", | |
| "ec2:CreateVpcPeeringConnection", | |
| "ec2:AcceptVpcPeeringConnection", | |
| "ec2:DeleteVpcPeeringConnection", | |
| "ec2:EnableVgwRoutePropagation", | |
| "ec2:DisableVgwRoutePropagation" | |
| ], | |
| "Resource": "*" | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "ec2:AssociateTransitGatewayRouteTable", | |
| "ec2:AcceptTransitGatewayVpcAttachment", | |
| "ec2:CreateTransitGateway", | |
| "ec2:CreateTransitGatewayRoute", | |
| "ec2:CreateTransitGatewayRouteTable", | |
| "ec2:CreateTransitGatewayVpcAttachment", | |
| "ec2:DeleteTransitGateway", | |
| "ec2:DeleteTransitGatewayRoute", | |
| "ec2:DeleteTransitGatewayRouteTable", | |
| "ec2:DeleteTransitGatewayVpcAttachment", | |
| "ec2:DisableTransitGatewayRouteTablePropagation", | |
| "ec2:DisassociateTransitGatewayRouteTable", | |
| "ec2:EnableTransitGatewayRouteTablePropagation", | |
| "ec2:ExportTransitGatewayRoutes", | |
| "ec2:ModifyTransitGatewayVpcAttachment", | |
| "ec2:RejectTransitGatewayVpcAttachment", | |
| "ec2:ReplaceTransitGatewayRoute", | |
| "ec2:ModifyTransitGateway", | |
| "ec2:CreateTransitGatewayConnect", | |
| "ec2:DeleteTransitGatewayConnect", | |
| "ec2:CreateTransitGatewayConnectPeer", | |
| "ec2:DeleteTransitGatewayConnectPeer", | |
| "ec2:CreateVpcEndpoint", | |
| "ec2:DeleteVpcEndpoints", | |
| "ec2:CreateVpcEndpointServiceConfiguration", | |
| "ec2:DeleteVpcEndpointServiceConfigurations", | |
| "ec2:CreateNatGateway", | |
| "ec2:DeleteNatGateway" | |
| ], | |
| "Resource": "*" | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "ram:CreateResourceShare", | |
| "ram:DeleteResourceShare", | |
| "ram:UpdateResourceShare", | |
| "ram:AssociateResourceShare", | |
| "ram:DisassociateResourceShare", | |
| "ram:TagResource", | |
| "ram:UntagResource", | |
| "ram:AcceptResourceShareInvitation", | |
| "ram:EnableSharingWithAwsOrganization" | |
| ], | |
| "Resource": "*" | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "directconnect:CreateDirectConnectGateway", | |
| "directconnect:CreateDirectConnectGatewayAssociation", | |
| "directconnect:CreateDirectConnectGatewayAssociationProposal", | |
| "directconnect:DeleteDirectConnectGateway", | |
| "directconnect:DeleteDirectConnectGatewayAssociation", | |
| "directconnect:DeleteDirectConnectGatewayAssociationProposal", | |
| "directconnect:AcceptDirectConnectGatewayAssociationProposal" | |
| ], | |
| "Resource": "*" | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "sqs:AddPermission", | |
| "sqs:ChangeMessageVisibility", | |
| "sqs:CreateQueue", | |
| "sqs:DeleteMessage", | |
| "sqs:DeleteQueue", | |
| "sqs:PurgeQueue", | |
| "sqs:ReceiveMessage", | |
| "sqs:RemovePermission", | |
| "sqs:SendMessage", | |
| "sqs:SetQueueAttributes", | |
| "sqs:TagQueue" | |
| ], | |
| "Resource": "*" | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "s3:CreateBucket", | |
| "s3:DeleteBucket", | |
| "s3:ListBucket", | |
| "s3:PutObject", | |
| "s3:DeleteObject", | |
| "s3:PutBucketPolicy", | |
| "s3:DeleteBucketPolicy" | |
| ], | |
| "Resource": "*" | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "logs:CreateLogDelivery", | |
| "logs:DeleteLogDelivery" | |
| ], | |
| "Resource": "*" | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "servicequotas:GetAWSDefaultServiceQuota", | |
| "servicequotas:GetServiceQuota", | |
| "servicequotas:ListAWSDefaultServiceQuotas", | |
| "servicequotas:ListServiceQuotas", | |
| "servicequotas:ListServices" | |
| ], | |
| "Resource": "*" | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:PassRole", | |
| "iam:AddRoleToInstanceProfile", | |
| "iam:CreateInstanceProfile", | |
| "iam:DeleteInstanceProfile", | |
| "iam:RemoveRoleFromInstanceProfile", | |
| "iam:CreateServiceLinkedRole", | |
| "iam:TagInstanceProfile" | |
| ], | |
| "Resource": "*" | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:DeletePolicyVersion", | |
| "iam:CreatePolicyVersion" | |
| ], | |
| "Resource": "*" | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "elasticloadbalancing:*", | |
| "route53:ChangeResourceRecordSets", | |
| "ec2:*Volume*", | |
| "ec2:*Snapshot*", | |
| "ec2:*TransitGatewayPeeringAttachment", | |
| "guardduty:*", | |
| "globalaccelerator:*", | |
| "networkmanager:*" | |
| ], | |
| "Resource": "*" | |
| } | |
| ] | |
| }, | |
| "Roles": [ | |
| { | |
| "Ref": "AviatrixRoleApp" | |
| } | |
| ] | |
| } | |
| }, | |
| "AviatrixInstanceProfile": { | |
| "Type": "AWS::IAM::InstanceProfile", | |
| "DeletionPolicy" : "Retain", | |
| "Properties": { | |
| "Path": "/", | |
| "InstanceProfileName": "aviatrix-role-ec2", | |
| "Roles": [ | |
| { | |
| "Ref": "AviatrixRoleEC2" | |
| } | |
| ] | |
| } | |
| } | |
| }, | |
| "Outputs": { | |
| "AccountId": { | |
| "Description": "Amazon Account ID", | |
| "Value": { | |
| "Ref": "AWS::AccountId" | |
| } | |
| }, | |
| "AviatrixRoleAppARN": { | |
| "Description": "AviatrixRoleApp ARN", | |
| "Value": { | |
| "Fn::GetAtt": [ | |
| "AviatrixRoleApp", | |
| "Arn" | |
| ] | |
| } | |
| }, | |
| "AviatrixRoleEC2ARN": { | |
| "Description": "AviatrixRoleEC2 ARN", | |
| "Value": { | |
| "Fn::GetAtt": [ | |
| "AviatrixRoleEC2", | |
| "Arn" | |
| ] | |
| } | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment