Created
March 22, 2022 13:47
-
-
Save markilott/64b64b25c7cbf8a67980a540df97a7a4 to your computer and use it in GitHub Desktop.
AWS CDK Pipeline Cross Account Role
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // PipelinePrepStack in the Tools Account =================== | |
| // Base Role for pipelines. Created here as it is required outside of the pipeline stack for cross-region deployments. | |
| const pipelineBaseRole = new Role(this, 'pipelineBaseRole', { | |
| assumedBy: new ServicePrincipal('codepipeline.amazonaws.com'), | |
| roleName: codeCommitAccessRoleName, // We use this fixed name to attach the role in the pipeline stack | |
| description: 'Role used by CodePipelines to allow for cross-account deployments', | |
| }); | |
| pipelineBaseRole.addToPolicy(new PolicyStatement({ | |
| sid: 'AssumeRoles', | |
| effect: Effect.ALLOW, | |
| actions: [ | |
| 'sts:AssumeRole', | |
| ], | |
| resources: [ | |
| // Roles that the Pipelines will need to assume during source, build and deploy. | |
| // The resource Arn's are created using params that are shared with the Pipeline stacks, so we have predictable Arn's. | |
| // Destination accounts CDK deploy role | |
| `arn:aws:iam::*:role/cdk-${cdkBootstrapQualifier}-deploy-role-*`, | |
| // Helper stacks in the pipeline account | |
| `arn:aws:iam::${this.account}:role/${pipelineName}*`, | |
| // All of the CodeBuild assets roles required by the pipeline | |
| // 'pipelineBaseResourceName' is used in: | |
| // const pipelineBase = new Pipeline(this, pipelineBaseResourceName, {}) | |
| // 'pipelineResourceName' is used in: | |
| // new CodePipeline(this, pipelineResourceName, { codePipeline: pipelineBase, ...}) | |
| `arn:aws:iam::${this.account}:role/*${pipelineResourceName}Assets*`, | |
| `arn:aws:iam::${this.account}:role/*${pipelineResourceName}Update*`, | |
| `arn:aws:iam::${this.account}:role/*${pipelineResourceName}Build*`, | |
| `arn:aws:iam::${this.account}:role/*${pipelineResourceName}${deployStageResourceName}*`, | |
| `arn:aws:iam::${this.account}:role/*${pipelineBaseResourceName}Assets*`, | |
| `arn:aws:iam::${this.account}:role/*${pipelineBaseResourceName}Update*`, | |
| `arn:aws:iam::${this.account}:role/*${pipelineBaseResourceName}Build*`, | |
| `arn:aws:iam::${this.account}:role/*${pipelineBaseResourceName}${deployStageResourceName}*`, | |
| // The helper role created by CDK Pipelines in the CodeCommit Account (CDK creates this role in lowercase only) | |
| // 'stackNamePrefix' is used to create the Pipeline stack names | |
| `arn:aws:iam::${codeCommitAccount}:role/${stackNamePrefix.toLowerCase()}*`, | |
| ], | |
| })); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment