@nathanmalishev
Last active September 23, 2019 23:36
Parameters:
  # Environment name meant to be used as a prefix on resource names.
  # Note: nothing in this template references it yet (role and user
  # names below are hard-coded), so it currently has no effect.
  Env:
    Description: An environment name that will be prefixed to resource names
    Type: String
    AllowedValues:
      - development
      - production
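# Top-level CloudFormation keys are case-sensitive: "Resources", not "resources".
Resources:
  # Service role CloudFormation assumes (via --role-arn) when deploying the
  # network stack. AmazonVPCFullAccess is a broad managed policy; it is what
  # the original grants - scope it down to the VPC actions the network stack
  # actually needs once those are known.
  NetworkRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: network_deploy_role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "cloudformation.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AmazonVPCFullAccess"

  # Role the CI user assumes directly (named profile) to run "aws s3 sync".
  WebAppRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: webapp_deploy_role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS:
                # Reference the user defined in this template instead of a
                # hand-written "user/<ci_user>" ARN; this also makes CloudFormation
                # create the user before the trust policy that names it.
                - !GetAtt CIUser.Arn
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: <policy_name>
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Object-level actions are evaluated against the object ARN ("/*").
              - Effect: "Allow"
                Action:
                  - "s3:PutObject"
                  - "s3:PutObjectAcl"
                  - "s3:DeleteObject"
                Resource:
                  - "arn:aws:s3:::<bucket_names>/*"
              # Listing is the bucket-level action "s3:ListBucket" ("s3:ListObject"
              # is not an IAM action) and is evaluated against the bucket ARN, so it
              # needs its own statement without the "/*" suffix.
              - Effect: "Allow"
                Action:
                  - "s3:ListBucket"
                Resource:
                  - "arn:aws:s3:::<bucket_names>"

  # Inline policy attached to the CI user: validate templates, drive change sets
  # on the two named stacks, hand the network role to CloudFormation, and assume
  # the web-app role.
  BaseCloudFormationPolicy:
    Type: "AWS::IAM::Policy"
    Properties:
      PolicyName: <ci_policy_name>
      Users:
        - !Ref CIUser
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # ValidateTemplate has no resource-level permissions, so "*" is required
          # here; the original grants both actions on "*".
          - Effect: "Allow"
            Action:
              - "cloudformation:ValidateTemplate"
              - "cloudformation:GetTemplateSummary"
            Resource:
              - "*"
          # Pseudo parameters are spelled with a double colon ("${AWS::Region}",
          # "${AWS::AccountId}"); the single-colon form does not resolve in !Sub.
          - Effect: "Allow"
            Action:
              - "cloudformation:CreateChangeSet"
              - "cloudformation:DescribeChangeSet"
              - "cloudformation:ExecuteChangeSet"
              - "cloudformation:DescribeStacks"
            Resource:
              - !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/<web-stack>/*"
              - !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/<network-stack>/*"
          # The CI user may read the network role ...
          - Effect: "Allow"
            Action:
              - "iam:GetRole"
            Resource:
              - !GetAtt NetworkRole.Arn
          # ... and pass it, but only to CloudFormation. The condition keeps this
          # PassRole grant from being reusable with any other service. GetRole is
          # kept in a separate statement because its requests carry no
          # iam:PassedToService key and would otherwise be denied.
          - Effect: "Allow"
            Action:
              - "iam:PassRole"
            Resource:
              - !GetAtt NetworkRole.Arn
            Condition:
              StringEquals:
                "iam:PassedToService": "cloudformation.amazonaws.com"
          # The web-app role is assumed rather than passed: "aws s3 sync" has no
          # --role-arn option, only --profile.
          - Effect: "Allow"
            Action:
              - "sts:AssumeRole"
            Resource:
              - !GetAtt WebAppRole.Arn

  CIUser:
    Type: "AWS::IAM::User"
    Properties:
      UserName: CI_User

  # Access key for the CI user. The original exports it; omitted here for space.
  # The secret is only retrievable from this resource (GetAtt SecretAccessKey) -
  # keep it out of stack Outputs and deliver it to CI through a secret store.
  CIUserKey:
    Type: "AWS::IAM::AccessKey"
    Properties:
      Serial: 1  # bump to rotate the key
      UserName: !Ref CIUser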