Created
August 16, 2017 21:16
-
-
Save ncloward/de2f73b78e09eb3d6dd6282be28fb4ff to your computer and use it in GitHub Desktop.
Serverless Deploy Bot Permissions
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| AWSTemplateFormatVersion: '2010-09-09' | |
| Description: 'Cloudformation stack to manage permission to deploy a serverless service' | |
| Parameters: | |
| ServiceName: | |
| Description: Name of the Service you want to deploy | |
| Type: String | |
| Resources: | |
| ## Users | |
| ServerlessDeployBot: | |
| Type: AWS::IAM::User | |
| Properties: | |
| ManagedPolicyArns: # Max 10 policies | |
| - !Ref ServelessDeployCFPolicy | |
| - !Ref ServelessDeployS3Policy | |
| - !Ref ServelessDeployLogsPolicy | |
| - !Ref ServelessDeployIAMPolicy | |
| - !Ref ServelessDeploySNSPolicy | |
| - !Ref ServelessDeployDynamoDbPolicy | |
| - !Ref ServelessDeployLambdaPolicy | |
| ServerlessDeployBotAccessKey: | |
| Type: AWS::IAM::AccessKey | |
| Properties: | |
| UserName: !Ref ServerlessDeployBot | |
| ## Managed policies | |
| ServelessDeployCFPolicy: | |
| Type: AWS::IAM::ManagedPolicy | |
| Properties: | |
| PolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Action: 'cloudformation:ValidateTemplate' | |
| Resource: '*' | |
| - Effect: Allow | |
| Action: | |
| - 'cloudformation:Describe*' | |
| - 'cloudformation:List*' | |
| - 'cloudformation:Get*' | |
| - 'cloudformation:PreviewStackUpdate' | |
| - 'cloudformation:CreateStack' | |
| - 'cloudformation:UpdateStack' | |
| Resource: | |
| - !Sub 'arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${ServiceName}-*' | |
| ServelessDeployS3Policy: | |
| Type: AWS::IAM::ManagedPolicy | |
| Properties: | |
| PolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - 's3:Get*' | |
| - 's3:List*' | |
| - 's3:Create*' | |
| Resource: | |
| - !Sub 'arn:aws:s3:::${ServiceName}-*' | |
| - Effect: Allow | |
| Action: | |
| - 's3:*' | |
| Resource: | |
| - !Sub 'arn:aws:s3:::${ServiceName}-*/*' | |
| ServelessDeployLogsPolicy: | |
| Type: AWS::IAM::ManagedPolicy | |
| Properties: | |
| PolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - 'logs:DescribeLogGroups' | |
| Resource: | |
| - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group::log-stream:*' | |
| - Effect: Allow | |
| Action: | |
| - 'logs:CreateLogGroup' | |
| - 'logs:CreateLogStream' | |
| - 'logs:DeleteLogGroup' | |
| - 'logs:DeleteLogStream' | |
| - 'logs:DescribeLogStreams' | |
| - 'logs:FilterLogEvents' | |
| Resource: | |
| - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*:log-stream:*' | |
| ServelessDeployIAMPolicy: | |
| Type: AWS::IAM::ManagedPolicy | |
| Properties: | |
| PolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - 'iam:GetRole' | |
| - 'iam:PassRole' | |
| - 'iam:CreateRole' | |
| - 'iam:DeleteRole' | |
| - 'iam:DetachRolePolicy' | |
| - 'iam:PutRolePolicy' | |
| - 'iam:AttachRolePolicy' | |
| - 'iam:DeleteRolePolicy' | |
| Resource: | |
| - !Sub 'arn:aws:iam::${AWS::AccountId}:role/${ServiceName}-*-lambdaRole' | |
| ServelessDeployLambdaPolicy: | |
| Type: AWS::IAM::ManagedPolicy | |
| Properties: | |
| PolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - 'apigateway:GET' | |
| - 'apigateway:POST' | |
| - 'apigateway:PUT' | |
| - 'apigateway:DELETE' | |
| Resource: | |
| - !Sub 'arn:aws:apigateway:${AWS::Region}::/restapis' | |
| - Effect: Allow | |
| Action: | |
| - 'apigateway:GET' | |
| - 'apigateway:POST' | |
| - 'apigateway:PUT' | |
| - 'apigateway:DELETE' | |
| Resource: | |
| - !Sub 'arn:aws:apigateway:${AWS::Region}::/restapis/*' | |
| - Effect: Allow | |
| Action: | |
| - 'lambda:*' | |
| Resource: | |
| - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${ServiceName}-*' | |
| - Effect: Allow | |
| Action: | |
| - 'events:Put*' | |
| - 'events:Remove*' | |
| - 'events:Delete*' | |
| - 'events:Describe*' | |
| Resource: | |
| - !Sub 'arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/${ServiceName}-*' | |
| ServelessDeploySNSPolicy: | |
| Type: AWS::IAM::ManagedPolicy | |
| Properties: | |
| PolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - 'sns:Get*' | |
| - 'sns:List*' | |
| Resource: | |
| - !Sub 'arn:aws:sns:${AWS::Region}:${AWS::AccountId}:*' | |
| - Effect: Allow | |
| Action: | |
| - 'sns:Add*' | |
| - 'sns:Create*' | |
| - 'sns:Delete*' | |
| - 'sns:Subscribe' | |
| Resource: | |
| - !Sub 'arn:aws:sns:${AWS::Region}:${AWS::AccountId}:${ServiceName}-*' | |
| ServelessDeployDynamoDbPolicy: | |
| Type: AWS::IAM::ManagedPolicy | |
| Properties: | |
| PolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - 'dynamodb:Create*' | |
| - 'dynamodb:Describe*' | |
| - 'dynamodb:List*' | |
| - 'dynamodb:Update*' | |
| Resource: | |
| - !Sub 'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ServiceName}-*' | |
| Outputs: | |
| ServerlessDeployBotAccessKey: | |
| Value: !Ref ServerlessDeployBotAccessKey | |
| Export: | |
| Name: !Sub '${AWS::StackName}-ServerlessDeployBotAccessKey' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment