Skip to content

Instantly share code, notes, and snippets.

@rakodev

rakodev/iam.tf

Last active October 19, 2021 09:33
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save rakodev/a300b22d6af973ea6ca6e35c0c477d85 to your computer and use it in GitHub Desktop.
Save rakodev/a300b22d6af973ea6ca6e35c0c477d85 to your computer and use it in GitHub Desktop.
Download ZIP
Give your deployment enough permission to deploy an AWS SAM application. <ACCOUNT_ID> has to be changed with the aws account ID that host the ci runners.
Raw
iam.tf
resource "aws_iam_role" "aws_sam_api_deployment_role" {
name = "aws-sam-api-deployment-role"
assume_role_policy = data.aws_iam_policy_document.deployment_role.json
tags = local.tags
}
data "aws_iam_policy_document" "deployment_role" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = [var.aws_account_ids["<ACCOUNT_ID>"]]
}
}
}
resource "aws_iam_role_policy" "aws_sam_deploy_policies" {
name = "aws-sam-deploy-policy"
policy = file("policies/sam-deploy.json")
role = aws_iam_role.aws_sam_api_deployment_role.id
}
Raw
sam-deploy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CloudFormationTemplate",
"Effect": "Allow",
"Action": [
"cloudformation:CreateChangeSet"
],
"Resource": [
"*"
]
},
{
"Sid": "CloudFormationStack",
"Effect": "Allow",
"Action": [
"cloudformation:CreateChangeSet",
"cloudformation:DeleteStack",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStacks",
"cloudformation:ExecuteChangeSet",
"cloudformation:GetTemplateSummary"
],
"Resource": [
"*"
]
},
{
"Sid": "S3",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"*"
]
},
{
"Sid": "ECRRepository",
"Effect": "Allow",
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:DescribeImages",
"ecr:DescribeRepositories",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:InitiateLayerUpload",
"ecr:ListImages",
"ecr:PutImage",
"ecr:SetRepositoryPolicy",
"ecr:UploadLayerPart"
],
"Resource": [
"*"
]
},
{
"Sid": "STS",
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "ECRAuthToken",
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken"
],
"Resource": [
"*"
]
},
{
"Sid": "Lambda",
"Effect": "Allow",
"Action": [
"lambda:AddPermission",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:GetFunction",
"lambda:GetFunctionConfiguration",
"lambda:ListTags",
"lambda:RemovePermission",
"lambda:TagResource",
"lambda:UntagResource",
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration"
],
"Resource": [
"*"
]
},
{
"Sid": "IAM",
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy",
"iam:DeleteRole",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:TagRole",
"iam:CreateRole"
],
"Resource": [
"*"
]
},
{
"Sid": "APIGateway",
"Effect": "Allow",
"Action": [
"apigateway:DELETE",
"apigateway:GET",
"apigateway:PATCH",
"apigateway:POST",
"apigateway:PUT"
],
"Resource": [
"*"
]
}
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment