Gives your deployment role enough permissions to deploy an AWS SAM application. `<ACCOUNT_ID>` has to be replaced with the AWS account ID that hosts the CI runners.
# Role the CI runners assume in order to deploy the SAM application.
# Who may assume it is defined by data.aws_iam_policy_document.deployment_role;
# what it may do is attached separately via aws_iam_role_policy.aws_sam_deploy_policies.
resource "aws_iam_role" "aws_sam_api_deployment_role" {
  name               = "aws-sam-api-deployment-role"
  tags               = local.tags
  assume_role_policy = data.aws_iam_policy_document.deployment_role.json
}
# Trust policy for the deployment role: a single Allow of sts:AssumeRole to
# the AWS account looked up under the "<ACCOUNT_ID>" key of var.aws_account_ids
# (replace the placeholder with the account that hosts the CI runners).
# NOTE(review): an AWS principal given as a bare account ID is treated as that
# account's root, so every principal in the CI account whose own IAM policy
# allows sts:AssumeRole can assume this role. If only the runner role should be
# able to, put that role's ARN in `identifiers` instead of the account ID.
data "aws_iam_policy_document" "deployment_role" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"

    principals {
      identifiers = [var.aws_account_ids["<ACCOUNT_ID>"]]
      type        = "AWS"
    }
  }
}
# Inline permissions policy for the deployment role, read verbatim from
# policies/sam-deploy.json (relative to the module directory).
# NOTE(review): every statement in that file uses "Resource": "*", including
# the IAM statement (iam:CreateRole, iam:AttachRolePolicy, iam:PutRolePolicy,
# iam:PassRole) and the STS statement (sts:AssumeRole). Those let the deployment
# role create, attach policies to, and pass any role in the account; scope them
# to the SAM stack's role ARNs / name prefix where possible.
resource "aws_iam_role_policy" "aws_sam_deploy_policies" {
  role   = aws_iam_role.aws_sam_api_deployment_role.id
  name   = "aws-sam-deploy-policy"
  policy = file("policies/sam-deploy.json")
}
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Sid": "CloudFormationTemplate", | |
"Effect": "Allow", | |
"Action": [ | |
"cloudformation:CreateChangeSet" | |
], | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "CloudFormationStack", | |
"Effect": "Allow", | |
"Action": [ | |
"cloudformation:CreateChangeSet", | |
"cloudformation:DeleteStack", | |
"cloudformation:DescribeChangeSet", | |
"cloudformation:DescribeStackEvents", | |
"cloudformation:DescribeStacks", | |
"cloudformation:ExecuteChangeSet", | |
"cloudformation:GetTemplateSummary" | |
], | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "S3", | |
"Effect": "Allow", | |
"Action": [ | |
"s3:CreateBucket", | |
"s3:GetObject", | |
"s3:PutObject" | |
], | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "ECRRepository", | |
"Effect": "Allow", | |
"Action": [ | |
"ecr:BatchCheckLayerAvailability", | |
"ecr:BatchGetImage", | |
"ecr:CompleteLayerUpload", | |
"ecr:DescribeImages", | |
"ecr:DescribeRepositories", | |
"ecr:GetDownloadUrlForLayer", | |
"ecr:GetRepositoryPolicy", | |
"ecr:InitiateLayerUpload", | |
"ecr:ListImages", | |
"ecr:PutImage", | |
"ecr:SetRepositoryPolicy", | |
"ecr:UploadLayerPart" | |
], | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "STS", | |
"Action": [ | |
"sts:AssumeRole" | |
], | |
"Effect": "Allow", | |
"Resource": "*" | |
}, | |
{ | |
"Sid": "ECRAuthToken", | |
"Effect": "Allow", | |
"Action": [ | |
"ecr:GetAuthorizationToken" | |
], | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "Lambda", | |
"Effect": "Allow", | |
"Action": [ | |
"lambda:AddPermission", | |
"lambda:CreateFunction", | |
"lambda:DeleteFunction", | |
"lambda:GetFunction", | |
"lambda:GetFunctionConfiguration", | |
"lambda:ListTags", | |
"lambda:RemovePermission", | |
"lambda:TagResource", | |
"lambda:UntagResource", | |
"lambda:UpdateFunctionCode", | |
"lambda:UpdateFunctionConfiguration" | |
], | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "IAM", | |
"Effect": "Allow", | |
"Action": [ | |
"iam:AttachRolePolicy", | |
"iam:DeleteRole", | |
"iam:DetachRolePolicy", | |
"iam:GetRole", | |
"iam:PassRole", | |
"iam:PutRolePolicy", | |
"iam:TagRole", | |
"iam:CreateRole" | |
], | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "APIGateway", | |
"Effect": "Allow", | |
"Action": [ | |
"apigateway:DELETE", | |
"apigateway:GET", | |
"apigateway:PATCH", | |
"apigateway:POST", | |
"apigateway:PUT" | |
], | |
"Resource": [ | |
"*" | |
] | |
} | |
] | |
} |