oidc-hardened-cloudformation.yml
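---
# GitHub Actions -> AWS OIDC federation for one repository.
#
# Trust chain built by this template:
#   GitHub OIDC token (one repo, one ref)
#     -> Role "github-actions"           (CIRolePolicy: drive CloudFormation, pull/push ECR)
#       -> iam:PassRole of "cfnexec-github" to CloudFormation
#         -> CIExecPolicy               (broad service permissions used by CloudFormation)
#
# Whoever can obtain a token matching the `sub` filter on Role therefore inherits
# everything CIExecPolicy allows. The `sub` filter and the Deny statements that stop
# the pipeline from rewriting its own trust/policies are the controls that matter.
#
# Change from the earlier revision: the `sub` filter is no longer `repo:<org>/<repo>:*`
# (every branch, tag, pull request and environment); it is driven by the GitHubRef
# parameter and defaults to the main branch only.
AWSTemplateFormatVersion: "2010-09-09"
Description: CI OIDC for account.

Parameters:
  GitHubOrg:
    Description: Name of GitHub organization/user (case sensitive)
    Default: "myorg"
    Type: String
  RepositoryName:
    Description: Name of GitHub repository (case sensitive)
    Default: "myrepo"
    Type: String
  GitHubRef:
    Description: >-
      Part of the GitHub OIDC `sub` claim that follows `repo:<org>/<repo>:` and is
      allowed to assume the role. Default allows only workflows running on the main
      branch. Use `environment:<name>` to bind to a protected environment. A bare `*`
      matches every branch, tag, pull request and environment of the repository and
      is not recommended.
    Default: "ref:refs/heads/main"
    Type: String
  OIDCProviderArn:
    Description: ARN of an existing GitHub OIDC provider. Leave empty to create the provider in this stack.
    Default: ""
    Type: String
  OIDCAudience:
    Description: Audience supplied to configure-aws-credentials.
    Default: "sts.amazonaws.com"
    Type: String

Conditions:
  CreateOIDCProvider: !Equals
    - !Ref OIDCProviderArn
    - ""

Resources:
  # Role assumed directly by GitHub Actions through AssumeRoleWithWebIdentity.
  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: github-actions
      Description: !Sub "Assumed by GitHub Actions workflows of ${GitHubOrg}/${RepositoryName} via OIDC"
      Path: /
      ManagedPolicyArns:
        - !Ref CIRolePolicy
      AssumeRolePolicyDocument:
        # Explicit Version; without it IAM evaluates the document with 2008-10-17 semantics.
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !If
                - CreateOIDCProvider
                - !Ref GithubOidc
                - !Ref OIDCProviderArn
            Condition:
              StringEquals:
                # The token must have been minted for this audience.
                token.actions.githubusercontent.com:aud: !Ref OIDCAudience
              StringLike:
                # Only tokens issued to this repository and ref/environment. The org/repo
                # segment is fixed here, so a wildcard in GitHubRef can widen the match
                # within the repository but never to another repository.
                token.actions.githubusercontent.com:sub: !Sub "repo:${GitHubOrg}/${RepositoryName}:${GitHubRef}"

  GithubOidc:
    Type: AWS::IAM::OIDCProvider
    Condition: CreateOIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ClientIdList:
        # Kept in step with the aud condition on Role so the two cannot drift apart.
        - !Ref OIDCAudience
      ThumbprintList:
        # Placeholder value. The property is mandatory, but for this issuer IAM validates
        # the token-signing certificate against its own trusted CA set rather than this
        # thumbprint (as noted by the original author); if that ever stops being the case
        # the real CA fingerprint has to be supplied here.
        - ffffffffffffffffffffffffffffffffffffffff

  # Permissions the workflow holds directly: drive CloudFormation, plus the read and
  # image push access needed by a build. Everything else happens inside CloudFormation
  # under CIExecRole.
  CIRolePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: ci-policy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Only the dedicated execution role may be handed over, and only to
          # CloudFormation. Since CIExecPolicy is broad, this is what bounds what the
          # pipeline can do indirectly.
          - Effect: Allow
            Action:
              - iam:PassRole
            Resource: !GetAtt CIExecRole.Arn
            Condition:
              StringEquals:
                iam:PassedToService: cloudformation.amazonaws.com
          - Effect: Allow
            Action:
              - cloudformation:*
            Resource: "*"
          # Control Tower baseline stack instances stay out of reach.
          - Effect: Deny
            Action:
              - cloudformation:*
            Resource:
              - "arn:*:cloudformation:*:*:StackSet-AWSControlTowerBP-*/*"
          # The pipeline must not be able to update or delete its own identity stack;
          # otherwise a compromised workflow could widen the sub filter or the
          # permissions in this template. (Second ARN covers re-creations under the
          # same stack name.)
          - Effect: Deny
            Action:
              - cloudformation:*
            Resource:
              - !Ref AWS::StackId
              - !Sub "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*"
          - Effect: Deny
            Action:
              - cloudformation:DeleteStack*
            Resource: "*"
          # NOTE(review): s3:Get*/List* on "*" lets the workflow read every object in
          # every bucket of the account; scope to the artifact/template buckets once known.
          - Effect: Allow
            Action:
              - s3:List*
              - s3:Get*
            Resource: "*"
          # NOTE(review): ssm:PutParameter on "*" can overwrite parameters read by other
          # workloads; restrict to a dedicated parameter path once known.
          - Effect: Allow
            Action:
              - ssm:PutParameter
              - ssm:GetParameter
              - ssm:GetParameters
            Resource:
              - "*"
          # Pull access. Region and account are wildcards, presumably so a central
          # registry account can be used (confirm); cross-account pulls still require
          # a matching repository policy on the registry side.
          - Effect: Allow
            Action:
              - ecr:Get*
              - ecr:BatchGetImage
              - ecr:BatchCheckLayerAvailability
              - ecr:GetDownloadUrlForLayer
              - ecr:Describe*
              - ecr:List*
            Resource:
              - !Sub "arn:${AWS::Partition}:ecr:*:*:repository/*"
          # Push access. Any tag in any reachable repository can be overwritten from CI;
          # enable tag immutability on the repositories so a compromised workflow cannot
          # re-point a released tag.
          - Effect: Allow
            Action:
              - ecr:PutImage
              - ecr:Tag*
              - ecr:UnTag*
              - ecr:InitiateLayerUpload
              - ecr:CompleteLayerUpload
              - ecr:UploadLayerPart
            Resource:
              - !Sub "arn:${AWS::Partition}:ecr:*:*:repository/*"
          # These two actions do not support resource-level permissions.
          - Effect: Allow
            Action:
              - ecr:GetAuthorizationToken
            Resource: "*"
          - Effect: Allow
            Action:
              - ec2:DescribeImages
            Resource: "*"

  # Service role CloudFormation assumes while deploying the stacks the pipeline drives.
  CIExecRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cfnexec-github
      Description: Role assumed by cloudformation service while creating the required resources
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
            # NOTE(review): no aws:SourceAccount / aws:SourceArn condition on this service
            # principal; add one if CloudFormation stack service roles are confirmed to
            # populate those keys in your partition (confused-deputy guard).
      Path: /
      ManagedPolicyArns:
        - !Ref CIExecPolicy

  # Broad service permissions used by CloudFormation on the pipeline's behalf. Because
  # the pipeline can pass this role to any stack it creates, this policy is the
  # pipeline's real blast radius; the Deny statements keep it from rewriting the
  # federation trust itself and from editing human IAM users.
  CIExecPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: cfnexec-github
      Description: Policy for cloudformation service while creating the required resources
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - acm:*
              - cloudwatch:*
              - cloudformation:*
              - logs:*
              - autoscaling:*
              - inspector:*
              - ec2:*
              - ecs:*
              - elasticache:*
              - elasticloadbalancing:*
              - application-autoscaling:*
              - iam:*
              - events:*
              - lambda:*
              - ses:*
              - rds:*
              - tag:*
              - resource-groups:*
              - route53:*
              - s3:*
              - secretsmanager:*
              - apigateway:*
              - sns:*
              - sqs:*
              - servicediscovery:*
              - ssm:*
              - waf-regional:*
              - waf:*
              - wafv2:*
              - states:*
              - securityhub:*
              - macie:*
              - macie2:*
              - kms:*
              - guardduty:*
              - backup:*
            Resource: "*"
          # Human users and their MFA devices are not to be edited from CI.
          # NOTE(review): iam:Create*/Attach*/Delete* on users and iam:CreateAccessKey
          # remain allowed by the statement above; deny them too if no deployed stack
          # legitimately needs IAM users.
          - Effect: Deny
            Action:
              - iam:Put*
              - iam:Update*
            Resource:
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:mfa/*"
          # Self-protection: iam:* above would otherwise let any stack deployed from CI
          # rewrite the github-actions trust policy, attach more policies to either CI
          # role, replace these managed policies, or alter the GitHub OIDC provider.
          # ARNs are spelled out because a !Ref/!GetAtt to Role here would form a
          # circular dependency (Role -> CIRolePolicy -> CIExecRole -> CIExecPolicy).
          - Effect: Deny
            Action:
              - iam:*
            Resource:
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/github-actions"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cfnexec-github"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/ci-policy"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/cfnexec-github"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com"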