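---
# Bootstrap stack for GitHub Actions + Terraform: one S3 bucket for Terraform
# state and one IAM role that GitHub workflows assume through GitHub's OIDC
# provider (created by this stack unless an existing provider ARN is given).
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS requirements for github and terraform automation

Parameters:
  TfBucketName:
    Type: String
    Description: Terraform states new bucket name
  GitHubOrg:
    Type: String
    Description: Github organization or username (case sensitive).
  GitHubRepositoryName:
    Type: String
    Description: Github repository name (case sensitive).
  GithubRoleName:
    Type: String
    Description: IAM Role for github actions
    Default: "github-actions-requirements"
  OIDCProviderArn:
    Type: String
    Description: (Optional) Github OIDC provider arn.
    Default: ""
  OIDCAudience:
    Type: String
    Description: configure-aws-credentials audience.
    Default: "sts.amazonaws.com"

Conditions:
  # An empty OIDCProviderArn means the account has no GitHub provider yet, so
  # this stack creates one; otherwise the supplied ARN is trusted as-is.
  CreateOIDCProvider: !Equals
    - !Ref OIDCProviderArn
    - ""

Resources:
  TfBucket:
    Type: 'AWS::S3::Bucket'
    # Terraform state must outlive the stack: deleting or replacing the stack
    # must not delete the state bucket.
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      BucketName: !Ref TfBucketName
      # State files hold resource identifiers and often secrets: keep object
      # history for recovery, encrypt at rest and block every public-access path.
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  GithubRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref GithubRoleName
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              # Trust either the provider created below or the one passed in.
              Federated: !If
                - CreateOIDCProvider
                - !Ref GithubOidc
                - !Ref OIDCProviderArn
            Condition:
              # The audience must match what configure-aws-credentials sends.
              StringEquals:
                token.actions.githubusercontent.com:aud: !Ref OIDCAudience
              # Trust is scoped to the repository only: every branch, tag, pull
              # request and environment of that repo can assume this role.
              # Narrow the pattern (for example to `ref:refs/heads/main` or an
              # `environment:` claim) when only one workflow should deploy.
              StringLike:
                token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${GitHubRepositoryName}:*

  GithubRolePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: AdminPolicy
      PolicyDocument:
        Version: '2012-10-17'
        # NOTE(review): Action/Resource '*' grants full administrative access to
        # every workflow run that can assume the role. Scope this to the
        # services Terraform manages, or attach a permissions boundary to
        # GithubRole, before using this stack outside a sandbox account.
        Statement:
          - Effect: Allow
            Action: '*'
            Resource: '*'
      Roles:
        - !Ref GithubRole

  GithubOidc:
    Type: AWS::IAM::OIDCProvider
    Condition: CreateOIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      # Keep the provider's accepted audience in sync with the role's aud
      # condition; a hard-coded value here would reject any non-default
      # OIDCAudience at token exchange.
      ClientIdList:
        - !Ref OIDCAudience
      # Placeholder thumbprint: AWS presumably validates this issuer against
      # its own trust store rather than this list — TODO confirm against the
      # current IAM documentation before relying on it.
      ThumbprintList:
        - ffffffffffffffffffffffffffffffffffffffff

Outputs:
  GithubRole:
    # ARN to put in the workflow's role-to-assume input.
    Value: !GetAtt GithubRole.Arn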