-
Notifications
You must be signed in to change notification settings - Fork 5
Expand file tree
/
Copy pathsetup.yaml
More file actions
160 lines (153 loc) · 5.98 KB
/
Copy pathsetup.yaml
File metadata and controls
160 lines (153 loc) · 5.98 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
AWSTemplateFormatVersion: 2010-09-09
Description: Initial setup for Terraform and GitHub Actions
Parameters:
TerraformBackendBucketName:
Type: String
Description: The name of the S3 bucket to use as the Terraform backend
Resources:
TerraformBackendBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Ref TerraformBackendBucketName
OwnershipControls:
Rules:
- ObjectOwnership: BucketOwnerEnforced
# Related: https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-5
TerraformBackendBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref TerraformBackendBucket
PolicyDocument:
Version: 2012-10-17
Statement:
Sid: AllowSSLRequestsOnly
Action: s3:*
Effect: Deny
Resource:
- !Sub "arn:aws:s3:::${TerraformBackendBucket}"
- !Sub "arn:aws:s3:::${TerraformBackendBucket}/*"
Principal: "*"
Condition:
Bool:
aws:SecureTransport: false
OIDCProviderGitHub:
Type: AWS::IAM::OIDCProvider
Properties:
Url: https://token.actions.githubusercontent.com
ClientIdList:
- sts.amazonaws.com
ThumbprintList:
# The following thumbprints aren't required as AWS writes: "AWS secures communication with this
# OIDC identity provider (IdP) using our library of trusted CAs rather than using a certificate
# thumbprint to verify the server certificate of your IdP. Your legacy thumbprint(s) will remain
# in your configuration but will no longer be needed for validation."
#
# Source for the thumbprints:
# https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/
- 6938fd4d98bab03faadb97b34396831e3780aea1
- 1c58a3a8518e8759bf075b76b750d4f2df264fcd
GitHubActionsRole:
Type: AWS::IAM::Role
Properties:
RoleName: github-actions
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Action: sts:AssumeRoleWithWebIdentity
Effect: Allow
Principal:
Federated: !Ref OIDCProviderGitHub
Condition:
StringEquals:
token.actions.githubusercontent.com:aud: sts.amazonaws.com
StringLike:
token.actions.githubusercontent.com:sub:
- repo:simonknittel/sam:*
Policies:
- PolicyName: terraform-plan
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
# https://github.com/iann0036/iamlive
Action:
- acm:DescribeCertificate
- acm:ListCertificates
- acm:GetCertificate
- acm:ListTagsForCertificate
- budgets:ViewBudget
- cloudfront:GetCachePolicy
- cloudfront:GetDistribution
- cloudfront:GetOriginAccessControl
- cloudfront:GetOriginRequestPolicy
- cloudfront:ListCachePolicies
- cloudfront:ListOriginRequestPolicies
- cloudfront:ListTagsForResource
- cloudwatch:DescribeAlarms
- cloudwatch:ListTagsForResource
- config:DescribeConfigurationRecorderStatus
- config:DescribeConfigurationRecorders
- config:DescribeDeliveryChannels
- dynamodb:DescribeContinuousBackups
- dynamodb:DescribeTable
- dynamodb:DescribeTimeToLive
- dynamodb:ListTagsOfResource
- events:DescribeEventBus
- events:DescribeRule
- events:ListTagsForResource
- events:ListTargetsByRule
- iam:GetOpenIDConnectProvider
- iam:GetRole
- iam:GetRolePolicy
- iam:GetUserPolicy
- iam:ListAccessKeys
- iam:ListAttachedRolePolicies
- iam:ListOpenIDConnectProviders
- iam:ListRolePolicies
- iam:GetUser
- kms:DescribeKey
- kms:ListAliases
- lambda:GetEventSourceMapping
- lambda:GetFunction
- lambda:GetFunctionCodeSigningConfig
- lambda:GetPolicy
- lambda:ListVersionsByFunction
- logs:DescribeLogGroups
- logs:ListTagsLogGroup
- s3:GetAccelerateConfiguration
- s3:GetAccountPublicAccessBlock
- s3:GetBucketAcl
- s3:GetBucketCORS
- s3:GetBucketLogging
- s3:GetBucketObjectLockConfiguration
- s3:GetBucketPolicy
- s3:GetBucketRequestPayment
- s3:GetBucketTagging
- s3:GetBucketVersioning
- s3:GetBucketWebsite
- s3:GetEncryptionConfiguration
- s3:GetLifecycleConfiguration
- s3:GetObject
- s3:GetObjectTagging
- s3:GetObjectVersion
- s3:GetReplicationConfiguration
- s3:ListBucket
- schemas:DescribeDiscoverer
- schemas:ListTagsForResource
- sqs:GetQueueAttributes
- sqs:ListQueueTags
- ssm:GetParameter
- sts:GetCallerIdentity
Resource: "*"
- PolicyName: terraform-apply
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: "*" # TODO: Don't do this
Resource: "*"
Outputs:
TerraformBackendBucketName:
Value: !Ref TerraformBackendBucket
GitHubActionsRoleArn:
Value: !GetAtt GitHubActionsRole.Arn