Created
September 12, 2023 00:43
-
-
Save sbe-arg/b0631957ea6d8419e38b4fafd6ff0c7c to your computer and use it in GitHub Desktop.
oidc-hardened-cloudformation.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| AWSTemplateFormatVersion: 2010-09-09 | |
| Description: CI OIDC for account. | |
| Parameters: | |
| GitHubOrg: | |
| Description: Name of GitHub organization/user (case sensitive) | |
| Default: "myorg" | |
| Type: String | |
| RepositoryName: | |
| Description: Name of GitHub repository (case sensitive) | |
| Default: "myrepo" | |
| Type: String | |
| OIDCProviderArn: | |
| Description: Arn if using and existing GitHub OIDC Provider. Run empty if setting the provider up. | |
| Default: "" | |
| Type: String | |
| OIDCAudience: | |
| Description: Audience supplied to configure-aws-credentials. | |
| Default: "sts.amazonaws.com" | |
| Type: String | |
| Conditions: | |
| CreateOIDCProvider: !Equals | |
| - !Ref OIDCProviderArn | |
| - "" | |
| Resources: | |
| Role: | |
| Type: AWS::IAM::Role | |
| Properties: | |
| RoleName: github-actions | |
| Path: / | |
| ManagedPolicyArns: | |
| - !Ref CIRolePolicy | |
| AssumeRolePolicyDocument: | |
| Statement: | |
| - Effect: Allow | |
| Action: sts:AssumeRoleWithWebIdentity | |
| Principal: | |
| Federated: !If | |
| - CreateOIDCProvider | |
| - !Ref GithubOidc | |
| - !Ref OIDCProviderArn | |
| Condition: | |
| StringEquals: | |
| token.actions.githubusercontent.com:aud: !Ref OIDCAudience | |
| StringLike: | |
| # this probable needs locking from main branches only | |
| token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:* | |
| GithubOidc: | |
| Type: AWS::IAM::OIDCProvider | |
| Condition: CreateOIDCProvider | |
| Properties: | |
| Url: https://token.actions.githubusercontent.com | |
| ClientIdList: | |
| - sts.amazonaws.com | |
| ThumbprintList: | |
| - ffffffffffffffffffffffffffffffffffffffff # fake thumb required but uses gh certificates | |
| CIRolePolicy: | |
| Type: AWS::IAM::ManagedPolicy | |
| Properties: | |
| ManagedPolicyName: ci-policy | |
| PolicyDocument: | |
| Version: 2012-10-17 | |
| Statement: | |
| - | |
| Effect: "Allow" | |
| Action: | |
| - iam:PassRole | |
| Resource: !GetAtt CIExecRole.Arn | |
| - | |
| Effect: "Allow" | |
| Action: | |
| - "cloudformation:*" | |
| Resource: "*" | |
| - | |
| Effect: "Deny" | |
| Action: | |
| - "cloudformation:*" | |
| Resource: | |
| - "arn:*:cloudformation:*:*:StackSet-AWSControlTowerBP-*/*" | |
| - | |
| Effect: "Deny" | |
| Action: | |
| - "cloudformation:DeleteStack*" | |
| Resource: "*" | |
| - | |
| Effect: "Allow" | |
| Action: | |
| - "s3:List*" | |
| - "s3:Get*" | |
| Resource: "*" | |
| - | |
| Effect: "Allow" | |
| Action: | |
| - "ssm:PutParameter" | |
| - "ssm:GetParameter" | |
| - "ssm:GetParameters" | |
| Resource: | |
| - "*" | |
| - | |
| Effect: "Allow" | |
| Action: | |
| - "ecr:Get*" | |
| - "ecr:BatchGetImage" | |
| - "ecr:BatchCheckLayerAvailability" | |
| - "ecr:GetDownloadUrlForLayer" | |
| - "ecr:Describe*" | |
| - "ecr:List*" | |
| Resource: | |
| - "arn:aws:ecr:*:*:repository/*" # this is the central ecr repo? | |
| - | |
| Effect: "Allow" | |
| Action: | |
| - "ecr:PutImage" | |
| - "ecr:Tag*" | |
| - "ecr:UnTag*" | |
| - "ecr:InitiateLayerUpload" | |
| - "ecr:CompleteLayerUpload" | |
| - "ecr:UploadLayerPart" | |
| Resource: | |
| - "arn:aws:ecr:*:*:repository/*" | |
| - | |
| Effect: "Allow" | |
| Action: | |
| - "ecr:GetAuthorizationToken" | |
| Resource: "*" | |
| - | |
| Effect: "Allow" | |
| Action: | |
| - "ec2:DescribeImages" | |
| Resource: "*" | |
| CIExecRole: | |
| Type: AWS::IAM::Role | |
| Properties: | |
| RoleName: cfnexec-github | |
| Description: Role assumed by cloudformation service while creating the required resources | |
| AssumeRolePolicyDocument: | |
| Version: 2012-10-17 | |
| Statement: | |
| - | |
| Effect: Allow | |
| Principal: | |
| Service: cloudformation.amazonaws.com | |
| Action: | |
| - sts:AssumeRole | |
| Path: / | |
| ManagedPolicyArns: | |
| - !Ref CIExecPolicy | |
| CIExecPolicy: | |
| Type: AWS::IAM::ManagedPolicy | |
| Properties: | |
| ManagedPolicyName: cfnexec-github | |
| Description: Policy for cloudformation service while creating the required resources | |
| PolicyDocument: | |
| Version: 2012-10-17 | |
| Statement: | |
| - | |
| Effect: "Allow" | |
| Action: | |
| - "acm:*" | |
| - "cloudwatch:*" | |
| - "cloudformation:*" | |
| - "logs:*" | |
| - "autoscaling:*" | |
| - "inspector:*" | |
| - "ec2:*" | |
| - "ecs:*" | |
| - "elasticache:*" | |
| - "elasticloadbalancing:*" | |
| - "application-autoscaling:*" | |
| - "iam:*" | |
| - "events:*" | |
| - "lambda:*" | |
| - "ses:*" | |
| - "rds:*" | |
| - "tag:*" | |
| - "resource-groups:*" | |
| - "route53:*" | |
| - "s3:*" | |
| - "secretsmanager:*" | |
| - "apigateway:*" | |
| - "sns:*" | |
| - "sqs:*" | |
| - "servicediscovery:*" | |
| - "ssm:*" | |
| - "waf-regional:*" | |
| - "waf:*" | |
| - "wafv2:*" | |
| - "states:*" | |
| - "securityhub:*" | |
| - "macie:*" | |
| - "macie2:*" | |
| - "kms:*" | |
| - "guardduty:*" | |
| - "backup:*" | |
| Resource: "*" | |
| - | |
| Effect: "Deny" | |
| Action: | |
| - "iam:Put*" | |
| - "iam:Update*" | |
| Resource: | |
| - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*" | |
| - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:mfa/*" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment