From 71482d3d5ab5a4c0176cfd41f30a7d11f9b45f57 Mon Sep 17 00:00:00 2001
From: rrigato
Date: Sat, 23 Dec 2023 06:55:02 -0800
Subject: [PATCH] remove ProdCodeDeployRole

---
 templates/code_pipeline.yml | 95 -------------------------------------
 1 file changed, 95 deletions(-)

diff --git a/templates/code_pipeline.yml b/templates/code_pipeline.yml
index a940cef..9781e6d 100644
--- a/templates/code_pipeline.yml
+++ b/templates/code_pipeline.yml
@@ -50,101 +50,6 @@ Resources: !Ref RepositoryDescription]] RepositoryName: !Ref ProjectName -#################### -#Role assumed by cloudformation -#in stage 2 of the CodePipeline to -#create/update the templates/prod_resource_import.yml stack -#################### - ProdCodeDeployRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Action: ['sts:AssumeRole'] - Effect: Allow - Principal: - Service: [cloudformation.amazonaws.com] - Version: '2012-10-17' - ManagedPolicyArns: - - arn:aws:iam::aws:policy/AmazonS3FullAccess - - arn:aws:iam::aws:policy/CloudFrontFullAccess - Path: / - #Ability to create record sets in Route53 - Policies: - - PolicyName: DeployRoute53 - PolicyDocument: - Version: "2012-10-17" - Statement: - - Sid: RecordSetsOneHostedZone - Effect: Allow - Action: - - route53:GetHostedZone - - route53:ListResourceRecordSets - - route53:ListHostedZones - - route53:GetChange - Resource: - - "*" - - - Sid: RequestAcmCertificate - Effect: Allow - Action: - - acm:RequestCertificate - - acm:DeleteCertificate - - acm:DescribeCertificate - Resource: - - "*" - #Change Record Sets but limit - #to one hosted zone - - Sid: WriteRecordSetsOneHostedZone - Effect: Allow - Action: - - route53:ChangeResourceRecordSets - #Name of the hosted zone to allow Record - #sets to be changed on - Resource: - - "arn:aws:route53:::hostedzone/Z3K3UR6983C2YB" - #policy needed for serverless transform - - PolicyName: BackendDeployPolicy - PolicyDocument: - Version: "2012-10-17" - Statement: - - Sid: RecordSetsOneHostedZone - Effect: Allow - Action: - - cloudformation:CreateChangeSet - #- cloudformation:ExecuteChangeSet - Resource: - - "*" - #secretsmanager creation privleges - - Sid: !Join ['', [!Ref ProjectName,'SecretsMangerDeploy']] - Effect: Allow - Action: - - secretsmanager:CreateSecret # pragma: allowlist secret - - secretsmanager:DeleteSecret # pragma: allowlist secret - - secretsmanager:TagResource # pragma: allowlist secret - - 
secretsmanager:UpdateSecret # pragma: allowlist secret - Resource: - - "*" - #create vpc privleges - - Sid: !Join ['', [!Ref ProjectName,'VpcDeploy']] - Effect: Allow - Action: - - ec2:CreateVpc - - ec2:CreateSubnet - - ec2:DeleteSubnet - - ec2:DeleteVpc - - ec2:DescribeVpcs - - ec2:ModifyVpcAttribute - - ec2:createTags - - ec2:DescribeAvailabilityZones - - ec2:DescribeAccountAttributes - - ec2:DescribeSubnets - - ec2:CreateRouteTable - - ec2:DeleteRouteTable - - ec2:DescribeRouteTables - Resource: - - "*" - CFNRole: Type: AWS::IAM::Role Properties: