-
Notifications
You must be signed in to change notification settings - Fork 28
/
Copy pathArm-AVH-CloudFormation-Template.yaml
159 lines (158 loc) · 4.67 KB
/
Arm-AVH-CloudFormation-Template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
############################################################
# This is a TEMPLATE code, please change it for your need
# See comments in the code
############################################################
AWSTemplateFormatVersion: 2010-09-09
Parameters:
S3BucketName:
Type: String
Description: AVH S3 Bucket. Name must be unique.
VpcId:
Type: AWS::EC2::VPC::Id
Description: VPC ID to be associated with the AVH Security Group (e.g. vpc-0dc320e47b6a8077f)
Resources:
AVHS3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
AccessControl: Private
BucketName:
Ref: S3BucketName
Tags:
- Key: AVH
Value: true
AVHEC2SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow ssh communication and outbound traffic
GroupName: AVHEC2SecurityGroup
VpcId:
Ref: VpcId
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
AVHIAMProfile:
Type: "AWS::IAM::InstanceProfile"
Properties:
InstanceProfileName: Proj-AVHInstanceRole
Path: "/"
Roles:
- Ref: "AVHInstanceRole"
DependsOn:
- AVHInstanceRole
AVHInstanceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument: |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Description: Allows EC2 instances to call AWS services on AVH behalf.
Policies:
- PolicyName: Proj-AVHIAMProfileS3Policy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- 's3:PutObject'
- 's3:GetObject'
- 's3:DeleteObject'
Resource: !Join
- ''
- - 'arn:aws:s3:::'
- !Ref S3BucketName
- '/*'
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
RoleName: Proj-AVHInstanceRole
# Uncomment this line if you need to setup ARM LZ-based AWS Account
# PermissionsBoundary: !Sub 'arn:aws:iam::${AWS::AccountId}:policy/ProjAdminsPermBoundaryv2'
Tags:
- Key: AVH
Value: true
AVHRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Federated: !Sub 'arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com'
Action: sts:AssumeRoleWithWebIdentity
Condition:
ForAnyValue:StringLike:
token.actions.githubusercontent.com:sub:
# PLEASE ADD YOUR GITHUB_ORGS AND GITHUB_REPOS
- repo:YOUR_GITHUB_ORG/YOUR_GITHUB_REPO:*
Description: Allow GitHub Runners to execute AVH.
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonEC2FullAccess
- arn:aws:iam::aws:policy/AmazonS3FullAccess
- arn:aws:iam::aws:policy/AmazonSSMFullAccess
Policies:
- PolicyName: Proj-PassRoleToAVHInstance
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- iam:PassRole
Resource: !GetAtt AVHInstanceRole.Arn
RoleName: Proj-AVHRole
# Uncomment this line if you need to setup ARM LZ-based AWS Account
# PermissionsBoundary: !Sub 'arn:aws:iam::${AWS::AccountId}:policy/ProjAdminsPermBoundaryv2'
Tags:
- Key: AVH
Value: true
DependsOn:
- AVHGitHubOIDC
- AVHInstanceRole
AVHGitHubOIDC:
Type: AWS::IAM::OIDCProvider
Properties:
ClientIdList:
- sts.amazonaws.com
Tags:
- Key: AVH
Value: true
ThumbprintList:
- 6938fd4d98bab03faadb97b34396831e3780aea1
Url: https://token.actions.githubusercontent.com
Outputs:
AVHIAMProfile:
Value:
!GetAtt AVHIAMProfile.Arn
Description:
IAM Instance Profile ARN created in the stack
AVHS3BucketName:
Value:
!Ref S3BucketName
Description:
S3 Bucket created in the stack
AVHEC2SecurityGroupId:
Value:
!GetAtt AVHEC2SecurityGroup.GroupId
Description:
EC2 Security Group created in the stack
AVHGitHubOIDC:
Value:
!Ref AVHGitHubOIDC
Description:
AVHGitHubOIDC ARN
AVHRole:
Value:
!GetAtt AVHRole.Arn
Description:
AVH Role ARN