chore(CFN): update CFN stack to add managed policies to ci and release role (#1856)

* chore: update CFN stack to add managed policies to ci and release role

* chore: add CFN template for non-prod account role

Author: imabhichow

cfn/Public-ESDK-Java-CI.yml

@@ -0,0 +1,67 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "DDB Table and IAM Managed Policies/Role for AWS KMS Hierarchical Keyring Testing"
+
+Parameters:
+  TableName:
+    Type: String
+    Description: Test Table Name
+    Default: HierarchicalKeyringTestTable
+  KeyStoreTable:
+    Type: String
+    Description: Key Store Test Table Name
+    Default: KeyStoreTestTable
+  ProjectName:
+    Type: String
+    Description: A prefix that will be applied to any names
+    Default: Public-ESDK-Java
+  GitHubRepo:
+    Type: String
+    Description: GitHub Repo that invokes CI
+    Default: aws/aws-encryption-sdk-java
+
+Resources:
+  GitHubCIRole:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      RoleName: !Sub "GitHub-CI-${ProjectName}-Role-${AWS::Region}"
+      Description: "Access DDB, KMS, Resources for CI from GitHub"
+      ManagedPolicyArns:
+        - "arn:aws:iam::370957321024:policy/ESDK-Dafny-DDB-ReadWriteDelete-us-west-2"
+        - "arn:aws:iam::370957321024:policy/Hierarchical-GitHub-KMS-Key-Policy"
+        - "arn:aws:iam::370957321024:policy/KMS-Public-CMK-EncryptDecrypt-Key-Access"
+        - "arn:aws:iam::370957321024:policy/RSA-GitHub-KMS-Key-Policy"
+      AssumeRolePolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",   
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Principal": { "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com" },
+              "Action": "sts:AssumeRoleWithWebIdentity",
+              "Condition": {
+                "StringEquals": {
+                  "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+                },
+                "StringLike": {
+                  "token.actions.githubusercontent.com:sub": "repo:${GitHubRepo}:*"
+                }
+              }
+            },
+            {
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": "*"
+              },
+              "Action": "sts:AssumeRole",
+              "Condition": {
+                "StringEquals": {
+                  "aws:PrincipalArn": [
+                    "arn:aws:iam::587316601012:role/service-role/codebuild-AWS-ESDK-Java-service-role-ci",
+                    "arn:aws:iam::587316601012:role/service-role/codebuild-AWS-ESDK-Java-service-role-release",
+                    "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment"
+                  ]
+                }
+              }
+            }
+          ]
+        }

cfn/ci_cd.yml

@@ -141,6 +141,8 @@ Resources:
         - !Ref SecretsManagerPolicyCI
         - !Ref ParameterStorePolicy
         - !Ref CodeBuildBasePolicyCI
+        - !Ref HierarchicalKeyringTestTableUsage
+        - !Ref CodeBuildCISTSAllow
         - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
         - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
 
@@ -159,9 +161,28 @@ Resources:
         - !Ref CodeBuildBasePolicy
         - !Ref SecretsManagerPolicyRelease
         - !Ref ParameterStorePolicy
+        - !Ref HierarchicalKeyringTestTableUsage
+        - !Ref CodeBuildCISTSAllow
         - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
         - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
 
+  CodeBuildCISTSAllow:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub CodeBuildCISTSAllow-${ProjectName}
+      Path: /service-role/
+      PolicyDocument: |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+              {
+                  "Effect": "Allow",
+                  "Action": "sts:AssumeRole",
+                  "Resource": "arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Java-Role-us-west-2"
+              }
+          ]
+        }
+
   CodeBuildBatchPolicy:
     Type: "AWS::IAM::ManagedPolicy"
     Properties:
@@ -382,12 +403,17 @@ Resources:
               "Effect": "Allow",
               "Resource": [
                 "arn:aws:kms:*:658956600833:key/*",
-                "arn:aws:kms:*:658956600833:alias/*"
+                "arn:aws:kms:*:658956600833:alias/*",
+                "arn:aws:kms:*:370957321024:key/*",
+                "arn:aws:kms:*:370957321024:alias/*"
               ],
               "Action": [
                 "kms:Encrypt",
                 "kms:Decrypt",
-                "kms:GenerateDataKey"
+                "kms:ReEncrypt*",
+                "kms:Generate*",
+                "kms:GetPublicKey",
+                "kms:DescribeKey"
               ]
             }
           ]