add more

lucasmcdonald3 · lucasmcdonald3 · commit b37c64594ec3 · 2024-02-08T14:00:32.000-08:00
diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml
@@ -174,6 +174,7 @@ Resources:
         - !Ref CodeBuildBatchPolicy
         - !Ref CodeBuildBasePolicy
         - !Ref SecretsManagerPolicy
+        - !Ref CodeBuildCISTSAllow
 
   CodeBuildCIServiceRole:
     Type: "AWS::IAM::Role"
@@ -186,6 +187,7 @@ Resources:
         - !Ref CryptoToolsKMS
         - !Ref CodeBuildCIBatchPolicy
         - !Ref CodeBuildBasePolicy
+        - !Ref CodeBuildCISTSAllow
         
   CodeBuildBatchPolicy:
     Type: "AWS::IAM::ManagedPolicy"
@@ -350,9 +352,9 @@ Resources:
           "Version": "2012-10-17",
           "Statement": [
               {
-                  "Effect": "Allow",
-                  "Action": "sts:AssumeRole",
-                  "Resource": "arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Java-Role-us-west-2"
+                "Effect": "Allow",
+                "Action": "sts:AssumeRole",
+                "Resource": "arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Python-Role-us-west-2"
               }
           ]
         }
diff --git a/cfn/Public-ESDK-Python-CI.yml b/cfn/Public-ESDK-Python-CI.yml
@@ -0,0 +1,67 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "DDB Table and IAM Managed Policies/Role for AWS KMS Hierarchical Keyring Testing"
+
+Parameters:
+  TableName:
+    Type: String
+    Description: Test Table Name
+    Default: HierarchicalKeyringTestTable
+  KeyStoreTable:
+    Type: String
+    Description: Key Store Test Table Name
+    Default: KeyStoreTestTable
+  ProjectName:
+    Type: String
+    Description: A prefix that will be applied to any names
+    Default: Public-ESDK-Python
+  GitHubRepo:
+    Type: String
+    Description: GitHub Repo that invokes CI
+    Default: aws/aws-encryption-sdk-python
+
+Resources:
+  GitHubCIRole:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      RoleName: !Sub "GitHub-CI-${ProjectName}-Role-${AWS::Region}"
+      Description: "Access DDB, KMS, Resources for CI from GitHub"
+      ManagedPolicyArns:
+        - "arn:aws:iam::370957321024:policy/ESDK-Dafny-DDB-ReadWriteDelete-us-west-2"
+        - "arn:aws:iam::370957321024:policy/Hierarchical-GitHub-KMS-Key-Policy"
+        - "arn:aws:iam::370957321024:policy/KMS-Public-CMK-EncryptDecrypt-Key-Access"
+        - "arn:aws:iam::370957321024:policy/RSA-GitHub-KMS-Key-Policy"
+      AssumeRolePolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",   
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Principal": { "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com" },
+              "Action": "sts:AssumeRoleWithWebIdentity",
+              "Condition": {
+                "StringEquals": {
+                  "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+                },
+                "StringLike": {
+                  "token.actions.githubusercontent.com:sub": "repo:${GitHubRepo}:*"
+                }
+              }
+            },
+            {
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": "*"
+              },
+              "Action": "sts:AssumeRole",
+              "Condition": {
+                "StringEquals": {
+                  "aws:PrincipalArn": [
+                    "arn:aws:iam::587316601012:role/service-role/codebuild-python-esdk-CI-service-role",
+                    "arn:aws:iam::587316601012:role/service-role/codebuild-python-esdk-service-role",
+                    "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment"
+                  ]
+                }
+              }
+            }
+          ]
+        }
