From 9c11d71a4ba158f272bc6d09d37b14e6b3726840 Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Wed, 7 Sep 2022 16:59:18 +0200
Subject: [PATCH] feat(adf-bootstrap): (#472) fix StringEquals to ArnEquals condition :zap:
---
 .../adf-bootstrap/example-global-iam.yml | 2 +-
 .../adf-bootstrap/global.yml | 26 +++++++++----------
 2 files changed, 13 insertions(+), 15 deletions(-)
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml
index 3c3dc0d0c..ef6795d19 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/example-global-iam.yml
@@ -51,7 +51,7 @@ Resources:
 # - Effect: Allow
 # Sid: "AssumeRole"
 # Condition:
-# StringEquals:
+# ArnEquals:
 # 'aws:PrincipalArn':
 # # This would allow all codebuild projects to be able to assume this role
 # # - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
index 141ff06d9..c94b7ff8f 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
@@ -35,8 +35,8 @@ Resources:
 Statement:
 - Effect: Allow
 Condition:
- StringEquals:
- 'aws:PrincipalArn': !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role
+ ArnEquals:
+ "aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role"
 Principal:
 AWS: !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
 Action:
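Review bot: The new `ArnEquals` on `aws:PrincipalArn` deserves a comment next to it, because unlike `StringEquals` the ARN operators treat `*` and `?` in the policy value as wildcards, so the role name in `!Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role"` has to stay literal — a templated name that ever contains a wildcard would silently widen who may assume this role. Per the IAM docs `aws:PrincipalArn` resolves to the role ARN (not the session ARN) for assumed-role sessions, which is what makes an exact match work here. Because the `Principal` is the deployment account's `:root`, this condition is the only thing narrowing the trust, so I would add `# Only adf-codepipeline-role may assume this role; ArnEquals honours * and ? wildcards, keep the role name literal.` above `Condition:`. The enclosing role resource starts before the hunk.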
@@ -205,8 +205,8 @@ Resources:
 - Effect: Allow
 Sid: "AssumeRoleLambda"
 Condition:
- StringEquals:
- 'aws:PrincipalArn': !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-lambda-role
+ ArnEquals:
+ "aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-lambda-role"
 Principal:
 AWS:
 - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
@@ -220,11 +220,9 @@ Resources:
 Action:
 - sts:AssumeRole
 Condition:
- Fn::And:
- - ArnEquals:
- "aws:SourceArn": !Sub "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${DeploymentAccountId}:*"
- - StringEquals:
- 'aws:PrincipalArn': !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role
+ ArnEquals:
+ "aws:SourceArn": !Sub "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${DeploymentAccountId}:*"
+ "aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codepipeline-role"
 Path: /
 
 AdfAutomationRole:
@@ -241,11 +239,11 @@ Resources:
 - Effect: Allow
 Sid: "AssumeRole"
 Condition:
- StringEquals:
- 'aws:PrincipalArn': !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-pipeline-provisioner-codebuild-role
+ ArnEquals:
+ "aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-pipeline-provisioner-codebuild-role"
 Principal:
 AWS:
- - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
+ - !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:root"
 Action:
 - sts:AssumeRole
 Path: /
@@ -346,8 +344,8 @@ Resources:
 - Effect: Allow
 Sid: "AssumeRole"
 Condition:
- StringEquals:
- 'aws:PrincipalArn': !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role
+ ArnEquals:
+ "aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${DeploymentAccountId}:role/adf-codebuild-role"
 Principal:
 AWS:
 - !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root
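Review bot: Folding both keys under one `ArnEquals` is valid policy syntax and ANDs them, which also removes the `Fn::And` that was a CloudFormation intrinsic rather than an IAM operator, but the `aws:SourceArn` half needs a comment explaining what it excludes. Per the IAM docs that key is only placed in the request context when an AWS service makes the call on behalf of a resource, and a condition on a key that is absent evaluates to false, so as far as I can tell a direct `sts:AssumeRole` by adf-codepipeline-role (say from an operator's CLI session) is refused even though `aws:PrincipalArn` matches. If that is the intent, state it: `# aws:SourceArn is only set on service-originated calls; direct AssumeRole by the role itself is intentionally rejected.` Note also that `ArnEquals` honours the trailing `*` in the `codepipeline:...:*` value, so any pipeline in that account and region qualifies, not one specific pipeline. The statement's `Principal` and the enclosing role sit outside the hunk.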
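Review bot: This hunk rewrites the `Principal` entry `- !Sub arn:${AWS::Partition}:iam::${DeploymentAccountId}:root` purely to wrap it in double quotes, while the same `:root` principal in the AssumeRoleLambda and adf-codebuild-role hunks stays bare, so the file now mixes two styles for an identical value. Either form parses the same in YAML (the ARN contains no `: ` or ` #` sequence), but pick one and apply it to all three, and do the same for the `!Sub` ARN values under the conditions, which this change quotes everywhere. The new condition keys also switch from single quotes (`'aws:PrincipalArn'`) to double quotes (`"aws:PrincipalArn"`) with no escapes needed; single quotes are the usual choice for literal strings, so a yamllint `quoted-strings` rule would make the choice enforceable.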