This repository has been archived by the owner on Dec 29, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
/
iam-global.yml
138 lines (130 loc) · 4.41 KB
/
iam-global.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
---
AWSTemplateFormatVersion: 2010-09-09
Description: IAM Resources for Spoptimize
Parameters:
StackBasename:
Description: Base name of Spoptimize resources
Type: String
Default: spoptimize
RolePath:
Description: Path to pass to IAM resources
Type: String
Default: /
Resources:
StateMachineManagedPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: IAM Policy for Spoptimize State Machine
Path: !Ref RolePath
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: InvokeLambda
Effect: Allow
Action: lambda:InvokeFunction
Resource: !Sub "arn:aws:lambda:*:${AWS::AccountId}:function:${StackBasename}*"
StateMachineRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub "${StackBasename}-iam-global-state-machine"
Path: !Ref RolePath
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: states.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- !Ref StateMachineManagedPolicy
LambdaManagedPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: IAM Policy for Spoptimize Lambdas
Path: !Ref RolePath
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: AutoScaling
Effect: Allow
Action:
- autoscaling:Describe*
- autoscaling:SetDesiredCapacity
- autoscaling:AttachInstances
- autoscaling:TerminateInstanceInAutoScalingGroup
- autoscaling:SetInstanceProtection
Resource: "*"
- Sid: SpotRequests
Effect: Allow
Action:
# - ec2:RunInstances
- ec2:CancelSpotInstanceRequests
- ec2:CreateTags
- ec2:DescribeSpotInstanceRequests
- ec2:DescribeSpotPriceHistory
- ec2:DescribeSecurityGroups
- ec2:DescribeInstances
- ec2:DescribeTags
- ec2:RequestSpotInstances
- ec2:TerminateInstances
Resource: "*"
- Sid: StepFnStart
Effect: Allow
Action:
- states:StartExecution
Resource: !Sub "arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${StackBasename}-*"
- Sid: StepFnDescribeExec
Effect: Allow
Action:
- states:DescribeExecution
Resource: !Sub "arn:aws:states:${AWS::Region}:${AWS::AccountId}:execution:${StackBasename}-*"
- Sid: DynamoDbLockTable
Effect: Allow
Action:
- dynamodb:DeleteItem
- dynamodb:GetItem
- dynamodb:PutItem
Resource: !Sub "arn:aws:dynamodb:*:${AWS::AccountId}:table/${StackBasename}-autoscaling-group-locks"
- Sid: PassEc2IamRole
Effect: Allow
Action: iam:PassRole
Resource: "*"
Condition:
StringEquals:
iam:PassedToService:
- ec2.amazonaws.com
- ec2.amazonaws.com.cn
- Sid: GetIamInstanceProfiles
Effect: Allow
Action: iam:GetInstanceProfile
Resource: "*"
- Sid: CreateSpotServiceRole
Effect: Allow
Action: iam:CreateServiceLinkedRole
Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot"
LambdaExecRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub "${AWS::StackName}-lambda-role"
Path: !Ref RolePath
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
- !Ref LambdaManagedPolicy
Outputs:
StateMachineManagedPolicy:
Description: ARN of State Machine Managed Policy
Value: !Ref StateMachineManagedPolicy
StateMachineRoleArn:
Description: ARN of State Machine IAM Role
Value: !GetAtt StateMachineRole.Arn
LambdaManagedPolicy:
Description: ARN of Lambda Managed Policy
Value: !Ref LambdaManagedPolicy
LambdaRoleArn:
Description: ARN of State Machine IAM Role
Value: !GetAtt LambdaExecRole.Arn