Scope down execution and logging role assume role policy (#860)

Author: sungkkim

src/rpdk/core/data/managed-upload-infrastructure.yaml

@@ -91,6 +91,10 @@ Resources:
             Service:
               - resources.cloudformation.amazonaws.com
           Action: sts:AssumeRole
+          Condition:
+            StringEquals:
+              aws:SourceAccount:
+                Ref: AWS::AccountId
       Path: "/"
       Policies:
       - PolicyName: LogAndMetricsDeliveryRolePolicy

src/rpdk/core/project.py

@@ -160,6 +160,10 @@ def type_name(self, value):
     def hypenated_name(self):
         return "-".join(self.type_info).lower()
 
+    @property
+    def hyphenated_name_case_sensitive(self):
+        return "-".join(self.type_info)
+
     @property
     def schema_filename(self):
         return f"{self.hypenated_name}.json"
@@ -428,7 +432,7 @@ def generate(self):
                 permission = "Deny"
 
             contents = template.render(
-                type_name=self.hypenated_name,
+                type_name=self.hyphenated_name_case_sensitive,
                 actions=sorted(actions),
                 permission=permission,
                 role_session_timeout=role_session_timeout,

src/rpdk/core/templates/resource-role.yml

@@ -15,6 +15,13 @@ Resources:
             Principal:
               Service: resources.cloudformation.amazonaws.com
             Action: sts:AssumeRole
+            Condition:
+              StringEquals:
+                aws:SourceAccount:
+                  Ref: AWS::AccountId
+              StringLike:
+                aws:SourceArn:
+                  Fn::Sub: arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:type/resource/{{ type_name }}/*
       Path: "/"
       Policies:
         - PolicyName: ResourceTypePolicy