[sdlf-cicd] handle crossaccount role trust relationship

Author: cnfait

sdlf-cicd/deploy-cicd.sh

@@ -182,6 +182,14 @@ aws cloudformation deploy \
     ${REGION:+--region "$REGION"} \
     ${PROFILE:+--profile "$PROFILE"} || exit 1
 
+if ! "$dflag"
+then
+    CODEBUILD_ROLE=$(aws codebuild batch-get-projects --names "sdlf-cicd-$1" --query "projects[0].serviceRole" --output text ${REGION:+--region "$REGION"} ${PROFILE:+--profile "$PROFILE"} | cut -d'/' -f2)
+    CODEBUILD_ROLE_BOOTSTRAP=$(aws codebuild batch-get-projects --names "sdlf-cicd-bootstrap" --query "projects[0].serviceRole" --output text ${REGION:+--region "$REGION"} ${PROFILE:+--profile "$PROFILE"} | cut -d'/' -f2)
+    echo "Role names to provide to ./deploy-role.sh:"
+    echo "$CODEBUILD_ROLE $CODEBUILD_ROLE_BOOTSTRAP"
+fi
+
 if "$cflag"
 then
     echo "The list ${CONSTRUCTS[*]} will be used in a future release to restrict CodeBuild permissions to the set of permissions required by the constructs it can deploy."

sdlf-cicd/deploy-role.sh

@@ -23,6 +23,7 @@ Options
   -V, --version -- Print the SDLF version
   -h, --help -- Show this help message
   -p -- Name of the AWS profile to use
+  -b -- AWS account ID of the CodeBuild project
   -c -- Name of the SDLF construct that will be used
   <name> -- Name to uniquely identify this deployment
 
@@ -149,6 +150,15 @@ if ! "$bflag"
 then
     echo "CodeBuild project is assumed to be in the same AWS account" >&2
     CODEBUILD_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text ${REGION:+--region "$REGION"} ${PROFILE:+--profile "$PROFILE"})
+
+    CODEBUILD_ROLE=$(aws codebuild batch-get-projects --names "sdlf-cicd-$1" --query "projects[0].serviceRole" --output text ${REGION:+--region "$REGION"} ${PROFILE:+--profile "$PROFILE"} | cut -d'/' -f2)
+    CODEBUILD_ROLE_BOOTSTRAP=$(aws codebuild batch-get-projects --names "sdlf-cicd-bootstrap" --query "projects[0].serviceRole" --output text ${REGION:+--region "$REGION"} ${PROFILE:+--profile "$PROFILE"} | cut -d'/' -f2)
+else
+    if [ -z ${2+x} ]; then die 'ERROR: "./deploy-role.sh" requires a second non-option argument providing the CodeBuild project IAM role name.'; fi
+    if [ -z ${3+x} ]; then die 'ERROR: "./deploy-role.sh" requires a third non-option argument providing the boostrap CodeBuild project IAM role name.'; fi
+
+    CODEBUILD_ROLE=$2
+    CODEBUILD_ROLE_BOOTSTRAP=$3
 fi
 
 STACK_NAME="sdlf-cicd-role-$CODEBUILD_ACCOUNT_ID-$1"
@@ -159,6 +169,8 @@ aws cloudformation deploy \
     --parameter-overrides \
         pCodeBuildAccountId="$CODEBUILD_ACCOUNT_ID" \
         pCodeBuildSuffix="$1" \
+        pCodeBuildBootstrapRole="$CODEBUILD_ROLE_BOOTSTRAP" \
+        pCodeBuildUserRepositoryRole="$CODEBUILD_ROLE" \
     --tags Framework=sdlf \
     --capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
     ${REGION:+--region "$REGION"} \

sdlf-cicd/template-cicd-generic-role.yaml

@@ -11,6 +11,12 @@ Parameters:
     Type: String
     AllowedPattern: (\d{12}|^$)
     ConstraintDescription: Must be an AWS account ID
+  pCodeBuildBootstrapRole:
+    Description: "sdlf-cicd-bootstrap CodeBuild IAM role name"
+    Type: String
+  pCodeBuildUserRepositoryRole:
+    Description: "sdlf-cicd-CodeBuildSuffix CodeBuild IAM role name"
+    Type: String
 
 Resources:
   rSdlfCicdCodeBuildRole:
@@ -25,12 +31,11 @@ Resources:
         Statement:
           - Effect: Allow
             Principal:
-              Service: codebuild.amazonaws.com
+              AWS:
+                - !Sub arn:${AWS::Partition}:iam::${pCodeBuildAccountId}:role/${pCodeBuildBootstrapRole}
+                - !Sub arn:${AWS::Partition}:iam::${pCodeBuildAccountId}:role/${pCodeBuildUserRepositoryRole}
             Action:
               - sts:AssumeRole
-            Condition:
-              StringEquals:
-                "aws:SourceAccount": "111111111111"
       Policies:
         - PolicyName: sdlf-codebuild
           PolicyDocument: