Merge pull request #56 from codeguru42/55-limit-github-role

codeguru42 · web-flow · commit 367c4138c260 · 2023-06-02T20:33:13.000-06:00
55 limit GitHub role
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -16,18 +16,9 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v1-node16
         with:
-          role-to-assume: arn:aws:iam::200049542062:role/gocapture/GithubRole
+          role-to-assume: arn:aws:iam::200049542062:role/go_capture/GithubRole
           aws-region: us-west-1
 
-      - name: Deploy Github Role
-        uses: aws-actions/aws-cloudformation-github-deploy@v1
-        with:
-          name: GoCaptureGithubRole
-          template: cloud-formation/github-role.yaml
-          parameter-overrides: "Repository=${{ github.repository }}"
-          capabilities: CAPABILITY_NAMED_IAM
-          no-fail-on-empty-changeset: 1
-
       - name: Set ECR Stack Name
         id: ecr-stack-name
         run: echo ECR_STACK_NAME=GoCaptureECR >> $GITHUB_OUTPUT
diff --git a/README.md b/README.md
@@ -21,3 +21,8 @@ pre-commit install
 ```shell
 docker compose -f docker-compose-dev.yml -p go-capture-api up -d --build
 ```
+
+## Deploy GithubRole
+```shell
+aws cloudformation create-stack --stack-name GoCaptureGithubRole --parameters ParameterKey=Repository,ParameterValue=<github-repo> --template-body "$(cat cloud-formation/github-role.yaml)" --capabilities CAPABILITY_NAMED_IAM
+```
diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml
@@ -16,7 +16,7 @@ Resources:
             Condition:
               StringLike:
                 token.actions.githubusercontent.com:sub: !Sub repo:${Repository}:*
-      Path: /gocapture/
+      Path: /go_capture/
       Policies:
         - PolicyName: CloudFormationPolicy
           PolicyDocument: {
@@ -37,6 +37,21 @@ Resources:
             ]
           }
         - PolicyName: IamPolicy
+          PolicyDocument: {
+            "Version": "2012-10-17",
+            "Statement": [
+              {
+                "Effect": Allow,
+                "Action": [
+                  iam:GetRole,
+                  iam:GetUser,
+                  iam:ListAccessKeys,
+                ],
+                "Resource": "arn:aws:iam::200049542062:user/go_capture/*"
+              },
+            ]
+          }
+        - PolicyName: IamDeployUserPolicy
           PolicyDocument: {
             "Version": "2012-10-17",
             "Statement": [
@@ -48,13 +63,13 @@ Resources:
                   iam:DeleteUserPolicy,
                   iam:GetRole,
                   iam:GetUser,
-                  iam:ListAccessKeys,
                   iam:PutRolePolicy,
                   iam:PutRoleRole,
                   iam:PutUserPolicy,
                   iam:UpdateAssumeRolePolicy,
+                  iam:ListAccessKeys,
                 ],
-                "Resource": "*"
+                "Resource": "arn:aws:iam::200049542062:user/go_capture/beta_deploy"
               },
             ]
           }
