Don't allow GithubRole to modify its own permissions

Author: codeguru42

cloud-formation/github-role.yaml

@@ -16,7 +16,7 @@ Resources:
             Condition:
               StringLike:
                 token.actions.githubusercontent.com:sub: !Sub repo:${Repository}:*
-      Path: /gocapture/
+      Path: /go_capture/
       Policies:
         - PolicyName: CloudFormationPolicy
           PolicyDocument: {
@@ -37,6 +37,21 @@ Resources:
             ]
           }
         - PolicyName: IamPolicy
+          PolicyDocument: {
+            "Version": "2012-10-17",
+            "Statement": [
+              {
+                "Effect": Allow,
+                "Action": [
+                  iam:GetRole,
+                  iam:GetUser,
+                  iam:ListAccessKeys,
+                ],
+                "Resource": "arn:aws:iam::200049542062:user/go_capture/*"
+              },
+            ]
+          }
+        - PolicyName: IamDeployUserPolicy
           PolicyDocument: {
             "Version": "2012-10-17",
             "Statement": [
@@ -48,13 +63,13 @@ Resources:
                   iam:DeleteUserPolicy,
                   iam:GetRole,
                   iam:GetUser,
-                  iam:ListAccessKeys,
                   iam:PutRolePolicy,
                   iam:PutRoleRole,
                   iam:PutUserPolicy,
                   iam:UpdateAssumeRolePolicy,
+                  iam:ListAccessKeys,
                 ],
-                "Resource": "*"
+                "Resource": "arn:aws:iam::200049542062:user/go_capture/beta_deploy"
               },
             ]
           }