awslabs / aws-refarch-cross-account-pipeline

The CloudFormation templates guide users through setting up a CodePipeline in Account-A, a CodeCommit repository in Account-B, and the deployment of a sample Lambda function in Account-C. They provide a reference for customers who want to use AWS CodePipeline as a centralized product to enable CI/CD across multiple accounts.
https://aws.amazon.com/blogs/devops/aws-building-a-secure-cross-account-continuous-delivery-pipeline
Apache License 2.0

Question - where is the ToolsAcctCodePipelineCodeCommitRole created? #17

Open matwerber1 opened 3 years ago

matwerber1 commented 3 years ago

Per link below:

https://github.com/awslabs/aws-refarch-cross-account-pipeline/blob/4f075e88cd5111a77a07d1e48a9ae625985f22cf/ToolsAcct/code-pipeline.yaml#L202

I can't find where this role is actually created, e.g. AWS::IAM::Role in CloudFormation. Where is this coming from?

hannonq commented 3 years ago

Maybe a bit late, but if anyone else comes here with the same question, it is created here

In aws-refarch-cross-account-pipeline/DevAccount/toolsacct-codepipeline-codecommit.yaml:

Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub ToolsAcctCodePipelineCodeCommitRole
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Effect: Allow
            Principal:
              AWS:
                - !Ref ToolsAccount
            Action:
              - sts:AssumeRole
      Path: /

The !Sub there is actually irrelevant (cfn-linter even gives this warning), since there is no variable to substitute. So the !Sub can be removed.
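The thread boils down to two checks a reviewer would want to run on that template: which principals the role's trust policy actually lets call sts:AssumeRole, and whether the !Sub does anything. The script below is an added example, not code from the repository. It models the role from the answer above as a CloudFormation template in JSON form (!Sub and !Ref are the YAML short forms of Fn::Sub and Ref), assumes a ToolsAccount parameter and a constructed account id for it, and adds a constructed second role with a wildcard principal so the contrast is visible. The audit resolves Ref and Fn::Sub, lists the trusted AWS principals per role, and reports a wildcard trust or a Fn::Sub with nothing to substitute.

```python
"""Added example: audit the trust policies of AWS::IAM::Role resources in a
CloudFormation template. Not part of aws-refarch-cross-account-pipeline."""
import json
import re

# Constructed template modelled on the role shown in
# DevAccount/toolsacct-codepipeline-codecommit.yaml (JSON form of the YAML).
# The ToolsAccount parameter declaration is assumed; the repository's own
# parameter block is not reproduced here.
TEMPLATE = {
    "Parameters": {"ToolsAccount": {"Type": "Number"}},
    "Resources": {
        "Role": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": {"Fn::Sub": "ToolsAcctCodePipelineCodeCommitRole"},
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"AWS": [{"Ref": "ToolsAccount"}]},
                        "Action": ["sts:AssumeRole"],
                    }],
                },
                "Path": "/",
            },
        },
        # Constructed second role, only to show what the audit flags.
        "OverlyBroadRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"AWS": "*"},
                        "Action": "sts:AssumeRole",
                    }],
                },
            },
        },
    },
}

# Parameter values as supplied at deploy time (constructed account id).
PARAMS = {"ToolsAccount": "111111111111"}


def resolve(node, params):
    """Resolve Ref and Fn::Sub against parameter values; other intrinsics
    are left as they are. A Fn::Sub string without ${...} placeholders
    resolves to itself, which is why the linter calls it unnecessary."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and node["Ref"] in params:
            return params[node["Ref"]]
        if set(node) == {"Fn::Sub"} and isinstance(node["Fn::Sub"], str):
            return re.sub(r"\$\{(\w+)\}",
                          lambda m: params.get(m.group(1), m.group(0)),
                          node["Fn::Sub"])
        return {k: resolve(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, params) for v in node]
    return node


def as_list(x):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return x if isinstance(x, list) else [x]


def trusted_principals(role_props):
    """Return the AWS principals allowed to call sts:AssumeRole on this role."""
    principals = []
    for stmt in as_list(role_props["AssumeRolePolicyDocument"]["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principals.append("*")
        else:
            principals.extend(as_list(principal.get("AWS", [])))
    return principals


def audit_roles(template, params):
    """Map each AWS::IAM::Role logical id to its trusted principals and any
    findings: wildcard trust, or a Fn::Sub with no variables to substitute."""
    report = {}
    for logical_id, res in template["Resources"].items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        raw_props = res["Properties"]
        props = resolve(raw_props, params)
        findings = []
        principals = trusted_principals(props)
        if "*" in principals:
            findings.append("trust policy allows any AWS principal")
        name = raw_props.get("RoleName")
        if isinstance(name, dict) and "Fn::Sub" in name and "${" not in str(name["Fn::Sub"]):
            findings.append("Fn::Sub on RoleName has no variables to substitute")
        report[logical_id] = {"principals": principals, "findings": findings}
    return report


if __name__ == "__main__":
    print(json.dumps(audit_roles(TEMPLATE, PARAMS), indent=2))
```

Two things the output makes concrete. The role from the answer trusts exactly one principal, the resolved ToolsAccount id; IAM treats a bare account id in an AWS principal as that account's root, so any identity in the tools account that itself is allowed sts:AssumeRole on this role can assume it. And the Fn::Sub finding on RoleName is the same observation cfn-lint makes: with no ${...} placeholder the function returns the string unchanged, so a plain `RoleName: ToolsAcctCodePipelineCodeCommitRole` is equivalent.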