@friggframework/devtools 2.0.0--canary.398.e2147f7.0 → 2.0.0--canary.398.c9e5d61.0

package/infrastructure/frigg-deployment-iam-stack.yaml

@@ -0,0 +1,370 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'IAM roles and policies for Frigg application deployment pipeline'
+
+Parameters:
+  DeploymentUserName:
+    Type: String
+    Default: 'frigg-deployment-user'
+    Description: 'Name for the IAM user that will deploy Frigg applications'
+  
+  EnableVPCSupport:
+    Type: String
+    Default: 'true'
+    AllowedValues: ['true', 'false']
+    Description: 'Enable VPC-related permissions for Frigg applications'
+  
+  EnableKMSSupport:
+    Type: String
+    Default: 'true'
+    AllowedValues: ['true', 'false']
+    Description: 'Enable KMS encryption permissions for Frigg applications'
+  
+  EnableSSMSupport:
+    Type: String
+    Default: 'true'
+    AllowedValues: ['true', 'false']
+    Description: 'Enable SSM Parameter Store permissions for Frigg applications'
+
+Conditions:
+  CreateVPCPermissions: !Equals [!Ref EnableVPCSupport, 'true']
+  CreateKMSPermissions: !Equals [!Ref EnableKMSSupport, 'true']
+  CreateSSMPermissions: !Equals [!Ref EnableSSMSupport, 'true']
+
+Resources:
+  # IAM User for deployment
+  FriggDeploymentUser:
+    Type: AWS::IAM::User
+    Properties:
+      UserName: !Ref DeploymentUserName
+      ManagedPolicyArns:
+        - !Ref FriggDiscoveryPolicy
+        - !Ref FriggCoreDeploymentPolicy
+        - !If [CreateVPCPermissions, !Ref FriggVPCPolicy, !Ref 'AWS::NoValue']
+        - !If [CreateKMSPermissions, !Ref FriggKMSPolicy, !Ref 'AWS::NoValue']
+        - !If [CreateSSMPermissions, !Ref FriggSSMPolicy, !Ref 'AWS::NoValue']
+
+  # Access key for the deployment user
+  FriggDeploymentAccessKey:
+    Type: AWS::IAM::AccessKey
+    Properties:
+      UserName: !Ref FriggDeploymentUser
+
+  # Discovery-time permissions (required for build process)
+  FriggDiscoveryPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: 'FriggDiscoveryPolicy'
+      Description: 'Permissions for AWS resource discovery during Frigg build process'
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: 'AWSDiscoveryPermissions'
+            Effect: Allow
+            Action:
+              - 'sts:GetCallerIdentity'
+              - 'ec2:DescribeVpcs'
+              - 'ec2:DescribeSubnets'
+              - 'ec2:DescribeSecurityGroups'
+              - 'ec2:DescribeRouteTables'
+              - 'kms:ListKeys'
+              - 'kms:DescribeKey'
+            Resource: '*'
+
+  # Core deployment permissions
+  FriggCoreDeploymentPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: 'FriggCoreDeploymentPolicy'
+      Description: 'Core permissions for deploying Frigg applications'
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          # CloudFormation permissions
+          - Sid: 'CloudFormationFriggStacks'
+            Effect: Allow
+            Action:
+              - 'cloudformation:CreateStack'
+              - 'cloudformation:UpdateStack'
+              - 'cloudformation:DeleteStack'
+              - 'cloudformation:DescribeStacks'
+              - 'cloudformation:DescribeStackEvents'
+              - 'cloudformation:DescribeStackResources'
+              - 'cloudformation:DescribeStackResource'
+              - 'cloudformation:ListStackResources'
+              - 'cloudformation:GetTemplate'
+              - 'cloudformation:DescribeChangeSet'
+              - 'cloudformation:CreateChangeSet'
+              - 'cloudformation:DeleteChangeSet'
+              - 'cloudformation:ExecuteChangeSet'
+            Resource:
+              - !Sub 'arn:aws:cloudformation:*:${AWS::AccountId}:stack/*frigg*/*'
+          
+          # ValidateTemplate needs to be allowed on all resources
+          - Sid: 'CloudFormationValidateTemplate'
+            Effect: Allow
+            Action:
+              - 'cloudformation:ValidateTemplate'
+            Resource: '*'
+          
+          # S3 deployment bucket permissions
+          - Sid: 'S3DeploymentBucket'
+            Effect: Allow
+            Action:
+              - 's3:CreateBucket'
+              - 's3:PutObject'
+              - 's3:GetObject'
+              - 's3:DeleteObject'
+              - 's3:PutBucketPolicy'
+              - 's3:PutBucketVersioning'
+              - 's3:PutBucketPublicAccessBlock'
+              - 's3:GetBucketLocation'
+              - 's3:ListBucket'
+            Resource:
+              - 'arn:aws:s3:::*serverless*'
+              - 'arn:aws:s3:::*serverless*/*'
+          
+          # Lambda function permissions
+          - Sid: 'LambdaFriggFunctions'
+            Effect: Allow
+            Action:
+              - 'lambda:CreateFunction'
+              - 'lambda:UpdateFunctionCode'
+              - 'lambda:UpdateFunctionConfiguration'
+              - 'lambda:DeleteFunction'
+              - 'lambda:GetFunction'
+              - 'lambda:ListFunctions'
+              - 'lambda:PublishVersion'
+              - 'lambda:CreateAlias'
+              - 'lambda:UpdateAlias'
+              - 'lambda:DeleteAlias'
+              - 'lambda:GetAlias'
+              - 'lambda:AddPermission'
+              - 'lambda:RemovePermission'
+              - 'lambda:GetPolicy'
+              - 'lambda:PutProvisionedConcurrencyConfig'
+              - 'lambda:DeleteProvisionedConcurrencyConfig'
+              - 'lambda:PutConcurrency'
+              - 'lambda:DeleteConcurrency'
+              - 'lambda:TagResource'
+              - 'lambda:UntagResource'
+              - 'lambda:ListVersionsByFunction'
+            Resource:
+              - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:*frigg*'
+          
+          # IAM role permissions
+          - Sid: 'IAMRolesForFriggLambda'
+            Effect: Allow
+            Action:
+              - 'iam:CreateRole'
+              - 'iam:DeleteRole'
+              - 'iam:GetRole'
+              - 'iam:PassRole'
+              - 'iam:PutRolePolicy'
+              - 'iam:DeleteRolePolicy'
+              - 'iam:GetRolePolicy'
+              - 'iam:AttachRolePolicy'
+              - 'iam:DetachRolePolicy'
+              - 'iam:TagRole'
+              - 'iam:UntagRole'
+            Resource:
+              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*frigg*'
+              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*frigg*LambdaRole*'
+          
+          # IAM policy permissions
+          - Sid: 'IAMPolicyVersionPermissions'
+            Effect: Allow
+            Action:
+              - 'iam:ListPolicyVersions'
+            Resource:
+              - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/*'
+          
+          # SQS permissions
+          - Sid: 'FriggMessagingServices'
+            Effect: Allow
+            Action:
+              - 'sqs:CreateQueue'
+              - 'sqs:DeleteQueue'
+              - 'sqs:GetQueueAttributes'
+              - 'sqs:SetQueueAttributes'
+              - 'sqs:GetQueueUrl'
+              - 'sqs:TagQueue'
+              - 'sqs:UntagQueue'
+            Resource:
+              - !Sub 'arn:aws:sqs:*:${AWS::AccountId}:*frigg*'
+              - !Sub 'arn:aws:sqs:*:${AWS::AccountId}:internal-error-queue-*'
+          
+          # SNS permissions
+          - Sid: 'FriggSNSTopics'
+            Effect: Allow
+            Action:
+              - 'sns:CreateTopic'
+              - 'sns:DeleteTopic'
+              - 'sns:GetTopicAttributes'
+              - 'sns:SetTopicAttributes'
+              - 'sns:Subscribe'
+              - 'sns:Unsubscribe'
+              - 'sns:ListSubscriptionsByTopic'
+              - 'sns:TagResource'
+              - 'sns:UntagResource'
+            Resource:
+              - !Sub 'arn:aws:sns:*:${AWS::AccountId}:*frigg*'
+          
+          # CloudWatch and Logs permissions
+          - Sid: 'FriggMonitoringAndLogs'
+            Effect: Allow
+            Action:
+              - 'cloudwatch:PutMetricAlarm'
+              - 'cloudwatch:DeleteAlarms'
+              - 'cloudwatch:DescribeAlarms'
+              - 'logs:CreateLogGroup'
+              - 'logs:CreateLogStream'
+              - 'logs:DeleteLogGroup'
+              - 'logs:DescribeLogGroups'
+              - 'logs:DescribeLogStreams'
+              - 'logs:FilterLogEvents'
+              - 'logs:PutLogEvents'
+              - 'logs:PutRetentionPolicy'
+            Resource:
+              - !Sub 'arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/lambda/*frigg*'
+              - !Sub 'arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/lambda/*frigg*:*'
+              - !Sub 'arn:aws:cloudwatch:*:${AWS::AccountId}:alarm:*frigg*'
+          
+          # API Gateway permissions
+          - Sid: 'FriggAPIGateway'
+            Effect: Allow
+            Action:
+              - 'apigateway:POST'
+              - 'apigateway:PUT'
+              - 'apigateway:DELETE'
+              - 'apigateway:GET'
+              - 'apigateway:PATCH'
+            Resource:
+              - 'arn:aws:apigateway:*::/restapis'
+              - 'arn:aws:apigateway:*::/restapis/*'
+              - 'arn:aws:apigateway:*::/domainnames'
+              - 'arn:aws:apigateway:*::/domainnames/*'
+
+  # VPC-specific permissions
+  FriggVPCPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Condition: CreateVPCPermissions
+    Properties:
+      ManagedPolicyName: 'FriggVPCPolicy'
+      Description: 'VPC-related permissions for Frigg applications'
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: 'FriggVPCEndpointManagement'
+            Effect: Allow
+            Action:
+              - 'ec2:CreateVpcEndpoint'
+              - 'ec2:DeleteVpcEndpoint'
+              - 'ec2:DescribeVpcEndpoints'
+              - 'ec2:ModifyVpcEndpoint'
+              - 'ec2:CreateNatGateway'
+              - 'ec2:DeleteNatGateway'
+              - 'ec2:DescribeNatGateways'
+              - 'ec2:AllocateAddress'
+              - 'ec2:ReleaseAddress'
+              - 'ec2:DescribeAddresses'
+              - 'ec2:CreateRouteTable'
+              - 'ec2:DeleteRouteTable'
+              - 'ec2:DescribeRouteTables'
+              - 'ec2:CreateRoute'
+              - 'ec2:DeleteRoute'
+              - 'ec2:AssociateRouteTable'
+              - 'ec2:DisassociateRouteTable'
+              - 'ec2:CreateSecurityGroup'
+              - 'ec2:DeleteSecurityGroup'
+              - 'ec2:AuthorizeSecurityGroupEgress'
+              - 'ec2:AuthorizeSecurityGroupIngress'
+              - 'ec2:RevokeSecurityGroupEgress'
+              - 'ec2:RevokeSecurityGroupIngress'
+            Resource: '*'
+            Condition:
+              StringLike:
+                'ec2:CreateAction':
+                  - 'CreateVpcEndpoint'
+                  - 'CreateNatGateway'
+                  - 'CreateRouteTable'
+                  - 'CreateRoute'
+                  - 'CreateSecurityGroup'
+
+  # KMS permissions
+  FriggKMSPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Condition: CreateKMSPermissions
+    Properties:
+      ManagedPolicyName: 'FriggKMSPolicy'
+      Description: 'KMS encryption permissions for Frigg applications'
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: 'FriggKMSEncryptionRuntime'
+            Effect: Allow
+            Action:
+              - 'kms:GenerateDataKey'
+              - 'kms:Decrypt'
+            Resource:
+              - !Sub 'arn:aws:kms:*:${AWS::AccountId}:key/*'
+            Condition:
+              StringEquals:
+                'kms:ViaService':
+                  - 'lambda.*.amazonaws.com'
+                  - 's3.*.amazonaws.com'
+
+  # SSM Parameter Store permissions
+  FriggSSMPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Condition: CreateSSMPermissions
+    Properties:
+      ManagedPolicyName: 'FriggSSMPolicy'
+      Description: 'SSM Parameter Store permissions for Frigg applications'
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: 'FriggSSMParameterAccess'
+            Effect: Allow
+            Action:
+              - 'ssm:GetParameter'
+              - 'ssm:GetParameters'
+              - 'ssm:GetParametersByPath'
+            Resource:
+              - !Sub 'arn:aws:ssm:*:${AWS::AccountId}:parameter/*frigg*'
+              - !Sub 'arn:aws:ssm:*:${AWS::AccountId}:parameter/*frigg*/*'
+
+  # Store access key in Secrets Manager
+  FriggDeploymentCredentials:
+    Type: AWS::SecretsManager::Secret
+    Properties:
+      Name: 'frigg-deployment-credentials'
+      Description: 'Access credentials for Frigg deployment user'
+      SecretString: !Sub |
+        {
+          "AccessKeyId": "${FriggDeploymentAccessKey}",
+          "SecretAccessKey": "${FriggDeploymentAccessKey.SecretAccessKey}"
+        }
+
+Outputs:
+  DeploymentUserArn:
+    Description: 'ARN of the Frigg deployment user'
+    Value: !GetAtt FriggDeploymentUser.Arn
+    Export:
+      Name: !Sub '${AWS::StackName}-UserArn'
+  
+  AccessKeyId:
+    Description: 'Access Key ID for the deployment user'
+    Value: !Ref FriggDeploymentAccessKey
+    Export:
+      Name: !Sub '${AWS::StackName}-AccessKeyId'
+  
+  SecretAccessKeyCommand:
+    Description: 'Command to retrieve the secret access key'
+    Value: !Sub |
+      aws secretsmanager get-secret-value --secret-id frigg-deployment-credentials --query SecretString --output text | jq -r .SecretAccessKey
+  
+  CredentialsSecretArn:
+    Description: 'ARN of the secret containing deployment credentials'
+    Value: !Ref FriggDeploymentCredentials
+    Export:
+      Name: !Sub '${AWS::StackName}-CredentialsSecretArn'