codepipeline-access.yaml

AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  ToolsAccountId:
    AllowedPattern: ^[0-9]{12}$
    ConstraintDescription: Must be a valid AWS account ID
    Type: String
    Default: "TOOLS_ACCOUNT_ID"   # Replace with tools account id
  KMSKeyArn:
    Description: ARN of the KMS Key used by CodePipeline
    Type: String
    Default: "KMS_KEY_ARN"        # Replace with key arn as generated by codepipeline-base.yaml

Resources:
  PipelineCrossAccountRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: "PipelineCrossAccountRole"
      AssumeRolePolicyDocument:
        Statement:
        - Action: ["sts:AssumeRole"]
          Effect: Allow
          Principal:
            Service: [codepipeline.amazonaws.com]
        - Action: ["sts:AssumeRole"]
          Effect: Allow
          Principal:
            AWS: !Sub "arn:aws:iam::${ToolsAccountId}:root"
        Version: "2012-10-17"
      Path: /
      Policies:
        - PolicyName: PipelineCrossAccountDeployment
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: "AllowDeployment"
                Action:
                  - "ecs:DescribeServices",
                  - "ecs:DescribeTaskDefinition",
                  - "ecs:DescribeTasks",
                  - "ecs:ListTasks",
                  - "ecs:RegisterTaskDefinition",
                  - "ecs:UpdateService"
                Effect: Allow
                Resource: "*"
              - Action:
                  - "kms:Encrypt"
                  - "kms:Decrypt"
                  - "kms:ReEncrypt*"
                  - "kms:GenerateDataKey*"
                  - "kms:DescribeKey"
                Effect: Allow
                Resource: !Ref KMSKeyArn
                Sid: "AllowKMS"

Outputs:
  PipelineCrossAccountRole:
    Description: Pipeline Cross Account Role
    Value: !GetAtt [PipelineCrossAccountRole, Arn]