in security-and-compliance-account/stacks/cross_account_role_stack/cdk_stack.py [0:0]
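def __init__(self, scope: core.Construct, id: str, source_repo_arn, **kwargs) -> None:
    """Create the cross-account role that lets workload accounts pull compliance code.

    The role is trusted by every account listed under
    ``params['TERRAFORM_APPLICATION_WORKLOAD_ACCOUNTS']`` and is granted only
    ``codecommit:GitPull`` on the single repository named by ``source_repo_arn``.
    The role ARN is exported as a CloudFormation output.

    Args:
        scope: Parent construct.
        id: Construct id of this stack.
        source_repo_arn: ARN of the CodeCommit repository the role may pull from.
            It is used verbatim as the policy resource, so the caller should pass
            a concrete repository ARN rather than a wildcard.
        **kwargs: Forwarded to the stack base class.

    Raises:
        ValueError: if the workload-account list is empty; a role needs at least
            one trusted principal and ``CompositePrincipal`` cannot be built from none.
    """
    super().__init__(scope, id, **kwargs)
    #####################################---START---##########################################
    # Principals allowed to assume the role: one AccountPrincipal per workload account.
    # NOTE(review): an AccountPrincipal trusts the whole account, so any identity in that
    # account that is itself allowed sts:AssumeRole on this role can use it; the
    # fine-grained control lives in the workload account's own IAM policies.
    principal_list = [
        iam.AccountPrincipal(account['AWS_ACCOUNT_ID'])
        for account in params['TERRAFORM_APPLICATION_WORKLOAD_ACCOUNTS']
    ]
    if not principal_list:
        # Fail early with a clear message instead of a construct error inside the CDK.
        raise ValueError(
            "params['TERRAFORM_APPLICATION_WORKLOAD_ACCOUNTS'] must list at least one account"
        )
    # (The former debug print of the principal list was dropped: it only echoed account
    # ids into the synth log.)

    # IAM Role for Cross Account Access to the security and compliance account
    cross_account_role = iam.Role(
        self,
        'CrossAccountRole',
        assumed_by=iam.CompositePrincipal(*principal_list),
        description="Cross Account role that allows application accounts to pull compliance checks from securituy and compliance account",
        role_name='allow-compliance-code-pull',
    )

    # IAM Policy for cross account role: read-only git access to the one source repo.
    # The statement id was renamed from 'KmsAllowKeyUsage', which described a KMS
    # grant this statement never contained, to one that matches the action it allows.
    cross_account_policy = iam.Policy(
        self,
        'CrossAccountPolicy',
        roles=[cross_account_role],
        statements=[
            iam.PolicyStatement(
                sid='AllowCodeCommitGitPull',
                actions=['codecommit:GitPull'],
                effect=iam.Effect.ALLOW,
                resources=[source_repo_arn],
            )
        ],
    )
    #####################################---END---##########################################
    ########################### List of Outputs ##########################
    # Exported so the workload-account stacks can reference the role without hard-coding it.
    core.CfnOutput(
        self,
        'OutCrossAccountRoleArn',
        value=cross_account_role.role_arn,
        description='Cross Account Role ARN',
        export_name='GOLDMINE-CROSS-ACCOUNT-CODE-PULL-ROLE-ARN',
    )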