in workload-account/stacks/cross_account_role_stack/cdk_stack.py [0:0]
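def __init__(self, scope: core.Construct, id: str, source_repo_arn: str, **kwargs) -> None:
    """Create the cross-account role that lets the compliance account pull this workload.

    Args:
        scope: Parent construct the stack is attached to.
        id: Logical id of the stack within ``scope``.
        source_repo_arn: ARN of the CodeCommit repository the role may ``GitPull`` from;
            it is the only resource the attached policy names.
        **kwargs: Forwarded unchanged to the parent stack constructor.
    """
    super().__init__(scope, id, **kwargs)
    #####################################---START---##########################################
    # IAM Role for Cross Account Access to the tools account.
    # The trust policy names the whole compliance account (AccountPrincipal), so any
    # principal in that account that is itself allowed sts:AssumeRole on this role can
    # assume it; no ExternalId or MFA condition is applied on the trust relationship.
    # NOTE(review): role_name is fixed, so the role is a per-account singleton — a second
    # deployment of this stack into the same account would collide on the name.
    cross_account_role = iam.Role(
        self,
        'CrossAccountRole',
        assumed_by=iam.AccountPrincipal(params['COMPLIANCE_ACCOUNT']['AWS_ACCOUNT_ID']),
        description="Cross Account role that allows Security and Compliance accounts to pull terraform workload from tools account",
        role_name='allow-terraform-workload-pull',
    )
    # IAM Policy for cross account role: read-only clone/fetch on the single source repo.
    # The Sid names the action actually granted (codecommit:GitPull) so that the statement
    # reads correctly in the rendered policy document and in access-analysis output.
    cross_account_policy = iam.Policy(
        self,
        'CrossAccountPolicy',
        roles=[cross_account_role],
        statements=[
            iam.PolicyStatement(
                sid='CodeCommitAllowGitPull',
                actions=['codecommit:GitPull'],
                effect=iam.Effect.ALLOW,
                resources=[source_repo_arn],
            ),
        ],
    )
    #####################################---END---##########################################
    ########################### List of Outputs ##########################
    # Exported so the consuming stacks can reference the role ARN by export name.
    core.CfnOutput(
        self,
        'OutCrossAccountRoleArn',
        value=cross_account_role.role_arn,
        description='Cross Account Role ARN',
        export_name='GOLDMINE-CROSS-ACCOUNT-CODE-PULL-ROLE-ARN',
    )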