in lib/iam/iam.ts [30:90]
/**
 * Pipeline execution role assumable by CodeBuild and CodePipeline.
 *
 * Attaches, in this order: the `AWSServiceCatalogAdminFullAccess` managed
 * policy; an inline ALLOW for `codebuild:StartBuild`, `codebuild:BatchGetBuilds`
 * and `Lambda:List*` on any resource; `lambda:Invoke*` on `props.lambdaarn`;
 * `sts:AssumeRole` on `props.crossAccountRoleArn`; and object/bucket access on
 * the two `sc-*` buckets suffixed with `props.accountNumber`.
 *
 * @param scope - parent construct
 * @param name  - construct id
 * @param props - role name plus the ARNs and account number the inline statements are scoped to
 */
constructor(scope: Construct, name: string, props: role_details) {
  super(scope, name, {
    roleName: props.roleName,
    assumedBy: new iam.CompositePrincipal(
      new iam.ServicePrincipal('codebuild.amazonaws.com'),
      new iam.ServicePrincipal('codepipeline.amazonaws.com'),
    ),
  });

  // Small factory so every ALLOW statement below is built the same way;
  // each call yields a fresh PolicyStatement.
  const allow = (actions: string[], resources: string[]): iam.PolicyStatement =>
    new iam.PolicyStatement({ effect: iam.Effect.ALLOW, actions, resources });

  const bucketArn = `arn:aws:s3:::sc-bucket-${props.accountNumber}`;
  const catalogBucketArn = `arn:aws:s3:::sc-service-catalog-bucket-${props.accountNumber}`;

  // NOTE(review): a *FullAccess managed policy grants far more than the inline
  // statements below — confirm this breadth is intended for a pipeline role.
  this.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName('AWSServiceCatalogAdminFullAccess'));

  // NOTE(review): resource "*" here; worth narrowing to the build projects this
  // role drives once they are known. The "Lambda:" prefix casing differs from
  // the "lambda:" used in the next statement and is kept verbatim.
  this.addToPolicy(allow(['codebuild:StartBuild', 'codebuild:BatchGetBuilds', 'Lambda:List*'], ['*']));

  // Invocation is scoped to the single function ARN supplied by the caller.
  this.addToPolicy(allow(['lambda:Invoke*'], [props.lambdaarn]));

  // Cross-account hop is limited to the one role ARN supplied by the caller.
  this.addToPolicy(allow(['sts:AssumeRole'], [props.crossAccountRoleArn]));

  // Bucket-level (ListBucket, GetBucketVersioning) and object-level actions share
  // one statement, so both the bucket ARN and its "/*" object ARN are listed.
  this.addToPolicy(allow(
    ['s3:PutObject', 's3:ListBucket', 's3:GetObject', 's3:GetObjectVersion', 's3:GetBucketVersioning'],
    [bucketArn, `${bucketArn}/*`, `${catalogBucketArn}/*`, catalogBucketArn],
  ));
}