WebGoat/platformQuickStarts/AWS/codepipelinebuild/01_IAM_codepipeline.json

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "IAM Role for Code Pipeline WebGoat IaaS Quickstart",
    "Parameters": {
        "qsS3BucketName": {
            "Description": "Name of the S3 Bucket for artifacts",
            "Type": "String",
            "MinLength": "1"
        },
        "qsRoleName": {
            "Description": "Name of the IAM role that CodePipeline Will Use",
            "Type": "String",
            "Default": "SimpleCodePipelineRole",
            "MinLength": "1"
        }
    },
    "Resources": {
        "qsCodePipelineRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "codepipeline.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
                },
                "Path": "/webgoat/",
                "RoleName": {
                    "Ref": "qsRoleName"
                },
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/AWSCodeCommitFullAccess",
                    "arn:aws:iam::aws:policy/AWSCodeBuildDeveloperAccess",
                    "arn:aws:iam::aws:policy/AWSCodeDeployDeployerAccess"
                ],
                "Policies": [
                    {
                        "PolicyName": "CloudWatchLogsPipeline",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Effect": "Allow",
                                    "Resource": [
                                       {"Fn::Join": [ "",["arn:aws:logs:*:", { "Ref": "AWS::AccountId"  }, ":log-group:/aws/*"  ]    ]}
                                    ],
                                    "Action": [
                                        "logs:CreateLogGroup",
                                        "logs:CreateLogStream",
                                        "logs:PutLogEvents"
                                    ]
                                }
                            ]
                        }
                    },
                    {
                        "PolicyName": "MiscComputeOpen",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Effect": "Allow",
                                    "Resource": "*",
                                    "Action": [
                                        "lambda:InvokeFunction",
                                        "lambda:ListFunctions",
                                        "elasticbeanstalk:*",
                                        "ec2:*",
                                        "elasticloadbalancing:*",
                                        "autoscaling:*",
                                        "cloudwatch:*",
                                        "s3:*",
                                        "sns:*",
                                        "cloudformation:*",
                                        "rds:*",
                                        "sqs:*",
                                        "ecs:*",
                                        "iam:PassRole"
                                    ]
                                }
                            ]
                        }
                    },
                    {
                        "PolicyName": "S3buckets",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Effect": "Allow",
                                    "Resource": [
                                        {
                                            "Fn::Join": [
                                                "",
                                                [
                                                    "arn:aws:s3:::",
                                                    {
                                                        "Ref": "qsS3BucketName"
                                                    },
                                                    "*"
                                                ]
                                            ]
                                        },
                                        "arn:aws:s3:::codepipeline-*",
                                        "arn:aws:s3:::elasticbeanstalk*"
                                    ],
                                    "Action": [
                                        "s3:Put*",
                                        "s3:Get*",
                                        "s3:List*"
                                    ]
                                }
                            ]
                        }
                    }
                ]
            }
        }
    }
}