Merge pull request #5 from egut/aws

Fixed permissions and parameters
egut · Feb 23, 2025 · 430ab27 · 430ab27
2 parents fed617e + 71fa9e3
commit 430ab27
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 25 deletions.
diff --git a/.github/workflows/deploy-s3.yml b/.github/workflows/deploy-s3.yml
@@ -18,7 +18,7 @@ permissions:
   contents: 'read'
 
 jobs:
-  deploy:
+  deploy-s3-buckets:
     runs-on: 'ubuntu-latest'
     if: "${{ github.event.workflow_run.conclusion == 'success' }}"
     steps:
@@ -45,5 +45,5 @@ jobs:
           name: '${{ env.BUCKET_STACK_NAME }}'
           template: 'aws/cloudformation/s3-bucket.yml'
           parameter-overrides: |
-            AccessLogsStackName=${{ env.USE_LOG_BUCKET == 'true' && env.LOG_STACK_NAME || 'no-set' }}
+            AccessLogsBucket=${{ env.USE_LOG_BUCKET == 'true' && env.LOG_STACK_NAME || 'no-set' }}
           no-fail-on-empty-changeset: '1'
diff --git a/aws/cloudformation/pre-github-connection.yml b/aws/cloudformation/pre-github-connection.yml
@@ -101,45 +101,27 @@ Resources:
           - Effect: 'Allow'
             Action:
               - 'cloudformation:CreateStack'
-              - 'cloudformation:UpdateStack'
               - 'cloudformation:DeleteStack'
-              - 'cloudformation:DescribeStacks'
               - 'cloudformation:DescribeStackEvents'
               - 'cloudformation:DescribeStackResource'
               - 'cloudformation:DescribeStackResources'
+              - 'cloudformation:DescribeStacks'
+              - 'cloudformation:UpdateStack'
             Resource: !Sub
               'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${StackNamePrefix}-*/*'
 
           - Effect: 'Allow'
             Action:
-              - 'cloudformation:ListStacks'
               - 'cloudformation:DescribeStacks'
               - 'cloudformation:ListStackResources'
+              - 'cloudformation:ListStacks'
             Resource: '*'
 
+          # All S3 actions for resources with the stack prefix
           - Effect: 'Allow'
-            Action:
-              - 's3:CreateBucket'
-              - 's3:DeleteBucket'
-              - 's3:PutBucketPolicy'
-              - 's3:DeleteBucketPolicy'
-              - 's3:GetBucketPolicy'
-              - 's3:PutBucketVersioning'
-              - 's3:GetBucketVersioning'
-              - 's3:PutBucketPublicAccessBlock'
-              - 's3:GetBucketPublicAccessBlock'
-              - 's3:PutBucketLogging'
-              - 's3:GetBucketLogging'
-              - 's3:PutLifecycleConfiguration'
-              - 's3:GetLifecycleConfiguration'
+            Action: 's3:*'
             Resource:
               - !Sub 'arn:${AWS::Partition}:s3:::${StackNamePrefix}-*'
-            Condition:
-              StringEquals:
-                'aws:CalledVia': ['cloudformation.amazonaws.com']
-              StringLike:
-                'aws:CalledViaFirst': 'cloudformation.amazonaws.com'
-                'aws:ResourceTag/aws:cloudformation:stack-name': !Sub '${StackNamePrefix}-*'
 
           - Effect: 'Allow'
             NotAction: