Also deploy VPC

egut · Feb 23, 2025 · e736d8d · e736d8d
1 parent 71fa9e3
commit e736d8d
Show file tree

Hide file tree

Showing 5 changed files with 454 additions and 206 deletions.
diff --git a/.github/workflows/aws-deploy.yml b/.github/workflows/aws-deploy.yml
@@ -0,0 +1,91 @@
+---
+name: 'Deploy AWS resources'
+
+on:
+  workflow_run:
+    workflows: ["Static Code Tests"]
+    types:
+      - 'completed'
+    branches: ['main']
+
+  pull_request:
+    branches: [ 'main' ]
+
+env:
+  SERVER_NAME: 'rubik'
+  SERVER_PORT: '25565'
+  STACK_NAME_PREFIX: 'minecraft'
+  USE_LOG_BUCKET: 'true'
+
+permissions:
+  id-token: 'write'
+  contents: 'read'
+
+jobs:
+  deploy-s3-logs-bucket:
+    runs-on: 'ubuntu-latest'
+    if: "${{ github.event.workflow_run.conclusion == 'success' }}"
+    steps:
+      - name: 'Checkout repository'
+        uses: 'actions/checkout@v4'
+
+      - name: 'Configure AWS credentials'
+        uses: 'aws-actions/configure-aws-credentials@v4'
+        with:
+          role-to-assume: '${{ secrets.AWS_ROLE_ARN }}'
+          aws-region: '${{ secrets.AWS_REGION }}'
+
+      - name: 'Deploy Access Logs Bucket'
+        if: "${{ env.USE_LOG_BUCKET == 'true' }}"
+        uses: 'aws-actions/aws-cloudformation-github-deploy@v1'
+        with:
+          name: '${{ env.STACK_NAME_PREFIX }}-${{ env.SERVER_NAME }}-logging'
+          template: 'aws/cloudformation/s3-log-bucket.yml'
+          no-fail-on-empty-changeset: '1'
+
+  deploy-s3-buckets:
+    runs-on: 'ubuntu-latest'
+    needs: 'deploy-s3-logs-bucket'
+    if: "${{ github.event.workflow_run.conclusion == 'success' }}"
+    steps:
+      - name: 'Checkout repository'
+        uses: 'actions/checkout@v4'
+
+      - name: 'Configure AWS credentials'
+        uses: 'aws-actions/configure-aws-credentials@v4'
+        with:
+          role-to-assume: '${{ secrets.AWS_ROLE_ARN }}'
+          aws-region: '${{ secrets.AWS_REGION }}'
+
+      - name: 'Deploy Minecraft Bucket'
+        uses: 'aws-actions/aws-cloudformation-github-deploy@v1'
+        with:
+          name: '${{ env.STACK_NAME_PREFIX }}-${{ env.SERVER_NAME }}-deploy'
+          template: 'aws/cloudformation/s3-bucket.yml'
+          parameter-overrides: |
+            AccessLogsBucket=${{ env.USE_LOG_BUCKET == 'true' && env.LOG_STACK_NAME || 'no-set' }}
+          no-fail-on-empty-changeset: '1'
+
+  deploy-vpc:
+    runs-on: 'ubuntu-latest'
+    if: "${{ github.event.workflow_run.conclusion == 'success' }}"
+    steps:
+      - name: 'Checkout repository'
+        uses: 'actions/checkout@v4'
+
+      - name: 'Configure AWS credentials'
+        uses: 'aws-actions/configure-aws-credentials@v4'
+        with:
+          role-to-assume: '${{ secrets.AWS_ROLE_ARN }}'
+          aws-region: '${{ secrets.AWS_REGION }}'
+
+      - name: 'Deploy VPC'
+        uses: 'aws-actions/aws-cloudformation-github-deploy@v1'
+        with:
+          name: '${{ env.STACK_NAME_PREFIX }}-${{ env.SERVER_NAME }}-vpc'
+          template: 'aws/cloudformation/vpc.yml'
+          parameter-overrides: |
+              VpcCidrBlock=10.0.50.0/24
+              ServerName=${{ env.SERVER_NAME }}
+              MinecraftPort=${{ env.SERVER_PORT }}
+          no-fail-on-empty-changeset: '1'
diff --git a/.github/workflows/deploy-s3.yml b/.github/workflows/deploy-s3.yml
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
diff --git a/aws/cloudformation/pre-github-connection.yml b/aws/cloudformation/pre-github-connection.yml
@@ -98,50 +98,154 @@ Resources:
       PolicyDocument:
         Version: '2012-10-17'
         Statement:
+          # CloudFormation permissions
           - Effect: 'Allow'
             Action:
+              - 'cloudformation:CreateChangeSet'
               - 'cloudformation:CreateStack'
+              - 'cloudformation:DeleteChangeSet'
               - 'cloudformation:DeleteStack'
+              - 'cloudformation:DescribeChangeSet'
               - 'cloudformation:DescribeStackEvents'
               - 'cloudformation:DescribeStackResource'
               - 'cloudformation:DescribeStackResources'
               - 'cloudformation:DescribeStacks'
+              - 'cloudformation:ExecuteChangeSet'
+              - 'cloudformation:GetTemplateSummary'
+              - 'cloudformation:SetStackPolicy'
               - 'cloudformation:UpdateStack'
+              - 'cloudformation:ValidateTemplate'
             Resource: !Sub
               'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${StackNamePrefix}-*/*'
 
+          # Global CloudFormation list/describe permissions
           - Effect: 'Allow'
             Action:
               - 'cloudformation:DescribeStacks'
               - 'cloudformation:ListStackResources'
               - 'cloudformation:ListStacks'
             Resource: '*'
 
-          # All S3 actions for resources with the stack prefix
+          - Effect: 'Allow'
+            NotAction:
+              - 'cloudformation:*'
+            Resource: '*'
+            Condition:
+              StringEquals:
+                'aws:RequestTag/Application': 'Minecraft'
+
+          # S3 permissions
           - Effect: 'Allow'
             Action: 's3:*'
             Resource:
               - !Sub 'arn:${AWS::Partition}:s3:::${StackNamePrefix}-*'
+              - !Sub 'arn:${AWS::Partition}:s3:::${StackNamePrefix}-*/*'
 
+          # VPC/EC2 read-only permissions
           - Effect: 'Allow'
-            NotAction:
-              - 'organizations:*'
-              - 'account:*'
+            Action:
+              - 'ec2:Describe*'
+            Resource: '*'
+
+          # VPC/EC2 write permissions with constraints
+          - Effect: 'Allow'
+            Action:
+              - 'ec2:AllocateAddress'
+              - 'ec2:AssociateAddress'
+              - 'ec2:AssociateRouteTable'
+              - 'ec2:AttachInternetGateway'
+              - 'ec2:CreateInternetGateway'
+              - 'ec2:CreateNatGateway'
+              - 'ec2:CreateRoute'
+              - 'ec2:CreateRouteTable'
+              - 'ec2:CreateSubnet'
+              - 'ec2:CreateTags'
+              - 'ec2:CreateVpc'
+              - 'ec2:DeleteInternetGateway'
+              - 'ec2:DeleteNatGateway'
+              - 'ec2:DeleteRoute'
+              - 'ec2:DeleteRouteTable'
+              - 'ec2:DeleteSubnet'
+              - 'ec2:DeleteTags'
+              - 'ec2:DeleteVpc'
+              - 'ec2:DetachInternetGateway'
+              - 'ec2:DisassociateAddress'
+              - 'ec2:DisassociateRouteTable'
+              - 'ec2:ModifySubnetAttribute'
+              - 'ec2:ModifyVpcAttribute'
+              - 'ec2:ReleaseAddress'
+            Resource: '*'
+            Condition:
+              StringEquals:
+                'aws:CalledVia': ['cloudformation.amazonaws.com']
+              StringLike:
+                'aws:ResourceTag/aws:cloudformation:stack-name':
+                  !Sub '${StackNamePrefix}-*'
+
+          # Allow tagging during resource creation
+          - Effect: 'Allow'
+            Action:
+              - 'ec2:CreateTags'
             Resource: '*'
             Condition:
               StringEquals:
                 'aws:CalledVia': ['cloudformation.amazonaws.com']
+
+          # Allow passing roles to CloudFormation
+          - Effect: 'Allow'
+            Action: 'iam:PassRole'
+            Resource: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${StackNamePrefix}-*'
+            Condition:
+              StringEquals:
+                'iam:PassedToService': 'cloudformation.amazonaws.com'
+
+          # Lambda permissions
+          - Effect: 'Allow'
+            Action:
+              - 'lambda:CreateFunction'
+              - 'lambda:DeleteFunction'
+              - 'lambda:DeleteFunctionConcurrency'
+              - 'lambda:GetFunction'
+              - 'lambda:InvokeFunction'
+              - 'lambda:PutFunctionConcurrency'
+              - 'lambda:UpdateFunctionCode'
+              - 'lambda:UpdateFunctionConfiguration'
+            Resource: !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${StackNamePrefix}-*'
+
+          # IAM permissions for Lambda role
+          - Effect: 'Allow'
+            Action:
+              - 'iam:CreateRole'
+              - 'iam:DeleteRole'
+              - 'iam:GetRole'
+              - 'iam:PutRolePolicy'
+              - 'iam:DeleteRolePolicy'
+              - 'iam:AttachRolePolicy'
+              - 'iam:DetachRolePolicy'
+            Resource: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${StackNamePrefix}-*'
+            Condition:
+              StringEquals:
+                'aws:CalledVia': ['cloudformation.amazonaws.com']
+
+          # Allow Lambda to assume role
+          - Effect: 'Allow'
+            Action: 'iam:PassRole'
+            Resource: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${StackNamePrefix}-*'
+            Condition:
               StringLike:
-                'aws:CalledViaFirst': 'cloudformation.amazonaws.com'
-                'aws:ResourceTag/aws:cloudformation:stack-name': !Sub '${StackNamePrefix}-*'
+                'iam:PassedToService': 'lambda.amazonaws.com'
 
           - Effect: 'Allow'
             NotAction:
-              - 'cloudformation:*'
+              - 'organizations:*'
+              - 'account:*'
             Resource: '*'
             Condition:
               StringEquals:
-                'aws:RequestTag/Application': 'Minecraft'
+                'aws:CalledVia': ['cloudformation.amazonaws.com']
+              StringLike:
+                'aws:ResourceTag/aws:cloudformation:stack-name':
+                  !Sub '${StackNamePrefix}-*'
 
           - Effect: 'Deny'
             NotAction: