/// <summary>
/// Builds the IAM role used by the "WakerUpperBuild" CodeBuild project: a role created through
/// <c>IamUtil.CreateRole</c> for the CodeBuild service principal, plus one inline policy
/// carrying the CloudWatch Logs and S3 object permissions listed below.
/// </summary>
/// <returns>The role returned by <c>IamUtil.CreateRole</c>.</returns>
private Role CreateBuildRole()
        {
            // NOTE(review): AWSCodeBuildAdminAccess is the managed policy meant for people who
            // administer CodeBuild. Attached to the build's own service role it gives every build
            // far more than it needs to run; confirm whether a narrower policy would do.
            Role buildRole = IamUtil.CreateRole(
                "WakerUpperBuild",
                "codebuild.amazonaws.com",
                "arn:aws:iam::aws:policy/AWSCodeBuildAdminAccess");

            // add permissions not covered by the managed policies
            // NOTE(review): Resources = "*" applies the S3 read/write and log actions to every
            // bucket and log group the account exposes to this role. Least privilege here means
            // listing the artifact bucket's object ARN and the project's log group ARN instead.
            var extraStatement = new GetPolicyDocumentStatementArgs
            {
                Resources = { "*" },
                Actions   =
                {
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                    "s3:GetObject",
                    "s3:GetObjectVersion",
                    "s3:PutObject",
                },
            };

            var documentArgs = new GetPolicyDocumentArgs
            {
                Statements = { extraStatement },
            };

            Output<GetPolicyDocumentResult> extraPermissions =
                Output.Create(GetPolicyDocument.InvokeAsync(documentArgs));

            // The inline policy is registered as a side effect of construction; the object itself
            // is not needed afterwards.
            _ = new RolePolicy("WakerUpperBuilder", new RolePolicyArgs
            {
                Role   = buildRole.Id,
                Policy = extraPermissions.Apply(doc => doc.Json),
            });

            return buildRole;
        }
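        /// <summary>
        /// Creates an IAM role that the given AWS service principal may assume and attaches each
        /// supplied managed policy to it.
        /// </summary>
        /// <param name="name">
        /// Pulumi resource name of the role; also the prefix of the attachment resource names.
        /// </param>
        /// <param name="principal">
        /// Service principal placed in the trust policy, e.g. "codebuild.amazonaws.com".
        /// </param>
        /// <param name="managedPolicyArns">
        /// ARNs of the managed policies to attach. May be empty; a null array is treated as empty.
        /// </param>
        /// <returns>The created role.</returns>
        public static Role CreateRole(string name, string principal, params string[] managedPolicyArns)
        {
            // Trust policy: allow the service principal to call sts:AssumeRole on this role.
            // NOTE(review): the statement carries no Condition. Where the target service supports
            // them, aws:SourceAccount / aws:SourceArn conditions limit which resources can make the
            // service assume this role (confused-deputy protection). Confirm per caller.
            Output <GetPolicyDocumentResult> policyDocument = Output.Create(GetPolicyDocument.InvokeAsync(new GetPolicyDocumentArgs
            {
                Statements =
                {
                    new GetPolicyDocumentStatementArgs
                    {
                        Actions    = { "sts:AssumeRole" },
                        Principals =
                        {
                            new GetPolicyDocumentStatementPrincipalArgs
                            {
                                Type        = "Service",
                                Identifiers = { principal },
                            }
                        }
                    }
                }
            }));

            Role role = new Role(name, new RoleArgs
            {
                AssumeRolePolicy = policyDocument.Apply(p => p.Json),
                Path             = "/",
            });

            if (managedPolicyArns != null)
            {
                for (int i = 0; i < managedPolicyArns.Length; i++)
                {
                    // Every Pulumi resource of one type needs a unique name. The original gave all
                    // attachments the same "{name}Attachment" name, so a second managed policy
                    // failed as a duplicate resource. The first attachment keeps the old name so
                    // existing single-policy stacks are not replaced; later ones get a numeric
                    // suffix. Names are positional, so reordering the ARNs recreates attachments.
                    string attachmentName = i == 0
                        ? $"{name}Attachment"
                        : $"{name}Attachment{i + 1}";

                    // Registered as a side effect of construction; the object is not needed.
                    _ = new RolePolicyAttachment(attachmentName, new RolePolicyAttachmentArgs
                    {
                        Role      = role.Name,
                        PolicyArn = managedPolicyArns[i],
                    });
                }
            }

            return role;
        }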