add events permissions to default template and create new without eve…

.github/workflows/workflow.cli.yml

@@ -54,13 +54,13 @@ jobs:
         SOURCE_DIR: 'aws_safe_onboarding_template'
         DEST_DIR: 'terraform-redactor'
         AWS_S3_BUCKET: ${{ env.S3_BUCKET_CLI }}
-    - name: Upload AWS Eventdriven Boarding Template
+    - name: Upload AWS Fetching Template without events permissions
       uses: jakejarvis/s3-sync-action@master
       with:
         args: --acl public-read --follow-symlinks --exclude='*' --include='template.yml'
       env:
-        SOURCE_DIR: 'aws_fetching_with_events_permissions_template'
-        DEST_DIR: 'event-driven'
+        SOURCE_DIR: 'aws_fetching_readonly_template'
+        DEST_DIR: 'no-event-driven'
         AWS_S3_BUCKET: ${{ env.S3_BUCKET_CLI }}
     - name: Upload AWS Eventdriven Boarding Exist Integration Template
       uses: jakejarvis/s3-sync-action@master

aws_fetching_with_events_permissions_template/template.yml → aws_fetching_readonly_template/template.yml

@@ -184,52 +184,6 @@ Resources:
               - !Join ['/', [!Join ['-', ['arn:aws:s3:::aws-emr-resources', !Ref 'AWS::AccountId', '*']], '*']]
               - !Join ['', ['arn:aws:s3:::*/', !Ref 'AWS::AccountId', '*ConfigSnapshot*.json.gz']]
 
-  InvokeFireflyEventBusPolicy:
-    Type: 'AWS::IAM::ManagedPolicy'
-    Properties:
-      PolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          - Effect: Allow
-            Action:
-              - 'events:PutEvents'
-            Resource:
-              - !Join [ ':', [ 'arn:aws:events:us-east-1', !FindInMap [ FireflyEnvironment, env, organizationID ], 'event-bus/prod-stablefly-event-bus' ] ]
-
-  InvokeFireflyEventBusRole:
-      Type: 'AWS::IAM::Role'
-      Properties:
-        RoleName: 'invoke-firefly-remote-event-bus'
-        AssumeRolePolicyDocument:
-          Version: 2012-10-17
-          Statement:
-            - Action: 'sts:AssumeRole'
-              Effect: Allow
-              Principal:
-                Service: "events.amazonaws.com"
-        ManagedPolicyArns:
-          - !Ref InvokeFireflyEventBusPolicy
-
-  EventbridgePermissions:
-    Type: 'AWS::IAM::ManagedPolicy'
-    Properties:
-      PolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          - Effect: Allow
-            Action:
-              - 'events:*'
-            Resource:
-              - !Join [ ':', [ 'arn:aws:events:*', !Ref 'AWS::AccountId', 'rule/firefly-events-*' ] ]
-
-          - Effect: Allow
-            Action:
-              - 'iam:PassRole'
-            Resource:
-              - !Join [ ':', [ 'arn:aws:iam:', !Ref 'AWS::AccountId', 'role/invoke-firefly-remote-event-bus'] ]
-            Condition:
-              StringEquals:
-                "iam:PassedToService": "events.amazonaws.com"
 
   FireflyCrossAccountAccessRole:
     Type: 'AWS::IAM::Role'
@@ -257,7 +211,6 @@ Resources:
         - 'arn:aws:iam::aws:policy/ReadOnlyAccess'
         - !Ref FireflyReadonlyDenylist
         - !Ref S3SpecificWritePermission
-        - !Ref EventbridgePermissions
 Outputs:
   RoleARN:
     Description: >-
@@ -266,12 +219,6 @@ Outputs:
     Value: !GetAtt
       - FireflyCrossAccountAccessRole
       - Arn
-  EventsRoleARN:
-    Description: >-
-      Access role ARN to invoke firefly event bus
-    Value: !GetAtt
-      - InvokeFireflyEventBusRole
-      - Arn
   ExternalID:
     Description: ExternalID to share with Firefly
     Value: !Ref ExternalID

aws_fetching_template/config_template.yml

@@ -163,7 +163,7 @@ Resources:
             Resource:
               - '*'
 
-  S3SpecificWritePermission:
+  S3Permissions:
     Type: 'AWS::IAM::ManagedPolicy'
     Properties:
       PolicyDocument:
@@ -183,8 +183,59 @@ Resources:
               - 'arn:aws:s3:::elasticbeanstalk-*/*'
               - !Join ['/', [!Join ['-', ['arn:aws:s3:::aws-emr-resources', !Ref 'AWS::AccountId', '*']], '*']]
               - !Join ['', ['arn:aws:s3:::*/', !Ref 'AWS::AccountId', '*ConfigSnapshot*.json.gz']]
-
-
+
+          - Effect: Allow
+              Action:
+                - 's3:PutBucketNotification'
+              Resource: "arn:aws:s3:::*"
+
+  InvokeFireflyEventBusPolicy:
+    Type: 'AWS::IAM::ManagedPolicy'
+    Properties:
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action:
+              - 'events:PutEvents'
+            Resource:
+              - !Join [ ':', [ 'arn:aws:events:us-east-1', !FindInMap [ FireflyEnvironment, env, organizationID ], 'event-bus/prod-stablefly-event-bus' ] ]
+
+  InvokeFireflyEventBusRole:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      RoleName: 'invoke-firefly-remote-event-bus'
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Action: 'sts:AssumeRole'
+            Effect: Allow
+            Principal:
+              Service: "events.amazonaws.com"
+      ManagedPolicyArns:
+        - !Ref InvokeFireflyEventBusPolicy
+
+  EventbridgePermissions:
+    Type: 'AWS::IAM::ManagedPolicy'
+    Properties:
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action:
+              - 'events:*'
+            Resource:
+              - !Join [ ':', [ 'arn:aws:events:*', !Ref 'AWS::AccountId', 'rule/firefly-events-*' ] ]
+
+          - Effect: Allow
+            Action:
+              - 'iam:PassRole'
+            Resource:
+              - !Join [ ':', [ 'arn:aws:iam:', !Ref 'AWS::AccountId', 'role/invoke-firefly-remote-event-bus'] ]
+            Condition:
+              StringEquals:
+                "iam:PassedToService": "events.amazonaws.com"
+
   FireflyCrossAccountAccessRole:
     Type: 'AWS::IAM::Role'
     Properties:
@@ -210,7 +261,8 @@ Resources:
         - 'arn:aws:iam::aws:policy/SecurityAudit'
         - 'arn:aws:iam::aws:policy/ReadOnlyAccess'
         - !Ref FireflyReadonlyDenylist
-        - !Ref S3SpecificWritePermission
+        - !Ref S3Permissions
+        - !Ref EventbridgePermissions
 Outputs:
   RoleARN:
     Description: >-
@@ -219,6 +271,12 @@ Outputs:
     Value: !GetAtt
       - FireflyCrossAccountAccessRole
       - Arn
+  EventsRoleARN:
+    Description: >-
+      Access role ARN to invoke firefly event bus
+    Value: !GetAtt
+      - InvokeFireflyEventBusRole
+      - Arn
   ExternalID:
     Description: ExternalID to share with Firefly
     Value: !Ref ExternalID