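# CloudFormation template: an IAM role that GitHub Actions workflows in
# ${GitHubOrg}/${GitHubRepositoryName} assume through GitHub's OIDC issuer to
# start and observe the project's CodeBuild builds, so no long-lived AWS keys
# have to be stored as GitHub secrets.
Parameters:
  GitHubOrg:
    Type: String
    Default: "aws"
    Description: The GitHub organization to use for the repository.
  GitHubRepositoryName:
    Description: The name of the GitHub repository to create the role template in and to use for the CodeBuild.
    Type: String
    Default: "aws-sdk-java-v2"
  OIDCProviderArn:
    # Leave empty to have this stack create the GitHub OIDC provider. When an
    # existing provider ARN is supplied, this template does not control that
    # provider's ClientIdList, which is why the role's trust policy below
    # checks the token audience itself instead of relying on the provider.
    Description: Arn for the GitHub OIDC Provider.
    Default: ""
    Type: String
  OidcRoleRoleName:
    Description: Name of the role to use for the OIDC provider.
    Default: "aws-sdk-for-java-v2-ci-role"
    Type: String

Conditions:
  # True when no provider ARN was passed in, i.e. the stack must create one.
  CreateOIDCProvider: !Equals
    - !Ref OIDCProviderArn
    - ""

Resources:
  OidcRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref OidcRoleRoleName
      # Trust policy: only the GitHub OIDC issuer may assume this role, and only
      # with a token whose audience is STS and whose subject belongs to the
      # configured repository.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !If
                - CreateOIDCProvider
                - !Ref GithubOidc
                - !Ref OIDCProviderArn
            Condition:
              # Audience check: rejects tokens minted for a different client
              # even if a pre-existing provider lists additional client IDs.
              # "sts.amazonaws.com" matches the ClientIdList of the provider
              # created below.
              StringEquals:
                "token.actions.githubusercontent.com:aud": sts.amazonaws.com
              # Subject check: the trailing "*" admits every ref, environment
              # and event type of the repository (branches, tags, pull-request
              # workflows). Narrow it (e.g. ":ref:refs/heads/main" or
              # ":environment:<name>") if the builds below must not be
              # startable from arbitrary branches or PR-triggered workflows.
              StringLike:
                "token.actions.githubusercontent.com:sub": !Sub repo:${GitHubOrg}/${GitHubRepositoryName}:*
      Policies:
        - PolicyName: !Sub "${AWS::StackName}-OIDC-Policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Start and poll the CI CodeBuild projects, each named by exact
              # ARN -- no wildcard project access.
              # NOTE(review): the JDK21 project is spelled "aws-java-sdk-v2-JDK21"
              # (unlike its siblings) both here and in its log group below;
              # presumably that is the real project name -- verify before
              # "fixing" it, since a rename here would silently deny access.
              - Effect: Allow
                Action:
                  - codebuild:StartBuild
                  - codebuild:BatchGetBuilds
                Resource:
                  - !Sub arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/aws-sdk-java-v2
                  - !Sub arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/aws-sdk-java-v2-JDK11
                  - !Sub arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/aws-sdk-java-v2-JDK17
                  - !Sub arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/aws-java-sdk-v2-JDK21
                  - !Sub arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/aws-sdk-java-v2-JDK8-windows
                  - !Sub arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/aws-sdk-java-v2-native-image-test
                  - !Sub arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/aws-sdk-java-v2-sonar
                  - !Sub arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/aws-sdk-java-v2-endpoints-test
              # Read build output for those same projects only; the log groups
              # mirror the project list above.
              - Effect: Allow
                Action:
                  - logs:GetLogEvents
                Resource:
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/aws-sdk-java-v2:*
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/aws-sdk-java-v2-JDK11:*
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/aws-sdk-java-v2-JDK17:*
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/aws-java-sdk-v2-JDK21:*
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/aws-sdk-java-v2-JDK8-windows:*
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/aws-sdk-java-v2-native-image-test:*
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/aws-sdk-java-v2-sonar:*
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/aws-sdk-java-v2-endpoints-test:*

  # Only created when no OIDCProviderArn was supplied.
  GithubOidc:
    Type: AWS::IAM::OIDCProvider
    Condition: CreateOIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      # Must contain the audience the role's trust policy requires.
      ClientIdList:
        - sts.amazonaws.com
      # NOTE(review): hard-coded TLS certificate thumbprint for the GitHub OIDC
      # issuer. Thumbprints go stale when GitHub rotates its certificate chain;
      # confirm this value is still current (or that AWS validates this issuer
      # without it) before relying on a fresh deployment.
      ThumbprintList:
        - 6938fd4d98bab03faadb97b34396831e3780aea1

Outputs:
  OidcRole:
    Value: !GetAtt OidcRole.Arn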