Merge branch 'master' into m-plfm-8102-use-cdk-bootstrap-role

Author: xschildw

org-formation/300-account-defaults/_tasks.yaml

@@ -55,3 +55,13 @@ ItKmsKey:
     IncludeMasterAccount: true
     Account: '*'
     Region: !Ref primaryRegion
+
+BedrockAgentRole:
+  Type: update-stacks
+  Template: ./bedrock-agent-role.yaml
+  StackName: bedrock-agent-role
+  DefaultOrganizationBindingRegion: !Ref primaryRegion
+  DefaultOrganizationBinding:
+    IncludeMasterAccount: false
+    Account: '*'
+    Region: !Ref primaryRegion

org-formation/300-account-defaults/bedrock-agent-role.yaml

@@ -0,0 +1,36 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Enables executing a Bedrock model
+
+Resources:
+# https://docs.aws.amazon.com/bedrock/latest/userguide/agents-permissions.html
+  bedrockAgentRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: bedrock.amazonaws.com
+            Action: sts:AssumeRole
+            Condition:
+              StringEquals:
+                aws:SourceAccount: !Ref AWS::AccountId
+              ArnLike:
+                aws:SourceArn: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:agent/*"
+      Policies:
+        - PolicyName: bedrockAgentPolicy
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action: "bedrock:InvokeModel"
+                Resource:
+                  - !Sub "arn:aws:bedrock:${AWS::Region}::foundation-model/*"
+
+Outputs:
+  BedrockAgentRoleArn:
+    Description: The ARN of the Bedrock Agent Role
+    Value: !GetAtt bedrockAgentRole.Arn
+    Export:
+      Name: !Sub '${AWS::StackName}-BedrockAgentRoleArn'

org-formation/600-access/_tasks.yaml

@@ -388,3 +388,32 @@ SynapseAthenaUserAccessPolicy:
         ]
       }
     PolicyName: SynapseAthenaUserAccessPolicy
+
+#   https://stackoverflow.com/questions/58125181/cloud-formation-cant-upload-template-file
+SynapseLlmDeveloperPolicy:
+  Type: update-stacks
+  Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.5.1/templates/IAM/managed-policy.yaml
+  StackName: synapsellm-developer-policy
+  DefaultOrganizationBinding:
+    IncludeMasterAccount: true
+    Account:
+      - !Ref SynapseLlmProdAccount
+    Region: !Ref primaryRegion
+  Parameters:
+    PolicyDocument: >-
+      {
+        "Version": "2012-10-17",
+        "Statement": [
+          {
+            "Effect": "Allow",
+            "Action": "s3:*",
+            "Resource": "arn:aws:s3:::cf-template*"
+          },
+          {
+            "Effect": "Allow",
+            "Action": "iam:PassRole",
+            "Resource": "*"
+          }
+        ]
+      }
+    PolicyName: SynapseLlmDeveloperPolicy

org-formation/650-identity-providers/_tasks.yaml

@@ -122,6 +122,28 @@ GithubOidcSageBionetworksSchematicInfra:
       - !Ref DCAProdAccount
     Region: us-east-1
 
+GithubOidcSageBionetworksItSchematicInfraV2:
+  Type: update-stacks
+  DependsOn: GithubOidcSageBionetworks
+  Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.7.6/templates/IAM/github-oidc-provider.j2
+  StackName: !Sub ${resourcePrefix}-${appName}-sage-bionetworks-it-schematic-infra-v2
+  Parameters:
+    ProviderArn: !CopyValue [ !Sub '${resourcePrefix}-${appName}-ProviderArn' ]
+    ProviderRoleName: !Sub ${resourcePrefix}-${appName}-sage-bionetworks-it-schematic-infra-v2
+    ManagedPolicyArns:
+      - "arn:aws:iam::aws:policy/AdministratorAccess"
+      - "arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser"
+  TemplatingContext:
+    GitHubOrg: "Sage-Bionetworks-IT"
+    Repositories:
+      - name: "schematic-infra-v2"
+        branches: ["dev", "stage", "prod"]
+  DefaultOrganizationBinding:
+    Account:
+      - !Ref DnTDevAccount
+      - !Ref DCAProdAccount
+    Region: us-east-1
+
 GithubOidcSageBionetworksSynapseDockerRegistry:
   Type: update-stacks
   DependsOn: GithubOidcSageBionetworks
@@ -782,6 +804,29 @@ GithubOidcAgoraInfraDeploy:
       - !Ref AgoraProdAccount
     Region: us-east-1
 
+GithubOidcAgoraInfraV3:
+  Type: update-stacks
+  DependsOn: GithubOidcSageBionetworks
+  Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.7.6/templates/IAM/github-oidc-provider.j2
+  StackName: !Sub ${resourcePrefix}-${appName}-agora-infra-v3
+  Parameters:
+    ProviderArn: !CopyValue [ !Sub '${resourcePrefix}-${appName}-ProviderArn' ]
+    ProviderRoleName: !Sub ${resourcePrefix}-${appName}-agora-infra-v3
+    MaxSessionDuration: 7200
+    ManagedPolicyArns:
+      - "arn:aws:iam::aws:policy/AdministratorAccess"
+      - "arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser"
+  TemplatingContext:
+    GitHubOrg: "Sage-Bionetworks-IT"
+    Repositories:
+      - name: "agora-infra-v3"
+        branches: ["dev","stage","prod"]
+  DefaultOrganizationBinding:
+    Account:
+      - !Ref AgoraDevAccount
+      - !Ref AgoraProdAccount
+    Region: us-east-1
+
 GithubOidcAgoraEBDeploy:
   Type: update-stacks
   DependsOn: GithubOidcSageBionetworks
@@ -882,9 +927,7 @@ SynapseMonorepoBucketAccessPolicy:
               "Effect": "Allow",
               "Action": [ "s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads" ],
               "Resource": [
-                            "arn:aws:s3:::prod.accounts.sagebionetworks.org",
-                            "arn:aws:s3:::staging.accounts.sagebionetworks.org",
-                            "arn:aws:s3:::dev.accounts.sagebionetworks.org",
+                            "arn:aws:s3:::dev.accounts.synapse.org",
                             "arn:aws:s3:::prod.accounts.synapse.org",
                             "arn:aws:s3:::staging.accounts.synapse.org",
                             "arn:aws:s3:::prod-adknowledgeportalsynapse-org-websitebucket-1wcys549ufmd",
@@ -935,9 +978,7 @@ SynapseMonorepoFileAccessPolicy:
               "Effect": "Allow",
               "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:*Multipart*" ],
               "Resource": [
-                            "arn:aws:s3:::prod.accounts.sagebionetworks.org/*",
-                            "arn:aws:s3:::staging.accounts.sagebionetworks.org/*",
-                            "arn:aws:s3:::dev.accounts.sagebionetworks.org/*",
+                            "arn:aws:s3:::dev.accounts.synapse.org/*",
                             "arn:aws:s3:::prod.accounts.synapse.org/*",
                             "arn:aws:s3:::staging.accounts.synapse.org/*",
                             "arn:aws:s3:::prod-adknowledgeportalsynapse-org-websitebucket-1wcys549ufmd/*",
@@ -1005,8 +1046,6 @@ SynapseMonorepoCloudfrontAccessPolicy:
                             "arn:aws:cloudfront::797640923903:distribution/E10U4765KQQW5P",
                             "arn:aws:cloudfront::797640923903:distribution/E1FILQHG8BTWIL",
                             "arn:aws:cloudfront::797640923903:distribution/E14P60CJ0I6G7Y",
-                            "arn:aws:cloudfront::797640923903:distribution/E2656IE63W1MXI",
-                            "arn:aws:cloudfront::797640923903:distribution/EY52HOUGKDP1F",
                             "arn:aws:cloudfront::797640923903:distribution/E14F656YEGR4P3",
                             "arn:aws:cloudfront::797640923903:distribution/E1CB47ERU70VWV",
                             "arn:aws:cloudfront::797640923903:distribution/E2K9BYXQN2MM76",

org-formation/700-aws-sso/_tasks.yaml

@@ -343,6 +343,10 @@ Parameters:
     Type: String
     Default: '143894c8-1031-70c4-b98a-9d2a9aec59bd'
 
+  MkPreYnAdminGroup:             #JC aws-MkPreYn-admins
+    Type: String
+    Default: 'd4284428-6061-70b8-191c-37e390b2a596'
+
 #----------------------------------------------------------------------------------------------
 
 SsoAdministrator:
@@ -624,7 +628,7 @@ SsoLlmDeveloper:
   Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.7.7/templates/SSO/aws-sso.njk
   TemplatingContext:
     customerManagedPolicies:
-      - Name: !Ref CostExplorerPolicyName
+      - Name: SynapseLlmDeveloperPolicy
   StackName: !Sub '${resourcePrefix}-${appName}-llmdeveloper'
   StackDescription: 'Permission set used by an Large Language Model developer'
   TerminationProtection: false
@@ -639,17 +643,15 @@ SsoLlmDeveloper:
     principalId: !Ref llmDeveloperGroup
     permissionSetName: 'LlmDeveloper'
     managedPolicies:
-      - 'arn:aws:iam::aws:policy/AmazonBedrockFullAccess'
-      - 'arn:aws:iam::aws:policy/AWSCloudFormationFullAccess'
-#   https://stackoverflow.com/questions/58125181/cloud-formation-cant-upload-template-file
+      - 'arn:aws:iam::aws:policy/PowerUserAccess'
     inlinePolicy: >-
       {
           "Version": "2012-10-17",
           "Statement": [
               {
-                  "Effect": "Allow",
-                  "Action": "s3:*",
-                  "Resource": "arn:aws:s3:::cf-template*"
+                  "Effect": "Deny",
+                  "Action": "sts:AssumeRole",
+                  "Resource": "*"
               }
           ]
       }
@@ -1716,6 +1718,23 @@ SsoBWmErzkAdmin:
     principalId: !Ref BWmErzkAdminGroup
     permissionSetArn: !CopyValue [ !Sub '${resourcePrefix}-${appName}-admin-permission-set-arn' ]
 
+SsoMkPreYnAdmin:
+  Type: update-stacks
+  DependsOn: SsoAdministrator
+  Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.2.11/templates/SSO/aws-sso.yaml
+  StackName: !Sub '${resourcePrefix}-${appName}-MkPreYn-admin'
+  StackDescription: 'SSO: admin role used by MkPreYn admin group'
+  DefaultOrganizationBindingRegion: !Ref primaryRegion
+  DefaultOrganizationBinding:
+    IncludeMasterAccount: true
+  OrganizationBindings:
+    TargetBinding:
+      Account: !Ref  MkPreYnAccount
+  Parameters:
+    instanceArn: !Ref instanceArn
+    principalId: !Ref MkPreYnAdminGroup
+    permissionSetArn: !CopyValue [ !Sub '${resourcePrefix}-${appName}-admin-permission-set-arn' ]
+
 SsoRecoverDevAdmin:
   Type: update-stacks
   DependsOn: SsoAdministrator