From 63459dfcafdf512484d0206eaecf39aa0b73eeb5 Mon Sep 17 00:00:00 2001
From: sungkkim
Date: Fri, 28 Jan 2022 11:10:25 -0800
Subject: [PATCH] Scope down execution and logging role assume role policy (#860)

---
 src/rpdk/core/data/managed-upload-infrastructure.yaml | 4 ++++
 src/rpdk/core/project.py | 6 +++++-
 src/rpdk/core/templates/resource-role.yml | 7 +++++++
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/rpdk/core/data/managed-upload-infrastructure.yaml b/src/rpdk/core/data/managed-upload-infrastructure.yaml
index 3a383fa29..d2068f9da 100644
--- a/src/rpdk/core/data/managed-upload-infrastructure.yaml
+++ b/src/rpdk/core/data/managed-upload-infrastructure.yaml
@@ -91,6 +91,10 @@ Resources:
 Service:
 - resources.cloudformation.amazonaws.com
 Action: sts:AssumeRole
+Condition:
+StringEquals:
+aws:SourceAccount:
+Ref: AWS::AccountId
 Path: "/"
 Policies:
 - PolicyName: LogAndMetricsDeliveryRolePolicy
diff --git a/src/rpdk/core/project.py b/src/rpdk/core/project.py
index 149615450..318f2744b 100644
--- a/src/rpdk/core/project.py
+++ b/src/rpdk/core/project.py
@@ -163,6 +163,10 @@ def type_name(self, value):
 def hypenated_name(self):
 return "-".join(self.type_info).lower()
 
+@property
+def hyphenated_name_case_sensitive(self):
+return "-".join(self.type_info)
+
 @property
 def schema_filename(self):
 return f"{self.hypenated_name}.json"
@@ -431,7 +435,7 @@ def generate(self):
 permission = "Deny"
 
 contents = template.render(
-type_name=self.hypenated_name,
+type_name=self.hyphenated_name_case_sensitive,
 actions=sorted(actions),
 permission=permission,
 role_session_timeout=role_session_timeout,
diff --git a/src/rpdk/core/templates/resource-role.yml b/src/rpdk/core/templates/resource-role.yml
index d36b5573b..5d1afbeff 100644
--- a/src/rpdk/core/templates/resource-role.yml
+++ b/src/rpdk/core/templates/resource-role.yml
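Review bot: The log delivery role's trust statement gains only an `aws:SourceAccount` condition, whereas the resource-role template in this same commit also pins `aws:SourceArn`; with account-only scoping, CloudFormation acting for any resource type registered in this account can still assume the role, so the intra-account confused-deputy case stays open. If the role is deliberately shared by every type in the account, say so next to the condition, e.g. `# Confused-deputy guard: CloudFormation may assume this role only on behalf of this account; shared by all types here, hence no SourceArn pin`; otherwise a region- and account-scoped `aws:SourceArn` wildcard over the type namespace would be the counterpart of the resource-role change. Because the paste has lost the YAML indentation, also confirm that `Condition:` sits at statement level beside `Action:` rather than nested under `Principal:`, where the policy document would not validate. The statement and role definition continue outside the hunk.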
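Review bot: `hyphenated_name_case_sensitive` has no docstring explaining why a second, case-preserving spelling of the hyphenated type name now sits next to `hypenated_name`, which the same hunk shows lower-casing its result; the reason is visible only in the resource-role.yml hunk, where the value lands in an `aws:SourceArn` condition that must match the registered type name exactly. Add `"""Hyphen-joined type name with its original casing, for ARN-based conditions in generated templates."""` directly under the `def`. The second hunk in this file switches the `type_name` passed to `template.render(` to the case-preserving value; if `resource-role.yml` uses `{{ type_name }}` anywhere other than the new condition (a logical ID or policy name, for instance), that output changes casing too, which is worth checking since only the condition is visible here. Both hunks cut into a class whose definition lies outside them, and `generate` continues past the second hunk.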
@@ -15,6 +15,13 @@ Resources:
 Principal:
 Service: resources.cloudformation.amazonaws.com
 Action: sts:AssumeRole
+Condition:
+StringEquals:
+aws:SourceAccount:
+Ref: AWS::AccountId
+StringLike:
+aws:SourceArn:
+Fn::Sub: arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:type/resource/{{ type_name }}/*
 Path: "/"
 Policies:
 - PolicyName: ResourceTypePolicy
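Review bot: The `aws:SourceArn` match is written with `StringLike` rather than `ArnLike`, the operator AWS documents for ARN conditions; both accept the `*` wildcard, but `StringLike` is a plain case-sensitive character match, so the guard depends entirely on the Jinja-rendered `{{ type_name }}` reproducing the registered type name's casing, which is why the project.py hunk switches `generate` to the case-preserving property. Changing `StringLike:` to `ArnLike:` is a one-line fix; whether CloudFormation supplies `aws:SourceArn` in a form where the two operators behave identically is worth confirming in the service documentation before relying on the string form. A short comment above `Condition:` such as `# Confused-deputy guard: only CloudFormation acting for this account's registration of this type (any version, hence the trailing /*) may assume the role` would record the intent. As with the other YAML hunk, the paste has lost indentation, so confirm `Condition:` is a sibling of `Action:` within the statement, whose definition starts above the hunk.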