Migrate Github SES role to CDK

cdk/lib/__snapshots__/identity-gateway.test.ts.snap

@@ -52,7 +52,9 @@ exports[`The IdentityGateway stack matches the snapshot 1`] = `
     },
   },
   "Metadata": {
-    "gu:cdk:constructs": [],
+    "gu:cdk:constructs": [
+      "GuRole",
+    ],
     "gu:cdk:version": "TEST",
   },
   "Parameters": {
@@ -819,28 +821,35 @@ exports[`The IdentityGateway stack matches the snapshot 1`] = `
       },
       "Type": "AWS::CloudWatch::Alarm",
     },
-    "GithubActionsSESSendEmailsRole": {
-      "Condition": "NotIsProd",
+    "GithubActionsSESSendEmailsRole3ACDD4F9": {
       "Properties": {
         "AssumeRolePolicyDocument": {
           "Statement": [
             {
               "Action": "sts:AssumeRoleWithWebIdentity",
               "Condition": {
                 "StringLike": {
-                  "token.actions.githubusercontent.com:sub": {
-                    "Fn::Sub": "repo:guardian/gateway:*",
-                  },
+                  "actions.githubusercontent.com:sub": "repo:guardian/gateway:*",
                 },
               },
               "Effect": "Allow",
               "Principal": {
                 "Federated": {
-                  "Fn::Sub": "arn:aws:iam::\${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com",
+                  "Fn::Join": [
+                    "",
+                    [
+                      "arn:aws:iam::",
+                      {
+                        "Ref": "AWS::AccountId",
+                      },
+                      ":oidc-provider/token.actions.githubusercontent.com",
+                    ],
+                  ],
                 },
               },
             },
           ],
+          "Version": "2012-10-17",
         },
         "Policies": [
           {

cdk/lib/identity-gateway.ts

@@ -2,6 +2,13 @@ import type { GuStackProps } from '@guardian/cdk/lib/constructs/core';
 import { GuStack } from '@guardian/cdk/lib/constructs/core';
 import type { App } from 'aws-cdk-lib';
 import { CfnInclude } from 'aws-cdk-lib/cloudformation-include';
+import { GuRole } from '@guardian/cdk/lib/constructs/iam';
+import {
+	Effect,
+	PolicyDocument,
+	PolicyStatement,
+	WebIdentityPrincipal,
+} from 'aws-cdk-lib/aws-iam';
 
 export class IdentityGateway extends GuStack {
 	constructor(scope: App, id: string, props: GuStackProps) {
@@ -10,5 +17,30 @@ export class IdentityGateway extends GuStack {
 		new CfnInclude(this, 'IdentityGateway', {
 			templateFile: '../cloudformation.yaml',
 		});
+
+		if (['CODE', 'TEST'].includes(props.stage)) {
+			new GuRole(this, 'GithubActionsSESSendEmailsRole', {
+				roleName: 'GithubActionsSESSendEmailsRole',
+				assumedBy: new WebIdentityPrincipal(
+					`arn:aws:iam::${this.account}:oidc-provider/token.actions.githubusercontent.com`,
+					{
+						StringLike: {
+							'actions.githubusercontent.com:sub': 'repo:guardian/gateway:*',
+						},
+					},
+				),
+				inlinePolicies: {
+					SendEmailSES: new PolicyDocument({
+						statements: [
+							new PolicyStatement({
+								actions: ['ses:SendEmail'],
+								resources: ['*'],
+								effect: Effect.ALLOW,
+							}),
+						],
+					}),
+				},
+			});
+		}
 	}
 }

cloudformation.yaml

@@ -191,29 +191,6 @@ Resources:
                   - ssmmessages:OpenControlChannel
                   - ssmmessages:OpenDataChannel
                 Resource: '*'
-  GithubActionsSESSendEmailsRole:
-    Type: AWS::IAM::Role
-    Condition: NotIsProd
-    Properties:
-      RoleName: GithubActionsSESSendEmailsRole
-      AssumeRolePolicyDocument:
-        Statement:
-          - Effect: Allow
-            Action: sts:AssumeRoleWithWebIdentity
-            Principal:
-              Federated: !Sub arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com
-            Condition:
-              StringLike:
-                # All GitHub Actions running from the guardian/gateway repository.
-                token.actions.githubusercontent.com:sub: !Sub repo:guardian/gateway:*
-      Policies:
-        - PolicyName: SendEmailSES
-          PolicyDocument:
-            Version: '2012-10-17'
-            Statement:
-              - Effect: Allow
-                Action: ses:SendEmail
-                Resource: '*'
   AutoScalingGroup:
     Type: AWS::AutoScaling::AutoScalingGroup
     Properties: