@sbkok sbkok commented Sep 22, 2022

Why?

  1. With a recent PR, an attempt was made to restrict the iam:PassRole permissions for the pipeline generator. However, since ADF supports configuring which role to use, this would introduce a breaking change.
  2. The policy in the pipeline management attached to the CloudFormation role does not allow it to DeleteStack or UpdateTerminationProtection, as those were using the RequestTag condition, which is not compatible with these API calls.
  3. Additionally, the iam:TagResource action does not exist.

What?

  1. Reverting to the previous policy of iam:PassRole. The plan is to address this in the next major ADF release.
  2. For the DeleteStack and UpdateTerminationProtection actions, it is updated to use the iam:ResourceTag condition instead.
  3. The iam:TagResource action was replaced with the iam:TagPolicy and iam:TagRole actions.

By submitting this pull request, I confirm that you can use, modify, copy, and
redistribute this contribution, under the terms of your choice.

**Why?**

With a recent PR, an attempt was made to restrict the `iam:PassRole`
permissions for the pipeline generator. However, since ADF supports configuring
which role to use, this would introduce a breaking change.

**What?**

Reverting to the previous policy of `iam:PassRole`.

The plan is to address this in the next major ADF release.

**Why?**

The policy in the pipeline management attached to the CloudFormation role
does not allow it to DeleteStack or UpdateTerminationProtection,
as those were using the RequestTag condition, which is not compatible
with these API calls.

Additionally, the `iam:TagResource` action does not exist.

**What?**

For the `DeleteStack` and `UpdateTerminationProtection` actions, it is
updated to use the `iam:ResourceTag` condition instead.

The `iam:TagResource` action was replaced with the `iam:TagPolicy` and
`iam:TagRole` actions.
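The RequestTag-versus-ResourceTag point in the PR description and the second commit message is easy to get wrong in any IAM policy, so here is a small model of how IAM evaluates the two condition keys. This is an added example, not code from the PR or from ADF: it uses the global condition keys `aws:RequestTag/<key>` and `aws:ResourceTag/<key>`, a constructed tag `createdBy=adf-example` (ADF's real tag key and value are not shown on the page), and models only the `StringEquals` operator. A `DeleteStack` or `UpdateTerminationProtection` call carries no tags, so a `RequestTag` condition on those actions can never match; a `ResourceTag` condition is checked against the tags already on the stack, which is what the fix switches to. A `CreateStack` statement is included for contrast, since there `RequestTag` is the correct key.

```python
"""Toy model of IAM condition-key evaluation for RequestTag vs. ResourceTag.

Added example, not ADF code. Only the StringEquals operator is modelled,
and the request context is reduced to the tag-related keys.
"""
from typing import Dict, Optional

# Constructed tag for the example; not ADF's real tag key/value.
TAG_KEY, TAG_VALUE = "createdBy", "adf-example"

# Statement as it was before the fix: the tag check uses aws:RequestTag.
# DeleteStack and UpdateTerminationProtection never carry tags in the
# request, so this condition cannot be satisfied for them.
BEFORE = {
    "Effect": "Allow",
    "Action": [
        "cloudformation:DeleteStack",
        "cloudformation:UpdateTerminationProtection",
    ],
    "Resource": "*",
    "Condition": {"StringEquals": {f"aws:RequestTag/{TAG_KEY}": TAG_VALUE}},
}

# Statement after the fix: the condition looks at the existing stack's tags.
AFTER = {
    **BEFORE,
    "Condition": {"StringEquals": {f"aws:ResourceTag/{TAG_KEY}": TAG_VALUE}},
}

# For contrast: on CreateStack the tags arrive with the request and the
# stack does not exist yet, so aws:RequestTag is the right key there.
CREATE = {
    "Effect": "Allow",
    "Action": ["cloudformation:CreateStack"],
    "Resource": "*",
    "Condition": {"StringEquals": {f"aws:RequestTag/{TAG_KEY}": TAG_VALUE}},
}

# CloudFormation calls that accept a Tags parameter (subset, for the model).
ACTIONS_WITH_REQUEST_TAGS = {
    "cloudformation:CreateStack",
    "cloudformation:UpdateStack",
}


def build_context(action: str, stack_tags: Dict[str, str],
                  request_tags: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Request context as IAM would populate it.

    aws:ResourceTag/* keys come from the existing resource; aws:RequestTag/*
    keys are present only when the API call itself carries tags.
    """
    ctx = {f"aws:ResourceTag/{k}": v for k, v in stack_tags.items()}
    if action in ACTIONS_WITH_REQUEST_TAGS and request_tags:
        ctx.update({f"aws:RequestTag/{k}": v for k, v in request_tags.items()})
    return ctx


def statement_allows(stmt: dict, action: str, ctx: Dict[str, str]) -> bool:
    """True if this single Allow statement matches the action and its conditions."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if stmt["Effect"] != "Allow" or action not in actions:
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            # A key that is absent from the context makes StringEquals fail,
            # which is exactly why RequestTag breaks DeleteStack.
            if ctx.get(key) != expected:
                return False
    return True


def allowed(stmt: dict, action: str, stack_tags: Dict[str, str],
            request_tags: Optional[Dict[str, str]] = None) -> bool:
    """Evaluate one statement for an action against a stack's tags and request tags."""
    return statement_allows(stmt, action, build_context(action, stack_tags, request_tags))


if __name__ == "__main__":
    adf_stack = {TAG_KEY: TAG_VALUE}
    for name, stmt in (("before", BEFORE), ("after", AFTER)):
        print(f"{name}: DeleteStack on tagged stack ->",
              allowed(stmt, "cloudformation:DeleteStack", adf_stack))
    print("after: DeleteStack on untagged stack ->",
          allowed(AFTER, "cloudformation:DeleteStack", {}))
    print("CreateStack with matching request tags ->",
          allowed(CREATE, "cloudformation:CreateStack", {}, adf_stack))
```

The model deliberately drops request tags for actions that do not accept a `Tags` parameter, so passing tags to `DeleteStack` changes nothing; that mirrors the real behaviour the PR is correcting, where the pipeline's CloudFormation role was denied `DeleteStack` on stacks it had itself tagged.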
@sbkok sbkok added the bug Something isn't working label Sep 22, 2022
@sbkok sbkok added this to the v3.2.0 milestone Sep 22, 2022
@sbkok sbkok merged commit 788d140 into awslabs:master Sep 23, 2022
@sbkok sbkok deleted the fix/pipeline-generation-policies branch September 23, 2022 12:31