diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml
index 3e0983c63..dae486463 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml
@@ -688,12 +688,24 @@ Resources:
 Action:
 - cloudformation:CreateStack
 - cloudformation:UpdateStack
- - cloudformation:UpdateTerminationProtection
 Resource:
 - "*"
 Condition:
 StringEquals:
 'aws:RequestTag/createdBy': "ADF"
+ - PolicyName: "adf-deploy-cloudformation-delete"
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - cloudformation:DeleteStack
+ - cloudformation:UpdateTerminationProtection
+ Resource:
+ - "*"
+ Condition:
+ StringEquals:
+ 'aws:ResourceTag/createdBy': "ADF"
 - PolicyName: "adf-deploy-cloudformation-template"
 PolicyDocument:
 Version: "2012-10-17"
@@ -783,6 +795,12 @@ Resources:
 - "iam:PutRolePolicy"
 Resource:
 - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-pipeline-*
+ - Effect: Allow
+ Sid: "AllowPassRole"
+ Action:
+ - "iam:PassRole"
+ Resource:
+ - !Sub arn:${AWS::Partition}:iam::*:role/*
 - Effect: Allow
 Action:
 - "events:PutRule"
@@ -807,7 +825,8 @@ Resources:
 Resource: "*"
 - Effect: Allow
 Action:
- - "iam:TagResource"
+ - "iam:TagPolicy"
+ - "iam:TagRole"
 Resource: "*"
 DeploymentMapProcessingFunction:
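Review bot: The new adf-deploy-cloudformation-delete policy gates DeleteStack and UpdateTerminationProtection on `'aws:ResourceTag/createdBy'` while the statement just above keeps CreateStack/UpdateStack on `'aws:RequestTag/createdBy'`, and nothing in the template says why the two are split, so a later cleanup could fold UpdateTerminationProtection back into the RequestTag statement and silently break it again. I would add a comment above the new PolicyName line: `# Delete and termination-protection changes act on an existing stack, so they must match the stack's own createdBy tag (ResourceTag); CreateStack/UpdateStack check the tag sent in the request instead`. The new statement also keeps `Resource: - "*"`; if ADF only ever deletes stacks in the deployment account, narrowing it to the stack ARN form for `${AWS::AccountId}` would make the tag condition a second line of defence rather than the only one — worth confirming against where these stacks live. The enclosing Policies list starts before this hunk.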
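Review bot: The added AllowPassRole statement grants `iam:PassRole` on `arn:${AWS::Partition}:iam::*:role/*` with no Condition, which lets this role hand any role in any account to any AWS service; that is strictly broader than the neighbouring PutRolePolicy statement, which is scoped to `role/adf-pipeline-*` in `${AWS::AccountId}`, and PassRole is the classic privilege-escalation primitive when left unscoped. Unless cross-account passing is genuinely required here, the Resource should mirror the statement above, `- !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-pipeline-*` (or whichever prefix the roles being passed actually use), and the statement should carry a `Condition` using `iam:PassedToService` limited to the services the generated pipelines pass these roles to — both values need confirming against what the pipeline generator creates, since the diff does not show it. As a point of style, this is the only statement in the visible hunks with a `Sid`; either drop it or give the adjacent statements Sids too. The enclosing Statement list continues beyond this hunk.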
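Review bot: `iam:TagRole` and `iam:TagPolicy` stay on `Resource: "*"`, whereas the role-mutating statement earlier in this diff is scoped to `role/adf-pipeline-*`; since tags are increasingly used as authorization inputs (this same change keys stack deletion on a createdBy tag), tagging any role in the account is more than the pipeline-management function appears to need. I would scope TagRole the same way as PutRolePolicy, `Resource: - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-pipeline-*`, and move TagPolicy into its own statement restricted to the policy ARN pattern ADF creates (`<PROJECT_POLICY_ARN_PATTERN>` — not visible in this diff, so confirm the naming). The enclosing Statement list starts before this hunk.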