From e5668e0a1cafd77c4f01c8696d1e5310cc52163e Mon Sep 17 00:00:00 2001
From: Simon Kok
Date: Fri, 27 Jan 2023 18:31:12 +0100
Subject: [PATCH] Fix management account config alias through ADF account management

Issue: #595

**Why?**
The management account alias cannot be configured by the account management state machine, as the cross account access role does not have enough permissions to create, list, or delete the aliases of the management account.

**What?**
The cross account management role that is deployed in the management account if you adopt gets these permissions with this change. It is assumes into the cross-account access role to list, create, and/or delete the aliases. Hence, this change removes those policies from the Lambda function itself. As those are not used and would only apply to the deployment account.
---
 .../bootstrap_repository/adf-build/global.yml | 3 +++
 src/template.yml | 9 ---------
 2 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/global.yml
index 41ed78e70..ec598e675 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/global.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/global.yml
@@ -99,6 +99,9 @@ Resources:
 - Effect: Allow
 Action:
 - cloudformation:ValidateTemplate
+ - iam:CreateAccountAlias
+ - iam:DeleteAccountAlias
+ - iam:ListAccountAliases
 - ssm:PutParameter
 - ssm:GetParameters
 - ssm:GetParameter
diff --git a/src/template.yml b/src/template.yml
index d8d4edd55..73f8c49a7 100644
--- a/src/template.yml
+++ b/src/template.yml
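Review bot: The three `iam:*AccountAlias` actions are appended to an Allow statement whose `Resource` element lies outside the hunk, and these actions are account-level with no resource-level permission support, so the grant only works if that statement's `Resource` is already `"*"`. Because `iam:CreateAccountAlias` and `iam:DeleteAccountAlias` change the sign-in URL for every principal in the account, I would carry them in their own statement with an explicit `Resource: "*"` and a comment tying the grant to the account-management state machine (issue #595), rather than folding them into a mixed cloudformation/ssm statement that a reader may assume is scoped to parameters. The same action is written as `"iam:CreateAccountAlias"` in template.yml but left plain here; both parse as strings, so this is only a consistency nit. The enclosing policy statement starts and ends outside the hunk.
```yaml
        # The iam:*AccountAlias actions are account-wide and do not support
        # resource-level permissions; "*" is the only valid Resource here.
        # Assumed by the account-management state machine to manage the
        # management account alias (issue #595).
        - Sid: ManageAccountAlias
          Effect: Allow
          Action:
            - iam:CreateAccountAlias
            - iam:DeleteAccountAlias
            - iam:ListAccountAliases
          Resource: "*"
        - Effect: Allow
          # … unchanged: cloudformation/ssm actions and their Resource …
```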
@@ -359,15 +359,6 @@ Resources:
 - lambda.amazonaws.com
 Action: "sts:AssumeRole"
 Path: "/aws-deployment-framework/account-management/"
- Policies:
- - PolicyName: "adf-lambda-create-account-alias-policy"
- PolicyDocument:
- Version: "2012-10-17"
- Statement:
- - Effect: Allow
- Action:
- - "iam:CreateAccountAlias"
- Resource: "*"
 AccountAliasConfigFunction:
 Type: 'AWS::Serverless::Function'