Skip to content

Commit 02cf25f

Browse files
sbkoksbkok
committed
Fix deployment bootstrap IAM PassRole permissions
Issue: #755 ## Why? When an update is performed in the bootstrap repository, it will run `sam build` to generate the bootstrap stack for the deployment account. This, however, includes new versions of some of its dependencies and therefore requires the Lambda Functions to update. While updating, it requires the `iam:PassRole` permission to pass the role to the new Lambda Function version. This was not permitted, as reported in the above issue. ## What? Updated the update deployment bootstrap role to include the required permissions to pass those roles as required. Unfortunately, some of the Lambda functions relied on the `Policies` feature of SAM. This would auto generate a name for the role, thereby making it impossible to lock down permissions to the bare minimum. Hence, those functions now rely on dedicated Roles such that we can list the ARNs properly. Half of the policies for the updated bootstrap deployment role have been relocated to an IAM Managed Policy to work around the 10k inline-policy limit. Additionally, the permission to perform the `codebuild:BatchGetProjects` on the pipeline management CodeBuild project was missing.
1 parent 325ae13 commit 02cf25f

File tree

2 files changed

+186
-94
lines changed

2 files changed

+186
-94
lines changed

src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml

+180-94
Original file line numberDiff line numberDiff line change
@@ -1620,19 +1620,38 @@ Resources:
16201620
Version: !Ref ADFVersion
16211621
RepositoryArn: !GetAtt CodeCommitRepository.Arn
16221622

1623+
DetermineDefaultBranchFunctionRole:
1624+
Type: "AWS::IAM::Role"
1625+
Properties:
1626+
Path: /adf/bootstrap/
1627+
RoleName: "adf-determine-default-branch-lambda"
1628+
AssumeRolePolicyDocument:
1629+
Version: "2012-10-17"
1630+
Statement:
1631+
- Effect: "Allow"
1632+
Principal:
1633+
Service:
1634+
- "lambda.amazonaws.com"
1635+
Action:
1636+
- "sts:AssumeRole"
1637+
Policies:
1638+
- PolicyName: "adf-send-slack-notification"
1639+
PolicyDocument:
1640+
Version: "2012-10-17"
1641+
Statement:
1642+
- Effect: Allow
1643+
Action:
1644+
- "codecommit:GetRepository"
1645+
Resource:
1646+
- !GetAtt CodeCommitRepository.Arn
1647+
16231648
DetermineDefaultBranchNameHandler:
16241649
Type: AWS::Serverless::Function
16251650
Properties:
16261651
Handler: handler.lambda_handler
16271652
CodeUri: lambda_codebase/determine_default_branch
16281653
Description: "ADF Lambda Function - BootstrapDetermineDefaultBranchName"
1629-
Policies:
1630-
- Version: "2012-10-17"
1631-
Statement:
1632-
- Effect: Allow
1633-
Action:
1634-
- codecommit:GetRepository
1635-
Resource: !GetAtt CodeCommitRepository.Arn
1654+
Role: !GetAtt DetermineDefaultBranchFunctionRole.Arn
16361655
FunctionName: ADFPipelinesDetermineDefaultBranchName
16371656
Metadata:
16381657
BuildMethod: python3.12
@@ -1646,26 +1665,45 @@ Resources:
16461665
DirectoryName: pipelines_repository
16471666
DefaultBranchName: !GetAtt DetermineDefaultBranchName.DefaultBranchName
16481667

1668+
InitialCommitFunctionRole:
1669+
Type: "AWS::IAM::Role"
1670+
Properties:
1671+
Path: /adf/bootstrap/
1672+
RoleName: "adf-initial-commit"
1673+
AssumeRolePolicyDocument:
1674+
Version: "2012-10-17"
1675+
Statement:
1676+
- Effect: "Allow"
1677+
Principal:
1678+
Service:
1679+
- "lambda.amazonaws.com"
1680+
Action:
1681+
- "sts:AssumeRole"
1682+
Policies:
1683+
- PolicyName: "adf-send-slack-notification"
1684+
PolicyDocument:
1685+
Version: "2012-10-17"
1686+
Statement:
1687+
- Effect: Allow
1688+
Action:
1689+
- "codecommit:GetDifferences"
1690+
- "codecommit:CreateCommit"
1691+
- "codecommit:CreatePullRequest"
1692+
- "codecommit:DeleteBranch"
1693+
- "codecommit:GetBranch"
1694+
- "codecommit:CreateBranch"
1695+
- "codecommit:CreatePullRequest"
1696+
- "codecommit:DeleteBranch"
1697+
Resource:
1698+
- !GetAtt CodeCommitRepository.Arn
1699+
16491700
InitialCommitHandler:
16501701
Type: AWS::Serverless::Function
16511702
Properties:
16521703
Handler: handler.lambda_handler
16531704
CodeUri: lambda_codebase/initial_commit
16541705
Description: "ADF Lambda Function - PipelinesCreateInitialCommitFunction"
1655-
Policies:
1656-
- Version: "2012-10-17"
1657-
Statement:
1658-
- Effect: Allow
1659-
Action:
1660-
- codecommit:GetDifferences
1661-
- codecommit:CreateCommit
1662-
- codecommit:CreatePullRequest
1663-
- codecommit:DeleteBranch
1664-
- codecommit:GetBranch
1665-
- codecommit:CreateBranch
1666-
- codecommit:CreatePullRequest
1667-
- codecommit:DeleteBranch
1668-
Resource: !GetAtt CodeCommitRepository.Arn
1706+
Role: !GetAtt InitialCommitFunctionRole.Arn
16691707
FunctionName: PipelinesCreateInitialCommitFunction
16701708
Timeout: 300
16711709
Metadata:
@@ -1885,6 +1923,42 @@ Resources:
18851923
- !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:adf-pipeline-management-identify-out-of-date-pipelines:*"
18861924
- !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:adf-pipeline-management-store-pipeline-definition"
18871925
- !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:adf-pipeline-management-store-pipeline-definition:*"
1926+
- Effect: "Allow"
1927+
Action:
1928+
- "iam:PassRole"
1929+
Resource:
1930+
- !GetAtt DetermineDefaultBranchFunctionRole.Arn
1931+
- !GetAtt CheckPipelineStatusLambdaRole.Arn
1932+
- !GetAtt InitialCommitFunctionRole.Arn
1933+
- !GetAtt SendSlackNotificationLambdaRole.Arn
1934+
- !GetAtt EnableCrossAccountAccessLambdaRole.Arn
1935+
Condition:
1936+
ArnEquals:
1937+
iam:AssociatedResourceArn:
1938+
- !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:ADFPipelinesDetermineDefaultBranchName"
1939+
- !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:CheckPipelineStatus"
1940+
- !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:PipelinesCreateInitialCommitFunction"
1941+
- !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:SendSlackNotification"
1942+
- !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:UpdateCrossAccountIAM"
1943+
- Effect: "Allow"
1944+
Action:
1945+
- "iam:PassRole"
1946+
Resource:
1947+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/pipeline-management/adf-pipeline-management-create-repository"
1948+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/pipeline-management/adf-pipeline-management-create-update-rule"
1949+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/pipeline-management/adf-pipeline-management-deployment-map-processor"
1950+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/pipeline-management/adf-pipeline-management-generate-inputs"
1951+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/pipeline-management/adf-pipeline-management-identify-out-of-date-pipelines"
1952+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/pipeline-management/adf-pipeline-management-store-pipeline-definition"
1953+
Condition:
1954+
ArnEquals:
1955+
iam:AssociatedResourceArn:
1956+
- !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:adf-pipeline-management-create-repository"
1957+
- !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:adf-pipeline-management-create-update-rule"
1958+
- !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:adf-pipeline-management-deployment-map-processor"
1959+
- !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:adf-pipeline-management-generate-pipeline-inputs"
1960+
- !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:adf-pipeline-management-identify-out-of-date-pipelines"
1961+
- !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:adf-pipeline-management-store-pipeline-definition"
18881962
- Effect: "Allow"
18891963
Action:
18901964
- "lambda:DeleteLayerVersion"
@@ -1978,79 +2052,91 @@ Resources:
19782052
- "iam:DeleteRole"
19792053
Resource:
19802054
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-terraform-role"
1981-
- Sid: "IAMFullPathOnlyTag"
1982-
Effect: "Allow"
1983-
Action:
1984-
- "iam:TagRole"
1985-
- "iam:UntagRole"
1986-
Resource:
1987-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-cloudformation-deployment-role"
1988-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-cloudformation-role"
1989-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-codebuild-role"
1990-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-codecommit-role"
1991-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-codepipeline-role"
1992-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-readonly-automation-role"
1993-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-terraform-role"
1994-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/pipeline-management/adf-pipeline-management-codepipeline"
1995-
- Sid: "IAMFullPathAndNameOnly"
1996-
Effect: "Allow"
1997-
Action:
1998-
- "iam:DeleteRolePolicy"
1999-
- "iam:GetRole"
2000-
- "iam:GetRolePolicy"
2001-
- "iam:PutRolePolicy"
2002-
- "iam:UpdateAssumeRolePolicy"
2003-
Resource:
2004-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-cloudformation-deployment-role"
2005-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-cloudformation-role"
2006-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-codebuild-role"
2007-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-codecommit-role"
2008-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-codepipeline-role"
2009-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-pipeline-check-pipeline-status-lambda"
2010-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-pipeline-management-codepipeline"
2011-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-pipeline-send-slack-notification-lambda"
2012-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-readonly-automation-role"
2013-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-terraform-role"
2014-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/bootstrap/adf-pipeline-check-pipeline-status-lambda"
2015-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/bootstrap/adf-pipeline-send-slack-notification-lambda"
2016-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/pipeline-management/adf-pipeline-management-codepipeline"
2017-
- Sid: "IAMGetOnly"
2018-
Effect: "Allow"
2019-
Action:
2020-
- "iam:GetRole"
2021-
- "iam:GetRolePolicy"
2022-
Resource:
2023-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-*"
2024-
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/*"
2025-
- Effect: "Allow"
2026-
Action:
2027-
- "s3:GetObject"
2028-
Resource:
2029-
- !Sub "arn:${AWS::Partition}:s3:::${BootstrapTemplatesBucketName}/adf-bootstrap/*"
2030-
- !Sub "arn:${AWS::Partition}:s3:::${SharedModulesBucket}/adf-bootstrap/*"
2031-
- Effect: "Allow"
2032-
Action:
2033-
- "codecommit:GetRepository"
2034-
Resource:
2035-
- !GetAtt CodeCommitRepository.Arn
2036-
- Effect: "Allow"
2037-
Action:
2038-
- "codebuild:BatchGetProjects"
2039-
Resource:
2040-
- !GetAtt CodeBuildProject.Arn
2041-
- Effect: "Allow"
2042-
Action:
2043-
- "sns:GetTopicAttributes"
2044-
Resource:
2045-
- !Ref PipelineSNSTopic
2046-
- Effect: Allow
2047-
Sid: "KickOffPipelineManagement"
2048-
Action:
2049-
- "states:DescribeExecution"
2050-
- "states:StartExecution"
2051-
Resource:
2052-
- !Sub arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:adf-bootstrap-enable-cross-account
2053-
- !Sub arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:adf-bootstrap-enable-cross-account:*
2055+
2056+
BootstrapUpdateDeploymentPolicy:
2057+
Type: "AWS::IAM::ManagedPolicy"
2058+
Properties:
2059+
Description: "Policy to perform simple bootstrap updates"
2060+
Path: /adf/bootstrap/
2061+
Roles:
2062+
- !Ref BootstrapUpdateDeploymentRole
2063+
PolicyDocument:
2064+
Version: "2012-10-17"
2065+
Statement:
2066+
- Sid: "IAMFullPathOnlyTag"
2067+
Effect: "Allow"
2068+
Action:
2069+
- "iam:TagRole"
2070+
- "iam:UntagRole"
2071+
Resource:
2072+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-cloudformation-deployment-role"
2073+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-cloudformation-role"
2074+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-codebuild-role"
2075+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-codecommit-role"
2076+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-codepipeline-role"
2077+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-readonly-automation-role"
2078+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-terraform-role"
2079+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/pipeline-management/adf-pipeline-management-codepipeline"
2080+
- Sid: "IAMFullPathAndNameOnly"
2081+
Effect: "Allow"
2082+
Action:
2083+
- "iam:DeleteRolePolicy"
2084+
- "iam:GetRole"
2085+
- "iam:GetRolePolicy"
2086+
- "iam:PutRolePolicy"
2087+
- "iam:UpdateAssumeRolePolicy"
2088+
Resource:
2089+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-cloudformation-deployment-role"
2090+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-cloudformation-role"
2091+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-codebuild-role"
2092+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-codecommit-role"
2093+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-codepipeline-role"
2094+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-pipeline-check-pipeline-status-lambda"
2095+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-pipeline-management-codepipeline"
2096+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-pipeline-send-slack-notification-lambda"
2097+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-readonly-automation-role"
2098+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-terraform-role"
2099+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/bootstrap/adf-pipeline-check-pipeline-status-lambda"
2100+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/bootstrap/adf-pipeline-send-slack-notification-lambda"
2101+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/pipeline-management/adf-pipeline-management-codepipeline"
2102+
- Sid: "IAMGetOnly"
2103+
Effect: "Allow"
2104+
Action:
2105+
- "iam:GetRole"
2106+
- "iam:GetRolePolicy"
2107+
Resource:
2108+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-*"
2109+
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/*"
2110+
- Effect: "Allow"
2111+
Action:
2112+
- "s3:GetObject"
2113+
Resource:
2114+
- !Sub "arn:${AWS::Partition}:s3:::${BootstrapTemplatesBucketName}/adf-bootstrap/*"
2115+
- !Sub "arn:${AWS::Partition}:s3:::${SharedModulesBucket}/adf-bootstrap/*"
2116+
- Effect: "Allow"
2117+
Action:
2118+
- "codecommit:GetRepository"
2119+
Resource:
2120+
- !GetAtt CodeCommitRepository.Arn
2121+
- Effect: "Allow"
2122+
Action:
2123+
- "codebuild:BatchGetProjects"
2124+
Resource:
2125+
- !GetAtt CodeBuildProject.Arn
2126+
- !GetAtt PipelineManagementApplication.Outputs.PipelineManagementCodeBuildProjectArn
2127+
- Effect: "Allow"
2128+
Action:
2129+
- "sns:GetTopicAttributes"
2130+
Resource:
2131+
- !Ref PipelineSNSTopic
2132+
- Effect: Allow
2133+
Sid: "KickOffPipelineManagement"
2134+
Action:
2135+
- "states:DescribeExecution"
2136+
- "states:StartExecution"
2137+
Resource:
2138+
- !Sub "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:adf-bootstrap-enable-cross-account"
2139+
- !Sub "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:adf-bootstrap-enable-cross-account:*"
20542140

20552141
Outputs:
20562142
ADFVersionNumber:

src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml

+6
Original file line numberDiff line numberDiff line change
@@ -113,6 +113,7 @@ Resources:
113113
Type: "AWS::IAM::Role"
114114
Properties:
115115
Path: "/adf/pipeline-management/"
116+
RoleName: "adf-pipeline-management-deployment-map-processor"
116117
AssumeRolePolicyDocument:
117118
Version: "2012-10-17"
118119
Statement:
@@ -226,6 +227,7 @@ Resources:
226227
Type: "AWS::IAM::Role"
227228
Properties:
228229
Path: "/adf/pipeline-management/"
230+
RoleName: "adf-pipeline-management-store-pipeline-definition"
229231
AssumeRolePolicyDocument:
230232
Version: "2012-10-17"
231233
Statement:
@@ -252,6 +254,7 @@ Resources:
252254
Type: "AWS::IAM::Role"
253255
Properties:
254256
Path: "/adf/pipeline-management/"
257+
RoleName: "adf-pipeline-management-identify-out-of-date-pipelines"
255258
AssumeRolePolicyDocument:
256259
Version: "2012-10-17"
257260
Statement:
@@ -1227,3 +1230,6 @@ Outputs:
12271230

12281231
CreateRepositoryLambdaRoleArn:
12291232
Value: !GetAtt CreateRepositoryLambdaRole.Arn
1233+
1234+
PipelineManagementCodeBuildProjectArn:
1235+
Value: !GetAtt PipelineManagementCodeBuildProject.Arn

0 commit comments

Comments
 (0)