Fix permissions boundaries + release 0.3.1 (#790)
iakov-aws authored Apr 19, 2024
1 parent db1b4fe commit 3dc152a
Showing 3 changed files with 14 additions and 12 deletions.
17 changes: 9 additions & 8 deletions cfn-templates/cid-cfn.yml
@@ -1,5 +1,5 @@
AWSTemplateFormatVersion: '2010-09-09'
Description: Deployment of Cloud Intelligence Dashboards v0.3.0
Description: Deployment of Cloud Intelligence Dashboards v0.3.1
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
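Review bot: the release number is now maintained by hand in three places (this `Description`, the Lambda layer `S3Key` further down in this file, and `cid/_version.py`), which is how a template/layer mismatch can slip through a release; consider a single `Mappings` entry or parameter that both the `Description` and the `S3Key` reference, so one edit moves both.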
Expand Down Expand Up @@ -281,6 +281,7 @@ Conditions:
Fn::And:
- !Condition NeedQuickSightDataSourceRole
- !Condition NeedDataBucketsKms
NeedPermissionsBoundary: !Not [!Equals [ !Ref PermissionsBoundary, "" ]]

Resources:
SpiceRefreshExecutionRole: #Role needed to schedule spice ingestion for the datasets not used by default
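Review bot: `NeedPermissionsBoundary` is false only when the parameter is exactly the empty string, so this fix depends on the `PermissionsBoundary` parameter (not shown in this diff) having `Default: ''` and no `AllowedPattern` that rejects an empty value; please confirm both, otherwise a stack deployed without a boundary will still fail. An `AllowedPattern` that accepts either the empty string or a policy ARN would catch a malformed ARN at parameter validation instead of at role creation.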
Expand All @@ -298,7 +299,7 @@ Resources:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
PermissionsBoundary: !Ref PermissionsBoundary
PermissionsBoundary: !If [NeedPermissionsBoundary, !Ref PermissionsBoundary, !Ref AWS::NoValue]
Policies:
- PolicyName: !Sub 'CidSpiceRefreshExecutionRole${Suffix}'
PolicyDocument:
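Review bot: an empty string is not a valid policy ARN, so the previous unconditional `PermissionsBoundary: !Ref PermissionsBoundary` would fail every role creation when the parameter was left blank; the `!If [NeedPermissionsBoundary, !Ref PermissionsBoundary, !Ref AWS::NoValue]` form is the right fix. Since the same line is repeated per role, please confirm with a search that no `AWS::IAM::Role` in either template still carries the bare `!Ref`, as one missed role reproduces the failure only for stacks that omit the boundary. Note also that the `AWS::NoValue` branch means such stacks deploy these roles with no boundary at all, which is the intended default here but is worth stating in the parameter description.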
Expand Down Expand Up @@ -677,7 +678,7 @@ Resources:
- Effect: Allow
Action: quicksight:DescribeUser
Resource: !Sub 'arn:${AWS::Partition}:quicksight:*:${AWS::AccountId}:user/default/${QuickSightUser}' # region=* as at this moment we do not know the Identity region where QS stores users
PermissionsBoundary: !Ref PermissionsBoundary
PermissionsBoundary: !If [NeedPermissionsBoundary, !Ref PermissionsBoundary, !Ref AWS::NoValue]
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

Expand Down Expand Up @@ -765,7 +766,7 @@ Resources:
Action:
- sts:AssumeRole
Path: !Ref RolePath
PermissionsBoundary: !Ref PermissionsBoundary
PermissionsBoundary: !If [NeedPermissionsBoundary, !Ref PermissionsBoundary, !Ref AWS::NoValue]
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
CustomResourceProcessPath:
Expand Down Expand Up @@ -1037,7 +1038,7 @@ Resources:
Action:
- 'sts:AssumeRole'
Path: !Ref RolePath
PermissionsBoundary: !Ref PermissionsBoundary
PermissionsBoundary: !If [NeedPermissionsBoundary, !Ref PermissionsBoundary, !Ref AWS::NoValue]
ManagedPolicyArns:
- Fn::Sub: 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSGlueServiceRole'
Policies:
Expand Down Expand Up @@ -1098,7 +1099,7 @@ Resources:
- 'sts:AssumeRole'
Path: !Ref RolePath
RoleName: !Sub '${QuickSightDataSourceRoleName}${Suffix}'
PermissionsBoundary: !Ref PermissionsBoundary
PermissionsBoundary: !If [NeedPermissionsBoundary, !Ref PermissionsBoundary, !Ref AWS::NoValue]
Policies:
- PolicyName: AthenaAccess
PolicyDocument:
Expand Down Expand Up @@ -1247,7 +1248,7 @@ Resources:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
PermissionsBoundary: !Ref PermissionsBoundary
PermissionsBoundary: !If [NeedPermissionsBoundary, !Ref PermissionsBoundary, !Ref AWS::NoValue]
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
Expand Down Expand Up @@ -1567,7 +1568,7 @@ Resources:
Description: An AWS managed layer with a cid-cmd package installed
Content:
S3Bucket: !Sub '${LambdaLayerBucketPrefix}-${AWS::Region}'
S3Key: 'cid-resource-lambda-layer/cid-0.3.0.zip' #replace version here if needed
S3Key: 'cid-resource-lambda-layer/cid-0.3.1.zip' #replace version here if needed
CompatibleRuntimes:
- python3.10
- python3.11
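Review bot: the layer is fetched from `${LambdaLayerBucketPrefix}-${AWS::Region}` by key only, so whoever can write `cid-0.3.1.zip` to that bucket changes what every new stack runs; `AWS::Lambda::LayerVersion` supports `S3ObjectVersion`, and pinning the object version would make the deployed artifact reproducible. The `#replace version here if needed` comment also marks a second hand-edited copy of the release number in this file; deriving it from one place would remove the drift risk.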
7 changes: 4 additions & 3 deletions cfn-templates/cur-aggregation.yaml
Expand Up @@ -73,6 +73,7 @@ Conditions:
DeployCURViaCFNInDestination: !And [!Condition CUREnable, !Condition IsDestinationAccount, !Condition RegionSupportsCURviaCFN]
DeployCURViaLambda: !And [!Condition CUREnable, !Not [!Condition RegionSupportsCURviaCFN]]
EmptySourceAccountIds: !Equals [ !Ref SourceAccountIds, '']
NeedPermissionsBoundary: !Not [!Equals [ !Ref PermissionsBoundary, "" ]]

Resources:

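Review bot: this condition duplicates the one added to `cfn-templates/cid-cfn.yml` in the same commit; keep the `PermissionsBoundary` parameter's default and validation identical across both templates, since the condition only does its job when the parameter can actually be left as `''`.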
Expand Down Expand Up @@ -344,7 +345,7 @@ Resources:
- "s3.amazonaws.com"
Action:
- "sts:AssumeRole"
PermissionsBoundary: !Ref PermissionsBoundary
PermissionsBoundary: !If [NeedPermissionsBoundary, !Ref PermissionsBoundary, !Ref AWS::NoValue]
Policies:
- PolicyName: CrossRegionPolicy
PolicyDocument:
Expand Down Expand Up @@ -457,7 +458,7 @@ Resources:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
PermissionsBoundary: !Ref PermissionsBoundary
PermissionsBoundary: !If [NeedPermissionsBoundary, !Ref PermissionsBoundary, !Ref AWS::NoValue]
Policies:
- PolicyName: "ExecutionDefault"
PolicyDocument:
Expand Down Expand Up @@ -600,7 +601,7 @@ Resources:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
PermissionsBoundary: !Ref PermissionsBoundary
PermissionsBoundary: !If [NeedPermissionsBoundary, !Ref PermissionsBoundary, !Ref AWS::NoValue]
Policies:
- PolicyName: "ExecutionDefault"
PolicyDocument:
2 changes: 1 addition & 1 deletion cid/_version.py
@@ -1 +1 @@
__version__ = '0.3.0'
__version__ = '0.3.1'

0 comments on commit 3dc152a
