feat: bootstrap arguments for permissions boundary #22792
Conversation
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
Couple of comments
Co-authored-by: Cory Hall <43035978+corymhall@users.noreply.github.com>
@Mergifyio update

Inbound execution ID: c68ef47b-c8a2-463a-8935-46febfe89681
✅ Branch has been successfully updated
☑️ Nothing to do

@Mergifyio update

✅ Branch has been successfully updated
Missed one 😅
This is looking really good! I only have a couple of minor comments and then I think we are good to go!
Co-authored-by: Cory Hall <43035978+corymhall@users.noreply.github.com>
I found a couple of issues in my testing.
return arn; | ||
} | ||
const policyDoc = JSON.parse(serializeStructure(template, true)).CdkBoostrapPermissionsBoundaryPolicy; |
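Review bot: the assertion reads `.CdkBoostrapPermissionsBoundaryPolicy` directly off the serialized template, but in a CloudFormation template the document sits under `Resources.CdkBoostrapPermissionsBoundaryPolicy.Properties.PolicyDocument`, so as written `policyDoc` is `undefined` and the comparison cannot pass; use the full path. Also worth recording next to this test: the extracted document still contains `Fn::Sub` intrinsics, so it is valid for CloudFormation but cannot be handed to the IAM API unchanged.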
const policyDoc = JSON.parse(serializeStructure(template, true)).CdkBoostrapPermissionsBoundaryPolicy; | |
const policyDoc = JSON.parse(serializeStructure(template, true)).Resources.CdkBoostrapPermissionsBoundaryPolicy.Properties.PolicyDocument; |
Also, looks like the policy is valid from CloudFormation's perspective because it contains CloudFormation intrinsics which don't work with the IAM API. Not sure if it would be easier to do a Regex replacement or just manage the policy in two places? I would be fine managing it in two places if that is easier.
> do a Regex replacement

sounds more heavy-duty -- can I open a follow-up for that POC and switch back to the policy doc as string for now?
> sounds more heavy-duty -- can I open a follow-up for that POC and switch back to the policy doc as string for now?

Yeah sounds good to me
Couple of small things
Co-authored-by: Cory Hall <43035978+corymhall@users.noreply.github.com>
@Mergifyio update

✅ Branch has been successfully updated

AWS CodeBuild CI Report

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
Description: "Bootstrap Permission Boundary" | ||
ManagedPolicyName: | ||
Fn::Sub: cdk-${Qualifier}-permissions-boundary-${AWS::AccountId}-${AWS::Region} | ||
Path: / | ||
# The SSM parameter is used in pipeline-deployed templates to verify the version | ||
# of the bootstrap resources. | ||
CdkBootstrapVersion: |
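Review bot: this hunk adds a new `AWS::IAM::ManagedPolicy` resource to the bootstrap template, but the `CdkBootstrapVersion` parameter that follows (its comment says it is what pipeline-deployed templates check) is not incremented in the same change. The version is also what the CLI's "Not downgrading existing bootstrap stack from version 'X+n' to version 'X'" guard keys on, so without a bump an older toolkit can redeploy the previous template and silently drop the permissions boundary again. Suggest bumping the version value alongside the new resource.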
Hi @Naumel @corymhall just curious, should the CdkBootstrapVersion be also updated as part of this change? (i.e. When do we increment this version?)
We're currently encountering an issue in our bootstrap stacks where:
- developers with CDK toolkit v.2.54.0 are creating changesets to our toolkit stack and updating the template; and
- developers with CDK toolkit less than v.2.54.0 creating changesets to our toolkit stack and downgrading the template.
Previously, we would encounter a warning:
Not downgrading existing bootstrap stack from version 'X+n' to version 'X'
that would prevent developers using an outdated CDK toolkit from downgrading the toolkit stack.
Wondering if this was the cause
#22744
Users can now specify in the CDK CLI a (permissions boundary) policy to be applied on the Execution Role and all subsequent IAM users and roles of their app.

If you want to try out the feature, a good starting point is having the `--example-permissions-boundary` (or `--epb`) parameter for the `cdk bootstrap`:

This achieves a couple of things: a new policy will be created (if not already present) in the account being bootstrapped (`cdk-${qualifier}-permissions-boundary`) and it will be referenced in the bootstrap template. In order for the bootstrap to be successful, the credentials used must include `iam:getPolicy` and `iam:createPolicy` permissions.

This pairs with #22913, as the permissions boundary needs propagation.

You can inspect the policy via the console, retrieve it via the AWS CLI or SDK, and you can copy the structure to use on your own from `packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml`: `Resources.CdkBoostrapPermissionsBoundaryPolicy`. At this point you can edit the policy, add restrictions and see what scope would match your requirements.

For non-dev work, the suggestion is to use `--custom-permissions-boundary` (or `--cpb`):

The policy must be created and accessible for the credentials used to perform the bootstrap.
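The two points above that a practitioner has to get right in code, the `Resources.<id>.Properties.PolicyDocument` path and the `Fn::Sub` intrinsics that CloudFormation accepts but the IAM API rejects (raised in the review), plus the policy name/ARN the bootstrap looks up with `iam:getPolicy`, as an added TypeScript example; this is not aws-cdk code. The template below is a constructed sample, not `bootstrap-template.yaml`, and `substitute`, `resolveIntrinsics` and `extractBoundaryPolicy` are hypothetical helper names; it also resolves `${AWS::Partition}`, which the page does not mention.

```typescript
// Added example, not aws-cdk code. Resolves the Fn::Sub intrinsics in the bootstrap
// template's permissions-boundary policy so the plain document can go to the IAM API.
type Json = string | number | boolean | null | Json[] | { [k: string]: Json };

export interface BootstrapContext { account: string; region: string; qualifier: string; partition?: string }

// Replace the pseudo-parameters and the Qualifier parameter used by the template.
export function substitute(s: string, ctx: BootstrapContext): string {
  const vars: Record<string, string> = {
    "AWS::AccountId": ctx.account, "AWS::Region": ctx.region,
    "AWS::Partition": ctx.partition ?? "aws", "Qualifier": ctx.qualifier,
  };
  return s.replace(/\$\{([^}]+)\}/g, (whole, name: string) => {
    if (!(name in vars)) throw new Error(`unsupported Fn::Sub variable ${whole}`);
    return vars[name];
  });
}

// Walk the document: a { "Fn::Sub": "..." } node becomes a plain string, all else is copied.
export function resolveIntrinsics(node: Json, ctx: BootstrapContext): Json {
  if (Array.isArray(node)) return node.map((n) => resolveIntrinsics(n, ctx));
  if (node !== null && typeof node === "object") {
    const sub = node["Fn::Sub"];
    if (Object.keys(node).length === 1 && typeof sub === "string") return substitute(sub, ctx);
    const out: { [k: string]: Json } = {};
    for (const k of Object.keys(node)) out[k] = resolveIntrinsics(node[k], ctx);
    return out;
  }
  return node;
}

// Read Resources.<logicalId>.Properties.PolicyDocument (the path the review corrected) and
// return the IAM-ready document with the policy name and ARN that bootstrap would look up.
export function extractBoundaryPolicy(templateJson: string, logicalId: string, ctx: BootstrapContext) {
  const res = JSON.parse(templateJson).Resources?.[logicalId];
  if (!res || res.Type !== "AWS::IAM::ManagedPolicy") throw new Error(`no managed policy ${logicalId}`);
  const rawName = res.Properties.ManagedPolicyName;
  const name = typeof rawName === "string" ? rawName : substitute(rawName["Fn::Sub"], ctx);
  const arn = `arn:${ctx.partition ?? "aws"}:iam::${ctx.account}:policy/${name}`;
  return { name, arn, document: resolveIntrinsics(res.Properties.PolicyDocument, ctx) };
}

// Constructed sample (not the real bootstrap-template.yaml), already serialized to JSON.
export const SAMPLE_TEMPLATE = JSON.stringify({ Resources: { CdkBoostrapPermissionsBoundaryPolicy: {
  Type: "AWS::IAM::ManagedPolicy",
  Properties: {
    ManagedPolicyName: { "Fn::Sub": "cdk-${Qualifier}-permissions-boundary-${AWS::AccountId}-${AWS::Region}" },
    Path: "/",
    PolicyDocument: { Version: "2012-10-17", Statement: [
      { Effect: "Allow", Action: "*", Resource: "*" },
      { Effect: "Deny", Action: "iam:*", Resource: { "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-${Qualifier}-*" } },
    ] } } } } });
```

Resolving the intrinsics this way is the "Regex replacement" route the review mentions; the alternative the PR settled on is keeping a second, plain-string copy of the policy for the IAM API.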
All Submissions:

Adding new Unconventional Dependencies:

New Features:

- `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license