Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: bootstrap arguments for permissions boundary #22792

Merged
merged 41 commits into from
Nov 23, 2022
Merged

feat: bootstrap arguments for permissions boundary #22792

merged 41 commits into from
Nov 23, 2022

Conversation

Naumel
Copy link
Contributor

@Naumel Naumel commented Nov 4, 2022

#22744

Users can now specify in the CDK CLI a (permissions boundary) policy to be applied on the Execution Role and all subsequent IAM users and roles of their app.

If you want to try out the feature, a good starting point is having the--example-permissions-boundary(or --epb) parameter for the cdk botstrap:

cdk boostrap --epb

This achieves a couple of things: a new policy will be created (if not already present) in the account being bootstrapped (cdk-${qualifier}-permissions-boundary) and it will be referenced in the bootstrap template. In order for the bootstrap to be successful, the credentials use must include iam:getPolicy and iam:createPolicy permissions.
This works pairs with #22913, as permissions boundary needs propagation.
You can inspect the policy via the console, retrieve it via aws cli or sdk and you can copy the structure to use on your own from packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml: Resources.CdkBoostrapPermissionsBoundaryPolicy

At this point you can edit the policy, add restrictions and see what scope would match your requirements.

For non-dev work, the suggestion is to use --custom-permissions-boundary (or --cpb):

cdk bootstrap --cpb "custom-policy-name"

The policy must be created and accessible for the credentials used to perform the bootstrap.


All Submissions:

Adding new Unconventional Dependencies:

  • This PR adds new unconventional dependencies following the process described here

New Features

  • Have you added the new feature to an integration test?
    • Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@gitpod-io
Copy link

gitpod-io bot commented Nov 4, 2022

@aws-cdk-automation aws-cdk-automation requested a review from a team November 4, 2022 20:23
@github-actions github-actions bot added the p2 label Nov 4, 2022
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Nov 4, 2022
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

Copy link
Contributor

@corymhall corymhall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple of comments

packages/aws-cdk/README.md Outdated Show resolved Hide resolved
packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml Outdated Show resolved Hide resolved
packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml Outdated Show resolved Hide resolved
packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml Outdated Show resolved Hide resolved
packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml Outdated Show resolved Hide resolved
Co-authored-by: Cory Hall <43035978+corymhall@users.noreply.github.com>
@corymhall corymhall added the pr-linter/exempt-integ-test The PR linter will not require integ test changes label Nov 10, 2022
@Naumel
Copy link
Contributor Author

Naumel commented Nov 15, 2022

@Mergifyio update

Inbound execution ID: c68ef47b-c8a2-463a-8935-46febfe89681

@mergify
Copy link
Contributor

mergify bot commented Nov 15, 2022

update

✅ Branch has been successfully updated

@mergify
Copy link
Contributor

mergify bot commented Nov 15, 2022

update

☑️ Nothing to do

  • #commits-behind>0 [:pushpin: update requirement]
  • -closed [:pushpin: update requirement]

@Naumel Naumel added the pr-linter/cli-integ-tested Assert that any CLI changes have been integ tested label Nov 15, 2022
@Naumel
Copy link
Contributor Author

Naumel commented Nov 21, 2022

@Mergifyio update

@mergify
Copy link
Contributor

mergify bot commented Nov 21, 2022

update

✅ Branch has been successfully updated

Copy link
Contributor

@corymhall corymhall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is looking really good! I only have a couple of minor comments and then I
think we are good to go!

packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml Outdated Show resolved Hide resolved
packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml Outdated Show resolved Hide resolved
packages/aws-cdk/README.md Show resolved Hide resolved
Copy link
Contributor

@corymhall corymhall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I found a couple of issues in my testing.

return arn;
}

const policyDoc = JSON.parse(serializeStructure(template, true)).CdkBoostrapPermissionsBoundaryPolicy;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
const policyDoc = JSON.parse(serializeStructure(template, true)).CdkBoostrapPermissionsBoundaryPolicy;
const policyDoc = JSON.parse(serializeStructure(template, true)).Resources.CdkBoostrapPermissionsBoundaryPolicy.Properties.PolicyDocument;

Also, looks like the policy is valid from CloudFormations perspective because it
contains CloudFormation intrinsics which doesn't work with the IAM API. Not sure
if it would be easier to do a Regex replacement or just manage the policy in two
places? I would be fine managing it in two places if that is easier.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do a Regex replacement

sounds more heavy-duty -- can I open a follow-up for that POC and switch back to the policy doc as string for now?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sounds more heavy-duty -- can I open a follow-up for that POC and switch back to the policy doc as string for now?

Yeah sounds good to me

Copy link
Contributor

@corymhall corymhall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple of small things

@corymhall corymhall added the pr/do-not-merge This PR should not be merged at this time. label Nov 22, 2022
@Naumel Naumel removed the pr/do-not-merge This PR should not be merged at this time. label Nov 23, 2022
@Naumel
Copy link
Contributor Author

Naumel commented Nov 23, 2022

@Mergifyio update

@mergify
Copy link
Contributor

mergify bot commented Nov 23, 2022

update

✅ Branch has been successfully updated

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 7669755
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Contributor

mergify bot commented Nov 23, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 6224b6d into main Nov 23, 2022
@mergify mergify bot deleted the perm-bound branch November 23, 2022 14:07
Description: "Bootstrap Permission Boundary"
ManagedPolicyName:
Fn::Sub: cdk-${Qualifier}-permissions-boundary-${AWS::AccountId}-${AWS::Region}
Path: /
# The SSM parameter is used in pipeline-deployed templates to verify the version
# of the bootstrap resources.
CdkBootstrapVersion:

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @Naumel @corymhall just curious, should the CdkBootstrapVersion be also updated as part of this change? (i.e. When do we increment this version?)

We're currently encountering an issue in our bootstrap stacks where:

  • developers with CDK toolkit v.2.54.0 are creating changesets to our toolkit stack and updating the template; and
  • developers with CDK toolkit less than v.2.54.0 creating changesets to our toolkit stack and downgrading the template.

Previously, we would encounter a warning:

Not downgrading existing bootstrap stack from version 'X+n' to version 'X'

that would prevent developers using an outdated CDK toolkit from downgrading the toolkit stack.

Wondering if this was the cause

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
contribution/core This is a PR that came from AWS. p2 pr-linter/cli-integ-tested Assert that any CLI changes have been integ tested pr-linter/exempt-integ-test The PR linter will not require integ test changes
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants