Cdk exec policy linked envs #562
Conversation
Action: | ||
- 'kms:CreateAlias' | ||
- 'kms:CreateGrant' | ||
- 'kms:Decrypt' |
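Review bot: kms:Decrypt in this action list is a data-plane permission, not a resource-creation one; it is only justified if the deployment itself has to read KMS-encrypted material (for example a custom resource reading an encrypted parameter), so either document that case next to the action or drop it from this statement and keep the role limited to CreateAlias/CreateGrant-style setup actions.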
Why do we need Encrypt/Decrypt permissions for this role? It is a role to create resources, right?
Effect: Allow | ||
Resource: | ||
- !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/*' | ||
- Sid: KMSKey |
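Review bot: the `alias/*` resource spans every KMS alias in the account and region, and an alias ARN only authorizes alias operations (CreateAlias, DeleteAlias, UpdateAlias), so any key operation listed in the same statement is not actually covered by this Resource; narrow the alias pattern to the prefix the stack creates, and move key-level actions into a statement whose Resource is a key ARN (the KMSKey statement that starts here looks like the intended place).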
I don't understand this statement, what is it for?
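To make the two review questions above checkable rather than a matter of reading, here is an added lint script (not part of this PR or of data.all) that walks policy statements already parsed from YAML/JSON and flags data-plane KMS actions in a deployment role, wildcard alias resources, and alias ARNs paired with key operations. The statement values are constructed for the demo and the `!Sub` is shown resolved to a literal ARN.

```python
"""Lint IAM policy statements for the KMS scoping questions raised in review."""
import re

# KMS actions that are authorized against an alias ARN; every other kms:* action
# is a key operation and needs a key ARN (or "*") in the Resource element.
ALIAS_ACTIONS = {"kms:CreateAlias", "kms:DeleteAlias", "kms:UpdateAlias"}
# Data-plane actions a role that only creates resources normally does not need.
DATA_PLANE_ACTIONS = {"kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey",
                      "kms:ReEncryptFrom", "kms:ReEncryptTo"}
ALIAS_ARN = re.compile(r"^arn:aws:kms:[^:]*:[^:]*:alias/")


def _as_list(value):
    """IAM allows a bare string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def lint_kms_statement(stmt):
    """Return a list of human-readable findings for one Allow statement."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    sid = stmt.get("Sid", "<no Sid>")
    kms_actions = {a for a in _as_list(stmt.get("Action", [])) if a.startswith("kms:")}
    data_plane = sorted(kms_actions & DATA_PLANE_ACTIONS)
    if data_plane:
        findings.append(f"{sid}: data-plane KMS actions {data_plane} in a deployment role")
    key_ops = sorted(kms_actions - ALIAS_ACTIONS)
    for res in _as_list(stmt.get("Resource", [])):
        if not ALIAS_ARN.match(res):
            continue
        if res.endswith("alias/*"):
            findings.append(f"{sid}: {res} covers every alias in the account; narrow the prefix")
        if key_ops:
            findings.append(f"{sid}: alias ARN {res} does not authorize key operations {key_ops}")
    return findings


def lint_policy(statements):
    """Lint every statement in a policy document's Statement list."""
    return [f for stmt in statements for f in lint_kms_statement(stmt)]


# Constructed sample mirroring the shape of the statement under review (hypothetical values).
SAMPLE = [
    {"Sid": "KMSAlias", "Effect": "Allow",
     "Action": ["kms:CreateAlias", "kms:CreateGrant", "kms:Decrypt"],
     "Resource": ["arn:aws:kms:eu-west-1:111122223333:alias/*"]},
    {"Sid": "KMSKey", "Effect": "Allow", "Action": ["kms:CreateKey"], "Resource": "*"},
]

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE):
        print(finding)
```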
It needs some changes. Plus, I see that it is based off main, so it introduces conflicts in the v1.6.0 branch. We either rebase to v1m6m0 or we wait to do the PR to main. What do you think?
I have tested the following with the restricted CDK Execution Role:
Comments: Additionally, in my testing I had to add the following permissions to the CDK Execution Role to get all create/delete actions to work as expected:
- Create Dataset
- Delete Dataset
- Create Pipelines
- Delete Pipelines
- Delete Environment

NOTE: For Data All Pipelines this is a little tricky since the DDK execution role permissions will be used to both set up the foundational CICD Pipeline (this is managed by data all and known) AND deploy the infra to the respective development environments (this is customized by the customer and can be extended however they see fit per their use case). Because we will not know what a person would want to create as pipeline of their stack deployed in the pipeline should we opt to leave the default
…et, environment and pipelines
…sight and codepipeline
Updated the stack to add additional required permissions and tested the following. Create Environment
…ters and add permissions for vpc routing
Re-tested creating and deleting all data.all stacks - good to merge from me.
Looks good. It can serve as a starting point, but there are a couple of possible enhancements.
Found issues during deployment of branch V1.6.0 introduced by this PR. I am opening a separate PR for this.
### Feature or Bugfix
- Bugfix

### Detail
- Renamed resource to avoid duplicated resource names in CloudFormation

### Relates
- #562

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

### Feature or Bugfix
Release PR with the following list of features. Refer to each PR for the details.

### Detail
- #498
- #482
- #543
- #524 (which also solves #531)
- #532
- #535
- #497
- #515
- #529
- #562
- #455
- #572
- #567
- #573
- #579
- #578
- #582

### Breaking changes - release notes
- ⚠️ IMPORTANT: upgrade to a version >V1.5.0 before upgrading to V1.6 to avoid deletion of resources in custom resource deletion
- ⚠️ IMPORTANT: requires an update of environments and then datasets after upgrading. Either using cdk.json parameter `enable_update_dataall_stacks_in_cicd_pipeline`, waiting for the overnight update stack task, or manually updating first environments and then datasets
- CloudFront distribution replace for #529
- Additional EC2 permissions in CDK Synth CodeBuild stage for #543 --> this can be avoided by upgrading to v1.5.6 before upgrading to v1.6.0
- local development affected by more restrictive pivotRole trust policy

### Relates
V1.6.0 release

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

---------

Co-authored-by: Gezim Musliaj <102723839+gmuslia@users.noreply.github.com>
Co-authored-by: Noah Paige <69586985+noah-paige@users.noreply.github.com>
Co-authored-by: nikpodsh <124577300+nikpodsh@users.noreply.github.com>
Co-authored-by: chamcca <40579012+chamcca@users.noreply.github.com>
Co-authored-by: Nikita Podshivalov <nikpodsh@amazon.com>
Co-authored-by: dbalintx <132444646+dbalintx@users.noreply.github.com>
Co-authored-by: mourya-33 <134511711+mourya-33@users.noreply.github.com>
Feature
Detail
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.