From 3dc152aca8105e62c6c395c9bacc39085bdeceb3 Mon Sep 17 00:00:00 2001 From: Iakov GAN <82834333+iakov-aws@users.noreply.github.com> Date: Fri, 19 Apr 2024 19:53:12 +0200 Subject: [PATCH] Fix permissions boundaries + release 0.3.1 (#790) --- cfn-templates/cid-cfn.yml | 17 +++++++++-------- cfn-templates/cur-aggregation.yaml | 7 ++++--- cid/_version.py | 2 +- 3 files changed, 14 insertions(+), 12 deletions(-) diff --git a/cfn-templates/cid-cfn.yml b/cfn-templates/cid-cfn.yml index 952266ca..bfdbb478 100644 --- a/cfn-templates/cid-cfn.yml +++ b/cfn-templates/cid-cfn.yml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: '2010-09-09' -Description: Deployment of Cloud Intelligence Dashboards v0.3.0 +Description: Deployment of Cloud Intelligence Dashboards v0.3.1 Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -281,6 +281,7 @@ Conditions: Fn::And: - !Condition NeedQuickSightDataSourceRole - !Condition NeedDataBucketsKms + NeedPermissionsBoundary: !Not [!Equals [ !Ref PermissionsBoundary, "" ]] Resources: SpiceRefreshExecutionRole: #Role needed to schedule spice ingestion for the datasets not used by default @@ -298,7 +299,7 @@ Resources: - lambda.amazonaws.com Action: - sts:AssumeRole - PermissionsBoundary: !Ref PermissionsBoundary + PermissionsBoundary: !If [NeedPermissionsBoundary, !Ref PermissionsBoundary, !Ref AWS::NoValue] Policies: - PolicyName: !Sub 'CidSpiceRefreshExecutionRole${Suffix}' PolicyDocument: @@ -677,7 +678,7 @@ Resources: - Effect: Allow Action: quicksight:DescribeUser Resource: !Sub 'arn:${AWS::Partition}:quicksight:*:${AWS::AccountId}:user/default/${QuickSightUser}' # region=* as at this moment we do not know the Identity region where QS stores users - PermissionsBoundary: !Ref PermissionsBoundary + PermissionsBoundary: !If [NeedPermissionsBoundary, !Ref PermissionsBoundary, !Ref AWS::NoValue] ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole 
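Review bot: The new NeedPermissionsBoundary condition in the `@@ -281` hunk only distinguishes an empty string from anything else, so any non-empty value — a stray space, a policy name instead of an ARN — satisfies it and is passed through unchanged by the `!If` lines in the `@@ -298` and `@@ -677` hunks (and likewise in the `@@ -765`, `@@ -1037`, `@@ -1098` and `@@ -1247` hunks, plus the three `!If` hunks in cfn-templates/cur-aggregation.yaml), failing only when the role is created. The PermissionsBoundary parameter itself is declared outside the hunk; if it does not already carry an `AllowedPattern`, something like `AllowedPattern: '^$|^arn:[^:]+:iam::(aws|[0-9]{12}):policy/.+$'` together with a `ConstraintDescription` would reject malformed values at stack validation time instead. Because an empty parameter now yields roles with no boundary at all, the condition deserves a one-line comment saying so, e.g. `NeedPermissionsBoundary: !Not [!Equals [ !Ref PermissionsBoundary, "" ]]  # empty = create the roles without a permissions boundary (property dropped via AWS::NoValue)`. The Conditions block this line belongs to begins outside the hunk.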
@@ -765,7 +766,7 @@ Resources: Action: - sts:AssumeRole Path: !Ref RolePath - PermissionsBoundary: !Ref PermissionsBoundary + PermissionsBoundary: !If [NeedPermissionsBoundary, !Ref PermissionsBoundary, !Ref AWS::NoValue] ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole CustomResourceProcessPath: @@ -1037,7 +1038,7 @@ Resources: Action: - 'sts:AssumeRole' Path: !Ref RolePath - PermissionsBoundary: !Ref PermissionsBoundary + PermissionsBoundary: !If [NeedPermissionsBoundary, !Ref PermissionsBoundary, !Ref AWS::NoValue] ManagedPolicyArns: - Fn::Sub: 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSGlueServiceRole' Policies: @@ -1098,7 +1099,7 @@ Resources: - 'sts:AssumeRole' Path: !Ref RolePath RoleName: !Sub '${QuickSightDataSourceRoleName}${Suffix}' - PermissionsBoundary: !Ref PermissionsBoundary + PermissionsBoundary: !If [NeedPermissionsBoundary, !Ref PermissionsBoundary, !Ref AWS::NoValue] Policies: - PolicyName: AthenaAccess PolicyDocument: @@ -1247,7 +1248,7 @@ Resources: - lambda.amazonaws.com Action: - sts:AssumeRole - PermissionsBoundary: !Ref PermissionsBoundary + PermissionsBoundary: !If [NeedPermissionsBoundary, !Ref PermissionsBoundary, !Ref AWS::NoValue] ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole Policies: @@ -1567,7 +1568,7 @@ Resources: Description: An AWS managed layer with a cid-cmd package installed Content: S3Bucket: !Sub '${LambdaLayerBucketPrefix}-${AWS::Region}' - S3Key: 'cid-resource-lambda-layer/cid-0.3.0.zip' #replace version here if needed + S3Key: 'cid-resource-lambda-layer/cid-0.3.1.zip' #replace version here if needed CompatibleRuntimes: - python3.10 - python3.11 diff --git a/cfn-templates/cur-aggregation.yaml b/cfn-templates/cur-aggregation.yaml index 3795d95f..31ed97ec 100644 --- a/cfn-templates/cur-aggregation.yaml +++ b/cfn-templates/cur-aggregation.yaml 
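Review bot: The layer in the `@@ -1567` hunk is still fetched from `${LambdaLayerBucketPrefix}-${AWS::Region}` by a plain key, `S3Key: 'cid-resource-lambda-layer/cid-0.3.1.zip'`, so whatever object sits under that key at deploy time becomes the layer code, and an overwritten object would be picked up by the next stack update without any change to this template. If the bucket is versioned, adding `S3ObjectVersion` next to `S3Key` pins the exact artifact; otherwise a sentence beside the `#replace version here if needed` comment stating who publishes that bucket and how the zip is produced would let a reviewer judge the trust placed in it. The resource this belongs to (presumably an AWS::Lambda::LayerVersion, given the Content and CompatibleRuntimes keys) starts outside the hunk.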
@@ -73,6 +73,7 @@ Conditions: DeployCURViaCFNInDestination: !And [!Condition CUREnable, !Condition IsDestinationAccount, !Condition RegionSupportsCURviaCFN] DeployCURViaLambda: !And [!Condition CUREnable, !Not [!Condition RegionSupportsCURviaCFN]] EmptySourceAccountIds: !Equals [ !Ref SourceAccountIds, ''] + NeedPermissionsBoundary: !Not [!Equals [ !Ref PermissionsBoundary, "" ]] Resources: @@ -344,7 +345,7 @@ Resources: - "s3.amazonaws.com" Action: - "sts:AssumeRole" - PermissionsBoundary: !Ref PermissionsBoundary + PermissionsBoundary: !If [NeedPermissionsBoundary, !Ref PermissionsBoundary, !Ref AWS::NoValue] Policies: - PolicyName: CrossRegionPolicy PolicyDocument: @@ -457,7 +458,7 @@ Resources: - lambda.amazonaws.com Action: - sts:AssumeRole - PermissionsBoundary: !Ref PermissionsBoundary + PermissionsBoundary: !If [NeedPermissionsBoundary, !Ref PermissionsBoundary, !Ref AWS::NoValue] Policies: - PolicyName: "ExecutionDefault" PolicyDocument: @@ -600,7 +601,7 @@ Resources: - lambda.amazonaws.com Action: - sts:AssumeRole - PermissionsBoundary: !Ref PermissionsBoundary + PermissionsBoundary: !If [NeedPermissionsBoundary, !Ref PermissionsBoundary, !Ref AWS::NoValue] Policies: - PolicyName: "ExecutionDefault" PolicyDocument: diff --git a/cid/_version.py b/cid/_version.py index 0404d810..e1424ed0 100644 --- a/cid/_version.py +++ b/cid/_version.py @@ -1 +1 @@ -__version__ = '0.3.0' +__version__ = '0.3.1'
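Review bot: The added `NeedPermissionsBoundary` line in the `@@ -73` hunk quotes the empty string as `""` while the `EmptySourceAccountIds` condition directly above it uses `''`; `NeedPermissionsBoundary: !Not [!Equals [!Ref PermissionsBoundary, '']]` keeps the Conditions block uniform. The Conditions block this line is added to starts outside the hunk.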