
feat(cli): add permissions to the bootstrap action role for cdk deploy#6684

Merged
mergify[bot] merged 2 commits into aws:master from skinny85:feat/bootstrap-cli-cfn-perms
Mar 17, 2020

Conversation

@skinny85
Contributor

In the "CI/CD for CDK apps" epic, we use the bootstrap action role to perform cdk deploy (in the self-mutating stage). To do that, we need 2 additional read-only CloudFormation permissions that the CLI uses (GetTemplate and DescribeStackEvents) added to that role.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@skinny85 skinny85 requested review from NetaNir and rix0rrr March 11, 2020 23:58
@skinny85 skinny85 self-assigned this Mar 11, 2020
@mergify mergify bot added the contribution/core label (This is a PR that came from AWS.) Mar 11, 2020
@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: c8c98fa
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

"Action": [
"cloudformation:CreateChangeSet", "cloudformation:DeleteChangeSet",
"cloudformation:DescribeChangeSet", "cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents", "cloudformation:GetTemplate",
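Review bot: the Action list here mixes the two read-only actions this PR adds (cloudformation:DescribeStackEvents, cloudformation:GetTemplate) with the change-set actions, and nothing records which CLI operation needs each one; since the list is growing, give the statement a Sid (the CliPermissions statement suggested in review) and a short note per action, so the Resource scope of the statement, which this fragment does not show, can be reviewed separately for the read-only and the mutating actions.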
Contributor
Didn't we already add these?

There is a statement called CliPermissions, I'd rather you add them there (I want to start annotating this giant permissions set with why we need them, because it's growing big).

Contributor Author

Didn't we already add these?

No. Searching the current bootstrap-template.json on master does not give any results for GetTemplate.

There is a statement called CliPermissions, I'd rather you add them there (I want to start annotating this giant permissions set with why we need them, because it's growing big).

I don't see a statement called like that anywhere in the current file.

Contributor Author

Changed in the newest revision to what you have in that branch.

BTW, do we really need DeleteStack on "*"? That seems a little wide...
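As an added example (not code from the aws-cdk repository), a small Python lint over an IAM policy document shaped like the bootstrap action role: it reports whether the two read-only actions the CLI needs for `cdk deploy` are granted, and which Allow statements grant a mutating action such as DeleteStack on Resource "*", the scoping concern raised above. The policy embedded in it is a constructed, trimmed stand-in, not the real bootstrap-template.json.

```python
import json

# Read-only CloudFormation actions the PR adds so `cdk deploy` can run.
CLI_READ_ONLY_ACTIONS = {
    "cloudformation:GetTemplate",
    "cloudformation:DescribeStackEvents",
}
# Mutating actions worth flagging when granted on Resource "*".
WIDE_SCOPE_WATCHLIST = {"cloudformation:DeleteStack"}

# Constructed, trimmed stand-in for a bootstrap action-role policy;
# it is NOT the real bootstrap-template.json.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CliPermissions", "Effect": "Allow",
         "Action": ["cloudformation:CreateChangeSet",
                    "cloudformation:DeleteChangeSet",
                    "cloudformation:DescribeChangeSet",
                    "cloudformation:DescribeStacks",
                    "cloudformation:DescribeStackEvents",
                    "cloudformation:GetTemplate"],
         "Resource": "*"},
        {"Sid": "CleanupPermissions", "Effect": "Allow",
         "Action": "cloudformation:DeleteStack", "Resource": "*"},
    ],
})

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)

def _allow_statements(policy):
    """Accept a JSON string or a parsed policy; keep only Allow statements."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    return [s for s in doc["Statement"] if s.get("Effect") == "Allow"]

def missing_cli_actions(policy):
    """Required read-only actions no Allow statement grants (wildcards not expanded)."""
    granted = {a for s in _allow_statements(policy)
               for a in _as_list(s.get("Action", []))}
    return sorted(CLI_READ_ONLY_ACTIONS - granted)

def wide_mutating_statements(policy):
    """Sids of Allow statements granting a watched mutating action on Resource '*'."""
    return [s.get("Sid", "<no Sid>") for s in _allow_statements(policy)
            if "*" in _as_list(s.get("Resource", []))
            and WIDE_SCOPE_WATCHLIST & set(_as_list(s.get("Action", [])))]
```

Run the two checks against a real bootstrap template before and after the change to confirm the read-only actions are present and to list the statements whose Resource scope deserves a second look.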

@skinny85 skinny85 added the pr-linter/exempt-readme label (The PR linter will not require README changes) Mar 12, 2020
@skinny85 skinny85 force-pushed the feat/bootstrap-cli-cfn-perms branch from c8c98fa to 9d8a87f March 13, 2020 21:16
@skinny85 skinny85 added the pr-linter/exempt-test label (The PR linter will not require test changes) Mar 13, 2020
@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 9d8a87f
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)


@ddeboer

ddeboer commented Mar 15, 2020

Ran into the … is not authorized to perform: cloudformation:GetTemplate error as well, so would be nice to have this merged.

In the meantime, is there a workaround?

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 6554738
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)


@mergify
Contributor

mergify bot commented Mar 17, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 52fd078 into aws:master Mar 17, 2020
@skinny85 skinny85 deleted the feat/bootstrap-cli-cfn-perms branch March 17, 2020 19:17