@akazakou akazakou commented Jan 22, 2026

Description

Implements the feature requested in #284 to apply a permissions boundary to all bootstrap roles, not just the CloudFormation execution role.

Changes

CloudFormation Bootstrap Template

  • Added PermissionsBoundaryAllRoles parameter (default: 'false')
  • Added ApplyPermissionsBoundaryToAllRoles condition
  • Added PermissionsBoundary property to 4 roles:
    • FilePublishingRole
    • ImagePublishingRole
    • LookupRole
    • DeploymentActionRole

CLI Configuration

  • Added --permissions-boundary-all-roles option with type boolean and default false

CLI Logic

  • Added warning when --permissions-boundary-all-roles is used without --custom-permissions-boundary or --example-permissions-boundary
  • Passes the parameter to the bootstrap function

Bootstrap Props & Environment

  • Added permissionsBoundaryAllRoles?: boolean to BootstrappingParameters interface
  • Added mapping of PermissionsBoundaryAllRoles parameter to CloudFormation

Public API

  • Added permissionsBoundaryAllRoles?: boolean to public BootstrapParameters interface in @aws-cdk/toolkit-lib

Tests

  • Added 11 comprehensive unit tests in bootstrap2.test.ts:
    • Parameter passing (true/false/default values)
    • Warning display when flag is used without a permissions boundary
    • No warning when used with customPermissionsBoundary or examplePermissionsBoundary
    • Template contains PermissionsBoundaryAllRoles parameter
    • Template contains ApplyPermissionsBoundaryToAllRoles condition
    • Additional roles have conditional PermissionsBoundary property
    • CloudFormationExecutionRole continues to use PermissionsBoundarySet condition (backward compatible)
  • Updated existing tests in bootstrap.test.ts to include the new parameter

Usage

cdk bootstrap --custom-permissions-boundary my-policy --permissions-boundary-all-roles

This will apply the permissions boundary to ALL bootstrap roles (FilePublishingRole, ImagePublishingRole, LookupRole, DeploymentActionRole, and CloudFormationExecutionRole) instead of just the CloudFormationExecutionRole.

Testing

  • Build compiles successfully (yarn nx run aws-cdk:compile)
  • Lint checks pass (yarn nx run aws-cdk:eslint)
  • All bootstrap tests pass
  • All toolkit-lib tests pass (1291 tests)

Closes #284

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
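The description above lists a template parameter, a condition and a conditional PermissionsBoundary property on each role, plus a CLI warning, but shows none of them. What follows is an added example, not code from this PR or from the CDK project: a toy CloudFormation template in the shape the PR describes, a small resolver that evaluates its conditions for a given set of parameter values (going a little beyond the text so that the three interesting cases can actually be exercised), and the CLI-side warning check. The InputPermissionsBoundary parameter, the PermissionsBoundarySet condition and the boundary ARN form are assumptions modelled on the public CDK bootstrap template; the pseudo-parameter values and the policy name are constructed. Gating ApplyPermissionsBoundaryToAllRoles on PermissionsBoundarySet as well as on the flag is this example's design choice, not necessarily the PR's.

```typescript
// Added example (not this PR's or the CDK project's code). Parameter and
// condition names follow the PR description; InputPermissionsBoundary,
// PermissionsBoundarySet and the ARN form are assumptions modelled on the
// public CDK bootstrap template; pseudo-parameter values are constructed.

type Json = any;

interface Template {
  Parameters: Record<string, { Type: string; Default?: string }>;
  Conditions: Record<string, Json>;
  Resources: Record<string, Json>;
}

type Params = Record<string, string>;

// Constructed stand-ins for CloudFormation pseudo parameters.
const PSEUDO: Record<string, string | undefined> = {
  'AWS::Partition': 'aws',
  'AWS::AccountId': '123456789012',
};

const BOUNDARY_ARN = {
  'Fn::Sub': 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${InputPermissionsBoundary}',
};

/** An IAM role whose PermissionsBoundary is present only when `condition` holds. */
function roleWithBoundary(condition: string): Json {
  return {
    Type: 'AWS::IAM::Role',
    Properties: {
      AssumeRolePolicyDocument: { Version: '2012-10-17', Statement: [] },
      PermissionsBoundary: { 'Fn::If': [condition, BOUNDARY_ARN, { Ref: 'AWS::NoValue' }] },
    },
  };
}

export const template: Template = {
  Parameters: {
    InputPermissionsBoundary: { Type: 'String', Default: '' },
    PermissionsBoundaryAllRoles: { Type: 'String', Default: 'false' },
  },
  Conditions: {
    PermissionsBoundarySet: {
      'Fn::Not': [{ 'Fn::Equals': [{ Ref: 'InputPermissionsBoundary' }, ''] }],
    },
    // Widen to every role only when a boundary is actually set AND the flag is on,
    // so the flag alone can never emit an ARN ending in "policy/" and break the stack.
    ApplyPermissionsBoundaryToAllRoles: {
      'Fn::And': [
        { Condition: 'PermissionsBoundarySet' },
        { 'Fn::Equals': [{ Ref: 'PermissionsBoundaryAllRoles' }, 'true'] },
      ],
    },
  },
  Resources: {
    CloudFormationExecutionRole: roleWithBoundary('PermissionsBoundarySet'), // unchanged behaviour
    FilePublishingRole: roleWithBoundary('ApplyPermissionsBoundaryToAllRoles'),
    ImagePublishingRole: roleWithBoundary('ApplyPermissionsBoundaryToAllRoles'),
    LookupRole: roleWithBoundary('ApplyPermissionsBoundaryToAllRoles'),
    DeploymentActionRole: roleWithBoundary('ApplyPermissionsBoundaryToAllRoles'),
  },
};

/** Resolve a string literal or a Ref to a template parameter (Default applies when unset). */
function resolveValue(tpl: Template, v: Json, params: Params): string {
  if (typeof v === 'string') return v;
  if (v.Ref) {
    const p = tpl.Parameters[v.Ref];
    if (!p) throw new Error(`unknown parameter ${v.Ref}`);
    return params[v.Ref] ?? p.Default ?? '';
  }
  throw new Error(`unsupported value: ${JSON.stringify(v)}`);
}

/** Evaluate the subset of intrinsic condition functions used in the template above. */
function evalCondition(tpl: Template, expr: Json, params: Params): boolean {
  if (expr.Condition) return evalCondition(tpl, tpl.Conditions[expr.Condition], params);
  if (expr['Fn::Not']) return !evalCondition(tpl, expr['Fn::Not'][0], params);
  if (expr['Fn::And']) return expr['Fn::And'].every((e: Json) => evalCondition(tpl, e, params));
  if (expr['Fn::Equals']) {
    const [a, b] = expr['Fn::Equals'].map((e: Json) => resolveValue(tpl, e, params));
    return a === b;
  }
  throw new Error(`unsupported condition: ${JSON.stringify(expr)}`);
}

/** Map each IAM role to the boundary ARN it would get, or null when Fn::If yields AWS::NoValue. */
export function resolveBoundaries(tpl: Template, params: Params): Record<string, string | null> {
  const out: Record<string, string | null> = {};
  for (const [name, res] of Object.entries(tpl.Resources)) {
    if (res.Type !== 'AWS::IAM::Role') continue;
    const [cond, whenSet] = res.Properties.PermissionsBoundary['Fn::If'];
    out[name] = evalCondition(tpl, tpl.Conditions[cond], params)
      ? whenSet['Fn::Sub'].replace(/\$\{([^}]+)\}/g,
          (_: string, key: string) => PSEUDO[key] ?? resolveValue(tpl, { Ref: key }, params))
      : null;
  }
  return out;
}

/** CLI-side check mirroring the PR's warning: the flag is a no-op without a boundary. */
export function bootstrapFlagWarning(opts: {
  permissionsBoundaryAllRoles?: boolean;
  customPermissionsBoundary?: string;
  examplePermissionsBoundary?: boolean;
}): string | undefined {
  if (opts.permissionsBoundaryAllRoles && !opts.customPermissionsBoundary && !opts.examplePermissionsBoundary) {
    return '--permissions-boundary-all-roles has no effect without --custom-permissions-boundary or --example-permissions-boundary';
  }
  return undefined;
}
```

Three parameter combinations are worth checking against this model: boundary set and flag `'true'` gives all five roles the boundary; boundary set with the flag left at its default keeps it on CloudFormationExecutionRole only, which is the backward-compatible case the PR's tests describe; flag `'true'` with no boundary leaves every role without one, which is exactly why the CLI warning exists.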

Implements the feature requested in aws#284 to apply permissions boundary
to all bootstrap roles, not just the CloudFormation execution role.

Changes:
- Add PermissionsBoundaryAllRoles parameter to bootstrap template
- Add ApplyPermissionsBoundaryToAllRoles condition
- Apply permissions boundary to FilePublishingRole, ImagePublishingRole,
  LookupRole, and DeploymentActionRole when flag is set
- Add --permissions-boundary-all-roles CLI option (default: false)
- Display warning when flag is used without --custom-permissions-boundary
  or --example-permissions-boundary
- Update tests to include new parameter

Closes aws#284
Moves the --permissions-boundary-all-roles warning from cli.ts to
bootstrap-environment.ts to follow the existing parameter validation
pattern in the modernBootstrap function.
- Test parameter passing (true/false/default)
- Test warning when used without permissions boundary
- Test no warning with customPermissionsBoundary or examplePermissionsBoundary
- Test template contains PermissionsBoundaryAllRoles parameter
- Test template contains ApplyPermissionsBoundaryToAllRoles condition
- Test PermissionsBoundary on additional roles with condition
- Test CloudFormationExecutionRole uses PermissionsBoundarySet condition

Development

Successfully merging this pull request may close these issues.

Apply PermissionBoundary to all bootstrap roles (for easier self-service bootstrapping under existing boundary)