From ec95e00c3cdbde0442eb6e0cf8c50879a70f0f67 Mon Sep 17 00:00:00 2001
From: Wanxian Yang
Date: Fri, 5 Apr 2024 17:06:48 -0700
Subject: [PATCH 1/2] add list stacks permission to env manager role
---
 .../environment/partials/environment-manager-role.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/internal/pkg/template/templates/environment/partials/environment-manager-role.yml b/internal/pkg/template/templates/environment/partials/environment-manager-role.yml
index 15c3053ee64..9b94381c659 100644
--- a/internal/pkg/template/templates/environment/partials/environment-manager-role.yml
+++ b/internal/pkg/template/templates/environment/partials/environment-manager-role.yml
@@ -313,6 +313,11 @@ EnvironmentManagerRole:
 - 'cloudformation:DeleteStack'
 Resource:
 - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*'
+ - Sid: ListStacks
+ Effect: Allow
+ Action:
+ - 'cloudformation:ListStacks'
+ Resource: "*"
 - Sid: RDS
 Effect: Allow
 Action:
From 1eff71435f8c3a9bedd742a9af97f09f9091fd27 Mon Sep 17 00:00:00 2001
From: Wanxian Yang
Date: Mon, 8 Apr 2024 10:08:08 -0700
Subject: [PATCH 2/2] fix test
---
 .../testdata/environments/template-with-basic-manifest.yml | 5 +++++
 .../environments/template-with-cloudfront-observability.yml | 5 +++++
 .../environments/template-with-custom-security-group.yml | 5 +++++
 .../environments/template-with-default-access-log-config.yml | 5 +++++
 .../environments/template-with-defaultvpc-flowlogs.yml | 5 +++++
 ...-imported-certs-sslpolicy-custom-empty-security-group.yml | 5 +++++
 .../environments/template-with-importedvpc-flowlogs.yml | 5 +++++
 7 files changed, 35 insertions(+)
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-basic-manifest.yml b/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-basic-manifest.yml
index fe981688528..dc78bfd307c 100644
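Review bot: The new `ListStacks` statement in environment-manager-role.yml grants `cloudformation:ListStacks` on `Resource: "*"` with no comment saying why the wildcard is there or what the role needs the action for. `ListStacks` does not support resource-level permissions, so the wildcard cannot be narrowed to the `stack/${AWS::StackName}/*` ARN used by the statement just above; the effect is that the role can enumerate the names and statuses of every stack in the account and Region, not only this environment's. I would record that above the statement, e.g. `# ListStacks has no resource-level scoping; "*" is required and exposes stack summaries account-wide.` The quoting also differs from the single-quoted scalars around it, and `Resource: '*'` would match them. The role's statement list starts and ends outside the hunk, so any scoping the rest of the policy applies is not visible here.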
--- a/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-basic-manifest.yml
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-basic-manifest.yml
@@ -387,6 +387,11 @@ Resources:
 - 'cloudformation:DeleteStack'
 Resource:
 - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*'
+ - Sid: ListStacks
+ Effect: Allow
+ Action:
+ - 'cloudformation:ListStacks'
+ Resource: "*"
 - Sid: RDS
 Effect: Allow
 Action:
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-cloudfront-observability.yml b/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-cloudfront-observability.yml
index 85919f89cb6..e2932ba41a3 100644
--- a/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-cloudfront-observability.yml
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-cloudfront-observability.yml
@@ -1045,6 +1045,11 @@ Resources:
 - 'cloudformation:DeleteStack'
 Resource:
 - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*'
+ - Sid: ListStacks
+ Effect: Allow
+ Action:
+ - 'cloudformation:ListStacks'
+ Resource: "*"
 - Sid: RDS
 Effect: Allow
 Action:
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-custom-security-group.yml b/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-custom-security-group.yml
index b7a4e5b6aa5..503648f2be9 100644
--- a/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-custom-security-group.yml
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-custom-security-group.yml
@@ -921,6 +921,11 @@ Resources:
 - 'cloudformation:DeleteStack'
 Resource:
 - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*'
+ - Sid: ListStacks
+ Effect: Allow
+ Action:
+ - 'cloudformation:ListStacks'
+ Resource: "*"
 - Sid: RDS
 Effect: Allow
 Action:
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-default-access-log-config.yml b/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-default-access-log-config.yml
index d1f20588b97..5bf2c8f65e8 100644
--- a/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-default-access-log-config.yml
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-default-access-log-config.yml
@@ -449,6 +449,11 @@ Resources:
 - 'cloudformation:DeleteStack'
 Resource:
 - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*'
+ - Sid: ListStacks
+ Effect: Allow
+ Action:
+ - 'cloudformation:ListStacks'
+ Resource: "*"
 - Sid: RDS
 Effect: Allow
 Action:
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-defaultvpc-flowlogs.yml b/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-defaultvpc-flowlogs.yml
index 2a6771d2c77..4e87fbe78a0 100644
--- a/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-defaultvpc-flowlogs.yml
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-defaultvpc-flowlogs.yml
@@ -392,6 +392,11 @@ Resources:
 - 'cloudformation:DeleteStack'
 Resource:
 - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*'
+ - Sid: ListStacks
+ Effect: Allow
+ Action:
+ - 'cloudformation:ListStacks'
+ Resource: "*"
 - Sid: RDS
 Effect: Allow
 Action:
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-imported-certs-sslpolicy-custom-empty-security-group.yml b/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-imported-certs-sslpolicy-custom-empty-security-group.yml
index ea8c9e81abe..36f3e807f82 100644
--- a/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-imported-certs-sslpolicy-custom-empty-security-group.yml
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-imported-certs-sslpolicy-custom-empty-security-group.yml
@@ -898,6 +898,11 @@ Resources:
 - 'cloudformation:DeleteStack'
 Resource:
 - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*'
+ - Sid: ListStacks
+ Effect: Allow
+ Action:
+ - 'cloudformation:ListStacks'
+ Resource: "*"
 - Sid: RDS
 Effect: Allow
 Action:
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-importedvpc-flowlogs.yml b/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-importedvpc-flowlogs.yml
index 7109d68a9c9..01ef9df8868 100644
--- a/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-importedvpc-flowlogs.yml
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-importedvpc-flowlogs.yml
@@ -399,6 +399,11 @@ Resources:
 - 'cloudformation:DeleteStack'
 Resource:
 - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*'
+ - Sid: ListStacks
+ Effect: Allow
+ Action:
+ - 'cloudformation:ListStacks'
+ Resource: "*"
 - Sid: RDS
 Effect: Allow
 Action: