chore: Update CloudFormation template for AWS policies (webiny#1783)
* chore: add custom policy doc

* chore: update custom policy doc

* chore: add permission for each lambda role

* feat(api): add lambda policies for prod environment

* feat(api): add lambda policies for dev environment

* chore: add EC2 and logs permission to customPolicyForProgrammaticAccess

* chore: add resources to policy document

* chore: update IAM policies

* feat(api): update getApiGraphqlLambdaPolicy

* feat(api): update policy resources

* feat(api): update policy resources

* chore: rename policy document

* docs: add cwp policy cloudformation template

* docs: update cwp policy cloudformation template

* chore: ran prettier

* chore: update PassRole permission

* chore: update cloudformation template for AWS policy
Ashu96 authored Jul 15, 2021
1 parent 2386c5b commit dfaff2a
Showing 2 changed files with 33 additions and 6 deletions.
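--- a/docs/AWS_USER_POLICY_DOCUMENT.js
+++ b/docs/AWS_USER_POLICY_DOCUMENT.js
@@ -227,6 +227,19 @@ const policyForProgrammaticAccess = {
 "logs:UpdateLogDelivery"
 ],
 Resource: "*"
+},
+{
+Sid: "PermissionForPassRole",
+Effect: "Allow",
+Action: ["iam:PassRole"],
+Resource: [
+"arn:aws:iam::*:role/fm-lambda-role-*",
+"arn:aws:iam::*:role/pre-rendering-service-lambda-role*",
+"arn:aws:iam::*:role/dynamo-to-elastic-lambda-role-*",
+"arn:aws:iam::*:role/headless-cms-lambda-role-*",
+"arn:aws:iam::*:role/pb-update-settings-lambda-role-*",
+"arn:aws:iam::*:role/api-lambda-role-*"
+]
 }
 ]
 };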
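Review bot: The new PermissionForPassRole statement lets the policy holder pass the matched roles to any AWS service that accepts a role, not only Lambda, because it carries no condition; since every listed role name is a `lambda-role`, add `Condition: { StringEquals: { "iam:PassedToService": "lambda.amazonaws.com" } }` to the statement so the roles cannot be attached to another principal such as an EC2 instance or ECS task that the same user may also be allowed to create (the commit message mentions EC2 permissions elsewhere in this policy, which are outside the hunk). The pattern `pre-rendering-service-lambda-role*` lacks the trailing `-` that the other five entries have, so it matches more role names than its siblings; if that is unintentional, change it to `pre-rendering-service-lambda-role-*`. The `policyForProgrammaticAccess` object starts before this hunk.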
26 changes: 20 additions & 6 deletions docs/CWP_POLICY_CLOUDFORMATION_TEMPLATE.json
@@ -1,14 +1,15 @@
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Create an IAM group with required permissions for a Webiny project and add it to a given IAM user.",
"Parameters": {
"UserName": {
"Username": {
"Type": "String",
"Description": "Name of an existing User to which this policy will be attached",
"Description": "Name of an existing IAM user to be added to the group.",
"AllowedPattern": ".+"
}
},
"Resources": {
"TheGroup": {
"CwpGroup": {
"Type": "AWS::IAM::Group",
"Properties": {
"GroupName": "CreateWebinyProjectAccessGroup",
@@ -237,22 +238,35 @@
"logs:UpdateLogDelivery"
],
"Resource": "*"
},
{
"Sid": "PermissionForPassRole",
"Effect": "Allow",
"Action": ["iam:PassRole"],
"Resource": [
"arn:aws:iam::*:role/fm-lambda-role-*",
"arn:aws:iam::*:role/pre-rendering-service-lambda-role*",
"arn:aws:iam::*:role/dynamo-to-elastic-lambda-role-*",
"arn:aws:iam::*:role/headless-cms-lambda-role-*",
"arn:aws:iam::*:role/pb-update-settings-lambda-role-*",
"arn:aws:iam::*:role/api-lambda-role-*"
]
}
]
}
}
]
}
},
"TheUserToGroup": {
"CwpUserToGroup": {
"Type": "AWS::IAM::UserToGroupAddition",
"Properties": {
"GroupName": {
"Ref": "TheGroup"
"Ref": "CwpGroup"
},
"Users": [
{
"Ref": "UserName"
"Ref": "Username"
}
]
}
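Review bot: The PermissionForPassRole statement added to the CwpGroup policy (the block starting at `"Action": ["iam:PassRole"]`) has no `iam:PassedToService` condition, so a member of CreateWebinyProjectAccessGroup can hand these Lambda execution roles to any service that accepts a role rather than only to Lambda; add `"Condition": { "StringEquals": { "iam:PassedToService": "lambda.amazonaws.com" } }` to the statement to pin it. The role ARNs use `*` for the account id, which is mostly harmless for PassRole since a role is passed within the caller's own account, but `{ "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/api-lambda-role-*" }` would make the intended scope explicit in the template. `pre-rendering-service-lambda-role*` is also missing the trailing `-` that the other five patterns carry, so it matches a wider set of names; confirm whether that is deliberate. The policy document and the CwpGroup resource begin before this hunk.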
