[Feature]: permission boundaries are missing for the nested stacks #60

Open
ThePlenkov opened this issue Jun 12, 2024 · 0 comments
@ThePlenkov

Feature Description

Hi!
Our company setup requires stacks to inherit permission boundaries.
It works with CDK for the main stack like:


    // Forcing all roles created in a stack to apply permissions boundary
    const permissionsBoundary = ManagedPolicy.fromManagedPolicyArn(
      this,
      'boundary',
      `arn:aws:iam::${this.account}:policy/AdministratorAccessPermissionBoundary`,
    );
    PermissionsBoundary.of(this).apply(permissionsBoundary);
...
 const solaceStack = new CfnInclude(this, 'solace-task-definition', {
      templateFile: 'solace.template',
      parameters: {
        KeyPairName: keyPairName,
        VPCID: vpc.vpcId,
        PrivateSubnetIDs: taskSubnets.subnetIds,
        PublicSubnetIDs: [],
        SSHSecurityGroupID: sg.securityGroupId,
        RemoteAccessCIDR: '0.0.0.0/0',
        AdminPassword: secret.secretValueFromJson('password').unsafeUnwrap(),
        WorkerNodeInstanceType: `t2.small`,
        MonitorNodeInstanceType: `t2.small`,
        NumberOfAZs: 2,
      },

but for nested stacks 'EventBrokerPrimaryStack', 'MonitorStack', 'EventBrokerBackupStack', it doesn't work.

The best solution would be to provide a permission boundary parameter for NodeRole as it's described here

In this case we can probably give PB as an input parameter to CfnInclude and then solace.template would propagate this PB to nested stacks.

Does it make sense?

Use Case

Currently we're facing an error like:

Encountered a permissions error performing a tagging operation, please add required tag permissions. See https://repost.aws/knowledge-center/cloudformation-tagging-permission-error for how to resolve. Resource handler returned message: "User: arn:aws:sts::975050047728:assumed-role/TerraformDeploymentService/DeploySession is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::975050047728:role/solace-aws-MonitorStack-1LIIC6XZMB3KI-NodeRole-BDZyF4iroWPJ with an explicit deny in a service control policy (Service: Iam, Status Code: 403, Request ID: c17f8abd-4092-46d2-bad1-16e0fc857233)"

Proposed Solution

As proposed above, we suggest introducing a permission boundary parameter for both the Solace template and the node template. That would let us provide the right PBs.

Thanks!
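The following is an added example, not code from the issue author or from the Solace templates. It shows what the proposal amounts to at the template level: a single `PermissionsBoundaryArn` parameter (an assumed name) declared in the parent template, passed to each `AWS::CloudFormation::Stack` resource, redeclared in each nested template, and referenced from every `AWS::IAM::Role`. It also includes the audit a deployer would run beforehand to list the roles that would be created without a boundary (the roles an SCP like the one in the error above denies). The template contents and `TemplateURL` values are constructed; the nested stack names and the `NodeRole` logical ID follow the ones named in the issue.

```typescript
// Added example: audit-and-fix pass over CloudFormation templates held as JSON
// objects. Not from the issue or the Solace templates; template contents, the
// PermissionsBoundaryArn parameter name and TemplateURL values are constructed.

interface Resource {
  Type: string;
  Properties?: Record<string, unknown>;
}

interface Template {
  Parameters?: Record<string, { Type: string }>;
  Resources: Record<string, Resource>;
}

// Hypothetical parameter used to thread the boundary ARN through every template.
const PB_PARAM = 'PermissionsBoundaryArn';
const NESTED_STACK_IDS = ['EventBrokerPrimaryStack', 'MonitorStack', 'EventBrokerBackupStack'];

// Constructed nested template: each nested stack creates a NodeRole with no boundary.
function nodeTemplate(): Template {
  return {
    Resources: {
      NodeRole: {
        Type: 'AWS::IAM::Role',
        Properties: {
          AssumeRolePolicyDocument: {
            Version: '2012-10-17',
            Statement: [{ Effect: 'Allow', Principal: { Service: 'ec2.amazonaws.com' }, Action: 'sts:AssumeRole' }],
          },
        },
      },
    },
  };
}

// Constructed parent template with one AWS::CloudFormation::Stack per nested stack.
function parentTemplate(): Template {
  const resources: Record<string, Resource> = {};
  for (const id of NESTED_STACK_IDS) {
    resources[id] = {
      Type: 'AWS::CloudFormation::Stack',
      Properties: { TemplateURL: `https://example.invalid/${id}.template`, Parameters: {} },
    };
  }
  return { Resources: resources };
}

// Audit: every IAM role in the parent or a nested template that has no PermissionsBoundary.
function rolesMissingBoundary(root: Template, children: Record<string, Template>): string[] {
  const missing: string[] = [];
  const visit = (tpl: Template, prefix: string): void => {
    for (const id of Object.keys(tpl.Resources)) {
      const res = tpl.Resources[id];
      if (res.Type === 'AWS::IAM::Role' && !(res.Properties && res.Properties.PermissionsBoundary)) {
        missing.push(prefix + id);
      } else if (res.Type === 'AWS::CloudFormation::Stack' && children[id]) {
        visit(children[id], prefix + id + '/');
      }
    }
  };
  visit(root, '');
  return missing;
}

// Fix: declare PB_PARAM in the parent and each nested template, pass it down through the
// stack resource's Parameters, and reference it from every role that lacks a boundary.
function propagateBoundary(root: Template, children: Record<string, Template>): void {
  const apply = (tpl: Template): void => {
    tpl.Parameters = tpl.Parameters || {};
    tpl.Parameters[PB_PARAM] = { Type: 'String' };
    for (const id of Object.keys(tpl.Resources)) {
      const res = tpl.Resources[id];
      const props = (res.Properties = res.Properties || {});
      if (res.Type === 'AWS::IAM::Role') {
        if (!props.PermissionsBoundary) props.PermissionsBoundary = { Ref: PB_PARAM };
      } else if (res.Type === 'AWS::CloudFormation::Stack' && children[id]) {
        const passed = (props.Parameters as Record<string, unknown> | undefined) || {};
        passed[PB_PARAM] = { Ref: PB_PARAM };
        props.Parameters = passed;
        apply(children[id]);
      }
    }
  };
  apply(root);
}

// Runs the audit on the constructed templates before and after the fix.
function demo(): { before: string[]; after: string[]; parent: Template; nested: Record<string, Template> } {
  const parent = parentTemplate();
  const nested: Record<string, Template> = {};
  for (const id of NESTED_STACK_IDS) nested[id] = nodeTemplate();
  const before = rolesMissingBoundary(parent, nested);
  propagateBoundary(parent, nested);
  const after = rolesMissingBoundary(parent, nested);
  return { before, after, parent, nested };
}

const result = demo();
console.log('missing before fix:', result.before, 'missing after fix:', result.after);
```

The audit walks nested stacks by logical ID, so the same check can be run over the rendered CDK output before deployment to confirm that no role in any nested template is created without a boundary. The fix deliberately leaves an existing `PermissionsBoundary` untouched and only fills in the missing ones, so a template that already pins a boundary keeps it.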
