Merge pull request #43 from aligent/fix/compress_iam_role_policy
Fix/compress iam role policy
crispy101 authored May 1, 2024
2 parents 137ca96 + 2141a5c commit b8308d2
Showing 2 changed files with 21 additions and 122 deletions.
104 changes: 14 additions & 90 deletions packages/serverless-deploy-iam/bin/app.ts
Expand Up @@ -111,22 +111,7 @@ export class ServiceDeployIAM extends cdk.Stack {
`:log-stream:*`,
`${serviceName}*`,
],
actions: [
"logs:CreateLogGroup",
"logs:DescribeLogGroups",
"logs:DeleteLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogStreams",
"logs:DeleteLogStream",
"logs:FilterLogEvents",
"logs:TagResource",
"logs:UntagResource",
"logs:DescribeMetricFilters",
"logs:PutMetricFilter",
"logs:ListTagsForResource",
"logs:PutDataProtectionPolicy",
"logs:UpdateDataProtectionPolicy",
],
actions: ["logs:*"],
},
{
name: "CLOUD_WATCH",
Expand All @@ -138,17 +123,11 @@ export class ServiceDeployIAM extends cdk.Stack {
prefix: `arn:aws:cloudwatch:${region}:${accountId}:alarm:`,
qualifiers: [`TaskTimedOutAlarm`, `${serviceName}*`],
actions: [
"cloudwatch:ListMetrics",
"cloudwatch:ListMetricStreams",
"cloudwatch:ListTagsForResource",
"cloudwatch:ListDashboards",
"cloudwatch:List*",
"cloudwatch:DescribeAlarms",
"cloudwatch:DeleteAlarms",
"cloudwatch:EnableAlarmActions",
"cloudwatch:PutMetricAlarm",
"cloudwatch:PutDashboard",
"cloudwatch:PutMetricData",
"cloudwatch:PutMetricStream",
"cloudwatch:Put*",
"cloudwatch:SetAlarmState",
"cloudwatch:TagResource",
"cloudwatch:StartMetricStreams",
Expand All @@ -159,34 +138,7 @@ export class ServiceDeployIAM extends cdk.Stack {
name: "LAMBDA",
prefix: `arn:aws:lambda:${region}:${accountId}:function:`,
qualifiers: [`${serviceName}*`],
actions: [
"lambda:GetFunction",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:UpdateFunctionConfiguration",
"lambda:UpdateFunctionCode",
"lambda:ListVersionsByFunction",
"lambda:PublishVersion",
"lambda:CreateAlias",
"lambda:DeleteAlias",
"lambda:UpdateAlias",
"lambda:GetFunctionConfiguration",
"lambda:AddPermission",
"lambda:RemovePermission",
"lambda:InvokeFunction",
"lambda:ListTags",
"lambda:TagResource",
"lambda:UntagResource",
"lambda:PutFunctionConcurrency",
"lambda:DeleteEventSourceMapping",
"lambda:UpdateEventSourceMapping",
"lambda:CreateFunctionUrlConfig",
"lambda:DeleteFunctionUrlConfig",
"lambda:GetFunctionUrlConfig",
"lambda:ListFunctionUrlConfigs",
"lambda:UpdateFunctionUrlConfig",
"lambda:DeleteFunctionConcurrency",
],
actions: ["lambda:*"],
},
{
name: "LAMBDA",
Expand Down Expand Up @@ -335,15 +287,9 @@ export class ServiceDeployIAM extends cdk.Stack {
actions: [
"cognito-sync:BulkPublish",
"cognito-sync:DeleteDataset",
"cognito-sync:DescribeDataset",
"cognito-sync:DescribeIdentityPoolUsage",
"cognito-sync:DescribeIdentityUsage",
"cognito-sync:GetBulkPublishDetails",
"cognito-sync:GetCognitoEvents",
"cognito-sync:GetIdentityPoolConfiguration",
"cognito-sync:ListDatasets",
"cognito-sync:ListIdentityPoolUsage",
"cognito-sync:ListRecords",
"cognito-sync:Describe*",
"cognito-sync:Get*",
"cognito-sync:List*",
"cognito-sync:QueryRecords",
"cognito-sync:RegisterDevice",
"cognito-sync:SetCognitoEvents",
Expand All @@ -355,17 +301,9 @@ export class ServiceDeployIAM extends cdk.Stack {
"cognito-identity:CreateIdentityPool",
"cognito-identity:DeleteIdentities",
"cognito-identity:DeleteIdentityPool",
"cognito-identity:DescribeIdentity",
"cognito-identity:DescribeIdentityPool",
"cognito-identity:GetCredentialsForIdentity",
"cognito-identity:GetId",
"cognito-identity:GetIdentityPoolRoles",
"cognito-identity:GetOpenIdToken",
"cognito-identity:GetOpenIdTokenForDeveloperIdentity",
"cognito-identity:GetPrincipalTagAttributeMap",
"cognito-identity:ListIdentities",
"cognito-identity:ListIdentityPools",
"cognito-identity:ListTagsForResource",
"cognito-identity:Describe*",
"cognito-identity:Get*",
"cognito-identity:List*",
"cognito-identity:LookupDeveloperIdentity",
"cognito-identity:MergeDeveloperIdentities",
"cognito-identity:SetIdentityPoolRoles",
Expand All @@ -381,17 +319,7 @@ export class ServiceDeployIAM extends cdk.Stack {
name: "COGNITO_IDP",
prefix: `arn:aws:cognito-idp:${region}:${accountId}:userpool`,
qualifiers: [`${serviceName}*`, `${region}_*`],
actions: [
"cognito-idp:Create*",
"cognito-idp:Delete*",
"cognito-idp:Describe*",
"cognito-idp:Get*",
"cognito-idp:List*",
"cognito-idp:Set*",
"cognito-idp:TagResource",
"cognito-idp:UntagResource",
"cognito-idp:Update*",
],
actions: ["cognito-idp:*"],
},
{
name: "COGNITO_IDP_CREATEUSERPOOL",
Expand Down Expand Up @@ -509,18 +437,14 @@ export class ServiceDeployIAM extends cdk.Stack {
qualifiers: [`${serviceName}*`],
actions: [
"cloudformation:CreateStack",
"cloudformation:DescribeStacks",
"cloudformation:Describe*",
"cloudformation:List*",
"cloudformation:Get*",
"cloudformation:DeleteStack",
"cloudformation:DescribeStackEvents",
"cloudformation:UpdateStack",
"cloudformation:ExecuteChangeSet",
"cloudformation:CreateChangeSet",
"cloudformation:DeleteChangeSet",
"cloudformation:DescribeChangeSet",
"cloudformation:ListStackResources",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"cloudformation:GetTemplate",
],
},
{
Expand Down
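Review bot: `actions: ["cognito-idp:*"]` on L152 is a least-privilege regression for a deploy role: the previous prefix list (`Create*`, `Delete*`, `Describe*`, `Get*`, `List*`, `Set*`, `Update*`, tagging) never matched the `cognito-idp:Admin*` user-management actions (AdminSetUserPassword, AdminInitiateAuth, AdminAddUserToGroup, …), and with the `${region}_*` qualifier on L140 the resource appears to cover every user pool in the region, since pool IDs take the form `<region>_<id>`, so the role effectively becomes a region-wide Cognito user administrator. `logs:*` on L37 likewise picks up actions the enumerated list did not include, such as `logs:PutSubscriptionFilter` (can forward log data to a destination outside this stack) and `logs:DeleteDataProtectionPolicy`. The cognito-idp entry was already compact, so I would keep the seven prefix wildcards plus `cognito-idp:TagResource`/`cognito-idp:UntagResource` there rather than collapse to `*`; for logs, either keep the explicit list or, if the statement helper supports a Deny effect (not visible in this hunk), pair the wildcard with an explicit deny on the sensitive actions. The `cloudwatch:List*`/`Put*`, `cognito-sync` and `cloudformation` read-prefix wildcards look acceptable since they are read-only or constrained by the alarm/stack ARN prefixes shown on L42 and L157.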
39 changes: 7 additions & 32 deletions packages/serverless-deploy-iam/test/deploy-role.test.ts
Expand Up @@ -55,18 +55,14 @@ describe("Deploy user policy", () => {
objectLike({
Action: [
"cloudformation:CreateStack",
"cloudformation:DescribeStacks",
"cloudformation:Describe*",
"cloudformation:List*",
"cloudformation:Get*",
"cloudformation:DeleteStack",
"cloudformation:DescribeStackEvents",
"cloudformation:UpdateStack",
"cloudformation:ExecuteChangeSet",
"cloudformation:CreateChangeSet",
"cloudformation:DeleteChangeSet",
"cloudformation:DescribeChangeSet",
"cloudformation:ListStackResources",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"cloudformation:GetTemplate",
],
Effect: "Allow",
Resource: [
Expand Down Expand Up @@ -148,7 +144,7 @@ describe("Deploy user policy", () => {
);
});

test("has correct CloudWatch permissions", () => {
test("has correct CloudWatch logs permissions", () => {
const app = new cdk.App();
const stack = new ServiceDeployIAM(app, "jest-deploy-iam");
expectCDK(stack).to(
Expand All @@ -157,22 +153,7 @@ describe("Deploy user policy", () => {
PolicyDocument: {
Statement: arrayWith(
objectLike({
Action: [
"logs:CreateLogGroup",
"logs:DescribeLogGroups",
"logs:DeleteLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogStreams",
"logs:DeleteLogStream",
"logs:FilterLogEvents",
"logs:TagResource",
"logs:UntagResource",
"logs:DescribeMetricFilters",
"logs:PutMetricFilter",
"logs:ListTagsForResource",
"logs:PutDataProtectionPolicy",
"logs:UpdateDataProtectionPolicy",
],
Action: "logs:*",
Effect: "Allow",
Resource: [
{
Expand Down Expand Up @@ -278,17 +259,11 @@ describe("Deploy user policy", () => {
Statement: arrayWith(
objectLike({
Action: [
"cloudwatch:ListMetrics",
"cloudwatch:ListMetricStreams",
"cloudwatch:ListTagsForResource",
"cloudwatch:ListDashboards",
"cloudwatch:List*",
"cloudwatch:DescribeAlarms",
"cloudwatch:DeleteAlarms",
"cloudwatch:EnableAlarmActions",
"cloudwatch:PutMetricAlarm",
"cloudwatch:PutDashboard",
"cloudwatch:PutMetricData",
"cloudwatch:PutMetricStream",
"cloudwatch:Put*",
"cloudwatch:SetAlarmState",
"cloudwatch:TagResource",
"cloudwatch:StartMetricStreams",
Expand Down
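Review bot: The rewritten expectation on L232 (`Action: "logs:*"`) makes the test a guard that the wildcard is present, so the suite now passes exactly when the role is broader than before and would not catch a further widening such as `cognito-idp:*` over every pool. Consider adding a negative assertion over the synthesized policy document that no Allow statement carries a bare `<service>:*` action outside an explicit allowlist, or at least that no `cognito-idp:Admin*` action is granted; `haveResourceLike` with `objectLike`/`arrayWith` only expresses positive matches, so this would mean iterating the synthesized template (e.g. via `SynthUtils.toCloudFormation(stack)`, assuming it is exported by the assert package in use — not visible here). The enclosing `describe` block starts before the first hunk.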
