From 3c29abc6a7e29ca1919321245c24108306876ada Mon Sep 17 00:00:00 2001
From: Valentin Palkovic
Date: Wed, 31 Mar 2021 19:27:27 +0200
Subject: [PATCH] Replace deprecated AWS managed policy for codedeploy (#116)

After March 1, 2021, the AWS managed policies AWSLambdaReadOnlyAccess and AWSLambdaFullAccess will be deprecated and can no longer be attached to new IAM users. AWS Lambda has introduced a new AWS managed policy. The AWSLambda_FullAccess policy grants full access to Lambda, Lambda console features, and other related AWS services. This policy was created by scoping down the previous policy AWSLambdaFullAccess. fixes #115
---
 fixtures/1.output.json | 2 +-
 fixtures/10.output.v2-websocket.json | 2 +-
 fixtures/11.output.v2-websocket-authorizer.json | 2 +-
 fixtures/12.output-with-permissions-boundary.json | 2 +-
 fixtures/13.output.multiple-function-hooks.json | 2 +-
 fixtures/2.output.without-hooks.json | 2 +-
 fixtures/5.output.with-trigger.json | 2 +-
 fixtures/6.output.cloudwatch-events-trigger.json | 2 +-
 fixtures/7.output.cloudwatch-logs-trigger.json | 2 +-
 fixtures/8.output.sns-subscriptions-trigger.json | 2 +-
 fixtures/9.output.iot-topic-rule.json | 2 +-
 lib/CfTemplateGenerators/Iam.js | 2 +-
 lib/CfTemplateGenerators/Iam.test.js | 8 ++++----
 13 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/fixtures/1.output.json b/fixtures/1.output.json
index 914ebb6..6d5288b 100644
--- a/fixtures/1.output.json
+++ b/fixtures/1.output.json
@@ -515,7 +515,7 @@
 "Properties": {
 "ManagedPolicyArns": [
 "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
- "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
+ "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
 ],
 "AssumeRolePolicyDocument": {
 "Version": "2012-10-17",
diff --git a/fixtures/10.output.v2-websocket.json b/fixtures/10.output.v2-websocket.json
index 4e4ac13..61f76ce 100644
--- a/fixtures/10.output.v2-websocket.json
+++ b/fixtures/10.output.v2-websocket.json
@@ -829,7 +829,7 @@
 "Properties": {
 "ManagedPolicyArns": [
 "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
- "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
+ "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
 ],
 "AssumeRolePolicyDocument": {
 "Version": "2012-10-17",
diff --git a/fixtures/11.output.v2-websocket-authorizer.json b/fixtures/11.output.v2-websocket-authorizer.json
index 38bd478..0d3a456 100644
--- a/fixtures/11.output.v2-websocket-authorizer.json
+++ b/fixtures/11.output.v2-websocket-authorizer.json
@@ -926,7 +926,7 @@
 "Properties": {
 "ManagedPolicyArns": [
 "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
- "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
+ "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
 ],
 "AssumeRolePolicyDocument": {
 "Version": "2012-10-17",
diff --git a/fixtures/12.output-with-permissions-boundary.json b/fixtures/12.output-with-permissions-boundary.json
index 27eba2f..bac9d99 100644
--- a/fixtures/12.output-with-permissions-boundary.json
+++ b/fixtures/12.output-with-permissions-boundary.json
@@ -504,7 +504,7 @@
 "Properties": {
 "ManagedPolicyArns": [
 "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
- "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
+ "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
 ],
 "AssumeRolePolicyDocument": {
 "Version": "2012-10-17",
diff --git a/fixtures/13.output.multiple-function-hooks.json b/fixtures/13.output.multiple-function-hooks.json
index c4e9761..9cd7aa2 100644
--- a/fixtures/13.output.multiple-function-hooks.json
+++ b/fixtures/13.output.multiple-function-hooks.json
@@ -290,7 +290,7 @@
 "Properties": {
 "ManagedPolicyArns": [
 "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
- "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
+ "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
 ],
 "AssumeRolePolicyDocument": {
 "Version": "2012-10-17",
diff --git a/fixtures/2.output.without-hooks.json b/fixtures/2.output.without-hooks.json
index cc4248e..9a86dc4 100644
--- a/fixtures/2.output.without-hooks.json
+++ b/fixtures/2.output.without-hooks.json
@@ -371,7 +371,7 @@
 "Properties": {
 "ManagedPolicyArns": [
 "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
- "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
+ "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
 ],
 "AssumeRolePolicyDocument": {
 "Version": "2012-10-17",
diff --git a/fixtures/5.output.with-trigger.json b/fixtures/5.output.with-trigger.json
index 1f78aee..f68ee37 100644
--- a/fixtures/5.output.with-trigger.json
+++ b/fixtures/5.output.with-trigger.json
@@ -515,7 +515,7 @@
 "Properties": {
 "ManagedPolicyArns": [
 "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
- "arn:aws:iam::aws:policy/AWSLambdaFullAccess",
+ "arn:aws:iam::aws:policy/AWSLambda_FullAccess",
 "arn:aws:iam::aws:policy/AmazonSNSFullAccess"
 ],
 "AssumeRolePolicyDocument": {
diff --git a/fixtures/6.output.cloudwatch-events-trigger.json b/fixtures/6.output.cloudwatch-events-trigger.json
index 28ccd39..302ae2b 100644
--- a/fixtures/6.output.cloudwatch-events-trigger.json
+++ b/fixtures/6.output.cloudwatch-events-trigger.json
@@ -314,7 +314,7 @@
 "Properties": {
 "ManagedPolicyArns": [
 "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
- "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
+ "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
 ],
 "AssumeRolePolicyDocument": {
 "Version": "2012-10-17",
diff --git a/fixtures/7.output.cloudwatch-logs-trigger.json b/fixtures/7.output.cloudwatch-logs-trigger.json
index c4451b0..79ac0de 100644
--- a/fixtures/7.output.cloudwatch-logs-trigger.json
+++ b/fixtures/7.output.cloudwatch-logs-trigger.json
@@ -307,7 +307,7 @@
 "Properties": {
 "ManagedPolicyArns": [
 "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
- "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
+ "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
 ],
 "AssumeRolePolicyDocument": {
 "Version": "2012-10-17",
diff --git a/fixtures/8.output.sns-subscriptions-trigger.json b/fixtures/8.output.sns-subscriptions-trigger.json
index 834cf4a..ac25574 100644
--- a/fixtures/8.output.sns-subscriptions-trigger.json
+++ b/fixtures/8.output.sns-subscriptions-trigger.json
@@ -244,7 +244,7 @@
 "Properties": {
 "ManagedPolicyArns": [
 "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
- "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
+ "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
 ],
 "AssumeRolePolicyDocument": {
 "Version": "2012-10-17",
diff --git a/fixtures/9.output.iot-topic-rule.json b/fixtures/9.output.iot-topic-rule.json
index 5970582..d9d12b9 100644
--- a/fixtures/9.output.iot-topic-rule.json
+++ b/fixtures/9.output.iot-topic-rule.json
@@ -718,7 +718,7 @@
 "Properties": {
 "ManagedPolicyArns": [
 "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
- "arn:aws:iam::aws:policy/AWSLambdaFullAccess",
+ "arn:aws:iam::aws:policy/AWSLambda_FullAccess",
 "arn:aws:iam::aws:policy/AmazonSNSFullAccess"
 ],
 "AssumeRolePolicyDocument": {
diff --git a/lib/CfTemplateGenerators/Iam.js b/lib/CfTemplateGenerators/Iam.js
index 2305e9b..98ffcde 100644
--- a/lib/CfTemplateGenerators/Iam.js
+++ b/lib/CfTemplateGenerators/Iam.js
@@ -3,7 +3,7 @@ const _ = require('lodash/fp')
 function buildCodeDeployRole (codeDeployRolePermissionsBoundaryArn, areTriggerConfigurationsSet) {
 const attachedPolicies = [
 'arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited',
- 'arn:aws:iam::aws:policy/AWSLambdaFullAccess'
+ 'arn:aws:iam::aws:policy/AWSLambda_FullAccess'
 ]
 if (areTriggerConfigurationsSet) {
 attachedPolicies.push('arn:aws:iam::aws:policy/AmazonSNSFullAccess')
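Review bot: In buildCodeDeployRole (lib/CfTemplateGenerators/Iam.js) the role still gets a full-access managed policy, because `AWSLambda_FullAccess` is narrower than the deprecated policy but is not limited to the functions this stack deploys. Only the policy list is visible in the hunk, so which Lambda actions the deployment really needs has to be confirmed; if it only touches the stack's own functions and aliases, an inline policy restricted to those resources would fit least privilege better. Until then I would record the trade-off on the array, for example `// TODO: AWSLambda_FullAccess applies to every function in the account; scope to this stack's functions or cap it via codeDeployRolePermissionsBoundaryArn`. The same concern applies to `AmazonSNSFullAccess`, which is pushed when areTriggerConfigurationsSet is true. The function body continues past the end of the hunk.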
diff --git a/lib/CfTemplateGenerators/Iam.test.js b/lib/CfTemplateGenerators/Iam.test.js
index d7fde61..abee18e 100644
--- a/lib/CfTemplateGenerators/Iam.test.js
+++ b/lib/CfTemplateGenerators/Iam.test.js
@@ -10,7 +10,7 @@ describe('Iam', () => {
 Properties: {
 ManagedPolicyArns: [
 'arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited',
- 'arn:aws:iam::aws:policy/AWSLambdaFullAccess'
+ 'arn:aws:iam::aws:policy/AWSLambda_FullAccess'
 ],
 AssumeRolePolicyDocument: {
 Version: '2012-10-17',
@@ -35,7 +35,7 @@ describe('Iam', () => {
 Properties: {
 ManagedPolicyArns: [
 'arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited',
- 'arn:aws:iam::aws:policy/AWSLambdaFullAccess',
+ 'arn:aws:iam::aws:policy/AWSLambda_FullAccess',
 'arn:aws:iam::aws:policy/AmazonSNSFullAccess'
 ],
 AssumeRolePolicyDocument: {
@@ -62,7 +62,7 @@ describe('Iam', () => {
 Properties: {
 ManagedPolicyArns: [
 'arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited',
- 'arn:aws:iam::aws:policy/AWSLambdaFullAccess'
+ 'arn:aws:iam::aws:policy/AWSLambda_FullAccess'
 ],
 AssumeRolePolicyDocument: {
 Version: '2012-10-17',
@@ -201,7 +201,7 @@ describe('Iam', () => {
 Properties: {
 ManagedPolicyArns: [
 'arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited',
- 'arn:aws:iam::aws:policy/AWSLambdaFullAccess'
+ 'arn:aws:iam::aws:policy/AWSLambda_FullAccess'
 ],
 AssumeRolePolicyDocument: {
 Version: '2012-10-17',