From 9220b93cd3f3855eb6a5b214b50e76708a07ec24 Mon Sep 17 00:00:00 2001 From: Mohsan Jaffery Date: Tue, 15 Aug 2023 00:01:10 +0100 Subject: [PATCH 1/5] update root with pb stack params --- source/cfn/templates/main.template | 47 ++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/source/cfn/templates/main.template b/source/cfn/templates/main.template index 9d2307d4..e19581eb 100644 --- a/source/cfn/templates/main.template +++ b/source/cfn/templates/main.template @@ -146,6 +146,18 @@ Parameters: Type: String Default: "primary" Description: Specify the name of the Athena Workgroup you would like to use. By default it will use 'primary'. + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + Default: "No" + AllowedValues: + - 'Yes' + - 'No' + ConstraintDescription: Please specify if Roles should have a Permissions Boundary set (Yes/No) + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + Mappings: Solution: @@ -220,6 +232,8 @@ Resources: DeploymentBucketKey: !FindInMap [Solution, Constants, DeploymentBucketKey] CreateConfigBucket: !If [SetUpConfig, 'true', 'false'] CustomResourceHelperLambdaLayer: !GetAtt LayerStack.Outputs.CustomResourceHelper + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary TemplateURL: !Sub - "${DeploymentBucket}/buckets.template" @@ -234,6 +248,9 @@ Resources: - "${DeploymentBucket}/vpc.template" - DeploymentBucket: !GetAtt Variables.DeploymentBucket TimeoutInMinutes: 60 + Parameters: + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary NeptuneStack: Type: AWS::CloudFormation::Stack 
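Review bot: `PermissionsBoundaryName` is declared with no `Default`, so every deployment — including one that answers `"No"` to `AttachPermissionsBoundary` — has to supply a value, and nothing checks that a non-empty name is given when the answer is `Yes`; an empty name yields `arn:aws:iam::<account>:policy/` and the mismatch only surfaces when a child stack fails to create its first role. Give the parameter `Default: ""` and add a template-level `Rules` assertion so the combination is rejected at parameter validation instead of mid-deployment. The `Parameters` section continues outside the hunk.
```yaml
  PermissionsBoundaryName:
    Description: Name of the customer-managed IAM policy to attach as the permissions boundary (required when AttachPermissionsBoundary is Yes)
    Type: String
    Default: ""

Rules:
  PermissionsBoundaryNameRequired:
    RuleCondition: !Equals [!Ref AttachPermissionsBoundary, 'Yes']
    Assertions:
      - Assert: !Not [!Equals [!Ref PermissionsBoundaryName, '']]
        AssertDescription: PermissionsBoundaryName must be set when AttachPermissionsBoundary is Yes
# … unchanged: Mappings …
```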
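Review bot: The boundary ARN handed to `S3Buckets` hard-codes the `arn:aws` partition, so in a GovCloud or China account the same input resolves to a policy ARN that cannot exist there and every role creation fails; athena-glue-crawler.template in this series already writes `arn:${AWS::Partition}:…`, so this should be `!Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}"`. The identical literal is repeated for every child stack in this patch, which is the kind of duplication that drifts when one copy is later fixed. Note too that the child parameter keeps the name `PermissionsBoundaryName` while actually receiving an ARN, which its description `Name of optional Permissions Boundary` contradicts.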
@@ -254,6 +271,8 @@ Resources: Port: 6174 CreateNeptuneReplica: !Ref CreateNeptuneReplica DBInstanceClass: !Ref NeptuneInstanceClass + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary ConfigAggregator: Type: AWS::CloudFormation::Stack @@ -266,6 +285,8 @@ Resources: Parameters: ExistingConfigInstallation: !Ref AlreadyHaveConfigSetup ConfigBucket: !If [SetUpConfig, !GetAtt S3Buckets.Outputs.ConfigBucket, ''] + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary OpenSearchRoleStack: Type: AWS::CloudFormation::Stack @@ -277,6 +298,8 @@ Resources: TimeoutInMinutes: 60 Parameters: CreateOpensearchServiceRole: !Ref CreateOpensearchServiceRole + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary OpenSearchStack: Type: AWS::CloudFormation::Stack @@ -322,6 +345,8 @@ Resources: CustomResourceHelper: !GetAtt LayerStack.Outputs.CustomResourceHelper DeploymentBucketName: !GetAtt Variables.DeploymentBucketName DeploymentBucketKey: !FindInMap [ Solution, Constants, DeploymentBucketKey ] + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary CodebuildStack: Type: AWS::CloudFormation::Stack @@ -340,6 +365,8 @@ Resources: ImageVersion: !FindInMap [Solution, Constants, ImageVersion] SolutionVersion: !FindInMap [Solution, Constants, SolutionVersion] WebUIBucket: !GetAtt S3Buckets.Outputs.WebUIBucket + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary CognitoStack: Type: AWS::CloudFormation::Stack 
@@ -353,6 +380,8 @@ Resources: AdminUserEmailAddress: !Ref AdminUserEmailAddress AmplifyStorageBucket: !GetAtt S3Buckets.Outputs.AmplifyStorageBucket WebUiUrl: !GetAtt WebUiStack.Outputs.WebUiUrl + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary GremlinResolversStack: Type: AWS::CloudFormation::Stack @@ -375,6 +404,8 @@ Resources: PrivateSubnet1: !GetAtt VpcStack.Outputs.PrivateSubnet1 DeploymentBucket: !GetAtt Variables.DeploymentBucketName DeploymentBucketKey: !FindInMap [ Solution, Constants, DeploymentBucketKey ] + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary SearchResolversStack: Type: AWS::CloudFormation::Stack @@ -397,6 +428,8 @@ Resources: SolutionVersion: !FindInMap [Solution, Constants, SolutionVersion] DeploymentBucket: !GetAtt Variables.DeploymentBucketName DeploymentBucketKey: !FindInMap [ Solution, Constants, DeploymentBucketKey ] + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary DrawIoExportResolversStack: Type: AWS::CloudFormation::Stack @@ -410,6 +443,8 @@ Resources: PerspectiveAppSyncApiId: !GetAtt AppSyncApiStack.Outputs.AppSyncApiId DeploymentBucket: !GetAtt Variables.DeploymentBucketName DeploymentBucketKey: !FindInMap [ Solution, Constants, DeploymentBucketKey ] + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary AccountImportTemplatesResolversStack: Type: AWS::CloudFormation::Stack 
@@ -423,6 +458,8 @@ Resources: PerspectiveAppSyncApiId: !GetAtt AppSyncApiStack.Outputs.AppSyncApiId DeploymentBucket: !GetAtt Variables.DeploymentBucketName DeploymentBucketKey: !FindInMap [ Solution, Constants, DeploymentBucketKey ] + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary AppSyncApiStack: Type: AWS::CloudFormation::Stack @@ -436,6 +473,8 @@ Resources: CognitoUserPoolId: !GetAtt CognitoStack.Outputs.UserPoolId DeploymentBucket: !GetAtt Variables.DeploymentBucketName DeploymentBucketKey: !FindInMap [ Solution, Constants, DeploymentBucketKey ] + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary CostResolversStack: Type: AWS::CloudFormation::Stack @@ -452,6 +491,8 @@ Resources: PerspectiveAppSyncApiId: !GetAtt AppSyncApiStack.Outputs.AppSyncApiId DeploymentBucket: !GetAtt Variables.DeploymentBucketName DeploymentBucketKey: !FindInMap [ Solution, Constants, DeploymentBucketKey ] + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary SettingsResolversStack: Type: AWS::CloudFormation::Stack @@ -467,6 +508,8 @@ Resources: PerspectiveAppSyncApiId: !GetAtt AppSyncApiStack.Outputs.AppSyncApiId DeploymentBucket: !GetAtt Variables.DeploymentBucketName DeploymentBucketKey: !FindInMap [ Solution, Constants, DeploymentBucketKey ] + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary AthenaGlueCrawlerStack: Type: AWS::CloudFormation::Stack 
@@ -480,6 +523,8 @@ Resources: CostAndUsageBucket: !GetAtt S3Buckets.Outputs.CostAndUsageReportBucket DeploymentBucket: !GetAtt Variables.DeploymentBucketName DeploymentBucketKey: !FindInMap [ Solution, Constants, DeploymentBucketKey ] + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary WebUiStack: Type: AWS::CloudFormation::Stack @@ -512,6 +557,8 @@ Resources: CollectAnonymousMetrics: !Ref OptOutOfSendingAnonymousUsageMetrics SettingsObjectKey: "settings.js" SolutionVersion: !FindInMap [Solution, Constants, SolutionVersion] + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary Outputs: From 5c2070236b2a4d1785d1d309b8336f37b1d538cf Mon Sep 17 00:00:00 2001 
From: Mohsan Jaffery Date: Tue, 15 Aug 2023 00:15:33 +0100 Subject: [PATCH 2/5] update children with passed down params --- .../account-import-templates-resolvers.template | 8 ++++++++ source/cfn/templates/appsync-api.template | 10 +++++++++- source/cfn/templates/athena-glue-crawler.template | 6 ++++++ source/cfn/templates/buckets.template | 10 +++++++++- source/cfn/templates/codebuild.template | 10 +++++++++- source/cfn/templates/cognito.template | 10 +++++++++- source/cfn/templates/config-aggregator.template | 8 ++++++++ source/cfn/templates/cost-resolvers.template | 8 ++++++++ source/cfn/templates/discovery-crawler.template | 8 ++++++++ source/cfn/templates/draw-io-resolvers.template | 8 ++++++++ source/cfn/templates/gremlin-resolvers.template | 8 ++++++++ source/cfn/templates/neptune.template | 8 ++++++++ source/cfn/templates/opensearch-roles.template | 8 ++++++++ source/cfn/templates/search-resolvers.template | 10 +++++++++- source/cfn/templates/settings-resolvers.template | 8 ++++++++ source/cfn/templates/vpc.template | 6 ++++++ source/cfn/templates/webui-settings.template | 10 +++++++++- 17 files changed, 138 insertions(+), 6 deletions(-) diff --git a/source/cfn/templates/account-import-templates-resolvers.template b/source/cfn/templates/account-import-templates-resolvers.template index e24793f4..c2c4fe92 100644 --- a/source/cfn/templates/account-import-templates-resolvers.template +++ b/source/cfn/templates/account-import-templates-resolvers.template @@ -14,6 +14,14 @@ Parameters: PerspectiveAppSyncApiId: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + Resources: AccountImportTemplatesApiLambdaFunctionRole: diff --git a/source/cfn/templates/appsync-api.template b/source/cfn/templates/appsync-api.template index eabf320e..f80df906 100644 --- a/source/cfn/templates/appsync-api.template 
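Review bot: The child `AttachPermissionsBoundary` parameter is a bare `String` with no `AllowedValues`, while the condition introduced in the following patch compares it to `'Yes'` case-sensitively, so any other spelling silently deploys roles without a boundary if a child template is ever launched outside main.template. Mirror the parent's constraint here and in the other sixteen templates: `AllowedValues: ['Yes', 'No']` and `Default: 'No'`. Because the parent passes a full policy ARN, the second parameter's description should read `ARN of the optional IAM permissions boundary policy` rather than `Name of optional Permissions Boundary`.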
+++ b/source/cfn/templates/appsync-api.template @@ -15,6 +15,14 @@ Parameters: CognitoUserPoolId: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + Resources: PerspectiveAppSyncLoggingRole: @@ -76,4 +84,4 @@ Outputs: AppSyncApiArn: Value: !GetAtt PerspectiveAppSyncApi.Arn AppSyncApiUrl: - Value: !GetAtt PerspectiveAppSyncApi.GraphQLUrl \ No newline at end of file + Value: !GetAtt PerspectiveAppSyncApi.GraphQLUrl diff --git a/source/cfn/templates/athena-glue-crawler.template b/source/cfn/templates/athena-glue-crawler.template index ab06b129..044ff5f9 100644 --- a/source/cfn/templates/athena-glue-crawler.template +++ b/source/cfn/templates/athena-glue-crawler.template @@ -17,6 +17,12 @@ Parameters: DeploymentBucketKey: Type: String Description: "The key to the deployment code for Perspective" + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String Resources: AWSCURDatabase: diff --git a/source/cfn/templates/buckets.template b/source/cfn/templates/buckets.template index 22ec6f83..58f86bb2 100644 --- a/source/cfn/templates/buckets.template +++ b/source/cfn/templates/buckets.template @@ -29,6 +29,14 @@ Parameters: S3CleanupBucket: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + Conditions: CreateConfigBucket: !Equals - Ref: CreateConfigBucket @@ -501,4 +509,4 @@ Outputs: Value: !Ref WebUIBucket WebUIBucketRegionalDomainName: - Value: !GetAtt WebUIBucket.RegionalDomainName \ No newline at end of file + Value: !GetAtt WebUIBucket.RegionalDomainName 
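Review bot: buckets.template (and webui-settings.template later in this patch) now accepts both parameters, yet neither file appears in patch 4's list of templates that set `PermissionsBoundary` on a resource, so as of this series the values are received and never applied. If the access-logging custom resource mentioned in the trailing context is an `AWS::Serverless::Function` whose execution role is generated by SAM from a `Policies` block, that generated role is precisely the kind that escapes the boundary and needs `PermissionsBoundary: !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"]` on the function itself. If nothing in the file creates a role, drop the two parameters rather than carry dead inputs; this may be what the unseen patch 5 addresses.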
diff --git a/source/cfn/templates/codebuild.template b/source/cfn/templates/codebuild.template index 7e10ddc0..8fd44dc1 100644 --- a/source/cfn/templates/codebuild.template +++ b/source/cfn/templates/codebuild.template @@ -32,6 +32,14 @@ Parameters: SolutionVersion: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + Resources: CodeBuildRole: @@ -182,4 +190,4 @@ Resources: Resource: !GetAtt CodeBuildProject.Arn Runtime: python3.8 ReservedConcurrentExecutions: 1 - Timeout: 900 \ No newline at end of file + Timeout: 900 diff --git a/source/cfn/templates/cognito.template b/source/cfn/templates/cognito.template index 0107ca3b..f30d1dbb 100644 --- a/source/cfn/templates/cognito.template +++ b/source/cfn/templates/cognito.template @@ -13,6 +13,14 @@ Parameters: WebUiUrl: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + Resources: CognitoAuthRole: @@ -144,4 +152,4 @@ Outputs: UserPoolARN: Value: !GetAtt WDCognitoUserPool.Arn WebClientId: - Value: !Ref UserPoolClient \ No newline at end of file + Value: !Ref UserPoolClient diff --git a/source/cfn/templates/config-aggregator.template b/source/cfn/templates/config-aggregator.template index dd286e45..7699e36a 100644 --- a/source/cfn/templates/config-aggregator.template +++ b/source/cfn/templates/config-aggregator.template @@ -10,6 +10,14 @@ Parameters: ConfigBucket: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + Conditions: SetUpConfig: !Equals [!Ref ExistingConfigInstallation, 'No'] 
diff --git a/source/cfn/templates/cost-resolvers.template b/source/cfn/templates/cost-resolvers.template index 5681ec05..ed638f92 100644 --- a/source/cfn/templates/cost-resolvers.template +++ b/source/cfn/templates/cost-resolvers.template @@ -36,6 +36,14 @@ Parameters: CustomUserAgent: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + Resources: PerspectiveCostLambdaRole: diff --git a/source/cfn/templates/discovery-crawler.template b/source/cfn/templates/discovery-crawler.template index acde0b22..48eaa1a5 100644 --- a/source/cfn/templates/discovery-crawler.template +++ b/source/cfn/templates/discovery-crawler.template @@ -91,6 +91,14 @@ Parameters: Type: String Default: 'AwsSolution/SO0075/1.1.0' + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + Resources: PerspectiveContainerRepo: Type: AWS::ECR::Repository diff --git a/source/cfn/templates/draw-io-resolvers.template b/source/cfn/templates/draw-io-resolvers.template index e51e2ed6..2ccc5f51 100644 --- a/source/cfn/templates/draw-io-resolvers.template +++ b/source/cfn/templates/draw-io-resolvers.template @@ -14,6 +14,14 @@ Parameters: PerspectiveAppSyncApiId: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + Resources: DrawIoLambdaFunctionRole: diff --git a/source/cfn/templates/gremlin-resolvers.template b/source/cfn/templates/gremlin-resolvers.template index 1e483863..5a45289a 100644 --- a/source/cfn/templates/gremlin-resolvers.template +++ b/source/cfn/templates/gremlin-resolvers.template 
@@ -42,6 +42,14 @@ Parameters: CustomUserAgent: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + Resources: GremlinResolverLambdaSg: diff --git a/source/cfn/templates/neptune.template b/source/cfn/templates/neptune.template index ab6624de..aa13a632 100644 --- a/source/cfn/templates/neptune.template +++ b/source/cfn/templates/neptune.template @@ -210,6 +210,14 @@ Parameters: Type: String Default: 'No' + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + Conditions: EnableAuditLogUpload: Fn::Equals: diff --git a/source/cfn/templates/opensearch-roles.template b/source/cfn/templates/opensearch-roles.template index 7cb09eec..9c100763 100644 --- a/source/cfn/templates/opensearch-roles.template +++ b/source/cfn/templates/opensearch-roles.template @@ -6,6 +6,14 @@ Parameters: CreateOpensearchServiceRole: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + Conditions: DeployOpensearchServiceRole: !Equals [!Ref CreateOpensearchServiceRole, 'Yes'] diff --git a/source/cfn/templates/search-resolvers.template b/source/cfn/templates/search-resolvers.template index 528f8205..6b5574a0 100644 --- a/source/cfn/templates/search-resolvers.template +++ b/source/cfn/templates/search-resolvers.template @@ -41,6 +41,14 @@ Parameters: SolutionVersion: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + Resources: SearchLambdaSg: 
@@ -196,4 +204,4 @@ Resources: ApiId: !Ref PerspectiveAppSyncApiId TypeName: Query FieldName: searchResources - DataSourceName: !GetAtt PerspectiveAppSyncSearchLambdaDataSource.Name \ No newline at end of file + DataSourceName: !GetAtt PerspectiveAppSyncSearchLambdaDataSource.Name diff --git a/source/cfn/templates/settings-resolvers.template b/source/cfn/templates/settings-resolvers.template index e434cf7d..81f4e76e 100644 --- a/source/cfn/templates/settings-resolvers.template +++ b/source/cfn/templates/settings-resolvers.template @@ -21,6 +21,14 @@ Parameters: CustomUserAgent: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + Resources: PerspectiveSettingsTable: diff --git a/source/cfn/templates/vpc.template b/source/cfn/templates/vpc.template index 45c55d19..c57f61c6 100644 --- a/source/cfn/templates/vpc.template +++ b/source/cfn/templates/vpc.template @@ -16,6 +16,12 @@ Parameters: - ACCEPT - REJECT - ALL + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String Mappings: SubnetConfig: diff --git a/source/cfn/templates/webui-settings.template b/source/cfn/templates/webui-settings.template index 5a5b1823..86c686c1 100644 --- a/source/cfn/templates/webui-settings.template +++ b/source/cfn/templates/webui-settings.template @@ -33,6 +33,14 @@ Parameters: WebUIBucket: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + Resources: UiSettingsResource: 
@@ -131,4 +139,4 @@ Resources: ContentType: text/javascript ObjectKey: !Ref SettingsObjectKey ServiceToken: !GetAtt UiSettingsResource.Arn - UpdateReplacePolicy: Delete \ No newline at end of file + UpdateReplacePolicy: Delete From cbc1b57e9f71beec0a75aa4a439f2efdb50cfa7e Mon Sep 17 00:00:00 2001 From: Mohsan Jaffery Date: Tue, 15 Aug 2023 10:48:40 +0100 Subject: [PATCH 3/5] update children with PB condition --- .../cfn/templates/account-import-templates-resolvers.template | 4 ++++ source/cfn/templates/appsync-api.template | 4 ++++ source/cfn/templates/athena-glue-crawler.template | 4 ++++ source/cfn/templates/buckets.template | 2 ++ source/cfn/templates/codebuild.template | 4 ++++ source/cfn/templates/cognito.template | 4 ++++ source/cfn/templates/config-aggregator.template | 2 ++ source/cfn/templates/cost-resolvers.template | 4 ++++ source/cfn/templates/discovery-crawler.template | 4 ++++ source/cfn/templates/draw-io-resolvers.template | 4 ++++ source/cfn/templates/gremlin-resolvers.template | 4 ++++ source/cfn/templates/neptune.template | 2 ++ source/cfn/templates/opensearch-roles.template | 2 ++ source/cfn/templates/search-resolvers.template | 4 ++++ source/cfn/templates/settings-resolvers.template | 4 ++++ source/cfn/templates/vpc.template | 4 ++++ source/cfn/templates/webui-settings.template | 4 ++++ 17 files changed, 60 insertions(+) diff --git a/source/cfn/templates/account-import-templates-resolvers.template b/source/cfn/templates/account-import-templates-resolvers.template index c2c4fe92..fb06a5d0 100644 --- a/source/cfn/templates/account-import-templates-resolvers.template +++ b/source/cfn/templates/account-import-templates-resolvers.template @@ -22,6 +22,10 @@ Parameters: Description: Name of optional Permissions Boundary Type: String +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: AccountImportTemplatesApiLambdaFunctionRole: 
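Review bot: The condition is given the same identifier as the parameter it evaluates, so `!Ref AttachPermissionsBoundary` and `!If [AttachPermissionsBoundary, …]` now denote two different things in one template; CloudFormation keeps the namespaces apart, but a reader must know which intrinsic is in play to tell them apart. Name the condition after its outcome, e.g. `HasPermissionsBoundary: !Equals [!Ref AttachPermissionsBoundary, 'Yes']`, and reference that in the `!If` expressions. The same pattern is repeated in all seventeen child templates in this patch.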
diff --git a/source/cfn/templates/appsync-api.template b/source/cfn/templates/appsync-api.template index f80df906..6def0aea 100644 --- a/source/cfn/templates/appsync-api.template +++ b/source/cfn/templates/appsync-api.template @@ -23,6 +23,10 @@ Parameters: Description: Name of optional Permissions Boundary Type: String +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: PerspectiveAppSyncLoggingRole: diff --git a/source/cfn/templates/athena-glue-crawler.template b/source/cfn/templates/athena-glue-crawler.template index 044ff5f9..4442fcd2 100644 --- a/source/cfn/templates/athena-glue-crawler.template +++ b/source/cfn/templates/athena-glue-crawler.template @@ -24,6 +24,10 @@ Parameters: Description: Name of optional Permissions Boundary Type: String +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: AWSCURDatabase: Type: 'AWS::Glue::Database' diff --git a/source/cfn/templates/buckets.template b/source/cfn/templates/buckets.template index 58f86bb2..f0cd883b 100644 --- a/source/cfn/templates/buckets.template +++ b/source/cfn/templates/buckets.template @@ -41,6 +41,8 @@ Conditions: CreateConfigBucket: !Equals - Ref: CreateConfigBucket - "true" + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] Resources: # The custom resource disables access logging because otherwise logs will be diff --git a/source/cfn/templates/codebuild.template b/source/cfn/templates/codebuild.template index 8fd44dc1..48a87e24 100644 --- a/source/cfn/templates/codebuild.template +++ b/source/cfn/templates/codebuild.template @@ -40,6 +40,10 @@ Parameters: Description: Name of optional Permissions Boundary Type: String +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: CodeBuildRole: diff --git a/source/cfn/templates/cognito.template b/source/cfn/templates/cognito.template index f30d1dbb..0c66cff1 100644 
--- a/source/cfn/templates/cognito.template +++ b/source/cfn/templates/cognito.template @@ -21,6 +21,10 @@ Parameters: Description: Name of optional Permissions Boundary Type: String +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: CognitoAuthRole: diff --git a/source/cfn/templates/config-aggregator.template b/source/cfn/templates/config-aggregator.template index 7699e36a..12a81568 100644 --- a/source/cfn/templates/config-aggregator.template +++ b/source/cfn/templates/config-aggregator.template @@ -20,6 +20,8 @@ Parameters: Conditions: SetUpConfig: !Equals [!Ref ExistingConfigInstallation, 'No'] + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] Resources: diff --git a/source/cfn/templates/cost-resolvers.template b/source/cfn/templates/cost-resolvers.template index ed638f92..95e9c7eb 100644 --- a/source/cfn/templates/cost-resolvers.template +++ b/source/cfn/templates/cost-resolvers.template @@ -44,6 +44,10 @@ Parameters: Description: Name of optional Permissions Boundary Type: String +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: PerspectiveCostLambdaRole: diff --git a/source/cfn/templates/discovery-crawler.template b/source/cfn/templates/discovery-crawler.template index 48eaa1a5..fba1b54a 100644 --- a/source/cfn/templates/discovery-crawler.template +++ b/source/cfn/templates/discovery-crawler.template @@ -99,6 +99,10 @@ Parameters: Description: Name of optional Permissions Boundary Type: String +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: PerspectiveContainerRepo: Type: AWS::ECR::Repository diff --git a/source/cfn/templates/draw-io-resolvers.template b/source/cfn/templates/draw-io-resolvers.template index 2ccc5f51..506498c4 100644 --- a/source/cfn/templates/draw-io-resolvers.template +++ b/source/cfn/templates/draw-io-resolvers.template 
@@ -22,6 +22,10 @@ Parameters: Description: Name of optional Permissions Boundary Type: String +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: DrawIoLambdaFunctionRole: diff --git a/source/cfn/templates/gremlin-resolvers.template b/source/cfn/templates/gremlin-resolvers.template index 5a45289a..c46adb3d 100644 --- a/source/cfn/templates/gremlin-resolvers.template +++ b/source/cfn/templates/gremlin-resolvers.template @@ -50,6 +50,10 @@ Parameters: Description: Name of optional Permissions Boundary Type: String +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: GremlinResolverLambdaSg: diff --git a/source/cfn/templates/neptune.template b/source/cfn/templates/neptune.template index aa13a632..d03d34a5 100644 --- a/source/cfn/templates/neptune.template +++ b/source/cfn/templates/neptune.template @@ -227,6 +227,8 @@ Conditions: Fn::Equals: - Ref: CreateNeptuneReplica - 'Yes' + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] Resources: diff --git a/source/cfn/templates/opensearch-roles.template b/source/cfn/templates/opensearch-roles.template index 9c100763..3fe27a31 100644 --- a/source/cfn/templates/opensearch-roles.template +++ b/source/cfn/templates/opensearch-roles.template @@ -16,6 +16,8 @@ Parameters: Conditions: DeployOpensearchServiceRole: !Equals [!Ref CreateOpensearchServiceRole, 'Yes'] + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] Resources: # As this stack has no dependencies it should be created first giving sufficient time for diff --git a/source/cfn/templates/search-resolvers.template b/source/cfn/templates/search-resolvers.template index 6b5574a0..9e60cbe9 100644 --- a/source/cfn/templates/search-resolvers.template +++ b/source/cfn/templates/search-resolvers.template 
@@ -49,6 +49,10 @@ Parameters: Description: Name of optional Permissions Boundary Type: String +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: SearchLambdaSg: diff --git a/source/cfn/templates/settings-resolvers.template b/source/cfn/templates/settings-resolvers.template index 81f4e76e..e8e253a6 100644 --- a/source/cfn/templates/settings-resolvers.template +++ b/source/cfn/templates/settings-resolvers.template @@ -29,6 +29,10 @@ Parameters: Description: Name of optional Permissions Boundary Type: String +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: PerspectiveSettingsTable: diff --git a/source/cfn/templates/vpc.template b/source/cfn/templates/vpc.template index c57f61c6..c53c3107 100644 --- a/source/cfn/templates/vpc.template +++ b/source/cfn/templates/vpc.template @@ -70,6 +70,10 @@ Mappings: us-west-2: AZs: ['a', 'b'] +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: VPC: Type: AWS::EC2::VPC diff --git a/source/cfn/templates/webui-settings.template b/source/cfn/templates/webui-settings.template index 86c686c1..0e79a7e4 100644 --- a/source/cfn/templates/webui-settings.template +++ b/source/cfn/templates/webui-settings.template @@ -41,6 +41,10 @@ Parameters: Description: Name of optional Permissions Boundary Type: String +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: UiSettingsResource: From 27e6180691d898ca48eeedf2ceba5196a9352a75 Mon Sep 17 00:00:00 2001 
From: Mohsan Jaffery Date: Tue, 15 Aug 2023 11:08:06 +0100 Subject: [PATCH 4/5] add conditional PB property to native Roles --- .../templates/account-import-templates-resolvers.template | 4 ++++ source/cfn/templates/appsync-api.template | 2 ++ source/cfn/templates/athena-glue-crawler.template | 6 ++++++ source/cfn/templates/codebuild.template | 4 ++++ source/cfn/templates/cognito.template | 2 ++ source/cfn/templates/config-aggregator.template | 2 ++ source/cfn/templates/cost-resolvers.template | 4 ++++ source/cfn/templates/discovery-crawler.template | 4 ++++ source/cfn/templates/draw-io-resolvers.template | 4 ++++ source/cfn/templates/gremlin-resolvers.template | 4 ++++ source/cfn/templates/neptune.template | 2 ++ source/cfn/templates/opensearch-roles.template | 2 ++ source/cfn/templates/search-resolvers.template | 2 ++ source/cfn/templates/settings-resolvers.template | 4 ++++ source/cfn/templates/vpc.template | 2 ++ 15 files changed, 48 insertions(+) diff --git a/source/cfn/templates/account-import-templates-resolvers.template b/source/cfn/templates/account-import-templates-resolvers.template index fb06a5d0..b420954f 100644 --- a/source/cfn/templates/account-import-templates-resolvers.template +++ b/source/cfn/templates/account-import-templates-resolvers.template @@ -42,6 +42,8 @@ Resources: Service: - lambda.amazonaws.com Action: sts:AssumeRole + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] AccountImportTemplatesApiFunction: Metadata: @@ -89,6 +91,8 @@ Resources: Action: - lambda:InvokeFunction Resource: !GetAtt AccountImportTemplatesApiFunction.Arn + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] AccountImportTemplatesApiLambdaDataSource: Type: AWS::AppSync::DataSource diff --git a/source/cfn/templates/appsync-api.template b/source/cfn/templates/appsync-api.template index 6def0aea..14d933a4 100644 --- a/source/cfn/templates/appsync-api.template 
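Review bot: Attaching a boundary caps `AccountImportTemplatesApiLambdaFunctionRole` at the intersection of its inline policy and the boundary policy, so a boundary that omits, say, `logs:CreateLogStream`/`logs:PutLogEvents` leaves the stack deploying cleanly while the function fails at runtime. Nothing in the series states what the boundary must permit; add a sentence to the `PermissionsBoundaryName` description (or the README) listing the services the solution's roles call, and verify on a deployment with `AttachPermissionsBoundary: Yes` that the boundary is present (`aws iam get-role`) and the resolvers still answer. The role resource begins outside the hunk.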
+++ b/source/cfn/templates/appsync-api.template @@ -60,6 +60,8 @@ Resources: Action: - logs:PutLogEvents Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*' + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] PerspectiveAppSyncApi: Type: AWS::AppSync::GraphQLApi diff --git a/source/cfn/templates/athena-glue-crawler.template b/source/cfn/templates/athena-glue-crawler.template index 4442fcd2..650ae54b 100644 --- a/source/cfn/templates/athena-glue-crawler.template +++ b/source/cfn/templates/athena-glue-crawler.template @@ -80,6 +80,8 @@ Resources: - 's3:GetObject' - 's3:PutObject' Resource: !Sub 'arn:${AWS::Partition}:s3:::${CostAndUsageBucket}/${CURCrawlerKey}/*' + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] AWSCURCrawlerLambdaExecutor: Metadata: @@ -123,6 +125,8 @@ Resources: Action: - 'glue:StartCrawler' Resource: '*' + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] AWSCURCrawler: Type: 'AWS::Glue::Crawler' @@ -212,6 +216,8 @@ Resources: Action: - 's3:PutBucketNotification' Resource: !Sub 'arn:${AWS::Partition}:s3:::${CostAndUsageBucket}' + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] AWSS3CURNotification: Metadata: diff --git a/source/cfn/templates/codebuild.template b/source/cfn/templates/codebuild.template index 48a87e24..315b6485 100644 --- a/source/cfn/templates/codebuild.template +++ b/source/cfn/templates/codebuild.template @@ -103,6 +103,8 @@ Resources: - s3:PutObject Resource: - !Sub "arn:aws:s3:::${WebUIBucket}/*" + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] CodeBuildProject: Type: AWS::CodeBuild::Project 
@@ -195,3 +197,5 @@ Resources: Runtime: python3.8 ReservedConcurrentExecutions: 1 Timeout: 900 + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] diff --git a/source/cfn/templates/cognito.template b/source/cfn/templates/cognito.template index 0c66cff1..4060d014 100644 --- a/source/cfn/templates/cognito.template +++ b/source/cfn/templates/cognito.template @@ -82,6 +82,8 @@ Resources: - Action: s3:ListBucket Resource: !Sub "arn:aws:s3:::${AmplifyStorageBucket}" Effect: "Allow" + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] IdentityPoolRoleMap: Type: AWS::Cognito::IdentityPoolRoleAttachment diff --git a/source/cfn/templates/config-aggregator.template b/source/cfn/templates/config-aggregator.template index 12a81568..ee98700a 100644 --- a/source/cfn/templates/config-aggregator.template +++ b/source/cfn/templates/config-aggregator.template @@ -88,6 +88,8 @@ Resources: Condition: StringEquals: s3:x-amz-acl: bucket-owner-full-control + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] Outputs: diff --git a/source/cfn/templates/cost-resolvers.template b/source/cfn/templates/cost-resolvers.template index 95e9c7eb..9f012ab5 100644 --- a/source/cfn/templates/cost-resolvers.template +++ b/source/cfn/templates/cost-resolvers.template @@ -123,6 +123,8 @@ Resources: - !Sub arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog - !Sub arn:aws:glue:${AWS::Region}:${AWS::AccountId}:database/${AthenaDatabaseName} - !Sub arn:aws:glue:${AWS::Region}:${AWS::AccountId}:table/${AthenaDatabaseName}/${AthenaTableName} + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] PerspectiveCostFunction: Metadata: 
@@ -173,6 +175,8 @@ Resources: Action: - lambda:InvokeFunction Resource: !GetAtt PerspectiveCostFunction.Arn + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] PerspectiveAppSyncCostLambdaDataSource: Type: AWS::AppSync::DataSource diff --git a/source/cfn/templates/discovery-crawler.template b/source/cfn/templates/discovery-crawler.template index fba1b54a..787e20d1 100644 --- a/source/cfn/templates/discovery-crawler.template +++ b/source/cfn/templates/discovery-crawler.template @@ -209,6 +209,8 @@ Resources: ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceEventsRole - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] PerspectiveDiscoveryTaskRole: Type: AWS::IAM::Role @@ -272,6 +274,8 @@ Resources: Action: - appsync:GraphQL Resource: !Sub ${AppSyncArn}/* + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] TaskDefinition: Type: AWS::ECS::TaskDefinition diff --git a/source/cfn/templates/draw-io-resolvers.template b/source/cfn/templates/draw-io-resolvers.template index 506498c4..5a0831fc 100644 --- a/source/cfn/templates/draw-io-resolvers.template +++ b/source/cfn/templates/draw-io-resolvers.template @@ -42,6 +42,8 @@ Resources: Service: - lambda.amazonaws.com Action: sts:AssumeRole + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] DrawIoFunction: Type: AWS::Serverless::Function @@ -82,6 +84,8 @@ Resources: Action: - lambda:InvokeFunction Resource: !GetAtt DrawIoFunction.Arn + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] DrawIoExportLambdaDataSource: Type: AWS::AppSync::DataSource 
diff --git a/source/cfn/templates/gremlin-resolvers.template b/source/cfn/templates/gremlin-resolvers.template index c46adb3d..7537c9fa 100644 --- a/source/cfn/templates/gremlin-resolvers.template +++ b/source/cfn/templates/gremlin-resolvers.template @@ -110,6 +110,8 @@ Resources: - neptune-db:ReadDataViaQuery - neptune-db:WriteDataViaQuery Resource: !Sub arn:aws:neptune-db:${AWS::Region}:${AWS::AccountId}:${NeptuneClusterResourceId}/* + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] GremlinAppSyncFunction: Metadata: @@ -165,6 +167,8 @@ Resources: Action: - lambda:InvokeFunction Resource: !GetAtt GremlinAppSyncFunction.Arn + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] PerspectiveAppSyncGremlinLambdaDataSource: Type: AWS::AppSync::DataSource diff --git a/source/cfn/templates/neptune.template b/source/cfn/templates/neptune.template index d03d34a5..222027a6 100644 --- a/source/cfn/templates/neptune.template +++ b/source/cfn/templates/neptune.template @@ -417,6 +417,8 @@ Resources: ManagedPolicyArns: - Ref: NeptuneCloudWatchPolicy - Ref: NeptuneS3Policy + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] NeptuneCloudWatchPolicy: Type: AWS::IAM::ManagedPolicy diff --git a/source/cfn/templates/opensearch-roles.template b/source/cfn/templates/opensearch-roles.template index 3fe27a31..cb04f2bc 100644 --- a/source/cfn/templates/opensearch-roles.template +++ b/source/cfn/templates/opensearch-roles.template @@ -47,6 +47,8 @@ Resources: - lambda.amazonaws.com Action: - sts:AssumeRole + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] Outputs: OpenSearchLambdaRoleArn: diff --git a/source/cfn/templates/search-resolvers.template b/source/cfn/templates/search-resolvers.template index 9e60cbe9..30ba92e2 100644 
--- a/source/cfn/templates/search-resolvers.template +++ b/source/cfn/templates/search-resolvers.template @@ -166,6 +166,8 @@ Resources: Action: - lambda:InvokeFunction Resource: !GetAtt SearchApiAppSyncFunction.Arn + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] PerspectiveAppSyncSearchLambdaDataSource: Type: AWS::AppSync::DataSource diff --git a/source/cfn/templates/settings-resolvers.template b/source/cfn/templates/settings-resolvers.template index e8e253a6..4335475e 100644 --- a/source/cfn/templates/settings-resolvers.template +++ b/source/cfn/templates/settings-resolvers.template @@ -97,6 +97,8 @@ Resources: Action: - ec2:DescribeRegions Resource: '*' + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] PerspectiveSettingsFunction: Metadata: @@ -146,6 +148,8 @@ Resources: Action: - lambda:InvokeFunction Resource: !GetAtt PerspectiveSettingsFunction.Arn + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] PerspectiveAppSyncSettingsLambdaDataSource: Type: AWS::AppSync::DataSource diff --git a/source/cfn/templates/vpc.template b/source/cfn/templates/vpc.template index c53c3107..2b118acd 100644 --- a/source/cfn/templates/vpc.template +++ b/source/cfn/templates/vpc.template @@ -114,6 +114,8 @@ Resources: - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: !GetAtt 'FlowLogGroup.Arn' + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] FlowLogGroup: Metadata: From 160726233b6792c56f5058a7c68208fc776c4055 Mon Sep 17 00:00:00 2001 
From: Mohsan Jaffery Date: Tue, 15 Aug 2023 11:21:08 +0100 Subject: [PATCH 5/5] add conditional PB property to Roles created by SAM --- source/cfn/templates/buckets.template | 2 ++ source/cfn/templates/discovery-crawler.template | 2 ++ source/cfn/templates/draw-io-resolvers.template | 2 ++ source/cfn/templates/main.template | 2 ++ source/cfn/templates/webui-settings.template | 2 ++ 5 files changed, 10 insertions(+) diff --git a/source/cfn/templates/buckets.template b/source/cfn/templates/buckets.template index f0cd883b..4df3c0b8 100644 --- a/source/cfn/templates/buckets.template +++ b/source/cfn/templates/buckets.template @@ -422,6 +422,8 @@ Resources: - Ref: "AWS::NoValue" Runtime: python3.8 Timeout: 60 + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] CleanupAccessLogsBucket: Type: "Custom::S3BucketCleanup" diff --git a/source/cfn/templates/discovery-crawler.template b/source/cfn/templates/discovery-crawler.template index 787e20d1..202df692 100644 --- a/source/cfn/templates/discovery-crawler.template +++ b/source/cfn/templates/discovery-crawler.template @@ -176,6 +176,8 @@ Resources: Environment: Variables: CustomUserAgent: !Ref CustomUserAgent + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] CleanupECRRepository: Type: Custom::Setup diff --git a/source/cfn/templates/draw-io-resolvers.template b/source/cfn/templates/draw-io-resolvers.template index 5a0831fc..1cf7e12e 100644 --- a/source/cfn/templates/draw-io-resolvers.template +++ b/source/cfn/templates/draw-io-resolvers.template @@ -62,6 +62,8 @@ Resources: Timeout: 5 MemorySize: 256 ReservedConcurrentExecutions: 5 + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] DrawIoInvokeRole: Type: AWS::IAM::Role diff --git a/source/cfn/templates/main.template b/source/cfn/templates/main.template index e19581eb..8ec16ad7 100644 
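Review bot: In the discovery-crawler hunk the added `PermissionsBoundary` follows `Environment: Variables: CustomUserAgent: !Ref CustomUserAgent`, and the rendering here has lost indentation, so it is worth confirming the property sits at the `Properties` level alongside `Environment` rather than inside `Variables`; nested there it would become an environment variable (or fail validation) and the SAM-generated role would carry no boundary. The buckets, draw-io-resolvers and webui-settings hunks append the property after scalar `Properties` entries (`Timeout`, `ReservedConcurrentExecutions`), where the placement is unambiguous. The enclosing function definitions start outside these hunks.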
--- a/source/cfn/templates/main.template +++ b/source/cfn/templates/main.template @@ -196,6 +196,8 @@ Resources: physicalResourceId=event.get("LogicalResourceId"), reason=None, ) + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] Variables: Type: "Custom::Variables" diff --git a/source/cfn/templates/webui-settings.template b/source/cfn/templates/webui-settings.template index 0e79a7e4..d834285c 100644 --- a/source/cfn/templates/webui-settings.template +++ b/source/cfn/templates/webui-settings.template @@ -102,6 +102,8 @@ Resources: Runtime: python3.9 Timeout: 120 ReservedConcurrentExecutions: 1 + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] UiSettings: Type: Custom::UiSettings
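Review bot: In the main.template hunk, `!Ref PermissionsBoundaryName` resolves to the root-level parameter as entered, which the parameter description elsewhere in this series presents as a policy name; if that is the case, this function's `PermissionsBoundary` receives a bare name rather than the ARN the property requires, while the child stacks receive a value already expanded to an ARN. Using the same expansion here, `PermissionsBoundary: !If [AttachPermissionsBoundary, !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}", !Ref "AWS::NoValue"]`, keeps the root and child templates consistent. The `!If` also needs a Condition named `AttachPermissionsBoundary` in main.template; if the root-level item of that name is a Yes/No string parameter, a condition such as `AttachPermissionsBoundary: !Equals [!Ref AttachPermissionsBoundary, 'Yes']` must exist in its `Conditions` section, and an `AllowedPattern` on the name parameter would make an empty value with the boundary enabled fail at validation instead of mid-deployment when the first role is created. The enclosing function (inline Python custom-resource handler) starts outside the hunk.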