aws-cloudformation / community-registry-extensions

MIT No Attribution

Publish AwsCommunity::IAM::PasswordPolicy #264

Open benbridts opened 1 month ago

benbridts commented 1 month ago

What type of extension are you looking for?

Resource

Describe the extension you'd like to request

AwsCommunity::IAM::PasswordPolicy exists in source code form, it would be great if I could activate it in my account without having to build/publish it myself.

Describe the solution you'd like

AwsCommunity::IAM::PasswordPolicy being available as a Third Party Public Extension

Additional context

No response

Is this something that you'd be interested in working on?

Would this feature include a breaking change?

ericzbeard commented 1 month ago

We can't publish anything that needs IAM permissions other than PassRole.

benbridts commented 1 month ago

That's an annoying restriction.

The workaround for that is to:

It's annoying to do that, and the security win of blocking IAM is roughly 0; needing the consumer to not put iam:* in the role that's attached during the activation, or needing them to not add it to the role that is passed as a property, leaves the same responsibility for the user.

That being said, it would be nice if that was gated behind CAPABILITY_IAM both during activation and stack deployment.


Edit: Is there any interest in accepting the hacky workaround as a code change, or do we want to give a good example here?

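The responsibility the comment above describes, the consumer scoping the execution role instead of granting iam:*, as an added example that is not part of this issue or of the community-registry-extensions repository. It assumes the PasswordPolicy handlers need only the three account-password-policy IAM actions listed (not verified against the extension's schema) and uses a placeholder PublisherId, since the extension is not published at the time of this issue.

```yaml
# Added example, not code from the issue or the repository.
# Assumed: the handlers need only the three IAM actions below, and the
# extension is activated as a third-party public extension (PublisherId is
# a placeholder).
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # Execution role the CloudFormation registry assumes to run the handlers.
  PasswordPolicyExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: resources.cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: PasswordPolicyOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Weak setting the comment warns against (shown, not granted):
              # - Effect: Allow
              #   Action: iam:*
              #   Resource: "*"
              # Scoped alternative: only the account password policy APIs.
              - Effect: Allow
                Action:
                  - iam:GetAccountPasswordPolicy
                  - iam:UpdateAccountPasswordPolicy
                  - iam:DeleteAccountPasswordPolicy
                Resource: "*"

  # Activation of the public extension, bound to the scoped role above.
  PasswordPolicyActivation:
    Type: AWS::CloudFormation::TypeActivation
    Properties:
      Type: RESOURCE
      TypeName: AwsCommunity::IAM::PasswordPolicy
      PublisherId: PUBLISHER_ID_PLACEHOLDER
      ExecutionRoleArn: !GetAtt PasswordPolicyExecutionRole.Arn
      AutoUpdate: true
```

Because the template creates an IAM role, deploying it already requires CAPABILITY_IAM, so the activation step is gated the way the comment asks for even though the activated type itself is not.
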
ericzbeard commented 1 month ago

I think we should leave the example as it is for now. I'll bring up the possibility of removing the restriction again internally.