Describe the bug
When deploying the solution with the SSM Parameter Store based workflow in Organization mode, only the last OU in /QuotaMonitor/OUs is included in the resource-based policy.
The reason may be that PutPermissionCommand works differently when using Policy as input compared with using the StatementId, Action, Principal, or Condition parameters. The policy update will be overwritten by the last element at the end of the loop. See deployment-manager.ts and events.ts.
To Reproduce
Deploy the solution with the SSM Parameter Store based workflow in Organization mode with multiple OUs.
In Parameter Store, set /QuotaMonitor/OUs to: ou-xxxx-xxxxxxxx1,ou-xxxx-xxxxxxxx2,ou-xxxx-xxxxxxxx.
The resource-based policy shown on the event bus is:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ou-xxxx-xxxxxxxx3",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "events:PutEvents",
      "Resource": "arn",
      "Condition": {
        "ForAnyValue:StringLike": {
          "aws:PrincipalOrgPaths": "o-xxxxxxxxxx/*/ou-xxxx-xxxxxxxx3/*"
        }
      }
    }
  ]
}
Expected behavior
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ou-xxxx-xxxxxxxx1",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "events:PutEvents",
      "Resource": "arn",
      "Condition": {
        "ForAnyValue:StringLike": {
          "aws:PrincipalOrgPaths": "o-xxxxxxxxxx/*/ou-xxxx-xxxxxxxx1/*"
        }
      }
    },
    {
      "Sid": "ou-xxxx-xxxxxxxx2",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "events:PutEvents",
      "Resource": "arn",
      "Condition": {
        "ForAnyValue:StringLike": {
          "aws:PrincipalOrgPaths": "o-xxxxxxxxxx/*/ou-xxxx-xxxxxxxx2/*"
        }
      }
    },
    {
      "Sid": "ou-xxxx-xxxxxxxx3",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "events:PutEvents",
      "Resource": "arn",
      "Condition": {
        "ForAnyValue:StringLike": {
          "aws:PrincipalOrgPaths": "o-xxxxxxxxxx/*/ou-xxxx-xxxxxxxx3/*"
        }
      }
    }
  ]
}
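The following is an added illustration, not code from the solution's deployment-manager.ts or events.ts. It simulates the behaviour the report attributes to PutPermissionCommand: when the call carries a whole `Policy` document, that document replaces the bus's resource-based policy, so a loop that issues one call per OU leaves only the last OU's statement. The second function shows the expected outcome (all OUs in one policy), and `missingOus` is the post-deployment check an operator would run to confirm every configured OU is actually covered. `FakeEventBus`, `applyPerOu`, `applyCombined`, `missingOus` and the event-bus ARN are constructed for this example; the real SDK client is not used.

```typescript
// Added example (not the project's code). FakeEventBus stands in for the
// EventBridge PutPermission API; the overwrite-on-Policy behaviour it models is
// the one described in the bug report, not verified against the SDK here.

type OrgPathCondition = {
  "ForAnyValue:StringLike": { "aws:PrincipalOrgPaths": string };
};

interface PolicyStatement {
  Sid: string;
  Effect: "Allow";
  Principal: "*";
  Action: "events:PutEvents";
  Resource: string;
  Condition: OrgPathCondition;
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: PolicyStatement[];
}

// One statement per OU, in the shape shown in the report's policy output.
function statementForOu(ou: string, orgId: string, busArn: string): PolicyStatement {
  return {
    Sid: ou,
    Effect: "Allow",
    Principal: "*",
    Action: "events:PutEvents",
    Resource: busArn,
    Condition: {
      "ForAnyValue:StringLike": { "aws:PrincipalOrgPaths": `${orgId}/*/${ou}/*` },
    },
  };
}

// Parse the comma-separated value of /QuotaMonitor/OUs into OU ids.
function parseOus(param: string): string[] {
  return param.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// Hypothetical stand-in for the event bus. Assumption: a PutPermission call
// carrying `Policy` replaces the entire resource-based policy.
class FakeEventBus {
  policy: PolicyDocument = { Version: "2012-10-17", Statement: [] };
  putPermission(input: { Policy: string }): void {
    this.policy = JSON.parse(input.Policy) as PolicyDocument;
  }
}

// Pattern the report describes: one call per OU, each with a single-statement
// Policy. Each iteration overwrites the previous one, so only the last OU survives.
function applyPerOu(bus: FakeEventBus, ous: string[], orgId: string, busArn: string): PolicyDocument {
  for (const ou of ous) {
    const doc: PolicyDocument = { Version: "2012-10-17", Statement: [statementForOu(ou, orgId, busArn)] };
    bus.putPermission({ Policy: JSON.stringify(doc) });
  }
  return bus.policy;
}

// Expected behaviour: build one document holding a statement for every OU and
// send it in a single call.
function applyCombined(bus: FakeEventBus, ous: string[], orgId: string, busArn: string): PolicyDocument {
  const doc: PolicyDocument = {
    Version: "2012-10-17",
    Statement: ous.map((ou) => statementForOu(ou, orgId, busArn)),
  };
  bus.putPermission({ Policy: JSON.stringify(doc) });
  return bus.policy;
}

function sidsOf(policy: PolicyDocument): string[] {
  return policy.Statement.map((s) => s.Sid);
}

// Operator check: which configured OUs have no statement on the bus?
// A non-empty result means events from those OUs will be rejected.
function missingOus(policy: PolicyDocument, ous: string[]): string[] {
  const present = new Set(sidsOf(policy));
  return ous.filter((ou) => !present.has(ou));
}

// Constructed sample input mirroring the report's reproduction step.
const SAMPLE_OUS = "ou-xxxx-xxxxxxxx1,ou-xxxx-xxxxxxxx2,ou-xxxx-xxxxxxxx3";
const SAMPLE_ORG = "o-xxxxxxxxxx";
const SAMPLE_ARN = "arn:aws:events:us-east-1:111122223333:event-bus/example-bus"; // constructed placeholder

const ouList = parseOus(SAMPLE_OUS);
console.log("per-OU loop keeps:", sidsOf(applyPerOu(new FakeEventBus(), ouList, SAMPLE_ORG, SAMPLE_ARN)));
console.log("combined policy keeps:", sidsOf(applyCombined(new FakeEventBus(), ouList, SAMPLE_ORG, SAMPLE_ARN)));
```

Running it prints a single Sid for the per-OU loop and all three for the combined document. The same `missingOus` comparison can be run against the real bus policy (from DescribeEventBus) after deployment to catch this regression before accounts in the dropped OUs start failing to deliver events.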