Add support for permissions boundary: now the user can optionally specify the IAM policies to be used as permissions boundaries for the PCUI infrastructure and the PCAPI infrastructure, separately.
Add support for IAM roles and policies prefix: now the user can optionally specify a prefix to be added to every IAM role and policy name created as part of both PCUI and PCAPI infrastructure.
Note about Customer Experience
When a permissions boundary is specified for the PCAPI infrastructure, such boundary is also set as a condition for iam:CreateRole/PutRolePolicy/DeleteRolePolicy/AttachRolePolicy/DetachRolePolicy (this behaviour has been part of the product since Jan 2023, see commit). This implies that when such a boundary is specified, only clusters with the configuration Iam/PermissionsBoundary equal to that boundary can succeed.
How Has This Been Tested?
PCUI deployed as default without prefix and boundary.
Verified that resources do not have prefix and boundaries.
Created and deleted a cluster.
PCUI deployed with prefix and boundary:
Verified that resources have the expected prefix and boundary.
Creation of a cluster without Iam/PermissionsBoundary fails as expected because of the condition on iam:CreateRole.
Created and deleted a cluster with Iam/PermissionsBoundary equal to the one set for PCAPI.
Created and deleted a cluster with Iam/PermissionsBoundary and prefix equal to the ones set for PCAPI.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
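The effect described in the Customer Experience note, as an added example that is not part of this pull request or the project's code: a minimal model of an Allow statement conditioned on `iam:PermissionsBoundary`, checked against the `iam:CreateRole` call a cluster creation would make. The ARNs, function names and the statement shape are assumptions made for illustration, and resource matching is left out.

```python
# Added illustration; not ParallelCluster or PCUI code.
# The ARNs below are constructed placeholders.
BOUNDARY = "arn:aws:iam::111122223333:policy/ExampleBoundary"
OTHER = "arn:aws:iam::111122223333:policy/OtherBoundary"

GUARDED_ACTIONS = ["iam:CreateRole", "iam:PutRolePolicy", "iam:DeleteRolePolicy",
                   "iam:AttachRolePolicy", "iam:DetachRolePolicy"]

def build_statement(boundary_arn=None):
    """Allow role management; add the boundary condition only when one is set."""
    statement = {"Effect": "Allow", "Action": GUARDED_ACTIONS, "Resource": "*"}
    if boundary_arn:
        statement["Condition"] = {
            "StringEquals": {"iam:PermissionsBoundary": boundary_arn}}
    return statement

def is_allowed(statement, action, context):
    """Evaluate one Allow statement (action and StringEquals conditions only)."""
    if action not in statement["Action"]:
        return False
    conditions = statement.get("Condition", {}).get("StringEquals", {})
    for key, expected in conditions.items():
        # StringEquals does not match when the key is absent from the request.
        if context.get(key) != expected:
            return False
    return True

def create_role_context(cluster_config):
    """Condition keys sent with iam:CreateRole for a given cluster config."""
    boundary = cluster_config.get("Iam", {}).get("PermissionsBoundary")
    return {"iam:PermissionsBoundary": boundary} if boundary else {}

def preflight(statement, cluster_config):
    """Return (ok, reason) for the iam:CreateRole call a cluster creation needs."""
    context = create_role_context(cluster_config)
    if is_allowed(statement, "iam:CreateRole", context):
        return True, "iam:CreateRole allowed"
    sent = context.get("iam:PermissionsBoundary", "<none>")
    return False, f"iam:CreateRole not allowed: boundary sent was {sent}"

if __name__ == "__main__":
    guarded = build_statement(BOUNDARY)
    for cfg in ({}, {"Iam": {"PermissionsBoundary": OTHER}},
                {"Iam": {"PermissionsBoundary": BOUNDARY}}):
        print(cfg, preflight(guarded, cfg))
```
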