sst / ion

SST v3
https://sst.dev
MIT License

IAM Permission Boundaries in ion #293

Closed cgcompassion closed 5 months ago

cgcompassion commented 5 months ago

Anyone know the correct way to add a custom Permission Boundary to all IAM roles that might be created by SST, now that we are no longer using CF?

The way I used to do this is:

config(_input) {
  return {
    name: 'myApp',
    region: 'us-east-2',
    cdk: {
      customPermissionsBoundary: myBoundaryName,
    },
  };
},

in conjunction with:

import * as iam from 'aws-cdk-lib/aws-iam';

const boundary = iam.ManagedPolicy.fromManagedPolicyArn(stack, 'boundary', myBoundaryARN);
iam.PermissionsBoundary.of(stack).apply(boundary);

Due to our AWS Org Settings, all deploys will fail unless the IAM roles have this boundary attached. I'm struggling trying to figure out how to do this in the new world of Pulumi.

I assume it can be done in the global $transform function, but I can't find any clarity in the docs on how to do that.

fwang commented 5 months ago

@cgcompassion yeah you can achieve it using $transform.

I added an example here https://ion.sst.dev/docs/examples/#iam-permissions-boundaries

Feel free to reopen this issue if the example doesn't work for you.
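The `$transform` approach fwang points to, written out as an added example (this is not the thread's code, not SST's own code, and not the linked docs example). It assumes ion's global `$transform(aws.iam.Role, (args, opts) => ...)` and the `permissionsBoundary` input on Pulumi's `aws.iam.Role`; everything else (`RoleArgsLike`, `TransformFn`, `BOUNDARY_ARN`, `isPolicyArn`, `applyBoundary`, `registerBoundaryTransform`) is a hypothetical name chosen here, the ARN is a placeholder, and `permissionsBoundary` is narrowed to a plain string (the real input also accepts Pulumi `Input<string>`). The transform body lives in plain functions so it can be unit-tested without a deploy.

```typescript
// Added example (not SST's or the thread's own code): the body of an ion
// `$transform` that stamps the org permissions boundary onto every
// `aws.iam.Role` the app creates, written as plain functions so the logic
// can be unit-tested without running `sst deploy`.

// Subset of Pulumi's aws.iam.RoleArgs that the transform touches
// (simplified: the real `permissionsBoundary` accepts Input<string>).
export interface RoleArgsLike {
  name?: string;
  permissionsBoundary?: string;
}

// Shape of ion's global `$transform(resource, cb)`: the callback receives
// the resource's args (mutable) and its resource options.
export type TransformFn = <TArgs>(
  resource: unknown,
  cb: (args: TArgs, opts: Record<string, unknown>) => void,
) => void;

// Placeholder ARN (constructed): replace with the boundary policy your
// AWS Org actually mandates.
export const BOUNDARY_ARN =
  "arn:aws:iam::123456789012:policy/OrgPermissionsBoundary";

// A permissions boundary must be an IAM *policy* ARN (customer- or
// AWS-managed); a role ARN or anything else is a misconfiguration.
export function isPolicyArn(arn: string): boolean {
  return /^arn:aws(-[a-z]+)?:iam::(\d{12}|aws):policy\/[\w+=,.@\/-]+$/.test(arn);
}

// The transform body. Enforce the org boundary on every role; if a role
// already carries a *different* boundary, fail at synth time rather than
// silently overwriting it, since the org would reject that role anyway.
export function applyBoundary(
  args: RoleArgsLike,
  boundaryArn: string = BOUNDARY_ARN,
): RoleArgsLike {
  if (!isPolicyArn(boundaryArn)) {
    throw new Error(`permissions boundary is not a policy ARN: ${boundaryArn}`);
  }
  if (
    args.permissionsBoundary !== undefined &&
    args.permissionsBoundary !== boundaryArn
  ) {
    throw new Error(
      `role ${args.name ?? "<unnamed>"} already has boundary ` +
        `${args.permissionsBoundary}; expected ${boundaryArn}`,
    );
  }
  args.permissionsBoundary = boundaryArn;
  return args;
}

// Register the transform. In sst.config.ts this is called from run() as
//   registerBoundaryTransform($transform, aws.iam.Role);
// using the globals SST injects; they are passed in here so the wiring
// itself can be exercised in a test with a fake `$transform`.
export function registerBoundaryTransform(
  transform: TransformFn,
  roleResource: unknown,
): void {
  transform<RoleArgsLike>(roleResource, (args, _opts) => {
    applyBoundary(args);
  });
}
```

Register the transform at the top of `run()` in `sst.config.ts`, before any component is created, so that the roles SST components make for you (function execution roles and the like) are created after it and pick up the boundary. It only covers roles this app creates through Pulumi; roles created outside the app still need the boundary attached by whatever provisions them.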