Open cgcompassion opened 8 months ago
It might be that we missed these after our recent updates. Can you share all the ones that failed? So we can go update them internally?
Sure. The one that already had the code block is: CloudFormationExecutionRole
and the ones that I added the code block to are:
FilePublishingRole
ImagePublishingRole
LookupRole
DeploymentActionRole
Thanks! I'll check.
@cgcompassion hmm.. looking at CDK's bootstrap template, the permission boundary is indeed only set on the ExecutionRole
— https://github.com/aws/aws-cdk/blob/6a7a24afcc1ebebf71c267b890732a455e865cc8/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml#L554-L558
SST could patch CDK's template.. but keeping the patch up to date over time might be tricky.
Best option here might be to submit a PR to CDK. I can nudge them to expedite the review.
One of the interesting problems we hit is that our AWS setup requires all IAM roles to have a specific permissions boundary applied (DevBoundary). There is no good way yet to enforce that in SST.

The Error
Three different failures to do with creating roles in the bootstrap process. Here's one of them (with sensitive data redacted):
Things I Tried that did not work
Applying to config (this works, but not for all the roles in the bootstrap template):
Applying to the stack:
Applying to the app:
Adding a cdk.context.json with the following:

How I finally got it working
I had to export the bootstrap template using cdk bootstrap --show-template > template.yaml
Then, modify the template, adding this block to every AWS::IAM::Role:

There are 5 roles in the template, and only one of them already has this block applied.
And finally, I updated the InputPermissionsBoundary to default to our custom DevBoundary.

Then I had to install the cdk cli and use that to bootstrap CDK with the altered template. Now that it's done, it shouldn't need to be done again unless we move to a different AWS account, or someone destroys the CDKToolkit stack in CloudFormation.
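The patching procedure the post describes (audit which AWS::IAM::Role resources lack a PermissionsBoundary, copy the block from the one role that has it, then set the InputPermissionsBoundary default), as an added Python example that is not the author's, SST's or CDK's code. It assumes the exported template has been converted to JSON form; the miniature template below is constructed, and its boundary block is a stand-in for whatever the real export contains.

```python
# Audit/patch an exported CDK bootstrap template so every IAM role carries the boundary.
# Added example for this thread, not SST's or CDK's own code.
import copy

ROLE_TYPE = "AWS::IAM::Role"
BOUNDARY_PARAM = "InputPermissionsBoundary"  # parameter name used by the bootstrap template

def roles_missing_boundary(template: dict) -> list:
    """Names of AWS::IAM::Role resources with no PermissionsBoundary property."""
    return sorted(
        name for name, res in template.get("Resources", {}).items()
        if res.get("Type") == ROLE_TYPE
        and "PermissionsBoundary" not in res.get("Properties", {})
    )

def apply_boundary_to_all_roles(template: dict, default_boundary: str) -> dict:
    """Patched copy: the boundary block already on one role is copied to every role
    lacking it, and InputPermissionsBoundary defaults to default_boundary."""
    patched = copy.deepcopy(template)
    resources = patched.get("Resources", {})
    donors = [res["Properties"]["PermissionsBoundary"] for res in resources.values()
              if res.get("Type") == ROLE_TYPE and "PermissionsBoundary" in res.get("Properties", {})]
    if not donors:
        raise ValueError("no role carries a PermissionsBoundary block to copy")
    for name in roles_missing_boundary(patched):
        resources[name].setdefault("Properties", {})["PermissionsBoundary"] = copy.deepcopy(donors[0])
    params = patched.setdefault("Parameters", {})
    params.setdefault(BOUNDARY_PARAM, {"Type": "String"})["Default"] = default_boundary
    return patched

# Constructed miniature of the template in JSON form (CloudFormation accepts JSON, so the
# YAML from `cdk bootstrap --show-template` can be converted first). As on the page, only
# CloudFormationExecutionRole carries the block; its body here is a stand-in for the real one.
SAMPLE_TEMPLATE = {
    "Parameters": {BOUNDARY_PARAM: {"Type": "String", "Default": ""}},
    "Resources": {
        "CloudFormationExecutionRole": {"Type": ROLE_TYPE, "Properties": {"PermissionsBoundary": {
            "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${InputPermissionsBoundary}"}}},
        "FilePublishingRole": {"Type": ROLE_TYPE, "Properties": {"Path": "/"}},
        "ImagePublishingRole": {"Type": ROLE_TYPE, "Properties": {"Path": "/"}},
        "LookupRole": {"Type": ROLE_TYPE, "Properties": {"Path": "/"}},
        "DeploymentActionRole": {"Type": ROLE_TYPE, "Properties": {"Path": "/"}},
        "StagingBucket": {"Type": "AWS::S3::Bucket"},  # non-role resources are left untouched
    },
}

if __name__ == "__main__":
    print("missing before:", roles_missing_boundary(SAMPLE_TEMPLATE))
    print("missing after: ", roles_missing_boundary(apply_boundary_to_all_roles(SAMPLE_TEMPLATE, "DevBoundary")))
```

The patched template is then handed to the cdk CLI with cdk bootstrap --template, as the author did; re-running the audit function on a freshly exported template after a CDK upgrade shows whether the patch still needs reapplying.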