"CreateStack" permission is not necessary #62
Labels
enhancement
New feature or request
Comments
|
@katallaxie let me know what you think about this |
|
This would be a great implementation but would require making separate calls since as @kddejong mentioned, termination protection and policy changes currently can't be used with |
|
I was going to merge this in and then adjust from there as we also have the aws-sdk v3 migration pending. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In restricted environments, in which only ChangeSet-based creation of stacks is possible, it is impossible to use this action.
Our use case is as follows: we configure the job (using
aws-actions/configure-aws-credentials) to assume an IAM role which will execute the CloudFormation deployment action. This role only hasChange/ExecuteChangeSetIAM permissions.This works for updating stacks, but for new stacks,
aws-cloudformation-github-deployaction will useCreateStack, which will fail in our case.I think it should be possible to use
CreateChangeSetwithChangeSetTypeset toCREATEin case the stack does not exist. This will keep the same behavior while requiring a less privileged role.See example here
If this sounds good, I am happy to contribute of course.
The text was updated successfully, but these errors were encountered: