From 9a3aee3afff97e8562ada39787bb37eeec250fe2 Mon Sep 17 00:00:00 2001
From: Brian Zambrano
Date: Thu, 7 Oct 2021 16:17:04 -0600
Subject: [PATCH] Add to PipelineExecutionRolePermissions to allow stack deletion (#3213)

* Revert "release: 0.20.0"

* chore: Update version to 0.20.1

* Revert "Revert "release: 0.20.0"" (#1377)

This reverts commit 20904315bea1db89362b59550e03ab8460a7d73d.

* Add to PipelineExecutionRolePermissions to allow stack deletion

Why
---

The `PipelineExecutionRole` is assumed by the `PipelineUser` when deploying CI/CD pipelines. This role doesn't have permission to delete stacks via `sam delete`. This means that any stacks created need to be deleted manually. In order to support automated stack deletions for feature branches, this role needs a few extra permissions.

This change is needed to support this PR in the sam pipeline templates: https://github.com/aws/aws-sam-cli-pipeline-init-templates/pull/42

How
---

- Add three additional IAM permissions which allow the `sam delete` command to work as expected in `PipelineExecutionRolePermissions`.

Next Steps
----------

- After this is merged, [this PR in the Pipeline templates for GitHub Actions](https://github.com/aws/aws-sam-cli-pipeline-init-templates/pull/42) can be merged.

* Add BatchDeleteImage to PipelineExecutionRolePermissions

Based on PR feedback, allow for this role to delete a list of ImageIds by adding `ecr:BatchDeleteImage` to the Pipeline role.

---
 samcli/lib/pipeline/bootstrap/stage_resources.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/samcli/lib/pipeline/bootstrap/stage_resources.yaml b/samcli/lib/pipeline/bootstrap/stage_resources.yaml
index bcc5e94423..6893a74f4e 100644
--- a/samcli/lib/pipeline/bootstrap/stage_resources.yaml
+++ b/samcli/lib/pipeline/bootstrap/stage_resources.yaml
@@ -228,13 +228,16 @@ Resources: - "cloudformation:CreateChangeSet" - "cloudformation:DescribeChangeSet" - "cloudformation:ExecuteChangeSet" + - "cloudformation:DeleteStack" - "cloudformation:DescribeStackEvents" - "cloudformation:DescribeStacks" + - "cloudformation:GetTemplate" - "cloudformation:GetTemplateSummary" - "cloudformation:DescribeStackResource" Resource: '*' - Effect: Allow Action: + - 's3:DeleteObject' - 's3:GetObject*' - 's3:PutObject*' - 's3:GetBucket*' @@ -257,6 +260,7 @@ Resources: - Effect: "Allow" Action: - "ecr:GetDownloadUrlForLayer" + - "ecr:BatchDeleteImage" - "ecr:BatchGetImage" - "ecr:BatchCheckLayerAvailability" - "ecr:PutImage"
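Review bot: In the first hunk (`@@ -228,13 +228,16 @@`), `cloudformation:DeleteStack` is added to a statement whose `Resource: '*'` is visible a few lines below, so the pipeline execution role can now delete any CloudFormation stack in the account, not only the stacks this pipeline deployed. The existing actions in that statement were create/describe/execute, so the wildcard was a much smaller exposure before this change. Consider scoping the resource to the stacks the pipeline manages, for example an ARN pattern such as `arn:aws:cloudformation:*:*:stack/<your-stack-prefix>*/*` (placeholder prefix; stack ARNs are `stack/<name>/<id>`), and if stack names are user-chosen so that is not practical, at least call out the blast radius in the bootstrap documentation. In the same hunk, `s3:DeleteObject` is added to a statement whose `Resource` is outside the visible context; please confirm that statement is limited to the pipeline artifacts bucket rather than `*`.

Review bot: In the second hunk (`@@ -257,6 +260,7 @@`), `ecr:BatchDeleteImage` is a destructive action and the statement's `Resource` is not in the visible context; confirm it is restricted to the pipeline's image repository, otherwise the role can delete images from every ECR repository in the account. Separately, with this hunk the patch now grants four new permissions (`cloudformation:DeleteStack`, `cloudformation:GetTemplate`, `s3:DeleteObject`, `ecr:BatchDeleteImage`), but the "How" section of the commit message still says "three additional IAM permissions"; update the message when squashing so the record matches the diff.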