Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add to PipelineExecutionRolePermissions to allow stack deletion #3213

Merged
merged 102 commits into from
Oct 7, 2021
Merged

Add to PipelineExecutionRolePermissions to allow stack deletion #3213

merged 102 commits into from
Oct 7, 2021

Conversation

brianz
Copy link
Contributor

@brianz brianz commented Aug 30, 2021
edited by lesau
Loading

Why

The PipelineExecutionRole is assumed by the PipelineUser when deploying CI/CD pipelines.
This role doesn't have permission to delete stacks via sam delete. This means that any stacks
created need to be deleted manually. In order to support automated stack deletions for feature
branches, this role needs a few extra permissions.

This change is needed to support the this PR in the sam pipeline
templates:

aws/aws-sam-cli-pipeline-init-templates#42

How

  • Add three additional IAM permissions which allow the sam delete command to work as
    expected in PipelineExecutionRolePermissions.

Next Steps

Which issue(s) does this change fix?

Why is this change necessary?

How does it address the issue?

What side effects does this change have?

Checklist

  • Add input/output type hints to new functions/methods
  • Write design document (Do I need to write a design document?)
  • Write unit tests
  • Write/update functional tests
  • Write/update integration tests
  • make pr passes
  • make update-reproducible-reqs if dependencies were changed
  • Write documentation

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

sanathkr and others added 30 commits November 29, 2018 12:44
@sanathkr
Merge pull request #809 from awslabs/develop
b428871 
chore: Release v0.8.0
@jfuss
Merge pull request #815 from awslabs/develop
b493394 
chore: v0.8.1 Release
@jfuss
Merge pull request #856 from awslabs/develop
7e08351 
chore: Release v0.9.0
@sriram-mv
Merge pull request #882 from awslabs/develop
afce048 
chore: Release v0.10.0
@jfuss
Merge pull request #980 from awslabs/develop
b23d425 
chore: Release v0.11.0
@sanathkr
Merge pull request #1031 from awslabs/develop
7ddb5e4 
Releasing v0.12.0
@jfuss
Merge pull request #1051 from awslabs/develop
d88100f 
SAM CLI v0.13 release
@sriram-mv
Merge pull request #1077 from awslabs/develop
c861d49 
Release: Version 0.14.0
@sriram-mv
Merge pull request #1083 from awslabs/develop
f01b6d5 
chore: Version bump SAM CLI to 0.14.1 (#1082)
@sriram-mv
Merge pull request #1089 from awslabs/develop
21be617 
Release: v0.14.2
@sriram-mv
Merge pull request #1132 from awslabs/develop
0c421c1 
v0.15.0 Release
@sriram-mv
Merge pull request #1168 from awslabs/develop
f834f5c 
chore(version): 0.16.0
@jfuss
Merge pull request #1184 from awslabs/develop
a681eb4 
Release v0.16.1
@awood45
Merge pull request #1208 from awslabs/develop
dc81449 
chore: v0.17.0
@sriram-mv
Merge pull request #1258 from awslabs/develop
dad3ab8 
release: Version 0.18.0 (#1206)
@sriram-mv
Merge pull request #1290 from awslabs/develop
bdc7abf 
v0.19.0
@sanathkr
Merge pull request #1342 from awslabs/develop
d7d2822 
release: 0.20.0
@sanathkr
Revert "release: 0.20.0"
2090431
@sanathkr
Merge pull request #1351 from awslabs/revert-1342-develop
06b3ef9 
Revert "release: 0.20.0"
@sanathkr
chore: Update version to 0.20.1
e218d29
@sanathkr
Merge pull request #1352 from sanathkr/rollback/v0.20.1
6df4970 
chore: Update version to 0.20.1
@sriram-mv
Revert "Revert "release: 0.20.0"" (#1377)
18908c1 
This reverts commit 2090431.
@sriram-mv
Merge pull request #1374 from awslabs/develop
0943b37 
v0.21.0
@sanathkr
Merge pull request #1413 from awslabs/develop
1802ed8 
chore: Release SAM CLI v0.22
@jfuss
Merge pull request #1475 from awslabs/develop
5caeb32 
Release: 0.23.0
@awood45
Merge pull request #1493 from awslabs/develop
380183e 
chore: v0.30.0
@sanathkr
Merge pull request #1511 from awslabs/develop
f183dbb 
Release v0.31.0
@jfuss
Merge pull request #1520 from awslabs/develop
11b80b6 
Release v0.31.1
@jfuss
Merge pull request #1570 from awslabs/develop
647ef14 
chore: 0.32.0 Release
@jfuss
Merge pull request #1583 from awslabs/develop
dc6f42f 
Release v0.33.0
aws-sam-cli-bot and others added 18 commits February 25, 2021 11:49
@aws-sam-cli-bot
Merge from aws/aws-sam-cli/develop
2b20f65
@aws-sam-cli-bot
Merge from aws/aws-sam-cli/develop
2e7a2a3
@aws-sam-cli-bot
Merge from aws/aws-sam-cli/develop
5879b26
@aws-sam-cli-bot
Merge from aws/aws-sam-cli/develop
f94c5d5
@aws-sam-cli-bot
Merge from aws/aws-sam-cli/develop
e53b730
@aws-sam-cli-bot
Merge from aws/aws-sam-cli/develop
86f88cb
@aws-sam-cli-bot
Merge from aws/aws-sam-cli/develop
f1a231f
@aws-sam-cli-bot
Merge from aws/aws-sam-cli/develop
2ce6ee0
@aws-sam-cli-bot
Merge from aws/aws-sam-cli/develop
18ac2e9
@aws-sam-cli-bot
Merge from aws/aws-sam-cli/develop
1ec81ce
@aws-sam-cli-bot
Merge from aws/aws-sam-cli/develop
c1e1b45
@aws-sam-cli-bot
Merge from aws/aws-sam-cli/develop
ec9fd6c
@aws-sam-cli-bot
Merge from aws/aws-sam-cli/develop
e725cc3
@aws-sam-cli-bot
Merge from aws/aws-sam-cli/develop
40b3de8
@aws-sam-cli-bot
Merge from aws/aws-sam-cli/develop
41f5701
@aws-sam-cli-bot
Merge from aws/aws-sam-cli/develop
5290329
@aws-sam-cli-bot
Merge from aws/aws-sam-cli/develop
ddd8fe0
@brianz
Add to PipelineExecutionRolePermissions to allow stack deletion
49c85e0 
Why
---

The `PipelineExecutionRole` is assumed by the `PipelineUser` when deploying CI/CD pipelines.
This role doesn't have permission to delete stacks via `sam delete`. This means that any stacks
created need to be deleted manually. In order to support automated stack deletions for feature
branches, this role needs a few extra permissions.

This change is needed to support the this PR in the sam pipeline
templates:

aws/aws-sam-cli-pipeline-init-templates#42

How
---

- Add three additional IAM permissions which allow the `sam delete`
command to work as expected in `PipelineExecutionRolePermissions`.

Next Steps
----------

- After this is merged, [this PR in the Pipeline templates for GitHub
Actions](aws/aws-sam-cli-pipeline-init-templates#42)
can be merged.
@SimonCMoore SimonCMoore requested review from aahung and c2tarun August 30, 2021 21:39
@aahung aahung changed the base branch from master to develop October 6, 2021 21:13
@aahung aahung self-requested a review October 6, 2021 21:58
aahung
aahung suggested changes Oct 6, 2021
View reviewed changes
Copy link
Contributor

@aahung aahung left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should add one permission BatchDeleteImage to

          - Fn::If:
            - ShouldHaveImageRepository
            - Effect: "Allow"
              Action:
                - "ecr:GetDownloadUrlForLayer"
                - "ecr:BatchGetImage"
                - "ecr:BatchCheckLayerAvailability"
                - "ecr:PutImage"
                - "ecr:InitiateLayerUpload"
                - "ecr:UploadLayerPart"
                - "ecr:CompleteLayerUpload"
              Resource:
                Fn::If:
                  - MissingImageRepository
                  - !GetAtt ImageRepository.Arn
                  - !Ref ImageRepositoryArn

@brianz
Add BatchDeleteImage to PipelineExecutionRolePermissions
a4e74b6 
Based on PR feedback, allow for this role to delete a list of ImageIds
by adding `ecr:BatchDeleteImage` to the Pipeline role.
@aahung aahung merged commit 9a3aee3 into aws:develop Oct 7, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aahung aahung aahung approved these changes

@c2tarun c2tarun c2tarun approved these changes

Assignees
No one assigned
Labels
pr/external
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@brianz @c2tarun @aahung @CoshUS @sanathkr @jfuss @sriram-mv @awood45 @aws-sam-cli-bot