[Templates] Scope down CloudFormation permissions in 'parallelcluster-policies.yaml' template.

Signed-off-by: Giacomo Marciani <[email protected]>
gmarciani committed Apr 17, 2023
1 parent d27a800 commit 0704826
Showing 1 changed file with 29 additions and 9 deletions.
38 changes: 29 additions & 9 deletions cloudformation/policies/parallelcluster-policies.yaml
Expand Up @@ -394,16 +394,36 @@ Resources:
Effect: Allow
Sid: Route53HostedZones
- Action:
- cloudformation:*
Resource: '*'
- cloudformation:CreateStack
Resource: !Sub
- arn:*:cloudformation:${RequestedRegion}:${AWS::AccountId}:stack/*
- RequestedRegion: !If [IsMultiRegion, '*', !Ref Region]
Effect: Allow
Condition: !If
- IsMultiRegion
- !Ref AWS::NoValue
- StringEquals:
aws:RequestedRegion:
- !Ref Region
Sid: CloudFormation
Condition:
ForAnyValue:StringEquals:
aws:TagKeys: ["parallelcluster:cluster-name"]
Sid: CloudFormationCreate
- Action:
- cloudformation:UpdateStack
Resource: !Sub
- arn:*:cloudformation:${RequestedRegion}:${AWS::AccountId}:stack/*
- RequestedRegion: !If [IsMultiRegion, '*', !Ref Region]
Effect: Allow
Condition:
ForAnyValue:StringLike:
aws:ResourceTag/parallelcluster:cluster-name: "*"
Sid: CloudFormationUpdate
- Action:
- cloudformation:DeleteStack
- cloudformation:DescribeStacks
- cloudformation:DescribeStackEvents
- cloudformation:DescribeStackResources
- cloudformation:GetTemplate
Resource: !Sub
- arn:*:cloudformation:${RequestedRegion}:${AWS::AccountId}:stack/*
- RequestedRegion: !If [IsMultiRegion, '*', !Ref Region]
Effect: Allow
Sid: CloudFormationReadAndDelete
- Action:
- cloudwatch:PutDashboard
- cloudwatch:ListDashboards
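Review bot: `cloudformation:DeleteStack` in the third statement (Sid `CloudFormationReadAndDelete`) carries no tag condition, so unlike `UpdateStack` it is allowed on every stack in the region rather than only on stacks tagged `parallelcluster:cluster-name`; give it its own statement (or put it next to `UpdateStack`) with the same `aws:ResourceTag/parallelcluster:cluster-name: "*"` condition, and leave the `Describe*`/`GetTemplate` read actions unconditioned as they are. Two smaller points: `aws:ResourceTag/<key>` is a single-valued condition key, so a plain `StringLike` is the idiomatic operator for the `CloudFormationUpdate` condition, while the `ForAnyValue:` set prefix belongs with multivalued keys such as `aws:TagKeys`, where it is used correctly in `CloudFormationCreate`; and since these three statements replace a blanket `cloudformation:*` on `Resource: '*'`, it is worth confirming that the seven enumerated actions cover every CloudFormation call the tooling makes before this is merged.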