
Commit aaf7fc7

Update CodeDeploy default policy to AWSCodeDeployRoleForLambdaLimited (#98)
* Updating CodeDeploy policy to AWSCodeDeployRoleForLambdaLimited * Adding SNS policy when TriggerConfigurations are provided * Added trigger configurations check in buildCodeDeployRole method * Add function to check trigger configurations Authored-by: Varun Rao <[email protected]>
1 parent f049056 commit aaf7fc7

13 files changed

+90
-42
lines changed

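--- a/fixtures/1.output.json
+++ b/fixtures/1.output.json
@@ -503,7 +503,7 @@
 "Type": "AWS::IAM::Role",
 "Properties": {
 "ManagedPolicyArns": [
-"arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda",
+"arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
 "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
 ],
 "AssumeRolePolicyDocument": {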

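--- a/fixtures/10.output.v2-websocket.json
+++ b/fixtures/10.output.v2-websocket.json
@@ -817,7 +817,7 @@
 "Type": "AWS::IAM::Role",
 "Properties": {
 "ManagedPolicyArns": [
-"arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda",
+"arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
 "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
 ],
 "AssumeRolePolicyDocument": {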

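--- a/fixtures/11.output.v2-websocket-authorizer.json
+++ b/fixtures/11.output.v2-websocket-authorizer.json
@@ -914,7 +914,7 @@
 "Type": "AWS::IAM::Role",
 "Properties": {
 "ManagedPolicyArns": [
-"arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda",
+"arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
 "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
 ],
 "AssumeRolePolicyDocument": {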

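--- a/fixtures/12.output-with-permissions-boundary.json
+++ b/fixtures/12.output-with-permissions-boundary.json
@@ -503,7 +503,7 @@
 "Type": "AWS::IAM::Role",
 "Properties": {
 "ManagedPolicyArns": [
-"arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda",
+"arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
 "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
 ],
 "AssumeRolePolicyDocument": {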

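--- a/fixtures/2.output.without-hooks.json
+++ b/fixtures/2.output.without-hooks.json
@@ -370,7 +370,7 @@
 "Type": "AWS::IAM::Role",
 "Properties": {
 "ManagedPolicyArns": [
-"arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda",
+"arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
 "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
 ],
 "AssumeRolePolicyDocument": {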

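--- a/fixtures/5.output.with-trigger.json
+++ b/fixtures/5.output.with-trigger.json
@@ -503,8 +503,9 @@
 "Type": "AWS::IAM::Role",
 "Properties": {
 "ManagedPolicyArns": [
-"arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda",
-"arn:aws:iam::aws:policy/AWSLambdaFullAccess"
+"arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
+"arn:aws:iam::aws:policy/AWSLambdaFullAccess",
+"arn:aws:iam::aws:policy/AmazonSNSFullAccess"
 ],
 "AssumeRolePolicyDocument": {
 "Version": "2012-10-17",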
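Review bot: The expected role now attaches `"arn:aws:iam::aws:policy/AmazonSNSFullAccess"` beside the newly limited CodeDeploy policy, which grants the CodeDeploy service role sns:* on every topic in the account when all it needs for deployment triggers is to publish to the topics named in the trigger configurations; the same grant appears in fixtures/9.output.iot-topic-rule.json. Since those target ARNs are already known when the role is built, the generator (buildCodeDeployRole per the description, not in this diff) could emit an inline policy allowing only `sns:Publish` on exactly those ARNs, and these fixtures would then carry that scoped statement instead of the managed policy. The fixtures only mirror the generator's output, so the change belongs there and these files would be regenerated from it.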

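--- a/fixtures/6.output.cloudwatch-events-trigger.json
+++ b/fixtures/6.output.cloudwatch-events-trigger.json
@@ -302,7 +302,7 @@
 "Type": "AWS::IAM::Role",
 "Properties": {
 "ManagedPolicyArns": [
-"arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda",
+"arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
 "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
 ],
 "AssumeRolePolicyDocument": {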

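--- a/fixtures/7.output.cloudwatch-logs-trigger.json
+++ b/fixtures/7.output.cloudwatch-logs-trigger.json
@@ -295,7 +295,7 @@
 "Type": "AWS::IAM::Role",
 "Properties": {
 "ManagedPolicyArns": [
-"arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda",
+"arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
 "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
 ],
 "AssumeRolePolicyDocument": {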

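--- a/fixtures/8.output.sns-subscriptions-trigger.json
+++ b/fixtures/8.output.sns-subscriptions-trigger.json
@@ -232,7 +232,7 @@
 "Type": "AWS::IAM::Role",
 "Properties": {
 "ManagedPolicyArns": [
-"arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda",
+"arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
 "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
 ],
 "AssumeRolePolicyDocument": {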

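--- a/fixtures/9.output.iot-topic-rule.json
+++ b/fixtures/9.output.iot-topic-rule.json
@@ -706,8 +706,9 @@
 "Type": "AWS::IAM::Role",
 "Properties": {
 "ManagedPolicyArns": [
-"arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda",
-"arn:aws:iam::aws:policy/AWSLambdaFullAccess"
+"arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
+"arn:aws:iam::aws:policy/AWSLambdaFullAccess",
+"arn:aws:iam::aws:policy/AmazonSNSFullAccess"
 ],
 "AssumeRolePolicyDocument": {
 "Version": "2012-10-17",
@@ -865,4 +866,4 @@
 }
 }
 }
-}
+}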
