
Commit 1369e6f

authored
Fixing template source to correct Condition role arn (#1069)
* Fixing template source to correct Condition role arn * Rolling back to original two template approach for separating mgmt and additional accounts
1 parent ed5e78f commit 1369e6f


3 files changed

+9
-56
lines changed


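--- a/src/core/cdk/src/assets/execution-role.template.json
+++ b/src/core/cdk/src/assets/execution-role.template.json
@@ -92,7 +92,7 @@
 {
 "Ref": "AWS::AccountId"
 },
-":aws:role/",
+":role/",
 {
 "Ref": "RoleName"
 }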
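Review bot: The corrected join at new line 95 yields `arn:<partition>:iam::<account>:role/<RoleName>`, which only matches a role created without an IAM path; if the role named by `RoleName` is ever given a path, an exact-match condition on this ARN will stop matching again without any deployment error. The enclosing statement lies outside this hunk, so this assumes the value feeds the `StringEquals` condition named in the commit title. Because the earlier `:aws:role/` form was still valid JSON and a valid template, nothing flagged it; a template unit test that renders this `Fn::Join` for a sample account and asserts the result against the expected role ARN would catch a regression.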

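--- a/src/core/cdk/src/assets/management-execution-role.template.json
+++ b/src/core/cdk/src/assets/management-execution-role.template.json
@@ -55,54 +55,7 @@
 "Principal": {
 "Service": "fms.amazonaws.com"
 }
-},
-{
-"Action": "sts:AssumeRole",
-"Effect": "Allow",
-"Principal": {
-"AWS": {
-"Fn::Join": [
-"",
-[
-"arn:",
-{
-"Ref": "AWS::Partition"
-},
-":iam::",
-{
-"Ref": "AWS::AccountId"
-},
-":root"
-]
-]
-}
-},
-"Condition": {
-"StringEquals": {
-"AWS:PrincipalArn": [
-{
-"Fn::Join": [
-"",
-[
-"arn:",
-{
-"Ref": "AWS::Partition"
-},
-":iam::",
-{
-"Ref": "AWS::AccountId"
-},
-":aws:role/",
-{
-"Ref": "RoleName"
-}
-]
-]
-}
-]
-}
-}
-}
+}
 ],
 "Version": "2012-10-17"
 },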

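--- a/src/core/runtime/src/create-stack/create.ts
+++ b/src/core/runtime/src/create-stack/create.ts
@@ -61,19 +61,19 @@ export const handler = async (input: CreateStackInput) => {
 console.debug(stackTemplate);
 
 // Load the template body from the given location
-const templateBody = await getTemplateBody(stackTemplate);
+let templateBody = await getTemplateBody(stackTemplate);
 
 /** Checks Parameters Table in DDB to see if we are in management account.
 * If so, our PBMM Pipeline role has different permissions and we use
 * a different template.
 */
 
-// if(parametersTableName){
-// const accounts = await loadAccounts(parametersTableName!, dynamodb);
-// if((accounts.find(acc => acc.id === accountId)?.key!) === 'management'){
-// templateBody = await getTemplateBody(managementAccountTemplate!);
-// }
-// }
+if (parametersTableName) {
+const accounts = await loadAccounts(parametersTableName!, dynamodb);
+if (accounts.find(acc => acc.id === accountId)?.key! === 'management') {
+templateBody = await getTemplateBody(managementAccountTemplate!);
+}
+}
 
 let cfn: CloudFormation;
 if (accountId && assumeRoleName) {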
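Review bot: The re-enabled branch at new lines 71-76 picks the management template only when `parametersTableName` is set and a matching account record is found, so a missing table name or a lookup miss silently deploys the general template into the management account; since the two templates appear to define different role trust policies, that fallback deserves at least a warning log or an explicit error. The non-null assertions also hide real gaps: `managementAccountTemplate!` passes `undefined` to `getTemplateBody` if the input omits it, and `?.key!` defeats the optional chain. Suggested: `if (!managementAccountTemplate) throw new Error('managementAccountTemplate is required for the management account');` before the load, and `accounts.find(acc => acc.id === accountId)?.key === 'management'` for the comparison. The handler's body starts and ends outside this hunk, so the input validation may already exist elsewhere.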
