
Commit b3be107

Address new IAM Trust Policy behavior, Upgrade CDK to 1.174.0, and update NodeJS12 functions (#1066)
* updated version * Fixed import for assume role plugin * added error checking * more logging * changed logging * explicit check for ec2 creds * AssumeRole First try * Updating creds issue * Updating SFN-MasterRole policy * Fixing arn for assume role * Cleaning up code and updating trust policy * Fixing arn * Rolling in changes from updating IAM PBMM Pipeline role for new trust policy behavior * removing new lines from assumebyrolearn * Updating policies and template * Updating initial setup * Removing L-SFN-Master role trust to itself * Remove commented out line * Updating pnpm-lock after pnpm install * fixed test problems * fixed lock file * Upgrading version of @aws-cdk/aws-iam to 1.174.0 * Fixing pnpm-lock after delete and pnpm-install Co-authored-by: hickeydh-aws <hickeydh@amazon.com>
1 parent 8d9fbc1 commit b3be107


78 files changed

+3202
-2809
lines changed



pnpm-lock.yaml

Lines changed: 2446 additions & 2332 deletions

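--- a/src/core/cdk/package.json
+++ b/src/core/cdk/package.json
@@ -20,23 +20,23 @@
   "dependencies": {
     "@aws-accelerator/accelerator-runtime": "workspace:*",
     "@aws-accelerator/cdk-accelerator": "workspace:*",
-    "@aws-cdk/aws-codebuild": "1.144.0",
-    "@aws-cdk/aws-dynamodb": "1.144.0",
-    "@aws-cdk/aws-events": "1.144.0",
-    "@aws-cdk/aws-iam": "1.144.0",
-    "@aws-cdk/aws-kms": "1.144.0",
-    "@aws-cdk/aws-lambda": "1.144.0",
-    "@aws-cdk/aws-s3": "1.144.0",
-    "@aws-cdk/aws-s3-assets": "1.144.0",
-    "@aws-cdk/aws-secretsmanager": "1.144.0",
-    "@aws-cdk/aws-sns": "1.144.0",
-    "@aws-cdk/aws-stepfunctions": "1.144.0",
-    "@aws-cdk/aws-stepfunctions-tasks": "1.144.0",
-    "@aws-cdk/core": "1.144.0"
+    "@aws-cdk/aws-codebuild": "1.174.0",
+    "@aws-cdk/aws-dynamodb": "1.174.0",
+    "@aws-cdk/aws-events": "1.174.0",
+    "@aws-cdk/aws-iam": "1.174.0",
+    "@aws-cdk/aws-kms": "1.174.0",
+    "@aws-cdk/aws-lambda": "1.174.0",
+    "@aws-cdk/aws-s3": "1.174.0",
+    "@aws-cdk/aws-s3-assets": "1.174.0",
+    "@aws-cdk/aws-secretsmanager": "1.174.0",
+    "@aws-cdk/aws-sns": "1.174.0",
+    "@aws-cdk/aws-stepfunctions": "1.174.0",
+    "@aws-cdk/aws-stepfunctions-tasks": "1.174.0",
+    "@aws-cdk/core": "1.174.0"
   },
   "devDependencies": {
     "@types/node": "14.14.31",
-    "aws-cdk": "1.144.0",
+    "aws-cdk": "1.174.0",
     "eslint": "7.25.0",
     "jest": "25.2.4",
     "ts-jest": "25.3.0",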
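--- a/src/core/cdk/src/assets/execution-role.template.json
+++ b/src/core/cdk/src/assets/execution-role.template.json
@@ -55,7 +55,54 @@
               "Principal": {
                 "Service": "fms.amazonaws.com"
               }
-            }
+            },
+            {
+              "Action": "sts:AssumeRole",
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": {
+                  "Fn::Join": [
+                    "",
+                    [
+                      "arn:",
+                      {
+                        "Ref": "AWS::Partition"
+                      },
+                      ":iam::",
+                      {
+                        "Ref": "AWS::AccountId"
+                      },
+                      ":root"
+                    ]
+                  ]
+                }
+              },
+              "Condition": {
+                "StringEquals": {
+                  "AWS:PrincipalArn": [
+                    {
+                      "Fn::Join": [
+                        "",
+                        [
+                          "arn:",
+                          {
+                            "Ref": "AWS::Partition"
+                          },
+                          ":iam::",
+                          {
+                            "Ref": "AWS::AccountId"
+                          },
+                          ":aws:role/",
+                          {
+                            "Ref": "RoleName"
+                          }
+                        ]
+                      ]
+                    }
+                  ]
+                }
+              }
+            }
           ],
           "Version": "2012-10-17"
         },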
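Review bot: The `aws:PrincipalArn` condition value in the new statement is joined as `arn:<partition>:iam::<account>:aws:role/<RoleName>` (the `":aws:role/"` segment), whereas IAM role ARNs have the form `arn:<partition>:iam::<account>:role/<RoleName>`; unless I am misreading the Fn::Join, the StringEquals can never match and the `:root` principal statement grants nothing, so the self-assume this commit is meant to restore would still be denied. Changing the segment to `":role/"` makes the value equal the role's own ARN. Keeping that condition correct matters in both directions: it is the only thing that stops every principal in the account from assuming a role that carries AdministratorAccess, so a unit test that renders the template and asserts the joined ARN would be worth adding. The enclosing AssumeRolePolicyDocument starts before the hunk.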
Lines changed: 169 additions & 0 deletions
@@ -0,0 +1,169 @@
1+
{
2+
"Parameters": {
3+
"RoleName": {
4+
"Type": "String"
5+
},
6+
"MaxSessionDuration": {
7+
"Type": "Number"
8+
},
9+
"AssumedByRoleArn": {
10+
"Type": "CommaDelimitedList"
11+
},
12+
"AcceleratorPrefix": {
13+
"Type": "String"
14+
}
15+
},
16+
"Resources": {
17+
"Role1ABCC5F0": {
18+
"Type": "AWS::IAM::Role",
19+
"Properties": {
20+
"AssumeRolePolicyDocument": {
21+
"Statement": [
22+
{
23+
"Action": "sts:AssumeRole",
24+
"Effect": "Allow",
25+
"Principal": {
26+
"AWS": {
27+
"Ref": "AssumedByRoleArn"
28+
}
29+
}
30+
},
31+
{
32+
"Action": "sts:AssumeRole",
33+
"Effect": "Allow",
34+
"Principal": {
35+
"Service": "ssm.amazonaws.com"
36+
}
37+
},
38+
{
39+
"Action": "sts:AssumeRole",
40+
"Effect": "Allow",
41+
"Principal": {
42+
"Service": "cloudformation.amazonaws.com"
43+
}
44+
},
45+
{
46+
"Action": "sts:AssumeRole",
47+
"Effect": "Allow",
48+
"Principal": {
49+
"Service": "lambda.amazonaws.com"
50+
}
51+
},
52+
{
53+
"Action": "sts:AssumeRole",
54+
"Effect": "Allow",
55+
"Principal": {
56+
"Service": "fms.amazonaws.com"
57+
}
58+
},
59+
{
60+
"Action": "sts:AssumeRole",
61+
"Effect": "Allow",
62+
"Principal": {
63+
"AWS": {
64+
"Fn::Join": [
65+
"",
66+
[
67+
"arn:",
68+
{
69+
"Ref": "AWS::Partition"
70+
},
71+
":iam::",
72+
{
73+
"Ref": "AWS::AccountId"
74+
},
75+
":root"
76+
]
77+
]
78+
}
79+
},
80+
"Condition": {
81+
"StringEquals": {
82+
"AWS:PrincipalArn": [
83+
{
84+
"Fn::Join": [
85+
"",
86+
[
87+
"arn:",
88+
{
89+
"Ref": "AWS::Partition"
90+
},
91+
":iam::",
92+
{
93+
"Ref": "AWS::AccountId"
94+
},
95+
":aws:role/",
96+
{
97+
"Ref": "RoleName"
98+
}
99+
]
100+
]
101+
}
102+
]
103+
}
104+
}
105+
}
106+
],
107+
"Version": "2012-10-17"
108+
},
109+
"ManagedPolicyArns": [
110+
{
111+
"Fn::Join": [
112+
"",
113+
[
114+
"arn:",
115+
{
116+
"Ref": "AWS::Partition"
117+
},
118+
":iam::aws:policy/AdministratorAccess"
119+
]
120+
]
121+
}
122+
],
123+
"Policies": [
124+
{
125+
"PolicyName": "CDKAssetsPolicy",
126+
"PolicyDocument": {
127+
"Statement": [
128+
{
129+
"Action": "s3:*",
130+
"Effect": "Allow",
131+
"Resource": [
132+
{
133+
"Fn::Join": [
134+
"",
135+
[
136+
"arn:aws:s3:::cdk-",
137+
{
138+
"Ref": "AcceleratorPrefix"
139+
},
140+
"-assets-*"
141+
]
142+
]
143+
}
144+
]
145+
}
146+
],
147+
"Version": "2012-10-17"
148+
}
149+
}
150+
],
151+
"RoleName": {
152+
"Ref": "RoleName"
153+
},
154+
"MaxSessionDuration": {
155+
"Ref": "MaxSessionDuration"
156+
},
157+
"Tags": [
158+
{
159+
"Key": "Accelerator",
160+
"Value": "PBMM"
161+
}
162+
]
163+
},
164+
"Metadata": {
165+
"aws:cdk:path": "AssumeRole/Role/Resource"
166+
}
167+
}
168+
}
169+
}
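Review bot: The self-trust statement of this new file (new lines 59–105) carries the same `":aws:role/"` segment in its `aws:PrincipalArn` condition as the sibling execution-role template, producing `arn:<partition>:iam::<account>:aws:role/<RoleName>` instead of the `...:role/<RoleName>` form IAM uses for role ARNs, so unless that is intentional the condition cannot match and the account-root principal statement is inert; `":role/"` is the value that would match. The file header for this section is not rendered, so I am inferring from initial-setup.ts that this is `management-execution-role.template.json`. Note also that the first statement trusts every entry of `AssumedByRoleArn` unconditionally while the role has `AdministratorAccess` attached, so whatever the pipeline passes there (initial-setup.ts currently includes the account `:root`) becomes a full-admin path; a `Description` on that parameter stating that each entry receives administrator rights would make the intent reviewable. Minor: `"arn:aws:s3:::cdk-"` in `CDKAssetsPolicy` hard-codes the partition while the trust policy uses `AWS::Partition`.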

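--- a/src/core/cdk/src/initial-setup.ts
+++ b/src/core/cdk/src/initial-setup.ts
@@ -187,6 +187,8 @@ export namespace InitialSetup {
     // The role used by the build should allow this session duration
     const buildTimeout = cdk.Duration.hours(4);
 
+    const roleArnRoot = `arn:aws:iam::${stack.account}:root`;
+
     // The pipeline stage `InstallRoles` will allow the pipeline role to assume a role in the sub accounts
     const pipelineRole = new iam.Role(this, 'Role', {
       roleName: createRoleName('L-SFN-MasterRole'),
@@ -195,6 +197,7 @@ export namespace InitialSetup {
         new iam.ServicePrincipal('codebuild.amazonaws.com'),
         new iam.ServicePrincipal('lambda.amazonaws.com'),
         new iam.ServicePrincipal('events.amazonaws.com'),
+        new iam.ArnPrincipal(roleArnRoot),
       ),
       managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName('AdministratorAccess')],
       maxSessionDuration: buildTimeout,
@@ -561,6 +564,8 @@ export namespace InitialSetup {
     );
 
     const accountsPath = path.join(__dirname, 'assets', 'execution-role.template.json');
+    const managementAccountPath = path.join(__dirname, 'assets', 'management-execution-role.template.json');
+    const managementAccountExecutionRoleContent = fs.readFileSync(managementAccountPath);
     const executionRoleContent = fs.readFileSync(accountsPath);
 
     const installRolesStateMachine = new sfn.StateMachine(this, `${props.acceleratorPrefix}InstallRoles_sm`, {
@@ -582,14 +587,16 @@ export namespace InitialSetup {
           RoleName: props.stateMachineExecutionRole,
           MaxSessionDuration: `${buildTimeout.toSeconds()}`,
           // TODO Only add root role for development environments
-          AssumedByRoleArn: `arn:aws:iam::${stack.account}:root,${pipelineRole.roleArn}`,
+          AssumedByRoleArn: `${pipelineRole.roleArn},arn:aws:iam::${stack.account}:root`,
           AcceleratorPrefix: props.acceleratorPrefix.endsWith('-')
             ? props.acceleratorPrefix.slice(0, -1).toLowerCase()
             : props.acceleratorPrefix.toLowerCase(),
         },
         stackTemplate: executionRoleContent.toString(),
+        managementAccountTemplate: managementAccountExecutionRoleContent.toString(),
         'accountId.$': '$.accountId',
         'assumeRoleName.$': '$.organizationAdminRole',
+        parametersTableName: parametersTable.tableName,
       }),
       resultPath: 'DISCARD',
     });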
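Review bot: `new iam.ArnPrincipal(roleArnRoot)` added to the L-SFN-MasterRole trust policy (new line 200) trusts the whole account root with no condition, so any IAM principal in the account that is allowed `sts:AssumeRole` on this role can take on its AdministratorAccess policy; that is considerably broader than the explicit self-trust the new IAM behavior calls for. The execution-role templates in this same commit scope their equivalent `:root` statement with a `StringEquals` on `aws:PrincipalArn`, and the same can be expressed here, e.g. ``new iam.ArnPrincipal(roleArnRoot).withConditions({ StringEquals: { 'aws:PrincipalArn': `arn:${stack.partition}:iam::${stack.account}:role/${createRoleName('L-SFN-MasterRole')}` } })`` — building the ARN from the name rather than `pipelineRole.roleArn` avoids a self-reference in the synthesized template. `roleArnRoot` and the reordered `AssumedByRoleArn` value also hard-code the `aws` partition while the JSON templates use `AWS::Partition`; `stack.partition` keeps them consistent, and the `// TODO Only add root role for development environments` above `AssumedByRoleArn` is still open after this change. The enclosing constructor body starts before the first hunk and continues past the last.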
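--- a/src/core/runtime/src/create-stack/create.ts
+++ b/src/core/runtime/src/create-stack/create.ts
@@ -14,6 +14,9 @@
 import { CloudFormation, objectToCloudFormationParameters } from '@aws-accelerator/common/src/aws/cloudformation';
 import { StackTemplateLocation, getTemplateBody } from '../create-stack-set/create-stack-set';
 import { STS } from '@aws-accelerator/common/src/aws/sts';
+import { DynamoDB } from '@aws-accelerator/common/src/aws/dynamodb';
+
+import { loadAccounts } from '../utils/load-accounts';
 
 interface CreateStackInput {
   stackName: string;
@@ -22,11 +25,14 @@ interface CreateStackInput {
   stackTemplate: StackTemplateLocation;
   accountId?: string;
   assumeRoleName?: string;
+  managementAccountTemplate?: StackTemplateLocation;
   region?: string;
   ignoreAccountId?: string;
   ignoreRegion?: string;
+  parametersTableName?: string;
 }
 
+const dynamodb = new DynamoDB();
 const sts = new STS();
 export const handler = async (input: CreateStackInput) => {
   console.log(`Creating stack...`);
@@ -38,10 +44,12 @@ export const handler = async (input: CreateStackInput) => {
     stackParameters,
     stackTemplate,
     accountId,
+    managementAccountTemplate,
     assumeRoleName,
     region,
     ignoreAccountId,
     ignoreRegion,
+    parametersTableName,
   } = input;
 
   if (ignoreAccountId && ignoreAccountId === accountId && !ignoreRegion) {
@@ -55,6 +63,18 @@ export const handler = async (input: CreateStackInput) => {
   // Load the template body from the given location
   const templateBody = await getTemplateBody(stackTemplate);
 
+  /** Checks Parameters Table in DDB to see if we are in management account.
+   * If so, our PBMM Pipeline role has different permissions and we use
+   * a different template.
+   */
+
+  // if(parametersTableName){
+  //   const accounts = await loadAccounts(parametersTableName!, dynamodb);
+  //   if((accounts.find(acc => acc.id === accountId)?.key!) === 'management'){
+  //     templateBody = await getTemplateBody(managementAccountTemplate!);
+  //   }
+  // }
+
   let cfn: CloudFormation;
   if (accountId && assumeRoleName) {
     const credentials = await sts.getCredentialsForAccountAndRole(accountId, assumeRoleName);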
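Review bot: The branch that would select `managementAccountTemplate` is shipped commented out (new lines 71–76), so the management account still receives the ordinary execution-role template even though initial-setup.ts now passes both `managementAccountTemplate` and `parametersTableName`, while the `DynamoDB` client constructed at module load (line 35) and the `loadAccounts` import are never used. As written the snippet could not simply be uncommented either: `templateBody` is declared `const` on line 64, and the `!` assertions would hand `undefined` to `getTemplateBody` whenever the optional inputs are absent. Either remove the dead block together with the two unused imports and the client, or wire it as below so the selection is guarded on both inputs and needs no non-null assertions; `handler` continues past the hunk.

```typescript
  // Load the template body from the given location
  let templateBody = await getTemplateBody(stackTemplate);

  // The management account's pipeline role has a different permission set,
  // so it gets its own template when the caller supplies one.
  if (parametersTableName && managementAccountTemplate) {
    const accounts = await loadAccounts(parametersTableName, dynamodb);
    const target = accounts.find(acc => acc.id === accountId);
    if (target?.key === 'management') {
      templateBody = await getTemplateBody(managementAccountTemplate);
    }
  }
  // … unchanged: CloudFormation client / assume-role setup …
```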