-
Notifications
You must be signed in to change notification settings - Fork 224
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix tagging of Cross Account Access role in the management account #700
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
**Why?** When ADF needs to tag or untag the cross-account access role, it fails to do so. **What?** * Granting the required permissions to tag and untag the roles. * Removal of the invalid `s3:listObjects` permission, the permissions required to list objects in a bucket are managed via the `s3:listBucket` permission. Which is already present.
javydekoning
approved these changes
Mar 29, 2024
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oops, I was under the impression we validate IAM policy's in the linters, looks like that's not the case.
Thanks for fixing!
StewartW
approved these changes
Apr 3, 2024
sbkok
added a commit
to sbkok/aws-deployment-framework
that referenced
this pull request
May 16, 2024
…wslabs#700) **Why?** When ADF needs to tag or untag the cross-account access role, it fails to do so. **What?** * Granting the required permissions to tag and untag the roles. * Removal of the invalid `s3:listObjects` permission, the permissions required to list objects in a bucket are managed via the `s3:listBucket` permission. Which is already present.
sbkok
added a commit
to sbkok/aws-deployment-framework
that referenced
this pull request
May 17, 2024
The upcoming v4 release will introduce breaking changes. As always, it is recommended to thoroughly review and test the upgrade procedure in a non-production environment. Unfortunately, a few issues popped up in ADF v3.2.0 that block a clean installation in a new environment. Making it harder to test the upgrade process. This release resolves those issues and includes an updated installer for ADF to simplify installation. We hope this shortens the time required to prepare for the v4 upgrade. --- **Fixes 🐞** * Fix management account config alias through ADF account management (awslabs#596) by @sbkok. * Fix CodeBuild stage naming bug (awslabs#628) by @pozeus. * Fix Jinja2 template rendering with autoescape enabled (awslabs#690) by @sujay0412. * Fix missing deployment_account_id and initial deployment global IAM bootstrap (awslabs#686) by @sbkok, resolves awslabs#594 and awslabs#659. * Fix permissions to enable delete default VPC in management account (awslabs#699) by @sbkok. * Fix tagging of Cross Account Access role in the management account (awslabs#700) by @sbkok. * Fix CloudFormation cross-region changeset approval (awslabs#701) by @sbkok. * Fix clean bootstrap of the deployment account (awslabs#703) by @sbkok, resolves awslabs#696. * Bump Jinja2 from 3.1.3 to 3.1.4 (awslabs#720 and awslabs#721) by @dependabot. * Fix account management lambdas in v3.2 (awslabs#729) by @sbkok. --- **Installation enhancements 🚀** This release is the first release with the new installation process baked in. Please read the [Installation Guide](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/installation-guide.md) how to install ADF. In case you are upgrading, please follow [the admin guide on updating ADF](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/admin-guide.md#updating-between-versions) instead. Changes baked into this release to support the new installation process: * New install process (awslabs#677) by @sbkok. * Install: Add checks to ensure installer dependencies are available (awslabs#702) by @sbkok. * Install: Add version checks and pre-deploy warnings (awslabs#726) by @sbkok. * Ensure tox fails at first pytest failure (awslabs#686) by @sbkok.
Merged
sbkok
added a commit
to sbkok/aws-deployment-framework
that referenced
this pull request
May 23, 2024
The upcoming v4 release will introduce breaking changes. As always, it is recommended to thoroughly review and test the upgrade procedure in a non-production environment. Unfortunately, a few issues popped up in ADF v3.2.0 that block a clean installation in a new environment. Making it harder to test the upgrade process. This release resolves those issues and includes an updated installer for ADF to simplify installation. We hope this shortens the time required to prepare for the v4 upgrade. --- **Fixes 🐞** * Fix management account config alias through ADF account management (awslabs#596) by @sbkok. * Fix CodeBuild stage naming bug (awslabs#628) by @pozeus. * Fix Jinja2 template rendering with autoescape enabled (awslabs#690) by @sujay0412. * Fix missing deployment_account_id and initial deployment global IAM bootstrap (awslabs#686) by @sbkok, resolves awslabs#594 and awslabs#659. * Fix permissions to enable delete default VPC in management account (awslabs#699) by @sbkok. * Fix tagging of Cross Account Access role in the management account (awslabs#700) by @sbkok. * Fix CloudFormation cross-region changeset approval (awslabs#701) by @sbkok. * Fix clean bootstrap of the deployment account (awslabs#703) by @sbkok, resolves awslabs#696. * Bump Jinja2 from 3.1.3 to 3.1.4 (awslabs#720 and awslabs#721) by @dependabot. * Fix account management lambdas in v3.2 (awslabs#729) by @sbkok. --- **Installation enhancements 🚀** This release is the first release with the new installation process baked in. Please read the [Installation Guide](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/installation-guide.md) how to install ADF. In case you are upgrading, please follow [the admin guide on updating ADF](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/admin-guide.md#updating-between-versions) instead. Changes baked into this release to support the new installation process: * New install process (awslabs#677) by @sbkok. * Install: Add checks to ensure installer dependencies are available (awslabs#702) by @sbkok. * Install: Add version checks and pre-deploy warnings (awslabs#726) by @sbkok. * Ensure tox fails at first pytest failure (awslabs#686) by @sbkok.
sbkok
added a commit
to sbkok/aws-deployment-framework
that referenced
this pull request
May 24, 2024
The upcoming v4 release will introduce breaking changes. As always, it is recommended to thoroughly review and test the upgrade procedure in a non-production environment. Unfortunately, a few issues popped up in ADF v3.2.0 that block a clean installation in a new environment. Making it harder to test the upgrade process. This release resolves those issues and includes an updated installer for ADF to simplify installation. We hope this shortens the time required to prepare for the v4 upgrade. --- **Fixes 🐞** * Fix management account config alias through ADF account management (awslabs#596) by @sbkok. * Fix CodeBuild stage naming bug (awslabs#628) by @pozeus. * Fix Jinja2 template rendering with autoescape enabled (awslabs#690) by @sujay0412. * Fix missing deployment_account_id and initial deployment global IAM bootstrap (awslabs#686) by @sbkok, resolves awslabs#594 and awslabs#659. * Fix permissions to enable delete default VPC in management account (awslabs#699) by @sbkok. * Fix tagging of Cross Account Access role in the management account (awslabs#700) by @sbkok. * Fix CloudFormation cross-region changeset approval (awslabs#701) by @sbkok. * Fix clean bootstrap of the deployment account (awslabs#703) by @sbkok, resolves awslabs#696. * Bump Jinja2 from 3.1.3 to 3.1.4 (awslabs#720 and awslabs#721) by @dependabot. * Fix account management lambdas in v3.2 (awslabs#729) by @sbkok. * Fix management account missing required IAM Tag Role permission in v3.2 (awslabs#729) by @sbkok. --- **Installation enhancements 🚀** This release is the first release with the new installation process baked in. Please read the [Installation Guide](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/installation-guide.md) how to install ADF. In case you are upgrading, please follow [the admin guide on updating ADF](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/admin-guide.md#updating-between-versions) instead. Changes baked into this release to support the new installation process: * New install process (awslabs#677) by @sbkok. * Ensure tox fails at first pytest failure (awslabs#686) by @sbkok. * Install: Add checks to ensure installer dependencies are available (awslabs#702) by @sbkok. * Install: Add version checks and pre-deploy warnings (awslabs#726) by @sbkok. * Install: Add uncommitted changes check (awslabs#733)
sbkok
added a commit
to sbkok/aws-deployment-framework
that referenced
this pull request
May 24, 2024
The upcoming v4 release will introduce breaking changes. As always, it is recommended to thoroughly review and test the upgrade procedure in a non-production environment. Unfortunately, a few issues popped up in ADF v3.2.0 that block a clean installation in a new environment. Making it harder to test the upgrade process. This release resolves those issues and includes an updated installer for ADF to simplify installation. We hope this shortens the time required to prepare for the v4 upgrade. --- **Fixes 🐞** * Fix management account config alias through ADF account management (awslabs#596) by @sbkok. * Fix CodeBuild stage naming bug (awslabs#628) by @pozeus. * Fix Jinja2 template rendering with autoescape enabled (awslabs#690) by @sujay0412. * Fix missing deployment_account_id and initial deployment global IAM bootstrap (awslabs#686) by @sbkok, resolves awslabs#594 and awslabs#659. * Fix permissions to enable delete default VPC in management account (awslabs#699) by @sbkok. * Fix tagging of Cross Account Access role in the management account (awslabs#700) by @sbkok. * Fix CloudFormation cross-region changeset approval (awslabs#701) by @sbkok. * Fix clean bootstrap of the deployment account (awslabs#703) by @sbkok, resolves awslabs#696. * Bump Jinja2 from 3.1.3 to 3.1.4 (awslabs#720 and awslabs#721) by @dependabot. * Fix account management lambdas in v3.2 (awslabs#729) by @sbkok. * Fix management account missing required IAM Tag Role permission in v3.2 (awslabs#729) by @sbkok. --- **Installation enhancements 🚀** This release is the first release with the new installation process baked in. Please read the [Installation Guide](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/installation-guide.md) how to install ADF. In case you are upgrading, please follow [the admin guide on updating ADF](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/admin-guide.md#updating-between-versions) instead. Changes baked into this release to support the new installation process: * New install process (awslabs#677) by @sbkok. * Ensure tox fails at first pytest failure (awslabs#686) by @sbkok. * Install: Add checks to ensure installer dependencies are available (awslabs#702) by @sbkok. * Install: Add version checks and pre-deploy warnings (awslabs#726) by @sbkok. * Install: Add uncommitted changes check (awslabs#733)
sbkok
added a commit
that referenced
this pull request
May 27, 2024
) **Why?** When ADF needs to tag or untag the cross-account access role, it fails to do so. **What?** * Granting the required permissions to tag and untag the roles. * Removal of the invalid `s3:listObjects` permission, the permissions required to list objects in a bucket are managed via the `s3:listBucket` permission. Which is already present.
sbkok
added a commit
that referenced
this pull request
May 27, 2024
The upcoming v4 release will introduce breaking changes. As always, it is recommended to thoroughly review and test the upgrade procedure in a non-production environment. Unfortunately, a few issues popped up in ADF v3.2.0 that block a clean installation in a new environment. Making it harder to test the upgrade process. This release resolves those issues and includes an updated installer for ADF to simplify installation. We hope this shortens the time required to prepare for the v4 upgrade. --- **Fixes 🐞** * Fix management account config alias through ADF account management (#596) by @sbkok. * Fix CodeBuild stage naming bug (#628) by @pozeus. * Fix Jinja2 template rendering with autoescape enabled (#690) by @sujay0412. * Fix missing deployment_account_id and initial deployment global IAM bootstrap (#686) by @sbkok, resolves #594 and #659. * Fix permissions to enable delete default VPC in management account (#699) by @sbkok. * Fix tagging of Cross Account Access role in the management account (#700) by @sbkok. * Fix CloudFormation cross-region changeset approval (#701) by @sbkok. * Fix clean bootstrap of the deployment account (#703) by @sbkok, resolves #696. * Bump Jinja2 from 3.1.3 to 3.1.4 (#720 and #721) by @dependabot. * Fix account management lambdas in v3.2 (#729) by @sbkok. * Fix management account missing required IAM Tag Role permission in v3.2 (#729) by @sbkok. --- **Installation enhancements 🚀** This release is the first release with the new installation process baked in. Please read the [Installation Guide](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/installation-guide.md) how to install ADF. In case you are upgrading, please follow [the admin guide on updating ADF](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/admin-guide.md#updating-between-versions) instead. Changes baked into this release to support the new installation process: * New install process (#677) by @sbkok. * Ensure tox fails at first pytest failure (#686) by @sbkok. * Install: Add checks to ensure installer dependencies are available (#702) by @sbkok. * Install: Add version checks and pre-deploy warnings (#726) by @sbkok. * Install: Add uncommitted changes check (#733)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why?
When ADF needs to tag or untag the cross-account access role, it fails to do so.
What?
s3:ListObjects
permission, the permissions required to list objects in a bucket are managed via thes3:ListBucket
permission. Which is already present.By submitting this pull request, I confirm that you can use, modify, copy, and
redistribute this contribution, under the terms of your choice.