From f593b3ed621286062c9d2c9ccfb8cc220c89d4cc Mon Sep 17 00:00:00 2001
From: Daniel van der Ploeg
Date: Tue, 30 Apr 2024 13:44:04 +0930
Subject: [PATCH 1/8] feat: add tag permissions for dynamo
---
 packages/serverless-deploy-iam/bin/app.ts | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 6f481f7..812f8ff 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -231,6 +231,9 @@ export class ServiceDeployIAM extends cdk.Stack {
 "dynamodb:CreateTable",
 "dynamodb:UpdateTable",
 "dynamodb:DeleteTable",
+ "dynamodb:ListTagsOfResource",
+ "dynamodb:TagResource",
+ "dynamodb:UntagResource",
 ],
 },
 {
From 9e103978e37cff792ac0b2d0e833835385a14dd5 Mon Sep 17 00:00:00 2001
From: finnholland-alg
Date: Wed, 1 May 2024 13:20:33 +0930
Subject: [PATCH 2/8] FIX: Added TagRole required by serverless
---
 packages/serverless-deploy-iam/bin/app.ts | 2 ++
 1 file changed, 2 insertions(+)
 mode change 100644 => 100755 packages/serverless-deploy-iam/bin/app.ts
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
old mode 100644
new mode 100755
index 6f481f7..562c311
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -220,6 +220,8 @@ export class ServiceDeployIAM extends cdk.Stack {
 "iam:DetachRolePolicy",
 "iam:AttachRolePolicy",
 "iam:UpdateAssumeRolePolicy",
+ "iam:TagRole",
+ "iam:UntagRole"
 ],
 },
 {
From 4faaccb57dea9f6f26eb0eac319ff78d7a778d68 Mon Sep 17 00:00:00 2001
From: finnholland-alg
Date: Wed, 1 May 2024 13:31:45 +0930
Subject: [PATCH 3/8] FIX: Linted
---
 packages/serverless-deploy-iam/bin/app.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 562c311..d9d4528 100755
--- a/packages/serverless-deploy-iam/bin/app.ts
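Review bot: The added `dynamodb:TagResource`/`dynamodb:UntagResource` lines (and `iam:TagRole`/`iam:UntagRole` in the following PATCH 2/8 hunk) grant tag mutation, which is privilege-relevant wherever policies or permission boundaries in the account use `aws:ResourceTag` conditions on tables or roles; neither hunk shows the statement's `resources`/`qualifiers`, so please confirm both statements stay limited to the service's own resource names. A one-line comment on each group would record why the deploy role needs them and why the scope matters, e.g. `// tag mutation: needed for stack tags on tables/roles; keep resources service-scoped since tag-based (ABAC) conditions key on these tags`. The enclosing actions arrays begin outside both hunks.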
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -221,7 +221,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 "iam:AttachRolePolicy",
 "iam:UpdateAssumeRolePolicy",
 "iam:TagRole",
- "iam:UntagRole"
+ "iam:UntagRole",
 ],
 },
 {
From a1c8f1d11a31ad806630990c9b0d05ed00993f5e Mon Sep 17 00:00:00 2001
From: Daniel van der Ploeg
Date: Fri, 3 May 2024 10:17:16 +0930
Subject: [PATCH 4/8] feat: add ttl permission
---
 packages/serverless-deploy-iam/bin/app.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 74f6f8c..9ed45f7 100755
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -188,6 +188,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 "dynamodb:ListTagsOfResource",
 "dynamodb:TagResource",
 "dynamodb:UntagResource",
+ "dynamodb:*TimeToLive"
 ],
 },
 {
From 41edb0dfceefc7accf40bd8fa23d52de8912005c Mon Sep 17 00:00:00 2001
From: Daniel van der Ploeg
Date: Fri, 3 May 2024 10:21:09 +0930
Subject: [PATCH 5/8] chore: add trailing comma
---
 packages/serverless-deploy-iam/bin/app.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 9ed45f7..cebeaed 100755
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -188,7 +188,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 "dynamodb:ListTagsOfResource",
 "dynamodb:TagResource",
 "dynamodb:UntagResource",
- "dynamodb:*TimeToLive"
+ "dynamodb:*TimeToLive",
 ],
 },
 {
From 04f1b86fb0b1b0a8297b6c47091752663ed3cbbb Mon Sep 17 00:00:00 2001
From: Daniel Van Der Ploeg
Date: Wed, 8 May 2024 14:00:08 +0930
Subject: [PATCH 6/8] fix: add parameter hash as default value
---
 packages/serverless-deploy-iam/bin/app.ts | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
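Review bot: `"dynamodb:*TimeToLive"` in the PATCH 4/8 hunk is a wildcard action: it matches `dynamodb:DescribeTimeToLive` and `dynamodb:UpdateTimeToLive` today, but also any action DynamoDB later introduces with that suffix, so the grant can widen without a code change and is harder to audit than a named list. Replace it with the two explicit actions, `"dynamodb:DescribeTimeToLive",` and `"dynamodb:UpdateTimeToLive",`, which also carries the trailing comma that PATCH 5/8 had to add separately. The enclosing actions array begins outside the hunk.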
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index cebeaed..c53f099 100755
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -241,7 +241,6 @@ export class ServiceDeployIAM extends cdk.Stack {
 actions: [
 "scheduler:GetScheduleGroup",
 "scheduler:CreateScheduleGroup",
- "scheduler:UpdateScheduleGroup",
 "scheduler:DeleteScheduleGroup",
 "scheduler:TagResource",
 "scheduler:ListTagsForResource",
@@ -541,7 +540,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 new CfnParameter(this, parameterName, {
 type: "String",
 description: `Custom qualifier values provided for ${policy.name}`,
- default: "",
+ default: PARAMETER_HASH,
 })
 );
 }
From a0f66d97a6452058bb158a97a460f4fbf63625b1 Mon Sep 17 00:00:00 2001
From: Daniel Van Der Ploeg
Date: Thu, 23 May 2024 14:04:01 +0930
Subject: [PATCH 7/8] feat: compress api gateway permissions
---
 packages/serverless-deploy-iam/bin/app.ts | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index c53f099..020cf64 100755
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
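Review bot: `default: PARAMETER_HASH` in the second PATCH 6/8 hunk replaces the empty-string default of a user-facing `CfnParameter` with a constant that is not defined in the hunk, while the `description` still reads `Custom qualifier values provided for ...`, so anyone reading the synthesized template sees an opaque hash as the default of a "custom qualifier" input. If the hash is a sentinel that the code consuming this parameter compares against to mean "no custom qualifiers supplied", record that at the call site, e.g. `// default is a sentinel, not a real qualifier: consumers treat PARAMETER_HASH as "none provided"`; if it is instead meant to force a template change on each synth, the parameter description should say so. The enclosing function begins and ends outside the hunk.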
@@ -503,20 +503,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 // Generated api key names are random so this cannot be limited to the service at this time
 {
 name: "API_GATEWAY",
- resources: [`arn:aws:apigateway:${region}::/apikeys/*`],
- actions: ["apigateway:GET", "apigateway:PATCH"],
- },
- {
- name: "API_GATEWAY_RESTAPIS",
- prefix: `arn:aws:apigateway:${region}::/restapis`,
- qualifiers: [`/*/deployments`],
- actions: ["apigateway:GET"],
- },
- // The serverless-api-gateway-throttling requires PATCH access using the deploy user to update maxRequestsPerSecond and maxConcurrentRequests
- {
- name: "API_GATEWAY",
- prefix: `arn:aws:apigateway:${region}::/restapis/*/stages`,
- qualifiers: [`*`],
+ resources: [`arn:aws:apigateway:${region}::*`],
 actions: ["apigateway:GET", "apigateway:PATCH", "apigateway:POST"],
 },
 {
From 48d50b3be925f16454c4f8018c3ca2d15ce57516 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Fri, 31 May 2024 14:38:27 +0930
Subject: [PATCH 8/8] add sns:SetTopicAttributes permission
---
 packages/serverless-deploy-iam/bin/app.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index c53f099..41572fe 100755
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -257,6 +257,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 qualifiers: [`${serviceName}*`],
 actions: [
 "sns:GetTopicAttributes",
+ "sns:SetTopicAttributes",
 "sns:CreateTopic",
 "sns:DeleteTopic",
 "sns:Subscribe",
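Review bot: The new `resources: [`arn:aws:apigateway:${region}::*`]` line, together with the retained `apigateway:GET`/`PATCH`/`POST` actions, lets the deploy principal read, modify and create any API Gateway resource in the region (every REST API, stage, deployment, API key, usage plan, domain name and VPC link), whereas the three statements it replaces were limited to `/apikeys/*`, `/restapis/*/deployments` and `/restapis/*/stages`. The context comment above the statement still justifies wildcarding by the random API key names, which no longer explains this scope, and dropping the `prefix`/`qualifiers` form appears to lose the per-statement qualifier parameter that the `CfnParameter` hunk in PATCH 6/8 suggests the rest of the file uses for narrowing. Keep the API-key statement separate and fold the deployments and stages entries into one `prefix`-based statement; that remains an account-wide grant per path, but it excludes the unrelated resource types and keeps the comments accurate. How `prefix` and `qualifiers` are joined is not visible here, so the qualifier strings below assume the plain concatenation the removed lines relied on.
```typescript
      // Generated api key names are random so this cannot be limited to the service at this time
      {
        name: "API_GATEWAY",
        resources: [`arn:aws:apigateway:${region}::/apikeys/*`],
        actions: ["apigateway:GET", "apigateway:PATCH"],
      },
      // Deployments plus stage settings (serverless-api-gateway-throttling PATCHes stages); excludes usage plans, domain names, VPC links
      {
        name: "API_GATEWAY_RESTAPIS",
        prefix: `arn:aws:apigateway:${region}::/restapis`,
        qualifiers: [`/*/deployments`, `/*/stages*`],
        actions: ["apigateway:GET", "apigateway:PATCH", "apigateway:POST"],
      },
```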
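Review bot: `sns:SetTopicAttributes` in the PATCH 8/8 hunk is added without a note on what it covers: besides display and delivery settings, the same action writes the topic's `Policy` (its resource-based access policy) and `KmsMasterKeyId` attributes, so it is a resource-policy write rather than a plain configuration tweak. The statement is bounded by the visible `qualifiers: [`${serviceName}*`]`, which is the right boundary for it; record the reason next to the action so the scope is not loosened later, e.g. `// SetTopicAttributes also writes the topic Policy and KmsMasterKeyId attributes; keep it behind the service-name qualifier above`. The enclosing statement begins and ends outside the hunk.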