From 1ca7739c1a33f3938af3de3a8833893ad0c30bd6 Mon Sep 17 00:00:00 2001
From: Simon Kok
Date: Thu, 20 Jul 2023 09:31:00 +0200
Subject: [PATCH] Fix resource untagging permissions (#635)
* Fix CodeCommit repo untagging
**Why?** The ADF Automation Role will need the CodeCommit:UntagResource permission when you change the tags that should be applied to a CodeCommit repository.
* Allow CodePipeline, SNS, and Organizations to Untag too
**Why?** When changing an organization wide tag, it would fail to update the stack due to this missing permission..
---
 .../bootstrap_repository/adf-bootstrap/deployment/global.yml | 1 +
 .../adf-bootstrap/deployment/pipeline_management.yml | 2 ++
 .../bootstrap_repository/adf-bootstrap/global.yml | 1 +
 src/template.yml | 1 +
 4 files changed, 5 insertions(+)
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
index 95fc3aff3..ffd22dbea 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
@@ -614,6 +614,7 @@ Resources:
 - "codecommit:PutRepositoryTriggers"
 - "codecommit:GetRepository"
 - "codecommit:TagResource"
+ - "codecommit:UntagResource"
 Resource:
 - "*"
 - Effect: Allow
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml
index 03fa7c3f6..03190dbb3 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml
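Review bot: `codecommit:UntagResource` is added to a statement whose Resource is `"*"`, so the role this policy belongs to can now strip tags from every CodeCommit repository in the account rather than only the repositories ADF creates; the enclosing statement starts before the hunk, so whether a Condition already narrows it is not visible here. Since the commit message says the grant exists so tag changes can be applied to ADF-managed repositories, a `Condition` on `aws:TagKeys` listing the keys ADF manages, or a Resource pattern matching ADF's repository names, would keep the new removal right as narrow as the intent, if that key set is known at template time. The identical statement shape is added at `@@ -301,6 +301,7 @@` in adf-bootstrap/global.yml, so the same consideration applies there. A one-line comment above the new action, `# UntagResource lets a tag change remove keys that are no longer applied`, would record why removal (and not only TagResource) is needed.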
@@ -796,6 +796,7 @@ Resources:
 - "codepipeline:RegisterWebhookWithThirdParty"
 - "codepipeline:StartPipelineExecution"
 - "codepipeline:TagResource"
+ - "codepipeline:UntagResource"
 - "codepipeline:UpdatePipeline"
 Resource:
 - !Sub arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:webhook:adf-webhook-*
@@ -817,6 +818,7 @@ Resources:
 - "sns:SetTopicAttributes"
 - "sns:GetTopicAttributes"
 - "sns:TagResource"
+ - "sns:UntagResource"
 - "sns:ListSubscriptionsByTopic"
 Resource:
 - !Sub arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${PipelinePrefix}*
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
index bbbe23313..f9aaba107 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
@@ -301,6 +301,7 @@ Resources:
 - "codecommit:PutRepositoryTriggers"
 - "codecommit:GetRepository"
 - "codecommit:TagResource"
+ - "codecommit:UntagResource"
 Resource:
 - "*"
 - Effect: Allow
diff --git a/src/template.yml b/src/template.yml
index ebabd8b2e..bfbe18fbd 100644
--- a/src/template.yml
+++ b/src/template.yml
@@ -402,6 +402,7 @@ Resources:
 - Effect: Allow
 Action:
 - "organizations:TagResource"
+ - "organizations:UntagResource"
 Resource: "*"
 AccountTagConfigFunction:
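Review bot: In the src/template.yml hunk, `organizations:UntagResource` is granted with `Resource: "*"`, which allows the role this statement belongs to (its definition starts before the hunk) to remove any tag from any taggable resource in the organization, while the surrounding context (`AccountTagConfigFunction` follows) suggests the purpose is keeping account tags in sync. The `"*"` scope is inherited from the existing `organizations:TagResource` grant, so the commit extends an already broad write right to removal; a `Condition` with `aws:TagKeys` limited to the keys the tag configuration manages, or a Resource limited to account ARNs, would bound it, provided those keys are known statically, which is not visible here. The hunk header counts seven new-side lines but only six are visible, so one context line (presumably a blank separator before `AccountTagConfigFunction:`) appears to have been lost in this rendering rather than in the patch itself.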