Update CodeDeploy default policy to AWSCodeDeployRoleForLambdaLimited #98
Conversation
Hi there! First of all, thank you for your contribution. A couple of questions though, I'm trying to understand the new logic introduced, but after not looking at this plugin's code in quite a while, it's being a bit difficult to follow. Why are we checking precisely the first key of
@davidgf thanks for your response. I'll let @vrr-21 cover some topics and I'll answer one here:
That seems accurate to me. It should not break if this change is merged. The new policy is scoped down but has been tested to work by the CodeDeploy team. Furthermore, AWS will be setting a deprecation date on the old policy at some point soon. So it will be a breaking change not to update to the new policy.
Hi @davidgf Thank you for your response, I will answer the questions below:
I was checking the first key to find if
Yes, if I am not wrong. I agree that there can be a better way to do this.
That is correct. I agree to the fact that generating the appropriate role should fall on the
This PR will not break any deployments currently, but I was not sure if changing permissions would constitute a breaking change, so I marked it as a breaking change (with the intent of working from there). @philstrong is correct.
@davidgf any further comments?
Hey @Helen1987, no further comments, but the suggested changes haven't been included. I'm happy to add them myself, but I couldn't give an ETA, due to professional commitments.
Hi @davidgf Thanks for your response. I can add the changes.
Hi @davidgf
Amazing, thanks for your contribution!
Proposed changes
The managed policy AWSCodeDeployRoleForLambda used for Lambda deployments has broad permissions, providing publish access to all SNS topics within the customer's accounts.
This change replaces that with a new policy AWSCodeDeployRoleForLambdaLimited which removes those permissions.
To handle customers who may have triggers set up for SNS notifications on CodeDeploy, this change also attaches the AmazonSNSFullAccess managed policy when the deployment preferences include trigger configurations.
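The policy selection described above, as an added example that is not the plugin's own code: it emits the CloudFormation role CodeDeploy assumes, always attaching the scoped-down AWSCodeDeployRoleForLambdaLimited policy and adding AmazonSNSFullAccess only when some function's deployment preferences carry trigger configurations. The `functions[*].deploymentSettings.triggerConfigurations` input shape and the `service-role/` ARN path are assumptions, not taken from the page.

```javascript
// Added example, not the plugin's code. Assumed input shape (not on the page):
//   { functions: { <name>: { deploymentSettings: { triggerConfigurations: [...] } } } }
// ARN path for the CodeDeploy policy is assumed to match the existing
// service-role path of AWSCodeDeployRoleForLambda.
const CODEDEPLOY_LIMITED_POLICY =
  'arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited';
const SNS_FULL_ACCESS_POLICY = 'arn:aws:iam::aws:policy/AmazonSNSFullAccess';

// True when any function (not only the first one) declares SNS trigger
// configurations, since CodeDeploy must then be able to publish to SNS.
function hasTriggerConfigurations(service) {
  return Object.values(service.functions || {}).some((fn) => {
    const triggers = fn.deploymentSettings && fn.deploymentSettings.triggerConfigurations;
    return Array.isArray(triggers) && triggers.length > 0;
  });
}

// Build the AWS::IAM::Role resource with the least managed-policy set that
// still lets the configured deployments work.
function buildCodeDeployRole(service) {
  const managedPolicyArns = [CODEDEPLOY_LIMITED_POLICY];
  if (hasTriggerConfigurations(service)) {
    managedPolicyArns.push(SNS_FULL_ACCESS_POLICY);
  }
  return {
    Type: 'AWS::IAM::Role',
    Properties: {
      AssumeRolePolicyDocument: {
        Version: '2012-10-17',
        Statement: [{
          Effect: 'Allow',
          Principal: { Service: 'codedeploy.amazonaws.com' },
          Action: 'sts:AssumeRole',
        }],
      },
      ManagedPolicyArns: managedPolicyArns,
    },
  };
}

// Constructed sample services: the trigger sits on the second function, so a
// check of only the first key would miss it.
const withTriggers = { functions: {
  first: { deploymentSettings: { type: 'Linear10PercentEvery1Minute' } },
  second: { deploymentSettings: { triggerConfigurations: [{
    TriggerName: 'on-failure', TriggerEvents: ['DeploymentFailure'],
    TriggerTargetArn: 'arn:aws:sns:us-east-1:123456789012:deploy-alerts' }] } },
} };
const withoutTriggers = { functions: {
  first: { deploymentSettings: { type: 'Linear10PercentEvery1Minute' } },
} };
```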