
Auto-generate IAM policies #2393

Merged
merged 6 commits into from
Mar 1, 2023

Conversation

danielrbradley
Member

Manually merge generated definitions with existing code.

Fixes #2269
Supersedes #2384

@github-actions

github-actions bot commented Mar 1, 2023

Does the PR have any schema changes?

Looking good! No breaking changes found.
No new resources/functions.

Manually merge generated definitions with existing code.
@danielrbradley danielrbradley marked this pull request as ready for review March 1, 2023 12:09
@danielrbradley danielrbradley requested a review from a team March 1, 2023 12:09
@danielrbradley danielrbradley self-assigned this Mar 1, 2023

@danielrbradley
Member Author

danielrbradley commented Mar 1, 2023

Ok, we've got a silly problem. Python adds _ characters in the name, but some policy names only vary by a _ e.g.

{Name: "AWSCloudTrail_FullAccess", Value: "arn:aws:iam::aws:policy/AWSCloudTrail_FullAccess"},
{Name: "AWSCloudTrailFullAccess", Value: "arn:aws:iam::aws:policy/AWSCloudTrailFullAccess"},

In python these are generated as

AWS_CLOUD_TRAIL_FULL_ACCESS = "arn:aws:iam::aws:policy/AWSCloudTrail_FullAccess"
AWS_CLOUD_TRAIL_FULL_ACCESS = "arn:aws:iam::aws:policy/AWSCloudTrailFullAccess"

- Add notes for manual changes.
- Remove prefix for clashing names as has been done elsewhere in the past.
@danielrbradley
Member Author

Logged an issue around the python conflicts (pulumi/pulumi#12314) and am just using the approach used elsewhere in the enum - to drop the leading "AWS" or "Amazon" on the new names.
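As an added illustration (not code from this PR or from the pulumi-aws generator), here is a simplified Python approximation of the CamelCase-to-constant conversion that reproduces the clash above and applies the same resolution the PR uses, dropping the leading "AWS" or "Amazon" from the later name. The conversion rules and the `find_clashes` CI-style check are assumptions, not the generator's real implementation.

```python
import re

# Constructed sample in the shape of the enum entries quoted in the PR comment.
POLICIES = [
    {"Name": "AWSCloudTrail_FullAccess", "Value": "arn:aws:iam::aws:policy/AWSCloudTrail_FullAccess"},
    {"Name": "AWSCloudTrailFullAccess", "Value": "arn:aws:iam::aws:policy/AWSCloudTrailFullAccess"},
    {"Name": "AmazonS3ReadOnlyAccess", "Value": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"},
]


def to_python_constant(name: str) -> str:
    """Approximate the generator's CamelCase -> UPPER_SNAKE conversion (assumption).

    Existing underscores are discarded before word splitting, which is exactly why
    'AWSCloudTrail_FullAccess' and 'AWSCloudTrailFullAccess' end up identical.
    """
    s = name.replace("_", "")
    s = re.sub(r"([A-Z]+)([A-Z][a-z])", r"\1_\2", s)  # AWSCloud -> AWS_Cloud
    s = re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", s)      # TrailFull -> Trail_Full
    return s.upper()


def find_clashes(policies):
    """Return {constant: [policy names]} for every constant produced by more than one name.

    Useful as a CI gate: a non-empty result means the generated Python would silently
    overwrite one ARN with another.
    """
    groups = {}
    for p in policies:
        groups.setdefault(to_python_constant(p["Name"]), []).append(p["Name"])
    return {const: names for const, names in groups.items() if len(names) > 1}


def generate_constants(policies):
    """Map each policy to a unique constant; on a clash, drop the AWS/Amazon prefix
    from the later entry (the PR's approach). Raise if the clash persists."""
    constants = {}
    for p in policies:
        const = to_python_constant(p["Name"])
        if const in constants:
            const = to_python_constant(re.sub(r"^(AWS|Amazon)", "", p["Name"]))
            if const in constants:
                raise ValueError(f"unresolvable clash for {p['Name']}: {const}")
        constants[const] = p["Value"]
    return constants
```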

Contributor

@thomas11 thomas11 left a comment

The next step would be to hook this up with CI so we're alerted to new policies.

Review thread on docs/generate-iam-policies.jq (outdated, resolved)

@danielrbradley danielrbradley merged commit ec4663b into master Mar 1, 2023
@danielrbradley danielrbradley deleted the generate-iam-policies branch March 1, 2023 21:47
Successfully merging this pull request may close these issues.

Managed IAM Policy AWSCloudWatchLambdaInsightsExecutionRolePolicy incorrect ARN