cloudformation-cli
CloudFormationManagedUploadInfrastructure stack Company resource restrictions
while trying to run cfn submit
creating the CloudFormationManagedUploadInfrastructure stack fails as my companies enforced role boundaries require a specific PermissionBoundary and ManagedPolicy be present. If i manually create the stack it attempts to align it which would not be allowed in my circumstance.
The breakage for me occurs on the following resource, where I need PermissionsBoundary set and a managed policy added: https://github.com/aws-cloudformation/cloudformation-cli/blob/85dba80439e044f65e294af65d36fa0934151bad/src/rpdk/core/data/managed-upload-infrastructure.yaml#L99
I have a local version of this repository working with the changes I needed, and I am wondering whether this kind of issue is something worth addressing. I am not sure what mechanism would be most appropriate to allow someone in my situation to control that stack and/or keep a modified version of the stack without forking this repo.
I need this as well. Is there any recommended workaround? I don't see a path forward to use the CFN CLI in any kind of regulated account other than to fork this project and change the CloudFormation template. Any kind of tagging requirements in a tagging policy or configuration requirements for resources in an SCP (both very common and AWS best practices) prevent the use of the managed-upload-infrastructure.yaml template in its current form.
I don't see a way to support every user's needs in the template, so I'd propose an argument to provide a custom CloudFormation template and a note in the documentation about how to customize the existing template.
cfn submit ... --custom-managed-upload-infrastructure-template ./my-custom-template.yml
Edit: I suppose a workaround (though nasty) is to manually overwrite the file in the user's Python package installation. For example, on the maven:3-openjdk-11 Docker image I'm using in a deployment pipeline, the file could be overwritten at /usr/local/lib/python3.7/dist-packages/rpdk/core/data/managed-upload-infrastructure.yaml. Leaving this here for anyone that runs into this before this issue is resolved, but this is a pretty bad practice and I'd only recommend doing it if 1) you know what you're doing and 2) you're doing it in a disposable environment (like a Docker container in a deployment pipeline).
# example to overwrite the cloudformation template in a pipeline
mv ./my-custom-template.yaml "$(find / -type f -name 'managed-upload-infrastructure.yaml')"
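Pulling together the original request (a PermissionsBoundary and a required managed policy on the role) and the tagging/SCP point raised above, the following is an added example of what such a customised template could look like. It is not code from the cloudformation-cli project and not the upstream managed-upload-infrastructure.yaml; the parameter names, the CostCenter tag key, the trust policy and the inline policy are assumptions and placeholders for this illustration, and the real trust and inline policies must be copied from the upstream template. What is taken from this thread is the contract that matters to the CLI: the resource names ArtifactBucket and LogAndMetricsDeliveryRole and the two stack outputs, which are kept exactly as upstream.

```yaml
# Added example, not the cloudformation-cli project's own template.
# ASSUMPTIONS: PermissionsBoundaryArn, RequiredManagedPolicyArn and
# CostCenterTag are invented parameter names; the trust policy and the
# inline policy below are placeholders to be replaced by the upstream ones.
AWSTemplateFormatVersion: '2010-09-09'
Description: Managed upload infrastructure for cfn submit, with organisation IAM guardrails

Parameters:
  PermissionsBoundaryArn:
    Type: String
    Description: ARN of the permissions boundary that every new role must carry
  RequiredManagedPolicyArn:
    Type: String
    Description: ARN of the managed policy the organisation requires on every role
  CostCenterTag:
    Type: String
    Default: unset
    Description: Value for the CostCenter tag required by the tagging policy (assumed key)

Resources:
  # Same logical name as upstream so the bucket output keeps working.
  ArtifactBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - BucketKeyEnabled: true          # fewer KMS API calls, lower cost
            ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms         # no KMSMasterKeyID: the AWS managed aws/s3 key is used
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      Tags:
        - Key: CostCenter
          Value: !Ref CostCenterTag

  # Same logical name as upstream; no RoleName, so CloudFormation generates one.
  LogAndMetricsDeliveryRole:
    Type: AWS::IAM::Role
    Properties:
      # The two properties the issue asks for: a boundary-enforcing IAM policy
      # will explicitly deny iam:CreateRole without them.
      PermissionsBoundary: !Ref PermissionsBoundaryArn
      ManagedPolicyArns:
        - !Ref RequiredManagedPolicyArn
      # Placeholder trust policy: replace with the upstream template's.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: resources.cloudformation.amazonaws.com
            Action: sts:AssumeRole
      # Placeholder inline policy: replace with the upstream template's.
      Policies:
        - PolicyName: LogAndMetricsDelivery
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - cloudwatch:PutMetricData
                Resource: '*'
      Tags:
        - Key: CostCenter
          Value: !Ref CostCenterTag

# Output names must stay exactly as upstream; the CLI reads them by name.
Outputs:
  CloudFormationManagedUploadBucketName:
    Value: !Ref ArtifactBucket
  LogAndMetricsDeliveryRoleArn:
    Value: !GetAtt LogAndMetricsDeliveryRole.Arn
```

Before dropping a file like this into the package directory with the overwrite trick above, deploy it once on its own with aws cloudformation deploy and --capabilities CAPABILITY_IAM plus --parameter-overrides for the three parameters; if the SCP or boundary policy still denies iam:CreateRole, the problem is in the policy values, not in the CLI, and that is cheaper to find out outside the cfn submit run.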
similar to https://github.com/aws-cloudformation/cloudformation-cli/issues/623
Does anyone have a workaround for this? I tried adding the S3 and KMS actions to my local managed-upload-infrastructure.yaml template, but that did not resolve the issue. Getting: API: iam:CreateRole User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/DeveloperPowerUser/yyyyyyyyy is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::xxxxxxxxxxxx:role/CloudFormationManagedUplo-LogAndMetricsDeliveryRol-1MMXUJ1M24H5Q with an explicit deny
@kylien65 Look through the policies attached to the DeveloperPowerUser role and look for the DENY of iam:CreateRole. You're likely going to need a more privileged role in your account to create an IAM role via cfn submit if you are not granted that permission.
@atheiman Thanks for the quick response. I confirmed that the DeveloperPowerUser role has the DENY of iam:CreateRole. Curious that I can create roles via aws cloudformation deploy --stack-name --template-file --capabilities CAPABILITY_NAMED_IAM CLI but not cfn submit. Is there an equivalent aws CLI to cfn submit?
Are you sure you can create a role using the DeveloperPowerUser role? If it is denied in a policy attached to the DeveloperPowerUser role, DeveloperPowerUser should not be able to create another role, and that would be backed up by what you're seeing with running cfn submit. Confirm you can create an IAM role via CloudFormation using DeveloperPowerUser. If you can create a role using DeveloperPowerUser, but cannot use DeveloperPowerUser to create an IAM role via cfn submit, then I'm not sure what's going on in your environment and I likely won't be able to help you.
The outputs of the managed-upload-infrastructure.yaml template are:

    Outputs:
      CloudFormationManagedUploadBucketName:
        Value: !Ref ArtifactBucket
      LogAndMetricsDeliveryRoleArn:
        Value: !GetAtt LogAndMetricsDeliveryRole.Arn

Presumably that means that the role ARN and the S3 bucket are used by the rest of the tooling for the actual resource type/module registration process. The process, as used by the 'cfn' command, should provide parameters where the required values can be specified, bypassing the need for creation of the template (and associated resources). This would enable a more 'corporate' user to implement the required resources in a manner that adheres to the security standards of the corporation. This would also enable the user to reduce cost, such as by using a 'bucket key' and the 'AWS provided default key' for the S3 SSE.