aws
feat: Allow adding permissions boundaries via app upgrade
I couldn't find a way to add permissions boundary to an existing app, so I kinda hacked around the internals to make it possible. I thought others might find this helpful.
I added a --permissions-boundary flag to copilot app upgrade, so you can set a boundary. During the upgrade process, the application parameter in Parameter Store will get updated with the permissions boundary value and the infra roles and app stackset will get upgraded as well. Then you can deploy your envs, services and jobs individually, which will add permissions boundaries to their resources.
I also added a --force flag to force "upgrading" an app when the version is unchanged. This allows you to add the permissions boundary to an existing app even if it's already on the latest version.
I haven't added tests or anything since I doubt this is the best way to implement this (or if it's even safe to add a permissions boundary). But I am happy to get this into a shippable state if anyone has any feedback. Piggy-backing on upgrade was mostly for expediency, this may be better implemented in a new command like app modify or something.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.
