DataAllCustomPolicy is removed from the cdk-hnb659fds-cfn-exec-role after installing the latest version of cdkExecPolicy
Describe the bug
After installing / updating the existing cdkExecPolicy.yaml on CF, the new DataAllCustomPolicy is created by appending the region.
This though removes the attached policy on the cdk-hnb659fds-cfn-exec-role.
How to Reproduce
Update the stack used to create the DataAllCustomPolicy. Check if the cdk-hnb659fds-cfn-exec-role now doesn't have the policy attached
Expected behavior
No response
Your project
No response
Screenshots
No response
OS
Mac
Python version
3.9
AWS data.all version
2.4
Additional context
No response
I faced this too while creating a new environment in the OS deployed code
Hi @TejasRGitHub and @anushka-singh. Because of feature #1064, I updated the policy DataAllCustomPolicy because it was causing issues for multi-region setups.
For new environments, the bootstrapping changes a bit. As it appears in the UI command, the name of the policy is no longer DataAllCustomPolicy but DataAllCustomPolicyREGION. So if you have documentation internally around this, it needs to be updated. We will make sure to add it in the release notes.
For existing environments, they can continue using the CDKToolkit as they were using it. If there is a need to update the custom policy (e.g. we add new permissions), then they should update the policy in CloudFormation and then run the cdk bootstrap command again with the new DataAllCustomPolicyREGION; this will update the CDKToolkit stack. DO NOT DELETE AND RE-CREATE. Deleting IAM roles might cause issues for some AWS resources. I have not tested it, but some AWS resources created by CDK can contain resource policies referencing that role, for example KMS keys.
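A check for the state reported in this thread, added here as an example (not code from data.all or from any commenter): it reports whether the CDK CloudFormation execution role has the regional policy, the old policy, or neither attached. The full role name pattern, the `DataAllCustomPolicy<region>` form and the function names are assumptions.

```python
OLD_NAME = "DataAllCustomPolicy"  # policy name before the multi-region change


def exec_role_name(account, region, qualifier="hnb659fds"):
    # Assumption: default CDK bootstrap naming, with account and region appended.
    return f"cdk-{qualifier}-cfn-exec-role-{account}-{region}"


def attached_policy_names(iam, role_name):
    """Collect managed policy names attached to the role, across all pages."""
    names = []
    paginator = iam.get_paginator("list_attached_role_policies")
    for page in paginator.paginate(RoleName=role_name):
        names.extend(p["PolicyName"] for p in page["AttachedPolicies"])
    return names


def classify(names, region):
    """Return 'regional', 'legacy' or 'detached' for a list of policy names."""
    # Assumption: the new name is the old name with the region appended.
    if OLD_NAME + region in names:
        return "regional"
    if OLD_NAME in names:
        return "legacy"
    return "detached"  # the state reported in this issue


def check_exec_role(iam, account, region):
    """Look up the exec role for account/region and classify its attachments."""
    role = exec_role_name(account, region)
    return role, classify(attached_policy_names(iam, role), region)


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 3:  # live check: <account-id> <region>
        import boto3  # needs iam:ListAttachedRolePolicies

        role, state = check_exec_role(boto3.client("iam"), *sys.argv[1:3])
        print(f"{role}: {state}")
        sys.exit(1 if state == "detached" else 0)
    # Constructed sample: a role left with an unrelated policy only.
    print(classify(["AmazonS3ReadOnlyAccess"], "eu-west-1"))
```

A "detached" result after a stack update is the cue to re-run the cdk bootstrap command with the new policy name, as described above.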
Hi @dlpzx, thanks for clearing this up. I was able to upgrade to the new policy.