cdw-cloud-policies

AWS IAM Policies

Restricted policy:

Since AWS imposes a character limit on policy documents, the cross-account policy is split in two.

To understand why CDW needs each permission, see:

Reduced permissions mode Policy:

Restricted Policy with Managed Policy ARN:

Inline Node Role Policy:

Releases:

Development:

  • Policies under the generated folder are generated and committed by the GitHub workflow. Do not edit them by hand.
  • Any change to the restricted policy must be made in the docs folder.
  • The restricted policy without comments and the restricted policy for the managed policy ARN are generated automatically from it.

Guidelines:

Understand how condition keys work before adding an action: https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html

  • If the action creates a resource and a Request Tag is passed:
    • If the resource is created by running a CloudFormation template, add the action to Sid CFRequestTag.
    • Otherwise, add the action to Sid RequestTag.
  • If the action operates on an already existing resource that carries a Resource Tag:
    • If the action is called from the CloudFormation template, add the action to Sid CFResourceTag.
    • Otherwise, add the action to Sid ResourceTag.
  • If the action is called from our DWX Server Go code via the AWS SDK API:
    • Add it to the applicable Sid gocode*.
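The decision tree above, encoded as a small script so the routing of an action to its Sid can be checked mechanically and the resulting statements inspected. This is an added example, not code from the cdw-cloud-policies repository: the tag key and value, the sample action classifications and the gocode Sid suffix are constructed placeholders, and the use of aws:CalledVia to distinguish the CloudFormation path is an assumption about how the CF* statements are scoped. aws:RequestTag and aws:ResourceTag are AWS global condition keys, and the size check uses AWS's documented quota for managed policies (6,144 non-whitespace characters), which is the limit that forces the cross-account policy to be split.

```python
"""Route IAM actions to the Sid the guidelines prescribe, build a skeleton
policy with the matching tag conditions, and check it against the AWS
managed-policy size quota."""
import json
from enum import Enum
from typing import Dict, Tuple

# Constructed placeholders: the project's real tag key/value are not on the page.
TAG_KEY = "example-tag-key"
TAG_VALUE = "example-value"
# AWS quota for a customer managed policy: 6,144 characters, whitespace excluded.
MANAGED_POLICY_LIMIT = 6144


class Kind(Enum):
    CREATE = "create"      # creates a resource and receives the tag in the request
    EXISTING = "existing"  # acts on an already tagged resource
    GOCODE = "gocode"      # called from the DWX server Go code via the AWS SDK


def sid_for(kind: Kind, via_cloudformation: bool, gocode_sid: str = "gocodeGeneral") -> str:
    """The routing rule from the Guidelines section. gocode_sid is a constructed
    example of a 'gocode*' Sid; the real suffixes depend on the policy."""
    if kind is Kind.GOCODE:
        return gocode_sid
    if kind is Kind.CREATE:
        return "CFRequestTag" if via_cloudformation else "RequestTag"
    return "CFResourceTag" if via_cloudformation else "ResourceTag"


def condition_for(sid: str) -> Dict[str, dict]:
    """Condition block for a Sid. RequestTag statements bind the tag supplied in
    the request; ResourceTag statements bind the tag already on the resource.
    Assumption: CF* statements additionally require the call to arrive via
    CloudFormation (aws:CalledVia is multivalued, hence ForAnyValue)."""
    cond: Dict[str, dict] = {}
    if sid.endswith("RequestTag"):
        cond["StringEquals"] = {f"aws:RequestTag/{TAG_KEY}": TAG_VALUE}
    elif sid.endswith("ResourceTag"):
        cond["StringEquals"] = {f"aws:ResourceTag/{TAG_KEY}": TAG_VALUE}
    if sid.startswith("CF"):
        cond["ForAnyValue:StringEquals"] = {"aws:CalledVia": ["cloudformation.amazonaws.com"]}
    return {"Condition": cond} if cond else {}


def build_policy(actions: Dict[str, Tuple[Kind, bool]]) -> dict:
    """Group actions by Sid into one Allow statement each (sorted for a stable diff)."""
    statements: Dict[str, dict] = {}
    for action, (kind, via_cf) in actions.items():
        sid = sid_for(kind, via_cf)
        stmt = statements.setdefault(
            sid, {"Sid": sid, "Effect": "Allow", "Action": [], "Resource": "*", **condition_for(sid)}
        )
        stmt["Action"].append(action)
    for stmt in statements.values():
        stmt["Action"].sort()
    return {"Version": "2012-10-17", "Statement": sorted(statements.values(), key=lambda s: s["Sid"])}


def policy_size(policy: dict) -> int:
    """Size as IAM counts it: every non-whitespace character of the JSON document."""
    return sum(1 for ch in json.dumps(policy) if not ch.isspace())


def needs_split(policy: dict, limit: int = MANAGED_POLICY_LIMIT) -> bool:
    """True when the policy must be split into two documents to fit the quota."""
    return policy_size(policy) > limit


# Constructed sample classifications (illustrative only, not the project's list).
SAMPLE_ACTIONS: Dict[str, Tuple[Kind, bool]] = {
    "ec2:RunInstances": (Kind.CREATE, True),
    "ec2:CreateSecurityGroup": (Kind.CREATE, False),
    "ec2:TerminateInstances": (Kind.EXISTING, True),
    "ec2:DeleteSecurityGroup": (Kind.EXISTING, False),
    "eks:DescribeCluster": (Kind.GOCODE, False),
}

if __name__ == "__main__":
    policy = build_policy(SAMPLE_ACTIONS)
    print(json.dumps(policy, indent=2))
    print(f"size={policy_size(policy)} needs_split={needs_split(policy)}")
```

Running the script prints the generated statements and the size as IAM counts it; the same helpers can be pointed at the generated policy files to confirm that every action sits in the Sid the rules require and that each document stays under the quota.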

Creating a new release and tagging:

Create a new release branch when the CDW branch is cut for QE to test:
$ git checkout -b R39 origin/main   # cut a new release branch, e.g. R39
$ git push origin HEAD              # push the branch to the remote
Once the release is in production, update the tags as described below.

Since the docs reference the policies through static links, the tag "latest-release" must always point to the current release. Once the release is out, move the tag to the new release branch:

$ git checkout R39                              # switch to the current release branch, e.g. R39
$ git tag -d latest-release                     # remove the old tag locally
$ git push origin :refs/tags/latest-release     # delete the old tag on the remote
$ git tag latest-release                        # tag the new release as latest-release
$ git push --tags                               # push the tag to the remote
$ git push origin HEAD                          # push the branch to the remote