Merge pull request #1694 from guardian/sihil/switch-to-managed-ssm-policy

fix: Switch from our home baked SSM policy to the current managed policy
sihil authored Jan 20, 2023
2 parents 912b4b3 + 7669b00 commit c90792a
Showing 8 changed files with 134 additions and 387 deletions.
1 change: 0 additions & 1 deletion src/constructs/iam/policies/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -9,4 +9,3 @@ export * from "./parameter-store-read";
export * from "./s3-get-object";
export * from "./s3-put-object";
export * from "./ses";
export * from "./ssm";
42 changes: 0 additions & 42 deletions src/constructs/iam/policies/ssm.test.ts

This file was deleted.

38 changes: 0 additions & 38 deletions src/constructs/iam/policies/ssm.ts

This file was deleted.

221 changes: 70 additions & 151 deletions src/constructs/iam/roles/__snapshots__/instance-role.test.ts.snap
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@ exports[`The GuInstanceRole construct should allow additional policies to be spe
"GuStack",
"GuGetS3ObjectsPolicy",
"GuInstanceRole",
"GuSSMRunCommandPolicy",
"GuDescribeEC2Policy",
"GuDistributionBucketParameter",
"GuGetDistributablePolicy",
Expand Down Expand Up @@ -116,6 +115,20 @@ exports[`The GuInstanceRole construct should allow additional policies to be spe
],
"Version": "2012-10-17",
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition",
},
":iam::aws:policy/AmazonSSMManagedInstanceCore",
],
],
},
],
"Path": "/",
"Tags": [
{
Expand Down Expand Up @@ -201,42 +214,6 @@ exports[`The GuInstanceRole construct should allow additional policies to be spe
},
"Type": "AWS::IAM::Policy",
},
"SSMRunCommandPolicy244E1613": {
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply",
"ssm:UpdateInstanceInformation",
"ssm:ListInstanceAssociations",
"ssm:DescribeInstanceProperties",
"ssm:DescribeDocumentParameters",
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel",
],
"Effect": "Allow",
"Resource": "*",
},
],
"Version": "2012-10-17",
},
"PolicyName": "ssm-run-command-policy",
"Roles": [
{
"Ref": "InstanceRoleTestingCB7BD146",
},
],
},
"Type": "AWS::IAM::Policy",
},
},
}
`;
Expand All @@ -247,7 +224,6 @@ exports[`The GuInstanceRole construct should be possible to create multiple inst
"gu:cdk:constructs": [
"GuStack",
"GuInstanceRole",
"GuSSMRunCommandPolicy",
"GuDescribeEC2Policy",
"GuLoggingStreamNameParameter",
"GuLogShippingPolicy",
Expand Down Expand Up @@ -425,6 +401,20 @@ exports[`The GuInstanceRole construct should be possible to create multiple inst
],
"Version": "2012-10-17",
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition",
},
":iam::aws:policy/AmazonSSMManagedInstanceCore",
],
],
},
],
"Path": "/",
"Tags": [
{
Expand Down Expand Up @@ -465,6 +455,20 @@ exports[`The GuInstanceRole construct should be possible to create multiple inst
],
"Version": "2012-10-17",
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition",
},
":iam::aws:policy/AmazonSSMManagedInstanceCore",
],
],
},
],
"Path": "/",
"Tags": [
{
Expand Down Expand Up @@ -609,45 +613,6 @@ exports[`The GuInstanceRole construct should be possible to create multiple inst
},
"Type": "AWS::IAM::Policy",
},
"SSMRunCommandPolicy244E1613": {
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply",
"ssm:UpdateInstanceInformation",
"ssm:ListInstanceAssociations",
"ssm:DescribeInstanceProperties",
"ssm:DescribeDocumentParameters",
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel",
],
"Effect": "Allow",
"Resource": "*",
},
],
"Version": "2012-10-17",
},
"PolicyName": "ssm-run-command-policy",
"Roles": [
{
"Ref": "InstanceRoleMyfirstapp5C11A22B",
},
{
"Ref": "InstanceRoleMysecondapp48DD15D7",
},
],
},
"Type": "AWS::IAM::Policy",
},
},
}
`;
Expand All @@ -658,7 +623,6 @@ exports[`The GuInstanceRole construct should create an additional logging policy
"gu:cdk:constructs": [
"GuStack",
"GuInstanceRole",
"GuSSMRunCommandPolicy",
"GuDescribeEC2Policy",
"GuLoggingStreamNameParameter",
"GuLogShippingPolicy",
Expand Down Expand Up @@ -795,6 +759,20 @@ exports[`The GuInstanceRole construct should create an additional logging policy
],
"Version": "2012-10-17",
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition",
},
":iam::aws:policy/AmazonSSMManagedInstanceCore",
],
],
},
],
"Path": "/",
"Tags": [
{
Expand Down Expand Up @@ -880,42 +858,6 @@ exports[`The GuInstanceRole construct should create an additional logging policy
},
"Type": "AWS::IAM::Policy",
},
"SSMRunCommandPolicy244E1613": {
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply",
"ssm:UpdateInstanceInformation",
"ssm:ListInstanceAssociations",
"ssm:DescribeInstanceProperties",
"ssm:DescribeDocumentParameters",
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel",
],
"Effect": "Allow",
"Resource": "*",
},
],
"Version": "2012-10-17",
},
"PolicyName": "ssm-run-command-policy",
"Roles": [
{
"Ref": "InstanceRoleTestingCB7BD146",
},
],
},
"Type": "AWS::IAM::Policy",
},
},
}
`;
Expand All @@ -926,7 +868,6 @@ exports[`The GuInstanceRole construct should create the correct resources with m
"gu:cdk:constructs": [
"GuStack",
"GuInstanceRole",
"GuSSMRunCommandPolicy",
"GuDescribeEC2Policy",
"GuDistributionBucketParameter",
"GuGetDistributablePolicy",
Expand Down Expand Up @@ -1014,6 +955,20 @@ exports[`The GuInstanceRole construct should create the correct resources with m
],
"Version": "2012-10-17",
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition",
},
":iam::aws:policy/AmazonSSMManagedInstanceCore",
],
],
},
],
"Path": "/",
"Tags": [
{
Expand Down Expand Up @@ -1099,42 +1054,6 @@ exports[`The GuInstanceRole construct should create the correct resources with m
},
"Type": "AWS::IAM::Policy",
},
"SSMRunCommandPolicy244E1613": {
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply",
"ssm:UpdateInstanceInformation",
"ssm:ListInstanceAssociations",
"ssm:DescribeInstanceProperties",
"ssm:DescribeDocumentParameters",
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel",
],
"Effect": "Allow",
"Resource": "*",
},
],
"Version": "2012-10-17",
},
"PolicyName": "ssm-run-command-policy",
"Roles": [
{
"Ref": "InstanceRoleTestingCB7BD146",
},
],
},
"Type": "AWS::IAM::Policy",
},
},
}
`;
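Review bot: The managed policy now attached through `ManagedPolicyArns` (`arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore`, added to each role in this snapshot) is broader than the inline `ssm-run-command-policy` it replaces, not a like-for-like swap: as published by AWS at the time of this commit it also grants `ssm:GetParameter`, `ssm:GetParameters`, `ssm:GetDocument`, `ssm:PutInventory`, `ssm:PutComplianceItems` and related actions on `Resource: "*"`, none of which the removed statement allowed. In practice every instance role produced by `GuInstanceRole` can now read any String/StringList parameter in the account (SecureString still needs `kms:Decrypt`), which presumably sidesteps the per-path scoping the repository's `parameter-store-read` policy exists to apply. If that widening is intended it should be stated in the commit description; otherwise keep a scoped inline statement covering only the Session Manager/Run Command set the old policy had (`ec2messages:*`, `ssmmessages:*`, `ssm:UpdateInstanceInformation`, `ssm:ListInstanceAssociations`, `ssm:DescribeInstanceProperties`, `ssm:DescribeDocumentParameters`) or pair the managed policy with a permissions boundary that denies `ssm:GetParameter*` outside the stack's parameter prefix. The `GuInstanceRole` construct change itself is not in this view; only the generated snapshot reflects it.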
