Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add iam role permission boundaries #7319

Merged
merged 4 commits into from
Feb 12, 2020
Merged

Add iam role permission boundaries #7319

merged 4 commits into from
Feb 12, 2020

Conversation

thomaschaaf
Copy link
Contributor

@thomaschaaf thomaschaaf commented Feb 11, 2020
edited

What did you implement

Added support for permission boundaries: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

  • Write and run all tests
  • Write documentation
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: YES
Is it a breaking change?: NO

@codecov-io
Copy link

codecov-io commented Feb 11, 2020
edited

Codecov Report

❗ No coverage uploaded for pull request base (master@263c169). Click here to learn what that means.
The diff coverage is 61.34%.

Impacted file tree graph

@@            Coverage Diff            @@
##             master    #7319   +/-   ##
=========================================
  Coverage          ?   87.88%           
=========================================
  Files             ?      240           
  Lines             ?     8854           
  Branches          ?        0           
=========================================
  Hits              ?     7781           
  Misses            ?     1073           
  Partials          ?        0
Impacted Files Coverage Δ
lib/classes/CLI.js 95.2% <100%> (ø)
lib/plugins/aws/deploy/lib/uploadArtifacts.js 90.47% <100%> (ø)
lib/classes/Utils.js 95.27% <100%> (ø)
lib/utils/fs/dirExists.js 28.57% <28.57%> (ø)
lib/plugins/aws/invokeLocal/index.js 71.74% <62.03%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 263c169...ca48700. Read the comment docs.

medikoo
medikoo suggested changes Feb 12, 2020
View reviewed changes
Copy link
Contributor

@medikoo medikoo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @thomaschaaf, looks great. I've just added few minor suggestions, and we should be good to go

docs/providers/aws/guide/serverless.yml.md Outdated
@@ -54,6 +54,7 @@ provider:
key2: value2
deploymentPrefix: serverless # The S3 prefix under which deployed artifacts should be stored. Default is serverless
role: arn:aws:iam::XXXXXX:role/role # Overwrite the default IAM role which is used for all functions
permissionsBoundary: arn:aws:iam::XXXXXX:policy/policy # ARN of an Permissions Boundary for the role.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe let's rename it to rolePermissionsBoundary (to correlate it more with role setting, as otherwise we also have cfnRole, provider.logs.restApi.role etc, even though in other cases we never construct the role)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Done

lib/plugins/aws/package/lib/mergeIamTemplates.js Outdated
@@ -69,6 +69,11 @@ module.exports = {
);
iamRoleLambdaExecutionTemplate.Properties.Path = this.provider.naming.getRolePath();
iamRoleLambdaExecutionTemplate.Properties.RoleName = this.provider.naming.getRoleName();

if ('permissionsBoundary' in this.serverless.service.provider) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should accepty only truthy values, so let's do:

if (this.serverless.service.provider.permissionsBoundary) {
...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@medikoo I have made the requested changes

medikoo
medikoo approved these changes Feb 12, 2020
View reviewed changes
Copy link
Contributor

@medikoo medikoo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, thank you @thomaschaaf

@medikoo medikoo merged commit 09466b5 into serverless:master Feb 12, 2020
@snyk-bot snyk-bot mentioned this pull request Mar 15, 2020
Merged
astuyve pushed a commit that referenced this pull request Apr 15, 2020
@thomaschaaf @astuyve
feat: Support provider.rolePermissionsBoundary to set IAM boundary (#…
ed8c56a 
…7319)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@medikoo medikoo medikoo approved these changes

Assignees

@thomaschaaf thomaschaaf

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@thomaschaaf @codecov-io @medikoo