Switch Permissions to cdk

data-dot-all · Nov 10, 2023 · 057fe83 · 057fe83
1 parent 9ec7c87
commit 057fe83
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 6 deletions.
diff --git a/backend/dataall/modules/datapipelines/cdk/pivot_role_datapipelines_policy.py b/backend/dataall/modules/datapipelines/cdk/pivot_role_datapipelines_policy.py
@@ -37,7 +37,7 @@ def get_statements(self):
                 effect=iam.Effect.ALLOW,
                 actions=['sts:AssumeRole'],
                 resources=[
-                    f'arn:aws:iam::{self.account}:role/ddk-*',
+                    f'arn:aws:iam::{self.account}:role/cdk-*',
                 ],
             ),
             iam.PolicyStatement(
@@ -54,11 +54,11 @@ def get_statements(self):
                 ],
             ),
             iam.PolicyStatement(
-                sid='ParameterStoreDDK',
+                sid='ParameterStorePipelines',
                 effect=iam.Effect.ALLOW,
                 actions=['ssm:GetParameter'],
                 resources=[
-                    f'arn:aws:ssm:*:{self.account}:parameter/ddk/*',
+                    f'arn:aws:ssm:*:{self.account}:parameter/cdk*',
                 ],
             ),
         ]

diff --git a/deploy/pivot_role/pivotRole.yaml b/deploy/pivot_role/pivotRole.yaml
@@ -430,7 +430,7 @@ Resources:
             Resource:
               - !Sub 'arn:aws:ssm:*:${AWS::AccountId}:parameter/${EnvironmentResourcePrefix}/*'
               - !Sub 'arn:aws:ssm:*:${AWS::AccountId}:parameter/dataall/*'
-              - !Sub 'arn:aws:ssm:*:${AWS::AccountId}:parameter/ddk/*'
+              - !Sub 'arn:aws:ssm:*:${AWS::AccountId}:parameter/cdk*'
           - Sid: IAMListGet
             Action:
               - 'iam:Get*'
@@ -464,7 +464,7 @@ Resources:
             Effect: Allow
             Resource:
               - !Sub 'arn:aws:iam::${AWS::AccountId}:role/${EnvironmentResourcePrefix}*'
-              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/ddk-*'
+              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/cdk-*'
           - Sid: CodeCommit
             Action:
               - 'codecommit:GetFile'

diff --git a/deploy/stacks/container.py b/deploy/stacks/container.py
@@ -501,7 +501,6 @@ def create_task_role(self, envname, resource_prefix, pivot_role_name):
                     resources=[
                         f'arn:aws:iam::*:role/{pivot_role_name}',
                         f'arn:aws:iam::*:role/cdk*',
-                        'arn:aws:iam::*:role/ddk*',
                         f'arn:aws:iam::{self.account}:role/{resource_prefix}-{envname}-ecs-tasks-role',
                     ],
                 ),