Stage files for v3.0.0 release
andrewmarriott-aws authored Jul 3, 2024
1 parent 859331b commit 9beb6ed
Showing 128 changed files with 4,392 additions and 4,548 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -30,6 +30,7 @@ source/cdk_solution_helper_py/helpers_cdk/build/*

# coverage
.coverage
.coverage.*
*coverage-reports*

# local sonarqube
6 changes: 6 additions & 0 deletions CHANGELOG.md
Expand Up @@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [3.0.0] - 2024-05-30

### Added

- Implemented support for the Amazon Ads API while phasing out the previous authentication system

## [2.0.3] - 2024-02-20

### Added
308 changes: 156 additions & 152 deletions IAM_POLICY_INSTALL.json
Expand Up @@ -4,202 +4,206 @@
{
"Effect": "Allow",
"Action": [
"logs:GetLogDelivery",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:PutResourcePolicy",
"logs:CreateLogGroup",
"logs:DescribeResourcePolicies",
"logs:CreateLogDelivery",
"logs:PutLogEvents",
"logs:ListLogDeliveries",
"logs:DeleteLogDelivery",
"logs:UpdateLogDelivery",
"logs:PutRetentionPolicy",
"s3:PutBucketNotification",
"s3:PutObjectVersionTagging",
"s3:ListAllMyBuckets",
"s3:PutAccountPublicAccessBlock",
"s3:PutEncryptionConfiguration",
"s3:GetBucketLocation",
"s3:GetAccountPublicAccessBlock",
"s3:PutBucketTagging",
"s3:PutBucketAcl",
"s3:GetBucketAcl",
"s3:GetBucketVersioning",
"s3:GetBucketPolicy",
"s3:GetBucketNotification",
"s3:PutBucketPublicAccessBlock",
"s3:DeleteBucketPolicy",
"s3:ListBucket",
"s3:PutBucketPolicy",
"s3:PutBucketOwnershipControls",
"s3:CreateBucket",
"s3:GetBucketOwnershipControls",
"s3:DeleteBucket",
"s3:GetBucketPolicyStatus",
"s3:GetEncryptionConfiguration",
"s3:GetBucketPublicAccessBlock",
"s3:PutBucketAcl",
"s3:PutBucketVersioning",
"s3:PutBucketLogging",
"s3:PutEncryptionConfiguration",
"s3:PutBucketObjectLockConfiguration",
"s3:GetObject",
"secretsmanager:UpdateSecret",
"secretsmanager:DescribeSecret",
"secretsmanager:CreateSecret",
"secretsmanager:PutSecretValue",
"secretsmanager:GetSecretValue",
"secretsmanager:DeleteSecret",
"sns:Publish",
"sns:GetTopicAttributes",
"sns:SetTopicAttributes",
"sns:CreateTopic",
"sns:TagResource",
"sns:Subscribe",
"sns:DeleteTopic",
"sns:Unsubscribe",
"sqs:ReceiveMessage",
"sqs:ChangeMessageVisibility",
"sqs:DeleteMessage",
"sqs:GetQueueUrl",
"sqs:ListQueues",
"sqs:GetQueueAttributes",
"sqs:ListQueueTags",
"sqs:ListDeadLetterSourceQueues",
"sqs:CreateQueue",
"sqs:DeleteQueue",
"ssm:GetParameters",
"ssm:GetParameter",
"ssm:GetParametersByPath",
"ssm:PutParameter",
"ssm:DeleteParameter",
"states:CreateStateMachine",
"states:TagResource",
"states:DescribeStateMachine",
"states:DeleteStateMachine",
"cloudformation:ListStacks",
"cloudformation:CreateChangeSet",
"cloudformation:CreateStack",
"cloudformation:DeleteChangeSet",
"cloudformation:GetTemplate",
"cloudformation:DeleteStack",
"cloudformation:CreateChangeSet",
"cloudformation:ExecuteChangeSet",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStacks",
"cloudformation:UpdateStack",
"cloudformation:ExecuteChangeSet",
"cloudformation:GetTemplate",
"cloudformation:GetTemplateSummary",
"cloudformation:CreateStack",
"cloudformation:ListStacks",
"cloudformation:SetStackPolicy",
"cloudformation:UpdateStack",
"cloudformation:ValidateTemplate",
"cloudwatch:PutMetricData",
"cloudtrail:CreateTrail",
"cloudtrail:DeleteTrail",
"cloudtrail:DescribeTrails",
"cloudtrail:PutEventSelectors",
"cloudtrail:StartLogging",
"cloudwatch:DeleteAlarms",
"cloudwatch:DescribeAlarms",
"cloudwatch:PutMetricAlarm",
"cloudwatch:DeleteAlarms",
"cloudwatch:PutMetricData",
"dynamodb:CreateTable",
"dynamodb:DeleteItem",
"dynamodb:DeleteTable",
"dynamodb:DescribeContinuousBackups",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"dynamodb:DeleteItem",
"dynamodb:CreateTable",
"dynamodb:UpdateContinuousBackups",
"dynamodb:DescribeContinuousBackups",
"dynamodb:DeleteTable",
"events:TagResource",
"events:RemoveTargets",
"events:PutRule",
"events:EnableRule",
"events:DeleteRule",
"events:ActivateEventSource",
"events:DeactivateEventSource",
"events:DeleteRule",
"events:DescribeRule",
"events:EnableRule",
"events:PutRule",
"events:PutTargets",
"events:ActivateEventSource",
"events:RemoveTargets",
"events:TagResource",
"glue:CreateDatabase",
"glue:CreateJob",
"glue:DeleteDatabase",
"glue:DeleteJob",
"glue:GetDatabase",
"glue:GetDatabases",
"glue:UpdateDatabase",
"glue:CreateJob",
"glue:DeleteJob",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:UpdateRole",
"iam:AttachRolePolicy",
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:DeleteRolePolicy",
"iam:ListRolePolicies",
"iam:CreateRole",
"iam:DeletePolicy",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:CreatePolicy",
"iam:PutRolePolicy",
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:ListPolicyVersions",
"iam:DeletePolicy",
"kms:UpdateAlias",
"kms:CreateGrant",
"iam:ListRolePolicies",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:UpdateRole",
"kms:CreateAlias",
"kms:CreateGrant",
"kms:CreateKey",
"kms:DeleteAlias",
"kms:DescribeKey",
"kms:EnableKey",
"kms:EnableKeyRotation",
"kms:GenerateDataKey",
"kms:GenerateDataKeyPair",
"kms:GetKeyPolicy",
"kms:ListAliases",
"kms:ListGrants",
"kms:GenerateDataKey",
"kms:ListKeyPolicies",
"kms:PutKeyPolicy",
"kms:TagResource",
"kms:ListKeys",
"kms:GetKeyPolicy",
"kms:DescribeKey",
"kms:ListAliases",
"kms:DeleteAlias",
"kms:CreateKey",
"kms:PutKeyPolicy",
"kms:ScheduleKeyDeletion",
"kms:EnableKeyRotation",
"kms:EnableKey",
"kms:TagResource",
"kms:UpdateAlias",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"lakeformation:DeregisterResource",
"lakeformation:GetDataLakeSettings",
"lakeformation:GrantPermissions",
"lakeformation:PutDataLakeSettings",
"lakeformation:RegisterResource",
"lakeformation:RevokePermissions",
"lambda:AddPermission",
"lambda:InvokeFunction",
"lambda:RemovePermission",
"lambda:PublishLayerVersion",
"lambda:GetFunction",
"lambda:CreateEventSourceMapping",
"lambda:CreateFunction",
"lambda:DeleteLayerVersion",
"lambda:GetLayerVersion",
"lambda:DeleteEventSourceMapping",
"lambda:DeleteFunction",
"lambda:CreateEventSourceMapping",
"lambda:DeleteLayerVersion",
"lambda:GetEventSourceMapping",
"lambda:DeleteEventSourceMapping",
"lambda:GetFunction",
"lambda:GetLayerVersion",
"lambda:InvokeFunction",
"lambda:PublishLayerVersion",
"lambda:RemovePermission",
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration",
"servicecatalog:CreateApplication",
"servicecatalog:CreateAttributeGroup",
"servicecatalog:TagResource",
"servicecatalog:AssociateResource",
"servicecatalog:AssociateAttributeGroup",
"servicecatalog:DeleteAttributeGroup",
"servicecatalog:DeleteApplication",
"servicecatalog:DisassociateAttributeGroup",
"servicecatalog:DisassociateResource",
"lakeformation:GetDataLakeSettings",
"lakeformation:PutDataLakeSettings",
"lakeformation:GrantPermissions",
"lakeformation:RevokePermissions",
"lakeformation:RegisterResource",
"lakeformation:DeregisterResource",
"cloudtrail:CreateTrail",
"cloudtrail:StartLogging",
"cloudtrail:DeleteTrail",
"cloudtrail:PutEventSelectors",
"cloudtrail:DescribeTrails",
"sagemaker:CreateNotebookInstanceLifecycleConfig",
"sagemaker:DescribeNotebookInstanceLifecycleConfig",
"logs:CreateLogDelivery",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DeleteLogDelivery",
"logs:DescribeLogGroups",
"logs:DescribeResourcePolicies",
"logs:GetLogDelivery",
"logs:ListLogDeliveries",
"logs:PutLogEvents",
"logs:PutResourcePolicy",
"logs:PutRetentionPolicy",
"logs:UpdateLogDelivery",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketOwnershipControls",
"s3:GetBucketPolicy",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketVersioning",
"s3:GetEncryptionConfiguration",
"s3:GetObject",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:PutAccountPublicAccessBlock",
"s3:PutBucketAcl",
"s3:PutBucketLogging",
"s3:PutBucketNotification",
"s3:PutBucketObjectLockConfiguration",
"s3:PutBucketOwnershipControls",
"s3:PutBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:PutBucketTagging",
"s3:PutBucketVersioning",
"s3:PutEncryptionConfiguration",
"s3:PutEncryptionConfiguration",
"s3:PutObjectVersionTagging",
"sagemaker:CreateNotebookInstance",
"sagemaker:DescribeNotebookInstance",
"sagemaker:CreateNotebookInstanceLifecycleConfig",
"sagemaker:DeleteNotebookInstance",
"sagemaker:DeleteNotebookInstanceLifecycleConfig",
"sagemaker:DescribeNotebookInstance",
"sagemaker:DescribeNotebookInstanceLifecycleConfig",
"sagemaker:ListNotebookInstanceLifecycleConfigs",
"sagemaker:ListNotebookInstances",
"sagemaker:StartNotebookInstance",
"sagemaker:StopNotebookInstance",
"sagemaker:UpdateNotebookInstance",
"sagemaker:UpdateNotebookInstanceLifecycleConfig",
"sagemaker:ListNotebookInstanceLifecycleConfigs",
"sagemaker:ListNotebookInstances",
"iam:PassRole"
"secretsmanager:CreateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
"secretsmanager:UpdateSecret",
"servicecatalog:AssociateAttributeGroup",
"servicecatalog:AssociateResource",
"servicecatalog:CreateApplication",
"servicecatalog:CreateAttributeGroup",
"servicecatalog:DeleteApplication",
"servicecatalog:DeleteAttributeGroup",
"servicecatalog:DisassociateAttributeGroup",
"servicecatalog:DisassociateResource",
"servicecatalog:TagResource",
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:GetTopicAttributes",
"sns:Publish",
"sns:SetTopicAttributes",
"sns:Subscribe",
"sns:TagResource",
"sns:Unsubscribe",
"sqs:ChangeMessageVisibility",
"sqs:CreateQueue",
"sqs:DeleteMessage",
"sqs:DeleteQueue",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ListDeadLetterSourceQueues",
"sqs:ListQueues",
"sqs:ListQueueTags",
"sqs:ReceiveMessage",
"ssm:DeleteParameter",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:GetParametersByPath",
"ssm:PutParameter",
"states:CreateStateMachine",
"states:DeleteStateMachine",
"states:DescribeStateMachine",
"states:TagResource"
],
"Resource": [
"*"
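Review bot: The alphabetised action list on the new side carries `"s3:PutEncryptionConfiguration"` twice as adjacent entries in the s3 run (the pre-sort list also had it twice, so the reorder preserved the duplicate); one of the two lines should be dropped, and a uniqueness check such as `jq '.Statement[].Action | length == (unique | length)' IAM_POLICY_INSTALL.json` in CI would keep future reorders from reintroducing it. Since the commit is already touching every action entry, it is worth noting that `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy`, `iam:CreatePolicyVersion` and `iam:PassRole` remain granted against the unchanged `"Resource": ["*"]` at the end of the hunk, so the installing principal can create and attach arbitrary policies to any role in the account rather than only to the solution's roles. If the stack's resource naming is predictable, scope these to the stack's ARN pattern or add a `Condition` with `iam:PassedToService` on `iam:PassRole`; otherwise a comment in the README next to the "use as a guide" sentence explaining why wildcard resources are required would help reviewers of this policy. The statement's `Resource` array and closing brace continue past the end of the hunk.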
5 changes: 2 additions & 3 deletions README.md
Expand Up @@ -50,8 +50,7 @@ the AWS Well-Architected Framework.

### IAM Roles for Installation and Operation

The IAM policies required to install the solution are listed within
the `IAM_POLICY_INSTALL.json` file. The IAM policies required to operate the solution are generated dynamically on stack deployment in the `IAM_POLICY_OPERATE.json` file. A link to this policy can be found in the Outputs window of your Cloudformation stack after deploying. Note: the policy generated should be used as a guide. Please review it as it may need to be amended in order to fit your specific use case.
An IAM policy for installing the solution is listed within the `IAM_POLICY_INSTALL.json` file. An IAM policy for operating the solution is created on stack deployment with a name prefix of `{stack-name}-adminpolicy`. A link to this policy can be found in the Outputs window of your Cloudformation stack under the AdminPolicyOutput key. Note: the policy generated should be used as a guide. Please review it as it may need to be amended in order to fit your specific use case.

These JSON files can be used to create a JSON policy in AWS IAM to scope the actions available to a user so they can install and operate the solution.

Expand Down Expand Up @@ -144,7 +143,7 @@ export REGION_NAME=my-region
build-s3-cdk-dist deploy \
--source-bucket-name $DIST_BUCKET_PREFIX \
--solution-name $SOLUTION_NAME \
--version_code $VERSION \
--version-code $VERSION \
--cdk-app-path ../source/infrastructure/app.py \
--cdk-app-entrypoint app:build_app \
--region $REGION_NAME \