fix: add a policy to allow services to access global SSM parameters (#…

…531)
uktrade · Aug 19, 2024 · 6fb9795 · 6fb9795
1 parent 5241adf
commit 6fb9795
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/dbt_platform_helper/templates/svc/overrides/cfn.patches.yml b/dbt_platform_helper/templates/svc/overrides/cfn.patches.yml
@@ -12,3 +12,15 @@
   path: /Resources/TaskDefinition/Properties/Volumes
   value:
     - Name: temporary-fs
+
+- op: add
+  path: /Resources/ExecutionRole/Properties/Policies/0/PolicyDocument/Statement/4
+  value:
+    Effect: 'Allow'
+    Action:
+      - 'ssm:GetParameters'
+    Resource:
+      - !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/*'
+    Condition:
+      StringEquals:
+          'ssm:ResourceTag/copilot-application': '__all__'
diff --git a/tests/platform_helper/fixtures/make_addons/expected/web/overrides/cfn.patches.yml b/tests/platform_helper/fixtures/make_addons/expected/web/overrides/cfn.patches.yml
@@ -12,3 +12,15 @@
   path: /Resources/TaskDefinition/Properties/Volumes
   value:
     - Name: temporary-fs
+
+- op: add
+  path: /Resources/ExecutionRole/Properties/Policies/0/PolicyDocument/Statement/4
+  value:
+    Effect: 'Allow'
+    Action:
+      - 'ssm:GetParameters'
+    Resource:
+      - !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/*'
+    Condition:
+      StringEquals:
+          'ssm:ResourceTag/copilot-application': '__all__'