From 6fb9795cbf56963af8483ec018c16771f351390a Mon Sep 17 00:00:00 2001
From: Lyndon Garvey <237923+lgarvey@users.noreply.github.com>
Date: Mon, 19 Aug 2024 10:38:16 +0100
Subject: [PATCH] fix: add a policy to allow services to access global SSM parameters (#531)

---
 .../templates/svc/overrides/cfn.patches.yml | 12 ++++++++++++
 .../expected/web/overrides/cfn.patches.yml | 12 ++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/dbt_platform_helper/templates/svc/overrides/cfn.patches.yml b/dbt_platform_helper/templates/svc/overrides/cfn.patches.yml
index c4a96d11a..0ca134edb 100644
--- a/dbt_platform_helper/templates/svc/overrides/cfn.patches.yml
+++ b/dbt_platform_helper/templates/svc/overrides/cfn.patches.yml
@@ -12,3 +12,15 @@
 path: /Resources/TaskDefinition/Properties/Volumes
 value:
 - Name: temporary-fs
+
+- op: add
+ path: /Resources/ExecutionRole/Properties/Policies/0/PolicyDocument/Statement/4
+ value:
+ Effect: 'Allow'
+ Action:
+ - 'ssm:GetParameters'
+ Resource:
+ - !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/*'
+ Condition:
+ StringEquals:
+ 'ssm:ResourceTag/copilot-application': '__all__'
diff --git a/tests/platform_helper/fixtures/make_addons/expected/web/overrides/cfn.patches.yml b/tests/platform_helper/fixtures/make_addons/expected/web/overrides/cfn.patches.yml
index c4a96d11a..0ca134edb 100644
--- a/tests/platform_helper/fixtures/make_addons/expected/web/overrides/cfn.patches.yml
+++ b/tests/platform_helper/fixtures/make_addons/expected/web/overrides/cfn.patches.yml
@@ -12,3 +12,15 @@
 path: /Resources/TaskDefinition/Properties/Volumes
 value:
 - Name: temporary-fs
+
+- op: add
+ path: /Resources/ExecutionRole/Properties/Policies/0/PolicyDocument/Statement/4
+ value:
+ Effect: 'Allow'
+ Action:
+ - 'ssm:GetParameters'
+ Resource:
+ - !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/*'
+ Condition:
+ StringEquals:
+ 'ssm:ResourceTag/copilot-application': '__all__'
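Review bot: The hard-coded index in `path: /Resources/ExecutionRole/Properties/Policies/0/PolicyDocument/Statement/4` couples this patch to the exact number of statements Copilot currently emits in the execution role's inline policy, so an upstream change to that list would make the patch fail or land among unrelated statements; if the patch engine honours the RFC 6902 append token, `path: /Resources/ExecutionRole/Properties/Policies/0/PolicyDocument/Statement/-` removes that coupling. The `StringEquals` condition on `ssm:ResourceTag/copilot-application` is the only thing stopping `parameter/*` from being a blanket read grant, and it is worth recording that above the statement, e.g. `# Any parameter tagged copilot-application=__all__ becomes readable by every service's ExecutionRole; keep ssm:AddTagsToResource on parameters restricted accordingly.` A `Sid` such as `Sid: GlobalSsmParameterRead` would also make the statement identifiable in policy reviews and CloudTrail. The fixture under tests/platform_helper/fixtures/make_addons mirrors the template verbatim and needs the same adjustments.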