From 986497d7059814476e51459a4bed4224007a23f4 Mon Sep 17 00:00:00 2001
From: Lyndon Garvey
Date: Thu, 15 Aug 2024 15:19:52 +0100
Subject: [PATCH] fix: add a policy to allow sedrvices to access global SSM parameters
---
.../templates/svc/overrides/cfn.patches.yml | 12 ++++++++++++
.../expected/web/overrides/cfn.patches.yml | 12 ++++++++++++
2 files changed, 24 insertions(+)
diff --git a/dbt_platform_helper/templates/svc/overrides/cfn.patches.yml b/dbt_platform_helper/templates/svc/overrides/cfn.patches.yml
index c4a96d11a..0ca134edb 100644
--- a/dbt_platform_helper/templates/svc/overrides/cfn.patches.yml
+++ b/dbt_platform_helper/templates/svc/overrides/cfn.patches.yml
@@ -12,3 +12,15 @@ path: /Resources/TaskDefinition/Properties/Volumes value: - Name: temporary-fs
+
+- op: add
+ path: /Resources/ExecutionRole/Properties/Policies/0/PolicyDocument/Statement/4
+ value:
+ Effect: 'Allow'
+ Action:
+ - 'ssm:GetParameters'
+ Resource:
+ - !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/*'
+ Condition:
+ StringEquals:
+ 'ssm:ResourceTag/copilot-application': '__all__'
diff --git a/tests/platform_helper/fixtures/make_addons/expected/web/overrides/cfn.patches.yml b/tests/platform_helper/fixtures/make_addons/expected/web/overrides/cfn.patches.yml
index c4a96d11a..0ca134edb 100644
--- a/tests/platform_helper/fixtures/make_addons/expected/web/overrides/cfn.patches.yml
+++ b/tests/platform_helper/fixtures/make_addons/expected/web/overrides/cfn.patches.yml
@@ -12,3 +12,15 @@ path: /Resources/TaskDefinition/Properties/Volumes value: - Name: temporary-fs
+
+- op: add
+ path: /Resources/ExecutionRole/Properties/Policies/0/PolicyDocument/Statement/4
+ value:
+ Effect: 'Allow'
+ Action:
+ - 'ssm:GetParameters'
+ Resource:
+ - !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/*'
+ Condition:
+ StringEquals:
+ 'ssm:ResourceTag/copilot-application': '__all__'
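Review bot: The statement added to `ExecutionRole` in the `svc` template allows `ssm:GetParameters` on `parameter/*`, gated only by the tag `copilot-application` being `__all__`. There is no per-environment condition, so the effective access boundary is whoever is allowed to tag SSM parameters in the account. That trust assumption should be written down above the `- op: add` line, for example `# Any parameter tagged copilot-application=__all__ is readable by every service's execution role in this account; keep tagging rights on SSM parameters tightly scoped.` Separately, the path ends in the fixed index `Statement/4`, which (assuming JSON Patch add semantics) fails if the generated policy has fewer than four statements and lands mid-list if it has more. If the override engine accepts the append token, `path: /Resources/ExecutionRole/Properties/Policies/0/PolicyDocument/Statement/-` is less brittle. The second hunk, in the `tests/.../expected/web/overrides/cfn.patches.yml` fixture, is a copy and would change with it.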