fix: update CWP CloudFormation template (#4323)

webiny · Oct 10, 2024 · 04061f0 · 04061f0
1 parent c0d893e
commit 04061f0
Show file tree

Hide file tree

Showing 7 changed files with 768 additions and 1,033 deletions.
diff --git a/docs/DEPLOY_WEBINY_PROJECT_CF_TEMPLATE.yaml b/docs/DEPLOY_WEBINY_PROJECT_CF_TEMPLATE.yaml
@@ -40,6 +40,15 @@ Resources:
                   "Null":
                     "aws:ResourceTag/WbyProjectName": "false"
 
+              # We had to add this because without it, upon destroying Admin/Website apps, we'd get an error:
+              # > waiting for CloudFront Distribution ({CF-DISTRIBUTION-ID}) delete: operation error CloudFront: GetDistribution
+              # > AccessDenied: User: arn:aws:iam::{X}:user/{Y} is not authorized to perform: cloudfront:GetDistribution on resource
+              # Was trying to resolve it for some time, but ultimately, did not succeed. Might be a Pulumi/Terraform issue.
+              - Effect: Allow
+                Resource: arn:*:cloudfront::*:distribution/*
+                Action:
+                  - cloudfront:GetDistribution
+
               - Effect: Allow
                 Resource: arn:*:cloudfront::*:function/*
                 Action:
@@ -251,20 +260,29 @@ Resources:
                   - arn:aws:iam::*:role/aws-service-role/es.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService
                   - arn:aws:iam::*:role/aws-service-role/es.amazonaws.com/AWSServiceRoleForAmazonElasticsearchService
 
-
               # AWS Step Functions
               - Effect: Allow
                 Action:
-                - states:CreateStateMachine
-                - states:DeleteStateMachine
-                - states:DescribeStateMachine
-                - states:ListTagsForResource
-                - states:TagResource
-                - states:UntagResource
-                - states:ListStateMachines
-                - states:UpdateStateMachine
+                  - states:CreateStateMachine
+                  - states:DeleteStateMachine
+                  - states:DescribeStateMachine
+                  - states:ListTagsForResource
+                  - states:TagResource
+                  - states:UntagResource
+                  - states:ListStateMachines
+                  - states:UpdateStateMachine
+                  - states:ListStateMachineVersions
                 Resource: arn:aws:states:*:*:stateMachine:wby-*
 
+              # AWS Step Functions - ValidateStateMachineDefinition
+              # We needed to set "arn:aws:states:*:*:stateMachine:*" because the action
+              # "states:ValidateStateMachineDefinition" does not support resource-level permissions.
+              # https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstepfunctions.html#awsstepfunctions-ValidateStateMachineDefinition
+              - Effect: Allow
+                Action:
+                  - states:ValidateStateMachineDefinition
+                Resource: arn:aws:states:*:*:stateMachine:*
+
               # AWS Lambda
               - Effect: Allow
                 Action:
@@ -296,19 +314,37 @@ Resources:
 
               - Effect: Allow
                 Action:
-                  # Only wildcard can be used here.
-                  # https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html
-                  # https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html#permissions-resources-eventsource
                   - lambda:CreateEventSourceMapping
+                  - lambda:TagResource
+                Condition:
+                  "Null":
+                    aws:RequestTag/WbyProjectName: "false"
+
+                # Only wildcard can be used here.
+                # https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html
+                # https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html#permissions-resources-eventsource
+                Resource: "*"
+
+              - Effect: Allow
+                Action:
                   - lambda:ListEventSourceMappings
+                # Only wildcard can be used here.
+                # https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html
+                # https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html#permissions-resources-eventsource
+                Resource: "*"
 
+              - Effect: Allow
+                Action:
                   # Initially, we grouped these with `Resource: arn:aws:lambda:*:*:event-source-mapping:*`, but that
                   # caused several `xyz is not authorized to perform: lambda:GetEventSourceMapping on resource: *`
                   # errors. But still, note that, even if we managed to use the initial resource string, we'd still
                   # be relying on wildcards, which, if we think about it, is essentially the same as `Resource: *`.
+                  # Also, there weren't any Condition keys that could've been used here (there is `lambda:FunctionArn`,
+                  # but it doesn't help us in this case). We might want to revisit this in the future.
                   - lambda:GetEventSourceMapping
                   - lambda:UpdateEventSourceMapping
                   - lambda:DeleteEventSourceMapping
+                  - lambda:ListTags
                 Resource: "*"
 
               # We want to provide the ability to get different layers.

diff --git a/packages/pulumi-aws/package.json b/packages/pulumi-aws/package.json
@@ -13,8 +13,8 @@
     "directory": "dist"
   },
   "dependencies": {
-    "@pulumi/aws": "^6.48.0",
-    "@pulumi/pulumi": "^3.128.0",
+    "@pulumi/aws": "^6.55.0",
+    "@pulumi/pulumi": "^3.136.1",
     "@pulumi/random": "^4.16.3",
     "@webiny/aws-sdk": "0.0.0",
     "@webiny/cli-plugin-deploy-pulumi": "0.0.0",

diff --git a/packages/pulumi-aws/src/utils/tagResources.ts b/packages/pulumi-aws/src/utils/tagResources.ts
@@ -174,6 +174,7 @@ const taggableResourceTypes = new Set([
     "aws:kms/externalKey:ExternalKey",
     "aws:kms/key:Key",
     "aws:lambda/function:Function",
+    "aws:lambda/eventSourceMapping:EventSourceMapping",
     "aws:lb/loadBalancer:LoadBalancer",
     "aws:lb/targetGroup:TargetGroup",
     "aws:licensemanager/licenseConfiguration:LicenseConfiguration",

diff --git a/packages/pulumi-sdk/package.json b/packages/pulumi-sdk/package.json
@@ -14,8 +14,8 @@
     "directory": "dist"
   },
   "dependencies": {
-    "@pulumi/aws": "^6.48.0",
-    "@pulumi/pulumi": "^3.128.0",
+    "@pulumi/aws": "^6.55.0",
+    "@pulumi/pulumi": "^3.136.1",
     "decompress": "^4.2.1",
     "execa": "^5.0.0",
     "fs-extra": "^11.2.0",

diff --git a/packages/pulumi/package.json b/packages/pulumi/package.json
@@ -14,7 +14,7 @@
     "directory": "dist"
   },
   "dependencies": {
-    "@pulumi/pulumi": "^3.128.0",
+    "@pulumi/pulumi": "^3.136.1",
     "find-up": "^5.0.0",
     "lodash": "^4.17.21"
   },

diff --git a/packages/serverless-cms-aws/package.json b/packages/serverless-cms-aws/package.json
@@ -13,8 +13,8 @@
     "directory": "dist"
   },
   "dependencies": {
-    "@pulumi/aws": "^6.48.0",
-    "@pulumi/pulumi": "^3.128.0",
+    "@pulumi/aws": "^6.55.0",
+    "@pulumi/pulumi": "^3.136.1",
     "@webiny/api-aco": "0.0.0",
     "@webiny/api-apw": "0.0.0",
     "@webiny/api-apw-scheduler-so-ddb": "0.0.0",