Fix permission boundary validation and cleanup logic

Taniya Mathur · Taniya Mathur · commit b3efd660f90f · 2025-09-25T02:06:02.000Z
- Add missing PermissionsBoundary to Discovery Lambda functions
- Make permission boundary validation failure cause deployment to fail
- Remove redundant cleanup from install_service
- Cleanup handled by uninstall_service and CodePipeline
diff --git a/patterns/pattern-1/template.yaml b/patterns/pattern-1/template.yaml
@@ -714,6 +714,7 @@ Resources:
           - id: W92
             reason: "Function does not require concurrent execution limits as it is designed to scale based on demand"
     Properties:
+      PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
       CodeUri: src/bda_discovery_function/
       Handler: index.handler
       Runtime: python3.12
diff --git a/scripts/sdlc/idp-cli/src/idp_cli/service/install_service.py b/scripts/sdlc/idp-cli/src/idp_cli/service/install_service.py
@@ -136,66 +136,6 @@ def publish(self):
             return False
         
 
-    def cleanup_failed_stack(self, stack_name):
-        """
-        Clean up failed stack if it exists in ROLLBACK_COMPLETE state.
-        
-        Args:
-            stack_name: Name of the stack to clean up
-            
-        Returns:
-            bool: True if cleanup successful or not needed, False if cleanup failed
-        """
-        try:
-            # Check stack status
-            cmd = [
-                'aws', 'cloudformation', 'describe-stacks',
-                '--region', self.region,
-                '--stack-name', stack_name,
-                '--query', 'Stacks[0].StackStatus',
-                '--output', 'text'
-            ]
-            
-            process = subprocess.run(
-                cmd,
-                check=True,
-                text=True,
-                stdout=subprocess.PIPE,
-                stderr=subprocess.PIPE
-            )
-            
-            stack_status = process.stdout.strip()
-            
-            if stack_status in ['ROLLBACK_COMPLETE', 'CREATE_FAILED', 'DELETE_FAILED']:
-                logger.info(f"Cleaning up failed stack {stack_name} (status: {stack_status})")
-                
-                delete_cmd = [
-                    'aws', 'cloudformation', 'delete-stack',
-                    '--region', self.region,
-                    '--stack-name', stack_name
-                ]
-                
-                subprocess.run(delete_cmd, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-                
-                # Wait for deletion to complete
-                wait_cmd = [
-                    'aws', 'cloudformation', 'wait', 'stack-delete-complete',
-                    '--region', self.region,
-                    '--stack-name', stack_name
-                ]
-                
-                subprocess.run(wait_cmd, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-                logger.info(f"Successfully cleaned up failed stack {stack_name}")
-                
-            return True
-            
-        except subprocess.CalledProcessError:
-            # Stack doesn't exist - no cleanup needed
-            return True
-        except Exception as e:
-            logger.error(f"Failed to cleanup stack {stack_name}: {e}")
-            return False
-
     def deploy_service_role(self):
         """
         Deploy the CloudFormation service role stack.
@@ -487,6 +427,7 @@ def install(self, admin_email: str, idp_pattern: str):
             logger.info("Step 4: Validating permission boundary on all IAM roles...")
             if not self.validate_permission_boundary(self.stack_name, permission_boundary_arn):
                 logger.error("Permission boundary validation failed!")
+                logger.error("Deployment failed due to security policy violations.")
                 return False
             
             logger.info("Deployment and validation completed successfully!")
@@ -501,10 +442,6 @@ def install(self, admin_email: str, idp_pattern: str):
                 logger.debug(f"Command stdout: {e.stdout}")
             if e.stderr:
                 logger.debug(f"Command stderr: {e.stderr}")
-            
-            # Cleanup failed deployment for next attempt
-            logger.info("Cleaning up failed deployment for next attempt...")
-            self.cleanup_failed_stack(self.stack_name)
             return False
         except Exception as e:
             logger.error(f"Unexpected error during stack deployment: {e}")
diff --git a/template.yaml b/template.yaml
@@ -5744,6 +5744,7 @@ Resources:
     # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
     # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
     Properties:
+      PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
       Handler: index.handler
       Runtime: python3.12
       CodeUri: ./src/lambda/discovery_upload_resolver
@@ -5907,6 +5908,7 @@ Resources:
     # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
     # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
     Properties:
+      PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
       Handler: index.handler
       Runtime: python3.12
       CodeUri: ./src/lambda/discovery_processor
