Add CFN prefix to service role and permission boundary ARNs for stack uniqueness

Taniya Mathur · Taniya Mathur · commit c4f08495da08 · 2025-09-25T00:11:42.000Z
- Updated permission boundary policy name to include CFN prefix
- Updated service role name to include stack name for uniqueness
- Updated uninstall service to use CFN prefix for permission boundary cleanup
- Ensures multiple stack deployments don't conflict in same AWS account
diff --git a/iam-roles/cloudformation-management/IDP-Cloudformation-Service-Role.yaml b/iam-roles/cloudformation-management/IDP-Cloudformation-Service-Role.yaml
@@ -13,7 +13,7 @@ Resources:
   CloudFormationServiceRole:
     Type: AWS::IAM::Role
     Properties:
-      RoleName: IDPAcceleratorCloudFormationServiceRole
+      RoleName: !Sub '${AWS::StackName}-IDPAcceleratorCloudFormationServiceRole'
       AssumeRolePolicyDocument:
         Version: '2012-10-17'
         Statement:
diff --git a/scripts/sdlc/idp-cli/src/idp_cli/service/install_service.py b/scripts/sdlc/idp-cli/src/idp_cli/service/install_service.py
@@ -256,8 +256,6 @@ def deploy_service_role(self):
                 logger.debug(f"Command stdout: {e.stdout}")
             if e.stderr:
                 logger.debug(f"Command stderr: {e.stderr}")
-            
-            logger.info(f"Service role deployment failed. Stack '{service_role_stack_name}' left for debugging.")
             return None
         except Exception as e:
             logger.error(f"Unexpected error during service role deployment: {e}")
@@ -302,7 +300,7 @@ def _get_service_role_arn_from_stack(self, stack_name):
     def create_permission_boundary_policy(self):
         """Create an 'allow everything' permission boundary policy"""
         
-        policy_name = "IDPPermissionBoundary"
+        policy_name = f"{self.cfn_prefix}-IDPPermissionBoundary"
         iam = boto3.client('iam')
         
         try:
diff --git a/scripts/sdlc/idp-cli/src/idp_cli/service/uninstall_service.py b/scripts/sdlc/idp-cli/src/idp_cli/service/uninstall_service.py
@@ -73,12 +73,11 @@ def delete_service_role_stack(self):
 
     def delete_permission_boundary_policy(self):
         """Delete the permission boundary policy if it exists"""
-        policy_name = "IDPPermissionBoundary"
+        policy_name = f"{self.cfn_prefix}-IDPPermissionBoundary"
         
         try:
             iam = boto3.client('iam')
-            account_id = boto3.client('sts').get_caller_identity()['Account']
-            policy_arn = f"arn:aws:iam::{account_id}:policy/{policy_name}"
+            policy_arn = f"arn:aws:iam::{self.account_id}:policy/{policy_name}"
             
             logger.info(f"Attempting to delete permission boundary policy: {policy_arn}")
             iam.delete_policy(PolicyArn=policy_arn)
