Update to version v1.2.3

Fix issue #45 , updating IAM policy to fix deployment of use cases from deployment dashboard

Author: tabdunabi

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.2.3] - 2024-02-06
+
+### Fixed
+
+-   Fix AWS IAM policy that causes use case deployments to fail when creating, updating or deleting from the deployment dashboard.
+
 ## [1.2.2] - 2024-01-11
 
 ### Fixed

source/infrastructure/lib/use-case-management/management-stack.ts

@@ -441,7 +441,8 @@ const buildCfnDeployRole = (scope: Construct): iam.Role => {
                             'iam:GetRolePolicy',
                             'iam:PutRolePolicy',
                             'iam:TagRole',
-                            'iam:UpdateAssumeRolePolicy'
+                            'iam:UpdateAssumeRolePolicy',
+                            'iam:PassRole'
                         ],
                         resources: [
                             `arn:${cdk.Aws.PARTITION}:iam::${cdk.Aws.ACCOUNT_ID}:role/*`,
@@ -451,15 +452,6 @@ const buildCfnDeployRole = (scope: Construct): iam.Role => {
                             ...awsTagKeysCondition
                         }
                     }),
-                    new iam.PolicyStatement({
-                        effect: iam.Effect.ALLOW,
-                        actions: ['iam:PassRole'],
-                        resources: [`arn:${cdk.Aws.PARTITION}:iam::${cdk.Aws.ACCOUNT_ID}:role/*`],
-                        conditions: {
-                            ...awsCalledViaCondition,
-                            ...awsTagKeysCondition
-                        }
-                    }),
                     new iam.PolicyStatement({
                         effect: iam.Effect.ALLOW,
                         actions: ['lambda:AddPermission', 'lambda:RemovePermission', 'lambda:InvokeFunction'],
@@ -811,7 +803,21 @@ const buildCfnDeployRole = (scope: Construct): iam.Role => {
                             ...awsCalledViaCondition,
                             ...awsTagKeysCondition
                         }
-                    })
+                    }),
+                    new iam.PolicyStatement({
+                        effect: iam.Effect.ALLOW,
+                        actions: [
+                            'cloudformation:CreateStack',
+                            'cloudformation:UpdateStack',
+                            'cloudformation:DeleteStack'
+                        ],
+                        resources: [
+                            `arn:${cdk.Aws.PARTITION}:cloudformation:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:stack/*`
+                        ],
+                        conditions: {
+                            ...awsTagKeysCondition
+                        }
+                        })
                 ]
             })
         }

source/infrastructure/test/use-case-management/management-stack.test.ts

@@ -447,7 +447,8 @@ describe('When creating a use case management Stack', () => {
                                     'iam:GetRolePolicy',
                                     'iam:PutRolePolicy',
                                     'iam:TagRole',
-                                    'iam:UpdateAssumeRolePolicy'
+                                    'iam:UpdateAssumeRolePolicy',
+                                    'iam:PassRole'
                                 ],
                                 Condition: {
                                     'ForAllValues:StringEquals': {
@@ -490,34 +491,6 @@ describe('When creating a use case management Stack', () => {
                                     }
                                 ]
                             },
-                            {
-                                Action: 'iam:PassRole',
-                                Condition: {
-                                    'ForAnyValue:StringEquals': {
-                                        'aws:CalledVia': ['cloudformation.amazonaws.com']
-                                    },
-                                    'ForAllValues:StringEquals': {
-                                        'aws:TagKeys': ['createdVia', 'userId']
-                                    }
-                                },
-                                Effect: 'Allow',
-                                Resource: {
-                                    'Fn::Join': [
-                                        '',
-                                        [
-                                            'arn:',
-                                            {
-                                                Ref: 'AWS::Partition'
-                                            },
-                                            ':iam::',
-                                            {
-                                                Ref: 'AWS::AccountId'
-                                            },
-                                            ':role/*'
-                                        ]
-                                    ]
-                                }
-                            },
                             {
                                 Action: ['lambda:AddPermission', 'lambda:RemovePermission', 'lambda:InvokeFunction'],
                                 Condition: {
@@ -1307,6 +1280,39 @@ describe('When creating a use case management Stack', () => {
                                         ]
                                     ]
                                 }
+                            },
+                            {
+                                Action: [
+                                    'cloudformation:CreateStack',
+                                    'cloudformation:UpdateStack',
+                                    'cloudformation:DeleteStack'
+                                ],
+                                Condition: {
+                                    'ForAllValues:StringEquals': {
+                                        'aws:TagKeys': ['createdVia', 'userId']
+                                    }
+                                },
+                                Effect: 'Allow',
+                                Resource: {
+                                    'Fn::Join': [
+                                        '',
+                                        [
+                                            'arn:',
+                                            {
+                                                Ref: 'AWS::Partition'
+                                            },
+                                            ':cloudformation:',
+                                            {
+                                                Ref: 'AWS::Region'
+                                            },
+                                            ':',
+                                            {
+                                                Ref: 'AWS::AccountId'
+                                            },
+                                            ':stack/*'
+                                        ]
+                                    ]
+                                }
                             }
                         ]
                     }