Customize CloudFormation stack name and add Permission boundary for IAM roles #7468

Closed
vaibhavjainv opened this issue Jun 7, 2021 · 5 comments
Labels
extensibility Issues related to expand or customize current configuration feature-request Request a new feature

vaibhavjainv commented Jun 7, 2021

Note: If your question is regarding the AWS Amplify Console service, please log it in the
AWS Amplify Console repository

Which Category is your question related to?

Amplify CLI Version

You can use amplify -v to check the amplify cli version on your system
4.51.3

What AWS Services are you utilizing?
amplify init

Provide additional details e.g. code snippets
We have a requirement that any CloudFormation template, IAM role and policy created in the account should have a prefix in the resource name like: XXX-ABCDEF123-*. However, when running the "amplify init" command, there is no option for us to customize the CloudFormation stack name and the AuthRoleName/UnauthRoleName. There is no option for us to add a permission boundary to the IAM policy either. Customer has the following questions:

  1. Is there a way to customize the CloudFormation stack name, IAM role name created by "amplify init"
  2. Is there a way to create the IAM role with an existing permission boundary policy?
    There is a GitHub pull request for this feature. Is there any ETA on when this feature will be supported? Define IAM Permissions Boundary for Project #7144

Steps to reproduce the issue:

  1. run "npm init" to create a package.json file
  2. run "amplify init"

One CloudFormation stack, two IAM roles and one deployment S3 bucket will be created. They all have "amplify" as prefix in the resource name. For example, this is the team-provider-info.json file created by Amplify

    {
      "dev": {
        "awscloudformation": {
          "AuthRoleName": "amplify-<app name>-<env name>-104805-authRole",
          "UnauthRoleArn": "arn:aws:iam::<ACCOUNT_NUMBER>:role/amplify-<app name>-<env name>-<APP_ID>-unauthRole",
          "AuthRoleArn": "arn:aws:iam::<ACCOUNT_NUMBER>:role/amplify-<app name>-<env name>-<APP_ID>-authRole",
          "Region": "us-east-1",
          "DeploymentBucketName": "amplify-<app name>-<env name>-<APP_ID>-deployment",
          "UnauthRoleName": "amplify-<app name>-<env name>-<APP_ID>-unauthRole",
          "StackName": "amplify-<app name>-<env name>-<APP_ID>",
          "StackId": "arn:aws:cloudformation:us-east-1:<ACCOUNT_NUMBER>:stack/amplify-<app name>-<env name>-<APP_ID>/<STACK_ID>",
          "AmplifyAppId": "<app id>"
        }
      }
    }
@vaibhavjainv vaibhavjainv added the question General question label Jun 7, 2021
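
The naming requirement described in the post above can be audited against `team-provider-info.json` before anything is deployed. The following is an added example, not part of the original thread and not Amplify CLI code; the account ID, app name and environment names are constructed, and the lowercase comparison for the bucket is an assumption based on S3 bucket names being lowercase-only.

```javascript
// Added example (not Amplify CLI code). The prefix is the pattern quoted in the
// issue; account id, app name and env names below are constructed sample values.
const REQUIRED_PREFIX = "XXX-ABCDEF123-";
const NAME_FIELDS = ["StackName", "AuthRoleName", "UnauthRoleName", "DeploymentBucketName"];
const ARN_FIELDS = ["AuthRoleArn", "UnauthRoleArn", "StackId"];

// Pull the resource name out of an IAM role ARN or a CloudFormation stack ARN.
function nameFromArn(arn) {
  const parts = String(arn).split(":");
  if (parts.length < 6 || parts[0] !== "arn") return null;
  const segs = parts.slice(5).join(":").split("/");
  if (segs[0] === "role" && segs.length >= 2) return segs[segs.length - 1]; // skip any IAM path
  if (segs[0] === "stack" && segs.length >= 2) return segs[1];              // stack/<name>/<id>
  return null;
}

// Return one finding per field whose name is missing or lacks the prefix.
function auditNaming(info, prefix = REQUIRED_PREFIX) {
  const findings = [];
  for (const [env, providers] of Object.entries(info)) {
    const cfn = providers.awscloudformation || {};
    for (const field of [...NAME_FIELDS, ...ARN_FIELDS]) {
      const raw = cfn[field];
      const name = ARN_FIELDS.includes(field) ? nameFromArn(raw) : raw;
      // S3 bucket names are lowercase-only, so compare that field against the lowercased prefix.
      const want = field === "DeploymentBucketName" ? prefix.toLowerCase() : prefix;
      if (typeof name !== "string" || name === "") findings.push({ env, field, issue: "missing-or-unparseable" });
      else if (!name.startsWith(want)) findings.push({ env, field, name, issue: "prefix" });
    }
  }
  return findings;
}

// Constructed team-provider-info.json content: "dev" uses generated names, "gov" is compliant.
function sample(base, bucketBase) {
  const acct = "111122223333";
  return { awscloudformation: {
    StackName: base, AuthRoleName: `${base}-authRole`, UnauthRoleName: `${base}-unauthRole`,
    DeploymentBucketName: `${bucketBase}-deployment`,
    AuthRoleArn: `arn:aws:iam::${acct}:role/${base}-authRole`,
    UnauthRoleArn: `arn:aws:iam::${acct}:role/${base}-unauthRole`,
    StackId: `arn:aws:cloudformation:us-east-1:${acct}:stack/${base}/00000000-0000-0000-0000-000000000000`,
  } };
}
const SAMPLE = {
  dev: sample("amplify-myapp-dev-104805", "amplify-myapp-dev-104805"),
  gov: sample("XXX-ABCDEF123-myapp-gov", "xxx-abcdef123-myapp-gov"),
};
console.log(auditNaming(SAMPLE));
```
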

jhockett commented Jun 7, 2021

> 1. Is there a way to customize the CloudFormation stack name, IAM role name created by "amplify init"

No, this is not supported today. Amplify CLI uses the generated names internally so they cannot be changed. Depending on the use-case, tags might be a good alternative: https://docs.amplify.aws/cli/usage/tags

> 2. Is there a way to create the IAM role with an existing permission boundary policy?
>    There is a github pull for this feature. Is there any ETA on when this feature will be supported? #7144

Not until the PR is merged. We do not have a timeline we can share.

@renebrandel

Hi @vaibhavjainv - we've just launched IAM permissions boundary support. LMK if that coupled with the tags feature resolves this issue.

@ajitambike

> Hi @vaibhavjainv - we've just launched IAM permissions boundary support. LMK if that coupled with the tags feature resolves this issue.

@renebrandel, this is an extremely useful feature. This alleviated some of the issues for sure. However, the inability to customize role names remains a pain point. A lot of organizations have standardized naming conventions for all resources. And changing governance policies is neither easy nor a quick activity that can fit in the timelines of various projects. This means we cannot use Amplify CLI that is such a useful tool.
What can be done to request a new feature where we can customize names of AWS components created by Amplify including role names?

@josefaidt josefaidt added feature-request Request a new feature and removed enhancement labels Sep 3, 2021
github-actions bot commented Nov 3, 2021

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels for those types of questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 3, 2021