build: add support for execution role deployment #23
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This change introduces a new `deploy` top-level project directory that contains parameterized CloudFormation templates that can be used to deploy the required Starfleet execution roles. The following CloudFormation templates are included: The `starfleet-execution-role-stackset.yml` template supports deployment through CloudFormation StackSets and allows users to target deployment to all member accounts in an AWS Organization or specific targets (e.g. OUs, accounts, etc.). The `starfleet-execution-role-org-management.yml` template is intended to be deployed as a standard CloudFormation Stack in the organization management account. The template creates a role for the Starfleet Account Index Generator and a standard Starfleet Worker execution role. Both templates enforce strict input checking for all parameters and implement least-privilege policies. Lastly, this change includes new `tox` environments to check CloudFormation templates for linting and security misconfigurations.
|
There seems to be a regression with: That's very strange that it would break SQS... |
|
This is the issue: getmoto/moto#6286 |
|
@ericwestfall in the meantime, let's pin to the older versions of |
mikegrima
reviewed
May 5, 2023
The underlying change in |
|
LGTM. The next step will be to update the docs to reference how to use the CF templates for the role. |
mikegrima
approved these changes
May 9, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change introduces a new
deploytop-level project directory that contains parameterized CloudFormation templates that can be used to deploy the required Starfleet execution roles.The following CloudFormation templates are included:
The
starfleet-execution-role-stackset.ymltemplate supports deployment through CloudFormation StackSets and allows users to target deployment to all member accounts in an AWS Organization or specific targets (e.g. OUs, accounts, etc.).The
starfleet-execution-role-org-management.ymltemplate is intended to be deployed as a standard CloudFormation Stack in the organization management account. The template creates a role for the Starfleet Account Index Generator and a standard Starfleet Worker execution role.Both templates enforce strict input checking for all parameters and implement least-privilege policies. Lastly, this change includes new
toxenvironments to check CloudFormation templates for linting and security misconfigurations.