Merge pull request #626 from guardian/aa-migrate-ami-deletion-policy

feat: Migrate permissions to trigger AMI deletions

cdk/lib/__snapshots__/amigo.test.ts.snap

@@ -78,38 +78,6 @@ Object {
       "Properties": Object {
         "PolicyDocument": Object {
           "Statement": Array [
-            Object {
-              "Action": Array [
-                "sns:*",
-              ],
-              "Effect": "Allow",
-              "Resource": Object {
-                "Fn::Sub": Array [
-                  "arn:aws:sns:*:*:amigo-\${Stage}-notify",
-                  Object {
-                    "Stage": Object {
-                      "Ref": "Stage",
-                    },
-                  },
-                ],
-              },
-            },
-            Object {
-              "Action": Array [
-                "sns:*",
-              ],
-              "Effect": "Allow",
-              "Resource": Object {
-                "Fn::Sub": Array [
-                  "arn:aws:sns:*:*:amigo-\${Stage}-housekeeping-notify",
-                  Object {
-                    "Stage": Object {
-                      "Ref": "Stage",
-                    },
-                  },
-                ],
-              },
-            },
             Object {
               "Action": Array [
                 "s3:GetBucketPolicy",
@@ -244,6 +212,36 @@ Object {
               "Effect": "Allow",
               "Resource": "*",
             },
+            Object {
+              "Action": "sns:*",
+              "Effect": "Allow",
+              "Resource": Array [
+                Object {
+                  "Fn::Join": Array [
+                    "",
+                    Array [
+                      "arn:aws:sns:*:*:amigo-",
+                      Object {
+                        "Ref": "Stage",
+                      },
+                      "-notify",
+                    ],
+                  ],
+                },
+                Object {
+                  "Fn::Join": Array [
+                    "",
+                    Array [
+                      "arn:aws:sns:*:*:amigo-",
+                      Object {
+                        "Ref": "Stage",
+                      },
+                      "-housekeeping-notify",
+                    ],
+                  ],
+                },
+              ],
+            },
           ],
           "Version": "2012-10-17",
         },

cdk/lib/amigo.ts

@@ -76,6 +76,19 @@ export class AmigoStack extends GuStack {
           actions: ["sns:ListTopics"],
           resources: ["*"],
         }),
+
+        /*
+        Permissions to trigger AMI deletion
+        See https://github.com/guardian/amigo/pull/193
+         */
+        new PolicyStatement({
+          effect: Effect.ALLOW,
+          actions: ["sns:*"],
+          resources: [
+            `arn:aws:sns:*:*:amigo-${this.stage}-notify`,
+            `arn:aws:sns:*:*:amigo-${this.stage}-housekeeping-notify`,
+          ],
+        }),
       ],
     });
   }

cloudformation.yaml

@@ -61,15 +61,6 @@ Resources:
       PolicyName: amigo-app
       PolicyDocument:
         Statement:
-        - Effect: Allow
-          Action:
-          - sns:*
-          Resource: !Sub 'arn:aws:sns:*:*:amigo-${Stage}-notify'
-        - Effect: Allow
-          Action:
-          - sns:*
-          Resource: !Sub 'arn:aws:sns:*:*:amigo-${Stage}-housekeeping-notify'
-
         # Allow us to allow other accounts to retrieve the ImageCopier lambda artifact
         - Effect: Allow
           Action: