diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-template.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-template.yml index 7fd26eba2bd..999956348f4 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-template.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-template.yml @@ -157,6 +157,16 @@ Resources: - "kms:Decrypt" Resource: - !Ref ArtifactKeyARN + - Sid: DecryptTaggedKMSKey + Effect: 'Allow' + Action: + - 'kms:Decrypt' + Resource: + - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + Condition: + StringEquals: + 'aws:ResourceTag/copilot-application': !Sub '${AppName}' + 'aws:ResourceTag/copilot-environment': !Sub '${EnvName}' - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-template.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-template.yml index 5aad68427ca..a84f392bb4d 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-template.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-template.yml 
@@ -192,6 +192,16 @@ Resources: - "kms:Decrypt" Resource: - !Ref ArtifactKeyARN + - Sid: DecryptTaggedKMSKey + Effect: 'Allow' + Action: + - 'kms:Decrypt' + Resource: + - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + Condition: + StringEquals: + 'aws:ResourceTag/copilot-application': !Sub '${AppName}' + 'aws:ResourceTag/copilot-environment': !Sub '${EnvName}' - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-template.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-template.yml index 212cd72614d..ec9832fc4f8 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-template.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-template.yml @@ -157,6 +157,16 @@ Resources: - "kms:Decrypt" Resource: - !Ref ArtifactKeyARN + - Sid: DecryptTaggedKMSKey + Effect: 'Allow' + Action: + - 'kms:Decrypt' + Resource: + - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + Condition: + StringEquals: + 'aws:ResourceTag/copilot-application': !Sub '${AppName}' + 'aws:ResourceTag/copilot-environment': !Sub '${EnvName}' - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-template.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-template.yml index d6539ed791a..2ccd70ad86f 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-template.yml 
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-template.yml @@ -141,6 +141,16 @@ Resources: - 'kms:Decrypt' Resource: - !Ref ArtifactKeyARN + - Sid: DecryptTaggedKMSKey + Effect: 'Allow' + Action: + - 'kms:Decrypt' + Resource: + - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + Condition: + StringEquals: + 'aws:ResourceTag/copilot-application': !Sub '${AppName}' + 'aws:ResourceTag/copilot-environment': !Sub '${EnvName}' - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template-without-port-config.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template-without-port-config.yml index 050ed625703..689510ebca9 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template-without-port-config.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template-without-port-config.yml @@ -147,6 +147,16 @@ Resources: - "kms:Decrypt" Resource: - !Ref ArtifactKeyARN + - Sid: DecryptTaggedKMSKey + Effect: 'Allow' + Action: + - 'kms:Decrypt' + Resource: + - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + Condition: + StringEquals: + 'aws:ResourceTag/copilot-application': !Sub '${AppName}' + 'aws:ResourceTag/copilot-environment': !Sub '${EnvName}' - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template.yml index 4725ef12beb..50f05057a4e 100644 
--- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template.yml @@ -150,6 +150,16 @@ Resources: - "kms:Decrypt" Resource: - !Ref ArtifactKeyARN + - Sid: DecryptTaggedKMSKey + Effect: 'Allow' + Action: + - 'kms:Decrypt' + Resource: + - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + Condition: + StringEquals: + 'aws:ResourceTag/copilot-application': !Sub '${AppName}' + 'aws:ResourceTag/copilot-environment': !Sub '${EnvName}' - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.stack.yml index 1f8c72375ad..633c95a4bce 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.stack.yml @@ -287,6 +287,16 @@ Resources: - 'kms:Decrypt' Resource: - !Ref ArtifactKeyARN + - Sid: DecryptTaggedKMSKey + Effect: 'Allow' + Action: + - 'kms:Decrypt' + Resource: + - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + Condition: + StringEquals: + 'aws:ResourceTag/copilot-application': !Sub '${AppName}' + 'aws:ResourceTag/copilot-environment': !Sub '${EnvName}' - !If - HasEnvFile - PolicyName: !Join ['', [!Ref AppName, '-', !Ref EnvName, '-', !Ref WorkloadName, GetEnvFilePolicy]] diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/rdws-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/rdws-test.stack.yml index afc31e355ca..20199482658 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/rdws-test.stack.yml 
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/rdws-test.stack.yml @@ -129,6 +129,16 @@ Resources: - 'kms:Decrypt' Resource: - !Ref ArtifactKeyARN + - Sid: DecryptTaggedKMSKey + Effect: 'Allow' + Action: + - 'kms:Decrypt' + Resource: + - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + Condition: + StringEquals: + 'aws:ResourceTag/copilot-application': !Sub '${AppName}' + 'aws:ResourceTag/copilot-environment': !Sub '${EnvName}' - PolicyName: 'Publish2SNS' PolicyDocument: Version: '2012-10-17' diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.stack.yml index d72629ee460..1312703e820 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.stack.yml @@ -155,6 +155,16 @@ Resources: # If a bucket URL is specified, that means the template exists. - 'kms:Decrypt' Resource: - !Ref ArtifactKeyARN + - Sid: DecryptTaggedKMSKey + Effect: 'Allow' + Action: + - 'kms:Decrypt' + Resource: + - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + Condition: + StringEquals: + 'aws:ResourceTag/copilot-application': !Sub '${AppName}' + 'aws:ResourceTag/copilot-environment': !Sub '${EnvName}' - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.stack.yml index 3831259b54d..92ef88aa910 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.stack.yml 
@@ -154,6 +154,16 @@ Resources: # If a bucket URL is specified, that means the template exists. - 'kms:Decrypt' Resource: - !Ref ArtifactKeyARN + - Sid: DecryptTaggedKMSKey + Effect: 'Allow' + Action: + - 'kms:Decrypt' + Resource: + - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + Condition: + StringEquals: + 'aws:ResourceTag/copilot-application': !Sub '${AppName}' + 'aws:ResourceTag/copilot-environment': !Sub '${EnvName}' - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.stack.yml index 6ce47788520..5c35a60779b 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.stack.yml @@ -212,6 +212,16 @@ Resources: # If a bucket URL is specified, that means the template exists. - 'kms:Decrypt' Resource: - !Ref ArtifactKeyARN + - Sid: DecryptTaggedKMSKey + Effect: 'Allow' + Action: + - 'kms:Decrypt' + Resource: + - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + Condition: + StringEquals: + 'aws:ResourceTag/copilot-application': !Sub '${AppName}' + 'aws:ResourceTag/copilot-environment': !Sub '${EnvName}' - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.stack.yml index 6263177a018..d13ac25ef55 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.stack.yml 
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.stack.yml @@ -149,6 +149,16 @@ Resources: # If a bucket URL is specified, that means the template exists. - 'kms:Decrypt' Resource: - !Ref ArtifactKeyARN + - Sid: DecryptTaggedKMSKey + Effect: 'Allow' + Action: + - 'kms:Decrypt' + Resource: + - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + Condition: + StringEquals: + 'aws:ResourceTag/copilot-application': !Sub '${AppName}' + 'aws:ResourceTag/copilot-environment': !Sub '${EnvName}' - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.stack.yml index 287e183479a..e2329175704 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.stack.yml @@ -313,6 +313,16 @@ Resources: # If a bucket URL is specified, that means the template exists. - 'kms:Decrypt' Resource: - !Ref ArtifactKeyARN + - Sid: DecryptTaggedKMSKey + Effect: 'Allow' + Action: + - 'kms:Decrypt' + Resource: + - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + Condition: + StringEquals: + 'aws:ResourceTag/copilot-application': !Sub '${AppName}' + 'aws:ResourceTag/copilot-environment': !Sub '${EnvName}' - !If - HasEnvFile - PolicyName: !Join ['', [!Ref AppName, '-', !Ref EnvName, '-', !Ref WorkloadName, GetEnvFilePolicy]] diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.stack.yml index 5bb7172eb61..02215833848 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.stack.yml 
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.stack.yml @@ -157,6 +157,16 @@ Resources: # If a bucket URL is specified, that means the template exists. - 'kms:Decrypt' Resource: - !Ref ArtifactKeyARN + - Sid: DecryptTaggedKMSKey + Effect: 'Allow' + Action: + - 'kms:Decrypt' + Resource: + - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + Condition: + StringEquals: + 'aws:ResourceTag/copilot-application': !Sub '${AppName}' + 'aws:ResourceTag/copilot-environment': !Sub '${EnvName}' - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.stack.yml index be7f5176d36..2f0db80eee8 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.stack.yml @@ -155,6 +155,16 @@ Resources: # If a bucket URL is specified, that means the template exists. - 'kms:Decrypt' Resource: - !Ref ArtifactKeyARN + - Sid: DecryptTaggedKMSKey + Effect: 'Allow' + Action: + - 'kms:Decrypt' + Resource: + - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + Condition: + StringEquals: + 'aws:ResourceTag/copilot-application': !Sub '${AppName}' + 'aws:ResourceTag/copilot-environment': !Sub '${EnvName}' - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.stack.yml index 93dea51c69e..3388d5f1f18 100644 
--- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.stack.yml @@ -146,6 +146,16 @@ Resources: # If a bucket URL is specified, that means the template exists. - 'kms:Decrypt' Resource: - !Ref ArtifactKeyARN + - Sid: DecryptTaggedKMSKey + Effect: 'Allow' + Action: + - 'kms:Decrypt' + Resource: + - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + Condition: + StringEquals: + 'aws:ResourceTag/copilot-application': !Sub '${AppName}' + 'aws:ResourceTag/copilot-environment': !Sub '${EnvName}' - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml index 93b4a61f9f9..4e850e78cc9 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml @@ -255,6 +255,16 @@ Resources: - 'kms:Decrypt' Resource: - !Ref ArtifactKeyARN + - Sid: DecryptTaggedKMSKey + Effect: 'Allow' + Action: + - 'kms:Decrypt' + Resource: + - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + Condition: + StringEquals: + 'aws:ResourceTag/copilot-application': !Sub '${AppName}' + 'aws:ResourceTag/copilot-environment': !Sub '${EnvName}' - !If - HasEnvFile - PolicyName: !Join ['', [!Ref AppName, '-', !Ref EnvName, '-', !Ref WorkloadName, GetEnvFilePolicy]] diff --git a/internal/pkg/template/templates/workloads/partials/cf/executionrole.yml b/internal/pkg/template/templates/workloads/partials/cf/executionrole.yml index e0f25772c1a..6fba9c5eb8a 100644 --- a/internal/pkg/template/templates/workloads/partials/cf/executionrole.yml 
+++ b/internal/pkg/template/templates/workloads/partials/cf/executionrole.yml @@ -41,6 +41,16 @@ ExecutionRole: - 'kms:Decrypt' Resource: - !Ref ArtifactKeyARN + - Sid: DecryptTaggedKMSKey + Effect: 'Allow' + Action: + - 'kms:Decrypt' + Resource: + - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + Condition: + StringEquals: + 'aws:ResourceTag/copilot-application': !Sub '${AppName}' + 'aws:ResourceTag/copilot-environment': !Sub '${EnvName}' # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam # Example EnvFileARN: arn:aws:s3:::stackset-demo-infrastruc-pipelinebuiltartifactbuc-11dj7ctf52wyf/manual/1638391936/env diff --git a/internal/pkg/template/templates/workloads/partials/cf/instancerole.yml b/internal/pkg/template/templates/workloads/partials/cf/instancerole.yml index 8d6342822b5..0974fa458ae 100644 --- a/internal/pkg/template/templates/workloads/partials/cf/instancerole.yml +++ b/internal/pkg/template/templates/workloads/partials/cf/instancerole.yml @@ -58,6 +58,16 @@ InstanceRole: - 'kms:Decrypt' Resource: - !Ref ArtifactKeyARN + - Sid: DecryptTaggedKMSKey + Effect: 'Allow' + Action: + - 'kms:Decrypt' + Resource: + - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + Condition: + StringEquals: + 'aws:ResourceTag/copilot-application': !Sub '${AppName}' + 'aws:ResourceTag/copilot-environment': !Sub '${EnvName}' {{- end }} {{- if .Publish }} {{- if .Publish.Topics }}
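Review bot: The `DecryptTaggedKMSKey` statement in the ExecutionRole hunk is an ABAC grant over `key/*`, so its effective scope is decided by whoever can set the `copilot-application`/`copilot-environment` tags on KMS keys, not by this template — any principal with `kms:TagResource` (or creating a key with those tags) can make further keys decryptable by every execution role in that app/env, and the commit does not document that trade-off. I would add above the `Sid` a comment such as `# Tag-scoped decrypt (ABAC): any key in this account/region tagged with this app+env becomes decryptable by this role, so tag-write on KMS widens this grant; the key policy must also delegate to IAM for it to take effect.` — the last clause matters because an IAM allow alone is not sufficient for KMS. As a minor style point, `!Sub '${AppName}'` and `!Sub '${EnvName}'` are plain `!Ref AppName` / `!Ref EnvName`, which is how the sibling `!Ref ArtifactKeyARN` statement is written. The enclosing ExecutionRole resource starts before this hunk.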
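Review bot: The same `DecryptTaggedKMSKey` statement is added to the InstanceRole partial, and the `{{- if .Publish }}` context suggests this is the role the workload itself runs under rather than a platform startup role — if so, the tag-scoped `kms:Decrypt` over `key/*` is reachable from application code, which is a broader exposure than the execution role and deserves a comment naming which encrypted resources it is meant to serve, e.g. `# Tag-scoped (ABAC) decrypt for keys tagged with this app+env; reachable from workload code — confirm this is intended for the runtime role`. As in the execution role, anyone with `kms:TagResource` can bring additional keys into scope, and the key policy must still delegate to IAM. `!Sub '${AppName}'` / `!Sub '${EnvName}'` can be `!Ref AppName` / `!Ref EnvName`. The enclosing InstanceRole definition starts before the hunk and the `{{- if .Publish }}` block continues past it.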