Fix resource untagging permissions (#635)

* Fix CodeCommit repo untagging **Why?** The ADF Automation Role will need the CodeCommit:UntagResource permission when you change the tags that should be applied to a CodeCommit repository. * Allow CodePipeline, SNS, and Organizations to Untag too **Why?** When changing an organization wide tag, it would fail to update the stack due to this missing permission..
awslabs · Jul 20, 2023 · 1ca7739 · 1ca7739
1 parent 91dffba
commit 1ca7739
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 0 deletions.
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
@@ -614,6 +614,7 @@ Resources:
               - "codecommit:PutRepositoryTriggers"
               - "codecommit:GetRepository"
               - "codecommit:TagResource"
+              - "codecommit:UntagResource"
             Resource:
               - "*"
           - Effect: Allow

diff --git a/...base/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml b/...base/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml
@@ -796,6 +796,7 @@ Resources:
                   - "codepipeline:RegisterWebhookWithThirdParty"
                   - "codepipeline:StartPipelineExecution"
                   - "codepipeline:TagResource"
+                  - "codepipeline:UntagResource"
                   - "codepipeline:UpdatePipeline"
                 Resource:
                   - !Sub arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:webhook:adf-webhook-*
@@ -817,6 +818,7 @@ Resources:
                   - "sns:SetTopicAttributes"
                   - "sns:GetTopicAttributes"
                   - "sns:TagResource"
+                  - "sns:UntagResource"
                   - "sns:ListSubscriptionsByTopic"
                 Resource:
                   - !Sub arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${PipelinePrefix}*

diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/global.yml
@@ -301,6 +301,7 @@ Resources:
               - "codecommit:PutRepositoryTriggers"
               - "codecommit:GetRepository"
               - "codecommit:TagResource"
+              - "codecommit:UntagResource"
             Resource:
               - "*"
           - Effect: Allow

diff --git a/src/template.yml b/src/template.yml
@@ -402,6 +402,7 @@ Resources:
               - Effect: Allow
                 Action:
                   - "organizations:TagResource"
+                  - "organizations:UntagResource"
                 Resource: "*"
 
   AccountTagConfigFunction: