Release/0.0.24 (#22)

Topic Policy was being clobbered
awslabs · Apr 29, 2019 · c95b38a · c95b38a
1 parent 3491a2b
commit c95b38a
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 44 deletions.
diff --git a/servicecatalog_puppet/servicecatalog-puppet.template.yaml b/servicecatalog_puppet/servicecatalog-puppet.template.yaml
@@ -13,7 +13,6 @@ Parameters:
     Default: "None"
 
 Conditions:
-  ShouldNotUseOrgs: !Equals [ !Ref OrgIamRoleArn, None ]
   ShouldUseOrgs: !Not [!Equals [!Ref OrgIamRoleArn, None]]
 
 Resources:
@@ -220,38 +219,10 @@ Resources:
               OutputArtifacts:
                 - Name: Deploy
 
-  GenerateRoleForOrg:
+  GenerateRole:
     Type: AWS::IAM::Role
-    Condition: ShouldUseOrgs
     Properties:
-      RoleName: PuppetGenerateProjectRole
-      Path: /servicecatalog-puppet/
-      Policies:
-        - PolicyName: Org
-          PolicyDocument:
-            Version: 2012-10-17
-            Statement:
-              - Effect: Allow
-                Action:
-                  - sts:AssumeRole
-                Resource: !Ref OrgIamRoleArn
-      AssumeRolePolicyDocument:
-        Version: "2012-10-17"
-        Statement:
-          - Effect: "Allow"
-            Principal:
-              Service:
-                - "codebuild.amazonaws.com"
-            Action:
-              - "sts:AssumeRole"
-      ManagedPolicyArns:
-        - arn:aws:iam::aws:policy/AdministratorAccess
-
-  GenerateRoleNotForOrg:
-    Type: AWS::IAM::Role
-    Condition: ShouldNotUseOrgs
-    Properties:
-      RoleName: PuppetGenerateProjectRole
+      RoleName: PuppetGenerateRole
       Path: /servicecatalog-puppet/
       AssumeRolePolicyDocument:
         Version: "2012-10-17"
@@ -264,6 +235,18 @@ Resources:
               - "sts:AssumeRole"
       ManagedPolicyArns:
         - arn:aws:iam::aws:policy/AdministratorAccess
+      Policies:
+        - !If
+          - ShouldUseOrgs
+          - PolicyName: Org
+            PolicyDocument:
+              Version: 2012-10-17
+              Statement:
+                - Effect: Allow
+                  Action:
+                    - sts:AssumeRole
+                  Resource: !Ref OrgIamRoleArn
+          - !Ref AWS::NoValue
 
   DeployRole:
     Type: AWS::IAM::Role
@@ -288,7 +271,7 @@ Resources:
     Properties:
       Name: servicecatalog-puppet-generate
       Description: "builds out the products to be deployed"
-      ServiceRole: !If [ShouldUseOrgs, !GetAtt GenerateRoleForOrg.Arn, !GetAtt GenerateRoleNotForOrg.Arn]
+      ServiceRole: !GetAtt GenerateRole.Arn
       Artifacts:
         Type: CODEPIPELINE
       Environment:
@@ -354,7 +337,7 @@ Resources:
     Properties:
       Name: servicecatalog-puppet-single-account-run
       Description: "Runs puppet for a single account - SINGLE_ACCOUNT_ID"
-      ServiceRole: !If [ShouldUseOrgs, !GetAtt GenerateRoleForOrg.Arn, !GetAtt GenerateRoleNotForOrg.Arn]
+      ServiceRole: !GetAtt GenerateRole.Arn
       Artifacts:
         Type: NO_ARTIFACTS
       Environment:

diff --git a/servicecatalog_puppet/templates/shares.template.yaml.j2 b/servicecatalog_puppet/templates/shares.template.yaml.j2
@@ -98,9 +98,7 @@ Resources:
       Timeout: 30
 
 
-{% for account_id, portfolios in portfolio_use_by_account.items() %}
-  {% if account_id != host_account_id %}
-  TopicPolicyFor{{ account_id }}:
+  TopicPolicies:
     Type: AWS::SNS::TopicPolicy
     Condition: RunningInHomeRegion
     Properties:
@@ -109,28 +107,30 @@ Resources:
       PolicyDocument:
         Id: MyTopicPolicy
         Version: '2012-10-17'
-        Statement:
+        Statement: {% for account_id, portfolios in portfolio_use_by_account.items() %} {% if account_id != host_account_id %}
           - Sid: "{{ account_id }}"
             Effect: Allow
             Principal:
-              AWS: "{{ account_id }}"
+              AWS: !Sub "arn:aws:iam::{{ account_id }}:root"
             Action: sns:Publish
-            Resource: "*"
+            Resource: "*"{% endif %}{% endfor %}
+
 
-  BucketPolicyFor{{ account_id }}:
+  BucketPolicies:
     Type: AWS::S3::BucketPolicy
     Properties:
       Bucket: !Sub "sc-factory-artifacts-${AWS::AccountId}-${AWS::Region}"
       PolicyDocument:
-        Statement:
+        Statement:{% for account_id, portfolios in portfolio_use_by_account.items() %} {% if account_id != host_account_id %}
           - Action:
               - "s3:GetObject"
             Effect: "Allow"
             Resource: !Sub "arn:aws:s3:::sc-factory-artifacts-${AWS::AccountId}-${AWS::Region}/*"
             Principal:
-              AWS: "arn:aws:iam::{{ account_id }}:root"
-  {% endif %}
+              AWS: "arn:aws:iam::{{ account_id }}:root"{% endif %}{% endfor %}
 
+
+{% for account_id, portfolios in portfolio_use_by_account.items() %}
 {% for portfolio in portfolios %}
 {% if account_id != host_account_id %}
 

diff --git a/setup.py b/setup.py
@@ -11,7 +11,7 @@
 
 setuptools.setup(
     name="aws-service-catalog-puppet",
-    version="0.0.23",
+    version="0.0.24",
     author="Eamonn Faherty",
     author_email="aws-service-catalog-tools@amazon.com",
     description="Making it easier to deploy ServiceCatalog products",