
Manually create service linked roles #43824

Merged
merged 3 commits into from
Dec 1, 2021
Merged

Conversation

cat5inthecradle
Copy link
Contributor

@cat5inthecradle cat5inthecradle commented Nov 29, 2021

This unblocks #43755 for INF-506

These roles would normally be created automatically the first time you create a Lambda@Edge implementation, but rather than giving CloudFormationService the permissions necessary to create them, we will create them explicitly here.

Lambda@Edge Permissions: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-permissions.html

More: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-permissions.html

Service Linked Roles for Lambda@Edge: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-permissions.html#using-service-linked-roles

Rather than using the CLI to create them, we're using cloudformation.

Links

  • jira ticket: INF-506

Testing story

$ export AWS_PROFILE=codeorg-admin
$ bin/aws_access
$ bundle exec rake stack:iam:validate RAILS_ENV=production ADMIN=1

Pending update for stack `IAM`:
Add CloudfrontLoggerRole [AWS::IAM::ServiceLinkedRole]
Add LambdaReplicatorRole [AWS::IAM::ServiceLinkedRole]

Deployment strategy

$ export AWS_PROFILE=codeorg-admin
$ bin/aws_access
AWS access: GoogleSignInAdmin/suresh@code.org
$ bundle exec rake stack:iam:start RAILS_ENV=production ADMIN=1

Stack update requested, waiting for provisioning to complete...
2021-11-29 21:42:08 UTC- IAM [UPDATE_IN_PROGRESS]: User Initiated
.2021-11-29 21:42:15 UTC- CloudfrontLoggerRole [CREATE_IN_PROGRESS]
.2021-11-29 21:42:15 UTC- LambdaReplicatorRole [CREATE_IN_PROGRESS]
2021-11-29 21:42:17 UTC- LambdaReplicatorRole [CREATE_IN_PROGRESS]: Resource creation Initiated
2021-11-29 21:42:18 UTC- LambdaReplicatorRole [CREATE_COMPLETE]
2021-11-29 21:42:18 UTC- CloudfrontLoggerRole [CREATE_IN_PROGRESS]: Resource creation Initiated
2021-11-29 21:42:18 UTC- CloudfrontLoggerRole [CREATE_COMPLETE]
.2021-11-29 21:42:21 UTC- IAM [UPDATE_COMPLETE_CLEANUP_IN_PROGRESS]

Stack update complete.

Follow-up work

Privacy

Security

Caching

PR Checklist:

  • Tests provide adequate coverage
  • Privacy and Security impacts have been assessed
  • Code is well-commented
  • New features are translatable or updates will not break translations
  • Relevant documentation has been added or updated
  • User impact is well-understood and desirable
  • Pull Request is labeled appropriately
  • Follow-up work items (including potential tech debt) are tracked and linked

@cat5inthecradle cat5inthecradle changed the base branch from staging-next to staging November 29, 2021 21:26
@sureshc sureshc requested review from a team and jmkulwik November 29, 2021 21:44
@cat5inthecradle cat5inthecradle merged commit c4e1d14 into staging Dec 1, 2021
@cat5inthecradle cat5inthecradle deleted the service-linked-roles branch December 1, 2021 17:12
snickell pushed a commit that referenced this pull request Feb 3, 2024