Restrict custom topic policy

[nightfury1204]

What is the feature/fix?

https://app.asana.com/0/1203637156732418/1205889617139979/f

Add screenshot or video (optional)

** Any screenshot or video capture using the feature **

Does it has a breaking change?

** Describe the changes and if it has any breaking changes in any feature **

How to use/test it?

** Describe how to test or use the feature **

Checklist

• New coverage tests
• Unit tests passing
• E2E tests passing
• E2E downgrade/update test passing
• Documentation updated
• No warnings or errors on Deepsource/Codecov

[bladealslayer]

@nightfury1204 I think there's an iam:PassRole permission missing now from the policy. I'm seeing errors related to this when attempting to deploy a gen1 app with the latest rack release 20231121152130. In CloudFormation:

Received response status [FAILED] from custom resource. Message returned: AccessDeniedException: User: arn:aws:sts::[redacted]:assumed-role/[redacted]-CustomTopicRole-1FK37CAL8VRBO/[redacted]-CustomTopic-R3Y3A4T9SXC4 is not authorized to perform: iam:PassRole on resource: arn:aws:iam::[redacted]:role/convox/[redacted]-SecureEnvironmentRole-161UTGWG8MIY4 because no identity-based policy allows the iam:PassRole action status code: 400

[ntner]

Hey @bladealslayer how are you attempting to deploy this gen1 app? Is there a reason why you're still running on this depreciated generation?

[bladealslayer]

@ntner Just a normal convox deploy to an existing app, not setting up a new one. I'm planning to upgrade, but in the meantime, gen1 is still supported (albeit deprecated), so it should keep working. gen1 still has some advantages, like support for TCP services and the classic ELB allowing to route any hostname pointed to it, while the newer ALB requires setting up all hostnames explicitly and there's a limit. Applications that rely on that need some work to migrate.