Add IAM Permissions Boundary support for environments

[petrkalos]

Summary

Adds the ability to configure an IAM Permissions Boundary policy on data.all environments. When set, the boundary is automatically applied to all IAM roles created by the environment, dataset, and pipeline CDK stacks — including roles auto-generated by CDK constructs (e.g. cr.Provider, BucketDeployment).

This is a common requirement for organizations that enforce permissions boundaries as part of their AWS account governance.

Changes

Backend

• GraphQL schema (input_types.py, types.py): Added PermissionsBoundaryPolicyArn as an optional string field to NewEnvironmentInput, ModifyEnvironmentInput, and the Environment type.
• DB model (environment_models.py): Added nullable PermissionsBoundaryPolicyArn column to the Environment model.
• Service (environment_service.py): Handles the new field on create and update. On update, the field is set when the key is present in the input (including empty string to clear it).
• CDK Aspect (permissions_boundary_aspect.py): New PermissionsBoundaryAspect class that walks the construct tree and adds PermissionsBoundary to every AWS::IAM::Role resource. Applied in:
  • environment_stack.py
  • dataset_stack.py
  • datapipelines_pipeline.py
• Migration (a4f8b2c1d3e5): Adds the PermissionsBoundaryPolicyArn column to the environment table.

Migration fix

• ba2da94739ab: Replaced ORM session.query(Environment) and session.query(DatasetBase) with raw SQL queries. The ORM model now includes the new column, which doesn't exist in the DB when this older migration runs — causing a ProgrammingError. Using raw SQL with only the needed columns avoids this.

Frontend

• getEnvironment.js: Added PermissionsBoundaryPolicyArn to the GraphQL query.
• EnvironmentCreateForm.js: Added optional text field in the Deployment card and included the value in the create mutation payload.
• EnvironmentEditForm.js: Added optional text field in the AWS Information card and included the value in the update mutation payload.
• EnvironmentConsoleAccess.js: Displays the boundary ARN in the AWS Information section on the environment details page (conditionally rendered when set).

Integration tests

• queries.py: Added PermissionsBoundaryPolicyArn to the ENV_TYPE fragment and as an optional parameter to create_environment.
• global_conftest.py: Passed the new parameter through the create_env context manager. session_env1 now creates with PermissionsBoundaryPolicyArn='arn:aws:iam::aws:policy/AdministratorAccess'.
• test_environment.py: Added test_env_permissions_boundary which asserts the boundary ARN is returned by the API and verifies the environment's default IAM role in AWS has the boundary attached.

How it works

1. User provides a pre-existing IAM policy ARN (the boundary) when creating or editing an environment.
2. The ARN is stored on the environment record.
3. On stack deployment, a CDK Aspect applies the boundary to every IAM role in the CloudFormation template.
4. Clearing the ARN (empty string) removes the Aspect, and the next deploy removes the boundary from roles.
5. Dataset and pipeline stacks read the boundary from their parent environment and apply the same Aspect.

Testing

• Verified environment creation with boundary via local docker-compose deployment
• Confirmed IAM roles in AWS have the PermissionsBoundary property set after stack deployment
• Migration tested against fresh and existing databases

Resolve #1233

[TejasRGitHub]

So when user has entered nothing , then in that case this will be '' ? ( empty string ) . If yes, wouldn't this pass empty string ''.

The reason I am thinking it will be '' is because of the code here = backend/dataall/core/environment/services/environment_service.py .. The model uses PermissionsBoundaryPolicyArn=data.get('PermissionsBoundaryPolicyArn', ''),

Please correct if I am wrong here

[petrkalos]

If the user pass an empty string '' the condition will evaluate to False and hence the boundary will be removed. Is that wrong?

[TejasRGitHub]

That is right. I actually wanted to allude to the possibility if the user enters ' ' ( blank space ) or 'arn:aws....' then in that case are we validating that the input is an ARN or that we are conditioning the string properly in the backend ?

[petrkalos]

• Empty string will mean no boundary (it will be removed if already set)
• Invalid arn will mean an async deployment failure indeed, we could validate the ARN pattern as we do elsewhere if you prefer

[TejasRGitHub]

Invalid arn will mean an async deployment failure indeed, we could validate the ARN pattern as we do elsewhere if you prefer

Anything is fine . I think if the stack fails on deployment then the ARN can be corrected by editing it worsecase

[TejasRGitHub]

Added one comment. Rest all looks good

[TejasRGitHub]

Deployment Notes

When updating an existing environment with a PermissionsBoundaryPolicyArn, the CloudFormation stack update failed because the cfn-exec role (cdk-hnb659fds-cfn-exec-role-<account>-<region>) was missing the following IAM permissions:

• iam:PutRolePermissionsBoundary
• iam:DeleteRolePermissionsBoundary

These must be added to the cfn-exec role policy for the permissions boundary feature to work. Without them, CloudFormation cannot attach or remove the boundary from IAM roles in the stack.

Additionally, if the permissions boundary policy ARN referenced by the environment is deleted (e.g., by automated IAM cleanup processes), the stack will enter UPDATE_ROLLBACK_FAILED state. Recovery requires continue-update-rollback with --resources-to-skip for the affected roles.

Tests Performed

#	Test	Status
1	Editing an existing environment with a permissions boundary	Fail ( Only able to make this successful after adding the permissions )
2	Checking if the environment roles were updated successfully with the permissions boundary	Fail ( Only able to make this successful after adding the permissions )
3	Checking if all datasets associated with the environment were attached a permissions boundary	Fail ( Only able to make this successful after adding the permissions )
4	Onboarding a new environment with a permissions boundary	Pass ( This passes the first time the stack is created but when editing that stack - by editing the permission boundary , etc - this stack fails due to missing permission above
5	Onboarding a new dataset with a permissions boundary	Fail - due to missing permissions

[petrkalos]

@TejasRGitHub

Deployment Notes

When updating an existing environment with a PermissionsBoundaryPolicyArn, the CloudFormation stack update failed because the cfn-exec role (cdk-hnb659fds-cfn-exec-role-<account>-<region>) was missing the following IAM permissions:

• iam:PutRolePermissionsBoundary
• iam:DeleteRolePermissionsBoundary

These must be added to the cfn-exec role policy for the permissions boundary feature to work. Without them, CloudFormation cannot attach or remove the boundary from IAM roles in the stack.

It probably pass my tests because I don't use the custom template. I pushed a commit with the fix.

Additionally, if the permissions boundary policy ARN referenced by the environment is deleted (e.g., by automated IAM cleanup processes), the stack will enter UPDATE_ROLLBACK_FAILED state. Recovery requires continue-update-rollback with --resources-to-skip for the affected roles.

I am not sure how to help with that. Do you have a way to instruct your scanners to leave the policy alone if it is used?

[TejasRGitHub]

Deployment Notes

When updating an existing environment with a PermissionsBoundaryPolicyArn, the CloudFormation stack update
Additionally, if the permissions boundary policy ARN referenced by the environment is deleted (e.g., by automated IAM cleanup processes), the stack will enter UPDATE_ROLLBACK_FAILED state. Recovery requires continue-update-rollback with --resources-to-skip for the affected roles.

I am not sure how to help with that. Do you have a way to instruct your scanners to leave the policy alone if it is used?

Hey @petrkalos , no need for any fix on that. Its just how I solved this issue when the stacks where in UPDATE_ROLLBACK_FAILED.

[TejasRGitHub]

LGTM

All tests passed with the new permissions

[anushka-singh]

LGTM!

[rbernotas]

LGTM