- Added unique key to CodeBuild IAM permissions policies

- Added topic cache for SNS topic policies to prevent duplicates.
waterbear-cloud · Apr 6, 2021 · a7229ff · a7229ff
1 parent bd5fe4f
commit a7229ff
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 5 deletions.
diff --git a/src/paco/cftemplates/iam_user_account_delegates.py b/src/paco/cftemplates/iam_user_account_delegates.py
@@ -263,7 +263,7 @@ def deployment_pipeline_codebuild_permissions(self, pipeline_list, assume_role_r
                         codebuild_arn = self.paco_ctx.get_ref(action.paco_ref+'.project.arn')
                         readonly_arn_list.append(codebuild_arn)
         if len(readonly_arn_list) > 0:
-            self.set_codebuild_permissions(readonly_arn_list, assume_role_res)
+            self.set_codebuild_permissions(readonly_arn_list, assume_role_res, 'DeploymentPipeline')
 
     def init_codebuild_permission(self, permission_config, assume_role_res):
         """CodeBuild Web Console Permissions"""
@@ -287,9 +287,9 @@ def init_codebuild_permission(self, permission_config, assume_role_res):
                 if codebuild_arn not in readonly_codebuild_arns:
                     readonly_codebuild_arns.append(codebuild_arn)
 
-        self.set_codebuild_permissions(readonly_codebuild_arns, assume_role_res)
+        self.set_codebuild_permissions(readonly_codebuild_arns, assume_role_res, 'CodeBuild')
 
-    def set_codebuild_permissions(self, readonly_codebuild_arns, assume_role_res):
+    def set_codebuild_permissions(self, readonly_codebuild_arns, assume_role_res, policy_id):
         statement_list = []
         readonly_codebuild_actions = [
             Action('codebuild', 'BatchGet*'),
@@ -312,7 +312,7 @@ def set_codebuild_permissions(self, readonly_codebuild_arns, assume_role_res):
             )
 
         managed_policy_res = troposphere.iam.ManagedPolicy(
-            title=self.create_cfn_logical_id("CodeBuildPolicy"),
+            title=self.create_cfn_logical_id_join([policy_id, "CodeBuildPolicy"]),
             PolicyDocument=PolicyDocument(
                 Version="2012-10-17",
                 Statement=statement_list

diff --git a/src/paco/cftemplates/snstopics.py b/src/paco/cftemplates/snstopics.py
@@ -57,6 +57,7 @@ def __init__(
 
         # Topic Resources and Outputs
         topics_ref_cross_list = []
+        topic_policy_cache = []
         for topic in topics:
             if not topic.is_enabled():
                 continue
@@ -112,9 +113,12 @@ def __init__(
                     account.account_id for account in self.paco_ctx.project.accounts.values()
                 ]
                 for account_id in account_id_list:
+                    if account_id in topic_policy_cache:
+                        continue
+                    topic_policy_cache.append(account_id)
                     statement = Statement(
                         Effect = Allow,
-                        Sid = self.create_cfn_logical_id(account_id),
+                        Sid = self.create_cfn_logical_id_join(account_id),
                         Principal = Principal("AWS", f'arn:aws:iam::{account_id}:root'),
                         Action = [ awacs.sns.Publish, awacs.sns.Subscribe ],
                         Resource = [ troposphere.Ref(topic_resource) ],