From 96333dc07dfab631cabfcd4bea56659d27c8d195 Mon Sep 17 00:00:00 2001
From: zender
Date: Wed, 14 Jan 2026 21:08:15 +0000
Subject: [PATCH 1/2] Grant read only access to eks for the view only policy
---
 .../lib/__init__.py | 2 +-
 .../lib/lib.py | 7 ++++++-
 .../lib/permissions.py | 4 ++--
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/__init__.py b/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/__init__.py
index e2851601..c3b87482 100644
--- a/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/__init__.py
+++ b/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/__init__.py
@@ -1,4 +1,4 @@
-from .lib import create_read_state_inline_policy
+from .lib import create_inline_view_only_policy
 from .permissions import EC2_SSO_PER_SET_CONTAINER
 from .permissions import LOW_RISK_ADMIN_PERM_SET_CONTAINER
 from .permissions import MANUAL_ARTIFACTS_UPLOAD_PERM_SET_CONTAINER
diff --git a/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/lib.py b/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/lib.py
index c34d80e7..faab269c 100644
--- a/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/lib.py
+++ b/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/lib.py
@@ -4,10 +4,15 @@ from pulumi_aws.iam import get_policy_document
-def create_read_state_inline_policy() -> str:
+def create_inline_view_only_policy() -> str:
 state_bucket_name = get_config_str("proj:backend_bucket_name")
 return get_policy_document(
 statements=[
+ GetPolicyDocumentStatementArgs(
+ effect="Allow",
+ actions=["eks:DescribeCluster", "eks:ListClusters"],
+ resources=["*"],
+ ),
 GetPolicyDocumentStatementArgs(
 effect="Allow",
 actions=["s3:GetObject", "s3:GetObjectVersion"],
diff --git a/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/permissions.py b/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/permissions.py
index 5aae2345..7f01a92c 100644
--- a/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/permissions.py
+++ b/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/permissions.py
@@ -14,7 +14,7 @@ from pydantic import BaseModel
 from pydantic import Field
-from .lib import create_read_state_inline_policy
+from .lib import create_inline_view_only_policy
 logger = logging.getLogger(__name__)
@@ -168,7 +168,7 @@ def create_manual_secrets_entry_inline_policy() -> str:
 # TODO: figure out how to add back in "AmazonAppStreamReadOnlyAccess", # look at the details of stack/fleet information to troubleshoot any issues
 # TODO: "CloudWatchEventsReadOnlyAccess", # see information about event rules and patterns
 ],
-inline_policy_callable=create_read_state_inline_policy,
+inline_policy_callable=create_inline_view_only_policy,
 )
 EC2_SSO_PER_SET_CONTAINER = AwsSsoPermissionSetContainer( # based on https://aws.amazon.com/blogs/security/how-to-enable-secure-seamless-single-sign-on-to-amazon-ec2-windows-instances-with-aws-sso/
From 644252dafd36d8ef47d1720f27fbfdd9ab275fd4 Mon Sep 17 00:00:00 2001
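Review bot: The new EKS statement in create_inline_view_only_policy carries no comment or Sid explaining why a policy that until this commit only read Pulumi state now also covers EKS, or what "view only" means there; a line such as `# Console/CLI discovery only: DescribeCluster/ListClusters return cluster metadata (endpoint, CA data), not Kubernetes API authorization, which EKS grants separately` above the added GetPolicyDocumentStatementArgs would keep the permission set's intent auditable. `eks:ListClusters` is not resource-scopable, so `resources=["*"]` is expected for it; whether DescribeCluster should be narrowed to cluster ARNs depends on how many accounts this permission set is provisioned into, which the hunk does not show. The renamed function also has no docstring; one sentence stating that it returns the JSON for the view-only permission set's inline policy, including the state-bucket read that follows, would help. The function body continues past the end of the hunk.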
From: zender
Date: Thu, 15 Jan 2026 16:01:47 +0000
Subject: [PATCH 2/2] update to latest
---
 .copier-answers.yml | 2 +-
 .github/actions/update-devcontainer-hash/action.yml | 3 ---
 .../.github/actions/check-skip-duplicates/action.yml | 11 +++++++----
 3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/.copier-answers.yml b/.copier-answers.yml
index ea7eafe9..e66d2832 100644
--- a/.copier-answers.yml
+++ b/.copier-answers.yml
@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: v0.0.92-5-gefbf643
+_commit: v0.0.92-7-g7c21006
 _src_path: gh:LabAutomationAndScreening/copier-base-template.git
 description: Managing Central Infrastructure of an AWS Organization
 install_claude_cli: false
diff --git a/.github/actions/update-devcontainer-hash/action.yml b/.github/actions/update-devcontainer-hash/action.yml
index 4e6d434c..148062b4 100644
--- a/.github/actions/update-devcontainer-hash/action.yml
+++ b/.github/actions/update-devcontainer-hash/action.yml
@@ -5,9 +5,6 @@ inputs:
 description: 'Branch to checkout and update'
 required: true
-permissions:
- contents: write
-
 outputs:
 new-sha:
 description: 'The SHA of the branch tip after update'
diff --git a/template/.github/actions/check-skip-duplicates/action.yml b/template/.github/actions/check-skip-duplicates/action.yml
index 1eb255d7..5638f11b 100644
--- a/template/.github/actions/check-skip-duplicates/action.yml
+++ b/template/.github/actions/check-skip-duplicates/action.yml
@@ -13,19 +13,22 @@ runs:
 id: check
 env:
 GH_TOKEN: ${{ github.token }}
+ REF_NAME: ${{ github.ref_name }}
+ REPO_NAME: ${{ github.repository }}
+ EVENT_NAME: ${{ github.event_name }}
 shell: bash
 run: |
 # For non-push events, always run
- if [ "${{ github.event_name }}" != "push" ]; then
+ if [ "$EVENT_NAME" != "push" ]; then
 echo "should_run=true" >> $GITHUB_OUTPUT
- echo "Event is ${{ github.event_name }}, will run CI"
+ echo "Event is $EVENT_NAME, will run CI"
 exit 0
 fi
 # For push events, check if there's an open PR for this branch
 pr_json=$(gh pr list \
- --repo "${{ github.repository }}" \
- --head "${{ github.ref_name }}" \
+ --repo "$REPO_NAME" \
+ --head "$REF_NAME" \
 --state open \
 --json number \
 --limit 1)
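Review bot: The context line `echo "should_run=true" >> $GITHUB_OUTPUT` leaves `$GITHUB_OUTPUT` unquoted while every expansion the hunk touches is now quoted; for consistency with the hardening being done here it should read `echo "should_run=true" >> "$GITHUB_OUTPUT"`. Nothing in the hunk records why github.ref_name, github.repository and github.event_name are routed through `env:` instead of being expanded inline, so a later edit could reintroduce `${{ }}` inside `run:` without noticing the regression; a comment on the `env:` block such as `# Pass workflow context through env vars so its values are never expanded into the script text` would document the intent. The step definition begins before the hunk.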