@devramps/cli 0.1.15 → 0.1.17
- package/dist/index.js +48 -2
- package/package.json +1 -1
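--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -2030,7 +2030,8 @@ function buildOrgRolePolicies(orgSlug) {
 Action: [
 "kms:Encrypt",
 "kms:Decrypt",
-"kms:GenerateDataKey*"
+"kms:GenerateDataKey*",
+"kms:DescribeKey"
 ],
 Resource: "*",
 Condition: {
@@ -2064,9 +2065,35 @@ function buildOrgRolePolicies(orgSlug) {
 "ecr:PutImage",
 "ecr:InitiateLayerUpload",
 "ecr:UploadLayerPart",
-"ecr:CompleteLayerUpload"
+"ecr:CompleteLayerUpload",
+"ecr:DescribeRepositories"
 ],
 Resource: "*"
+},
+{
+Sid: "AllowS3ArtifactBuckets",
+Effect: "Allow",
+Action: [
+"s3:ListBucket",
+"s3:GetBucketLocation"
+],
+Resource: "*"
+},
+{
+Sid: "AllowSecretsManagerOperations",
+Effect: "Allow",
+Action: [
+"secretsmanager:CreateSecret",
+"secretsmanager:GetSecretValue",
+"secretsmanager:PutSecretValue",
+"secretsmanager:UpdateSecret",
+"secretsmanager:DeleteSecret",
+"secretsmanager:DescribeSecret",
+"secretsmanager:TagResource"
+],
+Resource: {
+"Fn::Sub": "arn:aws:secretsmanager:*:${AWS::AccountId}:secret:devramps/*"
+}
 }
 ]
 }
@@ -2442,6 +2469,25 @@ function buildStageTrustPolicy(accountId, orgSlug, pipelineSlug, oidcProviderUrl
 }
 function buildStagePolicies(steps, additionalPolicies) {
 const policies = [];
+policies.push({
+PolicyName: "DevRampsValidationPolicy",
+PolicyDocument: {
+Version: "2012-10-17",
+Statement: [
+{
+Sid: "AllowResourceValidation",
+Effect: "Allow",
+Action: [
+"ecr:DescribeRepositories",
+"s3:ListBucket",
+"s3:GetBucketLocation",
+"cloudwatch:DescribeAlarms"
+],
+Resource: "*"
+}
+]
+}
+});
 for (const step of steps) {
 if (!hasPermissions(step.type)) {
 continue;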
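Review bot: The new `AllowS3ArtifactBuckets` statement in the second hunk grants `s3:ListBucket` and `s3:GetBucketLocation` on `Resource: "*"`, so despite its Sid it lets the role enumerate object keys in any bucket in the account rather than only artifact buckets. The third hunk repeats both actions on `"*"` in `DevRampsValidationPolicy`, which is pushed before the `for (const step of steps)` loop and therefore attaches to every stage role regardless of step type. If the artifact buckets follow a naming convention (none is visible here), scope both statements to it, e.g. `Resource: { "Fn::Sub": "arn:aws:s3:::<ARTIFACT_BUCKET_PREFIX>*" }` with the placeholder replaced by the real prefix. The `AllowSecretsManagerOperations` resource `secret:devramps/*` is prefix-scoped but does not include the `orgSlug` that `buildOrgRolePolicies` receives, so two orgs set up in one account could apparently read, overwrite and delete each other's secrets; adding the slug as a path segment would separate them. Both functions begin and end outside the hunks shown, so conditions applied elsewhere are not visible from here.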