Addressed comments on #625
- Renamed DecodeSSMParameterPolicy to SSMParameterReadPolicy
- Removed DecodeSSMParameterCustomKeyPolicy
RobRoseKnows committed Jan 30, 2019
1 parent e89a714 commit 8eedad6
Showing 5 changed files with 3 additions and 235 deletions.
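--- a/samtranslator/policy_templates_data/policy_templates.json
+++ b/samtranslator/policy_templates_data/policy_templates.json
@@ -1525,8 +1525,8 @@
 ]
 }
 },
-"DecodeSSMParameterPolicy": {
-"Description": "Gives access to SSM key and parameter to load secrets in this account.",
+"SSMParameterReadPolicy": {
+"Description": "Gives access to a parameter to load secrets in this account. If not using default key, KMSDecryptPolicy will also be needed.",
 "Parameters": {
 "ParameterName": {
 "Description":"The name of the secret stored in SSM in your account."
@@ -1557,72 +1557,6 @@
 }
 ]
 }
-},
-{
-"Effect": "Allow",
-"Action": [
-"kms:Decrypt"
-],
-"Resource": {
-"Fn::Sub": [
-"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:alias/aws/ssm"
-]
-}
-}
-]
-}
-},
-"DecodeSSMParameterCustomKeyPolicy": {
-"Description": "Gives access to decoding a SSM Parameters store using non-default key.",
-"Parameters": {
-"ParameterName": {
-"Description": "The name of the secret stored in SSM in your account."
-},
-"KeyId": {
-"Description": "ID of the KMS Key"
-}
-},
-"Definition": {
-"Statement": [
-{
-"Effect": "Allow",
-"Action": [
-"ssm:DescribeParameters"
-],
-"Resource": "*"
-},
-{
-"Effect": "Allow",
-"Action": [
-"ssm:GetParameters",
-"ssm:GetParameter"
-],
-"Resource": {
-"Fn::Sub": [
-"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}",
-{
-"parameterName": {
-"Ref": "ParameterName"
-}
-}
-]
-}
-},
-{
-"Effect": "Allow",
-"Action": [
-"kms:Decrypt"
-],
-"Resource": {
-"Fn::Sub": [
-"arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
-{
-"keyId": {
-"Ref": "KeyId"
-}
-}
-]
-}
 }
 ]
 }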
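Review bot: The new Description on `SSMParameterReadPolicy` says "default key" without naming it, so a reader cannot tell when the extra policy is needed; the statement removed in the second hunk shows that the key meant is `alias/aws/ssm`, and the requirement only matters for encrypted parameters. I would spell that out, e.g. `"Description": "Gives access to a parameter to load secrets in this account. If the parameter is encrypted with a key other than the default aws/ssm key, KMSDecryptPolicy will also be needed."`. The removed `DecodeSSMParameterCustomKeyPolicy` limited `kms:Decrypt` to a single `KeyId`, so it is worth adding that the replacement grant should name that one key rather than something wider. The statements of the retained policy lie between the two hunks and are not visible here; if it still grants `ssm:DescribeParameters` on `"*"` as the removed template did, every parameter name in the account can be listed by the function, which should be confirmed as intended.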
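--- a/tests/translator/input/all_policy_templates.yaml
+++ b/tests/translator/input/all_policy_templates.yaml
@@ -141,9 +141,5 @@ Resources:
 - FilterLogEventsPolicy:
 LogGroupName: name
 
-- DecodeSSMParameterPolicy:
+- SSMParameterReadPolicy:
 ParameterName: name
-
-- DecodeSSMParameterCustomKeyPolicy:
-ParameterName: name
-KeyId: id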
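--- a/tests/translator/output/all_policy_templates.json
+++ b/tests/translator/output/all_policy_templates.json
@@ -1210,60 +1210,6 @@
 }
 ]
 }
-},
-{
-"Effect": "Allow",
-"Action": [
-"kms:Decrypt"
-],
-"Resource": {
-"Fn::Sub": [
-"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:alias/aws/ssm"
-]
-}
-}
-]
-}
-},
-{
-"PolicyName": "KitchenSinkFunctionRolePolicy49",
-"PolicyDocument": {
-"Statement": [
-{
-"Effect": "Allow",
-"Action": [
-"ssm:DescribeParameters"
-],
-"Resource": "*"
-},
-{
-"Effect": "Allow",
-"Action": [
-"ssm:GetParameters",
-"ssm:GetParameter"
-],
-"Resource": {
-"Fn::Sub": [
-"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}",
-{
-"parameterName": "name"
-}
-]
-}
-},
-{
-"Effect": "Allow",
-"Action": [
-"kms:Decrypt"
-],
-"Resource": {
-"Fn::Sub": [
-"arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
-{
-"keyId": "id"
-}
-]
-}
 }
 ]
 }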
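--- a/tests/translator/output/aws-cn/all_policy_templates.json
+++ b/tests/translator/output/aws-cn/all_policy_templates.json
@@ -1209,60 +1209,6 @@
 }
 ]
 }
-},
-{
-"Effect": "Allow",
-"Action": [
-"kms:Decrypt"
-],
-"Resource": {
-"Fn::Sub": [
-"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:alias/aws/ssm"
-]
-}
-}
-]
-}
-},
-{
-"PolicyName": "KitchenSinkFunctionRolePolicy49",
-"PolicyDocument": {
-"Statement": [
-{
-"Effect": "Allow",
-"Action": [
-"ssm:DescribeParameters"
-],
-"Resource": "*"
-},
-{
-"Effect": "Allow",
-"Action": [
-"ssm:GetParameters",
-"ssm:GetParameter"
-],
-"Resource": {
-"Fn::Sub": [
-"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}",
-{
-"parameterName": "name"
-}
-]
-}
-},
-{
-"Effect": "Allow",
-"Action": [
-"kms:Decrypt"
-],
-"Resource": {
-"Fn::Sub": [
-"arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
-{
-"keyId": "id"
-}
-]
-}
 }
 ]
 }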
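--- a/tests/translator/output/aws-us-gov/all_policy_templates.json
+++ b/tests/translator/output/aws-us-gov/all_policy_templates.json
@@ -1210,60 +1210,6 @@
 }
 ]
 }
-},
-{
-"Effect": "Allow",
-"Action": [
-"kms:Decrypt"
-],
-"Resource": {
-"Fn::Sub": [
-"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:alias/aws/ssm"
-]
-}
-}
-]
-}
-},
-{
-"PolicyName": "KitchenSinkFunctionRolePolicy49",
-"PolicyDocument": {
-"Statement": [
-{
-"Effect": "Allow",
-"Action": [
-"ssm:DescribeParameters"
-],
-"Resource": "*"
-},
-{
-"Effect": "Allow",
-"Action": [
-"ssm:GetParameters",
-"ssm:GetParameter"
-],
-"Resource": {
-"Fn::Sub": [
-"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}",
-{
-"parameterName": "name"
-}
-]
-}
-},
-{
-"Effect": "Allow",
-"Action": [
-"kms:Decrypt"
-],
-"Resource": {
-"Fn::Sub": [
-"arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
-{
-"keyId": "id"
-}
-]
-}
 }
 ]
 }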
