"CreateStack" permission is not necessary

Open eladb opened this issue 4 years ago • 5 comments

In restricted environments, in which only ChangeSet-based creation of stacks is possible, it is impossible to use this action.

Our use case is as follows: we configure the job (using aws-actions/configure-aws-credentials) to assume an IAM role which will execute the CloudFormation deployment action. This role only has Change/ExecuteChangeSet IAM permissions.

This works for updating stacks, but for new stacks, aws-cloudformation-github-deploy action will use CreateStack, which will fail in our case.

I think it should be possible to use CreateChangeSet with ChangeSetType set to CREATE in case the stack does not exist. This will keep the same behavior while requiring a less privileged role.

See example here

If this sounds good, I am happy to contribute of course.

eladb avatar Jun 17 '21 22:06 eladb
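The flow proposed in the issue, as an added example that is not the action's own code: decide the ChangeSetType from DescribeStacks (CREATE when the stack is missing or was left in REVIEW_IN_PROGRESS by an unexecuted CREATE change set, UPDATE otherwise), create the change set, wait for it, and execute it, so CreateStack is never called. The SDK client is injected as an object whose method names match the AWS SDK v3 CloudFormation client; the FakeCloudFormation class, the `allowedActions` role model, the stack names and the templates are all constructed here so the example runs offline.

```javascript
// Added example: CloudFormation deploy using only change-set operations.
// `cfn` is any object with describeStacks/createChangeSet/describeChangeSet/
// executeChangeSet returning promises (SDK v3 operation names).
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// A missing stack surfaces as a ValidationError whose message says "does not exist".
// A stack in REVIEW_IN_PROGRESS only exists because of an unexecuted CREATE change
// set, so it still needs a CREATE change set, not an UPDATE one.
async function changeSetTypeFor(cfn, stackName) {
  let stacks;
  try {
    ({ Stacks: stacks } = await cfn.describeStacks({ StackName: stackName }));
  } catch (err) {
    if (err.name === 'ValidationError' && /does not exist/.test(err.message)) return 'CREATE';
    throw err;
  }
  return stacks[0].StackStatus === 'REVIEW_IN_PROGRESS' ? 'CREATE' : 'UPDATE';
}

// Poll until the change set is computed. An UPDATE change set with nothing to do
// ends in FAILED with a "didn't contain changes" reason: treat that as a no-op.
async function waitForChangeSet(cfn, stackName, changeSetName, pollIntervalMs) {
  for (;;) {
    const cs = await cfn.describeChangeSet({ StackName: stackName, ChangeSetName: changeSetName });
    if (cs.Status === 'CREATE_COMPLETE') return 'READY';
    if (cs.Status === 'FAILED') {
      const reason = cs.StatusReason || '';
      if (/didn't contain changes|No updates are to be performed/.test(reason)) return 'NO_CHANGES';
      throw new Error(`change set ${changeSetName} failed: ${reason}`);
    }
    await sleep(pollIntervalMs);
  }
}

async function deployViaChangeSet(cfn, { stackName, templateBody, parameters = [], capabilities = [],
  changeSetName = `deploy-${Date.now()}`, pollIntervalMs = 5000 }) {
  const changeSetType = await changeSetTypeFor(cfn, stackName);
  await cfn.createChangeSet({ StackName: stackName, ChangeSetName: changeSetName, ChangeSetType: changeSetType,
    TemplateBody: templateBody, Parameters: parameters, Capabilities: capabilities });
  const outcome = await waitForChangeSet(cfn, stackName, changeSetName, pollIntervalMs);
  if (outcome === 'NO_CHANGES') return { changeSetType, executed: false };
  await cfn.executeChangeSet({ StackName: stackName, ChangeSetName: changeSetName });
  return { changeSetType, executed: true };
}

// Constructed in-memory stand-in for the SDK client. `allowedActions` models the
// assumed role's IAM policy: anything else is rejected like an AccessDeniedException.
class FakeCloudFormation {
  constructor(allowedActions) {
    this.allowed = new Set(allowedActions);
    this.stacks = new Map();     // StackName -> { StackStatus, template }
    this.changeSets = new Map(); // ChangeSetName -> { StackName, ChangeSetType, TemplateBody }
    this.calls = [];             // every IAM action attempted, allowed or not
  }
  _authorize(action) {
    this.calls.push(action);
    if (this.allowed.has(action)) return;
    const err = new Error(`not authorized to perform: ${action}`);
    err.name = 'AccessDeniedException';
    throw err;
  }
  async describeStacks({ StackName }) {
    this._authorize('cloudformation:DescribeStacks');
    const stack = this.stacks.get(StackName);
    if (!stack) { const e = new Error(`Stack with id ${StackName} does not exist`); e.name = 'ValidationError'; throw e; }
    return { Stacks: [{ StackName, StackStatus: stack.StackStatus }] };
  }
  async createStack({ StackName, TemplateBody }) {
    this._authorize('cloudformation:CreateStack');
    this.stacks.set(StackName, { StackStatus: 'CREATE_COMPLETE', template: TemplateBody });
    return {};
  }
  async createChangeSet({ StackName, ChangeSetName, ChangeSetType, TemplateBody }) {
    this._authorize('cloudformation:CreateChangeSet');
    const stack = this.stacks.get(StackName);
    if (ChangeSetType === 'CREATE') {
      if (stack && stack.StackStatus !== 'REVIEW_IN_PROGRESS') { const e = new Error(`Stack [${StackName}] already exists`); e.name = 'AlreadyExistsException'; throw e; }
      this.stacks.set(StackName, { StackStatus: 'REVIEW_IN_PROGRESS', template: null });
    } else if (!stack || stack.StackStatus === 'REVIEW_IN_PROGRESS') {
      const e = new Error(`Stack [${StackName}] does not exist`); e.name = 'ValidationError'; throw e;
    }
    this.changeSets.set(ChangeSetName, { StackName, ChangeSetType, TemplateBody });
    return {};
  }
  async describeChangeSet({ ChangeSetName }) {
    this._authorize('cloudformation:DescribeChangeSet');
    const cs = this.changeSets.get(ChangeSetName);
    if (cs.ChangeSetType === 'UPDATE' && this.stacks.get(cs.StackName).template === cs.TemplateBody) {
      return { Status: 'FAILED', StatusReason: "The submitted information didn't contain changes. Submit different information to create a change set." };
    }
    return { Status: 'CREATE_COMPLETE' };
  }
  async executeChangeSet({ StackName, ChangeSetName }) {
    this._authorize('cloudformation:ExecuteChangeSet');
    const cs = this.changeSets.get(ChangeSetName);
    this.stacks.set(StackName, { StackStatus: cs.ChangeSetType === 'CREATE' ? 'CREATE_COMPLETE' : 'UPDATE_COMPLETE', template: cs.TemplateBody });
    this.changeSets.delete(ChangeSetName);
    return {};
  }
}

// The restricted role from the issue: change-set actions only, no CreateStack.
const CHANGE_SET_ONLY_ROLE = ['cloudformation:DescribeStacks', 'cloudformation:CreateChangeSet',
  'cloudformation:DescribeChangeSet', 'cloudformation:ExecuteChangeSet'];
const TEMPLATE_V1 = 'Resources: { Bucket: { Type: AWS::S3::Bucket } }';            // constructed
const TEMPLATE_V2 = 'Resources: { Bucket: { Type: AWS::S3::Bucket }, Queue: { Type: AWS::SQS::Queue } }';

// New stack, unchanged redeploy, then a real update, all under the restricted role;
// finally show that the CreateStack path the action uses today is denied.
async function runScenario() {
  const cfn = new FakeCloudFormation(CHANGE_SET_ONLY_ROLE);
  const base = { stackName: 'demo-stack', templateBody: TEMPLATE_V1, pollIntervalMs: 0 };
  const first = await deployViaChangeSet(cfn, { ...base, changeSetName: 'cs-1' });
  const second = await deployViaChangeSet(cfn, { ...base, changeSetName: 'cs-2' });
  const third = await deployViaChangeSet(cfn, { ...base, templateBody: TEMPLATE_V2, changeSetName: 'cs-3' });
  let createStackError = null;
  try { await cfn.createStack({ StackName: 'other-stack', TemplateBody: TEMPLATE_V1 }); } catch (e) { createStackError = e.name; }
  return { first, second, third, createStackError, finalStatus: cfn.stacks.get('demo-stack').StackStatus };
}

runScenario().then((r) => console.log(JSON.stringify(r, null, 2)));
```

With a real client, pass `new CloudFormationClient(...)` wrapped so that each method issues the matching command; the decision logic and the no-changes handling stay the same. Note that the IAM policy also needs `cloudformation:DescribeStacks` and `cloudformation:DescribeChangeSet` for the existence check and the status poll, and that `iam:PassRole` or `cloudformation:ExecuteChangeSet` conditions may further scope which stacks the role can touch.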

@katallaxie let me know what you think about this

eladb avatar Jun 18 '21 09:06 eladb

This would be a great implementation but would require making separate calls since as @kddejong mentioned, termination protection and policy changes currently can't be used with createChangeSet.

josealdaco avatar Dec 15 '23 19:12 josealdaco

@kddejong Would the changes be appropriate for https://github.com/aws-actions/aws-cloudformation-github-deploy/pull/120 or will a new PR be required?

josealdaco avatar Dec 15 '23 19:12 josealdaco

I was going to merge this in and then adjust from there as we also have the aws-sdk v3 migration pending.

kddejong avatar Dec 15 '23 19:12 kddejong