diff --git a/src/core/cdk/src/assets/execution-role.template.json b/src/core/cdk/src/assets/execution-role.template.json
index e413bfe02..fed84c003 100644
--- a/src/core/cdk/src/assets/execution-role.template.json
+++ b/src/core/cdk/src/assets/execution-role.template.json
@@ -92,7 +92,7 @@
{
"Ref": "AWS::AccountId"
},
- ":aws:role/",
+ ":role/",
{
"Ref": "RoleName"
}
diff --git a/src/core/cdk/src/assets/management-execution-role.template.json b/src/core/cdk/src/assets/management-execution-role.template.json
index e413bfe02..486676605 100644
--- a/src/core/cdk/src/assets/management-execution-role.template.json
+++ b/src/core/cdk/src/assets/management-execution-role.template.json
@@ -55,54 +55,7 @@
"Principal": {
"Service": "fms.amazonaws.com"
}
- },
- {
- "Action": "sts:AssumeRole",
- "Effect": "Allow",
- "Principal": {
- "AWS": {
- "Fn::Join": [
- "",
- [
- "arn:",
- {
- "Ref": "AWS::Partition"
- },
- ":iam::",
- {
- "Ref": "AWS::AccountId"
- },
- ":root"
- ]
- ]
- }
- },
- "Condition": {
- "StringEquals": {
- "AWS:PrincipalArn": [
- {
- "Fn::Join": [
- "",
- [
- "arn:",
- {
- "Ref": "AWS::Partition"
- },
- ":iam::",
- {
- "Ref": "AWS::AccountId"
- },
- ":aws:role/",
- {
- "Ref": "RoleName"
- }
- ]
- ]
- }
- ]
- }
- }
- }
+ }
],
"Version": "2012-10-17"
},
diff --git a/src/core/runtime/src/create-stack/create.ts b/src/core/runtime/src/create-stack/create.ts
index e7e6ecced..29881d437 100644
--- a/src/core/runtime/src/create-stack/create.ts
+++ b/src/core/runtime/src/create-stack/create.ts
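Review bot: The corrected ARN turns a previously inert trust statement into a live one, and that deserves a line in the commit description rather than being filed as a typo fix. `:aws:role/` could never equal a real principal ARN, so the `aws:PrincipalArn` condition guarding the account `:root` principal (visible in full in the pre-image both templates share, index e413bfe02) never matched and the statement granted nothing; with `:role/` the execution role now trusts the principal named by `RoleName`, presumably itself. Before merging, confirm that role self-assumption is actually required by a caller, and check whether the role is created with a non-default IAM path, since the path would then have to appear between `:role/` and the role name for the `StringEquals` condition to match.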
@@ -61,19 +61,19 @@ export const handler = async (input: CreateStackInput) => {
console.debug(stackTemplate);
// Load the template body from the given location
- const templateBody = await getTemplateBody(stackTemplate);
+ let templateBody = await getTemplateBody(stackTemplate);
/** Checks Parameters Table in DDB to see if we are in management account.
* If so, our PBMM Pipeline role has different permissions and we use
* a different template.
*/
- // if(parametersTableName){
- // const accounts = await loadAccounts(parametersTableName!, dynamodb);
- // if((accounts.find(acc => acc.id === accountId)?.key!) === 'management'){
- // templateBody = await getTemplateBody(managementAccountTemplate!);
- // }
- // }
+ if (parametersTableName) {
+ const accounts = await loadAccounts(parametersTableName!, dynamodb);
+ if (accounts.find(acc => acc.id === accountId)?.key! === 'management') {
+ templateBody = await getTemplateBody(managementAccountTemplate!);
+ }
+ }
let cfn: CloudFormation;
if (accountId && assumeRoleName) {
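Review bot: The template selection fails open: when `parametersTableName` is unset, or `accountId` is missing or not found in the accounts table, the whole check is skipped and the standard template is deployed, which per the doc comment above it would be the wrong, differently-permissioned template for the management account. Consider making the lookup required rather than best-effort, or at least emitting a warning when it is skipped, e.g. `if (!parametersTableName) console.warn('parametersTableName not set; skipping management-account template check');`. The non-null assertions are also misleading: `parametersTableName!` is already narrowed by the enclosing `if`, `?.key!` asserts non-null on a value that is legitimately `undefined` when the account is not found, and `managementAccountTemplate!` has no guard at all, so an unset value reaches `getTemplateBody(undefined)` and fails in whatever way that helper fails rather than with a clear message; prefer `?.key === 'management'` and `if (!managementAccountTemplate) throw new Error('managementAccountTemplate is required when deploying to the management account');` before the call. The enclosing `handler` starts and ends outside the hunk.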