Remove hard dependency (Sage-Bionetworks#616)
A direct ImportValue dependency in a template makes it a hard dependency
which makes it difficult to update. This changes the dependency to be
more easily updateable.
zaro0508 authored Oct 30, 2023
1 parent 6b36ce1 commit 81ee021
Showing 2 changed files with 7 additions and 8 deletions.
4 changes: 3 additions & 1 deletion config/prod/htan-synapse-sync-kms-key.yaml
Expand Up @@ -5,4 +5,6 @@ stack_tags:
OwnerEmail: "thomas.yu@sagebase.org"
CostCenter: "HTAN-DFCI / 120100"
parameters:
AdminRoleArn: "arn:aws:sts::055273631518:assumed-role/AWSReservedSSO_Developer_d1a84a78c9777596/thomas.yu@sagebase.org"
AdminRoleArns:
- "arn:aws:sts::055273631518:assumed-role/AWSReservedSSO_Developer_d1a84a78c9777596/thomas.yu@sagebase.org"
- !stack_output_external "sagebase-github-oidc-sage-bionetworks-scicomp-provisioner::ProviderRoleArn"
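Review bot: the `!stack_output_external` entry on the last line is resolved by Sceptre when this stack is launched, so the key policy holds a snapshot of ProviderRoleArn rather than a live reference. If the provider stack ever recreates that role, this stack has to be relaunched to pick up the new ARN; a short comment next to the entry saying so would help whoever maintains it. Separately, the first entry still ties key administration to one user's SSO session ARN under an AWSReservedSSO role, which goes stale if that user leaves or the permission set is re-provisioned; consider whether a role-level principal fits better here.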
11 changes: 4 additions & 7 deletions templates/htan-synapse-sync-kms-key.yaml
Expand Up @@ -2,9 +2,9 @@ AWSTemplateFormatVersion: '2010-09-09'
Description: HTAN SynapseSync KMS Key and IAM policy

Parameters:
AdminRoleArn:
Type: String
Description: ARN of the Administrator Role for a particular account
AdminRoleArns:
Type: List<String>
Description: A list of Administrator Role ARNs for a particular account

Resources:
KmsDecryptPolicy:
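Review bot: renaming the parameter from AdminRoleArn to AdminRoleArns breaks any other Sceptre config that still passes AdminRoleArn to this template; this commit updates only config/prod/htan-synapse-sync-kms-key.yaml, so check for other callers before merging. The Description could also state that every entry becomes a principal in the key policy's administration statement, since that is what a person editing the list needs to know.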
Expand Down Expand Up @@ -46,10 +46,7 @@ Resources:
- Sid: "Allow administration of the key to CFN service role"
Effect: "Allow"
Principal:
AWS:
- !ImportValue
'Fn::Sub': '${AWS::Region}-bootstrap-CfServiceRoleArn'
- !Ref AdminRoleArn
AWS: !Ref AdminRoleArns
Action:
- "kms:Create*"
- "kms:Describe*"
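Review bot: the Sid on the first line of this hunk still reads "Allow administration of the key to CFN service role", but the principal is now `AWS: !Ref AdminRoleArns` and the import of `${AWS::Region}-bootstrap-CfServiceRoleArn` is gone, so the CFN service role keeps these permissions only if a config lists it. The prod config in this commit lists a user session ARN and the ProviderRoleArn stack output, and neither is named as the CFN service role. Please confirm the service role no longer needs to administer the key, and rename the Sid to match the new principal list, for example "Allow administration of the key to admin roles".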