fix: add kms permission to work with cicd pipeline (#836)

awslabs · Dec 17, 2021 · 9ecd9ee · 9ecd9ee
1 parent ff11c16
commit 9ecd9ee
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/main/cicd/README.md b/main/cicd/README.md
@@ -58,7 +58,7 @@ The pipeline stops upon failure of any stage and notifies user via configured SN
 
   * Create a settings file in `cicd/cicd-source/config/settings` for the environment for which you want to create the 
   CI/CD pipeline. For example, to create the CI/CD pipeline for `dev` environment, create `dev.yml` file in 
-  `cicd/cicd-source/config/settings/`. You can create the settings file by copying the sample `demo.yml` file. 
+  `cicd/cicd-source/config/settings/`. You can create the settings file by copying the sample `example-codecommit.yml` file. 
   Please adjust the settings as per your environment. Read inline comments in the file for information about each 
   setting.
 
@@ -79,9 +79,11 @@ The pipeline stops upon failure of any stage and notifies user via configured SN
 
   * Create a settings file in `cicd/cicd-pipeline/config/settings` for the environment for which you want to create the 
   CI/CD pipeline. For example, to create the CI/CD pipeline for `dev` environment, create `dev.yml` file in 
-  `cicd/cicd-pipeline/config/settings/`. You can create the settings file by copying the sample `demo.yml` file. 
+  `cicd/cicd-pipeline/config/settings/`. You can create the settings file by copying the sample `example-codecommit.yml` file. 
   Please adjust the settings as per your environment. Read inline comments in the file for information about each 
   setting.
+
+  * Edit the settings file in `main/config/settings` for the environment. Comment out the line that states the `awsProfile`.
 
   * Deploy the `cicd-pipeline` stack.
   ```bash

diff --git a/main/cicd/cicd-pipeline/config/infra/cloudformation.yml b/main/cicd/cicd-pipeline/config/infra/cloudformation.yml
@@ -22,8 +22,7 @@ Resources:
     Type: AWS::SNS::Topic
     Properties: !If
       - SubscribeNotificationEmail
-      -
-        Subscription:
+      - Subscription:
           - Endpoint: ${self:custom.settings.emailForNotifications}
             Protocol: email
         KmsMasterKeyId: alias/aws/sns
@@ -117,8 +116,6 @@ Resources:
         Rules:
           - ExpirationInDays: 365 # Delete old artifacts from S3 after 1 year to save costs
             Status: Enabled
-      VersioningConfiguration:
-        Status: Enabled
 
   # The artifacts bucket S3 policy to allow CodePipeline's source stage to upload artifacts
   AppArtifactBucketPolicy:
@@ -378,6 +375,7 @@ Resources:
               - kms:TagResource
               - kms:UntagResource
               - kms:GetKeyPolicy
+              - kms:EnableKeyRotation
             Resource:
               - !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/*${self:custom.settings.namespace}*'
               - !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*'