fix: Make SageMaker IAM policy case insensitive (#1177)

awslabs · Apr 17, 2023 · fd6f1b8 · fd6f1b8
1 parent 8fb2320
commit fd6f1b8
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 9 deletions.
diff --git a/...ns/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml b/...ns/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml
@@ -106,13 +106,13 @@ Parameters:
     Description: Optional custom Domain name to be created in Route53
     Type: String
     Default: ''
-  
+
   EnableAmiSharing:
     Type: String
     AllowedValues: [true, false]
     Description: Use appstream image from the central devops account
     Default: false
-  
+
   DevopsAccountId:
     Type: String
     Description: The account id of the central AWS account where the appstream image is created.
@@ -150,8 +150,8 @@ Conditions:
     - !Not [!Equals [!Ref 'DomainName', '']]
     - !Condition isAppStream
   enableFlowLogs: !Equals [!Ref EnableFlowLogs, true]
-  enableFlowLogsNonAppStream: !And [Condition: isNotAppStream,Condition: enableFlowLogs]
-  enableFlowLogsWithAppStream: !And [Condition: isAppStream,Condition: enableFlowLogs]
+  enableFlowLogsNonAppStream: !And [Condition: isNotAppStream, Condition: enableFlowLogs]
+  enableFlowLogsWithAppStream: !And [Condition: isAppStream, Condition: enableFlowLogs]
   amiSharingEnabled: !Equals
     - !Ref EnableAmiSharing
     - true
@@ -424,7 +424,7 @@ Resources:
               - sagemaker:StartNotebookInstance
               - sagemaker:StopNotebookInstance
               - sagemaker:DescribeNotebookInstance
-            Resource: !Sub 'arn:aws:sagemaker:${AWS::Region}:${AWS::AccountId}:notebook-instance/basicnotebookinstance-*'
+            Resource: !Sub 'arn:aws:sagemaker:${AWS::Region}:${AWS::AccountId}:notebook-instance/?asic?otebook?nstance-*'
           - Effect: Allow
             Action:
               - sagemaker:ListNotebookInstances
@@ -768,7 +768,7 @@ Resources:
     Properties:
       AliasName: !Join ['', ['alias/', Ref: Namespace, '-encryption-key']]
       TargetKeyId: !Ref EncryptionKey
-  
+
   FlowLogCloudwatchGroup:
     Type: 'AWS::Logs::LogGroup'
     DeletionPolicy: Retain
@@ -1082,7 +1082,12 @@ Resources:
       EnableDefaultInternetAccess: False
       FleetType: !Ref AppStreamFleetType
       IdleDisconnectTimeoutInSeconds: !Ref AppStreamIdleDisconnectTimeoutSeconds
-      ImageArn: !If [amiSharingEnabled, !Sub 'arn:aws:appstream:${AWS::Region}:${DevopsAccountId}:image/${AppStreamImageName}', !Sub 'arn:aws:appstream:${AWS::Region}:${CentralAccountId}:image/${AppStreamImageName}']
+      ImageArn:
+        !If [
+          amiSharingEnabled,
+          !Sub 'arn:aws:appstream:${AWS::Region}:${DevopsAccountId}:image/${AppStreamImageName}',
+          !Sub 'arn:aws:appstream:${AWS::Region}:${CentralAccountId}:image/${AppStreamImageName}',
+        ]
       InstanceType: !Ref AppStreamInstanceType
       MaxUserDurationInSeconds: !Ref AppStreamMaxUserDurationSeconds
       Name: !Sub ${Namespace}-ServiceWorkbenchFleet

diff --git a/main/solution/post-deployment/config/infra/cloudformation.yml b/main/solution/post-deployment/config/infra/cloudformation.yml
@@ -421,15 +421,15 @@ Resources:
                   - sagemaker:DescribeNotebookInstanceLifecycleConfig
                   - sagemaker:CreateNotebookInstanceLifecycleConfig
                   - sagemaker:DeleteNotebookInstanceLifecycleConfig
-                Resource: 'arn:aws:sagemaker:*:*:notebook-instance-lifecycle-config/basicnotebookinstancelifecycleconfig-*'
+                Resource: 'arn:aws:sagemaker:*:*:notebook-instance-lifecycle-config/?asic?otebook?nstance?ifecycle?onfig-*'
               - Effect: Allow
                 Action:
                   - sagemaker:DescribeNotebookInstance
                   - sagemaker:CreateNotebookInstance
                   - sagemaker:AddTags
                   - sagemaker:StopNotebookInstance
                   - sagemaker:DeleteNotebookInstance
-                Resource: 'arn:aws:sagemaker:*:*:notebook-instance/basicnotebookinstance-*'
+                Resource: 'arn:aws:sagemaker:*:*:notebook-instance/?asic?otebook?nstance-*'
               - Effect: Allow
                 Action:
                   - ec2:DescribeNetworkInterfaces