Fix updating old global-iam stacks in the deployment account (#711)

sbkok · web-flow · commit 915e716e3d25 · 2024-04-09T14:26:55.000+02:00
**Why?** With PR #568, the policy names in the `adf-bootstrap/deployment/example-global-iam.yml` file were updated to ensure that they are unique. However, if the `example-global-iam.yml` was not updated recently, then copied/renamed to `global-iam.yml` it would overwrite, and or delete policies that were created by the `global.yml` stack instead. This creates an issue that is hard to debug unfortunately. **What?** This proposed change will introduce the ADF managed policy as defined in the `global.yml` stack of the deployment account. This way the policies are (re)created correctly.
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
@@ -549,7 +549,7 @@ Resources:
   CloudFormationDeploymentPolicy:
     Type: AWS::IAM::Policy
     Properties:
-      PolicyName: "adf-cloudformation-deployment-role-policy"
+      PolicyName: "adf-cloudformation-deployment-role-policy-kms"
       PolicyDocument:
         Version: "2012-10-17"
         Statement:
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/enable_cross_account_access.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/enable_cross_account_access.py
@@ -46,7 +46,7 @@
         "adf-codepipeline-role-policy-kms",
     ],
     "adf-cloudformation-deployment-role": [
-        "adf-cloudformation-deployment-role-policy",
+        "adf-cloudformation-deployment-role-policy-kms",
     ],
     "adf-cloudformation-role": [
         "adf-cloudformation-role-policy",
