Add ecoeng account, modify IAM policy json #995
📝 Walkthrough: This change expands AWS governance infrastructure by adding new S3 permissions to IAM policies and incorporating new AWS accounts.
Changes: AWS Governance Account & Permission Expansion
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
🚥 Pre-merge checks: ✅ 5 passed (5 checks)
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents: Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceDeletePolicy.json`:
- Around line 160-167: The S3Bucket statement in
CloudGovernanceDeletePolicy.json incorrectly includes the "s3:CreateBucket"
action which grants provisioning rights outside the delete/governance scope;
remove "s3:CreateBucket" from the actions array in the S3Bucket statement (the
entry that currently lists "s3:CreateBucket","s3:DeleteBucket", etc.) so the
policy only contains delete/governance actions, and if bucket creation is
required create a separate, narrowly-scoped policy for provisioning instead.
In `@iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceReadPolicy.json`:
- Around line 116-121: Remove the write permission "s3:CreateBucket" from the
CloudGovernanceReadPolicy JSON (the permission entry listed alongside
"s3:GetBucketAcl", "s3:GetBucketLocation", etc.); update the
CloudGovernanceReadPolicy to only include read-related S3 actions and, if any
workflow requires bucket creation, create a separate dedicated policy (e.g.,
CloudGovernanceCreateBucketPolicy) granting "s3:CreateBucket" scoped to the
specific resources rather than keeping it in the read policy.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 43cae77f-18b4-441d-bc80-b3772cffdc1c
📒 Files selected for processing (5):
- iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceDeletePolicy.json
- iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceReadPolicy.json
- jenkins/tenant/aws/ecoeng_01/PolicyJenkinsfileDaily
- jenkins/tenant/aws/ecoeng_01/README.md
- jenkins/tenant/aws/ecoeng_01/TaggingJenkinsfileHourly
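Both review comments above come down to the same least-privilege check: an action whose verb is Create has no place in a policy named Read or Delete. The following Python is an added example (not part of the PR or the repository) of a small linter that applies that check to an IAM policy document. The two policy documents embedded in it are constructed stand-ins that mirror the statements the comments describe, not the repository's actual files, and the choice that a delete policy may also carry Get/List/Describe verbs (so a cleanup job can enumerate what it removes) is an assumption made for this example.

```python
"""Lint an IAM policy document for Allow actions outside its intended scope.

Added example for illustration; the READ_POLICY and DELETE_POLICY documents
below are constructed stand-ins for the policies discussed in the review,
not the repository's real CloudGovernanceReadPolicy.json / DeletePolicy.json.
"""
import copy
import json

# IAM action names are matched case-insensitively, so verbs are compared in
# lower case. A read-only policy is expected to contain only these verbs.
READ_ONLY_VERBS = ("get", "list", "describe")
# Assumption for this example: a delete/cleanup policy may read (to enumerate
# resources) and delete, but never create.
DELETE_SCOPE_VERBS = READ_ONLY_VERBS + ("delete",)


def _as_list(value):
    """IAM allows a single string/object or a list for Statement and Action."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def find_out_of_scope_actions(policy: dict, allowed_verbs: tuple) -> list:
    """Return (Sid, action) pairs for every Allow action whose verb is not allowed.

    Wildcards are treated conservatively: "*", "s3:*" and anything that does
    not parse as service:Verb are reported, since they grant more than a
    narrowly scoped policy should.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not a scope concern
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action")):
            if ":" not in action:
                findings.append((sid, action))
                continue
            _service, verb = action.split(":", 1)
            if verb == "*" or not verb.lower().startswith(allowed_verbs):
                findings.append((sid, action))
    return findings


def drop_actions(policy: dict, actions_to_drop: set) -> dict:
    """Return a copy of the policy with the given actions removed everywhere."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = _as_list(fixed.get("Statement"))
    for stmt in fixed["Statement"]:
        stmt["Action"] = [a for a in _as_list(stmt.get("Action"))
                          if a not in actions_to_drop]
    return fixed


# Constructed sample policies (not the repository's files).
READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "S3Bucket",
        "Effect": "Allow",
        "Action": ["s3:GetBucketAcl", "s3:GetBucketLocation",
                   "s3:ListBucket", "s3:CreateBucket"],
        "Resource": "*",
    }],
}

DELETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "S3Bucket",
        "Effect": "Allow",
        "Action": ["s3:CreateBucket", "s3:DeleteBucket",
                   "s3:ListBucket", "s3:DeleteObject"],
        "Resource": "*",
    }],
}


if __name__ == "__main__":
    for name, policy, scope in (("read", READ_POLICY, READ_ONLY_VERBS),
                                ("delete", DELETE_POLICY, DELETE_SCOPE_VERBS)):
        for sid, action in find_out_of_scope_actions(policy, scope):
            print(f"{name} policy: statement {sid} grants out-of-scope action {action}")
    # Show the read policy with the offending action removed.
    print(json.dumps(drop_actions(READ_POLICY, {"s3:CreateBucket"}), indent=2))
```

Run it against a real file with `find_out_of_scope_actions(json.load(open(path)), READ_ONLY_VERBS)`; wiring it into the Jenkins policy job as a pre-apply gate would catch a write verb slipping into a read policy before it is attached to any role.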
@halbfin, can you approve?
Description: For security reasons, all pull requests need to be approved first before running any automated CI.