
Add ecoeng account, modify IAM policy json#995

Merged: pragya811 merged 1 commit into main from ecoeng-update on May 11, 2026

Conversation

@pragya811 pragya811 commented May 5, 2026


Type of change

Note: Fill x in []

  • bug
  • enhancement
  • documentation
  • dependencies

Description

  1. Added new ecoeng account to ecoeng1 job
  2. Modified CloudGovernance Read and Delete Policy jsons to include missing permissions for s3 buckets

For security reasons, all pull requests need to be approved first before running any automated CI

Summary by CodeRabbit

  • New Features

    • Enhanced S3 permissions in governance policies with CreateBucket and additional read/metadata operations.
    • Added new account entries to support expanded multi-account management across the infrastructure.
  • Documentation

    • Updated account listings and configuration documentation to reflect newly added accounts.

coderabbitai Bot commented May 5, 2026

Walkthrough

This change expands AWS governance infrastructure by adding new S3 permissions to IAM policies and incorporating new AWS accounts (ecoeng-buildSign, medik8s-ci) into Jenkins automation pipelines for policy and tagging operations.

Changes

AWS Governance Account & Permission Expansion

  • IAM Permissions Expansion
    Files: iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceDeletePolicy.json, iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceReadPolicy.json
    Summary: S3 action lists are expanded to include s3:CreateBucket, s3:GetBucketAcl, s3:GetBucketPolicy, and s3:GetBucketVersioning alongside existing permissions.
  • Jenkins Pipeline Account Configuration
    Files: jenkins/tenant/aws/ecoeng_01/PolicyJenkinsfileDaily, jenkins/tenant/aws/ecoeng_01/TaggingJenkinsfileHourly
    Summary: New AWS accounts (ecoeng-buildSign, medik8s-ci, ecoeng-flightctl, partners-eng, fusionaccess) are added to the account lists that drive per-account policy and tagging job execution.
  • Documentation
    Files: jenkins/tenant/aws/ecoeng_01/README.md
    Summary: The accounts list is updated to reflect the new accounts (ecoeng-buildSign, medik8s-ci).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 New accounts hop into the fold,
Permissions expand, bold and cold,
S3 buckets and builds take flight,
Jenkins pipelines dance through the night,
Governance grows, a quantum delight! ✨

Pre-merge checks: 5 passed

  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately reflects the main changes: adding an ecoeng account and modifying IAM policy JSON files.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; the check was skipped.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@ebattat ebattat added the documentation Improvements or additions to documentation label May 5, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceDeletePolicy.json`:
- Around line 160-167: The S3Bucket statement in
CloudGovernanceDeletePolicy.json incorrectly includes the "s3:CreateBucket"
action which grants provisioning rights outside the delete/governance scope;
remove "s3:CreateBucket" from the actions array in the S3Bucket statement (the
entry that currently lists "s3:CreateBucket","s3:DeleteBucket", etc.) so the
policy only contains delete/governance actions, and if bucket creation is
required create a separate, narrowly-scoped policy for provisioning instead.

In `@iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceReadPolicy.json`:
- Around line 116-121: Remove the write permission "s3:CreateBucket" from the
CloudGovernanceReadPolicy JSON (the permission entry listed alongside
"s3:GetBucketAcl", "s3:GetBucketLocation", etc.); update the
CloudGovernanceReadPolicy to only include read-related S3 actions and, if any
workflow requires bucket creation, create a separate dedicated policy (e.g.,
CloudGovernanceCreateBucketPolicy) granting "s3:CreateBucket" scoped to the
specific resources rather than keeping it in the read policy.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 43cae77f-18b4-441d-bc80-b3772cffdc1c

📥 Commits

Reviewing files that changed from the base of the PR and between acdc4a3 and 75b774a.

📒 Files selected for processing (5)
  • iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceDeletePolicy.json
  • iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceReadPolicy.json
  • jenkins/tenant/aws/ecoeng_01/PolicyJenkinsfileDaily
  • jenkins/tenant/aws/ecoeng_01/README.md
  • jenkins/tenant/aws/ecoeng_01/TaggingJenkinsfileHourly

@ebattat ebattat assigned halbfin and unassigned halbfin May 5, 2026
@ebattat ebattat requested a review from halbfin May 5, 2026 12:46
ebattat commented May 5, 2026


@halbfin, can you approve?

@ebattat ebattat left a comment


/approved

@pragya811 pragya811 merged commit dc8220e into main May 11, 2026
29 checks passed
@github-project-automation github-project-automation Bot moved this from In progress to Done in Cloud-Governance project May 11, 2026
@pragya811 pragya811 deleted the ecoeng-update branch May 11, 2026 08:12