# help
m
I was able to get permission boundaries to work with SST, but I'm wondering if anybody has thought about a way to add them to the debug stack? We have the same permission boundaries in our dev environments as we do in prod, so that we encounter any problems ASAP. That means we can't deploy the debug stack.
f
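Hey @Matt Morgan, you can add this block to your index.js/ts:
```ts
// Imports assume CDK v1 package names; with CDK v2 use "aws-cdk-lib" and "aws-cdk-lib/aws-iam".
import * as cdk from "@aws-cdk/core";
import * as iam from "@aws-cdk/aws-iam";
import * as sst from "@serverless-stack/resources";

export function debugStack(
  app: cdk.App,
  stack: cdk.Stack,
  props: sst.DebugStackProps
): void {
  // Managed policy used as the permissions boundary; it denies all IAM actions.
  // Scoped to the debug stack (`this` is undefined in a module-level function).
  const boundary = new iam.ManagedPolicy(stack, 'Boundary', {
    statements: [
      new iam.PolicyStatement({
        effect: iam.Effect.DENY,
        actions: ['iam:*'],
        resources: ['*'],
      }),
    ],
  });

  // Apply the boundary to every IAM role and user created in the debug stack.
  iam.PermissionsBoundary.of(stack).apply(boundary);
}
```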
So essentially this is how to make changes to the debug stack (i.e. tagging resources in the debug stack).
m
Cool! I'll try that. Thanks for the reply.
Yeah that worked. Amazing work on this project. Gonna look at migrating a bunch of stacks to SST over the next year.