From 0e1b4bbab199d25975be4c501833388ab5775585 Mon Sep 17 00:00:00 2001
From: kukushking
Date: Tue, 11 Feb 2025 01:35:56 +0100
Subject: [PATCH 1/3] docs
---
docs/source/bootstrapping.md | 4 +++-
docs/source/manifests.md | 2 --
seedfarmer/__main__.py | 4 ++--
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/docs/source/bootstrapping.md b/docs/source/bootstrapping.md
index be74599..9e7c8ed 100644
--- a/docs/source/bootstrapping.md
+++ b/docs/source/bootstrapping.md
@@ -93,7 +93,9 @@ The qualifier post-pends a 6 chars alpha-numeric string to the deployment role a ## IAM Paths Prefixes for Toolchain, Target Roles, and Policies We have added support for the use of a IAM Paths for the toolchain role, target account deployment role(s), and policie(s). Using IAM Paths you can create groupings and design a logical separation to simplify permissions management. A common example in organizations is using Service Control Policies enforcing logical separation by team e.g. `/legal/` or `/sales/`, or project name. -A `--role-prefix` and `--policy-prefix` can be used if you want to provide IAM Paths to the roles and policies created by `seed-farmer`. IAM Paths must begin and end with a `/`. More information in [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html). +A `--role-prefix` and `--policy-prefix` CLI parameters can be used if you want to provide IAM Paths to the toolchain, deployment roles, and project policy created by `seed-farmer`. If bootstrapped with prefixes, same prefixes must be provided with `apply` and `destroy` CLI commands so that seedfarmer is able to locate correct toolchain and target deployment roles. IAM Paths must begin and end with a `/`. More information in [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html). + +Additionally, seed-farmer creates module deployment roles at `apply`. It is possible to provide prefixes for the module deployment roles using the deployment manifest. See [manifest](manifest.md). ## Prepping the Account / Region `seedfarmer` leverages the AWS CDKv2. This must be bootstrapped in each account/region combination to be used of each target account. diff --git a/docs/source/manifests.md b/docs/source/manifests.md index 8844ef5..934ebb7 100644 --- a/docs/source/manifests.md +++ b/docs/source/manifests.md 
@@ -548,8 +548,6 @@ There is a level of logic that is followed: 2. if a prefix is defined at the account level --- USE IT... ELSE 4. use default `/` prefix -NOTE: the prefixes provided must match the prefixes provided during bootstrap, unless a custom bootstrap is used. - (archivesecret)= ### Archive Secret diff --git a/seedfarmer/__main__.py b/seedfarmer/__main__.py index 58f5126..5fa670c 100644 --- a/seedfarmer/__main__.py +++ b/seedfarmer/__main__.py @@ -67,7 +67,7 @@ def version() -> None: @click.option( "--role-prefix", default=None, - help="""An IAM path prefix to use with the seedfarmer roles. + help="""An IAM path prefix of the seedfarmer toolchain and deployment roles. Use only if bootstrapped with this path""", required=False, ) @@ -212,7 +212,7 @@ def apply( @click.option( "--role-prefix", default=None, - help="""An IAM path prefix to use with the seedfarmer roles. + help="""An IAM path prefix of the seedfarmer toolchain and deployment roles. Use only if bootstrapped with this path""", required=False, ) From 64910536aa0937ca8fd9326a4218c0e6adf36ecc Mon Sep 17 00:00:00 2001 From: kukushking Date: Tue, 11 Feb 2025 01:42:26 +0100 Subject: [PATCH 2/3] terminology --- docs/source/bootstrapping.md | 2 +- seedfarmer/__main__.py | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/source/bootstrapping.md b/docs/source/bootstrapping.md index 9e7c8ed..24d4e8b 100644 --- a/docs/source/bootstrapping.md +++ b/docs/source/bootstrapping.md 
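Review bot: The `--role-prefix` help text in the `seedfarmer/__main__.py` hunk at line 67, and in the matching hunk at line 212 (both reworded again in PATCH 2/3), still omits the format rule that `bootstrapping.md` states in this same commit: an IAM path must begin and end with `/`. The option as shown carries only `default=None` and `required=False`, with no `callback=` or `type=` visible, so a malformed or mismatched prefix is presumably noticed only when the toolchain or target role cannot be located; validation may exist further down, outside the hunk. I would extend the second help line to `Use only if bootstrapped with this path; must begin and end with '/'""",` and, if nothing downstream checks the value, reject bad prefixes at the CLI boundary so the failure is explicit. The decorated command functions start outside both hunks.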
@@ -93,7 +93,7 @@ The qualifier post-pends a 6 chars alpha-numeric string to the deployment role a ## IAM Paths Prefixes for Toolchain, Target Roles, and Policies We have added support for the use of a IAM Paths for the toolchain role, target account deployment role(s), and policie(s). Using IAM Paths you can create groupings and design a logical separation to simplify permissions management. A common example in organizations is using Service Control Policies enforcing logical separation by team e.g. `/legal/` or `/sales/`, or project name. -A `--role-prefix` and `--policy-prefix` CLI parameters can be used if you want to provide IAM Paths to the toolchain, deployment roles, and project policy created by `seed-farmer`. If bootstrapped with prefixes, same prefixes must be provided with `apply` and `destroy` CLI commands so that seedfarmer is able to locate correct toolchain and target deployment roles. IAM Paths must begin and end with a `/`. More information in [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html). +A `--role-prefix` and `--policy-prefix` CLI parameters can be used if you want to provide IAM Paths to the toolchain, target roles, and project policy created by `seed-farmer`. If bootstrapped with prefixes, same prefixes must be provided with `apply` and `destroy` CLI commands so that seedfarmer is able to locate correct toolchain and target deployment roles. IAM Paths must begin and end with a `/`. More information in [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html). Additionally, seed-farmer creates module deployment roles at `apply`. It is possible to provide prefixes for the module deployment roles using the deployment manifest. See [manifest](manifest.md). diff --git a/seedfarmer/__main__.py b/seedfarmer/__main__.py index 5fa670c..d811723 100644 --- a/seedfarmer/__main__.py +++ b/seedfarmer/__main__.py 
@@ -67,7 +67,7 @@ def version() -> None: @click.option( "--role-prefix", default=None, - help="""An IAM path prefix of the seedfarmer toolchain and deployment roles. + help="""An IAM path prefix of the seedfarmer toolchain and target roles. Use only if bootstrapped with this path""", required=False, ) @@ -212,7 +212,7 @@ def apply( @click.option( "--role-prefix", default=None, - help="""An IAM path prefix of the seedfarmer toolchain and deployment roles. + help="""An IAM path prefix of the seedfarmer toolchain and target roles. Use only if bootstrapped with this path""", required=False, ) From ef29a58e1c8a1fd908deec4ab9bbcdc6f51e7ace Mon Sep 17 00:00:00 2001 From: kukushking Date: Tue, 18 Feb 2025 13:19:14 +0000 Subject: [PATCH 3/3] fix link --- docs/source/bootstrapping.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/bootstrapping.md b/docs/source/bootstrapping.md index 24d4e8b..c12e303 100644 --- a/docs/source/bootstrapping.md +++ b/docs/source/bootstrapping.md 
@@ -95,7 +95,7 @@ We have added support for the use of a IAM Paths for the toolchain role, target A `--role-prefix` and `--policy-prefix` CLI parameters can be used if you want to provide IAM Paths to the toolchain, target roles, and project policy created by `seed-farmer`. If bootstrapped with prefixes, same prefixes must be provided with `apply` and `destroy` CLI commands so that seedfarmer is able to locate correct toolchain and target deployment roles. IAM Paths must begin and end with a `/`. More information in [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html). -Additionally, seed-farmer creates module deployment roles at `apply`. It is possible to provide prefixes for the module deployment roles using the deployment manifest. See [manifest](manifest.md). +Additionally, seed-farmer creates module deployment roles at `apply`. It is possible to provide prefixes for the module deployment roles using the deployment manifest. See [manifests](manifests.md). ## Prepping the Account / Region `seedfarmer` leverages the AWS CDKv2. This must be bootstrapped in each account/region combination to be used of each target account.