Feature Request: Add PermissionsBoundary as option for role that gets created

[cervantek]

For SAM functions, you are able to specify a Permissions Boundary to use for the role that gets created automatically by Serverless::Function resources. However, there is no way for us as a consumer of these Serverless Applications to specify that to you.

Could you please add an optional parameter to the Serverless Application that allows us to specify a PermissionsBoundary?

If your App is passed PermissionsBoundary as a parameter by a user, simply pass it down to the Serverless::Function it creates. This should only be a few line change to your template.

We (and others likely) cannot take advantage of your Serverless Apps due being required (by a standard/policy within our organizations) to always specify a PermissionsBoundary on any role we create (or is created for us by things like SAM).

[joebaro]

Thank you for your feedback. We have noted this as a feature request.

[ArielPrevu3D]

Any plans on making this happen? Currently, the rotation applications are only useful if you want to give developers all access to the AWS account, which is often not possible.

[markussiebert]

Need this to! Would implement this, but need to know where the template resides

[Saberos]

Are the SAM templates available anywhere to provide PRs on?

[asifma]

Can you please apply Globals.Function.PermissionsBoundary to the SAM Template that gets created. This is supported by SAM. You can use this template as reference: https://github.com/aws-samples/cloudfront-authorization-at-edge/blob/master/template.yaml

I would have create a PR, but cant find the yaml template available anywhere in this repo

[asifma]

Below is a proposed template for: SecretsManagerRDSPostgreSQLRotationSingleUser — version 1.1.384

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Parameters:
  endpoint:
    Type: String
    Description: The Secrets Manager endpoint to use.
  functionName:
    Type: String
    Description: The name of the Lambda function.
  invokingServicePrincipal:
    Type: String
    Description: The service principal for the invoking service.
    Default: secretsmanager.amazonaws.com
  vpcSubnetIds:
    Type: CommaDelimitedList
    Description: A comma-separated list of VPC subnet IDs applied to the database
      network.
    Default: ''
  vpcSecurityGroupIds:
    Type: CommaDelimitedList
    Description: A comma-separated list of security group IDs applied to the database.
    Default: ''
  kmsKeyArn:
    Type: String
    Description: The ARN of the KMS key that Secrets Manager uses to encrypt the secret.
    Default: ''
  excludeCharacters:
    Type: String
    Description: A string of the characters that you don't want in the password.
    Default: :/@"'\
  runtime:
    Type: String
    Description: The python runtime associated with the Lambda function
    Default: python3.9
  PermissionsBoundaryPolicyArn:
    Description: ARN of a boundary policy if your organisation uses some for roles, optional.
    Type: String
    Default: ""
Conditions:
  AddVpcConfig:
    Fn::And:
    - Fn::Not:
      - Fn::Equals:
        - ''
        - Fn::Join:
          - ''
          - Ref: vpcSubnetIds
    - Fn::Not:
      - Fn::Equals:
        - ''
        - Fn::Join:
          - ''
          - Ref: vpcSecurityGroupIds
  KmsKeyArnExists:
    Fn::Not:
    - Fn::Equals:
      - ''
      - Ref: kmsKeyArn
  ApplyPermissionsBoundary:
    !Not [!Equals [!Ref PermissionsBoundaryPolicyArn, ""]]

Resources:
  SecretsManagerRDSPostgreSQLRotationSingleUser:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName:
        Ref: functionName
      Description: Rotates a Secrets Manager secret for Amazon RDS PostgreSQL credentials
        using the single user rotation strategy.
      Handler: lambda_function.lambda_handler
      Runtime:
        Ref: runtime
      CodeUri:
        Bucket: <%REPO_BUCKET%>
        Key: 8494558e-a7c7-479b-b855-6a42fa99ba3f
      AutoPublishCodeSha256: b6db215a045dfe41d9838f1236af55b0de0d491d7d03b67d78ebde754eeadaae
      Timeout: 30
      PermissionsBoundary: !If
        - ApplyPermissionsBoundary
        - !Ref PermissionsBoundaryPolicyArn
        - !Ref AWS::NoValue
      Policies:
      - VPCAccessPolicy: {}
      - AWSSecretsManagerRotationPolicy:
          FunctionName:
            Ref: functionName
      - Fn::If:
        - KmsKeyArnExists
        - Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - kms:Decrypt
            - kms:DescribeKey
            - kms:GenerateDataKey
            Resource:
              Ref: kmsKeyArn
        - Ref: AWS::NoValue
      Environment:
        Variables:
          SECRETS_MANAGER_ENDPOINT:
            Ref: endpoint
          EXCLUDE_CHARACTERS:
            Ref: excludeCharacters
      VpcConfig:
        Fn::If:
        - AddVpcConfig
        - SubnetIds:
            Ref: vpcSubnetIds
          SecurityGroupIds:
            Ref: vpcSecurityGroupIds
        - Ref: AWS::NoValue
      Tags:
        SecretsManagerLambda: Rotation
  LambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName:
        Fn::GetAtt:
        - SecretsManagerRDSPostgreSQLRotationSingleUser
        - Arn
      Principal:
        Ref: invokingServicePrincipal
      SourceAccount:
        Ref: AWS::AccountId
Outputs:
  RotationLambdaARN:
    Description: The ARN of the rotation lambda
    Value:
      Fn::GetAtt:
      - SecretsManagerRDSPostgreSQLRotationSingleUser
      - Arn