Bearse Release 12.17.0

version: 2.17.0-b92

Update Summary

New IAM Roles

The new IAM roles remove the old ciinabox 2 role with full admin privileges and replace it with 2 new roles. The new roles allow for a higher level of account security, as well as support for MFA or custom ciinabox 2 IAM roles.

A new role for resource stop-start, ciinabox-stop-start-resources, has only the permissions required to stop and start the resources supported by the stop-start tool.

The ciinabox-v2 role replaces the ciinabox role in your Jenkins pipeline. It has limited permissions that allow CloudFormation deployments and queries, utilising a CloudFormation service role to offload the permissions. The ciinabox-cloudformation-deployer role is the CloudFormation service role; it has full admin permissions and can only be assumed by the CloudFormation service in the AWS account.
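Because ciinabox-cloudformation-deployer carries full admin permissions, the claim that only the CloudFormation service can assume it is worth checking against the role's trust policy. The following is an added example, not part of Bearse or ciinabox; the function name, the sample policy documents and the account id in them are constructed for illustration.

```python
import json

CFN = "cloudformation.amazonaws.com"

def as_list(v):
    return v if isinstance(v, list) else [v]

def audit_trust_policy(policy):
    """Return findings for Allow statements that let anything other than the
    CloudFormation service principal assume the role."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if "NotPrincipal" in stmt or not isinstance(principal, dict):
            # "*" or NotPrincipal opens the role to principals we cannot enumerate
            findings.append(f"statement {i}: open or negated principal")
            continue
        for kind, values in principal.items():
            for value in as_list(values):
                if (kind, value) != ("Service", CFN):
                    findings.append(f"statement {i}: {kind} {value} may assume the role")
    return findings

# Constructed sample documents (the account id is a placeholder).
GOOD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"Service": "cloudformation.amazonaws.com"},
                 "Action": "sts:AssumeRole"}]
}""")
BAD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"Service": ["cloudformation.amazonaws.com", "ec2.amazonaws.com"],
                               "AWS": "arn:aws:iam::111122223333:root"},
                 "Action": "sts:AssumeRole"}]
}""")

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("bad", BAD)):
        print(name, audit_trust_policy(doc) or "only CloudFormation can assume")
```

The trust policy of a deployed role can be fetched with aws iam get-role --role-name ciinabox-cloudformation-deployer --query Role.AssumeRolePolicyDocument and passed to audit_trust_policy after json.loads.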

To enable the new roles, one of the following Bearse parameters is required:

To utilise the new role in the pipeline, see the snippets below:

cloudformation

cloudformation(
  action: 'update',
  region: 'ap-southeast-2',
  accountId: '12345678912',
  role: 'path/ciinabox-v2', // role for cross account access
  stackName: 'my-stack',
  templateUrl: env.TEMPLATE_URL,
  roleArn: 'arn:aws:iam::12345678901:role/path/ciinabox-cloudformation-deployer' // role to pass to the ciinabox service
)

changesets

createChangeSet(
  description: env.GIT_COMMIT,
  region: 'ap-southeast-2',
  accountId: '12345678912',
  role: 'path/ciinabox-v2', // role for cross account access
  stackName: 'my-stack',
  templateUrl: env.TEMPLATE_URL,
  roleArn: 'arn:aws:iam::12345678901:role/path/ciinabox-cloudformation-deployer' // full role arn to pass to the ciinabox service
)

executeChangeSet(
  region: 'ap-southeast-2',
  stackName: 'my-stack',
  awsAccountId: '12345678912',
  role: 'ciinabox-v2'
)