Merged
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -13,6 +13,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

### Changed
- Increased the maximum `stride_for_norm_param_estimation` to 32 from 16 for the `OPERA_DIST_S1` job specification to handle models with a larger input size.
- The hyp3-ci stack permission for JPL deployments were expanded to support deploying HyP3-based monitoring stacks:
- Listing CloudFormation stacks is now allowed.
- CloudFormation permissions were expanded to any region from just us-west-2.
- ECR actions are now allowed.

## [10.12.1]
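Review bot: The sub-item "ECR actions are now allowed" understates what the policy change in this PR grants. The template adds `ecr:GetAuthorizationToken` plus ten pull and push actions on `repository/*` in every region, so the entry should say that image pull and push are now allowed on all ECR repositories in the account. The lead sentence also has a number mismatch: "The hyp3-ci stack permission ... were expanded" should read "permissions ... were expanded".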

5 changes: 1 addition & 4 deletions README.md
Expand Up @@ -184,10 +184,7 @@ aws cloudformation deploy \
--template-file cicd-stacks/JPL-deployment-policy-cf.yml
```

*Warning: This stack should only be deployed once per AWS account. This stack also
assumes you are only deploying into a single AWS Region. If you are deploying into
multiple regions in the same AWS account, you'll need to adjust the IAM permissions
that are limited to a single region.*
*Warning: This stack should only be deployed once per AWS account.*

Then open a [Cloud Team Service Desk](https://itsd-jira.jpl.nasa.gov/servicedesk/customer/portal/13)
request for a service user account here:
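Review bot: Dropping the single-region caveat from the warning leaves readers with no statement of how far the policy now reaches. The replacement line should say that the CloudFormation and ECR permissions apply in every region of the account, so whoever deploys this stack knows the scope of the service user. Only the CloudFormation resource is shown changing from `${AWS::Region}` to `*` in this PR; please confirm no other statement in the template is still limited to a single region, otherwise the removed sentence still applies to it.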
18 changes: 17 additions & 1 deletion cicd-stacks/JPL-deployment-policy-cf.yml
Expand Up @@ -18,6 +18,7 @@ Resources:
- dynamodb:*
- ec2:*
- ecs:*
- ecr:GetAuthorizationToken
- events:*
- iam:CreateServiceLinkedRole
- iam:DeleteServiceLinkedRole
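Review bot: `ecr:GetAuthorizationToken` is inserted after `ecs:*`, which breaks the alphabetical order the rest of this action list follows (`dynamodb`, `ec2`, `ecs`, `events`, `iam`); move it above `ecs:*`. The statement's `Resource` is outside this hunk, so please also confirm it is `"*"`, since this action cannot be scoped to a repository ARN. A short comment on why it sits here rather than with the other ECR actions added later in the file would help the next reader.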
Expand Down Expand Up @@ -49,6 +50,7 @@ Resources:
- Effect: Allow
Action:
- cloudformation:SetStackPolicy
- cloudformation:ListStacks
- cloudformation:CreateStack
- cloudformation:UpdateStack
- cloudformation:DeleteStack
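Review bot: `cloudformation:ListStacks` is added to a statement whose `Resource` is the `stack/*` ARN pattern (shown in the next hunk), but listing is an account-level call rather than an operation on one stack. Please verify, for example with the IAM policy simulator or a test call from the CI user, that the action is actually granted under that resource; if it is not, it needs its own statement with `Resource: "*"`. Placing the new action between `SetStackPolicy` and `CreateStack` is fine stylistically.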
Expand All @@ -57,7 +59,21 @@ Resources:
- cloudformation:ExecuteChangeSet
- cloudformation:DeleteChangeSet
- cloudformation:GetTemplateSummary
Resource: !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*"
Resource: !Sub "arn:aws:cloudformation:*:${AWS::AccountId}:stack/*"

- Effect: Allow
Action:
- ecr:BatchCheckLayerAvailability
- ecr:GetDownloadUrlForLayer
- ecr:DescribeRepositories
- ecr:ListImages
- ecr:DescribeImages
- ecr:BatchGetImage
- ecr:InitiateLayerUpload
- ecr:UploadLayerPart
- ecr:CompleteLayerUpload
- ecr:PutImage
Resource: !Sub "arn:aws:ecr:*:${AWS::AccountId}:repository/*"

ApiGatewayLoggingRole:
Type: Custom::JplRole
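Review bot: The new ECR statement allows `ecr:PutImage` and the layer-upload actions on `arn:aws:ecr:*:${AWS::AccountId}:repository/*`, so the CI user can push to every repository in the account in every region, including ones unrelated to HyP3. Consider limiting the resource to a repository name prefix used by the monitoring stacks, or splitting the statement so the read actions keep `repository/*` and the four push actions get the narrower resource. The same applies to the CloudFormation resource above: with the region changed to `*`, `cloudformation:DeleteStack` and `cloudformation:UpdateStack` now apply to any stack in any region, and a stack name prefix in place of `stack/*` would keep that bounded.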