
Feat/always enable autodeployment #93

Merged: ngjinshan merged 3 commits into main from feat/always-enable-autodeployment on May 10, 2026

Conversation

@ngjinshan (Collaborator)

Description

Brief description of the change and the problem it solves.

Type of change

  • Bug fix
  • New resource type support
  • Security improvement
  • Documentation update

Testing

  • Tested end-to-end in a real AWS account (or CI E2E will cover this)
  • No false positives observed
  • CloudWatch logs reviewed for errors

Checklist

  • CloudFormation template is valid (cfn-lint passes — checked by CI)
  • IAM permissions follow least-privilege (only tag actions added)
  • If adding a new service handler: corresponding resource added to .github/scripts/resource_groups/ for E2E coverage
  • CHANGELOG.md updated

CI Notes

Layer 1 (lint) runs immediately on every PR — ~1 min.
Layer 2 (E2E) runs when configurator.yaml or configurator.html changes — ~37 min across 7 AWS accounts. No AWS credentials needed.
If Layer 2 fails, download verification-report.json from the Actions run for details.

ngjinshan added 3 commits May 10, 2026 22:20
Remove CreateStack/CreateStackSet events and cloudformation:TagResource/
UpdateStack/UpdateStackSet permissions. CloudFormation stacks are not
MAP-eligible resources, and tagging them causes CFN to propagate tags
to child resources — triggering UPDATE_ROLLBACK_FAILED on unrelated
stacks when the tagger role lacks Describe permissions on those children.

DescribeStacks and ListStacks retained for peer-tagger detection.

Previously AutoDeployment was only enabled when scope was set to ALL
accounts. With specific-account scoping, new accounts joining the OU
would not receive the Lambda stack at all.

Now AutoDeployment is always enabled regardless of scope. The Lambda
deploys to every account but defers to the SSM scope parameter at
runtime — out-of-scope accounts no-op in ~100ms with negligible cost.
This ensures new accounts are pre-wired and customers only need to
run update.sh to bring them into scope when ready.
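The runtime scope check described in the second commit message, as an added example; this is not code from the PR or the project. It assumes a hypothetical SSM parameter named /map-tagger/scope that holds either ALL or a comma-separated list of 12-digit account IDs, reads the current account from the invocation ARN in the Lambda context, and takes an injected SSM client so it runs offline against constructed test doubles:

```python
"""Added example, not the project's code: a Lambda entry point that is
deployed to every account (AutoDeployment always on) but defers to an
SSM scope parameter at runtime, so out-of-scope accounts return early.

Assumed (not stated in the PR): the parameter is /map-tagger/scope and
holds either ALL or a comma-separated list of 12-digit account IDs; the
current account is read from the invocation ARN in the Lambda context.
"""
from __future__ import annotations
from dataclasses import dataclass

SCOPE_PARAM = "/map-tagger/scope"  # assumed parameter name


class ParameterNotFound(Exception):
    """Stands in for boto3's client.exceptions.ParameterNotFound."""


def parse_scope(raw: str) -> set[str] | None:
    """ALL -> None (every account in scope); otherwise the set of IDs.
    Anything that is not a 12-digit account ID raises, so a malformed
    parameter fails closed instead of silently widening scope."""
    value = raw.strip()
    if value.upper() == "ALL":
        return None
    ids = {p.strip() for p in value.split(",") if p.strip()}
    bad = sorted(i for i in ids if not (len(i) == 12 and i.isdigit()))
    if bad:
        raise ValueError(f"invalid account IDs in {SCOPE_PARAM}: {bad}")
    return ids


def in_scope(account_id: str, raw_scope: str) -> bool:
    ids = parse_scope(raw_scope)
    return ids is None or account_id in ids


def account_id_from_arn(arn: str) -> str:
    # arn:aws:lambda:<region>:<account>:function:<name>
    return arn.split(":")[4]


def handler(event: dict, context, ssm) -> dict:
    """Entry point. `ssm` is injected so the example runs offline; in the
    deployed function it would be boto3.client("ssm"). Returns a small
    result dict so the decision is observable from tests and logs."""
    account = account_id_from_arn(context.invoked_function_arn)
    try:
        raw = ssm.get_parameter(Name=SCOPE_PARAM)["Parameter"]["Value"]
    except ParameterNotFound:
        # No scope set in this account yet: stay idle rather than tag.
        return {"account": account, "action": "skip", "reason": "no scope parameter"}
    try:
        if not in_scope(account, raw):
            return {"account": account, "action": "skip", "reason": "out of scope"}
    except ValueError as exc:
        return {"account": account, "action": "skip", "reason": str(exc)}
    # In scope: this is where the real tagging work would run.
    return {"account": account, "action": "tag", "reason": "in scope"}


# --- constructed test doubles so the module runs without AWS ----------------
@dataclass
class FakeContext:
    invoked_function_arn: str


class FakeSSM:
    def __init__(self, params: dict[str, str]):
        self._params = params

    def get_parameter(self, Name: str, WithDecryption: bool = False) -> dict:
        if Name not in self._params:
            raise ParameterNotFound(Name)
        return {"Parameter": {"Name": Name, "Value": self._params[Name]}}


def demo() -> list[str]:
    """Constructed scenario: two accounts share one scope value (only the
    first is listed), and a third, newly joined account has no parameter."""
    scope = {SCOPE_PARAM: "111111111111, 333333333333"}
    results = []
    for acct in ("111111111111", "222222222222"):
        ctx = FakeContext(f"arn:aws:lambda:us-east-1:{acct}:function:map-tagger")
        results.append(handler({}, ctx, FakeSSM(scope))["action"])
    ctx = FakeContext("arn:aws:lambda:us-east-1:444444444444:function:map-tagger")
    results.append(handler({}, ctx, FakeSSM({}))["action"])
    return results


if __name__ == "__main__":
    print(demo())
```

The check is deliberately fail-closed: a missing parameter or a malformed account list produces a skip, never a tag, so a bad `update.sh` run in one account cannot make the Lambda act where it was not meant to.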
ngjinshan requested a review from hyunsies as a code owner May 10, 2026 15:11
ngjinshan merged commit dce27fe into main May 10, 2026
20 checks passed
