Merge branch 'fix/cf-iam-updates' into 'develop'

Update IAM role along with short demo placeholders

See merge request genaiic-reusable-assets/engagement-artifacts/genaiic-idp-accelerator!451

Author: rstrahan

docs/deployment.md

@@ -104,6 +104,9 @@ idp-cli deploy \
 
 ## Option 3: Build Deployment Assets from Source Code
 
+Demo Video (5 minutes)
+
+
 ### Dependencies
 
 You need to have the following packages installed on your computer:

iam-roles/cloudformation-management/IDP-Cloudformation-Service-Role.yaml

@@ -8,7 +8,6 @@ Description: >
   service role to CloudFormation. The iam:PassRole policy must be attached to
   the user or role that will be using the CloudFormation Service Role in order
   to successfully pass the role.
-
 Resources:
   CloudFormationServiceRole:
     Type: AWS::IAM::Role
@@ -55,28 +54,34 @@ Resources:
                   - iam:DeleteRole
                   - iam:UpdateRole
                   - iam:GetRole
+                  - iam:GetRolePolicy
                   - iam:ListRoles
+                  - iam:ListRolePolicies
+                  - iam:ListAttachedRolePolicies
+                  - iam:ListRoleTags
+                  - iam:PutRolePolicy
+                  - iam:DeleteRolePolicy
+                  - iam:AttachRolePolicy
+                  - iam:DetachRolePolicy
+                  - iam:TagRole
+                  - iam:UntagRole
+                  - iam:PassRole
+                  - iam:CreateServiceLinkedRole
+                  - iam:DeleteServiceLinkedRole
+                Resource: '*'
+              - Effect: Allow
+                Action:
                   - iam:CreatePolicy
                   - iam:DeletePolicy
                   - iam:GetPolicy
+                  - iam:GetPolicyVersion
                   - iam:ListPolicies
                   - iam:ListPolicyVersions
                   - iam:CreatePolicyVersion
                   - iam:DeletePolicyVersion
                   - iam:SetDefaultPolicyVersion
-                  - iam:AttachRolePolicy
-                  - iam:DetachRolePolicy
-                  - iam:PutRolePolicy
-                  - iam:DeleteRolePolicy
-                  - iam:GetRolePolicy
-                  - iam:ListRolePolicies
-                  - iam:ListAttachedRolePolicies
-                  - iam:CreateServiceLinkedRole
-                  - iam:DeleteServiceLinkedRole
-                  - iam:TagRole
-                  - iam:UntagRole
-                  - iam:ListRoleTags
-                  - iam:PassRole
+                  - iam:TagPolicy
+                  - iam:UntagPolicy
                 Resource: '*'
         - PolicyName: IDPAcceleratorPermissions
           PolicyDocument:
@@ -129,7 +134,6 @@ Resources:
                   - ec2:DescribeAvailabilityZones
                   - ecr:*
                 Resource: '*'
-
   PassRolePolicy:
     Type: AWS::IAM::ManagedPolicy
     Metadata:
@@ -158,4 +162,4 @@ Outputs:
     Description: ARN of the PassRole policy for admins to assign to users
     Value: !Ref PassRolePolicy
     Export:
-      Name: !Sub '${AWS::StackName}-PassRolePolicyArn'
+      Name: !Sub '${AWS::StackName}-PassRolePolicyArn'

iam-roles/cloudformation-management/README.md

@@ -15,6 +15,8 @@ This approach enables a security model where:
 
 The **IDPAcceleratorCloudFormationServiceRole** is a CloudFormation service role that provides the necessary permissions for AWS CloudFormation to deploy, update, and manage GenAI IDP Accelerator stacks across all patterns (Pattern 1: BDA, Pattern 2: Textract+Bedrock, Pattern 3: Textract+UDOP+Bedrock). This role can only be assumed by the CloudFormation service, not by users directly.
 
+Demo (5 minutes)
+
 ### Key Capabilities
 - **Full CloudFormation Management**: Create, update, delete IDP stacks - This IAM service role (which CloudFormation assumes) gives necessary privileges to create/update/delete the stack which is helpful in development and sandbox environments. In production environments, admins can further limit these permissions to their discretion (e.g. disabling stack deletion).