Launch policy defined twice - each different

[robsyme]

The launch policy looks to be defined twice:

once in launch/launch-policy.json:

nf-tower-aws/launch/launch-policy.json

Lines 5 to 8 in ca1eca1

	"Sid": "VisualEditor0",
	"Effect": "Allow",
	"Action": [
	"batch:DescribeJobQueues",

and once in forge/forge-policy.json (this json document contains both the forge policy and the second launch policy:

nf-tower-aws/forge/forge-policy.json

Lines 62 to 66 in ca1eca1

	"Sid": "TowerLaunch0",
	"Effect": "Allow",
	"Action": [
	"s3:Get*",
	"s3:List*",

There are differences between the two launch policies:

Is there any benefit in defining the launch policy in forge/forge-policy.json? Perhaps it would be best to remove it and rely on just the one copy in launch/launch-policy.json.

[pditommaso]

Because they are meant to be used indipendly

[robsyme]

I understand that the forge policy is to be used independently from the launch policy, but what is the difference between the two launch policies? Why would you need to define a launch policy if you are using Tower Forge - doesn't it create those policies for you anyway?

[pditommaso]

Why would you need to define a launch policy if you are using Tower Forge - doesn't it create those policies for you anyway?

Tower creates the instance policy and other permission policies used by the child jobs, but it cannot grant permissions to itself. Said differently, that's the policy to allow Forge to access Batch, Cloudwatch and other APIs required to launch the pipeline execution.

The launch policy is a subset of the forge policy because Forge requires more permissions to carry out some operation in place of the user.