Add IAM Permissions Boundary support for environments #1928

Open: petrkalos wants to merge 9 commits into main from feature/permission_boundaries

petrkalos (Contributor) commented Mar 18, 2026

Summary

Adds the ability to configure an IAM Permissions Boundary policy on data.all environments. When set, the boundary is automatically applied to all IAM roles created by the environment, dataset, and pipeline CDK stacks — including roles auto-generated by CDK constructs (e.g. cr.Provider, BucketDeployment).

This is a common requirement for organizations that enforce permissions boundaries as part of their AWS account governance.

Changes

Backend

  • GraphQL schema (input_types.py, types.py): Added PermissionsBoundaryPolicyArn as an optional string field to NewEnvironmentInput, ModifyEnvironmentInput, and the Environment type.
  • DB model (environment_models.py): Added nullable PermissionsBoundaryPolicyArn column to the Environment model.
  • Service (environment_service.py): Handles the new field on create and update. On update, the field is set when the key is present in the input (including an empty string to clear it).
  • CDK Aspect (permissions_boundary_aspect.py): New PermissionsBoundaryAspect class that walks the construct tree and adds PermissionsBoundary to every AWS::IAM::Role resource. Applied in:
    • environment_stack.py
    • dataset_stack.py
    • datapipelines_pipeline.py
  • Migration (a4f8b2c1d3e5): Adds the PermissionsBoundaryPolicyArn column to the environment table.

Migration fix

  • ba2da94739ab: Replaced ORM session.query(Environment) and session.query(DatasetBase) with raw SQL queries. The ORM model now includes the new column, which doesn't exist in the DB when this older migration runs — causing a ProgrammingError. Using raw SQL with only the needed columns avoids this.

Frontend

  • getEnvironment.js: Added PermissionsBoundaryPolicyArn to the GraphQL query.
  • EnvironmentCreateForm.js: Added optional text field in the Deployment card and included the value in the create mutation payload.
  • EnvironmentEditForm.js: Added optional text field in the AWS Information card and included the value in the update mutation payload.
  • EnvironmentConsoleAccess.js: Displays the boundary ARN in the AWS Information section on the environment details page (conditionally rendered when set).

Integration tests

  • queries.py: Added PermissionsBoundaryPolicyArn to the ENV_TYPE fragment and as an optional parameter to create_environment.
  • global_conftest.py: Passed the new parameter through the create_env context manager. session_env1 now creates with PermissionsBoundaryPolicyArn='arn:aws:iam::aws:policy/AdministratorAccess'.
  • test_environment.py: Added test_env_permissions_boundary which asserts the boundary ARN is returned by the API and verifies the environment's default IAM role in AWS has the boundary attached.

How it works

  1. User provides a pre-existing IAM policy ARN (the boundary) when creating or editing an environment.
  2. The ARN is stored on the environment record.
  3. On stack deployment, a CDK Aspect applies the boundary to every IAM role in the CloudFormation template.
  4. Clearing the ARN (empty string) removes the Aspect, and the next deploy removes the boundary from roles.
  5. Dataset and pipeline stacks read the boundary from their parent environment and apply the same Aspect.

Testing

  • Verified environment creation with boundary via local docker-compose deployment
  • Confirmed IAM roles in AWS have the PermissionsBoundary property set after stack deployment
  • Migration tested against fresh and existing databases

Resolve #1233

petrkalos force-pushed the feature/permission_boundaries branch from e9f6db7 to eee7891 on March 18, 2026 15:01
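
Added example, not part of the PR or the data.all code base: a check a reviewer could run over a synthesized CloudFormation template to confirm that every AWS::IAM::Role, including roles generated by CDK constructs, carries the configured boundary. The function name, the logical IDs, the account number and the policy name are constructed for illustration.

```python
ROLE_TYPE = "AWS::IAM::Role"


def audit_boundaries(template: dict, expected_arn: str) -> dict:
    """Return {logical_id: finding} for each IAM role not bound to expected_arn."""
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != ROLE_TYPE:
            continue  # only roles are in scope, as in the PR description
        boundary = (resource.get("Properties") or {}).get("PermissionsBoundary")
        if boundary is None:
            findings[logical_id] = "missing"
        elif isinstance(boundary, dict):
            # Fn::Sub / Ref / Fn::Join: cannot be compared without resolving it
            findings[logical_id] = "unresolved-intrinsic"
        elif boundary != expected_arn:
            findings[logical_id] = "mismatch"
    return findings


# Constructed values: placeholder account, policy name and logical IDs.
EXPECTED_ARN = "arn:aws:iam::111122223333:policy/ExampleBoundary"
SAMPLE_TEMPLATE = {
    "Resources": {
        "EnvironmentDefaultRole": {
            "Type": ROLE_TYPE,
            "Properties": {"PermissionsBoundary": EXPECTED_ARN},
        },
        # Stands in for a role created implicitly by a construct
        "ProviderFrameworkRole": {"Type": ROLE_TYPE, "Properties": {}},
        "PipelineRole": {
            "Type": ROLE_TYPE,
            "Properties": {
                "PermissionsBoundary": "arn:aws:iam::111122223333:policy/Other"
            },
        },
        "DeployRole": {
            "Type": ROLE_TYPE,
            "Properties": {"PermissionsBoundary": {"Fn::Sub": "arn:${AWS::Partition}:iam::111122223333:policy/ExampleBoundary"}},
        },
        "DataBucket": {"Type": "AWS::S3::Bucket"},
    }
}

if __name__ == "__main__":
    for logical_id, finding in sorted(audit_boundaries(SAMPLE_TEMPLATE, EXPECTED_ARN).items()):
        print(f"{logical_id}: {finding}")
```

An empty result means every role in the template carries the expected boundary; any entry names a role to inspect before deployment.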

Development

Successfully merging this pull request may close these issues.

Add Permissions boundary to the Roles