fix: update policy
mazyu36 committed Jun 23, 2024
1 parent 3b95777 commit 1e922b8
Showing 9 changed files with 276 additions and 103 deletions.
1 change: 1 addition & 0 deletions packages/@aws-cdk/aws-apprunner-alpha/lib/service.ts
@@ -1301,6 +1301,7 @@ export class Service extends cdk.Resource implements iam.IGrantable {
// grant required privileges for the role
if (this.source.ecrRepository && this.accessRole) {
this.source.ecrRepository.grantPull(this.accessRole);
this.source.ecrRepository.grant(this.accessRole, 'ecr:DescribeImages');
}

this.serviceArn = resource.attrServiceArn;
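Review bot: The added `this.source.ecrRepository.grant(this.accessRole, 'ecr:DescribeImages');` is scoped to the repository like `grantPull`, which keeps the role narrow, but nothing records why image-metadata read access is needed on top of pull access, and the existing header comment `// grant required privileges for the role` does not say either. The unit test in this commit shows the grant lands as a separate policy statement on the same repository ARN rather than being merged with the pull actions; that is fine for least privilege, but a later reader may drop it as redundant. Suggest a why-comment above the call such as `// ecr:DescribeImages is required alongside pull access for the App Runner source (see <ISSUE_OR_DOC_LINK>)`, with the reference filled in from whatever this fix addresses, since the need is not derivable from the code. The enclosing method starts and ends outside the hunk.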

@@ -1,5 +1,22 @@
{
"Resources": {
"Service3InstanceRoleD40BEE82": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "tasks.apprunner.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
}
},
"Service3AccessRole3ACBAAA0": {
"Type": "AWS::IAM::Role",
"Properties": {
@@ -31,6 +48,7 @@
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr:GetDownloadUrlForLayer"
],
"Effect": "Allow",
@@ -72,6 +90,19 @@
"Service342D067F2": {
"Type": "AWS::AppRunner::Service",
"Properties": {
"InstanceConfiguration": {
"InstanceRoleArn": {
"Fn::GetAtt": [
"Service3InstanceRoleD40BEE82",
"Arn"
]
}
},
"NetworkConfiguration": {
"EgressConfiguration": {
"EgressType": "DEFAULT"
}
},
"SourceConfiguration": {
"AuthenticationConfiguration": {
"AccessRoleArn": {
@@ -91,19 +122,23 @@
},
"ImageRepositoryType": "ECR"
}
},
"InstanceConfiguration": {
"InstanceRoleArn": {
"Fn::GetAtt": [
"Service3InstanceRoleD40BEE82",
"Arn"
]
}
}
},
"Service2InstanceRole3F57F2AA": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "tasks.apprunner.amazonaws.com"
}
}
},
"NetworkConfiguration": {
"EgressConfiguration": {
"EgressType": "DEFAULT"
}
],
"Version": "2012-10-17"
}
}
},
@@ -138,6 +173,7 @@
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr:GetDownloadUrlForLayer"
],
"Effect": "Allow",
@@ -179,6 +215,19 @@
"Service2AB4D14D8": {
"Type": "AWS::AppRunner::Service",
"Properties": {
"InstanceConfiguration": {
"InstanceRoleArn": {
"Fn::GetAtt": [
"Service2InstanceRole3F57F2AA",
"Arn"
]
}
},
"NetworkConfiguration": {
"EgressConfiguration": {
"EgressType": "DEFAULT"
}
},
"SourceConfiguration": {
"AuthenticationConfiguration": {
"AccessRoleArn": {
@@ -217,56 +266,9 @@
},
"ImageRepositoryType": "ECR"
}
},
"InstanceConfiguration": {
"InstanceRoleArn": {
"Fn::GetAtt": [
"Service2InstanceRole3F57F2AA",
"Arn"
]
}
},
"NetworkConfiguration": {
"EgressConfiguration": {
"EgressType": "DEFAULT"
}
}
}
},
"Service3InstanceRoleD40BEE82": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "tasks.apprunner.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
}
},
"Service2InstanceRole3F57F2AA": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "tasks.apprunner.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
}
}
}
},
"Outputs": {
"URL3": {

@@ -2,6 +2,7 @@ import * as path from 'path';
import * as assets from 'aws-cdk-lib/aws-ecr-assets';
import * as cdk from 'aws-cdk-lib';
import { Service, Source } from '../lib';
import * as integ from '@aws-cdk/integ-tests-alpha';

const app = new cdk.App();

@@ -29,3 +30,7 @@ const service2 = new Service(stack, 'Service2', {
}),
});
new cdk.CfnOutput(stack, 'URL2', { value: `https://${service2.serviceUrl}` });

new integ.IntegTest(app, 'AppRunnerEcr', {
testCases: [stack],
});
50 changes: 50 additions & 0 deletions packages/@aws-cdk/aws-apprunner-alpha/test/service.test.ts
@@ -524,6 +524,56 @@ test('create a service from existing ECR repository(image repository type: ECR)'
Version: '2012-10-17',
},
});
// we should have a followiny IAM Policy
Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
PolicyDocument: {
Statement: [
{
Effect: 'Allow',
Action: 'ecr:GetAuthorizationToken',
Resource: '*',
},
{
Effect: 'Allow',
Action: [
'ecr:BatchCheckLayerAvailability',
'ecr:GetDownloadUrlForLayer',
'ecr:BatchGetImage',
],
Resource: {
'Fn::Join': ['', [
'arn:',
{ Ref: 'AWS::Partition' },
':ecr:',
{ Ref: 'AWS::Region' },
':',
{ Ref: 'AWS::AccountId' },
':repository/nginx',
]],
},
},
{
Effect: 'Allow',
Action: 'ecr:DescribeImages',
Resource: {
'Fn::Join': ['', [
'arn:',
{ Ref: 'AWS::Partition' },
':ecr:',
{ Ref: 'AWS::Region' },
':',
{ Ref: 'AWS::AccountId' },
':repository/nginx',
]],
},
},
],
},
PolicyName: 'ServiceAccessRoleDefaultPolicy9C214812',
Roles: [
{ Ref: 'ServiceAccessRole4763579D' },
],
});
// we should have the service
Template.fromStack(stack).hasResourceProperties('AWS::AppRunner::Service', {
SourceConfiguration: {
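Review bot: The comment on the first added line, `// we should have a followiny IAM Policy`, has a typo and should read `// we should have the following IAM Policy`, matching the `// we should have the service` comment that follows the block. The assertion itself is worth keeping as written: as I read the assertions matcher, `hasResourceProperties` matches a nested `Statement` array by full length and order, so this pins that the only `Resource: '*'` statement is `ecr:GetAuthorizationToken` and that `ecr:DescribeImages` stays scoped to the repository ARN, meaning a later change that widened the grant would fail here. The enclosing `test(...)` callback starts and ends outside the hunk.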
