-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(ecs-service-extensions): allow taskRole to be passed in on creation of an ECS service #13834
Conversation
Title does not follow the guidelines of Conventional Commits. Please adjust title before merge. |
This looks good to me! One minor nit: it would be ideal to provide a separate test case for passing a role in, and perhaps also provide handling for the case where a user passes in a role with mutable set to false, like this: const role = iam.Role.fromRoleArn(this, 'Role', 'arn:aws:iam::123456789012:role/MyExistingRole', {
// Set 'mutable' to 'false' to use the role as-is and prevent adding new
// policies to it. The default is 'true', which means the role may be
// modified as part of the deployment.
mutable: false,
}); I believe this would cause the ecs-service-extensions to fail, as many of the extensions attempt to mutate the role, so if it is not mutable it will fail. We would ideally have a test case for this, and verify that the resulting error message is sensible, something like "When passing an IAM role it must be mutable, so that extensions can add their required policies to the role" Let me know if this is something you can add, if not we can still merge this in and fill that in later. |
@nathanpeck I finally got a few minutes to look at adding this tests but I couldn't get anything to fail like you had expected with mutable: false. Here's a look at what I attempted to add and run Another thing related to this that wasn't clear to me as a contributor. In order to make a new integration test case like this, it says to setup your AWS credentials first and then you can run Here's what the error looked like if you can help at all:
I manually constructed the snapshot just to validate that Any help you can provide to get past this final hump? |
@nathanpeck I was able to get the integration tests to fully deploy and work correctly with Thoughts? Are we good to proceed without this test or did you want something different? |
@brentryan can you show a small example where a Role is imported with |
@skinny85 See example test I made here: https://github.com/brentryan/aws-cdk/pull/1/files#diff-a085d1e5ae122c741bc547a19a09ae61602186c399be47cf92d4c1397462c73fR21 Then if you look at the You may need to click "load diff" to render the large cloudformation in your browser and look at line 1019. You can see an example of where the role in this test case is being mutated https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk-containers/ecs-service-extensions/lib/extensions/appmesh.ts#L210 |
That is an interesting find. The code in ecs-service-extensions that mutates the role can be found here: https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk-containers/ecs-service-extensions/lib/extensions/cloudwatch-agent.ts#L51-L60 Basically it is creating a new |
Ah, that's probably what it is! Nice catch @nathanpeck. I guess this should be solved in the IAM library then. |
@skinny85 Are you creating a bug against the iam package for this? Do you want me to do anything with regards to that? @nathanpeck How do you want me to handle this given the bug in iam? |
I don't want to block this PR on a possible bug in the IAM module, especially since this bug may require investigation to see if fixing it in IAM would cause unintended sideffects in other modules. I'll approve this PR for merge. |
@nathanpeck I clicked the "Update Branch" button by accident. Need another approval it looks like. Sorry. |
@nathanpeck @skinny85 Sorry to be a bother, but anything we can do to kick this along? I'm not sure what's normal for how long to wait or who else to contact. |
Sorry it looks like it was hung up on one of the checks. I hit the button to retry the checks, and merge again. |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
It looks like it successfully merged this time! Thanks so much for the contribution @brentryan |
This PR should address issue #13304
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license