Feature/aws ecs/add ability attaching policy for task role #1935
Hi @psihachina, Does your use-case require that policies change from deployment to deployment, or are you looking for a way to use the same long-lived policy for every deployment for a given app?
Hi @izaaklauer, The most important thing in our use is the function of automatic policy creation itself, so that the user can describe the policy he needs and Waypoint creates it itself. Please correct me if I misunderstood.
Hey @psihachina, I asked because right now waypoint has a great system for creating and managing operation-scoped resources (i.e. resources that need to be created and destroyed for every deployment or release), but not a great system for managing project-scoped resources (i.e. resources that need to be created once for each app and can be re-used for each deployment). We'd like to avoid waypoint managing more project-scoped resources until we can build better support for them. The fact that it's impossible to use a custom task-role policy is definitely a problem though, and thank you for bringing it to light! Our preferred solution to this for now would be to add a config field called Would that work for your use-case?
Hey @izaaklauer, I understand your point of view. You already have such a field as
Hey, @izaaklauer, I see your point with project-scoped resources and a solution with passing task role
Hey, @psihachina. Thanks for the PR! Regarding the
37638a3 to 6f0dd44
Hi @izaaklauer, I added a field
Thanks for changing your approach! While this does introduce some new complexity around the task role (i.e. we're now sometimes looking for a task role by a given name, and sometimes creating one with the given name), I think users being able to add capabilities to their apps without interacting too deeply with IAM is a nice addition to waypoint.
Could you also add a changelog entry for this change? https://github.com/hashicorp/waypoint/blob/main/.github/CHANGELOG_GUIDE.md
Thanks for applying the suggestions! This looks good to me.
Just a note - we're going to be refactoring much of the structure of the ECS plugin shortly (in this pr: #2098), but we'll make sure these changes are incorporated into the restructure.
There's a bug in the overall refactor though - intermittent argmapper errors coming out of DestroyAll
This commit adds the ability to pass IAM Policy ARN for attaching to new task role, for example
Test