compose/ecs/iam.go

/*
   Copyright 2020 Docker Compose CLI authors

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
*/

package ecs

const (
	ecsTaskExecutionPolicy = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
	ecrReadOnlyPolicy      = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
	ecsEC2InstanceRole     = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"

	actionGetSecretValue = "secretsmanager:GetSecretValue"
	actionGetParameters  = "ssm:GetParameters"
	actionDecrypt        = "kms:Decrypt"
)

var ecsTaskAssumeRolePolicyDocument = PolicyDocument{
	Version: "2012-10-17", // https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html
	Statement: []PolicyStatement{
		{
			Effect: "Allow",
			Principal: PolicyPrincipal{
				Service: "ecs-tasks.amazonaws.com",
			},
			Action: []string{"sts:AssumeRole"},
		},
	},
}

var ec2InstanceAssumeRolePolicyDocument = PolicyDocument{
	Version: "2012-10-17", // https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html
	Statement: []PolicyStatement{
		{
			Effect: "Allow",
			Principal: PolicyPrincipal{
				Service: "ec2.amazonaws.com",
			},
			Action: []string{"sts:AssumeRole"},
		},
	},
}

// PolicyDocument describes an IAM policy document
// could alternatively depend on https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/master/cmd/clusterawsadm/api/iam/v1alpha1/types.go
type PolicyDocument struct {
	Version   string            `json:",omitempty"`
	Statement []PolicyStatement `json:",omitempty"`
}

// PolicyStatement describes an IAM policy statement
type PolicyStatement struct {
	Effect    string          `json:",omitempty"`
	Action    []string        `json:",omitempty"`
	Principal PolicyPrincipal `json:",omitempty"`
	Resource  []string        `json:",omitempty"`
}

// PolicyPrincipal describes an IAM policy principal
type PolicyPrincipal struct {
	Service string `json:",omitempty"`
}
Copytight header Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com> 2020-08-18 11:38:23 +02:00			`/*`
Update copyright Signed-off-by: Chris Crone <christopher.crone@docker.com> 2020-09-22 12:13:00 +02:00			`Copyright 2020 Docker Compose CLI authors`
Copytight header Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com> 2020-08-18 11:38:23 +02:00
			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

Make ECS integration a compose-cli backend Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com> 2020-08-17 17:48:52 +02:00			`package ecs`
Create CloudWatch LogGroup and IAM TaskExecutionRole As part of the CloudFormation template, create a LogGroup and configure task with awslogs log-driver. Also create a dedicated IAM Role, with AmazonECSTaskExecutionRolePolicy. This one will later be fine-tuned to grant access to secrets/config and other AWS resources according to custom extensions close #42 Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com> 2020-05-04 15:09:08 +02:00
Create CloudFormation template with parameters so we don't need AWS API to resolve IDs and can run conversion offline Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com> 2020-05-12 15:22:17 +02:00			`const (`
Apply linter recommendations Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com> 2020-08-18 16:56:42 +02:00			`ecsTaskExecutionPolicy = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"`
			`ecrReadOnlyPolicy = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"`
Run on EC2 when a service require GPU Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com> 2020-09-07 11:20:41 +02:00			`ecsEC2InstanceRole = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"`
Create CloudFormation template with parameters so we don't need AWS API to resolve IDs and can run conversion offline Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com> 2020-05-12 15:22:17 +02:00
Apply linter recommendations Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com> 2020-08-18 16:56:42 +02:00			`actionGetSecretValue = "secretsmanager:GetSecretValue"`
			`actionGetParameters = "ssm:GetParameters"`
			`actionDecrypt = "kms:Decrypt"`
Create CloudFormation template with parameters so we don't need AWS API to resolve IDs and can run conversion offline Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com> 2020-05-12 15:22:17 +02:00			`)`
drop GetEcsTaskExecutionRole which is not in used anymore We need to define a way for compose-user to declare additional Policies to be added to TaskExecutionRole Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com> 2020-05-04 15:15:22 +02:00
Run on EC2 when a service require GPU Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com> 2020-09-07 11:20:41 +02:00			`var ecsTaskAssumeRolePolicyDocument = PolicyDocument{`
Create CloudWatch LogGroup and IAM TaskExecutionRole As part of the CloudFormation template, create a LogGroup and configure task with awslogs log-driver. Also create a dedicated IAM Role, with AmazonECSTaskExecutionRolePolicy. This one will later be fine-tuned to grant access to secrets/config and other AWS resources according to custom extensions close #42 Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com> 2020-05-04 15:09:08 +02:00			`Version: "2012-10-17", // https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html`
			`Statement: []PolicyStatement{`
			`{`
			`Effect: "Allow",`
			`Principal: PolicyPrincipal{`
			`Service: "ecs-tasks.amazonaws.com",`
			`},`
			`Action: []string{"sts:AssumeRole"},`
			`},`
			`},`
			`}`

Run on EC2 when a service require GPU Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com> 2020-09-07 11:20:41 +02:00			`var ec2InstanceAssumeRolePolicyDocument = PolicyDocument{`
			`Version: "2012-10-17", // https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html`
			`Statement: []PolicyStatement{`
			`{`
			`Effect: "Allow",`
			`Principal: PolicyPrincipal{`
			`Service: "ec2.amazonaws.com",`
			`},`
			`Action: []string{"sts:AssumeRole"},`
			`},`
			`},`
			`}`

Apply linter recommendations Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com> 2020-08-18 16:56:42 +02:00			`// PolicyDocument describes an IAM policy document`
Allow user to customize Roles / ManagedPolicy Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com> 2020-08-13 15:43:24 +02:00			`// could alternatively depend on https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/master/cmd/clusterawsadm/api/iam/v1alpha1/types.go`
Create CloudWatch LogGroup and IAM TaskExecutionRole As part of the CloudFormation template, create a LogGroup and configure task with awslogs log-driver. Also create a dedicated IAM Role, with AmazonECSTaskExecutionRolePolicy. This one will later be fine-tuned to grant access to secrets/config and other AWS resources according to custom extensions close #42 Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com> 2020-05-04 15:09:08 +02:00			`type PolicyDocument struct {`
			Version string `json:",omitempty"`
			Statement []PolicyStatement `json:",omitempty"`
			`}`

Apply linter recommendations Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com> 2020-08-18 16:56:42 +02:00			`// PolicyStatement describes an IAM policy statement`
Create CloudWatch LogGroup and IAM TaskExecutionRole As part of the CloudFormation template, create a LogGroup and configure task with awslogs log-driver. Also create a dedicated IAM Role, with AmazonECSTaskExecutionRolePolicy. This one will later be fine-tuned to grant access to secrets/config and other AWS resources according to custom extensions close #42 Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com> 2020-05-04 15:09:08 +02:00			`type PolicyStatement struct {`
			Effect string `json:",omitempty"`
			Action []string `json:",omitempty"`
			Principal PolicyPrincipal `json:",omitempty"`
			Resource []string `json:",omitempty"`
			`}`

Apply linter recommendations Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com> 2020-08-18 16:56:42 +02:00			`// PolicyPrincipal describes an IAM policy principal`
Create CloudWatch LogGroup and IAM TaskExecutionRole As part of the CloudFormation template, create a LogGroup and configure task with awslogs log-driver. Also create a dedicated IAM Role, with AmazonECSTaskExecutionRolePolicy. This one will later be fine-tuned to grant access to secrets/config and other AWS resources according to custom extensions close #42 Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com> 2020-05-04 15:09:08 +02:00			`type PolicyPrincipal struct {`
			Service string `json:",omitempty"`
			`}`