diff --git a/ecs/pkg/amazon/cloudformation.go b/ecs/pkg/amazon/cloudformation.go index c95034919..6afa06c3d 100644 --- a/ecs/pkg/amazon/cloudformation.go +++ b/ecs/pkg/amazon/cloudformation.go @@ -426,7 +426,6 @@ func normalizeResourceName(s string) string { } func (c client) getPolicy(taskDef *ecs.TaskDefinition) (*PolicyDocument, error) { - arns := []string{} for _, container := range taskDef.ContainerDefinitions { if container.RepositoryCredentials != nil { diff --git a/ecs/pkg/amazon/cloudformation_test.go b/ecs/pkg/amazon/cloudformation_test.go index 84b7c9bcc..e23079d5b 100644 --- a/ecs/pkg/amazon/cloudformation_test.go +++ b/ecs/pkg/amazon/cloudformation_test.go @@ -4,15 +4,13 @@ import ( "fmt" "testing" - "github.com/awslabs/goformation/v4/cloudformation/ec2" - "github.com/awslabs/goformation/v4/cloudformation" + "github.com/awslabs/goformation/v4/cloudformation/ec2" + "github.com/awslabs/goformation/v4/cloudformation/iam" "github.com/compose-spec/compose-go/loader" "github.com/compose-spec/compose-go/types" - - "gotest.tools/assert" - "github.com/docker/ecs-plugin/pkg/compose" + "gotest.tools/assert" "gotest.tools/v3/golden" ) 
@@ -30,6 +28,26 @@ func TestSimpleWithOverrides(t *testing.T) { golden.Assert(t, result, expected) } +func TestRolePolicy(t *testing.T) { + template := convertYaml(t, ` +version: "3" +services: + foo: + image: hello_world + x-aws-pull_credentials: "secret" +`) + role := template.Resources["FooTaskExecutionRole"].(*iam.Role) + assert.Check(t, role != nil) + assert.Check(t, role.ManagedPolicyArns[0] == ECSTaskExecutionPolicy) + assert.Check(t, role.ManagedPolicyArns[1] == ECRReadOnlyPolicy) + // We expect an extra policy has been created for x-aws-pull_credentials + assert.Check(t, len(role.Policies) == 1) + policy := role.Policies[0].PolicyDocument.(*PolicyDocument) + expected := []string{"secretsmanager:GetSecretValue", "ssm:GetParameters", "kms:Decrypt"} + assert.DeepEqual(t, expected, policy.Statement[0].Action) + assert.DeepEqual(t, []string{"secret"}, policy.Statement[0].Resource) +} + func TestMapNetworksToSecurityGroups(t *testing.T) { template := convertYaml(t, ` version: "3"
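Review bot: TestRolePolicy inspects only `policy.Statement[0]`, so the test would still pass if the generated pull-credentials policy gained a second, broader statement (for example one with a wildcard resource). Since this test is the guard on how narrowly the task execution role is scoped, pin the count with `assert.Assert(t, len(policy.Statement) == 1)` before the two `DeepEqual` calls. The preconditions use non-fatal `assert.Check`, and the single-value assertion `.(*iam.Role)` panics when the resource is missing, so a regression shows up as a panic or index-out-of-range instead of a readable failure. Using `role, ok := template.Resources["FooTaskExecutionRole"].(*iam.Role)` followed by `assert.Assert(t, ok)` and `assert.Assert(t, len(role.Policies) == 1)` stops cleanly. Separately, confirm that `kms:Decrypt` is meant to be limited to the secret's own resource, since that action is normally evaluated against a KMS key ARN; the code that builds the policy is outside this hunk.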