drop GetEcsTaskExecutionRole which is not in used anymore

We need to define a way for compose-user to declare additional Policies to be added to TaskExecutionRole Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
2020-05-04 15:15:22 +02:00 · 2020-05-04 15:15:22 +02:00 · 2544307f55
parent 3e30f2cd1a
commit 2544307f55
4 changed files with 54 additions and 58 deletions
--- a/ecs/pkg/amazon/cloudformation.go
+++ b/ecs/pkg/amazon/cloudformation.go
@ -13,10 +13,8 @@ import (
 	"github.com/awslabs/goformation/v4/cloudformation/ec2"
 	"github.com/awslabs/goformation/v4/cloudformation/ecs"
 	"github.com/awslabs/goformation/v4/cloudformation/iam"
-	"github.com/compose-spec/compose-go/types"
 	"github.com/docker/ecs-plugin/pkg/compose"
 	"github.com/docker/ecs-plugin/pkg/convert"
-	"github.com/sirupsen/logrus"
 )

 func (c client) Convert(ctx context.Context, project *compose.Project) (*cloudformation.Template, error) {
@ -118,43 +116,9 @@ func (c client) GetVPC(ctx context.Context, project *compose.Project) (string, e
 	return defaultVPC, nil
 }

-const ECSTaskExecutionPolicy = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
-
-var defaultTaskExecutionRole string
-
-// GetEcsTaskExecutionRole retrieve the role ARN to apply for task execution
-func (c client) GetEcsTaskExecutionRole(ctx context.Context, spec types.ServiceConfig) (string, error) {
-	if arn, ok := spec.Extras["x-ecs-TaskExecutionRole"]; ok {
-		return arn.(string), nil
-	}
-	if defaultTaskExecutionRole != "" {
-		return defaultTaskExecutionRole, nil
-	}
-
-	logrus.Debug("Retrieve Task Execution Role")
-	entities, err := c.api.ListRolesForPolicy(ctx, ECSTaskExecutionPolicy)
-	if err != nil {
-		return "", err
-	}
-	if len(entities) == 0 {
-		return "", fmt.Errorf("no Role is attached to AmazonECSTaskExecutionRole Policy, please provide an explicit task execution role")
-	}
-	if len(entities) > 1 {
-		return "", fmt.Errorf("multiple Roles are attached to AmazonECSTaskExecutionRole Policy, please provide an explicit task execution role")
-	}
-
-	arn, err := c.api.GetRoleArn(ctx, entities[0])
-	if err != nil {
-		return "", err
-	}
-	defaultTaskExecutionRole = arn
-	return arn, nil
-}
-
 type convertAPI interface {
 	GetDefaultVPC(ctx context.Context) (string, error)
 	VpcExists(ctx context.Context, vpcID string) (bool, error)
 	GetSubNets(ctx context.Context, vpcID string) ([]string, error)
-	ListRolesForPolicy(ctx context.Context, policy string) ([]string, error)
 	GetRoleArn(ctx context.Context, name string) (string, error)
 }
--- a/ecs/pkg/amazon/iam.go
+++ b/ecs/pkg/amazon/iam.go
@ -1,5 +1,7 @@
 package amazon

+const ECSTaskExecutionPolicy = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+
 var assumeRolePolicyDocument = PolicyDocument{
 	Version: "2012-10-17", // https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html
 	Statement: []PolicyStatement{
--- a/ecs/pkg/amazon/mock/api.go
+++ b/ecs/pkg/amazon/mock/api.go
@ -8,6 +8,7 @@ import (
 	context "context"
 	cloudformation "github.com/aws/aws-sdk-go/service/cloudformation"
 	cloudformation0 "github.com/awslabs/goformation/v4/cloudformation"
+	docker "github.com/docker/ecs-plugin/pkg/docker"
 	gomock "github.com/golang/mock/gomock"
 	reflect "reflect"
 )
@ -65,6 +66,21 @@ func (mr *MockAPIMockRecorder) CreateCluster(arg0, arg1 interface{}) *gomock.Cal
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateCluster", reflect.TypeOf((*MockAPI)(nil).CreateCluster), arg0, arg1)
 }

+// CreateSecret mocks base method
+func (m *MockAPI) CreateSecret(arg0 context.Context, arg1, arg2 string) (string, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "CreateSecret", arg0, arg1, arg2)
+	ret0, _ := ret[0].(string)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// CreateSecret indicates an expected call of CreateSecret
+func (mr *MockAPIMockRecorder) CreateSecret(arg0, arg1, arg2 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateSecret", reflect.TypeOf((*MockAPI)(nil).CreateSecret), arg0, arg1, arg2)
+}
+
 // CreateStack mocks base method
 func (m *MockAPI) CreateStack(arg0 context.Context, arg1 string, arg2 *cloudformation0.Template) error {
 	m.ctrl.T.Helper()
@ -93,6 +109,20 @@ func (mr *MockAPIMockRecorder) DeleteCluster(arg0, arg1 interface{}) *gomock.Cal
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteCluster", reflect.TypeOf((*MockAPI)(nil).DeleteCluster), arg0, arg1)
 }

+// DeleteSecret mocks base method
+func (m *MockAPI) DeleteSecret(arg0 context.Context, arg1 string, arg2 bool) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DeleteSecret", arg0, arg1, arg2)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DeleteSecret indicates an expected call of DeleteSecret
+func (mr *MockAPIMockRecorder) DeleteSecret(arg0, arg1, arg2 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteSecret", reflect.TypeOf((*MockAPI)(nil).DeleteSecret), arg0, arg1, arg2)
+}
+
 // DeleteStack mocks base method
 func (m *MockAPI) DeleteStack(arg0 context.Context, arg1 string) error {
 	m.ctrl.T.Helper()
@ -182,19 +212,34 @@ func (mr *MockAPIMockRecorder) GetSubNets(arg0, arg1 interface{}) *gomock.Call {
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetSubNets", reflect.TypeOf((*MockAPI)(nil).GetSubNets), arg0, arg1)
 }

-// ListRolesForPolicy mocks base method
-func (m *MockAPI) ListRolesForPolicy(arg0 context.Context, arg1 string) ([]string, error) {
+// InspectSecret mocks base method
+func (m *MockAPI) InspectSecret(arg0 context.Context, arg1 string) (docker.Secret, error) {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "ListRolesForPolicy", arg0, arg1)
-	ret0, _ := ret[0].([]string)
+	ret := m.ctrl.Call(m, "InspectSecret", arg0, arg1)
+	ret0, _ := ret[0].(docker.Secret)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }

-// ListRolesForPolicy indicates an expected call of ListRolesForPolicy
-func (mr *MockAPIMockRecorder) ListRolesForPolicy(arg0, arg1 interface{}) *gomock.Call {
+// InspectSecret indicates an expected call of InspectSecret
+func (mr *MockAPIMockRecorder) InspectSecret(arg0, arg1 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListRolesForPolicy", reflect.TypeOf((*MockAPI)(nil).ListRolesForPolicy), arg0, arg1)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "InspectSecret", reflect.TypeOf((*MockAPI)(nil).InspectSecret), arg0, arg1)
+}
+
+// ListSecrets mocks base method
+func (m *MockAPI) ListSecrets(arg0 context.Context) ([]docker.Secret, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ListSecrets", arg0)
+	ret0, _ := ret[0].([]docker.Secret)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ListSecrets indicates an expected call of ListSecrets
+func (mr *MockAPIMockRecorder) ListSecrets(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListSecrets", reflect.TypeOf((*MockAPI)(nil).ListSecrets), arg0)
 }

 // StackExists mocks base method
--- a/ecs/pkg/amazon/sdk.go
+++ b/ecs/pkg/amazon/sdk.go
@ -132,21 +132,6 @@ func (s sdk) GetSubNets(ctx context.Context, vpcID string) ([]string, error) {
 	return ids, nil
 }

-func (s sdk) ListRolesForPolicy(ctx context.Context, policy string) ([]string, error) {
-	entities, err := s.IAM.ListEntitiesForPolicyWithContext(ctx, &iam.ListEntitiesForPolicyInput{
-		EntityFilter: aws.String("Role"),
-		PolicyArn:    aws.String(policy),
-	})
-	if err != nil {
-		return nil, err
-	}
-	roles := []string{}
-	for _, e := range entities.PolicyRoles {
-		roles = append(roles, *e.RoleName)
-	}
-	return roles, nil
-}
-
 func (s sdk) GetRoleArn(ctx context.Context, name string) (string, error) {
 	role, err := s.IAM.GetRoleWithContext(ctx, &iam.GetRoleInput{
 		RoleName: aws.String(name),