Distinguish TaskExecutionRole and TaskRole

Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
Nicolas De Loof 2020-09-08 15:18:02 +02:00
parent fda09712c0
commit 2f4011bfe6
No known key found for this signature in database
GPG Key ID: 9858809D6F8F6E7E


@ -159,12 +159,14 @@ func (b *ecsAPIService) convert(project *types.Project) (*cloudformation.Templat
return nil, err return nil, err
} }
taskExecutionRole, err := createTaskExecutionRole(service, err, definition, template) taskExecutionRole := createTaskExecutionRole(service, definition, template)
if err != nil {
return template, err
}
definition.ExecutionRoleArn = cloudformation.Ref(taskExecutionRole) definition.ExecutionRoleArn = cloudformation.Ref(taskExecutionRole)
taskRole := createTaskRole(service, template)
if taskRole != "" {
definition.TaskRoleArn = cloudformation.Ref(taskRole)
}
taskDefinition := fmt.Sprintf("%sTaskDefinition", normalizeResourceName(service.Name)) taskDefinition := fmt.Sprintf("%sTaskDefinition", normalizeResourceName(service.Name))
template.Resources[taskDefinition] = definition template.Resources[taskDefinition] = definition
@ -459,40 +461,43 @@ func createServiceRegistry(service types.ServiceConfig, template *cloudformation
return serviceRegistry return serviceRegistry
} }
func createTaskExecutionRole(service types.ServiceConfig, err error, definition *ecs.TaskDefinition, template *cloudformation.Template) (string, error) { func createTaskExecutionRole(service types.ServiceConfig, definition *ecs.TaskDefinition, template *cloudformation.Template) string {
taskExecutionRole := fmt.Sprintf("%sTaskExecutionRole", normalizeResourceName(service.Name)) taskExecutionRole := fmt.Sprintf("%sTaskExecutionRole", normalizeResourceName(service.Name))
policy := getPolicy(definition) policies := createPolicies(service, definition)
if err != nil { template.Resources[taskExecutionRole] = &iam.Role{
return taskExecutionRole, err AssumeRolePolicyDocument: assumeRolePolicyDocument,
} Policies: policies,
rolePolicies := []iam.Role_Policy{} ManagedPolicyArns: []string{
if policy != nil { ecsTaskExecutionPolicy,
rolePolicies = append(rolePolicies, iam.Role_Policy{ ecrReadOnlyPolicy,
PolicyDocument: policy, },
PolicyName: fmt.Sprintf("%sGrantAccessToSecrets", service.Name),
})
} }
return taskExecutionRole
}
func createTaskRole(service types.ServiceConfig, template *cloudformation.Template) string {
taskRole := fmt.Sprintf("%sTaskRole", normalizeResourceName(service.Name))
rolePolicies := []iam.Role_Policy{}
if roles, ok := service.Extensions[extensionRole]; ok { if roles, ok := service.Extensions[extensionRole]; ok {
rolePolicies = append(rolePolicies, iam.Role_Policy{ rolePolicies = append(rolePolicies, iam.Role_Policy{
PolicyDocument: roles, PolicyDocument: roles,
}) })
} }
managedPolicies := []string{ managedPolicies := []string{}
ecsTaskExecutionPolicy,
ecrReadOnlyPolicy,
}
if v, ok := service.Extensions[extensionManagedPolicies]; ok { if v, ok := service.Extensions[extensionManagedPolicies]; ok {
for _, s := range v.([]interface{}) { for _, s := range v.([]interface{}) {
managedPolicies = append(managedPolicies, s.(string)) managedPolicies = append(managedPolicies, s.(string))
} }
} }
template.Resources[taskExecutionRole] = &iam.Role{ if len(rolePolicies) == 0 && len(managedPolicies) == 0 {
return ""
}
template.Resources[taskRole] = &iam.Role{
AssumeRolePolicyDocument: assumeRolePolicyDocument, AssumeRolePolicyDocument: assumeRolePolicyDocument,
Policies: rolePolicies, Policies: rolePolicies,
ManagedPolicyArns: managedPolicies, ManagedPolicyArns: managedPolicies,
} }
return taskExecutionRole, nil return taskRole
} }
func createCluster(project *types.Project, template *cloudformation.Template) string { func createCluster(project *types.Project, template *cloudformation.Template) string {
@ -582,7 +587,7 @@ func normalizeResourceName(s string) string {
return strings.Title(regexp.MustCompile("[^a-zA-Z0-9]+").ReplaceAllString(s, "")) return strings.Title(regexp.MustCompile("[^a-zA-Z0-9]+").ReplaceAllString(s, ""))
} }
func getPolicy(taskDef *ecs.TaskDefinition) *PolicyDocument { func createPolicies(service types.ServiceConfig, taskDef *ecs.TaskDefinition) []iam.Role_Policy {
arns := []string{} arns := []string{}
for _, container := range taskDef.ContainerDefinitions { for _, container := range taskDef.ContainerDefinitions {
if container.RepositoryCredentials != nil { if container.RepositoryCredentials != nil {
@ -596,13 +601,19 @@ func getPolicy(taskDef *ecs.TaskDefinition) *PolicyDocument {
} }
if len(arns) > 0 { if len(arns) > 0 {
return &PolicyDocument{ return []iam.Role_Policy{
Statement: []PolicyStatement{ {
{ PolicyDocument: &PolicyDocument{
Effect: "Allow", Statement: []PolicyStatement{
Action: []string{actionGetSecretValue, actionGetParameters, actionDecrypt}, {
Resource: arns, Effect: "Allow",
}}, Action: []string{actionGetSecretValue, actionGetParameters, actionDecrypt},
Resource: arns,
},
},
},
PolicyName: fmt.Sprintf("%sGrantAccessToSecrets", service.Name),
},
} }
} }
return nil return nil