Merge pull request #595 from docker/IAM

Distinguish TaskExecutionRole and TaskRole
2020-09-09 11:37:22 +02:00 · 2020-09-09 11:37:22 +02:00 · eaabee12e8
parent fda09712c0 d4c745a7a8
commit eaabee12e8
2 changed files with 41 additions and 30 deletions
--- a/ecs/cloudformation.go
+++ b/ecs/cloudformation.go
@ -159,12 +159,14 @@ func (b *ecsAPIService) convert(project *types.Project) (*cloudformation.Templat
 			return nil, err
 		}

-		taskExecutionRole, err := createTaskExecutionRole(service, err, definition, template)
-		if err != nil {
-			return template, err
-		}
+		taskExecutionRole := createTaskExecutionRole(service, definition, template)
 		definition.ExecutionRoleArn = cloudformation.Ref(taskExecutionRole)

+		taskRole := createTaskRole(service, template)
+		if taskRole != "" {
+			definition.TaskRoleArn = cloudformation.Ref(taskRole)
+		}
+
 		taskDefinition := fmt.Sprintf("%sTaskDefinition", normalizeResourceName(service.Name))
 		template.Resources[taskDefinition] = definition

@ -459,40 +461,43 @@ func createServiceRegistry(service types.ServiceConfig, template *cloudformation
 	return serviceRegistry
 }

-func createTaskExecutionRole(service types.ServiceConfig, err error, definition *ecs.TaskDefinition, template *cloudformation.Template) (string, error) {
+func createTaskExecutionRole(service types.ServiceConfig, definition *ecs.TaskDefinition, template *cloudformation.Template) string {
 	taskExecutionRole := fmt.Sprintf("%sTaskExecutionRole", normalizeResourceName(service.Name))
-	policy := getPolicy(definition)
-	if err != nil {
-		return taskExecutionRole, err
-	}
-	rolePolicies := []iam.Role_Policy{}
-	if policy != nil {
-		rolePolicies = append(rolePolicies, iam.Role_Policy{
-			PolicyDocument: policy,
-			PolicyName:     fmt.Sprintf("%sGrantAccessToSecrets", service.Name),
-		})
+	policies := createPolicies(service, definition)
+	template.Resources[taskExecutionRole] = &iam.Role{
+		AssumeRolePolicyDocument: assumeRolePolicyDocument,
+		Policies:                 policies,
+		ManagedPolicyArns: []string{
+			ecsTaskExecutionPolicy,
+			ecrReadOnlyPolicy,
+		},
 	}
+	return taskExecutionRole
+}

+func createTaskRole(service types.ServiceConfig, template *cloudformation.Template) string {
+	taskRole := fmt.Sprintf("%sTaskRole", normalizeResourceName(service.Name))
+	rolePolicies := []iam.Role_Policy{}
 	if roles, ok := service.Extensions[extensionRole]; ok {
 		rolePolicies = append(rolePolicies, iam.Role_Policy{
 			PolicyDocument: roles,
 		})
 	}
-	managedPolicies := []string{
-		ecsTaskExecutionPolicy,
-		ecrReadOnlyPolicy,
-	}
+	managedPolicies := []string{}
 	if v, ok := service.Extensions[extensionManagedPolicies]; ok {
 		for _, s := range v.([]interface{}) {
 			managedPolicies = append(managedPolicies, s.(string))
 		}
 	}
-	template.Resources[taskExecutionRole] = &iam.Role{
+	if len(rolePolicies) == 0 && len(managedPolicies) == 0 {
+		return ""
+	}
+	template.Resources[taskRole] = &iam.Role{
 		AssumeRolePolicyDocument: assumeRolePolicyDocument,
 		Policies:                 rolePolicies,
 		ManagedPolicyArns:        managedPolicies,
 	}
-	return taskExecutionRole, nil
+	return taskRole
 }

 func createCluster(project *types.Project, template *cloudformation.Template) string {
@ -582,7 +587,7 @@ func normalizeResourceName(s string) string {
 	return strings.Title(regexp.MustCompile("[^a-zA-Z0-9]+").ReplaceAllString(s, ""))
 }

-func getPolicy(taskDef *ecs.TaskDefinition) *PolicyDocument {
+func createPolicies(service types.ServiceConfig, taskDef *ecs.TaskDefinition) []iam.Role_Policy {
 	arns := []string{}
 	for _, container := range taskDef.ContainerDefinitions {
 		if container.RepositoryCredentials != nil {
@ -596,13 +601,19 @@ func getPolicy(taskDef *ecs.TaskDefinition) *PolicyDocument {

 	}
 	if len(arns) > 0 {
-		return &PolicyDocument{
-			Statement: []PolicyStatement{
-				{
-					Effect:   "Allow",
-					Action:   []string{actionGetSecretValue, actionGetParameters, actionDecrypt},
-					Resource: arns,
-				}},
+		return []iam.Role_Policy{
+			{
+				PolicyDocument: &PolicyDocument{
+					Statement: []PolicyStatement{
+						{
+							Effect:   "Allow",
+							Action:   []string{actionGetSecretValue, actionGetParameters, actionDecrypt},
+							Resource: arns,
+						},
+					},
+				},
+				PolicyName: fmt.Sprintf("%sGrantAccessToSecrets", service.Name),
+			},
 		}
 	}
 	return nil
--- a/tests/ecs-e2e/e2e-ecs_test.go
+++ b/tests/ecs-e2e/e2e-ecs_test.go
@ -99,7 +99,7 @@ func TestCompose(t *testing.T) {
 	})

 	t.Run("compose ls", func(t *testing.T) {
-		res := c.RunDockerCmd("compose", "ls")
+		res := c.RunDockerCmd("compose", "ls", "--project-name", stack)
 		lines := strings.Split(strings.TrimSpace(res.Stdout()), "\n")

 		assert.Equal(t, 2, len(lines))