feat(ecs): add function to grant run permissions to task definition #21241

Merged
mergify[bot] merged 6 commits into aws:main from jusdino:ecs-grant-run on Jul 19, 2022
@jusdino jusdino commented Jul 19, 2022

Adding a grantRun(IGrantable) method to aws-ecs.TaskDefinition to make it easier to set up permissions for running task definitions. I'm not super familiar with the case where executionRole is undefined, but I believe leaving that role off the PolicyStatement is the best behavior in that case. Hopefully somebody can sanity check me there. This method is a touch more complicated than I initially planned so it can gracefully handle the case where .addContainer() causes executionRole to be created after a grantRun() was already called (this case is included in the new tests).

Reopening #20281 from a personal fork, since the original org-owned fork doesn't allow PR owners to push to my branch.
@TheRealAmazonKendra 👋


All Submissions:

Adding new Unconventional Dependencies:

  • This PR adds new unconventional dependencies following the process described here

New Features

  • Have you added the new feature to an integration test?
    • Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
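
An added sketch of the late-binding behaviour described in the PR description above, not code from this PR or from aws-cdk-lib: `Principal`, `TaskDef`, `policyFor` and the ARNs are hypothetical stand-ins, while `ecs:RunTask` and `iam:PassRole` are the IAM actions a RunTask caller needs. It shows the execution role being left off the statement when it does not exist, and being picked up when it is created after the grant, in contrast to a grant that freezes its resource list at call time.

```typescript
// Hypothetical stand-ins for CDK constructs; none of these are aws-cdk-lib types.
interface Statement { Effect: 'Allow'; Action: string[]; Resource: string[] }

class Principal {
  // Statements are stored as thunks so Resource lists are evaluated at render time.
  private readonly pending: Array<() => Statement> = [];
  add(produce: () => Statement): void { this.pending.push(produce); }
  renderPolicy(): Statement[] { return this.pending.map((produce) => produce()); }
}

class TaskDef {
  // Constructed ARNs for illustration only.
  readonly arn = 'arn:aws:ecs:us-east-1:111122223333:task-definition/demo:1';
  readonly taskRoleArn = 'arn:aws:iam::111122223333:role/demo-task';
  executionRoleArn?: string; // undefined until a container needs it

  // Models addContainer() creating the execution role on demand.
  addContainer(): void {
    if (!this.executionRoleArn) {
      this.executionRoleArn = 'arn:aws:iam::111122223333:role/demo-exec';
    }
  }

  // Roles the caller must be allowed to pass; the execution role is left off if absent.
  private passableRoles(): string[] {
    return this.executionRoleArn ? [this.taskRoleArn, this.executionRoleArn] : [this.taskRoleArn];
  }

  grantRun(grantee: Principal, lazy: boolean): void {
    grantee.add(() => ({ Effect: 'Allow', Action: ['ecs:RunTask'], Resource: [this.arn] }));
    const snapshot = this.passableRoles(); // what an eager grant would freeze
    grantee.add(() => ({
      Effect: 'Allow',
      Action: ['iam:PassRole'],
      Resource: lazy ? this.passableRoles() : snapshot,
    }));
  }
}

// Grants first, optionally adds a container afterwards, then renders the policy.
function policyFor(lazy: boolean, addContainerAfterGrant: boolean): Statement[] {
  const taskDef = new TaskDef();
  const caller = new Principal();
  taskDef.grantRun(caller, lazy);
  if (addContainerAfterGrant) taskDef.addContainer();
  return caller.renderPolicy();
}
```

With the eager variant, a caller granted before the container was added cannot pass the execution role, which is the failure the lazy statement avoids without widening the resource list to a wildcard.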

gitpod-io bot commented Jul 19, 2022

@github-actions github-actions bot added the p2 label Jul 19, 2022
@aws-cdk-automation aws-cdk-automation requested a review from a team July 19, 2022 21:22
@TheRealAmazonKendra TheRealAmazonKendra changed the title feat(aws-ecs): TaskDefinition.grantRun() feat(ecs): add function to grant run permissions to task definition Jul 19, 2022
@TheRealAmazonKendra TheRealAmazonKendra left a comment

Thanks for all your work on this!

@TheRealAmazonKendra TheRealAmazonKendra added the pr-linter/exempt-integ-test The PR linter will not require integ test changes label Jul 19, 2022
mergify bot commented Jul 19, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: b5c969d
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit d7ac3bb into aws:main Jul 19, 2022
mergify bot commented Jul 19, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@jusdino jusdino deleted the ecs-grant-run branch July 20, 2022 03:24
comcalvi pushed a commit to comcalvi/aws-cdk that referenced this pull request Jul 25, 2022
…ws#21241)

Adding a grantRun(IGrantable) method to aws-ecs.TaskDefinition to make it easier to set up permissions for running task definitions. I'm not super familiar with the case where executionRole is undefined, but I believe leaving that role off the PolicyStatement is the best behavior in that case. Hopefully somebody can sanity check me there. This method is a touch more complicated than I initially planned so it can gracefully handle the case where .addContainer() causes executionRole to be created after a grantRun() was already called (this case is included in the new tests).

Reopening aws#20281 from a personal fork, since the original org-owned fork doesn't allow PR owners to push to my branch.
@TheRealAmazonKendra 👋 

----

### All Submissions:

* [*] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*