Service: use existing IAM role for execution role

platform/src/components/aws/cluster.ts

@@ -981,7 +981,7 @@ export interface ClusterServiceArgs {
     };
   }>[];
   /**
-   * Assigns the given IAM role name to the service. This allows you to pass in a previously created role.
+   * Assigns the given IAM role name to the containers running in the service. This allows you to pass in a previously created role.
    *
    * :::caution
    * When you pass in a role, the service will not update it if you add `permissions` or `link` resources.
@@ -995,11 +995,25 @@ export interface ClusterServiceArgs {
    * @example
    * ```js
    * {
-   *   taskRole: "my-role"
+   *   taskRole: "my-task-role"
    * }
    * ```
    */
   taskRole?: Input<string>;
+  /**
+   * Assigns the given IAM role name to AWS ECS to launch and manage the containers in the service. This allows you to pass in a previously created role.
+   *
+   * By default, the service creates a new IAM role when it's created.
+   *
+   * @default Creates a new role
+   * @example
+   * ```js
+   * {
+   *   executionRole: "my-execution-role"
+   * }
+   * ```
+   */
+  executionRole?: Input<string>;
   /**
    * [Transform](/docs/components#transform) how this component creates its underlying
    * resources.
@@ -1013,6 +1027,10 @@ export interface ClusterServiceArgs {
      * Transform the ECS Service resource.
      */
     service?: Transform<ecs.ServiceArgs>;
+    /**
+     * Transform the ECS Execution IAM Role resource.
+     */
+    executionRole?: Transform<iam.RoleArgs>;
     /**
      * Transform the ECS Task IAM Role resource.
      */

platform/src/components/aws/service.ts

@@ -77,6 +77,7 @@ export class Service extends Component implements Link.Linkable {
   private readonly _service?: ecs.Service;
   private readonly cloudmapNamespace?: Output<string>;
   private readonly cloudmapService?: servicediscovery.Service;
+  private readonly executionRole?: iam.Role;
   private readonly taskRole: iam.Role;
   private readonly taskDefinition?: ecs.TaskDefinition;
   private readonly loadBalancer?: lb.LoadBalancer;
@@ -130,6 +131,7 @@ export class Service extends Component implements Link.Linkable {
 
     this._service = service;
     this.cloudmapService = cloudmapService;
+    this.executionRole = executionRole;
     this.taskDefinition = taskDefinition;
     this.loadBalancer = loadBalancer;
     this.domain = pub?.domain
@@ -558,17 +560,28 @@ export class Service extends Component implements Link.Linkable {
     }
 
     function createExecutionRole() {
+      if (args.executionRole)
+        return iam.Role.get(
+          `${name}ExecutionRole`,
+          args.executionRole,
+          {},
+          { parent: self },
+        );
+
       return new iam.Role(
-        `${name}ExecutionRole`,
-        {
-          assumeRolePolicy: iam.assumeRolePolicyForPrincipal({
-            Service: "ecs-tasks.amazonaws.com",
-          }),
-          managedPolicyArns: [
-            "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
-          ],
-        },
-        { parent: self },
+        ...transform(
+          args.transform?.executionRole,
+          `${name}ExecutionRole`,
+          {
+            assumeRolePolicy: iam.assumeRolePolicyForPrincipal({
+              Service: "ecs-tasks.amazonaws.com",
+            }),
+            managedPolicyArns: [
+              "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
+            ],
+          },
+          { parent: self },
+        ),
       );
     }
 
@@ -911,6 +924,10 @@ export class Service extends Component implements Link.Linkable {
           throw new VisibleError("Cannot access `nodes.service` in dev mode.");
         return self.service!;
       },
+      /**
+       * The Amazon ECS Execution Role.
+       */
+      executionRole: this.executionRole,
       /**
        * The Amazon ECS Task Role.
        */