From 5ca5f79b23e6f309e88ce8d0bea3d250aaa5edae Mon Sep 17 00:00:00 2001
From: Frank
Date: Thu, 10 Oct 2024 01:20:47 -0400
Subject: [PATCH] Service: use existing IAM role for execution role
---
 platform/src/components/aws/cluster.ts | 22 +++++++++++++--
 platform/src/components/aws/service.ts | 37 +++++++++++++++++++-------
 2 files changed, 47 insertions(+), 12 deletions(-)
diff --git a/platform/src/components/aws/cluster.ts b/platform/src/components/aws/cluster.ts
index 34042b408..bb0d25851 100644
--- a/platform/src/components/aws/cluster.ts
+++ b/platform/src/components/aws/cluster.ts
@@ -981,7 +981,7 @@ export interface ClusterServiceArgs {
 };
 }>[];
 /**
- * Assigns the given IAM role name to the service. This allows you to pass in a previously created role.
+ * Assigns the given IAM role name to the containers running in the service. This allows you to pass in a previously created role.
 *
 * :::caution
 * When you pass in a role, the service will not update it if you add `permissions` or `link` resources.
@@ -995,11 +995,25 @@ export interface ClusterServiceArgs {
 * @example
 * ```js
 * {
- * taskRole: "my-role"
+ * taskRole: "my-task-role"
 * }
 * ```
 */
 taskRole?: Input;
+ /**
+ * Assigns the given IAM role name to AWS ECS to launch and manage the containers in the service. This allows you to pass in a previously created role.
+ *
+ * By default, the service creates a new IAM role when it's created.
+ *
+ * @default Creates a new role
+ * @example
+ * ```js
+ * {
+ * executionRole: "my-execution-role"
+ * }
+ * ```
+ */
+ executionRole?: Input;
 /**
 * [Transform](/docs/components#transform) how this component creates its underlying
 * resources.
@@ -1013,6 +1027,10 @@ export interface ClusterServiceArgs {
 * Transform the ECS Service resource.
 */
 service?: Transform;
+ /**
+ * Transform the ECS Execution IAM Role resource.
+ */
+ executionRole?: Transform;
 /**
 * Transform the ECS Task IAM Role resource.
 */
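Review bot: The new `executionRole` TSDoc in the second hunk lacks the caution its `taskRole` neighbour carries, and the gap matters more here: the service.ts change looks up a passed-in role with `iam.Role.get` and no longer attaches `AmazonECSTaskExecutionRolePolicy`, so a role that cannot pull images, write logs, or be assumed by `ecs-tasks.amazonaws.com` only fails when ECS tries to start a task. I would add a `:::caution` block stating that the role must already trust `ecs-tasks.amazonaws.com` and grant the execution permissions (for example `AmazonECSTaskExecutionRolePolicy`), and that the service will not update it. The `transform.executionRole` TSDoc in the third hunk should also say the transform is only applied to the role the service creates, not to a role passed through `executionRole`. Both definitions sit inside `ClusterServiceArgs`, which starts and ends outside these hunks.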
diff --git a/platform/src/components/aws/service.ts b/platform/src/components/aws/service.ts
index d3af29e48..ea7ff48fb 100644
--- a/platform/src/components/aws/service.ts
+++ b/platform/src/components/aws/service.ts
@@ -77,6 +77,7 @@ export class Service extends Component implements Link.Linkable {
 private readonly _service?: ecs.Service;
 private readonly cloudmapNamespace?: Output;
 private readonly cloudmapService?: servicediscovery.Service;
+ private readonly executionRole?: iam.Role;
 private readonly taskRole: iam.Role;
 private readonly taskDefinition?: ecs.TaskDefinition;
 private readonly loadBalancer?: lb.LoadBalancer;
@@ -130,6 +131,7 @@ export class Service extends Component implements Link.Linkable {
 this._service = service;
 this.cloudmapService = cloudmapService;
+ this.executionRole = executionRole;
 this.taskDefinition = taskDefinition;
 this.loadBalancer = loadBalancer;
 this.domain = pub?.domain
@@ -558,17 +560,28 @@ export class Service extends Component implements Link.Linkable {
 }
 function createExecutionRole() {
+ if (args.executionRole)
+ return iam.Role.get(
+ `${name}ExecutionRole`,
+ args.executionRole,
+ {},
+ { parent: self },
+ );
+
 return new iam.Role(
- `${name}ExecutionRole`,
- {
- assumeRolePolicy: iam.assumeRolePolicyForPrincipal({
- Service: "ecs-tasks.amazonaws.com",
- }),
- managedPolicyArns: [
- "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
- ],
- },
- { parent: self },
+ ...transform(
+ args.transform?.executionRole,
+ `${name}ExecutionRole`,
+ {
+ assumeRolePolicy: iam.assumeRolePolicyForPrincipal({
+ Service: "ecs-tasks.amazonaws.com",
+ }),
+ managedPolicyArns: [
+ "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
+ ],
+ },
+ { parent: self },
+ ),
 );
 }
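Review bot: In the `createExecutionRole` hunk the early return on `args.executionRole` silently bypasses `args.transform?.executionRole`, so a caller who sets both gets neither an error nor a transformed role, and nothing on the page indicates that is intended. A short comment above the `if` would make the contract explicit, e.g. `// A caller-supplied role is looked up as-is: transform.executionRole and the default managed policy are not applied to it.`; alternatively, throw a `VisibleError` when both are set, as the class does elsewhere for misuse. The `iam.Role.get` path also accepts any role name without checking that its trust policy allows `ecs-tasks.amazonaws.com` or that it grants the execution permissions, so a wrong name or an unassumable role surfaces as a task launch failure rather than at deploy time, which is worth stating in the same comment. The brace-less `if` in front of a multi-line `return` is easy to misread once a second statement is added; I would wrap it in braces.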
@@ -911,6 +924,10 @@ export class Service extends Component implements Link.Linkable {
 throw new VisibleError("Cannot access `nodes.service` in dev mode.");
 return self.service!;
 },
+ /**
+ * The Amazon ECS Execution Role.
+ */
+ executionRole: this.executionRole,
 /**
 * The Amazon ECS Task Role.
 */
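Review bot: `nodes.executionRole` returns `this.executionRole`, which the first service.ts hunk declares as optional (`executionRole?: iam.Role`) while `taskRole` is declared required, so this accessor can yield `undefined` and the new TSDoc does not say when. If the role is only absent in dev mode, the accessor should either throw a `VisibleError` the way the neighbouring `service` getter does, or its TSDoc should state that it is `undefined` in dev mode; if it is never absent, the field should be declared `readonly executionRole: iam.Role` to match `taskRole`. That dev mode is the cause is an inference from the sibling getter, not something visible in the hunk. Using `self.executionRole` rather than `this.executionRole` would also be safer should the property later become a getter like `service`, where `this` would no longer be the component. The enclosing `nodes` getter starts and ends outside the hunk.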