Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(task): grant task-run execution role access to secrets based on tag #3256

Merged
merged 6 commits into from
Feb 14, 2022
Merged

fix(task): grant task-run execution role access to secrets based on tag #3256

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
4de175d
fix(task): copilot task run with --secrets
paragbhingre Feb 8, 2022
9838d8b
fix unit test for TestTaskStackConfig_Parameters
paragbhingre Feb 8, 2022
692b9a5
Address feedback to allow access to secretsmanager secrets
paragbhingre Feb 9, 2022
11132ee
remove extra conditions
paragbhingre Feb 10, 2022
94ee963
Remove extra conditions
paragbhingre Feb 14, 2022
eb032de
Merge branch 'mainline' into taskRunSecrets
mergify[bot] Feb 14, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions internal/pkg/deploy/cloudformation/stack/task.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,8 @@ const (
taskEntryPointParamKey = "EntryPoint"
taskOSParamKey = "OS"
taskArchParamKey = "Arch"
taskAppParamKey = "App"
taskEnvParamKey = "Env"

taskLogRetentionInDays = "1"
)
Expand Down Expand Up @@ -115,6 +117,14 @@ func (t *taskStackConfig) Parameters() ([]*cloudformation.Parameter, error) {
ParameterKey: aws.String(taskArchParamKey),
ParameterValue: aws.String(t.Arch),
},
{
ParameterKey: aws.String(taskAppParamKey),
ParameterValue: aws.String(t.App),
},
{
ParameterKey: aws.String(taskEnvParamKey),
ParameterValue: aws.String(t.Env),
},
}, nil
}

Expand Down
8 changes: 8 additions & 0 deletions internal/pkg/deploy/cloudformation/stack/task_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,14 @@ func TestTaskStackConfig_Parameters(t *testing.T) {
ParameterKey: aws.String(taskArchParamKey),
ParameterValue: aws.String(""),
},
{
ParameterKey: aws.String(taskAppParamKey),
ParameterValue: aws.String(""),
},
{
ParameterKey: aws.String(taskEnvParamKey),
ParameterValue: aws.String(""),
},
}

taskInput := deploy.CreateTaskResourcesInput{
Expand Down
41 changes: 40 additions & 1 deletion internal/pkg/template/templates/task/cf.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,10 @@ Parameters:
Type: String
Arch:
Type: String
App:
Type: String
Env:
Type: String
Conditions:
# NOTE: Image cannot be pushed until the ECR repo is created, at which time ContainerImage would be "".
HasImage:
Expand All @@ -39,6 +43,13 @@ Conditions:
!Not [ !Equals [ !Join [ "", !Ref EntryPoint ], "" ] ]
HasCustomPlatform:
!Not [!Equals [!Ref OS, ""]]
HasApp:
!Not [!Equals [!Ref App, ""]]
HasEnv:
!Not [!Equals [!Ref Env, ""]]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really need hasapp and has env?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually we can remove this and put these conditions directly into HasAppAndEnv condition.

HasAppAndEnv: !And
- !Condition HasApp
- !Condition HasEnv
Resources:
TaskDefinition:
Metadata:
Expand Down Expand Up @@ -89,6 +100,34 @@ Resources:
Action: 'sts:AssumeRole'
ManagedPolicyArns:
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'
{{- if .Secrets}}
Policies:
- !If
- HasAppAndEnv
- PolicyName: 'PullSecrets'
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: 'Allow'
Action:
- ssm:GetParameters
Condition:
StringEquals:
"ssm:ResourceTag/copilot-application": !If [ HasAppAndEnv, !Ref App, !Ref "AWS::NoValue" ]
"ssm:ResourceTag/copilot-environment": !If [ HasAppAndEnv, !Ref Env, !Ref "AWS::NoValue" ]
Copy link
Contributor

@Lou1415926 Lou1415926 Feb 10, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we remove these !If conditionals now that we have line 101-102?

Resource:
- !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/*
- Effect: 'Allow'
Action:
- secretsmanager:GetSecretValue
Condition:
StringEquals:
"secretsmanager:ResourceTag/copilot-application": !If [ HasAppAndEnv, !Ref App, !Ref "AWS::NoValue" ]
"secretsmanager:ResourceTag/copilot-environment": !If [ HasAppAndEnv, !Ref Env, !Ref "AWS::NoValue" ]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Samesies!

Resource:
- !Sub arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*
- !Ref AWS::NoValue
{{- end}}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is awesome!

DefaultTaskRole:
Metadata:
'aws:copilot:description': 'An IAM Role for the task to make AWS API calls on your behalf. Policies are required by ECS Exec'
Expand Down Expand Up @@ -154,4 +193,4 @@ Resources:
Outputs:
ECRRepo:
Description: ECR Repo used to store images of task.
Value: !GetAtt ECRRepo.Arn
Value: !GetAtt ECRRepo.Arn