fix(task): grant task-run execution role access to secrets based on tag

[paragbhingre]

This PR fixes the issue #2641

Fixed the issue by adding policies to the execution role when --secrets are provided.

Tests -
Following manual tests have been taken into consideration

1. When we send both --app and --env flags in copilot task run command then secrets are accessible only when copilot-application and copilot-environment tags are present with the correct values on the secret
2. When we send both --app and --env flags in copilot task run command then secrets are inaccessible only when copilot-application and copilot-environment tags are NOT present on the secret or they have incorrect values

[efekarakus]

I really like the changes with allowing access to the copilot-application and copilot-environment tags -- makes total sense to me. I am not sure though how obvious it's going to be when not using a copilot managed cluster, requiring the copilot-task tag for a one-time job seems a bit cumbersome.

What if we had an experience like this?

$ copilot task run --default --secrets hello=/hello,world=arn:aws:secretsmanager:us-west-2:111122223333:secret:aes128-1a2b3c
Looks like you're requesting ssm:GetParameters to the following SSM parameters:
* /hello 
and secretsmanager:GetSecretValue to the following Secrets Manager secrets:
* arn:aws:secretsmanager:us-west-2:111122223333:secret:aes128-1a2b3c

Do you grant permission to the ECS/Fargate agent for these secrets? (y/N)

Or if they'd like to skip the prompt they can pass a flag similar to what the CDK does with --require-approval never

$ copilot task run --default --secrets hello=/hello --require-approval never

Then we will augment the Task Execution role such that only the input resources are granted access.

Let me know what you think!

[iamhopaul123]

Do you grant permission to the ECS/Fargate agent for these secrets? (y/N)

If they choose "N", do we just error out saying they can't use these secrets without granting access? And what are available options for --require-approval?

[efekarakus]

If they choose "N", do we just error out saying they can't use these secrets without granting access?

I assume we'll abort then, but we can look to what the CDK does as well.

And what are available options for --require-approval?

hmm good point for us none, maybe we can flip the flag --acknowledge-iam

[efekarakus]

Looks good to me! Just to validate we tested it with both secrets (ssm and secretsmanager) and it works right? 😂

Similarly, can we test as well with a secret that's not tagged to make sure it still cannot access it

[paragbhingre]

Looks good to me! Just to validate we tested it with both secrets (ssm and secretsmanager) and it works right? 😂

Similarly, can we test as well with a secret that's not tagged to make sure it still cannot access it

Both the secrets (ssm and secretsmanager) and scenarios you mentioned are tested ✅

[iamhopaul123]

Do we really need hasapp and has env?

[paragbhingre]

Actually we can remove this and put these conditions directly into HasAppAndEnv condition.

[iamhopaul123]

This is awesome!

[Lou1415926]

Can we remove these !If conditionals now that we have line 101-102?

[Lou1415926]

Samesies!