adds support for adding IAM permissions to support ecs exec support
aaronwalker committed Apr 20, 2021
1 parent 3370851 commit aa93be6
Showing 3 changed files with 128 additions and 0 deletions.
13 changes: 13 additions & 0 deletions ecs-task.cfndsl.rb
Expand Up @@ -246,6 +246,19 @@

iam_policies = external_parameters.fetch(:iam_policies, {})
service_discovery = external_parameters.fetch(:service_discovery, {})
enable_execute_command = external_parameters.fetch(:enable_execute_command, false)

if enable_execute_command
iam_policies['ssm-session-manager'] = {
'action' => %w(
ssmmessages:CreateControlChannel
ssmmessages:CreateDataChannel
ssmmessages:OpenControlChannel
ssmmessages:OpenDataChannel
)
}
end

unless iam_policies.empty?

unless service_discovery.empty?
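Review bot: The `ssm-session-manager` entry is stored with `=`, so it silently replaces any policy of the same name that a caller passed in `iam_policies`, and because `fetch` hands back the caller's own hash when the key is present, the assignment also mutates that external hash in place. If overriding is intended, say so in a comment; otherwise `iam_policies['ssm-session-manager'] ||= { ... }` keeps a caller-supplied policy. The new policy also carries no explicit `'resource'` key; the spec added in this commit expects it to compile to `"Resource" => ["*"]`, which looks acceptable here since the `ssmmessages` channel actions do not appear to support resource-level scoping, but a comment such as `# ssmmessages channel actions are not resource-scoped; the DSL default of '*' is intentional` would stop a later review from trying to narrow it. The bodies of `unless iam_policies.empty?` and `unless service_discovery.empty?` continue outside the hunk.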
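--- a/spec/ecs_exec_spec.rb
+++ b/spec/ecs_exec_spec.rb
@@ -0,0 +1,98 @@
+require 'yaml'
+
+describe 'compiled component' do
+
+context 'cftest' do
+it 'compiles test' do
+expect(system("cfhighlander cftest #{@validate} --tests tests/ecs-exec.test.yaml")).to be_truthy
+end
+end
+
+let(:template) { YAML.load_file("#{File.dirname(__FILE__)}/../out/tests/ecs-exec/ecs-task.compiled.yaml") }
+
+context 'Resource Task' do
+let(:properties) { template["Resources"]["Task"]["Properties"] }
+
+it 'has property RequiresCompatibilities ' do
+expect(properties["RequiresCompatibilities"]).to eq(['FARGATE'])
+end
+
+it 'has property NetworkMode ' do
+expect(properties["NetworkMode"]).to eq('awsvpc')
+end
+
+it 'has property CPU ' do
+expect(properties["Cpu"]).to eq(256)
+end
+
+it 'has property Memory ' do
+expect(properties["Memory"]).to eq(512)
+end
+
+it 'has property One container definition ' do
+expect(properties["ContainerDefinitions"].count).to eq(1)
+expect(properties["ContainerDefinitions"]).to eq([{
+"Image"=>{"Fn::Join"=>["", ["myrepo/", "backend", ":", {"Ref"=>"SchemaTag"}]]},
+"LogConfiguration"=>
+{
+"LogDriver"=>"awslogs",
+"Options"=> {
+"awslogs-group"=>{"Ref"=>"LogGroup"},
+"awslogs-region"=>{"Ref"=>"AWS::Region"},
+"awslogs-stream-prefix"=>"schema"
+}
+},
+"Name"=>"schema"
+}])
+end
+
+it 'has property Tags' do
+expect(properties["Tags"]).to eq([
+{"Key"=>"Name", "Value"=>"ecs-task"},
+{"Key"=>"Environment", "Value"=>{"Ref"=>"EnvironmentName"}},
+{"Key"=>"EnvironmentType", "Value"=>{"Ref"=>"EnvironmentType"}}
+])
+end
+end
+
+context 'Task Role' do
+let(:properties) { template["Resources"]["TaskRole"]["Properties"] }
+
+it 'has ecs-tasks assume role permissions' do
+expect(properties["AssumeRolePolicyDocument"]).to eq({
+"Version" => "2012-10-17",
+"Statement" => [
+{
+"Action"=>"sts:AssumeRole",
+"Effect"=>"Allow",
+"Principal"=>{"Service"=>"ecs-tasks.amazonaws.com"}
+},
+{
+"Action"=>"sts:AssumeRole",
+"Effect"=>"Allow",
+"Principal"=>{"Service"=>"ssm.amazonaws.com"}
+}
+],
+})
+end
+
+it 'has SSM IAM Policies' do
+expect(properties["Policies"]).to eq([
+"PolicyName" => "ssm-session-manager",
+"PolicyDocument" => {
+"Statement" => [{
+"Sid" => "ssmsessionmanager",
+"Effect" => "Allow",
+"Action" => [
+"ssmmessages:CreateControlChannel",
+"ssmmessages:CreateDataChannel",
+"ssmmessages:OpenControlChannel",
+"ssmmessages:OpenDataChannel"
+],
+"Resource" => ["*"],
+}]
+}
+])
+end
+end
+end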
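Review bot: The `has ecs-tasks assume role permissions` example pins a trust policy in which `ssm.amazonaws.com` may assume the task role alongside `ecs-tasks.amazonaws.com`; the ECS Exec support this commit adds only needs the `ssmmessages` actions checked in `has SSM IAM Policies`, so unless that principal serves a different SSM use case it widens who may assume the role, and the expectation deserves a comment stating why it is there, e.g. `# ssm.amazonaws.com trust is required for <REASON-PLACEHOLDER>; ECS Exec itself only needs the ssmmessages policy`. Separately, `@validate` in the `compiles test` example is not assigned anywhere in this file, so unless a shared hook sets it the interpolation yields an empty string; if it is meant to carry a CLI option it should be set explicitly, and passing the command as separate arguments (`system('cfhighlander', 'cftest', '--tests', 'tests/ecs-exec.test.yaml')`) would avoid shell parsing of the interpolated string altogether.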
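--- a/tests/ecs-exec.test.yaml
+++ b/tests/ecs-exec.test.yaml
@@ -0,0 +1,17 @@
+test_metadata:
+type: config
+name: ecs-exec
+description: iam permissions for ecs-exec
+
+enable_execute_command: true
+
+task_definition:
+schema:
+repo: myrepo
+image: backend
+tag_param: SchemaTag
+task_type: FARGATE
+network_mode: awsvpc
+maximum_availability_zones: 3
+cpu: 256
+memory: 512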
