chore: add flag for task run execution role and remove default task role from cfn template (#1196)

Lou1415926 · web-flow · commit ba02b02d8a46 · 2020-07-28T03:16:04.000Z
This PR contains the following changes: 1. allowing user to specify a specific `execution-role` for `task run` 2. removing `DefaultTaskRole` from task's cfn template since it doesn't require a task role in order to run a task  By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
diff --git a/internal/pkg/cli/flag.go b/internal/pkg/cli/flag.go
@@ -59,6 +59,7 @@ const (
 	memoryFlag         = "memory"
 	imageFlag          = "image"
 	taskRoleFlag       = "task-role"
+	executionRoleFlag  = "execution-role"
 	subnetsFlag        = "subnets"
 	securityGroupsFlag = "security-groups"
 	envVarsFlag        = "env-vars"
@@ -142,6 +143,7 @@ Must be of the format '<keyName>:<dataType>'.`
 	memoryFlagDescription         = "Optional. The amount of memory to reserve in MiB for each task."
 	imageFlagDescription          = "Optional. The image to run instead of building a Dockerfile."
 	taskRoleFlagDescription       = "Optional. The role for the task to use."
+	executionRoleFlagDescription  = "Optional. The role that grants the container agent permission to make AWS API calls."
 	subnetsFlagDescription        = "Optional. The subnet IDs for the task to use. Can be specified multiple times."
 	securityGroupsFlagDescription = "Optional. The security group IDs for the task to use. Can be specified multiple times."
 	envVarsFlagDescription        = "Optional. Environment variables specified by key=value separated with commas."
diff --git a/internal/pkg/cli/task_run.go b/internal/pkg/cli/task_run.go
@@ -68,6 +68,7 @@ type runTaskVars struct {
 	imageTag       string
 
 	taskRole string
+	executionRole string
 
 	subnets        []string
 	securityGroups []string
@@ -355,6 +356,7 @@ func (o *runTaskOpts) deploy() error {
 		Memory:   o.memory,
 		Image:    o.image,
 		TaskRole: o.taskRole,
+		ExecutionRole: o.executionRole,
 		Command:  o.command,
 		EnvVars:  o.envVars,
 	})
@@ -483,6 +485,7 @@ Run a task with a command.
 	cmd.Flags().StringVar(&vars.imageTag, imageTagFlag, "", taskImageTagFlagDescription)
 
 	cmd.Flags().StringVar(&vars.taskRole, taskRoleFlag, "", taskRoleFlagDescription)
+	cmd.Flags().StringVar(&vars.executionRole, executionRoleFlag, "", executionRoleFlagDescription)
 
 	cmd.Flags().StringVar(&vars.appName, appFlag, "", appFlagDescription)
 	cmd.Flags().StringVar(&vars.env, envFlag, "", envFlagDescription)
diff --git a/internal/pkg/deploy/cloudformation/stack/task.go b/internal/pkg/deploy/cloudformation/stack/task.go
@@ -24,6 +24,7 @@ const (
 
 	taskContainerImageParamKey = "ContainerImage"
 	taskTaskRoleParamKey       = "TaskRole"
+	taskExecutionRoleParamKey  = "ExecutionRole"
 	taskCommandParamKey        = "Command"
 
 	taskLogRetentionInDays = "1"
@@ -88,6 +89,10 @@ func (t *taskStackConfig) Parameters() ([]*cloudformation.Parameter, error) {
 			ParameterKey:   aws.String(taskTaskRoleParamKey),
 			ParameterValue: aws.String(t.TaskRole),
 		},
+		{
+			ParameterKey: aws.String(taskExecutionRoleParamKey),
+			ParameterValue: aws.String(t.ExecutionRole),
+		},
 		{
 			ParameterKey:   aws.String(taskCommandParamKey),
 			ParameterValue: aws.String(t.Command),
diff --git a/internal/pkg/deploy/cloudformation/stack/task_test.go b/internal/pkg/deploy/cloudformation/stack/task_test.go
@@ -96,6 +96,10 @@ func TestTaskStackConfig_Parameters(t *testing.T) {
 			ParameterKey:   aws.String(taskTaskRoleParamKey),
 			ParameterValue: aws.String("task-role"),
 		},
+		{
+			ParameterKey:   aws.String(taskExecutionRoleParamKey),
+			ParameterValue: aws.String("execution-role"),
+		},
 		{
 			ParameterKey:   aws.String(taskCommandParamKey),
 			ParameterValue: aws.String("echo hooray"),
@@ -109,6 +113,7 @@ func TestTaskStackConfig_Parameters(t *testing.T) {
 
 		Image: "7456.dkr.ecr.us-east-2.amazonaws.com/my-task:0.1",
 		TaskRole: "task-role",
+		ExecutionRole: "execution-role",
 		Command:  "echo hooray",
 	}
 
diff --git a/internal/pkg/deploy/task.go b/internal/pkg/deploy/task.go
@@ -13,6 +13,7 @@ type CreateTaskResourcesInput struct {
 
 	Image    string
 	TaskRole string
+	ExecutionRole string
 	Command  string
 	EnvVars  map[string]string
 
diff --git a/templates/task/cf.yml b/templates/task/cf.yml
@@ -15,14 +15,18 @@ Parameters:
     Type: String
   TaskRole:
     Type: String
+  ExecutionRole:
+    Type: String
   Command:
     Type: String
 Conditions:
   # NOTE: Image cannot be pushed until the ECR repo is created, at which time ContainerImage would be "".
   HasImage:
     !Not [!Equals [!Ref ContainerImage, ""]]
-  UseDefaultTaskRole:
-    !Equals [!Ref TaskRole, ""]
+  HasTaskRole:
+    !Not [!Equals [!Ref TaskRole, ""]]
+  HasExecutionRole:
+    !Not [!Equals [!Ref ExecutionRole, ""]]
   HasCommand:
     !Not [!Equals [!Ref Command, ""]]
 Resources:
@@ -51,20 +55,10 @@ Resources:
       NetworkMode: awsvpc
       Cpu: !Ref TaskCPU
       Memory: !Ref TaskMemory
-      ExecutionRoleArn: !Ref ExecutionRole
+      ExecutionRoleArn: !If [HasExecutionRole, !Ref ExecutionRole, !Ref DefaultExecutionRole]
       TaskRoleArn:
-        !If [UseDefaultTaskRole, !Ref DefaultTaskRole, !Ref TaskRole]
-  DefaultTaskRole:
-    Condition: UseDefaultTaskRole
-    Type: AWS::IAM::Role
-    Properties:
-      AssumeRolePolicyDocument:
-        Statement:
-          - Effect: Allow
-            Principal:
-              Service: ecs-tasks.amazonaws.com
-            Action: 'sts:AssumeRole'
-  ExecutionRole:
+        !If [HasTaskRole, !Ref TaskRole, !Ref "AWS::NoValue"]
+  DefaultExecutionRole:
     Type: AWS::IAM::Role
     Properties:
       AssumeRolePolicyDocument:
