fix(ecs): make TaskDefinition accept IRoles (aws#2034)
The role input parameters are currently Roles but should be IRoles.

Required adding the grant methods to the `IRole` definition, which
weren't there before.

Fixes aws#1925.
rix0rrr committed Mar 19, 2019
1 parent fa99fb2 commit 13f99f3
Showing 3 changed files with 43 additions and 5 deletions.
6 changes: 3 additions & 3 deletions packages/@aws-cdk/aws-ecs/lib/base/task-definition.ts
@@ -23,14 +23,14 @@ export interface CommonTaskDefinitionProps {
*
* @default An execution role will be automatically created if you use ECR images in your task definition
*/
executionRole?: iam.Role;
executionRole?: iam.IRole;

/**
* The IAM role assumable by your application code running inside the container
*
* @default A task role is automatically created for you
*/
taskRole?: iam.Role;
taskRole?: iam.IRole;

/**
* See: https://docs.aws.amazon.com/AmazonECS/latest/developerguide//task_definition_parameters.html#volumes
@@ -112,7 +112,7 @@ export class TaskDefinition extends cdk.Construct {
/**
* Task role used by this task definition
*/
public readonly taskRole: iam.Role;
public readonly taskRole: iam.IRole;

/**
* Network mode used by this task definition
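Review bot: The doc comments on `executionRole` and `taskRole` in `CommonTaskDefinitionProps` still describe only the auto-created default and do not say what changes once an imported role can be passed. `ImportedRole` in role.ts ignores `grant`, `grantPassRole` and `attachManagedPolicy`, so permissions the task definition would otherwise add to these roles are presumably not applied to an imported one (the code that uses the roles is outside these hunks). I would add a line to each docstring such as `* If you supply an imported role, no policies are added to it; it must already carry the required permissions and trust the ECS tasks service.` The same caveat fits the public `taskRole` property on `TaskDefinition`. Both the interface and the class start above and continue below the hunks shown.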
18 changes: 16 additions & 2 deletions packages/@aws-cdk/aws-iam/lib/lazy-role.ts
@@ -1,5 +1,5 @@
import cdk = require('@aws-cdk/cdk');
import { Policy } from './policy';
import { IPrincipal, Policy } from './policy';
import { PolicyPrincipal, PolicyStatement } from './policy-document';
import { IRole, Role, RoleImportProps, RoleProps } from './role';

@@ -85,6 +85,20 @@ export class LazyRole extends cdk.Construct implements IRole {
return this.instantiate().principal;
}

/**
* Grant the actions defined in actions to the identity Principal on this resource.
*/
public grant(identity?: IPrincipal, ...actions: string[]): void {
return this.instantiate().grant(identity, ...actions);
}

/**
* Grant permissions to the given principal to pass this role.
*/
public grantPassRole(identity?: IPrincipal): void {
return this.instantiate().grantPassRole(identity);
}

private instantiate(): Role {
if (!this.role) {
const role = new Role(this, 'Default', this.props);
@@ -95,4 +109,4 @@ export class LazyRole extends cdk.Construct implements IRole {
}
return this.role;
}
}
}
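Review bot: `LazyRole.grant` and `LazyRole.grantPassRole` call `this.instantiate()` before looking at `identity`, which is optional, so a call with no principal still creates the underlying `Role`. If `Role.grant` returns early for an undefined identity (its body is not on this page), the result is an IAM role that exists only as a side effect of a call that granted nothing. A guard such as `if (!identity) { return; }` ahead of the delegation in both methods would keep the role lazy. The `return` in front of a call to a `void` method can also be dropped. The class body starts above this hunk.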
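--- a/packages/@aws-cdk/aws-iam/lib/role.ts
+++ b/packages/@aws-cdk/aws-iam/lib/role.ts
@@ -245,6 +245,16 @@ export interface IRole extends IConstruct, IPrincipal {
 * Export this role to another stack.
 */
 export(): RoleImportProps;
+
+/**
+* Grant the actions defined in actions to the identity Principal on this resource.
+*/
+grant(identity?: IPrincipal, ...actions: string[]): void;
+
+/**
+* Grant permissions to the given principal to pass this role.
+*/
+grantPassRole(identity?: IPrincipal): void;
 }
 
 function createAssumeRolePolicy(principal: PolicyPrincipal, externalId?: string) {
@@ -331,4 +341,18 @@ class ImportedRole extends Construct implements IRole {
 public attachManagedPolicy(_arn: string): void {
 // FIXME: Add warning that we're ignoring this
 }
+
+/**
+* Grant the actions defined in actions to the identity Principal on this resource.
+*/
+public grant(_identity?: IPrincipal, ..._actions: string[]): void {
+// FIXME: Add warning that we're ignoring this
+}
+
+/**
+* Grant permissions to the given principal to pass this role.
+*/
+public grantPassRole(_identity?: IPrincipal): void {
+// FIXME: Add warning that we're ignoring this
+}
 }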
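Review bot: `ImportedRole.grant` and `ImportedRole.grantPassRole` silently do nothing, while their docstrings still say they grant permissions. A caller holding an `IRole` cannot tell that no statement was produced, and finds out only when the deployed principal is denied access. Until the warning named in the FIXME exists, the docstrings should say so, e.g. `* No-op for imported roles: nothing is added to the principal's policy, so grant the permission separately.` The same caveat belongs on the two new `IRole` members in the first hunk, since implementations are now allowed to ignore the call. Adding required members to the exported `IRole` interface also breaks any implementer outside this package, which is worth stating in the commit message or changelog.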
