feat(ecs): add codepipeline deploy-action to ecs cluster

[aweiher]

No Unit-Test, one Integration Test ist present. The similar compontent s3 deploy-action has no unit-test (didnt found it), so I oriented there. Please give me feedback when required.

I have tested the integration test in my private AWS Account, and it worked.

Notes:

• I did not implement toCodePipelineInvokeAction (on service?) as service and repository is required, as I didnt figured out an easy api for this. Need feedback if this is required.
• The default IAM rules are maybe too open (ecs:* for *), I oriented on the default AWS CodePipeline Role: https://docs.aws.amazon.com/codepipeline/latest/userguide/how-to-custom-role.html
• Not included in the component, but in the integration-test: sts:AssumeRole and iam:PassRole for * - same reason as point before. The following would be ideal, but I didnt figured out how to construct this with cdk:

              - Resource: "*"
                Effect: Allow
                Action:
                  - iam:PassRole
                Condition:
                  StringEqualsIfExists:
                    iam:PassedToService:
                      - ec2.amazonaws.com
                      - ecs-tasks.amazonaws.com

Fixes #1386

---

Pull Request Checklist

• Testing
  • Unit test added (prefer not to modify an existing test, otherwise, it's probably a breaking change)
  • CLI change?: coordinate update of integration tests with team
  • cdk-init template change?: coordinated update of integration tests with team
• Docs
  • jsdocs: All public APIs documented
  • README: README and/or documentation topic updated
• Title and Description
  • Change type: title prefixed with fix, feat will appear in changelog
  • Title: use lower-case and doesn't end with a period
  • Breaking?: last paragraph: "BREAKING CHANGE: <describe what changed + link for details>"
  • Issues: Indicate issues fixed via: "Fixes #xxx" or "Closes #xxx"
• Sensitive Modules (requires 2 PR approvers)
  • IAM Policy Document (in @aws-cdk/aws-iam)
  • EC2 Security Groups and ACLs (in @aws-cdk/aws-ec2)
  • Grant APIs (only if not based on official documentation with a reference)

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.

[rix0rrr]

@skinny85, @SoManyHs... opinions?

[skinny85]

This is great @aweiher , a really high quality contribution! Just a few small comments/questions.

Thanks for taking the time to do this!

[skinny85]

The build failure seems like something transient. Can you rebase, and try again? (there are some conflicts with current master, so that would have to be done sometime anyway). Thanks!

[aweiher]

Hej @skinny85 - Thank you very much for your code-review! :) I will fix the issues in the next days 👍

[skinny85]

Hey @aweiher ,

there's been a pretty big revolution in the way the Actions are represented in code in PR #2098 . This might make rebasing this PR particularly challenging. Given how close to the final shape this PR is, I'd be willing to take it over from you - I was the one doing the changes in #2098, so I'm quite familiar with what needs to be changed in this new way of doing things.

Let me know!

[aweiher]

Hi @skinny85 - No Problem, take this PR over. I really wanted to implement this by myself, but an other task is eating all my time unfortunately. I added one commit/comment regarding the permission, hope it helps.

[skinny85]

Thanks, will do!

[skinny85]

I've rebased the PR on top of master. @RomainMuller and @SoManyHs , I would appreciate if you took a look.

[skinny85]

Missed a new feature in ECS when rebasing that changes the expected file for the integ tests.