-
Notifications
You must be signed in to change notification settings - Fork 302
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Resource tagging in the registry-creds up command #718
Conversation
Testing:
|
2bc76eb
to
cc92faf
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add test output that shows existing secrets getting new tags after running the cmd with --update-existing-secrets
?
for key, value := range tags { | ||
iamTags = append(iamTags, &iam.Tag{ | ||
Key: aws.String(key), | ||
Value: value, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it valid to have a nil
value for a tag? If so, can we add a case for it to TestCreateTaskExecutionRoleWithTags
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Docs say its a required field: https://docs.aws.amazon.com/sdk-for-go/api/service/iam/#Tag
You can pass an empty string though, which my code handles correctly:
$ ecs-cli registry-creds up --role-name catsss --tags cat=,meow= reg-creds.yml
INFO[0000] Processing credentials for registry my-registry.example.com...
INFO[0000] Existing credential secret found, using arn:aws:secretsmanager:us-west-1:REDACTED:secret:amazon-ecs-cli-setup-my-registry.example.com-TIxAwp
INFO[0000] Creating resources for task execution role catsss...
INFO[0000] Created new task execution role arn:aws:iam::REDACTED:role/catsss
INFO[0000] Created new task execution role policy arn:aws:iam::REDACTED:policy/amazon-ecs-cli-setup-catsss-policy-20190213T184615Z
INFO[0001] Attached AWS managed policy arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy to role catsss
INFO[0001] Attached new policy arn:aws:iam::REDACTED:policy/amazon-ecs-cli-setup-catsss-policy-20190213T184615Z to role catsss
INFO[0001] Writing registry credential output to new file stuffnthings/bugbash/compose3/ecs-registry-creds_20190213T184615Z.yml
INFO[0001]
If your input file contains sensitive information, make sure that you delete it after use.
(I checked that the tags had been set in the Console)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we want to log info about what tags are being applied to what resources?
New and old tags are present on the secret:
|
2bd004c
to
65df7f1
Compare
65df7f1
to
ce01726
Compare
"github.com/aws/amazon-ecs-cli/ecs-cli/modules/utils/regcredio" | ||
"github.com/aws/aws-sdk-go/aws" | ||
taggngSDK "github.com/aws/aws-sdk-go/service/resourcegroupstaggingapi" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: should be taggingSDK
} | ||
|
||
for resource, info := range output.FailedResourcesMap { | ||
return fmt.Errorf("Failed to tag resource %s; error=%s", resource, *info.ErrorMessage) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we add test for this error case (FailedResourceMap != nil) and the API error return (line 342)?
@@ -65,5 +65,9 @@ func regcredsUpFlags() []cli.Flag { | |||
Name: flags.OutputDirFlag, | |||
Usage: "[Optional] The directory where the output file should be created. If none specified, file will be created in the current working directory.", | |||
}, | |||
cli.StringFlag{ | |||
Name: flags.ResourceTagsFlag, | |||
Usage: "[Optional] Add AWS Resource tags to the Secrets Manager secrets and IAM Role. Note that tags can only be added to the IAM role at time of creation.", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Suggested edit for conciseness + consistency w/ other flags:
"The AWS Resource tags to add to the Secrets Manager secrets and new IAM Role. Existing IAM Roles cannot be tagged."
createRoleRequest := iam.CreateRoleInput{ | ||
AssumeRolePolicyDocument: aws.String(assumeRolePolicyDoc), | ||
Description: aws.String(roleDescription), | ||
RoleName: aws.String(roleName), | ||
} | ||
if len(tags) > 0 { | ||
createRoleRequest.Tags = tags | ||
} | ||
roleResult, err := c.CreateRole(createRoleRequest) | ||
// if err is b/c role already exists, OK to continue | ||
if err != nil && !utils.EntityAlreadyExists(err) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What happens if we try to apply tags to an existing role? Does it return a distinct error or succeed? If the former, wondering if we should be checking for a specific error here & allowing it to succeed (like with EntityAlreadyExists
) or let it fail.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Adding here what we discussed: trying to re-create an existing role but with tags will still fail with an EntityAlreadyExists
error.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm happy to go along with what @allisaurus agrees with but curious why this is the correct behavior?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As per offline discussion, I understand now that this is strictly on creation of a new role, so this seems fine.
LGTM! Though do consider the suggested flag text change. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few questions just for my own clarification but otherwise LGTM
createRoleRequest := iam.CreateRoleInput{ | ||
AssumeRolePolicyDocument: aws.String(assumeRolePolicyDoc), | ||
Description: aws.String(roleDescription), | ||
RoleName: aws.String(roleName), | ||
} | ||
if len(tags) > 0 { | ||
createRoleRequest.Tags = tags | ||
} | ||
roleResult, err := c.CreateRole(createRoleRequest) | ||
// if err is b/c role already exists, OK to continue | ||
if err != nil && !utils.EntityAlreadyExists(err) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm happy to go along with what @allisaurus agrees with but curious why this is the correct behavior?
for key, value := range tags { | ||
iamTags = append(iamTags, &iam.Tag{ | ||
Key: aws.String(key), | ||
Value: value, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we want to log info about what tags are being applied to what resources?
4287af8
to
6aec326
Compare
Description of changes:
Tag SM secrets and new IAM roles. (IAM is not supported by the standalone resource tagging API, so tagging can only be supported during role creation).
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.