Resource tagging in the registry-creds up command #718
@@ -21,10 +21,13 @@ import ( | |
"github.com/aws/amazon-ecs-cli/ecs-cli/modules/clients/aws/iam" | ||
"github.com/aws/amazon-ecs-cli/ecs-cli/modules/clients/aws/kms" | ||
secretsClient "github.com/aws/amazon-ecs-cli/ecs-cli/modules/clients/aws/secretsmanager" | ||
"github.com/aws/amazon-ecs-cli/ecs-cli/modules/clients/aws/tagging" | ||
"github.com/aws/amazon-ecs-cli/ecs-cli/modules/commands/flags" | ||
"github.com/aws/amazon-ecs-cli/ecs-cli/modules/config" | ||
"github.com/aws/amazon-ecs-cli/ecs-cli/modules/utils" | ||
"github.com/aws/amazon-ecs-cli/ecs-cli/modules/utils/regcredio" | ||
"github.com/aws/aws-sdk-go/aws" | ||
taggingSDK "github.com/aws/aws-sdk-go/service/resourcegroupstaggingapi" | ||
"github.com/aws/aws-sdk-go/service/secretsmanager" | ||
"github.com/pkg/errors" | ||
log "github.com/sirupsen/logrus" | ||
|
@@ -85,6 +88,14 @@ func Up(c *cli.Context) { | |
log.Fatal("Error executing 'up': ", err) | ||
} | ||
|
||
var tags map[string]*string | ||
if tagVal := c.String(flags.ResourceTagsFlag); tagVal != "" { | ||
tags, err = utils.GetTagsMap(tagVal) | ||
if err != nil { | ||
log.Fatal("Error executing 'up': ", err) | ||
} | ||
} | ||
|
||
var policyCreateTime *time.Time | ||
if !skipRole { | ||
region := commandConfig.Session.Config.Region | ||
|
@@ -93,6 +104,7 @@ func Up(c *cli.Context) { | |
CredEntries: credentialOutput, | ||
RoleName: roleName, | ||
Region: *region, | ||
Tags: tags, | ||
} | ||
|
||
policyCreateTime, err = createTaskExecutionRole(roleParams, iamClient, kmsClient) | ||
|
@@ -103,6 +115,14 @@ func Up(c *cli.Context) { | |
log.Info("Skipping role creation.") | ||
} | ||
|
||
if len(tags) > 0 { | ||
taggingClient := tagging.NewTaggingClient(commandConfig) | ||
err = tagRegistryCredentials(credentialOutput, tags, taggingClient) | ||
if err != nil { | ||
log.Fatal("Failed to tag resources: ", err) | ||
} | ||
} | ||
|
||
// produce output file | ||
if !skipOutput { | ||
regcredio.GenerateCredsOutput(credentialOutput, roleName, outputDir, policyCreateTime) | ||
|
@@ -306,3 +326,26 @@ func validateOutputOptions(outputDir string, skipOutput bool) error { | |
} | ||
return nil | ||
} | ||
|
||
func tagRegistryCredentials(creds map[string]regcredio.CredsOutputEntry, tags map[string]*string, taggingClient tagging.Client) error { | ||
var arns []*string | ||
|
||
for _, credInfo := range creds { | ||
arns = append(arns, aws.String(credInfo.CredentialARN)) | ||
} | ||
|
||
input := &taggingSDK.TagResourcesInput{ | ||
ResourceARNList: arns, | ||
Tags: tags, | ||
} | ||
output, err := taggingClient.TagResources(input) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
for resource, info := range output.FailedResourcesMap { | ||
return fmt.Errorf("Failed to tag resource %s; error=%s", resource, *info.ErrorMessage) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. can we add test for this error case (FailedResourceMap != nil) and the API error return (line 342)? |
||
} | ||
|
||
return nil | ||
} |
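Review bot: The `for resource, info := range output.FailedResourcesMap` loop near the end of `tagRegistryCredentials` returns on its first iteration, so when several ARNs fail the one reported is picked by Go's random map order, and `*info.ErrorMessage` dereferences an SDK pointer field that can be nil and would panic. Collecting every failure into one sorted message, read through `aws.StringValue`, makes the report complete and deterministic; the rewrite below also needs `sort` and `strings` added to the import block, and the error text should be lowercase per Go convention. Separately, this call runs in `Up` after the secrets and role already exist, and the `log.Fatal("Failed to tag resources: ", err)` branch exits before `regcredio.GenerateCredsOutput`, so a tagging failure leaves real AWS resources behind with no output file describing them; logging the created credential ARNs before exiting would let the operator find and clean them up.
```go
	output, err := taggingClient.TagResources(input)
	if err != nil {
		return err
	}
	if len(output.FailedResourcesMap) > 0 {
		failures := make([]string, 0, len(output.FailedResourcesMap))
		for resource, info := range output.FailedResourcesMap {
			msg := "unknown error"
			if info != nil {
				msg = aws.StringValue(info.ErrorMessage)
			}
			failures = append(failures, resource+": "+msg)
		}
		sort.Strings(failures) // map iteration order is random; keep the message stable
		return fmt.Errorf("failed to tag resources: %s", strings.Join(failures, "; "))
	}
	return nil
```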
@@ -27,7 +27,7 @@ type Client interface { | |
AttachRolePolicy(policyArn, roleName string) (*iam.AttachRolePolicyOutput, error) | ||
CreateRole(iam.CreateRoleInput) (*iam.CreateRoleOutput, error) | ||
CreatePolicy(iam.CreatePolicyInput) (*iam.CreatePolicyOutput, error) | ||
CreateOrFindRole(string, string, string) (string, error) | ||
CreateOrFindRole(string, string, string, []*iam.Tag) (string, error) | ||
} | ||
|
||
type iamClient struct { | ||
|
@@ -81,12 +81,15 @@ func (c *iamClient) CreatePolicy(input iam.CreatePolicyInput) (*iam.CreatePolicy | |
} | ||
|
||
// CreateOrFindRole returns a new role ARN or an empty string if role already exists | ||
func (c *iamClient) CreateOrFindRole(roleName, roleDescription, assumeRolePolicyDoc string) (string, error) { | ||
func (c *iamClient) CreateOrFindRole(roleName, roleDescription, assumeRolePolicyDoc string, tags []*iam.Tag) (string, error) { | ||
createRoleRequest := iam.CreateRoleInput{ | ||
AssumeRolePolicyDocument: aws.String(assumeRolePolicyDoc), | ||
Description: aws.String(roleDescription), | ||
RoleName: aws.String(roleName), | ||
} | ||
if len(tags) > 0 { | ||
createRoleRequest.Tags = tags | ||
} | ||
roleResult, err := c.CreateRole(createRoleRequest) | ||
// if err is b/c role already exists, OK to continue | ||
if err != nil && !utils.EntityAlreadyExists(err) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. What happens if we try to apply tags to an existing role? Does it return a distinct error or succeed? If the former, wondering if we should be checking for a specific error here & allowing it to succeed (like with There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Adding here what we discussed: trying to re-create an existing role but with tags will still fail with an There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm happy to go along with what @allisaurus agrees with but curious why this is the correct behavior? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. As per offline discussion, I understand now that this is strictly on creation of a new role, so this seems fine. |
||
|
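Review bot: The doc comment above `CreateOrFindRole` was not updated for the new `tags` parameter, and the lines that follow only attach tags on the `CreateRole` request while an `EntityAlreadyExists` error is still tolerated, so a pre-existing role keeps whatever tags it had. Suggest `// CreateOrFindRole returns a new role ARN or an empty string if the role already exists. tags are attached only when this call creates the role; a pre-existing role is not retagged.` The same caveat belongs on the `Client` interface method in the first hunk, where the signature changed without any comment. The function body continues past the end of the hunk.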
Is it valid to have a `nil` value for a tag? If so, can we add a case for it to TestCreateTaskExecutionRoleWithTags?
Docs say its a required field: https://docs.aws.amazon.com/sdk-for-go/api/service/iam/#Tag
You can pass an empty string though, which my code handles correctly:
(I checked that the tags had been set in the Console)
Do we want to log info about what tags are being applied to what resources?