Add feature flag
msambol committed Jun 20, 2024
1 parent 2293ed8 commit 63f6e9f
Showing 6 changed files with 534 additions and 8 deletions.
Expand Up @@ -4,7 +4,7 @@ import * as ecs from 'aws-cdk-lib/aws-ecs';
import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
import * as cdk from 'aws-cdk-lib';
import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';
import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP, ECS_REDUCE_RUN_TASK_PERMISSIONS } from 'aws-cdk-lib/cx-api';
import { IntegTest } from '@aws-cdk/integ-tests-alpha';

/*
Expand All @@ -20,6 +20,7 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha';
const app = new cdk.App();
const stack = new cdk.Stack(app, 'aws-sfn-tasks-ecs-run-task');
stack.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true);

const cluster = new ecs.Cluster(stack, 'Ec2Cluster');
cluster.addCapacity('DefaultAutoScalingGroup', {
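Review bot: Both integ stacks (this one and `aws-sfn-tasks-ecs-fargate-run-task` in the next file) enable ECS_REDUCE_RUN_TASK_PERMISSIONS, so the integ snapshots exercise only the reduced `family:*` RunTask policy; the flag-off path, which also grants the revision-less family ARN and is what apps without the flag get, has no integ coverage visible in this commit unless one of the other changed files adds it. A one-line comment above the new `setContext` call would make the choice explicit, e.g. `// Opt in to the reduced ecs:RunTask policy (family:* revisions only)`, with a pointer to wherever the flag-off variant is tested. These are top-level statements, so nothing here is cut by the hunk.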
Expand Up @@ -3,7 +3,7 @@ import * as ecs from 'aws-cdk-lib/aws-ecs';
import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
import * as cdk from 'aws-cdk-lib';
import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';
import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP, ECS_REDUCE_RUN_TASK_PERMISSIONS } from 'aws-cdk-lib/cx-api';
import { IntegTest } from '@aws-cdk/integ-tests-alpha';

/*
Expand All @@ -19,6 +19,7 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha';
const app = new cdk.App();
const stack = new cdk.Stack(app, 'aws-sfn-tasks-ecs-fargate-run-task');
stack.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true);

const cluster = new ecs.Cluster(stack, 'FargateCluster');

32 changes: 26 additions & 6 deletions packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts
Expand Up @@ -5,6 +5,7 @@ import * as ecs from '../../../aws-ecs';
import * as iam from '../../../aws-iam';
import * as sfn from '../../../aws-stepfunctions';
import * as cdk from '../../../core';
import * as cxapi from '../../../cx-api';
import { integrationResourceArn, validatePatternSupported } from '../private/task-utils';

/**
Expand Down Expand Up @@ -346,12 +347,31 @@ export class EcsRunTask extends sfn.TaskStateBase implements ec2.IConnectable {
private makePolicyStatements(): iam.PolicyStatement[] {
const stack = cdk.Stack.of(this);

const taskDefinitionFamilyArn = this.getTaskDefinitionFamilyArn();
const reduceRunTaskPermissions = cdk.FeatureFlags.of(this).isEnabled(cxapi.ECS_REDUCE_RUN_TASK_PERMISSIONS);
let policyStatements = [];

// https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html
const policyStatements = [
new iam.PolicyStatement({
actions: ['ecs:RunTask'],
resources: [`${this.getTaskDefinitionFamilyArn()}:*`],
}),
if (reduceRunTaskPermissions) {
policyStatements.push(
new iam.PolicyStatement({
actions: ['ecs:RunTask'],
resources: [`${taskDefinitionFamilyArn}:*`],
}),
);
} else {
policyStatements.push(
new iam.PolicyStatement({
actions: ['ecs:RunTask'],
resources: [
taskDefinitionFamilyArn,
`${taskDefinitionFamilyArn}:*`,
],
}),
);
}

policyStatements.push(
new iam.PolicyStatement({
actions: ['ecs:StopTask', 'ecs:DescribeTasks'],
resources: ['*'],
Expand All @@ -360,7 +380,7 @@ export class EcsRunTask extends sfn.TaskStateBase implements ec2.IConnectable {
actions: ['iam:PassRole'],
resources: this.taskExecutionRoles().map((r) => r.roleArn),
}),
];
);

if (this.integrationPattern === sfn.IntegrationPattern.RUN_JOB) {
policyStatements.push(
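Review bot: `let policyStatements = [];` near the top of the second hunk is never reassigned and declares no element type, so it should read `const policyStatements: iam.PolicyStatement[] = [];`. The two branches of the flag check then push statements that are identical except for whether the bare `taskDefinitionFamilyArn` is listed as a resource, and the duplication hides that single difference; choosing the resource list first and pushing one statement makes the difference the only thing a reader compares, and gives the flag a natural place for a comment. From the visible lines the reduced set is the `family:*` pattern alone while the flag-off path additionally grants the revision-less family ARN; whether that bare ARN is ever matched by a RunTask call is not something this hunk establishes, so the comment should state only what the flag toggles. makePolicyStatements continues past the end of this hunk, and the `);` that closes the second push is in the following hunk.

```typescript
const taskDefinitionFamilyArn = this.getTaskDefinitionFamilyArn();
const reduceRunTaskPermissions = cdk.FeatureFlags.of(this).isEnabled(cxapi.ECS_REDUCE_RUN_TASK_PERMISSIONS);
const policyStatements: iam.PolicyStatement[] = [];

// https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html
// The flag only changes the ecs:RunTask resource list: with it on, only revisions of the
// family (`family:*`) are granted; with it off, the revision-less family ARN is granted too.
const runTaskResources = reduceRunTaskPermissions
  ? [`${taskDefinitionFamilyArn}:*`]
  : [taskDefinitionFamilyArn, `${taskDefinitionFamilyArn}:*`];
policyStatements.push(
  new iam.PolicyStatement({
    actions: ['ecs:RunTask'],
    resources: runTaskResources,
  }),
);

// … unchanged: StopTask/DescribeTasks and iam:PassRole statements …
```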

0 comments on commit 63f6e9f
