(event-targets): EcsTask uses invalid task definition arn in policy #30390
Comments
Here's my extremely hacky workaround, in case anyone else needs to fix this before it's fixed upstream:

```typescript
import { PolicyStatement, Role } from "aws-cdk-lib/aws-iam";

// `target` is the EcsTask event target; `importedTaskDefArn` is the imported
// task definition ARN (no revision) and `ecsCluster` is the target cluster.
const role = (target as any).role as Role;
const statements = (role as any).defaultPolicy.document.statements as PolicyStatement[];
// Drop the ecs:RunTask statement the construct generated with the revision-less resource.
const withoutBadStatements = statements.filter((s) => {
  const isBadStatement = s.actions.length === 1 && s.actions[0] === "ecs:RunTask";
  return !isBadStatement;
});
(role as any).defaultPolicy.document.statements = withoutBadStatements;
// Re-add it with the wildcard revision suffix.
role.addToPrincipalPolicy(
  new PolicyStatement({
    actions: ["ecs:RunTask"],
    resources: [importedTaskDefArn + ":*"], // this is the fix for the bug
    conditions: {
      ArnEquals: {
        "ecs:cluster": ecsCluster.clusterArn,
      },
    },
  })
);
```
Appears to be an issue based on below references:
Task Definition ARN in IAM policy resource should include task definition Revision Number.
Comments on closed issues and PRs are hard for our team to see.
Describe the bug
AWS recently sent this warning:
Of our affected resources, many were policies generated by the EcsTask target: aws-cdk/packages/aws-cdk-lib/aws-events-targets/lib/ecs-task.ts, lines 280 to 292 in 8b234b7
Expected Behavior
The EcsTask construct should generate a valid task definition reference in the generated policy.

Current Behavior

The generated policy includes an invalid reference, like this:

Specifically, `"Resource": "arn:aws:ecs:us-west-2:123456789101:task-definition/MyTask"` needs to be `"Resource": "arn:aws:ecs:us-west-2:123456789101:task-definition/MyTask:*"` to comply with the new requirements.

Reproduction Steps
This stack
Produces
Which is invalid based on the deprecation notice we received.
Possible Solution
If the task definition contains no revision information, a wildcard should automatically be applied.
Additional Information/Context
This is not an issue if the task definition is not imported. For example:
Produces this snippet:
Will reference the full ARN, including the revision, according to the docs.
CDK CLI Version
2.143.1 (build 29b0d66)
Framework Version
No response
Node.js Version
20
OS
MacOS
Language
TypeScript
Language Version
No response
Other information
See also #30368.
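As an added example (not code from this issue or from aws-cdk), the normalisation the "Possible Solution" describes, applying a wildcard revision when the imported task definition ARN carries none, plus an audit over a synthesized policy document that flags the revision-less ecs:RunTask resources the deprecation notice warns about. The regex, function names and the sample policy are this example's own assumptions; the ARNs are constructed from the values quoted in the issue.

```typescript
// Hypothetical ECS task definition ARN matcher: group 1 captures an optional
// ":<revision>" or ":*" suffix after the family name.
const TASK_DEF_ARN = /^arn:[^:]+:ecs:[^:]*:[^:]*:task-definition\/[^:]+(:(\d+|\*))?$/;

// Append ":*" when the ARN names only the family (no revision); leave ARNs
// that already carry a numeric revision or a wildcard unchanged.
function qualifyTaskDefinitionArn(arn: string): string {
  const m = TASK_DEF_ARN.exec(arn);
  if (!m) {
    throw new Error("not an ECS task definition ARN: " + arn);
  }
  return m[1] ? arn : arn + ":*";
}

interface Statement {
  Effect: string;
  Action: string | string[];
  Resource: string | string[];
}

// Return the resources of Allow ecs:RunTask statements that reference a task
// definition family without a revision or wildcard, i.e. the form the issue
// reports as invalid. Run it over a synthesized policy document.
function findBareTaskDefinitionResources(doc: { Statement: Statement[] }): string[] {
  const bad: string[] = [];
  for (const s of doc.Statement) {
    const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
    if (s.Effect !== "Allow" || actions.indexOf("ecs:RunTask") === -1) continue;
    const resources = Array.isArray(s.Resource) ? s.Resource : [s.Resource];
    for (const r of resources) {
      const m = TASK_DEF_ARN.exec(r);
      if (m && !m[1]) bad.push(r);
    }
  }
  return bad;
}

// Constructed sample policy mirroring the shape quoted in the issue: one bad
// family-only resource, one revision-qualified resource, one unrelated statement.
const SAMPLE_POLICY: { Statement: Statement[] } = {
  Statement: [
    { Effect: "Allow", Action: "ecs:RunTask",
      Resource: "arn:aws:ecs:us-west-2:123456789101:task-definition/MyTask" },
    { Effect: "Allow", Action: ["ecs:RunTask"],
      Resource: "arn:aws:ecs:us-west-2:123456789101:task-definition/Other:3" },
    { Effect: "Allow", Action: "iam:PassRole", Resource: "*" },
  ],
};
```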