feat(apprunner): make Service implement IGrantable #26130

Merged
merged 9 commits into from
Jul 24, 2023
4 changes: 3 additions & 1 deletion packages/@aws-cdk/aws-apprunner-alpha/lib/service.ts
Expand Up @@ -959,7 +959,7 @@ export abstract class Secret {
/**
* The App Runner Service.
*/
export class Service extends cdk.Resource {
export class Service extends cdk.Resource implements iam.IGrantable {
/**
* Import from service name.
*/
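Review bot: the class doc comment directly above the declaration still reads only "The App Runner Service" although the class now implements iam.IGrantable; extend it to state which principal receives grants made against the service (the instance role, per the grantPrincipal assignment later in this diff), so that callers of bucket.grantRead(service) know which role gets the policy.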
Expand Down Expand Up @@ -993,6 +993,7 @@ export class Service extends cdk.Resource {

return new Import(scope, id);
}
public readonly grantPrincipal: iam.IPrincipal;
private readonly props: ServiceProps;
private accessRole?: iam.IRole;
private instanceRole?: iam.IRole;
Expand Down Expand Up @@ -1052,6 +1053,7 @@ export class Service extends cdk.Resource {
this.props = props;

this.instanceRole = this.props.instanceRole;
this.grantPrincipal = this.instanceRole || new iam.UnknownPrincipal({ resource: this });
I think we should just go ahead and create the role if the user doesn't provide it. I'm not sure why we try to only generate one if needed.


const environmentVariables = this.getEnvironmentVariables();
const environmentSecrets = this.getEnvironmentSecrets();
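Review bot: `this.grantPrincipal = this.instanceRole || new iam.UnknownPrincipal({ resource: this });` is evaluated once in the constructor, so if the service later generates an instance role on demand (the earlier review comment says a role is only created when needed), that generated role never becomes the grant principal and grants issued before or after it exists are not attached to it. Either create the instance role unconditionally here and assign it to grantPrincipal, as the reviewer suggests, or expose the principal through a getter that returns the role once it exists.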
44 changes: 43 additions & 1 deletion packages/@aws-cdk/aws-apprunner-alpha/test/service.test.ts
Expand Up @@ -6,6 +6,7 @@ import * as ecr_assets from 'aws-cdk-lib/aws-ecr-assets';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
import * as ssm from 'aws-cdk-lib/aws-ssm';
import * as s3 from 'aws-cdk-lib/aws-s3';
import { testDeprecated } from '@aws-cdk/cdk-build-tools';
import * as cdk from 'aws-cdk-lib';
import * as apprunner from '../lib';
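Review bot: the added `import * as s3 from 'aws-cdk-lib/aws-s3';` breaks the alphabetical ordering of the aws-cdk-lib imports in this block (ecr_assets, iam, secretsmanager, ssm); move it above the `aws-ssm` import to keep the file's existing ordering.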
Expand Down Expand Up @@ -1252,4 +1253,45 @@ testDeprecated('Using both environmentVariables and environment should throw an
}),
});
}).toThrow(/You cannot set both \'environmentVariables\' and \'environment\' properties./);
});
});

test('Service is grantable', () => {
// GIVEN
const app = new cdk.App();
const stack = new cdk.Stack(app, 'demo-stack');
// WHEN
const bucket = s3.Bucket.fromBucketAttributes(stack, 'ImportedBucket', { bucketArn: 'arn:aws:s3:::my-bucket' });
const service = new apprunner.Service(stack, 'DemoService', {
source: apprunner.Source.fromEcrPublic({
imageIdentifier: 'public.ecr.aws/aws-containers/hello-app-runner:latest',
}),
instanceRole: new iam.Role(stack, 'InstanceRole', {
assumedBy: new iam.ServicePrincipal('tasks.apprunner.amazonaws.com'),
}),
});

bucket.grantRead(service);

// THEN
Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
PolicyDocument: {
Statement: [
{
Action: [
's3:GetObject*',
's3:GetBucket*',
's3:List*',
],
Resource: [
'arn:aws:s3:::my-bucket',
'arn:aws:s3:::my-bucket/*',
],
},
],
},
PolicyName: 'InstanceRoleDefaultPolicy1531605C',
Roles: [
{ Ref: 'InstanceRole3CCE2F1D' },
],
});
});
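Review bot: the new test only exercises the path where an explicit instanceRole is passed, so the fallback branch in service.ts (`new iam.UnknownPrincipal({ resource: this })` when no instance role is supplied) is untested; add a second case that constructs the Service without instanceRole, calls bucket.grantRead(service), and asserts on the resulting template (for example that no AWS::IAM::Policy is attached to a role the service did not create), so a regression in that branch is caught rather than silently producing a service with no permissions.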