Allowing RoleArn in x-rds Lookup (#233)

ecs_composex/common/compose_resources.py

@@ -150,7 +150,12 @@ def set_services_targets(self, settings):
                 f[0].name for f in self.families_targets
             ]:
                 self.families_targets.append(
-                    (settings.families[service_name], True, [], service["access"])
+                    (
+                        settings.families[service_name],
+                        True,
+                        settings.families[service_name].services,
+                        service["access"],
+                    )
                 )
             elif service_name in settings.families and service_name in [
                 f[0].name for f in self.families_targets

ecs_composex/common/compose_services.py

@@ -771,7 +771,7 @@ def set_xray(self):
                 service.depends_on.append(xray_service.name)
                 LOG.debug(f"Adding xray-daemon as dependency to {service.name}")
             self.add_service(xray_service)
-            if not xray_service.name not in self.ignored_services:
+            if xray_service.name not in self.ignored_services:
                 self.ignored_services.append(xray_service)
 
     def reset_logging_retention_period(self, closest_valid):

ecs_composex/rds/rds_aws.py

@@ -24,6 +24,7 @@
     find_aws_resource_arn_from_tags_api,
     define_lookup_role_from_info,
 )
+from ecs_composex.iam import ROLE_ARN_ARG
 
 
 def validate_rds_settings(lookup_properties):
@@ -67,16 +68,19 @@ def validate_rds_lookup(db_name, lookup):
         raise TypeError(
             "The Lookup section for RDS must be an object/dictionary. Got", type(lookup)
         )
-    allowed_keys = ["secret", "cluster", "db"]
+    allowed_keys = ["secret", "cluster", "db", ROLE_ARN_ARG]
+    rds_specific = ["secret", "cluster", "db"]
     if not all(key in allowed_keys for key in lookup.keys()):
         raise KeyError("Lookup section allows only", allowed_keys, "Got", lookup.keys())
     if not any(key in ["cluster", "db"] for key in lookup.keys()):
         raise KeyError("You must define at least one of", ["cluster", "db"])
     for key_name in lookup:
-        if not isinstance(lookup[key_name], dict):
+        if key_name in rds_specific and not isinstance(lookup[key_name], dict):
             raise TypeError(
                 f"{key_name} is of type", type(lookup[key_name]), "Expected", dict
             )
+        elif key_name == ROLE_ARN_ARG and not isinstance(lookup[ROLE_ARN_ARG], str):
+            raise TypeError(f"{ROLE_ARN_ARG} must be of type", str)
     if keyisset("cluster", lookup) and keyisset("db", lookup):
         raise KeyError(
             f"{db_name} - You can only search for RDS cluster or db but not both at the same time."

ecs_composex/rds/rds_ecs.py

@@ -22,25 +22,21 @@
 from troposphere import Select, FindInMap
 
 from ecs_composex.common import LOG, keyisset
-from ecs_composex.ecs.ecs_template import get_service_family_name
 from ecs_composex.rds.rds_aws import validate_rds_lookup, lookup_rds_resource
 from ecs_composex.rds.rds_perms import (
-    add_secret_to_containers,
+    add_secret_to_container,
     define_db_secret_import,
     add_rds_policy,
     add_security_group_ingress,
 )
 
 
 def handle_new_dbs_to_services(db, secret_import, target):
-    for service in target[2]:
-        add_secret_to_containers(
-            target[0].template,
-            db,
-            secret_import,
-            service.name,
-            target[1],
-        )
+    valid_ones = [
+        service for service in target[2] if service not in target[0].ignored_services
+    ]
+    for service in valid_ones:
+        add_secret_to_container(db, secret_import, service.container_definition)
     add_rds_policy(target[0].template, secret_import, db.logical_name)
     add_security_group_ingress(target[0].stack, db.logical_name)
 
@@ -53,13 +49,16 @@ def handle_import_dbs_to_services(
     if keyisset(db.logical_name, rds_mapping) and keyisset(
         "SecretArn", rds_mapping[db.logical_name]
     ):
-        for service in target[2]:
-            add_secret_to_containers(
-                target[0].template,
+        valid_ones = [
+            service
+            for service in target[2]
+            if service not in target[0].ignored_services
+        ]
+        for service in valid_ones:
+            add_secret_to_container(
                 db,
                 FindInMap("Rds", db.logical_name, "SecretArn"),
-                service.name,
-                target[1],
+                service.container_definition,
             )
         add_rds_policy(
             target[0].template,
@@ -118,31 +117,43 @@ def add_new_dbs(db, rds_root_stack):
         )
 
 
-def import_dbs(db, db_mappings, settings):
+def import_dbs(db, db_mappings):
     """
     Function to go over each service defined in the DB and assign found DB settings to service
 
     :param ecs_composex.rds.rds_stack.Rds db:
     :param dict db_mappings:
-    :param ecs_composex.common.settings.ComposeXSettings settings: The settings for ComposeX Execution
     :return:
     """
-    validate_rds_lookup(db.name, db.lookup)
-    db_config = lookup_rds_resource(db.lookup, settings.session)
-    if not db_config:
-        LOG.warn(
-            f"No RDS DB Configuration could be defined from provided lookup. Skipping {db.name}"
-        )
-        return
-    db_mappings.update(create_rds_db_config_mapping(db, db_config))
     for target in db.families_targets:
+        target[0].template.add_mapping("Rds", db_mappings)
         handle_import_dbs_to_services(
             db,
             db_mappings,
             target,
         )
 
 
+def create_lookup_mappings(mappings, lookup_dbs, settings):
+    """
+    Function to create the RDS mappings to add to services templates
+
+    :param dict mappings:
+    :param list lookup_dbs:
+    :param ecs_composex.common.settings.ComposeXSettings settings: The settings for ComposeX Execution
+    """
+    for db in lookup_dbs:
+        validate_rds_lookup(db.name, db.lookup)
+        db_config = lookup_rds_resource(db.lookup, settings.session)
+        if not db_config:
+            LOG.warn(
+                f"No RDS DB Configuration could be defined from provided lookup. Skipping {db.name}"
+            )
+            return
+        config = create_rds_db_config_mapping(db, db_config)
+        mappings.update(config)
+
+
 def rds_to_ecs(rds_dbs, services_stack, res_root_stack, settings):
     """
     Function to apply onto existing ECS Templates the various settings
@@ -169,5 +180,7 @@ def rds_to_ecs(rds_dbs, services_stack, res_root_stack, settings):
         LOG.info(f"Added dependency between services and {res_root_stack.title}")
     for new_res in new_resources:
         add_new_dbs(new_res, res_root_stack)
+    create_lookup_mappings(db_mappings, lookup_resources, settings)
     for lookup_res in lookup_resources:
-        import_dbs(lookup_res, db_mappings, settings)
+        if keyisset(lookup_res.logical_name, db_mappings):
+            import_dbs(lookup_res, db_mappings)

ecs_composex/rds/rds_perms.py

@@ -165,3 +165,21 @@ def add_secret_to_containers(
             for db_secret in db_secrets:
                 extend_container_secrets(container, db_secret)
             break
+
+
+def add_secret_to_container(db, secret_import, container_definition):
+    """
+    Function to add DB secret to container
+
+    :param troposphere.Template service_template: the ecs_service template
+    :param ecs_composex.common.compose_resources.Rds db: the RDS DB object
+    :param str,AWSHelper secret_import: secret arn
+    :param str service_name: Name of the service that was explicitely listed as consuming the DB
+    :param bool family_wide: Whether or not apply the secret to all services of the family.
+    """
+
+    db_secrets = [
+        EcsSecret(Name=name, ValueFrom=secret_import) for name in db_secrets_names(db)
+    ]
+    for db_secret in db_secrets:
+        extend_container_secrets(container_definition, db_secret)