chore: Add :* to IAM policy. Fixes aws#30390
Joerg Woehrle committed Jun 7, 2024
1 parent 4c3b6a0 commit 768fcb2
Showing 2 changed files with 40 additions and 1 deletion.
2 changes: 1 addition & 1 deletion packages/aws-cdk-lib/aws-events-targets/lib/ecs-task.ts
Expand Up @@ -280,7 +280,7 @@ export class EcsTask implements events.IRuleTarget {
const policyStatements = [
new iam.PolicyStatement({
actions: ['ecs:RunTask'],
resources: [this.taskDefinition.taskDefinitionArn],
resources: [`${this.taskDefinition.taskDefinitionArn}:*`],
conditions: {
ArnEquals: { 'ecs:cluster': this.cluster.clusterArn },
},
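Review bot: Appending `:*` unconditionally on the new `resources` line only produces a useful pattern when `taskDefinitionArn` ends at the family name; if the ARN already carries a revision (`…:family:1`, which is what a `Ref` to the task-definition resource is commonly understood to resolve to, though that cannot be confirmed from this hunk) the pattern becomes `…:family:1:*`, which would not match an ARN of the form `…:family:1` and the RunTask statement would still not apply. A safer shape is to append the wildcard only when the ARN is a concrete, non-token string that does not already end in `:<digits>`, and to leave a revision-bearing ARN untouched. The wildcard also widens the grant from one revision to every revision of the family, which is presumably what aws#30390 asks for, so the statement deserves a why-comment such as `// NOTE(review): ':*' lets the rule run any revision of this task definition (aws#30390) — confirm the ARN is a family ARN, not a revision ARN`. The enclosing method starts and ends outside this hunk.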
Expand Up @@ -9,6 +9,7 @@ import * as iam from '../../../aws-iam';
import * as sqs from '../../../aws-sqs';
import * as cdk from '../../../core';
import * as targets from '../../lib';
import { EcsTask } from "../../lib";

let stack: cdk.Stack;
let vpc: ec2.Vpc;
Expand Down Expand Up @@ -1095,3 +1096,41 @@ test.each([
],
});
});

test('Task role is targeting wildcard taskdefinitions', () => {
const taskDefinition = new ecs.FargateTaskDefinition(stack, 'TaskDef');
taskDefinition.addContainer('TheContainer', {
image: ecs.ContainerImage.fromRegistry('henk'),
});

const rule = new events.Rule(stack, 'Rule', {
schedule: events.Schedule.rate(cdk.Duration.hours(1)),
});

rule.addTarget(
new EcsTask({
cluster: cluster,
taskDefinition: taskDefinition
})
);

const policyMatch = Match.objectLike({
"PolicyDocument": {
"Statement": Match.arrayWith([
Match.objectLike({
"Action": "ecs:RunTask",
"Resource": {
"Fn::Join" : [
"",
[
{"Ref": Match.anyValue()},
":*"
]
]
}
})
])}});
const template = Template.fromStack(stack);
template.toJSON()
template.hasResource('AWS::IAM::Policy', {"Properties": policyMatch});
})
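Review bot: `template.toJSON()` on its own line computes a value and discards it, so the statement is dead and should be removed or its result asserted. The `Resource` matcher only checks that `":*"` is joined onto whatever `Ref` resolves to, so it cannot catch the case where `Ref` already carries a revision and the resulting pattern `…:1:*` matches nothing; a comment naming the expected ARN shape, e.g. `// expects <family-arn>:* — confirm Ref does not already carry a revision`, would make that assumption explicit. Style: the new `import { EcsTask } from "../../lib";` in the first hunk duplicates the existing `import * as targets from '../../lib'` and uses double quotes where the file uses single quotes, so `new targets.EcsTask({ … })` avoids the extra import, and the quoted object keys (`"PolicyDocument"`, `"Statement"`, …) and the unterminated closing `})` should follow the surrounding tests' quoting and semicolon convention. The test also relies on `stack` and `cluster` being initialised outside this hunk.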
