From 768fcb276614bcf7f4555df557b45a94e44296f0 Mon Sep 17 00:00:00 2001
From: Joerg Woehrle
Date: Fri, 7 Jun 2024 08:58:29 +0000
Subject: [PATCH] chore: Add :* to IAM policy. Fixes #30390
---
 .../aws-events-targets/lib/ecs-task.ts | 2 +-
 .../test/ecs/event-rule-target.test.ts | 39 +++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/packages/aws-cdk-lib/aws-events-targets/lib/ecs-task.ts b/packages/aws-cdk-lib/aws-events-targets/lib/ecs-task.ts
index d17ef04e17e20..83ec2800611fd 100644
--- a/packages/aws-cdk-lib/aws-events-targets/lib/ecs-task.ts
+++ b/packages/aws-cdk-lib/aws-events-targets/lib/ecs-task.ts
@@ -280,7 +280,7 @@ export class EcsTask implements events.IRuleTarget {
 const policyStatements = [
 new iam.PolicyStatement({
 actions: ['ecs:RunTask'],
- resources: [this.taskDefinition.taskDefinitionArn],
+ resources: [`${this.taskDefinition.taskDefinitionArn}:*`],
 conditions: {
 ArnEquals: { 'ecs:cluster': this.cluster.clusterArn },
 },
diff --git a/packages/aws-cdk-lib/aws-events-targets/test/ecs/event-rule-target.test.ts b/packages/aws-cdk-lib/aws-events-targets/test/ecs/event-rule-target.test.ts
index ebc88f0f91e9a..05e19757f495c 100644
--- a/packages/aws-cdk-lib/aws-events-targets/test/ecs/event-rule-target.test.ts
+++ b/packages/aws-cdk-lib/aws-events-targets/test/ecs/event-rule-target.test.ts
@@ -9,6 +9,7 @@ import * as iam from '../../../aws-iam';
 import * as sqs from '../../../aws-sqs';
 import * as cdk from '../../../core';
 import * as targets from '../../lib';
+import { EcsTask } from "../../lib";
 let stack: cdk.Stack;
 let vpc: ec2.Vpc;
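Review bot: Appending `:*` unconditionally on the `+ resources:` line also rewrites ARNs that already end in a revision, and `…/family:7:*` does not match `…/family:7` because IAM needs the literal `:` before the wildcard; for a task definition defined in the same stack, whose `Ref` resolves to the revisioned ARN (the very shape the new test matches), this turns the previous exact grant into an AccessDenied on RunTask. The wildcard is only needed when the caller supplied a family ARN with no revision (an imported definition), so gate it: widen only a resolved string without a trailing `:<digits>` and keep the exact ARN otherwise, assuming the file has the usual `cdk` core import. Granting every revision of the family in that case is a reasonable least-privilege trade-off, but the comment should say so, since it is the one place this target's policy is wider than the task it runs. The enclosing method starts and ends outside the hunk.
```typescript
const taskDefinitionArn = this.taskDefinition.taskDefinitionArn;
// Only a concrete ARN with no trailing ":<revision>" (an imported family ARN)
// must be widened to all revisions; an ARN that already carries one, including
// the token of a task definition defined in this stack, stays exact, because
// "<arn>:<rev>:*" would not match "<arn>:<rev>" and RunTask would be denied.
const needsRevisionWildcard =
  !cdk.Token.isUnresolved(taskDefinitionArn) && !/:[0-9]+$/.test(taskDefinitionArn);
const policyStatements = [
  new iam.PolicyStatement({
    actions: ['ecs:RunTask'],
    resources: [needsRevisionWildcard ? `${taskDefinitionArn}:*` : taskDefinitionArn],
    // … unchanged: conditions …
```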
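Review bot: The added `import { EcsTask } from "../../lib";` is a second import from the path already bound as `targets` on the line above, and it uses double quotes where the surrounding imports use single quotes. Drop the line and refer to `targets.EcsTask` in the new test instead, which is presumably how the rest of this file reaches the target classes.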
@@ -1095,3 +1096,41 @@ test.each([
 ],
 });
 });
+
+test('Task role is targeting wildcard taskdefinitions', () => {
+ const taskDefinition = new ecs.FargateTaskDefinition(stack, 'TaskDef');
+ taskDefinition.addContainer('TheContainer', {
+ image: ecs.ContainerImage.fromRegistry('henk'),
+ });
+
+ const rule = new events.Rule(stack, 'Rule', {
+ schedule: events.Schedule.rate(cdk.Duration.hours(1)),
+ });
+
+ rule.addTarget(
+ new EcsTask({
+ cluster: cluster,
+ taskDefinition: taskDefinition
+ })
+ );
+
+ const policyMatch = Match.objectLike({
+ "PolicyDocument": {
+ "Statement": Match.arrayWith([
+ Match.objectLike({
+ "Action": "ecs:RunTask",
+ "Resource": {
+ "Fn::Join" : [
+ "",
+ [
+ {"Ref": Match.anyValue()},
+ ":*"
+ ]
+ ]
+ }
+ })
+ ])}});
+ const template = Template.fromStack(stack);
+ template.toJSON()
+ template.hasResource('AWS::IAM::Policy', {"Properties": policyMatch});
+})
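Review bot: The new test only exercises a task definition defined in the stack, whose `Ref` already resolves to a revisioned ARN, so it pins the case where the `:*` suffix is least justified and leaves the motivating case — an imported family ARN with no revision — untested. Add a companion test that imports such an ARN (for example via `ecs.TaskDefinition.fromTaskDefinitionArn`) and asserts the `:*` suffix on the `ecs:RunTask` statement there, and decide explicitly in this test whether the stack-owned definition should keep an exact `Ref` resource rather than the joined `:*` form. `template.toJSON()` on its own line discards its result and should be deleted. The new lines also drift from the file's style: `cluster: cluster` can be the shorthand `cluster`, and the statements ending in `taskDefinition: taskDefinition`, `template.toJSON()` and the final `})` lack the semicolons the package's lint expects.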