fix(ecs): allow passing execution role to imported TaskDefinitions (#24987)

blimmer · web-flow · commit 0d156a810a7a · 2023-04-18T15:20:18.000Z
See #24984 for details. TLDR; there's not a way currently exposed to define the `executionRole` on an imported `TaskDefinition`. This change allows optionally passing an `executionRole`. Fixes issue #24984. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk-lib/aws-ecs/lib/base/_imported-task-definition.ts b/packages/aws-cdk-lib/aws-ecs/lib/base/_imported-task-definition.ts
@@ -34,6 +34,15 @@ export interface ImportedTaskDefinitionProps {
    * @default Permissions cannot be granted to the imported task.
    */
   readonly taskRole?: IRole;
+
+  /**
+   * The IAM role that grants containers and Fargate agents permission to make AWS API calls on your behalf.
+   *
+   * Some tasks do not have an execution role.
+   *
+   * @default - undefined
+   */
+  readonly executionRole?: IRole;
 }
 
 /**
@@ -70,6 +79,7 @@ export class ImportedTaskDefinition extends Resource implements IEc2TaskDefiniti
 
     this.compatibility = props.compatibility ?? Compatibility.EC2_AND_FARGATE;
     this.taskDefinitionArn = props.taskDefinitionArn;
+    this.executionRole = props.executionRole;
     this._taskRole = props.taskRole;
     this._networkMode = props.networkMode;
   }
diff --git a/packages/aws-cdk-lib/aws-ecs/lib/base/task-definition.ts b/packages/aws-cdk-lib/aws-ecs/lib/base/task-definition.ts
@@ -250,6 +250,15 @@ export interface CommonTaskDefinitionAttributes {
    * @default Permissions cannot be granted to the imported task.
    */
   readonly taskRole?: iam.IRole;
+
+  /**
+   * The IAM role that grants containers and Fargate agents permission to make AWS API calls on your behalf.
+   *
+   * Some tasks do not have an execution role.
+   *
+   * @default - undefined
+   */
+  readonly executionRole?: iam.IRole;
 }
 
 /**
@@ -317,6 +326,7 @@ export class TaskDefinition extends TaskDefinitionBase {
       compatibility: attrs.compatibility,
       networkMode: attrs.networkMode,
       taskRole: attrs.taskRole,
+      executionRole: attrs.executionRole,
     });
   }
 
diff --git a/packages/aws-cdk-lib/aws-ecs/lib/ec2/ec2-task-definition.ts b/packages/aws-cdk-lib/aws-ecs/lib/ec2/ec2-task-definition.ts
@@ -106,6 +106,7 @@ export class Ec2TaskDefinition extends TaskDefinition implements IEc2TaskDefinit
       compatibility: Compatibility.EC2,
       networkMode: attrs.networkMode,
       taskRole: attrs.taskRole,
+      executionRole: attrs.executionRole,
     });
   }
 
diff --git a/packages/aws-cdk-lib/aws-ecs/lib/external/external-task-definition.ts b/packages/aws-cdk-lib/aws-ecs/lib/external/external-task-definition.ts
@@ -66,6 +66,7 @@ export class ExternalTaskDefinition extends TaskDefinition implements IExternalT
       compatibility: Compatibility.EXTERNAL,
       networkMode: attrs.networkMode,
       taskRole: attrs.taskRole,
+      executionRole: attrs.executionRole,
     });
   }
 
diff --git a/packages/aws-cdk-lib/aws-ecs/lib/fargate/fargate-task-definition.ts b/packages/aws-cdk-lib/aws-ecs/lib/fargate/fargate-task-definition.ts
@@ -120,6 +120,7 @@ export class FargateTaskDefinition extends TaskDefinition implements IFargateTas
       compatibility: Compatibility.FARGATE,
       networkMode: attrs.networkMode,
       taskRole: attrs.taskRole,
+      executionRole: attrs.executionRole,
     });
   }
 
diff --git a/packages/aws-cdk-lib/aws-ecs/test/ec2/ec2-task-definition.test.ts b/packages/aws-cdk-lib/aws-ecs/test/ec2/ec2-task-definition.test.ts
@@ -1201,12 +1201,16 @@ describe('ec2 task definition', () => {
       const expectTaskRole = new iam.Role(stack, 'TaskRole', {
         assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
       });
+      const expectExecutionRole = new iam.Role(stack, 'ExecutionRole', {
+        assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+      });
 
       // WHEN
       const taskDefinition = ecs.Ec2TaskDefinition.fromEc2TaskDefinitionAttributes(stack, 'TD_ID', {
         taskDefinitionArn: expectTaskDefinitionArn,
         networkMode: expectNetworkMode,
         taskRole: expectTaskRole,
+        executionRole: expectExecutionRole,
       });
 
       // THEN
@@ -1216,6 +1220,7 @@ describe('ec2 task definition', () => {
       expect(taskDefinition.isFargateCompatible).toBeFalsy();
       expect(taskDefinition.networkMode).toBe(expectNetworkMode);
       expect(taskDefinition.taskRole).toBe(expectTaskRole);
+      expect(taskDefinition.executionRole).toEqual(expectExecutionRole);
     });
 
     test('returns an Ec2 TaskDefinition that will throw an error when trying to access its yet to defined networkMode', () => {
diff --git a/packages/aws-cdk-lib/aws-ecs/test/external/external-task-definition.test.ts b/packages/aws-cdk-lib/aws-ecs/test/external/external-task-definition.test.ts
@@ -617,4 +617,33 @@ describe('external task definition', () => {
       deviceType: 'eia2.medium',
     })).toThrow('Cannot use inference accelerators on tasks that run on External service');
   });
+
+  test('can import an External Task Definition using attributes', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const expectTaskDefinitionArn = 'TD_ARN';
+    const expectCompatibility = ecs.Compatibility.EXTERNAL;
+    const expectNetworkMode = ecs.NetworkMode.AWS_VPC;
+    const expectTaskRole = new iam.Role(stack, 'TaskRole', {
+      assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+    });
+    const expectExecutionRole = new iam.Role(stack, 'ExecutionRole', {
+      assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+    });
+
+    // WHEN
+    const taskDefinition = ecs.ExternalTaskDefinition.fromExternalTaskDefinitionAttributes(stack, 'TD_ID', {
+      taskDefinitionArn: expectTaskDefinitionArn,
+      networkMode: expectNetworkMode,
+      taskRole: expectTaskRole,
+      executionRole: expectExecutionRole,
+    });
+
+    // THEN
+    expect(taskDefinition.taskDefinitionArn).toEqual(expectTaskDefinitionArn);
+    expect(taskDefinition.compatibility).toEqual(expectCompatibility);
+    expect(taskDefinition.executionRole).toEqual(expectExecutionRole);
+    expect(taskDefinition.networkMode).toEqual(expectNetworkMode);
+    expect(taskDefinition.taskRole).toEqual(expectTaskRole);
+  });
 });
diff --git a/packages/aws-cdk-lib/aws-ecs/test/fargate/fargate-task-definition.test.ts b/packages/aws-cdk-lib/aws-ecs/test/fargate/fargate-task-definition.test.ts
@@ -190,12 +190,16 @@ describe('fargate task definition', () => {
       const expectTaskRole = new iam.Role(stack, 'TaskRole', {
         assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
       });
+      const expectExecutionRole = new iam.Role(stack, 'ExecutionRole', {
+        assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+      });
 
       // WHEN
       const taskDefinition = ecs.FargateTaskDefinition.fromFargateTaskDefinitionAttributes(stack, 'TD_ID', {
         taskDefinitionArn: expectTaskDefinitionArn,
         networkMode: expectNetworkMode,
         taskRole: expectTaskRole,
+        executionRole: expectExecutionRole,
       });
 
       // THEN
@@ -205,6 +209,7 @@ describe('fargate task definition', () => {
       expect(taskDefinition.isEc2Compatible).toEqual(false);
       expect(taskDefinition.networkMode).toEqual(expectNetworkMode);
       expect(taskDefinition.taskRole).toEqual(expectTaskRole);
+      expect(taskDefinition.executionRole).toEqual(expectExecutionRole);
 
 
     });
@@ -380,4 +385,4 @@ describe('fargate task definition', () => {
     });
 
   });
-});
+});
diff --git a/packages/aws-cdk-lib/aws-ecs/test/task-definition.test.ts b/packages/aws-cdk-lib/aws-ecs/test/task-definition.test.ts
@@ -303,19 +303,23 @@ describe('task definition', () => {
       const expectTaskRole = new iam.Role(stack, 'TaskRole', {
         assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
       });
+      const expectExecutionRole = new iam.Role(stack, 'ExecutionRole', {
+        assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+      });
 
       // WHEN
       const taskDefinition = ecs.TaskDefinition.fromTaskDefinitionAttributes(stack, 'TD_ID', {
         taskDefinitionArn: expectTaskDefinitionArn,
         compatibility: expectCompatibility,
         networkMode: expectNetworkMode,
         taskRole: expectTaskRole,
+        executionRole: expectExecutionRole,
       });
 
       // THEN
       expect(taskDefinition.taskDefinitionArn).toEqual(expectTaskDefinitionArn);
       expect(taskDefinition.compatibility).toEqual(expectCompatibility);
-      expect(taskDefinition.executionRole).toEqual(undefined);
+      expect(taskDefinition.executionRole).toEqual(expectExecutionRole);
       expect(taskDefinition.networkMode).toEqual(expectNetworkMode);
       expect(taskDefinition.taskRole).toEqual(expectTaskRole);
 

Original file line number	Diff line number	Diff line change
`@@ -106,6 +106,7 @@ export class Ec2TaskDefinition extends TaskDefinition implements IEc2TaskDefinit`
`106`	`106`	`compatibility: Compatibility.EC2,`
`107`	`107`	`networkMode: attrs.networkMode,`
`108`	`108`	`taskRole: attrs.taskRole,`
	`109`	`+ executionRole: attrs.executionRole,`
`109`	`110`	`});`
`110`	`111`	`}`
`111`	`112`
Original file line number	Diff line number	Diff line change
`@@ -66,6 +66,7 @@ export class ExternalTaskDefinition extends TaskDefinition implements IExternalT`
`66`	`66`	`compatibility: Compatibility.EXTERNAL,`
`67`	`67`	`networkMode: attrs.networkMode,`
`68`	`68`	`taskRole: attrs.taskRole,`
	`69`	`+ executionRole: attrs.executionRole,`
`69`	`70`	`});`
`70`	`71`	`}`
`71`	`72`
Original file line number	Diff line number	Diff line change
`@@ -120,6 +120,7 @@ export class FargateTaskDefinition extends TaskDefinition implements IFargateTas`
`120`	`120`	`compatibility: Compatibility.FARGATE,`
`121`	`121`	`networkMode: attrs.networkMode,`
`122`	`122`	`taskRole: attrs.taskRole,`
	`123`	`+ executionRole: attrs.executionRole,`
`123`	`124`	`});`
`124`	`125`	`}`
`125`	`126`