
Commit 525ac07

fix(ecs): only works in 'aws' partition (#18496)
Instead of assuming the `aws` partition, use the stack to determine the partition (which results in a reference to `AWS::Partition`). Fixes #18429. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent a408382 commit 525ac07

10 files changed

+1874
-1760
lines changed

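--- a/packages/@aws-cdk/aws-ecs/lib/base/base-service.ts
+++ b/packages/@aws-cdk/aws-ecs/lib/base/base-service.ts
@@ -470,7 +470,7 @@ export abstract class BaseService extends Resource
 resources: ['*'],
 }));
 
-const logGroupArn = logConfiguration?.cloudWatchLogGroup ? `arn:aws:logs:${this.stack.region}:${this.stack.account}:log-group:${logConfiguration.cloudWatchLogGroup.logGroupName}:*` : '*';
+const logGroupArn = logConfiguration?.cloudWatchLogGroup ? `arn:${this.stack.partition}:logs:${this.stack.region}:${this.stack.account}:log-group:${logConfiguration.cloudWatchLogGroup.logGroupName}:*` : '*';
 this.taskDefinition.addToTaskRolePolicy(new iam.PolicyStatement({
 actions: [
 'logs:CreateLogStream',
@@ -491,14 +491,14 @@ export abstract class BaseService extends Resource
 actions: [
 's3:PutObject',
 ],
-resources: [`arn:aws:s3:::${logConfiguration.s3Bucket.bucketName}/*`],
+resources: [`arn:${this.stack.partition}:s3:::${logConfiguration.s3Bucket.bucketName}/*`],
 }));
 if (logConfiguration.s3EncryptionEnabled) {
 this.taskDefinition.addToTaskRolePolicy(new iam.PolicyStatement({
 actions: [
 's3:GetEncryptionConfiguration',
 ],
-resources: [`arn:aws:s3:::${logConfiguration.s3Bucket.bucketName}`],
+resources: [`arn:${this.stack.partition}:s3:::${logConfiguration.s3Bucket.bucketName}`],
 }));
 }
 }
@@ -518,7 +518,7 @@ export abstract class BaseService extends Resource
 'kms:*',
 ],
 resources: ['*'],
-principals: [new iam.ArnPrincipal(`arn:aws:iam::${this.stack.account}:root`)],
+principals: [new iam.ArnPrincipal(`arn:${this.stack.partition}:iam::${this.stack.account}:root`)],
 }));
 
 if (logging === ExecuteCommandLogging.DEFAULT || this.cluster.executeCommandConfiguration?.logConfiguration?.cloudWatchEncryptionEnabled) {
@@ -533,7 +533,7 @@ export abstract class BaseService extends Resource
 resources: ['*'],
 principals: [new iam.ServicePrincipal(`logs.${this.stack.region}.amazonaws.com`)],
 conditions: {
-ArnLike: { 'kms:EncryptionContext:aws:logs:arn': `arn:aws:logs:${this.stack.region}:${this.stack.account}:*` },
+ArnLike: { 'kms:EncryptionContext:aws:logs:arn': `arn:${this.stack.partition}:logs:${this.stack.region}:${this.stack.account}:*` },
 },
 }));
 }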
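Review bot: The `s3:PutObject` and `s3:GetEncryptionConfiguration` statements in the second hunk still build bucket ARNs by hand from `bucketName`, so the same partition mistake can be reintroduced by the next copy; if `logConfiguration.s3Bucket` is an `s3.IBucket`, `resources: [logConfiguration.s3Bucket.arnForObjects('*')]` and `resources: [logConfiguration.s3Bucket.bucketArn]` yield partition-aware ARNs from the construct itself. The same holds for `logGroupArn`, where `logConfiguration.cloudWatchLogGroup.logGroupArn` could replace the template if it carries the trailing `:*` this code expects — confirm against the logs construct before switching. In the last hunk the unchanged service principal `logs.${this.stack.region}.amazonaws.com` still hard-codes the `amazonaws.com` suffix, which is wrong for the China partition unless `iam.ServicePrincipal` rewrites it per partition; `this.stack.urlSuffix` is the partition-aware form. The enclosing method starts and ends outside these hunks.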

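--- a/packages/@aws-cdk/aws-ecs/lib/container-definition.ts
+++ b/packages/@aws-cdk/aws-ecs/lib/container-definition.ts
@@ -685,7 +685,7 @@ export class ContainerDefinition extends CoreConstruct {
 workingDirectory: this.props.workingDirectory,
 logConfiguration: this.logDriverConfig,
 environment: this.environment && Object.keys(this.environment).length ? renderKV(this.environment, 'name', 'value') : undefined,
-environmentFiles: this.environmentFiles && renderEnvironmentFiles(this.environmentFiles),
+environmentFiles: this.environmentFiles && renderEnvironmentFiles(cdk.Stack.of(this).partition, this.environmentFiles),
 secrets: this.secrets,
 extraHosts: this.props.extraHosts && renderKV(this.props.extraHosts, 'hostname', 'ipAddress'),
 healthCheck: this.props.healthCheck && renderHealthCheck(this.props.healthCheck),
@@ -757,7 +757,7 @@ function renderKV(env: { [key: string]: string }, keyName: string, valueName: st
 return ret;
 }
 
-function renderEnvironmentFiles(environmentFiles: EnvironmentFileConfig[]): any[] {
+function renderEnvironmentFiles(partition: string, environmentFiles: EnvironmentFileConfig[]): any[] {
 const ret = [];
 for (const environmentFile of environmentFiles) {
 const s3Location = environmentFile.s3Location;
@@ -768,7 +768,7 @@ function renderEnvironmentFiles(environmentFiles: EnvironmentFileConfig[]): any[
 
 ret.push({
 type: environmentFile.fileType,
-value: `arn:aws:s3:::${s3Location.bucketName}/${s3Location.objectKey}`,
+value: `arn:${partition}:s3:::${s3Location.bucketName}/${s3Location.objectKey}`,
 });
 }
 return ret;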
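Review bot: The new `partition` parameter on `renderEnvironmentFiles` is undocumented, and unlike `renderKV` and `renderHealthCheck` in the first hunk it is placed before the data being rendered, so a one-line TSDoc such as `@param partition the partition of the stack the container belongs to; used to build the S3 object ARN of each environment file` would tell the next caller why it exists and what to pass. If the helper were handed the stack instead of a string, `stack.formatArn({ service: 's3', region: '', account: '', resource: ... })` with the `bucketName/objectKey` path as the resource would produce the same partition-aware ARN without a hand-written template — optional, since the current form is correct. The rendering method in the first hunk starts and ends outside the hunk.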

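--- a/packages/@aws-cdk/aws-ecs/test/container-definition.test.ts
+++ b/packages/@aws-cdk/aws-ecs/test/container-definition.test.ts
@@ -131,7 +131,11 @@ describe('container definition', () => {
 'Fn::Join': [
 '',
 [
-'arn:aws:s3:::',
+'arn:',
+{
+Ref: 'AWS::Partition',
+},
+':s3:::',
 {
 Ref: 'AssetParameters872561bf078edd1685d50c9ff821cdd60d2b2ddfb0013c4087e79bf2bb50724dS3Bucket7B2069B7',
 },
@@ -840,7 +844,11 @@ describe('container definition', () => {
 'Fn::Join': [
 '',
 [
-'arn:aws:s3:::',
+'arn:',
+{
+Ref: 'AWS::Partition',
+},
+':s3:::',
 {
 Ref: 'AssetParameters872561bf078edd1685d50c9ff821cdd60d2b2ddfb0013c4087e79bf2bb50724dS3Bucket7B2069B7',
 },
@@ -905,7 +913,11 @@ describe('container definition', () => {
 'Fn::Join': [
 '',
 [
-'arn:aws:s3:::',
+'arn:',
+{
+Ref: 'AWS::Partition',
+},
+':s3:::',
 {
 Ref: 'Bucket83908E77',
 },
@@ -943,7 +955,11 @@ describe('container definition', () => {
 'Fn::Join': [
 '',
 [
-'arn:aws:s3:::',
+'arn:',
+{
+Ref: 'AWS::Partition',
+},
+':s3:::',
 {
 Ref: 'AssetParameters872561bf078edd1685d50c9ff821cdd60d2b2ddfb0013c4087e79bf2bb50724dS3Bucket7B2069B7',
 },
@@ -1008,7 +1024,11 @@ describe('container definition', () => {
 'Fn::Join': [
 '',
 [
-'arn:aws:s3:::',
+'arn:',
+{
+Ref: 'AWS::Partition',
+},
+':s3:::',
 {
 Ref: 'Bucket83908E77',
 },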

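--- a/packages/@aws-cdk/aws-ecs/test/ec2/ec2-service.test.ts
+++ b/packages/@aws-cdk/aws-ecs/test/ec2/ec2-service.test.ts
@@ -259,7 +259,11 @@ describe('ec2 service', () => {
 'Fn::Join': [
 '',
 [
-'arn:aws:logs:',
+'arn:',
+{
+Ref: 'AWS::Partition',
+},
+':logs:',
 {
 Ref: 'AWS::Region',
 },
@@ -288,7 +292,11 @@ describe('ec2 service', () => {
 'Fn::Join': [
 '',
 [
-'arn:aws:s3:::',
+'arn:',
+{
+Ref: 'AWS::Partition',
+},
+':s3:::',
 {
 Ref: 'ExecBucket29559356',
 },
@@ -392,7 +400,11 @@ describe('ec2 service', () => {
 'Fn::Join': [
 '',
 [
-'arn:aws:logs:',
+'arn:',
+{
+Ref: 'AWS::Partition',
+},
+':logs:',
 {
 Ref: 'AWS::Region',
 },
@@ -421,7 +433,11 @@ describe('ec2 service', () => {
 'Fn::Join': [
 '',
 [
-'arn:aws:s3:::',
+'arn:',
+{
+Ref: 'AWS::Partition',
+},
+':s3:::',
 {
 Ref: 'EcsExecBucket4F468651',
 },
@@ -491,7 +507,11 @@ describe('ec2 service', () => {
 'Fn::Join': [
 '',
 [
-'arn:aws:iam::',
+'arn:',
+{
+Ref: 'AWS::Partition',
+},
+':iam::',
 {
 Ref: 'AWS::AccountId',
 },
@@ -598,7 +618,11 @@ describe('ec2 service', () => {
 'Fn::Join': [
 '',
 [
-'arn:aws:logs:',
+'arn:',
+{
+Ref: 'AWS::Partition',
+},
+':logs:',
 {
 Ref: 'AWS::Region',
 },
@@ -627,7 +651,11 @@ describe('ec2 service', () => {
 'Fn::Join': [
 '',
 [
-'arn:aws:s3:::',
+'arn:',
+{
+Ref: 'AWS::Partition',
+},
+':s3:::',
 {
 Ref: 'EcsExecBucket4F468651',
 },
@@ -643,7 +671,11 @@ describe('ec2 service', () => {
 'Fn::Join': [
 '',
 [
-'arn:aws:s3:::',
+'arn:',
+{
+Ref: 'AWS::Partition',
+},
+':s3:::',
 {
 Ref: 'EcsExecBucket4F468651',
 },
@@ -712,7 +744,11 @@ describe('ec2 service', () => {
 'Fn::Join': [
 '',
 [
-'arn:aws:iam::',
+'arn:',
+{
+Ref: 'AWS::Partition',
+},
+':iam::',
 {
 Ref: 'AWS::AccountId',
 },
@@ -737,7 +773,11 @@ describe('ec2 service', () => {
 'Fn::Join': [
 '',
 [
-'arn:aws:logs:',
+'arn:',
+{
+Ref: 'AWS::Partition',
+},
+':logs:',
 {
 Ref: 'AWS::Region',
 },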

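--- a/packages/@aws-cdk/aws-ecs/test/ec2/ec2-task-definition.test.ts
+++ b/packages/@aws-cdk/aws-ecs/test/ec2/ec2-task-definition.test.ts
@@ -323,7 +323,11 @@ describe('ec2 task definition', () => {
 'Fn::Join': [
 '',
 [
-'arn:aws:s3:::',
+'arn:',
+{
+Ref: 'AWS::Partition',
+},
+':s3:::',
 {
 Ref: 'AssetParameters872561bf078edd1685d50c9ff821cdd60d2b2ddfb0013c4087e79bf2bb50724dS3Bucket7B2069B7',
 },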
