feat(apprunner): make Service implement IGrantable (#26130)

lpizzinidev · web-flow · commit 6033c9a01322 · 2023-07-24T12:33:05.000Z
Implementing `IGrantable` for cases when it's needed to grant permissions to a `Service` instance. For example: ``` declare const bucket: IBucket; const service = new apprunner.Service(this, 'Service', { source: apprunner.Source.fromEcrPublic({ imageConfiguration: { port: 8000 }, imageIdentifier: 'public.ecr.aws/aws-containers/hello-app-runner:latest', }), }); bucket.grantRead(service); ``` Closes #26089. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-apprunner-alpha/README.md b/packages/@aws-cdk/aws-apprunner-alpha/README.md
@@ -35,6 +35,8 @@ The `Service` construct allows you to create AWS App Runner services with `ECR P
 - `Source.fromAsset()` - To define the source from local asset directory. 
 
 
+The `Service` construct implements `IGrantable`.
+
 ## ECR Public
 
 To create a `Service` with ECR Public:
@@ -124,7 +126,27 @@ new apprunner.Service(this, 'Service', {
 You are allowed to define `instanceRole` and `accessRole` for the `Service`.
 
 `instanceRole` - The IAM role that provides permissions to your App Runner service. These are permissions that
-your code needs when it calls any AWS APIs. 
+your code needs when it calls any AWS APIs. If not defined, a new instance role will be generated
+when required.
+
+To add IAM policy statements to this role, use `addToRolePolicy()`:
+
+```ts
+import * as iam from 'aws-cdk-lib/aws-iam';
+
+const service = new apprunner.Service(this, 'Service', {
+  source: apprunner.Source.fromEcrPublic({
+    imageConfiguration: { port: 8000 },
+    imageIdentifier: 'public.ecr.aws/aws-containers/hello-app-runner:latest',
+  }),
+});
+
+service.addToRolePolicy(new iam.PolicyStatement({
+  effect: iam.Effect.ALLOW,
+  actions: ['s3:GetObject'],
+  resources: ['*'],
+}))
+```
 
 `accessRole` - The IAM role that grants the App Runner service access to a source repository. It's required for
 ECR image repositories (but not for ECR Public repositories). If not defined, a new access role will be generated
diff --git a/packages/@aws-cdk/aws-apprunner-alpha/lib/service.ts b/packages/@aws-cdk/aws-apprunner-alpha/lib/service.ts
@@ -689,7 +689,7 @@ export interface ServiceProps {
    *
    * @see https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles-service.instance
    *
-   * @default - no instance role attached.
+   * @default - generate a new instance role.
    */
   readonly instanceRole?: iam.IRole;
 
@@ -959,7 +959,7 @@ export abstract class Secret {
 /**
  * The App Runner Service.
  */
-export class Service extends cdk.Resource {
+export class Service extends cdk.Resource implements iam.IGrantable {
   /**
    * Import from service name.
    */
@@ -993,9 +993,10 @@ export class Service extends cdk.Resource {
 
     return new Import(scope, id);
   }
+  public readonly grantPrincipal: iam.IPrincipal;
   private readonly props: ServiceProps;
   private accessRole?: iam.IRole;
-  private instanceRole?: iam.IRole;
+  private instanceRole: iam.IRole;
   private source: SourceConfig;
 
   /**
@@ -1051,7 +1052,8 @@ export class Service extends cdk.Resource {
     this.source = source;
     this.props = props;
 
-    this.instanceRole = this.props.instanceRole;
+    this.instanceRole = this.props.instanceRole ?? this.createInstanceRole();
+    this.grantPrincipal = this.instanceRole;
 
     const environmentVariables = this.getEnvironmentVariables();
     const environmentSecrets = this.getEnvironmentSecrets();
@@ -1117,6 +1119,13 @@ export class Service extends cdk.Resource {
     this.serviceName = cdk.Fn.select(1, cdk.Fn.split('/', resourceFullName));
   }
 
+  /**
+   * Adds a statement to the instance role.
+   */
+  public addToRolePolicy(statement: iam.PolicyStatement) {
+    this.instanceRole.addToPrincipalPolicy(statement);
+  }
+
   /**
    * This method adds an environment variable to the App Runner service.
    */
@@ -1134,9 +1143,6 @@ export class Service extends cdk.Resource {
     if (name.startsWith('AWSAPPRUNNER')) {
       throw new Error(`Environment secret key ${name} with a prefix of AWSAPPRUNNER is not allowed`);
     }
-    if (!this.instanceRole) {
-      this.instanceRole = this.createInstanceRole();
-    }
     secret.grantRead(this.instanceRole);
     this.secrets.push({ name: name, value: secret.arn });
   }
diff --git a/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-ecr-public.js.snapshot/integ-apprunner-ecr-public.template.json b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-ecr-public.js.snapshot/integ-apprunner-ecr-public.template.json
@@ -14,15 +14,39 @@
       "ImageRepositoryType": "ECR_PUBLIC"
      }
     },
-    "InstanceConfiguration": {},
+    "InstanceConfiguration": {
+      "InstanceRoleArn": {
+        "Fn::GetAtt": [
+          "Service1InstanceRole8CBC81F1",
+          "Arn"
+        ]
+      }
+    },
     "NetworkConfiguration": {
      "EgressConfiguration": {
       "EgressType": "DEFAULT"
      }
     },
     "ServiceName": "service1"
    }
-  }
+  },
+  "Service1InstanceRole8CBC81F1": {
+    "Type": "AWS::IAM::Role",
+    "Properties": {
+     "AssumeRolePolicyDocument": {
+      "Statement": [
+       {
+        "Action": "sts:AssumeRole",
+        "Effect": "Allow",
+        "Principal": {
+         "Service": "tasks.apprunner.amazonaws.com"
+        }
+       }
+      ],
+      "Version": "2012-10-17"
+     }
+    }
+   }
  },
  "Outputs": {
   "URL1": {
diff --git a/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-ecr.js.snapshot/integ-apprunner.template.json b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-ecr.js.snapshot/integ-apprunner.template.json
@@ -92,7 +92,14 @@
       "ImageRepositoryType": "ECR"
      }
     },
-    "InstanceConfiguration": {},
+    "InstanceConfiguration": {
+      "InstanceRoleArn": {
+        "Fn::GetAtt": [
+          "Service3InstanceRoleD40BEE82",
+          "Arn"
+        ]
+      }
+    },
     "NetworkConfiguration": {
      "EgressConfiguration": {
       "EgressType": "DEFAULT"
@@ -211,14 +218,55 @@
       "ImageRepositoryType": "ECR"
      }
     },
-    "InstanceConfiguration": {},
+    "InstanceConfiguration": {
+      "InstanceRoleArn": {
+        "Fn::GetAtt": [
+          "Service2InstanceRole3F57F2AA",
+          "Arn"
+        ]
+      }
+    },
     "NetworkConfiguration": {
      "EgressConfiguration": {
       "EgressType": "DEFAULT"
      }
     }
    }
-  }
+  },
+  "Service3InstanceRoleD40BEE82": {
+    "Type": "AWS::IAM::Role",
+    "Properties": {
+     "AssumeRolePolicyDocument": {
+      "Statement": [
+       {
+        "Action": "sts:AssumeRole",
+        "Effect": "Allow",
+        "Principal": {
+         "Service": "tasks.apprunner.amazonaws.com"
+        }
+       }
+      ],
+      "Version": "2012-10-17"
+     }
+    }
+   },
+   "Service2InstanceRole3F57F2AA": {
+    "Type": "AWS::IAM::Role",
+    "Properties": {
+     "AssumeRolePolicyDocument": {
+      "Statement": [
+       {
+        "Action": "sts:AssumeRole",
+        "Effect": "Allow",
+        "Principal": {
+         "Service": "tasks.apprunner.amazonaws.com"
+        }
+       }
+      ],
+      "Version": "2012-10-17"
+     }
+    }
+   }
  },
  "Outputs": {
   "URL3": {
diff --git a/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-github.js.snapshot/integ-apprunner.template.json b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-github.js.snapshot/integ-apprunner.template.json
@@ -18,7 +18,14 @@
       }
      }
     },
-    "InstanceConfiguration": {},
+    "InstanceConfiguration": {
+      "InstanceRoleArn": {
+         "Fn::GetAtt": [
+           "Service4InstanceRole26B443A0",
+           "Arn"
+         ]
+       }
+    },
     "NetworkConfiguration": {
      "EgressConfiguration": {
       "EgressType": "DEFAULT"
@@ -50,13 +57,54 @@
       }
      }
     },
-    "InstanceConfiguration": {},
+    "InstanceConfiguration": {
+      "InstanceRoleArn": {
+         "Fn::GetAtt": [
+           "Service5InstanceRole94C07D84",
+           "Arn"
+         ]
+       }
+    },
     "NetworkConfiguration": {
      "EgressConfiguration": {
       "EgressType": "DEFAULT"
      }
     }
    }
+  },
+  "Service4InstanceRole26B443A0": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "tasks.apprunner.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
+  "Service5InstanceRole94C07D84": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "tasks.apprunner.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
   }
  },
  "Outputs": {
diff --git a/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-vpc-connector.js.snapshot/integ-apprunner.template.json b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-vpc-connector.js.snapshot/integ-apprunner.template.json
@@ -442,7 +442,14 @@
       "ImageRepositoryType": "ECR_PUBLIC"
      }
     },
-    "InstanceConfiguration": {},
+    "InstanceConfiguration": {
+      "InstanceRoleArn": {
+        "Fn::GetAtt": [
+          "Service6InstanceRole7220D460",
+          "Arn"
+        ]
+      }
+    },
     "NetworkConfiguration": {
      "EgressConfiguration": {
       "EgressType": "VPC",
@@ -469,7 +476,14 @@
       "ImageRepositoryType": "ECR_PUBLIC"
      }
     },
-    "InstanceConfiguration": {},
+    "InstanceConfiguration": {
+      "InstanceRoleArn": {
+        "Fn::GetAtt": [
+          "Service7InstanceRoleFD40F312",
+          "Arn"
+        ]
+      }
+    },
     "NetworkConfiguration": {
      "EgressConfiguration": {
       "EgressType": "VPC",
@@ -482,7 +496,41 @@
      }
     }
    }
-  }
+  },
+  "Service6InstanceRole7220D460": {
+    "Type": "AWS::IAM::Role",
+    "Properties": {
+     "AssumeRolePolicyDocument": {
+      "Statement": [
+       {
+        "Action": "sts:AssumeRole",
+        "Effect": "Allow",
+        "Principal": {
+         "Service": "tasks.apprunner.amazonaws.com"
+        }
+       }
+      ],
+      "Version": "2012-10-17"
+     }
+    }
+   },
+   "Service7InstanceRoleFD40F312": {
+    "Type": "AWS::IAM::Role",
+    "Properties": {
+     "AssumeRolePolicyDocument": {
+      "Statement": [
+       {
+        "Action": "sts:AssumeRole",
+        "Effect": "Allow",
+        "Principal": {
+         "Service": "tasks.apprunner.amazonaws.com"
+        }
+       }
+      ],
+      "Version": "2012-10-17"
+     }
+    }
+   }
  },
  "Outputs": {
   "URL6": {
diff --git a/packages/@aws-cdk/aws-apprunner-alpha/test/service.test.ts b/packages/@aws-cdk/aws-apprunner-alpha/test/service.test.ts
