
Commit c81d115

fix(batch): ManagedEc2EcsComputeEnvironment instance role missing managed policy (#25279)
`ManagedEc2EcsComputeEnvironment.createInstanceRoleAndProfile` method was creating an instance role without the `AmazonEC2ContainerServiceforEC2Role` managed policy. This caused problems with the job trying to connect to ECS. This fix adds the required managed policy.  Closes #25256. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent 75967e1 commit c81d115


10 files changed

+237
-14
lines changed


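--- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/aws-stepfunctions-integ.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/aws-stepfunctions-integ.template.json
@@ -421,7 +421,21 @@
 }
 ],
 "Version": "2012-10-17"
-}
+},
+"ManagedPolicyArns": [
+{
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+]
+]
+}
+]
 }
 },
 "ComputeEnvInstanceProfileB98CEF4C": {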

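--- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/tree.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/tree.json
@@ -718,7 +718,21 @@
 }
 ],
 "Version": "2012-10-17"
-}
+},
+"managedPolicyArns": [
+{
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+]
+]
+}
+]
 }
 },
 "constructInfo": {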

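--- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/aws-stepfunctions-integ.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/aws-stepfunctions-integ.template.json
@@ -421,7 +421,21 @@
 }
 ],
 "Version": "2012-10-17"
-}
+},
+"ManagedPolicyArns": [
+{
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+]
+]
+}
+]
 }
 },
 "ComputeEnvInstanceProfileB98CEF4C": {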

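--- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/tree.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/tree.json
@@ -718,7 +718,21 @@
 }
 ],
 "Version": "2012-10-17"
-}
+},
+"managedPolicyArns": [
+{
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+]
+]
+}
+]
 }
 },
 "constructInfo": {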

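--- a/packages/@aws-cdk/aws-batch-alpha/lib/managed-compute-environment.ts
+++ b/packages/@aws-cdk/aws-batch-alpha/lib/managed-compute-environment.ts
@@ -1120,6 +1120,7 @@ function createInstanceRoleAndProfile(scope: Construct, instanceRole?: iam.IRole
 
 result.instanceRole = instanceRole ?? new iam.Role(scope, 'InstanceProfileRole', {
 assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
+managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonEC2ContainerServiceforEC2Role')],
 });
 
 result.instanceProfile = new iam.CfnInstanceProfile(scope, 'InstanceProfile', {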
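Review bot: The managed policy added at new line 1123 sits only on the `new iam.Role(...)` side of `instanceRole ?? ...`, so a caller-supplied `instanceRole` is used unchanged and will still lack the container-instance permissions unless the caller attached them. Nothing in the hunk documents that contract; a comment above the assignment such as `// A caller-supplied instanceRole is used as-is and must already grant the permissions in AmazonEC2ContainerServiceforEC2Role.` would make it explicit. Separately, the unit test added in this commit appears under `describe.each([ManagedEc2EcsComputeEnvironment, ManagedEc2EksComputeEnvironment]`, which suggests this helper also builds the default role for the EKS environment; if so, EKS nodes receive an ECS-specific AWS managed policy they presumably do not need, and attaching it only in the ECS case would keep the default role closer to least privilege. The body of `createInstanceRoleAndProfile` starts and ends outside the hunk, so the callers are not visible here.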

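--- a/packages/@aws-cdk/aws-batch-alpha/test/integ.job-queue.js.snapshot/stack.template.json
+++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.job-queue.js.snapshot/stack.template.json
@@ -441,7 +441,21 @@
 }
 ],
 "Version": "2012-10-17"
-}
+},
+"ManagedPolicyArns": [
+{
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+]
+]
+}
+]
 }
 },
 "managedEc2CEInstanceProfile720729B7": {
@@ -558,7 +572,21 @@
 }
 ],
 "Version": "2012-10-17"
-}
+},
+"ManagedPolicyArns": [
+{
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+]
+]
+}
+]
 }
 },
 "newManagedEc2CEInstanceProfile9101ED44": {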

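--- a/packages/@aws-cdk/aws-batch-alpha/test/integ.job-queue.js.snapshot/tree.json
+++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.job-queue.js.snapshot/tree.json
@@ -756,7 +756,21 @@
 }
 ],
 "Version": "2012-10-17"
-}
+},
+"managedPolicyArns": [
+{
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+]
+]
+}
+]
 }
 },
 "constructInfo": {
@@ -961,7 +975,21 @@
 }
 ],
 "Version": "2012-10-17"
-}
+},
+"managedPolicyArns": [
+{
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+]
+]
+}
+]
 }
 },
 "constructInfo": {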

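--- a/packages/@aws-cdk/aws-batch-alpha/test/integ.managed-compute-environment.js.snapshot/batch-stack.template.json
+++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.managed-compute-environment.js.snapshot/batch-stack.template.json
@@ -516,7 +516,21 @@
 }
 ],
 "Version": "2012-10-17"
-}
+},
+"ManagedPolicyArns": [
+{
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+]
+]
+}
+]
 }
 },
 "minimalPropsEc2InstanceProfile635FB12D": {
@@ -649,7 +663,21 @@
 }
 ],
 "Version": "2012-10-17"
-}
+},
+"ManagedPolicyArns": [
+{
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+]
+]
+}
+]
 }
 },
 "LaunchTemplateInstanceProfile81A7EF12": {
@@ -772,7 +800,21 @@
 }
 ],
 "Version": "2012-10-17"
-}
+},
+"ManagedPolicyArns": [
+{
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+]
+]
+}
+]
 }
 },
 "SpotEc2InstanceProfileD921ABA1": {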

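--- a/packages/@aws-cdk/aws-batch-alpha/test/integ.managed-compute-environment.js.snapshot/tree.json
+++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.managed-compute-environment.js.snapshot/tree.json
@@ -885,7 +885,21 @@
 }
 ],
 "Version": "2012-10-17"
-}
+},
+"managedPolicyArns": [
+{
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+]
+]
+}
+]
 }
 },
 "constructInfo": {
@@ -1141,7 +1155,21 @@
 }
 ],
 "Version": "2012-10-17"
-}
+},
+"managedPolicyArns": [
+{
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+]
+]
+}
+]
 }
 },
 "constructInfo": {
@@ -1360,7 +1388,21 @@
 }
 ],
 "Version": "2012-10-17"
-}
+},
+"managedPolicyArns": [
+{
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+]
+]
+}
+]
 }
 },
 "constructInfo": {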

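--- a/packages/@aws-cdk/aws-batch-alpha/test/managed-compute-environment.test.ts
+++ b/packages/@aws-cdk/aws-batch-alpha/test/managed-compute-environment.test.ts
@@ -573,6 +573,32 @@ describe.each([ManagedEc2EcsComputeEnvironment, ManagedEc2EksComputeEnvironment]
 expect(ce.computeEnvironmentArn).toEqual('arn:aws:batch:us-east-1:123456789012:compute-environment/ce-name');
 });
 
+test('attach necessary managed policy to instance role', () => {
+// WHEN
+new ComputeEnvironment(stack, 'MyCE', {
+...defaultProps,
+vpc,
+});
+
+// THEN
+Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', {
+ManagedPolicyArns: [
+{
+'Fn::Join': [
+'',
+[
+'arn:',
+{
+Ref: 'AWS::Partition',
+},
+':iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role',
+],
+],
+},
+],
+});
+});
+
 test('throws when no instance types are provided', () => {
 new ComputeEnvironment(stack, 'MyCE', {
 ...defaultProps,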
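Review bot: The assertion at new lines 584–599 is satisfied by any `AWS::IAM::Role` in the stack that carries the managed policy, so it does not pin the policy to the instance role, and no case covers a caller-supplied `instanceRole`. Also matching the role's `AssumeRolePolicyDocument` against the `ec2.amazonaws.com` service principal in the same `hasResourceProperties` call would tie the check to the EC2 instance role. A companion case, for example `test('does not modify a caller-supplied instance role', ...)`, that passes `instanceRole` and asserts the generated `InstanceProfileRole` is absent would record the intended behaviour for that branch. Because the hunk header places this test under `describe.each([ManagedEc2EcsComputeEnvironment, ManagedEc2EksComputeEnvironment]`, it also appears to lock in the ECS policy for the EKS environment, which is worth confirming as intended.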
