From f32431ae4dfb3f7c98652afcf8b40d4582322c66 Mon Sep 17 00:00:00 2001
From: Rico Huijbers
Date: Mon, 18 Mar 2019 13:59:21 +0100
Subject: [PATCH] fix(ecs): make TaskDefinition accept IRoles (#2034)

The role input parameters are currently Roles but should be IRoles. Required adding the grant methods to the `IRole` definition, which weren't there before. Fixes #1925.
---
 .../aws-ecs/lib/base/task-definition.ts | 6 ++---
 packages/@aws-cdk/aws-iam/lib/lazy-role.ts | 18 ++++++++++++--
 packages/@aws-cdk/aws-iam/lib/role.ts | 24 +++++++++++++++++++
 3 files changed, 43 insertions(+), 5 deletions(-)

diff --git a/packages/@aws-cdk/aws-ecs/lib/base/task-definition.ts b/packages/@aws-cdk/aws-ecs/lib/base/task-definition.ts
index d1063e1c23ee9..541799f0a1b8e 100644
--- a/packages/@aws-cdk/aws-ecs/lib/base/task-definition.ts
+++ b/packages/@aws-cdk/aws-ecs/lib/base/task-definition.ts
@@ -23,14 +23,14 @@ export interface CommonTaskDefinitionProps {
 *
 * @default An execution role will be automatically created if you use ECR images in your task definition
 */
- executionRole?: iam.Role;
+ executionRole?: iam.IRole;

 /**
 * The IAM role assumable by your application code running inside the container
 *
 * @default A task role is automatically created for you
 */
- taskRole?: iam.Role;
+ taskRole?: iam.IRole;

 /**
 * See: https://docs.aws.amazon.com/AmazonECS/latest/developerguide//task_definition_parameters.html#volumes
@@ -112,7 +112,7 @@ export class TaskDefinition extends cdk.Construct {
 /**
 * Task role used by this task definition
 */
- public readonly taskRole: iam.Role;
+ public readonly taskRole: iam.IRole;

 /**
 * Network mode used by this task definition
diff --git a/packages/@aws-cdk/aws-iam/lib/lazy-role.ts b/packages/@aws-cdk/aws-iam/lib/lazy-role.ts
index ec48896d22553..846732dd985e5 100644
--- a/packages/@aws-cdk/aws-iam/lib/lazy-role.ts
+++ b/packages/@aws-cdk/aws-iam/lib/lazy-role.ts
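Review bot: The doc comments on `executionRole` and `taskRole` in `CommonTaskDefinitionProps` still describe only the auto-created case, but once the type widens to `iam.IRole` a caller can pass an imported role. The `ImportedRole` class in role.ts (last hunk of this patch) ignores policy attachments and grants, so any permissions this construct adds to the role (presumably ECR pull for the execution role; that code is outside the hunk) would not take effect while the stack still synthesizes cleanly. I would add a line to both comments, e.g. `If you pass an imported role, it must already carry the permissions the task needs; this construct cannot add them.` The interface body continues outside the hunk.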
@@ -1,5 +1,5 @@
 import cdk = require('@aws-cdk/cdk');
-import { Policy } from './policy';
+import { IPrincipal, Policy } from './policy';
 import { PolicyPrincipal, PolicyStatement } from './policy-document';
 import { IRole, Role, RoleImportProps, RoleProps } from './role';

@@ -85,6 +85,20 @@ export class LazyRole extends cdk.Construct implements IRole {
 return this.instantiate().principal;
 }

+ /**
+ * Grant the actions defined in actions to the identity Principal on this resource.
+ */
+ public grant(identity?: IPrincipal, ...actions: string[]): void {
+ return this.instantiate().grant(identity, ...actions);
+ }
+
+ /**
+ * Grant permissions to the given principal to pass this role.
+ */
+ public grantPassRole(identity?: IPrincipal): void {
+ return this.instantiate().grantPassRole(identity);
+ }
+
 private instantiate(): Role {
 if (!this.role) {
 const role = new Role(this, 'Default', this.props);
@@ -95,4 +109,4 @@ export class LazyRole extends cdk.Construct implements IRole {
 }
 return this.role;
 }
-}
\ No newline at end of file
+}
diff --git a/packages/@aws-cdk/aws-iam/lib/role.ts b/packages/@aws-cdk/aws-iam/lib/role.ts
index 065fa6e49e916..4b7479abbc15b 100644
--- a/packages/@aws-cdk/aws-iam/lib/role.ts
+++ b/packages/@aws-cdk/aws-iam/lib/role.ts
@@ -245,6 +245,16 @@ export interface IRole extends IConstruct, IPrincipal {
 * Export this role to another stack.
 */
 export(): RoleImportProps;
+
+ /**
+ * Grant the actions defined in actions to the identity Principal on this resource.
+ */
+ grant(identity?: IPrincipal, ...actions: string[]): void;
+
+ /**
+ * Grant permissions to the given principal to pass this role.
+ */
+ grantPassRole(identity?: IPrincipal): void;
 }

 function createAssumeRolePolicy(principal: PolicyPrincipal, externalId?: string) {
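Review bot: In `LazyRole` (lazy-role.ts, the -85 hunk) `grant` and `grantPassRole` are declared `void` yet written as `return this.instantiate().grant(identity, ...actions);`; dropping the `return` (`this.instantiate().grant(identity, ...actions);`) avoids suggesting that a value is passed back. The doc comments also omit the one thing specific to this class: both calls go through `instantiate()`, which creates the underlying `Role` on first use, so granting on a lazy role materializes it. A sentence such as `Calling this creates the underlying role if it does not exist yet.` would make that visible. Neither comment says what an omitted `identity` means, which matters most for `grantPassRole` because it hands out permission to pass the role; the `IRole` declarations in the role.ts hunk have the same gap.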
@@ -331,4 +341,18 @@ class ImportedRole extends Construct implements IRole {
 public attachManagedPolicy(_arn: string): void {
 // FIXME: Add warning that we're ignoring this
 }
+
+ /**
+ * Grant the actions defined in actions to the identity Principal on this resource.
+ */
+ public grant(_identity?: IPrincipal, ..._actions: string[]): void {
+ // FIXME: Add warning that we're ignoring this
+ }
+
+ /**
+ * Grant permissions to the given principal to pass this role.
+ */
+ public grantPassRole(_identity?: IPrincipal): void {
+ // FIXME: Add warning that we're ignoring this
+ }
 }
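Review bot: `ImportedRole.grant` and `ImportedRole.grantPassRole` carry doc comments saying they grant permissions, but both bodies are empty apart from a FIXME, so a caller holding an `IRole` gets neither an error nor a permission. The comments should describe what the code does, e.g. `This call is ignored for imported roles; no policy statement is added.` Until the warning named in the FIXME exists, the same caveat belongs on the `grant`/`grantPassRole` declarations of `IRole` in the -245 hunk, since that is the type callers program against. The class body starts outside the hunk.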