feat(ecs): credentialSpecs in ContainerDefinitionOptions #29085
Merged
Changes from 2 commits
14 commits
ae681a2 Adding L2 construct support for setting the AWS::ECS::TaskDefinition … (cresvi)
6a21674 Added integration test for previous commit (cresvi)
2b49d5c Added Readme update (cresvi)
e0b3e1e Added integration test snapshot (cresvi)
7edc755 Update packages/aws-cdk-lib/aws-ecs/README.md (cresvi)
cde5c1a Fixes error in name for integration tests (cresvi)
077781c Fixed example on Readme (cresvi)
b6a4cc0 Updated credential spec implementation. Untested (cresvi)
55dd28a Updated credential spec code and added additional unit tests (cresvi)
b1c92a6 Updated integration test with new credSpec API (cresvi)
8f565ba Removed versioning from s3 objects (cresvi)
73ea435 Attended comments; Updated integ test (cresvi)
67a97ae Added logic to validate only 1 credspec is provided (cresvi)
8698eb2 Merge branch 'main' into cresvi/ecs-credentialSpecs (mergify[bot])
31 changes: 31 additions & 0 deletions
...ting/framework-integ/test/aws-ecs/test/integ.task-definition-container-credentialspecs.ts
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
import * as cdk from 'aws-cdk-lib'; | ||
import * as ecs from 'aws-cdk-lib/aws-ecs'; | ||
import * as iam from 'aws-cdk-lib/aws-iam'; | ||
import { IntegTest } from '@aws-cdk/integ-tests-alpha'; | ||
|
||
const app = new cdk.App(); | ||
const stack = new cdk.Stack(app, 'aws-ecs-task-definition-container-credentialspecs'); | ||
|
||
const taskExecutionRole = new iam.Role(stack, 'task-execution-role', { | ||
roleName: 'aws-ecs-task-definition-container-credentialspecs-task-exec-role', | ||
assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'), | ||
}); | ||
taskExecutionRole.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonECSTaskExecutionRolePolicy')); | ||
taskExecutionRole.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonS3ReadOnlyAccess')); | ||
|
||
const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'TaskDef', { | ||
executionRole: taskExecutionRole, | ||
}); | ||
|
||
taskDefinition.addContainer('Container', { | ||
image: ecs.ContainerImage.fromRegistry('public.ecr.aws/ecs-sample-image/amazon-ecs-sample:latest'), | ||
memoryReservationMiB: 32, | ||
memoryLimitMiB: 512, | ||
credentialSpecs: ['credentialspecdomainless:arn:aws:s3:::bucket_name/key_name'], | ||
}); | ||
|
||
new IntegTest(app, 'TaskDefinitionContainerCredSpecs', { | ||
testCases: [stack], | ||
}); | ||
|
||
app.synth(); |
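Review bot: `AmazonS3ReadOnlyAccess` on the task execution role is much broader than this test needs: it allows reading every bucket in the account, while the only S3 object involved is the one named in `credentialSpecs`. Integration tests tend to get copied as usage examples, so consider replacing the managed policy with a statement that allows `s3:GetObject` on that object's ARN only. Separately, `arn:aws:s3:::bucket_name/key_name` is a placeholder and no bucket is created in this stack, so the test covers synthesis of the property but not retrieval of a credential spec; either say so in a comment or create the bucket in the stack and reference its ARN.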
I know you're pulling this directly from the docs themselves, but this is confusing to me. It sounds like the max number of ARNs this `credentialSpecs` property takes is 1, and then why type it as a string at all?
I see two scenarios:
a) I misunderstand. In that case, let's make the docs a bit clearer.
b) The max number of ARNs for now is 1, but might be more in the future. Let's document that if that's the decision behind the array type.
But given that we aren't doing any synth time checks for this limit of 1, I think we are in scenario a)...
I also think the way the engineer team implemented this, but in the API the `credentialSpecs` accepts an array of strings. Still they only use the first one...
I updated the comment a little to make it clearer. I don't want to limit the L2 construct to only 1 CredSpec because if later the service team decides to use the rest of the entries, it will be a breaking change for customers.