From 2544307f55c5b0f3a0da8479f5836eaef0a49b3b Mon Sep 17 00:00:00 2001
From: Nicolas De Loof
Date: Mon, 4 May 2020 15:15:22 +0200
Subject: [PATCH] drop GetEcsTaskExecutionRole which is not in used anymore

We need to define a way for compose-user to declare additional Policies to be added to TaskExecutionRole

Signed-off-by: Nicolas De Loof
---
 ecs/pkg/amazon/cloudformation.go | 36 -------------------
 ecs/pkg/amazon/iam.go | 2 ++
 ecs/pkg/amazon/mock/api.go | 59 ++++++++++++++++++++++++++++----
 ecs/pkg/amazon/sdk.go | 15 --------
 4 files changed, 54 insertions(+), 58 deletions(-)

diff --git a/ecs/pkg/amazon/cloudformation.go b/ecs/pkg/amazon/cloudformation.go
index 40bf8edd..c805e099 100644
--- a/ecs/pkg/amazon/cloudformation.go
+++ b/ecs/pkg/amazon/cloudformation.go
@@ -13,10 +13,8 @@ import (
 "github.com/awslabs/goformation/v4/cloudformation/ec2"
 "github.com/awslabs/goformation/v4/cloudformation/ecs"
 "github.com/awslabs/goformation/v4/cloudformation/iam"
- "github.com/compose-spec/compose-go/types"
 "github.com/docker/ecs-plugin/pkg/compose"
 "github.com/docker/ecs-plugin/pkg/convert"
- "github.com/sirupsen/logrus"
 )
 
 func (c client) Convert(ctx context.Context, project *compose.Project) (*cloudformation.Template, error) {
@@ -118,43 +116,9 @@ func (c client) GetVPC(ctx context.Context, project *compose.Project) (string, e
 return defaultVPC, nil
 }
 
-const ECSTaskExecutionPolicy = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
-
-var defaultTaskExecutionRole string
-
-// GetEcsTaskExecutionRole retrieve the role ARN to apply for task execution
-func (c client) GetEcsTaskExecutionRole(ctx context.Context, spec types.ServiceConfig) (string, error) {
- if arn, ok := spec.Extras["x-ecs-TaskExecutionRole"]; ok {
- return arn.(string), nil
- }
- if defaultTaskExecutionRole != "" {
- return defaultTaskExecutionRole, nil
- }
-
- logrus.Debug("Retrieve Task Execution Role")
- entities, err := c.api.ListRolesForPolicy(ctx, ECSTaskExecutionPolicy)
- if err != nil {
- return "", err
- }
- if len(entities) == 0 {
- return "", fmt.Errorf("no Role is attached to AmazonECSTaskExecutionRole Policy, please provide an explicit task execution role")
- }
- if len(entities) > 1 {
- return "", fmt.Errorf("multiple Roles are attached to AmazonECSTaskExecutionRole Policy, please provide an explicit task execution role")
- }
-
- arn, err := c.api.GetRoleArn(ctx, entities[0])
- if err != nil {
- return "", err
- }
- defaultTaskExecutionRole = arn
- return arn, nil
-}
-
 type convertAPI interface {
 GetDefaultVPC(ctx context.Context) (string, error)
 VpcExists(ctx context.Context, vpcID string) (bool, error)
 GetSubNets(ctx context.Context, vpcID string) ([]string, error)
- ListRolesForPolicy(ctx context.Context, policy string) ([]string, error)
 GetRoleArn(ctx context.Context, name string) (string, error)
 }
diff --git a/ecs/pkg/amazon/iam.go b/ecs/pkg/amazon/iam.go
index 38c4d833..c07e34fe 100644
--- a/ecs/pkg/amazon/iam.go
+++ b/ecs/pkg/amazon/iam.go
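Review bot: Removing the `spec.Extras["x-ecs-TaskExecutionRole"]` lookup means a compose file that still sets that extension is now silently ignored rather than rejected, so a user who pinned a deliberately scoped execution role would not notice that the generated template no longer honours it; unless the key is still read elsewhere, returning an error (or at least a warning) when it is present would make the change visible. `GetRoleArn` stays in `convertAPI` and in sdk.go although its only caller visible in this diff was the removed `GetEcsTaskExecutionRole`; if nothing else uses it, it could be dropped in the same commit, otherwise a short note on why it is kept would help the next reader. Both points are inferred from the diff alone, since the rest of cloudformation.go is outside the hunk.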
@@ -1,5 +1,7 @@
 package amazon
 
+const ECSTaskExecutionPolicy = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+
 var assumeRolePolicyDocument = PolicyDocument{
 Version: "2012-10-17", // https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html
 Statement: []PolicyStatement{
diff --git a/ecs/pkg/amazon/mock/api.go b/ecs/pkg/amazon/mock/api.go
index 81b0829d..4a116331 100644
--- a/ecs/pkg/amazon/mock/api.go
+++ b/ecs/pkg/amazon/mock/api.go
@@ -8,6 +8,7 @@ import (
 context "context"
 cloudformation "github.com/aws/aws-sdk-go/service/cloudformation"
 cloudformation0 "github.com/awslabs/goformation/v4/cloudformation"
+ docker "github.com/docker/ecs-plugin/pkg/docker"
 gomock "github.com/golang/mock/gomock"
 reflect "reflect"
 )
@@ -65,6 +66,21 @@ func (mr *MockAPIMockRecorder) CreateCluster(arg0, arg1 interface{}) *gomock.Cal
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateCluster", reflect.TypeOf((*MockAPI)(nil).CreateCluster), arg0, arg1)
 }
 
+// CreateSecret mocks base method
+func (m *MockAPI) CreateSecret(arg0 context.Context, arg1, arg2 string) (string, error) {
+ m.ctrl.T.Helper()
+ ret := m.ctrl.Call(m, "CreateSecret", arg0, arg1, arg2)
+ ret0, _ := ret[0].(string)
+ ret1, _ := ret[1].(error)
+ return ret0, ret1
+}
+
+// CreateSecret indicates an expected call of CreateSecret
+func (mr *MockAPIMockRecorder) CreateSecret(arg0, arg1, arg2 interface{}) *gomock.Call {
+ mr.mock.ctrl.T.Helper()
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateSecret", reflect.TypeOf((*MockAPI)(nil).CreateSecret), arg0, arg1, arg2)
+}
+
 // CreateStack mocks base method
 func (m *MockAPI) CreateStack(arg0 context.Context, arg1 string, arg2 *cloudformation0.Template) error {
 m.ctrl.T.Helper()
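Review bot: `ECSTaskExecutionPolicy` is exported but carries no doc comment, and now that it has moved away from the code that used it nothing in iam.go says what it is for; suggest `// ECSTaskExecutionPolicy is the ARN of the AWS-managed policy that gives the ECS task execution role its baseline permissions.` The literal also hard-codes the `arn:aws:` partition, so the same managed policy would not resolve in the `aws-cn` or `aws-us-gov` partitions; if the plugin is meant to deploy there, the partition should be derived at template-build time (for example from the `AWS::Partition` pseudo-parameter) rather than fixed in the constant. The code that attaches this policy to the role is outside the hunk, so I cannot tell whether it already handles the partition.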
@@ -93,6 +109,20 @@ func (mr *MockAPIMockRecorder) DeleteCluster(arg0, arg1 interface{}) *gomock.Cal
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteCluster", reflect.TypeOf((*MockAPI)(nil).DeleteCluster), arg0, arg1)
 }
 
+// DeleteSecret mocks base method
+func (m *MockAPI) DeleteSecret(arg0 context.Context, arg1 string, arg2 bool) error {
+ m.ctrl.T.Helper()
+ ret := m.ctrl.Call(m, "DeleteSecret", arg0, arg1, arg2)
+ ret0, _ := ret[0].(error)
+ return ret0
+}
+
+// DeleteSecret indicates an expected call of DeleteSecret
+func (mr *MockAPIMockRecorder) DeleteSecret(arg0, arg1, arg2 interface{}) *gomock.Call {
+ mr.mock.ctrl.T.Helper()
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteSecret", reflect.TypeOf((*MockAPI)(nil).DeleteSecret), arg0, arg1, arg2)
+}
+
 // DeleteStack mocks base method
 func (m *MockAPI) DeleteStack(arg0 context.Context, arg1 string) error {
 m.ctrl.T.Helper()
@@ -182,19 +212,34 @@ func (mr *MockAPIMockRecorder) GetSubNets(arg0, arg1 interface{}) *gomock.Call {
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetSubNets", reflect.TypeOf((*MockAPI)(nil).GetSubNets), arg0, arg1)
 }
 
-// ListRolesForPolicy mocks base method
-func (m *MockAPI) ListRolesForPolicy(arg0 context.Context, arg1 string) ([]string, error) {
+// InspectSecret mocks base method
+func (m *MockAPI) InspectSecret(arg0 context.Context, arg1 string) (docker.Secret, error) {
 m.ctrl.T.Helper()
- ret := m.ctrl.Call(m, "ListRolesForPolicy", arg0, arg1)
- ret0, _ := ret[0].([]string)
+ ret := m.ctrl.Call(m, "InspectSecret", arg0, arg1)
+ ret0, _ := ret[0].(docker.Secret)
 ret1, _ := ret[1].(error)
 return ret0, ret1
 }
 
-// ListRolesForPolicy indicates an expected call of ListRolesForPolicy
-func (mr *MockAPIMockRecorder) ListRolesForPolicy(arg0, arg1 interface{}) *gomock.Call {
+// InspectSecret indicates an expected call of InspectSecret
+func (mr *MockAPIMockRecorder) InspectSecret(arg0, arg1 interface{}) *gomock.Call {
 mr.mock.ctrl.T.Helper()
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListRolesForPolicy", reflect.TypeOf((*MockAPI)(nil).ListRolesForPolicy), arg0, arg1)
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "InspectSecret", reflect.TypeOf((*MockAPI)(nil).InspectSecret), arg0, arg1)
+}
+
+// ListSecrets mocks base method
+func (m *MockAPI) ListSecrets(arg0 context.Context) ([]docker.Secret, error) {
+ m.ctrl.T.Helper()
+ ret := m.ctrl.Call(m, "ListSecrets", arg0)
+ ret0, _ := ret[0].([]docker.Secret)
+ ret1, _ := ret[1].(error)
+ return ret0, ret1
+}
+
+// ListSecrets indicates an expected call of ListSecrets
+func (mr *MockAPIMockRecorder) ListSecrets(arg0 interface{}) *gomock.Call {
+ mr.mock.ctrl.T.Helper()
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListSecrets", reflect.TypeOf((*MockAPI)(nil).ListSecrets), arg0)
 }
 
 // StackExists mocks base method
diff --git a/ecs/pkg/amazon/sdk.go b/ecs/pkg/amazon/sdk.go
index 89d3ec31..74cb0448 100644
--- a/ecs/pkg/amazon/sdk.go
+++ b/ecs/pkg/amazon/sdk.go
@@ -132,21 +132,6 @@ func (s sdk) GetSubNets(ctx context.Context, vpcID string) ([]string, error) {
 return ids, nil
 }
 
-func (s sdk) ListRolesForPolicy(ctx context.Context, policy string) ([]string, error) {
- entities, err := s.IAM.ListEntitiesForPolicyWithContext(ctx, &iam.ListEntitiesForPolicyInput{
- EntityFilter: aws.String("Role"),
- PolicyArn: aws.String(policy),
- })
- if err != nil {
- return nil, err
- }
- roles := []string{}
- for _, e := range entities.PolicyRoles {
- roles = append(roles, *e.RoleName)
- }
- return roles, nil
-}
-
 func (s sdk) GetRoleArn(ctx context.Context, name string) (string, error) {
 role, err := s.IAM.GetRoleWithContext(ctx, &iam.GetRoleInput{
 RoleName: aws.String(name),