fix(ecs): policy split for ecs tasks (#795)

- Fixes an issue where iam policies split into managed policies aren't assigned to the task role - Fixes an Id issue where the context id is used for policy naming which might not be unique
hamlet-io · Dec 19, 2023 · a6489ce · a6489ce
1 parent 0c8a52f
commit a6489ce
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/aws/components/ecs/setup.ftl b/aws/components/ecs/setup.ftl
@@ -1334,7 +1334,6 @@
         [#if solution.UseTaskRole]
             [#local roleId = resources["taskrole"].Id ]
             [#if deploymentSubsetRequired("iam", true) && isPartOfCurrentDeploymentUnit(roleId)]
-                [#local managedPolicy = []]
 
                 [#list containers as container]
                     [#-- Managed Policies --]
@@ -1348,16 +1347,16 @@
                     [#local policySet =
                         addInlinePolicyToSet(
                             policySet,
-                            formatDependentPolicyId(taskId, container.Id),
-                            container.Name,
+                            formatDependentPolicyId(taskId, container.ContaierId),
+                            container.ContaierId,
                             container.Policy
                         )
                     ]
 
                     [#local policySet =
                         addInlinePolicyToSet(
                             policySet,
-                            formatDependentPolicyId(taskId, container.Id, "links"),
+                            formatDependentPolicyId(taskId, container.ContaierId, "links"),
                             "links",
                             getLinkTargetsOutboundRoles(container.Links)
                         )
@@ -1395,7 +1394,7 @@
                 [@createRole
                     id=roleId
                     trustedServices=["ecs-tasks.amazonaws.com"]
-                    managedArns=managedPolicy
+                    managedArns=getManagedPoliciesFromSet(policySet)
                     tags=getOccurrenceTags(subOccurrence)
                 /]
 

diff --git a/aws/services/ecs/resource.ftl b/aws/services/ecs/resource.ftl
@@ -1099,6 +1099,7 @@
         [#local _context =
             containerDetails +
             {
+                "ContaierId": containerId,
                 "Essential" : container.Essential,
                 "Image": image.ImageLocation,
                 "MemoryReservation" : container.MemoryReservation,