From f59fb1ba2dcfa67915b813d7ecf8338fd7497886 Mon Sep 17 00:00:00 2001
From: Aiden Carpenter
Date: Mon, 22 Jan 2024 11:23:44 -0800
Subject: [PATCH 1/2] append loop id to policy name
---
 .../stack/testdata/workloads/worker-test.stack.yml | 2 +-
 .../template/templates/workloads/partials/cf/taskrole.yml | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml
index aabd72ce3da..6395d8e992e 100644
--- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml
@@ -319,7 +319,7 @@ Resources:
 - Effect: 'Allow'
 Action: ["logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:PutLogEvents"]
 Resource: "*"
- - PolicyName: !Join ['', ['GrantEFSAccess', !ImportValue 'stack-fs-12345']]
+ - PolicyName: !Join ['', ['GrantEFSAccess', !ImportValue 'stack-fs-12345', '-0']]
 PolicyDocument:
 Version: '2012-10-17'
 Statement:
diff --git a/internal/pkg/template/templates/workloads/partials/cf/taskrole.yml b/internal/pkg/template/templates/workloads/partials/cf/taskrole.yml
index 3b2317290b2..9b3f79ae6b2 100644
--- a/internal/pkg/template/templates/workloads/partials/cf/taskrole.yml
+++ b/internal/pkg/template/templates/workloads/partials/cf/taskrole.yml
@@ -46,11 +46,11 @@ TaskRole:
 Resource: "*"
 {{- end }}
 {{- if .Storage}}
- {{- range $EFS := .Storage.EFSPerms}}
+ {{- range $i, $EFS := .Storage.EFSPerms}}
 {{- if not $EFS.FilesystemID.RequiresImport}}
- - PolicyName: 'GrantEFSAccess{{$EFS.FilesystemID.Value}}'
+ - PolicyName: 'GrantEFSAccess{{$EFS.FilesystemID.Value}}-{{$i}}'
 {{- else}}
- - PolicyName: !Join ['',[ 'GrantEFSAccess', !ImportValue {{$EFS.FilesystemID.Value}}]]
+ - PolicyName: !Join ['',[ 'GrantEFSAccess', !ImportValue {{$EFS.FilesystemID.Value}}, '-{{$i}}']]
 {{- end}}
 PolicyDocument:
 Version: '2012-10-17'
From dce8c6e2d401ac89b7f28c4d1e278ad2a948283d Mon Sep 17 00:00:00 2001
From: Aiden Carpenter
Date: Tue, 23 Jan 2024 10:01:53 -0800
Subject: [PATCH 2/2] integ test
---
 .../testdata/workloads/worker-manifest.yml | 7 ++++-
 .../testdata/workloads/worker-test.stack.yml | 28 +++++++++++++++++--
 2 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-manifest.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-manifest.yml
index 50a93cd0604..5a05adb2b00 100644
--- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-manifest.yml
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-manifest.yml
@@ -83,7 +83,12 @@ storage:
 path: '/etc/mount1'
 efs:
 id:
- from_cfn: stack-fs-12345
+ from_cfn: stack-fs-12345
+ externalEFSVolume2:
+ path: '/etc/mount2'
+ efs:
+ id:
+ from_cfn: stack-fs-12345
 # Optional fields for more advanced use-cases.
 #
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml
index 6395d8e992e..6af621abe6b 100644
--- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml
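Review bot: The new `{{$i}}` suffix on both PolicyName lines is the whole point of the change, yet the template gives no hint why the loop index became part of an IAM policy name, and the reason is not visible from the loop itself: two volumes may reference the same filesystem ID (the accompanying fixture does exactly that), and inline policy names within one role have to be unique, so without the suffix the second grant would collide with or replace the first. A short template comment above the range would preserve that intent, e.g. `{{- /* index suffix keeps PolicyName unique when several volumes reference the same filesystem */}}`. It is also worth stating in the commit description that every existing task role's inline policy is renamed on the next deploy (`GrantEFSAccess{fs-id}` becomes `GrantEFSAccess{fs-id}-0`), which appears as an IAM policy change in the change set even though the granted actions and resources are unchanged. The enclosing TaskRole resource starts and ends outside the hunk.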
@@ -90,7 +90,12 @@ Metadata:
 path: '/etc/mount1'
 efs:
 id:
- from_cfn: stack-fs-12345
+ from_cfn: stack-fs-12345
+ externalEFSVolume2:
+ path: '/etc/mount2'
+ efs:
+ id:
+ from_cfn: stack-fs-12345
 # Optional fields for more advanced use-cases.
 #
@@ -190,7 +195,7 @@ Resources:
 yourtopicyourtopicfifoURL: !Ref yourtopicyourtopicfifoEventsQueue
 nonfifotopicnonfifotopicURL: !Ref nonfifotopicnonfifotopicEventsQueue
 - Name: COPILOT_MOUNT_POINTS
- Value: '{"externalEFSVolume":"/etc/mount1"}'
+ Value: '{"externalEFSVolume":"/etc/mount1","externalEFSVolume2":"/etc/mount2"}'
 EnvironmentFiles:
 - !If
 - HasEnvFile
@@ -207,6 +212,9 @@ Resources:
 - ContainerPath: '/etc/mount1'
 ReadOnly: true
 SourceVolume: externalEFSVolume
+ - ContainerPath: '/etc/mount2'
+ ReadOnly: true
+ SourceVolume: externalEFSVolume2
 Volumes:
 - Name: externalEFSVolume
 EFSVolumeConfiguration:
@@ -215,6 +223,13 @@ Resources:
 TransitEncryption: ENABLED
 AuthorizationConfig:
 IAM: DISABLED
+ - Name: externalEFSVolume2
+ EFSVolumeConfiguration:
+ FilesystemId: !ImportValue 'stack-fs-12345'
+ RootDirectory: '/'
+ TransitEncryption: ENABLED
+ AuthorizationConfig:
+ IAM: DISABLED
 ExecutionRole:
 Metadata:
 'aws:copilot:description': 'An IAM Role for the Fargate agent to make AWS API calls on your behalf'
@@ -328,6 +343,15 @@ Resources:
 - 'elasticfilesystem:ClientMount'
 Resource:
 - !Join ['/', [!Sub 'arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system', !ImportValue 'stack-fs-12345']]
+ - PolicyName: !Join ['', ['GrantEFSAccess', !ImportValue 'stack-fs-12345', '-1']]
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: 'Allow'
+ Action:
+ - 'elasticfilesystem:ClientMount'
+ Resource:
+ - !Join ['/', [!Sub 'arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system', !ImportValue 'stack-fs-12345']]
 - PolicyName: 'Publish2SNS'
 PolicyDocument:
 Version: '2012-10-17'