PR feedback

Author: Michae1CC

packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts

@@ -461,21 +461,21 @@ export class EcsRunTask extends sfn.TaskStateBase implements ec2.IConnectable {
     this.connections.addSecurityGroup(...this.securityGroups);
   }
 
-  private validateNoNetworkingProps(networkMode: ecs.NetworkMode | undefined) {
+  private validateNoNetworkingProps(networkMode?: ecs.NetworkMode) {
     if (this.props.subnets !== undefined || this.props.securityGroups !== undefined) {
       // Condition on the taskDefinition to set the message to maintain backwards
       // compatibility
+      const formattedNetworkMode = networkMode === undefined ? '\'networkMode\' is not defined' : `Received: ${networkMode}`;
       const validationErrorMsg = this.props.taskDefinition !== undefined
         ? `Supplied TaskDefinition must have 'networkMode' of 'AWS_VPC' to use 'vpcSubnets' and 'securityGroup'. Received: ${this.props.taskDefinition.networkMode}`
-        : `A 'networkMode' of 'AWS_VPC' is required to use 'vpcSubnets' and 'securityGroup'. Received: ${networkMode}.`;
+        : `A 'networkMode' of 'AWS_VPC' is required to use 'vpcSubnets' and 'securityGroup'. ${formattedNetworkMode}.`;
       throw new ValidationError(
         validationErrorMsg, this,
       );
     }
   }
 
-  private makeEcsPolicyStatements(taskDefinition: ecs.TaskDefinition | undefined,
-    taskDefinitionInput: sfn.TaskInput | undefined): iam.PolicyStatement[] {
+  private makeEcsPolicyStatements(taskDefinition?: ecs.TaskDefinition, taskDefinitionInput?: sfn.TaskInput): iam.PolicyStatement[] {
     const policyStatements: Array<iam.PolicyStatement> = [];
 
     if (taskDefinition !== undefined) {
@@ -512,8 +512,7 @@ export class EcsRunTask extends sfn.TaskStateBase implements ec2.IConnectable {
     return policyStatements;
   }
 
-  private makeIamPassRolePolicyStatements(taskDefinition: ecs.TaskDefinition | undefined,
-    taskDefinitionInput: sfn.TaskInput | undefined): iam.PolicyStatement[] {
+  private makeIamPassRolePolicyStatements(taskDefinition?: ecs.TaskDefinition, taskDefinitionInput?: sfn.TaskInput): iam.PolicyStatement[] {
     const policyStatements: Array<iam.PolicyStatement> = [];
 
     if (taskDefinition !== undefined) {
@@ -578,8 +577,7 @@ export class EcsRunTask extends sfn.TaskStateBase implements ec2.IConnectable {
     return policyStatements;
   }
 
-  private makePolicyStatements(taskDefinition: ecs.TaskDefinition | undefined,
-    taskDefinitionInput: sfn.TaskInput | undefined): iam.PolicyStatement[] {
+  private makePolicyStatements(taskDefinition?: ecs.TaskDefinition, taskDefinitionInput?: sfn.TaskInput): iam.PolicyStatement[] {
     return [
       ...this.makeEcsPolicyStatements(taskDefinition, taskDefinitionInput),
       ...this.makeIamPassRolePolicyStatements(taskDefinition, taskDefinitionInput),

packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks.test.ts

@@ -125,6 +125,7 @@ test('Cannot supply revisionNumber when using taskDefinitionInput', () => {
       cluster,
       taskDefinitionInput: sfn.TaskInput.fromText('arn:aws:ecs:us-east-1:111122223333:task-definition/TestTaskFamilyName:*'),
       revisionNumber: 1,
+      networkMode: ecs.NetworkMode.AWS_VPC,
       launchTarget: new tasks.EcsFargateLaunchTarget(),
     }).toStateJson(),
   ).toThrow(/Cannot supply 'revisionNumber' when using 'taskDefinitionInput'./);
@@ -187,7 +188,7 @@ test('Cannot supply taskExecutionRole when using taskDefinition', () => {
   ).toThrow(/Cannot supply 'taskExecutionRole' when using 'taskDefinition'./);
 });
 
-test('Cannot supply subnets when networkMode is not AWS_VPC', () => {
+test('Cannot supply subnets when networkMode is not set', () => {
   expect(() =>
     new tasks.EcsRunTask(stack, 'task', {
       cluster,
@@ -197,15 +198,27 @@ test('Cannot supply subnets when networkMode is not AWS_VPC', () => {
       subnets: vpc.selectSubnets({ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }),
       launchTarget: new tasks.EcsFargateLaunchTarget(),
     }).toStateJson(),
-  ).toThrow(/A 'networkMode' of 'AWS_VPC' is required to use 'vpcSubnets' and 'securityGroup'. Received: undefined./);
+  ).toThrow(/A 'networkMode' of 'AWS_VPC' is required to use 'vpcSubnets' and 'securityGroup'. 'networkMode' is not defined./);
+});
+
+test('Cannot supply subnets when networkMode is bridge', () => {
+  expect(() =>
+    new tasks.EcsRunTask(stack, 'task', {
+      cluster,
+      taskDefinitionInput: sfn.TaskInput.fromText('arn:aws:ecs:us-east-1:111122223333:task-definition/TestTaskFamilyName:*'),
+      networkMode: ecs.NetworkMode.BRIDGE,
+      securityGroups: undefined,
+      subnets: vpc.selectSubnets({ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }),
+      launchTarget: new tasks.EcsFargateLaunchTarget(),
+    }).toStateJson(),
+  ).toThrow(/A 'networkMode' of 'AWS_VPC' is required to use 'vpcSubnets' and 'securityGroup'. Received: bridge./);
 });
 
 test('Cannot supply securityGroups when networkMode is not AWS_VPC', () => {
   expect(() =>
     new tasks.EcsRunTask(stack, 'task', {
       cluster,
       taskDefinitionInput: sfn.TaskInput.fromText('arn:aws:ecs:us-east-1:111122223333:task-definition/TestTaskFamilyName:*'),
-      networkMode: undefined,
       securityGroups: [new ec2.SecurityGroup(stack, 'SecurityGroup1', {
         allowAllOutbound: true,
         description: 'Test Security Group',
@@ -215,7 +228,7 @@ test('Cannot supply securityGroups when networkMode is not AWS_VPC', () => {
       subnets: undefined,
       launchTarget: new tasks.EcsFargateLaunchTarget(),
     }).toStateJson(),
-  ).toThrow(/A 'networkMode' of 'AWS_VPC' is required to use 'vpcSubnets' and 'securityGroup'. Received: undefined./);
+  ).toThrow(/A 'networkMode' of 'AWS_VPC' is required to use 'vpcSubnets' and 'securityGroup'. 'networkMode' is not defined./);
 });
 
 test('Running a task with container override and container has explicitly set a container name', () => {
@@ -604,6 +617,12 @@ test('Running a Fargate Task - using JSONata', () => {
 
 test('Running a Fargate Task using taskDefinitionInput', () => {
   const taskDefinitionInput = sfn.TaskInput.fromText('arn:aws:ecs:us-east-1:111122223333:task-definition/TestTaskFamilyName:1');
+  const taskRole = new iam.Role(stack, 'TaskRole', {
+    assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+  });
+  const taskExecutionRole = new iam.Role(stack, 'ExecutionRole', {
+    assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+  });
 
   // WHEN
   const runTask = new tasks.EcsRunTask(stack, 'RunFargate', {
@@ -615,6 +634,8 @@ test('Running a Fargate Task using taskDefinitionInput', () => {
     launchTarget: new tasks.EcsFargateLaunchTarget({
       platformVersion: ecs.FargatePlatformVersion.VERSION1_4,
     }),
+    taskRole,
+    taskExecutionRole,
   });
 
   new sfn.StateMachine(stack, 'SM', {
@@ -669,6 +690,19 @@ test('Running a Fargate Task using taskDefinitionInput', () => {
           Effect: 'Allow',
           Resource: '*',
         },
+        {
+          Action: 'iam:PassRole',
+          Condition: {
+            StringEquals: {
+              'iam:PassedToService': 'ecs-tasks.amazonaws.com',
+            },
+          },
+          Effect: 'Allow',
+          Resource: [
+            { 'Fn::GetAtt': ['TaskRole30FC0FBB', 'Arn'] },
+            { 'Fn::GetAtt': ['ExecutionRole605A040B', 'Arn'] },
+          ],
+        },
         {
           Action: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'],
           Effect: 'Allow',
@@ -750,6 +784,59 @@ test('Running a Fargate Task using JSONata for taskDefinitionInput', () => {
     },
     Type: 'Task',
   });
+
+  Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+    PolicyDocument: {
+      Statement: [
+        {
+          Action: 'ecs:RunTask',
+          Condition: {
+            ArnLike: {
+              'ecs:cluster': { 'Fn::GetAtt': ['ClusterEB0386A7', 'Arn'] },
+            },
+          },
+          Effect: 'Allow',
+          Resource: '*',
+        },
+        {
+          Action: ['ecs:StopTask', 'ecs:DescribeTasks'],
+          Effect: 'Allow',
+          Resource: '*',
+        },
+        {
+          Action: 'iam:PassRole',
+          Condition: {
+            StringEquals: {
+              'iam:PassedToService': 'ecs-tasks.amazonaws.com',
+            },
+          },
+          Effect: 'Allow',
+          Resource: [
+            { 'Fn::GetAtt': ['TaskRole30FC0FBB', 'Arn'] },
+            { 'Fn::GetAtt': ['ExecutionRole605A040B', 'Arn'] },
+          ],
+        },
+        {
+          Action: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'],
+          Effect: 'Allow',
+          Resource: {
+            'Fn::Join': [
+              '',
+              [
+                'arn:',
+                { Ref: 'AWS::Partition' },
+                ':events:',
+                { Ref: 'AWS::Region' },
+                ':',
+                { Ref: 'AWS::AccountId' },
+                ':rule/StepFunctionsGetEventsForECSTaskRule',
+              ],
+            ],
+          },
+        },
+      ],
+    },
+  });
 });
 
 test('Running an EC2 Task with bridge network', () => {
@@ -1013,6 +1100,56 @@ test('Running an EC2 Task with bridge network using JSONata taskDefinitionInput'
     },
     Type: 'Task',
   });
+
+  Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+    PolicyDocument: {
+      Statement: [
+        {
+          Action: 'ecs:RunTask',
+          Condition: {
+            ArnLike: {
+              'ecs:cluster': { 'Fn::GetAtt': ['ClusterEB0386A7', 'Arn'] },
+            },
+          },
+          Effect: 'Allow',
+          Resource: '*',
+        },
+        {
+          Action: ['ecs:StopTask', 'ecs:DescribeTasks'],
+          Effect: 'Allow',
+          Resource: '*',
+        },
+        {
+          Action: 'iam:PassRole',
+          Condition: {
+            StringEquals: {
+              'iam:PassedToService': 'ecs-tasks.amazonaws.com',
+            },
+          },
+          Effect: 'Allow',
+          Resource: { 'Fn::GetAtt': ['TaskRole30FC0FBB', 'Arn'] },
+        },
+        {
+          Action: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'],
+          Effect: 'Allow',
+          Resource: {
+            'Fn::Join': [
+              '',
+              [
+                'arn:',
+                { Ref: 'AWS::Partition' },
+                ':events:',
+                { Ref: 'AWS::Region' },
+                ':',
+                { Ref: 'AWS::AccountId' },
+                ':rule/StepFunctionsGetEventsForECSTaskRule',
+              ],
+            ],
+          },
+        },
+      ],
+    },
+  });
 });
 
 test('Running an EC2 Task with placement strategies', () => {