From 63f6e9ff13210a6677f9f854531f87a838b6a2d1 Mon Sep 17 00:00:00 2001 From: Michael Sambol Date: Thu, 20 Jun 2024 15:27:50 -0500 Subject: [PATCH] Add feature flag --- .../test/ecs/integ.ec2-run-task.ts | 3 +- .../test/ecs/integ.fargate-run-task.ts | 3 +- .../lib/ecs/run-task.ts | 32 +- .../test/ecs/run-tasks-feature-flag.test.ts | 488 ++++++++++++++++++ .../test/ecs/run-tasks.test.ts | 2 + packages/aws-cdk-lib/cx-api/lib/features.ts | 14 + 6 files changed, 534 insertions(+), 8 deletions(-) create mode 100644 packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks-feature-flag.test.ts diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.ts index 05cb571dbd3d7..e4af41e57113b 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.ts @@ -4,7 +4,7 @@ import * as ecs from 'aws-cdk-lib/aws-ecs'; import * as sfn from 'aws-cdk-lib/aws-stepfunctions'; import * as cdk from 'aws-cdk-lib'; import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks'; -import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api'; +import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP, ECS_REDUCE_RUN_TASK_PERMISSIONS } from 'aws-cdk-lib/cx-api'; import { IntegTest } from '@aws-cdk/integ-tests-alpha'; /* @@ -20,6 +20,7 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha'; const app = new cdk.App(); const stack = new cdk.Stack(app, 'aws-sfn-tasks-ecs-run-task'); stack.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false); +stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true); const cluster = new ecs.Cluster(stack, 'Ec2Cluster'); cluster.addCapacity('DefaultAutoScalingGroup', { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.ts index 3dad45d7604a3..98a31e84b9520 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.ts @@ -3,7 +3,7 @@ import * as ecs from 'aws-cdk-lib/aws-ecs'; import * as sfn from 'aws-cdk-lib/aws-stepfunctions'; import * as cdk from 'aws-cdk-lib'; import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks'; -import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api'; +import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP, ECS_REDUCE_RUN_TASK_PERMISSIONS } from 'aws-cdk-lib/cx-api'; import { IntegTest } from '@aws-cdk/integ-tests-alpha'; /* @@ -19,6 +19,7 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha'; const app = new cdk.App(); const stack = new cdk.Stack(app, 'aws-sfn-tasks-ecs-fargate-run-task'); stack.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false); +stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true); const cluster = new ecs.Cluster(stack, 'FargateCluster'); diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts index c752bb21c4deb..f23a0d68fc567 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts @@ -5,6 +5,7 @@ import * as ecs from '../../../aws-ecs'; import * as iam from '../../../aws-iam'; import * as sfn from '../../../aws-stepfunctions'; import * as cdk from '../../../core'; +import * as cxapi from '../../../cx-api'; import { integrationResourceArn, validatePatternSupported } from '../private/task-utils'; /** @@ -346,12 +347,31 @@ export class EcsRunTask extends sfn.TaskStateBase implements ec2.IConnectable { private makePolicyStatements(): iam.PolicyStatement[] { const stack = cdk.Stack.of(this); + const taskDefinitionFamilyArn = this.getTaskDefinitionFamilyArn(); + const reduceRunTaskPermissions = cdk.FeatureFlags.of(this).isEnabled(cxapi.ECS_REDUCE_RUN_TASK_PERMISSIONS); + let policyStatements = []; + // https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html - const policyStatements = [ - new iam.PolicyStatement({ - actions: ['ecs:RunTask'], - resources: [`${this.getTaskDefinitionFamilyArn()}:*`], - }), + if (reduceRunTaskPermissions) { + policyStatements.push( + new iam.PolicyStatement({ + actions: ['ecs:RunTask'], + resources: [`${taskDefinitionFamilyArn}:*`], + }), + ); + } else { + policyStatements.push( + new iam.PolicyStatement({ + actions: ['ecs:RunTask'], + resources: [ + taskDefinitionFamilyArn, + `${taskDefinitionFamilyArn}:*`, + ], + }), + ); + } + + policyStatements.push( new iam.PolicyStatement({ actions: ['ecs:StopTask', 'ecs:DescribeTasks'], resources: ['*'], @@ -360,7 +380,7 @@ export class EcsRunTask extends sfn.TaskStateBase implements ec2.IConnectable { actions: ['iam:PassRole'], resources: this.taskExecutionRoles().map((r) => r.roleArn), }), - ]; + ); if (this.integrationPattern === sfn.IntegrationPattern.RUN_JOB) { policyStatements.push( diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks-feature-flag.test.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks-feature-flag.test.ts new file mode 100644 index 0000000000000..a4b8cf53b812e --- /dev/null +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks-feature-flag.test.ts @@ -0,0 +1,488 @@ +import { Template } from '../../../assertions'; +import * as autoscaling from '../../../aws-autoscaling'; +import * as ec2 from '../../../aws-ec2'; +import * as ecs from '../../../aws-ecs'; +import * as sfn from '../../../aws-stepfunctions'; +import { Stack } from '../../../core'; +import { ECS_REDUCE_RUN_TASK_PERMISSIONS } from '../../../cx-api'; +import * as tasks from '../../lib'; + +let stack: Stack; +let vpc: ec2.Vpc; +let cluster: ecs.Cluster; + +/* eslint-disable quote-props */ + +test('Setting ECS_REDUCE_RUN_TASK_PERMISSIONS to false grants extra permissions', () => { + stack = new Stack(); + stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, false); + vpc = new ec2.Vpc(stack, 'Vpc'); + cluster = new ecs.Cluster(stack, 'Cluster', { vpc }); + cluster.addAsgCapacityProvider(new ecs.AsgCapacityProvider(stack, 'Capacity', { + autoScalingGroup: new autoscaling.AutoScalingGroup(stack, 'ASG', { + vpc, + instanceType: new ec2.InstanceType('t3.medium'), + machineImage: ec2.MachineImage.latestAmazonLinux2023(), + }), + })); + + const taskDefinition = new ecs.TaskDefinition(stack, 'TD', { + memoryMiB: '512', + cpu: '256', + compatibility: ecs.Compatibility.FARGATE, + }); + const containerDefinition = taskDefinition.addContainer('TheContainer', { + image: ecs.ContainerImage.fromRegistry('foo/bar'), + memoryLimitMiB: 256, + }); + + // WHEN + const runTask = new tasks.EcsRunTask(stack, 'RunFargate', { + integrationPattern: sfn.IntegrationPattern.RUN_JOB, + cluster, + taskDefinition, + containerOverrides: [ + { + containerDefinition, + environment: [{ name: 'SOME_KEY', value: sfn.JsonPath.stringAt('$.SomeKey') }], + }, + ], + launchTarget: new tasks.EcsFargateLaunchTarget({ + platformVersion: ecs.FargatePlatformVersion.VERSION1_4, + }), + }); + + new sfn.StateMachine(stack, 'SM', { + definitionBody: sfn.DefinitionBody.fromChainable(runTask), + }); + + // THEN + expect(stack.resolve(runTask.toStateJson())).toEqual({ + End: true, + Parameters: { + Cluster: { 'Fn::GetAtt': ['ClusterEB0386A7', 'Arn'] }, + LaunchType: 'FARGATE', + NetworkConfiguration: { + AwsvpcConfiguration: { + SecurityGroups: [{ 'Fn::GetAtt': ['RunFargateSecurityGroup709740F2', 'GroupId'] }], + Subnets: [{ Ref: 'VpcPrivateSubnet1Subnet536B997A' }, { Ref: 'VpcPrivateSubnet2Subnet3788AAA1' }], + }, + }, + PlatformVersion: '1.4.0', + TaskDefinition: 'TD', + Overrides: { + ContainerOverrides: [ + { + Environment: [ + { + Name: 'SOME_KEY', + 'Value.$': '$.SomeKey', + }, + ], + Name: 'TheContainer', + }, + ], + }, + }, + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { + Ref: 'AWS::Partition', + }, + ':states:::ecs:runTask.sync', + ], + ], + }, + Type: 'Task', + }); + + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Action: 'ecs:RunTask', + Effect: 'Allow', + Resource: [{ + 'Fn::Join': [ + '', + [ + 'arn:', + { 'Fn::Select': [1, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [2, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [3, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [4, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [0, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, + '/', + { 'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, + ], + ], + }, { + 'Fn::Join': [ + '', + [ + 'arn:', + { 'Fn::Select': [1, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [2, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [3, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [4, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [0, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, + '/', + { 'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, + ':*', + ], + ], + }], + }, + { + Action: ['ecs:StopTask', 'ecs:DescribeTasks'], + Effect: 'Allow', + Resource: '*', + }, + { + Action: 'iam:PassRole', + Effect: 'Allow', + Resource: { 'Fn::GetAtt': ['TDTaskRoleC497AFFC', 'Arn'] }, + }, + { + Action: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], + Effect: 'Allow', + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':events:', + { Ref: 'AWS::Region' }, + ':', + { Ref: 'AWS::AccountId' }, + ':rule/StepFunctionsGetEventsForECSTaskRule', + ], + ], + }, + }, + ], + }, + }); +}); + +test('Leaving ECS_REDUCE_RUN_TASK_PERMISSIONS as the default (false) grants extra permissions', () => { + stack = new Stack(); + stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, false); + vpc = new ec2.Vpc(stack, 'Vpc'); + cluster = new ecs.Cluster(stack, 'Cluster', { vpc }); + cluster.addAsgCapacityProvider(new ecs.AsgCapacityProvider(stack, 'Capacity', { + autoScalingGroup: new autoscaling.AutoScalingGroup(stack, 'ASG', { + vpc, + instanceType: new ec2.InstanceType('t3.medium'), + machineImage: ec2.MachineImage.latestAmazonLinux2023(), + }), + })); + + const taskDefinition = new ecs.TaskDefinition(stack, 'TD', { + memoryMiB: '512', + cpu: '256', + compatibility: ecs.Compatibility.FARGATE, + }); + const containerDefinition = taskDefinition.addContainer('TheContainer', { + image: ecs.ContainerImage.fromRegistry('foo/bar'), + memoryLimitMiB: 256, + }); + + // WHEN + const runTask = new tasks.EcsRunTask(stack, 'RunFargate', { + integrationPattern: sfn.IntegrationPattern.RUN_JOB, + cluster, + taskDefinition, + containerOverrides: [ + { + containerDefinition, + environment: [{ name: 'SOME_KEY', value: sfn.JsonPath.stringAt('$.SomeKey') }], + }, + ], + launchTarget: new tasks.EcsFargateLaunchTarget({ + platformVersion: ecs.FargatePlatformVersion.VERSION1_4, + }), + }); + + new sfn.StateMachine(stack, 'SM', { + definitionBody: sfn.DefinitionBody.fromChainable(runTask), + }); + + // THEN + expect(stack.resolve(runTask.toStateJson())).toEqual({ + End: true, + Parameters: { + Cluster: { 'Fn::GetAtt': ['ClusterEB0386A7', 'Arn'] }, + LaunchType: 'FARGATE', + NetworkConfiguration: { + AwsvpcConfiguration: { + SecurityGroups: [{ 'Fn::GetAtt': ['RunFargateSecurityGroup709740F2', 'GroupId'] }], + Subnets: [{ Ref: 'VpcPrivateSubnet1Subnet536B997A' }, { Ref: 'VpcPrivateSubnet2Subnet3788AAA1' }], + }, + }, + PlatformVersion: '1.4.0', + TaskDefinition: 'TD', + Overrides: { + ContainerOverrides: [ + { + Environment: [ + { + Name: 'SOME_KEY', + 'Value.$': '$.SomeKey', + }, + ], + Name: 'TheContainer', + }, + ], + }, + }, + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { + Ref: 'AWS::Partition', + }, + ':states:::ecs:runTask.sync', + ], + ], + }, + Type: 'Task', + }); + + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Action: 'ecs:RunTask', + Effect: 'Allow', + Resource: [{ + 'Fn::Join': [ + '', + [ + 'arn:', + { 'Fn::Select': [1, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [2, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [3, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [4, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [0, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, + '/', + { 'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, + ], + ], + }, { + 'Fn::Join': [ + '', + [ + 'arn:', + { 'Fn::Select': [1, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [2, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [3, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [4, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [0, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, + '/', + { 'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, + ':*', + ], + ], + }], + }, + { + Action: ['ecs:StopTask', 'ecs:DescribeTasks'], + Effect: 'Allow', + Resource: '*', + }, + { + Action: 'iam:PassRole', + Effect: 'Allow', + Resource: { 'Fn::GetAtt': ['TDTaskRoleC497AFFC', 'Arn'] }, + }, + { + Action: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], + Effect: 'Allow', + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':events:', + { Ref: 'AWS::Region' }, + ':', + { Ref: 'AWS::AccountId' }, + ':rule/StepFunctionsGetEventsForECSTaskRule', + ], + ], + }, + }, + ], + }, + }); +}); + +test('Setting ECS_REDUCE_RUN_TASK_PERMISSIONS to true reduces permissions', () => { + stack = new Stack(); + stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true); + vpc = new ec2.Vpc(stack, 'Vpc'); + cluster = new ecs.Cluster(stack, 'Cluster', { vpc }); + cluster.addAsgCapacityProvider(new ecs.AsgCapacityProvider(stack, 'Capacity', { + autoScalingGroup: new autoscaling.AutoScalingGroup(stack, 'ASG', { + vpc, + instanceType: new ec2.InstanceType('t3.medium'), + machineImage: ec2.MachineImage.latestAmazonLinux2023(), + }), + })); + + const taskDefinition = new ecs.TaskDefinition(stack, 'TD', { + memoryMiB: '512', + cpu: '256', + compatibility: ecs.Compatibility.FARGATE, + }); + const containerDefinition = taskDefinition.addContainer('TheContainer', { + image: ecs.ContainerImage.fromRegistry('foo/bar'), + memoryLimitMiB: 256, + }); + + // WHEN + const runTask = new tasks.EcsRunTask(stack, 'RunFargate', { + integrationPattern: sfn.IntegrationPattern.RUN_JOB, + cluster, + taskDefinition, + containerOverrides: [ + { + containerDefinition, + environment: [{ name: 'SOME_KEY', value: sfn.JsonPath.stringAt('$.SomeKey') }], + }, + ], + launchTarget: new tasks.EcsFargateLaunchTarget({ + platformVersion: ecs.FargatePlatformVersion.VERSION1_4, + }), + }); + + new sfn.StateMachine(stack, 'SM', { + definitionBody: sfn.DefinitionBody.fromChainable(runTask), + }); + + // THEN + expect(stack.resolve(runTask.toStateJson())).toEqual({ + End: true, + Parameters: { + Cluster: { 'Fn::GetAtt': ['ClusterEB0386A7', 'Arn'] }, + LaunchType: 'FARGATE', + NetworkConfiguration: { + AwsvpcConfiguration: { + SecurityGroups: [{ 'Fn::GetAtt': ['RunFargateSecurityGroup709740F2', 'GroupId'] }], + Subnets: [{ Ref: 'VpcPrivateSubnet1Subnet536B997A' }, { Ref: 'VpcPrivateSubnet2Subnet3788AAA1' }], + }, + }, + PlatformVersion: '1.4.0', + TaskDefinition: 'TD', + Overrides: { + ContainerOverrides: [ + { + Environment: [ + { + Name: 'SOME_KEY', + 'Value.$': '$.SomeKey', + }, + ], + Name: 'TheContainer', + }, + ], + }, + }, + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { + Ref: 'AWS::Partition', + }, + ':states:::ecs:runTask.sync', + ], + ], + }, + Type: 'Task', + }); + + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Action: 'ecs:RunTask', + Effect: 'Allow', + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { 'Fn::Select': [1, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [2, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [3, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [4, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [0, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, + '/', + { 'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, + ':*', + ], + ], + }, + }, + { + Action: ['ecs:StopTask', 'ecs:DescribeTasks'], + Effect: 'Allow', + Resource: '*', + }, + { + Action: 'iam:PassRole', + Effect: 'Allow', + Resource: { 'Fn::GetAtt': ['TDTaskRoleC497AFFC', 'Arn'] }, + }, + { + Action: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], + Effect: 'Allow', + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':events:', + { Ref: 'AWS::Region' }, + ':', + { Ref: 'AWS::AccountId' }, + ':rule/StepFunctionsGetEventsForECSTaskRule', + ], + ], + }, + }, + ], + }, + }); +}); diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks.test.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks.test.ts index 9ef23e8e9a3d6..785a96ba4f075 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks.test.ts +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks.test.ts @@ -4,6 +4,7 @@ import * as ec2 from '../../../aws-ec2'; import * as ecs from '../../../aws-ecs'; import * as sfn from '../../../aws-stepfunctions'; import { Stack } from '../../../core'; +import { ECS_REDUCE_RUN_TASK_PERMISSIONS } from '../../../cx-api'; import * as tasks from '../../lib'; let stack: Stack; @@ -15,6 +16,7 @@ let cluster: ecs.Cluster; beforeEach(() => { // GIVEN stack = new Stack(); + stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true); vpc = new ec2.Vpc(stack, 'Vpc'); cluster = new ecs.Cluster(stack, 'Cluster', { vpc }); cluster.addAsgCapacityProvider(new ecs.AsgCapacityProvider(stack, 'Capacity', { diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts index 6163361f943f6..d115d0d405e16 100644 --- a/packages/aws-cdk-lib/cx-api/lib/features.ts +++ b/packages/aws-cdk-lib/cx-api/lib/features.ts @@ -102,6 +102,7 @@ export const CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE = '@aws-cdk/ export const CODEPIPELINE_DEFAULT_PIPELINE_TYPE_TO_V2 = '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2'; export const KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE = '@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope'; export const PIPELINE_REDUCE_ASSET_ROLE_TRUST_SCOPE = '@aws-cdk/pipelines:reduceAssetRoleTrustScope'; +export const ECS_REDUCE_RUN_TASK_PERMISSIONS = '@aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions'; export const EKS_NODEGROUP_NAME = '@aws-cdk/aws-eks:nodegroupNameAttribute'; export const EBS_DEFAULT_GP3 = '@aws-cdk/aws-ec2:ebsDefaultGp3Volume'; export const ECS_REMOVE_DEFAULT_DEPLOYMENT_ALARM = '@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm'; @@ -1107,6 +1108,19 @@ export const FLAGS: Record = { introducedIn: { v2: '2.145.0' }, recommendedValue: false, }, + + ////////////////////////////////////////////////////////////////////// + [ECS_REDUCE_RUN_TASK_PERMISSIONS]: { + type: FlagType.BugFix, + summary: 'When enabled, IAM Policy created to run tasks won\'t include the task definition ARN, only the revision ARN.', + detailsMd: ` + When this feature flag is enabled, the IAM Policy created to run tasks won\'t include the task definition ARN, only the revision ARN. + The revision ARN is more specific than the task definition ARN. See https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html + for more details. + `, + introducedIn: { v2: '2.147.0' }, + recommendedValue: true, + }, }; const CURRENT_MV = 'v2';