
Export service's TaskRole in Cloudformation output for add-on importing

Open gautam-nutalapati opened this issue 1 year ago • 4 comments

We create a KMS key in add-ons and would like to restrict it to the service task role. Can we expose the task role ARN in CloudFormation so we can use it in the KMS key policy in addons?

UPDATE: Please note that, unlike applying a policy to the task role via addons, in this case we need to use the task role ARN in addons. Refer to: KMS key policies

gautam-nutalapati avatar May 17 '24 20:05 gautam-nutalapati

Hi, @gautam-nutalapati!

You can create a Parameters file for your addons template that refers to your Task Role ARN. See https://aws.github.io/copilot-cli/docs/developing/addons/workload/#customizing-the-parameters-section.

huanjani avatar May 17 '24 21:05 huanjani

In .../addons/addons.parameters.yml:

```yaml
Parameters:
  TaskRoleArn: !GetAtt TaskRole.Arn
```

huanjani avatar May 17 '24 21:05 huanjani

I tried this and got the error `ValidationError: Circular dependency between resources: [TaskDefinition, AddonsStack, Service, TaskRole]`

Steps:

  • In /addons/addons.parameters.yml I added

    ```yaml
    Parameters:
      TaskRoleArn: !GetAtt TaskRole.Arn
    ```

  • In /addons/kms.yml

    ```yaml
    Parameters:
      TaskRoleArn:   # must match the key used in addons.parameters.yml
        Type: String
        Description: TaskRoleArn created by main Stack.
        .
        .
    Resources:
      DataEncryptionKey:
        Type: AWS::KMS::Key
        Properties:
          ...
          KeyPolicy:
            Version: '2012-10-17'
            Id: key-default-1
            Statement:
              - Sid: Encrypt and decrypt permission for service
                Effect: Allow
                Principal:
                  AWS: !Ref TaskRoleArn
                Action:
              ...
    ```

I guess this approach may not work, as the TaskRole resource refers to policies created by AddOns, and referring to TaskRole in turn from AddOns may be causing this issue.

I don't know if there's a way to solve this unless we create the KMS key in the main stack itself. For now, we will continue to hard-code ARNs. :/

Let us know your thoughts.

gautam-nutalapati avatar May 26 '24 18:05 gautam-nutalapati

@gautam-nutalapati Hi hi! Have you tried moving DataEncryptionKey into the main stack via YAML patch?

Lou1415926 avatar Jun 03 '24 16:06 Lou1415926
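As an added illustration of the YAML patch route suggested above (example written for this thread, not code from the reporter or from the Copilot project), the following `cfn.patches.yml` adds the KMS key to the workload's main stack, where it can reference `TaskRole` directly. Because the key and the role then live in the same stack, and the key is not an addon output that `TaskRole` depends on, the `AddonsStack -> TaskRole -> AddonsStack` cycle from the error above does not arise. The file location under `copilot/<service>/overrides/`, the logical ID `DataEncryptionKey` (taken from the reporter's addon) and the statement contents are assumptions; the Copilot `TaskRole` logical ID is the one referenced in this thread. The key policy keeps a root-principal administration statement so that the key does not become unmanageable, and grants the task role only the data-key operations it needs.

```yaml
# copilot/<service>/overrides/cfn.patches.yml   (assumed path; Copilot's YAML patch override)
# Each entry is a JSON-Patch-style operation applied to the generated service template.
- op: add
  path: /Resources/DataEncryptionKey          # logical ID assumed, matches the addon in this thread
  value:
    Type: AWS::KMS::Key
    Properties:
      Description: Data encryption key scoped to the service task role (example)
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Id: service-data-key
        Statement:
          # Keep the account root as key administrator so the key can never become orphaned.
          - Sid: AllowAccountAdministration
            Effect: Allow
            Principal:
              AWS:
                Fn::Sub: arn:${AWS::Partition}:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: '*'
          # Least-privilege grant to the task role: data-key operations only, no key management.
          - Sid: AllowServiceTaskRoleUse
            Effect: Allow
            Principal:
              AWS:
                Fn::GetAtt: [TaskRole, Arn]   # same-stack reference, so no addon cycle
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: '*'
```

Long-form intrinsic functions (`Fn::GetAtt`, `Fn::Sub`) are used so the patch is plain YAML. After `copilot svc deploy`, check that the key was created in the service stack rather than the addons nested stack, and that the resulting key policy lists only the account root and the service's task role as principals.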

This issue is stale because it has been open 60 days with no response activity. Remove the stale label, add a comment, or this will be closed in 14 days.

github-actions[bot] avatar Aug 03 '24 00:08 github-actions[bot]

This issue is closed due to inactivity. Feel free to reopen the issue if you have any further questions!

github-actions[bot] avatar Aug 18 '24 00:08 github-actions[bot]