
ci(engine): Add task role with efs permissions
topher-lo committed Mar 19, 2024
1 parent d4863f9 commit de093de
Showing 1 changed file with 29 additions and 0 deletions.
29 changes: 29 additions & 0 deletions aws/stack.py
Expand Up @@ -79,6 +79,34 @@ def __init__(self, scope: Construct, id: str, **kwargs) -> None:
roles=[execution_role],
)

# Task role
task_role = iam.Role(
self,
"TaskRole",
role_name="TracecatTaskRole",
assumed_by=iam.ServicePrincipal("ecs-tasks.amazonaws.com"),
)
iam.Policy(
self,
"TaskRolePolicy",
statements=[
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
"elasticfilesystem:ClientMount",
"elasticfilesystem:ClientWrite",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:DescribeMountTargetSecurityGroups",
],
resources=[
f"arn:aws:elasticfilesystem:{self.region}:{self.account}:file-system/{vpc.vpc_id}"
],
),
],
roles=[task_role],
)

# Secrets
tracecat_secret = secretsmanager.Secret.from_secret_complete_arn(
self, "Secret", secret_complete_arn=AWS_SECRET__ARN
Expand Down Expand Up @@ -117,6 +145,7 @@ def __init__(self, scope: Construct, id: str, **kwargs) -> None:
self,
"TaskDefinition",
execution_role=execution_role,
task_role=task_role,
volumes=[
ecs.Volume(
name="Volume",
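Review bot: The resource ARN in the new TaskRolePolicy statement is built from `vpc.vpc_id`, but an EFS file-system ARN ends in a file-system id (`fs-…`), not a VPC id (`vpc-…`), so the statement as written will never match the file system the task mounts and the grant is either dead or the IAM-authorized mount fails. The ARN should instead use the file system's own id, e.g. `f"arn:aws:elasticfilesystem:{self.region}:{self.account}:file-system/<EFS_FILE_SYSTEM_ID>"` taken from the `efs.FileSystem` construct (its `file_system_arn`) if the stack creates one, or from configuration otherwise. Note that the task role only gates NFS access when the volume's EFS configuration enables transit encryption and IAM authorization; the `ecs.Volume(...)` definition that would show this starts in the second hunk and continues outside it, so please confirm it is set. The fixed `role_name="TracecatTaskRole"` also prevents deploying a second copy of this stack in the same account; letting CDK generate the name (or deriving it from the stack id) avoids that collision. The enclosing `__init__` begins and ends outside both hunks.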
