fix(ecs): make TaskDefinition accept IRoles (#2034)

rix0rrr · web-flow · commit f32431ae4dfb · 2019-03-18T13:59:21.000+01:00
The role input parameters are currently Roles but should be IRoles. Required adding the grant methods to the `IRole` definition, which weren't there before. Fixes #1925.
diff --git a/packages/@aws-cdk/aws-ecs/lib/base/task-definition.ts b/packages/@aws-cdk/aws-ecs/lib/base/task-definition.ts
@@ -23,14 +23,14 @@ export interface CommonTaskDefinitionProps {
    *
    * @default An execution role will be automatically created if you use ECR images in your task definition
    */
-  executionRole?: iam.Role;
+  executionRole?: iam.IRole;
 
   /**
    * The IAM role assumable by your application code running inside the container
    *
    * @default A task role is automatically created for you
    */
-  taskRole?: iam.Role;
+  taskRole?: iam.IRole;
 
   /**
    * See: https://docs.aws.amazon.com/AmazonECS/latest/developerguide//task_definition_parameters.html#volumes
@@ -112,7 +112,7 @@ export class TaskDefinition extends cdk.Construct {
   /**
    * Task role used by this task definition
    */
-  public readonly taskRole: iam.Role;
+  public readonly taskRole: iam.IRole;
 
   /**
    * Network mode used by this task definition
diff --git a/packages/@aws-cdk/aws-iam/lib/lazy-role.ts b/packages/@aws-cdk/aws-iam/lib/lazy-role.ts
@@ -1,5 +1,5 @@
 import cdk = require('@aws-cdk/cdk');
-import { Policy } from './policy';
+import { IPrincipal, Policy } from './policy';
 import { PolicyPrincipal, PolicyStatement } from './policy-document';
 import { IRole, Role, RoleImportProps, RoleProps } from './role';
 
@@ -85,6 +85,20 @@ export class LazyRole extends cdk.Construct implements IRole {
     return this.instantiate().principal;
   }
 
+  /**
+   * Grant the actions defined in actions to the identity Principal on this resource.
+   */
+  public grant(identity?: IPrincipal, ...actions: string[]): void {
+    return this.instantiate().grant(identity, ...actions);
+  }
+
+  /**
+   * Grant permissions to the given principal to pass this role.
+   */
+  public grantPassRole(identity?: IPrincipal): void {
+    return this.instantiate().grantPassRole(identity);
+  }
+
   private instantiate(): Role {
     if (!this.role) {
       const role = new Role(this, 'Default', this.props);
@@ -95,4 +109,4 @@ export class LazyRole extends cdk.Construct implements IRole {
     }
     return this.role;
   }
-}
+}
diff --git a/packages/@aws-cdk/aws-iam/lib/role.ts b/packages/@aws-cdk/aws-iam/lib/role.ts
@@ -245,6 +245,16 @@ export interface IRole extends IConstruct, IPrincipal {
    * Export this role to another stack.
    */
   export(): RoleImportProps;
+
+  /**
+   * Grant the actions defined in actions to the identity Principal on this resource.
+   */
+  grant(identity?: IPrincipal, ...actions: string[]): void;
+
+  /**
+   * Grant permissions to the given principal to pass this role.
+   */
+  grantPassRole(identity?: IPrincipal): void;
 }
 
 function createAssumeRolePolicy(principal: PolicyPrincipal, externalId?: string) {
@@ -331,4 +341,18 @@ class ImportedRole extends Construct implements IRole {
   public attachManagedPolicy(_arn: string): void {
     // FIXME: Add warning that we're ignoring this
   }
+
+  /**
+   * Grant the actions defined in actions to the identity Principal on this resource.
+   */
+  public grant(_identity?: IPrincipal, ..._actions: string[]): void {
+    // FIXME: Add warning that we're ignoring this
+  }
+
+  /**
+   * Grant permissions to the given principal to pass this role.
+   */
+  public grantPassRole(_identity?: IPrincipal): void {
+    // FIXME: Add warning that we're ignoring this
+  }
 }
