Minimize aws permissions required for ecs/fargate cluster #385
Intended to address #381
Overview
The goal is to reduce the number of AWS actions/permissions required to run the ECSCluster or FargateCluster. While one can pass skip_cleanup=True to avoid needing many permissions, sometimes one may want cleanup to happen on relevant resources. For example, if one always passes specific iam task roles when launching the cluster, there's no need for the cluster to try to clean up stale iam task roles. By only cleaning up resources that the cluster creates on its own, we can reduce the minimal permissions set.
Changes
- _cleanup_stale_resources to be a class method rather than a standalone function
- _cleanup_stale_resources into helper functions for readability purposes
Testing
I've not attempted to test this at all yet, so leaving this as a draft PR for now. But if you all are on board with this kind of approach, I will do some manual testing on my end.