Minimize aws permissions required for ecs/fargate cluster #385
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Intended to address #381
Overview
The goal is to reduce the number of AWS actions/permissions required to run the ECSCluster or FargateCluster. While one can pass
skip_cleanup=Trueto avoid needing many permissions, sometimes one may want cleanup to happen on relevant resources. For example, if one always passes specific iam task roles when launching the cluster, there's no need for the cluster to try to clean up stale iam task roles. By only cleaning up resources that the cluster creates on its own, we can reduce the minimal permissions set.Changes
_cleanup_stale_resourcesto be a class method rather than a standalone function_cleanup_stale_resourcesinto helper functions for readability purposesTesting
I've not attempted to test this at all yet, so leaving this as a draft PR for now. But if you all are on board with this kind of approach, I will do some manual testing on my end.