cdklabs/cdk-ecs-service-extensions

Service does not expose taskRole


The Service class does not expose the taskRole that it automatically creates.

This means that in order to grant access to resources, you need to explicitly create a task role, whereas with the normal ECS constructs it's trivial to grant access via FargateTaskDefinition#taskRole.

I'm guessing the reason for this is that the intention is users grant their services access to resources using the InjecterExtension and creating their own implementations of IGrantInjectable. I'm also guessing the intention is to expand the set of services supported by InjecterExtension. If that is the case, it would be good to talk about that in the documentation.

One approach to exfiltrating the task role is to create a custom extension which sets the task role as a property:

import * as ecs from 'aws-cdk-lib/aws-ecs';
import * as iam from 'aws-cdk-lib/aws-iam';
import { ServiceExtension } from '@aws-cdk-containers/ecs-service-extensions';

class MyExtension extends ServiceExtension {
  public taskRole!: iam.IRole; // This assertion requires a guarantee that you won't reference this prop before serviceBuild
  constructor() {
    super('my-task-role-extractor-extension');
  }

  // Called by Service while it builds the task definition; capture the role it created
  public useTaskDefinition(taskDefinition: ecs.TaskDefinition): void {
    this.taskRole = taskDefinition.taskRole;
  }
}

Then in your implementation you can use the class:

import { Stack } from 'aws-cdk-lib';
import { PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { Environment, Service, ServiceDescription } from '@aws-cdk-containers/ecs-service-extensions';

declare const stack: Stack;
declare const environment: Environment;
declare const sd: ServiceDescription;
declare const myPolicyStatement: PolicyStatement;
const taskRoleExtractor = new MyExtension();

sd.add(taskRoleExtractor);

const service = new Service(stack, 'service', {
  environment,
  serviceDescription: sd,
  // other service props
});

// Safe to read only after the Service constructor has run useTaskDefinition
const tr = taskRoleExtractor.taskRole;
tr.addToPolicy(myPolicyStatement);

Alternatively, you can just inject the policy directly via the extension constructor props and useTaskDefinition call and avoid having to assign extra variables.

Thanks for the callout, we'll add something to the documentation about this.