Skip to content

Commit

Permalink
fix: update policy
Browse files Browse the repository at this point in the history
  • Loading branch information
@mazyu36
mazyu36 committed Jun 23, 2024
1 parent 3b95777 commit 1e922b8
Show file tree
Hide file tree
Showing 9 changed files with 276 additions and 103 deletions.
1 change: 1 addition & 0 deletions packages/@aws-cdk/aws-apprunner-alpha/lib/service.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1301,6 +1301,7 @@ export class Service extends cdk.Resource implements iam.IGrantable {
// grant required privileges for the role
if (this.source.ecrRepository && this.accessRole) {
this.source.ecrRepository.grantPull(this.accessRole);
this.source.ecrRepository.grant(this.accessRole, 'ecr:DescribeImages');
}

this.serviceArn = resource.attrServiceArn;
Expand Down
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-ecr.js.snapshot/cdk.out
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 3 additions & 3 deletions ...ws-cdk/aws-apprunner-alpha/test/integ.service-ecr.js.snapshot/integ-apprunner.assets.json
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

122 changes: 62 additions & 60 deletions ...-cdk/aws-apprunner-alpha/test/integ.service-ecr.js.snapshot/integ-apprunner.template.json
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,22 @@
{
"Resources": {
"Service3InstanceRoleD40BEE82": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "tasks.apprunner.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
}
},
"Service3AccessRole3ACBAAA0": {
"Type": "AWS::IAM::Role",
"Properties": {
Expand Down Expand Up @@ -31,6 +48,7 @@
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr:GetDownloadUrlForLayer"
],
"Effect": "Allow",
Expand Down Expand Up @@ -72,6 +90,19 @@
"Service342D067F2": {
"Type": "AWS::AppRunner::Service",
"Properties": {
"InstanceConfiguration": {
"InstanceRoleArn": {
"Fn::GetAtt": [
"Service3InstanceRoleD40BEE82",
"Arn"
]
}
},
"NetworkConfiguration": {
"EgressConfiguration": {
"EgressType": "DEFAULT"
}
},
"SourceConfiguration": {
"AuthenticationConfiguration": {
"AccessRoleArn": {
Expand All @@ -91,19 +122,23 @@
},
"ImageRepositoryType": "ECR"
}
},
"InstanceConfiguration": {
"InstanceRoleArn": {
"Fn::GetAtt": [
"Service3InstanceRoleD40BEE82",
"Arn"
]
}
}
},
"Service2InstanceRole3F57F2AA": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "tasks.apprunner.amazonaws.com"
}
}
},
"NetworkConfiguration": {
"EgressConfiguration": {
"EgressType": "DEFAULT"
}
],
"Version": "2012-10-17"
}
}
},
Expand Down Expand Up @@ -138,6 +173,7 @@
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr:GetDownloadUrlForLayer"
],
"Effect": "Allow",
Expand Down Expand Up @@ -179,6 +215,19 @@
"Service2AB4D14D8": {
"Type": "AWS::AppRunner::Service",
"Properties": {
"InstanceConfiguration": {
"InstanceRoleArn": {
"Fn::GetAtt": [
"Service2InstanceRole3F57F2AA",
"Arn"
]
}
},
"NetworkConfiguration": {
"EgressConfiguration": {
"EgressType": "DEFAULT"
}
},
"SourceConfiguration": {
"AuthenticationConfiguration": {
"AccessRoleArn": {
Expand Down Expand Up @@ -217,56 +266,9 @@
},
"ImageRepositoryType": "ECR"
}
},
"InstanceConfiguration": {
"InstanceRoleArn": {
"Fn::GetAtt": [
"Service2InstanceRole3F57F2AA",
"Arn"
]
}
},
"NetworkConfiguration": {
"EgressConfiguration": {
"EgressType": "DEFAULT"
}
}
}
},
"Service3InstanceRoleD40BEE82": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "tasks.apprunner.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
}
},
"Service2InstanceRole3F57F2AA": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "tasks.apprunner.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
}
}
}
},
"Outputs": {
"URL3": {
Expand Down
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-ecr.js.snapshot/integ.json
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

17 changes: 15 additions & 2 deletions packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-ecr.js.snapshot/manifest.json
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit 1e922b8

Please sign in to comment.