App Mesh Envoy Authorization Policies

[TheRealMkadmi]

Description

When deploying a service using the AppMesh extension, the Envoy container logs the following error:

gRPC config stream closed: 7

This issue is similar to the one documented in aws/aws-app-mesh-roadmap#80.

Steps to Reproduce

1. Deploy a service with the AppMesh extension.
2. Observe the Envoy container logs.

Expected Behavior

The Envoy container should not log any gRPC config stream closed: 7 errors.

Observed Behavior

The Envoy container logs an error: gRPC config stream closed: 7.

Proposed Solution

The issue can be resolved by adding the following lines in the useTaskDefinition method:

public useTaskDefinition(taskDefinition: ecs.TaskDefinition): void {
    super.useTaskDefinition(taskDefinition);

    // Reference: https://github.com/aws/aws-app-mesh-roadmap/issues/80
    taskDefinition.taskRole.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('CloudWatchFullAccess'));
    taskDefinition.taskRole.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AWSXRayDaemonWriteAccess'));
    taskDefinition.taskRole.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AWSAppMeshEnvoyAccess'));
}

This addition grants the necessary permissions to the task role, resolving the error.