9.1.0 - IAM role management (#395)

* add options.autoscalingRole * combine lambda roles into primary watchbot role * document new autoscalingRoleArn option * 9.1.0-dev.1 * pipline version 2 * just github v2 * actually v2 * update branch source * 9.1.0-dev.2 * 9.1.0-dev.3 * 9.x branch build * 9.1.0 * update snapshots * add some tests
mapbox · Jun 13, 2024 · da57105 · da57105
1 parent 1088763
commit da57105
Show file tree

Hide file tree

Showing 9 changed files with 3,321 additions and 1,079 deletions.
diff --git a/bin/dead-letter.js b/bin/dead-letter.js
@@ -3,7  3,7 @@
 
 /* eslint-disable no-console */
 
-const { CloudFormation } = require('@aws-sdk/client-cloudformation')
 const { CloudFormation } = require('@aws-sdk/client-cloudformation');
 const { SQS } = require('@aws-sdk/client-sqs');
 const inquirer = require('inquirer');
 const stream = require('stream');

diff --git a/changelog.md b/changelog.md
@@ -1,3  1,26 @@
 ### 9.1.0
 
 - Merge ScalingLambdaRole and LambdaTotalMessagesRole into the primary WatchbotRole resource to reduce number of distinct IAM roles
 - Add option `autoScalingRole` for using a predefined auto scaling role instead of creating one for the stack. This role should have the following permissions, with the resouce scope being as strict as desired: 
 
 ```JSON
 {
   "Statement": [
     {
       "Action": [
         "application-autoscaling:*",
         "cloudwatch:DescribeAlarms",
         "cloudwatch:PutMetricAlarm",
         "ecs:UpdateService",
         "ecs:DescribeServices"
       ],
       "Resource": "*",
       "Effect": "Allow"
     }
   ]
 }
 ```
 
 ### 9.0.1
 
 -  Bug fix: TotalMessagesLambda now working as expected; watchbot stacks now scaling down when no tasks in queue

diff --git a/cloudformation/ecs-watchbot-generate-binaries.template.js b/cloudformation/ecs-watchbot-generate-binaries.template.js
@@ -233,7  233,7 @@ const Resources = {
                 Owner: 'mapbox',
                 Repo: 'ecs-watchbot',
                 PollForSourceChanges: 'false',
-                Branch: 'master',
                 Branch: '9.x',
                 OAuthToken: '{{resolve:secretsmanager:code-pipeline-helper/access-token}}'
               }
             }

diff --git a/docs/building-a-template.md b/docs/building-a-template.md
@@ -99,6  99,7 @@ When creating your watchbot stacks with the `watchbot.template()` method, you no
 **placementConstraints** | ECS service [placement constraints](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-service-placementconstraint.html). This value is ignored for `capacity` values other than `'EC2'`. | Object[]/Ref | No | false
 **placementStrategies** | ECS service [placement strategies](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-service-placementstrategy.html). This value is ignored for `capacity` values other than `'EC2'`. | Object[]/Ref | No | false
 **structuredLogging** | Whether to emit logs in JSON format or not | Boolean | No | `false`
 **autoscalingRoleArn** | A custom autoscaling role to use instead of building a distinct role for the stack | String/Ref | No | If not provided, an autoscaling role will be built with the permissions described in [Custom Autoscaling Role](#custom-autoscaling-role)
 
 ### writableFilesystem mode explained
 
@@ -137,3  138,25 @@ var outputs = {
 
 cloudfriend.merge(myTemplate, watcher, outputs);
 ```
 
 ### Custom Autoscaling Role
 
 You can provide a custom autoscaling role for your service. If you do not provide a custom role, a role with the following permissions will be created, which can only be assumed by the `application-autoscaling.amazonaws.com` principal.
 
 ```JSON
 {
   "Statement": [
     {
       "Action": [
         "application-autoscaling:*",
         "cloudwatch:DescribeAlarms",
         "cloudwatch:PutMetricAlarm",
         "ecs:UpdateService",
         "ecs:DescribeServices"
       ],
       "Resource": "*",
       "Effect": "Allow"
     }
   ]
 }
 ```
diff --git a/lib/template.js b/lib/template.js
@@ -38,7  38,8 @@ module.exports = (options = {}) => {
       dashboard: true,
       fifo: false,
       fargatePublicIp: 'DISABLED',
-      structuredLogging: false
       structuredLogging: false,
       autoscalingRoleArn: false
     },
     options
   );
@@ -246,7  247,7 @@ module.exports = (options = {}) => {
         Statement: [
           {
             Effect: 'Allow',
-            Principal: { Service: ['ecs-tasks.amazonaws.com'] },
             Principal: { Service: ['ecs-tasks.amazonaws.com', 'lambda.amazonaws.com'] },
             Action: ['sts:AssumeRole']
           }
         ]
@@ -285,6  286,39 @@ module.exports = (options = {}) => {
               )
             ]
           }
         },
         // roles for log-based lambda scaling utility
         {
           PolicyName: cf.join([cf.stackName, '-lambda-scaling']),
           PolicyDocument: {
             Statement: [
               {
                 Effect: 'Allow',
                 Action: [
                   'logs:*'
                 ],
                 Resource: cf.join([
                   'arn:',
                   cf.partition,
                   ':logs:*:*:*'
                 ])
               },
               {
                 Effect: 'Allow',
                 Action: [
                   'cloudwatch:PutMetricData'
                 ],
                 Resource: '*'
               },
               {
                 Effect: 'Allow',
                 Action: [
                   'sqs:GetQueueAttributes'
                 ],
                 Resource: cf.getAtt(prefixed('Queue'), 'Arn')
               }
             ]
           }
         }
       ]
     }
@@ -433,41  467,43 @@ module.exports = (options = {}) => {
     Resources[prefixed('Service')].Properties.PlacementStrategies =
       options.placementStrategies;
 
-  Resources[prefixed('ScalingRole')] = {
-    Type: 'AWS::IAM::Role',
-    Properties: {
-      AssumeRolePolicyDocument: {
-        Statement: [
   if (!options.autoscalingRoleArn) {
     Resources[prefixed('ScalingRole')] = {
       Type: 'AWS::IAM::Role',
       Properties: {
         AssumeRolePolicyDocument: {
           Statement: [
             {
               Effect: 'Allow',
               Principal: { Service: ['application-autoscaling.amazonaws.com'] },
               Action: ['sts:AssumeRole']
             }
           ]
         },
         Path: '/',
         Policies: [
           {
-            Effect: 'Allow',
-            Principal: { Service: ['application-autoscaling.amazonaws.com'] },
-            Action: ['sts:AssumeRole']
             PolicyName: 'watchbot-autoscaling',
             PolicyDocument: {
               Statement: [
                 {
                   Effect: 'Allow',
                   Action: [
                     'application-autoscaling:*',
                     'cloudwatch:DescribeAlarms',
                     'cloudwatch:PutMetricAlarm',
                     'ecs:UpdateService',
                     'ecs:DescribeServices'
                   ],
                   Resource: '*'
                 }
               ]
             }
           }
         ]
-      },
-      Path: '/',
-      Policies: [
-        {
-          PolicyName: 'watchbot-autoscaling',
-          PolicyDocument: {
-            Statement: [
-              {
-                Effect: 'Allow',
-                Action: [
-                  'application-autoscaling:*',
-                  'cloudwatch:DescribeAlarms',
-                  'cloudwatch:PutMetricAlarm',
-                  'ecs:UpdateService',
-                  'ecs:DescribeServices'
-                ],
-                Resource: '*'
-              }
-            ]
-          }
-        }
-      ]
-    }
-  };
       }
     };
   }
 
   Resources[prefixed('ScalingTarget')] = {
     Type: 'AWS::ApplicationAutoScaling::ScalableTarget',
@@ -482,7  518,7 @@ module.exports = (options = {}) => {
       ]),
       MinCapacity: options.minSize,
       MaxCapacity: options.maxSize,
-      RoleARN: cf.getAtt(prefixed('ScalingRole'), 'Arn')
       RoleARN: options.autoscalingRoleArn || cf.getAtt(prefixed('ScalingRole'), 'Arn')
     }
   };
 
@@ -712,44  748,11 @@ module.exports = (options = {}) => {
     }
   };
 
-  Resources[prefixed('LambdaScalingRole')] = {
-    Type: 'AWS::IAM::Role',
-    Properties: {
-      AssumeRolePolicyDocument: {
-        Statement: [
-          {
-            Effect: 'Allow',
-            Principal: { Service: ['lambda.amazonaws.com'] },
-            Action: ['sts:AssumeRole']
-          }
-        ]
-      },
-      Policies: [{
-        PolicyName: 'CustomcfnScalingLambdaLogs',
-        PolicyDocument: {
-          Statement: [
-            {
-              Effect: 'Allow',
-              Action: [
-                'logs:*'
-              ],
-              Resource: cf.join([
-                'arn:',
-                cf.partition,
-                ':logs:*:*:*'
-              ])
-            }
-          ]
-        }
-      }]
-    }
-  };
-
   Resources[prefixed('ScalingLambda')] = {
     Type: 'AWS::Lambda::Function',
     Properties: {
       Handler: 'index.handler',
-      Role: cf.getAtt(prefixed('LambdaScalingRole'), 'Arn'),
       Role: cf.getAtt(prefixed('Role'), 'Arn'),
       Code: {
         ZipFile: cf.sub(`
           const response = require('./cfn-response');
@@ -775,7  778,7 @@ module.exports = (options = {}) => {
     Type: 'AWS::Lambda::Function',
     Properties: {
       Handler: 'index.handler',
-      Role: cf.getAtt(prefixed('LambdaTotalMessagesRole'), 'Arn'),
       Role: cf.getAtt(prefixed('Role'), 'Arn'),
       Timeout: 60,
       Code: {
         ZipFile: cf.sub(`
@@ -812,53  815,6 @@ module.exports = (options = {}) => {
     }
   };
 
-  Resources[prefixed('LambdaTotalMessagesRole')] = {
-    Type: 'AWS::IAM::Role',
-    Properties: {
-      AssumeRolePolicyDocument: {
-        Statement: [
-          {
-            Effect: 'Allow',
-            Principal: { Service: ['lambda.amazonaws.com'] },
-            Action: ['sts:AssumeRole']
-          }
-        ]
-      },
-      Policies: [{
-        PolicyName: 'LambdaTotalMessagesMetric',
-        PolicyDocument: {
-          Statement: [
-            {
-              Effect: 'Allow',
-              Action: [
-                'logs:*'
-              ],
-              Resource: cf.join([
-                'arn:',
-                cf.partition,
-                ':logs:*:*:*'
-              ])
-            },
-            {
-              Effect: 'Allow',
-              Action: [
-                'cloudwatch:PutMetricData'
-              ],
-              Resource: '*'
-            },
-            {
-              Effect: 'Allow',
-              Action: [
-                'sqs:GetQueueAttributes'
-              ],
-              Resource: cf.getAtt(prefixed('Queue'), 'Arn')
-            }
-          ]
-        }
-      }]
-    }
-  };
-
   Resources[prefixed('TotalMessagesSchedule')] = {
     Type: 'AWS::Events::Rule',
     Properties: {

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6  1,6 @@
 {
   "name": "@mapbox/watchbot",
-  "version": "9.0.1",
   "version": "9.1.0",
   "description": "",
   "main": "index.js",
   "engines": {