Skip to content

Add extra rules for role to support ECS#113

Merged
simonrw merged 2 commits intomainfrom
feat/extra-role-rules
Feb 16, 2024
Merged

Add extra rules for role to support ECS#113
simonrw merged 2 commits intomainfrom
feat/extra-role-rules

Conversation

@simonrw
Copy link
Copy Markdown
Contributor

@simonrw simonrw commented Feb 15, 2024
edited
Loading

Motivation

When running ECS tasks, the service role needs more permissions than what is specified in the template. Specifically, in addition to the existing rules we need:

- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list"]

Changes

  • Add extra role rules to support running ECS tasks

@simonrw simonrw added the type: enhancement Improvement to usability or performance label Feb 15, 2024
@simonrw simonrw self-assigned this Feb 15, 2024
@simonrw simonrw requested a review from alexrashed February 15, 2024 15:23
@simonrw simonrw marked this pull request as ready for review February 15, 2024 15:25
@simonrw simonrw requested a review from lakkeger as a code owner February 15, 2024 15:25
alexrashed
alexrashed reviewed Feb 16, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@alexrashed alexrashed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change is looking good, but it feels like this should be the default in order to have a working configuration of LocalStack. With the currently suggested change, I would have to explicitly configure these roles to fix ECS tasks in LocalStack, right?
Maybe we should just add them? Or set them as default with the possibility of removing them?

@lakkeger
Copy link
Copy Markdown
Contributor

lakkeger commented Feb 16, 2024

@alexrashed I agree, however at the same time it's harder to remove something than adding rules. But perhaps time boxed it might worth to look into it @simonrw. I can live with either one.

@simonrw
Copy link
Copy Markdown
Contributor Author

simonrw commented Feb 16, 2024
edited
Loading

Perhaps something like:

(values.toml)

role:
  defaultRules: true
  extraRules: []

and we default to these rules in the PR. Then the user can opt out of whatever we add with defaultRules: true and add their own with extraRules?

(inspired by Rust's handling of "features": https://doc.rust-lang.org/cargo/reference/features.html#the-default-feature and the "default" feature)

@alexrashed
Copy link
Copy Markdown
Member

alexrashed commented Feb 16, 2024

I would actually just add it to the roles without having it configurable. If it gets requested to be configurable (i.e. the possibility to remove roles while risking to break LocalStack), then we can extract the whole content of the roles (including the already existing ones) to the default value of a newly introduced variable.

@simonrw simonrw changed the title Support extra rules for the role Add extra rules for role to support ECS Feb 16, 2024
@simonrw simonrw requested a review from alexrashed February 16, 2024 09:22
@simonrw simonrw merged commit 7d7004f into main Feb 16, 2024
@simonrw simonrw deleted the feat/extra-role-rules branch February 16, 2024 12:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alexrashed alexrashed alexrashed approved these changes

+1 more reviewer

@lakkeger lakkeger lakkeger approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@simonrw simonrw

Labels

type: enhancement Improvement to usability or performance

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@simonrw @lakkeger @alexrashed