# general
Hi, would someone be able to tell me what I'm doing wrong with the role definition below:
const policy: aws.iam.PolicyDocument = {
    Version: "2012-10-17",
    Statement: [
        {
            Action: "sts:AssumeRole",
            Principal: {
                Service: "ecs-tasks.amazonaws.com"
            },
            Effect: "Allow",
            Sid: "",
        },
    ],
};
const taskPolicy: aws.iam.PolicyDocument = {
    Version: "2012-10-17",
    Statement: [{
        Effect: "Allow",
        Action: [
            "s3:*",
            "ecs:RegisterTaskDefinition",
        ],
        Resource: "*",
    }],
}
const role = new aws.iam.Role("my-role", {
    assumeRolePolicy: policy,
    inlinePolicies: [
        {
            name: "fsdfsd",
            policy: taskPolicy
        }
    ]
});
I get the error shown below. I'm not sure how to turn the PolicyDocument instance into the string that the inline policy is expecting...
const role = new aws.iam.Role("my-role", {
    assumeRolePolicy: policy,
    inlinePolicies: [{
        name: "name",
        policy: {
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Action: [
                    "s3:*",
                    "ecs:RegisterTaskDefinition",
                    "ecs:DeregisterTaskDefinition",
                    "ecs:DescribeTasks",
                    "ecs:RunTask",
                    "logs:GetLogEvents",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeVpcs",
                ],
                Resource: "*",
            }]
        }
    }]
});
ok, I think I've got the right incantations now 🙂
Diagnostics:
  aws:iam:Role (prefect-ecs-task-role):
    error: aws:iam/role:Role resource 'prefect-ecs-task-role' has a problem: Expected Object Type: Expected object, got string. Examine values at 'Role.InlinePolicies'.
hmm 🤔
Here's the full script:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";

const config = new pulumi.Config();
const cpu = config.getNumber("cpu") || 512;
const memory = config.getNumber("memory") || 128;

const image = config.get("image") || "prefecthq/prefect:2-python3.9";

const prefectApiUrl = config.require("prefect-api-url")
const prefectApiKey = config.require("prefect-api-key")
const prefectQueue = config.get("prefect-queue") || "default";

// An ECS cluster to deploy into
const cluster = new aws.ecs.Cluster("prefect-cluster", {});

const assumeRolePolicy: aws.iam.PolicyDocument = {
    Version: "2012-10-17",
    Statement: [
        {
            Action: "sts:AssumeRole",
            Principal: {
                Service: "ecs-tasks.amazonaws.com"
            },
            Effect: "Allow",
            Sid: "",
        },
    ],
};

const executionPolicy = new aws.iam.Policy("prefect-ecs-execution-policy", {
        policy: {
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Action: [
                    "ssm:GetParameters",
                    "logs:CreateLogStream",
                    "logs:CreateLogGroup",
                    "logs:PutLogEvents",
                ],
                Resource: "*",
            }]
        }
    }
);

const executionRole = new aws.iam.Role("prefect-ecs-execution-role", {
    assumeRolePolicy: assumeRolePolicy,
    inlinePolicies: [executionPolicy]
});

const taskPolicy = new aws.iam.Policy("prefect-ecs-task-policy", {
        policy: {
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Action: [
                    "s3:*",
                    "ecs:RegisterTaskDefinition",
                    "ecs:DeregisterTaskDefinition",
                    "ecs:DescribeTasks",
                    "ecs:RunTask",
                    "logs:GetLogEvents",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeVpcs",
                ],
                Resource: "*",
            }]
        }
    }
);

const taskRole = new aws.iam.Role("prefect-ecs-task-role", {
    assumeRolePolicy: assumeRolePolicy,
    inlinePolicies: [taskPolicy]
});

// Deploy an ECS Service on Fargate to host the application container
const service = new awsx.ecs.FargateService("prefect-ecs-service", {
    cluster: cluster.arn,
    taskDefinitionArgs: {
        container: {
            image: image,
            cpu: cpu,
            memory: memory,
            essential: true,
            entryPoint: [
                "bash",
                "-c",
            ],
            stopTimeout: 120,
            environment: [
                {
                    name: "PREFECT_LOGGING_LEVEL",
                    value: "INFO",
                },
                {
                    name: "AWS_RETRY_MODE",
                    value: "adaptive",
                },
                {
                    name: "AWS_MAX_ATTEMPTS",
                    value: "10",
                },
            ],
            command: [`prefect agent start -q ${prefectQueue}`],
            // logConfiguration: {
            //     logDriver: "awslogs",
            //     options: {
            //         "awslogs-region": awsRegion,
            //         "awslogs-group": prefectLogGroup.id,
            //         "awslogs-stream-prefix": project,
            //     },
            // },
            secrets: [
                {
                    name: "PREFECT_API_URL",
                    valueFrom: prefectApiUrl,
                },
                {
                    name: "PREFECT_API_KEY",
                    valueFrom: prefectApiKey
                },
            ],

        },
        // The execution role that the Amazon ECS container agent and the Docker daemon can assume.
        executionRole: {
            roleArn: executionRole.arn
        },
        // IAM role that allows your Amazon ECS container task to make calls to other AWS services.
        taskRole: {
            roleArn: taskRole.arn
        },
    },
});
and pulumi up run
❯ pulumi up
Previewing update (dev)

View in Browser (Ctrl+O): https://app.pulumi.com/markns/my-container-service/dev/previews/6403bdbc-ea02-4240-8407-bdbd6d17de44

     Type                                  Name                          Plan
 +   pulumi:pulumi:Stack                   my-container-service-dev      create
 +   ├─ aws:ecs:Cluster                    prefect-cluster               create
 +   ├─ aws:iam:Policy                     prefect-ecs-task-policy       create
 +   ├─ aws:iam:Policy                     prefect-ecs-execution-policy  create
 +   ├─ aws:iam:Role                       prefect-ecs-task-role         create
 +   ├─ aws:iam:Role                       prefect-ecs-execution-role    create
 +   └─ awsx:ecs:FargateService            prefect-ecs-service           create
 +      ├─ awsx:ecs:FargateTaskDefinition  prefect-ecs-service           create
 +      │  ├─ aws:cloudwatch:LogGroup      prefect-ecs-service           create
 +      │  └─ aws:ecs:TaskDefinition       prefect-ecs-service           create
 +      ├─ aws:ec2:SecurityGroup           prefect-ecs-service-sg        create
 +      └─ aws:ecs:Service                 prefect-ecs-service           create


Resources:
    + 12 to create

Do you want to perform this update? yes
Updating (dev)

View in Browser (Ctrl+O): https://app.pulumi.com/markns/my-container-service/dev/updates/16

     Type                 Name                          Status            Info
 +   pulumi:pulumi:Stack  my-container-service-dev      created (1s)
 +   ├─ aws:ecs:Cluster   prefect-cluster               created (12s)
 +   ├─ aws:iam:Policy    prefect-ecs-execution-policy  created (3s)
 +   ├─ aws:iam:Policy    prefect-ecs-task-policy       created (3s)
     └─ aws:iam:Role      prefect-ecs-task-role         **failed**        1 error


Diagnostics:
  aws:iam:Role (prefect-ecs-task-role):
    error: aws:iam/role:Role resource 'prefect-ecs-task-role' has a problem: Expected Object Type: Expected object, got string. Examine values at 'Role.InlinePolicies'.

Resources:
    + 4 created

Duration: 18s
Strange that the preview succeeds, but the actual calls to the AWS API fail
const executionPolicy = new aws.iam.Policy("prefect-ecs-execution-policy", {
        name: "prefect-ecs-execution-policy",
        policy: {
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Action: [
                    "ssm:GetParameters",
                    "logs:CreateLogStream",
                    "logs:CreateLogGroup",
                    "logs:PutLogEvents",
                ],
                Resource: "*",
            }]
        }
    }
);

const executionRole = new aws.iam.Role("prefect-ecs-execution-role", {
    assumeRolePolicy: assumeRolePolicy,
    // inlinePolicies: [executionPolicy]
});
const rolePolicyAttachment = new aws.iam.RolePolicyAttachment("prefect-ecs-execution-rpa", {
    role: executionRole,
    policyArn: executionPolicy.arn,
});
removing the inlinePolicies and attaching seems to work. 🤷