@@ -68,7 +68,124 @@ class PlatformECS {
6868 ) ;
6969
7070 global . artillery . s3BucketRegion = await getBucketRegion ( bucketName ) ;
71- await createIAMResources ( this . accountId , this . platformOpts . taskRoleName ) ;
71+ await this . createIAMResources (
72+ this . accountId ,
73+ this . platformOpts . taskRoleName
74+ ) ;
75+ }
76+
77+ async createIAMResources ( accountId , taskRoleName ) {
78+ const workerRoleArn = await this . createWorkerRole ( accountId , taskRoleName ) ;
79+
80+ return {
81+ workerRoleArn
82+ } ;
83+ }
84+
85+ async createWorkerRole ( accountId , taskRoleName ) {
86+ const iam = new IAMClient ( { region : global . artillery . awsRegion } ) ;
87+
88+ try {
89+ const res = await iam . send (
90+ new GetRoleCommand ( { RoleName : taskRoleName } )
91+ ) ;
92+ return res . Role . Arn ;
93+ } catch ( err ) {
94+ debug ( err ) ;
95+ }
96+
97+ const createRoleResp = await iam . send (
98+ new CreateRoleCommand ( {
99+ AssumeRolePolicyDocument : JSON . stringify ( {
100+ Version : '2012-10-17' ,
101+ Statement : [
102+ {
103+ Effect : 'Allow' ,
104+ Principal : {
105+ Service : [ 'ecs-tasks.amazonaws.com' , 'ecs.amazonaws.com' ]
106+ } ,
107+ Action : 'sts:AssumeRole'
108+ }
109+ ]
110+ } ) ,
111+ Path : '/' ,
112+ RoleName : taskRoleName
113+ } )
114+ ) ;
115+
116+ const policyDocument = {
117+ Version : '2012-10-17' ,
118+ Statement : [
119+ {
120+ Effect : 'Allow' ,
121+ Action : [ 'ssm:DescribeParameters' ] ,
122+ Resource : [ '*' ]
123+ } ,
124+ {
125+ Effect : 'Allow' ,
126+ Action : [
127+ 'ssm:GetParameters' ,
128+ 'ssm:GetParameter' ,
129+ 'ssm:PutParameter' ,
130+ 'ssm:DeleteParameter' ,
131+ 'ssm:DescribeParameters' ,
132+ 'ssm:GetParametersByPath'
133+ ] ,
134+ Resource : [
135+ `${ this . arnPrefx } :ssm:*:${ accountId } :parameter/artilleryio/*`
136+ ]
137+ } ,
138+ {
139+ Effect : 'Allow' ,
140+ Action : [ 'ecr:GetAuthorizationToken' ] ,
141+ Resource : [ '*' ]
142+ } ,
143+ {
144+ Effect : 'Allow' ,
145+ Action : [ 'logs:*' ] ,
146+ Resource : [
147+ `${ this . arnPrefx } :logs:*:${ accountId } :log-group:artilleryio-log-group*:*`
148+ ]
149+ } ,
150+ {
151+ Effect : 'Allow' ,
152+ Action : [ 'sqs:*' ] ,
153+ Resource : [ `${ this . arnPrefx } :sqs:*:${ accountId } :artilleryio*` ]
154+ } ,
155+ {
156+ Effect : 'Allow' ,
157+ Action : [ 's3:*' ] ,
158+ Resource : [
159+ `${ this . arnPrefx } :s3:::${ S3_BUCKET_NAME_PREFIX } -${ accountId } ` ,
160+ `${ this . arnPrefx } :s3:::${ S3_BUCKET_NAME_PREFIX } -${ accountId } /*`
161+ ]
162+ } ,
163+ {
164+ Effect : 'Allow' ,
165+ Action : [ 'xray:PutTraceSegments' , 'xray:PutTelemetryRecords' ] ,
166+ Resource : [ '*' ]
167+ }
168+ ]
169+ } ;
170+
171+ const createPolicyResp = await iam . send (
172+ new CreatePolicyCommand ( {
173+ PolicyName : 'artilleryio-ecs-worker-policy' ,
174+ Path : '/' ,
175+ PolicyDocument : JSON . stringify ( policyDocument )
176+ } )
177+ ) ;
178+
179+ await iam . send (
180+ new AttachRolePolicyCommand ( {
181+ PolicyArn : createPolicyResp . Policy . Arn ,
182+ RoleName : taskRoleName
183+ } )
184+ ) ;
185+
186+ debug ( 'Waiting for IAM role to be ready' ) ;
187+ await sleep ( 30 * 1000 ) ;
188+ return createRoleResp . Role . Arn ;
72189 }
73190
74191 async createWorker ( ) { }
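Review bot: In `createWorkerRole`, the `catch (err) { debug(err); }` around `GetRoleCommand` treats every failure as "role not found", so an access-denied or throttling error falls through to `CreateRoleCommand` and surfaces later as a misleading failure; rethrow anything else with `if (err.name !== 'NoSuchEntityException') throw err;`. The fixed `PolicyName: 'artilleryio-ecs-worker-policy'` has a related gap: if that policy is left over from an earlier run, `CreatePolicyCommand` fails after the role has already been created, and the next run's `GetRoleCommand` then returns that role with no policy attached. Since the policy document is being moved anyway, this is a good point to narrow `s3:*`, `sqs:*` and `logs:*` to the actions the workers actually call, and to confirm that the trust policy needs `ecs.amazonaws.com` in addition to `ecs-tasks.amazonaws.com`. An already existing role named `taskRoleName` is also returned as-is, without any check of its trust policy or attached policies.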
@@ -127,116 +244,4 @@ async function ensureSSMParametersExist(region) {
127244 ) ;
128245}
129246
130- async function createIAMResources ( accountId , taskRoleName ) {
131- const workerRoleArn = await createWorkerRole ( accountId , taskRoleName ) ;
132-
133- return {
134- workerRoleArn
135- } ;
136- }
137-
138- async function createWorkerRole ( accountId , taskRoleName ) {
139- const iam = new IAMClient ( { region : global . artillery . awsRegion } ) ;
140-
141- try {
142- const res = await iam . send ( new GetRoleCommand ( { RoleName : taskRoleName } ) ) ;
143- return res . Role . Arn ;
144- } catch ( err ) {
145- debug ( err ) ;
146- }
147-
148- const createRoleResp = await iam . send (
149- new CreateRoleCommand ( {
150- AssumeRolePolicyDocument : JSON . stringify ( {
151- Version : '2012-10-17' ,
152- Statement : [
153- {
154- Effect : 'Allow' ,
155- Principal : {
156- Service : [ 'ecs-tasks.amazonaws.com' , 'ecs.amazonaws.com' ]
157- } ,
158- Action : 'sts:AssumeRole'
159- }
160- ]
161- } ) ,
162- Path : '/' ,
163- RoleName : taskRoleName
164- } )
165- ) ;
166-
167- const policyDocument = {
168- Version : '2012-10-17' ,
169- Statement : [
170- {
171- Effect : 'Allow' ,
172- Action : [ 'ssm:DescribeParameters' ] ,
173- Resource : [ '*' ]
174- } ,
175- {
176- Effect : 'Allow' ,
177- Action : [
178- 'ssm:GetParameters' ,
179- 'ssm:GetParameter' ,
180- 'ssm:PutParameter' ,
181- 'ssm:DeleteParameter' ,
182- 'ssm:DescribeParameters' ,
183- 'ssm:GetParametersByPath'
184- ] ,
185- Resource : [
186- `${ this . arnPrefx } :ssm:*:${ accountId } :parameter/artilleryio/*`
187- ]
188- } ,
189- {
190- Effect : 'Allow' ,
191- Action : [ 'ecr:GetAuthorizationToken' ] ,
192- Resource : [ '*' ]
193- } ,
194- {
195- Effect : 'Allow' ,
196- Action : [ 'logs:*' ] ,
197- Resource : [
198- `${ this . arnPrefx } :logs:*:${ accountId } :log-group:artilleryio-log-group*:*`
199- ]
200- } ,
201- {
202- Effect : 'Allow' ,
203- Action : [ 'sqs:*' ] ,
204- Resource : [ `${ this . arnPrefx } :sqs:*:${ accountId } :artilleryio*` ]
205- } ,
206- {
207- Effect : 'Allow' ,
208- Action : [ 's3:*' ] ,
209- Resource : [
210- `${ this . arnPrefx } :s3:::${ S3_BUCKET_NAME_PREFIX } -${ accountId } ` ,
211- `${ this . arnPrefx } :s3:::${ S3_BUCKET_NAME_PREFIX } -${ accountId } /*`
212- ]
213- } ,
214- {
215- Effect : 'Allow' ,
216- Action : [ 'xray:PutTraceSegments' , 'xray:PutTelemetryRecords' ] ,
217- Resource : [ '*' ]
218- }
219- ]
220- } ;
221-
222- const createPolicyResp = await iam . send (
223- new CreatePolicyCommand ( {
224- PolicyName : 'artilleryio-ecs-worker-policy' ,
225- Path : '/' ,
226- PolicyDocument : JSON . stringify ( policyDocument )
227- } )
228- ) ;
229-
230- await iam . send (
231- new AttachRolePolicyCommand ( {
232- PolicyArn : createPolicyResp . Policy . Arn ,
233- RoleName : taskRoleName
234- } )
235- ) ;
236-
237- debug ( 'Waiting for IAM role to be ready' ) ;
238- await sleep ( 30 * 1000 ) ;
239- return createRoleResp . Role . Arn ;
240- }
241-
242247module . exports = PlatformECS ;