

fix(batch): grant execution role logs:CreateLogStream by default (#26288
)

Grant `CreateLogStream` to the job definition's execution role by default. Without this permission, jobs will fail if they produce any output, unless `logging` is specified.

Closes #25675.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
comcalvi authored Jul 12, 2023
1 parent b799c82 commit c755f50
Showing 38 changed files with 1,220 additions and 159 deletions.
@@ -1,15 +1,15 @@
{
"version": "31.0.0",
"version": "32.0.0",
"files": {
"d7dcc67b92ba98cf8898af8fd31d31f46001867bc6458f3c816a77850e10a990": {
"9ad3e49b4b05bbbb8d2ad91c2718d29b90ebcb493570a3f1c3e42005681045f4": {
"source": {
"path": "batch-events.template.json",
"packaging": "file"
},
"destinations": {
"current_account-current_region": {
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
"objectKey": "d7dcc67b92ba98cf8898af8fd31d31f46001867bc6458f3c816a77850e10a990.json",
"objectKey": "9ad3e49b4b05bbbb8d2ad91c2718d29b90ebcb493570a3f1c3e42005681045f4.json",
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
}
}
Expand Up @@ -79,6 +79,49 @@
}
}
},
"containerExecutionRoleDefaultPolicyF00DA4D6": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":logs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":log-group:/aws/batch/job:*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "containerExecutionRoleDefaultPolicyF00DA4D6",
"Roles": [
{
"Ref": "containerExecutionRoleFD602179"
}
]
}
},
"MyJob8719E923": {
"Type": "AWS::Batch::JobDefinition",
"Properties": {
@@ -1 +1 @@
{"version":"31.0.0"}
{"version":"32.0.0"}
@@ -1,5 +1,5 @@
{
"version": "31.0.0",
"version": "32.0.0",
"testCases": {
"integ.job-definition-events": {
"stacks": [
@@ -1,5 +1,5 @@
{
"version": "31.0.0",
"version": "32.0.0",
"artifacts": {
"batch-events.assets": {
"type": "cdk:asset-manifest",
Expand All @@ -17,7 +17,7 @@
"validateOnSynth": false,
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
"cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d7dcc67b92ba98cf8898af8fd31d31f46001867bc6458f3c816a77850e10a990.json",
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/9ad3e49b4b05bbbb8d2ad91c2718d29b90ebcb493570a3f1c3e42005681045f4.json",
"requiresBootstrapStackVersion": 6,
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
"additionalDependencies": [
Expand Down Expand Up @@ -57,6 +57,12 @@
"data": "containerExecutionRoleFD602179"
}
],
"/batch-events/container/ExecutionRole/DefaultPolicy/Resource": [
{
"type": "aws:cdk:logicalId",
"data": "containerExecutionRoleDefaultPolicyF00DA4D6"
}
],
"/batch-events/MyJob/Resource": [
{
"type": "aws:cdk:logicalId",
Expand Down Expand Up @@ -110,15 +116,6 @@
"type": "aws:cdk:logicalId",
"data": "CheckBootstrapVersion"
}
],
"MyQueue4F9177CF": [
{
"type": "aws:cdk:logicalId",
"data": "MyQueue4F9177CF",
"trace": [
"!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
]
}
]
},
"displayName": "batch-events"
Expand Up @@ -92,7 +92,7 @@
}
},
"constructInfo": {
"fqn": "@aws-cdk/aws-batch-alpha.UnmanagedComputeEnvironment",
"fqn": "aws-cdk-lib.Resource",
"version": "0.0.0"
}
},
Expand Down Expand Up @@ -128,7 +128,7 @@
}
},
"constructInfo": {
"fqn": "@aws-cdk/aws-batch-alpha.JobQueue",
"fqn": "aws-cdk-lib.Resource",
"version": "0.0.0"
}
},
Expand Down Expand Up @@ -172,17 +172,86 @@
"fqn": "aws-cdk-lib.aws_iam.CfnRole",
"version": "0.0.0"
}
},
"DefaultPolicy": {
"id": "DefaultPolicy",
"path": "batch-events/container/ExecutionRole/DefaultPolicy",
"children": {
"Resource": {
"id": "Resource",
"path": "batch-events/container/ExecutionRole/DefaultPolicy/Resource",
"attributes": {
"aws:cdk:cloudformation:type": "AWS::IAM::Policy",
"aws:cdk:cloudformation:props": {
"policyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":logs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":log-group:/aws/batch/job:*"
]
]
}
}
],
"Version": "2012-10-17"
},
"policyName": "containerExecutionRoleDefaultPolicyF00DA4D6",
"roles": [
{
"Ref": "containerExecutionRoleFD602179"
}
]
}
},
"constructInfo": {
"fqn": "aws-cdk-lib.aws_iam.CfnPolicy",
"version": "0.0.0"
}
}
},
"constructInfo": {
"fqn": "aws-cdk-lib.aws_iam.Policy",
"version": "0.0.0"
}
}
},
"constructInfo": {
"fqn": "aws-cdk-lib.aws_iam.Role",
"version": "0.0.0"
}
},
"batchDefaultLogGroup": {
"id": "batchDefaultLogGroup",
"path": "batch-events/container/batchDefaultLogGroup",
"constructInfo": {
"fqn": "aws-cdk-lib.Resource",
"version": "0.0.0"
}
}
},
"constructInfo": {
"fqn": "@aws-cdk/aws-batch-alpha.EcsEc2ContainerDefinition",
"version": "0.0.0"
"fqn": "constructs.Construct",
"version": "10.2.55"
}
},
"MyJob": {
Expand Down Expand Up @@ -323,7 +392,7 @@
}
},
"constructInfo": {
"fqn": "@aws-cdk/aws-batch-alpha.EcsJobDefinition",
"fqn": "aws-cdk-lib.Resource",
"version": "0.0.0"
}
},
Expand Down Expand Up @@ -541,7 +610,7 @@
"path": "Tree",
"constructInfo": {
"fqn": "constructs.Construct",
"version": "10.1.270"
"version": "10.2.55"
}
}
},
@@ -1,15 +1,15 @@
{
"version": "31.0.0",
"version": "32.0.0",
"files": {
"02f57d4a4fe6e856437076797ed3037dbed370ebb26574bc4a5d570ab0b0b478": {
"d52c690255570b27d7cc2b49792058ef0c678d1fd7345f8dda5ef9e9a5d9dc05": {
"source": {
"path": "aws-stepfunctions-integ.template.json",
"packaging": "file"
},
"destinations": {
"current_account-current_region": {
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
"objectKey": "02f57d4a4fe6e856437076797ed3037dbed370ebb26574bc4a5d570ab0b0b478.json",
"objectKey": "d52c690255570b27d7cc2b49792058ef0c678d1fd7345f8dda5ef9e9a5d9dc05.json",
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
}
}
Expand Up @@ -529,6 +529,33 @@
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":logs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":log-group:/aws/batch/job:*"
]
]
}
},
{
"Action": [
"ecr:BatchCheckLayerAvailability",
@@ -1 +1 @@
{"version":"31.0.0"}
{"version":"32.0.0"}
@@ -1,5 +1,5 @@
{
"version": "31.0.0",
"version": "32.0.0",
"testCases": {
"integ.run-batch-job": {
"stacks": [
@@ -1,5 +1,5 @@
{
"version": "31.0.0",
"version": "32.0.0",
"artifacts": {
"aws-stepfunctions-integ.assets": {
"type": "cdk:asset-manifest",
Expand All @@ -17,7 +17,7 @@
"validateOnSynth": false,
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
"cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/02f57d4a4fe6e856437076797ed3037dbed370ebb26574bc4a5d570ab0b0b478.json",
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d52c690255570b27d7cc2b49792058ef0c678d1fd7345f8dda5ef9e9a5d9dc05.json",
"requiresBootstrapStackVersion": 6,
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
"additionalDependencies": [
Expand Down Expand Up @@ -260,15 +260,6 @@
"type": "aws:cdk:logicalId",
"data": "CheckBootstrapVersion"
}
],
"JobQueueC5644E0D": [
{
"type": "aws:cdk:logicalId",
"data": "JobQueueC5644E0D",
"trace": [
"!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
]
}
]
},
"displayName": "aws-stepfunctions-integ"
