Merge pull request #1354 from aligent/feature/ecs-tag-permission

feat: add ecs tag permission to pipe
aligent · May 7, 2024 · c0d4867 · c0d4867
2 parents dc1d19e + fdb3a5f
commit c0d4867
Showing 1 changed file with 23 additions and 1 deletion.
diff --git a/packages/graphql-mesh-server/lib/pipeline.ts b/packages/graphql-mesh-server/lib/pipeline.ts
@@ -10,7 +10,12 @@ import * as path from "path";
 import * as YAML from "yaml";
 import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs";
 import { Runtime } from "aws-cdk-lib/aws-lambda";
-import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
+import {
+  Effect,
+  PolicyStatement,
+  Role,
+  ServicePrincipal,
+} from "aws-cdk-lib/aws-iam";
 import { Topic } from "aws-cdk-lib/aws-sns";
 import { LambdaSubscription } from "aws-cdk-lib/aws-sns-subscriptions";
 import {
@@ -113,6 +118,22 @@ export class CodePipelineService extends Construct {
         }),
       ],
     });
+
+    const tagECSPermission = new PolicyStatement({
+      sid: "AllowTaggingEcsResource",
+      actions: ["ecs:TagResource"],
+      resources: [
+        `arn:aws:ecs:${Stack.of(this).region}:*:task/${
+          props.service.cluster.clusterName
+        }/*`,
+      ],
+    });
+
+    const tagECSRole = new Role(this, "tagEcsRole", {
+      assumedBy: new ServicePrincipal("ecs-tasks.amazonaws.com"),
+    });
+    tagECSRole.addToPolicy(tagECSPermission);
+
     this.pipeline.addStage({
       stageName: "Deploy",
       actions: [
@@ -121,6 +142,7 @@ export class CodePipelineService extends Construct {
           service: props.service,
           input: buildOutput,
           deploymentTimeout: Duration.minutes(10),
+          role: tagECSRole,
         }),
       ],
     });