Add support to define policy for timer and if it is not defined inherit policies from service

Author: nightfury1204

pkg/manifest/timer.go

@@ -8,9 +8,10 @@ import (
 type Timer struct {
 	Name string `yaml:"-"`
 
-	Command  string `yaml:"command"`
-	Schedule string `yaml:"schedule"`
-	Service  string `yaml:"service"`
+	Command  string   `yaml:"command"`
+	Schedule string   `yaml:"schedule"`
+	Service  string   `yaml:"service"`
+	Policies []string `yaml:"policies,omitempty"`
 }
 
 type Timers []Timer

provider/aws/formation/app.json.tmpl

@@ -571,6 +571,11 @@
           "LogDriver": { "Ref": "LogDriver" },
           "LogGroup": { "Fn::If": [ "EnableCloudWatch", { "Ref": "LogGroup" }, { "Ref": "AWS::NoValue" } ] },
           "Memory": { "Fn::Select": [ 2, { "Ref": "{{ upper .Service }}Formation" } ] },
+          {{ if gt (len .Policies) 0 }}
+          "Policies": "{{ join .Policies "," }}",
+          {{ else }}
+          "Policies": "{{ join ($.Manifest.Service .Service).Policies "," }}",
+          {{ end }}
           "Rack": { "Ref": "Rack" },
           "RackUrl": { "Ref": "RackUrl" },
           "Registry": { "Ref": "Registry" },

provider/aws/formation/timer.json.tmpl

@@ -2,6 +2,7 @@
   {
     "AWSTemplateFormatVersion" : "2010-09-09",
     "Conditions": {
+      "DedicatedRole": { "Fn::Not":[{"Fn::Equals":[{"Ref":"Policies"},""]} ] },
       "EnableCloudWatch": { "Fn::Equals": [ { "Ref": "LogDriver" }, "CloudWatch" ] },
       "EnableSyslog": { "Fn::Equals": [ { "Ref": "LogDriver" }, "Syslog" ] },
       "FargateEither": { "Fn::Or": [ { "Condition": "FargateBase" }, { "Condition": "FargateSpot" } ] },
@@ -51,6 +52,10 @@
       "Memory": {
         "Type": "Number"
       },
+      "Policies": {
+        "Description": "It will create a new role to be used instead of 'ServiceRole' parameter.",
+        "Type": "String"
+      },
       "Rack": {
         "Type": "String"
       },
@@ -159,6 +164,28 @@
           } ]
         }
       },
+      "DedicatedRole": {
+        "Condition": "DedicatedRole",
+        "Type": "AWS::IAM::Role",
+        "Properties": {
+          "AssumeRolePolicyDocument": {
+            "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "ecs-tasks.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ],
+            "Version": "2012-10-17"
+          },
+          "ManagedPolicyArns": {"Fn::Split":[",",{"Fn::Join":[",",[{"Ref":"Policies"},{"Fn::ImportValue":{"Fn::Sub":"${Rack}:CMKPolicy"}}]]}]},
+          "Path": "/convox/",
+          "Policies": [ {
+            "PolicyName": "convox-env",
+            "PolicyDocument": {
+              "Version": "2012-10-17",
+              "Statement": [
+                { "Effect": "Allow", "Action": "s3:GetObject", "Resource": { "Fn::Sub": "arn:${AWS::Partition}:s3:::${Settings}/*" } },
+                { "Effect": "Allow", "Action": "kms:Decrypt", "Resource": { "Fn::ImportValue": { "Fn::Sub": "${Rack}:EncryptionKey" } } }
+              ]
+            }
+          } ]
+        }
+      },
       "TaskDefinition": {
         "Type": "AWS::ECS::TaskDefinition",
         "Properties": {
@@ -272,7 +299,7 @@
           "Memory": { "Fn::If": [ "FargateEither", { "Ref": "Memory" }, { "Ref": "AWS::NoValue" } ] },
           "NetworkMode": { "Fn::If": [ "FargateEither", "awsvpc", { "Ref": "AWS::NoValue" } ] },
           "RequiresCompatibilities": [ { "Fn::If": [ "FargateEither", "FARGATE", { "Ref": "AWS::NoValue" } ] } ],
-          "TaskRoleArn": { "Ref": "ServiceRole" },
+          "TaskRoleArn": { "Fn::If": [ "DedicatedRole", { "Fn::GetAtt": [ "DedicatedRole", "Arn" ] }, { "Ref": "ServiceRole" } ] },
           "Volumes": [
             {{ $resources := ($.Manifest.Service .Service).Resources }}
             {{ range $i, $v := ($.Manifest.Service .Service).Volumes }}