Merge pull request #37 from envato/support-execution-role

Allow passing in execution role

README.md

@@ -81,6 +81,14 @@ The Container Name to forward ALB requests to.
 
 The Container Port to forward requests to.
 
+### `execution-role` (optional)
+
+The Execution Role ARN used by ECS to pull container images and secrets.
+
+Example: `"arn:aws:iam::012345678910:role/execution-role"`
+
+Requires the `iam:PassRole` permission for the execution role.
+
 ### `deployment-configuration` (optional)
 
 The minimum and maximum percentage of tasks that should be maintained during a deployment. Defaults to `100/200`

hooks/command

@@ -38,6 +38,7 @@ target_group=${BUILDKITE_PLUGIN_ECS_DEPLOY_TARGET_GROUP:-""}
 load_balancer_name=${BUILDKITE_PLUGIN_ECS_DEPLOY_LOAD_BALANCER_NAME:-""}
 target_container=${BUILDKITE_PLUGIN_ECS_DEPLOY_TARGET_CONTAINER_NAME:-""}
 target_port=${BUILDKITE_PLUGIN_ECS_DEPLOY_TARGET_CONTAINER_PORT:-""}
+execution_role=${BUILDKITE_PLUGIN_ECS_DEPLOY_EXECUTION_ROLE:-""}
 
 # Resolve any runtime environment variables it has
 target_group=$(eval "echo $target_group")
@@ -113,6 +114,11 @@ register_command="aws ecs register-task-definition \
 if [[ -n "${task_role_arn}" ]]; then
     register_command+=" --task-role-arn ${task_role_arn}"
 fi
+
+if [[ -n "${execution_role}" ]]; then
+    register_command+=" --execution-role-arn ${execution_role}"
+fi
+
 json_output=$(eval "$register_command")
 register_exit_code=$?
 

plugin.yml

@@ -28,6 +28,8 @@ configuration:
       type: string
     target-container-port:
       type: integer
+    execution-role:
+      type: string
     deployment-config:
       type: string
   required:

tests/command.bats

@@ -235,6 +235,42 @@ load '/usr/local/lib/bats/load.bash'
   unset BUILDKITE_PLUGIN_ECS_DEPLOY_LOAD_BALANCER_NAME
 }
 
+@test "Run a deploy with execution role" {
+  export BUILDKITE_BUILD_NUMBER=1
+  export BUILDKITE_PLUGIN_ECS_DEPLOY_CLUSTER=my-cluster
+  export BUILDKITE_PLUGIN_ECS_DEPLOY_SERVICE=my-service
+  export BUILDKITE_PLUGIN_ECS_DEPLOY_TASK_FAMILY=hello-world
+  export BUILDKITE_PLUGIN_ECS_DEPLOY_IMAGE=hello-world:llamas
+  export BUILDKITE_PLUGIN_ECS_DEPLOY_TASK_DEFINITION=examples/hello-world.json
+  export BUILDKITE_PLUGIN_ECS_DEPLOY_EXECUTION_ROLE=arn:aws:iam::012345678910:role/world
+
+  stub jq \
+    "--arg IMAGE hello-world:llamas '.[0].image=\$IMAGE' : echo '{\"json\":true}'" \
+    "'.taskDefinition.revision' : echo 1" \
+    "-r '.[0].loadBalancers[0]' : echo null"
+
+  stub aws \
+    "ecs register-task-definition --family hello-world --container-definitions '{\"json\":true}' --execution-role-arn arn:aws:iam::012345678910:role/world : echo '{\"taskDefinition\":{\"revision\":1}}'" \
+    "ecs describe-services --cluster my-cluster --service my-service --query 'services[?status==\`ACTIVE\`].status' --output text : echo '1'" \
+    "ecs describe-services --cluster my-cluster --services my-service --query 'services[?status==\`ACTIVE\`]' : echo 'null'" \
+    "ecs update-service --cluster my-cluster --service my-service --task-definition hello-world:1 : echo ok" \
+    "ecs wait services-stable --cluster my-cluster --services my-service : echo ok" \
+    "ecs describe-services --cluster my-cluster --service my-service : echo ok"
+
+  run "$PWD/hooks/command"
+
+  assert_success
+  assert_output --partial "Service is up 🚀"
+
+  unstub aws
+  unstub jq
+  unset BUILDKITE_PLUGIN_ECS_DEPLOY_CLUSTER
+  unset BUILDKITE_PLUGIN_ECS_DEPLOY_SERVICE
+  unset BUILDKITE_PLUGIN_ECS_DEPLOY_TASK_DEFINITION
+  unset BUILDKITE_PLUGIN_ECS_DEPLOY_IMAGE
+  unset BUILDKITE_PLUGIN_ECS_DEPLOY_EXECUTION_ROLE
+}
+
 @test "Create a service with deployment configuration" {
   export BUILDKITE_BUILD_NUMBER=1
   export BUILDKITE_PLUGIN_ECS_DEPLOY_CLUSTER=my-cluster
@@ -270,4 +306,4 @@ load '/usr/local/lib/bats/load.bash'
   unset BUILDKITE_PLUGIN_ECS_DEPLOY_TASK_DEFINITION
   unset BUILDKITE_PLUGIN_ECS_DEPLOY_IMAGE
   unset BUILDKITE_PLUGIN_ECS_DEPLOY_DEPLOYMENT_CONFIGURATION
-}
+}