Service: use existing IAM role for task role

sst · Oct 10, 2024 · 45d97e2 · 45d97e2
1 parent 993349c
commit 45d97e2
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 3 deletions.
diff --git a/platform/src/components/aws/cluster.ts b/platform/src/components/aws/cluster.ts
@@ -980,6 +980,26 @@ export interface ClusterServiceArgs {
       directory?: Input<string>;
     };
   }>[];
+  /**
+   * Assigns the given IAM role name to the service. This allows you to pass in a previously created role.
+   *
+   * :::caution
+   * When you pass in a role, the service will not update it if you add `permissions` or `link` resources.
+   * :::
+   *
+   * By default, the service creates a new IAM role when it's created. It'll update this role if you add `permissions` or `link` resources.
+   *
+   * However, if you pass in a role, you'll need to update it manually if you add `permissions` or `link` resources.
+   *
+   * @default Creates a new role
+   * @example
+   * ```js
+   * {
+   *   taskRole: "my-role"
+   * }
+   * ```
+   */
+  taskRole?: Input<string>;
   /**
    * [Transform](/docs/components#transform) how this component creates its underlying
    * resources.

diff --git a/platform/src/components/aws/service.ts b/platform/src/components/aws/service.ts
@@ -502,6 +502,14 @@ export class Service extends Component implements Link.Linkable {
     }
 
     function createTaskRole() {
+      if (args.taskRole)
+        return iam.Role.get(
+          `${name}TaskRole`,
+          args.taskRole,
+          {},
+          { parent: self },
+        );
+
       const policy = all([
         args.permissions || [],
         Link.getInclude<Permission>("aws.permission", args.link),
@@ -906,9 +914,7 @@ export class Service extends Component implements Link.Linkable {
       /**
        * The Amazon ECS Task Role.
        */
-      get taskRole() {
-        return self.taskRole;
-      },
+      taskRole: this.taskRole,
       /**
        * The Amazon ECS Task Definition.
        */