diff --git a/platform/src/components/aws/cluster.ts b/platform/src/components/aws/cluster.ts
index 12392a3f1..34042b408 100644
--- a/platform/src/components/aws/cluster.ts
+++ b/platform/src/components/aws/cluster.ts
@@ -980,6 +980,26 @@ export interface ClusterServiceArgs {
 directory?: Input;
 };
 }>[];
+ /**
+ * Assigns the given IAM role name to the service. This allows you to pass in a previously created role.
+ *
+ * :::caution
+ * When you pass in a role, the service will not update it if you add `permissions` or `link` resources.
+ * :::
+ *
+ * By default, the service creates a new IAM role when it's created. It'll update this role if you add `permissions` or `link` resources.
+ *
+ * However, if you pass in a role, you'll need to update it manually if you add `permissions` or `link` resources.
+ *
+ * @default Creates a new role
+ * @example
+ * ```js
+ * {
+ * taskRole: "my-role"
+ * }
+ * ```
+ */
+ taskRole?: Input;
 /**
 * [Transform](/docs/components#transform) how this component creates its underlying
 * resources.
diff --git a/platform/src/components/aws/service.ts b/platform/src/components/aws/service.ts
index 5b62020a1..d3af29e48 100644
--- a/platform/src/components/aws/service.ts
+++ b/platform/src/components/aws/service.ts
@@ -502,6 +502,14 @@ export class Service extends Component implements Link.Linkable {
 }
 
 function createTaskRole() {
+ if (args.taskRole)
+ return iam.Role.get(
+ `${name}TaskRole`,
+ args.taskRole,
+ {},
+ { parent: self },
+ );
+
 const policy = all([
 args.permissions || [],
 Link.getInclude("aws.permission", args.link),
@@ -906,9 +914,7 @@ export class Service extends Component implements Link.Linkable {
 /**
 * The Amazon ECS Task Role.
 */
- get taskRole() {
- return self.taskRole;
- },
+ taskRole: this.taskRole,
 /**
 * The Amazon ECS Task Definition.
 */
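Review bot: The new `taskRole` doc comment in `ClusterServiceArgs` does not say what the supplied role must already satisfy. ECS can only hand a role to a task if its trust policy lets `ecs-tasks.amazonaws.com` assume it, and a missing trust relationship will most likely only show up when the task is launched. I would add a line such as "The role must already exist and its trust policy must allow ecs-tasks.amazonaws.com to assume it." The caution is also stated three times in slightly different words, so the callout plus one sentence on the default would be enough. The interface continues outside the hunk.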
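Review bot: The early return in `createTaskRole()` silently drops `args.permissions` and the `aws.permission` includes from `args.link`, and nothing at deploy time tells the user. Two failure modes follow: a service that lacks access to its linked resources at runtime, or a reused role that grants far more than this service needs, which the component can no longer scope. Consider emitting a deploy-time warning when `args.taskRole` is set together with a non-empty `permissions` or `link`. At minimum, add a comment above the branch, e.g. `// Caller-supplied role: permissions/link policies are NOT attached here; the caller owns its policy and trust relationship.` The brace-less `if` with a six-line `return` is easy to misread, so wrap it in `{ }`. The rest of `createTaskRole()` lies outside the hunk.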