refactored cdk code

briancaffey · briancaffey · commit e0ec010c1bbd · 2020-05-23T18:32:54.000-04:00
diff --git a/awscdk/awscdk/backend.py b/awscdk/awscdk/backend.py
@@ -36,6 +36,13 @@ def __init__(
             command=["/start_prod.sh"],
         )
 
+        scope.assets.assets_bucket.grant_read_write(
+            self.backend_task.task_role
+        )
+
+        for secret in [scope.variables.django_secret_key, scope.rds.db_secret]:
+            secret.grant_read(self.backend_task.task_role)
+
         port_mapping = ecs.PortMapping(
             container_port=8000, protocol=ecs.Protocol.TCP
         )
diff --git a/awscdk/awscdk/backend_tasks.py b/awscdk/awscdk/backend_tasks.py
@@ -25,6 +25,9 @@ def __init__(
             self, "MigrateTask", family=f"{full_app_name}-migrate"
         )
 
+        for secret in [scope.variables.django_secret_key, scope.rds.db_secret]:
+            secret.grant_read(self.migrate_task.task_role)
+
         self.migrate_task.add_container(
             "MigrateCommand",
             image=image,
@@ -38,6 +41,13 @@ def __init__(
             self, "CollecstaticTask", family=f"{full_app_name}-collectstatic"
         )
 
+        scope.assets.assets_bucket.grant_read_write(
+            self.collectstatic_task.task_role
+        )
+
+        for secret in [scope.variables.django_secret_key, scope.rds.db_secret]:
+            secret.grant_read(self.collectstatic_task.task_role)
+
         self.collectstatic_task.add_container(
             "CollecstaticCommand",
             image=image,
@@ -55,6 +65,9 @@ def __init__(
             family=f"{full_app_name}-create-superuser",
         )
 
+        for secret in [scope.variables.django_secret_key, scope.rds.db_secret]:
+            secret.grant_read(self.create_superuser_task.task_role)
+
         self.create_superuser_task.add_container(
             "CreateSuperuserCommand",
             image=image,
diff --git a/awscdk/awscdk/cdk_app_root.py b/awscdk/awscdk/cdk_app_root.py
@@ -139,9 +139,9 @@ def __init__(
         # TODO: loop over all task roles to grant bucket permissions
         # give the backend service read/write access to the assets bucket
         task_roles = [
-            self.backend.backend_task.task_role,
-            self.backend_tasks.collectstatic_task.task_role,
-            self.backend_tasks.create_superuser_task.task_role,
+            # self.backend.backend_task.task_role,
+            # self.backend_tasks.collectstatic_task.task_role,
+            # self.backend_tasks.create_superuser_task.task_role,
             # self.celery_worker_service.celery_default_worker_task.task_role,
             self.celery_worker_service.celery_default_worker_service.task_definition.task_role,
         ]
diff --git a/awscdk/stack.yml b/awscdk/stack.yml
@@ -1400,6 +1400,25 @@ Resources:
           Value: dev-mysite-com
     Metadata:
       aws:cdk:path: dev-mysite-com-stack/BackendTasks/MigrateTask/TaskRole/Resource
+  BackendTasksMigrateTaskTaskRoleDefaultPolicyB1599105:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyDocument:
+        Statement:
+          - Action: secretsmanager:GetSecretValue
+            Effect: Allow
+            Resource:
+              Ref: VariablesDjangoSecretKeyE4FA41EE
+          - Action: secretsmanager:GetSecretValue
+            Effect: Allow
+            Resource:
+              Ref: RdsDBClusterDBSecret28397CCA
+        Version: "2012-10-17"
+      PolicyName: BackendTasksMigrateTaskTaskRoleDefaultPolicyB1599105
+      Roles:
+        - Ref: BackendTasksMigrateTaskTaskRoleAE7059C2
+    Metadata:
+      aws:cdk:path: dev-mysite-com-stack/BackendTasks/MigrateTask/TaskRole/DefaultPolicy/Resource
   BackendTasksMigrateTask9BDCB431:
     Type: AWS::ECS::TaskDefinition
     Properties:
@@ -1746,24 +1765,6 @@ Resources:
     Properties:
       PolicyDocument:
         Statement:
-          - Action:
-              - s3:GetObject*
-              - s3:GetBucket*
-              - s3:List*
-              - s3:DeleteObject*
-              - s3:PutObject*
-              - s3:Abort*
-            Effect: Allow
-            Resource:
-              - Fn::GetAtt:
-                  - BackendAssetsAssetsBucket62473847
-                  - Arn
-              - Fn::Join:
-                  - ""
-                  - - Fn::GetAtt:
-                        - BackendAssetsAssetsBucket62473847
-                        - Arn
-                    - /*
           - Action: secretsmanager:GetSecretValue
             Effect: Allow
             Resource:

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,13 @@ def __init__(`
`36`	`36`	`command=["/start_prod.sh"],`
`37`	`37`	`)`
`38`	`38`
	`39`	`+ scope.assets.assets_bucket.grant_read_write(`
	`40`	`+ self.backend_task.task_role`
	`41`	`+ )`
	`42`	`+`
	`43`	`+ for secret in [scope.variables.django_secret_key, scope.rds.db_secret]:`
	`44`	`+ secret.grant_read(self.backend_task.task_role)`
	`45`	`+`
`39`	`46`	`port_mapping = ecs.PortMapping(`
`40`	`47`	`container_port=8000, protocol=ecs.Protocol.TCP`
`41`	`48`	`)`