Merge pull request #21 from charliemcgrady/cdk-ecr

Add permissions for batch to execute private ecr image
OvertureMaps · Aug 7, 2024 · 229a16a · 229a16a
2 parents 898050b + 49b4fe5
commit 229a16a
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 10 deletions.
diff --git a/overture-tiles-cdk/bin/overture-tiles-cdk.ts b/overture-tiles-cdk/bin/overture-tiles-cdk.ts
@@ -7,8 +7,7 @@ import {
 } from '../lib/overture-tiles-cdk-stack';
 
 const props: OvertureTilesCdkStackProps = {
-  bucketName: 'overturemaps-tiles-us-west-2-beta',
-  imageName: 'protomaps/overture-tiles:latest',
+  bucketName: 'overturemaps-tiles-us-west-2-beta'
 }
 
 const app = new cdk.App();

diff --git a/overture-tiles-cdk/lib/overture-tiles-cdk-stack.ts b/overture-tiles-cdk/lib/overture-tiles-cdk-stack.ts
@@ -7,13 +7,13 @@ import {
 } from "aws-cdk-lib";
 import { aws_batch as batch, aws_ecs as ecs } from "aws-cdk-lib";
 import { aws_iam as iam } from "aws-cdk-lib";
+import { aws_ecr as ecr } from "aws-cdk-lib";
 
 const ID = "OvertureTiles";
 
 export type OvertureTilesCdkStackProps = cdk.StackProps & {
-  imageName: string;
   bucketName: string;
-}
+};
 
 export class OvertureTilesCdkStack extends cdk.Stack {
   constructor(scope: Construct, id: string, props: OvertureTilesCdkStackProps) {
@@ -58,14 +58,20 @@ export class OvertureTilesCdkStack extends cdk.Stack {
     });
     bucket.applyRemovalPolicy(cdk.RemovalPolicy.RETAIN);
 
-    const distribution = new cloudfront.Distribution(this, `${ID}Distribution`, {
-      defaultBehavior: {
-        origin: new origins.S3Origin(bucket),
+    const distribution = new cloudfront.Distribution(
+      this,
+      `${ID}Distribution`,
+      {
+        defaultBehavior: {
+          origin: new origins.S3Origin(bucket),
+        },
       },
-    });
+    );
     distribution.applyRemovalPolicy(cdk.RemovalPolicy.RETAIN);
 
-    const role = new iam.Role(this, `${ID}WriteRole`, {
+    const repository = new ecr.Repository(this, `${ID}Repository`);
+
+    const role = new iam.Role(this, `${ID}JobRole`, {
       assumedBy: new iam.ServicePrincipal("ecs-tasks.amazonaws.com"),
     });
 
@@ -76,6 +82,25 @@ export class OvertureTilesCdkStack extends cdk.Stack {
       }),
     );
 
+    const executionRole = new iam.Role(this, `${ID}ExecutionRole`, {
+      assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+    });
+
+    executionRole.addToPolicy(
+      new iam.PolicyStatement({
+        actions: [
+          "logs:CreateLogStream",
+          "logs:PutLogEvents",
+          "sts:AssumeRole"
+        ],
+        resources: ["*"],
+      }),
+    );
+
+    executionRole.addManagedPolicy(
+      iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEC2ContainerRegistryReadOnly')
+    );
+
     for (let theme of [
       "addresses",
       "admins",
@@ -91,12 +116,13 @@ export class OvertureTilesCdkStack extends cdk.Stack {
           `${ID}Container_${theme}`,
           {
             image: ecs.ContainerImage.fromRegistry(
-             props.imageName,
+              `${repository.repositoryUri}:latest`,
             ),
             memory: cdk.Size.gibibytes(60),
             cpu: 30,
             command: [bucket.bucketName, theme],
             jobRole: role,
+            executionRole: executionRole
           },
         ),
       });