batch role changes re #149

cirrus-geo · Sep 13, 2022 · 60781c4 · 60781c4
1 parent ac5c9fd
commit 60781c4
Show file tree

Hide file tree

Showing 3 changed files with 70 additions and 21 deletions.
diff --git a/src/cirrus/builtins/cloudformation/basic-compute-environments.yml b/src/cirrus/builtins/cloudformation/basic-compute-environments.yml
@@ -4,8 +4,6 @@ Resources:
     Type: AWS::Batch::ComputeEnvironment
     Properties:
       Type: MANAGED
-      ServiceRole:
-        Fn::GetAtt: [ BatchServiceRole, Arn ]
       ComputeEnvironmentName: '#{AWS::StackName}-basic-ondemand'
       ComputeResources:
         MaxvCpus: ${self:custom.batch.BasicComputeEnvironments.MaxvCpus}
@@ -35,8 +33,6 @@ Resources:
     Type: AWS::Batch::ComputeEnvironment
     Properties:
       Type: MANAGED
-      ServiceRole:
-        Fn::GetAtt: [ BatchServiceRole, Arn ]
       ComputeEnvironmentName: '#{AWS::StackName}-basic-spot'
       ComputeResources:
         MaxvCpus: ${self:custom.batch.BasicComputeEnvironments.MaxvCpus}
@@ -62,4 +58,4 @@ Resources:
           ComputeEnvironment: !Ref BasicSpotComputeEnvironment
       State: ENABLED
       Priority: 1
-      JobQueueName: '#{AWS::StackName}-basic-spot'
+      JobQueueName: '#{AWS::StackName}-basic-spot'
diff --git a/src/cirrus/builtins/cloudformation/resources.yml b/src/cirrus/builtins/cloudformation/resources.yml
@@ -121,14 +121,7 @@ Resources:
             ProjectionType: ALL
       BillingMode: PAY_PER_REQUEST
       TableName: "#{AWS::StackName}-state"
-  # Batch IAM Roles
-  BatchInstanceProfile:
-    Type: AWS::IAM::InstanceProfile
-    Properties:
-      Path: '/'
-      Roles:
-        - Ref: BatchInstanceRole
-  BatchInstanceRole:
+  BatchJobRole:
     Type: AWS::IAM::Role
     Properties:
       AssumeRolePolicyDocument:
@@ -137,12 +130,15 @@ Resources:
           - Effect: 'Allow'
             Principal:
               Service:
-                - 'ec2.amazonaws.com'
+                - 'ecs-tasks.amazonaws.com'
             Action:
               - 'sts:AssumeRole'
+            Condition:
+              ArnLike:
+                aws:SourceArn: "arn:aws:ecs:#{AWS::Region}:#{AWS::AccountId}:*"
+              StringEquals:
+                aws:SourceAccount: "#{AWS::AccountId}"
       Path: '/'
-      ManagedPolicyArns:
-        - arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
       Policies:
         - PolicyName: 'Cirrus'
           PolicyDocument:
@@ -177,7 +173,13 @@ Resources:
                   - lambda:GetFunction
                 Resource:
                   - arn:aws:lambda:#{AWS::Region}:#{AWS::AccountId}:function:#{AWS::StackName}-*
-  BatchServiceRole:
+  BatchInstanceProfile:
+    Type: AWS::IAM::InstanceProfile
+    Properties:
+      Path: '/'
+      Roles:
+        - Ref: BatchInstanceRole
+  BatchInstanceRole:
     Type: AWS::IAM::Role
     Properties:
       AssumeRolePolicyDocument:
@@ -186,12 +188,12 @@ Resources:
           - Effect: 'Allow'
             Principal:
               Service:
-                - 'batch.amazonaws.com'
+                - 'ec2.amazonaws.com'
             Action:
               - 'sts:AssumeRole'
       Path: '/'
       ManagedPolicyArns:
-        - arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole
+        - arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
   EC2SpotRole:
     Type: AWS::IAM::Role
     Properties:

diff --git a/src/cirrus/core/components/files/definitions.py b/src/cirrus/core/components/files/definitions.py
@@ -44,8 +44,6 @@
           Type: AWS::Batch::ComputeEnvironment
           Properties:
             Type: MANAGED
-            ServiceRole:
-              Fn::GetAtt: [ BatchServiceRole, Arn ]
             ComputeResources:
               MaxvCpus: 1000
               SecurityGroupIds: ${{self:custom.batch.SecurityGroupIds}}
@@ -70,6 +68,58 @@
                 ComputeEnvironment: !Ref {name}ComputeEnvironment
             State: ENABLED
             Priority: 1
+        {name}JobRole:
+          Type: AWS::IAM::Role
+          Properties:
+            AssumeRolePolicyDocument:
+              Version: '2012-10-17'
+              Statement:
+                - Effect: 'Allow'
+                  Principal:
+                    Service:
+                      - 'ecs-tasks.amazonaws.com'
+                  Action:
+                    - 'sts:AssumeRole'
+                  Condition:
+                    ArnLike:
+                      aws:SourceArn: "arn:aws:ecs:#{{AWS::Region}}:#{{AWS::AccountId}}:*"
+                    StringEquals:
+                      aws:SourceAccount: "#{{AWS::AccountId}}"
+            Path: '/'
+            Policies:
+              - PolicyName: 'Cirrus'
+                PolicyDocument:
+                  Version: '2012-10-17'
+                  Statement:
+                    - Effect: "Allow"
+                      Action:
+                        - "s3:PutObject"
+                      Resource:
+                        - !Join
+                          - ''
+                          - - 'arn:aws:s3:::'
+                            - ${{self:provider.environment.CIRRUS_DATA_BUCKET}}
+                            - '*'
+                        - !Join
+                          - ''
+                          - - 'arn:aws:s3:::'
+                            - ${{self:provider.environment.CIRRUS_PAYLOAD_BUCKET}}
+                            - '*'
+                    - Effect: "Allow"
+                      Action:
+                        - "s3:ListBucket"
+                        - "s3:GetObject"
+                        - "s3:GetBucketLocation"
+                      Resource: "*"
+                    - Effect: "Allow"
+                      Action: secretsmanager:GetSecretValue
+                      Resource:
+                        - arn:aws:secretsmanager:#{{AWS::Region}}:#{{AWS::AccountId}}:secret:cirrus*
+                    - Effect: "Allow"
+                      Action:
+                        - lambda:GetFunction
+                      Resource:
+                        - arn:aws:lambda:#{{AWS::Region}}:#{{AWS::AccountId}}:function:#{{AWS::StackName}}-*
         {name}AsBatchJob:
           Type: "AWS::Batch::JobDefinition"
           Properties:
@@ -86,6 +136,7 @@
               Memory: 128
               Vcpus: 1
               Image: 'cirrusgeo/run-lambda:0.2.1'
+              JobRoleArn: !Fn::GetAtt {name}JobRole.Arn
             RetryStrategy:
               Attempts: 1
 '''.format