Merge branch 'dev' into fargate-spot

.github/workflows/deploy-dev.yaml

@@ -13,6 +13,6 @@ jobs:
   aws-deploy:
     uses: "./.github/workflows/aws-deploy.yaml"
     with:
-      role-to-assume: "arn:aws:iam::607346494281:role/sagebase-github-oidc-sage-bionetworks-it-agora-infra-v3"
+      role-to-assume: "arn:aws:iam::607346494281:role/sagebase-github-oidc-agora-infra-v3"
       role-session-name: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}
       environment: dev

.github/workflows/deploy-prod.yaml

@@ -13,6 +13,6 @@ jobs:
   aws-deploy:
     uses: "./.github/workflows/aws-deploy.yaml"
     with:
-      role-to-assume: "arn:aws:iam::681175625864:role/sagebase-github-oidc-sage-bionetworks-it-agora-infra-v3"
+      role-to-assume: "arn:aws:iam::681175625864:role/sagebase-github-oidc-agora-infra-v3"
       role-session-name: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}
       environment: prod

.github/workflows/deploy-stage.yaml

@@ -13,6 +13,6 @@ jobs:
   aws-deploy:
     uses: "./.github/workflows/aws-deploy.yaml"
     with:
-      role-to-assume: "arn:aws:iam::681175625864:role/sagebase-github-oidc-sage-bionetworks-it-agora-infra-v3"
+      role-to-assume: "arn:aws:iam::681175625864:role/sagebase-github-oidc-agora-infra-v3"
       role-session-name: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}
       environment: stage

.pre-commit-config.yaml

@@ -1,3 +1,6 @@
+ci:
+  autoupdate_schedule: monthly
+
 default_language_version:
   python: python3
 
@@ -17,7 +20,7 @@ repos:
     hooks:
       - id: yamllint
   - repo: https://github.com/awslabs/cfn-python-lint
-    rev: v1.19.0
+    rev: v1.20.1
     hooks:
       - id: cfn-python-lint
         args:
@@ -36,7 +39,7 @@ repos:
     hooks:
       - id: black
   - repo: https://github.com/sirosen/check-jsonschema
-    rev: 0.29.4
+    rev: 0.30.0
     hooks:
       - id: check-github-workflows
       - id: check-github-actions

src/load_balancer_stack.py

@@ -21,4 +21,9 @@ def __init__(
         self.alb = elbv2.ApplicationLoadBalancer(
             self, "AppLoadBalancer", vpc=vpc, internet_facing=True
         )
-        cdk.CfnOutput(self, "dns", value=self.alb.load_balancer_dns_name)
+        cdk.CfnOutput(
+            self,
+            "LoadBalancerDns",
+            value=self.alb.load_balancer_dns_name,
+            export_name=f"{construct_id}-dns",
+        )

src/service_stack.py

@@ -58,13 +58,36 @@ def __init__(
             )
         )
 
+        # default ECS execution policy plus Guardduty access
+        execution_role = iam.Role(
+            self,
+            "ExecutionRole",
+            assumed_by=iam.ServicePrincipal("ecs-tasks.amazonaws.com"),
+            managed_policies=[
+                iam.ManagedPolicy.from_aws_managed_policy_name(
+                    "service-role/AmazonECSTaskExecutionRolePolicy"
+                ),
+            ],
+        )
+        execution_role.add_to_policy(
+            iam.PolicyStatement(
+                actions=[
+                    "logs:CreateLogStream",
+                    "logs:PutLogEvents",
+                ],
+                resources=["*"],
+                effect=iam.Effect.ALLOW,
+            )
+        )
+
         # ECS task with fargate
         self.task_definition = ecs.FargateTaskDefinition(
             self,
             "TaskDef",
             cpu=1024,
             memory_limit_mib=4096,
             task_role=task_role,
+            execution_role=execution_role,
         )
 
         image = ecs.ContainerImage.from_registry(props.container_location)