Allow user to customize Roles / ManagedPolicy

Signed-off-by: Nicolas De Loof <[email protected]>

ecs/pkg/amazon/backend/cloudformation.go

@@ -440,15 +440,26 @@ func createTaskExecutionRole(service types.ServiceConfig, err error, definition
 			PolicyDocument: policy,
 			PolicyName:     fmt.Sprintf("%sGrantAccessToSecrets", service.Name),
 		})
+	}
 
+	if roles, ok := service.Extensions[compose.ExtensionRole]; ok {
+		rolePolicies = append(rolePolicies, iam.Role_Policy{
+			PolicyDocument: roles,
+		})
+	}
+	managedPolicies := []string{
+		ECSTaskExecutionPolicy,
+		ECRReadOnlyPolicy,
+	}
+	if v, ok := service.Extensions[compose.ExtensionManagedPolicies]; ok {
+		for _, s := range v.([]interface{}) {
+			managedPolicies = append(managedPolicies, s.(string))
+		}
 	}
 	template.Resources[taskExecutionRole] = &iam.Role{
 		AssumeRolePolicyDocument: assumeRolePolicyDocument,
 		Policies:                 rolePolicies,
-		ManagedPolicyArns: []string{
-			ECSTaskExecutionPolicy,
-			ECRReadOnlyPolicy,
-		},
+		ManagedPolicyArns:        managedPolicies,
 	}
 	return taskExecutionRole, nil
 }

ecs/pkg/amazon/backend/iam.go

@@ -22,7 +22,7 @@ var assumeRolePolicyDocument = PolicyDocument{
 	},
 }
 
-// could alternatively depend on https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/master/pkg/cloud/services/iam/types.go#L52
+// could alternatively depend on https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/master/cmd/clusterawsadm/api/iam/v1alpha1/types.go
 type PolicyDocument struct {
 	Version   string            `json:",omitempty"`
 	Statement []PolicyStatement `json:",omitempty"`

ecs/pkg/compose/x.go

@@ -10,4 +10,6 @@ const (
 	ExtensionMinPercent      = "x-aws-min_percent"
 	ExtensionMaxPercent      = "x-aws-max_percent"
 	ExtensionRetention       = "x-aws-logs_retention"
+	ExtensionRole            = "x-aws-role"
+	ExtensionManagedPolicies = "x-aws-policies"
 )