From 4e7d6381228970d5d401091834e1792eb899335f Mon Sep 17 00:00:00 2001
From: Clare Liguori
Date: Fri, 1 Oct 2021 10:06:07 -0700
Subject: [PATCH] fix: use role ARN (not name) for execution/task role in ECS task defs (#2887)

Using the role name in the ECS task definition results in CloudFormation stack drift. ECS returns the fully-qualified ARN when describing the task def, which fails the comparison to the stack template's value.

Example drift seen in the CFN console for a Copilot-created service stack:
```
Expected:
"ExecutionRoleArn": "proton-pilot-example-test-front-end-ExecutionRole-1CY6ZXWZU4YQF",
"TaskRoleArn": "proton-pilot-example-test-front-end-TaskRole-1NMILHSCBDBTT"
Actual:
"ExecutionRoleArn": "arn:aws:iam::123456789012:role/proton-pilot-example-test-front-end-ExecutionRole-1CY6ZXWZU4YQF",
"TaskRoleArn": "arn:aws:iam::123456789012:role/proton-pilot-example-test-front-end-TaskRole-1NMILHSCBDBTT"
```

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.
---
 .../cloudformation/stack/testdata/stacklocal/override-cf.yml | 4 ++--
 .../stack/testdata/workloads/job-test.stack.yml | 4 ++--
 .../stack/testdata/workloads/svc-prod.stack.yml | 4 ++--
 .../stack/testdata/workloads/svc-staging.stack.yml | 4 ++--
 .../stack/testdata/workloads/svc-test.stack.yml | 4 ++--
 .../stack/testdata/workloads/worker-test.stack.yml | 4 ++--
 internal/pkg/template/templates/task/cf.yml | 4 ++--
 .../workloads/partials/cf/fargate-taskdef-base-properties.yml | 4 ++--
 8 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/stacklocal/override-cf.yml b/internal/pkg/deploy/cloudformation/stack/testdata/stacklocal/override-cf.yml
index f1ecc15dd94..fdb4ec83e68 100644
--- a/internal/pkg/deploy/cloudformation/stack/testdata/stacklocal/override-cf.yml
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/stacklocal/override-cf.yml
@@ -10,8 +10,8 @@
 - FARGATE
 Cpu: !Ref TaskCPU
 Memory: !Ref TaskMemory
- ExecutionRoleArn: !Ref ExecutionRole
- TaskRoleArn: !Ref TaskRole
+ ExecutionRoleArn: !GetAtt ExecutionRole.Arn
+ TaskRoleArn: !GetAtt TaskRole.Arn
 ContainerDefinitions:
 - Name: !Ref WorkloadName
 Image: !Ref ContainerImage
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.stack.yml
index 01583272204..56b35335496 100644
--- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.stack.yml
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.stack.yml
@@ -117,8 +117,8 @@ Resources:
 Memory: !Ref TaskMemory
 EphemeralStorage:
 SizeInGiB: 200
- ExecutionRoleArn: !Ref ExecutionRole
- TaskRoleArn: !Ref TaskRole
+ ExecutionRoleArn: !GetAtt ExecutionRole.Arn
+ TaskRoleArn: !GetAtt TaskRole.Arn
 ContainerDefinitions:
 - Name: !Ref WorkloadName
 Image: !Ref ContainerImage
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.stack.yml
index dd989ac16bc..26c4f9625f5 100644
--- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.stack.yml
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.stack.yml
@@ -68,8 +68,8 @@ Resources:
 - FARGATE
 Cpu: !Ref TaskCPU
 Memory: !Ref TaskMemory
- ExecutionRoleArn: !Ref ExecutionRole
- TaskRoleArn: !Ref TaskRole
+ ExecutionRoleArn: !GetAtt ExecutionRole.Arn
+ TaskRoleArn: !GetAtt TaskRole.Arn
 ContainerDefinitions:
 - Name: !Ref WorkloadName
 Image: !Ref ContainerImage
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.stack.yml
index 1e84e83c6e7..668f98c58b0 100644
--- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.stack.yml
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.stack.yml
@@ -68,8 +68,8 @@ Resources:
 - FARGATE
 Cpu: !Ref TaskCPU
 Memory: !Ref TaskMemory
- ExecutionRoleArn: !Ref ExecutionRole
- TaskRoleArn: !Ref TaskRole
+ ExecutionRoleArn: !GetAtt ExecutionRole.Arn
+ TaskRoleArn: !GetAtt TaskRole.Arn
 ContainerDefinitions:
 - Name: !Ref WorkloadName
 Image: !Ref ContainerImage
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.stack.yml
index 3afa42a46ae..8b716f77090 100644
--- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.stack.yml
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.stack.yml
@@ -68,8 +68,8 @@ Resources:
 - FARGATE
 Cpu: !Ref TaskCPU
 Memory: !Ref TaskMemory
- ExecutionRoleArn: !Ref ExecutionRole
- TaskRoleArn: !Ref TaskRole
+ ExecutionRoleArn: !GetAtt ExecutionRole.Arn
+ TaskRoleArn: !GetAtt TaskRole.Arn
 ContainerDefinitions:
 - Name: !Ref WorkloadName
 Image: !Ref ContainerImage
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml
index f89d619e8bc..65249e595ef 100644
--- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml
@@ -48,8 +48,8 @@ Resources:
 - FARGATE
 Cpu: !Ref TaskCPU
 Memory: !Ref TaskMemory
- ExecutionRoleArn: !Ref ExecutionRole
- TaskRoleArn: !Ref TaskRole
+ ExecutionRoleArn: !GetAtt ExecutionRole.Arn
+ TaskRoleArn: !GetAtt TaskRole.Arn
 ContainerDefinitions:
 - Name: !Ref WorkloadName
 Image: !Ref ContainerImage
diff --git a/internal/pkg/template/templates/task/cf.yml b/internal/pkg/template/templates/task/cf.yml
index ed32e15058b..f3b8a8846de 100644
--- a/internal/pkg/template/templates/task/cf.yml
+++ b/internal/pkg/template/templates/task/cf.yml
@@ -67,8 +67,8 @@ Resources:
 NetworkMode: awsvpc
 Cpu: !Ref TaskCPU
 Memory: !Ref TaskMemory
- ExecutionRoleArn: !If [HasExecutionRole, !Ref ExecutionRole, !Ref DefaultExecutionRole]
- TaskRoleArn: !If [HasTaskRole, !Ref TaskRole, !Ref DefaultTaskRole]
+ ExecutionRoleArn: !If [HasExecutionRole, !Ref ExecutionRole, !GetAtt DefaultExecutionRole.Arn]
+ TaskRoleArn: !If [HasTaskRole, !Ref TaskRole, !GetAtt DefaultTaskRole.Arn]
 DefaultExecutionRole:
 Metadata:
 'aws:copilot:description': 'An IAM Role for the Fargate agent to make AWS API calls on your behalf'
diff --git a/internal/pkg/template/templates/workloads/partials/cf/fargate-taskdef-base-properties.yml b/internal/pkg/template/templates/workloads/partials/cf/fargate-taskdef-base-properties.yml
index 02fcbfc0349..0ca675975ee 100644
--- a/internal/pkg/template/templates/workloads/partials/cf/fargate-taskdef-base-properties.yml
+++ b/internal/pkg/template/templates/workloads/partials/cf/fargate-taskdef-base-properties.yml
@@ -10,5 +10,5 @@ EphemeralStorage:
 SizeInGiB: {{.Storage.Ephemeral}}
 {{- end}}
 {{- end}}
-ExecutionRoleArn: !Ref ExecutionRole
-TaskRoleArn: !Ref TaskRole
\ No newline at end of file
+ExecutionRoleArn: !GetAtt ExecutionRole.Arn
+TaskRoleArn: !GetAtt TaskRole.Arn
\ No newline at end of file
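Review bot: The `!Ref ExecutionRole` and `!Ref TaskRole` branches of the two `!If` expressions in task/cf.yml are left as they were, so the drift fix only covers the stack-created default roles; if the `ExecutionRole` and `TaskRole` parameters (declared outside this hunk) accept a role name rather than an ARN, a task launched with a caller-supplied role will still drift exactly as the commit message describes. Because these parameters also select the IAM identity the task runs under, it is worth confirming they are declared and constrained as full role ARNs (an `AllowedPattern` on the parameter), and recording that expectation above these lines, e.g. `# ExecutionRole/TaskRole parameters must be full IAM role ARNs; !GetAtt is only needed for roles created in this stack.` The equivalent `!Ref` to `!GetAtt` change in fargate-taskdef-base-properties.yml below has no conditional branch and looks complete. The fixtures updated in this commit are all workload stacks; if a golden file exists for the task template it would presumably need the same update.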