convox run supports policies added to service #3743

Merged Oct 31, 2024 (2 commits)

@numcys (Contributor) commented Oct 23, 2024

What is the feature/update/fix?

Feature: Support for Policies in convox run Command

The convox run command now supports attaching IAM policies specified in your convox.yml file. When executing a command inside a newly started ECS task container, any policies defined under the policies key for a service will now be automatically attached to the container.

How to use it?

You can define policies for a service in your convox.yml file. For example:

services:
  web:
    build: .
    domain: ${HOST}
    port: 3000
    policies:
      - arn:aws:iam::aws:policy/AdministratorAccess
      - arn:aws:iam::<account>:policy/my-policy

With this configuration, running a command with convox run for the web service will start a new ECS task with my-policy attached, allowing the command to execute with the specified permissions.

convox run Command Usage

The convox run command can be used to execute one-off tasks, administrative scripts, or even interactive shells within the context of a Convox service. Some examples include:

  • Running a simple command:

    $ convox run web ls
    

    This will start a new container for the web service and list the files in the working directory.

  • Starting an interactive shell:

    $ convox run web bash
    

    This command spawns a bash shell in the container, allowing direct interaction.

  • Running a long-running task:
    For tasks that may take longer than the default 1-hour timeout, you can set a custom timeout:

    $ convox run web --timeout 7200 bin/long_running_process
    
    • Detached Processes: For non-interactive tasks, use the --detach flag to run the command in the background without a timeout, with logs available in application logs:

      $ convox run web --detach bin/migrate
      

Why is this important?

This feature enhances the flexibility of convox run by enabling the use of custom IAM policies directly on the container running the command. This is particularly useful for tasks that need temporary access to AWS resources, like reading from S3 or accessing certain databases, without modifying the broader service configuration.

Does it have a breaking change?

There are no breaking changes introduced with this feature.

Requirements

To use this feature, you must be on at least rack version latest.
You can check your rack's version with the command convox rack -r rackName.
Update your rack to the latest version with the command convox rack update -r rackName.
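
An added example, not code from this PR or from Convox: because one-off `convox run` tasks now receive every policy listed for the service, this Go check reports services in a convox.yml whose `policies` include a broad AWS managed policy. The function name, the sample manifest and the set of policies counted as broad are assumptions of the example; it reads only the two-space layout shown above and is not a general YAML parser.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample, modelled on the convox.yml in the PR description.
const sampleManifest = `services:
  web:
    policies:
      - arn:aws:iam::aws:policy/AdministratorAccess
      - arn:aws:iam::<account>:policy/my-policy
  worker:
    policies:
    - "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
`

// AWS managed policies treated here as too broad for one-off tasks (an assumption).
var broad = map[string]bool{"AdministratorAccess": true, "PowerUserAccess": true, "IAMFullAccess": true}

// BroadPolicies returns "service: arn" for each broad managed policy a service lists.
// Hypothetical helper: tracks indentation only, so it handles this layout and nothing more.
func BroadPolicies(manifest string) []string {
	var findings []string
	service, inServices, inPolicies := "", false, false
	for _, raw := range strings.Split(manifest, "\n") {
		text := strings.TrimSpace(raw)
		indent := len(raw) - len(strings.TrimLeft(raw, " "))
		switch {
		case text == "" || strings.HasPrefix(text, "#"): // skip blanks and comments
		case indent == 0:
			inServices, inPolicies = text == "services:", false
		case inServices && indent == 2: // a new service name ends any policies list
			service, inPolicies = strings.TrimSuffix(text, ":"), false
		case inPolicies && strings.HasPrefix(text, "- "):
			arn := strings.Trim(strings.TrimSpace(text[2:]), `"'`)
			name := strings.TrimPrefix(arn, "arn:aws:iam::aws:policy/")
			if name != arn && broad[name] { // only AWS managed ARNs carry that prefix
				findings = append(findings, service+": "+arn)
			}
		case inServices && indent == 4: // any other service key closes the list
			inPolicies = text == "policies:"
		}
	}
	return findings
}

func main() { fmt.Println(BroadPolicies(sampleManifest)) }
```

Customer-managed policies such as `my-policy` are not flagged by name; their policy documents need separate review.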

@numcys requested a review from nightfury1204 October 23, 2024 20:32

codecov bot commented Oct 23, 2024

Codecov Report

Attention: Patch coverage is 0% with 21 lines in your changes missing coverage. Please review.

Project coverage is 33.14%. Comparing base (01a2ab5) to head (bb5631e).
Report is 18 commits behind head on master.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| provider/aws/processes.go | 0.00% | 21 Missing ⚠️ |
@@            Coverage Diff             @@
##           master    #3743      +/-   ##
==========================================
- Coverage   33.56%   33.14%   -0.42%     
==========================================
  Files         180      182       +2     
  Lines       20253    20558     +305     
==========================================
+ Hits         6797     6814      +17     
- Misses      12309    12596     +287     
- Partials     1147     1148       +1     


@nightfury1204 merged commit d0c8f9a into master Oct 31, 2024
4 checks passed
@nightfury1204 deleted the fix/run-policy-add branch October 31, 2024 14:09
@nightfury1204 restored the fix/run-policy-add branch October 31, 2024 19:23
nightfury1204 added a commit that referenced this pull request Oct 31, 2024
@@ -1191,10 +1192,38 @@ func (p *Provider) generateTaskDefinition2(app, service string, opts structs.Pro
}
}

td, err := p.stackResource(fmt.Sprintf("%s-%s", p.Rack, app), "ServiceWeb")
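
Review bot: the stackResource call on the last line looks up the literal resource name "ServiceWeb" even though generateTaskDefinition2 receives the service as a parameter, so the lookup only succeeds for apps that define a web service. Derive the resource name from the service argument and return a clear error when the resource is missing. The Codecov report above shows 0% patch coverage, so a test that runs a service other than web would cover this path.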

Our cluster doesn't have a web service, so it throws the error ERROR: resource not found: ServiceWeb when we do convox run [other service name]

Collaborator

@numcys can you fix this

Collaborator

@khoinguyenm we have released the fix: https://github.com/convox/rack/releases/tag/20241104181809
Thanks for your patience
