This repository was archived by the owner on Nov 27, 2023. It is now read-only.

ADDS Support to define IAM roles in yml by ARN #1506

Closed
wants to merge 2 commits into from

Conversation

rosven
Contributor

@rosven rosven commented Apr 7, 2021

What I did
Added an extension to support IAM policies in config being referred to by ARN.

Related issue
resolves: 1500

@ndeloof
Collaborator

ndeloof commented Apr 8, 2021

As discussed on #1411 I'm not in favour of introducing more x-aws- extensions that will never get into the compose specification.
On the other hand I understand your use case.

A possible way to address this would be to rely on the already supported x-aws-role, but let this one define a plain ARN in addition to a policy document. You can use arn.IsARN() to check whether the attribute value defines an ARN, vs a nested document.

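The dispatch suggested in the comment above, written out as an added example (this is not compose-cli's code, and it was not posted by either participant). It assumes the compose file has already been loaded into plain Go values, so `x-aws-role` arrives either as a string or as a nested map; the sample document is constructed here in JSON, which a YAML loader would decode to the same values. To stay dependency-free the example re-implements the check done by `arn.IsARN` in aws-sdk-go (an `arn:` prefix and at least five `:` delimiters) rather than importing it, and it goes one step further than the comment by accepting only IAM role ARNs, since an ARN for any other service or for an IAM user or policy cannot be used as a task role.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sampleCompose is a constructed compose fragment (JSON is valid YAML, so a
// YAML loader would hand the converter exactly these values): "api" refers to
// an existing role by ARN, "worker" carries an inline policy document.
const sampleCompose = `{
  "services": {
    "api": {
      "image": "example/api",
      "x-aws-role": "arn:aws:iam::123456789012:role/api-task-role"
    },
    "worker": {
      "image": "example/worker",
      "x-aws-role": {
        "Version": "2012-10-17",
        "Statement": [
          {"Effect": "Allow",
           "Action": ["sqs:ReceiveMessage"],
           "Resource": "arn:aws:sqs:eu-west-1:123456789012:jobs"}
        ]
      }
    }
  }
}`

// RoleSpec is what a converter would act on: reference an existing role by
// ARN, or create a role and attach the inline policy document.
type RoleSpec struct {
	ExistingRoleARN string
	PolicyDocument  map[string]interface{}
}

// isARN reproduces the check performed by arn.IsARN in aws-sdk-go (assumed
// from its source, not imported here): the value starts with "arn:" and has
// at least five ':' delimiters, i.e. arn:partition:service:region:account:resource.
func isARN(s string) bool {
	return strings.HasPrefix(s, "arn:") && strings.Count(s, ":") >= 5
}

// isIAMRoleARN is stricter than IsARN: only an IAM role ARN is meaningful as
// a task role, so ARNs of other services, users or policies are rejected.
// IAM ARNs have an empty region section.
func isIAMRoleARN(s string) bool {
	if !isARN(s) {
		return false
	}
	parts := strings.SplitN(s, ":", 6)
	return parts[2] == "iam" && parts[3] == "" && strings.HasPrefix(parts[5], "role/")
}

// parseRoleExtension interprets one x-aws-role value as either an ARN or a
// nested policy document and rejects anything else.
func parseRoleExtension(v interface{}) (RoleSpec, error) {
	switch t := v.(type) {
	case nil:
		return RoleSpec{}, nil
	case string:
		if !isIAMRoleARN(t) {
			return RoleSpec{}, fmt.Errorf("x-aws-role: %q is not an IAM role ARN", t)
		}
		return RoleSpec{ExistingRoleARN: t}, nil
	case map[string]interface{}:
		if _, ok := t["Statement"]; !ok {
			return RoleSpec{}, fmt.Errorf("x-aws-role: policy document has no Statement")
		}
		return RoleSpec{PolicyDocument: t}, nil
	default:
		return RoleSpec{}, fmt.Errorf("x-aws-role: unsupported value of type %T", v)
	}
}

// roleSpecs extracts the x-aws-role setting of every service in a compose document.
func roleSpecs(doc []byte) (map[string]RoleSpec, error) {
	var compose struct {
		Services map[string]map[string]interface{} `json:"services"`
	}
	if err := json.Unmarshal(doc, &compose); err != nil {
		return nil, err
	}
	out := make(map[string]RoleSpec, len(compose.Services))
	for name, svc := range compose.Services {
		spec, err := parseRoleExtension(svc["x-aws-role"])
		if err != nil {
			return nil, fmt.Errorf("service %s: %w", name, err)
		}
		out[name] = spec
	}
	return out, nil
}

func main() {
	specs, err := roleSpecs([]byte(sampleCompose))
	if err != nil {
		panic(err)
	}
	for name, spec := range specs {
		switch {
		case spec.ExistingRoleARN != "":
			fmt.Printf("%s: use existing role %s\n", name, spec.ExistingRoleARN)
		case spec.PolicyDocument != nil:
			stmts, _ := spec.PolicyDocument["Statement"].([]interface{})
			fmt.Printf("%s: create role with inline policy (%d statements)\n", name, len(stmts))
		}
	}
}
```

One caveat a converter taking the ARN path has to live with: nothing can be validated offline about the referenced role, in particular whether its trust policy allows ecs-tasks.amazonaws.com to assume it, so a wrong ARN only surfaces when the task fails to start.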
@rosven
Contributor Author

rosven commented Apr 9, 2021

Found another solution to this problem! :) PM me if you ever have a similar issue.

@rosven rosven closed this Apr 9, 2021
@ndeloof
Collaborator

ndeloof commented Apr 9, 2021

@rosven could you please add a note on #1500 to explain the solution you adopted? It could be useful for others, and maybe we could include this in the documentation.

@rosven
Contributor Author

rosven commented Apr 12, 2021

@ndeloof I simply bypassed it by looking over my role and extending the role policies instead. There seems to be a way to overlay a specific role name in x-aws-cloudformation, but it won't be possible due to how the stack is updated/created.

https://github.com/docker/compose-cli/blob/b6df84f56a270cf3fb35bc67d4e8f0eca258f903/ecs/sdk.go#L363-L371

It seems that Capabilities should be set to CAPABILITY_NAMED_IAM for that to work.

https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html
https://github.com/docker/compose-cli/blob/b6df84f56a270cf3fb35bc67d4e8f0eca258f903/ecs/sdk.go#L369-L371

But since it's hardcoded to CapabilityCapabilityIam
https://github.com/aws/aws-sdk-go/blob/3961e6ef50ca64ae09f0e935f7aa7ffbffde5f5b/service/cloudformation/api.go#L17784-L17788

If it were made possible to choose one of:

https://github.com/aws/aws-sdk-go/blob/3961e6ef50ca64ae09f0e935f7aa7ffbffde5f5b/service/cloudformation/api.go#L17783-L17792

it would probably be possible to set an explicit RoleName when it is created, if I don't misunderstand how this works.

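The capability rule behind the comment above, as an added example (not compose-cli's code and not posted by either participant): CloudFormation refuses CreateStack/UpdateStack for a template that creates IAM resources unless the call acknowledges CAPABILITY_IAM, and if any of those resources carries a custom name such as RoleName, the call must acknowledge CAPABILITY_NAMED_IAM instead. The function below inspects a template and returns the capability the call would need, which is the decision a converter would have to make before hardcoding one value. The capability strings are the literal API values; the SDK constants named in the thread wrap the same strings but are not imported here. The two templates are constructed for the example, and the table of name-carrying properties is the example's own, limited to the properties the author is certain of.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed templates. generatedTemplate mirrors the shape a converter
// produces today: a role with no RoleName, so CloudFormation names it.
// namedTemplate is what an explicit RoleName overlay would produce.
const generatedTemplate = `{
  "Resources": {
    "ApiTaskRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
          {"Effect": "Allow", "Principal": {"Service": "ecs-tasks.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
      }
    },
    "ApiService": {"Type": "AWS::ECS::Service", "Properties": {}}
  }
}`

const namedTemplate = `{
  "Resources": {
    "ApiTaskRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "api-task-role",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
          {"Effect": "Allow", "Principal": {"Service": "ecs-tasks.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
      }
    }
  }
}`

// Literal values of the Capabilities parameter of CreateStack/UpdateStack.
const (
	CapabilityIam      = "CAPABILITY_IAM"
	CapabilityNamedIam = "CAPABILITY_NAMED_IAM"
)

// namedIAMProperties lists, per IAM resource type, the property that assigns
// a custom name and therefore requires CAPABILITY_NAMED_IAM. This table is the
// example's own assumption, kept to the properties the author is sure about.
var namedIAMProperties = map[string]string{
	"AWS::IAM::Role":            "RoleName",
	"AWS::IAM::User":            "UserName",
	"AWS::IAM::Group":           "GroupName",
	"AWS::IAM::ManagedPolicy":   "ManagedPolicyName",
	"AWS::IAM::InstanceProfile": "InstanceProfileName",
}

type cfnResource struct {
	Type       string                 `json:"Type"`
	Properties map[string]interface{} `json:"Properties"`
}

// requiredCapabilities returns the Capabilities value a CreateStack call for
// this template needs: nil when the template creates no IAM resources,
// CAPABILITY_IAM when it creates unnamed ones, CAPABILITY_NAMED_IAM as soon
// as one IAM resource sets a custom name.
func requiredCapabilities(template []byte) ([]string, error) {
	var tpl struct {
		Resources map[string]cfnResource `json:"Resources"`
	}
	if err := json.Unmarshal(template, &tpl); err != nil {
		return nil, fmt.Errorf("parsing template: %w", err)
	}
	hasIAM, hasNamed := false, false
	for _, r := range tpl.Resources {
		if !strings.HasPrefix(r.Type, "AWS::IAM::") {
			continue
		}
		hasIAM = true
		if prop, ok := namedIAMProperties[r.Type]; ok {
			if _, set := r.Properties[prop]; set {
				hasNamed = true
			}
		}
	}
	switch {
	case hasNamed:
		return []string{CapabilityNamedIam}, nil
	case hasIAM:
		return []string{CapabilityIam}, nil
	}
	return nil, nil
}

func main() {
	for name, tpl := range map[string]string{"generated": generatedTemplate, "named": namedTemplate} {
		caps, err := requiredCapabilities([]byte(tpl))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s template needs Capabilities=%v\n", name, caps)
	}
}
```

A converter that always sends CAPABILITY_IAM will get a rejected CreateStack as soon as a template contains a RoleName, which is the failure the comment above describes; computing the value from the template is what would let an explicit role name overlay work. The stricter capability is also the one a reviewer should expect to see in deployment credentials, since a named role can shadow or replace an existing role in the account.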
Successfully merging this pull request may close these issues: Add Support to use existing IAM role by referring to it by its ARN (#1500)