From 22a1dca96c066d817a2bb78e23e02dd1df8f7c71 Mon Sep 17 00:00:00 2001 From: Sarkis Varozian <42673+sarkis@users.noreply.github.com> Date: Tue, 17 Jul 2018 15:57:54 -0700 Subject: [PATCH] Add IAM Role for ECS Task (#7) * add task role and outputs for task and service role * refactor naming * add healthcheck parameter * update readme --- README.md | 16 ++++++++++- docs/terraform.md | 5 +++- main.tf | 72 ++++++++++++++++++++++++++++++++++++----------- outputs.tf | 14 +++++++-- variables.tf | 6 ++++ 5 files changed, 91 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index aeeb919..a4917fb 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,10 @@ It's 100% Open Source and licensed under the [APACHE2](LICENSE). + + + + ## Usage ```hcl @@ -69,6 +73,7 @@ Available targets: | ecr_repository_name | The name of the ECR repository to store images. | string | - | yes | | ecs_cluster_arn | The ARN of the ECS cluster where service will be provisioned. | string | - | yes | | family | The name used for multiple versions of a task definition. | string | `web` | no | +| healthcheck | A map containing command (string), interval (duration in seconds), retries (1-10, number of times to retry before marking container unhealthy, and startPeriod (0-300, optional grace period to wait, in seconds, before failed healthchecks count toward retries) | map | `` | no | | launch_type | The launch type on which to run your service. Valid values are EC2 and FARGATE. | string | `FARGATE` | no | | name | The name of the app to be used in labels. | string | - | yes | | namespace | The namespace to be used in labels. | string | - | yes | @@ -85,7 +90,9 @@ Available targets: | Name | Description | |------|-------------| -| service_name | ECS Service name. | +| service_name | ECS Service name | +| service_role_arn | ECS Service role ARN | +| task_role_arn | ECS Task role ARN | 
@@ -184,6 +191,13 @@ See [LICENSE](LICENSE) for full details. under the License. + + + + + + + ## Trademarks All other trademarks referenced herein are the property of their respective owners. diff --git a/docs/terraform.md b/docs/terraform.md index 32a2679..c74f797 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -15,6 +15,7 @@ | ecr_repository_name | The name of the ECR repository to store images. | string | - | yes | | ecs_cluster_arn | The ARN of the ECS cluster where service will be provisioned. | string | - | yes | | family | The name used for multiple versions of a task definition. | string | `web` | no | +| healthcheck | A map containing command (string), interval (duration in seconds), retries (1-10, number of times to retry before marking container unhealthy, and startPeriod (0-300, optional grace period to wait, in seconds, before failed healthchecks count toward retries) | map | `` | no | | launch_type | The launch type on which to run your service. Valid values are EC2 and FARGATE. | string | `FARGATE` | no | | name | The name of the app to be used in labels. | string | - | yes | | namespace | The namespace to be used in labels. | string | - | yes | @@ -31,5 +32,7 @@ | Name | Description | |------|-------------| -| service_name | ECS Service name. | +| service_name | ECS Service name | +| service_role_arn | ECS Service role ARN | +| task_role_arn | ECS Task role ARN | diff --git a/main.tf b/main.tf index f975798..de09108 100644 --- a/main.tf +++ b/main.tf @@ -1,5 +1,5 @@ module "default_label" { - source = "git::https://github.com/cloudposse/terraform-terraform-label.git?ref=0.1.2" + source = "git::https://github.com/cloudposse/terraform-terraform-label.git?ref=0.1.3" attributes = "${var.attributes}" delimiter = "${var.delimiter}" name = "${var.name}" 
@@ -8,9 +8,29 @@ module "default_label" { tags = "${var.tags}" } +module "task_role_label" { + source = "git::https://github.com/cloudposse/terraform-terraform-label.git?ref=0.1.3" + attributes = ["${compact(concat(var.attributes, list("task")))}"] + delimiter = "${var.delimiter}" + name = "${var.name}" + namespace = "${var.namespace}" + stage = "${var.stage}" + tags = "${var.tags}" +} + +module "service_role_label" { + source = "git::https://github.com/cloudposse/terraform-terraform-label.git?ref=0.1.3" + attributes = ["${compact(concat(var.attributes, list("service")))}"] + delimiter = "${var.delimiter}" + name = "${var.name}" + namespace = "${var.namespace}" + stage = "${var.stage}" + tags = "${var.tags}" +} + module "exec_role_label" { - source = "git::https://github.com/cloudposse/terraform-terraform-label.git?ref=0.1.2" - attributes = ["${compact(concat(var.attributes, list("exec", "role")))}"] + source = "git::https://github.com/cloudposse/terraform-terraform-label.git?ref=0.1.3" + attributes = ["${compact(concat(var.attributes, list("exec")))}"] delimiter = "${var.delimiter}" name = "${var.name}" namespace = "${var.namespace}" 
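Review bot: The new `service_role_label` module declared in this hunk is never read — in the later hunks `aws_iam_role.ecs_service` and `aws_iam_role_policy.ecs_service` still take `name = "${module.default_label.id}"`, so as far as the visible patch shows the label is dead code; either wire it in (`name = "${module.service_role_label.id}"`) or drop it. Dropping the `role` attribute from `exec_role_label` changes `module.exec_role_label.id`, and `name` on `aws_iam_role` forces replacement, so applying this will destroy and recreate the execution role and its inline policy rather than rename them in place; the resource-address renames elsewhere in the patch (`ecs_role` → `ecs_service`, `ecs_exec_role` → `ecs_exec`) plan as destroy/create too unless `terraform state mv` is run first. A short comment above the module, e.g. `# Label for the ECS task execution role; changing the attributes renames (and so replaces) the IAM role`, would make that cost visible to the next person who touches it.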
@@ -25,12 +45,30 @@ resource "aws_ecs_task_definition" "default" { network_mode = "${var.network_mode}" cpu = "${var.task_cpu}" memory = "${var.task_memory}" - execution_role_arn = "${aws_iam_role.ecs_exec_role.arn}" - task_role_arn = "${aws_iam_role.ecs_exec_role.arn}" + execution_role_arn = "${aws_iam_role.ecs_exec.arn}" + task_role_arn = "${aws_iam_role.ecs_task.arn}" + healthcheck = "${var.healthcheck}" } # IAM -data "aws_iam_policy_document" "ecs_service_role" { +data "aws_iam_policy_document" "ecs_task" { + statement { + effect = "Allow" + actions = ["sts:AssumeRole"] + + principals { + type = "Service" + identifiers = ["ecs-tasks.amazonaws.com"] + } + } +} + +resource "aws_iam_role" "ecs_task" { + name = "${module.task_role_label.id}" + assume_role_policy = "${data.aws_iam_policy_document.ecs_task.json}" +} + +data "aws_iam_policy_document" "ecs_service" { statement { effect = "Allow" actions = ["sts:AssumeRole"] @@ -42,9 +80,9 @@ data "aws_iam_policy_document" "ecs_service_role" { } } -resource "aws_iam_role" "ecs_role" { +resource "aws_iam_role" "ecs_service" { name = "${module.default_label.id}" - assume_role_policy = "${data.aws_iam_policy_document.ecs_service_role.json}" + assume_role_policy = "${data.aws_iam_policy_document.ecs_service.json}" } data "aws_iam_policy_document" "ecs_service_policy" { @@ -62,14 +100,14 @@ data "aws_iam_policy_document" "ecs_service_policy" { } } -resource "aws_iam_role_policy" "ecs_service_role_policy" { +resource "aws_iam_role_policy" "ecs_service" { name = "${module.default_label.id}" policy = "${data.aws_iam_policy_document.ecs_service_policy.json}" - role = "${aws_iam_role.ecs_role.id}" + role = "${aws_iam_role.ecs_service.id}" } # IAM role that the Amazon ECS container agent and the Docker daemon can assume -data "aws_iam_policy_document" "ecs_task_exec_role" { +data "aws_iam_policy_document" "ecs_task_exec" { statement { actions = ["sts:AssumeRole"] 
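Review bot: The trust policy in `data.aws_iam_policy_document.ecs_task` lets `ecs-tasks.amazonaws.com` assume the role with no `condition` block, so a task started in any other AWS account can be pointed at this role ARN; AWS's guidance for task roles is to pin the trust with `aws:SourceAccount` (and optionally `aws:SourceArn`) to close that confused-deputy path. The rewrite below adds a caller-identity lookup (skip the data source if the module already declares one) and a `StringEquals` condition; the execution role's trust policy further down the file deserves the same guard, but this hunk does not touch it. Separately, `healthcheck = "${var.healthcheck}"` is set on `aws_ecs_task_definition`, which has no such argument in the provider as far as I know — ECS health checks live in the container definition (`healthCheck` inside `container_definitions`), so Terraform should reject this as an unknown argument and the value needs to move to wherever the container definition is rendered, which is outside this hunk. Leaving the task role with no attached permissions, as the hunk does, is the right default; a comment such as `# Task role: assumed by the application containers; callers attach least-privilege policies` would record that intent.
```hcl
# Identity of the account applying this module; used to scope the trust policy.
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "ecs_task" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }

    # Confused-deputy guard: only ECS tasks in this account may assume the role.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = ["${data.aws_caller_identity.current.account_id}"]
    }
  }
}

# … unchanged: aws_iam_role.ecs_task, ecs_service policy document …
```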
@@ -80,12 +118,12 @@ data "aws_iam_policy_document" "ecs_task_exec_role" { } } -resource "aws_iam_role" "ecs_exec_role" { +resource "aws_iam_role" "ecs_exec" { name = "${module.exec_role_label.id}" - assume_role_policy = "${data.aws_iam_policy_document.ecs_task_exec_role.json}" + assume_role_policy = "${data.aws_iam_policy_document.ecs_task_exec.json}" } -data "aws_iam_policy_document" "ecs_exec_role" { +data "aws_iam_policy_document" "ecs_exec" { statement { effect = "Allow" resources = ["*"] @@ -101,10 +139,10 @@ data "aws_iam_policy_document" "ecs_exec_role" { } } -resource "aws_iam_role_policy" "ecs_exec_role_policy" { +resource "aws_iam_role_policy" "ecs_exec" { name = "${module.exec_role_label.id}" - policy = "${data.aws_iam_policy_document.ecs_exec_role.json}" - role = "${aws_iam_role.ecs_exec_role.id}" + policy = "${data.aws_iam_policy_document.ecs_exec.json}" + role = "${aws_iam_role.ecs_exec.id}" } # Service diff --git a/outputs.tf b/outputs.tf index de9d4ae..067ce25 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,6 +1,14 @@ -# TODO: (output) security group IDs - output "service_name" { - description = "ECS Service name." + description = "ECS Service name" value = "${aws_ecs_service.default.name}" } + +output "service_role_arn" { + description = "ECS Service role ARN" + value = "${aws_iam_role.ecs_service.arn}" +} + +output "task_role_arn" { + description = "ECS Task role ARN" + value = "${aws_iam_role.ecs_task.arn}" +} diff --git a/variables.tf b/variables.tf index 9c2e383..00b724e 100644 --- a/variables.tf +++ b/variables.tf 
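Review bot: The new `task_role_arn` and `service_role_arn` outputs on their own do not let a consumer of this module grant the task any permissions — `aws_iam_role_policy` and `aws_iam_role_policy_attachment` take the role name, not its ARN — so every caller would have to parse the ARN back into a name. Add name outputs next to the ARNs, e.g. an `output "task_role_name"` block with `description = "ECS Task role name"` and `value = "${aws_iam_role.ecs_task.name}"`, and the same for the service role. The hunk also deletes the `# TODO: (output) security group IDs` reminder without adding that output anywhere in the visible patch; if the item is still open, keep the TODO.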
@@ -105,3 +105,9 @@ variable "deployment_minimum_healthy_percent" { description = "The lower limit (as a percentage of desired_count) of the number of tasks that must remain running and healthy in a service during a deployment." default = 100 } + +variable "healthcheck" { + type = "map" + description = "A map containing command (string), interval (duration in seconds), retries (1-10, number of times to retry before marking container unhealthy, and startPeriod (0-300, optional grace period to wait, in seconds, before failed healthchecks count toward retries)" + default = {} +}
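Review bot: The `healthcheck` description says `command (string)`, but the ECS container `healthCheck.command` field is a list of strings (for example `["CMD-SHELL", "curl -f http://localhost/ || exit 1"]`), and the parenthetical after `retries` is never closed, so a caller reading this text will pass the wrong shape. Suggested wording: `A map with command (list of strings, e.g. ["CMD-SHELL", "curl -f http://localhost/ || exit 1"]), interval (seconds), retries (1-10, attempts before the container is marked unhealthy) and startPeriod (0-300, optional grace period in seconds before failed checks count toward retries)`. Since `type = "map"` enforces none of this, a comment noting that the map is passed through to ECS unvalidated would help; where the value is consumed is in `main.tf`, outside this hunk.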