From e91b008752746cdbfb767196984647a5d00fb214 Mon Sep 17 00:00:00 2001
From: nitro
Date: Mon, 22 Jun 2020 18:04:15 -0400
Subject: [PATCH] Override task role (#58)

* Override task_role
* Add task_role_arn variable
* Change task_role_arn output to be the same
* Updated README.md

Co-authored-by: actions-bot <58130806+actions-bot@users.noreply.github.com>
---
 README.md | 1 +
 docs/terraform.md | 1 +
 main.tf | 9 +++++----
 outputs.tf | 2 +-
 variables.tf | 6 ++++++
 5 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 85e334c2..d17397d7 100644
--- a/README.md
+++ b/README.md
@@ -275,6 +275,7 @@ Available targets:
 | task\_cpu | The number of CPU units used by the task. If using `FARGATE` launch type `task_cpu` must match supported memory values (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) | `number` | `256` | no |
 | task\_memory | The amount of memory (in MiB) used by the task. If using Fargate launch type `task_memory` must match supported cpu value (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) | `number` | `512` | no |
 | task\_placement\_constraints | A set of placement constraints rules that are taken into consideration during task placement. Maximum number of placement\_constraints is 10. See `placement_constraints` docs https://www.terraform.io/docs/providers/aws/r/ecs_task_definition.html#placement-constraints-arguments |
list(object({
type = string
expression = string
}))
| `[]` | no |
+| task\_role\_arn | The ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services | `string` | `""` | no |
 | use\_alb\_security\_group | A flag to enable/disable adding the ingress rule to the ALB security group | `bool` | `false` | no |
 | use\_nlb\_cidr\_blocks | A flag to enable/disable adding the NLB ingress rule to the security group | `bool` | `false` | no |
 | use\_old\_arn | A flag to enable/disable tagging the ecs resources that require the new arn format | `bool` | `false` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index f253219c..a41ae112 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -57,6 +57,7 @@
 | task\_cpu | The number of CPU units used by the task. If using `FARGATE` launch type `task_cpu` must match supported memory values (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) | `number` | `256` | no |
 | task\_memory | The amount of memory (in MiB) used by the task. If using Fargate launch type `task_memory` must match supported cpu value (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) | `number` | `512` | no |
 | task\_placement\_constraints | A set of placement constraints rules that are taken into consideration during task placement. Maximum number of placement\_constraints is 10. See `placement_constraints` docs https://www.terraform.io/docs/providers/aws/r/ecs_task_definition.html#placement-constraints-arguments |
list(object({
type = string
expression = string
}))
| `[]` | no |
+| task\_role\_arn | The ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services | `string` | `""` | no |
 | use\_alb\_security\_group | A flag to enable/disable adding the ingress rule to the ALB security group | `bool` | `false` | no |
 | use\_nlb\_cidr\_blocks | A flag to enable/disable adding the NLB ingress rule to the security group | `bool` | `false` | no |
 | use\_old\_arn | A flag to enable/disable tagging the ecs resources that require the new arn format | `bool` | `false` | no |
diff --git a/main.tf b/main.tf
index f3b331d1..d8c87e74 100644
--- a/main.tf
+++ b/main.tf
@@ -11,7 +11,7 @@ module "default_label" {
 module "task_label" {
 source = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.15.0"
- enabled = var.enabled
+ enabled = var.enabled && length(var.task_role_arn) == 0
 context = module.default_label.context
 attributes = compact(concat(var.attributes, ["task"]))
 }
@@ -39,7 +39,7 @@ resource "aws_ecs_task_definition" "default" {
 cpu = var.task_cpu
 memory = var.task_memory
 execution_role_arn = join("", aws_iam_role.ecs_exec.*.arn)
- task_role_arn = join("", aws_iam_role.ecs_task.*.arn)
+ task_role_arn = length(var.task_role_arn) > 0 ? var.task_role_arn : join("", aws_iam_role.ecs_task.*.arn)
 tags = module.default_label.tags
 dynamic "proxy_configuration" {
@@ -81,7 +81,7 @@ resource "aws_ecs_task_definition" "default" {
 # IAM
 data "aws_iam_policy_document" "ecs_task" {
- count = var.enabled ? 1 : 0
+ count = var.enabled && length(var.task_role_arn) == 0 ? 1 : 0
 statement {
 effect = "Allow"
@@ -95,7 +95,8 @@ data "aws_iam_policy_document" "ecs_task" {
 }
 resource "aws_iam_role" "ecs_task" {
- count = var.enabled ? 1 : 0
+ count = var.enabled && length(var.task_role_arn) == 0 ? 1 : 0
+ name = module.task_label.id
 assume_role_policy = join("", data.aws_iam_policy_document.ecs_task.*.json)
 permissions_boundary = var.permissions_boundary == "" ? null : var.permissions_boundary
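Review bot: The gate `var.enabled && length(var.task_role_arn) == 0` introduced on the `enabled` line of `module "task_label"` is repeated verbatim in the `count` expressions of the `aws_iam_policy_document.ecs_task` and `aws_iam_role.ecs_task` hunks below, so the three places that decide whether the module-managed task role exists can drift apart in a later edit. Defining it once, `locals { create_task_role = var.enabled && length(var.task_role_arn) == 0 }`, and using `local.create_task_role` in all three keeps that decision in one place. Any other resource that still references `aws_iam_role.ecs_task` — policy attachments, if the module has them outside these hunks — needs the same gate, otherwise supplying `task_role_arn` leaves it indexing into an empty list; I cannot see such resources from here. The `module "task_label"` block is complete within the hunk.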
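Review bot: The caller-supplied ARN on the new `task_role_arn` line reaches the task definition after only a length check, so a value that is not an IAM role ARN, or a role whose trust policy does not allow `ecs-tasks.amazonaws.com` to assume it, is rejected at apply time at the earliest or only surfaces when ECS fails to start the task; before this change the module's own `aws_iam_policy_document.ecs_task` guaranteed that trust relationship. A comment on the line should make the new contract explicit, e.g. `# A caller-supplied role must already trust ecs-tasks.amazonaws.com; the module manages the trust policy only for the role it creates`. The `aws_ecs_task_definition` resource starts before and continues past this hunk.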
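Review bot: `name = module.task_label.id` is added to `aws_iam_role.ecs_task` with no corresponding removed line, and `name` forces replacement of an IAM role; if the resource previously relied on a provider-generated name, every existing deployment that does not set `task_role_arn` will have its task role destroyed and recreated on the next apply, which briefly leaves running tasks with a role that no longer exists and recreates any policy attachments bound to it. That consequence is not mentioned in the PR description and should be stated there, since it is a breaking change for current users rather than a pure feature addition. The resource body continues past the hunk, so I cannot see whether `name_prefix` or another naming argument was set elsewhere.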
diff --git a/outputs.tf b/outputs.tf
index a9c9a1c9..e5ebb3f9 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -35,7 +35,7 @@ output "task_role_name" {
 output "task_role_arn" {
 description = "ECS Task role ARN"
- value = join("", aws_iam_role.ecs_task.*.arn)
+ value = length(var.task_role_arn) > 0 ? var.task_role_arn : join("", aws_iam_role.ecs_task.*.arn)
 }
 output "task_role_id" {
diff --git a/variables.tf b/variables.tf
index 65691bc4..425a5af5 100644
--- a/variables.tf
+++ b/variables.tf
@@ -157,6 +157,12 @@ variable "task_memory" {
 default = 512
 }
+variable "task_role_arn" {
+ type = string
+ description = "The ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services"
+ default = ""
+}
+
 variable "desired_count" {
 type = number
 description = "The number of instances of the task definition to place and keep running"
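Review bot: Only `task_role_arn` is taught about the override here; `task_role_name` (the hunk header) and `task_role_id` (the trailing context line) still read from `aws_iam_role.ecs_task`, which now has `count = 0` whenever `var.task_role_arn` is set, so those two outputs become `""` while `task_role_arn` points at a real role. A consumer that attaches policies through `task_role_name` would then reference an empty role name and its permissions would silently not land on the role the tasks actually run with. Either derive the name from the supplied ARN, e.g. `value = length(var.task_role_arn) > 0 ? element(split("/", var.task_role_arn), length(split("/", var.task_role_arn)) - 1) : join("", aws_iam_role.ecs_task.*.name)` (assuming that join is what the output currently uses), and likewise for `task_role_id`, or state in both descriptions that they are empty when a role is supplied. Both of those outputs lie outside the hunk.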
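Review bot: The description of the new `task_role_arn` variable does not say what setting it changes: the module stops creating `aws_iam_role.ecs_task` and its assume-role policy document, so the supplied role must already trust `ecs-tasks.amazonaws.com`, and the `task_role_name`/`task_role_id` outputs no longer refer to a module-managed role. Suggested wording: `description = "ARN of an existing IAM role for the task. When set, the module does not create its own task role; the role must already allow ecs-tasks.amazonaws.com to assume it. Leave empty to have the module create the role."`. If the module's required Terraform version permits variable `validation` blocks, a check such as `condition = var.task_role_arn == "" || can(regex("^arn:aws[a-zA-Z-]*:iam::[0-9]{12}:role/", var.task_role_arn))` would reject an accidental non-ARN value at plan time instead of handing it to ECS.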