From 338a3787f7153590806513827c448a236f725cd2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patrick=20Sodr=C3=A9?=
Date: Sat, 19 Dec 2020 21:23:49 -0500
Subject: [PATCH 1/3] Add task_exec and task role policy attachments

Creates two variables to accept a list of policies to attach to the generated task and task execution roles

The policies are only attached if the the roles were created by this module.
---
 main.tf | 13 +++++++++++++
 variables.tf | 12 ++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/main.tf b/main.tf
index 3527e970..cdfeb466 100644
--- a/main.tf
+++ b/main.tf
@@ -118,6 +118,13 @@ resource "aws_iam_role" "ecs_task" {
   tags = module.task_label.tags
 }
 
+resource "aws_iam_role_policy_attachment" "ecs_task" {
+  count = local.enabled && length(var.task_role_arn) == 0 ? length(var.task_policy_arns) : 0
+  policy_arn = var.task_policy_arns[count.index]
+  role = join("", aws_iam_role.ecs_task.*.id)
+}
+
+
 data "aws_iam_policy_document" "ecs_service" {
   count = local.enabled ? 1 : 0
 
@@ -215,6 +222,12 @@ resource "aws_iam_role_policy" "ecs_exec" {
   role = join("", aws_iam_role.ecs_exec.*.id)
 }
 
+resource "aws_iam_role_policy_attachment" "ecs_exec" {
+  count = local.enabled && length(var.task_exec_role_arn) == 0 ? length(var.task_exec_policy_arns) : 0
+  policy_arn = var.task_exec_policy_arns[count.index]
+  role = join("", aws_iam_role.ecs_exec.*.id)
+}
+
 # Service
 ## Security Groups
 resource "aws_security_group" "ecs_service" {
diff --git a/variables.tf b/variables.tf
index a5ac345f..832aee6c 100644
--- a/variables.tf
+++ b/variables.tf
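Review bot: The attachments are keyed by list position — `count = ... length(var.task_policy_arns)` with `policy_arn = var.task_policy_arns[count.index]` — so dropping or reordering one ARN later renumbers every attachment after it, and Terraform detaches and re-attaches those policies on the live task role, a window in which running tasks lose permissions they depend on. Keying by the ARN itself removes that churn: `for_each = local.enabled && length(var.task_role_arn) == 0 ? toset(var.task_policy_arns) : toset([])` and `policy_arn = each.value`, assuming the module already targets a Terraform version with resource-level `for_each`. Either keying still fails at plan time if an ARN is only known after apply (a policy created in the same root module), which is worth stating in the variable description. The `length(var.task_role_arn) == 0` test presumably mirrors the `count` on `aws_iam_role.ecs_task`, whose declaration lies outside the hunk; hoisting both into one `local.create_task_role` would keep the attachment from referencing an empty `join("", ...)` role name if the two conditions ever diverge.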
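Review bot: Nothing bounds what `var.task_exec_policy_arns` may carry: an AWS-managed full-access policy passes straight onto the execution role, and the `permissions_boundary` the README lists as applied to the three generated roles only caps it when the caller sets one. Because this is the role the `task_exec_role_arn` description identifies as the one the ECS/Fargate agent acts under rather than the application, a comment on the resource would help callers keep it narrow — `# Caller-supplied policies land on the execution role unfiltered; scope them to what the agent needs and rely on var.permissions_boundary for a hard cap.` The block repeats the index-keyed `count` pattern of the `ecs_task` attachment above, so whichever keying that one settles on should be applied here too, and the `local.enabled && length(var.task_exec_role_arn) == 0` test is better shared as a local than spelled out twice.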
@@ -128,12 +128,24 @@ variable "task_exec_role_arn" {
   default = ""
 }
 
+variable "task_exec_policy_arns" {
+  type = list(string)
+  description = "A list of IAM Policy ARNs to attach to the generated task execution role."
+  default = []
+}
+
 variable "task_role_arn" {
   type = string
   description = "The ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services"
   default = ""
 }
 
+variable "task_policy_arns" {
+  type = list(string)
+  description = "A list of IAM Policy ARNs to attach to the generated task role."
+  default = []
+}
+
 variable "desired_count" {
   type = number
   description = "The number of instances of the task definition to place and keep running"
From fc97a50bf28efe09247478945cf4a73208ccba62 Mon Sep 17 00:00:00 2001
From: Nuru
Date: Sun, 20 Dec 2020 19:53:22 -0800
Subject: [PATCH 2/3] Update documentation links

---
 variables.tf | 31 ++++++++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)

diff --git a/variables.tf b/variables.tf
index 832aee6c..bc72487e 100644
--- a/variables.tf
+++ b/variables.tf
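Review bot: The new descriptions do not say that the lists are silently ignored when the caller supplies `task_exec_role_arn` or `task_role_arn`, which the commit message states and the `count` guards in main.tf enforce; a user who sets both gets no attachment and no warning. Suggested wording for `task_exec_policy_arns`: `A list of IAM Policy ARNs to attach to the generated task execution role. Ignored when task_exec_role_arn is set; the module never modifies an externally supplied role.` with the parallel sentence for `task_policy_arns`. Both descriptions would also benefit from noting that the ARNs must be known at plan time, since they drive a resource `count`.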
@@ -27,7 +27,13 @@ variable "ecs_load_balancers" {
 
 variable "container_definition_json" {
   type = string
-  description = "A string containing a JSON-encoded array of container definitions (`\"[{ \"name\": \"container1\", ... }, { \"name\": \"container2\", ... }]\"`). See https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html, https://github.com/cloudposse/terraform-aws-ecs-container-definition, or https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#container_definitions"
+  description = <<-EOT
+    A string containing a JSON-encoded array of container definitions
+    (`"[{ "name": "container1", ... }, { "name": "container2", ... }]"`).
+    See [AWS docs](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html),
+    https://github.com/cloudposse/terraform-aws-ecs-container-definition, or
+    [Terraform docs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#container_definitions)
+  EOT
 }
 
 variable "container_port" {
@@ -67,14 +73,20 @@ variable "launch_type" {
 
 variable "platform_version" {
   type = string
-  description = "The platform version on which to run your service. Only applicable for launch_type set to FARGATE. More information about Fargate platform versions can be found in the AWS ECS User Guide."
   default = "LATEST"
+  description = <<-EOT
+    The platform version on which to run your service. Only applicable for launch_type set to FARGATE.
+    More information about Fargate platform versions can be found in the AWS ECS User Guide.
+  EOT
 }
 
 variable "scheduling_strategy" {
   type = string
-  description = "The scheduling strategy to use for the service. The valid values are REPLICA and DAEMON. Note that Fargate tasks do not support the DAEMON scheduling strategy."
   default = "REPLICA"
+  description = <<-EOT
+    The scheduling strategy to use for the service. The valid values are REPLICA and DAEMON.
+    Note that Fargate tasks do not support the DAEMON scheduling strategy.
+  EOT
 }
 
 variable "ordered_placement_strategy" {
@@ -82,8 +94,13 @@ variable "ordered_placement_strategy" {
     type = string
     field = string
   }))
-  description = "Service level strategy rules that are taken into consideration during task placement. List from top to bottom in order of precedence. The maximum number of ordered_placement_strategy blocks is 5. See `ordered_placement_strategy` docs https://www.terraform.io/docs/providers/aws/r/ecs_service.html#ordered_placement_strategy-1"
   default = []
+  description = <<-EOT
+    Service level strategy rules that are taken into consideration during task placement.
+    List from top to bottom in order of precedence. The maximum number of ordered_placement_strategy blocks is 5.
+    See `ordered_placement_strategy` [Terraform docs](
+    https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service#ordered_placement_strategy)
+  EOT
 }
 
 variable "task_placement_constraints" {
@@ -91,8 +108,12 @@ variable "task_placement_constraints" {
     type = string
     expression = string
   }))
-  description = "A set of placement constraints rules that are taken into consideration during task placement. Maximum number of placement_constraints is 10. See `placement_constraints` docs https://www.terraform.io/docs/providers/aws/r/ecs_task_definition.html#placement-constraints-arguments"
   default = []
+  description = <<-EOT
+    A set of placement constraints rules that are taken into consideration during task placement.
+    Maximum number of placement_constraints is 10. See `placement_constraints` [Terraform docs](
+    https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#placement-constraints-arguments)
+  EOT
 }
 
 variable "service_placement_constraints" {
From 11f92825074d53ed25e7a352fec04e959d39ea61 Mon Sep 17 00:00:00 2001
From: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>
Date: Mon, 21 Dec 2020 04:12:30 +0000
Subject: [PATCH 3/3] Auto Format

---
 README.md | 12 +++++++-----
 docs/terraform.md | 12 +++++++-----
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index 6901e2cf..d10b8354 100644
--- a/README.md
+++ b/README.md
@@ -253,7 +253,7 @@ Available targets:
 | assign\_public\_ip | Assign a public IP address to the ENI (Fargate launch type only). Valid values are `true` or `false`. Default `false` | `bool` | `false` | no |
 | attributes | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no |
 | capacity\_provider\_strategies | The capacity provider strategies to use for the service. See `capacity_provider_strategy` configuration block: https://www.terraform.io/docs/providers/aws/r/ecs_service.html#capacity_provider_strategy |

list(object({
capacity_provider = string
weight = number
base = number
}))
| `[]` | no | -| container\_definition\_json | A string containing a JSON-encoded array of container definitions (`"[{ "name": "container1", ... }, { "name": "container2", ... }]"`). See https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html, https://github.com/cloudposse/terraform-aws-ecs-container-definition, or https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#container_definitions | `string` | n/a | yes | +| container\_definition\_json | A string containing a JSON-encoded array of container definitions
(`"[{ "name": "container1", ... }, { "name": "container2", ... }]"`).
See [AWS docs](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html),
https://github.com/cloudposse/terraform-aws-ecs-container-definition, or
[Terraform docs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#container_definitions) | `string` | n/a | yes | | container\_port | The port on the container to allow via the ingress security group | `number` | `80` | no | | context | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. |
object({
enabled = bool
namespace = string
environment = string
stage = string
name = string
delimiter = string
attributes = list(string)
tags = map(string)
additional_tag_map = map(string)
regex_replace_chars = string
label_order = list(string)
id_length_limit = number
})
|
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_order": [],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | | delimiter | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | @@ -278,13 +278,13 @@ Available targets: | network\_mode | The network mode to use for the task. This is required to be `awsvpc` for `FARGATE` `launch_type` | `string` | `"awsvpc"` | no | | nlb\_cidr\_blocks | A list of CIDR blocks to add to the ingress rule for the NLB container port | `list(string)` | `[]` | no | | nlb\_container\_port | The port on the container to allow via the ingress security group | `number` | `80` | no | -| ordered\_placement\_strategy | Service level strategy rules that are taken into consideration during task placement. List from top to bottom in order of precedence. The maximum number of ordered\_placement\_strategy blocks is 5. See `ordered_placement_strategy` docs https://www.terraform.io/docs/providers/aws/r/ecs_service.html#ordered_placement_strategy-1 |
list(object({
type = string
field = string
}))
| `[]` | no | +| ordered\_placement\_strategy | Service level strategy rules that are taken into consideration during task placement.
List from top to bottom in order of precedence. The maximum number of ordered\_placement\_strategy blocks is 5.
See `ordered_placement_strategy` [Terraform docs](
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service#ordered_placement_strategy) |
list(object({
type = string
field = string
}))
| `[]` | no | | permissions\_boundary | A permissions boundary ARN to apply to the 3 roles that are created. | `string` | `""` | no | -| platform\_version | The platform version on which to run your service. Only applicable for launch\_type set to FARGATE. More information about Fargate platform versions can be found in the AWS ECS User Guide. | `string` | `"LATEST"` | no | +| platform\_version | The platform version on which to run your service. Only applicable for launch\_type set to FARGATE.
More information about Fargate platform versions can be found in the AWS ECS User Guide. | `string` | `"LATEST"` | no | | propagate\_tags | Specifies whether to propagate the tags from the task definition or the service to the tasks. The valid values are SERVICE and TASK\_DEFINITION | `string` | `null` | no | | proxy\_configuration | The proxy configuration details for the App Mesh proxy. See `proxy_configuration` docs https://www.terraform.io/docs/providers/aws/r/ecs_task_definition.html#proxy-configuration-arguments |
object({
type = string
container_name = string
properties = map(string)
})
| `null` | no | | regex\_replace\_chars | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| scheduling\_strategy | The scheduling strategy to use for the service. The valid values are REPLICA and DAEMON. Note that Fargate tasks do not support the DAEMON scheduling strategy. | `string` | `"REPLICA"` | no | +| scheduling\_strategy | The scheduling strategy to use for the service. The valid values are REPLICA and DAEMON.
Note that Fargate tasks do not support the DAEMON scheduling strategy. | `string` | `"REPLICA"` | no | | security\_group\_ids | Security group IDs to allow in Service `network_configuration` | `list(string)` | `[]` | no | | service\_placement\_constraints | The rules that are taken into consideration during task placement. Maximum number of placement\_constraints is 10. See `placement_constraints` docs https://www.terraform.io/docs/providers/aws/r/ecs_service.html#placement_constraints-1 |
list(object({
type = string
expression = string
}))
| `[]` | no | | service\_registries | The service discovery registries for the service. The maximum number of service\_registries blocks is 1. The currently supported service registry is Amazon Route 53 Auto Naming Service - `aws_service_discovery_service`; see `service_registries` docs https://www.terraform.io/docs/providers/aws/r/ecs_service.html#service_registries-1 |
list(object({
registry_arn = string
port = number
container_name = string
container_port = number
}))
| `[]` | no | @@ -292,9 +292,11 @@ Available targets: | subnet\_ids | Subnet IDs | `list(string)` | n/a | yes | | tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | | task\_cpu | The number of CPU units used by the task. If using `FARGATE` launch type `task_cpu` must match supported memory values (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) | `number` | `256` | no | +| task\_exec\_policy\_arns | A list of IAM Policy ARNs to attach to the generated task execution role. | `list(string)` | `[]` | no | | task\_exec\_role\_arn | The ARN of IAM role that allows the ECS/Fargate agent to make calls to the ECS API on your behalf | `string` | `""` | no | | task\_memory | The amount of memory (in MiB) used by the task. If using Fargate launch type `task_memory` must match supported cpu value (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) | `number` | `512` | no | -| task\_placement\_constraints | A set of placement constraints rules that are taken into consideration during task placement. Maximum number of placement\_constraints is 10. See `placement_constraints` docs https://www.terraform.io/docs/providers/aws/r/ecs_task_definition.html#placement-constraints-arguments |
list(object({
type = string
expression = string
}))
| `[]` | no | +| task\_placement\_constraints | A set of placement constraints rules that are taken into consideration during task placement.
Maximum number of placement\_constraints is 10. See `placement_constraints` [Terraform docs](
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#placement-constraints-arguments) |
list(object({
type = string
expression = string
}))
| `[]` | no | +| task\_policy\_arns | A list of IAM Policy ARNs to attach to the generated task role. | `list(string)` | `[]` | no | | task\_role\_arn | The ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services | `string` | `""` | no | | use\_alb\_security\_group | A flag to enable/disable adding the ingress rule to the ALB security group | `bool` | `false` | no | | use\_nlb\_cidr\_blocks | A flag to enable/disable adding the NLB ingress rule to the security group | `bool` | `false` | no | diff --git a/docs/terraform.md b/docs/terraform.md index cd5a9ddf..5c537e73 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -24,7 +24,7 @@ | assign\_public\_ip | Assign a public IP address to the ENI (Fargate launch type only). Valid values are `true` or `false`. Default `false` | `bool` | `false` | no | | attributes | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | | capacity\_provider\_strategies | The capacity provider strategies to use for the service. See `capacity_provider_strategy` configuration block: https://www.terraform.io/docs/providers/aws/r/ecs_service.html#capacity_provider_strategy |
list(object({
capacity_provider = string
weight = number
base = number
}))
| `[]` | no | -| container\_definition\_json | A string containing a JSON-encoded array of container definitions (`"[{ "name": "container1", ... }, { "name": "container2", ... }]"`). See https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html, https://github.com/cloudposse/terraform-aws-ecs-container-definition, or https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#container_definitions | `string` | n/a | yes | +| container\_definition\_json | A string containing a JSON-encoded array of container definitions
(`"[{ "name": "container1", ... }, { "name": "container2", ... }]"`).
See [AWS docs](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html),
https://github.com/cloudposse/terraform-aws-ecs-container-definition, or
[Terraform docs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#container_definitions) | `string` | n/a | yes | | container\_port | The port on the container to allow via the ingress security group | `number` | `80` | no | | context | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. |
object({
enabled = bool
namespace = string
environment = string
stage = string
name = string
delimiter = string
attributes = list(string)
tags = map(string)
additional_tag_map = map(string)
regex_replace_chars = string
label_order = list(string)
id_length_limit = number
})
|
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_order": [],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | | delimiter | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | @@ -49,13 +49,13 @@ | network\_mode | The network mode to use for the task. This is required to be `awsvpc` for `FARGATE` `launch_type` | `string` | `"awsvpc"` | no | | nlb\_cidr\_blocks | A list of CIDR blocks to add to the ingress rule for the NLB container port | `list(string)` | `[]` | no | | nlb\_container\_port | The port on the container to allow via the ingress security group | `number` | `80` | no | -| ordered\_placement\_strategy | Service level strategy rules that are taken into consideration during task placement. List from top to bottom in order of precedence. The maximum number of ordered\_placement\_strategy blocks is 5. See `ordered_placement_strategy` docs https://www.terraform.io/docs/providers/aws/r/ecs_service.html#ordered_placement_strategy-1 |
list(object({
type = string
field = string
}))
| `[]` | no | +| ordered\_placement\_strategy | Service level strategy rules that are taken into consideration during task placement.
List from top to bottom in order of precedence. The maximum number of ordered\_placement\_strategy blocks is 5.
See `ordered_placement_strategy` [Terraform docs](
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service#ordered_placement_strategy) |
list(object({
type = string
field = string
}))
| `[]` | no | | permissions\_boundary | A permissions boundary ARN to apply to the 3 roles that are created. | `string` | `""` | no | -| platform\_version | The platform version on which to run your service. Only applicable for launch\_type set to FARGATE. More information about Fargate platform versions can be found in the AWS ECS User Guide. | `string` | `"LATEST"` | no | +| platform\_version | The platform version on which to run your service. Only applicable for launch\_type set to FARGATE.
More information about Fargate platform versions can be found in the AWS ECS User Guide. | `string` | `"LATEST"` | no | | propagate\_tags | Specifies whether to propagate the tags from the task definition or the service to the tasks. The valid values are SERVICE and TASK\_DEFINITION | `string` | `null` | no | | proxy\_configuration | The proxy configuration details for the App Mesh proxy. See `proxy_configuration` docs https://www.terraform.io/docs/providers/aws/r/ecs_task_definition.html#proxy-configuration-arguments |
object({
type = string
container_name = string
properties = map(string)
})
| `null` | no | | regex\_replace\_chars | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| scheduling\_strategy | The scheduling strategy to use for the service. The valid values are REPLICA and DAEMON. Note that Fargate tasks do not support the DAEMON scheduling strategy. | `string` | `"REPLICA"` | no | +| scheduling\_strategy | The scheduling strategy to use for the service. The valid values are REPLICA and DAEMON.
Note that Fargate tasks do not support the DAEMON scheduling strategy. | `string` | `"REPLICA"` | no | | security\_group\_ids | Security group IDs to allow in Service `network_configuration` | `list(string)` | `[]` | no | | service\_placement\_constraints | The rules that are taken into consideration during task placement. Maximum number of placement\_constraints is 10. See `placement_constraints` docs https://www.terraform.io/docs/providers/aws/r/ecs_service.html#placement_constraints-1 |
list(object({
type = string
expression = string
}))
| `[]` | no | | service\_registries | The service discovery registries for the service. The maximum number of service\_registries blocks is 1. The currently supported service registry is Amazon Route 53 Auto Naming Service - `aws_service_discovery_service`; see `service_registries` docs https://www.terraform.io/docs/providers/aws/r/ecs_service.html#service_registries-1 |
list(object({
registry_arn = string
port = number
container_name = string
container_port = number
}))
| `[]` | no | @@ -63,9 +63,11 @@ | subnet\_ids | Subnet IDs | `list(string)` | n/a | yes | | tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | | task\_cpu | The number of CPU units used by the task. If using `FARGATE` launch type `task_cpu` must match supported memory values (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) | `number` | `256` | no | +| task\_exec\_policy\_arns | A list of IAM Policy ARNs to attach to the generated task execution role. | `list(string)` | `[]` | no | | task\_exec\_role\_arn | The ARN of IAM role that allows the ECS/Fargate agent to make calls to the ECS API on your behalf | `string` | `""` | no | | task\_memory | The amount of memory (in MiB) used by the task. If using Fargate launch type `task_memory` must match supported cpu value (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) | `number` | `512` | no | -| task\_placement\_constraints | A set of placement constraints rules that are taken into consideration during task placement. Maximum number of placement\_constraints is 10. See `placement_constraints` docs https://www.terraform.io/docs/providers/aws/r/ecs_task_definition.html#placement-constraints-arguments |
list(object({
type = string
expression = string
}))
| `[]` | no | +| task\_placement\_constraints | A set of placement constraints rules that are taken into consideration during task placement.
Maximum number of placement\_constraints is 10. See `placement_constraints` [Terraform docs](
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#placement-constraints-arguments) |
list(object({
type = string
expression = string
}))
| `[]` | no | +| task\_policy\_arns | A list of IAM Policy ARNs to attach to the generated task role. | `list(string)` | `[]` | no | | task\_role\_arn | The ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services | `string` | `""` | no | | use\_alb\_security\_group | A flag to enable/disable adding the ingress rule to the ALB security group | `bool` | `false` | no | | use\_nlb\_cidr\_blocks | A flag to enable/disable adding the NLB ingress rule to the security group | `bool` | `false` | no |