From ee5b6f0b1ec9253cc22d59e133ee7a482edc4b0b Mon Sep 17 00:00:00 2001 From: Bruno da Silva Valenga Date: Fri, 23 Feb 2024 17:06:24 +1100 Subject: [PATCH 1/4] Include IAM roles for task definition --- _variables.tf | 21 +++++------- ecs-task-definition.tf | 10 ++++-- iam-ecs-task-attach.tf | 43 ++++++++++++++++++++++++ iam-ecs-task.tf | 74 ++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 133 insertions(+), 15 deletions(-) create mode 100644 iam-ecs-task-attach.tf create mode 100644 iam-ecs-task.tf diff --git a/_variables.tf b/_variables.tf index a0dd661..747db79 100644 --- a/_variables.tf +++ b/_variables.tf @@ -12,16 +12,6 @@ variable "cpu" { description = "Hard limit for CPU for the container" } -variable "deployment_maximum_percent" { - default = "100" - description = "Deployment maximum percentage" -} - -variable "deployment_minimum_healthy_percent" { - default = "0" - description = "Deployment minumum health percentage" -} - variable "desired_count" { default = 1 description = "Number of containers (tasks) to run" @@ -138,7 +128,12 @@ variable "security_groups" { description = "The security groups associated with the task or service" } -variable "without_capacity_provider" { - default = false - description = "Launch service without capacity provider" +variable "task_role_policies_managed" { + default = [] + description = "AWS Managed policies to be added on the task role." +} + +variable "task_role_policies" { + default = [] + description = "Custom policies to be added on the task role." } \ No newline at end of file diff --git a/ecs-task-definition.tf b/ecs-task-definition.tf index 3e25512..32f69ce 100644 --- a/ecs-task-definition.tf +++ b/ecs-task-definition.tf 
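Review bot: The second hunk deletes `variable "without_capacity_provider"`, yet ecs-service.tf still reads `var.without_capacity_provider` (visible in the lint hunk of PATCH 3/4), and as far as I recall `try()` only catches dynamic evaluation errors, not a reference to an undeclared input variable, so `terraform validate` is expected to fail after this series unless the variable is declared somewhere not shown. Either keep the declaration or remove the `capacity_provider_strategy` guard together with it; the removed `deployment_*` variables may have the same problem in ecs-service.tf, which this series does not show. The two new variables are untyped with `default = []`, while iam-ecs-task-attach.tf indexes `.name`, `.policy_arn` and `.statement[*].actions/resources/effect` on their elements, so a malformed entry surfaces as an obscure error inside a `for_each` rather than at the variable boundary. Declare `type = list(object({ name = string, policy_arn = string }))` for `task_role_policies_managed` and the matching object type (with `optional()` for `sid`, `effect`, `condition`) for `task_role_policies`, and say in each description what the elements look like.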
@@ -3,8 +3,8 @@ resource "aws_ecs_task_definition" "default" { family = "${var.cluster_name}-${var.name}" - execution_role_arn = var.task_role_arn - task_role_arn = var.task_role_arn + execution_role_arn = aws_iam_role.ecs_task.arn + task_role_arn = aws_iam_role.ecs_task.arn requires_compatibilities = [var.launch_type] @@ -31,4 +31,10 @@ resource "aws_ecs_task_definition" "default" { } ] EOT + +lifecycle { + ignore_changes = [ + container_definitions + ] + } } diff --git a/iam-ecs-task-attach.tf b/iam-ecs-task-attach.tf new file mode 100644 index 0000000..de5fb91 --- /dev/null +++ b/iam-ecs-task-attach.tf 
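Review bot: `execution_role_arn` and `task_role_arn` are both pointed at `aws_iam_role.ecs_task`, so every managed and custom policy attached via the `task_role_policies*` variables is also granted to the ECS agent for image pull and log delivery, and whatever the execution role itself carries is exposed to the application containers. Least privilege wants two roles here: an execution role with only the ECS execution permissions and a task role with the caller-supplied policies, which in this module means a second `aws_iam_role` and moving the `task_role_attach_policy_*` attachments onto it. The conflation existed before (both attributes read `var.task_role_arn`), but now that the module creates the role this is the natural place to split it. The added `lifecycle { ignore_changes = [container_definitions] }` means later image or environment changes in this file are never applied by Terraform; a comment such as `# container_definitions is only seeded here; the deployment pipeline owns it afterwards` above the block would make that intent explicit. The enclosing resource starts and ends outside the two hunks.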
@@ -0,0 +1,43 @@ +# Attach AWS managed policies to the role +resource "aws_iam_role_policy_attachment" "task_role_attach_policy_managed" { + for_each = { for role in try(var.task_role_policies_managed, []) : role.name => role } + role = aws_iam_role.ecs_task.name + policy_arn = each.value.policy_arn +} + +data "aws_iam_policy_document" "task_role_policy_custom" { + for_each = { for policy in try(var.task_role_policies, []) : policy.name => policy } + + dynamic "statement" { + for_each = try(each.value.statement, []) + content { + sid = statement.value.sid + actions = statement.value.actions + resources = statement.value.resources + effect = statement.value.effect + + dynamic "condition" { + for_each = try(statement.value.condition, []) + content { + test = condition.value.test + variable = condition.value.variable + values = condition.value.values + } + + } + } + } +} + +resource "aws_iam_policy" "task_role_policy_custom" { + for_each = { for policy in try(var.task_role_policies, []) : policy.name => policy } + name = "ecs-${each.value.name}-${var.cluster_name}-${var.name}-${data.aws_region.current.name}" + description = try(each.value.description, "") + policy = data.aws_iam_policy_document.task_role_policy_custom[each.value.name].json +} + +resource "aws_iam_role_policy_attachment" "task_role_attach_policy_custom" { + for_each = { for policy in try(var.task_role_policies, []) : policy.name => policy } + role = aws_iam_role.ecs_task.name + policy_arn = aws_iam_policy.task_role_policy_custom[each.value.name].arn +} \ No newline at end of file diff --git a/iam-ecs-task.tf b/iam-ecs-task.tf new file mode 100644 index 0000000..3340732 --- /dev/null +++ b/iam-ecs-task.tf 
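Review bot: In `data "aws_iam_policy_document" "task_role_policy_custom"` the `sid` and `effect` attributes are read unconditionally (`statement.value.sid`, `statement.value.effect`) while `condition` is wrapped in `try()`, so a caller who omits the optional `sid` or relies on the provider's default effect gets an unsupported-attribute error at plan time; `sid = try(statement.value.sid, null)` and `effect = try(statement.value.effect, null)` make the three consistent. Caller-supplied `actions` and `resources` are passed straight into a policy attached to the task role with no guardrail, so a `validation` block on `var.task_role_policies` that rejects a statement combining wildcard `actions` with `resources = ["*"]`, or at minimum a header comment stating that the module does not constrain what callers attach, is worth adding. The `aws_iam_policy` `name` concatenates `each.value.name`, `var.cluster_name`, `var.name` and the region; IAM policy names are limited to 128 characters, so long inputs fail only at apply — `name_prefix` or a `substr()` on the joined value avoids that. The `try(var.task_role_policies, [])` wrappers in each `for_each` are redundant once the variables have defaults and can be dropped for readability.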
@@ -0,0 +1,74 @@ +resource "aws_iam_role" "ecs_task" { + name = "ecs-task-${var.cluster_name}-${var.name}-${data.aws_region.current.name}" + + assume_role_policy = < Date: Fri, 23 Feb 2024 17:07:48 +1100 Subject: [PATCH 2/4] Remove old values --- _variables.tf | 8 -------- 1 file changed, 8 deletions(-) diff --git a/_variables.tf b/_variables.tf index 747db79..90aa8e7 100644 --- a/_variables.tf +++ b/_variables.tf @@ -21,14 +21,6 @@ variable "cluster_name" { default = "Name of existing ECS Cluster to deploy this app to" } -variable "service_role_arn" { - description = "Existing service role ARN created by ECS cluster module" -} - -variable "task_role_arn" { - description = "Existing task role ARN created by ECS cluster module" -} - variable "image" { description = "Docker image to deploy (can be a placeholder)" default = "dnxsolutions/nginx-hello:latest" From c1083a40fb66e1788ab818e955d3daf3f9d47aed Mon Sep 17 00:00:00 2001 From: Bruno da Silva Valenga Date: Fri, 23 Feb 2024 17:08:02 +1100 Subject: [PATCH 3/4] lint --- ecs-service.tf | 2 +- ecs-task-definition.tf | 2 +- iam-ecs-task.tf | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ecs-service.tf b/ecs-service.tf index 9c57d88..45f193e 100644 --- a/ecs-service.tf +++ b/ecs-service.tf @@ -34,7 +34,7 @@ resource "aws_ecs_service" "default" { } dynamic "capacity_provider_strategy" { - for_each = try(var.without_capacity_provider,false) ? [] : ["1"] + for_each = try(var.without_capacity_provider, false) ? [] : ["1"] content { capacity_provider = var.launch_type == "FARGATE" ? (var.fargate_spot ? "FARGATE_SPOT" : "FARGATE") : "${var.cluster_name}-capacity-provider" weight = 1 diff --git a/ecs-task-definition.tf b/ecs-task-definition.tf index 32f69ce..b71aaaf 100644 --- a/ecs-task-definition.tf +++ b/ecs-task-definition.tf @@ -32,7 +32,7 @@ resource "aws_ecs_task_definition" "default" { ] EOT -lifecycle { + lifecycle { ignore_changes = [ container_definitions ] 
diff --git a/iam-ecs-task.tf b/iam-ecs-task.tf index 3340732..1eabf4f 100644 --- a/iam-ecs-task.tf +++ b/iam-ecs-task.tf @@ -1,5 +1,5 @@ resource "aws_iam_role" "ecs_task" { - name = "ecs-task-${var.cluster_name}-${var.name}-${data.aws_region.current.name}" + name = "ecs-task-${var.cluster_name}-${var.name}-${data.aws_region.current.name}" assume_role_policy = < Date: Fri, 23 Feb 2024 06:09:05 +0000 Subject: [PATCH 4/4] terraform-docs: automated update action --- README.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 114d006..101a778 100644 --- a/README.md +++ b/README.md @@ -55,8 +55,6 @@ In addition you have the option to create or not : | cloudwatch\_logs\_retention | Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | `number` | `120` | no | | cluster\_name | n/a | `string` | `"Name of existing ECS Cluster to deploy this app to"` | no | | cpu | Hard limit for CPU for the container | `string` | `"0"` | no | -| deployment\_maximum\_percent | Deployment maximum percentage | `string` | `"100"` | no | -| deployment\_minimum\_healthy\_percent | Deployment minumum health percentage | `string` | `"0"` | no | | desired\_count | Number of containers (tasks) to run | `number` | `1` | no | | fargate\_spot | Set true to use FARGATE\_SPOT capacity provider by default (only when launch\_type=FARGATE) | `bool` | `false` | no | | image | Docker image to deploy (can be a placeholder) | `string` | `"dnxsolutions/nginx-hello:latest"` | no | @@ -71,11 +69,10 @@ In addition you have the option to create or not : | ordered\_placement\_strategy | Service level strategy rules that are taken into consideration during task placement. List from top to bottom in order of precedence. The maximum number of ordered\_placement\_strategy blocks is 5. |
list(object({
field = string
expression = string
}))
| `[]` | no | | placement\_constraints | Rules that are taken into consideration during task placement. Maximum number of placement\_constraints is 10. |
list(object({
type = string
expression = string
}))
| `[]` | no | | security\_groups | The security groups associated with the task or service | `any` | `null` | no | -| service\_role\_arn | Existing service role ARN created by ECS cluster module | `any` | n/a | yes | | subnets | The subnets associated with the task or service. (REQUIRED IF 'LAUCH\_TYPE' IS FARGATE) | `any` | `null` | no | -| task\_role\_arn | Existing task role ARN created by ECS cluster module | `any` | n/a | yes | +| task\_role\_policies | Custom policies to be added on the task role. | `list` | `[]` | no | +| task\_role\_policies\_managed | AWS Managed policies to be added on the task role. | `list` | `[]` | no | | vpc\_id | VPC ID to deploy this app to | `any` | n/a | yes | -| without\_capacity\_provider | Launch service without capacity provider | `bool` | n/a | no | ## Outputs