Merge pull request #46 from DNXLabs/feature/dynamic_role

Feature/dynamic_role

README.md

@@ -143,13 +143,15 @@ In addition you have the option to create or not :
 | service\_deployment\_minimum\_healthy\_percent | Minimum healthy percentage during deployments | `number` | `100` | no |
 | service\_desired\_count | Desired count for this service (for use when auto scaling is disabled) | `number` | `1` | no |
 | service\_health\_check\_grace\_period\_seconds | Time until your container starts serving requests | `number` | `0` | no |
-| service\_role\_arn | Existing service role ARN created by ECS cluster module | `any` | n/a | yes |
+| service\_role\_arn | Existing service role ARN created by ECS cluster module | `any` | `null` | no |
 | source\_ips | List of source ip to use on listerner rule | `list` | `[]` | no |
 | ssm\_variables | Map of variables and SSM locations to add to the task definition | `map(string)` | `{}` | no |
 | static\_variables | Map of variables and static values to add to the task definition | `map(string)` | `{}` | no |
 | subnets | The subnets associated with the task or service. (REQUIRED IF 'LAUCH\_TYPE' IS FARGATE) | `any` | `null` | no |
 | task\_definition\_arn | Task definition to use for this service (optional) | `string` | `""` | no |
-| task\_role\_arn | Existing task role ARN created by ECS cluster module | `any` | n/a | yes |
+| task\_role\_arn | Existing task role ARN created by ECS cluster module | `any` | `null` | no |
+| task\_role\_policies | Custom policies to be added on the task role. | `list` | `[]` | no |
+| task\_role\_policies\_managed | AWS Managed policies to be added on the task role. | `list` | `[]` | no |
 | test\_traffic\_route\_listener\_arn | ALB HTTPS Listener for Test Traffic created by ECS cluster module | `any` | n/a | yes |
 | ulimits | Container ulimit settings. This is a list of maps, where each map should contain "name", "hardLimit" and "softLimit" | <pre>list(object({<br>    name      = string<br>    hardLimit = number<br>    softLimit = number<br>  }))</pre> | `null` | no |
 | unhealthy\_threshold | The number of consecutive health check failures required before considering the target unhealthy | `number` | `3` | no |

_variables.tf

@@ -89,6 +89,7 @@ variable "cluster_name" {
 
 variable "service_role_arn" {
   description = "Existing service role ARN created by ECS cluster module"
+  default     = null
 }
 
 variable "codedeploy_role_arn" {
@@ -98,6 +99,7 @@ variable "codedeploy_role_arn" {
 
 variable "task_role_arn" {
   description = "Existing task role ARN created by ECS cluster module"
+  default     = null
 }
 
 variable "service_health_check_grace_period_seconds" {
@@ -503,4 +505,14 @@ variable "schedule_cron_stop" {
   type        = string
   default     = ""
   description = "Cron expression to define when to trigger a stop of the auto-scaling group. E.g. 'cron(00 09 ? * MON-FRI *)' to start at 8am UTC time"
+}
+
+variable "task_role_policies_managed" {
+  default     = []
+  description = "AWS Managed policies to be added on the task role."
+}
+
+variable "task_role_policies" {
+  default     = []
+  description = "Custom policies to be added on the task role."
 }

alb-target-group.tf

@@ -150,7 +150,7 @@ resource "random_string" "alb_prefix" {
 }
 
 resource "aws_lb_target_group" "green" {
-  name                 = var.compat_keep_target_group_naming ? "${var.cluster_name}-${var.name}-gr" : format("%s-gr-%s", substr("${var.cluster_name}-${var.name}", 0, 24), random_string.alb_prefix.result)
+  name                 = var.compat_keep_target_group_naming ? "${var.cluster_name}-${var.name}-gr" : format("%s-gr-%s", substr("${var.cluster_name}-${replace(var.name, "_", "-")}", 0, 24), random_string.alb_prefix.result)
   port                 = var.port
   protocol             = var.protocol
   vpc_id               = var.vpc_id
@@ -180,7 +180,7 @@ resource "aws_lb_target_group" "green" {
 }
 
 resource "aws_lb_target_group" "blue" {
-  name                 = var.compat_keep_target_group_naming ? "${var.cluster_name}-${var.name}-bl" : format("%s-bl-%s", substr("${var.cluster_name}-${var.name}", 0, 24), random_string.alb_prefix.result)
+  name                 = var.compat_keep_target_group_naming ? "${var.cluster_name}-${var.name}-bl" : format("%s-bl-%s", substr("${var.cluster_name}-${replace(var.name, "_", "-")}", 0, 24), random_string.alb_prefix.result)
   port                 = var.port
   protocol             = var.protocol
   vpc_id               = var.vpc_id
@@ -207,4 +207,4 @@ resource "aws_lb_target_group" "blue" {
       type            = stickiness.value.type
     }
   }
-}
+}

ecs-task-definition.tf

@@ -3,8 +3,8 @@ resource "aws_ecs_task_definition" "default" {
 
   family = "${var.cluster_name}-${var.name}"
 
-  execution_role_arn = var.task_role_arn
-  task_role_arn      = var.task_role_arn
+  execution_role_arn = var.task_role_arn != null ? var.task_role_arn : aws_iam_role.ecs_task[0].arn
+  task_role_arn      = var.task_role_arn != null ? var.task_role_arn : aws_iam_role.ecs_task[0].arn
 
   requires_compatibilities = [var.launch_type]
 

iam-ecs-service.tf

@@ -0,0 +1,45 @@
+resource "aws_iam_role" "ecs_service" {
+  count = var.service_role_arn != null ? 0 : 1
+  name  = "ecs-service-${var.cluster_name}-${var.name}-${data.aws_region.current.name}"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ecs.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+data "aws_iam_policy_document" "ecs_service_policy" {
+  count = var.service_role_arn != null ? 0 : 1
+  statement {
+    effect    = "Allow"
+    resources = ["*"]
+
+    actions = [
+      "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+      "elasticloadbalancing:DeregisterTargets",
+      "elasticloadbalancing:Describe*",
+      "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+      "elasticloadbalancing:RegisterTargets",
+      "ec2:Describe*",
+      "ec2:AuthorizeSecurityGroupIngress",
+    ]
+  }
+}
+
+resource "aws_iam_role_policy" "ecs_service_role_policy" {
+  count  = var.service_role_arn != null ? 0 : 1
+  name   = "ecs_service_role_policy-${var.name}"
+  policy = data.aws_iam_policy_document.ecs_service_policy[0].json
+  role   = aws_iam_role.ecs_service[0].id
+}

iam-ecs-task-attach.tf

@@ -0,0 +1,43 @@
+# Attach AWS managed policies to the role
+resource "aws_iam_role_policy_attachment" "task_role_attach_policy_managed" {
+  for_each   = { for role in try(var.task_role_policies_managed, []) : role.name => role }
+  role       = aws_iam_role.ecs_task[0].name
+  policy_arn = each.value.policy_arn
+}
+
+data "aws_iam_policy_document" "task_role_policy_custom" {
+  for_each = { for policy in try(var.task_role_policies, []) : policy.name => policy }
+
+  dynamic "statement" {
+    for_each = try(each.value.statement, [])
+    content {
+      sid       = statement.value.sid
+      actions   = statement.value.actions
+      resources = statement.value.resources
+      effect    = statement.value.effect
+
+      dynamic "condition" {
+        for_each = try(statement.value.condition, [])
+        content {
+          test     = condition.value.test
+          variable = condition.value.variable
+          values   = condition.value.values
+        }
+
+      }
+    }
+  }
+}
+
+resource "aws_iam_policy" "task_role_policy_custom" {
+  for_each    = { for policy in try(var.task_role_policies, []) : policy.name => policy }
+  name        = "ecs-${each.value.name}-${var.cluster_name}-${var.name}-${data.aws_region.current.name}"
+  description = try(each.value.description, "")
+  policy      = data.aws_iam_policy_document.task_role_policy_custom[each.value.name].json
+}
+
+resource "aws_iam_role_policy_attachment" "task_role_attach_policy_custom" {
+  for_each   = { for policy in try(var.task_role_policies, []) : policy.name => policy }
+  role       = aws_iam_role.ecs_task[0].name
+  policy_arn = aws_iam_policy.task_role_policy_custom[each.value.name].arn
+}

iam-ecs-task.tf

@@ -0,0 +1,77 @@
+resource "aws_iam_role" "ecs_task" {
+  count = var.task_role_arn != null ? 0 : 1
+  name  = "ecs-task-${var.cluster_name}-${var.name}-${data.aws_region.current.name}"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ecs-tasks.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_task" {
+  count      = var.task_role_arn != null ? 0 : 1
+  role       = aws_iam_role.ecs_task[0].name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+
+  depends_on = [aws_iam_role.ecs_task]
+}
+
+resource "aws_iam_role_policy" "ssm_policy" {
+  count = var.task_role_arn != null ? 0 : 1
+  name  = "ecs-ssm-policy"
+  role  = aws_iam_role.ecs_task[0].name
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:GetResourcePolicy",
+        "secretsmanager:GetSecretValue",
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:ListSecretVersionIds"
+      ],
+      "Resource": [
+        "*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ssm:GetParameters"
+      ],
+      "Resource": [
+        "arn:aws:ssm:*:*:parameter/*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ssmmessages:CreateControlChannel",
+        "ssmmessages:CreateDataChannel",
+        "ssmmessages:OpenControlChannel",
+        "ssmmessages:OpenDataChannel"
+      ],
+      "Resource": [
+        "*"
+      ]
+    }
+  ]
+}
+EOF
+
+  depends_on = [aws_iam_role.ecs_task]
+}