Merge pull request #12 from DNXLabs/feature/iam_role

Feature/iam role

README.md

@@ -55,8 +55,6 @@ In addition you have the option to create or not :
 | cloudwatch\_logs\_retention | Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | `number` | `120` | no |
 | cluster\_name | n/a | `string` | `"Name of existing ECS Cluster to deploy this app to"` | no |
 | cpu | Hard limit for CPU for the container | `string` | `"0"` | no |
-| deployment\_maximum\_percent | Deployment maximum percentage | `string` | `"100"` | no |
-| deployment\_minimum\_healthy\_percent | Deployment minumum health percentage | `string` | `"0"` | no |
 | desired\_count | Number of containers (tasks) to run | `number` | `1` | no |
 | fargate\_spot | Set true to use FARGATE\_SPOT capacity provider by default (only when launch\_type=FARGATE) | `bool` | `false` | no |
 | image | Docker image to deploy (can be a placeholder) | `string` | `"dnxsolutions/nginx-hello:latest"` | no |
@@ -71,11 +69,10 @@ In addition you have the option to create or not :
 | ordered\_placement\_strategy | Service level strategy rules that are taken into consideration during task placement. List from top to bottom in order of precedence. The maximum number of ordered\_placement\_strategy blocks is 5. | <pre>list(object({<br>    field      = string<br>    expression = string<br>  }))</pre> | `[]` | no |
 | placement\_constraints | Rules that are taken into consideration during task placement. Maximum number of placement\_constraints is 10. | <pre>list(object({<br>    type       = string<br>    expression = string<br>  }))</pre> | `[]` | no |
 | security\_groups | The security groups associated with the task or service | `any` | `null` | no |
-| service\_role\_arn | Existing service role ARN created by ECS cluster module | `any` | n/a | yes |
 | subnets | The subnets associated with the task or service. (REQUIRED IF 'LAUCH\_TYPE' IS FARGATE) | `any` | `null` | no |
-| task\_role\_arn | Existing task role ARN created by ECS cluster module | `any` | n/a | yes |
+| task\_role\_policies | Custom policies to be added on the task role. | `list` | `[]` | no |
+| task\_role\_policies\_managed | AWS Managed policies to be added on the task role. | `list` | `[]` | no |
 | vpc\_id | VPC ID to deploy this app to | `any` | n/a | yes |
-| without\_capacity\_provider | Launch service without capacity provider | `bool` | n/a | no |
 
 ## Outputs
 

_variables.tf

@@ -12,16 +12,6 @@ variable "cpu" {
   description = "Hard limit for CPU for the container"
 }
 
-variable "deployment_maximum_percent" {
-  default     = "100"
-  description = "Deployment maximum percentage"
-}
-
-variable "deployment_minimum_healthy_percent" {
-  default     = "0"
-  description = "Deployment minumum health percentage"
-}
-
 variable "desired_count" {
   default     = 1
   description = "Number of containers (tasks) to run"
@@ -31,14 +21,6 @@ variable "cluster_name" {
   default = "Name of existing ECS Cluster to deploy this app to"
 }
 
-variable "service_role_arn" {
-  description = "Existing service role ARN created by ECS cluster module"
-}
-
-variable "task_role_arn" {
-  description = "Existing task role ARN created by ECS cluster module"
-}
-
 variable "image" {
   description = "Docker image to deploy (can be a placeholder)"
   default     = "dnxsolutions/nginx-hello:latest"
@@ -138,7 +120,12 @@ variable "security_groups" {
   description = "The security groups associated with the task or service"
 }
 
-variable "without_capacity_provider" {
-  default = false
-  description = "Launch service without capacity provider"
+variable "task_role_policies_managed" {
+  default     = []
+  description = "AWS Managed policies to be added on the task role."
+}
+
+variable "task_role_policies" {
+  default     = []
+  description = "Custom policies to be added on the task role."
 }

ecs-service.tf

@@ -34,7 +34,7 @@ resource "aws_ecs_service" "default" {
   }
 
   dynamic "capacity_provider_strategy" {
-    for_each = try(var.without_capacity_provider,false) ? [] : ["1"]
+    for_each = try(var.without_capacity_provider, false) ? [] : ["1"]
     content {
       capacity_provider = var.launch_type == "FARGATE" ? (var.fargate_spot ? "FARGATE_SPOT" : "FARGATE") : "${var.cluster_name}-capacity-provider"
       weight            = 1

ecs-task-definition.tf

@@ -3,8 +3,8 @@ resource "aws_ecs_task_definition" "default" {
 
   family = "${var.cluster_name}-${var.name}"
 
-  execution_role_arn = var.task_role_arn
-  task_role_arn      = var.task_role_arn
+  execution_role_arn = aws_iam_role.ecs_task.arn
+  task_role_arn      = aws_iam_role.ecs_task.arn
 
   requires_compatibilities = [var.launch_type]
 
@@ -31,4 +31,10 @@ resource "aws_ecs_task_definition" "default" {
   }
 ]
 EOT
+
+  lifecycle {
+    ignore_changes = [
+      container_definitions
+    ]
+  }
 }

iam-ecs-task-attach.tf

@@ -0,0 +1,43 @@
+# Attach AWS managed policies to the role
+resource "aws_iam_role_policy_attachment" "task_role_attach_policy_managed" {
+  for_each   = { for role in try(var.task_role_policies_managed, []) : role.name => role }
+  role       = aws_iam_role.ecs_task.name
+  policy_arn = each.value.policy_arn
+}
+
+data "aws_iam_policy_document" "task_role_policy_custom" {
+  for_each = { for policy in try(var.task_role_policies, []) : policy.name => policy }
+
+  dynamic "statement" {
+    for_each = try(each.value.statement, [])
+    content {
+      sid       = statement.value.sid
+      actions   = statement.value.actions
+      resources = statement.value.resources
+      effect    = statement.value.effect
+
+      dynamic "condition" {
+        for_each = try(statement.value.condition, [])
+        content {
+          test     = condition.value.test
+          variable = condition.value.variable
+          values   = condition.value.values
+        }
+
+      }
+    }
+  }
+}
+
+resource "aws_iam_policy" "task_role_policy_custom" {
+  for_each    = { for policy in try(var.task_role_policies, []) : policy.name => policy }
+  name        = "ecs-${each.value.name}-${var.cluster_name}-${var.name}-${data.aws_region.current.name}"
+  description = try(each.value.description, "")
+  policy      = data.aws_iam_policy_document.task_role_policy_custom[each.value.name].json
+}
+
+resource "aws_iam_role_policy_attachment" "task_role_attach_policy_custom" {
+  for_each   = { for policy in try(var.task_role_policies, []) : policy.name => policy }
+  role       = aws_iam_role.ecs_task.name
+  policy_arn = aws_iam_policy.task_role_policy_custom[each.value.name].arn
+}

iam-ecs-task.tf

@@ -0,0 +1,74 @@
+resource "aws_iam_role" "ecs_task" {
+  name = "ecs-task-${var.cluster_name}-${var.name}-${data.aws_region.current.name}"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ecs-tasks.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_task" {
+  role       = aws_iam_role.ecs_task.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+
+  depends_on = [aws_iam_role.ecs_task]
+}
+
+resource "aws_iam_role_policy" "ssm_policy" {
+  name = "ecs-ssm-policy"
+  role = aws_iam_role.ecs_task.name
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:GetResourcePolicy",
+        "secretsmanager:GetSecretValue",
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:ListSecretVersionIds"
+      ],
+      "Resource": [
+        "*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ssm:GetParameters"
+      ],
+      "Resource": [
+        "arn:aws:ssm:*:*:parameter/*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ssmmessages:CreateControlChannel",
+        "ssmmessages:CreateDataChannel",
+        "ssmmessages:OpenControlChannel",
+        "ssmmessages:OpenDataChannel"
+      ],
+      "Resource": [
+        "*"
+      ]
+    }
+  ]
+}
+EOF
+
+  depends_on = [aws_iam_role.ecs_task]
+}