Merge pull request #35684 from dgr237/main
f-aws_ecs_service-service_connect_tls
ewbankkit authored Feb 12, 2024
2 parents aee67d6 + d99168a commit 0b8cc1e
Showing 4 changed files with 250 additions and 5 deletions.
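--- a/.changelog/35684.txt
+++ b/.changelog/35684.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_ecs_service: Add `service_connect_configuration.service.timeout` and `service_connect_configuration.service.tls` configuration blocks
+```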
113 changes: 110 additions & 3 deletions internal/service/ecs/service.go
Expand Up @@ -414,6 +414,57 @@ func ResourceService() *schema.Resource {
Type: schema.TypeString,
Required: true,
},
"timeout": {
Type: schema.TypeList,
Optional: true,
MaxItems: 1,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"idle_timeout_seconds": {
Type: schema.TypeInt,
Optional: true,
ValidateFunc: validation.IntBetween(0, 2147483647),
},
"per_request_timeout_seconds": {
Type: schema.TypeInt,
Optional: true,
ValidateFunc: validation.IntBetween(0, 2147483647),
},
},
},
},
"tls": {
Type: schema.TypeList,
Optional: true,
MaxItems: 1,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"issuer_cert_authority": {
Type: schema.TypeList,
Required: true,
MaxItems: 1,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"aws_pca_authority_arn": {
Type: schema.TypeString,
Optional: true,
ValidateFunc: verify.ValidARN,
},
},
},
},
"kms_key": {
Type: schema.TypeString,
Optional: true,
},
"role_arn": {
Type: schema.TypeString,
Optional: true,
ValidateFunc: verify.ValidARN,
},
},
},
},
},
},
},
Expand Down Expand Up @@ -764,9 +815,9 @@ func resourceServiceRead(ctx context.Context, d *schema.ResourceData, meta inter
return sdkdiag.AppendErrorf(diags, "setting network_configuration: %s", err)
}

// if err := d.Set("service_connect_configuration", flattenServiceConnectConfiguration(service.ServiceConnectConfiguration)); err != nil {
// return fmt.Errorf("setting service_connect_configuration for (%s): %w", d.Id(), err)
// }
//if err := d.Set("service_connect_configuration", flattenServiceConnectConfiguration(service.ServiceConnectConfiguration)); err != nil {
// return sdkdiag.AppendErrorf(diags, "setting service_connect_configuration: %s", err)
//}

if err := d.Set("service_registries", flattenServiceRegistries(service.ServiceRegistries)); err != nil {
return sdkdiag.AppendErrorf(diags, "setting service_registries: %s", err)
Expand Down Expand Up @@ -1441,12 +1492,68 @@ func expandServices(srv []interface{}) []*ecs.ServiceConnectService {
config.PortName = aws.String(v)
}

if v, ok := raw["timeout"].([]interface{}); ok && len(v) > 0 {
config.Timeout = expandTimeout(v)
}

if v, ok := raw["tls"].([]interface{}); ok && len(v) > 0 {
config.Tls = expandTLS(v)
}

out = append(out, &config)
}

return out
}

func expandTimeout(timeout []interface{}) *ecs.TimeoutConfiguration {
if len(timeout) == 0 {
return nil
}
raw := timeout[0].(map[string]interface{})
timeoutConfig := &ecs.TimeoutConfiguration{}
if v, ok := raw["idle_timeout_seconds"].(int); ok {
timeoutConfig.IdleTimeoutSeconds = aws.Int64(int64(v))
}
if v, ok := raw["per_request_timeout_seconds"].(int); ok {
timeoutConfig.PerRequestTimeoutSeconds = aws.Int64(int64(v))
}
return timeoutConfig
}

func expandTLS(tls []interface{}) *ecs.ServiceConnectTlsConfiguration {
if len(tls) == 0 {
return nil
}

raw := tls[0].(map[string]interface{})
tlsConfig := &ecs.ServiceConnectTlsConfiguration{}
if v, ok := raw["issuer_cert_authority"].([]interface{}); ok && len(v) > 0 {
tlsConfig.IssuerCertificateAuthority = expandIssuerCertAuthority(v)
}
if v, ok := raw["kms_key"].(string); ok && v != "" {
tlsConfig.KmsKey = aws.String(v)
}
if v, ok := raw["role_arn"].(string); ok && v != "" {
tlsConfig.RoleArn = aws.String(v)
}
return tlsConfig
}

func expandIssuerCertAuthority(pca []interface{}) *ecs.ServiceConnectTlsCertificateAuthority {
if len(pca) == 0 {
return nil
}

raw := pca[0].(map[string]interface{})
config := &ecs.ServiceConnectTlsCertificateAuthority{}

if v, ok := raw["aws_pca_authority_arn"].(string); ok && v != "" {
config.AwsPcaAuthorityArn = aws.String(v)
}
return config
}

func expandClientAliases(srv []interface{}) []*ecs.ServiceConnectClientAlias {
if len(srv) == 0 {
return nil
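Review bot: expandTimeout in the third hunk cannot tell an omitted `idle_timeout_seconds` or `per_request_timeout_seconds` from an explicit 0: as far as I can tell the nested-block map that reaches expandServices carries every schema key with its zero value, so `raw["idle_timeout_seconds"].(int)` is `ok` with value 0 when the attribute is absent, and 0 is sent to the API, which the docs in this same commit describe as disabling the timeout rather than keeping the service default. If 0 is to remain a usable "disable" value the attributes need to be read from the raw configuration (`d.GetRawConfig()`) instead of the flattened map, otherwise the docs should say that omitting the attribute sends 0, or the guard should become `if v, ok := raw["idle_timeout_seconds"].(int); ok && v > 0 {` so the timeout is only set when configured. A second point in the second hunk: the `d.Set("service_connect_configuration", ...)` call is still commented out (the commit only rewrites the comment), so the new `tls` and `timeout` values, including `role_arn`, `kms_key` and `aws_pca_authority_arn`, are never refreshed from the API and out-of-band changes to the TLS setup will not surface as drift; a `// TODO(review): service_connect_configuration is write-only until a flatten exists` comment would at least record that gap. The bodies of ResourceService, resourceServiceRead and expandServices all start outside their hunks.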
116 changes: 114 additions & 2 deletions internal/service/ecs/service_test.go
Expand Up @@ -4237,6 +4237,66 @@ resource "aws_ecs_service" "test" {

func testAccServiceConfig_serviceConnectAllAttributes(rName string) string {
return fmt.Sprintf(`
resource "aws_kms_key" "test" {
description = %[1]q
deletion_window_in_days = 7
policy = data.aws_iam_policy_document.test.json
}
data "aws_iam_policy_document" "test" {
policy_id = "KMSPolicy"
statement {
sid = "Root User Permissions"
effect = "Allow"
principals {
type = "AWS"
identifiers = [
"arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"]
}
actions = [
"kms:*"]
resources = ["*"]
}
statement {
sid = "EC2 kms permissions"
effect = "Allow"
principals {
type = "AWS"
identifiers = [aws_iam_role.test.arn]
}
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:GenerateDataKeyPair"]
resources = ["*"]
}
}
resource "aws_iam_role" "test" {
name = %[1]q
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ecs.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
managed_policy_arns = ["arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity"]
}
resource "aws_service_discovery_http_namespace" "test" {
name = %[1]q
}
Expand All @@ -4260,9 +4320,10 @@ resource "aws_ecs_task_definition" "test" {
"portMappings": [
{
"hostPort": 0,
"protocol": "tcp",
"appProtocol": "http",
"containerPort": 27017,
"name": "tf-test"
"name": "tf-test",
"protocol": "tcp"
}
]
}
Expand Down Expand Up @@ -4297,9 +4358,60 @@ resource "aws_ecs_service" "test" {
discovery_name = "test"
ingress_port_override = 8443
port_name = "tf-test"
tls {
issuer_cert_authority {
aws_pca_authority_arn = aws_acmpca_certificate_authority.test.arn
}
kms_key = aws_kms_key.test.arn
role_arn = aws_iam_role.test.arn
}
timeout {
idle_timeout_seconds = 120
per_request_timeout_seconds = 60
}
}
}
}
resource "aws_acmpca_certificate_authority_certificate" "test" {
certificate_authority_arn = aws_acmpca_certificate_authority.test.arn
certificate = aws_acmpca_certificate.test.certificate
certificate_chain = aws_acmpca_certificate.test.certificate_chain
}
resource "aws_acmpca_certificate" "test" {
certificate_authority_arn = aws_acmpca_certificate_authority.test.arn
certificate_signing_request = aws_acmpca_certificate_authority.test.certificate_signing_request
signing_algorithm = "SHA512WITHRSA"
template_arn = "arn:${data.aws_partition.current.partition}:acm-pca:::template/RootCACertificate/V1"
validity {
type = "YEARS"
value = 1
}
}
resource "aws_acmpca_certificate_authority" "test" {
permanent_deletion_time_in_days = 7
type = "ROOT"
usage_mode = "SHORT_LIVED_CERTIFICATE"
certificate_authority_configuration {
key_algorithm = "RSA_4096"
signing_algorithm = "SHA512WITHRSA"
subject {
common_name = %[1]q
}
}
tags = {
AmazonECSManaged = "true"
}
}
data "aws_partition" "current" {}
data "aws_caller_identity" "current" {}
`, rName)
}

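Review bot: In testAccServiceConfig_serviceConnectAllAttributes (first hunk) the `aws_iam_role.test` trust policy is an inline JSON heredoc while the KMS key policy a few lines above is built from `data.aws_iam_policy_document.test`; expressing the trust policy the same way (or via `jsonencode`) keeps the fixture consistent and lets Terraform validate the document instead of shipping a raw string. The function continues past the end of the hunk.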
23 changes: 23 additions & 0 deletions website/docs/r/ecs_service.html.markdown
Expand Up @@ -264,6 +264,29 @@ For more information, see [Task Networking](https://docs.aws.amazon.com/AmazonEC
* `discovery_name` - (Optional) The name of the new AWS Cloud Map service that Amazon ECS creates for this Amazon ECS service.
* `ingress_port_override` - (Optional) The port number for the Service Connect proxy to listen on.
* `port_name` - (Required) The name of one of the `portMappings` from all the containers in the task definition of this Amazon ECS service.
* `timeout` - (Optional) Configuration timeouts for Service Connect
* `tls` - (Optional) The configuration for enabling Transport Layer Security (TLS)

### timeout

`timeout` supports the following:

* `idle_timeout_seconds` - (Optional) The amount of time in seconds a connection will stay active while idle. A value of 0 can be set to disable idleTimeout.
* `per_request_timeout_seconds` - (Optional) The amount of time in seconds for the upstream to respond with a complete response per request. A value of 0 can be set to disable perRequestTimeout. Can only be set when appProtocol isn't TCP.

### tls

`tls` supports the following:

* `issuer_cert_authority` - (Required) The details of the certificate authority which will issue the certificate.
* `kms_key` - (Optional) The KMS key used to encrypt the private key in Secrets Manager.
* `role_arn` - (Optional) The ARN of the IAM Role that's associated with the Service Connect TLS.

### issuer_cert_authority

`issuer_cert_authority` supports the following:

* `aws_pca_authority_arn` - (Optional) The ARN of the [`aws_acmpca_certificate_authority`](/docs/providers/aws/r/acmpca_certificate_authority.html) used to create the TLS Certificates.

### client_alias
