hashicorp · ewbankkit · Feb 12, 2024 · Feb 6, 2024 · Feb 6, 2024 · Feb 7, 2024
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_ecs_service: Add `service_connect_configuration.service.timeout` and `service_connect_configuration.service.tls` configuration blocks
+```
@@ -414,6 +414,57 @@ func ResourceService() *schema.Resource {
 										Type:     schema.TypeString,
 										Required: true,
 									},
+									"timeout": {
+										Type:     schema.TypeList,
+										Optional: true,
+										MaxItems: 1,
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												"idle_timeout_seconds": {
+													Type:         schema.TypeInt,
+													Optional:     true,
+													ValidateFunc: validation.IntBetween(0, 2147483647),
+												},
+												"per_request_timeout_seconds": {
+													Type:         schema.TypeInt,
+													Optional:     true,
+													ValidateFunc: validation.IntBetween(0, 2147483647),
+												},
+											},
+										},
+									},
+									"tls": {
+										Type:     schema.TypeList,
+										Optional: true,
+										MaxItems: 1,
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												"issuer_cert_authority": {
+													Type:     schema.TypeList,
+													Required: true,
+													MaxItems: 1,
+													Elem: &schema.Resource{
+														Schema: map[string]*schema.Schema{
+															"aws_pca_authority_arn": {
+																Type:         schema.TypeString,
+																Optional:     true,
+																ValidateFunc: verify.ValidARN,
+															},
+														},
+													},
+												},
+												"kms_key": {
+													Type:     schema.TypeString,
+													Optional: true,
+												},
+												"role_arn": {
+													Type:         schema.TypeString,
+													Optional:     true,
+													ValidateFunc: verify.ValidARN,
+												},
+											},
+										},
+									},
 								},
 							},
 						},
@@ -764,9 +815,9 @@ func resourceServiceRead(ctx context.Context, d *schema.ResourceData, meta inter
 		return sdkdiag.AppendErrorf(diags, "setting network_configuration: %s", err)
 	}
 
-	// if err := d.Set("service_connect_configuration", flattenServiceConnectConfiguration(service.ServiceConnectConfiguration)); err != nil {
-	// 	return fmt.Errorf("setting service_connect_configuration for (%s): %w", d.Id(), err)
-	// }
+	//if err := d.Set("service_connect_configuration", flattenServiceConnectConfiguration(service.ServiceConnectConfiguration)); err != nil {
+	//	return sdkdiag.AppendErrorf(diags, "setting service_connect_configuration: %s", err)
+	//}
 
 	if err := d.Set("service_registries", flattenServiceRegistries(service.ServiceRegistries)); err != nil {
 		return sdkdiag.AppendErrorf(diags, "setting service_registries: %s", err)
@@ -1441,12 +1492,68 @@ func expandServices(srv []interface{}) []*ecs.ServiceConnectService {
 			config.PortName = aws.String(v)
 		}
 
+		if v, ok := raw["timeout"].([]interface{}); ok && len(v) > 0 {
+			config.Timeout = expandTimeout(v)
+		}
+
+		if v, ok := raw["tls"].([]interface{}); ok && len(v) > 0 {
+			config.Tls = expandTLS(v)
+		}
+
 		out = append(out, &config)
 	}
 
 	return out
 }
 
+func expandTimeout(timeout []interface{}) *ecs.TimeoutConfiguration {
+	if len(timeout) == 0 {
+		return nil
+	}
+	raw := timeout[0].(map[string]interface{})
+	timeoutConfig := &ecs.TimeoutConfiguration{}
+	if v, ok := raw["idle_timeout_seconds"].(int); ok {
+		timeoutConfig.IdleTimeoutSeconds = aws.Int64(int64(v))
+	}
+	if v, ok := raw["per_request_timeout_seconds"].(int); ok {
+		timeoutConfig.PerRequestTimeoutSeconds = aws.Int64(int64(v))
+	}
+	return timeoutConfig
+}
+
+func expandTLS(tls []interface{}) *ecs.ServiceConnectTlsConfiguration {
+	if len(tls) == 0 {
+		return nil
+	}
+
+	raw := tls[0].(map[string]interface{})
+	tlsConfig := &ecs.ServiceConnectTlsConfiguration{}
+	if v, ok := raw["issuer_cert_authority"].([]interface{}); ok && len(v) > 0 {
+		tlsConfig.IssuerCertificateAuthority = expandIssuerCertAuthority(v)
+	}
+	if v, ok := raw["kms_key"].(string); ok && v != "" {
+		tlsConfig.KmsKey = aws.String(v)
+	}
+	if v, ok := raw["role_arn"].(string); ok && v != "" {
+		tlsConfig.RoleArn = aws.String(v)
+	}
+	return tlsConfig
+}
+
+func expandIssuerCertAuthority(pca []interface{}) *ecs.ServiceConnectTlsCertificateAuthority {
+	if len(pca) == 0 {
+		return nil
+	}
+
+	raw := pca[0].(map[string]interface{})
+	config := &ecs.ServiceConnectTlsCertificateAuthority{}
+
+	if v, ok := raw["aws_pca_authority_arn"].(string); ok && v != "" {
+		config.AwsPcaAuthorityArn = aws.String(v)
+	}
+	return config
+}
+
 func expandClientAliases(srv []interface{}) []*ecs.ServiceConnectClientAlias {
 	if len(srv) == 0 {
 		return nil

@@ -4237,6 +4237,66 @@ resource "aws_ecs_service" "test" {
 
 func testAccServiceConfig_serviceConnectAllAttributes(rName string) string {
 	return fmt.Sprintf(`
+resource "aws_kms_key" "test" {
+  description             = %[1]q
+  deletion_window_in_days = 7
+  policy                  = data.aws_iam_policy_document.test.json
+}
+
+
+data "aws_iam_policy_document" "test" {
+  policy_id = "KMSPolicy"
+
+  statement {
+    sid    = "Root User Permissions"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+      "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+    actions = [
+    "kms:*"]
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "EC2 kms permissions"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = [aws_iam_role.test.arn]
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:GenerateDataKey",
+    "kms:GenerateDataKeyPair"]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_role" "test" {
+  name = %[1]q
+
+  assume_role_policy  = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ecs.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+  managed_policy_arns = ["arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity"]
+}
+
 resource "aws_service_discovery_http_namespace" "test" {
   name = %[1]q
 }
@@ -4260,9 +4320,10 @@ resource "aws_ecs_task_definition" "test" {
     "portMappings": [
     {
       "hostPort": 0,
-      "protocol": "tcp",
+      "appProtocol": "http",
       "containerPort": 27017,
-      "name": "tf-test"
+      "name": "tf-test",
+      "protocol": "tcp"
     }
     ]
   }
@@ -4297,9 +4358,60 @@ resource "aws_ecs_service" "test" {
       discovery_name        = "test"
       ingress_port_override = 8443
       port_name             = "tf-test"
+      tls {
+        issuer_cert_authority {
+          aws_pca_authority_arn = aws_acmpca_certificate_authority.test.arn
+        }
+        kms_key  = aws_kms_key.test.arn
+        role_arn = aws_iam_role.test.arn
+      }
+      timeout {
+        idle_timeout_seconds        = 120
+        per_request_timeout_seconds = 60
+      }
+    }
+  }
+}
+
+resource "aws_acmpca_certificate_authority_certificate" "test" {
+  certificate_authority_arn = aws_acmpca_certificate_authority.test.arn
+
+  certificate       = aws_acmpca_certificate.test.certificate
+  certificate_chain = aws_acmpca_certificate.test.certificate_chain
+}
+
+resource "aws_acmpca_certificate" "test" {
+  certificate_authority_arn   = aws_acmpca_certificate_authority.test.arn
+  certificate_signing_request = aws_acmpca_certificate_authority.test.certificate_signing_request
+  signing_algorithm           = "SHA512WITHRSA"
+
+  template_arn = "arn:${data.aws_partition.current.partition}:acm-pca:::template/RootCACertificate/V1"
+
+  validity {
+    type  = "YEARS"
+    value = 1
+  }
+}
+
+resource "aws_acmpca_certificate_authority" "test" {
+  permanent_deletion_time_in_days = 7
+  type                            = "ROOT"
+  usage_mode                      = "SHORT_LIVED_CERTIFICATE"
+  certificate_authority_configuration {
+    key_algorithm     = "RSA_4096"
+    signing_algorithm = "SHA512WITHRSA"
+
+    subject {
+      common_name = %[1]q
     }
   }
+  tags = {
+    AmazonECSManaged = "true"
+  }
 }
+
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
 `, rName)
 }
 

@@ -264,6 +264,29 @@ For more information, see [Task Networking](https://docs.aws.amazon.com/AmazonEC
 * `discovery_name` - (Optional) The name of the new AWS Cloud Map service that Amazon ECS creates for this Amazon ECS service.
 * `ingress_port_override` - (Optional) The port number for the Service Connect proxy to listen on.
 * `port_name` - (Required) The name of one of the `portMappings` from all the containers in the task definition of this Amazon ECS service.
+* `timeout` - (Optional) Configuration timeouts for Service Connect
+* `tls` - (Optional) The configuration for enabling Transport Layer Security (TLS)
+
+### timeout
+
+`timeout` supports the following:
+
+* `idle_timeout_seconds` - (Optional) The amount of time in seconds a connection will stay active while idle. A value of 0 can be set to disable idleTimeout.
+* `per_request_timeout_seconds` - (Optional) The amount of time in seconds for the upstream to respond with a complete response per request. A value of 0 can be set to disable perRequestTimeout. Can only be set when appProtocol isn't TCP.
+
+### tls
+
+`tls` supports the following:
+
+* `issuer_cert_authority` - (Required) The details of the certificate authority which will issue the certificate.
+* `kms_key` - (Optional) The KMS key used to encrypt the private key in Secrets Manager.
+* `role_arn` - (Optional) The ARN of the IAM Role that's associated with the Service Connect TLS.
+
+### issuer_cert_authority
+
+`issuer_cert_authority` supports the following:
+
+* `aws_pca_authority_arn` - (Optional) The ARN of the [`aws_acmpca_certificate_authority`](/docs/providers/aws/r/acmpca_certificate_authority.html) used to create the TLS Certificates.
 
 ### client_alias