f-aws_ecs_service-service_connect_tls #35684

Merged
merged 20 commits into from
Feb 12, 2024
Merged
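--- a/.changelog/35684.txt
+++ b/.changelog/35684.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_ecs_service: Add TLS support for ECS Service Connect
+```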
73 changes: 70 additions & 3 deletions internal/service/ecs/service.go
Expand Up @@ -414,6 +414,36 @@ func ResourceService() *schema.Resource {
Type: schema.TypeString,
Required: true,
},
"tls": {
Type: schema.TypeList,
Optional: true,
MaxItems: 1,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"issuer_cert_authority": {
Type: schema.TypeList,
Required: true,
MaxItems: 1,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"aws_pca_authority_arn": {
Type: schema.TypeString,
Required: true,
},
},
},
},
"kms_key": {
Type: schema.TypeString,
Optional: true,
},
"role_arn": {
Type: schema.TypeString,
Required: true,
},
},
},
},
},
},
},
Expand Down Expand Up @@ -764,9 +794,9 @@ func resourceServiceRead(ctx context.Context, d *schema.ResourceData, meta inter
return sdkdiag.AppendErrorf(diags, "setting network_configuration: %s", err)
}

// if err := d.Set("service_connect_configuration", flattenServiceConnectConfiguration(service.ServiceConnectConfiguration)); err != nil {
// return fmt.Errorf("setting service_connect_configuration for (%s): %w", d.Id(), err)
// }
//if err := d.Set("service_connect_configuration", flattenServiceConnectConfiguration(service.ServiceConnectConfiguration)); err != nil {
// return sdkdiag.AppendErrorf(diags, "setting service_connect_configuration: %s", err)
//}

if err := d.Set("service_registries", flattenServiceRegistries(service.ServiceRegistries)); err != nil {
return sdkdiag.AppendErrorf(diags, "setting service_registries: %s", err)
Expand Down Expand Up @@ -1441,12 +1471,49 @@ func expandServices(srv []interface{}) []*ecs.ServiceConnectService {
config.PortName = aws.String(v)
}

if v, ok := raw["tls"].([]interface{}); ok && len(v) > 0 {
config.Tls = expandTls(v)
}

out = append(out, &config)
}

return out
}

func expandTls(tls []interface{}) *ecs.ServiceConnectTlsConfiguration {
if len(tls) == 0 {
return nil
}

raw := tls[0].(map[string]interface{})
tlsConfig := &ecs.ServiceConnectTlsConfiguration{}
if v, ok := raw["issuer_cert_authority"].([]interface{}); ok && len(v) > 0 {
tlsConfig.IssuerCertificateAuthority = expandIssuerCertAuthority(v)
}
if v, ok := raw["kms_key"].(string); ok && v != "" {
tlsConfig.KmsKey = aws.String(v)
}
if v, ok := raw["role_arn"].(string); ok && v != "" {
tlsConfig.RoleArn = aws.String(v)
}
return tlsConfig
}

func expandIssuerCertAuthority(pca []interface{}) *ecs.ServiceConnectTlsCertificateAuthority {
if len(pca) == 0 {
return nil
}

raw := pca[0].(map[string]interface{})
config := &ecs.ServiceConnectTlsCertificateAuthority{}

if v, ok := raw["aws_pca_authority_arn"].(string); ok && v != "" {
config.AwsPcaAuthorityArn = aws.String(v)
}
return config
}

func expandClientAliases(srv []interface{}) []*ecs.ServiceConnectClientAlias {
if len(srv) == 0 {
return nil
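Review bot: The new `tls` block is only expanded on the write path (expandTls, expandIssuerCertAuthority); nothing reads it back, because the Read hunk at -764/+794 keeps `d.Set("service_connect_configuration", flattenServiceConnectConfiguration(...))` commented out on both sides and no flatten for the TLS configuration is added, so an out-of-band change to `role_arn`, `kms_key` or the issuing CA ARN would not surface as drift (assuming no such flatten exists outside this diff). The schema in the first hunk marks `kms_key` Optional while the website docs in this PR list it as Required; one of the two should change. `raw := tls[0].(map[string]interface{})` in expandTls, and the same line in expandIssuerCertAuthority, may panic on a nil element such as an empty `tls {}` block; `raw, ok := tls[0].(map[string]interface{}); if !ok { return nil }` avoids that, though the neighbouring expanders appear to use the unchecked form. expandServices starts outside the hunk.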
107 changes: 107 additions & 0 deletions internal/service/ecs/service_test.go
Expand Up @@ -4237,6 +4237,66 @@ resource "aws_ecs_service" "test" {

func testAccServiceConfig_serviceConnectAllAttributes(rName string) string {
return fmt.Sprintf(`
resource "aws_kms_key" "test" {
description = %[1]q
deletion_window_in_days = 7
policy = data.aws_iam_policy_document.test.json
}


data "aws_iam_policy_document" "test" {
policy_id = "KMSPolicy"

statement {
sid = "Root User Permissions"
effect = "Allow"
principals {
type = "AWS"
identifiers = [
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
}
actions = [
"kms:*"]
resources = [ "*"]
}

statement {
sid = "EC2 kms permissions"
effect = "Allow"
principals {
type = "AWS"
identifiers = [ aws_iam_role.test.arn ]
}
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:GenerateDataKeyPair"]
resources = ["*"]
}
}

resource "aws_iam_role" "test" {
name = %[1]q

assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ecs.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
managed_policy_arns = ["arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity"]
}

resource "aws_service_discovery_http_namespace" "test" {
name = %[1]q
}
Expand Down Expand Up @@ -4297,9 +4357,56 @@ resource "aws_ecs_service" "test" {
discovery_name = "test"
ingress_port_override = 8443
port_name = "tf-test"
tls {
issuer_cert_authority {
aws_pca_authority_arn = aws_acmpca_certificate_authority.test.arn
}
kms_key = aws_kms_key.test.arn
role_arn = aws_iam_role.test.arn
}
}
}
}

resource "aws_acmpca_certificate_authority_certificate" "test" {
certificate_authority_arn = aws_acmpca_certificate_authority.test.arn

certificate = aws_acmpca_certificate.test.certificate
certificate_chain = aws_acmpca_certificate.test.certificate_chain
}

resource "aws_acmpca_certificate" "test" {
certificate_authority_arn = aws_acmpca_certificate_authority.test.arn
certificate_signing_request = aws_acmpca_certificate_authority.test.certificate_signing_request
signing_algorithm = "SHA512WITHRSA"

template_arn = "arn:${data.aws_partition.current.partition}:acm-pca:::template/RootCACertificate/V1"

validity {
type = "YEARS"
value = 1
}
}

resource "aws_acmpca_certificate_authority" "test" {
permanent_deletion_time_in_days = 7
type = "ROOT"
usage_mode = "SHORT_LIVED_CERTIFICATE"
certificate_authority_configuration {
key_algorithm = "RSA_4096"
signing_algorithm = "SHA512WITHRSA"

subject {
common_name = %[1]q
}
}
tags = {
AmazonECSManaged = "true"
}
}

data "aws_partition" "current" {}
data "aws_caller_identity" "current" {}
`, rName)
}

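Review bot: The KMS key policy statement that grants `kms:Encrypt`/`kms:Decrypt`/`kms:GenerateDataKey*` to `aws_iam_role.test` is labelled `sid = "EC2 kms permissions"`, which misdescribes the principal (the role is assumed by `ecs.amazonaws.com`); `sid = "ECS service role KMS permissions"` would read correctly. The HCL is also not `terraform fmt`-clean: `resources = [ "*"]`, `identifiers = [ aws_iam_role.test.arn ]`, the `actions = [` lists split after the bracket, and the double blank line after the `aws_kms_key` block. If the repository lints test configurations this would be flagged. testAccServiceConfig_serviceConnectAllAttributes starts in the first hunk and its body runs through both hunks of this section.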
15 changes: 15 additions & 0 deletions website/docs/r/ecs_service.html.markdown
Expand Up @@ -241,6 +241,20 @@ For more information, see [Task Networking](https://docs.aws.amazon.com/AmazonEC
* `namespace` - (Optional) The namespace name or ARN of the [`aws_service_discovery_http_namespace`](/docs/providers/aws/r/service_discovery_http_namespace.html) for use with Service Connect.
* `service` - (Optional) The list of Service Connect service objects. See below.

### tls

`tls` supports the following:

* `issuer_cert_authority` - (Required) The details of the certificate authority which will issue the certificate.
* `kms_key` - (Required) The KMS key used to encrypt the private key in Secrets Manager.
* `role_arn` - (Required) The ARN of the IAM Role that's associated with the Service Connect TLS.

### issuer_cert_authority

`issuer_cert_authority` supports the following:

* `aws_pca_authority_arn`: The ARN of the [`aws_acmpca_certificate_authority`](/docs/providers/aws/r/acmpca_certificate_authority.html) used to create the TLS Certificates.

### log_configuration

`log_configuration` supports the following:
Expand All @@ -264,6 +278,7 @@ For more information, see [Task Networking](https://docs.aws.amazon.com/AmazonEC
* `discovery_name` - (Optional) The name of the new AWS Cloud Map service that Amazon ECS creates for this Amazon ECS service.
* `ingress_port_override` - (Optional) The port number for the Service Connect proxy to listen on.
* `port_name` - (Required) The name of one of the `portMappings` from all the containers in the task definition of this Amazon ECS service.
* `tls` - (Optional) The configuration for enabling Transport Layer Security (TLS)

### client_alias
