Modify service module to support external ECS execution and task roles

home-assistant · Sep 27, 2024 · 6697ce0 · 6697ce0
1 parent 1b9d95a
commit 6697ce0
Show file tree

Hide file tree

Showing 8 changed files with 104 additions and 15 deletions.
diff --git a/.modules/service/ecs.tf b/.modules/service/ecs.tf
@@ -20,8 +20,8 @@ resource "aws_ecs_task_definition" "task" {
   family                   = var.service_name
   cpu                      = var.ecs_cpu
   memory                   = var.ecs_memory
-  execution_role_arn       = aws_iam_role.ecs-execution.arn
-  task_role_arn            = aws_iam_role.task-execution.arn
+  execution_role_arn       = coalesce(var.ecs_execution_role_arn, aws_iam_role.ecs-execution.arn)
+  task_role_arn            = coalesce(var.ecs_task_execution_role_arn, aws_iam_role.task-execution.arn)
   network_mode             = "awsvpc"
   requires_compatibilities = [var.launch_type]
 
@@ -56,4 +56,4 @@ resource "aws_ecs_task_definition" "task" {
       }
     }, var.container_definitions)
   ])
-}
+}
diff --git a/.modules/service/policy.tf b/.modules/service/policy.tf
@@ -10,11 +10,15 @@ data "aws_iam_policy_document" "ecs-role-policy" {
 }
 
 resource "aws_iam_role" "ecs-execution" {
+  count = var.ecs_execution_role_arn == "" ? 1 : 0
+
   name               = "${var.service_name}-ExecutionRole-role"
   assume_role_policy = data.aws_iam_policy_document.ecs-role-policy.json
 }
 
 resource "aws_iam_role_policy_attachment" "ecs-execution-managed" {
+  count = var.ecs_execution_role_arn == "" ? 1 : 0
+
   role       = aws_iam_role.ecs-execution.id
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
@@ -46,11 +50,15 @@ data "aws_iam_policy_document" "task-assume-role" {
 }
 
 resource "aws_iam_role" "task-execution" {
+  count = var.ecs_task_execution_role_arn == "" ? 1 : 0
+
   name               = "${var.service_name}-TaskRole-role"
   assume_role_policy = data.aws_iam_policy_document.task-assume-role.json
 }
 
 resource "aws_iam_role_policy" "task-role" {
+  count = var.ecs_task_execution_role_arn == "" ? 1 : 0
+
   policy = data.aws_iam_policy_document.task-policy.json
   role   = aws_iam_role.task-execution.id
-}
+}
diff --git a/.modules/service/variables.tf b/.modules/service/variables.tf
@@ -65,3 +65,15 @@ variable "rolling_updates" {
   default     = false
   type        = bool
 }
+
+variable "ecs_execution_role_arn" {
+  description = "The ARN of the ECS execution role"
+  type        = string
+  default     = ""
+}
+
+variable "ecs_task_execution_role_arn" {
+  description = "The ARN of the ECS task role"
+  type        = string
+  default     = ""
+}
diff --git a/stun_server/main.tf b/stun_server/main.tf
@@ -15,23 +15,29 @@ provider "aws" {
 module "us_east_1" {
   source = "./region"
 
-  region      = "us-east-1"
-  domain_name = var.domain_name
-  image_tag   = var.image_tag
+  region                      = "us-east-1"
+  domain_name                 = var.domain_name
+  image_tag                   = var.image_tag
+  ecs_execution_role_arn      = aws_iam_role.ecs-execution.arn
+  ecs_task_execution_role_arn = aws_iam_role.task-execution.arn
 }
 
 module "eu_central_1" {
   source = "./region"
 
-  region      = "eu-central-1"
-  domain_name = var.domain_name
-  image_tag   = var.image_tag
+  region                      = "eu-central-1"
+  domain_name                 = var.domain_name
+  image_tag                   = var.image_tag
+  ecs_execution_role_arn      = aws_iam_role.ecs-execution.arn
+  ecs_task_execution_role_arn = aws_iam_role.task-execution.arn
 }
 
 module "ap_southeast_1" {
   source = "./region"
 
-  region      = "ap-southeast-1"
-  domain_name = var.domain_name
-  image_tag   = var.image_tag
+  region                      = "ap-southeast-1"
+  domain_name                 = var.domain_name
+  image_tag                   = var.image_tag
+  ecs_execution_role_arn      = aws_iam_role.ecs-execution.arn
+  ecs_task_execution_role_arn = aws_iam_role.task-execution.arn
 }
diff --git a/stun_server/policy.tf b/stun_server/policy.tf
@@ -0,0 +1,52 @@
+data "aws_iam_policy_document" "ecs-role-policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      identifiers = ["ecs-tasks.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+}
+
+resource "aws_iam_role" "ecs-execution" {
+
+  name               = "stun-server-ExecutionRole-role"
+  assume_role_policy = data.aws_iam_policy_document.ecs-role-policy.json
+}
+
+resource "aws_iam_role_policy_attachment" "ecs-execution-managed" {
+
+  role       = aws_iam_role.ecs-execution.id
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+data "aws_iam_policy_document" "task-policy" {
+  statement {
+    actions   = ["cloudwatch:putMetricData"]
+    resources = ["*"]
+  }
+}
+
+data "aws_iam_policy_document" "task-assume-role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      identifiers = ["ecs-tasks.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+}
+
+resource "aws_iam_role" "task-execution" {
+
+  name               = "stun-server-TaskRole-role"
+  assume_role_policy = data.aws_iam_policy_document.task-assume-role.json
+}
+
+resource "aws_iam_role_policy" "task-role" {
+
+  policy = data.aws_iam_policy_document.task-policy.json
+  role   = aws_iam_role.task-execution.id
+}
diff --git a/stun_server/region/ecs.tf b/stun_server/region/ecs.tf
@@ -5,7 +5,6 @@ resource "aws_ecs_service" "stun-server" {
   desired_count                      = 1
   deployment_minimum_healthy_percent = 100
   deployment_maximum_percent         = 200
-  health_check_grace_period_seconds  = 90
   launch_type                        = "FARGATE"
 
   # Required to fetch the public IP address of the ECS service

diff --git a/stun_server/region/module.tf b/stun_server/region/module.tf
@@ -37,5 +37,7 @@ module "stun_server" {
       }
     ],
   }
-  webservice = true
+  webservice                  = true
+  ecs_execution_role_arn      = var.ecs_execution_role_arn
+  ecs_task_execution_role_arn = var.ecs_task_execution_role_arn
 }
diff --git a/stun_server/region/variables.tf b/stun_server/region/variables.tf
@@ -12,3 +12,13 @@ variable "image_tag" {
   description = "Version of the Stun server to deploy"
   type        = string
 }
+
+variable "ecs_execution_role_arn" {
+  description = "The ARN of the ECS execution role"
+  type        = string
+}
+
+variable "ecs_task_execution_role_arn" {
+  description = "The ARN of the ECS task execution role"
+  type        = string
+}