From 6697ce0f60864b3b3dc7ade63741354d09fb866c Mon Sep 17 00:00:00 2001 From: Krisjanis Lejejs Date: Fri, 27 Sep 2024 16:34:23 +0300 Subject: [PATCH 1/8] Modify service module to support external ECS execution and task roles --- .modules/service/ecs.tf | 6 ++-- .modules/service/policy.tf | 10 ++++++- .modules/service/variables.tf | 12 ++++++++ stun_server/main.tf | 24 +++++++++------ stun_server/policy.tf | 52 +++++++++++++++++++++++++++++++++ stun_server/region/ecs.tf | 1 - stun_server/region/module.tf | 4 ++- stun_server/region/variables.tf | 10 +++++++ 8 files changed, 104 insertions(+), 15 deletions(-) create mode 100644 stun_server/policy.tf diff --git a/.modules/service/ecs.tf b/.modules/service/ecs.tf index d01de91..fbd3031 100644 --- a/.modules/service/ecs.tf +++ b/.modules/service/ecs.tf @@ -20,8 +20,8 @@ resource "aws_ecs_task_definition" "task" { family = var.service_name cpu = var.ecs_cpu memory = var.ecs_memory - execution_role_arn = aws_iam_role.ecs-execution.arn - task_role_arn = aws_iam_role.task-execution.arn + execution_role_arn = coalesce(var.ecs_execution_role_arn, aws_iam_role.ecs-execution.arn) + task_role_arn = coalesce(var.ecs_task_execution_role_arn, aws_iam_role.task-execution.arn) network_mode = "awsvpc" requires_compatibilities = [var.launch_type] @@ -56,4 +56,4 @@ resource "aws_ecs_task_definition" "task" { } }, var.container_definitions) ]) -} \ No newline at end of file +} diff --git a/.modules/service/policy.tf b/.modules/service/policy.tf index cdbf186..3cdeec4 100644 --- a/.modules/service/policy.tf +++ b/.modules/service/policy.tf 
@@ -10,11 +10,15 @@ data "aws_iam_policy_document" "ecs-role-policy" { } resource "aws_iam_role" "ecs-execution" { + count = var.ecs_execution_role_arn == "" ? 1 : 0 + name = "${var.service_name}-ExecutionRole-role" assume_role_policy = data.aws_iam_policy_document.ecs-role-policy.json } resource "aws_iam_role_policy_attachment" "ecs-execution-managed" { + count = var.ecs_execution_role_arn == "" ? 1 : 0 + role = aws_iam_role.ecs-execution.id policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" } @@ -46,11 +50,15 @@ data "aws_iam_policy_document" "task-assume-role" { } resource "aws_iam_role" "task-execution" { + count = var.ecs_task_execution_role_arn == "" ? 1 : 0 + name = "${var.service_name}-TaskRole-role" assume_role_policy = data.aws_iam_policy_document.task-assume-role.json } resource "aws_iam_role_policy" "task-role" { + count = var.ecs_task_execution_role_arn == "" ? 1 : 0 + policy = data.aws_iam_policy_document.task-policy.json role = aws_iam_role.task-execution.id -} \ No newline at end of file +} diff --git a/.modules/service/variables.tf b/.modules/service/variables.tf index e8910a0..a08feb1 100644 --- a/.modules/service/variables.tf +++ b/.modules/service/variables.tf @@ -65,3 +65,15 @@ variable "rolling_updates" { default = false type = bool } + +variable "ecs_execution_role_arn" { + description = "The ARN of the ECS execution role" + type = string + default = "" +} + +variable "ecs_task_execution_role_arn" { + description = "The ARN of the ECS task role" + type = string + default = "" +} diff --git a/stun_server/main.tf b/stun_server/main.tf index f524393..772b14b 100644 --- a/stun_server/main.tf +++ b/stun_server/main.tf 
@@ -15,23 +15,29 @@ provider "aws" { module "us_east_1" { source = "./region" - region = "us-east-1" - domain_name = var.domain_name - image_tag = var.image_tag + region = "us-east-1" + domain_name = var.domain_name + image_tag = var.image_tag + ecs_execution_role_arn = aws_iam_role.ecs-execution.arn + ecs_task_execution_role_arn = aws_iam_role.task-execution.arn } module "eu_central_1" { source = "./region" - region = "eu-central-1" - domain_name = var.domain_name - image_tag = var.image_tag + region = "eu-central-1" + domain_name = var.domain_name + image_tag = var.image_tag + ecs_execution_role_arn = aws_iam_role.ecs-execution.arn + ecs_task_execution_role_arn = aws_iam_role.task-execution.arn } module "ap_southeast_1" { source = "./region" - region = "ap-southeast-1" - domain_name = var.domain_name - image_tag = var.image_tag + region = "ap-southeast-1" + domain_name = var.domain_name + image_tag = var.image_tag + ecs_execution_role_arn = aws_iam_role.ecs-execution.arn + ecs_task_execution_role_arn = aws_iam_role.task-execution.arn } diff --git a/stun_server/policy.tf b/stun_server/policy.tf new file mode 100644 index 0000000..f2c0fc3 --- /dev/null +++ b/stun_server/policy.tf 
@@ -0,0 +1,52 @@ +data "aws_iam_policy_document" "ecs-role-policy" { + statement { + actions = ["sts:AssumeRole"] + + principals { + identifiers = ["ecs-tasks.amazonaws.com"] + type = "Service" + } + } +} + +resource "aws_iam_role" "ecs-execution" { + + name = "stun-server-ExecutionRole-role" + assume_role_policy = data.aws_iam_policy_document.ecs-role-policy.json +} + +resource "aws_iam_role_policy_attachment" "ecs-execution-managed" { + + role = aws_iam_role.ecs-execution.id + policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" +} + +data "aws_iam_policy_document" "task-policy" { + statement { + actions = ["cloudwatch:putMetricData"] + resources = ["*"] + } +} + +data "aws_iam_policy_document" "task-assume-role" { + statement { + actions = ["sts:AssumeRole"] + + principals { + identifiers = ["ecs-tasks.amazonaws.com"] + type = "Service" + } + } +} + +resource "aws_iam_role" "task-execution" { + + name = "stun-server-TaskRole-role" + assume_role_policy = data.aws_iam_policy_document.task-assume-role.json +} + +resource "aws_iam_role_policy" "task-role" { + + policy = data.aws_iam_policy_document.task-policy.json + role = aws_iam_role.task-execution.id +} diff --git a/stun_server/region/ecs.tf b/stun_server/region/ecs.tf index 760a9ff..36b382c 100644 --- a/stun_server/region/ecs.tf +++ b/stun_server/region/ecs.tf @@ -5,7 +5,6 @@ resource "aws_ecs_service" "stun-server" { desired_count = 1 deployment_minimum_healthy_percent = 100 deployment_maximum_percent = 200 - health_check_grace_period_seconds = 90 launch_type = "FARGATE" # Required to fetch the public IP address of the ECS service diff --git a/stun_server/region/module.tf b/stun_server/region/module.tf index c6e56f1..51a4052 100644 --- a/stun_server/region/module.tf +++ b/stun_server/region/module.tf 
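Review bot: Both trust documents in this new file (`ecs-role-policy` and `task-assume-role`) let `ecs-tasks.amazonaws.com` assume the roles with no source condition, so any task the ECS service presents as that principal may assume them regardless of which account owns the task; a `condition` on `aws:SourceAccount` (and on `aws:SourceArn` if the regions are enumerated) is the documented confused-deputy guard for these roles. The two documents are byte-identical, so one data source can serve both `assume_role_policy` attributes instead of keeping a second copy. `task-policy` grants `cloudwatch:putMetricData` on `*`; that action takes no resource ARN, but it can be narrowed with a `StringEquals` condition on `cloudwatch:namespace` naming the namespace the server publishes to (not visible in this series). The rewritten statement below assumes an `aws_caller_identity` data source named `current` is declared in the root module.

```hcl
data "aws_iam_policy_document" "ecs-role-policy" {
  statement {
    # … unchanged: actions and principals …

    # Confused-deputy guard: only tasks owned by this account may assume the role.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}
```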
@@ -37,5 +37,7 @@ module "stun_server" { } ], } - webservice = true + webservice = true + ecs_execution_role_arn = var.ecs_execution_role_arn + ecs_task_execution_role_arn = var.ecs_task_execution_role_arn } diff --git a/stun_server/region/variables.tf b/stun_server/region/variables.tf index ec10294..f7d8723 100644 --- a/stun_server/region/variables.tf +++ b/stun_server/region/variables.tf @@ -12,3 +12,13 @@ variable "image_tag" { description = "Version of the Stun server to deploy" type = string } + +variable "ecs_execution_role_arn" { + description = "The ARN of the ECS execution role" + type = string +} + +variable "ecs_task_execution_role_arn" { + description = "The ARN of the ECS task execution role" + type = string +} From bf182f5a6fe2dd208ddda55644670aaeae7c6887 Mon Sep 17 00:00:00 2001 From: Krisjanis Lejejs Date: Fri, 27 Sep 2024 16:38:49 +0300 Subject: [PATCH 2/8] Modify code to use external roles conditionally --- .modules/service/ecs.tf | 4 ++-- .modules/service/policy.tf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.modules/service/ecs.tf b/.modules/service/ecs.tf index fbd3031..696d508 100644 --- a/.modules/service/ecs.tf +++ b/.modules/service/ecs.tf @@ -20,8 +20,8 @@ resource "aws_ecs_task_definition" "task" { family = var.service_name cpu = var.ecs_cpu memory = var.ecs_memory - execution_role_arn = coalesce(var.ecs_execution_role_arn, aws_iam_role.ecs-execution.arn) - task_role_arn = coalesce(var.ecs_task_execution_role_arn, aws_iam_role.task-execution.arn) + execution_role_arn = var.ecs_execution_role_arn != "" ? var.ecs_execution_role_arn : aws_iam_role.ecs-execution.arn + task_role_arn = var.ecs_task_execution_role_arn != "" ? var.ecs_task_execution_role_arn : aws_iam_role.task-execution.arn network_mode = "awsvpc" requires_compatibilities = [var.launch_type] diff --git a/.modules/service/policy.tf b/.modules/service/policy.tf index 3cdeec4..6b4035d 100644 --- a/.modules/service/policy.tf 
+++ b/.modules/service/policy.tf @@ -19,7 +19,7 @@ resource "aws_iam_role" "ecs-execution" { resource "aws_iam_role_policy_attachment" "ecs-execution-managed" { count = var.ecs_execution_role_arn == "" ? 1 : 0 - role = aws_iam_role.ecs-execution.id + role = var.ecs_execution_role_arn == "" ? aws_iam_role.ecs-execution.id : "" policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" } @@ -60,5 +60,5 @@ resource "aws_iam_role_policy" "task-role" { count = var.ecs_task_execution_role_arn == "" ? 1 : 0 policy = data.aws_iam_policy_document.task-policy.json - role = aws_iam_role.task-execution.id + role = var.ecs_task_execution_role_arn == "" ? aws_iam_role.task-execution.id : "" } From 532536554ef5a187c62e7f37045d91ed642d30a0 Mon Sep 17 00:00:00 2001 From: Krisjanis Lejejs Date: Fri, 27 Sep 2024 16:47:58 +0300 Subject: [PATCH 3/8] Attempt ficing TF issues with conditional roles --- .modules/service/ecs.tf | 4 ++-- .modules/service/policy.tf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.modules/service/ecs.tf b/.modules/service/ecs.tf index 696d508..c582599 100644 --- a/.modules/service/ecs.tf +++ b/.modules/service/ecs.tf @@ -20,8 +20,8 @@ resource "aws_ecs_task_definition" "task" { family = var.service_name cpu = var.ecs_cpu memory = var.ecs_memory - execution_role_arn = var.ecs_execution_role_arn != "" ? var.ecs_execution_role_arn : aws_iam_role.ecs-execution.arn - task_role_arn = var.ecs_task_execution_role_arn != "" ? var.ecs_task_execution_role_arn : aws_iam_role.task-execution.arn + execution_role_arn = element(concat(aws_iam_role.ecs-execution.*.arn, list(var.ecs_execution_role_arn)), var.ecs_execution_role_arn == "" ? 0 : 1) + task_role_arn = element(concat(aws_iam_role.task-execution.*.arn, list(var.ecs_task_execution_role_arn)), var.ecs_task_execution_role_arn == "" ? 0 : 1) network_mode = "awsvpc" requires_compatibilities = [var.launch_type] 
diff --git a/.modules/service/policy.tf b/.modules/service/policy.tf index 6b4035d..e45d89d 100644 --- a/.modules/service/policy.tf +++ b/.modules/service/policy.tf @@ -19,7 +19,7 @@ resource "aws_iam_role" "ecs-execution" { resource "aws_iam_role_policy_attachment" "ecs-execution-managed" { count = var.ecs_execution_role_arn == "" ? 1 : 0 - role = var.ecs_execution_role_arn == "" ? aws_iam_role.ecs-execution.id : "" + role = element(concat(aws_iam_role.ecs-execution.*.id, list("")), var.ecs_execution_role_arn == "" ? 0 : 1) policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" } @@ -60,5 +60,5 @@ resource "aws_iam_role_policy" "task-role" { count = var.ecs_task_execution_role_arn == "" ? 1 : 0 policy = data.aws_iam_policy_document.task-policy.json - role = var.ecs_task_execution_role_arn == "" ? aws_iam_role.task-execution.id : "" + role = element(concat(aws_iam_role.task-execution.*.id, list("")), var.ecs_task_execution_role_arn == "" ? 0 : 1) } From b55648ba408de4330d20f3f2e0a947ab36d52d3a Mon Sep 17 00:00:00 2001 From: Krisjanis Lejejs Date: Fri, 27 Sep 2024 16:50:33 +0300 Subject: [PATCH 4/8] Use tolist instead of deprecated list --- .modules/service/ecs.tf | 4 ++-- .modules/service/policy.tf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.modules/service/ecs.tf b/.modules/service/ecs.tf index c582599..e71acd0 100644 --- a/.modules/service/ecs.tf +++ b/.modules/service/ecs.tf 
@@ -20,8 +20,8 @@ resource "aws_ecs_task_definition" "task" { family = var.service_name cpu = var.ecs_cpu memory = var.ecs_memory - execution_role_arn = element(concat(aws_iam_role.ecs-execution.*.arn, list(var.ecs_execution_role_arn)), var.ecs_execution_role_arn == "" ? 0 : 1) - task_role_arn = element(concat(aws_iam_role.task-execution.*.arn, list(var.ecs_task_execution_role_arn)), var.ecs_task_execution_role_arn == "" ? 0 : 1) + execution_role_arn = element(concat(aws_iam_role.ecs-execution.*.arn, tolist([var.ecs_execution_role_arn])), var.ecs_execution_role_arn == "" ? 0 : 1) + task_role_arn = element(concat(aws_iam_role.task-execution.*.arn, tolist([var.ecs_task_execution_role_arn])), var.ecs_task_execution_role_arn == "" ? 0 : 1) network_mode = "awsvpc" requires_compatibilities = [var.launch_type] diff --git a/.modules/service/policy.tf b/.modules/service/policy.tf index e45d89d..93d558e 100644 --- a/.modules/service/policy.tf +++ b/.modules/service/policy.tf @@ -19,7 +19,7 @@ resource "aws_iam_role" "ecs-execution" { resource "aws_iam_role_policy_attachment" "ecs-execution-managed" { count = var.ecs_execution_role_arn == "" ? 1 : 0 - role = element(concat(aws_iam_role.ecs-execution.*.id, list("")), var.ecs_execution_role_arn == "" ? 0 : 1) + role = element(concat(aws_iam_role.ecs-execution.*.id, tolist([""])), var.ecs_execution_role_arn == "" ? 0 : 1) policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" } @@ -60,5 +60,5 @@ resource "aws_iam_role_policy" "task-role" { count = var.ecs_task_execution_role_arn == "" ? 1 : 0 policy = data.aws_iam_policy_document.task-policy.json - role = element(concat(aws_iam_role.task-execution.*.id, list("")), var.ecs_task_execution_role_arn == "" ? 0 : 1) + role = element(concat(aws_iam_role.task-execution.*.id, tolist([""])), var.ecs_task_execution_role_arn == "" ? 0 : 1) } From a30b4062b60f1aa1de2382bad8a43b19614efd4f Mon Sep 17 00:00:00 2001 
From: Krisjanis Lejejs Date: Fri, 27 Sep 2024 17:17:24 +0300 Subject: [PATCH 5/8] Test using separate variable for policy count --- .modules/service/ecs.tf | 4 ++-- .modules/service/policy.tf | 12 ++++++------ .modules/service/variables.tf | 6 ++++++ stun_server/region/module.tf | 1 + 4 files changed, 15 insertions(+), 8 deletions(-) diff --git a/.modules/service/ecs.tf b/.modules/service/ecs.tf index e71acd0..8e1b961 100644 --- a/.modules/service/ecs.tf +++ b/.modules/service/ecs.tf @@ -20,8 +20,8 @@ resource "aws_ecs_task_definition" "task" { family = var.service_name cpu = var.ecs_cpu memory = var.ecs_memory - execution_role_arn = element(concat(aws_iam_role.ecs-execution.*.arn, tolist([var.ecs_execution_role_arn])), var.ecs_execution_role_arn == "" ? 0 : 1) - task_role_arn = element(concat(aws_iam_role.task-execution.*.arn, tolist([var.ecs_task_execution_role_arn])), var.ecs_task_execution_role_arn == "" ? 0 : 1) + execution_role_arn = element(concat(aws_iam_role.ecs-execution.*.arn, tolist([var.ecs_execution_role_arn])), var.create_policy ? 0 : 1) + task_role_arn = element(concat(aws_iam_role.task-execution.*.arn, tolist([var.ecs_task_execution_role_arn])), var.create_policy ? 0 : 1) network_mode = "awsvpc" requires_compatibilities = [var.launch_type] diff --git a/.modules/service/policy.tf b/.modules/service/policy.tf index 93d558e..f5c4f17 100644 --- a/.modules/service/policy.tf +++ b/.modules/service/policy.tf 
@@ -10,16 +10,16 @@ data "aws_iam_policy_document" "ecs-role-policy" { } resource "aws_iam_role" "ecs-execution" { - count = var.ecs_execution_role_arn == "" ? 1 : 0 + count = var.create_policy ? 1 : 0 name = "${var.service_name}-ExecutionRole-role" assume_role_policy = data.aws_iam_policy_document.ecs-role-policy.json } resource "aws_iam_role_policy_attachment" "ecs-execution-managed" { - count = var.ecs_execution_role_arn == "" ? 1 : 0 + count = var.create_policy ? 1 : 0 - role = element(concat(aws_iam_role.ecs-execution.*.id, tolist([""])), var.ecs_execution_role_arn == "" ? 0 : 1) + role = element(concat(aws_iam_role.ecs-execution.*.id, tolist([""])), var.create_policy ? 0 : 1) policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" } @@ -50,15 +50,15 @@ data "aws_iam_policy_document" "task-assume-role" { } resource "aws_iam_role" "task-execution" { - count = var.ecs_task_execution_role_arn == "" ? 1 : 0 + count = var.create_policy ? 1 : 0 name = "${var.service_name}-TaskRole-role" assume_role_policy = data.aws_iam_policy_document.task-assume-role.json } resource "aws_iam_role_policy" "task-role" { - count = var.ecs_task_execution_role_arn == "" ? 1 : 0 + count = var.create_policy ? 1 : 0 policy = data.aws_iam_policy_document.task-policy.json - role = element(concat(aws_iam_role.task-execution.*.id, tolist([""])), var.ecs_task_execution_role_arn == "" ? 0 : 1) + role = element(concat(aws_iam_role.task-execution.*.id, tolist([""])), var.create_policy ? 0 : 1) } diff --git a/.modules/service/variables.tf b/.modules/service/variables.tf index a08feb1..c0341ff 100644 --- a/.modules/service/variables.tf +++ b/.modules/service/variables.tf @@ -66,6 +66,12 @@ variable "rolling_updates" { type = bool } +variable "create_policy" { + description = "Boolean to create the policy" + default = true + type = bool +} + variable "ecs_execution_role_arn" { description = "The ARN of the ECS execution role" type = string 
diff --git a/stun_server/region/module.tf b/stun_server/region/module.tf index 51a4052..b09db0a 100644 --- a/stun_server/region/module.tf +++ b/stun_server/region/module.tf @@ -38,6 +38,7 @@ module "stun_server" { ], } webservice = true + create_policy = false ecs_execution_role_arn = var.ecs_execution_role_arn ecs_task_execution_role_arn = var.ecs_task_execution_role_arn } From b6787ca0c7c37caacfa857332d9428e65771417c Mon Sep 17 00:00:00 2001 From: Krisjanis Lejejs Date: Fri, 27 Sep 2024 17:29:08 +0300 Subject: [PATCH 6/8] Refactor code --- .modules/service/ecs.tf | 4 ++-- .modules/service/policy.tf | 12 ++++++------ .modules/service/variables.tf | 12 ++++++------ stun_server/region/module.tf | 8 ++++---- 4 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.modules/service/ecs.tf b/.modules/service/ecs.tf index 8e1b961..fc920d1 100644 --- a/.modules/service/ecs.tf +++ b/.modules/service/ecs.tf @@ -20,8 +20,8 @@ resource "aws_ecs_task_definition" "task" { family = var.service_name cpu = var.ecs_cpu memory = var.ecs_memory - execution_role_arn = element(concat(aws_iam_role.ecs-execution.*.arn, tolist([var.ecs_execution_role_arn])), var.create_policy ? 0 : 1) - task_role_arn = element(concat(aws_iam_role.task-execution.*.arn, tolist([var.ecs_task_execution_role_arn])), var.create_policy ? 0 : 1) + execution_role_arn = element(concat(aws_iam_role.ecs-execution.*.arn, tolist([var.external_ecs_execution_role_arn])), var.create_policies ? 0 : 1) + task_role_arn = element(concat(aws_iam_role.task-execution.*.arn, tolist([var.external_ecs_task_execution_role_arn])), var.create_policies ? 0 : 1) network_mode = "awsvpc" requires_compatibilities = [var.launch_type] diff --git a/.modules/service/policy.tf b/.modules/service/policy.tf index f5c4f17..1e1c517 100644 --- a/.modules/service/policy.tf +++ b/.modules/service/policy.tf 
@@ -10,16 +10,16 @@ data "aws_iam_policy_document" "ecs-role-policy" { } resource "aws_iam_role" "ecs-execution" { - count = var.create_policy ? 1 : 0 + count = var.create_policies ? 1 : 0 name = "${var.service_name}-ExecutionRole-role" assume_role_policy = data.aws_iam_policy_document.ecs-role-policy.json } resource "aws_iam_role_policy_attachment" "ecs-execution-managed" { - count = var.create_policy ? 1 : 0 + count = var.create_policies ? 1 : 0 - role = element(concat(aws_iam_role.ecs-execution.*.id, tolist([""])), var.create_policy ? 0 : 1) + role = element(concat(aws_iam_role.ecs-execution.*.id, tolist([""])), var.create_policies ? 0 : 1) policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" } @@ -50,15 +50,15 @@ data "aws_iam_policy_document" "task-assume-role" { } resource "aws_iam_role" "task-execution" { - count = var.create_policy ? 1 : 0 + count = var.create_policies ? 1 : 0 name = "${var.service_name}-TaskRole-role" assume_role_policy = data.aws_iam_policy_document.task-assume-role.json } resource "aws_iam_role_policy" "task-role" { - count = var.create_policy ? 1 : 0 + count = var.create_policies ? 1 : 0 policy = data.aws_iam_policy_document.task-policy.json - role = element(concat(aws_iam_role.task-execution.*.id, tolist([""])), var.create_policy ? 0 : 1) + role = element(concat(aws_iam_role.task-execution.*.id, tolist([""])), var.create_policies ? 0 : 1) } diff --git a/.modules/service/variables.tf b/.modules/service/variables.tf index c0341ff..083ddfa 100644 --- a/.modules/service/variables.tf +++ b/.modules/service/variables.tf 
@@ -66,20 +66,20 @@ variable "rolling_updates" { type = bool } -variable "create_policy" { - description = "Boolean to create the policy" +variable "create_policies" { + description = "Boolean whether to create the policy" default = true type = bool } -variable "ecs_execution_role_arn" { - description = "The ARN of the ECS execution role" +variable "external_ecs_execution_role_arn" { + description = "The ARN of an external ECS execution role to use" type = string default = "" } -variable "ecs_task_execution_role_arn" { - description = "The ARN of the ECS task role" +variable "external_ecs_task_execution_role_arn" { + description = "The ARN of an external ECS task execution role to use" type = string default = "" } diff --git a/stun_server/region/module.tf b/stun_server/region/module.tf index b09db0a..913316c 100644 --- a/stun_server/region/module.tf +++ b/stun_server/region/module.tf @@ -37,8 +37,8 @@ module "stun_server" { } ], } - webservice = true - create_policy = false - ecs_execution_role_arn = var.ecs_execution_role_arn - ecs_task_execution_role_arn = var.ecs_task_execution_role_arn + webservice = true + create_policies = false + external_ecs_execution_role_arn = var.ecs_execution_role_arn + external_ecs_task_execution_role_arn = var.ecs_task_execution_role_arn } From 3a784bb7a914e21b09cfa184b06db76baed724fb Mon Sep 17 00:00:00 2001 From: Krisjanis Lejejs Date: Mon, 30 Sep 2024 12:38:38 +0300 Subject: [PATCH 7/8] Migrate to using esternal role names for service module --- .modules/service/ecs.tf | 4 ++-- .modules/service/policy.tf | 12 ++++++++++++ .modules/service/variables.tf | 8 ++++---- stun_server/main.tf | 30 +++++++++++++++--------------- stun_server/region/module.tf | 8 ++++---- stun_server/region/variables.tf | 8 ++++---- 6 files changed, 41 insertions(+), 29 deletions(-) diff --git a/.modules/service/ecs.tf b/.modules/service/ecs.tf index fc920d1..10b1b52 100644 --- a/.modules/service/ecs.tf +++ b/.modules/service/ecs.tf 
@@ -20,8 +20,8 @@ resource "aws_ecs_task_definition" "task" { family = var.service_name cpu = var.ecs_cpu memory = var.ecs_memory - execution_role_arn = element(concat(aws_iam_role.ecs-execution.*.arn, tolist([var.external_ecs_execution_role_arn])), var.create_policies ? 0 : 1) - task_role_arn = element(concat(aws_iam_role.task-execution.*.arn, tolist([var.external_ecs_task_execution_role_arn])), var.create_policies ? 0 : 1) + execution_role_arn = element(concat(aws_iam_role.ecs-execution.*.arn, data.aws_iam_role.ecs-execution-external.*.arn), var.create_policies ? 0 : 1) + task_role_arn = element(concat(aws_iam_role.task-execution.*.arn, data.aws_iam_role.task-execution-external.*.arn), var.create_policies ? 0 : 1) network_mode = "awsvpc" requires_compatibilities = [var.launch_type] diff --git a/.modules/service/policy.tf b/.modules/service/policy.tf index 1e1c517..830f898 100644 --- a/.modules/service/policy.tf +++ b/.modules/service/policy.tf @@ -62,3 +62,15 @@ resource "aws_iam_role_policy" "task-role" { policy = data.aws_iam_policy_document.task-policy.json role = element(concat(aws_iam_role.task-execution.*.id, tolist([""])), var.create_policies ? 0 : 1) } + +data "aws_iam_role" "ecs-execution-external" { + count = var.create_policies ? 0 : 1 + + name = var.external_ecs_execution_role +} + +data "aws_iam_role" "task-execution-external" { + count = var.create_policies ? 0 : 1 + + name = var.external_ecs_task_execution_role +} diff --git a/.modules/service/variables.tf b/.modules/service/variables.tf index 083ddfa..89de3b9 100644 --- a/.modules/service/variables.tf +++ b/.modules/service/variables.tf 
@@ -72,14 +72,14 @@ variable "create_policies" { type = bool } -variable "external_ecs_execution_role_arn" { - description = "The ARN of an external ECS execution role to use" +variable "external_ecs_execution_role" { + description = "The name of an external ECS execution role to use" type = string default = "" } -variable "external_ecs_task_execution_role_arn" { - description = "The ARN of an external ECS task execution role to use" +variable "external_ecs_task_execution_role" { + description = "The name of an external ECS task execution role to use" type = string default = "" } diff --git a/stun_server/main.tf b/stun_server/main.tf index 772b14b..cca1b27 100644 --- a/stun_server/main.tf +++ b/stun_server/main.tf 
@@ -15,29 +15,29 @@ provider "aws" { module "us_east_1" { source = "./region" - region = "us-east-1" - domain_name = var.domain_name - image_tag = var.image_tag - ecs_execution_role_arn = aws_iam_role.ecs-execution.arn - ecs_task_execution_role_arn = aws_iam_role.task-execution.arn + region = "us-east-1" + domain_name = var.domain_name + image_tag = var.image_tag + ecs_execution_role = aws_iam_role.ecs-execution.name + ecs_task_execution_role = aws_iam_role.task-execution.name } module "eu_central_1" { source = "./region" - region = "eu-central-1" - domain_name = var.domain_name - image_tag = var.image_tag - ecs_execution_role_arn = aws_iam_role.ecs-execution.arn - ecs_task_execution_role_arn = aws_iam_role.task-execution.arn + region = "eu-central-1" + domain_name = var.domain_name + image_tag = var.image_tag + ecs_execution_role = aws_iam_role.ecs-execution.name + ecs_task_execution_role = aws_iam_role.task-execution.name } module "ap_southeast_1" { source = "./region" - region = "ap-southeast-1" - domain_name = var.domain_name - image_tag = var.image_tag - ecs_execution_role_arn = aws_iam_role.ecs-execution.arn - ecs_task_execution_role_arn = aws_iam_role.task-execution.arn + region = "ap-southeast-1" + domain_name = var.domain_name + image_tag = var.image_tag + ecs_execution_role = aws_iam_role.ecs-execution.name + ecs_task_execution_role = aws_iam_role.task-execution.name } diff --git a/stun_server/region/module.tf b/stun_server/region/module.tf index 913316c..1351ea6 100644 --- a/stun_server/region/module.tf +++ b/stun_server/region/module.tf @@ -37,8 +37,8 @@ module "stun_server" { } ], } - webservice = true - create_policies = false - external_ecs_execution_role_arn = var.ecs_execution_role_arn - external_ecs_task_execution_role_arn = var.ecs_task_execution_role_arn + webservice = true + create_policies = false + external_ecs_execution_role = var.ecs_execution_role + external_ecs_task_execution_role = var.ecs_task_execution_role } 
diff --git a/stun_server/region/variables.tf b/stun_server/region/variables.tf index f7d8723..0932466 100644 --- a/stun_server/region/variables.tf +++ b/stun_server/region/variables.tf @@ -13,12 +13,12 @@ variable "image_tag" { type = string } -variable "ecs_execution_role_arn" { - description = "The ARN of the ECS execution role" +variable "ecs_execution_role" { + description = "The name of the ECS execution role" type = string } -variable "ecs_task_execution_role_arn" { - description = "The ARN of the ECS task execution role" +variable "ecs_task_execution_role" { + description = "The name of the ECS task execution role" type = string } From c9a961dece7a263cee1b97cd7aa778454d647ac6 Mon Sep 17 00:00:00 2001 From: Krisjanis Lejejs Date: Mon, 30 Sep 2024 12:46:27 +0300 Subject: [PATCH 8/8] Attempt calculating role creation need in service module based on role name variables --- .modules/service/ecs.tf | 4 ++-- .modules/service/policy.tf | 16 ++++++++-------- .modules/service/variables.tf | 6 ------ stun_server/region/module.tf | 1 - 4 files changed, 10 insertions(+), 17 deletions(-) diff --git a/.modules/service/ecs.tf b/.modules/service/ecs.tf index 10b1b52..ffc9ee9 100644 --- a/.modules/service/ecs.tf +++ b/.modules/service/ecs.tf 
@@ -20,8 +20,8 @@ resource "aws_ecs_task_definition" "task" { family = var.service_name cpu = var.ecs_cpu memory = var.ecs_memory - execution_role_arn = element(concat(aws_iam_role.ecs-execution.*.arn, data.aws_iam_role.ecs-execution-external.*.arn), var.create_policies ? 0 : 1) - task_role_arn = element(concat(aws_iam_role.task-execution.*.arn, data.aws_iam_role.task-execution-external.*.arn), var.create_policies ? 0 : 1) + execution_role_arn = element(concat(aws_iam_role.ecs-execution.*.arn, data.aws_iam_role.ecs-execution-external.*.arn), var.external_ecs_execution_role == "" ? 0 : 1) + task_role_arn = element(concat(aws_iam_role.task-execution.*.arn, data.aws_iam_role.task-execution-external.*.arn), var.external_ecs_task_execution_role == "" ? 0 : 1) network_mode = "awsvpc" requires_compatibilities = [var.launch_type] diff --git a/.modules/service/policy.tf b/.modules/service/policy.tf index 830f898..34d641b 100644 --- a/.modules/service/policy.tf +++ b/.modules/service/policy.tf @@ -10,16 +10,16 @@ data "aws_iam_policy_document" "ecs-role-policy" { } resource "aws_iam_role" "ecs-execution" { - count = var.create_policies ? 1 : 0 + count = var.external_ecs_execution_role == "" ? 1 : 0 name = "${var.service_name}-ExecutionRole-role" assume_role_policy = data.aws_iam_policy_document.ecs-role-policy.json } resource "aws_iam_role_policy_attachment" "ecs-execution-managed" { - count = var.create_policies ? 1 : 0 + count = var.external_ecs_execution_role == "" ? 1 : 0 - role = element(concat(aws_iam_role.ecs-execution.*.id, tolist([""])), var.create_policies ? 0 : 1) + role = element(concat(aws_iam_role.ecs-execution.*.id, tolist([""])), var.external_ecs_execution_role == "" ? 0 : 1) policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" } 
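Review bot: Both `element(concat(...), ... ? 0 : 1)` expressions in this hunk depend on `element` wrapping an out-of-range index: exactly one of the two splat lists is ever non-empty, so `concat` yields a single-element list and index 1 only resolves to that element because `element` takes the index modulo the length. Stating the choice directly reads as the intent, e.g. `execution_role_arn = var.external_ecs_execution_role == "" ? aws_iam_role.ecs-execution[0].arn : data.aws_iam_role.ecs-execution-external[0].arn` and the same shape for `task_role_arn` (or `one(concat(...))` on Terraform 0.15+). Separately, `external_ecs_task_execution_role` feeds `task_role_arn`, which is the task role (what the running container is allowed to call), while the execution role is what the ECS agent uses to pull the image and ship logs; the variable name conflates the two, and `external_ecs_task_role` would match the attribute it sets.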
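Review bot: In `ecs-execution-managed`, the `role = element(concat(aws_iam_role.ecs-execution.*.id, tolist([""])), ...)` fallback is dead code: the attachment carries the same `count` condition as the role, so its body is only evaluated when `aws_iam_role.ecs-execution[0]` exists, and an attachment to a role named `""` could never apply anyway. `role = aws_iam_role.ecs-execution[0].id` says the same thing without the empty-string sentinel; `task-role` in the next hunk has the identical pattern and would become `role = aws_iam_role.task-execution[0].id`. The `count` on `ecs-execution` and on its attachment now repeat the `var.external_ecs_execution_role == ""` test verbatim; a `locals` entry such as `create_execution_role = var.external_ecs_execution_role == ""` would keep the role, its attachment and the task definition from drifting apart on that decision.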
@@ -50,27 +50,27 @@ data "aws_iam_policy_document" "task-assume-role" { } resource "aws_iam_role" "task-execution" { - count = var.create_policies ? 1 : 0 + count = var.external_ecs_task_execution_role == "" ? 1 : 0 name = "${var.service_name}-TaskRole-role" assume_role_policy = data.aws_iam_policy_document.task-assume-role.json } resource "aws_iam_role_policy" "task-role" { - count = var.create_policies ? 1 : 0 + count = var.external_ecs_task_execution_role == "" ? 1 : 0 policy = data.aws_iam_policy_document.task-policy.json - role = element(concat(aws_iam_role.task-execution.*.id, tolist([""])), var.create_policies ? 0 : 1) + role = element(concat(aws_iam_role.task-execution.*.id, tolist([""])), var.external_ecs_task_execution_role == "" ? 0 : 1) } data "aws_iam_role" "ecs-execution-external" { - count = var.create_policies ? 0 : 1 + count = var.external_ecs_execution_role == "" ? 0 : 1 name = var.external_ecs_execution_role } data "aws_iam_role" "task-execution-external" { - count = var.create_policies ? 0 : 1 + count = var.external_ecs_task_execution_role == "" ? 0 : 1 name = var.external_ecs_task_execution_role } diff --git a/.modules/service/variables.tf b/.modules/service/variables.tf index 89de3b9..d00b9a9 100644 --- a/.modules/service/variables.tf +++ b/.modules/service/variables.tf @@ -66,12 +66,6 @@ variable "rolling_updates" { type = bool } -variable "create_policies" { - description = "Boolean whether to create the policy" - default = true - type = bool -} - variable "external_ecs_execution_role" { description = "The name of an external ECS execution role to use" type = string diff --git a/stun_server/region/module.tf b/stun_server/region/module.tf index 1351ea6..4d219fd 100644 --- a/stun_server/region/module.tf +++ b/stun_server/region/module.tf @@ -38,7 +38,6 @@ module "stun_server" { ], } webservice = true - create_policies = false external_ecs_execution_role = var.ecs_execution_role external_ecs_task_execution_role = var.ecs_task_execution_role }
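Review bot: With `create_policies` removed in the variables.tf hunk on this line, nothing in the module states that an empty role name is the switch that makes the module create and own its roles; the two `data "aws_iam_role"` blocks at the end of this hunk are where a reader first meets that convention, and the data lookup is also what makes a misspelled external name fail at plan time rather than at task launch. A comment above `ecs-execution-external` such as `# Looked up only when the caller names an existing role; an empty name makes the module create and own the role above.`, the same above `task-execution-external`, and a matching phrase in the two variable descriptions (`leave empty to have the module create the role`) would document it. Note that the two roles are now independently switchable, so a caller can supply an external execution role while the module still creates the task role; if that mix is not intended, it is worth rejecting explicitly rather than leaving it to the caller to notice.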