home-assistant · klejejs · Sep 27, 2024 · Sep 27, 2024 · Sep 27, 2024 · Sep 27, 2024
diff --git a/.modules/service/ecs.tf b/.modules/service/ecs.tf
@@ -20,8 +20,8 @@ resource "aws_ecs_task_definition" "task" {
   family                   = var.service_name
   cpu                      = var.ecs_cpu
   memory                   = var.ecs_memory
-  execution_role_arn       = aws_iam_role.ecs-execution.arn
-  task_role_arn            = aws_iam_role.task-execution.arn
+  execution_role_arn       = element(concat(aws_iam_role.ecs-execution.*.arn, data.aws_iam_role.ecs-execution-external.*.arn), var.external_ecs_execution_role == "" ? 0 : 1)
+  task_role_arn            = element(concat(aws_iam_role.task-execution.*.arn, data.aws_iam_role.task-execution-external.*.arn), var.external_ecs_task_execution_role == "" ? 0 : 1)
   network_mode             = "awsvpc"
   requires_compatibilities = [var.launch_type]
 
@@ -56,4 +56,4 @@ resource "aws_ecs_task_definition" "task" {
       }
     }, var.container_definitions)
   ])
-}
+}
diff --git a/.modules/service/policy.tf b/.modules/service/policy.tf
@@ -10,12 +10,16 @@ data "aws_iam_policy_document" "ecs-role-policy" {
 }
 
 resource "aws_iam_role" "ecs-execution" {
+  count = var.external_ecs_execution_role == "" ? 1 : 0
+
   name               = "${var.service_name}-ExecutionRole-role"
   assume_role_policy = data.aws_iam_policy_document.ecs-role-policy.json
 }
 
 resource "aws_iam_role_policy_attachment" "ecs-execution-managed" {
-  role       = aws_iam_role.ecs-execution.id
+  count = var.external_ecs_execution_role == "" ? 1 : 0
+
+  role       = element(concat(aws_iam_role.ecs-execution.*.id, tolist([""])), var.external_ecs_execution_role == "" ? 0 : 1)
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
 
@@ -46,11 +50,27 @@ data "aws_iam_policy_document" "task-assume-role" {
 }
 
 resource "aws_iam_role" "task-execution" {
+  count = var.external_ecs_task_execution_role == "" ? 1 : 0
+
   name               = "${var.service_name}-TaskRole-role"
   assume_role_policy = data.aws_iam_policy_document.task-assume-role.json
 }
 
 resource "aws_iam_role_policy" "task-role" {
+  count = var.external_ecs_task_execution_role == "" ? 1 : 0
+
   policy = data.aws_iam_policy_document.task-policy.json
-  role   = aws_iam_role.task-execution.id
-}
+  role   = element(concat(aws_iam_role.task-execution.*.id, tolist([""])), var.external_ecs_task_execution_role == "" ? 0 : 1)
+}
+
+data "aws_iam_role" "ecs-execution-external" {
+  count = var.external_ecs_execution_role == "" ? 0 : 1
+
+  name = var.external_ecs_execution_role
+}
+
+data "aws_iam_role" "task-execution-external" {
+  count = var.external_ecs_task_execution_role == "" ? 0 : 1
+
+  name = var.external_ecs_task_execution_role
+}
diff --git a/.modules/service/variables.tf b/.modules/service/variables.tf
@@ -65,3 +65,15 @@ variable "rolling_updates" {
   default     = false
   type        = bool
 }
+
+variable "external_ecs_execution_role" {
+  description = "The name of an external ECS execution role to use"
+  type        = string
+  default     = ""
+}
+
+variable "external_ecs_task_execution_role" {
+  description = "The name of an external ECS task execution role to use"
+  type        = string
+  default     = ""
+}
diff --git a/stun_server/main.tf b/stun_server/main.tf
@@ -15,23 +15,29 @@ provider "aws" {
 module "us_east_1" {
   source = "./region"
 
-  region      = "us-east-1"
-  domain_name = var.domain_name
-  image_tag   = var.image_tag
+  region                  = "us-east-1"
+  domain_name             = var.domain_name
+  image_tag               = var.image_tag
+  ecs_execution_role      = aws_iam_role.ecs-execution.name
+  ecs_task_execution_role = aws_iam_role.task-execution.name
 }
 
 module "eu_central_1" {
   source = "./region"
 
-  region      = "eu-central-1"
-  domain_name = var.domain_name
-  image_tag   = var.image_tag
+  region                  = "eu-central-1"
+  domain_name             = var.domain_name
+  image_tag               = var.image_tag
+  ecs_execution_role      = aws_iam_role.ecs-execution.name
+  ecs_task_execution_role = aws_iam_role.task-execution.name
 }
 
 module "ap_southeast_1" {
   source = "./region"
 
-  region      = "ap-southeast-1"
-  domain_name = var.domain_name
-  image_tag   = var.image_tag
+  region                  = "ap-southeast-1"
+  domain_name             = var.domain_name
+  image_tag               = var.image_tag
+  ecs_execution_role      = aws_iam_role.ecs-execution.name
+  ecs_task_execution_role = aws_iam_role.task-execution.name
 }
diff --git a/stun_server/policy.tf b/stun_server/policy.tf
@@ -0,0 +1,52 @@
+data "aws_iam_policy_document" "ecs-role-policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      identifiers = ["ecs-tasks.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+}
+
+resource "aws_iam_role" "ecs-execution" {
+
+  name               = "stun-server-ExecutionRole-role"
+  assume_role_policy = data.aws_iam_policy_document.ecs-role-policy.json
+}
+
+resource "aws_iam_role_policy_attachment" "ecs-execution-managed" {
+
+  role       = aws_iam_role.ecs-execution.id
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+data "aws_iam_policy_document" "task-policy" {
+  statement {
+    actions   = ["cloudwatch:putMetricData"]
+    resources = ["*"]
+  }
+}
+
+data "aws_iam_policy_document" "task-assume-role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      identifiers = ["ecs-tasks.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+}
+
+resource "aws_iam_role" "task-execution" {
+
+  name               = "stun-server-TaskRole-role"
+  assume_role_policy = data.aws_iam_policy_document.task-assume-role.json
+}
+
+resource "aws_iam_role_policy" "task-role" {
+
+  policy = data.aws_iam_policy_document.task-policy.json
+  role   = aws_iam_role.task-execution.id
+}
diff --git a/stun_server/region/ecs.tf b/stun_server/region/ecs.tf
@@ -5,7 +5,6 @@ resource "aws_ecs_service" "stun-server" {
   desired_count                      = 1
   deployment_minimum_healthy_percent = 100
   deployment_maximum_percent         = 200
-  health_check_grace_period_seconds  = 90
   launch_type                        = "FARGATE"
 
   # Required to fetch the public IP address of the ECS service

diff --git a/stun_server/region/module.tf b/stun_server/region/module.tf
@@ -37,5 +37,7 @@ module "stun_server" {
       }
     ],
   }
-  webservice = true
+  webservice                       = true
+  external_ecs_execution_role      = var.ecs_execution_role
+  external_ecs_task_execution_role = var.ecs_task_execution_role
 }
diff --git a/stun_server/region/variables.tf b/stun_server/region/variables.tf
@@ -12,3 +12,13 @@ variable "image_tag" {
   description = "Version of the Stun server to deploy"
   type        = string
 }
+
+variable "ecs_execution_role" {
+  description = "The name of the ECS execution role"
+  type        = string
+}
+
+variable "ecs_task_execution_role" {
+  description = "The name of the ECS task execution role"
+  type        = string
+}