Merge pull request #223 from fdmsantos/create_execution_role_ec2_task…

…s_feature Add ability to create Execution Role for Tasks deployed in EC2
trussworks · Jun 4, 2021 · ceee1cd · ceee1cd
2 parents 548bdc4 + 898d67a
commit ceee1cd
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -160,6 +160,7 @@ No modules.
 | <a name="input_cloudwatch_alarm_name"></a> [cloudwatch\_alarm\_name](#input\_cloudwatch\_alarm\_name) | Generic name used for CPU and Memory Cloudwatch Alarms | `string` | `""` | no |
 | <a name="input_container_definitions"></a> [container\_definitions](#input\_container\_definitions) | Container definitions provided as valid JSON document. Default uses golang:alpine running a simple hello world. | `string` | `""` | no |
 | <a name="input_container_image"></a> [container\_image](#input\_container\_image) | The image of the container. | `string` | `"golang:alpine"` | no |
+| <a name="input_ec2_create_task_execution_role"></a> [ec2\_create\_task\_execution\_role](#input\_ec2\_create\_task\_execution\_role) | Set to true to create ecs task execution role to ECS EC2 Tasks. | `bool` | `false` | no |
 | <a name="input_ecr_repo_arns"></a> [ecr\_repo\_arns](#input\_ecr\_repo\_arns) | The ARNs of the ECR repos.  By default, allows all repositories. | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
 | <a name="input_ecs_cluster"></a> [ecs\_cluster](#input\_ecs\_cluster) | ECS cluster object for this task. | <pre>object({<br>    arn  = string<br>    name = string<br>  })</pre> | n/a | yes |
 | <a name="input_ecs_instance_role"></a> [ecs\_instance\_role](#input\_ecs\_instance\_role) | The name of the ECS instance role. | `string` | `""` | no |

diff --git a/main.tf b/main.tf
@@ -354,14 +354,20 @@ resource "aws_iam_role" "task_role" {
 }
 
 resource "aws_iam_role" "task_execution_role" {
-  count = var.ecs_use_fargate ? 1 : 0
+  # if ecs_use_fargate is True, create aws_iam_role resource
+  # if ecs_use_fargate is False, check whether value of ec2_create_task_execution_role is True/False.
+  # if True, set to 1 creating the resource, if False, set to 0, not creating the resource
+  count = var.ecs_use_fargate ? 1 : var.ec2_create_task_execution_role ? 1 : 0
 
   name               = "ecs-task-execution-role-${var.name}-${var.environment}"
   assume_role_policy = data.aws_iam_policy_document.ecs_assume_role_policy.json
 }
 
 resource "aws_iam_role_policy" "task_execution_role_policy" {
-  count = var.ecs_use_fargate ? 1 : 0
+  # if ecs_use_fargate is True, create aws_iam_role_policy resource
+  # if ecs_use_fargate is False, check whether value of ec2_create_task_execution_role is True/False.
+  # if True, set to 1 creating the resource, if False, set to 0, not creating the resource
+  count = var.ecs_use_fargate ? 1 : var.ec2_create_task_execution_role ? 1 : 0
 
   name   = "${aws_iam_role.task_execution_role[0].name}-policy"
   role   = aws_iam_role.task_execution_role[0].name

diff --git a/variables.tf b/variables.tf
@@ -92,6 +92,12 @@ variable "ecs_subnet_ids" {
   type        = list(string)
 }
 
+variable "ec2_create_task_execution_role" {
+  description = "Set to true to create ecs task execution role to ECS EC2 Tasks."
+  type        = bool
+  default     = false
+}
+
 variable "assign_public_ip" {
   description = "Whether this instance should be accessible from the public internet. Default is false."
   default     = false