From 6c6641ea62c39eeef4c2b773ab29de5badb7c4d7 Mon Sep 17 00:00:00 2001 From: Fabio Santos Date: Thu, 13 May 2021 12:24:08 +0100 Subject: [PATCH 1/3] Add ability to create Execution Role for Tasks deployed in EC2 --- README.md | 1 + main.tf | 4 ++-- variables.tf | 6 ++++++ 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 6097097..070fe3d 100644
--- a/README.md
+++ b/README.md
@@ -170,6 +170,7 @@ No modules.
 | [fargate\_platform\_version](#input\_fargate\_platform\_version) | The platform version on which to run your service. Only applicable when using Fargate launch type. | `string` | `"LATEST"` | no |
 | [fargate\_task\_cpu](#input\_fargate\_task\_cpu) | Number of cpu units used in initial task definition. Default is minimum. | `number` | `256` | no |
 | [fargate\_task\_memory](#input\_fargate\_task\_memory) | Amount (in MiB) of memory used in initial task definition. Default is minimum. | `number` | `512` | no |
+| [ec2\_create\_task\_execution\_role](#ec2\_create\_task\_execution\_role) | Set to true to create ecs task execution role to ECS EC2 Tasks. Default is false. | `bool` | `false` | no |
 | [health\_check\_grace\_period\_seconds](#input\_health\_check\_grace\_period\_seconds) | Grace period within which failed health checks will be ignored at container start. Only applies to services with an attached loadbalancer. | `number` | `null` | no |
 | [hello\_world\_container\_ports](#input\_hello\_world\_container\_ports) | List of ports for the hello world container app to listen on. The app currently supports listening on two ports. | `list(number)` |
[
8080,
8081
]
| no |
 | [kms\_key\_id](#input\_kms\_key\_id) | KMS customer managed key (CMK) ARN for encrypting application logs. | `string` | n/a | yes |
diff --git a/main.tf b/main.tf
index 9bf738d..047af8b 100644
--- a/main.tf
+++ b/main.tf
@@ -352,14 +352,14 @@ resource "aws_iam_role" "task_role" {
 }
 
 resource "aws_iam_role" "task_execution_role" {
- count = var.ecs_use_fargate ? 1 : 0
+ count = var.ecs_use_fargate ? 1 : var.ec2_create_task_execution_role ? 1 : 0
 
 name = "ecs-task-execution-role-${var.name}-${var.environment}"
 assume_role_policy = data.aws_iam_policy_document.ecs_assume_role_policy.json
 }
 
 resource "aws_iam_role_policy" "task_execution_role_policy" {
- count = var.ecs_use_fargate ? 1 : 0
+ count = var.ecs_use_fargate ? 1 : var.ec2_create_task_execution_role ? 1 : 0
 
 name = "${aws_iam_role.task_execution_role[0].name}-policy"
 role = aws_iam_role.task_execution_role[0].name
diff --git a/variables.tf b/variables.tf
index 369616b..8df9cd2 100644
--- a/variables.tf
+++ b/variables.tf
@@ -92,6 +92,12 @@ variable "ecs_subnet_ids" {
 type = list(string)
 }
 
+variable "ec2_create_task_execution_role" {
+ description = "Set to true to create ecs task execution role to ECS EC2 Tasks."
+ type = bool
+ default = false
+}
+
 variable "assign_public_ip" {
 description = "Whether this instance should be accessible from the public internet. Default is false."
 default = false
From a34a02d2b88aad22d74cd6cc56e22ed2780aec90 Mon Sep 17 00:00:00 2001 From: Avanti Joshi Date: Fri, 4 Jun 2021 10:48:02 -0400 Subject: [PATCH 2/3] add comments --- README.md | 2 +- main.tf | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 070fe3d..036d3b0 100644
--- a/README.md
+++ b/README.md
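Review bot: Nothing in this hunk attaches the newly created role to the task definition; the two `count` expressions now create `task_execution_role` and its policy for EC2 tasks, but if the task definition's `execution_role_arn` elsewhere in main.tf (not visible here) is still gated on `var.ecs_use_fargate` alone, the EC2 role is created and never used, and the permissions it carries cannot be reviewed from this hunk. Worth confirming that reference was updated alongside this change. As a matter of style, `var.ecs_use_fargate ? 1 : var.ec2_create_task_execution_role ? 1 : 0` is a nested conditional whose truth table is simply `count = var.ecs_use_fargate || var.ec2_create_task_execution_role ? 1 : 0`, and that form also makes the "either launch type" intent obvious. Since the policy resource indexes `aws_iam_role.task_execution_role[0]`, the two counts must stay identical; putting the condition in one `local` and referencing it from both `count` lines removes the chance of them drifting apart.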
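Review bot: The description of `ec2_create_task_execution_role` does not say that it is ignored when `ecs_use_fargate` is true, which is what the `count` expressions in main.tf implement (Fargate is checked first), and "to ECS EC2 Tasks" reads as a typo for "for". Suggest `description = "Set to true to create an ECS task execution role for EC2 launch-type tasks. Has no effect when ecs_use_fargate is true, where the role is always created."`. The variable block is complete within the hunk.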
@@ -160,6 +160,7 @@ No modules.
 | [cloudwatch\_alarm\_name](#input\_cloudwatch\_alarm\_name) | Generic name used for CPU and Memory Cloudwatch Alarms | `string` | `""` | no |
 | [container\_definitions](#input\_container\_definitions) | Container definitions provided as valid JSON document. Default uses golang:alpine running a simple hello world. | `string` | `""` | no |
 | [container\_image](#input\_container\_image) | The image of the container. | `string` | `"golang:alpine"` | no |
+| [ec2\_create\_task\_execution\_role](#input\_ec2\_create\_task\_execution\_role) | Set to true to create ecs task execution role to ECS EC2 Tasks. | `bool` | `false` | no |
 | [ecr\_repo\_arns](#input\_ecr\_repo\_arns) | The ARNs of the ECR repos. By default, allows all repositories. | `list(string)` |
[
"*"
]
| no |
 | [ecs\_cluster](#input\_ecs\_cluster) | ECS cluster object for this task. |
object({
arn = string
name = string
})
| n/a | yes |
 | [ecs\_instance\_role](#input\_ecs\_instance\_role) | The name of the ECS instance role. | `string` | `""` | no |
@@ -170,7 +171,6 @@ No modules.
 | [fargate\_platform\_version](#input\_fargate\_platform\_version) | The platform version on which to run your service. Only applicable when using Fargate launch type. | `string` | `"LATEST"` | no |
 | [fargate\_task\_cpu](#input\_fargate\_task\_cpu) | Number of cpu units used in initial task definition. Default is minimum. | `number` | `256` | no |
 | [fargate\_task\_memory](#input\_fargate\_task\_memory) | Amount (in MiB) of memory used in initial task definition. Default is minimum. | `number` | `512` | no |
-| [ec2\_create\_task\_execution\_role](#ec2\_create\_task\_execution\_role) | Set to true to create ecs task execution role to ECS EC2 Tasks. Default is false. | `bool` | `false` | no |
 | [health\_check\_grace\_period\_seconds](#input\_health\_check\_grace\_period\_seconds) | Grace period within which failed health checks will be ignored at container start. Only applies to services with an attached loadbalancer. | `number` | `null` | no |
 | [hello\_world\_container\_ports](#input\_hello\_world\_container\_ports) | List of ports for the hello world container app to listen on. The app currently supports listening on two ports. | `list(number)` |
[
8080,
8081
]
| no |
 | [kms\_key\_id](#input\_kms\_key\_id) | KMS customer managed key (CMK) ARN for encrypting application logs. | `string` | n/a | yes |
diff --git a/main.tf b/main.tf
index 047af8b..5dbc996 100644
--- a/main.tf
+++ b/main.tf
@@ -352,6 +352,9 @@ resource "aws_iam_role" "task_role" {
 }
 
 resource "aws_iam_role" "task_execution_role" {
+ # if using fargate, create aws_iam_role resource
+ # if not using fargate, check whether value of ec2_create_task_execution_role is True/False.
+ # if True, set to 1 creating the resource, if False, set to 0, not creating the resource
 count = var.ecs_use_fargate ? 1 : var.ec2_create_task_execution_role ? 1 : 0
 
 name = "ecs-task-execution-role-${var.name}-${var.environment}"
@@ -359,6 +362,9 @@ resource "aws_iam_role" "task_execution_role" {
 }
 
 resource "aws_iam_role_policy" "task_execution_role_policy" {
+ # if using fargate, create aws_iam_role_policy resource
+ # if not using fargate, check whether value of ec2_create_task_execution_role is True/False.
+ # if True, set to 1 creating the resource, if False, set to 0, not creating the resource
 count = var.ecs_use_fargate ? 1 : var.ec2_create_task_execution_role ? 1 : 0
 
 name = "${aws_iam_role.task_execution_role[0].name}-policy"
From 898d67a29cd3506251cfc864a426be892ce5b07c Mon Sep 17 00:00:00 2001 From: Avanti Joshi Date: Fri, 4 Jun 2021 11:25:06 -0400 Subject: [PATCH 3/3] modify explanation --- main.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/main.tf b/main.tf
index 5dbc996..c3fe5ee 100644
--- a/main.tf
+++ b/main.tf
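Review bot: The three comment lines added above `count` in both hunks restate the conditional token by token (`if True, set to 1 …`) instead of recording why the role exists for each launch type, and the reworded versions in PATCH 3/3 keep the same shape. A one-line why-comment is more durable: `# Execution role is always created for Fargate; EC2 tasks get one only when var.ec2_create_task_execution_role is set.`. On `task_execution_role_policy` the fact worth recording is the coupling rather than the arithmetic: `# count must match aws_iam_role.task_execution_role, which is referenced as [0] below.`.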
@@ -352,8 +352,8 @@ resource "aws_iam_role" "task_role" {
 }
 
 resource "aws_iam_role" "task_execution_role" {
- # if using fargate, create aws_iam_role resource
- # if not using fargate, check whether value of ec2_create_task_execution_role is True/False.
+ # if ecs_use_fargate is True, create aws_iam_role resource
+ # if ecs_use_fargate is False, check whether value of ec2_create_task_execution_role is True/False.
 # if True, set to 1 creating the resource, if False, set to 0, not creating the resource
 count = var.ecs_use_fargate ? 1 : var.ec2_create_task_execution_role ? 1 : 0
 
@@ -362,8 +362,8 @@ resource "aws_iam_role" "task_execution_role" {
 }
 
 resource "aws_iam_role_policy" "task_execution_role_policy" {
- # if using fargate, create aws_iam_role_policy resource
- # if not using fargate, check whether value of ec2_create_task_execution_role is True/False.
+ # if ecs_use_fargate is True, create aws_iam_role_policy resource
+ # if ecs_use_fargate is False, check whether value of ec2_create_task_execution_role is True/False.
 # if True, set to 1 creating the resource, if False, set to 0, not creating the resource
 count = var.ecs_use_fargate ? 1 : var.ec2_create_task_execution_role ? 1 : 0