Resolve issues related to task credentialsParameter (#5)

* Resolve issues related to task credentialsParameter * fix typo
umotif-public · May 4, 2020 · 4980912 · 4980912
1 parent ae159c8
commit 4980912
Show file tree

Hide file tree

Showing 6 changed files with 29 additions and 5 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -18,7 +18,7 @@ repos:
     args: ['--allow-missing-credentials']
   - id: trailing-whitespace
 - repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.29.0
+  rev: v1.30.0
   hooks:
   - id: terraform_fmt
   - id: terraform_docs

diff --git a/README.md b/README.md
@@ -10,7 +10,7 @@ Terraform 0.12. Pin module version to `~> v1.0`. Submit pull-requests to `master
 ```hcl
 module "ecs-task-definition" {
   source = "umotif-public/ecs-fargate-task-definition/aws"
-  version = "~> 1.1.0"
+  version = "~> 1.2.0"
 
   enabled              = true
   name_prefix          = "test-container"
@@ -58,6 +58,7 @@ No requirements.
 |------|-------------|------|---------|:--------:|
 | cloudwatch\_log\_group\_name | CloudWatch log group name required to enabled logDriver in container definitions for ecs task. | `string` | `""` | no |
 | container\_name | Optional name for the container to be used instead of name\_prefix. | `string` | `""` | no |
+| create\_repository\_credentials\_iam\_policy | Set to true if you are specifying `repository_credentials` variable, it will attach IAM policy with necessary permissions to task role. | `bool` | `false` | no |
 | docker\_volume\_configuration | (Optional) Used to configure a docker volume option "docker\_volume\_configuration". Full set of options can be found at https://www.terraform.io/docs/providers/aws/r/ecs_task_definition.html | `list` | `[]` | no |
 | enabled | Whether to create the resources. Set to `false` to prevent the module from creating any resources | `bool` | `true` | no |
 | name\_prefix | A prefix used for naming resources. | `string` | n/a | yes |

diff --git a/data.tf b/data.tf
@@ -26,16 +26,20 @@ data "aws_iam_policy_document" "task_permissions" {
 }
 
 data "aws_kms_key" "secretsmanager_key" {
+  count = var.create_repository_credentials_iam_policy && var.enabled ? 1 : 0
+
   key_id = var.repository_credentials_kms_key
 }
 
 data "aws_iam_policy_document" "read_repository_credentials" {
+  count = var.create_repository_credentials_iam_policy && var.enabled ? 1 : 0
+
   statement {
     effect = "Allow"
 
     resources = [
       var.repository_credentials,
-      data.aws_kms_key.secretsmanager_key.arn,
+      data.aws_kms_key.secretsmanager_key[0].arn,
     ]
 
     actions = [

diff --git a/examples/core/main.tf b/examples/core/main.tf
@@ -2,6 +2,17 @@ provider "aws" {
   region = "eu-west-1"
 }
 
+data "aws_kms_key" "secretsmanager_key" {
+  key_id = "alias/aws/secretsmanager"
+}
+
+
+resource "aws_secretsmanager_secret" "task_credentials" {
+  name = "task_repository_credentials"
+
+  kms_key_id = data.aws_kms_key.secretsmanager_key.arn
+}
+
 #####
 # task definition
 #####
@@ -25,5 +36,8 @@ module "ecs-task-definition" {
 
   cloudwatch_log_group_name = "/test-cloudwatch/log-group"
   task_container_command    = ["/bin/sh -c \"echo '<html> <head> <title>Amazon ECS Sample App</title> <style>body {margin-top: 40px; background-color: #333;} </style> </head><body> <div style=color:white;text-align:center> <h1>Amazon ECS Sample App</h1> <h2>Congratulations!</h2> <p>Your application is now running on a container in Amazon ECS.</p> </div></body></html>' > /usr/local/apache2/htdocs/index.html && httpd-foreground\""]
+
+  create_repository_credentials_iam_policy = true
+  repository_credentials                   = aws_secretsmanager_secret.task_credentials.arn # also set create_repository_credentials_iam_policy = true
 }
 
diff --git a/main.tf b/main.tf
@@ -18,11 +18,11 @@ resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy_attach
 }
 
 resource "aws_iam_role_policy" "read_repository_credentials" {
-  count = length(var.repository_credentials) != 0 && var.enabled ? 1 : 0
+  count = var.create_repository_credentials_iam_policy && var.enabled ? 1 : 0
 
   name   = "${var.name_prefix}-read-repository-credentials"
   role   = aws_iam_role.execution[0].id
-  policy = data.aws_iam_policy_document.read_repository_credentials.json
+  policy = data.aws_iam_policy_document.read_repository_credentials[0].json
 }
 
 #####

diff --git a/variables.tf b/variables.tf
@@ -105,6 +105,11 @@ variable "repository_credentials_kms_key" {
   type        = string
 }
 
+variable "create_repository_credentials_iam_policy" {
+  default     = false
+  description = "Set to true if you are specifying `repository_credentials` variable, it will attach IAM policy with necessary permissions to task role."
+}
+
 variable "placement_constraints" {
   type        = list
   description = "(Optional) A set of placement constraints rules that are taken into consideration during task placement. Maximum number of placement_constraints is 10. This is a list of maps, where each map should contain \"type\" and \"expression\""