feat: add ability to specify existing IAM role for ECS task execution #128
Conversation
|
Hello @antonbabenko, can you provide feedback on this PR? Wondering if there is any chance of getting this and my other PR (#127) merged or is it not in line with your goals for this project? |
|
Hi @druchoo ! This PR and another looks pretty good, but I will be able to process them at the end of August. |
|
@antonbabenko completely understand that you're busy. Would it be possible to add additional maintainers for this terraform module? This way the module can be continuously maintained without putting pressure on you. |
|
@bryantbiggs Could you please take a look at this PR? @nitrocode I was on vacation, but since June there are several of us ( @terraform-aws-modules/triage-supporters ) who can do code reviews and close issues. |
|
@antonbabenko yes I can take a look this week. @druchoo would you mind updating your branch with master please? |
|
@bryantbiggs can you advise on how to fix the semantic check? |
|
@druchoo I think it wants the |
druchoo
changed the title
druchoo
force-pushed
the
feature/ecs_task_execution_iam_role_arn
branch
from
53446c1 to
26b74c0
Compare
druchoo
force-pushed
the
feature/ecs_task_execution_iam_role_arn
branch
from
26b74c0 to
9bba610
Compare
|
@bryantbiggs, Should be good now. I was failing with trying to fix the merge and ended up force-pushing. |
|
|
||
| role = aws_iam_role.ecs_task_execution.id | ||
| role = aws_iam_role.ecs_task_execution.0.id |
There was a problem hiding this comment.
| role = aws_iam_role.ecs_task_execution.0.id | |
| role = aws_iam_role.ecs_task_execution[0].id |
| name = "${var.name}-ecs_task_execution" | ||
| assume_role_policy = data.aws_iam_policy_document.ecs_tasks.json | ||
| assume_role_policy = data.aws_iam_policy_document.ecs_tasks.0.json |
There was a problem hiding this comment.
| assume_role_policy = data.aws_iam_policy_document.ecs_tasks.0.json | |
| assume_role_policy = data.aws_iam_policy_document.ecs_tasks[0].json |
| @@ -14,6 +14,9 @@ locals { | |||
| )}" | |||
| atlantis_url_events = "${local.atlantis_url}/events" | |||
|
|
|||
| # IAM | |||
| ecs_task_execution_iam_role_arn = var.ecs_task_execution_iam_role_arn != "" ? var.ecs_task_execution_iam_role_arn : aws_iam_role.ecs_task_execution.0.id | |||
There was a problem hiding this comment.
| ecs_task_execution_iam_role_arn = var.ecs_task_execution_iam_role_arn != "" ? var.ecs_task_execution_iam_role_arn : aws_iam_role.ecs_task_execution.0.id | |
| ecs_task_execution_iam_role_arn = var.ecs_task_execution_iam_role_arn != "" ? var.ecs_task_execution_iam_role_arn : aws_iam_role.ecs_task_execution[0].id |
| @@ -403,7 +412,7 @@ data "aws_iam_policy_document" "ecs_task_access_secrets" { | |||
| data "aws_iam_policy_document" "ecs_task_access_secrets_with_kms" { | |||
| count = var.ssm_kms_key_arn == "" ? 0 : 1 | |||
|
|
|||
| source_json = data.aws_iam_policy_document.ecs_task_access_secrets.json | |||
| source_json = data.aws_iam_policy_document.ecs_task_access_secrets.0.json | |||
There was a problem hiding this comment.
| source_json = data.aws_iam_policy_document.ecs_task_access_secrets.0.json | |
| source_json = data.aws_iam_policy_document.ecs_task_access_secrets[0].json |
|
|
||
| name = "ECSTaskAccessSecretsPolicy" | ||
|
|
||
| role = aws_iam_role.ecs_task_execution.id | ||
| role = aws_iam_role.ecs_task_execution.0.id |
There was a problem hiding this comment.
| role = aws_iam_role.ecs_task_execution.0.id | |
| role = aws_iam_role.ecs_task_execution[0].id |
| @@ -22,7 +22,7 @@ output "webhook_secret" { | |||
| # ECS | |||
| output "task_role_arn" { | |||
| description = "The Atlantis ECS task role arn" | |||
| value = aws_iam_role.ecs_task_execution.arn | |||
| value = local.ecs_task_execution_iam_role_arn | |||
| } | |||
|
|
|||
| output "task_role_id" { | |||
There was a problem hiding this comment.
the role outputs will all need to be updated to follow the [0].x access pattern.
| @@ -365,6 +365,10 @@ variable "firelens_configuration" { | |||
| options = map(string) | |||
| }) | |||
| default = null | |||
| variable "ecs_task_execution_iam_role_arn" { | |||
There was a problem hiding this comment.
you're missing a closing } above.
lets ask the user for the existing role name (rather than the ARN) and then add the following:
data "aws_iam_role" "existing" {
count = var.ecs_task_role_name != "" ? 1 : 0
name = var.ecs_task_role_name
}then with our outputs we should be able to do something like:
output "task_role_id" {
description = "The Atlantis ECS task role id"
value = var.ecs_task_role_name == "" ? aws_iam_role.ecs_task_execution[0].id : data.aws_iam_role.existing[0].id
}while also still getting access to the ARN to use. note - you'll need to update the locals variable for this.
|
hey @druchoo I left some comments - please feel free to use the |
|
@bryantbiggs, ok cool. thanks for reviewing. I don't think I'll be able to update and test for a few days though unfortunately. |
|
@druchoo no worries - I have an idea I might put up in a PR tonight that will help solve this and some of the other issues around using existing resources. we can circle back to this when you get time |
|
This PR has been automatically marked as stale because it has been open 30 days |
|
This PR was automatically closed because of stale in 10 days |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Description
Add ability to specify existing IAM role for ECS task execution.
Motivation and Context
Allow module to be used in scenarios where IAM roles cannot be created or already exist.
Breaking Changes
No.
How Has This Been Tested?