Fixing policy creation for ecs (#55)

LeoDiazL · web-flow · commit a1b3ffde23fd · 2023-11-08T14:31:51.000-03:00
* Fixing policy creation for ecs

* Fixing role

* Fix index

* Shortening name
diff --git a/operations/deployment/terraform/aws/aws_variables.tf b/operations/deployment/terraform/aws/aws_variables.tf
@@ -965,7 +965,7 @@ variable "aws_ecs_task_name" {
 variable "aws_ecs_task_execution_role" {
   type        = string
   description = "Elastic Container Service task execution role name."
-  default     = "ecsTaskExecutionRole"
+  default     = ""
 }
 
 variable "aws_ecs_task_json_definition_file" {
diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf
@@ -31,7 +31,7 @@ resource "aws_ecs_task_definition" "ecs_task" {
   requires_compatibilities = [local.aws_ecs_task_type[count.index]]
   cpu                      = local.aws_ecs_task_cpu[count.index]
   memory                   = local.aws_ecs_task_mem[count.index]
-  execution_role_arn       = data.aws_iam_role.ecsTaskExecutionRole.arn
+  execution_role_arn       = local.ecsTaskExecutionRole
   container_definitions = sensitive(jsonencode([
     {
       "image": local.aws_ecs_app_image[count.index],
@@ -69,7 +69,7 @@ resource "aws_ecs_task_definition" "ecs_task_from_json" {
   requires_compatibilities = ["${local.aws_ecs_task_type[count.index +length(local.aws_ecs_app_image)]}"]
   cpu                      = local.aws_ecs_task_cpu[count.index+length(local.aws_ecs_app_image)]
   memory                   = local.aws_ecs_task_mem[count.index+length(local.aws_ecs_app_image)]
-  execution_role_arn       = data.aws_iam_role.ecsTaskExecutionRole.arn
+  execution_role_arn       = local.ecsTaskExecutionRole
   container_definitions    = sensitive(file("../../ansible/clone_repo/app/${var.app_repo_name}/${local.aws_ecs_task_json_definition_file[count.index]}"))
 }
 
@@ -111,7 +111,35 @@ resource "aws_cloudwatch_log_group" "ecs_cw_log_group" {
 }
 
 # IAM
-
 data "aws_iam_role" "ecsTaskExecutionRole" {
+  count = var.aws_ecs_task_execution_role != "" ? 1 : 0
   name = var.aws_ecs_task_execution_role
+}
+
+resource "aws_iam_role" "ecsTaskExecutionRole" {
+  count = var.aws_ecs_task_execution_role != "" ? 0 : 1
+  name  = "${var.aws_resource_identifier}-ecs"
+  assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "ecs-tasks.amazonaws.com"
+        },
+        "Action" : "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy_attachment" "ecsTaskExecutionRolePolicy" {
+  count = var.aws_ecs_task_execution_role != "" ? 0 : 1
+  name       = "AmazonECSTaskExecutionRolePolicyAttachment"
+  roles      = [aws_iam_role.ecsTaskExecutionRole[0].name]
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+locals {
+  ecsTaskExecutionRole = var.aws_ecs_task_execution_role != "" ? data.aws_iam_role.ecsTaskExecutionRole[0].arn : aws_iam_role.ecsTaskExecutionRole[0].arn
 }

Original file line number	Diff line number	Diff line change
`@@ -965,7 +965,7 @@ variable "aws_ecs_task_name" {`
`965`	`965`	`variable "aws_ecs_task_execution_role" {`
`966`	`966`	`type = string`
`967`	`967`	`description = "Elastic Container Service task execution role name."`
`968`		`- default = "ecsTaskExecutionRole"`
	`968`	`+ default = ""`
`969`	`969`	`}`
`970`	`970`
`971`	`971`	`variable "aws_ecs_task_json_definition_file" {`