Allow Task and Execution roles as inputs #38

Merged
merged 2 commits into from
May 11, 2023
5 changes: 4 additions & 1 deletion .gitignore
Expand Up @@ -233,6 +233,9 @@ Temporary Items
# Local .terraform directories
**/.terraform/*

# Terraform lock file
.terraform.lock.hcl

# .tfstate files
*.tfstate
*.tfstate.*
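Review bot: adding `.terraform.lock.hcl` under `# Terraform lock file` removes the provider dependency lock from version control, which together with `--args=--lockfile=false` for terraform_docs and the 21-line deletion in `examples/test/.terraform.lock.hcl` means provider versions and their checksums are re-resolved on every `terraform init` instead of being pinned. For the module itself that is the usual choice, but `examples/test` is a root module, and a committed lock file there is what lets `init` verify provider hashes against a known-good set; consider keeping that one (a `!examples/test/.terraform.lock.hcl` negation) or state the trade-off in the README.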
Expand Down Expand Up @@ -646,4 +649,4 @@ healthchecksdb
# Backup folder for Package Reference Convert tool in Visual Studio 2017
MigrationBackup/

# End of https://www.gitignore.io/api/linux,macos,windows,terraform,jetbrains,visualstudio,jetbrains+iml,jetbrains+all,visualstudiocode
# End of https://www.gitignore.io/api/linux,macos,windows,terraform,jetbrains,visualstudio,jetbrains+iml,jetbrains+all,visualstudiocode
18 changes: 16 additions & 2 deletions .pre-commit-config.yaml
@@ -1,7 +1,21 @@
fail_fast: true

repos:
- repo: https:/antonbabenko/pre-commit-terraform
rev: v1.71.0
rev: v1.77.1 # Get the latest from: https:/antonbabenko/pre-commit-terraform/releases
hooks:
- id: terraform_docs
- id: terraform_fmt
- id: terraform_docs
args: ["--args=--lockfile=false"]
- id: terraform_validate
- repo: https:/pre-commit/pre-commit-hooks
rev: v4.4.0 # Get the latest from: https:/pre-commit/pre-commit-hooks/releases
hooks:
- id: check-merge-conflict
- id: end-of-file-fixer
- id: trailing-whitespace
- id: check-added-large-files
- id: check-case-conflict
- id: detect-private-key
- id: check-yaml
files: ^(.github/workflows).*$
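Review bot: `check-yaml` is narrowed with `files: ^(.github/workflows).*$`, so `.pre-commit-config.yaml` itself and any other YAML in the repository are not validated; unless some YAML here is non-standard, drop the `files:` filter. Also confirm that `terraform_validate`, which runs `terraform init` under the hood, still succeeds now that `examples/test` no longer ships a lock file, since only `terraform_docs` received the `--lockfile=false` argument. `detect-private-key` and `check-added-large-files` are sensible additions for a module repository.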
4 changes: 2 additions & 2 deletions CODE_OF_CONDUCT.md
Expand Up @@ -65,7 +65,7 @@ Additionally, community organizers are available to help community members engag

## 8. Addressing Grievances

If you feel you have been falsely or unfairly accused of violating this Code of Conduct, you should notify CN Services with a concise description of your grievance. Your grievance will be handled in accordance with our existing governing policies.
If you feel you have been falsely or unfairly accused of violating this Code of Conduct, you should notify CN Services with a concise description of your grievance. Your grievance will be handled in accordance with our existing governing policies.



Expand All @@ -81,7 +81,7 @@ [email protected]

## 11. License and attribution

The Citizen Code of Conduct is distributed by [Stumptown Syndicate](http://stumptownsyndicate.org) under a [Creative Commons Attribution-ShareAlike license](http://creativecommons.org/licenses/by-sa/3.0/).
The Citizen Code of Conduct is distributed by [Stumptown Syndicate](http://stumptownsyndicate.org) under a [Creative Commons Attribution-ShareAlike license](http://creativecommons.org/licenses/by-sa/3.0/).

Portions of text derived from the [Django Code of Conduct](https://www.djangoproject.com/conduct/) and the [Geek Feminism Anti-Harassment Policy](http://geekfeminism.wikia.com/wiki/Conference_anti-harassment/Policy).

13 changes: 7 additions & 6 deletions README.md
Expand Up @@ -21,8 +21,8 @@ Pleas run this command right after cloning the repository.

pre-commit install

For that you may need to install the folowwing tools:
* [Pre-commit](https://pre-commit.com/)
For that you may need to install the following tools:
* [Pre-commit](https://pre-commit.com/)
* [Terraform Docs](https://terraform-docs.io/)

In order to run all checks at any point run the following command:
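Review bot: the fix of `folowwing` to `following` leaves `Pleas run this command` in the hunk's header context line uncorrected; fix both typos in the same pass.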
Expand All @@ -35,19 +35,19 @@ In order to run all checks at any point run the following command:
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.0.0 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_container_definition"></a> [container\_definition](#module\_container\_definition) | cloudposse/ecs-container-definition/aws | 0.58.1 |
| <a name="module_container_definition"></a> [container\_definition](#module\_container\_definition) | cloudposse/ecs-container-definition/aws | 0.58.2 |

## Resources

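Review bot: the bump of `cloudposse/ecs-container-definition/aws` from 0.58.1 to 0.58.2 in the Modules table is a dependency update unrelated to the task and execution role inputs the PR title describes; mention it in the PR description (or split it into its own commit) so the release notes record the third-party module change.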
Expand Down Expand Up @@ -83,6 +83,7 @@ In order to run all checks at any point run the following command:
| <a name="input_environment_files"></a> [environment\_files](#input\_environment\_files) | One or more files containing the environment variables to pass to the container. This maps to the --env-file option to docker run. The file must be hosted in Amazon S3. This option is only available to tasks using the EC2 launch type. This is a list of maps | <pre>list(object({<br> value = string<br> type = string<br> }))</pre> | `[]` | no |
| <a name="input_ephemeral_storage_size"></a> [ephemeral\_storage\_size](#input\_ephemeral\_storage\_size) | The number of GBs to provision for ephemeral storage on Fargate tasks. Must be greater than or equal to 21 and less than or equal to 200 | `number` | `0` | no |
| <a name="input_essential"></a> [essential](#input\_essential) | Determines whether all other containers in a task are stopped, if this container fails or stops for any reason. Due to how Terraform type casts booleans in json it is required to double quote this value | `bool` | `true` | no |
| <a name="input_execution_role_arn"></a> [execution\_role\_arn](#input\_execution\_role\_arn) | (Optional) The ARN of IAM role that grants permissions to start the containers defined in a task (e.g populate environment variables from AWS Secrets Manager). If not specified, `aws_iam_role.ecs_task_execution_role.arn` is used | `string` | `null` | no |
| <a name="input_extra_hosts"></a> [extra\_hosts](#input\_extra\_hosts) | A list of hostnames and IP address mappings to append to the /etc/hosts file on the container. This is a list of maps | <pre>list(object({<br> ipAddress = string<br> hostname = string<br> }))</pre> | `null` | no |
| <a name="input_firelens_configuration"></a> [firelens\_configuration](#input\_firelens\_configuration) | The FireLens configuration for the container. This is used to specify and configure a log router for container logs. For more details, see https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_FirelensConfiguration.html | <pre>object({<br> type = string<br> options = map(string)<br> })</pre> | `null` | no |
| <a name="input_healthcheck"></a> [healthcheck](#input\_healthcheck) | (Optional) A map containing command (string), timeout, interval (duration in seconds), retries (1-10, number of times to retry before marking container unhealthy), and startPeriod (0-300, optional grace period to wait, in seconds, before failed healthchecks count toward retries) | <pre>object({<br> command = list(string)<br> retries = number<br> timeout = number<br> interval = number<br> startPeriod = number<br> })</pre> | `null` | no |
Expand Down Expand Up @@ -115,7 +116,7 @@ In order to run all checks at any point run the following command:
| <a name="input_stop_timeout"></a> [stop\_timeout](#input\_stop\_timeout) | Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own | `number` | `null` | no |
| <a name="input_system_controls"></a> [system\_controls](#input\_system\_controls) | A list of namespaced kernel parameters to set in the container, mapping to the --sysctl option to docker run. This is a list of maps: { namespace = "", value = ""} | `list(map(string))` | `[]` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Resource tags | `map(string)` | `{}` | no |
| <a name="input_task_role_arn"></a> [task\_role\_arn](#input\_task\_role\_arn) | (Optional) The ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services. If not specified, `aws_iam_role.ecs_task_execution_role.arn` is used | `string` | `null` | no |
| <a name="input_task_role_arn"></a> [task\_role\_arn](#input\_task\_role\_arn) | (Optional) The ARN of IAM role that grants permissions to the actual application once the container is started (e.g access an S3 bucket or DynamoDB database). If not specified, `aws_iam_role.ecs_task_execution_role.arn` is used | `string` | `null` | no |
| <a name="input_ulimits"></a> [ulimits](#input\_ulimits) | Container ulimit settings. This is a list of maps, where each map should contain "name", "hardLimit" and "softLimit" | <pre>list(object({<br> name = string<br> hardLimit = number<br> softLimit = number<br> }))</pre> | `null` | no |
| <a name="input_user"></a> [user](#input\_user) | The user to run as inside the container. Can be any of these formats: user, user:group, uid, uid:gid, user:gid, uid:group. The default (null) will use the container's configured `USER` directive or root if not set. | `string` | `null` | no |
| <a name="input_volumes"></a> [volumes](#input\_volumes) | (Optional) A set of volume blocks that containers in your task may use | <pre>list(object({<br> host_path = string<br> name = string<br> docker_volume_configuration = list(object({<br> autoprovision = bool<br> driver = string<br> driver_opts = map(string)<br> labels = map(string)<br> scope = string<br> }))<br> efs_volume_configuration = list(object({<br> file_system_id = string<br> root_directory = string<br> transit_encryption = string<br> transit_encryption_port = string<br> authorization_config = list(object({<br> access_point_id = string<br> iam = string<br> }))<br> }))<br> }))</pre> | `[]` | no |
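Review bot: the rewritten `task_role_arn` description (the line starting `| <a name="input_task_role_arn">`) still tells callers that the execution role is used when no task role is given; that fallback hands the running application AmazonECSTaskExecutionRolePolicy plus every policy in `ecs_task_execution_role_custom_policies`, which is broader than an application normally needs. Since the new wording explains the difference between the two roles well, add a sentence recommending a dedicated, minimal task role and presenting the fallback as a convenience for quick tests only.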
22 changes: 1 addition & 21 deletions examples/test/.terraform.lock.hcl


14 changes: 8 additions & 6 deletions main.tf
Expand Up @@ -2,28 +2,30 @@
# AWS ECS Task Execution Role
#------------------------------------------------------------------------------
resource "aws_iam_role" "ecs_task_execution_role" {
count = var.execution_role_arn == null ? 1 : 0
name = "${var.name_prefix}-ecs-task-execution-role"
assume_role_policy = file("${path.module}/files/iam/ecs_task_execution_iam_role.json")
permissions_boundary = var.permissions_boundary
tags = var.tags
}

resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy_attach" {
role = aws_iam_role.ecs_task_execution_role.name
count = var.execution_role_arn == null ? 1 : 0
role = aws_iam_role.ecs_task_execution_role[0].name
policy_arn = "arn:${var.iam_partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

resource "aws_iam_policy" "ecs_task_execution_role_custom_policy" {
count = length(var.ecs_task_execution_role_custom_policies)
count = var.execution_role_arn == null ? length(var.ecs_task_execution_role_custom_policies) : 0
name = "${var.name_prefix}-ecs-task-execution-role-custom-policy-${count.index}"
description = "A custom policy for ${var.name_prefix}-ecs-task-execution-role IAM Role"
policy = var.ecs_task_execution_role_custom_policies[count.index]
tags = var.tags
}

resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_custom_policy" {
count = length(var.ecs_task_execution_role_custom_policies)
role = aws_iam_role.ecs_task_execution_role.name
count = var.execution_role_arn == null ? length(var.ecs_task_execution_role_custom_policies) : 0
role = aws_iam_role.ecs_task_execution_role[0].name
policy_arn = aws_iam_policy.ecs_task_execution_role_custom_policy[count.index].arn
}

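Review bot: adding `count` to `aws_iam_role.ecs_task_execution_role` and its three attachments changes their state addresses from `aws_iam_role.ecs_task_execution_role` to `aws_iam_role.ecs_task_execution_role[0]`, so existing users upgrading to this version will see the execution role and its policy attachments planned as a destroy plus a create unless they run `terraform state mv` first. Document that in the release notes, or add `moved` blocks (Terraform 1.1+; versions.tf only requires >= 0.13, so the floor would need raising). Also, `var.execution_role_arn == null ? ... : 0` is repeated four times; a single `locals { create_execution_role = var.execution_role_arn == null }` keeps the gating in one place.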
Expand Down Expand Up @@ -85,7 +87,8 @@ resource "aws_ecs_task_definition" "td" {
family = var.name_prefix

cpu = var.container_cpu
execution_role_arn = aws_iam_role.ecs_task_execution_role.arn
task_role_arn = var.task_role_arn == null ? aws_iam_role.ecs_task_execution_role[0].arn : var.task_role_arn
execution_role_arn = var.execution_role_arn == null ? aws_iam_role.ecs_task_execution_role[0].arn : var.execution_role_arn
ipc_mode = var.ipc_mode
memory = var.container_memory
network_mode = "awsvpc" # awsvpc required for Fargate tasks
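Review bot: the fallback on `task_role_arn = var.task_role_arn == null ? aws_iam_role.ecs_task_execution_role[0].arn : var.task_role_arn` fails when a caller sets `execution_role_arn` but leaves `task_role_arn` unset: the role resource then has `count = 0`, the selected branch indexes an empty list, and the plan errors with an invalid index. Either fall back to the supplied execution role in that case, for example `task_role_arn = var.task_role_arn != null ? var.task_role_arn : try(aws_iam_role.ecs_task_execution_role[0].arn, var.execution_role_arn)`, or document that both ARNs must be supplied together.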
Expand Down Expand Up @@ -123,7 +126,6 @@ resource "aws_ecs_task_definition" "td" {

requires_compatibilities = ["FARGATE"]
skip_destroy = var.skip_destroy
task_role_arn = var.task_role_arn == null ? aws_iam_role.ecs_task_execution_role.arn : var.task_role_arn

dynamic "volume" {
for_each = var.volumes
17 changes: 11 additions & 6 deletions outputs.tf
Expand Up @@ -3,27 +3,32 @@
#------------------------------------------------------------------------------
output "aws_iam_role_ecs_task_execution_role_arn" {
description = "The Amazon Resource Name (ARN) specifying the role."
value = aws_iam_role.ecs_task_execution_role.arn
value = var.execution_role_arn == null ? aws_iam_role.ecs_task_execution_role[0].arn : var.execution_role_arn
}

output "aws_iam_role_ecs_task_execution_role_create_date" {
description = "The creation date of the IAM role."
value = aws_iam_role.ecs_task_execution_role.create_date
value = var.execution_role_arn == null ? aws_iam_role.ecs_task_execution_role[0].create_date : null
}

output "aws_iam_role_ecs_task_execution_role_description" {
description = "The description of the role."
value = aws_iam_role.ecs_task_execution_role.description
value = var.execution_role_arn == null ? aws_iam_role.ecs_task_execution_role[0].description : null
}

output "aws_iam_role_ecs_task_execution_role_id" {
description = "The ID of the role."
value = aws_iam_role.ecs_task_execution_role.id
value = var.execution_role_arn == null ? aws_iam_role.ecs_task_execution_role[0].id : null
}

output "aws_iam_role_ecs_task_execution_role_name" {
description = "The name of the role."
value = aws_iam_role.ecs_task_execution_role.name
value = var.execution_role_arn == null ? aws_iam_role.ecs_task_execution_role[0].name : null
}

output "aws_iam_role_ecs_task_execution_role_unique_id" {
description = "The stable and unique string identifying the role."
value = aws_iam_role.ecs_task_execution_role.unique_id
value = var.execution_role_arn == null ? aws_iam_role.ecs_task_execution_role[0].unique_id : null
}

#------------------------------------------------------------------------------
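Review bot: `aws_iam_role_ecs_task_execution_role_arn` returns the caller-supplied ARN when `execution_role_arn` is set, while the sibling outputs (`create_date`, `description`, `id`, `name`, `unique_id`) return `null`; a consumer that previously wired `..._name` into a policy attachment now gets null silently. Either state in each affected description that the value is null when an external execution role is supplied, or resolve the external role (its name is the last path segment of the ARN) with a `data "aws_iam_role"` lookup so every output stays populated.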
8 changes: 7 additions & 1 deletion variables.tf
Expand Up @@ -433,7 +433,13 @@ variable "skip_destroy" {
}

variable "task_role_arn" {
description = "(Optional) The ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services. If not specified, `aws_iam_role.ecs_task_execution_role.arn` is used"
description = "(Optional) The ARN of IAM role that grants permissions to the actual application once the container is started (e.g access an S3 bucket or DynamoDB database). If not specified, `aws_iam_role.ecs_task_execution_role.arn` is used"
type = string
default = null
}

variable "execution_role_arn" {
description = "(Optional) The ARN of IAM role that grants permissions to start the containers defined in a task (e.g populate environment variables from AWS Secrets Manager). If not specified, `aws_iam_role.ecs_task_execution_role.arn` is used"
type = string
default = null
}
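Review bot: both descriptions still name `aws_iam_role.ecs_task_execution_role.arn` as the fallback, but the resource is now indexed, so the accurate reference is `aws_iam_role.ecs_task_execution_role[0].arn`; `e.g` should read `e.g.` in both (the README table is generated from these strings by terraform_docs, so fixing them here fixes it there). Since a malformed ARN only fails at apply time inside the ECS API, consider a `validation` block on each variable (available from Terraform 0.13, which versions.tf already requires), for example `condition = var.execution_role_arn == null || can(regex("^arn:[^:]+:iam::[0-9]{12}:role/", var.execution_role_arn))`.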
2 changes: 1 addition & 1 deletion versions.tf
Expand Up @@ -3,7 +3,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4"
version = ">= 4.0.0"
}
}
}