Allow Task and Execution roles as inputs (#38)

* feat: Allow Task and Execution roles as inputs

* fix: Error: Inconsistent conditional result types

Author: amontalban

.gitignore

@@ -233,6 +233,9 @@ Temporary Items
 # Local .terraform directories
 **/.terraform/*
 
+# Terraform lock file
+.terraform.lock.hcl
+
 # .tfstate files
 *.tfstate
 *.tfstate.*
@@ -646,4 +649,4 @@ healthchecksdb
 # Backup folder for Package Reference Convert tool in Visual Studio 2017
 MigrationBackup/
 
-# End of https://www.gitignore.io/api/linux,macos,windows,terraform,jetbrains,visualstudio,jetbrains+iml,jetbrains+all,visualstudiocode
+# End of https://www.gitignore.io/api/linux,macos,windows,terraform,jetbrains,visualstudio,jetbrains+iml,jetbrains+all,visualstudiocode

.pre-commit-config.yaml

@@ -1,7 +1,21 @@
+fail_fast: true
+
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.71.0
+    rev: v1.77.1 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
     hooks:
-      - id: terraform_docs
       - id: terraform_fmt
+      - id: terraform_docs
+        args: ["--args=--lockfile=false"]
       - id: terraform_validate
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
+    hooks:
+      - id: check-merge-conflict
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: check-added-large-files
+      - id: check-case-conflict
+      - id: detect-private-key
+      - id: check-yaml
+        files: ^(.github/workflows).*$

CODE_OF_CONDUCT.md

@@ -65,7 +65,7 @@ Additionally, community organizers are available to help community members engag
 
 ## 8. Addressing Grievances
 
-If you feel you have been falsely or unfairly accused of violating this Code of Conduct, you should notify CN Services with a concise description of your grievance. Your grievance will be handled in accordance with our existing governing policies. 
+If you feel you have been falsely or unfairly accused of violating this Code of Conduct, you should notify CN Services with a concise description of your grievance. Your grievance will be handled in accordance with our existing governing policies.
 
 
 
@@ -81,7 +81,7 @@ [email protected]
 
 ## 11. License and attribution
 
-The Citizen Code of Conduct is distributed by [Stumptown Syndicate](http://stumptownsyndicate.org) under a [Creative Commons Attribution-ShareAlike license](http://creativecommons.org/licenses/by-sa/3.0/). 
+The Citizen Code of Conduct is distributed by [Stumptown Syndicate](http://stumptownsyndicate.org) under a [Creative Commons Attribution-ShareAlike license](http://creativecommons.org/licenses/by-sa/3.0/).
 
 Portions of text derived from the [Django Code of Conduct](https://www.djangoproject.com/conduct/) and the [Geek Feminism Anti-Harassment Policy](http://geekfeminism.wikia.com/wiki/Conference_anti-harassment/Policy).
 

README.md

@@ -21,8 +21,8 @@ Pleas run this command right after cloning the repository.
 
         pre-commit install
 
-For that you may need to install the folowwing tools:
-* [Pre-commit](https://pre-commit.com/) 
+For that you may need to install the following tools:
+* [Pre-commit](https://pre-commit.com/)
 * [Terraform Docs](https://terraform-docs.io/)
 
 In order to run all checks at any point run the following command:
@@ -35,19 +35,19 @@ In order to run all checks at any point run the following command:
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.0.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_container_definition"></a> [container\_definition](#module\_container\_definition) | cloudposse/ecs-container-definition/aws | 0.58.1 |
+| <a name="module_container_definition"></a> [container\_definition](#module\_container\_definition) | cloudposse/ecs-container-definition/aws | 0.58.2 |
 
 ## Resources
 
@@ -83,6 +83,7 @@ In order to run all checks at any point run the following command:
 | <a name="input_environment_files"></a> [environment\_files](#input\_environment\_files) | One or more files containing the environment variables to pass to the container. This maps to the --env-file option to docker run. The file must be hosted in Amazon S3. This option is only available to tasks using the EC2 launch type. This is a list of maps | <pre>list(object({<br>    value = string<br>    type  = string<br>  }))</pre> | `[]` | no |
 | <a name="input_ephemeral_storage_size"></a> [ephemeral\_storage\_size](#input\_ephemeral\_storage\_size) | The number of GBs to provision for ephemeral storage on Fargate tasks. Must be greater than or equal to 21 and less than or equal to 200 | `number` | `0` | no |
 | <a name="input_essential"></a> [essential](#input\_essential) | Determines whether all other containers in a task are stopped, if this container fails or stops for any reason. Due to how Terraform type casts booleans in json it is required to double quote this value | `bool` | `true` | no |
+| <a name="input_execution_role_arn"></a> [execution\_role\_arn](#input\_execution\_role\_arn) | (Optional) The ARN of IAM role that grants permissions to start the containers defined in a task (e.g populate environment variables from AWS Secrets Manager). If not specified, `aws_iam_role.ecs_task_execution_role.arn` is used | `string` | `null` | no |
 | <a name="input_extra_hosts"></a> [extra\_hosts](#input\_extra\_hosts) | A list of hostnames and IP address mappings to append to the /etc/hosts file on the container. This is a list of maps | <pre>list(object({<br>    ipAddress = string<br>    hostname  = string<br>  }))</pre> | `null` | no |
 | <a name="input_firelens_configuration"></a> [firelens\_configuration](#input\_firelens\_configuration) | The FireLens configuration for the container. This is used to specify and configure a log router for container logs. For more details, see https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_FirelensConfiguration.html | <pre>object({<br>    type    = string<br>    options = map(string)<br>  })</pre> | `null` | no |
 | <a name="input_healthcheck"></a> [healthcheck](#input\_healthcheck) | (Optional) A map containing command (string), timeout, interval (duration in seconds), retries (1-10, number of times to retry before marking container unhealthy), and startPeriod (0-300, optional grace period to wait, in seconds, before failed healthchecks count toward retries) | <pre>object({<br>    command     = list(string)<br>    retries     = number<br>    timeout     = number<br>    interval    = number<br>    startPeriod = number<br>  })</pre> | `null` | no |
@@ -115,7 +116,7 @@ In order to run all checks at any point run the following command:
 | <a name="input_stop_timeout"></a> [stop\_timeout](#input\_stop\_timeout) | Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own | `number` | `null` | no |
 | <a name="input_system_controls"></a> [system\_controls](#input\_system\_controls) | A list of namespaced kernel parameters to set in the container, mapping to the --sysctl option to docker run. This is a list of maps: { namespace = "", value = ""} | `list(map(string))` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Resource tags | `map(string)` | `{}` | no |
-| <a name="input_task_role_arn"></a> [task\_role\_arn](#input\_task\_role\_arn) | (Optional) The ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services. If not specified, `aws_iam_role.ecs_task_execution_role.arn` is used | `string` | `null` | no |
+| <a name="input_task_role_arn"></a> [task\_role\_arn](#input\_task\_role\_arn) | (Optional) The ARN of IAM role that grants permissions to the actual application once the container is started (e.g access an S3 bucket or DynamoDB database). If not specified, `aws_iam_role.ecs_task_execution_role.arn` is used | `string` | `null` | no |
 | <a name="input_ulimits"></a> [ulimits](#input\_ulimits) | Container ulimit settings. This is a list of maps, where each map should contain "name", "hardLimit" and "softLimit" | <pre>list(object({<br>    name      = string<br>    hardLimit = number<br>    softLimit = number<br>  }))</pre> | `null` | no |
 | <a name="input_user"></a> [user](#input\_user) | The user to run as inside the container. Can be any of these formats: user, user:group, uid, uid:gid, user:gid, uid:group. The default (null) will use the container's configured `USER` directive or root if not set. | `string` | `null` | no |
 | <a name="input_volumes"></a> [volumes](#input\_volumes) | (Optional) A set of volume blocks that containers in your task may use | <pre>list(object({<br>    host_path = string<br>    name      = string<br>    docker_volume_configuration = list(object({<br>      autoprovision = bool<br>      driver        = string<br>      driver_opts   = map(string)<br>      labels        = map(string)<br>      scope         = string<br>    }))<br>    efs_volume_configuration = list(object({<br>      file_system_id          = string<br>      root_directory          = string<br>      transit_encryption      = string<br>      transit_encryption_port = string<br>      authorization_config = list(object({<br>        access_point_id = string<br>        iam             = string<br>      }))<br>    }))<br>  }))</pre> | `[]` | no |

examples/test/.terraform.lock.hcl

@@ -2,28 +2,30 @@
 # AWS ECS Task Execution Role
 #------------------------------------------------------------------------------
 resource "aws_iam_role" "ecs_task_execution_role" {
+  count                = var.execution_role_arn == null ? 1 : 0
   name                 = "${var.name_prefix}-ecs-task-execution-role"
   assume_role_policy   = file("${path.module}/files/iam/ecs_task_execution_iam_role.json")
   permissions_boundary = var.permissions_boundary
   tags                 = var.tags
 }
 
 resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy_attach" {
-  role       = aws_iam_role.ecs_task_execution_role.name
+  count      = var.execution_role_arn == null ? 1 : 0
+  role       = aws_iam_role.ecs_task_execution_role[0].name
   policy_arn = "arn:${var.iam_partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
 
 resource "aws_iam_policy" "ecs_task_execution_role_custom_policy" {
-  count       = length(var.ecs_task_execution_role_custom_policies)
+  count       = var.execution_role_arn == null ? length(var.ecs_task_execution_role_custom_policies) : 0
   name        = "${var.name_prefix}-ecs-task-execution-role-custom-policy-${count.index}"
   description = "A custom policy for ${var.name_prefix}-ecs-task-execution-role IAM Role"
   policy      = var.ecs_task_execution_role_custom_policies[count.index]
   tags        = var.tags
 }
 
 resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_custom_policy" {
-  count      = length(var.ecs_task_execution_role_custom_policies)
-  role       = aws_iam_role.ecs_task_execution_role.name
+  count      = var.execution_role_arn == null ? length(var.ecs_task_execution_role_custom_policies) : 0
+  role       = aws_iam_role.ecs_task_execution_role[0].name
   policy_arn = aws_iam_policy.ecs_task_execution_role_custom_policy[count.index].arn
 }
 
@@ -85,7 +87,8 @@ resource "aws_ecs_task_definition" "td" {
   family                = var.name_prefix
 
   cpu                = var.container_cpu
-  execution_role_arn = aws_iam_role.ecs_task_execution_role.arn
+  task_role_arn      = var.task_role_arn == null ? aws_iam_role.ecs_task_execution_role[0].arn : var.task_role_arn
+  execution_role_arn = var.execution_role_arn == null ? aws_iam_role.ecs_task_execution_role[0].arn : var.execution_role_arn
   ipc_mode           = var.ipc_mode
   memory             = var.container_memory
   network_mode       = "awsvpc" # awsvpc required for Fargate tasks
@@ -123,7 +126,6 @@ resource "aws_ecs_task_definition" "td" {
 
   requires_compatibilities = ["FARGATE"]
   skip_destroy             = var.skip_destroy
-  task_role_arn            = var.task_role_arn == null ? aws_iam_role.ecs_task_execution_role.arn : var.task_role_arn
 
   dynamic "volume" {
     for_each = var.volumes

main.tf

@@ -3,27 +3,32 @@
 #------------------------------------------------------------------------------
 output "aws_iam_role_ecs_task_execution_role_arn" {
   description = "The Amazon Resource Name (ARN) specifying the role."
-  value       = aws_iam_role.ecs_task_execution_role.arn
+  value       = var.execution_role_arn == null ? aws_iam_role.ecs_task_execution_role[0].arn : var.execution_role_arn
 }
+
 output "aws_iam_role_ecs_task_execution_role_create_date" {
   description = "The creation date of the IAM role."
-  value       = aws_iam_role.ecs_task_execution_role.create_date
+  value       = var.execution_role_arn == null ? aws_iam_role.ecs_task_execution_role[0].create_date : null
 }
+
 output "aws_iam_role_ecs_task_execution_role_description" {
   description = "The description of the role."
-  value       = aws_iam_role.ecs_task_execution_role.description
+  value       = var.execution_role_arn == null ? aws_iam_role.ecs_task_execution_role[0].description : null
 }
+
 output "aws_iam_role_ecs_task_execution_role_id" {
   description = "The ID of the role."
-  value       = aws_iam_role.ecs_task_execution_role.id
+  value       = var.execution_role_arn == null ? aws_iam_role.ecs_task_execution_role[0].id : null
 }
+
 output "aws_iam_role_ecs_task_execution_role_name" {
   description = "The name of the role."
-  value       = aws_iam_role.ecs_task_execution_role.name
+  value       = var.execution_role_arn == null ? aws_iam_role.ecs_task_execution_role[0].name : null
 }
+
 output "aws_iam_role_ecs_task_execution_role_unique_id" {
   description = "The stable and unique string identifying the role."
-  value       = aws_iam_role.ecs_task_execution_role.unique_id
+  value       = var.execution_role_arn == null ? aws_iam_role.ecs_task_execution_role[0].unique_id : null
 }
 
 #------------------------------------------------------------------------------

outputs.tf

@@ -433,7 +433,13 @@ variable "skip_destroy" {
 }
 
 variable "task_role_arn" {
-  description = "(Optional) The ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services. If not specified, `aws_iam_role.ecs_task_execution_role.arn` is used"
+  description = "(Optional) The ARN of IAM role that grants permissions to the actual application once the container is started (e.g access an S3 bucket or DynamoDB database). If not specified, `aws_iam_role.ecs_task_execution_role.arn` is used"
+  type        = string
+  default     = null
+}
+
+variable "execution_role_arn" {
+  description = "(Optional) The ARN of IAM role that grants permissions to start the containers defined in a task (e.g populate environment variables from AWS Secrets Manager). If not specified, `aws_iam_role.ecs_task_execution_role.arn` is used"
   type        = string
   default     = null
 }

variables.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4"
+      version = ">= 4.0.0"
     }
   }
 }