Add support for EnvironmentFiles in container definition (#60)

Sherdycoder · Abdul Wahid · web-flow · commit ce9727aa4057 · 2022-05-12T15:39:25.000+01:00
* Add support for environment files

* formatting

* add iam permissions

* typo

* add GetBucketLocation permissions to iam policy

* Update Changelog

Co-authored-by: Abdul Wahid &lt;abdul.wahid@umotif.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,7 +5,10 @@ All notable changes to this project will be documented in this file.
 <a name="unreleased"></a>
 ## [Unreleased]
 
-- added option to allow customisation of os/cpu architecture
+- add GetBucketLocation permissions to iam policy
+- add iam permissions
+- Add support for environment files
+- Allow option to customise run_time platform ([#56](https://github.com/umotif-public/terraform-aws-ecs-fargate/issues/56))
 - Enable containerDefinitions portMappings to use target_groups container_ports ([#59](https://github.com/umotif-public/terraform-aws-ecs-fargate/issues/59))
 
 
diff --git a/README.md b/README.md
@@ -107,13 +107,15 @@ No modules.
 | [aws_iam_role.execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy.ecs_exec_inline_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.get_environment_files](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.log_agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.read_repository_credentials](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.task_execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_lb_target_group.task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
 | [aws_security_group.ecs_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group_rule.egress_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_ecs_task_definition.task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecs_task_definition) | data source |
+| [aws_iam_policy_document.get_environment_files](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.read_repository_credentials](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.task_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.task_ecs_exec_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -159,6 +161,7 @@ No modules.
 | <a name="input_task_container_command"></a> [task\_container\_command](#input\_task\_container\_command) | The command that is passed to the container. | `list(string)` | `[]` | no |
 | <a name="input_task_container_cpu"></a> [task\_container\_cpu](#input\_task\_container\_cpu) | Amount of CPU to reserve for the container. | `number` | `null` | no |
 | <a name="input_task_container_environment"></a> [task\_container\_environment](#input\_task\_container\_environment) | The environment variables to pass to a container. | `map(string)` | `{}` | no |
+| <a name="input_task_container_environment_files"></a> [task\_container\_environment\_files](#input\_task\_container\_environment\_files) | The environment variable files (s3 object arns) to pass to a container. Files must use .env file extension. | `list(string)` | `[]` | no |
 | <a name="input_task_container_image"></a> [task\_container\_image](#input\_task\_container\_image) | The image used to start a container. | `string` | n/a | yes |
 | <a name="input_task_container_memory"></a> [task\_container\_memory](#input\_task\_container\_memory) | The hard limit (in MiB) of memory for the container. | `number` | `null` | no |
 | <a name="input_task_container_memory_reservation"></a> [task\_container\_memory\_reservation](#input\_task\_container\_memory\_reservation) | The soft limit (in MiB) of memory to reserve for the container. | `number` | `null` | no |
diff --git a/data.tf b/data.tf
@@ -92,6 +92,30 @@ data "aws_iam_policy_document" "read_repository_credentials" {
   }
 }
 
+data "aws_iam_policy_document" "get_environment_files" {
+  count = length(var.task_container_environment_files) != 0 ? 1 : 0
+
+  statement {
+    effect = "Allow"
+
+    resources = var.task_container_environment_files
+
+    actions = [
+      "s3:GetObject"
+    ]
+  }
+
+  statement {
+    effect = "Allow"
+
+    resources = [for file in var.task_container_environment_files : split("/", file)[0]]
+
+    actions = [
+      "s3:GetBucketLocation"
+    ]
+  }
+}
+
 data "aws_ecs_task_definition" "task" {
   task_definition = aws_ecs_task_definition.task.family
 }
diff --git a/main.tf b/main.tf
@@ -34,6 +34,14 @@ resource "aws_iam_role_policy" "read_repository_credentials" {
   policy = data.aws_iam_policy_document.read_repository_credentials[0].json
 }
 
+resource "aws_iam_role_policy" "get_environment_files" {
+  count = length(var.task_container_environment_files) != 0 ? 1 : 0
+
+  name   = "${var.name_prefix}-read-repository-credentials"
+  role   = aws_iam_role.execution.id
+  policy = data.aws_iam_policy_document.get_environment_files[0].json
+}
+
 #####
 # IAM - Task role, basic. Append policies to this role for S3, DynamoDB etc.
 #####
@@ -147,6 +155,13 @@ locals {
       protocol      = contains(keys(tg), "protocol") ? lower(tg.protocol) : "tcp"
     }
   ]) : []
+
+  task_environment_files = [
+    for file in var.task_container_environment_files : {
+      value = file
+      type  = "s3"
+    }
+  ]
 }
 
 resource "aws_ecs_task_definition" "task" {
@@ -237,7 +252,8 @@ resource "aws_ecs_task_definition" "task" {
   %{if var.task_pseudo_terminal != null~}
   "pseudoTerminal": ${var.task_pseudo_terminal},
   %{~endif}
-  "environment": ${jsonencode(local.task_environment)}
+  "environment": ${jsonencode(local.task_environment)},
+  "environmentFiles": ${jsonencode(local.task_environment_files)}
 }]
 EOF
 
diff --git a/variables.tf b/variables.tf
@@ -99,6 +99,12 @@ variable "task_container_environment" {
   type        = map(string)
 }
 
+variable "task_container_environment_files" {
+  description = "The environment variable files (s3 object arns) to pass to a container. Files must use .env file extension."
+  default     = []
+  type        = list(string)
+}
+
 variable "task_container_secrets" {
   description = "The secrets variables to pass to a container."
   default     = null
