Add support for enable_execute_command (#33)

* Add support for enable_execute_command

* Add required SSM permissions to task role

Author: marcincuber

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v3.3.0
+  rev: v3.4.0
   hooks:
   - id: check-added-large-files
     args: ['--maxkb=500']
@@ -18,7 +18,7 @@ repos:
     args: ['--allow-missing-credentials']
   - id: trailing-whitespace
 - repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.45.0
+  rev: v1.50.0
   hooks:
   - id: terraform_fmt
   - id: terraform_docs

CHANGELOG.md

@@ -5,6 +5,20 @@ All notable changes to this project will be documented in this file.
 <a name="unreleased"></a>
 ## [Unreleased]
 
+
+
+<a name="6.0.0"></a>
+## [6.0.0] - 2021-02-09
+
+- Add missing 'target_group_name' parameter in examples ([#31](https://github.com/umotif-public/terraform-aws-ecs-fargate/issues/31))
+- Add support for registering multiple target groups with a service ([#29](https://github.com/umotif-public/terraform-aws-ecs-fargate/issues/29))
+- Update README.md
+
+
+<a name="5.1.0"></a>
+## [5.1.0] - 2020-12-09
+
+- update docs
 - Add secrets to task defintion ([#28](https://github.com/umotif-public/terraform-aws-ecs-fargate/issues/28))
 
 
@@ -167,7 +181,9 @@ All notable changes to this project will be documented in this file.
 - Initial commit
 
 
-[Unreleased]: https://github.com/umotif-public/terraform-aws-ecs-fargate/compare/5.0.1...HEAD
+[Unreleased]: https://github.com/umotif-public/terraform-aws-ecs-fargate/compare/6.0.0...HEAD
+[6.0.0]: https://github.com/umotif-public/terraform-aws-ecs-fargate/compare/5.1.0...6.0.0
+[5.1.0]: https://github.com/umotif-public/terraform-aws-ecs-fargate/compare/5.0.1...5.1.0
 [5.0.1]: https://github.com/umotif-public/terraform-aws-ecs-fargate/compare/5.0.0...5.0.1
 [5.0.0]: https://github.com/umotif-public/terraform-aws-ecs-fargate/compare/4.0.3...5.0.0
 [4.0.3]: https://github.com/umotif-public/terraform-aws-ecs-fargate/compare/4.0.2...4.0.3

README.md

@@ -30,6 +30,24 @@ data "aws_iam_policy_document" "task_permissions" {
   }
 }
 
+# Task permissions to allow ECS Exec command
+data "aws_iam_policy_document" "task_ecs_exec_policy" {
+  count = var.enable_execute_command ? 1 : 0
+
+  statement {
+    effect = "Allow"
+
+    resources = ["*"]
+
+    actions = [
+      "ssmmessages:CreateControlChannel",
+      "ssmmessages:CreateDataChannel",
+      "ssmmessages:OpenControlChannel",
+      "ssmmessages:OpenDataChannel"
+    ]
+  }
+}
+
 # Task ecr privileges
 data "aws_iam_policy_document" "task_execution_permissions" {
   statement {

data.tf

@@ -45,6 +45,14 @@ resource "aws_iam_role_policy" "log_agent" {
   policy = data.aws_iam_policy_document.task_permissions.json
 }
 
+resource "aws_iam_role_policy" "ecs_exec_inline_policy" {
+  count = var.enable_execute_command ? 1 : 0
+
+  name   = "${var.name_prefix}-ecs-exec-permissions"
+  role   = aws_iam_role.task.id
+  policy = data.aws_iam_policy_document.task_ecs_exec_policy[0].json
+}
+
 #####
 # Security groups
 #####
@@ -280,8 +288,9 @@ resource "aws_ecs_service" "service" {
   platform_version = var.platform_version
   launch_type      = length(var.capacity_provider_strategy) == 0 ? "FARGATE" : null
 
-  force_new_deployment  = var.force_new_deployment
-  wait_for_steady_state = var.wait_for_steady_state
+  force_new_deployment   = var.force_new_deployment
+  wait_for_steady_state  = var.wait_for_steady_state
+  enable_execute_command = var.enable_execute_command
 
   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
   deployment_maximum_percent         = var.deployment_maximum_percent

main.tf

@@ -270,3 +270,9 @@ variable "wait_for_steady_state" {
   description = "If true, Terraform will wait for the service to reach a steady state (like aws ecs wait services-stable) before continuing."
   default     = false
 }
+
+variable "enable_execute_command" {
+  type        = bool
+  description = "Specifies whether to enable Amazon ECS Exec for the tasks within the service."
+  default     = true
+}

variables.tf

@@ -2,6 +2,6 @@ terraform {
   required_version = ">= 0.13.0"
 
   required_providers {
-    aws = ">= 3.13"
+    aws = ">= 3.34"
   }
 }