Fix task private repository credentials variable issue (#14)

* Fix task private repository credentials variable issue

* update readme with new version

Author: marcincuber

.pre-commit-config.yaml

@@ -18,7 +18,7 @@ repos:
     args: ['--allow-missing-credentials']
   - id: trailing-whitespace
 - repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.29.0
+  rev: v1.30.0
   hooks:
   - id: terraform_fmt
   - id: terraform_docs

README.md

@@ -28,7 +28,7 @@ resource "aws_ecs_cluster" "cluster" {
 
 module "ecs-farage" {
   source = "umotif-public/ecs-fargate/aws"
-  version = "~> 1.1"
+  version = "~> 1.3.0"
 
   name_prefix        = "ecs-fargate-example"
   vpc_id             = "vpc-abasdasd132"
@@ -88,6 +88,7 @@ No requirements.
 | capacity\_provider\_strategy | (Optional) The capacity\_provider\_strategy configuration block. This is a list of maps, where each map should contain "capacity\_provider ", "weight" and "base" | `list` | `[]` | no |
 | cluster\_id | The Amazon Resource Name (ARN) that identifies the cluster. | `string` | n/a | yes |
 | container\_name | Optional name for the container to be used instead of name\_prefix. | `string` | `""` | no |
+| create\_repository\_credentials\_iam\_policy | Set to true if you are specifying `repository_credentials` variable, it will attach IAM policy with necessary permissions to task role. | `bool` | `false` | no |
 | deployment\_controller\_type | Type of deployment controller. Valid values: CODE\_DEPLOY, ECS. | `string` | `"ECS"` | no |
 | deployment\_maximum\_percent | The upper limit of the number of running tasks that can be running in a service during a deployment | `number` | `200` | no |
 | deployment\_minimum\_healthy\_percent | The lower limit of the number of running tasks that must remain running and healthy in a service during a deployment | `number` | `50` | no |

data.tf

@@ -1 +1,74 @@
 data "aws_region" "current" {}
+
+# Task role assume policy
+data "aws_iam_policy_document" "task_assume" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+# Task logging privileges
+data "aws_iam_policy_document" "task_permissions" {
+  statement {
+    effect = "Allow"
+
+    resources = [
+      aws_cloudwatch_log_group.main.arn,
+    ]
+
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+  }
+}
+
+# Task ecr privileges
+data "aws_iam_policy_document" "task_execution_permissions" {
+  statement {
+    effect = "Allow"
+
+    resources = [
+      "*",
+    ]
+
+    actions = [
+      "ecr:GetAuthorizationToken",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+  }
+}
+
+data "aws_kms_key" "secretsmanager_key" {
+  count = var.create_repository_credentials_iam_policy ? 1 : 0
+
+  key_id = var.repository_credentials_kms_key
+}
+
+data "aws_iam_policy_document" "read_repository_credentials" {
+  count = var.create_repository_credentials_iam_policy ? 1 : 0
+
+  statement {
+    effect = "Allow"
+
+    resources = [
+      var.repository_credentials,
+      data.aws_kms_key.secretsmanager_key[0].arn,
+    ]
+
+    actions = [
+      "secretsmanager:GetSecretValue",
+      "kms:Decrypt",
+    ]
+  }
+}

examples/core/main.tf

@@ -67,6 +67,19 @@ resource "aws_security_group_rule" "task_ingress_80" {
   source_security_group_id = module.alb.security_group_id
 }
 
+#####
+# private repo credentials secretsmanager
+#####
+data "aws_kms_key" "secretsmanager_key" {
+  key_id = "alias/aws/secretsmanager"
+}
+
+resource "aws_secretsmanager_secret" "task_credentials" {
+  name = "task_repository_credentials"
+
+  kms_key_id = data.aws_kms_key.secretsmanager_key.arn
+}
+
 #####
 # ECS cluster and fargate
 #####
@@ -96,4 +109,8 @@ module "fargate" {
     port = "traffic-port"
     path = "/"
   }
+
+  ### To use task credentials, below paramaters are required
+  # create_repository_credentials_iam_policy = false
+  # repository_credentials                   = aws_secretsmanager_secret.task_credentials.arn
 }

main.tf

@@ -24,11 +24,11 @@ resource "aws_iam_role_policy" "task_execution" {
 }
 
 resource "aws_iam_role_policy" "read_repository_credentials" {
-  count = length(var.repository_credentials) != 0 ? 1 : 0
+  count = var.create_repository_credentials_iam_policy ? 1 : 0
 
   name   = "${var.name_prefix}-read-repository-credentials"
   role   = aws_iam_role.execution.id
-  policy = data.aws_iam_policy_document.read_repository_credentials.json
+  policy = data.aws_iam_policy_document.read_repository_credentials[0].json
 }
 
 #####

policies.tf

@@ -146,6 +146,11 @@ variable "repository_credentials_kms_key" {
   type        = string
 }
 
+variable "create_repository_credentials_iam_policy" {
+  default     = false
+  description = "Set to true if you are specifying `repository_credentials` variable, it will attach IAM policy with necessary permissions to task role."
+}
+
 variable "service_registry_arn" {
   default     = ""
   description = "ARN of aws_service_discovery_service resource"