Tasks on ECS require an execution role that lets the ECS agent pull the container image from ECR, write logs to CloudWatch, and, if the task uses `secrets`, read the referenced Secrets Manager secrets or Parameter Store parameters at container start. THIS IS NOT THE ROLE USED BY YOUR TASK TO ACCESS OTHER AWS SERVICES: that is the task role, which the module builds from `managed_policy_arns` and `inline_policy_document` and which the code running inside the container receives. Keep the two separate so the execution role stays minimal and the task role grants only what the job itself needs.
This ECS execution role must be created as follows:
```hcl
# Trust policy: only the ECS task launcher (ecs-tasks.amazonaws.com) may assume this role.
data "aws_iam_policy_document" "ecs_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ecs_execution" {
  name               = "ECSExecutionRole"
  assume_role_policy = data.aws_iam_policy_document.ecs_assume_role.json
}

# AWS-managed policy granting ECR image pull and CloudWatch Logs write permissions.
# It does NOT grant access to Secrets Manager or Parameter Store; any secrets injected
# into the task need a separate, scoped policy on this role.
resource "aws_iam_role_policy_attachment" "ecs_execution" {
  role       = aws_iam_role.ecs_execution.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}
```
While the module can create this role for you (`create_ecs_role`), it is better to create it once outside the module and pass its ARN in via `ecs_role_arn` to every module that needs it. A single shared execution role keeps your IAM roles decluttered for auditing, and any read permission you add for injected secrets is granted in exactly one place. If the role is reused widely, consider adding `aws:SourceAccount` / `aws:SourceArn` conditions to its trust policy, as AWS recommends for ECS task execution roles, to limit confused-deputy risk.
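The following is an added usage example, not code from this module's README. It shows the shared execution role from the snippet above being passed into the module alongside a least-privilege task role, and it grants the execution role (not the task role) read access to the one secret injected via `secrets`. It assumes the `aws_iam_role.ecs_execution` resources above exist in the same configuration, that the module is sourced from the hypothetical path `./modules/fargate-cron-task`, and that the cluster, secret, subnet, security group and bucket identifiers are placeholders. Whether `cron` expects the full `cron(...)` wrapper is also an assumption; check the module's event rule.

```hcl
# Added example: wiring the shared execution role into the module.
# Assumptions (not from the module's README): the ECSExecutionRole resources from
# the snippet above exist in this configuration; the module is sourced from the
# hypothetical path "./modules/fargate-cron-task"; the cluster, secret, subnet,
# security group and bucket identifiers below are placeholders.

locals {
  db_password_secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db/password-AbCdEf" # placeholder
}

# Secrets listed in the module's `secrets` input are resolved by ECS using the
# EXECUTION role at container start, so it is the execution role (not the task
# role) that needs read access. Scope the grant to the exact secret ARNs.
data "aws_iam_policy_document" "ecs_execution_secrets" {
  statement {
    sid       = "ReadInjectedSecrets"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [local.db_password_secret_arn]
  }
  # If the secret is encrypted with a customer-managed KMS key, also grant
  # kms:Decrypt on that key here.
}

resource "aws_iam_role_policy" "ecs_execution_secrets" {
  name   = "ECSExecutionRoleSecrets"
  role   = aws_iam_role.ecs_execution.name
  policy = data.aws_iam_policy_document.ecs_execution_secrets.json
}

# Task-role permissions: only what the job's code itself performs.
data "aws_iam_policy_document" "nightly_export_task" {
  statement {
    sid       = "WriteExports"
    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::example-exports-bucket/nightly/*"] # placeholder bucket
  }
}

module "nightly_export" {
  source = "./modules/fargate-cron-task" # hypothetical source

  name        = "nightly-export"
  cluster_arn = "arn:aws:ecs:us-east-1:123456789012:cluster/jobs"                           # placeholder
  image       = "123456789012.dkr.ecr.us-east-1.amazonaws.com/nightly-export:2024.05.01" # pin a tag, never :latest

  # 02:30 UTC daily. Written as a full EventBridge schedule expression on the
  # assumption that the module passes `cron` straight through to the event rule.
  cron = "cron(30 2 * * ? *)"

  cpu              = 256
  memory           = 512
  cpu_architecture = "X86_64"
  operating_system = "LINUX"

  # Shared execution role created outside the module (see above).
  create_ecs_role = false
  ecs_role_arn    = aws_iam_role.ecs_execution.arn

  # Task-role permissions; leave managed_policy_arns empty unless a managed
  # policy is genuinely the minimum the job needs.
  inline_policy_document = data.aws_iam_policy_document.nightly_export_task.json
  managed_policy_arns    = []

  environment = {
    EXPORT_BUCKET = "example-exports-bucket"
  }

  # Only the ARN goes into the task definition; ECS fetches the value at launch,
  # so the secret itself never enters Terraform state.
  secrets = {
    DB_PASSWORD = local.db_password_secret_arn
  }

  subnet_ids         = ["subnet-0123456789abcdef0"] # private subnet with ECR/Logs reachability (NAT or VPC endpoints)
  security_group_ids = ["sg-0123456789abcdef0"]     # egress-only group

  tags = {
    owner = "data-platform"
  }
}
```

The split matters for review: anyone auditing `aws_iam_role_policy.ecs_execution_secrets` sees exactly which secrets ECS may read on behalf of every task that shares the execution role, while the job's own permissions live in the per-task inline policy.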
Requirements:

| Name | Version |
|------|---------|
| terraform | >= 0.13.5 |
| aws | >= 2.24.0 |
Providers:

| Name | Version |
|------|---------|
| aws | 2.24.0 |
Modules:

| Name | Source | Version |
|------|--------|---------|
| ecs_execution_role | aisamji/ecs-execution-role/aws | 1.0.0 |
Resources:

| Name | Type |
|------|------|
| aws_cloudwatch_event_rule.default | resource |
| aws_cloudwatch_event_target.default | resource |
| aws_cloudwatch_log_group.default | resource |
| aws_ecs_task_definition.default | resource |
| aws_iam_role.event | resource |
| aws_iam_role.task | resource |
| aws_iam_role_policy.ecs_run_task | resource |
| aws_iam_role_policy.task_inline | resource |
| aws_iam_role_policy_attachment.task_managed | resource |
| aws_iam_policy_document.ecs_run_task | data source |
| aws_iam_policy_document.event_assume_role | data source |
| aws_iam_policy_document.task_assume_role | data source |
| aws_region.current | data source |
Inputs:

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| cluster_arn | The ARN of the Fargate cluster where this task should be run. | string | n/a | yes |
| command_override | The arguments to pass to the image entrypoint instead of the image's defaults. | string | "" | no |
| cpu | The number of CPU units available to this task. See the list of valid CPU/memory combinations: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html | number | 256 | no |
| cpu_architecture | CPU architecture of the task's runtime platform. Must be either X86_64 or ARM64. | string | n/a | yes |
| create_ecs_role | Whether the module should create the ECS execution role itself (via the ecs_execution_role submodule) rather than using one passed in through ecs_role_arn. | bool | false | no |
| create_log_group | Whether to create the CloudWatch log group, or assume it has been created externally. | bool | true | no |
| cron | A valid cron expression. Cron expressions are evaluated in UTC. https://docs.aws.amazon.com/lambda/latest/dg/services-cloudwatchevents-expressions.html | string | n/a | yes |
| ecs_role_arn | The ARN of the execution role used by ECS to pull the docker image, send logs to CloudWatch and read any injected secrets. If not specified, the module will create an appropriate role. | string | "" | no |
| environment | A map of environment variables in 'name = value' format. | map(string) | {} | no |
| image | The image repository and tag, in the format repository:tag. | string | n/a | yes |
| inline_policy_document | An inline IAM policy document in JSON format granting additional permissions to the task role. | string | "" | no |
| log_group_name | The name of the log group to create/use to store logs from the task. | string | null | no |
| managed_policy_arns | A list of managed policy ARNs to attach to the task role. | list(string) | [] | no |
| memory | The number of memory units (MiB) available to this task. See the list of valid CPU/memory combinations: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html | number | 512 | no |
| name | The name that will be used for the resources created. | string | n/a | yes |
| operating_system | Operating system family of the task's runtime platform (for example LINUX); see the ECS task definition documentation for the list of valid values. | string | n/a | yes |
| secrets | A map of secret environment variables in 'name = sourceARN' format. The source ARN can reference an AWS Secrets Manager secret or an AWS Systems Manager Parameter Store parameter. The execution role (ecs_role_arn) must be allowed to read each referenced secret. | map(string) | {} | no |
| security_group_ids | A list of security groups attached to the task's ENI. | list(string) | [] | no |
| subnet_ids | The task will be launched with an ENI connected to one of these subnets. | list(string) | n/a | yes |
| tags | The tags to apply to all created resources. | map(string) | {} | no |
Outputs:

No outputs.