diff --git a/README.md b/README.md index 8e20fbc0..8b8d6177 100644 --- a/README.md +++ b/README.md @@ -189,7 +189,7 @@ No resources. | [cluster\_configuration](#input\_cluster\_configuration) | The execute command configuration for the cluster | `any` | `{}` | no | | [cluster\_name](#input\_cluster\_name) | Name of the cluster (up to 255 letters, numbers, hyphens, and underscores) | `string` | `""` | no | | [cluster\_service\_connect\_defaults](#input\_cluster\_service\_connect\_defaults) | Configures a default Service Connect namespace | `map(string)` | `{}` | no | -| [cluster\_settings](#input\_cluster\_settings) | List of configuration block(s) with cluster settings. For example, this can be used to enable CloudWatch Container Insights for a cluster | `any` |
[| no | +| [cluster\_settings](#input\_cluster\_settings) | List of configuration block(s) with cluster settings. For example, this can be used to enable CloudWatch Container Insights for a cluster | `any` |
{
"name": "containerInsights",
"value": "enabled"
}
]
[| no | | [cluster\_tags](#input\_cluster\_tags) | A map of additional tags to add to the cluster | `map(string)` | `{}` | no | | [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no | | [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled | `bool` | `true` | no | @@ -207,8 +207,8 @@ No resources. | [task\_exec\_iam\_role\_tags](#input\_task\_exec\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no | | [task\_exec\_iam\_role\_use\_name\_prefix](#input\_task\_exec\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`task_exec_iam_role_name`) is used as a prefix | `bool` | `true` | no | | [task\_exec\_iam\_statements](#input\_task\_exec\_iam\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | `any` | `{}` | no | -| [task\_exec\_secret\_arns](#input\_task\_exec\_secret\_arns) | List of SecretsManager secret ARNs the task execution role will be permitted to get/read | `list(string)` |
{
"name": "containerInsights",
"value": "enabled"
}
]
[| no | -| [task\_exec\_ssm\_param\_arns](#input\_task\_exec\_ssm\_param\_arns) | List of SSM parameter ARNs the task execution role will be permitted to get/read | `list(string)` |
"arn:aws:secretsmanager:*:*:secret:*"
]
[| no | +| [task\_exec\_secret\_arns](#input\_task\_exec\_secret\_arns) | List of SecretsManager secret ARNs the task execution role will be permitted to get/read | `list(string)` |
"arn:aws:ssm:*:*:parameter/*"
]
[| no | +| [task\_exec\_ssm\_param\_arns](#input\_task\_exec\_ssm\_param\_arns) | List of SSM parameter ARNs the task execution role will be permitted to get/read | `list(string)` |
"arn:aws:secretsmanager:*:*:secret:*"
]
[| no | ## Outputs diff --git a/examples/complete/README.md b/examples/complete/README.md index 3f105953..421a5b80 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -43,6 +43,7 @@ Note that this example may create resources which will incur monetary charges on | [ecs](#module\_ecs) | ../../ | n/a | | [ecs\_cluster\_disabled](#module\_ecs\_cluster\_disabled) | ../../modules/cluster | n/a | | [ecs\_disabled](#module\_ecs\_disabled) | ../../ | n/a | +| [secrets\_manager](#module\_secrets\_manager) | terraform-aws-modules/secrets-manager/aws | ~> 1.3 | | [service\_disabled](#module\_service\_disabled) | ../../modules/service | n/a | | [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index b7353bbd..e46f52f5 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -21,6 +21,18 @@ locals { } } +module "postgres" { + source = "../../modules/container-definition" + + name = "postgres" + image = "postgres:latest" + + secrets = [{ + name = "POSTGRES_PASSWORD" + valueFrom = "arn:POSTGRES_PASSWORD" + }] +} + ################################################################################ # Cluster ################################################################################ @@ -50,6 +62,8 @@ module "ecs" { cpu = 1024 memory = 4096 + explicit_task_exec_secret_arns = true + # Container definition(s) container_definitions = { @@ -70,6 +84,11 @@ module "ecs" { essential = true image = "public.ecr.aws/aws-containers/ecsdemo-frontend:776fd50" + secrets = [{ + name = "BAR" + valueFrom = "arn:BAR" + }] + health_check = { command = ["CMD-SHELL", "curl -f http://localhost:${local.container_port}/health || exit 1"] } @@ -103,6 +122,8 @@ module "ecs" { } memory_reservation = 100 } + + postgres = module.postgres.container_definition } service_connect_configuration = { diff --git a/main.tf b/main.tf index 5e380de7..c2b44254 100644 --- a/main.tf +++ b/main.tf 
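Review bot: The placeholder values `valueFrom = "arn:POSTGRES_PASSWORD"` and `valueFrom = "arn:BAR"` are not well-formed ARNs, and because the same hunk sets `explicit_task_exec_secret_arns = true` they flow straight into the task execution role's `secretsmanager:GetSecretValue` resources, where IAM is likely to reject the policy document as malformed; ECS would in any case be unable to resolve them at task start. The examples/complete/README.md hunk in this commit registers a `secrets_manager` module (`terraform-aws-modules/secrets-manager/aws`), but no `module "secrets_manager"` block is visible in this hunk; if it exists elsewhere in the file, pointing both `valueFrom` values at its secret ARN output (e.g. `valueFrom = module.secrets_manager.secret_arn`, confirm the output name) would make the example exercise the explicit-ARN mode end to end. `image = "postgres:latest"` is unpinned; a fixed tag or digest keeps the example reproducible. The `module "ecs"` block continues outside the hunk.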
@@ -134,10 +134,11 @@ module "service" { task_exec_iam_role_max_session_duration = try(each.value.task_exec_iam_role_max_session_duration, null) # Task execution IAM role policy - create_task_exec_policy = try(each.value.create_task_exec_policy, true) - task_exec_ssm_param_arns = lookup(each.value, "task_exec_ssm_param_arns", ["arn:aws:ssm:*:*:parameter/*"]) - task_exec_secret_arns = lookup(each.value, "task_exec_secret_arns", ["arn:aws:secretsmanager:*:*:secret:*"]) - task_exec_iam_statements = lookup(each.value, "task_exec_iam_statements", {}) + create_task_exec_policy = try(each.value.create_task_exec_policy, true) + task_exec_ssm_param_arns = lookup(each.value, "task_exec_ssm_param_arns", ["arn:aws:ssm:*:*:parameter/*"]) + task_exec_secret_arns = lookup(each.value, "task_exec_secret_arns", ["arn:aws:secretsmanager:*:*:secret:*"]) + explicit_task_exec_secret_arns = lookup(each.value, "explicit_task_exec_secret_arns", false) + task_exec_iam_statements = lookup(each.value, "task_exec_iam_statements", {}) # Tasks - IAM role create_tasks_iam_role = try(each.value.create_tasks_iam_role, true) diff --git a/modules/cluster/README.md b/modules/cluster/README.md index 282943b5..5556b88f 100644 --- a/modules/cluster/README.md +++ b/modules/cluster/README.md @@ -174,7 +174,7 @@ No modules. | [cluster\_configuration](#input\_cluster\_configuration) | The execute command configuration for the cluster | `any` | `{}` | no | | [cluster\_name](#input\_cluster\_name) | Name of the cluster (up to 255 letters, numbers, hyphens, and underscores) | `string` | `""` | no | | [cluster\_service\_connect\_defaults](#input\_cluster\_service\_connect\_defaults) | Configures a default Service Connect namespace | `map(string)` | `{}` | no | -| [cluster\_settings](#input\_cluster\_settings) | List of configuration block(s) with cluster settings. For example, this can be used to enable CloudWatch Container Insights for a cluster | `any` |
"arn:aws:ssm:*:*:parameter/*"
]
[| no | +| [cluster\_settings](#input\_cluster\_settings) | List of configuration block(s) with cluster settings. For example, this can be used to enable CloudWatch Container Insights for a cluster | `any` |
{
"name": "containerInsights",
"value": "enabled"
}
]
[| no | | [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no | | [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled | `bool` | `true` | no | | [create\_task\_exec\_iam\_role](#input\_create\_task\_exec\_iam\_role) | Determines whether the ECS task definition IAM role should be created | `bool` | `false` | no | @@ -190,8 +190,8 @@ No modules. | [task\_exec\_iam\_role\_tags](#input\_task\_exec\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no | | [task\_exec\_iam\_role\_use\_name\_prefix](#input\_task\_exec\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`task_exec_iam_role_name`) is used as a prefix | `bool` | `true` | no | | [task\_exec\_iam\_statements](#input\_task\_exec\_iam\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | `any` | `{}` | no | -| [task\_exec\_secret\_arns](#input\_task\_exec\_secret\_arns) | List of SecretsManager secret ARNs the task execution role will be permitted to get/read | `list(string)` |
{
"name": "containerInsights",
"value": "enabled"
}
]
[| no | -| [task\_exec\_ssm\_param\_arns](#input\_task\_exec\_ssm\_param\_arns) | List of SSM parameter ARNs the task execution role will be permitted to get/read | `list(string)` |
"arn:aws:secretsmanager:*:*:secret:*"
]
[| no | +| [task\_exec\_secret\_arns](#input\_task\_exec\_secret\_arns) | List of SecretsManager secret ARNs the task execution role will be permitted to get/read | `list(string)` |
"arn:aws:ssm:*:*:parameter/*"
]
[| no | +| [task\_exec\_ssm\_param\_arns](#input\_task\_exec\_ssm\_param\_arns) | List of SSM parameter ARNs the task execution role will be permitted to get/read | `list(string)` |
"arn:aws:secretsmanager:*:*:secret:*"
]
[| no | ## Outputs diff --git a/modules/container-definition/README.md b/modules/container-definition/README.md index 6ed52ac7..3b5c8f29 100644 --- a/modules/container-definition/README.md +++ b/modules/container-definition/README.md @@ -146,7 +146,7 @@ No modules. | [command](#input\_command) | The command that's passed to the container | `list(string)` | `[]` | no | | [cpu](#input\_cpu) | The number of cpu units to reserve for the container. This is optional for tasks using Fargate launch type and the total amount of `cpu` of all containers in a task will need to be lower than the task-level cpu value | `number` | `null` | no | | [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Determines whether a log group is created by this module. If not, AWS will automatically create one if logging is enabled | `bool` | `true` | no | -| [dependencies](#input\_dependencies) | The dependencies defined for container startup and shutdown. A container can contain multiple dependencies. When a dependency is defined for container startup, for container shutdown it is reversed. The condition can be one of START, COMPLETE, SUCCESS or HEALTHY |
"arn:aws:ssm:*:*:parameter/*"
]
list(object({| `[]` | no | +| [dependencies](#input\_dependencies) | The dependencies defined for container startup and shutdown. A container can contain multiple dependencies. When a dependency is defined for container startup, for container shutdown it is reversed. The condition can be one of START, COMPLETE, SUCCESS or HEALTHY |
condition = string
containerName = string
}))
list(object({| `[]` | no | | [disable\_networking](#input\_disable\_networking) | When this parameter is true, networking is disabled within the container | `bool` | `null` | no | | [dns\_search\_domains](#input\_dns\_search\_domains) | Container DNS search domains. A list of DNS search domains that are presented to the container | `list(string)` | `[]` | no | | [dns\_servers](#input\_dns\_servers) | Container DNS servers. This is a list of strings specifying the IP addresses of the DNS servers | `list(string)` | `[]` | no | @@ -155,10 +155,10 @@ No modules. | [enable\_cloudwatch\_logging](#input\_enable\_cloudwatch\_logging) | Determines whether CloudWatch logging is configured for this container definition. Set to `false` to use other logging drivers | `bool` | `true` | no | | [enable\_execute\_command](#input\_enable\_execute\_command) | Specifies whether to enable Amazon ECS Exec for the tasks within the service | `bool` | `false` | no | | [entrypoint](#input\_entrypoint) | The entry point that is passed to the container | `list(string)` | `[]` | no | -| [environment](#input\_environment) | The environment variables to pass to the container |
condition = string
containerName = string
}))
list(object({| `[]` | no | -| [environment\_files](#input\_environment\_files) | A list of files containing the environment variables to pass to a container |
name = string
value = string
}))
list(object({| `[]` | no | +| [environment](#input\_environment) | The environment variables to pass to the container |
value = string
type = string
}))
list(object({| `[]` | no | +| [environment\_files](#input\_environment\_files) | A list of files containing the environment variables to pass to a container |
name = string
value = string
}))
list(object({| `[]` | no | | [essential](#input\_essential) | If the `essential` parameter of a container is marked as `true`, and that container fails or stops for any reason, all other containers that are part of the task are stopped | `bool` | `null` | no | -| [extra\_hosts](#input\_extra\_hosts) | A list of hostnames and IP address mappings to append to the `/etc/hosts` file on the container |
value = string
type = string
}))
list(object({| `[]` | no | +| [extra\_hosts](#input\_extra\_hosts) | A list of hostnames and IP address mappings to append to the `/etc/hosts` file on the container |
hostname = string
ipAddress = string
}))
list(object({| `[]` | no | | [firelens\_configuration](#input\_firelens\_configuration) | The FireLens configuration for the container. This is used to specify and configure a log router for container logs. For more information, see [Custom Log Routing](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_firelens.html) in the Amazon Elastic Container Service Developer Guide | `any` | `{}` | no | | [health\_check](#input\_health\_check) | The container health check command and associated configuration parameters for the container. See [HealthCheck](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_HealthCheck.html) | `any` | `{}` | no | | [hostname](#input\_hostname) | The hostname to use for your container | `string` | `null` | no | @@ -177,14 +177,14 @@ No modules. | [pseudo\_terminal](#input\_pseudo\_terminal) | When this parameter is true, a `TTY` is allocated | `bool` | `false` | no | | [readonly\_root\_filesystem](#input\_readonly\_root\_filesystem) | When this parameter is true, the container is given read-only access to its root file system | `bool` | `true` | no | | [repository\_credentials](#input\_repository\_credentials) | Container repository credentials; required when using a private repo. This map currently supports a single key; "credentialsParameter", which should be the ARN of a Secrets Manager's secret holding the credentials | `map(string)` | `{}` | no | -| [resource\_requirements](#input\_resource\_requirements) | The type and amount of a resource to assign to a container. The only supported resource is a GPU |
hostname = string
ipAddress = string
}))
list(object({| `[]` | no | -| [secrets](#input\_secrets) | The secrets to pass to the container. For more information, see [Specifying Sensitive Data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) in the Amazon Elastic Container Service Developer Guide |
type = string
value = string
}))
list(object({| `[]` | no | +| [resource\_requirements](#input\_resource\_requirements) | The type and amount of a resource to assign to a container. The only supported resource is a GPU |
name = string
valueFrom = string
}))
list(object({| `[]` | no | +| [secrets](#input\_secrets) | The secrets to pass to the container. For more information, see [Specifying Sensitive Data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) in the Amazon Elastic Container Service Developer Guide |
type = string
value = string
}))
list(object({| `[]` | no | | [service](#input\_service) | The name of the service that the container definition is associated with | `string` | `""` | no | | [start\_timeout](#input\_start\_timeout) | Time duration (in seconds) to wait before giving up on resolving dependencies for a container | `number` | `30` | no | | [stop\_timeout](#input\_stop\_timeout) | Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own | `number` | `120` | no | | [system\_controls](#input\_system\_controls) | A list of namespaced kernel parameters to set in the container | `list(map(string))` | `[]` | no | | [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no | -| [ulimits](#input\_ulimits) | A list of ulimits to set in the container. If a ulimit value is specified in a task definition, it overrides the default values set by Docker |
name = string
valueFrom = string
}))
list(object({| `[]` | no | +| [ulimits](#input\_ulimits) | A list of ulimits to set in the container. If a ulimit value is specified in a task definition, it overrides the default values set by Docker |
hardLimit = number
name = string
softLimit = number
}))
list(object({| `[]` | no | | [user](#input\_user) | The user to run as inside the container. Can be any of these formats: user, user:group, uid, uid:gid, user:gid, uid:group. The default (null) will use the container's configured `USER` directive or root if not set | `string` | `null` | no | | [volumes\_from](#input\_volumes\_from) | Data volumes to mount from another container | `list(any)` | `[]` | no | | [working\_directory](#input\_working\_directory) | The working directory to run commands inside the container | `string` | `null` | no | @@ -196,6 +196,7 @@ No modules. | [cloudwatch\_log\_group\_arn](#output\_cloudwatch\_log\_group\_arn) | ARN of CloudWatch log group created | | [cloudwatch\_log\_group\_name](#output\_cloudwatch\_log\_group\_name) | Name of CloudWatch log group created | | [container\_definition](#output\_container\_definition) | Container definition | +| [secrets\_arns](#output\_secrets\_arns) | The secrets ARNs for all containers defined | ## License diff --git a/modules/container-definition/outputs.tf b/modules/container-definition/outputs.tf index 2f26967a..7cbe2ec1 100644 --- a/modules/container-definition/outputs.tf +++ b/modules/container-definition/outputs.tf @@ -7,6 +7,11 @@ output "container_definition" { value = local.container_definition } +output "secrets_arns" { + description = "The secrets ARNs for all containers defined" + value = [for v in try(local.container_definition.secrets, []) : v.valueFrom] +} + ################################################################################ # CloudWatch Log Group ################################################################################ diff --git a/modules/service/README.md b/modules/service/README.md index 4faaf8f1..f410001a 100644 --- a/modules/service/README.md +++ b/modules/service/README.md 
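Review bot: The description `"The secrets ARNs for all containers defined"` overstates what this output holds: this module renders one container (`local.container_definition`, exposed by the singular `container_definition` output just above), so the list covers only this container's `secrets`; aggregation across containers happens in the caller. Suggest `description = "ARNs referenced by the valueFrom of this container definition's secrets"`. ECS accepts both Secrets Manager and SSM Parameter Store references in `valueFrom`, so the list may mix the two services; consumers that grant `secretsmanager:GetSecretValue` on it should filter by ARN service rather than use it verbatim.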
@@ -225,7 +225,7 @@ module "ecs_service" { | [assign\_public\_ip](#input\_assign\_public\_ip) | Assign a public IP address to the ENI (Fargate launch type only) | `bool` | `false` | no | | [autoscaling\_max\_capacity](#input\_autoscaling\_max\_capacity) | Maximum number of tasks to run in your service | `number` | `10` | no | | [autoscaling\_min\_capacity](#input\_autoscaling\_min\_capacity) | Minimum number of tasks to run in your service | `number` | `1` | no | -| [autoscaling\_policies](#input\_autoscaling\_policies) | Map of autoscaling policies to create for the service | `any` |
hardLimit = number
name = string
softLimit = number
}))
{| no | +| [autoscaling\_policies](#input\_autoscaling\_policies) | Map of autoscaling policies to create for the service | `any` |
"cpu": {
"policy_type": "TargetTrackingScaling",
"target_tracking_scaling_policy_configuration": {
"predefined_metric_specification": {
"predefined_metric_type": "ECSServiceAverageCPUUtilization"
}
}
},
"memory": {
"policy_type": "TargetTrackingScaling",
"target_tracking_scaling_policy_configuration": {
"predefined_metric_specification": {
"predefined_metric_type": "ECSServiceAverageMemoryUtilization"
}
}
}
}
{| no | | [autoscaling\_scheduled\_actions](#input\_autoscaling\_scheduled\_actions) | Map of autoscaling scheduled actions to create for the service | `any` | `{}` | no | | [capacity\_provider\_strategy](#input\_capacity\_provider\_strategy) | Capacity provider strategies to use for the service. Can be one or more | `any` | `{}` | no | | [cluster\_arn](#input\_cluster\_arn) | ARN of the ECS cluster where the resources will be provisioned | `string` | `""` | no | @@ -249,6 +249,7 @@ module "ecs_service" { | [enable\_ecs\_managed\_tags](#input\_enable\_ecs\_managed\_tags) | Specifies whether to enable Amazon ECS managed tags for the tasks within the service | `bool` | `true` | no | | [enable\_execute\_command](#input\_enable\_execute\_command) | Specifies whether to enable Amazon ECS Exec for the tasks within the service | `bool` | `false` | no | | [ephemeral\_storage](#input\_ephemeral\_storage) | The amount of ephemeral storage to allocate for the task. This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on AWS Fargate | `any` | `{}` | no | +| [explicit\_task\_exec\_secret\_arns](#input\_explicit\_task\_exec\_secret\_arns) | Change the task\_exec\_secret\_arns behavior to get the list of ARNs from the secrets defined in containers\_definitions | `bool` | `false` | no | | [external\_id](#input\_external\_id) | The external ID associated with the task set | `string` | `null` | no | | [family](#input\_family) | A unique name for your task definition | `string` | `null` | no | | [force\_delete](#input\_force\_delete) | Whether to allow deleting the task set without waiting for scaling down to 0 | `bool` | `null` | no | 
@@ -276,8 +277,8 @@ module "ecs_service" { | [platform\_version](#input\_platform\_version) | Platform version on which to run your service. Only applicable for `launch_type` set to `FARGATE`. Defaults to `LATEST` | `string` | `null` | no | | [propagate\_tags](#input\_propagate\_tags) | Specifies whether to propagate the tags from the task definition or the service to the tasks. The valid values are `SERVICE` and `TASK_DEFINITION` | `string` | `null` | no | | [proxy\_configuration](#input\_proxy\_configuration) | Configuration block for the App Mesh proxy | `any` | `{}` | no | -| [requires\_compatibilities](#input\_requires\_compatibilities) | Set of launch types required by the task. The valid values are `EC2` and `FARGATE` | `list(string)` |
"cpu": {
"policy_type": "TargetTrackingScaling",
"target_tracking_scaling_policy_configuration": {
"predefined_metric_specification": {
"predefined_metric_type": "ECSServiceAverageCPUUtilization"
}
}
},
"memory": {
"policy_type": "TargetTrackingScaling",
"target_tracking_scaling_policy_configuration": {
"predefined_metric_specification": {
"predefined_metric_type": "ECSServiceAverageMemoryUtilization"
}
}
}
}
[| no | -| [runtime\_platform](#input\_runtime\_platform) | Configuration block for `runtime_platform` that containers in your task may use | `any` |
"FARGATE"
]
{| no | +| [requires\_compatibilities](#input\_requires\_compatibilities) | Set of launch types required by the task. The valid values are `EC2` and `FARGATE` | `list(string)` |
"cpu_architecture": "X86_64",
"operating_system_family": "LINUX"
}
[| no | +| [runtime\_platform](#input\_runtime\_platform) | Configuration block for `runtime_platform` that containers in your task may use | `any` |
"FARGATE"
]
{| no | | [scale](#input\_scale) | A floating-point percentage of the desired number of tasks to place and keep running in the task set | `any` | `{}` | no | | [scheduling\_strategy](#input\_scheduling\_strategy) | Scheduling strategy to use for the service. The valid values are `REPLICA` and `DAEMON`. Defaults to `REPLICA` | `string` | `null` | no | | [security\_group\_description](#input\_security\_group\_description) | Description of the security group created | `string` | `null` | no | @@ -305,8 +306,8 @@ module "ecs_service" { | [task\_exec\_iam\_role\_tags](#input\_task\_exec\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no | | [task\_exec\_iam\_role\_use\_name\_prefix](#input\_task\_exec\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`task_exec_iam_role_name`) is used as a prefix | `bool` | `true` | no | | [task\_exec\_iam\_statements](#input\_task\_exec\_iam\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | `any` | `{}` | no | -| [task\_exec\_secret\_arns](#input\_task\_exec\_secret\_arns) | List of SecretsManager secret ARNs the task execution role will be permitted to get/read | `list(string)` |
"cpu_architecture": "X86_64",
"operating_system_family": "LINUX"
}
[| no | -| [task\_exec\_ssm\_param\_arns](#input\_task\_exec\_ssm\_param\_arns) | List of SSM parameter ARNs the task execution role will be permitted to get/read | `list(string)` |
"arn:aws:secretsmanager:*:*:secret:*"
]
[| no | +| [task\_exec\_secret\_arns](#input\_task\_exec\_secret\_arns) | List of SecretsManager secret ARNs the task execution role will be permitted to get/read | `list(string)` |
"arn:aws:ssm:*:*:parameter/*"
]
[| no | +| [task\_exec\_ssm\_param\_arns](#input\_task\_exec\_ssm\_param\_arns) | List of SSM parameter ARNs the task execution role will be permitted to get/read | `list(string)` |
"arn:aws:secretsmanager:*:*:secret:*"
]
[| no | | [task\_tags](#input\_task\_tags) | A map of additional tags to add to the task definition/set created | `map(string)` | `{}` | no | | [tasks\_iam\_role\_arn](#input\_tasks\_iam\_role\_arn) | Existing IAM role ARN | `string` | `null` | no | | [tasks\_iam\_role\_description](#input\_tasks\_iam\_role\_description) | Description of the role | `string` | `null` | no | diff --git a/modules/service/main.tf b/modules/service/main.tf index b7ecef9e..1fab530c 100644 --- a/modules/service/main.tf +++ b/modules/service/main.tf @@ -26,6 +26,9 @@ locals { } create_service = var.create && var.create_service + + secrets_arns = flatten([for k, v in module.container_definition : v.secrets_arns]) + task_exec_secret_arns = var.explicit_task_exec_secret_arns ? local.secrets_arns : var.task_exec_secret_arns } resource "aws_ecs_service" "this" { @@ -836,12 +839,12 @@ data "aws_iam_policy_document" "task_exec" { } dynamic "statement" { - for_each = length(var.task_exec_secret_arns) > 0 ? [1] : [] + for_each = length(local.task_exec_secret_arns) > 0 ? [1] : [] content { sid = "GetSecrets" actions = ["secretsmanager:GetSecretValue"] - resources = var.task_exec_secret_arns + resources = local.task_exec_secret_arns } } diff --git a/modules/service/variables.tf b/modules/service/variables.tf index 9a55e989..881986a4 100644 --- a/modules/service/variables.tf +++ b/modules/service/variables.tf @@ -462,6 +462,12 @@ variable "task_exec_secret_arns" { default = ["arn:aws:secretsmanager:*:*:secret:*"] } +variable "explicit_task_exec_secret_arns" { + description = "Change the task_exec_secret_arns behavior to get the list of ARNs from the secrets defined in containers_definitions" + type = bool + default = false +} + variable "task_exec_iam_statements" { description = "A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage" type = any 
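Review bot: `local.task_exec_secret_arns` takes every container `valueFrom` verbatim and, in the `GetSecrets` statement in the second hunk of this file, uses them as resources of `secretsmanager:GetSecretValue`; but a `valueFrom` may be an SSM Parameter Store ARN, or for a Secrets Manager JSON key the suffixed form `arn:...:secret:name:json-key:version-stage:version-id`, which does not match the secret's own ARN, so in explicit mode such a task is likely to fail at start with an access-denied error while an unrelated SSM ARN is granted a Secrets Manager action. Restrict and normalize the list before it reaches the policy, e.g. `task_exec_secret_arns = var.explicit_task_exec_secret_arns ? distinct([for arn in local.secrets_arns : arn if can(regex("^arn:[^:]+:secretsmanager:", arn))]) : var.task_exec_secret_arns`, and strip or wildcard the `:json-key:version-stage:version-id` suffix for JSON-key references. Explicit mode also narrows only the Secrets Manager grant; `task_exec_ssm_param_arns` keeps its `arn:aws:ssm:*:*:parameter/*` default, which is worth a comment next to this local, e.g. `# Only the Secrets Manager statement is narrowed; SSM parameter access is still governed by var.task_exec_ssm_param_arns`. The `locals` block and `data "aws_iam_policy_document" "task_exec"` both start and end outside their hunks.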
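Review bot: The description refers to `containers_definitions`, but the input used elsewhere in this commit (examples/complete/main.tf) is `container_definitions`, so the generated module READMEs now point readers at a name that does not exist. Suggest `description = "When true, derive the task_exec_secret_arns list from the secrets declared in container_definitions instead of using var.task_exec_secret_arns"`. It would also help to state that only the Secrets Manager statement is affected and `task_exec_ssm_param_arns` keeps its default.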
diff --git a/wrappers/service/main.tf b/wrappers/service/main.tf index 9a7d6aec..e748b4f4 100644 --- a/wrappers/service/main.tf +++ b/wrappers/service/main.tf @@ -50,6 +50,7 @@ module "wrapper" { enable_ecs_managed_tags = try(each.value.enable_ecs_managed_tags, var.defaults.enable_ecs_managed_tags, true) enable_execute_command = try(each.value.enable_execute_command, var.defaults.enable_execute_command, false) ephemeral_storage = try(each.value.ephemeral_storage, var.defaults.ephemeral_storage, {}) + explicit_task_exec_secret_arns = try(each.value.explicit_task_exec_secret_arns, var.defaults.explicit_task_exec_secret_arns, false) external_id = try(each.value.external_id, var.defaults.external_id, null) family = try(each.value.family, var.defaults.family, null) force_delete = try(each.value.force_delete, var.defaults.force_delete, null)
"arn:aws:ssm:*:*:parameter/*"
]