

Merge pull request #12 from aviatrix/ACS-4308-role-policy-names
feat: Update role & policy names
rlee-aviatrix authored Apr 17, 2024
2 parents 7435145 + 233c149 commit e49c966
Showing 5 changed files with 71 additions and 29 deletions.
5 changes: 5 additions & 0 deletions README.md
Expand Up @@ -228,6 +228,11 @@ To deploy Aviatrix Platform HA with an existing Controller, perform the followin
| dr_vpc_name | "" | The name for the VPC to create for the DR Controller. Only applicable if `ha_distribution` is "inter-region" and `use_existing_vpc` is false. |
| ebs_optimized | false | Whether EBS optimization is enabled. Applies to both the Controller and CoPilot. |
| ec2_role_name | aviatrix-role-ec2 | The name of the Aviatrix EC2 role |
| ecs_role_name | aviatrix-role-ecs | The name of the ECS role |
| ecs_policy_name | aviatrix-ecs-policy | The name of the ECS policy |
| ecs_task_execution_role_name | aviatrix-role-ecs-task-exec | The name of the ECS task execution role |
| eventbridge_role_name | aviatrix-role-eventbridge | The name of the EventBridge role |
| eventbridge_policy_name | aviatrix-eventbridge-policy | The name of the EventBridge policy |
| existing_copilot_dr_eip | "" | The existing EIP to use for the DR CoPilot. The EIP must already be allocated in the AWS account. Only applicable if `use_existing_copilot_eip` is true. |
| existing_copilot_eip | "" | The existing EIP to use for CoPilot. The EIP must already be allocated in the AWS account. Only applicable if `use_existing_copilot_eip` is true. |
| existing_dr_eip | "" | The existing EIP to use for the DR Controller. The EIP must already be allocated in the AWS account. Only applicable if `use_existing_eip` is true. |
39 changes: 35 additions & 4 deletions main.tf
Expand Up @@ -85,6 +85,7 @@ module "region1" {
name_prefix = var.name_prefix
license_type = var.license_type
iam_for_ecs_arn = aws_iam_role.iam_for_ecs[0].arn
ecs_task_execution_arn = aws_iam_role.iam_for_ecs_task_execution[0].arn
inter_region_primary = var.region
inter_region_standby = var.dr_region
zone_name = var.zone_name
Expand Down Expand Up @@ -172,6 +173,7 @@ module "region2" {
name_prefix = var.name_prefix
license_type = var.license_type
iam_for_ecs_arn = aws_iam_role.iam_for_ecs[0].arn
ecs_task_execution_arn = aws_iam_role.iam_for_ecs_task_execution[0].arn
inter_region_primary = var.region
inter_region_standby = var.dr_region
zone_name = var.zone_name
Expand Down Expand Up @@ -207,6 +209,10 @@ module "region2" {
depends_on = [null_resource.region_conflict]
}

resource "random_id" "aviatrix" {
byte_length = 4
}

module "aviatrix-iam-roles" {
count = var.ha_distribution == "basic" ? 0 : var.create_iam_roles ? 1 : 0
source = "./aviatrix-controller-iam-roles"
Expand All @@ -217,7 +223,7 @@ module "aviatrix-iam-roles" {

resource "aws_iam_role" "iam_for_ecs" {
count = var.ha_distribution == "basic" ? 0 : 1
name = "aviatrix-controller-ecs"
name = "${var.ecs_role_name}-${random_id.aviatrix.hex}"

assume_role_policy = <<EOF
{
Expand All @@ -238,7 +244,7 @@ EOF

resource "aws_iam_policy" "ecs-policy" {
count = var.ha_distribution == "basic" ? 0 : 1
name = "aviatrix-ctrl-ecs-policy"
name = "${var.ecs_policy_name}-${random_id.aviatrix.hex}"
path = "/"
description = "Policy for creating aviatrix-controller"
policy = <<EOF
Expand Down Expand Up @@ -334,7 +340,7 @@ resource "aws_iam_role_policy_attachment" "attach-policy" {

resource "aws_iam_role" "iam_for_eventbridge" {
count = var.ha_distribution == "basic" ? 0 : 1
name = "aviatrix-eventbridge-role"
name = "${var.eventbridge_role_name}-${random_id.aviatrix.hex}"

assume_role_policy = <<EOF
{
Expand All @@ -355,7 +361,7 @@ EOF

resource "aws_iam_policy" "eventbridge-policy" {
count = var.ha_distribution == "basic" ? 0 : 1
name = "aviatrix-eventbridge-policy"
name = "${var.eventbridge_policy_name}-${random_id.aviatrix.hex}"
path = "/"
description = "Policy for EventBridge to run ECS tasks"
policy = <<EOF
Expand Down Expand Up @@ -385,6 +391,31 @@ resource "aws_iam_role_policy_attachment" "eventbridge-attach-policy" {
policy_arn = aws_iam_policy.eventbridge-policy[0].arn
}

resource "aws_iam_role" "iam_for_ecs_task_execution" {
count = var.ha_distribution == "basic" ? 0 : 1
name = "${var.ecs_task_execution_role_name}-${random_id.aviatrix.hex}"
assume_role_policy = data.aws_iam_policy_document.ecs_task_execution_assume_role.json
}

data "aws_iam_policy_document" "ecs_task_execution_assume_role" {
statement {
actions = [
"sts:AssumeRole"
]

principals {
type = "Service"
identifiers = ["ecs-tasks.amazonaws.com"]
}
}
}

resource "aws_iam_role_policy_attachment" "ecs-task-execution-attach-policy" {
count = var.ha_distribution == "basic" ? 0 : 1
role = aws_iam_role.iam_for_ecs_task_execution[0].name
policy_arn = "arn:${local.iam_type}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

resource "aws_s3_bucket" "backup" {
provider = aws.s3_region
count = var.ha_distribution == "basic" ? 0 : var.use_existing_s3 ? 0 : 1
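Review bot: The new `name = "${var.ecs_role_name}-${random_id.aviatrix.hex}"` on `aws_iam_role.iam_for_ecs`, and the matching lines on `aws_iam_policy.ecs-policy`, `aws_iam_role.iam_for_eventbridge` and `aws_iam_policy.eventbridge-policy`, force replacement of those IAM resources on every existing deployment, since `name` is immutable for both resource types and the ARN changes with it. Terraform replaces destroy-then-create by default, so there is presumably a window in which the ECS task and EventBridge rule reference a role that no longer exists, and any task already running under the old role loses its permissions when it is deleted; the PR description should flag this as a breaking upgrade and the four resources could carry `lifecycle { create_before_destroy = true }` so the renamed role exists before the old one goes. The random suffix also makes the final role and policy names unpredictable, which matters wherever something outside this module (a permissions boundary, an SCP, a cross-account trust policy) pins them by exact value, so a sentence on the `*_name` variables saying the suffix is appended would help. Separately, nothing bounds the user-supplied base names: IAM role names are capped at 64 characters and the `-<8 hex>` suffix consumes 9 of them, so an over-long input only fails at apply time.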
26 changes: 1 addition & 25 deletions region-build/main.tf
Expand Up @@ -10,7 +10,7 @@ resource "aws_ecs_task_definition" "task_def" {
network_mode = "awsvpc"
cpu = "256"
memory = "512"
execution_role_arn = aws_iam_role.ecs_task_execution_role.arn
execution_role_arn = var.ecs_task_execution_arn
task_role_arn = var.iam_for_ecs_arn
container_definitions = jsonencode([
{
Expand Down Expand Up @@ -347,30 +347,6 @@ resource "aws_ecs_task_definition" "task_def" {
}
}

resource "aws_iam_role" "ecs_task_execution_role" {
name = "ecsTaskExecutionRole-${var.region}"
assume_role_policy = data.aws_iam_policy_document.ecs_task_execution_assume_role.json
}

data "aws_iam_policy_document" "ecs_task_execution_assume_role" {
statement {
actions = [
"sts:AssumeRole"
]

principals {
type = "Service"
identifiers = ["ecs-tasks.amazonaws.com"]
}
}
}

resource "aws_iam_role_policy_attachment" "ecs_task_execution_role" {
role = aws_iam_role.ecs_task_execution_role.name
policy_arn = "arn:${local.iam_type}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}


resource "aws_eip" "controller_eip" {
count = var.use_existing_eip ? 0 : 1
domain = "vpc"
5 changes: 5 additions & 0 deletions region-build/variables.tf
Expand Up @@ -374,6 +374,11 @@ variable "iam_for_ecs_arn" {
description = "The ARN of the IAM for ECS"
}

variable "ecs_task_execution_arn" {
type = string
description = "The ARN of the ECS task exection role"
}

variable "inter_region_primary" {
type = string
description = "For the inter-region scenario, this is the primary region."
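Review bot: The description on the new `ecs_task_execution_arn` variable misspells "execution"; it should read `description = "The ARN of the ECS task execution role"`. Since the value is handed straight to `execution_role_arn` in region-build/main.tf, a `validation` block such as `condition = can(regex("^arn:", var.ecs_task_execution_arn))` with a matching `error_message` would turn a mis-wired or empty value into a plan-time error instead of an ECS API failure at apply.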
25 changes: 25 additions & 0 deletions variables.tf
Expand Up @@ -66,6 +66,31 @@ variable "app_role_max_session_duration" {
default = 43200
}

variable "ecs_role_name" {
type = string
default = "aviatrix-role-ecs"
}

variable "ecs_policy_name" {
type = string
default = "aviatrix-ecs-policy"
}

variable "eventbridge_role_name" {
type = string
default = "aviatrix-role-eventbridge"
}

variable "eventbridge_policy_name" {
type = string
default = "aviatrix-eventbridge-policy"
}

variable "ecs_task_execution_role_name" {
type = string
default = "aviatrix-role-ecs-task-exec"
}

variable "vpc_name" {
type = string
default = "Aviatrix-VPC"
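Review bot: The five new `*_name` variables have no `description` and no `validation`, even though main.tf appends `-${random_id.aviatrix.hex}` to each and uses the result as an IAM role or policy name. IAM role names are limited to 64 characters and policy names to 128, both restricted to alphanumerics and `+=,.@-_`, and the suffix consumes 9 characters, so a caller who passes a longer or differently punctuated prefix only finds out at apply time when the IAM call is rejected. A validation block on each variable, shown below for `ecs_role_name` (use 119 instead of 55 for the two policy-name variables), catches that at plan time and documents the suffix behaviour in the same place.
```hcl
variable "ecs_role_name" {
  type        = string
  default     = "aviatrix-role-ecs"
  description = "Base name of the IAM role assumed by the ECS task; main.tf appends '-<random_id hex>' to it."

  validation {
    condition     = length(var.ecs_role_name) <= 55 && can(regex("^[\\w+=,.@-]+$", var.ecs_role_name))
    error_message = "ecs_role_name must be at most 55 characters (64 minus the 9-character random suffix) and contain only alphanumerics and +=,.@-_."
  }
}
# … unchanged: ecs_policy_name, eventbridge_role_name, eventbridge_policy_name, ecs_task_execution_role_name (same shape of validation) …
```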
