From 3114b2b289599f128e176e78a8e4f65415da8448 Mon Sep 17 00:00:00 2001 From: Ronald Lee Date: Mon, 15 Apr 2024 16:06:29 -0700 Subject: [PATCH 1/3] feat: Allow custom ECS/EventBridge role/policy names --- README.md | 4 ++++ main.tf | 8 ++++---- variables.tf | 20 ++++++++++++++++++++ 3 files changed, 28 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 68fb33f..e10323a 100644 --- a/README.md +++ b/README.md @@ -228,6 +228,10 @@ To deploy Aviatrix Platform HA with an existing Controller, perform the followin | dr_vpc_name | "" | The name for the VPC to create for the DR Controller. Only applicable if `ha_distribution` is "inter-region" and `use_existing_vpc` is false. | | ebs_optimized | false | Whether EBS optimization is enabled. Applies to both the Controller and CoPilot. | | ec2_role_name | aviatrix-role-ec2 | The name of the Aviatrix EC2 role | +| ecs_role_name | aviatrix-role-ecs | The name of the ECS role | +| ecs_policy_name | aviatrix-ecs-policy | The name of the ECS policy | +| eventbridge_role_name | aviatrix-role-eventbridge | The name of the EventBridge role | +| eventbridge_policy_name | aviatrix-eventbridge-policy | The name of the EventBridge policy | | existing_copilot_dr_eip | "" | The existing EIP to use for the DR CoPilot. The EIP must already be allocated in the AWS account. Only applicable if `use_existing_copilot_eip` is true. | | existing_copilot_eip | "" | The existing EIP to use for CoPilot. The EIP must already be allocated in the AWS account. Only applicable if `use_existing_copilot_eip` is true. | | existing_dr_eip | "" | The existing EIP to use for the DR Controller. The EIP must already be allocated in the AWS account. Only applicable if `use_existing_eip` is true. | diff --git a/main.tf b/main.tf index 992f626..309c22b 100755 --- a/main.tf +++ b/main.tf 
@@ -217,7 +217,7 @@ module "aviatrix-iam-roles" { resource "aws_iam_role" "iam_for_ecs" { count = var.ha_distribution == "basic" ? 0 : 1 - name = "aviatrix-controller-ecs" + name = var.ecs_role_name assume_role_policy = < Date: Tue, 16 Apr 2024 15:00:50 -0700 Subject: [PATCH 2/3] feat: Append random string to ECS/EventBridge role/policy names --- main.tf | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index 309c22b..1d7fb9d 100755 --- a/main.tf +++ b/main.tf @@ -207,6 +207,10 @@ module "region2" { depends_on = [null_resource.region_conflict] } +resource "random_id" "aviatrix" { + byte_length = 4 +} + module "aviatrix-iam-roles" { count = var.ha_distribution == "basic" ? 0 : var.create_iam_roles ? 1 : 0 source = "./aviatrix-controller-iam-roles" @@ -217,7 +221,7 @@ module "aviatrix-iam-roles" { resource "aws_iam_role" "iam_for_ecs" { count = var.ha_distribution == "basic" ? 0 : 1 - name = var.ecs_role_name + name = "${var.ecs_role_name}-${random_id.aviatrix.hex}" assume_role_policy = < Date: Wed, 17 Apr 2024 09:02:57 -0700 Subject: [PATCH 3/3] feat: Create a single ECS task execution role --- README.md | 1 + main.tf | 27 +++++++++++++++++++++++++++ region-build/main.tf | 26 +------------------------- region-build/variables.tf | 5 +++++ variables.tf | 5 +++++ 5 files changed, 39 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index e10323a..6bf5f96 100644 --- a/README.md +++ b/README.md 
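Review bot: Once `random_id.aviatrix` is appended, the README rows added in the previous patch no longer describe the resulting names: `aviatrix-role-ecs` becomes `aviatrix-role-ecs-<8 hex chars>`, and per the subject and diffstat the same applies to the three sibling ECS/EventBridge names, so the documented defaults are now prefixes and the table should say so. Renaming an IAM role or policy forces replacement, so applying this to an existing deployment recreates those resources and anything outside this module that refers to them by name (not visible here) would need updating at the same time; this belongs in the commit message or README. A short comment on the new resource would help the next reader, e.g. `# Per-state suffix appended to the ECS/EventBridge role and policy names so several deployments can share one account; with no keepers it is generated once and kept in state.` The `random` provider must be declared in the module's required_providers, which is not in the diff, so confirm it is present. The second hunk of this patch, starting at `@@ -217,7 +221,7`, is cut off mid-heredoc in this view.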
@@ -230,6 +230,7 @@ To deploy Aviatrix Platform HA with an existing Controller, perform the followin | ec2_role_name | aviatrix-role-ec2 | The name of the Aviatrix EC2 role | | ecs_role_name | aviatrix-role-ecs | The name of the ECS role | | ecs_policy_name | aviatrix-ecs-policy | The name of the ECS policy | +| ecs_task_execution_role_name | aviatrix-role-ecs-task-exec | The name of the ECS task execution role | | eventbridge_role_name | aviatrix-role-eventbridge | The name of the EventBridge role | | eventbridge_policy_name | aviatrix-eventbridge-policy | The name of the EventBridge policy | | existing_copilot_dr_eip | "" | The existing EIP to use for the DR CoPilot. The EIP must already be allocated in the AWS account. Only applicable if `use_existing_copilot_eip` is true. | diff --git a/main.tf b/main.tf index 1d7fb9d..0ccb13e 100755 --- a/main.tf +++ b/main.tf @@ -85,6 +85,7 @@ module "region1" { name_prefix = var.name_prefix license_type = var.license_type iam_for_ecs_arn = aws_iam_role.iam_for_ecs[0].arn + ecs_task_execution_arn = aws_iam_role.iam_for_ecs_task_execution[0].arn inter_region_primary = var.region inter_region_standby = var.dr_region zone_name = var.zone_name @@ -172,6 +173,7 @@ module "region2" { name_prefix = var.name_prefix license_type = var.license_type iam_for_ecs_arn = aws_iam_role.iam_for_ecs[0].arn + ecs_task_execution_arn = aws_iam_role.iam_for_ecs_task_execution[0].arn inter_region_primary = var.region inter_region_standby = var.dr_region zone_name = var.zone_name 
@@ -389,6 +391,31 @@ resource "aws_iam_role_policy_attachment" "eventbridge-attach-policy" { policy_arn = aws_iam_policy.eventbridge-policy[0].arn } +resource "aws_iam_role" "iam_for_ecs_task_execution" { + count = var.ha_distribution == "basic" ? 0 : 1 + name = "${var.ecs_task_execution_role_name}-${random_id.aviatrix.hex}" + assume_role_policy = data.aws_iam_policy_document.ecs_task_execution_assume_role.json +} + +data "aws_iam_policy_document" "ecs_task_execution_assume_role" { + statement { + actions = [ + "sts:AssumeRole" + ] + + principals { + type = "Service" + identifiers = ["ecs-tasks.amazonaws.com"] + } + } +} + +resource "aws_iam_role_policy_attachment" "ecs-task-execution-attach-policy" { + count = var.ha_distribution == "basic" ? 0 : 1 + role = aws_iam_role.iam_for_ecs_task_execution[0].name + policy_arn = "arn:${local.iam_type}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" +} + resource "aws_s3_bucket" "backup" { provider = aws.s3_region count = var.ha_distribution == "basic" ? 0 : var.use_existing_s3 ? 0 : 1 diff --git a/region-build/main.tf b/region-build/main.tf index 3512c62..ae62e7a 100755 --- a/region-build/main.tf +++ b/region-build/main.tf @@ -10,7 +10,7 @@ resource "aws_ecs_task_definition" "task_def" { network_mode = "awsvpc" cpu = "256" memory = "512" - execution_role_arn = aws_iam_role.ecs_task_execution_role.arn + execution_role_arn = var.ecs_task_execution_arn task_role_arn = var.iam_for_ecs_arn container_definitions = jsonencode([ { 
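Review bot: The trust policy in `ecs_task_execution_assume_role` lets the shared `ecs-tasks.amazonaws.com` principal assume the role with no `aws:SourceAccount` (or `aws:SourceArn`) condition, so the role is not scoped to tasks in this account, which is the guard AWS recommends against the cross-service confused-deputy case. The per-region role this patch removes carried the same unconditioned trust, so the commit does not make it worse, but now that there is a single role this is the natural place to add it. A `condition` block on the statement does it (below); it needs the account id, for example from an `aws_caller_identity` data source, which I cannot see in this module. A one-line comment on `ecs-task-execution-attach-policy` noting that `AmazonECSTaskExecutionRolePolicy` is the AWS-managed execution policy, distinct from the task role in `iam_for_ecs`, would also help readers tell the two roles apart.
```hcl
data "aws_iam_policy_document" "ecs_task_execution_assume_role" {
  statement {
    # … unchanged: actions and principals blocks …

    # Scope the shared ECS service principal to this account so a task in
    # another account cannot have ECS assume this role on its behalf.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id] # declare this data source if the module has none
    }
  }
}
```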
@@ -347,30 +347,6 @@ resource "aws_ecs_task_definition" "task_def" { } } -resource "aws_iam_role" "ecs_task_execution_role" { - name = "ecsTaskExecutionRole-${var.region}" - assume_role_policy = data.aws_iam_policy_document.ecs_task_execution_assume_role.json -} - -data "aws_iam_policy_document" "ecs_task_execution_assume_role" { - statement { - actions = [ - "sts:AssumeRole" - ] - - principals { - type = "Service" - identifiers = ["ecs-tasks.amazonaws.com"] - } - } -} - -resource "aws_iam_role_policy_attachment" "ecs_task_execution_role" { - role = aws_iam_role.ecs_task_execution_role.name - policy_arn = "arn:${local.iam_type}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" -} - - resource "aws_eip" "controller_eip" { count = var.use_existing_eip ? 0 : 1 domain = "vpc" diff --git a/region-build/variables.tf b/region-build/variables.tf index 5a1dace..497e848 100755 --- a/region-build/variables.tf +++ b/region-build/variables.tf @@ -374,6 +374,11 @@ variable "iam_for_ecs_arn" { description = "The ARN of the IAM for ECS" } +variable "ecs_task_execution_arn" { + type = string + description = "The ARN of the ECS task exection role" +} + variable "inter_region_primary" { type = string description = "For the inter-region scenario, this is the primary region." diff --git a/variables.tf b/variables.tf index 2f3dc96..5a8042b 100755 --- a/variables.tf +++ b/variables.tf @@ -86,6 +86,11 @@ variable "eventbridge_policy_name" { default = "aviatrix-eventbridge-policy" } +variable "ecs_task_execution_role_name" { + type = string + default = "aviatrix-role-ecs-task-exec" +} + variable "vpc_name" { type = string default = "Aviatrix-VPC"
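Review bot: The description of the new `ecs_task_execution_arn` variable in region-build/variables.tf has a typo, `exection`; it should read `description = "The ARN of the ECS task execution role"`. Since region-build no longer creates this role, the variable is now a required input supplied by the root module, and saying so in the description would spare the next reader a search.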
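Review bot: `ecs_task_execution_role_name` in variables.tf is added without a `description`, and because main.tf appends `-` plus the 8-hex-character `random_id` suffix, the value is a prefix rather than the final name; suggest `description = "Prefix for the ECS task execution role name; a random 8-character suffix is appended"`. IAM limits role names to 64 characters, so a `validation` block bounding `length(var.ecs_task_execution_role_name)` to 55 would turn a late AWS error into a plan-time one; the same applies to the four sibling name variables from the first patch, whose variables.tf hunk is not visible in this view. I cannot see whether the neighbouring variables carry descriptions, so match whatever the file already does.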