GitHub: StratusGrid/terraform-aws-ecs-iam-role-builder
This module creates an IAM role for ECS tasks, with or without one or more custom policies attached. It grants the role CloudWatch Logs rights (and optionally ECR pull rights), and it can attach any custom policies you supply as JSON.
Create a default role with permissions for SSM and the CloudWatch agent:

```hcl
module "ecs_default_iam_role" {
  source  = "StratusGrid/ecs-iam-role-builder/aws"
  version = ">= 1.0"
  # source = "github.com/StratusGrid/terraform-aws-ecs-iam-role-builder"

  cloudwatch_logs_policy     = true
  cloudwatch_logs_group_path = "/ecs/group-name"

  ecr_policy = true
  ecr_repos = [
    aws_ecr_repository.this.arn
  ]

  role_name  = "${var.name_prefix}-default-ecs-iam-role${local.full_suffix}"
  input_tags = merge(local.common_tags, {})
}
```
Create a role with custom permissions in addition to the SSM and CloudWatch agent permissions:

```hcl
module "ecs_default_iam_role" {
  source  = "StratusGrid/ecs-iam-role-builder/aws"
  version = ">= 1.0"
  # source = "github.com/StratusGrid/terraform-aws-ecs-iam-role-builder"

  cloudwatch_logs_policy     = true
  cloudwatch_logs_group_path = "/ecs/group-name"

  ecr_policy = true
  ecr_repos = [
    aws_ecr_repository.this.arn
  ]

  role_name           = "${var.name_prefix}-default-ecs-iam-role${local.full_suffix}"
  custom_policy_jsons = [data.aws_iam_policy_document.my_custom_instance_policy.json]
  input_tags          = merge(local.common_tags, {})
}
```
Resources created by this module:

| Name | Type |
|---|---|
| aws_iam_policy.cloudwatch_logs | resource |
| aws_iam_policy.custom | resource |
| aws_iam_policy.ecr | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.cloudwatch_logs | resource |
| aws_iam_role_policy_attachment.custom | resource |
| aws_iam_role_policy_attachment.ecr | resource |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cloudwatch_logs_group_path | Path to the CloudWatch Logs group in which containers should create new log streams | string | n/a | yes |
| cloudwatch_logs_policy | True/False to attach permissions to CloudWatch Logs. If true (default), you should also define cloudwatch_logs_group_path. If you need multiple groups (one per container, for instance), nest them under a parent and use a path such as `/ecs/parent/*` | bool | true | no |
| custom_policy_jsons | List of JSON strings of custom policies to be attached to the ECS IAM role | list(string) | [] | no |
| ecr_policy | True/False to attach permissions for ECR. If true (default), you should also define ecr_repos | bool | false | no |
| ecr_repos | List of ARNs of ECR repos that the tasks should be able to pull images from | list(string) | null | no |
| input_tags | Map of tags to apply to resources | map(string) | {} | no |
| role_name | Unique string name of the IAM role to be created. Also prepended to supporting resource names | string | n/a | yes |
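The following is an added end-to-end example, not code from the module's README, showing how the inputs above fit together: one nested log group per container covered by a single wildcard `cloudwatch_logs_group_path`, a custom policy scoped to a single resource rather than `*`, and the module's `iam_role_arn` output consumed by an ECS task definition. The resource names, the `/ecs/demo` path, the region, and the S3 bucket ARN are illustrative assumptions.

```hcl
# Added example; assumes the module inputs and outputs documented on this page.
# Names, paths and the bucket ARN below are placeholders, not real infrastructure.

resource "aws_ecr_repository" "app" {
  name = "demo-app"
}

# One log group per container, nested under a common parent so that a single
# wildcard path in cloudwatch_logs_group_path covers all of them.
resource "aws_cloudwatch_log_group" "web" {
  name              = "/ecs/demo/web"
  retention_in_days = 30
}

resource "aws_cloudwatch_log_group" "worker" {
  name              = "/ecs/demo/worker"
  retention_in_days = 30
}

# Custom policy fed into custom_policy_jsons. Scoped to one bucket prefix and
# one action instead of "*" so the task gets only what it needs.
data "aws_iam_policy_document" "app_custom" {
  statement {
    sid       = "ReadAppConfig"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::example-app-config-bucket/config/*"] # placeholder bucket
  }
}

module "ecs_app_iam_role" {
  source  = "StratusGrid/ecs-iam-role-builder/aws"
  version = ">= 1.0"

  cloudwatch_logs_policy     = true
  cloudwatch_logs_group_path = "/ecs/demo/*"

  ecr_policy = true
  ecr_repos  = [aws_ecr_repository.app.arn]

  role_name           = "demo-ecs-app-role"
  custom_policy_jsons = [data.aws_iam_policy_document.app_custom.json]
  input_tags          = { Environment = "dev" }
}

# The task definition uses the module's iam_role_arn output.
resource "aws_ecs_task_definition" "app" {
  family                   = "demo-app"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 256
  memory                   = 512
  execution_role_arn       = module.ecs_app_iam_role.iam_role_arn
  task_role_arn            = module.ecs_app_iam_role.iam_role_arn

  container_definitions = jsonencode([{
    name  = "web"
    image = "${aws_ecr_repository.app.repository_url}:latest"
    logConfiguration = {
      logDriver = "awslogs"
      options = {
        "awslogs-group"         = aws_cloudwatch_log_group.web.name
        "awslogs-region"        = "us-east-1"
        "awslogs-stream-prefix" = "web"
      }
    }
  }])
}

output "app_role_arn" {
  value = module.ecs_app_iam_role.iam_role_arn
}
```

The example reuses one role as both execution role and task role for brevity. Where the custom policy grants application-level rights (such as the S3 read above), a tighter layout is to build two roles with this module: one carrying only the ECR and CloudWatch Logs rights for `execution_role_arn`, and one carrying the custom policy for `task_role_arn`, so that the ECS agent's pull-and-log identity never holds the application's data permissions.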
Outputs:

| Name | Description |
|---|---|
| iam_role_arn | ARN of the IAM role created |
| iam_role_id | ID of the IAM role created |
Contributors:

- Chris Hurst (GenesisChris)
- Ivan Casco (ivancasco-sg)
- Jason Drouhard (jason-drouhard)
- Juan Sanches (juansanchezv)
Note: Manual changes to the README will be overwritten when the documentation is updated. To update the documentation, run `terraform-docs -c .config/.terraform-docs.yml .`