-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathecs.tf
77 lines (65 loc) · 2.55 KB
/
ecs.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
# ECS Cluster
#
# Most UNIVAF code is deployed as tasks that run on an ECS cluster, either as
# scheduled cron-like scheduled tasks that run to completion, or as services
# that the cluster will keep running. This file defines the cluster and
# associated roles/policies needed to run tasks in it.
resource "aws_ecs_cluster" "main" {
name = "univaf-cluster"
# Container Insights is *very* expensive for our configuration, but can be
# useful to turn on if granular metrics on cron job resource usage is needed.
setting {
name = "containerInsights"
value = "disabled"
}
}
# Roles -----------------------------------------------------------------------
# Things that need to execute tasks in the ECS cluster should use this role.
resource "aws_iam_role" "ecs_task_execution_role" {
# TODO: consider using jsonencode and/or `inline_policy` blocks to put policy
# definitions inline: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role
name = "univaf-ecs-task-execution"
assume_role_policy = data.aws_iam_policy_document.ecs_task_execution_role.json
}
# Gives the role access to things needed to execute tasks. The policy referenced
# here is predefined by Amazon.
resource "aws_iam_role_policy_attachment" "ecs_task_execution_role" {
role = aws_iam_role.ecs_task_execution_role.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}
# Gives the role the ability to run actual tasks.
resource "aws_iam_role_policy_attachment" "ecs_runtask_policy" {
role = aws_iam_role.ecs_task_execution_role.name
policy_arn = aws_iam_policy.ecs_runtask_policy.arn
}
# Policies used in the role/attachments above ---------------------------------
# Defines what resources are allowed to assume a given role.
data "aws_iam_policy_document" "ecs_task_execution_role" {
version = "2012-10-17"
statement {
sid = "1"
effect = "Allow"
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ecs-tasks.amazonaws.com", "events.amazonaws.com"]
}
}
}
# Defines the ability to run a task in ECS.
data "aws_iam_policy_document" "ecs_task_additional_permissions" {
version = "2012-10-17"
statement {
sid = "1"
effect = "Allow"
actions = ["ecs:RunTask", "iam:PassRole"]
resources = [
"*" # TODO: lock this down
]
}
}
resource "aws_iam_policy" "ecs_runtask_policy" {
name = "runtask_policy"
path = "/"
policy = data.aws_iam_policy_document.ecs_task_additional_permissions.json
}