Override task role (#58)
* Override task_role

* Add task_role_arn variable

* Change task_role_arn output to be the same

* Updated README.md

Co-authored-by: actions-bot <[email protected]>
nitrocode and actions-bot authored Jun 22, 2020
1 parent 0abdbc4 commit e91b008
Showing 5 changed files with 14 additions and 5 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -275,6 +275,7 @@ Available targets:
| task\_cpu | The number of CPU units used by the task. If using `FARGATE` launch type `task_cpu` must match supported memory values (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) | `number` | `256` | no |
| task\_memory | The amount of memory (in MiB) used by the task. If using Fargate launch type `task_memory` must match supported cpu value (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) | `number` | `512` | no |
| task\_placement\_constraints | A set of placement constraints rules that are taken into consideration during task placement. Maximum number of placement\_constraints is 10. See `placement_constraints` docs https://www.terraform.io/docs/providers/aws/r/ecs_task_definition.html#placement-constraints-arguments | <pre>list(object({<br> type = string<br> expression = string<br> }))</pre> | `[]` | no |
| task\_role\_arn | The ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services | `string` | `""` | no |
| use\_alb\_security\_group | A flag to enable/disable adding the ingress rule to the ALB security group | `bool` | `false` | no |
| use\_nlb\_cidr\_blocks | A flag to enable/disable adding the NLB ingress rule to the security group | `bool` | `false` | no |
| use\_old\_arn | A flag to enable/disable tagging the ecs resources that require the new arn format | `bool` | `false` | no |
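Review bot: The new `task_role_arn` row does not say what a non-empty value changes. Per the main.tf hunks in this commit, setting it stops the module from creating `aws_iam_role.ecs_task` and the task definition uses the supplied role instead. Suggest extending the description along the lines of "If set, the module does not create its own task role and uses this one", and correcting "The ARN of IAM role" to "The ARN of the IAM role". The same text is the variable description in variables.tf, so the wording should be changed there.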
1 change: 1 addition & 0 deletions docs/terraform.md
Expand Up @@ -57,6 +57,7 @@
| task\_cpu | The number of CPU units used by the task. If using `FARGATE` launch type `task_cpu` must match supported memory values (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) | `number` | `256` | no |
| task\_memory | The amount of memory (in MiB) used by the task. If using Fargate launch type `task_memory` must match supported cpu value (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) | `number` | `512` | no |
| task\_placement\_constraints | A set of placement constraints rules that are taken into consideration during task placement. Maximum number of placement\_constraints is 10. See `placement_constraints` docs https://www.terraform.io/docs/providers/aws/r/ecs_task_definition.html#placement-constraints-arguments | <pre>list(object({<br> type = string<br> expression = string<br> }))</pre> | `[]` | no |
| task\_role\_arn | The ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services | `string` | `""` | no |
| use\_alb\_security\_group | A flag to enable/disable adding the ingress rule to the ALB security group | `bool` | `false` | no |
| use\_nlb\_cidr\_blocks | A flag to enable/disable adding the NLB ingress rule to the security group | `bool` | `false` | no |
| use\_old\_arn | A flag to enable/disable tagging the ecs resources that require the new arn format | `bool` | `false` | no |
9 changes: 5 additions & 4 deletions main.tf
Expand Up @@ -11,7 +11,7 @@ module "default_label" {

module "task_label" {
source = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.15.0"
enabled = var.enabled
enabled = var.enabled && length(var.task_role_arn) == 0
context = module.default_label.context
attributes = compact(concat(var.attributes, ["task"]))
}
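Review bot: The condition `length(var.task_role_arn) == 0` on the `enabled` line is the first of three copies in main.tf (both `count` lines further down repeat it), and the task definition and outputs.tf use its inverse. Suggest defining it once as a local, for example `create_task_role = var.enabled && length(var.task_role_arn) == 0`, and referencing that everywhere so the copies cannot drift apart in a later change.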
Expand Down Expand Up @@ -39,7 +39,7 @@ resource "aws_ecs_task_definition" "default" {
cpu = var.task_cpu
memory = var.task_memory
execution_role_arn = join("", aws_iam_role.ecs_exec.*.arn)
task_role_arn = join("", aws_iam_role.ecs_task.*.arn)
task_role_arn = length(var.task_role_arn) > 0 ? var.task_role_arn : join("", aws_iam_role.ecs_task.*.arn)
tags = module.default_label.tags

dynamic "proxy_configuration" {
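Review bot: On the `task_role_arn` line, any non-empty string in `var.task_role_arn` is handed to the task definition unchecked, so a typo or a non-role ARN only fails when the ECS API rejects it at apply time. If the Terraform versions this module supports allow variable `validation` blocks, consider checking that the value is empty or looks like an IAM role ARN; otherwise state the expected format in the variable description.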
Expand Down Expand Up @@ -81,7 +81,7 @@ resource "aws_ecs_task_definition" "default" {

# IAM
data "aws_iam_policy_document" "ecs_task" {
count = var.enabled ? 1 : 0
count = var.enabled && length(var.task_role_arn) == 0 ? 1 : 0

statement {
effect = "Allow"
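Review bot: The new `count` expression depends on `length(var.task_role_arn)`, which has to be known at plan time. A caller who passes the ARN of a role created in the same configuration (for example `aws_iam_role.x.arn`) supplies a value that is unknown until apply, and Terraform will refuse to plan with an "Invalid count argument" error. Suggest either documenting that the ARN must already exist, or driving `count` from a separate boolean variable so the decision never depends on a computed value.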
Expand All @@ -95,7 +95,8 @@ data "aws_iam_policy_document" "ecs_task" {
}

resource "aws_iam_role" "ecs_task" {
count = var.enabled ? 1 : 0
count = var.enabled && length(var.task_role_arn) == 0 ? 1 : 0

name = module.task_label.id
assume_role_policy = join("", data.aws_iam_policy_document.ecs_task.*.json)
permissions_boundary = var.permissions_boundary == "" ? null : var.permissions_boundary
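Review bot: With `count` now 0 whenever `task_role_arn` is set, the `assume_role_policy` and `permissions_boundary` lines below it no longer apply to the role the task actually runs as. A caller who sets both `permissions_boundary` and `task_role_arn` gets no boundary on the task role and no warning about it. Suggest documenting that an externally supplied role must carry its own trust policy and permissions boundary, and noting on `permissions_boundary` that it is ignored for the task role in that case.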
2 changes: 1 addition & 1 deletion outputs.tf
Expand Up @@ -35,7 +35,7 @@ output "task_role_name" {

output "task_role_arn" {
description = "ECS Task role ARN"
value = join("", aws_iam_role.ecs_task.*.arn)
value = length(var.task_role_arn) > 0 ? var.task_role_arn : join("", aws_iam_role.ecs_task.*.arn)
}

output "task_role_id" {
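Review bot: Only `task_role_arn` is updated here; the neighbouring `task_role_name` and `task_role_id` outputs shown as context are untouched (outputs.tf has 1 addition and 1 deletion). If they still read from `aws_iam_role.ecs_task`, they will return an empty string when `task_role_arn` is set while `task_role_arn` returns the supplied value, which is inconsistent for consumers that attach policies by role name. Suggest either deriving the name from the supplied ARN or documenting that these two outputs are empty when the role is overridden.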
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -157,6 +157,12 @@ variable "task_memory" {
default = 512
}

variable "task_role_arn" {
type = string
description = "The ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services"
default = ""
}

variable "desired_count" {
type = number
description = "The number of instances of the task definition to place and keep running"
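Review bot: The `default = ""` sentinel combined with the `length(var.task_role_arn)` checks in main.tf is not null-safe: a wrapper module that passes `null` to mean "unset" gets an error from `length` instead of the default behaviour of creating a role. Suggest either making the checks tolerate null (for example by comparing against both `null` and `""` in one local) or stating in the description that an empty string, not null, means "create the role".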