feat: Change to managed IAM policy for ecs tasks with path attribute support over inline role policy #267

Closed


partlythomas

Description

The following changes are proposed:

  • Change the ECS tasks role policy to be managed as a separate aws_iam_policy resource rather than the inline type aws_iam_role_policy
  • Add explicit role policy attachment to attach the managed ECS tasks policy to the role.
  • Add support for specifying path of the ECS tasks policy.

Motivation and Context

The change opens up more flexibility in the ECS tasks role for specifying the path of the policy.
This also aligns the ECS tasks role and policy with the same pattern as the existing role and policy for the ECS task execution role in the module.

Breaking Changes

  • If the ECS task role is not used (i.e. conditions for creating the task role are not met), no changes will be picked up by Terraform.
  • If the ECS task role is used (i.e. conditions for creating the task role are not met), the inline IAM role policy will be replaced by the IAM policy and role policy attachment.

Both cases apply with or without the path configuration of the policy being set with the new variable tasks_iam_policy_path.

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using the examples/complete project deployed cleanly first, with later addition of ecs service variable input of tasks_iam_policy_path prompting to take the changes into effect. The changes were deployed successfully.
  • I have executed pre-commit run -a on my pull request

rmolson and others added 6 commits November 29, 2024 14:37
…odules#243)

* allow a path on aws_iam_policy.task_exec

* feat: allowing an IAM Path for task_exec policy

* pre-commit

* updated terraform-docs locally

* fix: for wrappers pre-commit hook
* Add ALB endpoint to outputs - this makes it easier to test for successful deployment

* fix trailing whitespace

* update README to conform with conventions

* Add ALB endpoint to outputs - this makes it easier to test for successful deployment

* EOF fix

* updates in response to bryantbiggs review

* docs updates to go with CR feedback

---------

Co-authored-by: Seth Eliot <[email protected]>
feat! Change to use of managed IAM policy for ecs tasks with path attribute support over inline role policy
@bryantbiggs
Member

please fixup to go into the correct branch due to breaking change

@partlythomas
Author

partlythomas commented Mar 17, 2025

please fixup to go into the correct branch due to breaking change

There are conflicts not related to my changes, all but the ones in modules/service/main.tf. Should I rather open a PR with changes based on the wip/v6 branch (and close this)?

@partlythomas
Author

Closing this PR and opened a correct one for the correct breaking change branch.


6 participants