diff --git a/CHANGELOG.md b/CHANGELOG.md
index ed8bdd9..684c5f4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,18 @@
All notable changes to this project will be documented in this file.
+## [5.12.0](https://github.com/terraform-aws-modules/terraform-aws-ecs/compare/v5.11.4...v5.12.0) (2024-11-29)
+
+
+### Features
+
+* Allow task exec IAM policy to have an IAM path ([#243](https://github.com/terraform-aws-modules/terraform-aws-ecs/issues/243)) ([c9dc889](https://github.com/terraform-aws-modules/terraform-aws-ecs/commit/c9dc889a4b081105fb7567ca12a2d32ac36caa29))
+
+
+### Bug Fixes
+
+* Update CI workflow versions to latest ([#236](https://github.com/terraform-aws-modules/terraform-aws-ecs/issues/236)) ([fd0f0ec](https://github.com/terraform-aws-modules/terraform-aws-ecs/commit/fd0f0ecd7fd3a85d8d738320d37a22644b5f129a))
+
## [5.11.4](https://github.com/terraform-aws-modules/terraform-aws-ecs/compare/v5.11.3...v5.11.4) (2024-08-07)
diff --git a/examples/complete/README.md b/examples/complete/README.md
index 3f10595..9d20e63 100644
--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -62,6 +62,7 @@ No inputs.
| Name | Description |
|------|-------------|
+| [alb\_dns\_name](#output\_alb\_dns\_name) | The DNS name of the load balancer |
| [cluster\_arn](#output\_cluster\_arn) | ARN that identifies the cluster |
| [cluster\_autoscaling\_capacity\_providers](#output\_cluster\_autoscaling\_capacity\_providers) | Map of capacity providers created and their attributes |
| [cluster\_capacity\_providers](#output\_cluster\_capacity\_providers) | Map of cluster capacity providers attributes |
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
index 3503169..dd0cdd2 100644
--- a/examples/complete/outputs.tf
+++ b/examples/complete/outputs.tf
@@ -35,3 +35,12 @@ output "services" {
description = "Map of services created and their attributes"
value = module.ecs.services
}
+
+################################################################################
+# Application Load Balancer
+################################################################################
+
+output "alb_dns_name" {
+ description = "The DNS name of the load balancer"
+ value = module.alb.dns_name
+}
diff --git a/examples/ec2-autoscaling/README.md b/examples/ec2-autoscaling/README.md
index c7a04af..ff7a998 100644
--- a/examples/ec2-autoscaling/README.md
+++ b/examples/ec2-autoscaling/README.md
@@ -61,6 +61,7 @@ No inputs.
| Name | Description |
|------|-------------|
+| [alb\_dns\_name](#output\_alb\_dns\_name) | The DNS name of the load balancer |
| [cluster\_arn](#output\_cluster\_arn) | ARN that identifies the cluster |
| [cluster\_autoscaling\_capacity\_providers](#output\_cluster\_autoscaling\_capacity\_providers) | Map of capacity providers created and their attributes |
| [cluster\_capacity\_providers](#output\_cluster\_capacity\_providers) | Map of cluster capacity providers attributes |
diff --git a/examples/ec2-autoscaling/outputs.tf b/examples/ec2-autoscaling/outputs.tf
index 2f6f85a..80903ad 100644
--- a/examples/ec2-autoscaling/outputs.tf
+++ b/examples/ec2-autoscaling/outputs.tf
@@ -130,3 +130,12 @@ output "service_autoscaling_scheduled_actions" {
description = "Map of autoscaling scheduled actions and their attributes"
value = module.ecs_service.autoscaling_scheduled_actions
}
+
+################################################################################
+# Application Load Balancer
+################################################################################
+
+output "alb_dns_name" {
+ description = "The DNS name of the load balancer"
+ value = module.alb.dns_name
+}
diff --git a/examples/fargate/main.tf b/examples/fargate/main.tf
index c263e0b..7cae2e0 100644
--- a/examples/fargate/main.tf
+++ b/examples/fargate/main.tf
@@ -185,8 +185,9 @@ module "ecs_task_definition" {
source = "../../modules/service"
# Service
- name = "${local.name}-standalone"
- cluster_arn = module.ecs_cluster.arn
+ name = "${local.name}-standalone"
+ cluster_arn = module.ecs_cluster.arn
+ create_service = false
# Task Definition
volume = {
diff --git a/main.tf b/main.tf
index 5e380de..6fb0400 100644
--- a/main.tf
+++ b/main.tf
@@ -148,6 +148,7 @@ module "service" {
tasks_iam_role_description = try(each.value.tasks_iam_role_description, null)
tasks_iam_role_permissions_boundary = try(each.value.tasks_iam_role_permissions_boundary, null)
tasks_iam_role_tags = try(each.value.tasks_iam_role_tags, {})
+ tasks_iam_policy_path = try(each.value.tasks_iam_policy_path, null)
tasks_iam_role_policies = lookup(each.value, "tasks_iam_role_policies", {})
tasks_iam_role_statements = lookup(each.value, "tasks_iam_role_statements", {})
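Review bot: The root module forwards `tasks_iam_policy_path` here but not the new `task_exec_iam_policy_path`, while the only hunk in `wrappers/service/main.tf` forwards `task_exec_iam_policy_path` and not `tasks_iam_policy_path`; as far as this diff shows, each entry point exposes just one of the two new service-module inputs, so root-module users cannot set a path on the task-execution policy and wrapper users cannot set one on the task policy. Adding `task_exec_iam_policy_path = try(each.value.task_exec_iam_policy_path, null)` next to this line, and the matching `tasks_iam_policy_path = try(each.value.tasks_iam_policy_path, var.defaults.tasks_iam_policy_path, null)` in the wrapper, would make the two consistent. The `module "service"` block starts and ends outside the hunk.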
diff --git a/modules/service/README.md b/modules/service/README.md
index 799e999..4faaf8f 100644
--- a/modules/service/README.md
+++ b/modules/service/README.md
@@ -294,6 +294,7 @@ module "ecs_service" {
| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
| [task\_definition\_arn](#input\_task\_definition\_arn) | Existing task definition ARN. Required when `create_task_definition` is `false` | `string` | `null` | no |
| [task\_definition\_placement\_constraints](#input\_task\_definition\_placement\_constraints) | Configuration block for rules that are taken into consideration during task placement (up to max of 10). This is set at the task definition, see `placement_constraints` for setting at the service | `any` | `{}` | no |
+| [task\_exec\_iam\_policy\_path](#input\_task\_exec\_iam\_policy\_path) | Path for the iam role | `string` | `null` | no |
| [task\_exec\_iam\_role\_arn](#input\_task\_exec\_iam\_role\_arn) | Existing IAM role ARN | `string` | `null` | no |
| [task\_exec\_iam\_role\_description](#input\_task\_exec\_iam\_role\_description) | Description of the role | `string` | `null` | no |
| [task\_exec\_iam\_role\_max\_session\_duration](#input\_task\_exec\_iam\_role\_max\_session\_duration) | Maximum session duration (in seconds) for ECS task execution role. Default is 3600. | `number` | `null` | no |
diff --git a/modules/service/main.tf b/modules/service/main.tf
index 4843473..6c042d2 100644
--- a/modules/service/main.tf
+++ b/modules/service/main.tf
@@ -894,8 +894,8 @@ resource "aws_iam_policy" "task_exec" {
name_prefix = var.task_exec_iam_role_use_name_prefix ? "${local.task_exec_iam_role_name}-" : null
description = coalesce(var.task_exec_iam_role_description, "Task execution role IAM policy")
policy = data.aws_iam_policy_document.task_exec[0].json
-
- tags = merge(var.tags, var.task_exec_iam_role_tags)
+ path = var.task_exec_iam_policy_path
+ tags = merge(var.tags, var.task_exec_iam_role_tags)
}
resource "aws_iam_role_policy_attachment" "task_exec" {
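Review bot: `path` on `aws_iam_policy` is, as far as I know, a replace-on-change attribute in the AWS provider, so a user who sets `task_exec_iam_policy_path` on an already deployed service will see the task-execution policy destroyed and recreated together with `aws_iam_role_policy_attachment.task_exec`, and tasks launched during that window may fail to pull images or write logs. A why-comment on the new line, `# changing path replaces the policy (and its attachment) on an existing deployment`, plus a matching sentence in the variable description would make that cost visible before apply. The `aws_iam_policy.task_exec` resource block starts outside the hunk.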
@@ -1024,13 +1024,22 @@ data "aws_iam_policy_document" "tasks" {
}
}
-resource "aws_iam_role_policy" "tasks" {
+resource "aws_iam_policy" "tasks" {
count = local.create_tasks_iam_role && (length(var.tasks_iam_role_statements) > 0 || var.enable_execute_command) ? 1 : 0
name = var.tasks_iam_role_use_name_prefix ? null : local.tasks_iam_role_name
name_prefix = var.tasks_iam_role_use_name_prefix ? "${local.tasks_iam_role_name}-" : null
+ description = coalesce(var.tasks_iam_role_description, "Task role IAM policy")
policy = data.aws_iam_policy_document.tasks[0].json
- role = aws_iam_role.tasks[0].id
+ path = var.tasks_iam_policy_path
+ tags = merge(var.tags, var.tasks_iam_role_tags)
+}
+
+resource "aws_iam_role_policy_attachment" "tasks_policy" {
+ count = local.create_tasks_iam_role && (length(var.tasks_iam_role_statements) > 0 || var.enable_execute_command) ? 1 : 0
+
+ role = aws_iam_role.tasks[0].name
+ policy_arn = aws_iam_policy.tasks[0].arn
}
################################################################################
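Review bot: Replacing `aws_iam_role_policy.tasks` with `aws_iam_policy.tasks` plus `aws_iam_role_policy_attachment.tasks_policy` is a state-breaking change for existing users, because two different resource types cannot be linked with a `moved` block, so an upgrade plan destroys the inline policy and creates the managed one, yet the changelog hunk files this under Features with no upgrade note. The destroy of the inline policy and the create of the attachment are independent nodes in the graph, so running tasks (including `enable_execute_command` sessions) may briefly have no task-role permissions during the apply; a short upgrade note recommending a two-step rollout or a maintenance window would help. Customer-managed policies also have a smaller per-policy size limit than the inline-policy budget of a role, so a large `tasks_iam_role_statements` map that applied before may now be rejected by IAM; that is worth a sentence on the variable. A header comment such as `# Managed (not inline) policy so a path can be set; replaces the former aws_iam_role_policy.tasks and forces recreation on upgrade` would record the reason in the file. The `count` on `aws_iam_role_policy_attachment.tasks_policy` duplicates the expression on `aws_iam_policy.tasks`; `count = length(aws_iam_policy.tasks)` would keep the two in lockstep.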
diff --git a/modules/service/variables.tf b/modules/service/variables.tf
index 1c542e1..207e413 100644
--- a/modules/service/variables.tf
+++ b/modules/service/variables.tf
@@ -468,6 +468,12 @@ variable "task_exec_iam_statements" {
default = {}
}
+variable "task_exec_iam_policy_path" {
+ description = "Path for the iam role"
+ type = string
+ default = null
+}
+
################################################################################
# Tasks - IAM role
# https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
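Review bot: The description on `variable "task_exec_iam_policy_path"` says `Path for the iam role`, but the value is applied to `aws_iam_policy.task_exec`, not to the role, and the generated README row in this diff repeats the wording; `description = "Path for the task execution IAM policy"` would match the sibling `tasks_iam_policy_path` description in the next hunk. IAM paths must begin and end with `/`, and neither new variable validates that, so a malformed value only fails at apply time; a `validation` block with `condition = var.task_exec_iam_policy_path == null || can(regex("^/.*/$", var.task_exec_iam_policy_path))` would reject it at plan time, and the same check applies to `tasks_iam_policy_path` below. As far as this diff shows, the service-module README hunk documents only `task_exec_iam_policy_path`, so the `tasks_iam_policy_path` row appears to be missing from the generated docs.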
@@ -533,6 +539,12 @@ variable "tasks_iam_role_statements" {
default = {}
}
+variable "tasks_iam_policy_path" {
+ description = "Path for the tasks iam policy"
+ type = string
+ default = null
+}
+
################################################################################
# Task Set
################################################################################
diff --git a/wrappers/service/main.tf b/wrappers/service/main.tf
index 3dbd9e4..9a7d6ae 100644
--- a/wrappers/service/main.tf
+++ b/wrappers/service/main.tf
@@ -98,6 +98,7 @@ module "wrapper" {
tags = try(each.value.tags, var.defaults.tags, {})
task_definition_arn = try(each.value.task_definition_arn, var.defaults.task_definition_arn, null)
task_definition_placement_constraints = try(each.value.task_definition_placement_constraints, var.defaults.task_definition_placement_constraints, {})
+ task_exec_iam_policy_path = try(each.value.task_exec_iam_policy_path, var.defaults.task_exec_iam_policy_path, null)
task_exec_iam_role_arn = try(each.value.task_exec_iam_role_arn, var.defaults.task_exec_iam_role_arn, null)
task_exec_iam_role_description = try(each.value.task_exec_iam_role_description, var.defaults.task_exec_iam_role_description, null)
task_exec_iam_role_max_session_duration = try(each.value.task_exec_iam_role_max_session_duration, var.defaults.task_exec_iam_role_max_session_duration, null)