Comments (13)
This is an example of how policies are added in this module
terraform-aws-ecs/examples/ec2-autoscaling/main.tf
Lines 274 to 277 in b9be574
For details on a reproduction https://github.com/bryantbiggs/how-to-create-reproduction
from terraform-aws-ecs.
@vagharsh i ran into this also. but i found that the role arn that i was looking for was in module.ecs.services.<service_name>.task_exec_iam_role_arn. i didn't look too deeply at what's going on but i my ecs cluster is only hosting workloads on fargate.
from terraform-aws-ecs.
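Added example (not code from the issue or from the terraform-aws-ecs module itself) of what the reply above describes: attaching a policy to the task execution role from outside the module by consuming the per-service output `task_exec_iam_role_arn`. It assumes the module version 5.0.0 root output `services` exposes that attribute per service as stated above, and it deliberately omits the module-level `depends_on` used in the reproduction below, since `depends_on` on a `module` block makes all of that module's outputs "known after apply" during plan; account id, image and subnet values are placeholders.

```hcl
module "ecs" {
  source  = "terraform-aws-modules/ecs/aws"
  version = "5.0.0"

  cluster_name = "api-qa"

  services = {
    qa = {
      cpu                       = 1024
      memory                    = 2048
      launch_type               = "FARGATE"
      subnet_ids                = ["subnet-PLACEHOLDER"]
      create_task_exec_iam_role = true
      task_exec_iam_role_name   = "qa-TaskExecutionRole"
      container_definitions = {
        api = {
          essential = true
          image     = "123456789012.dkr.ecr.eu-central-1.amazonaws.com/api:0.1.0" # placeholder
        }
      }
    }
  }
}

# Least-privilege read of one secret only (placeholder ARN), instead of a wildcard.
resource "aws_iam_policy" "secret_manager_get_secret_policy" {
  name = "qa-SecretManagerGetSecretPolicy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["secretsmanager:GetSecretValue"]
      Resource = ["arn:aws:secretsmanager:eu-central-1:123456789012:secret:qa-PLACEHOLDER"]
    }]
  })
}

# aws_iam_role_policy_attachment needs the role name, not its ARN, so derive the
# name from the last path segment of arn:aws:iam::<account>:role/[<path>/]<name>.
locals {
  task_exec_role_arn   = module.ecs.services["qa"].task_exec_iam_role_arn
  task_exec_arn_parts  = split("/", local.task_exec_role_arn)
  task_exec_role_name  = local.task_exec_arn_parts[length(local.task_exec_arn_parts) - 1]
}

resource "aws_iam_role_policy_attachment" "task_exec_secrets" {
  role       = local.task_exec_role_name
  policy_arn = aws_iam_policy.secret_manager_get_secret_policy.arn
}
```

Because the attachment references the module output directly, Terraform orders the role creation before the attachment without any explicit `depends_on`.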
can you provide a reproduction so we can triage and provide guidance
from terraform-aws-ecs.
what do you mean by reproduction ?
how can i add policies externally to the role created by this module ?
from terraform-aws-ecs.
i was able to add policies into the module finally but still curious on how not to inject policies into the module implementation . but add policies by using the module output task_exec_iam_role_arn which is not working and returning null
from terraform-aws-ecs.
but why am i getting the above mentioned error when doing that ?
with already created policies it's working , but in policies that the code will create is throwing the error
from terraform-aws-ecs.
but why am i getting the above mentioned error when doing that ?
Again, I don't know without seeing a full reproduction that I can reproduce on my end
from terraform-aws-ecs.
module "ecs" {
  source  = "terraform-aws-modules/ecs/aws"
  version = "5.0.0"

  cluster_name = "api-qa"

  tags = {
    Environment = "Test"
  }

  depends_on = [
    aws_iam_policy.secret_manager_get_secret_policy,
    aws_iam_policy.allow_ssm_exec_policy
  ]

  services = {
    qa = {
      desired_count                      = 1
      launch_type                        = "FARGATE"
      platform_version                   = "LATEST"
      deployment_maximum_percent         = 200
      deployment_minimum_healthy_percent = 100
      assign_public_ip                   = false
      create_security_group              = true
      # security_group_ids = ["sg-XXXXA"]
      subnet_ids                         = ["subnet-XXXX", "subnet-XXXY", "subnet-XXXZ"]
      health_check_grace_period_seconds  = 0
      scheduling_strategy                = "REPLICA"

      task_exec_iam_role_policies = {
        "policy1" : aws_iam_policy.secret_manager_get_secret_policy.arn
        "policy2" : aws_iam_policy.allow_ssm_exec_policy.arn
      }
      create_task_exec_iam_role = true
      create_task_exec_policy   = true
      task_exec_iam_role_name   = "qa-TaskExecutionRole"

      ### task definition
      cpu                      = "2048"
      memory                   = "4096"
      network_mode             = "awsvpc"
      family                   = "api"
      requires_compatibilities = ["FARGATE"]

      container_definitions = {
        api = {
          cpu       = 0
          essential = true
          image     = "12345.dkr.ecr.eu-central-1.amazonaws.com/api:0.1.0"
          port_mappings = [
            {
              containerPort = 8000,
              hostPort      = 8000,
              protocol      = "tcp"
            }
          ]
          log_configuration = {
            logDriver = "awslogs",
            options = {
              awslogs-group         = "api",
              awslogs-region        = "eu-central-1",
              awslogs-stream-prefix = "api"
            }
          }
          health_check = {
            command = [
              "CMD-SHELL",
              "curl -f http://127.0.0.1:8000/api/v1/health/ || exit 1"
            ],
            interval    = 35,
            timeout     = 30,
            retries     = 5,
            startPeriod = 300
          }
        }
      }
      ##
    }
  }
}

resource "aws_iam_policy" "allow_ssm_exec_policy" {
  name        = "qa-AllowSSMExec"
  path        = "/"
  description = "Allow SSm EXEC int"
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Action" : [
          "ssmmessages:CreateControlChannel",
          "ssmmessages:CreateDataChannel",
          "ssmmessages:OpenControlChannel",
          "ssmmessages:OpenDataChannel"
        ],
        "Resource" : "*"
      }
    ]
  })
}

resource "aws_iam_policy" "secret_manager_get_secret_policy" {
  name        = "qa-SecretManagerGetSecretPolicy"
  path        = "/"
  description = "Allow getting secret value"
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Action" : [
          "secretsmanager:GetSecretValue"
        ],
        "Resource" : [
          "arn:aws:secretsmanager:eu-central-1:123456:secret:eu-central-1/qa-XXXXX"
        ]
      }
    ]
  })
}

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.55.0"
    }
  }
}

provider "aws" {
  region = "eu-central-1"
}
from terraform-aws-ecs.
any update on this ? @bryantbiggs
from terraform-aws-ecs.
This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days
from terraform-aws-ecs.
apologies but the code provided is still not deployable - we should be able to copy+paste and then terraform init && terraform apply the provided code to reproduce the issue.
Instead, I would encourage you to refer to the examples we have provided https://github.com/terraform-aws-modules/terraform-aws-ecs/tree/master/examples
Closing this out for now, but if you have a deployable reproduction we can take another look
from terraform-aws-ecs.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
from terraform-aws-ecs.