From 38be5518b981393c75cd92000f9ba3a70ba13118 Mon Sep 17 00:00:00 2001 From: Jeremy Wood Date: Fri, 22 Sep 2023 14:32:14 -0400 Subject: [PATCH 1/6] Add support for efs volumes. --- ecs.tf | 40 ++++++++++++++++++++++++++++++++++++++++ variables.tf | 18 +++++++++++++++++- 2 files changed, 57 insertions(+), 1 deletion(-) diff --git a/ecs.tf b/ecs.tf index 40fb87a..9db366e 100644 --- a/ecs.tf +++ b/ecs.tf @@ -24,6 +24,46 @@ resource "aws_ecs_task_definition" "main_task" { host_path = volume.value.host_path } } + + dynamic "volume" { + for_each = [for v in var.efs_volumes : { + name = v.name + host_path = v.host_path + file_system_id = v.file_system_id + root_directory = v.root_directory + transit_encryption = v.transit_encryption + transit_encryption_port = v.transit_encryption_port + + authorization_config = v.access_point_id == null && v.iam == null ? [] : [{ + access_point_id = v.access_point_id + iam = v.iam + }] + }] + + content { + name = volume.value.name + host_path = volume.value.host_path + + efs_volume_configuration { + file_system_id = volume.value.file_system_id + root_directory = volume.value.root_directory + transit_encryption = coalesce(volume.value.transit_encryption, "DISABLED") + transit_encryption_port = volume.value.transit_encryption_port + + dynamic "authorization_config" { + for_each = [for a in volume.value.authorization_config : { + access_point_id = a.access_point_id + iam = a.iam + }] + + content { + access_point_id = authorization_config.value.access_point_id + iam = authorization_config.value.iam + } + } + } + } + } } resource "aws_ecs_service" "main_service" { diff --git a/variables.tf b/variables.tf index 9cfa6fb..c55d882 100644 --- a/variables.tf +++ b/variables.tf 
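Review bot: The new `efs_volume_configuration` forwards `root_directory` and `authorization_config.access_point_id` independently, but as far as I recall from the ECS volume API, when an access point is specified `root_directory` must be omitted or `/` (the access point's path is enforced instead), so a caller who sets both only finds out at task-definition registration rather than at plan time. Consider a `precondition` or `efs_volumes` validation that rejects a non-null, non-`/` `root_directory` when `access_point_id` is set, and state the rule in the variable description. Separately, `coalesce(volume.value.transit_encryption, "DISABLED")` makes plaintext NFS the default; a secure-by-default module would write `transit_encryption = coalesce(volume.value.transit_encryption, "ENABLED")` and let callers opt out explicitly. The enclosing `aws_ecs_task_definition.main_task` resource starts before this hunk.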
@@ -172,6 +172,22 @@ variable "volumes" { description = "A list of definitions to attach volumes to the ECS task. Amazon does not allow empty volume names once declared, so defaulting to a dummy name if this var is left unused." } +variable "efs_volumes" { + type = list(object({ + name = string + host_path = string + file_system_id = string + root_directory = string + transit_encryption = string + transit_encryption_port = number + access_point_id = string + iam = string + })) + + default = [] + description = "A list of definitions to attach EFS volumes to the ECS task. Name and file_system_id are required." +} + variable "task_role_arn" { default = "" description = "The arn of the iam role you wish to pass to the ecs task containers." @@ -232,4 +248,4 @@ variable "lb_target_type" { type = string default = "instance" description = "The target type of the LBs, needs to be set to IP for fargate" -} \ No newline at end of file +} From 0a37668facb2a8acb6305912c152623808b2e15a Mon Sep 17 00:00:00 2001 From: Jeremy Wood Date: Fri, 22 Sep 2023 15:48:46 -0400 Subject: [PATCH 2/6] Use optional types for the optional parts of efs_volumes. --- variables.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/variables.tf b/variables.tf index c55d882..c1aa3c9 100644 --- a/variables.tf +++ b/variables.tf @@ -175,13 +175,13 @@ variable "volumes" { variable "efs_volumes" { type = list(object({ name = string - host_path = string + host_path = optional(string) file_system_id = string - root_directory = string - transit_encryption = string - transit_encryption_port = number - access_point_id = string - iam = string + root_directory = optional(string) + transit_encryption = optional(string) + transit_encryption_port = optional(number) + access_point_id = optional(string) + iam = optional(string) })) default = [] From 415d102a324bd6fd27425f257e39633f25820eac Mon Sep 17 00:00:00 2001 
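Review bot: `transit_encryption` is typed as a free-form `optional(string)` with no validation, so a value such as `"enabled"` or `"true"` is only rejected when the provider submits the task definition, with an API error instead of a plan-time message naming the variable. A `validation` block on `efs_volumes` restricting it to `ENABLED`/`DISABLED` catches this early; the `variable` block continues past the end of this hunk (the `description` follows `default = []`), so the block goes after the default and the brace stays where it is.

```hcl
  default = []

  validation {
    condition = alltrue([
      for v in var.efs_volumes :
      v.transit_encryption == null ? true : contains(["ENABLED", "DISABLED"], v.transit_encryption)
    ])
    error_message = "efs_volumes[*].transit_encryption must be \"ENABLED\" or \"DISABLED\"."
  }
  # … unchanged: description …
```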
From: Jeremy Wood Date: Fri, 29 Sep 2023 16:14:40 -0400 Subject: [PATCH 3/6] Use nested object variable for efs volume authorization config. --- ecs.tf | 8 ++------ variables.tf | 6 ++++-- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/ecs.tf b/ecs.tf index 9db366e..6e6a773 100644 --- a/ecs.tf +++ b/ecs.tf @@ -33,11 +33,7 @@ resource "aws_ecs_task_definition" "main_task" { root_directory = v.root_directory transit_encryption = v.transit_encryption transit_encryption_port = v.transit_encryption_port - - authorization_config = v.access_point_id == null && v.iam == null ? [] : [{ - access_point_id = v.access_point_id - iam = v.iam - }] + authorization_config = v.authorization_config }] content { @@ -53,7 +49,7 @@ resource "aws_ecs_task_definition" "main_task" { dynamic "authorization_config" { for_each = [for a in volume.value.authorization_config : { access_point_id = a.access_point_id - iam = a.iam + iam = coalesce(a.iam, "DISABLED") }] content { diff --git a/variables.tf b/variables.tf index c1aa3c9..52eb53e 100644 --- a/variables.tf +++ b/variables.tf @@ -180,8 +180,10 @@ variable "efs_volumes" { root_directory = optional(string) transit_encryption = optional(string) transit_encryption_port = optional(number) - access_point_id = optional(string) - iam = optional(string) + authorization_config = optional(object({ + access_point_id = optional(string) + iam = optional(string) + })) })) default = [] From 068fb5c116ab25cef419e0ea58b9d32896267cd2 Mon Sep 17 00:00:00 2001 From: Jeremy Wood Date: Fri, 29 Sep 2023 16:31:11 -0400 Subject: [PATCH 4/6] Use simpler for_each for in nested dynamic authorization_config block. --- ecs.tf | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/ecs.tf b/ecs.tf index 6e6a773..2c4a123 100644 --- a/ecs.tf +++ b/ecs.tf 
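Review bot: The nested `authorization_config` object introduces an `iam` attribute with no documentation of what a null value means at mount time, and the `efs_volumes` description (outside this hunk) still only says that `name` and `file_system_id` are required. Since ecs.tf coalesces a null `iam` to `"DISABLED"`, callers who pass an `access_point_id` and assume the task role's EFS IAM policy is enforced will silently get an unauthenticated mount. I would extend the description with `authorization_config.iam must be "ENABLED" for the task role's EFS IAM policy to be enforced at mount time; it defaults to "DISABLED". Access points and IAM authorization both require transit_encryption = "ENABLED".` — the last sentence reflecting the ECS requirement as I understand it, so worth confirming against the provider docs. A `validation` restricting `iam` to `ENABLED`/`DISABLED` would match whatever is done for `transit_encryption`.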
@@ -47,14 +47,11 @@ resource "aws_ecs_task_definition" "main_task" { transit_encryption_port = volume.value.transit_encryption_port dynamic "authorization_config" { - for_each = [for a in volume.value.authorization_config : { - access_point_id = a.access_point_id - iam = coalesce(a.iam, "DISABLED") - }] + for_each = volume.value.authorization_config content { - access_point_id = authorization_config.value.access_point_id - iam = authorization_config.value.iam + access_point_id = authorization_config.value["access_point_id"] + iam = authorization_config.value["iam"] } } } From 2dd975f295c6824e40e6b06ab31014bb25ac3e7e Mon Sep 17 00:00:00 2001 From: Jeremy Wood Date: Fri, 29 Sep 2023 16:38:42 -0400 Subject: [PATCH 5/6] Wrap auth config in list for dynamic block. --- ecs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ecs.tf b/ecs.tf index 2c4a123..3c51cb3 100644 --- a/ecs.tf +++ b/ecs.tf @@ -47,7 +47,7 @@ resource "aws_ecs_task_definition" "main_task" { transit_encryption_port = volume.value.transit_encryption_port dynamic "authorization_config" { - for_each = volume.value.authorization_config + for_each = [volume.value.authorization_config] content { access_point_id = authorization_config.value["access_point_id"] From 9a867df2c6482b165dab84a5271b89b5661d19e0 Mon Sep 17 00:00:00 2001 From: Jeremy Wood Date: Fri, 29 Sep 2023 16:43:54 -0400 Subject: [PATCH 6/6] Force transit encryption when using authorization_config on efs volumes. --- ecs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ecs.tf b/ecs.tf index 3c51cb3..f693c75 100644 --- a/ecs.tf +++ b/ecs.tf 
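Review bot: `for_each = [volume.value.authorization_config]` yields the one-element list `[null]` whenever a volume omits the optional `authorization_config`, so `authorization_config.value["access_point_id"]` indexes a null value and the plan fails for exactly the EFS volumes that use neither an access point nor IAM authorization. Guard the wrap so the block is omitted in that case: `for_each = volume.value.authorization_config == null ? [] : [volume.value.authorization_config]`. The enclosing `volume` and `efs_volume_configuration` blocks open before this hunk and close after it.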
@@ -43,7 +43,7 @@ resource "aws_ecs_task_definition" "main_task" { efs_volume_configuration { file_system_id = volume.value.file_system_id root_directory = volume.value.root_directory - transit_encryption = coalesce(volume.value.transit_encryption, "DISABLED") + transit_encryption = coalesce(volume.value.transit_encryption, volume.value.authorization_config != null ? "ENABLED" : "DISABLED") transit_encryption_port = volume.value.transit_encryption_port dynamic "authorization_config" {
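Review bot: The new fallback only enables transit encryption when the caller left `transit_encryption` unset; an explicit `"DISABLED"` combined with `authorization_config` still passes through, which ECS rejects at registration (IAM authorization and access points require TLS, as I understand the API), and if it were ever accepted it would carry IAM-authorized mounts in the clear. Reject the combination at plan time, e.g. a variable validation with `condition = alltrue([for v in var.efs_volumes : v.authorization_config == null || v.transit_encryption != "DISABLED"])` and an error message naming the volume. It is also worth making encryption the unconditional default, `transit_encryption = coalesce(volume.value.transit_encryption, "ENABLED")`, so plaintext NFS for plain volumes is an explicit opt-out rather than the silent default. The surrounding `volume` dynamic block and resource begin before this hunk, and `dynamic "authorization_config"` continues past it.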