Creates an IAM role for use as an ECS task execution role. Note that `cloudwatch_log_group_names = ["*"]` lets the role write to every CloudWatch log group in the account; prefer the scoped form in the second example whenever the log groups are known in advance.

```hcl
module "ecs_task_execution_role" {
  source = "dod-iac/ecs-task-execution-role/aws"

  allow_create_log_groups    = true
  cloudwatch_log_group_names = ["*"] # any log group in the account

  name = format("app-%s-task-execution-role-%s", var.application, var.environment)

  tags = {
    Application = var.application
    Environment = var.environment
    Automation  = "Terraform"
  }
}
```

Creates an IAM role for use as an ECS task execution role that writes to a specific list of encrypted CloudWatch log groups.

```hcl
module "cloudwatch_kms_key" {
  source = "dod-iac/cloudwatch-kms-key/aws"

  name = format("alias/app-%s-cloudwatch-logs-%s", var.application, var.environment)

  tags = {
    Application = var.application
    Environment = var.environment
    Automation  = "Terraform"
  }
}

resource "aws_cloudwatch_log_group" "main" {
  name              = format("/aws/ecs/app-%s-%s", var.application, var.environment)
  retention_in_days = 1 # expire logs after 1 day
  kms_key_id        = module.cloudwatch_kms_key.aws_kms_key_arn

  tags = {
    Application = var.application
    Environment = var.environment
    Automation  = "Terraform"
  }
}

module "ecs_task_execution_role" {
  source = "dod-iac/ecs-task-execution-role/aws"

  # The log group is created by Terraform above, so the role does not need
  # to create it (allow_create_log_groups defaults to false). Reference the
  # resource, not a non-existent module, for the log group name.
  cloudwatch_log_group_names = [aws_cloudwatch_log_group.main.name]

  name = format("app-%s-task-execution-role-%s", var.application, var.environment)

  tags = {
    Application = var.application
    Environment = var.environment
    Automation  = "Terraform"
  }
}
```

Run all terratest tests using the `terratest` script. If using aws-vault, you can run `aws-vault exec $AWS_PROFILE -- terratest`. The `AWS_DEFAULT_REGION` environment variable is required by the tests. Set `TT_SKIP_DESTROY=1` to leave the infrastructure created during the tests in place (destroy it yourself afterwards). Set `TT_VERBOSE=1` to log each test as it runs. The `go test` command can also be run directly.
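The difference between `cloudwatch_log_group_names = ["*"]` in the first usage example and a named log group in the second is the scope of the resulting `logs:` grant. The Python script below is an added example written for this README; it is not part of the dod-iac module and does not reproduce the policy the module generates. It builds an illustrative task execution policy from a list of log group names and flags any Allow statement that grants a log-write action on a wildcard log group, which is the check to run against a rendered policy before deploying. It assumes the standard task-execution log actions (`logs:CreateLogStream`, `logs:PutLogEvents`, `logs:CreateLogGroup`), the `arn:<partition>:logs:<region>:<account>:log-group:<name>:*` ARN form, and constructed partition, region and account values; the sample policies it inspects are constructed inline.

```python
"""Flag wildcard CloudWatch Logs grants in an ECS task execution role policy.

Added example for this README, not part of the dod-iac module. The ARN form,
the action list and the sample policies below are assumptions chosen to
illustrate the ["*"] versus named-log-group difference.
"""
import fnmatch
import json

# Assumed log-write actions a task execution role needs (the standard
# CloudWatch Logs actions; the module's generated policy may differ).
LOG_WRITE_ACTIONS = ("logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup")


def log_group_arn(name, partition="aws-us-gov", region="us-gov-west-1", account="123456789012"):
    """Log group ARN in the form arn:<partition>:logs:<region>:<account>:log-group:<name>:*.
    A bare "*" is passed through unchanged, turning the grant into a wildcard."""
    if name == "*":
        return "*"
    return f"arn:{partition}:logs:{region}:{account}:log-group:{name}:*"


def example_policy(log_group_names, allow_create_log_groups=False, **arn_kwargs):
    """Illustrative policy (constructed here, not the module's output) scoped to
    the given log groups, mirroring the module's two log-related inputs."""
    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
    if allow_create_log_groups:
        actions.append("logs:CreateLogGroup")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "WriteLogs",
            "Effect": "Allow",
            "Action": actions,
            "Resource": [log_group_arn(n, **arn_kwargs) for n in log_group_names],
        }],
    }


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_log_group(resource):
    """True when the resource reaches every log group: "*" or a log-group name of "*"."""
    if resource == "*":
        return True
    if ":log-group:" not in resource:
        return False
    name = resource.split(":log-group:", 1)[1].split(":", 1)[0]
    return name == "*"


def find_wildcard_log_grants(policy):
    """Return (Sid, action, resource) for every Allow statement that grants a
    log-write action on a wildcard log group. Accepts a dict or a JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action patterns use "*" wildcards, e.g. "logs:*"
            matched = [a for a in LOG_WRITE_ACTIONS if fnmatch.fnmatchcase(a, pattern)]
            if not matched:
                continue
            for resource in _as_list(stmt.get("Resource", [])):
                if _is_wildcard_log_group(resource):
                    findings.extend((stmt.get("Sid", ""), a, resource) for a in matched)
    return findings


# Constructed sample: a permissive hand-written policy. The ECR statement on "*"
# is not flagged, since only the log-write actions are inspected.
SAMPLE_PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Logs", "Effect": "Allow", "Action": "logs:*",
         "Resource": "arn:aws:logs:us-east-1:111111111111:log-group:*:*"},
        {"Sid": "ECR", "Effect": "Allow",
         "Action": ["ecr:GetAuthorizationToken", "ecr:BatchGetImage"],
         "Resource": "*"},
    ],
})


if __name__ == "__main__":
    for label, policy in [
        ('cloudwatch_log_group_names = ["*"]', example_policy(["*"])),
        ('cloudwatch_log_group_names = ["/aws/ecs/app-x-dev"]',
         example_policy(["/aws/ecs/app-x-dev"], allow_create_log_groups=True)),
        ("hand-written sample", SAMPLE_PERMISSIVE_POLICY),
    ]:
        findings = find_wildcard_log_grants(policy)
        print(f"{label}: {len(findings)} wildcard log grant(s)")
        for sid, action, resource in findings:
            print(f"  {sid}: {action} on {resource}")
```

To check a real deployment, feed `find_wildcard_log_grants` the `policy` attribute of the module's `aws_iam_policy.main` resource as shown by `terraform show -json`; the scoped variant should produce no findings.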
This module requires Terraform 0.13. Pin the module version to `~> 1.0.0` (for example `version = "~> 1.0.0"` in the module block). Submit pull requests to the main branch.

Terraform 0.11 and 0.12 are not supported.
This project constitutes a work of the United States Government and is not subject to domestic copyright protection under 17 USC § 105. However, because the project utilizes code licensed from contributors and other third parties, it therefore is licensed under the MIT License. See LICENSE file for more information.
| Name | Version |
|---|---|
| terraform | >= 0.13 |
| aws | >= 3.0, < 5.0 |

| Name | Version |
|---|---|
| aws | >= 3.0, < 5.0 |
No modules.
| Name | Type |
|---|---|
| aws_iam_policy.main | resource |
| aws_iam_role.main | resource |
| aws_iam_role_policy_attachment.main | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.assume_role_policy | data source |
| aws_iam_policy_document.main | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allow_create_log_groups | Allow the role to create CloudWatch log groups. | bool | false | no |
| allow_ecr | Allow the role to pull a container image from an ECR repository. | bool | false | no |
| assume_role_policy | The assume role policy for the AWS IAM role. If blank, allows ECS tasks in the account to assume the role. | string | "" | no |
| cloudwatch_log_group_names | List of names of CloudWatch log groups that this task execution role can write to. Use ["*"] to allow all log groups in the account. | list(string) | n/a | yes |
| name | The name of the AWS IAM role. | string | n/a | yes |
| policy_description | The description of the AWS IAM policy attached to the IAM task execution role. Defaults to "The policy for [NAME]". | string | "" | no |
| policy_document | The contents of the AWS IAM policy attached to the IAM task execution role. If not defined, a generated policy is used. | string | "" | no |
| policy_name | The name of the AWS IAM policy attached to the IAM task execution role. Defaults to "[NAME]-policy". | string | "" | no |
| tags | Tags applied to the AWS IAM role. | map(string) | {} | no |
| Name | Description |
|---|---|
| arn | The Amazon Resource Name (ARN) of the AWS IAM Role. |
| name | The name of the AWS IAM Role. |