Fix tests/terraform

- Split task role and task execution role. - An execution role can assum role from current caller identity.
kayac · May 8, 2023 · fd77de4 · fd77de4
1 parent 5452757
commit fd77de4
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 20 deletions.
diff --git a/tests/terraform/config.tf b/tests/terraform/config.tf
@@ -25,3 +25,9 @@ terraform {
 
 data "aws_caller_identity" "current" {
 }
+
+resource "random_string" "random" {
+  length  = 8
+  lower   = true
+  special = false
+}
diff --git a/tests/terraform/ecs-task-def.jsonnet b/tests/terraform/ecs-task-def.jsonnet
@@ -8,7 +8,7 @@
         logDriver: 'awslogs',
         options: {
           'awslogs-create-group': 'true',
-          'awslogs-group': '{{tfstate `aws_cloudwatch_log_group.main.name`}}',
+          'awslogs-group': '{{ tfstate `aws_cloudwatch_log_group.main.name` }}',
           'awslogs-region': '{{ must_env `AWS_REGION` }}',
           'awslogs-stream-prefix': 'nginx',
         },
@@ -36,7 +36,7 @@
         logDriver: 'awslogs',
         options: {
           'awslogs-create-group': 'true',
-          'awslogs-group': '{{tfstate `aws_cloudwatch_log_group.main.name`}}',
+          'awslogs-group': '{{ tfstate `aws_cloudwatch_log_group.main.name` }}',
           'awslogs-region': '{{ must_env `AWS_REGION` }}',
           'awslogs-stream-prefix': 'bash',
         },
@@ -45,15 +45,15 @@
       secrets: [
         {
           name: 'FOO',
-          valueFrom: '{{tfstate `aws_ssm_parameter.foo.name`}}'
+          valueFrom: '{{ tfstate `aws_ssm_parameter.foo.name` }}'
         },
         {
           name: 'BAR',
-          valueFrom: '{{tfstate `aws_secretsmanager_secret.bar.arn`}}'
+          valueFrom: '{{ tfstate `aws_secretsmanager_secret.bar.arn` }}'
         },
         {
           name: 'JSON_KEY',
-          valueFrom: '{{tfstate `aws_secretsmanager_secret.json.arn`}}:key::'
+          valueFrom: '{{ tfstate `aws_secretsmanager_secret.json.arn` }}:key::'
         },
       ],
     },
@@ -62,7 +62,7 @@
   ephemeralStorage: {
     sizeInGiB: 30,
   },
-  executionRoleArn: '{{tfstate `aws_iam_role.ecs-task.arn`}}',
+  executionRoleArn: '{{tfstate `aws_iam_role.ecs-task-execution.arn`}}',
   family: 'ecspresso',
   memory: '512',
   networkMode: 'awsvpc',

diff --git a/tests/terraform/iam.tf b/tests/terraform/iam.tf
@@ -16,17 +16,12 @@ resource "aws_iam_role" "ecs-task" {
 }
 
 resource "aws_iam_policy" "ecs-task" {
-  name = var.project
+  name = "${var.project}-ecs-task"
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
       {
         Action = [
-          "logs:CreateLogStream",
-          "logs:PutLogEvents",
-          "ssm:GetParameter",
-          "ssm:GetParameters",
-          "secretsmanager:GetSecretValue",
           "ssmmessages:CreateControlChannel",
           "ssmmessages:CreateDataChannel",
           "ssmmessages:OpenControlChannel",
@@ -39,10 +34,6 @@ resource "aws_iam_policy" "ecs-task" {
   })
 }
 
-resource "aws_iam_role_policy_attachment" "ecs-task" {
-  role       = aws_iam_role.ecs-task.name
-  policy_arn = aws_iam_policy.ecs-task.arn
-}
 
 resource "aws_iam_role" "ecs-task-execution" {
   name = "${var.project}-ecs-task-execution"
@@ -56,16 +47,50 @@ resource "aws_iam_role" "ecs-task-execution" {
         }
         Effect = "Allow"
         Sid    = ""
+      },
+      {
+        Action = "sts:AssumeRole"
+        Principal = {
+          AWS = data.aws_caller_identity.current.arn // for debugging ecspresso verify
+        }
+        Effect = "Allow"
       }
     ]
   })
 }
 
+resource "aws_iam_policy" "ecs-task-execution" {
+  name = "${var.project}-ecs-task-execution"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents",
+          "ssm:GetParameter",
+          "ssm:GetParameters",
+          "secretsmanager:GetSecretValue",
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+
 data "aws_iam_policy" "ecs-task-exection" {
   arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
 
-resource "aws_iam_role_policy_attachment" "ecs-task-execution" {
+resource "aws_iam_role_policy_attachment" "ecs-task-execution-managed" {
   role       = aws_iam_role.ecs-task-execution.name
   policy_arn = data.aws_iam_policy.ecs-task-exection.arn
 }
+
+resource "aws_iam_role_policy_attachment" "ecs-task-execution-custom" {
+  role       = aws_iam_role.ecs-task-execution.name
+  policy_arn = aws_iam_policy.ecs-task-execution.arn
+}
diff --git a/tests/terraform/secrets.tf b/tests/terraform/secrets.tf
@@ -1,12 +1,12 @@
 
 resource "aws_ssm_parameter" "foo" {
-  name  = "/${var.project}/foo"
+  name  = "/${var.project}/foo-${random_string.random.result}"
   type  = "SecureString"
   value = "FOO"
 }
 
 resource "aws_secretsmanager_secret" "bar" {
-  name = "${var.project}-bar"
+  name = "${var.project}-bar-${random_string.random.result}"
 }
 
 resource "aws_secretsmanager_secret_version" "bar" {
@@ -15,7 +15,7 @@ resource "aws_secretsmanager_secret_version" "bar" {
 }
 
 resource "aws_secretsmanager_secret" "json" {
-  name = "${var.project}-json"
+  name = "${var.project}-json-${random_string.random.result}"
 }
 
 resource "aws_secretsmanager_secret_version" "json" {