Removing external dependencies #14
Conversation
Added new optional variables to the module:
- `code_build_role`
- `code_pipeline_role`
- `code_pipeline_artifact_bucket`
If the user supplies those variables/resources those are used instead of creating these resources for each service.
```terraform
module "service" {
source = "git@github.com:stroeer/terraform-aws-ecs-fargate.git"
...
create_deployment_pipeline = true
artifact_bucket_name = "codepipeline-bucket-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}"
code_build_role = "codebuild_role"
code_pipeline_role = "codepipeline_role"
```
fixes stroeer#9
fixes stroeer#11
main.tf
Outdated
| @@ -107,6 +107,9 @@ module "code_deploy" { | |||
| cluster_name = var.cluster_id | |||
| ecr_repository_name = module.ecr.name | |||
| service_name = var.service_name | |||
| code_build_role = var.code_build_role | |||
| "iam:PassRole" | ||
| ] | ||
| resources = ["*"] | ||
| # resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/ecs/task-role/*"] |
There was a problem hiding this comment.
commented code...., just remove or can we target the role path specifically?
There was a problem hiding this comment.
that is tailored to the task-def-role we are using (it is an external dependency that is pulled in by name and cannot be overriden)
| @@ -0,0 +1,19 @@ | |||
| module "s3_bucket" { | |||
| source = "terraform-aws-modules/s3-bucket/aws" | |||
There was a problem hiding this comment.
sort configuration lexicographically :)
| @@ -0,0 +1,19 @@ | |||
| module "s3_bucket" { | |||
There was a problem hiding this comment.
the acl is private by default, but are there, from a security perspective, any other values we should set (e.g block_public_acls and block_public_policy?
There was a problem hiding this comment.
private means that only the owner can access those files. with the block_* you can additionally block put requests that would violate this acl.
but since this is only a "technical bucket for artifact storage", no user should ever actually interfere with its contents.
Added new optional variables to the module:
code_build_rolecode_pipeline_rolecode_pipeline_artifact_bucketIf the user supplies those variables/resources those are used instead of creating these resources for each service.
fixes #9
fixes #11