feat: Replace dynamic DNS suffix resolution for trusted service endpoints with static `*.amazonaws.com` (#125)

Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
hsalluri259 and bryantbiggs committed Oct 31, 2023
1 parent e987d95 commit f84dc7d
Showing 3 changed files with 4 additions and 8 deletions.
1 change: 0 additions & 1 deletion modules/cluster/README.md
@@ -161,7 +161,6 @@ No modules.
| [aws_iam_role_policy_attachment.task_exec_additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_policy_document.task_exec](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.task_exec_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |

## Inputs

4 changes: 1 addition & 3 deletions modules/cluster/main.tf
@@ -1,5 +1,3 @@
data "aws_partition" "current" {}

################################################################################
# Cluster
################################################################################
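Review bot: deleting `data "aws_partition" "current" {}` at the top of this file turns every remaining `data.aws_partition.current.*` reference in the cluster module (for example a `partition` used when building an ARN) into a plan-time error; the README table row removed in this same commit suggests none remain, but a quick search of the module before merging is cheap insurance, especially since the service module keeps its own data source for `partition`.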
@@ -194,7 +192,7 @@ data "aws_iam_policy_document" "task_exec_assume" {

principals {
type = "Service"
identifiers = ["ecs-tasks.${data.aws_partition.current.dns_suffix}"]
identifiers = ["ecs-tasks.amazonaws.com"]
}
}
}
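Review bot: the trust policy now hardcodes `ecs-tasks.amazonaws.com` and drops partition awareness without saying why; a one-line comment stating the rationale the commit title implies (that this service principal is `*.amazonaws.com` in every partition the module supports) would stop the next contributor from "fixing" it back to `${data.aws_partition.current.dns_suffix}`. Worth spelling out because, if a supported partition ever did need a different suffix, the failure would not be a Terraform error but tasks being unable to assume the execution role at runtime, which is much harder to spot in review.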
7 changes: 3 additions & 4 deletions modules/service/main.tf
@@ -4,7 +4,6 @@ data "aws_caller_identity" "current" {}

locals {
account_id = data.aws_caller_identity.current.account_id
dns_suffix = data.aws_partition.current.dns_suffix
partition = data.aws_partition.current.partition
region = data.aws_region.current.name
}
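Review bot: `dns_suffix` leaves `locals` while `partition` stays, so the `aws_partition` data source is still needed in this module (correctly not removed here); please confirm that no `local.dns_suffix` reference survives outside the three trust policies updated further down, since a leftover would only surface as an unknown-local error at plan time rather than in this diff.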
@@ -419,7 +418,7 @@ data "aws_iam_policy_document" "service_assume" {

principals {
type = "Service"
identifiers = ["ecs.${local.dns_suffix}"]
identifiers = ["ecs.amazonaws.com"]
}
}
}
@@ -760,7 +759,7 @@ data "aws_iam_policy_document" "task_exec_assume" {

principals {
type = "Service"
identifiers = ["ecs-tasks.${local.dns_suffix}"]
identifiers = ["ecs-tasks.amazonaws.com"]
}
}
}
@@ -911,7 +910,7 @@ data "aws_iam_policy_document" "tasks_assume" {

principals {
type = "Service"
identifiers = ["ecs-tasks.${local.dns_suffix}"]
identifiers = ["ecs-tasks.amazonaws.com"]
}

# https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html#create_task_iam_policy_and_role
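Review bot: the literal `ecs-tasks.amazonaws.com` now appears three times in this file (alongside `ecs.amazonaws.com` once) and once more in the cluster module; hoisting each principal into a single local (for example `ecs_tasks_service_principal`, a hypothetical name) would keep the four trust policies from drifting apart if the suffix ever has to change again, and gives a single place to attach the comment explaining the static value.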

0 comments on commit f84dc7d