

Terraform Cheat Sheet

11 Sep 2022 »

Utils

Merge

https://github.com/hyperscience/tf-aws-cron-job/blob/main/main.tf

locals {
  # One ECS container definition assembled from the module inputs and then
  # overlaid with var.extra_container_defs.  merge() gives the LATER argument
  # precedence, so any key present in extra_container_defs (image,
  # logConfiguration, ...) silently replaces the value computed here.
  container_definitions = [
    merge(
      {
        name  = var.task_name
        image = "${data.aws_ecr_repository.existing.repository_url}:${var.image_tag}"
        # NOTE(review): task_cpu is divided by 1024 before being used as the
        # container-level cpu share — confirm which unit var.task_cpu is in.
        cpu               = var.task_cpu / 1024
        memoryReservation = var.task_memory
        essential         = true
        logConfiguration = {
          logDriver = "awslogs"
          options = {
            "awslogs-region"        = data.aws_region.current.name
            "awslogs-group"         = var.task_name
            "awslogs-stream-prefix" = var.task_name
            # kept as the string "true": log-driver options are string-valued
            "awslogs-create-group" = "true"
          }
        }
      },
      var.extra_container_defs
    )
  ]
}

IAM Roles and Policies

file

https://kulasangar.medium.com/creating-and-attaching-an-aws-iam-role-with-a-policy-to-an-ec2-instance-using-terraform-scripts-aa85f3e6dfff

file2

https://gist.github.com/clstokes/7116a368025fe6c7dfef1636df3234cf

assume-role-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}

main.tf

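# Role that EC2 instances will assume; the trust policy is kept in a separate
# JSON file and loaded with file().  Terraform 0.12+ takes the expression
# directly — the "${file(...)}" interpolation-only wrapper is deprecated.
# file() resolves the path against the working directory; inside a module
# prefix it with "${path.module}/" so it also works when called from elsewhere.
resource "aws_iam_role" "test" {
  name               = "test-role"
  assume_role_policy = file("assume-role-policy.json")
}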

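# Customer-managed policy whose document is loaded from policy-s3-bucket.json
# (deprecated "${...}" wrapper dropped).  A managed policy exists on its own
# and grants nothing until it is attached to a principal, see the attachment
# resource below.
resource "aws_iam_policy" "policy" {
  name        = "test-policy"
  description = "A test policy"
  policy      = file("policy-s3-bucket.json")
}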

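# Attaches the policy to the role (deprecated "${...}" wrappers dropped).
# CAUTION: aws_iam_policy_attachment is EXCLUSIVE — Terraform treats its
# roles/users/groups lists as the complete set of principals for this policy
# and detaches it from any principal not listed here, including ones attached
# outside Terraform.  For a single role the non-exclusive
# aws_iam_role_policy_attachment (used further down this page) is the safer
# choice.
resource "aws_iam_policy_attachment" "test-attach" {
  name       = "test-attachment"
  roles      = [aws_iam_role.test.name]
  policy_arn = aws_iam_policy.policy.arn
}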

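# Instance profile that carries the role onto the EC2 instance.  An instance
# profile holds exactly one role; the plural `roles` list from the original
# snippet was removed from the AWS provider in v2.0, so current providers
# reject it.
resource "aws_iam_instance_profile" "test_profile" {
  name = "test_profile"
  role = aws_iam_role.test.name
}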

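# EC2 instance that receives the role's temporary credentials through the
# instance metadata service.  aws_security_group.main is defined elsewhere
# (not shown on this page).
resource "aws_instance" "main" {
  # Hard-coded, region-specific AMI id; consider a data "aws_ami" lookup so
  # the id is resolved at plan time instead of going stale.
  ami                    = "ami-9a562df2"
  instance_type          = "t2.small"
  iam_instance_profile   = aws_iam_instance_profile.test_profile.name
  vpc_security_group_ids = [aws_security_group.main.id]

  # Require IMDSv2 (session-token based) so the role credentials served by
  # the metadata endpoint cannot be read with a plain unauthenticated request,
  # the usual path by which a server-side request forgery in an application
  # on the instance leaks them.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}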

policy-s3-bucket.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::<bucketname>"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::<bucketname>/*"]
    }
  ]
}

inline

https://towardsaws.com/aws-ecs-service-autoscaling-terraform-included-d4b46997742b

# Role assumed by the Application Auto Scaling service to scale an ECS
# service; the trust policy is written inline as a heredoc.
resource "aws_iam_role" "ecs-autoscale-role" {
  name = "ecs-scale-application"

  # Trust policy: only application-autoscaling.amazonaws.com may assume this
  # role.  Plain <<EOF keeps the leading indentation inside the document,
  # which JSON tolerates.  Comments cannot be placed inside the heredoc —
  # they would become part of the policy text.
  assume_role_policy = <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Principal": {
            "Service": "application-autoscaling.amazonaws.com"
          },
          "Effect": "Allow"
        }
      ]
    }
    EOF
}

# Attach the AWS-managed Application Auto Scaling policy for ECS to the role
# above.  aws_iam_role_policy_attachment manages only this one role/policy
# pair, so attachments made elsewhere are left untouched.
resource "aws_iam_role_policy_attachment" "ecs-autoscale" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceAutoscaleRole"
  role       = aws_iam_role.ecs-autoscale-role.id
}

inline 2

https://www.lewuathe.com/how-to-add-new-policy-to-iam-role.html

# EC2-assumable role for the "inline 2" example: the same trust policy as
# assume-role-policy.json above, but written inline as a heredoc.
resource "aws_iam_role" "my-role" {
 name = "my-role"

 # Trust policy.  Every line up to the EOF marker is part of the JSON
 # document, so no comments can go inside it.
 assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

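# Inline policy bound directly to my-role.  An aws_iam_role_policy lives and
# dies with its role, cannot be attached to anything else and has no ARN, so
# it needs no separate attachment resource.
#
# Fixes against the original snippet: the resource block was missing its
# closing brace, and s3:GetObject is an object-level action, so the Resource
# must be the object ARN (bucket/*) — the bare bucket ARN never matches an
# object and the grant was a no-op.
resource "aws_iam_role_policy" "my-policy" {
  name = "my-policy"
  role = aws_iam_role.my-role.id

  # <<- strips the common leading indentation from the heredoc body.
  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AccessObject",
        "Effect": "Allow",
        "Action": [
          "s3:GetObject"
        ],
        "Resource": [
          "arn:aws:s3:::my-bucket/*"
        ]
      }
    ]
  }
EOF
}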

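# NOTE(review): this references aws_iam_policy.my-policy, but the "my-policy"
# defined above on this page is an aws_iam_role_policy (inline policy).
# Inline policies have no ARN and are already bound to their role, so this
# attachment only makes sense for a separately declared customer-managed
# aws_iam_policy — either add that resource or drop this block.
# (Deprecated "${...}" wrappers dropped.)
resource "aws_iam_role_policy_attachment" "my-policy-attach" {
  role       = aws_iam_role.my-role.name
  policy_arn = aws_iam_policy.my-policy.arn
}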

inline 3 with variables

https://www.chakray.com/creating-fargate-ecs-task-aws-using-terraform/

# container_definitions is a JSON array rendered from a heredoc; the ${var.*}
# references are interpolated before the text reaches ECS.  Comments cannot
# be placed inside the heredoc — they would end up in the JSON and break it.
# The enclosing resource block starts above this snippet (not shown).
#
# Supply-chain note: the image is pinned to the mutable ":latest" tag, so each
# new task may pull a different build; pin an immutable tag or a digest.
#
# "secrets"/"valueFrom" makes ECS fetch the SSM parameter when the task
# starts, which requires the task execution role to be allowed to read (and,
# for a SecureString, decrypt) that parameter.  The ARN shown is a placeholder
# (note the "acount" typo in it).
container_definitions = <<DEFINITION
[
  {
    "image": "${var.account}.dkr.ecr.eu-west-1.amazonaws.com/project:latest",
    "name": "project-container",
    "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-region" : "eu-west-1",
                    "awslogs-group" : "stream-to-log-fluentd",
                    "awslogs-stream-prefix" : "project"
                }
            },
    "secrets": [{
        "name": "secret_variable_name",
        "valueFrom": "arn:aws:ssm:region:acount:parameter/parameter_name"
    }],           
    "environment": [
            {
                "name": "bucketName",
                "value": "${var.bucket_name}"
            },
            {
                "name": "folder",
                "value": "${var.folder}"
            }
        ]
    }
  
]
DEFINITION
}

inline policy aws_iam_policy_document

https://youtu.be/AX5uUX2MGik?t=676

inline with jsonencode

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role

# EC2-assumable role with the trust policy expressed as an HCL object and
# serialised by jsonencode().  Unlike the file() and heredoc forms above, the
# document is parsed as HCL, so a syntax slip surfaces when Terraform loads
# the configuration rather than as an API rejection at apply time.
resource "aws_iam_role" "test_role" {
  name = "test_role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = ""
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      }
    ]
  })

  tags = {
    tag-key = "tag-value"
  }
}

aws_iam_role assume_role_policy + inline_policy

# Role whose trust policy comes from a data source (not shown) and which
# carries two inline policies.  Declaring inline_policy here makes Terraform
# the owner of ALL inline policies on the role: any inline policy added
# outside this configuration is removed on the next apply.
resource "aws_iam_role" "example" {
  name               = "yak_role"
  assume_role_policy = data.aws_iam_policy_document.instance_assume_role_policy.json # (not shown)

  inline_policy {
    name = "my_inline_policy"

    # ec2:Describe* calls do not support resource-level scoping, so "*" is
    # the only usable Resource here.
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect   = "Allow"
          Action   = ["ec2:Describe*"]
          Resource = "*"
        }
      ]
    })
  }

  inline_policy {
    name   = "policy-8675309"
    policy = data.aws_iam_policy_document.inline_policy.json
  }
}

# Policy document rendered to JSON for the second inline_policy of the
# example role above.  effect defaults to "Allow"; it is spelled out here so
# the grant is visible at a glance.
data "aws_iam_policy_document" "inline_policy" {
  statement {
    effect    = "Allow"
    actions   = ["ec2:DescribeAccountAttributes"]
    resources = ["*"]
  }
}