Merge pull request #10 from lagerfeuer/master

Allow passing `repository_credentials` for DockerHub access tokens
robertomoutinho · Dec 6, 2023 · 98efa49 · 98efa49
2 parents feff3eb + 9cf65cd
commit 98efa49
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 8 deletions.
diff --git a/ecs.tf b/ecs.tf
@@ -114,6 +114,11 @@ module "container_definition" {
   port_mappings = var.app_port_mapping
   mount_points  = var.ecs_mount_points
 
+  repository_credentials = (var.repository_credentials_name != null
+    ? { credentialsParameter = data.aws_secretsmanager_secret.creds[0].arn }
+    : null
+  )
+
   log_configuration = (var.enable_datadog_log_forwarder ? {
     logDriver = "awsfirelens"
     options = {
@@ -202,4 +207,4 @@ resource "aws_ecs_task_definition" "app" {
     }
   }
   tags = local.local_tags
-}
+}
diff --git a/iam.tf b/iam.tf
@@ -30,25 +30,45 @@ resource "aws_iam_role_policy_attachment" "ecs_task_execution" {
   policy_arn = element(var.policies_arn, count.index)
 }
 
-###################
-## Secrets Acess ##
-###################
+####################
+## Secrets Access ##
+####################
+data "aws_secretsmanager_secret" "creds" {
+  count = var.repository_credentials_name != null ? 1 : 0
+  name  = var.repository_credentials_name
+}
+
+locals {
+  secretsmanager_arns = [
+    "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:/${local.secret_path}/*",
+    "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:/${var.environment}/shared/*"
+  ]
+}
 
 data "aws_iam_policy_document" "ecs_task_access_secrets" {
   statement {
     effect = "Allow"
-
     resources = [
       "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${local.secret_path}/*",
-      "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:/${local.secret_path}/*",
       "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/shared/*",
-      "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:/${var.environment}/shared/*"
     ]
-
     actions = [
+      "ssm:GetParameter",
       "ssm:GetParameters",
+      "ssm:GetParametersByPath",
+    ]
+  }
+
+  statement {
+    effect = "Allow"
+    resources = concat(
+      local.secretsmanager_arns,
+      var.repository_credentials_name != null ? [data.aws_secretsmanager_secret.creds[0].arn] : []
+    )
+    actions = [
       "secretsmanager:GetSecretValue",
     ]
+
   }
 }
 

diff --git a/variables.tf b/variables.tf
@@ -20,6 +20,12 @@ variable "secret_path" {
   default     = ""
 }
 
+variable "repository_credentials_name" {
+  description = "The SecretsManager Secret Name of the repository credentials to use"
+  type        = string
+  default     = null
+}
+
 variable "app_fqdn" {
   description = "FQDN of app to use. Set this only to override Route53 and ALB's DNS name."
   type        = string