From 9cf65cdc960956cff2908c34ee4f928bbc8e0ebd Mon Sep 17 00:00:00 2001
From: Lukas Deutz
Date: Wed, 6 Dec 2023 10:09:00 -0500
Subject: [PATCH] Allow passing repository_credentials for DockerHub access tokens

---
 ecs.tf       |  7 ++++++-
 iam.tf       | 34 +++++++++++++++++++++++++++-------
 variables.tf |  6 ++++++
 3 files changed, 39 insertions(+), 8 deletions(-)

diff --git a/ecs.tf b/ecs.tf
index 4abc446..39ff2a2 100644
--- a/ecs.tf
+++ b/ecs.tf
@@ -114,6 +114,11 @@ module "container_definition" {
   port_mappings = var.app_port_mapping
   mount_points  = var.ecs_mount_points
 
+  repository_credentials = (var.repository_credentials_name != null
+    ? { credentialsParameter = data.aws_secretsmanager_secret.creds[0].arn }
+    : null
+  )
+
   log_configuration = (var.enable_datadog_log_forwarder ? {
     logDriver = "awsfirelens"
     options = {
@@ -202,4 +207,4 @@ resource "aws_ecs_task_definition" "app" {
     }
   }
   tags = local.local_tags
-}
\ No newline at end of file
+}
diff --git a/iam.tf b/iam.tf
index 4bc3d39..eb21dd2 100644
--- a/iam.tf
+++ b/iam.tf
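Review bot: The secret ARN wired into `repository_credentials` is read by the ECS agent at image pull time under the task execution role, but neither this hunk nor the iam.tf one shows which role the `ecs_task_access_secrets` policy document is attached to; if it backs the task role only, the pull will fail with an access-denied on the secret, and if it backs both roles the application container also gains runtime read access to the DockerHub token, which it does not need. The new lines would benefit from a comment making that dependency explicit, e.g. `# Pull-time credentials: the execution role needs secretsmanager:GetSecretValue on this secret (see iam.tf)`, and the attachment in iam.tf should be confirmed. The `container_definition` module block starts and ends outside this hunk.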
@@ -30,25 +30,45 @@ resource "aws_iam_role_policy_attachment" "ecs_task_execution" {
   policy_arn = element(var.policies_arn, count.index)
 }
 
-###################
-## Secrets Acess ##
-###################
+####################
+## Secrets Access ##
+####################
+data "aws_secretsmanager_secret" "creds" {
+  count = var.repository_credentials_name != null ? 1 : 0
+  name  = var.repository_credentials_name
+}
+
+locals {
+  secretsmanager_arns = [
+    "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:/${local.secret_path}/*",
+    "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:/${var.environment}/shared/*"
+  ]
+}
 
 data "aws_iam_policy_document" "ecs_task_access_secrets" {
   statement {
     effect = "Allow"
-
     resources = [
       "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${local.secret_path}/*",
-      "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:/${local.secret_path}/*",
       "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/shared/*",
-      "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:/${var.environment}/shared/*"
     ]
-
     actions = [
+      "ssm:GetParameter",
       "ssm:GetParameters",
+      "ssm:GetParametersByPath",
+    ]
+  }
+
+  statement {
+    effect = "Allow"
+    resources = concat(
+      local.secretsmanager_arns,
+      var.repository_credentials_name != null ? [data.aws_secretsmanager_secret.creds[0].arn] : []
+    )
+    actions = [
       "secretsmanager:GetSecretValue",
     ]
+  }
 }
diff --git a/variables.tf b/variables.tf
index d5354fb..369f75e 100644
--- a/variables.tf
+++ b/variables.tf
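Review bot: The new `concat(...)` in the second statement folds the registry-credential secret into the same grant as the application's own secrets, so every principal this document is attached to gets `secretsmanager:GetSecretValue` on the DockerHub token; that secret is only consumed by the ECS agent at pull time, so a separate statement (or a separate policy document attached to the execution role alone) would keep the task role from being able to read it. Which role `ecs_task_access_secrets` is attached to is not visible in this hunk, so that part is inferred; the three-line change would be to move the `var.repository_credentials_name != null ? [...] : []` resource into its own `statement { ... }` with the same action. A short comment on the `data "aws_secretsmanager_secret" "creds"` block such as `# Looked up by name; the ARN feeds both the container definition and the pull-time IAM grant` would also help the next reader. The hunk's final `}` closes the policy document, so the block is complete here.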
@@ -20,6 +20,12 @@ variable "secret_path" {
   default     = ""
 }
 
+variable "repository_credentials_name" {
+  description = "The SecretsManager Secret Name of the repository credentials to use"
+  type        = string
+  default     = null
+}
+
 variable "app_fqdn" {
   description = "FQDN of app to use. Set this only to override Route53 and ALB's DNS name."
   type        = string
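Review bot: The description of `repository_credentials_name` leaves out the two things a caller needs to get right: the value is a secret name rather than an ARN (it is passed to a `data "aws_secretsmanager_secret"` lookup by `name` in iam.tf), and ECS expects the secret's value to be JSON with `username` and `password` keys for `repositoryCredentials`. Suggested wording: `description = "Name (not ARN) of the Secrets Manager secret holding the private-registry credentials as JSON with username and password keys; null disables private registry auth"`.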