Use map for task & task exec policy arns variables (#194)

* Add option to trigger a redeployment on apply (#193) * Add option to trigger a redeployment on apply * add triggers var to each variation of ecs_service * set redeployment trigger value in locals * Update example version and fixture * Update readme * Bump min tf version to 0.14 doc: rebuild readme * Run pr/auto-format/host locally * Modify task_policy_arns to use map - avoid Terraform for_each error related to dependency on resources known after apply - deprecate var task_policy_arns - replace with task_policy_arns_map * Use map instead of list for task_policy_arns * Replace task_exec_policy_arns with task_exec_policy_arns_map - deprecate task_exec_policy_arns - add test input for task_policy_arns * Rename test policy statement * Update readme * Auto Format * bump tf version for examples --------- Co-authored-by: cloudpossebot <[email protected]>
cloudposse · Mar 1, 2023 · c9f96f1 · MaxymVlasov · Mar 14, 2023 · c9f96f1
1 parent c228577
commit c9f96f1
Show file tree

Hide file tree

Showing 9 changed files with 73 additions and 11 deletions.
diff --git a/.gitignore b/.gitignore
@@ -9,3 +9,7 @@
 
 .build-harness
 build-harness
+
+# Test output
+test.log
+.terraform.lock.hcl
diff --git a/README.md b/README.md
@@ -368,10 +368,12 @@ Available targets:
 | <a name="input_task_cpu"></a> [task\_cpu](#input\_task\_cpu) | The number of CPU units used by the task. If using `FARGATE` launch type `task_cpu` must match [supported memory values](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) | `number` | `256` | no |
 | <a name="input_task_definition"></a> [task\_definition](#input\_task\_definition) | Reuse an existing task definition family and revision for the ecs service instead of creating one | `string` | `null` | no |
 | <a name="input_task_exec_policy_arns"></a> [task\_exec\_policy\_arns](#input\_task\_exec\_policy\_arns) | A list of IAM Policy ARNs to attach to the generated task execution role. | `list(string)` | `[]` | no |
+| <a name="input_task_exec_policy_arns_map"></a> [task\_exec\_policy\_arns\_map](#input\_task\_exec\_policy\_arns\_map) | A map of name to IAM Policy ARNs to attach to the generated task execution role. | `map(string)` | `{}` | no |
 | <a name="input_task_exec_role_arn"></a> [task\_exec\_role\_arn](#input\_task\_exec\_role\_arn) | A `list(string)` of zero or one ARNs of IAM roles that allows the<br>ECS/Fargate agent to make calls to the ECS API on your behalf.<br>If the list is empty, a role will be created for you.<br>DEPRECATED: you can also pass a `string` with the ARN, but that<br>string must be known a "plan" time. | `any` | `[]` | no |
 | <a name="input_task_memory"></a> [task\_memory](#input\_task\_memory) | The amount of memory (in MiB) used by the task. If using Fargate launch type `task_memory` must match [supported cpu value](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) | `number` | `512` | no |
 | <a name="input_task_placement_constraints"></a> [task\_placement\_constraints](#input\_task\_placement\_constraints) | A set of placement constraints rules that are taken into consideration during task placement.<br>Maximum number of placement\_constraints is 10. See [`placement_constraints`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#placement-constraints-arguments) | <pre>list(object({<br>    type       = string<br>    expression = string<br>  }))</pre> | `[]` | no |
 | <a name="input_task_policy_arns"></a> [task\_policy\_arns](#input\_task\_policy\_arns) | A list of IAM Policy ARNs to attach to the generated task role. | `list(string)` | `[]` | no |
+| <a name="input_task_policy_arns_map"></a> [task\_policy\_arns\_map](#input\_task\_policy\_arns\_map) | A map of name to IAM Policy ARNs to attach to the generated task role. | `map(string)` | `{}` | no |
 | <a name="input_task_role_arn"></a> [task\_role\_arn](#input\_task\_role\_arn) | A `list(string)` of zero or one ARNs of IAM roles that allows<br>your Amazon ECS container task to make calls to other AWS services.<br>If the list is empty, a role will be created for you.<br>DEPRECATED: you can also pass a `string` with the ARN, but that<br>string must be known a "plan" time. | `any` | `[]` | no |
 | <a name="input_tenant"></a> [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
 | <a name="input_use_alb_security_group"></a> [use\_alb\_security\_group](#input\_use\_alb\_security\_group) | A flag to enable/disable allowing traffic from the ALB security group to the service security group | `bool` | `false` | no |

diff --git a/docs/terraform.md b/docs/terraform.md
@@ -121,10 +121,12 @@
 | <a name="input_task_cpu"></a> [task\_cpu](#input\_task\_cpu) | The number of CPU units used by the task. If using `FARGATE` launch type `task_cpu` must match [supported memory values](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) | `number` | `256` | no |
 | <a name="input_task_definition"></a> [task\_definition](#input\_task\_definition) | Reuse an existing task definition family and revision for the ecs service instead of creating one | `string` | `null` | no |
 | <a name="input_task_exec_policy_arns"></a> [task\_exec\_policy\_arns](#input\_task\_exec\_policy\_arns) | A list of IAM Policy ARNs to attach to the generated task execution role. | `list(string)` | `[]` | no |
+| <a name="input_task_exec_policy_arns_map"></a> [task\_exec\_policy\_arns\_map](#input\_task\_exec\_policy\_arns\_map) | A map of name to IAM Policy ARNs to attach to the generated task execution role. | `map(string)` | `{}` | no |
 | <a name="input_task_exec_role_arn"></a> [task\_exec\_role\_arn](#input\_task\_exec\_role\_arn) | A `list(string)` of zero or one ARNs of IAM roles that allows the<br>ECS/Fargate agent to make calls to the ECS API on your behalf.<br>If the list is empty, a role will be created for you.<br>DEPRECATED: you can also pass a `string` with the ARN, but that<br>string must be known a "plan" time. | `any` | `[]` | no |
 | <a name="input_task_memory"></a> [task\_memory](#input\_task\_memory) | The amount of memory (in MiB) used by the task. If using Fargate launch type `task_memory` must match [supported cpu value](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) | `number` | `512` | no |
 | <a name="input_task_placement_constraints"></a> [task\_placement\_constraints](#input\_task\_placement\_constraints) | A set of placement constraints rules that are taken into consideration during task placement.<br>Maximum number of placement\_constraints is 10. See [`placement_constraints`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#placement-constraints-arguments) | <pre>list(object({<br>    type       = string<br>    expression = string<br>  }))</pre> | `[]` | no |
 | <a name="input_task_policy_arns"></a> [task\_policy\_arns](#input\_task\_policy\_arns) | A list of IAM Policy ARNs to attach to the generated task role. | `list(string)` | `[]` | no |
+| <a name="input_task_policy_arns_map"></a> [task\_policy\_arns\_map](#input\_task\_policy\_arns\_map) | A map of name to IAM Policy ARNs to attach to the generated task role. | `map(string)` | `{}` | no |
 | <a name="input_task_role_arn"></a> [task\_role\_arn](#input\_task\_role\_arn) | A `list(string)` of zero or one ARNs of IAM roles that allows<br>your Amazon ECS container task to make calls to other AWS services.<br>If the list is empty, a role will be created for you.<br>DEPRECATED: you can also pass a `string` with the ARN, but that<br>string must be known a "plan" time. | `any` | `[]` | no |
 | <a name="input_tenant"></a> [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
 | <a name="input_use_alb_security_group"></a> [use\_alb\_security\_group](#input\_use\_alb\_security\_group) | A flag to enable/disable allowing traffic from the ALB security group to the service security group | `bool` | `false` | no |

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -45,6 +45,29 @@ module "container_definition" {
   port_mappings                = var.container_port_mappings
 }
 
+module "test_policy" {
+  source  = "cloudposse/iam-policy/aws"
+  version = "0.4.0"
+
+  name       = "policy"
+  attributes = ["test"]
+
+  iam_policy_enabled = true
+  description        = "Test policy"
+
+  iam_policy_statements = [
+    {
+      sid        = "DummyStatement"
+      effect     = "Allow"
+      actions    = ["none:null"]
+      resources  = ["*"]
+      conditions = []
+    }
+  ]
+
+  context = module.this.context
+}
+
 module "ecs_alb_service_task" {
   source                             = "../.."
   alb_security_group                 = module.vpc.vpc_default_security_group_id
@@ -65,6 +88,10 @@ module "ecs_alb_service_task" {
   task_memory                        = var.task_memory
   task_cpu                           = var.task_cpu
   ecs_service_enabled                = var.ecs_service_enabled
+  force_new_deployment               = var.force_new_deployment
+  redeploy_on_apply                  = var.redeploy_on_apply
+  task_policy_arns                   = [module.test_policy.policy_arn]
+  # task_policy_arns_map = { test = module.test_policy.policy_arn }
 
   context = module.this.context
 }
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
@@ -126,3 +126,15 @@ variable "ecs_service_enabled" {
   description = "Whether or not to create the aws_ecs_service resource"
   default     = true
 }
+
+variable "force_new_deployment" {
+  type        = bool
+  description = "Enable to force a new task deployment of the service."
+  default     = false
+}
+
+variable "redeploy_on_apply" {
+  type        = bool
+  description = "Updates the service to the latest task definition on each apply"
+  default     = false
+}
diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.14.0"
+  required_version = ">= 1.0"
 
   required_providers {
     aws = {

diff --git a/main.tf b/main.tf
@@ -13,6 +13,10 @@ locals {
   redeployment_trigger = var.force_new_deployment && var.redeploy_on_apply ? {
     redeployment = timestamp()
   } : {}
+
+  task_policy_arns_map = length(var.task_policy_arns) > 0 ? { for i, a in var.task_policy_arns : i => a } : var.task_policy_arns_map
+
+  task_exec_policy_arns_map = length(var.task_exec_policy_arns) > 0 ? { for i, a in var.task_exec_policy_arns : i => a } : var.task_exec_policy_arns_map
 }
 
 module "task_label" {
@@ -163,7 +167,7 @@ resource "aws_iam_role" "ecs_task" {
 }
 
 resource "aws_iam_role_policy_attachment" "ecs_task" {
-  for_each   = local.create_task_role ? toset(var.task_policy_arns) : toset([])
+  for_each   = local.create_task_role ? local.task_policy_arns_map : {}
   policy_arn = each.value
   role       = join("", aws_iam_role.ecs_task.*.id)
 }
@@ -290,7 +294,7 @@ resource "aws_iam_role_policy" "ecs_exec" {
 }
 
 resource "aws_iam_role_policy_attachment" "ecs_exec" {
-  for_each   = local.create_exec_role ? toset(var.task_exec_policy_arns) : toset([])
+  for_each   = local.create_exec_role ? local.task_exec_policy_arns_map : {}
   policy_arn = each.value
   role       = join("", aws_iam_role.ecs_exec.*.id)
 }

diff --git a/variables-deprecated.tf b/variables-deprecated.tf
@@ -0,0 +1,11 @@
+variable "task_policy_arns" {
+  type        = list(string)
+  description = "A list of IAM Policy ARNs to attach to the generated task role."
+  default     = []
+}
+
+variable "task_exec_policy_arns" {
+  type        = list(string)
+  description = "A list of IAM Policy ARNs to attach to the generated task execution role."
+  default     = []
+}
diff --git a/variables.tf b/variables.tf
@@ -193,10 +193,10 @@ variable "task_exec_role_arn" {
   default     = []
 }
 
-variable "task_exec_policy_arns" {
-  type        = list(string)
-  description = "A list of IAM Policy ARNs to attach to the generated task execution role."
-  default     = []
+variable "task_exec_policy_arns_map" {
+  type        = map(string)
+  description = "A map of name to IAM Policy ARNs to attach to the generated task execution role."
+  default     = {}
 }
 
 variable "task_role_arn" {
@@ -211,10 +211,10 @@ variable "task_role_arn" {
   default     = []
 }
 
-variable "task_policy_arns" {
-  type        = list(string)
-  description = "A list of IAM Policy ARNs to attach to the generated task role."
-  default     = []
+variable "task_policy_arns_map" {
+  type        = map(string)
+  description = "A map of name to IAM Policy ARNs to attach to the generated task role."
+  default     = {}
 }
 
 variable "service_role_arn" {