update

terraform-modules · Apr 21, 2022 · 8594f79 · 8594f79
1 parent 81a595d
commit 8594f79
Showing 1 changed file with 28 additions and 9 deletions.
diff --git a/examples/fargate-cluster/roles.tf b/examples/fargate-cluster/roles.tf
@@ -3,18 +3,27 @@
 # task execution role
 #---
 locals {
-  vpc_id         = data.aws_vpc.ecs_vpc.id
   vpc_short_name = var.vpc_short_name
-  vpc_endpoints  = ["ecr_api", "ecr_dkr", "ecs", "logs", "secretsmanager", "ssm", ]
+  vpc_endpoints  = ["ecr.api", "ecr.dkr", "ecs", "logs", "secretsmanager", "ssm", ]
 
   task_base_format = "%v-ecs-task-execution-%v-%v"
-  task_base_name   = format(local.task_base_format, var.app_program, var.vpc_short_name, local.region)
+  task_base_name   = format(local.task_base_format, var.app_name, var.vpc_short_name, local.region)
   task_policy_name = format("p-%v", local.task_base_name)
 }
 
+data "aws_vpc_endpoint_service" "vpc_endpoints" {
+  for_each = toset(local.vpc_endpoints)
+  service  = each.key
+  filter {
+    name   = "service-type"
+    values = ["Interface"]
+  }
+}
+
 data "aws_vpc_endpoint" "vpc_endpoints" {
-  for_each     = toset(local.vpc_endpoints)
-  service_name = each.key
+  for_each     = data.aws_vpc_endpoint_service.vpc_endpoints
+  service_name = each.value.service_name
+  vpc_id       = data.aws_vpc.ecs_vpc.id
 }
 
 # note you have to create the policy before creating the role module
@@ -24,7 +33,7 @@ module "ecs_task_role" {
   source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
 
   role_name               = local.task_base_name
-  role_description        = format("Role for ECS for %v-%v task execution", var.app_program, var.app_environment)
+  role_description        = format("Role for ECS for %v-%v task execution", var.app_name, var.app_environment)
   attached_policies       = [aws_iam_policy.ecr_task_policy.arn]
   assume_policy_document  = data.aws_iam_policy_document.ecs_task_assume.json
   enable_instance_profile = false
@@ -39,7 +48,7 @@ module "ecs_task_role" {
 
 resource "aws_iam_policy" "ecr_task_policy" {
   name        = local.task_policy_name
-  description = format("Policy for ECS for %v-%v task execution", var.app_program, var.app_environment)
+  description = format("Policy for ECS for %v-%v task execution", var.app_name, var.app_environment)
   path        = "/"
   policy      = data.aws_iam_policy_document.ecr_task_policy.json
 }
@@ -81,7 +90,7 @@ data "aws_iam_policy_document" "ecr_task_policy" {
     condition {
       test     = "StringEquals"
       variable = "aws:sourceVpce"
-      values   = [for k, v in data.aws_vpc_endpoint : v.id]
+      values   = [for k, v in data.aws_vpc_endpoint.vpc_endpoints : v.id]
     }
     condition {
       test     = "StringEquals"
@@ -122,7 +131,7 @@ module "ecs_instance_role" {
   source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
 
   role_name               = local.instance_base_name
-  role_description        = format("Role for ECS for %v-%v instance", var.app_program, var.app_environment)
+  role_description        = format("Role for ECS for %v-%v instance", var.app_name, var.app_environment)
   attached_policies       = [for k, p in data.aws_iam_policy.instance_managed_policies : p.arn]
   assume_policy_document  = data.terraform_remote_state.common.outputs.custom_policy_documents["ec2_assume"].policy
   enable_instance_profile = true
@@ -134,3 +143,13 @@ module "ecs_instance_role" {
     { "Name" = local.instance_base_name },
   )
 }
+
+output "ecs_task_role_arn" {
+  description = "ECS Task Role ARN"
+  value = module.ecs_task_role.role_arn
+}
+
+output "ecs_instance_role_arn" {
+  description = "ECS Instance Role ARN"
+  value = module.ecs_instance_role.role_arn
+}