From a4dc982b8a38a367b28d425732714105bd1ba882 Mon Sep 17 00:00:00 2001 From: 3rmack Date: Sat, 4 May 2019 16:03:43 +0300 Subject: [PATCH] add aws secrets manager --- define-policies.tf | 28 ++++++++++++++++++++++++++++ variables.tf | 5 +++++ 2 files changed, 33 insertions(+) diff --git a/define-policies.tf b/define-policies.tf index ac4d17b..9cd1d1f 100644 --- a/define-policies.tf +++ b/define-policies.tf @@ -84,6 +84,21 @@ resource "aws_iam_role_policy_attachment" "attach-allow-elb" { # name = "ecsTaskExecutionRole" # } +data "aws_iam_policy_document" "ecs-service-allow-secrets-manager" { + count = "${var.aws_secrets_manager_secret_arn != "" ? 1 : 0}" + statement { + effect = "Allow" + + actions = [ + "secretsmanager:GetSecretValue" + ] + + resources = [ + "${var.aws_secrets_manager_secret_arn}" + ] + } +} + data "aws_iam_policy_document" "ecs-task-access-ecr" { statement { effect = "Allow" @@ -116,6 +131,13 @@ data "aws_iam_policy_document" "ecs-task-access-cloudwatch" { } } +resource "aws_iam_policy" "ecs-service-allow-secrets-manager" { + count = "${var.aws_secrets_manager_secret_arn != "" ? 1 : 0}" + name = "ecs-service-allow-secrets-manager-${var.project}-${var.service}-${var.environment}" + description = "ECS Service policy to access Secrets Manager" + policy = "${data.aws_iam_policy_document.ecs-service-allow-secrets-manager.json}" +} + resource "aws_iam_policy" "ecs-task-access-ecr" { name = "ecs-task-allow-ec2-${var.project}-${var.service}-${var.environment}" description = "ECS task policy to access ECR" @@ -150,6 +172,12 @@ EOF tags = "${merge(local.default_tags, var.tags)}" } +resource "aws_iam_role_policy_attachment" "attach-allow-secrets-manager" { + count = "${var.aws_secrets_manager_secret_arn != "" ? 1 : 0}" + role = "${aws_iam_role.ecs-task-execution.name}" + policy_arn = "${aws_iam_policy.ecs-service-allow-secrets-manager.arn}" +} + resource "aws_iam_role_policy_attachment" "attach-allow-ecr" { role = "${aws_iam_role.ecs-task-execution.name}" policy_arn = "${aws_iam_policy.ecs-task-access-ecr.arn}" diff --git a/variables.tf b/variables.tf index 67d7de6..75e0dff 100644 --- a/variables.tf +++ b/variables.tf @@ -82,6 +82,11 @@ variable "task_role_arn" { default = "" } +variable "aws_secrets_manager_secret_arn" { + description = "ARN of specific AWS Secrets Manager secret which stores credentials for accessing private docker images registry" + default = "" +} + variable "tags" { type = "map" description = "Additional tags for all resources"