Change required version aws provider, Add submodule

Author: oanhnn

.github/dependabot.yml

@@ -4,9 +4,42 @@
 version: 2
 updates:
 
-  - package-ecosystem: "github-actions"
-    directory: "/"
+  - package-ecosystem: github-actions
+    directory: /
     schedule:
-      interval: "weekly"
+      interval: weekly
+      day: monday
+      time: "12:00"
+      timezone: Asia/Ho_Chi_Minh
     labels:
-      - "dependencies"
+      - dependencies
+
+  - package-ecosystem: terraform
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+      time: "12:00"
+      timezone: Asia/Ho_Chi_Minh
+    labels:
+      - dependencies
+
+  - package-ecosystem: terraform
+    directory: /modules/ecs-execution-role
+    schedule:
+      interval: weekly
+      day: monday
+      time: "12:00"
+      timezone: Asia/Ho_Chi_Minh
+    labels:
+      - dependencies
+
+  - package-ecosystem: terraform
+    directory: /modules/ecs-task-role
+    schedule:
+      interval: weekly
+      day: monday
+      time: "12:00"
+      timezone: Asia/Ho_Chi_Minh
+    labels:
+      - dependencies

Makefile

@@ -60,6 +60,7 @@ validate: ## Validate Terraform files
 .PHONY: docs
 docs: ## Generate README.md
 	terraform-docs markdown . \
+		--recursive \
 		--sort-by required \
 		--output-file README.md \
 		--output-mode insert

README.md

@@ -7,7 +7,7 @@ Terraform module which creates ECS cluster resources on AWS.
 ```hcl
 module "php" {
   source  = "rabiloo/ecs/aws"
-  version = "~> 0.2.0"
+  version = "~> 0.2.1"
 
   name = "app-ecs-cluster"
   capacity_providers = ["FARGATE", "FARGATE_SPOT"]
@@ -26,14 +26,14 @@ module "php" {
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.2 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.52 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >=1.2 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >=4.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.52.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >=4.0 |
 
 ## Modules
 
@@ -85,5 +85,5 @@ If you would like to help take a look at the [list of issues](https://github.com
 ## License
 
 This project is released under the MIT License.   
-Copyright © 2021 [Rabiloo Co., Ltd](https://rabiloo.com)   
+Copyright © 2023 [Rabiloo Co., Ltd](https://rabiloo.com)   
 Please see [License File](LICENSE) for more information.

modules/ecs-execution-role/README.md

@@ -0,0 +1,91 @@
+# ECS Task Execution Role submodule
+
+This submodule help create an IAM assumable role for ECS Task Execution Role
+
+## Usage
+
+```hcl
+module "task_execution_role" {
+  source  = "rabiloo/ecs/aws//modules/ecs-execution-role"
+  version = ">=0.2.1"
+
+  name = "custom-ecs-execution-role"
+  path = "/service-roles/"
+
+  readable_kms_keys_arn = [
+    "arn:aws:kms:<region>:<account_id>:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+  ]
+  readable_secrets_arn = [
+    "arn:aws:secretsmanager:<region>:<account_id>:secret:example-123456",
+  ]
+
+  tags = {
+    Owner   = "user"
+    Service = "app-name"
+    Managed = "Terraform"
+  }
+}
+```
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >=1.2 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >=4.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >=4.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_policy"></a> [policy](#module\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | ~>5.14.0 |
+| <a name="module_this"></a> [this](#module\_this) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | ~>5.14.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.AmazonECSTaskExecutionRolePolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_name"></a> [name](#input\_name) | The name of the IAM role | `string` | n/a | yes |
+| <a name="input_description"></a> [description](#input\_description) | The description of the IAM role | `string` | `"This is a customized role"` | no |
+| <a name="input_path"></a> [path](#input\_path) | The path to the IAM role | `string` | `"/"` | no |
+| <a name="input_readable_kms_keys_arn"></a> [readable\_kms\_keys\_arn](#input\_readable\_kms\_keys\_arn) | The list KMS key\_id | `list(string)` | `[]` | no |
+| <a name="input_readable_secrets_arn"></a> [readable\_secrets\_arn](#input\_readable\_secrets\_arn) | The list secret ARN | `list(string)` | `[]` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | The list of tags to apply to the IAM role | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | The ARN of the IAM role |
+| <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | The name of the IAM role |
+| <a name="output_iam_role_unique_id"></a> [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | The unique ID of the IAM role |
+<!-- END_TF_DOCS -->
+
+## Contributing
+
+All code contributions must go through a pull request and approved by a core developer before being merged.
+This is to ensure proper review of all the code.
+
+Fork the project, create a feature branch, and send a pull request.
+
+If you would like to help take a look at the [list of issues](https://github.com/rabiloo/terraform-aws-ecs/issues).
+
+## License
+
+This project is released under the MIT License.
+Copyright © 2023 [Rabiloo Co., Ltd](https://rabiloo.com)
+Please see [License File](https://github.com/rabiloo/terraform-aws-ecs/blob/master/LICENSE) for more information.

modules/ecs-execution-role/main.tf

@@ -0,0 +1,94 @@
+# https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html
+# The task execution role grants the Amazon ECS container and Fargate agents permission
+# to make AWS API calls on your behalf.
+# It includes the following permissions:
+# - pulling a container image from an Amazon ECR private repository
+# - sends container logs to CloudWatch Logs using the awslogs log driver
+# - using private registry authentication
+# - referencing sensitive data using Secrets Manager secrets or AWS Systems Manager Parameter Store parameters
+
+data "aws_iam_policy" "AmazonECSTaskExecutionRolePolicy" {
+  name = "AmazonECSTaskExecutionRolePolicy"
+}
+
+data "aws_iam_policy_document" "policy" {
+  // TODO: test this statement is required?
+  statement {
+    sid    = "AllowECSExecCommand"
+    effect = "Allow"
+    actions = [
+      "ssmmessages:CreateControlChannel",
+      "ssmmessages:CreateDataChannel",
+      "ssmmessages:OpenControlChannel",
+      "ssmmessages:OpenDataChannel"
+    ]
+    resources = ["*"]
+  }
+
+  # statement {
+  #   sid = "AllowGetSecrets"
+  #   effect = "Allow"
+  #   actions = [
+  #     "kms:Decrypt",
+  #     "secretsmanager:GetSecretValue"
+  #   ]
+  #   resources = [
+  #     "arn:aws:secretsmanager:<region>:<aws_account_id>:secret:secret_name",
+  #     "arn:aws:kms:<region>:<aws_account_id>:key/key_id"
+  #   ]
+  # }
+
+  dynamic "statement" {
+    for_each = (length(var.readable_kms_keys_arn) > 0 && length(var.readable_secrets_arn) > 0) ? [true] : []
+    content {
+      sid    = "AllowGetSecrets"
+      effect = "Allow"
+      actions = [
+        "kms:Decrypt",
+        "secretsmanager:GetSecretValue",
+      ]
+      resources = concat(
+        var.readable_kms_keys_arn,
+        var.readable_secrets_arn,
+      )
+    }
+  }
+}
+
+module "policy" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
+  version = "~>5.14.0"
+
+  name   = "${var.name}-policies"
+  policy = data.aws_iam_policy_document.policy.json
+  tags   = var.tags
+}
+
+module "this" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+  version = "~>5.14.0"
+
+  role_name        = var.name
+  role_path        = var.path
+  role_description = var.description
+  tags             = var.tags
+
+  create_role       = true
+  role_requires_mfa = false
+
+  trusted_role_actions = [
+    "sts:AssumeRole",
+  ]
+  trusted_role_services = [
+    "ecs.amazonaws.com",
+    "ecs-tasks.amazonaws.com",
+  ]
+  custom_role_policy_arns = [
+    data.aws_iam_policy.AmazonECSTaskExecutionRolePolicy.arn,
+    module.policy.arn,
+  ]
+
+  depends_on = [
+    module.policy,
+  ]
+}

modules/ecs-execution-role/outputs.tf

@@ -0,0 +1,14 @@
+output "iam_role_unique_id" {
+  description = "The unique ID of the IAM role"
+  value       = module.this.iam_role_unique_id
+}
+
+output "iam_role_name" {
+  description = "The name of the IAM role"
+  value       = module.this.iam_role_name
+}
+
+output "iam_role_arn" {
+  description = "The ARN of the IAM role"
+  value       = module.this.iam_role_arn
+}

modules/ecs-execution-role/variables.tf

@@ -0,0 +1,49 @@
+variable "name" {
+  description = "The name of the IAM role"
+  type        = string
+
+  validation {
+    condition     = var.name != ""
+    error_message = "The name MUST be not empty."
+  }
+
+  validation {
+    condition     = var.name == replace(var.name, "/[^a-zA-Z0-9-_]+/", "")
+    error_message = "The name MUST be alphanumeric and can contain dashes and underscores."
+  }
+}
+
+variable "tags" {
+  description = "The list of tags to apply to the IAM role"
+  type        = map(string)
+  default     = {}
+}
+
+variable "path" {
+  description = "The path to the IAM role"
+  type        = string
+  default     = "/"
+
+  validation {
+    condition     = var.path == replace(var.path, "/[^a-zA-Z0-9-_\\/]+/", "")
+    error_message = "The path MUST be alphanumeric and can contain dashes, underscores and slashs."
+  }
+}
+
+variable "description" {
+  description = "The description of the IAM role"
+  type        = string
+  default     = "This is a customized role"
+}
+
+variable "readable_kms_keys_arn" {
+  description = "The list KMS key_id"
+  type        = list(string)
+  default     = []
+}
+
+variable "readable_secrets_arn" {
+  description = "The list secret ARN"
+  type        = list(string)
+  default     = []
+}

modules/ecs-execution-role/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">=1.2"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">=4.0"
+    }
+  }
+}