Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Attach ssm permissions to ecs fargate job module #407

Merged
merged 2 commits into from
Jul 7, 2022
Merged

feat: Attach ssm permissions to ecs fargate job module #407

merged 2 commits into from
Jul 7, 2022

Conversation

tapanr
Copy link
Contributor

@tapanr tapanr commented Jul 6, 2022
edited
Loading

Adding an option to attach ssm permission to ecs fargate job module. This option can be used when the task running in ECS Fargate needs to use parameter store to retrieve secret credentials.

Background on why we needed this: We plan to deploy a docker image on ECS Fargate which needs to set some authentication credentials as its environment variables. Since these are confidential credentials, we have stored them in parameter store and hence ECS task needs access to that store to retrieve them.

@tapanr tapanr requested a review from a team as a code owner July 6, 2022 17:49
@tapanr tapanr requested a review from naihsuanshao July 6, 2022 17:49
@tapanr tapanr changed the title Attach ssm permissions to ecs fargate job module feat: Attach ssm permissions to ecs fargate job module Jul 6, 2022
michaelmcchen
michaelmcchen reviewed Jul 6, 2022
View reviewed changes
aws-ecs-job-fargate/variables.tf Outdated
variable "ssm_arn" {
type = string
default = null
description = "Parameter Store ARN"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
description = "Parameter Store ARN"
description = "SSM Parameter Store ARN. If present, allows ECS task to make ssm:GetParameters call."

aws-ecs-job-fargate/iam.tf Outdated
"ssm:GetParameters",
]

resources = [var.ssm_arn]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
resources = [var.ssm_arn]
resources = var.ssm_parameter_store_arns

I'd make this a list so that we're granting access to specific keys in Parameter Store. Even though you can somewhat achieve the same behavior by providing an ARN prefix, I think this is much more flexible.

@tapanr tapanr force-pushed the add-ssm-permissions-to-ecs-fargate-job branch from d7f2dc8 to 21c66f9 Compare July 7, 2022 22:38
alldoami
alldoami approved these changes Jul 7, 2022
View reviewed changes
Copy link
Contributor

@alldoami alldoami left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for reviewing @michaelmcchen! @tapanr lmk if you need a release after this

@alldoami alldoami merged commit 5696d1d into main Jul 7, 2022
@alldoami alldoami deleted the add-ssm-permissions-to-ecs-fargate-job branch July 7, 2022 22:58
@czi-github-helper czi-github-helper bot mentioned this pull request Jul 7, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michaelmcchen michaelmcchen michaelmcchen left review comments

@alldoami alldoami alldoami approved these changes

@naihsuanshao naihsuanshao Awaiting requested review from naihsuanshao naihsuanshao is a code owner automatically assigned from chanzuckerberg/czi-shared-infra

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tapanr @michaelmcchen @alldoami