WIP

somleng · Aug 22, 2024 · 9486ae8 · 9486ae8
1 parent ab54b7b
commit 9486ae8
Show file tree

Hide file tree

Showing 5 changed files with 87 additions and 80 deletions.
diff --git a/infrastructure/modules/switch/ecs.tf b/infrastructure/modules/switch/ecs.tf
@@ -318,8 +318,8 @@ resource "aws_ecs_task_definition" "this" {
     }
   ])
 
-  task_role_arn      = aws_iam_role.ecs_task_role.arn
-  execution_role_arn = aws_iam_role.task_execution_role.arn
+  task_role_arn      = local.iam_task_role.arn
+  execution_role_arn = local.iam_task_execution_role.arn
   memory             = module.container_instances.ec2_instance_type.memory_size - 512
 
   volume {

diff --git a/infrastructure/modules/switch/iam.tf b/infrastructure/modules/switch/iam.tf
@@ -1,107 +1,96 @@
-data "aws_iam_policy_document" "ecs_task_assume_role_policy" {
-  version = "2012-10-17"
+locals {
+  create_iam_task_role           = var.iam_task_role == null
+  create_iam_task_execution_role = var.iam_task_execution_role == null
+  iam_task_role                  = local.create_iam_task_role ? aws_iam_role.ecs_task_role[0] : var.iam_task_role
+  iam_task_execution_role        = local.create_iam_task_execution_role ? aws_iam_role.task_execution_role[0] : var.iam_task_execution_role
+}
+
+data "aws_iam_policy_document" "assume_role" {
   statement {
-    sid     = ""
-    effect  = "Allow"
-    actions = ["sts:AssumeRole"]
+    effect = "Allow"
 
     principals {
       type        = "Service"
       identifiers = ["ecs-tasks.amazonaws.com"]
     }
+
+    actions = ["sts:AssumeRole"]
   }
 }
 
+# ECS Task Role
+
 resource "aws_iam_role" "ecs_task_role" {
+  count              = local.create_iam_task_role ? 1 : 0
   name               = "${var.identifier}-ecs-task-role"
-  assume_role_policy = data.aws_iam_policy_document.ecs_task_assume_role_policy.json
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
 }
 
-resource "aws_iam_role" "task_execution_role" {
-  name = "${var.identifier}-ecsTaskExecutionRole"
-
-  assume_role_policy = <<EOF
-{
-  "Version": "2008-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": ["ecs-tasks.amazonaws.com"]
-      },
-      "Effect": "Allow"
-    }
-  ]
-}
-EOF
+data "aws_iam_policy_document" "ecs_task_policy" {
+  statement {
+    effect    = "Allow"
+    actions   = ["polly:DescribeVoices", "polly:SynthesizeSpeech"]
+    resources = ["*"]
+  }
+
+  statement {
+    effect    = "Allow"
+    actions   = ["lambda:InvokeFunction"]
+    resources = [var.services_function.arn]
+  }
 }
 
-resource "aws_iam_policy" "task_execution_custom_policy" {
-  name = "${var.identifier}-task-execution-custom-policy"
-
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "ssm:GetParameters"
-      ],
-      "Resource": [
-        "${local.application_master_key_parameter.arn}",
-        "${local.rayo_password_parameter.arn}",
-        "${local.freeswitch_event_socket_password_parameter.arn}",
-        "${var.json_cdr_password_parameter.arn}",
-        "${local.recordings_bucket_access_key_id_parameter.arn}",
-        "${local.recordings_bucket_secret_access_key_parameter.arn}"
-      ]
-    }
-  ]
+resource "aws_iam_policy" "ecs_task_policy" {
+  count = local.create_iam_task_role ? 1 : 0
+  name  = "${var.identifier}-ecs-task-policy"
+
+  policy = data.aws_iam_policy_document.ecs_task_policy.json
 }
-EOF
+
+resource "aws_iam_role_policy_attachment" "ecs_task_custom_policy" {
+  count      = local.create_iam_task_role ? 1 : 0
+  role       = aws_iam_role.ecs_task_role[0].id
+  policy_arn = aws_iam_policy.ecs_task_policy[0].arn
 }
 
-resource "aws_iam_policy" "ecs_task_policy" {
-  name = "${var.identifier}-ecs-task-policy"
-
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "polly:DescribeVoices",
-        "polly:SynthesizeSpeech"
-      ],
-      "Resource": "*"
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "lambda:InvokeFunction"
-      ],
-      "Resource": [
-        "${var.services_function.arn}"
-      ]
-    }
-  ]
+# ECS Task Execution Role
+
+resource "aws_iam_role" "task_execution_role" {
+  count              = local.create_iam_task_execution_role ? 1 : 0
+  name               = "${var.identifier}-ecsTaskExecutionRole"
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
 }
-EOF
+
+data "aws_iam_policy_document" "task_execution_policy" {
+  statement {
+    effect  = "Allow"
+    actions = ["ssm:GetParameters"]
+    resources = [
+      local.application_master_key_parameter.arn,
+      local.rayo_password_parameter.arn,
+      local.freeswitch_event_socket_password_parameter.arn,
+      var.json_cdr_password_parameter.arn,
+      local.recordings_bucket_access_key_id_parameter.arn,
+      local.recordings_bucket_secret_access_key_parameter.arn
+    ]
+  }
 }
 
-resource "aws_iam_role_policy_attachment" "ecs_task_custom_policy" {
-  role       = aws_iam_role.ecs_task_role.id
-  policy_arn = aws_iam_policy.ecs_task_policy.arn
+resource "aws_iam_policy" "task_execution_custom_policy" {
+  count = local.create_iam_task_execution_role ? 1 : 0
+  name  = "${var.identifier}-task-execution-custom-policy"
+
+  policy = data.aws_iam_policy_document.task_execution_policy.json
 }
 
 resource "aws_iam_role_policy_attachment" "task_execution_custom_policy" {
-  role       = aws_iam_role.task_execution_role.id
-  policy_arn = aws_iam_policy.task_execution_custom_policy.arn
+  count      = local.create_iam_task_execution_role ? 1 : 0
+  role       = aws_iam_role.task_execution_role[0].id
+  policy_arn = aws_iam_policy.task_execution_custom_policy[0].arn
 }
 
 resource "aws_iam_role_policy_attachment" "task_execution_role_policy" {
-  role       = aws_iam_role.task_execution_role.id
+  count      = local.create_iam_task_execution_role ? 1 : 0
+  role       = aws_iam_role.task_execution_role[0].id
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
diff --git a/infrastructure/modules/switch/outputs.tf b/infrastructure/modules/switch/outputs.tf
@@ -29,3 +29,11 @@ output "freeswitch_event_socket_password_parameter" {
 output "container_instances" {
   value = module.container_instances
 }
+
+output "iam_task_role" {
+  value = local.iam_task_role
+}
+
+output "iam_task_execution_role" {
+  value = local.iam_task_execution_role
+}
diff --git a/infrastructure/modules/switch/variables.tf b/infrastructure/modules/switch/variables.tf
@@ -56,6 +56,14 @@ variable "container_instance_profile" {
   default = null
 }
 
+variable "iam_task_role" {
+  default = null
+}
+
+variable "iam_task_execution_role" {
+  default = null
+}
+
 variable "json_cdr_password_parameter" {}
 variable "services_function" {}
 variable "efs_cache_name" {}

diff --git a/infrastructure/staging/switch.tf b/infrastructure/staging/switch.tf
@@ -52,6 +52,8 @@ module "switch_helium" {
   rayo_password_parameter                       = module.switch.rayo_password_parameter
   freeswitch_event_socket_password_parameter    = module.switch.freeswitch_event_socket_password_parameter
   container_instance_profile                    = module.switch.container_instances.iam_instance_profile
+  iam_task_role                                 = module.switch.iam_task_role
+  iam_task_execution_role                       = module.switch.iam_task_execution_role
 
   min_tasks = 0
   max_tasks = 2