

added config flag for S3 policy
moritzzimmer committed Apr 29, 2024
1 parent b40fcc4 commit a69a131
Showing 3 changed files with 13 additions and 7 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -222,6 +222,7 @@ for example.
| <a name="input_app_mesh"></a> [app\_mesh](#input\_app\_mesh) | Configuration of optional AWS App Mesh integration using an Envoy sidecar. | <pre>object({<br> container_definition = optional(any, {})<br> container_name = optional(string, "envoy")<br> enabled = optional(bool, false)<br> mesh_name = optional(string, "apps")<br><br> tls = optional(object({<br> acm_certificate_arn = optional(string)<br> root_ca_arn = optional(string)<br> }), {})<br> })</pre> | `{}` | no |
| <a name="input_appautoscaling_settings"></a> [appautoscaling\_settings](#input\_appautoscaling\_settings) | Autoscaling configuration for this service. | `map(any)` | `null` | no |
| <a name="input_assign_public_ip"></a> [assign\_public\_ip](#input\_assign\_public\_ip) | Assign a public IP address to the ENI of this service. | `bool` | `false` | no |
| <a name="input_attach_fluentbit_init_policy"></a> [attach\_fluentbit\_init\_policy](#input\_attach\_fluentbit\_init\_policy) | Controls if an IAM policy granting access to fluenbit init config on S3 should be attached to the default ECS task role of this service. Only relevant if `firelens.init_config_files` is not empty. | `bool` | `true` | no |
| <a name="input_capacity_provider_strategy"></a> [capacity\_provider\_strategy](#input\_capacity\_provider\_strategy) | Capacity provider strategies to use for the service. Can be one or more. | <pre>list(object({<br> capacity_provider = string<br> weight = string<br> base = optional(string, null)<br> }))</pre> | `null` | no |
| <a name="input_cloudwatch_logs"></a> [cloudwatch\_logs](#input\_cloudwatch\_logs) | CloudWatch logs configuration for the containers of this service. CloudWatch logs will be used as the default log configuration if Firelens is disabled and for the fluentbit and otel containers. | <pre>object({<br> enabled = optional(bool, true)<br> name = optional(string, "")<br> retention_in_days = optional(number, 7)<br> })</pre> | `{}` | no |
| <a name="input_cluster_id"></a> [cluster\_id](#input\_cluster\_id) | The ECS cluster id that should run this service | `string` | n/a | yes |
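--- a/fluentbit.tf
+++ b/fluentbit.tf
@@ -68,7 +68,7 @@ module "fluentbit_container_definition" {
 }
 
 data "aws_iam_policy_document" "fluent_bit_config_access" {
-count = var.firelens.enabled && var.task_role_arn == "" && length(local.s3_init_file_arns) > 0 ? 1 : 0
+count = var.firelens.enabled && var.task_role_arn == "" && length(local.s3_init_file_arns) > 0 && var.attach_fluentbit_init_policy ? 1 : 0
 
 // allow reading the init config files from S3
 statement {
@@ -86,15 +86,15 @@ data "aws_iam_policy_document" "fluent_bit_config_access" {
 }
 
 resource "aws_iam_policy" "fluent_bit_config_access" {
-count = var.firelens.enabled && var.task_role_arn == "" && length(local.s3_init_file_arns) > 0 ? 1 : 0
+count = var.firelens.enabled && var.task_role_arn == "" && length(local.s3_init_file_arns) > 0 && var.attach_fluentbit_init_policy ? 1 : 0
 
 name = "fluent-bit-config-access-${var.service_name}-${data.aws_region.current.name}"
 path = "/ecs/task-role/"
 policy = data.aws_iam_policy_document.fluent_bit_config_access[count.index].json
 }
 
 resource "aws_iam_role_policy_attachment" "fluent_bit_config_access" {
-count = var.firelens.enabled && var.task_role_arn == "" && length(local.s3_init_file_arns) > 0 ? 1 : 0
+count = var.firelens.enabled && var.task_role_arn == "" && length(local.s3_init_file_arns) > 0 && var.attach_fluentbit_init_policy ? 1 : 0
 
 role = aws_iam_role.ecs_task_role[count.index].name
 policy_arn = aws_iam_policy.fluent_bit_config_access[count.index].arn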
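Review bot: The `count` expressions on the policy document, the `aws_iam_policy` and the `aws_iam_role_policy_attachment` have to stay identical, and this commit extends all three by hand with `&& var.attach_fluentbit_init_policy`; the next condition added the same way only has to miss one of them for the attachment to index a policy that was never created, or for the policy to exist without ever being attached to the task role. Computing the condition once, `create_fluent_bit_config_policy = var.firelens.enabled && var.task_role_arn == "" && length(local.s3_init_file_arns) > 0 && var.attach_fluentbit_init_policy`, and writing `count = local.create_fluent_bit_config_policy ? 1 : 0` on all three keeps the data source, the policy and its attachment in lockstep. The `locals` block is outside this hunk, so that line belongs next to where `s3_init_file_arns` is defined. The `statement` body of the policy document also continues outside the first hunk.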
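--- a/variables.tf
+++ b/variables.tf
@@ -50,17 +50,22 @@ variable "app_mesh" {
 })
 }
 
+variable "appautoscaling_settings" {
+default = null
+description = "Autoscaling configuration for this service."
+type = map(any)
+}
 
 variable "assign_public_ip" {
 default = false
 description = "Assign a public IP address to the ENI of this service."
 type = bool
 }
 
-variable "appautoscaling_settings" {
-default = null
-description = "Autoscaling configuration for this service."
-type = map(any)
+variable "attach_fluentbit_init_policy" {
+default = true
+description = "Controls if an IAM policy granting access to fluenbit init config on S3 should be attached to the default ECS task role of this service. Only relevant if `firelens.init_config_files` is not empty."
+type = bool
 }
 
 variable "capacity_provider_strategy" {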
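Review bot: The description of the new `attach_fluentbit_init_policy` variable misspells the component (`fluenbit`), and the generated README row carries the same typo, so it should be fixed here and the docs regenerated. The description also says only when the flag is relevant, not what disabling it means: the policy it gates is the one fluentbit.tf describes as allowing the init config files to be read from S3, so a caller setting `false` should be told that read access to those files has to be granted to the task role by other means. Since the `count` expressions in fluentbit.tf additionally require `var.task_role_arn == ""`, the flag has no effect when a custom task role is supplied, which is worth one more sentence in the description so nobody expects it to detach anything from a role they bring themselves. The suggested change is a rewording of the `description` line along those lines, keeping the default of `true`.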

