Open rclayton-the-terrible opened 9 years ago
+1 thanks @rclayton-the-terrible
This helped me as well. Creating the equivalent roles and policies with Terraform just didn't work for me so I followed your lead and reused the baked in ones.
I was able to eliminate the need to use the Amazon profiles (it requires that somebody go through the wizard at least once). The Amazon documentation provided me with the necessary policies:
```hcl
# Instance profile attached to the ECS container instances; it wraps the role below.
resource "aws_iam_instance_profile" "ecs_profile" {
  name  = "ecs-instance-profile"
  roles = ["${aws_iam_role.ecs_instance_role.name}"]
}

# the trick is to provide TWO trust policies -- one for each role
# (both the EC2 service and the ECS service may assume this single role)
resource "aws_iam_role" "ecs_instance_role" {
  name = "ecs-instance-role"
  # path = "/"
  assume_role_policy = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Permissions the ECS agent on the instance needs to register and poll for work.
resource "aws_iam_role_policy" "ecs_instance_role" {
  name   = "ecs-instance-role"
  role   = "${aws_iam_role.ecs_instance_role.id}"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateCluster",
        "ecs:DeregisterContainerInstance",
        "ecs:DiscoverPollEndpoint",
        "ecs:Poll",
        "ecs:RegisterContainerInstance",
        "ecs:StartTelemetrySession",
        "ecs:Submit*"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Permissions the ECS scheduler needs for ELB registration and security groups.
# Note: this is attached to the SAME role as the instance policy above, so every
# container instance also receives these ec2/elasticloadbalancing permissions.
resource "aws_iam_role_policy" "ecs_scheduler_role" {
  name   = "ecs-scheduler-role"
  role   = "${aws_iam_role.ecs_instance_role.id}"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:Describe*",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
        "elasticloadbalancing:Describe*",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}
```
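Because the config above puts two trust principals and two permission policies on one role, it is worth being able to see exactly what that role ends up trusting and allowing. The following is an added audit script, not part of the issue or of any AWS or Terraform tooling: it loads constructed copies of the three policy documents from the heredocs above and reports which service principals may assume the role, which granted actions fall outside the namespace the role is meant for, and which actions use wildcards. The `expected_services` and `expected_prefix` arguments are this example's own conventions.

```python
import json

# Constructed copies of the three policy documents from the Terraform above,
# lifted out of their heredocs so they can be inspected outside Terraform.
TRUST_POLICY = json.loads("""
{
  "Version": "2008-10-17",
  "Statement": [
    {"Sid": "", "Effect": "Allow",
     "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"},
    {"Sid": "", "Effect": "Allow",
     "Principal": {"Service": "ecs.amazonaws.com"}, "Action": "sts:AssumeRole"}
  ]
}
""")

INSTANCE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ecs:CreateCluster", "ecs:DeregisterContainerInstance",
               "ecs:DiscoverPollEndpoint", "ecs:Poll",
               "ecs:RegisterContainerInstance", "ecs:StartTelemetrySession",
               "ecs:Submit*"],
    "Resource": "*"
  }]
}
""")

SCHEDULER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:Describe*",
               "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
               "elasticloadbalancing:Describe*",
               "elasticloadbalancing:RegisterInstancesWithLoadBalancer"],
    "Resource": "*"
  }]
}
""")


def as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusted_services(trust_policy):
    """Service principals that an Allow + sts:AssumeRole statement lets assume the role."""
    services = set()
    for stmt in as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):  # a bare "*" principal has no Service key
            services.update(as_list(principal.get("Service")))
    return services


def allowed_actions(policy):
    """Every action granted by an Allow statement in a permission policy."""
    actions = set()
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            actions.update(as_list(stmt.get("Action")))
    return actions


def audit_role(trust_policy, attached_policies, expected_services, expected_prefix):
    """Return (check, detail) findings for one role.

    expected_services: principals that should be allowed to assume the role.
    expected_prefix:   the action namespace the role is meant to use, e.g. "ecs:".
    """
    findings = []
    extra = trusted_services(trust_policy) - set(expected_services)
    if extra:
        findings.append(("unexpected-trust", sorted(extra)))
    actions = set()
    for policy in attached_policies:
        actions |= allowed_actions(policy)
    outside = sorted(a for a in actions if not a.startswith(expected_prefix))
    if outside:
        findings.append(("actions-outside-namespace", outside))
    wild = sorted(a for a in actions if "*" in a)
    if wild:
        findings.append(("wildcard-actions", wild))
    return findings


if __name__ == "__main__":
    # Audit the combined role as an instance role that only EC2 should assume.
    for check, detail in audit_role(TRUST_POLICY, [INSTANCE_POLICY, SCHEDULER_POLICY],
                                    ["ec2.amazonaws.com"], "ecs:"):
        print(f"{check}: {', '.join(detail)}")
```

Run against the combined role, the script reports the extra `ecs.amazonaws.com` trust principal, the five `ec2:`/`elasticloadbalancing:` actions the container instances inherit from the scheduler policy, and the three wildcard actions. Running it with only the instance policy attached and both principals expected leaves just the `ecs:Submit*` wildcard, which is the shape to aim for if you later split the two roles apart.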
Thank you!
For further reference here is a link to the AWS documentation about this instance role that is necessary for an EC2 instance to communicate with the ECS service on your behalf: http://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html
This info really helped me!
First of all, thank you. This TF config greatly inspired some work I've been doing bootstrapping an ECS cluster.
During my exploration of the process, I've run into a couple of IAM-related issues. I don't think Amazon explains this well enough, and after working with multiple Amazon accounts, I'm baffled at how I got AWS to auto-configure itself the first time (subsequent attempts didn't work). Through this experience, I've documented the issues and added Terraform resources to ensure I can consistently provision ECS clusters.
And the referenced Trust relationship: