terraform-aws-modules / terraform-aws-ecs

Terraform module to create AWS ECS resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/ecs/aws
Apache License 2.0

Support setting the `path` attribute of the service task execution IAM policy #199

Closed yngvark closed 4 months ago

yngvark commented 6 months ago

Is your request related to a new offering from AWS?

It's not a new offering - path has been available for the aws_iam_policy since 2015.

Is your request related to a problem? Please describe.

Yes.

The parameters task_exec_iam_role_path and tasks_iam_role_path allow me to set the path attribute for the IAM roles created by the service module. However, when I set task_exec_iam_role_path, I get an IAM policy without the path set. This is currently not supported, as the IAM policy for the service doesn't take any input for setting its path. Code.

I would like to set the path attribute for the task execution IAM policy, because it enables me to set flexible IAM constraints.

Motivation:

I am trying to define an IAM role with permission to the action iam:GetPolicy for the ECS task execution IAM policy created by the service module.

I want my role to allow iam:GetPolicy for resources under the path

"arn:aws:iam::${var.account_id}:policy/some-path/ecs-task-exec*"

This is not possible. Instead, I can only constrain the permission to

arn:aws:iam::${var.account_id}:policy/ecs-task-exec*

Describe the solution you'd like.

I want a parameter that allows me to set the path attribute of the resource aws_iam_policy.task_exec, defined here.

Not sure what would be a good name. task_exec_iam_policy_path perhaps?

Describe alternatives you've considered.

Instead of using the task_exec_iam_role_path, I can include a prefix in the task_exec_iam_role_name variable, for instance

task_exec_iam_role_name = "some-path-subname"

But there is a maximum length for IAM role names (and policy names I assume), which is why I want to use a path instead.

Additional context
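The path-scoped constraint the request describes, as an added example that is not part of the module or the original issue: the policy is created directly with `aws_iam_policy` (since the module has no path input), and the path `/some-path/`, the policy name, the operator role name and the statement contents are all assumptions.

```hcl
# Added example, not code from terraform-aws-modules/ecs.
# Assumes AWS provider credentials for the target account; "/some-path/",
# "ecs-task-exec-example" and "ecs-policy-reader" are illustrative names.
data "aws_caller_identity" "current" {}

locals {
  iam_path = "/some-path/"
}

# Task execution policy created WITH a path. Its ARN becomes
#   arn:aws:iam::<account>:policy/some-path/ecs-task-exec-example
# Without `path`, the ARN would be arn:aws:iam::<account>:policy/ecs-task-exec-example
# and no path-based prefix could be used to single it out.
resource "aws_iam_policy" "task_exec" {
  name   = "ecs-task-exec-example"
  path   = local.iam_path
  policy = data.aws_iam_policy_document.task_exec.json
}

# Minimal task execution permissions (placeholder statement; tighten for real use).
data "aws_iam_policy_document" "task_exec" {
  statement {
    sid       = "EcrAuth"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }
}

# Operator policy: iam:GetPolicy is allowed only for policies under the path,
# which is the least-privilege constraint the issue asks to be able to express.
data "aws_iam_policy_document" "read_task_exec_policies" {
  statement {
    sid     = "GetEcsTaskExecPolicies"
    actions = ["iam:GetPolicy", "iam:GetPolicyVersion"]
    resources = [
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy${local.iam_path}ecs-task-exec*",
    ]
  }
}

resource "aws_iam_policy" "ecs_policy_reader" {
  name   = "ecs-policy-reader"
  path   = local.iam_path
  policy = data.aws_iam_policy_document.read_task_exec_policies.json
}

# Shows the path-qualified ARN so the resource constraint above can be checked.
output "task_exec_policy_arn" {
  value = aws_iam_policy.task_exec.arn
}
```

After `terraform apply`, the output should contain `policy/some-path/ecs-task-exec-example`, matching the resource pattern in the reader policy.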

github-actions[bot] commented 5 months ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove the stale label or comment, or this issue will be closed in 10 days.

github-actions[bot] commented 4 months ago

This issue was automatically closed because it had been stale for 10 days.

github-actions[bot] commented 3 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.