Ale*_*lex 2 amazon-web-services terraform terraform-provider-aws
I am new to both Terraform and AWS. I am trying to set enable_execute_command=true on an existing Fargate service, whose roles and cluster/service/task definition are as follows:
data "aws_iam_policy_document" "ecs_task_execution_role_base" {
  version = "2012-10-17"
  statement {
    sid     = ""
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_policy" "ecs_exec_policy" {
  name = "ecs_exec_policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ssmmessages:CreateControlChannel",
          "ssmmessages:CreateDataChannel",
          "ssmmessages:OpenControlChannel",
          "ssmmessages:OpenDataChannel"
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

resource "aws_iam_role" "ecs_task_execution_role" {
  name                = var.ecs_task_execution_role_name
  assume_role_policy  = data.aws_iam_policy_document.ecs_task_execution_role_base.json
  managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole", aws_iam_policy.ecs_exec_policy.arn]
}

resource "aws_ecs_cluster" "main" {
  name = "backendcluster"
}

data "template_file" "backendapp" {
  template = file("./templates/ecs/backend_app.json.tpl")
  vars = {
    server_image   = var.server_image
    celery_image   = var.celery_image
    app_port       = var.app_port
    fargate_cpu    = var.fargate_cpu
    fargate_memory = var.fargate_memory
    aws_region     = var.aws_region
    database_host  = aws_db_instance.default.address
    database_port  = aws_db_instance.default.port
    redis_host     = aws_elasticache_cluster.default.cache_nodes.0.address
    redis_port     = aws_elasticache_cluster.default.cache_nodes.0.port
  }
}

resource "aws_ecs_task_definition" "app" {
  family                   = "backend-app-task"
  execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = var.fargate_cpu
  memory                   = var.fargate_memory
  container_definitions    = data.template_file.backendapp.rendered
}

resource "aws_ecs_service" "main" {
  name                   = "backendservice"
  cluster                = aws_ecs_cluster.main.id
  task_definition        = aws_ecs_task_definition.app.arn
  desired_count          = var.app_count
  launch_type            = "FARGATE"
  enable_execute_command = true

  network_configuration {
    security_groups  = [aws_security_group.ecs_tasks.id]
    subnets          = aws_subnet.private.*.id
    assign_public_ip = true
  }

  load_balancer {
    target_group_arn = aws_alb_target_group.app.id
    container_name   = "server"
    container_port   = var.app_port
  }

  depends_on = [aws_alb_listener.backend]
}
Running terraform apply gives:
Error: error updating ECS Service (arn:aws:ecs:eu-west-2:00000000:service/backendcluster/backendservice): InvalidParameterException: The service couldn't be updated because a valid taskRoleArn is not being used. Specify a valid task role in your task definition and try again.
In your resource "aws_ecs_task_definition" "app" you have specified an execution_role_arn, but you have not specified a task_role_arn. That is what the error actually means: you need to supply a task role ARN.

The execution role grants the ECS service permission to perform actions such as pulling images from an ECR repository and looking up secrets in SecretsManager that need to be injected into the containers it creates.

The task role grants the software running inside the ECS task/container permission to access AWS resources. The execute-command permissions need to be assigned to the task role, not the execution role.

At a minimum, you could try adding:
task_role_arn = aws_iam_role.ecs_task_execution_role.arn
However, following the principle of least privilege would require you to split these into separate IAM roles with different permissions.
Views: 3082