IAM role that allows execute-command on AWS ECS containers

I'm new to both Terraform and AWS. I'm trying to set enable_execute_command=true on an existing Fargate service; the roles and the cluster/service/task definition are as follows:

data "aws_iam_policy_document" "ecs_task_execution_role_base" {
  version = "2012-10-17"
  statement {
    sid     = ""
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_policy" "ecs_exec_policy" {
  name = "ecs_exec_policy"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ssmmessages:CreateControlChannel",
          "ssmmessages:CreateDataChannel",
          "ssmmessages:OpenControlChannel",
          "ssmmessages:OpenDataChannel"
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

resource "aws_iam_role" "ecs_task_execution_role" {
  name = var.ecs_task_execution_role_name

  assume_role_policy  = data.aws_iam_policy_document.ecs_task_execution_role_base.json
  managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole", aws_iam_policy.ecs_exec_policy.arn]
}

resource "aws_ecs_cluster" "main" {
  name = "backendcluster"
}

data "template_file" "backendapp" {
  template = file("./templates/ecs/backend_app.json.tpl")

  vars = {
    server_image   = var.server_image
    celery_image   = var.celery_image
    app_port       = var.app_port
    fargate_cpu    = var.fargate_cpu
    fargate_memory = var.fargate_memory
    aws_region     = var.aws_region
    database_host  = aws_db_instance.default.address
    database_port  = aws_db_instance.default.port
    redis_host     = aws_elasticache_cluster.default.cache_nodes.0.address
    redis_port     = aws_elasticache_cluster.default.cache_nodes.0.port
  }
}

resource "aws_ecs_task_definition" "app" {
  family                   = "backend-app-task"
  execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = var.fargate_cpu
  memory                   = var.fargate_memory
  container_definitions    = data.template_file.backendapp.rendered
}

resource "aws_ecs_service" "main" {
  name                   = "backendservice"
  cluster                = aws_ecs_cluster.main.id
  task_definition        = aws_ecs_task_definition.app.arn
  desired_count          = var.app_count
  launch_type            = "FARGATE"
  enable_execute_command = true

  network_configuration {
    security_groups  = [aws_security_group.ecs_tasks.id]
    subnets          = aws_subnet.private.*.id
    assign_public_ip = true
  }

  load_balancer {
    target_group_arn = aws_alb_target_group.app.id
    container_name   = "server"
    container_port   = var.app_port
  }

  depends_on = [aws_alb_listener.backend]
}

Running terraform apply gives:

Error: error updating ECS Service (arn:aws:ecs:eu-west-2:00000000:service/backendcluster/backendservice): InvalidParameterException: The service couldn't be updated because a valid taskRoleArn is not being used. Specify a valid task role in your task definition and try again.

In resource "aws_ecs_task_definition" "app" you have specified execution_role_arn but not task_role_arn. That is what the error is saying: you need to supply a task role ARN.

The execution role gives the ECS service permission to read images from ECR repositories and to look up secrets in Secrets Manager that need to be injected into the containers it creates.

The task role gives the software running inside the ECS task/container permission to access AWS resources. The execute-command permissions need to be attached to the task role, not the execution role.

At a minimum you could try adding:

task_role_arn = aws_iam_role.ecs_task_execution_role.arn

However, following the principle of least privilege would require you to split these into separate IAM roles with different privileges.
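The split the answer recommends, written out as an added example (not the asker's or the answerer's code): the execution role keeps only what the ECS agent needs, while a separate task role is the only one that carries the ssmmessages policy from the question; the role name `ecs_task_role` and the `-task` name suffix are assumptions.

```hcl
# Added example: dedicated execution role and task role. Only the task role
# receives the ssmmessages permissions that ECS Exec needs.

# Both roles are assumed by the ECS tasks service principal.
data "aws_iam_policy_document" "ecs_tasks_assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

# Execution role: used by the ECS agent to pull images and inject secrets.
resource "aws_iam_role" "ecs_task_execution_role" {
  name               = var.ecs_task_execution_role_name
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume_role.json
}

resource "aws_iam_role_policy_attachment" "execution_role_managed" {
  role       = aws_iam_role.ecs_task_execution_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Task role: used by the code inside the container. Name suffix is an assumption.
resource "aws_iam_role" "ecs_task_role" {
  name               = "${var.ecs_task_execution_role_name}-task"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume_role.json
}

# Attach the ssmmessages policy defined in the question to the task role only.
resource "aws_iam_role_policy_attachment" "task_role_exec" {
  role       = aws_iam_role.ecs_task_role.name
  policy_arn = aws_iam_policy.ecs_exec_policy.arn
}

# Task definition now carries both roles, which is what the error asked for.
resource "aws_ecs_task_definition" "app" {
  family                   = "backend-app-task"
  execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
  task_role_arn            = aws_iam_role.ecs_task_role.arn
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = var.fargate_cpu
  memory                   = var.fargate_memory
  container_definitions    = data.template_file.backendapp.rendered
}
```

With this layout, removing ECS Exec later is a single policy detachment on the task role and leaves image pulls and secret injection untouched.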
