cn-terraform / terraform-aws-ecs-fargate-scheduled-task


AWS ECS Fargate Schedule Task Terraform Module

Home Page: https://registry.terraform.io/modules/cn-terraform/ecs-fargate-scheduled-task

License: Apache License 2.0

HCL 100.00%
terraform terraform-module aws amazon-web-services ecs ecs-fargate ecs-task ecs-scheduled-task

terraform-aws-ecs-fargate-scheduled-task's Issues

Adding Support for Permissions Boundary

Under the current configuration there is no support for adding a permissions boundary when creating IAM resources.

resource "aws_iam_role" "scheduled_task_cw_event_role" {
  count              = var.event_rule_role_arn == null ? 1 : 0
  name               = "${var.name_prefix}-st-cw-role"
  assume_role_policy = data.aws_iam_policy_document.scheduled_task_cw_event_role_assume_role_policy.json
}

Proposed fix:

resource "aws_iam_role" "scheduled_task_cw_event_role" {
  count              = var.event_rule_role_arn == null ? 1 : 0
  name               = "${var.name_prefix}-st-cw-role"
  assume_role_policy = data.aws_iam_policy_document.scheduled_task_cw_event_role_assume_role_policy.json

  permissions_boundary = var.permissions_boundary == null ? null : var.permissions_boundary
}


How is it possible to create a container override?

I'm not seeing anything in the documentation with regard to setting a command override on the container.

I have many ECS scheduled tasks implementing the same task definition, but each one of those individual ECS scheduled tasks needs to run a unique command override.

Any help would be appreciated, as this seems to be the only scheduled task module that works well.


event_rule_role_arn input ignored in event targets

The event_rule_role_arn input provided to the module is ignored, and module.ecs-fargate-scheduled-task.aws_iam_role.scheduled_task_cw_event_role is used in the event target.

  # module.ecs-fargate-scheduled-task.aws_cloudwatch_event_target.ecs_scheduled_task will be created
  + resource "aws_cloudwatch_event_target" "ecs_scheduled_task" {
      + arn            = "arn:aws:ecs:ap-southeast-2:445645794583:cluster/hydrofluxdr-prod"
      + event_bus_name = "default"
      + id             = (known after apply)
      + role_arn       = (known after apply)

https://github.com/cn-terraform/terraform-aws-ecs-fargate-scheduled-task/blob/main/main.tf#L64

ECS Fargate schedule on 24/7 running tasks

Hi Julian! - I have a couple of Fargate tasks that are currently running on a 24/7 basis. We would like to schedule a start/stop time on these Fargate tasks. Would this module be helpful to achieve this? I was not able to set the cron correctly.

Regards

aws_cloudwatch_event_rule is_enabled is deprecated use state instead

as titled, https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule#is_enabled

╷
│ Warning: Argument is deprecated
│
│   with [redacted],
│   on [redacted] line 57, in resource "aws_cloudwatch_event_rule" "event_rule":
│   57:   is_enabled          = var.event_rule_is_enabled
│
│ Use "state" instead
╵

code that needs update: https://github.com/cn-terraform/terraform-aws-ecs-fargate-scheduled-task/blob/main/main.tf#L57

Built-in IAM Role fails when Task Definition includes a task role

As per AWS documentation on the matter:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/CWE_IAM_role.html

If your scheduled tasks require the use of the task execution role, a task role, or a task role override, then you must add iam:PassRole permissions for each task execution role, task role, or task role override to the CloudWatch Events IAM role.

Using the built-in Scheduled Task CW Event Role doesn't work if the task definition includes a task role. This is because the Terraform code doesn't add them to the IAM role as roles to be passed using the action "iam:PassRole".

Workaround

Changing the role_arn value to the default ecsEvents role via WebUI or API works, because of the role being more permissive.
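
The requirement quoted from the AWS documentation above, written as a scoped policy for the module's events role. This is an added example, not part of the original issue or the module's own code; it assumes it sits inside the module next to aws_iam_role.scheduled_task_cw_event_role and uses the inputs event_rule_role_arn, ecs_execution_task_role_arn, ecs_task_role_arn and event_target_ecs_target_task_definition_arn shown elsewhere on this page, while the local, policy document and policy names are hypothetical.

```hcl
# Added example. Hypothetical names: local.passable_role_arns,
# scheduled_task_cw_event_role_policy, "${var.name_prefix}-st-cw-policy".

locals {
  # Roles EventBridge must be allowed to hand to ECS when it starts the task.
  # compact() drops a null or empty task role, so a task definition without a
  # task role yields only the execution role.
  passable_role_arns = compact([
    var.ecs_execution_task_role_arn,
    var.ecs_task_role_arn,
  ])
}

data "aws_iam_policy_document" "scheduled_task_cw_event_role_policy" {
  # Allow starting this task definition only. The trailing revision number is
  # replaced with "*" so new revisions of the same family remain runnable.
  statement {
    sid       = "RunScheduledTask"
    effect    = "Allow"
    actions   = ["ecs:RunTask"]
    resources = [replace(var.event_target_ecs_target_task_definition_arn, "/:\\d+$/", ":*")]
  }

  # Allow passing only the roles named above, and only to the ECS tasks
  # service, instead of iam:PassRole on "*".
  statement {
    sid       = "PassTaskRoles"
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = local.passable_role_arns

    condition {
      test     = "StringLike"
      variable = "iam:PassedToService"
      values   = ["ecs-tasks.amazonaws.com"]
    }
  }
}

# Attach the policy only when the module creates the events role itself,
# using the same count expression as the role shown on this page.
resource "aws_iam_role_policy" "scheduled_task_cw_event_role_policy" {
  count  = var.event_rule_role_arn == null ? 1 : 0
  name   = "${var.name_prefix}-st-cw-policy"
  role   = aws_iam_role.scheduled_task_cw_event_role[0].id
  policy = data.aws_iam_policy_document.scheduled_task_cw_event_role_policy.json
}
```

A role supplied through event_rule_role_arn is outside the module's control, so it needs the equivalent iam:PassRole statement added where that role is defined.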

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

github-actions
.github/workflows/pipeline.yml
  • actions/checkout v4
  • actions/checkout v4
terraform
versions.tf
  • aws >= 4
  • local >= 2
  • hashicorp/terraform >= 0.13


Unable to hold deployed task definition

Hi Team,

I have used this module to create a scheduled task. When I deploy the scheduled task using Terraform, it works fine. After this, we deploy new code via a Jenkins pipeline into the scheduled task, so the task definition gets updated in the scheduled task accordingly.

Now, if at some point I update something in the scheduled task to add a new feature and execute the Terraform pipeline, the pipeline execution reverts the latest task definition in the scheduled task and brings it back to the older one stored in the state file, which breaks the application.

I am using a similar pipeline for normal ECS service deployments, where I haven't seen this type of behaviour.

Can you let me know if I am doing something wrong here?

My code snippet :

module "scheduled-task" {
  source                                      = "cn-terraform/ecs-fargate-scheduled-task/aws"
  version                                     = "~> 1.0.22"
  ecs_cluster_arn                             = var.cluster_arn
  ecs_execution_task_role_arn                 = var.ecs_task_execution_role_arn
  ecs_task_role_arn                           = var.ecs_task_role_arn
  event_rule_description                      = "This event rule will trigger ECS Task "
  event_rule_name                             = var.eventrulename
  event_rule_schedule_expression              = "rate(1 hour)"
  event_target_ecs_target_subnets             = var.vpc.private_subnets
  event_target_ecs_target_security_groups     = var.security_group_id
  event_target_ecs_target_task_definition_arn = var.ecs_task_definition_arn
  event_target_ecs_target_assign_public_ip    = true
  name_prefix                                 = var.nameprefix
  event_target_target_id                      = "1"
}

Thanks.

trying to create role that already exists

I've created a task with jnonino/ecs-fargate-task-definition/aws and am now trying to use jnonino/ecs-fargate-scheduled-task/aws to schedule a task, but it appears to be trying to create the same role that the td module has already created.

I end up with the following error:
Error: Error creating IAM Role session-based-container-reco-ecs-task-execution-role: EntityAlreadyExists: Role with name session-based-container-reco-ecs-task-execution-role already exists. status code: 409, request id: b2446842-bebb-11e9-ab18-c7397f4134f6

code:

module "scheduled_task" {
  source                                      = "jnonino/ecs-fargate-scheduled-task/aws"
  version                                     = "1.0.3"
  name_preffix                                = var.container_name
  profile                                     = var.profile
  region                                      = var.region
  ecs_cluster_arn                             = module.ecs-cluster.aws_ecs_cluster_cluster_arn
  event_rule_name                             = "${var.container_name}-cron"
  event_rule_schedule_expression              = "cron(30 10 * * ? *)"
  event_rule_description                      = "run daily at 10:30 am"
  event_target_ecs_target_task_definition_arn = module.td.aws_ecs_task_definition_td_arn
  event_target_ecs_target_subnets             = var.private_subnets_ids
}

Error: "input": conflicts with input_path

It seems that aws_cloudwatch_event_target.ecs_scheduled_task provides both input and input_path, which Terraform 0.12 considers invalid, as only one of those options can be specified.

Getting this when trying to run plan.

Error: "input": conflicts with input_path

  on .terraform/modules/.../jnonino-terraform-aws-ecs-fargate-scheduled-task-0fbb11c/main.tf line 48, in resource "aws_cloudwatch_event_target" "ecs_scheduled_task":
  48: resource "aws_cloudwatch_event_target" "ecs_scheduled_task" {

Use same custom Events role in rule and target to optimize resource creation.

Hello, there.

I have a use case where I am using a for_each meta argument to create many tasks. I noticed that, in spite of providing a custom Events role arn, another role with the same permissions is always created on each module call, thus creating unnecessary resources. Given that we only need one such Events role per ecs cluster, the module should default to skip the creation of a custom role when the user already provided one.

I have a working fork where this behavior enabled a considerable reduction in the number of redundant resources. I will contribute a PR and I am willing to contribute to this issue further.

ecs_target.propagate_tags should be an enum

If variable PropagateTags=TASK_DEFINITION (per https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_EcsParameters.html#eventbridge-Type-EcsParameters-PropagateTags and on https://github.com/cn-terraform/terraform-aws-ecs-fargate-scheduled-task/blob/main/main.tf#L72)

Error appears as STRING is not a boolean value. This value should be STRING, with allowed values "TASK_DEFINITION" or ""

If I set this value to an empty string, a similar message is given, just from one component further downstream.

I've also raised a PR to fix this in #19

╷
│ Error: Invalid value for module argument
│ 
│   on main.tf line 113, in module "ecs_fargate_scheduled_task":
│  113:   event_target_ecs_target_propagate_tags      = "TASK_DEFINITION"
│ 
│ The given value is not suitable for child module variable "event_target_ecs_target_propagate_tags" defined at
│ .terraform/modules/ecs_fargate_scheduled_task/variables.tf:114,1-50: a bool is required.
