Learn how to configure your Terraform Fargate task definition to request an IAM execution role for secure access to AWS resources.
When defining an AWS Fargate task definition in Terraform, you must specify the execution_role_arn
attribute. This is unlike EC2 launch type tasks, where this attribute is optional. The execution_role_arn
attribute points to an IAM role that your Fargate task assumes during execution. This role grants the task the necessary permissions to interact with other AWS services, such as ECR to pull container images or CloudWatch Logs to send logs. Here's how to set up the execution_role_arn
in your Terraform code: Create an IAM role specifically for your Fargate task execution. This role should have the necessary permissions for your task's operations. You can use the aws_iam_role
resource in Terraform for this. Attach AWS managed policies or create custom policies to grant the required permissions to the IAM role. For instance, if your task needs to pull images from ECR, attach the AmazonEC2ContainerRegistryReadOnly
policy. In your aws_ecs_task_definition
resource, set the execution_role_arn
attribute to the ARN of the IAM role you created. By following these steps, you ensure that your Fargate tasks have the necessary permissions to run and interact with other AWS services.
When defining an AWS Fargate task definition in Terraform, you must specify the execution_role_arn
attribute. This is unlike EC2 launch type tasks, where this attribute is optional.
The execution_role_arn
attribute points to an IAM role that your Fargate task assumes during execution. This role grants the task the necessary permissions to interact with other AWS services, such as ECR to pull container images or CloudWatch Logs to send logs.
Here's how to set up the execution_role_arn
in your Terraform code:
Create an IAM role: Define an IAM role specifically for your Fargate task execution. This role should have the necessary permissions for your task's operations. You can use the aws_iam_role
resource in Terraform for this.
Attach policies to the role: Attach AWS managed policies or create custom policies to grant the required permissions to the IAM role. For instance, if your task needs to pull images from ECR, attach the AmazonEC2ContainerRegistryReadOnly
policy.
Reference the role in your task definition: In your aws_ecs_task_definition
resource, set the execution_role_arn
attribute to the ARN of the IAM role you created.
By following these steps, you ensure that your Fargate tasks have the necessary permissions to run and interact with other AWS services.
This Terraform code defines infrastructure for running a containerized application on AWS Fargate. It creates an IAM role with permissions to pull images from Amazon ECR and assumes this role within the task definition. The task definition specifies resource limits, networking mode, and a container running an Nginx web server. This configuration enables deploying and managing a scalable and serverless application on AWS.
# Create an IAM role for Fargate task execution
resource "aws_iam_role" "fargate_task_role" {
name = "fargate-task-execution-role"
assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
POLICY
}
# Attach necessary policies to the role
resource "aws_iam_role_policy_attachment" "ecs_task_execution_policy" {
role = aws_iam_role.fargate_task_role.name
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
}
# Define the Fargate task definition
resource "aws_ecs_task_definition" "fargate_task" {
family = "fargate-task-definition"
network_mode = "awsvpc"
requires_compatibilities = ["FARGATE"]
cpu = "256"
memory = "512"
container_definitions = <<DEFINITION
[
{
"name": "my-fargate-container",
"image": "nginx:latest",
"essential": true,
"portMappings": [
{
"containerPort": 80,
"hostPort": 80
}
]
}
]
DEFINITION
# Specify the execution role ARN
execution_role_arn = aws_iam_role.fargate_task_role.arn
}
Explanation:
IAM Role Creation: The code defines an IAM role named fargate-task-execution-role
using aws_iam_role
. The assume_role_policy
allows the ECS service to assume this role.
Policy Attachment: The aws_iam_role_policy_attachment
resource attaches the AmazonEC2ContainerRegistryReadOnly
policy to the created role. This policy allows the task to pull images from ECR. You can add more policies based on your task's requirements.
Task Definition: The aws_ecs_task_definition
resource defines the Fargate task.
execution_role_arn
attribute is set to the ARN of the IAM role created earlier (aws_iam_role.fargate_task_role.arn
). This ensures that the task assumes the specified role during execution.cpu
, memory
, network_mode
, requires_compatibilities
, and container_definitions
define the task's resource requirements and container specifications.This setup ensures that your Fargate task has the necessary permissions to pull images from ECR and perform other actions allowed by the attached policies. Remember to replace placeholders like container image and port mappings with your desired values.
Security Best Practices:
AmazonEC2ContainerRegistryFullAccess
. Instead, opt for more specific policies like AmazonEC2ContainerRegistryReadOnly
if your task only needs to pull images.Troubleshooting:
Alternatives to Managed Policies:
Task Definition Revisions:
execution_role_arn
in your task definition, Terraform will create a new revision of the task definition. Be mindful of this when managing deployments, especially if you are using older revisions in production.Additional Considerations:
This article explains the mandatory execution_role_arn
attribute required when defining AWS Fargate tasks in Terraform, unlike EC2 launch types where it's optional.
Key Points:
execution_role_arn
attribute specifies an IAM role that your Fargate task assumes during execution. This role grants the task permissions to interact with other AWS services (e.g., pulling container images from ECR or sending logs to CloudWatch Logs).aws_iam_role
resource in Terraform.AmazonEC2ContainerRegistryReadOnly
to allow pulling images from ECR.execution_role_arn
attribute in your aws_ecs_task_definition
resource to the ARN of the created IAM role.By following these steps, you ensure your Fargate tasks have the necessary permissions to run and interact with other AWS services.
In conclusion, the execution_role_arn
is a critical component when defining AWS Fargate task definitions in Terraform. It ensures your tasks have the necessary permissions to interact with other AWS services. By creating a dedicated IAM role, attaching appropriate policies, and referencing this role in your task definition, you enable secure and controlled access for your Fargate applications. Remember to follow security best practices, troubleshoot diligently, and explore advanced options like custom IAM policies and STS for enhanced security and control over your Fargate deployments.