🐶
Terraform

Terraform Fargate Task Definition Execution Role

By Filip on 10/07/2024

Learn how to configure your Terraform Fargate task definition to request an IAM execution role for secure access to AWS resources.

Terraform Fargate Task Definition Execution Role

Table of Contents

Introduction

When defining an AWS Fargate task definition in Terraform, you must specify the execution_role_arn attribute. This is unlike EC2 launch type tasks, where this attribute is optional. The execution_role_arn attribute points to an IAM role that your Fargate task assumes during execution. This role grants the task the necessary permissions to interact with other AWS services, such as ECR to pull container images or CloudWatch Logs to send logs. Here's how to set up the execution_role_arn in your Terraform code: Create an IAM role specifically for your Fargate task execution. This role should have the necessary permissions for your task's operations. You can use the aws_iam_role resource in Terraform for this. Attach AWS managed policies or create custom policies to grant the required permissions to the IAM role. For instance, if your task needs to pull images from ECR, attach the AmazonEC2ContainerRegistryReadOnly policy. In your aws_ecs_task_definition resource, set the execution_role_arn attribute to the ARN of the IAM role you created. By following these steps, you ensure that your Fargate tasks have the necessary permissions to run and interact with other AWS services.

Step-by-Step Guide

When defining an AWS Fargate task definition in Terraform, you must specify the execution_role_arn attribute. This is unlike EC2 launch type tasks, where this attribute is optional.

The execution_role_arn attribute points to an IAM role that your Fargate task assumes during execution. This role grants the task the necessary permissions to interact with other AWS services, such as ECR to pull container images or CloudWatch Logs to send logs.

Here's how to set up the execution_role_arn in your Terraform code:

  1. Create an IAM role: Define an IAM role specifically for your Fargate task execution. This role should have the necessary permissions for your task's operations. You can use the aws_iam_role resource in Terraform for this.

  2. Attach policies to the role: Attach AWS managed policies or create custom policies to grant the required permissions to the IAM role. For instance, if your task needs to pull images from ECR, attach the AmazonEC2ContainerRegistryReadOnly policy.

  3. Reference the role in your task definition: In your aws_ecs_task_definition resource, set the execution_role_arn attribute to the ARN of the IAM role you created.

By following these steps, you ensure that your Fargate tasks have the necessary permissions to run and interact with other AWS services.

Code Example

This Terraform code defines infrastructure for running a containerized application on AWS Fargate. It creates an IAM role with permissions to pull images from Amazon ECR and assumes this role within the task definition. The task definition specifies resource limits, networking mode, and a container running an Nginx web server. This configuration enables deploying and managing a scalable and serverless application on AWS.

# Create an IAM role for Fargate task execution
resource "aws_iam_role" "fargate_task_role" {
  name = "fargate-task-execution-role"

  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
POLICY
}

# Attach necessary policies to the role
resource "aws_iam_role_policy_attachment" "ecs_task_execution_policy" {
  role       = aws_iam_role.fargate_task_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
}

# Define the Fargate task definition
resource "aws_ecs_task_definition" "fargate_task" {
  family = "fargate-task-definition"
  network_mode = "awsvpc"

  requires_compatibilities = ["FARGATE"]
  cpu                      = "256"
  memory                   = "512"

  container_definitions = <<DEFINITION
[
  {
    "name": "my-fargate-container",
    "image": "nginx:latest",
    "essential": true,
    "portMappings": [
      {
        "containerPort": 80,
        "hostPort": 80
      }
    ]
  }
]
DEFINITION

  # Specify the execution role ARN
  execution_role_arn = aws_iam_role.fargate_task_role.arn
}

Explanation:

  1. IAM Role Creation: The code defines an IAM role named fargate-task-execution-role using aws_iam_role. The assume_role_policy allows the ECS service to assume this role.

  2. Policy Attachment: The aws_iam_role_policy_attachment resource attaches the AmazonEC2ContainerRegistryReadOnly policy to the created role. This policy allows the task to pull images from ECR. You can add more policies based on your task's requirements.

  3. Task Definition: The aws_ecs_task_definition resource defines the Fargate task.

    • The execution_role_arn attribute is set to the ARN of the IAM role created earlier (aws_iam_role.fargate_task_role.arn). This ensures that the task assumes the specified role during execution.
    • Other attributes like cpu, memory, network_mode, requires_compatibilities, and container_definitions define the task's resource requirements and container specifications.

This setup ensures that your Fargate task has the necessary permissions to pull images from ECR and perform other actions allowed by the attached policies. Remember to replace placeholders like container image and port mappings with your desired values.

Additional Notes

  • Security Best Practices:

    • It's crucial to follow the principle of least privilege when defining the IAM role. Only grant the permissions absolutely necessary for your Fargate task to function.
    • Avoid attaching overly permissive policies like AmazonEC2ContainerRegistryFullAccess. Instead, opt for more specific policies like AmazonEC2ContainerRegistryReadOnly if your task only needs to pull images.
    • Regularly review and audit the IAM role's permissions to ensure they are still appropriate and haven't become too permissive over time.
  • Troubleshooting:

    • If your Fargate task fails to start, one of the first things to check is whether the execution role has the necessary permissions.
    • CloudWatch Logs (or a similar logging solution) can be invaluable for debugging permission issues. Ensure your task has permissions to write logs and examine them for clues about access denied errors.
  • Alternatives to Managed Policies:

    • While AWS managed policies are convenient, consider creating custom IAM policies for finer-grained control over permissions. This can be particularly useful if you have specific security requirements or want to limit the actions your Fargate tasks can perform.
  • Task Definition Revisions:

    • Each time you update the execution_role_arn in your task definition, Terraform will create a new revision of the task definition. Be mindful of this when managing deployments, especially if you are using older revisions in production.
  • Additional Considerations:

    • If your Fargate task needs to interact with resources in a different AWS account, you'll need to configure cross-account IAM roles.
    • For more complex scenarios, explore using AWS Security Token Service (STS) to generate temporary credentials for your Fargate tasks, further enhancing security.

Summary

This article explains the mandatory execution_role_arn attribute required when defining AWS Fargate tasks in Terraform, unlike EC2 launch types where it's optional.

Key Points:

  • Purpose: The execution_role_arn attribute specifies an IAM role that your Fargate task assumes during execution. This role grants the task permissions to interact with other AWS services (e.g., pulling container images from ECR or sending logs to CloudWatch Logs).
  • Setup:
    1. Create an IAM role: Define a dedicated IAM role for your Fargate task execution using the aws_iam_role resource in Terraform.
    2. Attach policies: Grant necessary permissions to the IAM role by attaching AWS managed policies or creating custom policies. For example, attach AmazonEC2ContainerRegistryReadOnly to allow pulling images from ECR.
    3. Reference in task definition: Set the execution_role_arn attribute in your aws_ecs_task_definition resource to the ARN of the created IAM role.

By following these steps, you ensure your Fargate tasks have the necessary permissions to run and interact with other AWS services.

Conclusion

In conclusion, the execution_role_arn is a critical component when defining AWS Fargate task definitions in Terraform. It ensures your tasks have the necessary permissions to interact with other AWS services. By creating a dedicated IAM role, attaching appropriate policies, and referencing this role in your task definition, you enable secure and controlled access for your Fargate applications. Remember to follow security best practices, troubleshoot diligently, and explore advanced options like custom IAM policies and STS for enhanced security and control over your Fargate deployments.

References

Were You Able to Follow the Instructions?

😍Love it!
😊Yes
😐Meh-gical
😞No
🤮Clickbait