Terraform Fargate task definition requires an execution role

Time: 2018-07-31 11:40:15

Tags: amazon-web-services terraform amazon-ecs

I'm using Terraform to create some services in AWS. One of these is an ECS task definition. I followed the documentation and keep getting the following error:

aws_ecs_task_definition.github-backup: ClientException: Fargate requires task definition to have execution role ARN to support ECR images.
status code: 400, request id: 84df70ec-94b4-11e8-b116-97f92c6f483f

Firstly, task_role_arn is optional, and I can see that a new role gets created. I've also tried creating the role myself with the permissions the task definition needs.

This is what I have:

Task definition:

resource "aws_ecs_task_definition" "github-backup" {
  family                   = "${var.task_name}"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = "${var.fargate_cpu}"
  memory                   = "${var.fargate_memory}"
  task_role_arn            = "${aws_iam_role.github-role.arn}"

  container_definitions = <<DEFINITION
[
    {
        "cpu": ${var.fargate_cpu},
        "image": "${var.image}",
        "memory": ${var.fargate_memory},
        "name": "github-backup",
        "networkMode": "awsvpc"
    }
]
DEFINITION
}

IAM policy:

resource "aws_iam_policy" "access_policy" {
  name = "github_policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1532966429082",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectTagging",
        "s3:PutObjectVersionTagging"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::zego-github-backup11"
    },
    {
      "Sid": "Stmt1532967608746",
      "Action": "lambda:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

IAM role:

resource "aws_iam_role" "github-role" {
  name = "github-backup"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": [
          "s3.amazonaws.com",
          "lambda.amazonaws.com",
          "ecs.amazonaws.com"
        ]
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

IAM policy attachment:

resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = "${aws_iam_role.github-role.name}"
  policy_arn = "${aws_iam_policy.access_policy.arn}"
}

terraform plan shows no errors. The error only appears when running terraform apply. I've given the role the permissions the task definition needs, but it still fails. What's wrong?

1 answer:

Answer 0 (score: 10)

As described in the AWS ECS User Guide, Fargate tasks require an execution role to be specified as part of the task definition.

This isn't required for EC2 launch type tasks, because the EC2 instances themselves should have an IAM role that allows them to pull container images and push logs to CloudWatch.

Because it is optional for the EC2 launch type, Terraform has to keep this option optional or it would break those setups. Strictly speaking, Terraform cannot do cross-field validation at plan time, so it cannot tell you in the plan that, because you have a Fargate launch type task, you need to specify execution_role_arn. Using CustomizeDiff in the provider source could resolve this, but it is hacky and currently only used in a few places.

Note that the execution role is the role needed to start the task, rather than the role the task itself has that allows it to do things.

So you should remove the ECS-related permissions from your IAM policy, since the task itself should not be interacting with S3 at all. Instead, just add a role with the appropriate permissions as the execution role.

To use the AWS-managed ECS task execution role, you would do something like this:

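As an added example (not code from the question or the answer), here is a configuration that separates the two roles the answer distinguishes: an execution role that the ECS agent uses to pull the image and write logs, and a task role that carries only the S3 write permissions the backup job itself needs. Both roles trust the ecs-tasks.amazonaws.com service principal, which is what Fargate tasks assume (not ecs.amazonaws.com as in the question's trust policy). The variable defaults, the bucket name, the image URI and the log group are placeholders; the syntax matches the Terraform 0.11 interpolation style used in the question.

```hcl
# Added example: execution role vs. task role for a Fargate task definition.
# Variable defaults, bucket name, image URI and log group are assumed placeholders.

variable "task_name"      { default = "github-backup" }
variable "fargate_cpu"    { default = "256" }
variable "fargate_memory" { default = "512" }
variable "image"          { default = "123456789012.dkr.ecr.eu-west-1.amazonaws.com/github-backup:latest" }
variable "backup_bucket"  { default = "example-github-backup-bucket" }

data "aws_region" "current" {}

# Fargate tasks are assumed by the ECS tasks service principal; both roles share this trust policy.
data "aws_iam_policy_document" "ecs_tasks_assume" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

# Execution role: what the error message asks for. The AWS-managed policy grants
# only the ECR pull and CloudWatch Logs actions the agent needs to start the task.
resource "aws_iam_role" "execution" {
  name               = "${var.task_name}-execution"
  assume_role_policy = "${data.aws_iam_policy_document.ecs_tasks_assume.json}"
}

resource "aws_iam_role_policy_attachment" "execution" {
  role       = "${aws_iam_role.execution.name}"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Task role: only what the container's own code needs. s3:PutObject is an
# object-level action, so the resource must be the object ARN (bucket/*).
data "aws_iam_policy_document" "task" {
  statement {
    actions   = ["s3:PutObject", "s3:PutObjectTagging", "s3:PutObjectVersionTagging"]
    resources = ["arn:aws:s3:::${var.backup_bucket}/*"]
  }
}

resource "aws_iam_role" "task" {
  name               = "${var.task_name}-task"
  assume_role_policy = "${data.aws_iam_policy_document.ecs_tasks_assume.json}"
}

resource "aws_iam_role_policy" "task" {
  name   = "${var.task_name}-s3-write"
  role   = "${aws_iam_role.task.id}"
  policy = "${data.aws_iam_policy_document.task.json}"
}

resource "aws_cloudwatch_log_group" "task" {
  name              = "/ecs/${var.task_name}"
  retention_in_days = 30
}

resource "aws_ecs_task_definition" "github-backup" {
  family                   = "${var.task_name}"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = "${var.fargate_cpu}"
  memory                   = "${var.fargate_memory}"
  execution_role_arn       = "${aws_iam_role.execution.arn}"
  task_role_arn            = "${aws_iam_role.task.arn}"

  container_definitions = <<DEFINITION
[
  {
    "name": "github-backup",
    "image": "${var.image}",
    "essential": true,
    "logConfiguration": {
      "logDriver": "awslogs",
      "options": {
        "awslogs-group": "${aws_cloudwatch_log_group.task.name}",
        "awslogs-region": "${data.aws_region.current.name}",
        "awslogs-stream-prefix": "ecs"
      }
    }
  }
]
DEFINITION
}
```

Compared with the question's single role, this drops the lambda:* grant on "*" and moves the ECR and logs statements out of the task's own policy and into the execution role, so a compromised container process holds nothing beyond write access to one bucket prefix. If you prefer the AWS-managed ecsTaskExecutionRole that the answer mentions, replace the execution role resource with a data "aws_iam_role" lookup of that role and reference its arn in execution_role_arn.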