-
Notifications
You must be signed in to change notification settings - Fork 9.6k
Description
What new functionality are you requesting?
provider "aws" {
region = "us-east-1"
}
resource "aws_ecs_cluster" "fargate_cluster" {
name = "fargate-cmk-cluster"
}
resource "aws_cloudwatch_log_group" "ecs_logs" {
name = "/ecs/fargate-cmk-demo"
retention_in_days = 1
}
resource "aws_iam_role" "ecs_task_execution_role" {
name = "ecsTaskExecutionRole"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "ecs-tasks.amazonaws.com"
}
}]
})
}
resource "aws_iam_role_policy_attachment" "ecs_execution_role_policy" {
role = aws_iam_role.ecs_task_execution_role.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}
Replace this with your actual CMK ARN
variable "cmk_arn" {
default = "arn:aws:kms:us-east-1:932186207942:key/428dbd0a-0c53-423d-a004-5c8f403a4a70"
}
resource "aws_ecs_task_definition" "fargate_task" {
family = "fargate-task-cmk"
requires_compatibilities = ["FARGATE"]
network_mode = "awsvpc"
cpu = "256"
memory = "512"
execution_role_arn = aws_iam_role.ecs_task_execution_role.arn
ephemeral_storage {
size_in_gib = 21
}
runtime_platform {
operating_system_family = "LINUX"
}
container_definitions = jsonencode([
{
name = "demo-container"
image = "amazonlinux"
command = ["echo", "Hello from encrypted ephemeral Fargate"]
essential = true
logConfiguration = {
logDriver = "awslogs"
options = {
awslogs-group = aws_cloudwatch_log_group.ecs_logs.name
awslogs-region = "us-east-1"
awslogs-stream-prefix = "ecs"
}
}
}
])
kms_key_arn = var.cmk_arn // this is not supported in Terraform
}
Description
For now im trying to attach my own CMK(customer managed key) to the fargate .But I'm not able to achieve this functionality in Terraform code . Why?
Potential Terraform Configuration
provider "aws" {
region = "us-east-1"
}
resource "aws_ecs_cluster" "fargate_cluster" {
name = "fargate-cmk-cluster"
}
resource "aws_cloudwatch_log_group" "ecs_logs" {
name = "/ecs/fargate-cmk-demo"
retention_in_days = 1
}
resource "aws_iam_role" "ecs_task_execution_role" {
name = "ecsTaskExecutionRole"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "ecs-tasks.amazonaws.com"
}
}]
})
}
resource "aws_iam_role_policy_attachment" "ecs_execution_role_policy" {
role = aws_iam_role.ecs_task_execution_role.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}
Replace this with your actual CMK ARN
variable "cmk_arn" {
default = "arn:aws:kms:us-east-1:932186207942:key/428dbd0a-0c53-423d-a004-5c8f403a4a70"
}
resource "aws_ecs_task_definition" "fargate_task" {
family = "fargate-task-cmk"
requires_compatibilities = ["FARGATE"]
network_mode = "awsvpc"
cpu = "256"
memory = "512"
execution_role_arn = aws_iam_role.ecs_task_execution_role.arn
ephemeral_storage {
size_in_gib = 21
}
runtime_platform {
operating_system_family = "LINUX"
}
container_definitions = jsonencode([
{
name = "demo-container"
image = "amazonlinux"
command = ["echo", "Hello from encrypted ephemeral Fargate"]
essential = true
logConfiguration = {
logDriver = "awslogs"
options = {
awslogs-group = aws_cloudwatch_log_group.ecs_logs.name
awslogs-region = "us-east-1"
awslogs-stream-prefix = "ecs"
}
}
}
])
kms_key_arn = var.cmk_arn // this is not supported in Terraform
}
References
No response
Would you like to implement the enhancement?
No