Skip to content

Terraform Limitation - How to attach a Customer Managed Key (CMK) to Fargate's ephemeral storage. #43603

@dileepnagam

Description

@dileepnagam

What new functionality are you requesting?

provider "aws" {
region = "us-east-1"
}

resource "aws_ecs_cluster" "fargate_cluster" {
name = "fargate-cmk-cluster"
}

resource "aws_cloudwatch_log_group" "ecs_logs" {
name = "/ecs/fargate-cmk-demo"
retention_in_days = 1
}

resource "aws_iam_role" "ecs_task_execution_role" {
name = "ecsTaskExecutionRole"

assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "ecs-tasks.amazonaws.com"
}
}]
})
}

resource "aws_iam_role_policy_attachment" "ecs_execution_role_policy" {
role = aws_iam_role.ecs_task_execution_role.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

Replace this with your actual CMK ARN

variable "cmk_arn" {
default = "arn:aws:kms:us-east-1:932186207942:key/428dbd0a-0c53-423d-a004-5c8f403a4a70"
}

resource "aws_ecs_task_definition" "fargate_task" {
family = "fargate-task-cmk"
requires_compatibilities = ["FARGATE"]
network_mode = "awsvpc"
cpu = "256"
memory = "512"
execution_role_arn = aws_iam_role.ecs_task_execution_role.arn

ephemeral_storage {
size_in_gib = 21
}

runtime_platform {
operating_system_family = "LINUX"
}

container_definitions = jsonencode([
{
name = "demo-container"
image = "amazonlinux"
command = ["echo", "Hello from encrypted ephemeral Fargate"]
essential = true
logConfiguration = {
logDriver = "awslogs"
options = {
awslogs-group = aws_cloudwatch_log_group.ecs_logs.name
awslogs-region = "us-east-1"
awslogs-stream-prefix = "ecs"
}
}
}
])

kms_key_arn = var.cmk_arn // this is not supported in Terraform

}

Description

For now im trying to attach my own CMK(customer managed key) to the fargate .But I'm not able to achieve this functionality in Terraform code . Why?

Potential Terraform Configuration

provider "aws" {
region = "us-east-1"
}

resource "aws_ecs_cluster" "fargate_cluster" {
name = "fargate-cmk-cluster"
}

resource "aws_cloudwatch_log_group" "ecs_logs" {
name = "/ecs/fargate-cmk-demo"
retention_in_days = 1
}

resource "aws_iam_role" "ecs_task_execution_role" {
name = "ecsTaskExecutionRole"

assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "ecs-tasks.amazonaws.com"
}
}]
})
}

resource "aws_iam_role_policy_attachment" "ecs_execution_role_policy" {
role = aws_iam_role.ecs_task_execution_role.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

Replace this with your actual CMK ARN

variable "cmk_arn" {
default = "arn:aws:kms:us-east-1:932186207942:key/428dbd0a-0c53-423d-a004-5c8f403a4a70"
}

resource "aws_ecs_task_definition" "fargate_task" {
family = "fargate-task-cmk"
requires_compatibilities = ["FARGATE"]
network_mode = "awsvpc"
cpu = "256"
memory = "512"
execution_role_arn = aws_iam_role.ecs_task_execution_role.arn

ephemeral_storage {
size_in_gib = 21
}

runtime_platform {
operating_system_family = "LINUX"
}

container_definitions = jsonencode([
{
name = "demo-container"
image = "amazonlinux"
command = ["echo", "Hello from encrypted ephemeral Fargate"]
essential = true
logConfiguration = {
logDriver = "awslogs"
options = {
awslogs-group = aws_cloudwatch_log_group.ecs_logs.name
awslogs-region = "us-east-1"
awslogs-stream-prefix = "ecs"
}
}
}
])

kms_key_arn = var.cmk_arn // this is not supported in Terraform

}

References

No response

Would you like to implement the enhancement?

No

Metadata

Metadata

Assignees

No one assigned

    Labels

    needs-triageWaiting for first response or review from a maintainer.service/ecsIssues and PRs that pertain to the ecs service.service/iamIssues and PRs that pertain to the iam service.service/logsIssues and PRs that pertain to the logs service.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions