Add explicit_task_exec_secret_arns to complete example

Author: sestrella

examples/complete/main.tf

@@ -50,6 +50,8 @@ module "ecs" {
       cpu    = 1024
       memory = 4096
 
+      explicit_task_exec_secret_arns = true
+
       # Container definition(s)
       container_definitions = {
 

main.tf

@@ -134,10 +134,11 @@ module "service" {
   task_exec_iam_role_max_session_duration = try(each.value.task_exec_iam_role_max_session_duration, null)
 
   # Task execution IAM role policy
-  create_task_exec_policy  = try(each.value.create_task_exec_policy, true)
-  task_exec_ssm_param_arns = lookup(each.value, "task_exec_ssm_param_arns", ["arn:aws:ssm:*:*:parameter/*"])
-  task_exec_secret_arns    = lookup(each.value, "task_exec_secret_arns", ["arn:aws:secretsmanager:*:*:secret:*"])
-  task_exec_iam_statements = lookup(each.value, "task_exec_iam_statements", {})
+  create_task_exec_policy        = try(each.value.create_task_exec_policy, true)
+  task_exec_ssm_param_arns       = lookup(each.value, "task_exec_ssm_param_arns", ["arn:aws:ssm:*:*:parameter/*"])
+  task_exec_secret_arns          = lookup(each.value, "task_exec_secret_arns", ["arn:aws:secretsmanager:*:*:secret:*"])
+  explicit_task_exec_secret_arns = lookup(each.value, "explicit_task_exec_secret_arns", false)
+  task_exec_iam_statements       = lookup(each.value, "task_exec_iam_statements", {})
 
   # Tasks - IAM role
   create_tasks_iam_role               = try(each.value.create_tasks_iam_role, true)

modules/service/main.tf

@@ -26,6 +26,9 @@ locals {
   }
 
   create_service = var.create && var.create_service
+
+  container_definitions_secrets = flatten([for k, v in module.container_definition : v.container_definition.secrets])
+  task_exec_secret_arns = var.explicit_task_exec_secret_arns ? [for v in local.container_definitions_secrets : v.valueFrom] : var.task_exec_secret_arns
 }
 
 resource "aws_ecs_service" "this" {
@@ -836,12 +839,12 @@ data "aws_iam_policy_document" "task_exec" {
   }
 
   dynamic "statement" {
-    for_each = length(var.task_exec_secret_arns) > 0 ? [1] : []
+    for_each = length(local.task_exec_secret_arns) > 0 ? [1] : []
 
     content {
       sid       = "GetSecrets"
       actions   = ["secretsmanager:GetSecretValue"]
-      resources = var.task_exec_secret_arns
+      resources = local.task_exec_secret_arns
     }
   }
 

modules/service/variables.tf

@@ -462,6 +462,12 @@ variable "task_exec_secret_arns" {
   default     = ["arn:aws:secretsmanager:*:*:secret:*"]
 }
 
+variable "explicit_task_exec_secret_arns" {
+  description = "Change the task_exec_secret_arns behavior to get the list of ARNs from the secrets defined in containers_definitions"
+  type        = bool
+  default     = false
+}
+
 variable "task_exec_iam_statements" {
   description = "A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage"
   type        = any