From 857de30a195a4685e528f7d3c214501038a80956 Mon Sep 17 00:00:00 2001
From: lycbrian
Date: Tue, 22 Apr 2025 11:35:50 +0700
Subject: [PATCH 1/3] update efs volume var
---
 main.tf | 2 +-
 variables.tf | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/main.tf b/main.tf
index fd3bb50..6cabaff 100644
--- a/main.tf
+++ b/main.tf
@@ -275,7 +275,7 @@ resource "aws_ecs_task_definition" "this" {
 container_definitions = jsonencode(local.container_task_definitions)
 dynamic "volume" {
- for_each = local.volumes
+ for_each = var.efs_volumes #local.volumes
 content {
 host_path = lookup(volume.value, "host_path", null)
 name = volume.value.name
diff --git a/variables.tf b/variables.tf
index 38fb463..633f648 100644
--- a/variables.tf
+++ b/variables.tf
@@ -272,8 +272,7 @@ variable "ordered_placement_strategy" {
 /* -------------------------------------------------------------------------- */
 variable "efs_volumes" {
 description = "Task EFS volume definitions as list of configuration objects. You cannot define both Docker volumes and EFS volumes on the same task definition."
- type = list(any)
- default = []
+ type = any
 }
 /* -------------------------------------------------------------------------- */
From 37064289a7ebbb09d62403b80d17c28eae788555 Mon Sep 17 00:00:00 2001
From: lycbrian
Date: Wed, 30 Apr 2025 14:12:26 +0700
Subject: [PATCH 2/3] add secret manager kms condition
---
 locals.tf | 2 ++
 main.tf | 5 +++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/locals.tf b/locals.tf
index 231ba85..c409c62 100644
--- a/locals.tf
+++ b/locals.tf
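Review bot: `for_each = var.efs_volumes #local.volumes` leaves the replaced expression behind as a trailing comment, and with `efs_volumes` now typed `any` and carrying no default, the `lookup(volume.value, "host_path", null)` on the next lines is the first place a wrongly shaped element is caught, at plan time, instead of at the module boundary where `list(any)` at least rejected a non-list. Drop the `#local.volumes` remnant, and if `local.volumes` is no longer referenced anywhere else, remove that local too rather than leaving dead code. Because `host_path` bind-mounts a host directory into the task, it is worth pinning the element shape with `type = list(object({...}))` naming `name`, `host_path` and whatever other keys the `content` block reads, so a stray string or map cannot reach this loop. The `content` block of this dynamic `volume` continues outside the hunk.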
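Review bot: Removing `default = []` makes `efs_volumes` a required input, so every existing caller that did not set it will now fail with a missing-variable error, and `type = any` drops the list check that `list(any)` enforced at the module boundary. Unless making it mandatory is the intent, keep `default = []` and prefer a typed list; if `any` is needed so that both a list and a map are accepted, add a `validation` block that rejects anything else and state the accepted shapes in the description. The description still says "list of configuration objects", which no longer matches the declared type.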
@@ -40,6 +40,8 @@ locals {
 | 1 | 1 | use custom kms */
 cloudwatch_log_group_kms_key_arn = var.is_create_cloudwatch_log_group ? var.cloudwatch_log_group_kms_key_arn != null ? var.cloudwatch_log_group_kms_key_arn : var.is_create_default_kms ? module.cloudwatch_log_group_kms[0].key_arn : null : null
+ secret_kms_key_arn = var.is_create_default_kms && var.secret_kms_key_arn == null ? module.secret_kms_key[0].key_arn : var.secret_kms_key_arn
+
 tags = merge(
 {
 "Environment" = var.environment,
diff --git a/main.tf b/main.tf
index 6cabaff..0dbd716 100644
--- a/main.tf
+++ b/main.tf
@@ -104,7 +104,7 @@ module "cloudwatch_log_group_kms" {
 name = format("%s-log-group", var.name)
 key_type = "service"
 append_random_suffix = true
- description = format("Secure Secrets Manager's service secrets for service %s", local.name)
+ description = format("Secure log group for service %s", local.name)
 additional_policies = [data.aws_iam_policy_document.cloudwatch_log_group_kms_policy.json]
 tags = merge(local.tags, { "Name" : format("%s-log-group", local.name) })
@@ -193,6 +193,7 @@ resource "aws_lb_listener_rule" "this" {
 /* Secret */
 /* -------------------------------------------------------------------------- */
 module "secret_kms_key" {
+ count = var.is_create_default_kms && var.secret_kms_key_arn == null ? 1 : 0
 source = "oozou/kms-key/aws"
 version = "1.0.0"
@@ -226,7 +227,7 @@ resource "aws_secretsmanager_secret" "this" {
 name = "${each.value.name}/${random_string.service_secret_random_suffix[each.key].result}"
 description = "Secret for service ${local.name}"
- kms_key_id = module.secret_kms_key.key_arn
+ kms_key_id = local.secret_kms_key_arn
 tags = merge({ Name = "${each.value.name}/${random_string.service_secret_random_suffix[each.key].result}" }, local.tags)
 }
From 8df77010a5131fe984359b4c631dd36a20797045 Mon Sep 17 00:00:00 2001
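Review bot: The new `secret_kms_key_arn` local evaluates to null when `is_create_default_kms` is false and no `secret_kms_key_arn` is supplied, and nothing in the commit explains that case; an unset `kms_key_id` makes Secrets Manager fall back to its AWS-managed key (`aws/secretsmanager`), which is a quiet downgrade from the customer-managed key the module used unconditionally before this patch. The line directly above carries a truth table for `cloudwatch_log_group_kms_key_arn`, so add the matching table here: one row per combination of `is_create_default_kms` and a supplied ARN, with the both-unset row spelling out that the result is null and the secrets then use the AWS-managed key. If that fallback is not intended, a `precondition` that fails when both are unset is the safer choice.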
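Review bot: Adding `count` to `module "secret_kms_key"` changes its address from `module.secret_kms_key` to `module.secret_kms_key[0]`, so on existing state Terraform will plan to destroy the current key (scheduling KMS deletion) and create a replacement, even for callers that keep the defaults. Add a `moved` block beside the module with `from = module.secret_kms_key` and `to = module.secret_kms_key[0]` so the existing key and its address are retained. The condition also duplicates the one in `locals.tf`; a single `local.is_create_secret_kms` used in both places would keep them from drifting apart. The module body continues outside the hunk.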
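Review bot: With `kms_key_id = local.secret_kms_key_arn` a caller-supplied key now encrypts the secrets, but nothing in this commit grants the task execution role `kms:Decrypt` on that key; the module-created key presumably carried that grant in its key policy (not visible here), so an external key whose policy lacks it will leave the ECS tasks unable to fetch their secrets at start-up. At minimum note this where the variable is declared, e.g. `# NOTE: an externally supplied key must allow kms:Decrypt for this service's task execution role`, or attach the required statement to the execution role policy inside the module so the behaviour does not depend on the caller's key policy.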
From: lycbrian
Date: Wed, 30 Apr 2025 14:15:53 +0700
Subject: [PATCH 3/3] add secret kms key arn var
---
 variables.tf | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/variables.tf b/variables.tf
index 633f648..107016c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -97,6 +97,12 @@ variable "cloudwatch_log_group_kms_key_arn" {
 default = null
 }
+variable "secret_kms_key_arn" {
+ description = "The ARN for the secret manager KMS encryption key."
+ type = string
+ default = null
+}
+
 /* -------------------------------------------------------------------------- */
 /* LoadBalancer */
 /* -------------------------------------------------------------------------- */
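Review bot: `secret_kms_key_arn` is accepted as any string, and its description does not say how it interacts with `is_create_default_kms` — from the locals change in the previous patch the value is used as-is when set, a module key is created when it is null and `is_create_default_kms` is true, and the secrets fall back to the AWS-managed key when both are unset. A malformed value is only discovered when `aws_secretsmanager_secret` is applied, so add a `validation` block that accepts null or a KMS key ARN, and rewrite the description to document the three cases (and "Secrets Manager" rather than "secret manager"). The rewritten variable is shown below.

```hcl
variable "secret_kms_key_arn" {
  description = "ARN of an existing KMS key used to encrypt this service's Secrets Manager secrets. When null and is_create_default_kms is true a key is created by this module; when null and is_create_default_kms is false the secrets use the AWS-managed key aws/secretsmanager. An external key must allow kms:Decrypt for the task execution role."
  type        = string
  default     = null

  validation {
    condition     = var.secret_kms_key_arn == null || can(regex("^arn:aws[a-zA-Z-]*:kms:[a-z0-9-]+:[0-9]{12}:key/", var.secret_kms_key_arn))
    error_message = "secret_kms_key_arn must be null or a KMS key ARN of the form arn:<partition>:kms:<region>:<account-id>:key/<key-id>."
  }
}
```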