Terraform定义的任务角色不适用于ECS计划任务 [英] Task role defined by Terraform not working correctly for ECS scheduled task

问题描述

我们的团队有很多cron作业作为ECS计划任务运行.最近，我添加了一个需要使用dynamodb的新作业，因此我在terraform文件中添加了权限，但是继续出现权限失败:

Our team has a bunch of cron jobs running as an ECS scheduled task. Lately I'm adding a new job that requires the use of dynamodb, so I added the permissions in our terraform files, but keep on getting permission failure:

com.amazonaws.services.dynamodbv2.model.AmazonDynamoDBException:
User: arn:aws:sts::87********23:assumed-role/tcoe-tableau/74a408106bf543ee95dbe4841d00b0f7 is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:us-east-1:87********23:table/tcoe-candyjar-metrics (Service: AmazonDynamoDBv2;
Status Code: 400; Error Code: AccessDeniedException; Request ID: H52U8GCS1JAB74OJ6VSSEFLCQNVV4KQNSO5AEMVJF66Q9ASUAAJG; Proxy: null)

我相关的地形如下:

首先，这是ecs集群和任务定义:

First, here are the ecs cluster and task definition:

resource "aws_ecs_cluster" "ecs-cluster" {
  name = "${var.stack_id}"
  tags {
    StackId = "${var.stack_id}"
  }
  lifecycle {
    ignore_changes = [
      "tags"
    ]
  }
}

resource "aws_ecs_task_definition" "task-definition" {
  family                   = "${var.stack_id}"
  network_mode             = "awsvpc"
  requires_compatibilities = [
    "FARGATE"
  ]
  cpu                      = "${var.cpu}"
  memory                   = "${var.task_memory}"
  task_role_arn            = "${aws_iam_role.task_role.arn}"
  execution_role_arn       = "${aws_iam_role.ecs_task_execution_role.arn}"
  container_definitions    = <<EOF
[
  {
    "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "${var.log_group}",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "${var.stack_id}"
        }
    },
    "ulimits": [
      {
        "name": "nofile",
        "softLimit": 4096,
        "hardLimit": 8192
      }
    ],
    "image": "${var.ecr_account}.dkr.ecr.us-east-1.amazonaws.com/${var.ecr_namespace}/${var.stack_id}:latest",
    "environment": [
      {"name": "ENV", "value": "${var.environment}" }
    ],
    "essential": true,
    "privileged": false,
    "name": "${var.stack_id}",
    "memory": ${var.memory}
  }
]
EOF

  tags {
    StackId = "${var.stack_id}"
  }
}

然后是任务定义的任务角色:

Then here's the task role for the task definition:

resource "aws_iam_role" "task_role" {
  name = "${var.stack_id}"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        ${data.aws_caller_identity.current.account_id == var.dev_account ? "\"AWS\": [\"arn:aws:iam::61********19:role/${var.dev_role_name}\"]," : ""}
        "Service": ["ecs-tasks.amazonaws.com"]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_instance_profile" "task_role_profile" {
  name = "${var.stack_id}"
  role = "${aws_iam_role.task_role.name}"
}

最后在这里，我将与dynamodb相关的策略添加到任务角色:

Finally here I'm adding the dynamodb-related policy to the task role:

resource "aws_iam_role_policy" "main" {
  name = "${var.stack_id}-extra-policy"
  role = "${aws_iam_role.task_role.id}"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:Scan",
        "dynamodb:Query",
        "dynamodb:List*",
        "dynamodb:Get*",
        "dynamodb:Describe*",
        "dynamodb:DeleteItem",
        "dynamodb:Put*",
        "dynamodb:UpdateItem",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:87********23:table/tcoe-candyjar-metrics",
        "arn:aws:dynamodb:us-east-1:87********23:table/tcoe-candyjar-metrics/index/*"
      ]
    }
  ]
}
EOF
}

我在这里做错了什么还是错过了什么吗?

Am I doing something wrong here or missing anything?

推荐答案

我认为我的失败是由于使用role.id而不是role.name，我想弄清楚id和name之间的区别，所以我发布了此问题 aws iam角色IDvs terraform中的角色名称，何时使用?，然后答案/注释表明它们完全相同，这促使我回过头来仔细检查我的提交历史记录和构建历史记录，然后我意识到由于我犯了一些人为错误，所以role.id无法正常工作的原因.我的新代码起作用不是因为我使用了role.name，而是因为我在不知不觉中同时修复了另一个错误.

I thought my failure was due to using role.id instead of role.name, and I wanted to figure out the differences between id and name, so I posted this question aws iam role id vs role name in terraform, when to use which?, then the answer/comment indicated that that are exactly the same, which prompted me to go back and carefully check my commit history and build history, and I realized that the reason role.id didn't work was due to some human error I made. My new codes worked not because I used role.name, but because i unknowingly fixed the other error at the same time.

总而言之，role.id和role.name完全相同.

To summarize, role.id and role.name are exactly the same.

这篇关于Terraform定义的任务角色不适用于ECS计划任务的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！