
Pass Task Exec. policy ARN as an input variable or default to AmazonECSTaskExecutionRolePolicy #7

Closed
bsuv opened this issue May 26, 2018 · 7 comments

@bsuv

bsuv commented May 26, 2018

policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"

When I tried to use atlantis plan or apply I found that it needed at least the following permissions (depending on the config files of course):

    • access to the backend (say S3)
    • access to IAM

among others.

Initially I began by attaching existing policies, before determining which ones are most restrictive. Alternatively, one could pass the overly permissive https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator if they're confident that the Task runs securely.

@ldormoy
Contributor

ldormoy commented Aug 24, 2018

I'm also interested in having policy_arn as an input variable that defaults to its current value.

Right now I have to include AWS CLI credentials into the docker image, which isn't optimal from a security PoV.

antonbabenko added a commit that referenced this issue Sep 7, 2018
#7 pass ECS task exec. policy as input variable
@antonbabenko
Member

@ldormoy has fixed it, and v1.4.0 has just been released.

Sorry that it took so long to get this issue resolved - all PRs are very much appreciated, because I don't have enough time to fix them all alone.

@kerin

kerin commented Dec 19, 2018

I've just tried this, and it does not work if the policy ARN is a computed value, or anything other than a string literal:

# Custom policy that Atlantis needs for its own terraform runs.
data "aws_iam_policy_document" "atlantis_terraform" {
  statement {
    actions   = ["ec2:*"]
    resources = ["*"]
    effect    = "Allow"
  }
}

resource "aws_iam_policy" "atlantis_terraform" {
  name   = "atlantis-terraform"
  policy = "${data.aws_iam_policy_document.atlantis_terraform.json}"
}

module "atlantis" {
  source  = "terraform-aws-modules/atlantis/aws"
  version = "1.5.1"

  name = "atlantis"

  policies_arn = [
    # string literal: known at plan time
    "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
    # computed value: the ARN is only known after the policy is created
    "${aws_iam_policy.atlantis_terraform.arn}",
  ]
}

When running:

$ terraform plan
...
Error: Error refreshing state: 1 error(s) occurred:

* module.atlantis.aws_iam_role_policy_attachment.ecs_task_execution: aws_iam_role_policy_attachment.ecs_task_execution: value of 'count' cannot be computed

It looks to me like the only means of having Atlantis run with AWS credentials using this module is to bake static creds into the atlantis container, unless I'm missing something?
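An added example (not code from the module, nor from anyone in this thread) that addresses both points raised so far: bsuv's need for a scoped backend policy instead of the Administrator job function, and the "value of 'count' cannot be computed" failure kerin hit when a computed ARN is passed in `policies_arn`. It is written in Terraform 0.11 syntax to match the thread. The account ID `123456789012`, the bucket `example-tfstate`, the lock table `example-tflock` and the region `us-east-1` are constructed placeholders; `policies_arn` is the module input kerin uses above.

```hcl
# Added example; placeholders below are constructed, not real infrastructure.
variable "account_id" {
  default = "123456789012" # constructed placeholder
}

variable "state_bucket" {
  default = "example-tfstate" # constructed placeholder
}

variable "lock_table" {
  default = "example-tflock" # constructed placeholder
}

# Least-privilege policy for the S3 backend and its DynamoDB lock table:
# only the actions the backend issues, each pinned to a named resource,
# in place of an "ec2:*" on "*" or the Administrator job function.
data "aws_iam_policy_document" "atlantis_backend" {
  statement {
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.state_bucket}"]
  }

  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["arn:aws:s3:::${var.state_bucket}/*"]
  }

  statement {
    effect = "Allow"

    actions = [
      "dynamodb:DescribeTable",
      "dynamodb:GetItem",
      "dynamodb:PutItem",
      "dynamodb:DeleteItem",
    ]

    resources = ["arn:aws:dynamodb:us-east-1:${var.account_id}:table/${var.lock_table}"]
  }
}

resource "aws_iam_policy" "atlantis_backend" {
  name   = "atlantis-backend"
  policy = "${data.aws_iam_policy_document.atlantis_backend.json}"
}

module "atlantis" {
  source  = "terraform-aws-modules/atlantis/aws"
  version = "1.5.1"

  name = "atlantis"

  # The customer-managed policy ARN is spelled out from values known at plan
  # time (customer-managed policies always have the form
  # arn:aws:iam::<account>:policy/<name>) instead of being read from
  # aws_iam_policy.atlantis_backend.arn, so Terraform 0.11 can evaluate the
  # module's count without first applying the policy.
  policies_arn = [
    "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
    "arn:aws:iam::${var.account_id}:policy/atlantis-backend",
  ]
}
```

Two caveats. Spelling the ARN out removes the dependency edge Terraform would otherwise have inferred, so on a fresh account create the policy first (`terraform apply -target=aws_iam_policy.atlantis_backend`) and then run the full apply; otherwise the attachment can race the policy and fail with NoSuchEntity. And the resource named in kerin's error, `aws_iam_role_policy_attachment.ecs_task_execution`, shows that the module attaches everything in `policies_arn` to the ECS task execution role, the one the ECS agent uses to pull the image and ship logs; the backend permissions Atlantis itself needs therefore land on that same role, which is broader than a separate task role would be.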

@statwoodland

statwoodland commented Feb 14, 2019

I'm getting the same error as kerin.

Terraform v0.11.11 and this module's release v1.11.0

@chenrui333
Contributor

I am curious how we can deal with credentials usage for things other than AWS resources?

@bryantbiggs
Member

This issue appears to be resolved with the latest versions - please update and let us know if there are any additional issues that need attention, thank you!

@github-actions

github-actions bot commented Nov 9, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 9, 2022