Merge pull request #1 from danbarr/v0.3.0

v0.3.0

- Moves the agent token to an SSM SecureString
- Add outputs to module

Author: danbarr

.gitignore

@@ -1,5 +1,7 @@
 .DS_Store
 
+test/
+
 # Local .terraform directories
 **/.terraform/*
 

README.md

@@ -1,18 +1,20 @@
 # Terraform module aws-ecs-tfc-agent
 
-This module deploys a Terraform Cloud Agent task definition and service into an existing ECS Fargate cluster. It includes the required security group and IAM roles for a basic deployment. For all options, see variables.tf
+This module creates a Terraform Cloud Agent pool in a TFC org, and deploys a task definition and service into an existing ECS Fargate cluster. It includes the required security group and IAM roles for a basic deployment. For all options, see variables.tf
 
 Prerequisites:
 
 - An existing VPC with at least one public subnet
 - An existing ECS Fargate cluster
 - A Terraform Cloud organization with self-hosted agent support (Business tier), or a Terraform Enterprise instance
 
+Hat tip to Andy Assareh for his [excellent examples](https://github.com/assareh/tfc-agent).
+
 Minimal example using the standard agent image (hashicorp/tfc-agent):
 
 ```terraform
 module "agent_standard" {
-  source  = "github.com/danbarr/terraform-aws-ecs-tfc-agent?ref=v0.2.4"
+  source  = "github.com/danbarr/terraform-aws-ecs-tfc-agent?ref=v0.3.0"
 
   name                      = "ecs"
   tfc_org_name              = "My-TFC-Org"
@@ -32,7 +34,7 @@ module "agent_cluster" {
 }
 
 module "agent_standard" {
-  source  = "github.com/danbarr/terraform-aws-ecs-tfc-agent?ref=v0.2.4"
+  source  = "github.com/danbarr/terraform-aws-ecs-tfc-agent?ref=v0.3.0"
 
   name                      = "ecs-custom"
   tfc_org_name              = "My-TFC-Org"

example/basic-example.tf

@@ -21,7 +21,7 @@ provider "aws" {
 provider "tfe" {}
 
 module "agent_pool" {
-  source                    = "../"
+  source                    = "github.com/danbarr/terraform-aws-ecs-tfc-agent?ref=v0.3.0"
   name                      = "ecs"
   tfc_org_name              = "My-TFC-Org"
   agent_image               = "hashicorp/tfc-agent:latest"

main.tf

@@ -26,6 +26,13 @@ resource "tfe_agent_token" "ecs_agent_token" {
   description   = "${var.name}-agent-token"
 }
 
+resource "aws_ssm_parameter" "agent_token" {
+  name        = "${var.name}-tfc-agent-token"
+  description = "Terraform Cloud agent token"
+  type        = "SecureString"
+  value       = tfe_agent_token.ecs_agent_token.token
+}
+
 resource "aws_ecs_task_definition" "tfc_agent" {
   family                   = "tfc-agent-${var.tfc_org_name}-${var.name}"
   cpu                      = var.agent_cpu
@@ -68,15 +75,17 @@ resource "aws_ecs_task_definition" "tfc_agent" {
             name  = "TFC_ADDRESS",
             value = var.tfc_address
           },
-          {
-            name  = "TFC_AGENT_TOKEN",
-            value = tfe_agent_token.ecs_agent_token.token
-          },
           {
             name  = "TFC_AGENT_LOG_LEVEL",
             value = var.agent_log_level
           }
-        ], var.extra_env_vars)
+        ], var.extra_env_vars),
+        secrets = [
+          {
+            name      = "TFC_AGENT_TOKEN",
+            valueFrom = aws_ssm_parameter.agent_token.arn
+          }
+        ]
       }
     ]
   )
@@ -132,6 +141,10 @@ resource "aws_security_group_rule" "allow_egress" {
   cidr_blocks       = ["0.0.0.0/0"]
 }
 
+## IAM
+# Two roles are defined: the task execution role used during initialization,
+# and the task role which is assumed by the container(s).
+
 data "aws_iam_policy_document" "agent_assume_role_policy" {
   statement {
     effect  = "Allow"
@@ -153,6 +166,20 @@ resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy_attach
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
 
+data "aws_iam_policy_document" "agent_init_policy" {
+  statement {
+    effect    = "Allow"
+    actions   = ["ssm:GetParameters"]
+    resources = [aws_ssm_parameter.agent_token.arn]
+  }
+}
+
+resource "aws_iam_role_policy" "agent_init_policy" {
+  role   = aws_iam_role.ecs_task_execution_role.name
+  name   = "AccessSSMforAgentToken"
+  policy = data.aws_iam_policy_document.agent_init_policy.json
+}
+
 resource "aws_iam_role" "ecs_task_role" {
   name               = "tfc-agent-${var.tfc_org_name}-${var.name}-ecsTaskRole"
   assume_role_policy = data.aws_iam_policy_document.agent_assume_role_policy.json

outputs.tf

@@ -0,0 +1,49 @@
+output "agent_pool_name" {
+  description = "Name of the TFC agent pool."
+  value       = tfe_agent_pool.ecs_agent_pool.name
+}
+
+output "agent_pool_id" {
+  description = "ID of the TFC agent pool."
+  value       = tfe_agent_pool.ecs_agent_pool.id
+}
+
+output "ecs_service_arn" {
+  description = "ARN of the ECS service."
+  value       = aws_ecs_service.tfc_agent.id
+}
+
+output "ecs_task_arn" {
+  description = "ARN of the ECS task definition."
+  value       = aws_ecs_task_definition.tfc_agent.arn
+}
+
+output "ecs_task_revision" {
+  description = "Revision number of the ECS task definition."
+  value       = aws_ecs_task_definition.tfc_agent.revision
+}
+
+output "log_stream_prefix" {
+  description = "Prefix for the CloudWatch log stream."
+  value       = jsondecode(aws_ecs_task_definition.tfc_agent.container_definitions)[0].logConfiguration.options.awslogs-stream-prefix
+}
+
+output "security_group_name" {
+  description = "Name of the VPC security group attached to the service."
+  value       = aws_security_group.tfc_agent.name
+}
+
+output "security_group_id" {
+  description = "ID of the VPC security group attached to the service."
+  value       = aws_security_group.tfc_agent.id
+}
+
+output "task_role_name" {
+  description = "Name of the IAM role attached to the task containers."
+  value       = aws_iam_role.ecs_task_role.name
+}
+
+output "task_role_arn" {
+  description = "ARN of the IAM role attached to the task containers."
+  value       = aws_iam_role.ecs_task_role.arn
+}