tmknom · djt5019 · May 5, 2020
diff --git a/README.md b/README.md
@@ -63,6 +63,9 @@ module "ecs_scheduled_task" {
   create_ecs_task_execution_role = false
   ecs_task_execution_role_arn    = var.ecs_events_role_arn
 
+  create_ecs_task_role = false
+  ecs_task_role_arn    = var.ecs_task_role_arn
+
   tags = {
     Environment = "prod"
   }

diff --git a/main.tf b/main.tf
@@ -120,6 +120,10 @@ resource "aws_ecs_task_definition" "default" {
   # A unique name for your task definition.
   family = var.name
 
+  # The ARN of the role to attach to the task, this is what your container will assume
+  # https://www.terraform.io/docs/providers/aws/r/ecs_task_definition.html#task_role_arn
+  task_role_arn = var.create_ecs_task_role ? join("", aws_iam_role.ecs_task_role.*.arn) : var.ecs_task_role_arn
+
   # The ARN of the task execution role that the Amazon ECS container agent and the Docker daemon can assume.
   execution_role_arn = var.create_ecs_task_execution_role ? join("", aws_iam_role.ecs_task_execution.*.arn) : var.ecs_task_execution_role_arn
 
@@ -197,9 +201,34 @@ resource "aws_iam_role_policy_attachment" "ecs_task_execution" {
 
 locals {
   ecs_task_execution_iam_name = "${var.name}-ecs-task-execution"
+  ecs_task_iam_name           = "${var.name}-ecs-task"
   enabled_ecs_task_execution  = var.enabled && var.create_ecs_task_execution_role ? 1 : 0
+  enabled_ecs_task            = var.enabled && var.create_ecs_task_role ? 1 : 0
 }
 
 data "aws_iam_policy" "ecs_task_execution" {
   arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
+
+
+# ECS Task Role for Fargate
+data "aws_iam_policy_document" "ecs_task_role_assume_policy" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "ecs-tasks.amazonaws.com",
+      ]
+    }
+  }
+}
+
+resource "aws_iam_role" "ecs_task_role" {
+  count              = local.enabled_ecs_task
+  name               = local.ecs_task_iam_name
+  assume_role_policy = data.aws_iam_policy_document.ecs_task_role_assume_policy.json
+}
diff --git a/outputs.tf b/outputs.tf
@@ -127,3 +127,13 @@ output "ecs_task_execution_policy_document" {
   value       = join("", aws_iam_policy.ecs_task_execution.*.policy)
   description = "The policy document of the ECS Task Execution IAM Policy."
 }
+
+output "ecs_task_role_arn" {
+  value       = join("", aws_iam_role.ecs_task_role.*.arn)
+  description = "The ARN assigned by AWS to this ECS Task IAM Policy."
+}
+
+output "ecs_task_role_name" {
+  value       = join("", aws_iam_role.ecs_task_role.*.name)
+  description = "The name of the ECS Task IAM Role."
+}
diff --git a/variables.tf b/variables.tf
@@ -118,3 +118,15 @@ variable "ecs_task_execution_role_arn" {
   type        = string
   description = "The ARN of the ECS Task Execution IAM Role."
 }
+
+variable "create_ecs_task_role" {
+  default     = true
+  type        = string
+  description = "Specify true to indicate that ECS Task IAM Role creation."
+}
+
+variable "ecs_task_role_arn" {
+  default     = ""
+  type        = string
+  description = "The ARN of the ECS Task IAM Role."
+}