fix: property lookup in ecs_target block (terraform-aws-modules#8)

Author: svenlito

.github/workflows/pre-commit.yml

@@ -38,7 +38,7 @@ jobs:
         uses: actions/setup-python@v2
       - name: Terraform min/max versions
         id: minMax
-        uses: clowdhaus/terraform-min-max@v1.0.1
+        uses: clowdhaus/terraform-min-max@v1.0.2
         with:
           directory: ${{ matrix.directory }}
       - name: Install Terraform v${{ steps.minMax.outputs.minVersion }}
@@ -50,14 +50,11 @@ jobs:
       - name: Execute pre-commit
         # Run only validate pre-commit check on min version supported
         if: ${{ matrix.directory !=  '.' }}
-        run:
-          pre-commit run terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*
+        run: pre-commit run terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*
       - name: Execute pre-commit
         # Run only validate pre-commit check on min version supported
         if: ${{ matrix.directory ==  '.' }}
-        run:
-          pre-commit run terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)
-
+        run: pre-commit run terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)
 
   # Max Terraform version
   getBaseVersion:
@@ -68,7 +65,7 @@ jobs:
         uses: actions/checkout@v2
       - name: Terraform min/max versions
         id: minMax
-        uses: clowdhaus/terraform-min-max@v1.0.1
+        uses: clowdhaus/terraform-min-max@v1.0.2
     outputs:
       minVersion: ${{ steps.minMax.outputs.minVersion }}
       maxVersion: ${{ steps.minMax.outputs.maxVersion }}
@@ -94,7 +91,7 @@ jobs:
       - name: Install pre-commit dependencies
         run: |
           pip install pre-commit
-          curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E "https://.+?-v0.12\..+?-linux-amd64" | head -n1)" > terraform-docs && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/
+          curl -Lo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.13.0/terraform-docs-v0.13.0-$(uname)-amd64.tar.gz && tar -xzf terraform-docs.tar.gz && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/
           curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/
       - name: Execute pre-commit
         # Run all pre-commit checks on max version supported

examples/complete/README.md

@@ -34,6 +34,7 @@ Note that this example may create resources which cost money. Run `terraform des
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_ecs"></a> [ecs](#module\_ecs) | terraform-aws-modules/ecs/aws | ~> 3.0 |
 | <a name="module_eventbridge"></a> [eventbridge](#module\_eventbridge) | ../../ |  |
 | <a name="module_step_function"></a> [step\_function](#module\_step\_function) | terraform-aws-modules/step-functions/aws | ~> 2.0 |
 
@@ -42,6 +43,8 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Type |
 |------|------|
 | [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_ecs_service.hello_world](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) | resource |
+| [aws_ecs_task_definition.hello_world](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) | resource |
 | [aws_kinesis_stream.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream) | resource |
 | [aws_sqs_queue.dlq](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
 | [aws_sqs_queue.fifo](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |

examples/complete/main.tf

@@ -32,6 +32,9 @@ module "eventbridge" {
   attach_cloudwatch_policy = true
   cloudwatch_target_arns   = [aws_cloudwatch_log_group.this.arn]
 
+  attach_ecs_policy = true
+  ecs_target_arns   = [aws_ecs_task_definition.hello_world.arn]
+
   rules = {
     orders = {
       description   = "Capture all order data"
@@ -90,6 +93,15 @@ module "eventbridge" {
         dead_letter_arn   = aws_sqs_queue.dlq.arn
         input_transformer = local.order_input_transformer
         attach_role_arn   = true
+      },
+      {
+        name            = "process-email-with-ecs-task",
+        arn             = module.ecs.ecs_cluster_arn,
+        attach_role_arn = true
+        ecs_target = {
+          task_count          = 1
+          task_definition_arn = aws_ecs_task_definition.hello_world.arn
+        }
       }
     ]
   }
@@ -248,3 +260,43 @@ module "step_function" {
     }
   }
 }
+
+######
+# ECS
+######
+
+module "ecs" {
+  source  = "terraform-aws-modules/ecs/aws"
+  version = "~> 3.0"
+
+  name = random_pet.this.id
+
+  capacity_providers = ["FARGATE", "FARGATE_SPOT"]
+}
+
+resource "aws_ecs_service" "hello_world" {
+  name            = "hello_world-${random_pet.this.id}"
+  cluster         = module.ecs.ecs_cluster_id
+  task_definition = aws_ecs_task_definition.hello_world.arn
+  launch_type     = "FARGATE"
+
+  desired_count = 1
+
+  deployment_maximum_percent         = 100
+  deployment_minimum_healthy_percent = 0
+}
+
+resource "aws_ecs_task_definition" "hello_world" {
+  family = "hello_world-${random_pet.this.id}"
+
+  container_definitions = <<EOF
+[
+  {
+    "name": "hello_world-${random_pet.this.id}",
+    "image": "hello-world",
+    "cpu": 0,
+    "memory": 128
+  }
+]
+EOF
+}

iam.tf

@@ -171,14 +171,14 @@ data "aws_iam_policy_document" "ecs" {
     sid       = "ECSAccess"
     effect    = "Allow"
     actions   = ["ecs:RunTask"]
-    resources = var.ecs_target_arns
+    resources = [for arn in var.ecs_target_arns : replace(arn, "/:\\d+$/", ":*")]
   }
 
   statement {
     sid       = "PassRole"
     effect    = "Allow"
     actions   = ["iam:PassRole"]
-    resources = [aws_iam_role.eventbridge[0].arn]
+    resources = ["*"]
   }
 }
 

main.tf

@@ -70,20 +70,24 @@ resource "aws_cloudwatch_event_target" "this" {
   }
 
   dynamic "ecs_target" {
-    for_each = lookup(each.value, "ecs_target", null) != null ? [true] : []
+    for_each = lookup(each.value, "ecs_target", null) != null ? [
+      each.value.ecs_target
+    ] : []
 
     content {
       group               = lookup(ecs_target.value, "group", null)
       launch_type         = lookup(ecs_target.value, "launch_type", null)
       platform_version    = lookup(ecs_target.value, "platform_version", null)
       task_count          = lookup(ecs_target.value, "task_count", null)
-      task_definition_arn = ecs_target.value.task_definition_arn
+      task_definition_arn = lookup(ecs_target.value, "task_definition_arn", null)
 
       dynamic "network_configuration" {
-        for_each = lookup(ecs_target.value, "network_configuration", null) != null ? [true] : []
+        for_each = lookup(each.value.ecs_target, "network_configuration", null) != null ? [
+          each.value.ecs_target.network_configuration
+        ] : []
 
         content {
-          subnets          = network_configuration.value.subnets
+          subnets          = lookup(network_configuration.value, "subnets", null)
           security_groups  = lookup(network_configuration.value, "security_groups", null)
           assign_public_ip = lookup(network_configuration.value, "assign_public_ip", null)
         }