fix: Correct logic for local needs_infrastructure_iam_role check (#224

) * Fix need infrastructure role check. * try adjusting logic. * explicit dep * forgot this default * update example.
terraform-aws-modules · Sep 3, 2024 · 4e1473d · 4e1473d
1 parent deda673
commit 4e1473d
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 5 deletions.
diff --git a/examples/ec2-autoscaling/main.tf b/examples/ec2-autoscaling/main.tf
@@ -95,7 +95,6 @@ module "ecs_service" {
     }
   }
 
-  create_infrastructure_iam_role = true
   volume_configuration = {
     ebs-volume = {
       managed_ebs_volume = {

diff --git a/main.tf b/main.tf
@@ -100,7 +100,7 @@ module "service" {
   iam_role_statements           = lookup(each.value, "iam_role_statements", {})
 
   # ECS infrastructure IAM role
-  create_infrastructure_iam_role = try(each.value.create_infrastructure_iam_role, false)
+  create_infrastructure_iam_role = try(each.value.create_infrastructure_iam_role, true)
   infrastructure_iam_role_arn = try(each.value.infrastructure_iam_role_arn, null)
   infrastructure_iam_role_name = try(each.value.infrastructure_iam_role_name, null)
   infrastructure_iam_role_use_name_prefix = try(each.value.infrastructure_iam_role_use_name_prefix, true)

diff --git a/modules/service/main.tf b/modules/service/main.tf
@@ -225,7 +225,7 @@ resource "aws_ecs_service" "this" {
         for_each = try([volume_configuration.value.managed_ebs_volume], [])
 
         content {
-          role_arn         = try(aws_iam_role.infrastructure_iam_role[0].arn, var.infrastructure_iam_role_arn)
+          role_arn         = local.infrastructure_iam_role_arn
           encrypted        = try(managed_ebs_volume.value.encrypted, null)
           file_system_type = try(managed_ebs_volume.value.file_system_type, null)
           iops             = try(managed_ebs_volume.value.iops, null)
@@ -254,7 +254,8 @@ resource "aws_ecs_service" "this" {
 
   depends_on = [
     aws_iam_role_policy_attachment.service,
-    aws_iam_role_policy_attachment.infrastructure_iam_role_ebs_policy
+    aws_iam_role_policy_attachment.infrastructure_iam_role_ebs_policy,
+    aws_iam_role.infrastructure_iam_role,
   ]
 
   lifecycle {
@@ -1505,8 +1506,9 @@ resource "aws_security_group_rule" "this" {
 ############################################################################################
 
 locals {
-  needs_infrastructure_iam_role  = var.volume_configuration != null
+  needs_infrastructure_iam_role  = length(var.volume_configuration) > 0
   create_infrastructure_iam_role = var.create && var.create_infrastructure_iam_role && local.needs_infrastructure_iam_role
+  infrastructure_iam_role_arn    = local.needs_infrastructure_iam_role ? try(aws_iam_role.infrastructure_iam_role[0].arn, var.infrastructure_iam_role_arn) : null
   infrastructure_iam_role_name   = try(coalesce(var.infrastructure_iam_role_name, var.name), "")
 }