Enable awsvpcTrunking for container instance role #37

Open
jack-michaud opened this issue Aug 9, 2022 · 3 comments

@jack-michaud

jack-michaud commented Aug 9, 2022

As of version 3.68.0, the Terraform AWS provider supports specifying account settings flags. (Docs)

Is it possible to set the awsvpcTrunking flag for the container instance role through this module? With an option like that, it would save me from SSHing into my container instance and manually setting this account flag.

@jonassvalin
Contributor

Hi @jack-michaud
If I understand it correctly, this functionality is related to updating the settings for your entire account, not a particular cluster. As this module is specifically related to managing a single cluster, it does not feel like the correct place to manage such a setting.

When we implement the infrastructure setup for a greenfield project ourselves, we will typically have a repository called "application-account" or such, which represents various base configuration that should apply to an AWS account. Such a repository would seem like an appropriate place to leverage this resource.

Best regards
Jonas

@jack-michaud
Author

Hi @jonassvalin, thanks for taking the time to respond!

Yes, account settings should not be set by an ECS cluster module. However, my initial statement was misleading -- I am proposing that this module enables awsvpcTrunking for the container instance role.

From the AWS docs,

> Your account or container instance IAM role must opt-in to the awsvpcTrunking account setting. This can be done in the following ways:
> ...
> A container instance role can opt itself in when the PutAccountSetting API is run on an instance prior to it being registered with a cluster

Since this module creates an instance role for a cluster, I think it's within this module's responsibility to set that flag for the role.

@jonassvalin
Contributor

@jack-michaud I see. Do you know if there's a corresponding Terraform resource for configuring this on an individual IAM role level? I did some googling but didn't immediately find anything. If you know of one then feel free to suggest or open a PR.
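
One way to wire up the per-role opt-in quoted from the AWS docs in this thread, as an added Terraform example that is not part of the thread or of this module's code: the instance role gets permission to call PutAccountSetting and the instance calls it from user data before joining the cluster. All variable and resource names are hypothetical; it assumes the AWS CLI is installed on the AMI and that user data completes before the ECS agent registers the instance.

```hcl
# Added example; every name and variable here is hypothetical, not the module's own.
variable "cluster_name" { type = string }
variable "instance_role_name" { type = string }    # role the module creates
variable "instance_profile_name" { type = string } # profile wrapping that role
variable "ami_id" { type = string }                # ECS-optimized AMI (placeholder)
variable "instance_type" { type = string }         # must be a trunking-capable type

data "aws_region" "current" {}

# PutAccountSetting called without a principal ARN changes the setting only for
# the caller, so this grant lets the instance role change its own settings.
# The account-wide default is a separate action (ecs:PutAccountSettingDefault)
# and is deliberately not granted. The action has no resource-level scoping,
# hence "*".
data "aws_iam_policy_document" "trunking_opt_in" {
  statement {
    actions   = ["ecs:PutAccountSetting"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "trunking_opt_in" {
  name   = "ecs-awsvpc-trunking-opt-in"
  role   = var.instance_role_name
  policy = data.aws_iam_policy_document.trunking_opt_in.json
}

resource "aws_launch_template" "container_instance" {
  name_prefix   = "${var.cluster_name}-"
  image_id      = var.ami_id
  instance_type = var.instance_type

  iam_instance_profile {
    name = var.instance_profile_name
  }

  # Assumes the AWS CLI is on the AMI and that this script finishes before the
  # ECS agent starts; the opt-in must precede registration with the cluster.
  user_data = base64encode(<<-EOT
    #!/bin/bash
    set -euo pipefail
    aws ecs put-account-setting --name awsvpcTrunking --value enabled --region ${data.aws_region.current.name}
    echo "ECS_CLUSTER=${var.cluster_name}" >> /etc/ecs/ecs.config
  EOT
  )
}
```

The account-wide alternative discussed earlier in the thread is the provider's `aws_ecs_account_setting_default` resource, which changes the default for every principal in the account rather than for this one role.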
