Update EFS & ECS components to allow using EFS in ECS

[Benbentwo]

what

• ECS
  • Fix Logging Name (all containers use their own name, not the component name)
  • Expose task_exec_policy_arns_map to allow mapping a policy onto the task role
• EFS
  • Update module
  • expose additional_security_group_rules to allow a block to define extra security groups

    - key: "fargate_efs"
      type: "ingress"
      from_port: 2049
      to_port: 2049
      protocol: "tcp"
      description: "Allow Fargate EFS Volume mounts ingress"
      cidr_blocks: ["0.0.0.0/0"]

why

ECS can use

...
        task:
          efs_component_volumes:
            - name: "acme-my-service-efs-mount"
              host_path: null
              efs_volume_configuration:
                - component: efs/my-service
                  root_directory: "/"
                  transit_encryption: "ENABLED"
                  transit_encryption_port: 2999
                  authorization_config: []
        task_exec_policy_arns_map:
          efs: arn:aws:iam::01234567890:policy/acme-plat-use2-dev-my-service

to lookup an efs Volume, and add a policy onto the task which allows EFS permissions required see bottom of step 5

Your EFS can have the allowed required ports for Fargate tasks

    efs/my-service:
      metadata:
        component: efs
      vars:
        enabled: true
        name: my-service
        hostname_template: "my-service.%[3]v"
        additional_security_group_rules:
        - key: "fargate_efs"
          type: "ingress"
          from_port: 2049
          to_port: 2049
          protocol: "tcp"
          description: "Allow Fargate EFS Volume mounts ingress"
          cidr_blocks: ["0.0.0.0/0"]

references

• https://repost.aws/knowledge-center/ecs-fargate-mount-efs-containers-tasks
• https://docs.aws.amazon.com/AmazonECS/latest/developerguide/tutorial-efs-volumes.html
• https://aws.amazon.com/blogs/compute/using-amazon-efs-to-persist-data-from-amazon-ecs-containers/