created custom role for ecs exec (able to read newly created secret)

PUGX · Dec 30, 2024 · d5f2add · d5f2add
1 parent 50b3134
commit d5f2add
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 7 deletions.
diff --git a/sys/terraform/cloudwatch.tf b/sys/terraform/cloudwatch.tf
@@ -8,7 +8,7 @@ resource "aws_cloudwatch_event_rule" "eventrulecontributorsupdate" {
   //   {
   //     Id = "phpfpm"
   //     Arn = aws_ecs_cluster.ecscluster.arn
-  //     RoleArn = var.exec_role_arn
+  //     RoleArn = aws_iam_role.ecs_task_role.arn
   //     Input = "{"containerOverrides":[{"name":"phpfpm","command":["./bin/console","app:contributors:update"]}]}"
   //     EcsParameters = {
   //       TaskDefinitionArn = aws_ecs_task_definition.ecstask.arn

diff --git a/sys/terraform/ecs.tf b/sys/terraform/ecs.tf
@@ -75,7 +75,7 @@ resource "aws_ecs_service" "ecsservice" {
 }
 
 resource "aws_ecs_task_definition" "ecstask" {
-  execution_role_arn = var.exec_role_arn
+  execution_role_arn = aws_iam_role.ecs_task_role.arn
   container_definitions = templatefile("ecs/task-definition.json", {
     account_id              = data.aws_caller_identity.current.account_id
     aws_region              = data.aws_region.current.name

diff --git a/sys/terraform/iam.tf b/sys/terraform/iam.tf
@@ -43,3 +43,42 @@ resource "aws_iam_user" "iamusergithubactions" {
 resource "aws_iam_access_key" "iamkey" {
   user = aws_iam_user.iamusergithubactions.name
 }
+
+resource "aws_iam_role" "ecs_task_role" {
+  name = "${var.service_name}-ecs-exec"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Sid    = ""
+        Principal = {
+          Service = "ecs-tasks.amazonaws.com"
+        }
+      },
+    ]
+  })
+}
+
+resource "aws_iam_role_policy" "read_secrets_policy" {
+  name = "read-secrets"
+  role = aws_iam_role.ecs_task_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+    {
+        Action   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
+        Effect   = "Allow"
+        Resource = aws_secretsmanager_secret.poser.arn
+    },
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_task_role" {
+  role       = aws_iam_role.ecs_task_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
diff --git a/sys/terraform/variables.tf b/sys/terraform/variables.tf
@@ -18,11 +18,6 @@ variable "environment" {
   type        = string
 }
 
-variable "exec_role_arn" {
-  description = "Specifies the ARN of the Execution Role for ECS."
-  type        = string
-}
-
 variable "exec_role_arn_autoscale" {
   description = "Specifies the ARN of the Execution Role for Autoscaling."
   type        = string