- Added more roles to ecs web task definition

- Renamed web task definition

infrastructure/cloud/environments/sandbox/webapp.tf

@@ -22,12 +22,12 @@ module "networking" {
 }
 
 module "container" {
-  source                          = "../../modules/container"
-  environment                     = var.environment
-  app_name                        = var.app_name
-  ecs_task_execution_iam_role_arn = module.security.ecs_task_execution_iam_role_arn
-  subnet_id                       = module.networking.subnet_id
-  ecs_sg_id                       = module.networking.ecs_sg_id
-  lb_listener                     = module.networking.lb_listener
-  lb_tg_arn                       = module.networking.lb_tg_arn
+  source                              = "../../modules/container"
+  environment                         = var.environment
+  app_name                            = var.app_name
+  ecs_web_task_execution_iam_role_arn = module.security.ecs_web_task_execution_iam_role_arn
+  subnet_id                           = module.networking.subnet_id
+  ecs_sg_id                           = module.networking.ecs_sg_id
+  lb_listener                         = module.networking.lb_listener
+  lb_tg_arn                           = module.networking.lb_tg_arn
 }

infrastructure/cloud/modules/container/ecr.tf

@@ -1,5 +1,5 @@
 resource "aws_ecr_repository" "ecr_repository" {
-  name                 = "${var.app_name}-repo-${var.environment}"
+  name                 = "${var.app_name}-ecr-repo-${var.environment}"
   image_tag_mutability = "MUTABLE"
   force_delete         = true
 

infrastructure/cloud/modules/container/ecs.tf

@@ -28,8 +28,8 @@ resource "aws_ecs_task_definition" "ecs_web_task_definition" {
     }
   ])
 
-  execution_role_arn = var.ecs_task_execution_iam_role_arn
-  task_role_arn      = var.ecs_task_execution_iam_role_arn
+  execution_role_arn = var.ecs_web_task_execution_iam_role_arn
+  task_role_arn      = var.ecs_web_task_execution_iam_role_arn
 }
 
 resource "aws_ecs_service" "ecs_web_service" {

infrastructure/cloud/modules/container/variables.tf

@@ -8,8 +8,8 @@ variable "app_name" {
   type        = string
 }
 
-variable "ecs_task_execution_iam_role_arn" {
-  description = "ECS Task Execution IAM Role ARN"
+variable "ecs_web_task_execution_iam_role_arn" {
+  description = "ECS Task Execution IAM Role ARN for Web app"
 }
 
 variable "subnet_id" {

infrastructure/cloud/modules/security/iam.tf

@@ -1,5 +1,5 @@
-resource "aws_iam_role" "ecs_task_execution_role" {
-  name = "${var.app_name}-ecs-task-execution-role-${var.environment}"
+resource "aws_iam_role" "ecs_web_task_execution_role" {
+  name = "${var.app_name}-ecs-web-task-execution-role-${var.environment}"
 
   assume_role_policy = jsonencode({
     Version = "2012-10-17"
@@ -9,13 +9,19 @@ resource "aws_iam_role" "ecs_task_execution_role" {
         Principal = {
           Service = "ecs-tasks.amazonaws.com"
         }
-        Action = "sts:AssumeRole"
+        Action = [
+          "sts:AssumeRole",
+          "ecr:BatchGetImage",
+          "ecr:GetDownloadUrlForLayer",
+          "ecr:GetAuthorizationToken"
+        ]
       }
     ]
   })
 }
 
-resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy" {
-  role       = aws_iam_role.ecs_task_execution_role.name
+resource "aws_iam_role_policy_attachment" "ecs_web_task_execution_role_policy" {
+  role       = aws_iam_role.ecs_web_task_execution_role.name
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
+

infrastructure/cloud/modules/security/outputs.tf

@@ -3,6 +3,6 @@ output "kms_key_alias" {
   value = aws_kms_alias.kms_alias.name
 }
 
-output "ecs_task_execution_iam_role_arn" {
-  value = aws_iam_role.ecs_task_execution_role.arn
+output "ecs_web_task_execution_iam_role_arn" {
+  value = aws_iam_role.ecs_web_task_execution_role.arn
 }