-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathfargate-execution-role.tf
56 lines (55 loc) · 1.76 KB
/
fargate-execution-role.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
data "aws_iam_policy_document" "ecs_execution_principal" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ecs-tasks.amazonaws.com"]
}
}
}
locals {
extracted_container_secrets = flatten([for c in local.container_definitions : try(c.secrets, [])])
}
data "aws_iam_policy_document" "ecs_execution" {
statement {
sid = "ServiceDefaults"
effect = "Allow"
actions = [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
resources = ["*"]
}
# If secrets have been provided with the container defs, then an extra statement block will be created
# that will allow the exec to pull those secrets and inject them into the container runtime.
dynamic "statement" {
for_each = length(local.extracted_container_secrets) > 0 ? ["enabled"] : []
content {
sid = "ServiceSecrets"
effect = "Allow"
actions = [
"ssm:GetParameter",
"ssm:GetParameters",
"secretsmanager:GetSecretValue",
]
resources = local.extracted_container_secrets.*.valueFrom
}
}
}
resource "aws_iam_role" "ecs_execution" {
name = "${var.family}-exec-basic"
assume_role_policy = data.aws_iam_policy_document.ecs_execution_principal.json
tags = merge(var.tags, var.tags_iam_role)
path = var.iam_role_path
permissions_boundary = var.iam_role_permissions_boundary
}
resource "aws_iam_role_policy" "ecs_execution" {
name = "${var.family}-exec-basic"
role = aws_iam_role.ecs_execution.id
policy = data.aws_iam_policy_document.ecs_execution.json
}