From 018f09a1677dc6852413c2e28bf4609adad858d0 Mon Sep 17 00:00:00 2001
From: Steven Sklar
Date: Fri, 27 Aug 2021 10:47:20 -0400
Subject: [PATCH] IAM Fixes (#2)

Fixes IAM permissions related to var.task_role_arn
---
 main.tf | 4 ++--
 variables.tf | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/main.tf b/main.tf
index 28caf50..1ee4877 100644
--- a/main.tf
+++ b/main.tf
@@ -224,9 +224,9 @@ data "aws_iam_policy_document" "cloudwatch" {
 statement {
 effect = "Allow"
 actions = ["iam:PassRole"]
- resources = [
+ resources = concat([
 aws_iam_role.task_execution_role.arn
- ]
+ ], var.task_role_arn != null ? [var.task_role_arn] : [])
 }
 }

diff --git a/variables.tf b/variables.tf
index 4814113..1e093ab 100644
--- a/variables.tf
+++ b/variables.tf
@@ -46,5 +46,5 @@ variable "extra_container_defs" {
 variable "task_role_arn" {
 default = null
- description = "IAM role ARN for your task if it needs to access any AWS resources"
+ description = "IAM role ARN for your task if it needs to access any AWS resources. IMPORTANT: This must have an AssumeRolePolicy that includes the 'ecs-tasks.amazonaws.com' provider!!"
 }
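Review bot: The widened `iam:PassRole` statement in the new `resources` list has no condition on which service the roles may be passed to, so any principal holding this policy can pass both the execution role and the task role to any service whose trust policy accepts them, not just ECS. The variable description changed in this same commit already requires the task role to trust `ecs-tasks.amazonaws.com`, so the statement could pin that with an `iam:PassedToService` condition and keep the grant scoped to ECS task registration. The enclosing `data "aws_iam_policy_document" "cloudwatch"` block begins before the hunk; its name suggests the document may be shared with other permissions, which is worth confirming since the PassRole grant travels with it wherever it is attached.
```hcl
    # … unchanged: effect, actions, resources …
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["ecs-tasks.amazonaws.com"]
    }
```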
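Review bot: `variable "task_role_arn"` still declares no `type`, so with `default = null` Terraform infers `any`, and a list or map passed by mistake would only surface inside the `concat` in main.tf rather than at the variable boundary; add `type = string` beside `default = null`. The new description also states a trust-policy requirement that Terraform cannot check from this module, so a `validation` block that at least rejects values not shaped like an IAM role ARN (starting with `arn:` and containing `:role/`) would turn part of that "IMPORTANT" note into a plan-time check instead of a runtime failure when ECS tries to assume the role.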