fix(terraform): update IAM configuration for ECS deployment (#2675)

jef · Aug 10, 2021 · 9c346e7 · 9c346e7
1 parent 61af2a4
commit 9c346e7
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 4 deletions.
diff --git a/terraform/README.md b/terraform/README.md
@@ -16,7 +16,7 @@ There's an example tfvars file to start you off; rename this with your own prefe
 
 Authenticate yourself with your own AWS account as with any aws commandline tool.
 
-If you wish, add a specific section to your aws credentials file and set that profile name in `terraform.tfvars`.
+If you wish, add a specific section to your aws credentials file and set that profile name in `terraform.tfvars`. More information on how to configure the AWS credentials file can be found in <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html">here</a>.
 
 Then you can:
 

diff --git a/terraform/resource-ecs.tf b/terraform/resource-ecs.tf
@@ -16,8 +16,28 @@ resource "aws_ecs_service" "main" {
   launch_type = "FARGATE"
 }
 
-data "aws_iam_role" "ecs_task_execution_role" {
-  name = "ecsTaskExecutionRole"
+data "aws_iam_policy_document" "ecs_task_execution_role" {
+  version = "2012-10-17"
+  statement {
+    sid     = ""
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "ecs_task_execution_role" {
+  name               = var.ecs_task_execution_role_name
+  assume_role_policy = data.aws_iam_policy_document.ecs_task_execution_role.json
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_task_execution_role" {
+  role       = aws_iam_role.ecs_task_execution_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
 
 locals {
@@ -38,5 +58,5 @@ resource "aws_ecs_task_definition" "main" {
   network_mode = "awsvpc"
   cpu = var.cpu
   memory = var.memory
-  execution_role_arn = data.aws_iam_role.ecs_task_execution_role.arn
+  execution_role_arn = aws_iam_role.ecs_task_execution_role.arn
 }
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -38,3 +38,8 @@ variable "streetmerchant_env" {
   description = "name/value pairs for .env values"
   default = {}
 }
+
+variable "ecs_task_execution_role_name" {
+  description = "ECS task execution role name"
+  default = "myEcsTaskExecutionRole"
+}