Support setting the path attribute of the service task execution IAM policy #199

@yngvark

Is your request related to a new offering from AWS?

It's not a new offering - path has been available for the aws_iam_policy since 2015.

Is your request related to a problem? Please describe.

Yes.

The parameters task_exec_iam_role_path and tasks_iam_role_path allow me to set the path attribute for the IAM roles created by the service module. However, when I set task_exec_iam_role_path, I get an IAM policy without the path set. This is currently not supported, as the iam policy for the service doesn't take any input for setting its path. Code.

I would like to set the path attribute for the task execution IAM policy, because it enables me to set flexible IAM constraints.

Motivation:

I am trying to define an IAM role with permission to the action iam:GetPolicy for the ECS task execution IAM policy created by the service module.

I want my role to allow iam:GetPolicy for resources under the path

"arn:aws:iam::${var.account_id}:policy/some-path/ecs-task-exec*"

This is not possible. Instead, I can only constrain the permission to

arn:aws:iam::${var.account_id}:policy/ecs-task-exec*

Describe the solution you'd like.

I want a parameter that allows me to set the path attribute of the resource aws_iam_policy.task_exec, defined here.

Not sure what would be a good name. task_exec_iam_policy_path perhaps?

Describe alternatives you've considered.

Instead of using the task_exec_iam_role_path, I can include a prefix in the task_exec_iam_role_name variable, for instance

task_exec_iam_role_name = "some-path-subname"

But there is a maximum length for IAM role names (and policy names I assume), which is why I want to use a path instead.

Additional context
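As an added illustration of the constraint the issue describes (example configuration, not code from the issue author or from the terraform-aws-ecs module), the following Terraform shows a task execution policy created with a path and a separate read-only statement that is scoped to policies under that path. The names `task_exec`, `policy_reader` and the path `/some-path/` are assumptions for the example.

```hcl
# Added example, not code from the issue or from the terraform-aws-ecs module.
# The path becomes part of the policy ARN, so a reader role can be limited
# to policies under that path only.

data "aws_caller_identity" "current" {}

# Task execution policy created with an explicit path.
# IAM requires the path to begin and end with "/".
resource "aws_iam_policy" "task_exec" {
  name_prefix = "ecs-task-exec-"
  path        = "/some-path/"
  description = "ECS task execution policy (example)"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      # ecr:GetAuthorizationToken does not support resource-level scoping.
      Effect   = "Allow"
      Action   = ["ecr:GetAuthorizationToken"]
      Resource = "*"
    }]
  })
}
# Resulting ARN: arn:aws:iam::<account>:policy/some-path/ecs-task-exec-<suffix>

# Read-only statement limited to policies under /some-path/.
# A policy created without a path (arn:...:policy/ecs-task-exec-...) does not
# match this pattern, which is exactly the separation the issue asks for.
data "aws_iam_policy_document" "policy_reader" {
  statement {
    effect  = "Allow"
    actions = ["iam:GetPolicy", "iam:GetPolicyVersion"]
    resources = [
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/some-path/ecs-task-exec*"
    ]
  }
}

resource "aws_iam_policy" "policy_reader" {
  name_prefix = "ecs-policy-reader-"
  path        = "/some-path/"
  policy      = data.aws_iam_policy_document.policy_reader.json
}
```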
