hff-entry-forms/operations/terraform/deployed_env/iam.tf

resource "aws_iam_role" "ecs_task" {
  name  = "${local.environment_name}-EcsTaskRole"

  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [
      {
        Action    = "sts:AssumeRole"
        Effect    = "Allow"
        Sid       = ""
        Principal = {
          Service = "ecs-tasks.amazonaws.com"
        }
      }
    ]
  })

  inline_policy {
    name    = "AllowSecretsAccessForHffEntryFormsApiTasks"
    policy  = jsonencode({
      Version   = "2012-10-17"
      Statement = [
        {
          Effect    = "Allow"
          Action    = [
            "secretsmanager:GetSecretValue",
            "kms:Decrypt"
          ]
          Resource  = [
            aws_secretsmanager_secret.hff_entry_forms_api.arn
          ]
        }
      ]
    })
  }

  inline_policy {
    name    = "AllowAccessToEcrForHffEntryFormsApiTasks"
    policy  = jsonencode({
      Version   = "2012-10-17"
      Statement = [
        {
          Effect    = "Allow"
          Action    = [
            "ecr:GetAuthorizationToken"
          ]
          Resource  = [ "*" ]
        },
        {
          Effect    = "Allow"
          Action    = [
            "ecr:BatchGetImage",
            "ecr:BatchCheckLayerAvailability",
            "ecr:DescribeImages",
            "ecr:GetDownloadUrlForLayer"
          ]
          Resource  = [
            var.ecr_repo.arn
          ]
        }
      ]
    })
  }

  tags = {
    Name        = "HffEntryForms-EcsTaskRole"
    Environment = local.environment_name
  }
}
operations: terraform to standup prod infrastructure. 2021-10-24 22:23:39 +00:00			`resource "aws_iam_role" "ecs_task" {`
			`name = "${local.environment_name}-EcsTaskRole"`

			`assume_role_policy = jsonencode({`
			`Version = "2012-10-17"`
			`Statement = [`
			`{`
			`Action = "sts:AssumeRole"`
			`Effect = "Allow"`
			`Sid = ""`
			`Principal = {`
			`Service = "ecs-tasks.amazonaws.com"`
			`}`
			`}`
			`]`
			`})`

			`inline_policy {`
			`name = "AllowSecretsAccessForHffEntryFormsApiTasks"`
			`policy = jsonencode({`
			`Version = "2012-10-17"`
			`Statement = [`
			`{`
			`Effect = "Allow"`
			`Action = [`
			`"secretsmanager:GetSecretValue",`
			`"kms:Decrypt"`
			`]`
			`Resource = [`
			`aws_secretsmanager_secret.hff_entry_forms_api.arn`
			`]`
			`}`
			`]`
			`})`
			`}`

			`inline_policy {`
			`name = "AllowAccessToEcrForHffEntryFormsApiTasks"`
			`policy = jsonencode({`
			`Version = "2012-10-17"`
			`Statement = [`
			`{`
			`Effect = "Allow"`
			`Action = [`
			`"ecr:GetAuthorizationToken"`
			`]`
			`Resource = [ "*" ]`
			`},`
			`{`
			`Effect = "Allow"`
			`Action = [`
			`"ecr:BatchGetImage",`
			`"ecr:BatchCheckLayerAvailability",`
			`"ecr:DescribeImages",`
			`"ecr:GetDownloadUrlForLayer"`
			`]`
			`Resource = [`
			`var.ecr_repo.arn`
			`]`
			`}`
			`]`
			`})`
			`}`

			`tags = {`
			`Name = "HffEntryForms-EcsTaskRole"`
			`Environment = local.environment_name`
			`}`
			`}`