operations: Complete migration to AWS ECS.

operations/terraform/deployed_env/iam.tf

@@ -0,0 +1,70 @@
+resource "aws_iam_role" "ecs_task" {
+  name  = "${local.environment_name}-EcsTaskRole"
+
+  assume_role_policy = jsonencode({
+    Version   = "2012-10-17"
+    Statement = [
+      {
+        Action    = "sts:AssumeRole"
+        Effect    = "Allow"
+        Sid       = ""
+        Principal = {
+          Service = "ecs-tasks.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  inline_policy {
+    name    = "AllowSecretsAccessForPmApiTasks"
+    policy  = jsonencode({
+      Version   = "2012-10-17"
+      Statement = [
+        {
+          Effect    = "Allow"
+          Action    = [
+            "secretsmanager:GetSecretValue",
+            "kms:Decrypt"
+          ]
+          Resource  = [
+            aws_secretsmanager_secret.pmapi_auth.arn,
+            aws_secretsmanager_secret.pmapi_db_conn_string.arn
+          ]
+        }
+      ]
+    })
+  }
+
+  inline_policy {
+    name    = "AllowAccessToEcrForPmApiTasks"
+    policy  = jsonencode({
+      Version   = "2012-10-17"
+      Statement = [
+        {
+          Effect    = "Allow"
+          Action    = [
+            "ecr:GetAuthorizationToken"
+          ]
+          Resource  = [ "*" ]
+        },
+        {
+          Effect    = "Allow"
+          Action    = [
+            "ecr:BatchGetImage",
+            "ecr:BatchCheckLayerAvailability",
+            "ecr:DescribeImages",
+            "ecr:GetDownloadUrlForLayer"
+          ]
+          Resource  = [
+            var.ecr_repo.arn
+          ]
+        }
+      ]
+    })
+  }
+
+  tags = {
+    Name        = "PersonalMeasure-EcsTaskRole"
+    Environment = local.environment_name
+  }
+}