Add AWS resource, update Dockerfile.

2023-03-10 23:07:24 -06:00
parent 500c584918
commit c930e89148
5 changed files with 247 additions and 2 deletions
--- a/operations/terraform/iam.tf
+++ b/operations/terraform/iam.tf
@@ -0,0 +1,68 @@
+resource "aws_iam_role" "ecs_task" {
+  name  = "${var.app_name}-EcsTaskRole"
+
+  assume_role_policy = jsonencode({
+    Version   = "2012-10-17"
+    Statement = [
+      {
+        Action    = "sts:AssumeRole"
+        Effect    = "Allow"
+        Sid       = ""
+        Principal = {
+          Service = "ecs-tasks.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  inline_policy {
+    name    = "AllowSecretsAccessFor${var.app_name}Tasks"
+    policy  = jsonencode({
+      Version   = "2012-10-17"
+      Statement = [
+        {
+          Effect    = "Allow"
+          Action    = [
+            "secretsmanager:GetSecretValue",
+            "kms:Decrypt"
+          ]
+          Resource  = [
+            aws_secretsmanager_secret.toclerbe.arn
+          ]
+        }
+      ]
+    })
+  }
+
+  inline_policy {
+    name    = "AllowAccessToEcrFor${var.app_name}Tasks"
+    policy  = jsonencode({
+      Version   = "2012-10-17"
+      Statement = [
+        {
+          Effect    = "Allow"
+          Action    = [
+            "ecr:GetAuthorizationToken"
+          ]
+          Resource  = [ "*" ]
+        },
+        {
+          Effect    = "Allow"
+          Action    = [
+            "ecr:BatchGetImage",
+            "ecr:BatchCheckLayerAvailability",
+            "ecr:DescribeImages",
+            "ecr:GetDownloadUrlForLayer"
+          ]
+          Resource  = [
+            aws_ecr_repository.toclerbe.arn
+          ]
+        }
+      ]
+    })
+  }
+
+  tags = {
+    Name        = "${var.app_name}-EcsTaskRole"
+  }
+}