deployments/.modules/service/policy.tf


# Trust policy for the ECS *execution* role: only the ECS Tasks service
# principal may call sts:AssumeRole on it.
# NOTE(review): the statement has no aws:SourceAccount / aws:SourceArn
# condition, which AWS recommends on service-principal trust policies to
# limit confused-deputy use; confirm whether that is wanted for this module.
data "aws_iam_policy_document" "ecs-role-policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}
# ECS task *execution* role (used by the ECS agent, e.g. to pull images and
# write logs), region-qualified so the same service can exist in several
# regions without a name clash.
resource "aws_iam_role" "ecs-execution" {
  assume_role_policy = data.aws_iam_policy_document.ecs-role-policy.json
  name               = format("%s-%s-ExecutionRole-role", var.service_name, data.aws_region.current.name)
}
# Attach the AWS-managed execution policy to the execution role.
# For aws_iam_role the exported `name` is the same value as `id`, so either
# works here; `name` makes the intent explicit.
resource "aws_iam_role_policy_attachment" "ecs-execution-managed" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
  role       = aws_iam_role.ecs-execution.name
}
# Permissions granted to the running task (the *task* role, not the
# execution role).
data "aws_iam_policy_document" "task-policy" {
  # Baseline: every task may publish custom CloudWatch metrics.
  # NOTE(review): `resources = ["*"]` is broad; if the service publishes under a
  # known namespace, a `condition` on the `cloudwatch:namespace` key would
  # narrow this without changing the action — confirm the namespace with the
  # service owner before adding it.
  statement {
    actions = ["cloudwatch:putMetricData"]
    resources = ["*"]
  }
  # One extra statement per entry of var.task_policy_statements, passed through
  # as-is. Only `actions` and `resources` are read; no `effect` (defaults to
  # Allow), `sid` or `condition` can be supplied, and nothing here rejects
  # wildcard actions or resources, so scoping is entirely the caller's
  # responsibility. NOTE(review): consider validating the variable or exposing
  # `condition` so callers can scope their grants.
  dynamic "statement" {
    for_each = var.task_policy_statements
    content {
      actions = statement.value["actions"]
      resources = statement.value["resources"]
    }
  }
}
# Trust policy for the ECS *task* role: identical in content to
# data.aws_iam_policy_document.ecs-role-policy above, kept separate so the
# two roles can diverge (e.g. a tighter condition on one of them) later.
# NOTE(review): as with the execution role, there is no
# aws:SourceAccount / aws:SourceArn condition; confirm whether one is wanted.
data "aws_iam_policy_document" "task-assume-role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}
# ECS *task* role — despite the resource label "task-execution" this is the
# role the application code runs as (its name ends in "TaskRole-role"), not
# the execution role defined as aws_iam_role.ecs-execution above.
# The label is referenced elsewhere, so it is left as-is.
resource "aws_iam_role" "task-execution" {
  assume_role_policy = data.aws_iam_policy_document.task-assume-role.json
  name               = format("%s-%s-TaskRole-role", var.service_name, data.aws_region.current.name)
}
# Inline policy binding data.aws_iam_policy_document.task-policy to the task
# role. No `name` is set, so Terraform generates one.
resource "aws_iam_role_policy" "task-role" {
  role   = aws_iam_role.task-execution.name
  policy = data.aws_iam_policy_document.task-policy.json
}