57 lines
1.5 KiB
HCL
57 lines
1.5 KiB
HCL
data "aws_iam_policy_document" "ecs-role-policy" {
|
|
statement {
|
|
actions = ["sts:AssumeRole"]
|
|
|
|
principals {
|
|
identifiers = ["ecs-tasks.amazonaws.com"]
|
|
type = "Service"
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "aws_iam_role" "ecs-execution" {
|
|
name = "${var.service_name}-${data.aws_region.current.name}-ExecutionRole-role"
|
|
assume_role_policy = data.aws_iam_policy_document.ecs-role-policy.json
|
|
}
|
|
|
|
resource "aws_iam_role_policy_attachment" "ecs-execution-managed" {
|
|
role = aws_iam_role.ecs-execution.id
|
|
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
|
|
}
|
|
|
|
data "aws_iam_policy_document" "task-policy" {
|
|
statement {
|
|
actions = ["cloudwatch:putMetricData"]
|
|
resources = ["*"]
|
|
}
|
|
|
|
dynamic "statement" {
|
|
for_each = var.task_policy_statements
|
|
content {
|
|
actions = statement.value["actions"]
|
|
resources = statement.value["resources"]
|
|
}
|
|
}
|
|
}
|
|
|
|
data "aws_iam_policy_document" "task-assume-role" {
|
|
statement {
|
|
actions = ["sts:AssumeRole"]
|
|
|
|
principals {
|
|
identifiers = ["ecs-tasks.amazonaws.com"]
|
|
type = "Service"
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "aws_iam_role" "task-execution" {
|
|
name = "${var.service_name}-${data.aws_region.current.name}-TaskRole-role"
|
|
assume_role_policy = data.aws_iam_policy_document.task-assume-role.json
|
|
}
|
|
|
|
resource "aws_iam_role_policy" "task-role" {
|
|
policy = data.aws_iam_policy_document.task-policy.json
|
|
role = aws_iam_role.task-execution.id
|
|
}
|