Update example for ECS exec (#18)

Co-authored-by: Jazeel <[email protected]>

examples/fargate/data.tf

@@ -31,17 +31,32 @@ data "aws_iam_policy_document" "execution_custom_policy" {
   }
 }
 
-data "aws_iam_policy_document" "task_custom_policy" {
+data "aws_iam_policy_document" "task_ecs_exec_policy" {
   statement {
-    sid = "CustomTaskPolicy"
-
     actions = [
-      "s3:Get*",
-      "s3:List*",
+      "kms:Decrypt",
     ]
 
     resources = [
-      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*",
+      module.fargate_cluster.ecs_cluster_kms_arn
+    ]
+  }
+  statement {
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+      "logs:DescribeLogGroups",
+      "logs:DescribeLogStreams",
+    ]
+    resources = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"]
+  }
+  statement {
+    actions = [
+      "ssmmessages:CreateControlChannel",
+      "ssmmessages:CreateDataChannel",
+      "ssmmessages:OpenControlChannel",
+      "ssmmessages:OpenDataChannel",
     ]
+    resources = ["*"]
   }
 }

examples/fargate/main.tf

@@ -27,6 +27,9 @@ module "ecs_task_role" {
 
   role_name             = "ecs-task-role-${var.name}"
   trusted_role_services = ["ecs-tasks.amazonaws.com"]
-  policy                = data.aws_iam_policy_document.task_custom_policy.json
-  policy_name           = "ecs-task-policy-${var.name}"
+  custom_role_policy_arns = [
+    "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess",
+  ]
+  policy      = data.aws_iam_policy_document.task_ecs_exec_policy.json
+  policy_name = "ecs-task-policy-${var.name}"
 }

examples/fargate/output.tf

@@ -0,0 +1,4 @@
+output "ecs_cluster_kms_arn" {
+  value       = module.fargate_cluster.ecs_cluster_kms_arn
+  description = "The AWS Key Management Service key ID to encrypt the data between the local client and the container"
+}