From 4626312630cbb324df804096f71a01d7bca562e2 Mon Sep 17 00:00:00 2001
From: Jazeel <48310743+jaezeu@users.noreply.github.com>
Date: Wed, 1 Nov 2023 11:00:44 +0800
Subject: [PATCH] Update example for ECS exec (#18)

Co-authored-by: Jazeel
---
 examples/fargate/data.tf | 27 +++++++++++++++++++++------
 examples/fargate/main.tf | 7 +++++--
 examples/fargate/output.tf | 4 ++++
 3 files changed, 30 insertions(+), 8 deletions(-)
 create mode 100644 examples/fargate/output.tf

diff --git a/examples/fargate/data.tf b/examples/fargate/data.tf
index 5ea1b09..47aa142 100644
--- a/examples/fargate/data.tf
+++ b/examples/fargate/data.tf
@@ -31,17 +31,32 @@ data "aws_iam_policy_document" "execution_custom_policy" {
   }
 }
-data "aws_iam_policy_document" "task_custom_policy" {
+data "aws_iam_policy_document" "task_ecs_exec_policy" {
   statement {
-    sid = "CustomTaskPolicy"
-    actions = [
-      "s3:Get*",
-      "s3:List*",
+      "kms:Decrypt",
     ]
     resources = [
-      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*",
+      module.fargate_cluster.ecs_cluster_kms_arn
+    ]
+  }
+  statement {
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+      "logs:DescribeLogGroups",
+      "logs:DescribeLogStreams",
+    ]
+    resources = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"]
+  }
+  statement {
+    actions = [
+      "ssmmessages:CreateControlChannel",
+      "ssmmessages:CreateDataChannel",
+      "ssmmessages:OpenControlChannel",
+      "ssmmessages:OpenDataChannel",
+    ]
+    resources = ["*"]
   }
 }
diff --git a/examples/fargate/main.tf b/examples/fargate/main.tf
index 392bee8..61f27fd 100644
--- a/examples/fargate/main.tf
+++ b/examples/fargate/main.tf
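Review bot: In the first statement of task_ecs_exec_policy the `actions = [` line is on the removed side only, so as the hunk reads the new block goes straight from `statement {` to `"kms:Decrypt",` and then `]`, which is not valid HCL; the fix is to keep the opener, `actions = [` / `"kms:Decrypt",` / `]`, unless the real patch carries that line as context and it was lost in the collapsed rendering. The ssmmessages statement on `"*"` is as the service requires, but the logs statement could be narrowed to the log group the exec configuration actually writes to rather than `log-group:*`, assuming the example names one; the hunk does not show it. The three statements have no `sid`, which makes the resulting policy harder to read in the console and in CloudTrail, so consider `sid = "EcsExecKmsDecrypt"` and similar on each.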
@@ -27,6 +27,9 @@ module "ecs_task_role" {
   role_name = "ecs-task-role-${var.name}"
   trusted_role_services = ["ecs-tasks.amazonaws.com"]
-  policy = data.aws_iam_policy_document.task_custom_policy.json
-  policy_name = "ecs-task-policy-${var.name}"
+  custom_role_policy_arns = [
+    "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess",
+  ]
+  policy = data.aws_iam_policy_document.task_ecs_exec_policy.json
+  policy_name = "ecs-task-policy-${var.name}"
 }
diff --git a/examples/fargate/output.tf b/examples/fargate/output.tf
new file mode 100644
index 0000000..53c7ad2
--- /dev/null
+++ b/examples/fargate/output.tf
@@ -0,0 +1,4 @@
+output "ecs_cluster_kms_arn" {
+  value = module.fargate_cluster.ecs_cluster_kms_arn
+  description = "The AWS Key Management Service key ID to encrypt the data between the local client and the container"
+}
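Review bot: The managed policy `AWSXRayDaemonWriteAccess` attached via `custom_role_policy_arns` is unrelated to the ECS Exec change the commit describes, and nothing in the hunk shows an X-Ray daemon container in the task, so as written the task role carries write access it may never use. Either drop it from this example or justify it in place with a comment such as `# Needed only if the task runs the X-Ray daemon sidecar; remove otherwise`. The module block begins before the hunk.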
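Review bot: The description of `ecs_cluster_kms_arn` says "key ID" while the output name and its value, `module.fargate_cluster.ecs_cluster_kms_arn`, are an ARN; a reader passing this to something that expects a key ID will be misled. Suggest `description = "ARN of the KMS key used to encrypt ECS Exec session data between the local client and the container"`.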