Update example for ECS exec

SPHTech-Platform · Oct 31, 2023 · b9f96a8 · b9f96a8
1 parent 75be249
commit b9f96a8
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 7 deletions.
diff --git a/examples/fargate/data.tf b/examples/fargate/data.tf
@@ -31,17 +31,24 @@ data "aws_iam_policy_document" "execution_custom_policy" {
   }
 }
 
-data "aws_iam_policy_document" "task_custom_policy" {
+data "aws_iam_policy_document" "task_ecs_exec_policy" {
   statement {
-    sid = "CustomTaskPolicy"
-
     actions = [
-      "s3:Get*",
-      "s3:List*",
+      "kms:Decrypt",
+      "kms:GenerateDataKey",
     ]
 
     resources = [
-      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*",
+      module.ecs_cluster.ecs_cluster_kms_arn
+    ]
+  }
+  statement {
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+      "logs:DescribeLogGroups",
+      "logs:DescribeLogStreams",
     ]
+    resources = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"]
   }
 }
diff --git a/examples/fargate/main.tf b/examples/fargate/main.tf
@@ -27,6 +27,10 @@ module "ecs_task_role" {
 
   role_name             = "ecs-task-role-${var.name}"
   trusted_role_services = ["ecs-tasks.amazonaws.com"]
-  policy                = data.aws_iam_policy_document.task_custom_policy.json
+  custom_role_policy_arns = [
+    "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess",
+    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  ]
+  policy                = data.aws_iam_policy_document.task_ecs_exec_policy.json
   policy_name           = "ecs-task-policy-${var.name}"
 }
diff --git a/examples/fargate/output.tf b/examples/fargate/output.tf
@@ -0,0 +1,4 @@
+output "ecs_cluster_kms_arn" {
+  value       = module.fargate_cluster.ecs_cluster_kms_arn
+  description = "The AWS Key Management Service key ID to encrypt the data between the local client and the container"
+}