From b9f96a815da138d7058068c79e3dafad9ac6c407 Mon Sep 17 00:00:00 2001 From: Jazeel Date: Tue, 31 Oct 2023 10:57:40 +0800 Subject: [PATCH 1/5] Update example for ECS exec --- examples/fargate/data.tf | 19 +++++++++++++------ examples/fargate/main.tf | 6 +++++- examples/fargate/output.tf | 4 ++++ 3 files changed, 22 insertions(+), 7 deletions(-) create mode 100644 examples/fargate/output.tf diff --git a/examples/fargate/data.tf b/examples/fargate/data.tf index 5ea1b09..ebe4399 100644 --- a/examples/fargate/data.tf +++ b/examples/fargate/data.tf @@ -31,17 +31,24 @@ data "aws_iam_policy_document" "execution_custom_policy" { } } -data "aws_iam_policy_document" "task_custom_policy" { +data "aws_iam_policy_document" "task_ecs_exec_policy" { statement { - sid = "CustomTaskPolicy" - actions = [ - "s3:Get*", - "s3:List*", + "kms:Decrypt", + "kms:GenerateDataKey", ] resources = [ - "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*", + module.ecs_cluster.ecs_cluster_kms_arn + ] + } + statement { + actions = [ + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:DescribeLogGroups", + "logs:DescribeLogStreams", ] + resources = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"] } } diff --git a/examples/fargate/main.tf b/examples/fargate/main.tf index 392bee8..95ae950 100644 --- a/examples/fargate/main.tf +++ b/examples/fargate/main.tf @@ -27,6 +27,10 @@ module "ecs_task_role" { role_name = "ecs-task-role-${var.name}" trusted_role_services = ["ecs-tasks.amazonaws.com"] - policy = data.aws_iam_policy_document.task_custom_policy.json + custom_role_policy_arns = [ + "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess", + "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" + ] + policy = data.aws_iam_policy_document.task_ecs_exec_policy.json policy_name = "ecs-task-policy-${var.name}" } diff --git a/examples/fargate/output.tf b/examples/fargate/output.tf new file mode 100644 index 0000000..53c7ad2 
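Review bot: The CloudWatch Logs statement in the new `task_ecs_exec_policy` grants `logs:CreateLogStream` and `logs:PutLogEvents` on `log-group:*`, which is write access to every log group in the account and region, while ECS Exec session logging only needs those actions on the single log group configured in the cluster's execute-command configuration. I would keep `logs:DescribeLogGroups` on the wildcard, as the ECS Exec documentation shows, and point the other three actions at that one group, e.g. `resources = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:<exec-log-group-name>:*"]`, taking the group name from the cluster module output if it exposes one. The hunk also introduces a reference to `data.aws_region.current`; it is not declared anywhere visible here (the surrounding statement only used `aws_caller_identity`), so confirm that data source exists in this example or the plan will fail. A short comment above the first statement, such as `# Permissions required by ECS Exec: decrypt the session key and write session logs`, would tell readers why a task role needs KMS and Logs access at all.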
--- /dev/null +++ b/examples/fargate/output.tf @@ -0,0 +1,4 @@ +output "ecs_cluster_kms_arn" { + value = module.fargate_cluster.ecs_cluster_kms_arn + description = "The AWS Key Management Service key ID to encrypt the data between the local client and the container" +} From 16b2ea02e165f0aa86f4d9aa134a9a8bb9acd826 Mon Sep 17 00:00:00 2001 From: Jazeel Date: Tue, 31 Oct 2023 10:58:39 +0800 Subject: [PATCH 2/5] fmt --- examples/fargate/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/fargate/main.tf b/examples/fargate/main.tf index 95ae950..eb97de5 100644 --- a/examples/fargate/main.tf +++ b/examples/fargate/main.tf @@ -31,6 +31,6 @@ module "ecs_task_role" { "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess", "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" ] - policy = data.aws_iam_policy_document.task_ecs_exec_policy.json - policy_name = "ecs-task-policy-${var.name}" + policy = data.aws_iam_policy_document.task_ecs_exec_policy.json + policy_name = "ecs-task-policy-${var.name}" } From 3a27ed4e9247d59ff6fc2636d9b0fa4b483a2868 Mon Sep 17 00:00:00 2001 From: Jazeel Date: Tue, 31 Oct 2023 11:03:06 +0800 Subject: [PATCH 3/5] update typo --- examples/fargate/data.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/fargate/data.tf b/examples/fargate/data.tf index ebe4399..0ba0f94 100644 --- a/examples/fargate/data.tf +++ b/examples/fargate/data.tf @@ -39,7 +39,7 @@ data "aws_iam_policy_document" "task_ecs_exec_policy" { ] resources = [ - module.ecs_cluster.ecs_cluster_kms_arn + module.fargate_cluster.ecs_cluster_kms_arn ] } statement { From c6e92f9e8697b0169c207888a528ea55cb04c987 Mon Sep 17 00:00:00 2001 From: Jazeel Date: Wed, 1 Nov 2023 10:47:12 +0800 Subject: [PATCH 4/5] update task policy --- examples/fargate/data.tf | 10 +++++++++- examples/fargate/main.tf | 1 - 2 files changed, 9 insertions(+), 2 deletions(-) 
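Review bot: The description of the new `ecs_cluster_kms_arn` output says "key ID", but the output name indicates the value is the key's ARN; these are distinct identifiers in KMS and a consumer feeding this into a `kms_key_id` argument would be misled. I would write `description = "ARN of the KMS key used to encrypt ECS Exec session data between the local client and the container"`. It is also worth noting in that description that the key is presumably created and owned by the cluster module, so consumers should reference it rather than manage it themselves — confirm against the module's outputs.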
diff --git a/examples/fargate/data.tf b/examples/fargate/data.tf index 0ba0f94..bc00310 100644 --- a/examples/fargate/data.tf +++ b/examples/fargate/data.tf @@ -35,7 +35,6 @@ data "aws_iam_policy_document" "task_ecs_exec_policy" { statement { actions = [ "kms:Decrypt", - "kms:GenerateDataKey", ] resources = [ @@ -51,4 +50,13 @@ data "aws_iam_policy_document" "task_ecs_exec_policy" { ] resources = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"] } + statement { + actions = [ + "ssmmessages:CreateControlChannel", + "ssmmessages:CreateDataChannel", + "ssmmessages:OpenControlChannel", + "ssmmessages:OpenDataChannel", + ] + resources = "*" + } } diff --git a/examples/fargate/main.tf b/examples/fargate/main.tf index eb97de5..61f27fd 100644 --- a/examples/fargate/main.tf +++ b/examples/fargate/main.tf @@ -29,7 +29,6 @@ module "ecs_task_role" { trusted_role_services = ["ecs-tasks.amazonaws.com"] custom_role_policy_arns = [ "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess", - "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" ] policy = data.aws_iam_policy_document.task_ecs_exec_policy.json policy_name = "ecs-task-policy-${var.name}" From 844af44ad9bf314c82fb9ecdc57bac73bd351898 Mon Sep 17 00:00:00 2001 From: Jazeel Date: Wed, 1 Nov 2023 10:53:17 +0800 Subject: [PATCH 5/5] use list for resources --- examples/fargate/data.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/fargate/data.tf b/examples/fargate/data.tf index bc00310..47aa142 100644 --- a/examples/fargate/data.tf +++ b/examples/fargate/data.tf @@ -57,6 +57,6 @@ data "aws_iam_policy_document" "task_ecs_exec_policy" { "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel", ] - resources = "*" + resources = ["*"] } }
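Review bot: The new `ssmmessages` statement is the one place in this policy document where `"*"` is legitimately required, but nothing in the hunk says so, and a later reader tightening the example will try to scope it down and break ECS Exec. I would add a comment directly above the statement, such as `# ssmmessages actions do not support resource-level permissions; "*" is required for the ECS Exec (SSM) session channels`. For the same reason the statement deserves a `sid`, e.g. `sid = "EcsExecSessionChannels"`, matching the `sid` convention the removed `CustomTaskPolicy` statement carried, so the intent survives in the rendered policy. The surrounding `data "aws_iam_policy_document"` block starts before this hunk.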