Add more permissions to ecs task role, do not rely on code deploy nam…

…e from vars (#116)
thewca · Jul 22, 2024 · 0c935da · 0c935da
1 parent 53edbfe
commit 0c935da
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 7 deletions.
diff --git a/.github/workflows/backdeploy.yaml b/.github/workflows/backdeploy.yaml
@@ -12,6 +12,7 @@ env:
   AWS_DEFAULT_REGION: ${{ vars.AWS_DEFAULT_REGION }}
   AWS_ACCESS_KEY_ID: ${{ secrets.CI_CD_AWS_ACCESS_KEY_ID }}
   AWS_SECRET_ACCESS_KEY: ${{ secrets.CI_CD_AWS_SECRET_ACCESS_KEY }}
+  S3_BUCKET: ${{ vars.IAC_BUCKET_NAME }}
 
 jobs:
   build:
@@ -64,6 +65,6 @@ jobs:
       - name: Blue green deployment
         run: |
           aws deploy create-deployment \
-            --application-name ${{ secrets.APPLICATION_NAME }} \
-            --deployment-group-name ${{ secrets.DEPLOYMENT_GROUP }} \
-            --s3-location ${{ secrets.S3_LOCATION }}
+            --application-name statistics-server-code-deploy-app-prod \
+            --deployment-group-name statistics-server-code-deployment-group-prod \
+            --s3-location bucket=$S3_BUCKET,key=app-spec/statistics-spec-prod.yaml,bundleType=YAML
diff --git a/iac/code-deploy.tf b/iac/code-deploy.tf
@@ -9,6 +9,7 @@ resource "aws_iam_role" "statistics_server_code_deploy_role" {
       app_spec_folder = var.app_spec_folder
       cluster_name    = aws_ecs_cluster.statistics_server_cluster.name
       service_name    = aws_ecs_service.statistics_server_service.name
+      task_role_arn   = aws_iam_role.ecs_task_execution_role.arn
     })
   }
 

diff --git a/iac/ecs.tf b/iac/ecs.tf
@@ -15,6 +15,7 @@ resource "aws_ecs_task_definition" "statistics_server_task_definition" {
   cpu                      = var.statistics_fargate_cpu
   memory                   = var.statistics_fargate_memory
   execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
+  task_role_arn            = aws_iam_role.ecs_task_execution_role.arn
 
   container_definitions = templatefile("./templates/ecs/statistics_server_app.json.tpl", {
     app_image      = aws_ecr_repository.statistics_server.repository_url

diff --git a/iac/templates/policies/code-deploy-statistics.json b/iac/templates/policies/code-deploy-statistics.json
@@ -2,14 +2,24 @@
   "Version": "2012-10-17",
   "Statement": [
     {
-      "Action": ["ecs:DescribeServices"],
+      "Action": ["s3:GetObject"],
       "Effect": "Allow",
-      "Resource": "arn:aws:ecs:${aws_region}:*:service/${cluster_name}/${service_name}"
+      "Resource": "arn:aws:s3:::${bucket_name}/${app_spec_folder}/*"
     },
     {
-      "Action": ["s3:GetObject"],
+      "Action": ["elasticloadbalancing:*"],
       "Effect": "Allow",
-      "Resource": "arn:aws:s3:::${bucket_name}/${app_spec_folder}/*"
+      "Resource": "*"
+    },
+    {
+      "Action": ["iam:PassRole"],
+      "Effect": "Allow",
+      "Resource": "${task_role_arn}"
+    },
+    {
+      "Action": ["ecs:*"],
+      "Effect": "Allow",
+      "Resource": "*"
     }
   ]
 }