From 1170e879f0df7efe4ceabf272245731f9bd415d1 Mon Sep 17 00:00:00 2001
From: shockrah
Date: Fri, 10 Feb 2023 21:28:49 -0800
Subject: [PATCH] Consolidating roles for ecr and logging

---
 infra/cluster-logging.tf | 18 ------------------
 infra/ecr.tf | 12 ++++++++++++
 infra/roles.tf | 41 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 53 insertions(+), 18 deletions(-)
 create mode 100644 infra/ecr.tf

diff --git a/infra/cluster-logging.tf b/infra/cluster-logging.tf
index f06ed82..14345d2 100644
--- a/infra/cluster-logging.tf
+++ b/infra/cluster-logging.tf
@@ -8,21 +8,3 @@ resource "aws_cloudwatch_log_group" "alpha" {
 retention_in_days = 7
 }
-# Alpha logging role
-#####################
-resource "aws_iam_role" "alpha_iam_role" {
- name = "${var.athens_prefix}-alpha-iam-role"
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Action = "sts:AssumeRole"
- Principal = {
- Service = [ "ecs-tasks.amazonaws.com" ]
- }
- Effect = "Allow"
- }
- ]
- })
-}
-
diff --git a/infra/ecr.tf b/infra/ecr.tf
new file mode 100644
index 0000000..2412110
--- /dev/null
+++ b/infra/ecr.tf
@@ -0,0 +1,12 @@
+locals {
+ repos = [
+ "reverse-proxy",
+ ]
+}
+resource "aws_ecr_repository" "this" {
+ for_each = {
+ for index, repo in local.repos:
+ index => repo
+ }
+ name = each.value
+}
diff --git a/infra/roles.tf b/infra/roles.tf
index a21bd56..19b03d2 100644
--- a/infra/roles.tf
+++ b/infra/roles.tf
@@ -1,3 +1,22 @@
+# Alpha container role
+######################
+resource "aws_iam_role" "alpha_iam_role" {
+ name = "${var.athens_prefix}-alpha-iam-role"
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Principal = {
+ Service = [ "ecs-tasks.amazonaws.com" ]
+ }
+ Effect = "Allow"
+ }
+ ]
+ })
+}
+
+
 resource "aws_iam_policy" "alpha_iam_policy" {
 name = "${var.athens_prefix}-alpha-iam-policy"
 policy = jsonencode({
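Review bot: Keying `for_each` by list position (`index => repo`) in the new `aws_ecr_repository.this` means that inserting or reordering an entry in `local.repos` re-keys every repository after it, and Terraform will then plan to destroy and recreate those repositories along with the images stored in them; key by repository name instead. The resource also keeps the ECR defaults of mutable tags and no scan-on-push, so a tag such as `latest` can be silently repointed and pulled by the task without any vulnerability scan ever running. Since this file is new in the commit, changing the keys now costs nothing, whereas later it forces a replace. Immutable tags do break workflows that re-push the same tag, so treat that line as a deliberate choice rather than a drop-in.
```hcl
resource "aws_ecr_repository" "this" {
  for_each             = toset(local.repos)
  name                 = each.key
  image_tag_mutability = "IMMUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }
}
```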
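Review bot: The trust policy that this hunk moves into `alpha_iam_role` lets `ecs-tasks.amazonaws.com` assume the role with no `Condition`, which is the confused-deputy shape AWS warns about for ECS task roles: the service can be induced to assume it on behalf of a task in another account. This is carried over from cluster-logging.tf rather than introduced here, but consolidating the roles is the natural moment to fix it. Add `Condition = { StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id } }` to the statement (and ideally an `ArnLike` on `aws:SourceArn` restricted to this cluster's tasks); if no `data "aws_caller_identity"` is declared elsewhere in the module, one will need to be added, which I cannot confirm from this diff.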
@@ -17,8 +36,30 @@ resource "aws_iam_policy" "alpha_iam_policy" {
 })
 }
+resource "aws_iam_policy" "ecs_ecr_pull" {
+ name = "${var.athens_prefix}-allow-ecs-pull-ecr"
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "ecr:GetAuthorizationToken",
+ "ecr:BatchGetImage",
+ "ecr:GetDownloadUrlForLayer"
+ ]
+ "Resource" = "*"
+ }
+ ]
+ })
+}
+
 resource "aws_iam_role_policy_attachment" "alpha_logs" {
 role = aws_iam_role.alpha_iam_role.name
 policy_arn = aws_iam_policy.alpha_iam_policy.arn
 }
+resource "aws_iam_role_policy_attachment" "ecs_ecr_pull" {
+ role = aws_iam_role.alpha_iam_role.name
+ policy_arn = aws_iam_policy.ecs_ecr_pull.arn
+}
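Review bot: `"Resource" = "*"` in the new `ecs_ecr_pull` policy grants `ecr:BatchGetImage` and `ecr:GetDownloadUrlForLayer` on every repository in the account, so anything holding `alpha_iam_role` can pull any image, not just the `reverse-proxy` repository this commit creates; only `ecr:GetAuthorizationToken` lacks resource-level support and needs `*`. Split the statement so the pull actions are scoped to `aws_ecr_repository.this`, which also removes the odd quoted `"Resource"` key that does not match the bare `Effect`/`Action` keys around it. Separately, this role is trusted by `ecs-tasks.amazonaws.com` and appears to be the task role, but ECS pulls images with the task definition's execution role, not the task role, so these permissions may be landing on the role the container code runs as rather than the one that does the pull; I cannot see the task definition from this diff, so please confirm which role it names as `execution_role_arn`.
```hcl
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["ecr:GetAuthorizationToken"] # no resource-level scoping available for this action
        Resource = "*"
      },
      {
        Effect   = "Allow"
        Action   = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]
        Resource = [for r in aws_ecr_repository.this : r.arn]
      }
    ]
```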