Consolidating roles for ecr and logging

infra/cluster-logging.tf

@@ -8,21 +8,3 @@ resource "aws_cloudwatch_log_group" "alpha" {
   retention_in_days = 7
 }
 
-# Alpha logging role 
-#####################
-resource "aws_iam_role" "alpha_iam_role" {
-  name = "${var.athens_prefix}-alpha-iam-role"
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = "sts:AssumeRole"
-        Principal = {
-          Service = [ "ecs-tasks.amazonaws.com" ]
-        }
-        Effect = "Allow"
-      }
-    ]
-  })
-}
-

infra/ecr.tf

@@ -0,0 +1,12 @@
+locals {
+  repos = [
+    "reverse-proxy",
+  ]
+}
+resource "aws_ecr_repository" "this" {
+  for_each = {
+    for index, repo in local.repos:
+      index => repo
+  }
+  name = each.value
+}

infra/roles.tf

@@ -1,3 +1,22 @@
+# Alpha container role 
+######################
+resource "aws_iam_role" "alpha_iam_role" {
+  name = "${var.athens_prefix}-alpha-iam-role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Principal = {
+          Service = [ "ecs-tasks.amazonaws.com" ]
+        }
+        Effect = "Allow"
+      }
+    ]
+  })
+}
+
+
 resource "aws_iam_policy" "alpha_iam_policy" {
   name = "${var.athens_prefix}-alpha-iam-policy"
   policy = jsonencode({
@@ -17,8 +36,30 @@ resource "aws_iam_policy" "alpha_iam_policy" {
   })
 }
 
+resource "aws_iam_policy" "ecs_ecr_pull" {
+  name = "${var.athens_prefix}-allow-ecs-pull-ecr"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "ecr:GetAuthorizationToken",
+          "ecr:BatchGetImage",
+          "ecr:GetDownloadUrlForLayer"
+        ]
+        "Resource" = "*"
+      }
+    ]
+  })
+}
+
 resource "aws_iam_role_policy_attachment" "alpha_logs" {
   role        = aws_iam_role.alpha_iam_role.name
   policy_arn  = aws_iam_policy.alpha_iam_policy.arn
 }
 
+resource "aws_iam_role_policy_attachment" "ecs_ecr_pull" {
+  role        = aws_iam_role.alpha_iam_role.name
+  policy_arn  = aws_iam_policy.ecs_ecr_pull.arn
+}