Consolidating roles for ecr and logging

This commit is contained in:
shockrah 2023-02-10 21:28:49 -08:00
parent 5e978b5766
commit 1170e879f0
3 changed files with 53 additions and 18 deletions


@ -8,21 +8,3 @@ resource "aws_cloudwatch_log_group" "alpha" {
retention_in_days = 7 retention_in_days = 7
} }
# Alpha logging role
#####################
resource "aws_iam_role" "alpha_iam_role" {
name = "${var.athens_prefix}-alpha-iam-role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Principal = {
Service = [ "ecs-tasks.amazonaws.com" ]
}
Effect = "Allow"
}
]
})
}

12
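--- /dev/null
+++ b/infra/ecr.tf
@@ -0,0 +1,12 @@
+locals {
+repos = [
+"reverse-proxy",
+]
+}
+resource "aws_ecr_repository" "this" {
+for_each = {
+for index, repo in local.repos:
+index => repo
+}
+name = each.value
+}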
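Review bot: `for_each` keys the repositories by list position (`index => repo`), so inserting or reordering an entry in `local.repos` re-keys the existing entries and Terraform will plan to destroy and recreate those `aws_ecr_repository` resources, taking their pushed images with them; keying by name with `for_each = toset(local.repos)` and `name = each.key` avoids that. The repository also takes the ECR defaults, which leave tags mutable and skip scanning, so for an image that an ECS role will pull by tag, `image_tag_mutability = "IMMUTABLE"` plus `scan_on_push = true` are the settings a supply-chain review would expect, preventing a tag from being silently repointed at a different image. Both changes are shown below; switching the key will itself force a replace of the current `this["0"]` instance unless a `moved` block or `terraform state mv` is used, so this is best landed before the repository holds images.

```hcl
resource "aws_ecr_repository" "this" {
  # Key by repository name so edits to the list never re-key (and recreate) existing repos
  for_each = toset(local.repos)
  name     = each.key

  # A pushed tag cannot later be repointed at a different image digest
  image_tag_mutability = "IMMUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }
}
```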


@ -1,3 +1,22 @@
# Alpha container role
######################
resource "aws_iam_role" "alpha_iam_role" {
name = "${var.athens_prefix}-alpha-iam-role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Principal = {
Service = [ "ecs-tasks.amazonaws.com" ]
}
Effect = "Allow"
}
]
})
}
resource "aws_iam_policy" "alpha_iam_policy" { resource "aws_iam_policy" "alpha_iam_policy" {
name = "${var.athens_prefix}-alpha-iam-policy" name = "${var.athens_prefix}-alpha-iam-policy"
policy = jsonencode({ policy = jsonencode({
@ -17,8 +36,30 @@ resource "aws_iam_policy" "alpha_iam_policy" {
}) })
} }
resource "aws_iam_policy" "ecs_ecr_pull" {
name = "${var.athens_prefix}-allow-ecs-pull-ecr"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Action = [
"ecr:GetAuthorizationToken",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
]
"Resource" = "*"
}
]
})
}
resource "aws_iam_role_policy_attachment" "alpha_logs" { resource "aws_iam_role_policy_attachment" "alpha_logs" {
role = aws_iam_role.alpha_iam_role.name role = aws_iam_role.alpha_iam_role.name
policy_arn = aws_iam_policy.alpha_iam_policy.arn policy_arn = aws_iam_policy.alpha_iam_policy.arn
} }
resource "aws_iam_role_policy_attachment" "ecs_ecr_pull" {
role = aws_iam_role.alpha_iam_role.name
policy_arn = aws_iam_policy.ecs_ecr_pull.arn
}
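Review bot: `ecs_ecr_pull` grants `ecr:BatchGetImage` and `ecr:GetDownloadUrlForLayer` on `"Resource" = "*"`, which lets the role pull any image from any repository in the account; only `ecr:GetAuthorizationToken` needs `*`, the other two support resource-level permissions and can be scoped to the repositories this commit creates in `ecr.tf`. Splitting the statement as below does that and also adds `ecr:BatchCheckLayerAvailability`, which the ECS agent is documented as using during pulls — worth confirming against a real task launch before relying on the narrower policy. The quoted key `"Resource"` is inconsistent with the bare `Effect`/`Action` keys in the same object and in `alpha_iam_policy`; `Resource =` encodes identically under `jsonencode`. Since the same `alpha_iam_role` is trusted by `ecs-tasks.amazonaws.com` and now carries both log and pull permissions it looks like an execution role; if it is also passed as the task role, the application containers inherit ECR pull rights they likely should not have, and separate execution and task roles would be the cleaner split.

```hcl
resource "aws_iam_policy" "ecs_ecr_pull" {
  name = "${var.athens_prefix}-allow-ecs-pull-ecr"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # GetAuthorizationToken does not support resource-level permissions
        Effect   = "Allow"
        Action   = "ecr:GetAuthorizationToken"
        Resource = "*"
      },
      {
        # Pull rights limited to the repositories managed in ecr.tf
        Effect = "Allow"
        Action = [
          "ecr:BatchGetImage",
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchCheckLayerAvailability"
        ]
        Resource = [for r in aws_ecr_repository.this : r.arn]
      }
    ]
  })
}
```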