Cleaning up roles

2023-10-06 22:30:24 -07:00 · 2023-10-06 22:30:24 -07:00 · 7a388534f1
commit 7a388534f1
parent 8298dbb4f7
4 changed files with 63 additions and 68 deletions
--- a/infra/fargate/local.tf
+++ b/infra/fargate/local.tf
@ -3,9 +3,10 @@ locals {
  repos = [
    "reverse-proxy",
  ]
-  buckets = [
+  domains = [
    "shockrah.xyz",
-    "resume.shockrah.xyz"
+    "resume.shockrah.xyz",
+    "temper.tv"
  ]
  nginx_name = "${var.athens_prefix}-nginx-static-content"
  nginx_hp_check_interval = 300
--- a/infra/fargate/nginx-role.tf
+++ b/infra/fargate/nginx-role.tf
@ -0,0 +1,59 @@
+data "aws_iam_policy_document" "assume" {
+  statement {
+    actions = [ "sts:AssumeRole" ]
+
+    principals {
+      type        = "Service"
+      identifiers = [ "ecs-tasks.amazonaws.com" ]
+    }
+  }
+}
+
+# General ECS Tasks
+###################
+data "aws_iam_policy_document" "nginx" {
+  # Pull images from ECR
+  statement {
+    effect = "Allow"
+    actions = [
+      "ecr:GetAuthorizationToken",
+      "ecr:BatchGetImage",
+      "ecr:GetDownloadUrlForLayer"
+    ]
+    resources = [ "*" ]
+  }
+  # General logging to cloudwatch
+  statement {
+    effect = "Allow"
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:DescribeLogStreams",
+      "logs:PutLogEvents",
+    ]
+    resources = [ "*" ]
+  }
+  dynamic "statement" {
+    for_each = tolist(local.domains)
+    content {
+      effect    = "Allow"
+      actions   = [ "s3:*" ]
+      resources  = [ "arn:aws:s3:::${statement.value}" ]
+    }
+  }
+}
+resource "aws_iam_policy" "nginx" {
+  name = "${var.athens_prefix}-alpha-nginx-policy"
+  policy = data.aws_iam_policy_document.nginx.json
+}
+
+resource "aws_iam_role" "nginx" {
+  name = "${var.athens_prefix}-alpha-nginx-role"
+  assume_role_policy = data.aws_iam_policy_document.assume.json
+}
+
+resource "aws_iam_role_policy_attachment" "nginx" {
+  role        = aws_iam_role.nginx.name
+  policy_arn  = aws_iam_policy.nginx.arn
+}
+
--- a/infra/fargate/nginx.tf
+++ b/infra/fargate/nginx.tf
@ -3,7 +3,7 @@ resource "aws_ecs_task_definition" "beta" {

  network_mode = "awsvpc"
  requires_compatibilities = ["FARGATE"]
-  execution_role_arn = aws_iam_role.alpha_iam_role.arn
+  execution_role_arn = aws_iam_role.nginx.arn

  cpu = 256
  memory = 512
--- a/infra/fargate/roles.tf
+++ b/infra/fargate/roles.tf
@ -1,65 +0,0 @@
-# Alpha container role 
-######################
-resource "aws_iam_role" "alpha_iam_role" {
-  name = "${var.athens_prefix}-alpha-iam-role"
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = "sts:AssumeRole"
-        Principal = {
-          Service = [ "ecs-tasks.amazonaws.com" ]
-        }
-        Effect = "Allow"
-      }
-    ]
-  })
-}
-
-
-resource "aws_iam_policy" "alpha_iam_policy" {
-  name = "${var.athens_prefix}-alpha-iam-policy"
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow"
-        Action = [
-          "logs:CreateLogGroup",
-          "logs:CreateLogStream",
-          "logs:DescribeLogStreams",
-          "logs:PutLogEvents",
-        ]
-        "Resource" = "*"
-      }
-    ]
-  })
-}
-
-resource "aws_iam_policy" "ecs_ecr_pull" {
-  name = "${var.athens_prefix}-allow-ecs-pull-ecr"
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow"
-        Action = [
-          "ecr:GetAuthorizationToken",
-          "ecr:BatchGetImage",
-          "ecr:GetDownloadUrlForLayer"
-        ]
-        "Resource" = "*"
-      }
-    ]
-  })
-}
-
-resource "aws_iam_role_policy_attachment" "alpha_logs" {
-  role        = aws_iam_role.alpha_iam_role.name
-  policy_arn  = aws_iam_policy.alpha_iam_policy.arn
-}
-
-resource "aws_iam_role_policy_attachment" "ecs_ecr_pull" {
-  role        = aws_iam_role.alpha_iam_role.name
-  policy_arn  = aws_iam_policy.ecs_ecr_pull.arn
-}