From 7a388534f1676f4f2d9c66e88c6a17e722b5e476 Mon Sep 17 00:00:00 2001
From: shockrah
Date: Fri, 6 Oct 2023 22:30:24 -0700
Subject: [PATCH] Cleaning up roles
---
 infra/fargate/local.tf | 5 +--
 infra/fargate/nginx-role.tf | 59 +++++++++++++++++++++++++++++++++
 infra/fargate/nginx.tf | 2 +-
 infra/fargate/roles.tf | 65 -------------------------------------
 4 files changed, 63 insertions(+), 68 deletions(-)
 create mode 100644 infra/fargate/nginx-role.tf
 delete mode 100644 infra/fargate/roles.tf
diff --git a/infra/fargate/local.tf b/infra/fargate/local.tf
index 2eb5d6c..156515a 100644
--- a/infra/fargate/local.tf
+++ b/infra/fargate/local.tf
@@ -3,9 +3,10 @@ locals {
 repos = [
 "reverse-proxy",
 ]
- buckets = [
+ domains = [
 "shockrah.xyz",
- "resume.shockrah.xyz"
+ "resume.shockrah.xyz",
+ "temper.tv"
 ]
 nginx_name = "${var.athens_prefix}-nginx-static-content"
 nginx_hp_check_interval = 300
diff --git a/infra/fargate/nginx-role.tf b/infra/fargate/nginx-role.tf
new file mode 100644
index 0000000..98777bf
--- /dev/null
+++ b/infra/fargate/nginx-role.tf
@@ -0,0 +1,59 @@
+data "aws_iam_policy_document" "assume" {
+ statement {
+ actions = [ "sts:AssumeRole" ]
+
+ principals {
+ type = "Service"
+ identifiers = [ "ecs-tasks.amazonaws.com" ]
+ }
+ }
+}
+
+# General ECS Tasks
+###################
+data "aws_iam_policy_document" "nginx" {
+ # Pull images from ECR
+ statement {
+ effect = "Allow"
+ actions = [
+ "ecr:GetAuthorizationToken",
+ "ecr:BatchGetImage",
+ "ecr:GetDownloadUrlForLayer"
+ ]
+ resources = [ "*" ]
+ }
+ # General logging to cloudwatch
+ statement {
+ effect = "Allow"
+ actions = [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:DescribeLogStreams",
+ "logs:PutLogEvents",
+ ]
+ resources = [ "*" ]
+ }
+ dynamic "statement" {
+ for_each = tolist(local.domains)
+ content {
+ effect = "Allow"
+ actions = [ "s3:*" ]
+ resources = [ "arn:aws:s3:::${statement.value}" ]
+ }
+ }
+}
+resource "aws_iam_policy" "nginx" {
+ name = "${var.athens_prefix}-alpha-nginx-policy"
+ policy = data.aws_iam_policy_document.nginx.json
+}
+
+resource "aws_iam_role" "nginx" {
+ name = "${var.athens_prefix}-alpha-nginx-role"
+ assume_role_policy = data.aws_iam_policy_document.assume.json
+}
+
+resource "aws_iam_role_policy_attachment" "nginx" {
+ role = aws_iam_role.nginx.name
+ policy_arn = aws_iam_policy.nginx.arn
+}
+
diff --git a/infra/fargate/nginx.tf b/infra/fargate/nginx.tf
index a5e9be6..ef6a6cb 100644
--- a/infra/fargate/nginx.tf
+++ b/infra/fargate/nginx.tf
@@ -3,7 +3,7 @@ resource "aws_ecs_task_definition" "beta" {
 network_mode = "awsvpc"
 requires_compatibilities = ["FARGATE"]
- execution_role_arn = aws_iam_role.alpha_iam_role.arn
+ execution_role_arn = aws_iam_role.nginx.arn
 cpu = 256
 memory = 512
diff --git a/infra/fargate/roles.tf b/infra/fargate/roles.tf
deleted file mode 100644
index 19b03d2..0000000
--- a/infra/fargate/roles.tf
+++ /dev/null
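Review bot: The dynamic S3 statement in `aws_iam_policy_document.nginx` grants `s3:*` on the bare bucket ARN `arn:aws:s3:::${statement.value}`, which is the wrong shape in both directions: it authorizes bucket-level mutations such as `s3:DeleteBucket`, `s3:PutBucketPolicy` and `s3:PutBucketAcl`, while object reads like `s3:GetObject` require the `/*` object ARN and are not covered at all. For a role that serves static content the statement should be read-only and list both ARNs, e.g. `actions = [ "s3:GetObject", "s3:ListBucket" ]` and `resources = [ "arn:aws:s3:::${statement.value}", "arn:aws:s3:::${statement.value}/*" ]`. This role is also wired in as the ECS execution role (nginx.tf hunk), which the ECS agent uses for ECR pulls and log delivery; application-level S3 access normally lives on a separate task role, so consider keeping this document to the ECR/logs statements and moving the S3 grant into its own role and policy. The `ecs-tasks.amazonaws.com` trust policy in `assume` has no `aws:SourceAccount`/`aws:SourceArn` condition, which AWS recommends on service-principal trusts to rule out confused-deputy assumption from another account's tasks. Note that `local.domains` is consumed here as a list of bucket names, so every entry (including the new `temper.tv`) must match an actual bucket for the ARN to resolve.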
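Review bot: The task definition now sets only `execution_role_arn = aws_iam_role.nginx.arn`; on Fargate the execution role is consumed by the ECS agent (image pull, CloudWatch Logs) and the container itself only receives credentials through `task_role_arn`, which this hunk does not set. If nginx is meant to read the S3 buckets that the attached policy grants, it needs `task_role_arn = aws_iam_role.<task-role>.arn`, ideally pointing at a separate role that carries just the S3 read statements; if the container never calls AWS APIs, the S3 statements on the execution role are unreachable and should be dropped rather than left as dormant privilege. The `aws_ecs_task_definition.beta` block starts and ends outside the hunk, so `task_role_arn` may already be set on a line not shown here — worth confirming.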
@@ -1,65 +0,0 @@
-# Alpha container role
-######################
-resource "aws_iam_role" "alpha_iam_role" {
- name = "${var.athens_prefix}-alpha-iam-role"
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Action = "sts:AssumeRole"
- Principal = {
- Service = [ "ecs-tasks.amazonaws.com" ]
- }
- Effect = "Allow"
- }
- ]
- })
-}
-
-
-resource "aws_iam_policy" "alpha_iam_policy" {
- name = "${var.athens_prefix}-alpha-iam-policy"
- policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Effect = "Allow"
- Action = [
- "logs:CreateLogGroup",
- "logs:CreateLogStream",
- "logs:DescribeLogStreams",
- "logs:PutLogEvents",
- ]
- "Resource" = "*"
- }
- ]
- })
-}
-
-resource "aws_iam_policy" "ecs_ecr_pull" {
- name = "${var.athens_prefix}-allow-ecs-pull-ecr"
- policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Effect = "Allow"
- Action = [
- "ecr:GetAuthorizationToken",
- "ecr:BatchGetImage",
- "ecr:GetDownloadUrlForLayer"
- ]
- "Resource" = "*"
- }
- ]
- })
-}
-
-resource "aws_iam_role_policy_attachment" "alpha_logs" {
- role = aws_iam_role.alpha_iam_role.name
- policy_arn = aws_iam_policy.alpha_iam_policy.arn
-}
-
-resource "aws_iam_role_policy_attachment" "ecs_ecr_pull" {
- role = aws_iam_role.alpha_iam_role.name
- policy_arn = aws_iam_policy.ecs_ecr_pull.arn
-}