Cleaning up roles

infra/fargate/local.tf

@@ -3,9 +3,10 @@ locals {
   repos = [
     "reverse-proxy",
   ]
-  buckets = [
+  domains = [
     "shockrah.xyz",
-    "resume.shockrah.xyz"
+    "resume.shockrah.xyz",
+    "temper.tv"
   ]
   nginx_name = "${var.athens_prefix}-nginx-static-content"
   nginx_hp_check_interval = 300

infra/fargate/nginx-role.tf

@@ -0,0 +1,59 @@
+data "aws_iam_policy_document" "assume" {
+  statement {
+    actions = [ "sts:AssumeRole" ]
+
+    principals {
+      type        = "Service"
+      identifiers = [ "ecs-tasks.amazonaws.com" ]
+    }
+  }
+}
+
+# General ECS Tasks
+###################
+data "aws_iam_policy_document" "nginx" {
+  # Pull images from ECR
+  statement {
+    effect = "Allow"
+    actions = [
+      "ecr:GetAuthorizationToken",
+      "ecr:BatchGetImage",
+      "ecr:GetDownloadUrlForLayer"
+    ]
+    resources = [ "*" ]
+  }
+  # General logging to cloudwatch
+  statement {
+    effect = "Allow"
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:DescribeLogStreams",
+      "logs:PutLogEvents",
+    ]
+    resources = [ "*" ]
+  }
+  dynamic "statement" {
+    for_each = tolist(local.domains)
+    content {
+      effect    = "Allow"
+      actions   = [ "s3:*" ]
+      resources  = [ "arn:aws:s3:::${statement.value}" ]
+    }
+  }
+}
+resource "aws_iam_policy" "nginx" {
+  name = "${var.athens_prefix}-alpha-nginx-policy"
+  policy = data.aws_iam_policy_document.nginx.json
+}
+
+resource "aws_iam_role" "nginx" {
+  name = "${var.athens_prefix}-alpha-nginx-role"
+  assume_role_policy = data.aws_iam_policy_document.assume.json
+}
+
+resource "aws_iam_role_policy_attachment" "nginx" {
+  role        = aws_iam_role.nginx.name
+  policy_arn  = aws_iam_policy.nginx.arn
+}
+

infra/fargate/nginx.tf

@@ -3,7 +3,7 @@ resource "aws_ecs_task_definition" "beta" {
 
   network_mode = "awsvpc"
   requires_compatibilities = ["FARGATE"]
-  execution_role_arn = aws_iam_role.alpha_iam_role.arn
+  execution_role_arn = aws_iam_role.nginx.arn
 
   cpu = 256
   memory = 512

infra/fargate/roles.tf

@@ -1,65 +0,0 @@
-# Alpha container role 
-######################
-resource "aws_iam_role" "alpha_iam_role" {
-  name = "${var.athens_prefix}-alpha-iam-role"
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = "sts:AssumeRole"
-        Principal = {
-          Service = [ "ecs-tasks.amazonaws.com" ]
-        }
-        Effect = "Allow"
-      }
-    ]
-  })
-}
-
-
-resource "aws_iam_policy" "alpha_iam_policy" {
-  name = "${var.athens_prefix}-alpha-iam-policy"
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow"
-        Action = [
-          "logs:CreateLogGroup",
-          "logs:CreateLogStream",
-          "logs:DescribeLogStreams",
-          "logs:PutLogEvents",
-        ]
-        "Resource" = "*"
-      }
-    ]
-  })
-}
-
-resource "aws_iam_policy" "ecs_ecr_pull" {
-  name = "${var.athens_prefix}-allow-ecs-pull-ecr"
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow"
-        Action = [
-          "ecr:GetAuthorizationToken",
-          "ecr:BatchGetImage",
-          "ecr:GetDownloadUrlForLayer"
-        ]
-        "Resource" = "*"
-      }
-    ]
-  })
-}
-
-resource "aws_iam_role_policy_attachment" "alpha_logs" {
-  role        = aws_iam_role.alpha_iam_role.name
-  policy_arn  = aws_iam_policy.alpha_iam_policy.arn
-}
-
-resource "aws_iam_role_policy_attachment" "ecs_ecr_pull" {
-  role        = aws_iam_role.alpha_iam_role.name
-  policy_arn  = aws_iam_policy.ecs_ecr_pull.arn
-}