Fix instance refresh lambda policy

* It needs permissions to start an instance refresh
dxw · Nov 26, 2024 · 34dc151 · 34dc151
1 parent 8e9863f
commit 34dc151
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -151,6 +151,7 @@ This project creates and manages resources within an AWS account for infrastruct
 | [aws_iam_policy.ecs_cluster_infrastructure_ecs_asg_diff_metric_ecs_describe_cluster_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ecs_cluster_infrastructure_ecs_asg_diff_metric_kms_encrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ecs_cluster_infrastructure_ecs_asg_diff_metric_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.ecs_cluster_infrastructure_instance_refresh_allow_instance_refresh](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ecs_cluster_infrastructure_instance_refresh_kms_encrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ecs_cluster_infrastructure_instance_refresh_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ecs_cluster_infrastructure_pending_task_metric_cloudwatch_put_metric_data_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -235,6 +236,7 @@ This project creates and manages resources within an AWS account for infrastruct
 | [aws_iam_role_policy_attachment.ecs_cluster_infrastructure_ecs_asg_diff_metric_asg_describe_asg_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.ecs_cluster_infrastructure_ecs_asg_diff_metric_ecs_describe_cluster_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.ecs_cluster_infrastructure_ecs_asg_diff_metric_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.ecs_cluster_infrastructure_instance_refresh_allow_instance_refresh](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.ecs_cluster_infrastructure_instance_refresh_kms_encrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.ecs_cluster_infrastructure_instance_refresh_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.ecs_cluster_infrastructure_pending_task_cloudwatch_metric_put_metric_data_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |

diff --git a/ecs-cluster-infrastructure-instance-refresh-lambda.tf b/ecs-cluster-infrastructure-instance-refresh-lambda.tf
@@ -38,6 +38,25 @@ resource "aws_iam_role_policy_attachment" "ecs_cluster_infrastructure_instance_r
   policy_arn = aws_iam_policy.ecs_cluster_infrastructure_instance_refresh_lambda[0].arn
 }
 
+resource "aws_iam_policy" "ecs_cluster_infrastructure_instance_refresh_allow_instance_refresh" {
+  count = local.infrastructure_ecs_cluster_instance_refresh_lambda_schedule_expression != "" ? 1 : 0
+
+  name = "${local.resource_prefix}-ecs-cluster-infrastructure-instance-refresh-allow-instance-refresh"
+  policy = templatefile(
+    "${path.root}/policies/asg-instance-refresh.json.tpl",
+    {
+      asg_arns = jsonencode([aws_autoscaling_group.infrastructure_ecs_cluster[0].arn])
+    }
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_cluster_infrastructure_instance_refresh_allow_instance_refresh" {
+  count = local.infrastructure_ecs_cluster_instance_refresh_lambda_schedule_expression != "" ? 1 : 0
+
+  role       = aws_iam_role.ecs_cluster_infrastructure_instance_refresh_lambda[0].name
+  policy_arn = aws_iam_policy.ecs_cluster_infrastructure_instance_refresh_allow_instance_refresh[0].arn
+}
+
 resource "aws_iam_policy" "ecs_cluster_infrastructure_instance_refresh_kms_encrypt" {
   count = local.infrastructure_ecs_cluster_instance_refresh_lambda_schedule_expression != "" && local.infrastructure_kms_encryption ? 1 : 0
 
@@ -79,7 +98,7 @@ resource "aws_lambda_function" "ecs_cluster_infrastructure_instance_refresh" {
 
   environment {
     variables = {
-      asgName = local.infrastructure_ecs_cluster_name
+      asgName = aws_autoscaling_group.infrastructure_ecs_cluster[0].name
     }
   }
 

diff --git a/policies/asg-instance-refresh.json.tpl b/policies/asg-instance-refresh.json.tpl
@@ -0,0 +1,10 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "autoscaling:StartInstanceRefresh",
+      "Resource": ${asg_arns}
+    }
+  ]
+}