Fix CodePipeline ECS deploy policy
* Adds the correct permissions when deploying to ECS (Rolling deploys)
Stretch96 committed Aug 26, 2024
1 parent 315f445 commit 4feb472
Showing 4 changed files with 45 additions and 10 deletions.
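--- a/README.md
+++ b/README.md
@@ -158,6 +158,7 @@ This project creates and manages resources within an AWS account for infrastruct
 | [aws_iam_policy.infrastructure_ecs_cluster_service_codepipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_ecs_cluster_service_codepipeline_codedeploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_ecs_cluster_service_codepipeline_codestar_connection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.infrastructure_ecs_cluster_service_codepipeline_ecs_deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_ecs_cluster_service_codepipeline_kms_encrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_ecs_cluster_service_scheduled_task_ecs_run_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_ecs_cluster_service_scheduled_task_pass_role_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -232,6 +233,7 @@ This project creates and manages resources within an AWS account for infrastruct
 | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_codepipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_codepipeline_codedeploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_codepipeline_codestar_connection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_codepipeline_ecs_deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_codepipeline_kms_encrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_scheduled_task_ecs_run_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_scheduled_task_pass_role_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |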
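--- a/ecs-cluster-infrastructure-service-build-pipeline.tf
+++ b/ecs-cluster-infrastructure-service-build-pipeline.tf
@@ -48,6 +48,27 @@ resource "aws_iam_role_policy_attachment" "infrastructure_ecs_cluster_service_co
 policy_arn = aws_iam_policy.infrastructure_ecs_cluster_service_codepipeline_codedeploy[each.key].arn
 }
 
+resource "aws_iam_policy" "infrastructure_ecs_cluster_service_codepipeline_ecs_deploy" {
+for_each = {
+for k, v in local.infrastructure_ecs_cluster_services : k => v if v["deployment_type"] == "rolling"
+}
+
+name = "${local.resource_prefix}-${substr(sha512("ecs-service-codepipeline-ecs-deploy-${each.key}"), 0, 6)}"
+description = "${local.resource_prefix}-ecs-service-codepipeline-ecs-deploy${each.key}"
+policy = templatefile(
+"${path.root}/policies/codepipeline-ecs-deploy.json.tpl", {}
+)
+}
+
+resource "aws_iam_role_policy_attachment" "infrastructure_ecs_cluster_service_codepipeline_ecs_deploy" {
+for_each = {
+for k, v in local.infrastructure_ecs_cluster_services : k => v if v["deployment_type"] == "rolling"
+}
+
+role = aws_iam_role.infrastructure_ecs_cluster_service_codepipeline[each.key].name
+policy_arn = aws_iam_policy.infrastructure_ecs_cluster_service_codepipeline_ecs_deploy[each.key].arn
+}
+
 resource "aws_iam_policy" "infrastructure_ecs_cluster_service_codepipeline_kms_encrypt" {
 for_each = local.infrastructure_kms_encryption ? local.infrastructure_ecs_cluster_services : {}
 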
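Review bot: The `description` of the new `aws_iam_policy` drops the `-` separator before `${each.key}` that the `name` hash input uses, so it renders as `...-ecs-deploy<service>` rather than `...-ecs-deploy-<service>`; change it to `description = "${local.resource_prefix}-ecs-service-codepipeline-ecs-deploy-${each.key}"`. Separately, `templatefile` is called with an empty variable map, so each rolling service gets its own IAM policy with byte-identical contents; either pass the service's cluster and service identifiers into the template so it can scope the write actions to that service, or collapse this into one shared policy attached to each pipeline role. The role this attaches to, `aws_iam_role.infrastructure_ecs_cluster_service_codepipeline`, is defined outside this hunk.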
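--- a/policies/codepipeline-default.json.tpl
+++ b/policies/codepipeline-default.json.tpl
@@ -23,16 +23,6 @@
 "Resource": "*",
 "Effect": "Allow"
 },
-{
-"Action": [
-"ecs:DescribeServices",
-"ecs:UpdateService",
-"ecs:DescribeTaskDefinition",
-"ecs:RegisterTaskDefinition"
-],
-"Resource": "*",
-"Effect": "Allow"
-},
 {
 "Action": "iam:PassRole",
 "Effect": "Allow",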
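--- /dev/null
+++ b/policies/codepipeline-ecs-deploy.json.tpl
@@ -0,0 +1,22 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": [
+"ecs:DescribeClusters",
+"ecs:DescribeServices",
+"ecs:DescribeTaskDefinition",
+"ecs:DescribeTasks",
+"ecs:ListClusters",
+"ecs:ListServices",
+"ecs:ListTaskDefinitions",
+"ecs:UpdateService",
+"ecs:RegisterTaskDefinition"
+],
+"Resource": [
+"*"
+]
+}
+]
+}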
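Review bot: `ecs:UpdateService` is granted on `"Resource": ["*"]`, which lets this per-service pipeline role redeploy any ECS service in the account rather than only the one the pipeline belongs to; UpdateService accepts resource-level permissions on the service ARN, whereas RegisterTaskDefinition and the List* actions genuinely need `*`. Split the statement so the write action is scoped to the service and only the unscopable actions keep the wildcard; the Terraform side currently passes no variables to this template, so the service ARN has to be threaded in. Also note that RegisterTaskDefinition together with the `iam:PassRole` grant that remains in codepipeline-default.json.tpl lets the role register task definitions using any role PassRole permits, so that PassRole statement's Resource (not visible here) should be confirmed to be limited to the service's task and execution roles.
```json
{
  "Effect": "Allow",
  "Action": [
    "ecs:DescribeClusters",
    "ecs:DescribeServices",
    "ecs:DescribeTaskDefinition",
    "ecs:DescribeTasks",
    "ecs:ListClusters",
    "ecs:ListServices",
    "ecs:ListTaskDefinitions",
    "ecs:RegisterTaskDefinition"
  ],
  "Resource": ["*"]
},
{
  "Effect": "Allow",
  "Action": ["ecs:UpdateService"],
  "Resource": ["${service_arn}"]
}
```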
