From 4feb4727e00de0ee1361385e3df6ea6db0eb1a0a Mon Sep 17 00:00:00 2001
From: Chris Wright
Date: Mon, 26 Aug 2024 16:25:20 +0100
Subject: [PATCH] Fix CodePipeline ECS deploy policy

* Adds the correct permissions when deploying to ECS (Rolling deploys)
---
 README.md | 2 ++
 ...r-infrastructure-service-build-pipeline.tf | 21 ++++++++++++++++++
 policies/codepipeline-default.json.tpl | 10 ----------
 policies/codepipeline-ecs-deploy.json.tpl | 22 +++++++++++++++++++
 4 files changed, 45 insertions(+), 10 deletions(-)
 create mode 100644 policies/codepipeline-ecs-deploy.json.tpl

diff --git a/README.md b/README.md
index 3bef262..5a805ab 100644
--- a/README.md
+++ b/README.md
@@ -158,6 +158,7 @@ This project creates and manages resources within an AWS account for infrastruct
 | [aws_iam_policy.infrastructure_ecs_cluster_service_codepipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_ecs_cluster_service_codepipeline_codedeploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_ecs_cluster_service_codepipeline_codestar_connection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.infrastructure_ecs_cluster_service_codepipeline_ecs_deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_ecs_cluster_service_codepipeline_kms_encrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_ecs_cluster_service_scheduled_task_ecs_run_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_ecs_cluster_service_scheduled_task_pass_role_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -232,6 +233,7 @@ This project creates and manages resources within an AWS account for infrastruct
 | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_codepipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_codepipeline_codedeploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_codepipeline_codestar_connection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_codepipeline_ecs_deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_codepipeline_kms_encrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_scheduled_task_ecs_run_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_scheduled_task_pass_role_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
diff --git a/ecs-cluster-infrastructure-service-build-pipeline.tf b/ecs-cluster-infrastructure-service-build-pipeline.tf
index f056034..2d47242 100644
--- a/ecs-cluster-infrastructure-service-build-pipeline.tf
+++ b/ecs-cluster-infrastructure-service-build-pipeline.tf
@@ -48,6 +48,27 @@ resource "aws_iam_role_policy_attachment" "infrastructure_ecs_cluster_service_co
   policy_arn = aws_iam_policy.infrastructure_ecs_cluster_service_codepipeline_codedeploy[each.key].arn
 }
 
+resource "aws_iam_policy" "infrastructure_ecs_cluster_service_codepipeline_ecs_deploy" {
+  for_each = {
+    for k, v in local.infrastructure_ecs_cluster_services : k => v if v["deployment_type"] == "rolling"
+  }
+
+  name        = "${local.resource_prefix}-${substr(sha512("ecs-service-codepipeline-ecs-deploy-${each.key}"), 0, 6)}"
+  description = "${local.resource_prefix}-ecs-service-codepipeline-ecs-deploy${each.key}"
+  policy = templatefile(
+    "${path.root}/policies/codepipeline-ecs-deploy.json.tpl", {}
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "infrastructure_ecs_cluster_service_codepipeline_ecs_deploy" {
+  for_each = {
+    for k, v in local.infrastructure_ecs_cluster_services : k => v if v["deployment_type"] == "rolling"
+  }
+
+  role       = aws_iam_role.infrastructure_ecs_cluster_service_codepipeline[each.key].name
+  policy_arn = aws_iam_policy.infrastructure_ecs_cluster_service_codepipeline_ecs_deploy[each.key].arn
+}
+
 resource "aws_iam_policy" "infrastructure_ecs_cluster_service_codepipeline_kms_encrypt" {
   for_each = local.infrastructure_kms_encryption ? local.infrastructure_ecs_cluster_services : {}
 
diff --git a/policies/codepipeline-default.json.tpl b/policies/codepipeline-default.json.tpl
index dff0db5..f2a2402 100644
--- a/policies/codepipeline-default.json.tpl
+++ b/policies/codepipeline-default.json.tpl
@@ -23,16 +23,6 @@
       "Resource": "*",
       "Effect": "Allow"
     },
-    {
-      "Action": [
-        "ecs:DescribeServices",
-        "ecs:UpdateService",
-        "ecs:DescribeTaskDefinition",
-        "ecs:RegisterTaskDefinition"
-      ],
-      "Resource": "*",
-      "Effect": "Allow"
-    },
     {
       "Action": "iam:PassRole",
       "Effect": "Allow",
diff --git a/policies/codepipeline-ecs-deploy.json.tpl b/policies/codepipeline-ecs-deploy.json.tpl
new file mode 100644
index 0000000..8a17135
--- /dev/null
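Review bot: The `for_each` filter on both new resources attaches the ECS permissions only to services whose `deployment_type` is `"rolling"`, while the same commit removes the `ecs:*` statement from `codepipeline-default.json.tpl` for every pipeline role; a non-rolling (CodeDeploy blue/green) pipeline's CodeDeployToECS action still registers a task definition revision, so unless the codedeploy policy template (not shown here) already grants `ecs:RegisterTaskDefinition` and `ecs:DescribeTaskDefinition`, those pipelines will start failing with AccessDenied after this lands. Worth confirming against that template before merge, or widening the filter. Separately, `description` drops the separator before the key and will render as e.g. `...-ecs-deployweb`; `description = "${local.resource_prefix}-ecs-service-codepipeline-ecs-deploy-${each.key}"` matches the string fed into `sha512` for `name`. Finally, `templatefile(..., {})` passes no variables, so the rendered policy cannot be scoped to this service's cluster/service ARN even though the resource is already instantiated per service — passing those identifiers (if the locals expose them) would let the template restrict `ecs:UpdateService` instead of granting it on `*`.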
+++ b/policies/codepipeline-ecs-deploy.json.tpl
@@ -0,0 +1,22 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ecs:DescribeClusters",
+        "ecs:DescribeServices",
+        "ecs:DescribeTaskDefinition",
+        "ecs:DescribeTasks",
+        "ecs:ListClusters",
+        "ecs:ListServices",
+        "ecs:ListTaskDefinitions",
+        "ecs:UpdateService",
+        "ecs:RegisterTaskDefinition"
+      ],
+      "Resource": [
+        "*"
+      ]
+    }
+  ]
+}
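Review bot: `ecs:UpdateService`, `ecs:DescribeServices`, `ecs:DescribeTasks` and `ecs:DescribeClusters` are granted on `"Resource": ["*"]`, so every per-service pipeline role can redeploy any ECS service in the account even though this policy is created once per service; those actions accept service/task/cluster ARNs and belong in a separate scoped statement, while `ecs:RegisterTaskDefinition`, `ecs:DescribeTaskDefinition` and the `ecs:List*` actions genuinely require `*` and can stay as they are. The template is currently rendered with no variables, so the call site in the `.tf` file would have to pass the cluster and service identifiers for the split below to work — I could not see whether the locals expose them. It is also worth checking the action list against the documented permissions for the CodePipeline ECS deploy action, which as I recall also include `ecs:ListTasks` and `ecs:TagResource` (the latter when task definitions carry tags); a missing action here only surfaces as a run-time deploy failure, not at plan time.
```json
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeTaskDefinition",
        "ecs:ListClusters",
        "ecs:ListServices",
        "ecs:ListTaskDefinitions",
        "ecs:RegisterTaskDefinition"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeClusters",
        "ecs:DescribeServices",
        "ecs:DescribeTasks",
        "ecs:UpdateService"
      ],
      "Resource": [
        "${cluster_arn}",
        "${service_arn}",
        "${task_arn_pattern}"
      ]
    }
```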