
Fix service ECS Exec
* The service task role needs `ssmmessages` permissions to create
  channels
Stretch96 committed Jul 12, 2024
1 parent 4271e46 commit ad5fe1f
Showing 3 changed files with 37 additions and 0 deletions.
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -148,6 +148,7 @@ This project creates and manages resources within an AWS account for infrastruct
| [aws_iam_policy.infrastructure_ecs_cluster_service_task_execution_ecr_pull](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.infrastructure_ecs_cluster_service_task_execution_kms_decrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.infrastructure_ecs_cluster_service_task_execution_s3_read_envfiles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.infrastructure_ecs_cluster_service_task_ssm_create_channels](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.infrastructure_ecs_cluster_ssm_service_setting_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.infrastructure_rds_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.ecs_cluster_infrastructure_draining_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
Expand Down Expand Up @@ -200,6 +201,7 @@ This project creates and manages resources within an AWS account for infrastruct
| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_execution_ecr_pull](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_execution_kms_decrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_execution_s3_read_envfiles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_ssm_create_channels](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_ssm_service_setting_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.infrastructure_rds_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_user.infrastructure_ecs_cluster_service_build_pipeline_buildspec_store](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
20 changes: 20 additions & 0 deletions ecs-cluster-infrastructure-service.tf
Expand Up @@ -103,6 +103,25 @@ resource "aws_iam_role" "infrastructure_ecs_cluster_service_task" {
)
}

resource "aws_iam_policy" "infrastructure_ecs_cluster_service_task_ssm_create_channels" {
for_each = {
for k, v in local.infrastructure_ecs_cluster_services : k => v if v["enable_execute_command"] == true
}

name = "${local.resource_prefix}-${substr(sha512("ecs-cluster-service-task-${each.key}-create-channels"), 0, 6)}"
description = "${local.resource_prefix}-ecs-cluster-service-task-${each.key}-create-channels"
policy = templatefile("${path.root}/policies/ssm-create-channels.json.tpl", {})
}

resource "aws_iam_role_policy_attachment" "infrastructure_ecs_cluster_service_task_ssm_create_channels" {
for_each = {
for k, v in local.infrastructure_ecs_cluster_services : k => v if v["enable_execute_command"] == true
}

role = aws_iam_role.infrastructure_ecs_cluster_service_task[each.key].name
policy_arn = aws_iam_policy.infrastructure_ecs_cluster_service_task_ssm_create_channels[each.key].arn
}

resource "aws_iam_policy" "infrastructure_ecs_cluster_service_task_custom" {
for_each = merge([
for service_name, service in local.infrastructure_ecs_cluster_services : {
Expand Down Expand Up @@ -182,6 +201,7 @@ resource "aws_ecs_task_definition" "infrastructure_ecs_cluster_service" {
aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_execution_cloudwatch_logs,
aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_execution_s3_read_envfiles,
aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_execution_kms_decrypt,
aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_ssm_create_channels,
]
}

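Review bot: The `for_each` filter `for k, v in local.infrastructure_ecs_cluster_services : k => v if v["enable_execute_command"] == true` is written out verbatim in both the new `aws_iam_policy` and the new `aws_iam_role_policy_attachment`, so a later edit to one copy and not the other would leave a service with an attachment referencing a policy instance that does not exist, or a policy that is never attached. Hoisting the filtered map into a local and referencing it from both `for_each` arguments keeps the two in lockstep. Since the template is rendered with no variables, `file("${path.root}/policies/ssm-create-channels.json.tpl")` would read more honestly than `templatefile(..., {})`, though that is cosmetic. The policy resource would also benefit from a one-line comment recording the reason given in the commit message, e.g. `# ECS Exec: the ssmmessages channel permissions must sit on the service task role, not the execution role.` The `aws_ecs_task_definition` whose `depends_on` list gains the attachment in the last hunk starts outside the hunk.
```hcl
locals {
  # Services that opted into ECS Exec; drives both the SSM channel policy and its attachment.
  infrastructure_ecs_cluster_services_with_execute_command = {
    for k, v in local.infrastructure_ecs_cluster_services : k => v if v["enable_execute_command"] == true
  }
}

resource "aws_iam_policy" "infrastructure_ecs_cluster_service_task_ssm_create_channels" {
  for_each = local.infrastructure_ecs_cluster_services_with_execute_command
  # … unchanged: name, description, policy …
}

resource "aws_iam_role_policy_attachment" "infrastructure_ecs_cluster_service_task_ssm_create_channels" {
  for_each = local.infrastructure_ecs_cluster_services_with_execute_command
  # … unchanged: role, policy_arn …
}
```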
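--- /dev/null
+++ b/policies/ssm-create-channels.json.tpl
@@ -0,0 +1,15 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": [
+"ssmmessages:CreateControlChannel",
+"ssmmessages:CreateDataChannel",
+"ssmmessages:OpenControlChannel",
+"ssmmessages:OpenDataChannel"
+],
+"Resource": "*"
+}
+]
+}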
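Review bot: `"Resource": "*"` on this statement is the correct scope rather than an over-grant, because the `ssmmessages` channel actions do not support resource-level permissions and a narrower ARN would break ECS Exec, but nothing in the file records that and anyone auditing the repository for wildcard resources will stop here. JSON has no comments, so a `Sid` is the place to carry the intent: add e.g. `"Sid": "EcsExecSsmMessagesChannels",` to the statement, and note in the Terraform resource's `description` or a comment that the wildcard is required by the service. Because this grant, combined with `ecs:ExecuteCommand` on the caller's side, opens an interactive session into the container, it is worth confirming that the cluster's execute-command configuration has session logging enabled so those sessions leave an audit trail; that setting is presumably defined elsewhere in the project.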
