From ad5fe1f2fc7b8e99cebd65777559bf282f2d4c89 Mon Sep 17 00:00:00 2001
From: Chris Wright
Date: Fri, 12 Jul 2024 15:15:37 +0100
Subject: [PATCH] Fix service ECS Exec
* The service task role needs `ssmmessages` permissions to create channles
---
 README.md | 2 ++
 ecs-cluster-infrastructure-service.tf | 20 ++++++++++++++++++++
 policies/ssm-create-channels.json.tpl | 15 +++++++++++++++
 3 files changed, 37 insertions(+)
 create mode 100644 policies/ssm-create-channels.json.tpl
diff --git a/README.md b/README.md
index 06783a0..33c6c10 100644
--- a/README.md
+++ b/README.md
@@ -148,6 +148,7 @@ This project creates and manages resources within an AWS account for infrastruct
 | [aws_iam_policy.infrastructure_ecs_cluster_service_task_execution_ecr_pull](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_ecs_cluster_service_task_execution_kms_decrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_ecs_cluster_service_task_execution_s3_read_envfiles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.infrastructure_ecs_cluster_service_task_ssm_create_channels](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_ecs_cluster_ssm_service_setting_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_rds_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.ecs_cluster_infrastructure_draining_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@@ -200,6 +201,7 @@ This project creates and manages resources within an AWS account for infrastruct
 | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_execution_ecr_pull](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_execution_kms_decrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_execution_s3_read_envfiles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_ssm_create_channels](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_ssm_service_setting_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_rds_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_user.infrastructure_ecs_cluster_service_build_pipeline_buildspec_store](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
diff --git a/ecs-cluster-infrastructure-service.tf b/ecs-cluster-infrastructure-service.tf
index 64cde8e..a776983 100644
--- a/ecs-cluster-infrastructure-service.tf
+++ b/ecs-cluster-infrastructure-service.tf
@@ -103,6 +103,25 @@ resource "aws_iam_role" "infrastructure_ecs_cluster_service_task" {
 )
 }
 
+resource "aws_iam_policy" "infrastructure_ecs_cluster_service_task_ssm_create_channels" {
+ for_each = {
+ for k, v in local.infrastructure_ecs_cluster_services : k => v if v["enable_execute_command"] == true
+ }
+
+ name = "${local.resource_prefix}-${substr(sha512("ecs-cluster-service-task-${each.key}-create-channels"), 0, 6)}"
+ description = "${local.resource_prefix}-ecs-cluster-service-task-${each.key}-create-channels"
+ policy = templatefile("${path.root}/policies/ssm-create-channels.json.tpl", {})
+}
+
+resource "aws_iam_role_policy_attachment" "infrastructure_ecs_cluster_service_task_ssm_create_channels" {
+ for_each = {
+ for k, v in local.infrastructure_ecs_cluster_services : k => v if v["enable_execute_command"] == true
+ }
+
+ role = aws_iam_role.infrastructure_ecs_cluster_service_task[each.key].name
+ policy_arn = aws_iam_policy.infrastructure_ecs_cluster_service_task_ssm_create_channels[each.key].arn
+}
+
 resource "aws_iam_policy" "infrastructure_ecs_cluster_service_task_custom" {
 for_each = merge([
 for service_name, service in local.infrastructure_ecs_cluster_services : {
@@ -182,6 +201,7 @@ resource "aws_ecs_task_definition" "infrastructure_ecs_cluster_service" {
 aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_execution_cloudwatch_logs,
 aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_execution_s3_read_envfiles,
 aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_execution_kms_decrypt,
+ aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_ssm_create_channels,
 ]
 }
 
diff --git a/policies/ssm-create-channels.json.tpl b/policies/ssm-create-channels.json.tpl
new file mode 100644
index 0000000..785bbfd
--- /dev/null
+++ b/policies/ssm-create-channels.json.tpl
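Review bot: The attachment block repeats the `enable_execute_command` filter of the policy block, so the two maps can silently drift if one is edited; iterating the policy resource itself keeps them in lock-step: `for_each = aws_iam_policy.infrastructure_ecs_cluster_service_task_ssm_create_channels` with `policy_arn = each.value.arn` (the `role` line is unchanged, since `each.key` is still the service key). Both filters also index `v["enable_execute_command"]` directly, which fails the plan for any entry in `local.infrastructure_ecs_cluster_services` that omits the key unless the local already defaults it — `if try(v["enable_execute_command"], false) == true` tolerates that. Because this policy is what lets the SSM agent in the container open an interactive session under the task role's credentials, I would put the rationale above the policy resource, e.g. `# ECS Exec: the ssmmessages channel APIs do not support resource-level permissions, so the policy uses Resource "*"; who may open a session is still gated by ecs:ExecuteCommand on the caller`, and confirm that the cluster's execute_command_configuration has session logging enabled for audit — that configuration is not visible in this diff. Minor: `templatefile(..., {})` with no variables could simply be `file(...)`.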
@@ -0,0 +1,15 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ssmmessages:CreateControlChannel",
+ "ssmmessages:CreateDataChannel",
+ "ssmmessages:OpenControlChannel",
+ "ssmmessages:OpenDataChannel"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
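Review bot: `"Resource": "*"` is the expected shape here rather than something to tighten — the four ssmmessages channel actions do not support resource-level permissions, so a narrower ARN would not be honoured — and a later reviewer should not "fix" it; since JSON carries no comments, that rationale belongs next to the `aws_iam_policy` that loads this file. The file contains no template placeholders, so the `.json.tpl` suffix suggests interpolation that never happens; `ssm-create-channels.json` loaded with `file()` would state that plainly. Note that this grants only the agent-side half of ECS Exec to the task role; which principals can open a session into the container is decided by `ecs:ExecuteCommand` on the caller, which this diff does not touch.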