Merge pull request #184 from USSBA/IA-3420

IA-3420: Updated ECS task policy to include permissions to write logs…
USSBA · Dec 11, 2023 · 4400174 · 4400174
2 parents 759c336 + 52bf410
commit 4400174
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 12 deletions.
diff --git a/terraform/fargate.tf b/terraform/fargate.tf
@@ -39,7 +39,7 @@ module "api" {
 
   ## If the ecs task needs to access AWS API for any reason, grant
   ## it permissions with this parameter and the policy resource below
-  #task_policy_json       = data.aws_iam_policy_document.fargate.json
+  task_policy_json = data.aws_iam_policy_document.fargate.json
 
   # Deployment
   enable_deployment_rollbacks        = true
@@ -82,14 +82,19 @@ module "api" {
 }
 
 ## If the ecs task needs to access AWS API for any reason, grant it permissions with this
-#
-#data "aws_iam_policy_document" "fargate" {
-#  statement {
-#    sid = "AllResources"
-#    actions = [
-#      "s3:ListAllMyBuckets",
-#      "s3:GetBucketLocation",
-#    ]
-#    resources = ["*"]
-#  }
-#}
+
+data "aws_iam_policy_document" "fargate" {
+  statement {
+    sid = "AllResources"
+    actions = [
+      "s3:GetObject",
+      "s3:PutObject",
+      "s3:List*",
+      "s3:GetBucketLocation",
+    ]
+    resources = [
+      "${data.aws_s3_bucket.logs.arn}",
+      "${data.aws_s3_bucket.logs.arn}/*"
+    ]
+  }
+}
diff --git a/terraform/infrastructure-resources.tf b/terraform/infrastructure-resources.tf
@@ -72,3 +72,7 @@ data "aws_sns_topic" "alerts" {
   for_each = toset(["green", "yellow", "red", "security"])
   name     = "${local.account_name}-teams-${each.value}-notifications"
 }
+
+data "aws_s3_bucket" "logs" {
+  bucket = "${local.account_ids[terraform.workspace]}-${local.region}-logs"
+}