From 52bf410c868ca011b76ccb62a25bea3f5204466d Mon Sep 17 00:00:00 2001
From: Tyler
Date: Fri, 1 Dec 2023 12:09:34 -0800
Subject: [PATCH] IA-3420: Updated ECS task policy to include permissions to write logs to s3

---
 terraform/fargate.tf | 29 ++++++++++++++++-----------
 terraform/infrastructure-resources.tf | 4 ++++
 2 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/terraform/fargate.tf b/terraform/fargate.tf
index 780faf3..ec36b85 100644
--- a/terraform/fargate.tf
+++ b/terraform/fargate.tf
@@ -39,7 +39,7 @@ module "api" {
 ## If the ecs task needs to access AWS API for any reason, grant
 ## it permissions with this parameter and the policy resource below
- #task_policy_json = data.aws_iam_policy_document.fargate.json
+ task_policy_json = data.aws_iam_policy_document.fargate.json
 # Deployment
 enable_deployment_rollbacks = true
@@ -82,14 +82,19 @@ module "api" {
 }
 ## If the ecs task needs to access AWS API for any reason, grant it permissions with this
-#
-#data "aws_iam_policy_document" "fargate" {
-# statement {
-# sid = "AllResources"
-# actions = [
-# "s3:ListAllMyBuckets",
-# "s3:GetBucketLocation",
-# ]
-# resources = ["*"]
-# }
-#}
+
+data "aws_iam_policy_document" "fargate" {
+ statement {
+ sid = "AllResources"
+ actions = [
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:List*",
+ "s3:GetBucketLocation",
+ ]
+ resources = [
+ "${data.aws_s3_bucket.logs.arn}",
+ "${data.aws_s3_bucket.logs.arn}/*"
+ ]
+ }
+}
diff --git a/terraform/infrastructure-resources.tf b/terraform/infrastructure-resources.tf
index b0dff1e..d6ce2e1 100644
--- a/terraform/infrastructure-resources.tf
+++ b/terraform/infrastructure-resources.tf
@@ -72,3 +72,7 @@ data "aws_sns_topic" "alerts" {
 for_each = toset(["green", "yellow", "red", "security"])
 name = "${local.account_name}-teams-${each.value}-notifications"
 }
+
+data "aws_s3_bucket" "logs" {
+ bucket = "${local.account_ids[terraform.workspace]}-${local.region}-logs"
+}
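Review bot: The new `fargate` policy document grants `s3:GetObject` and `s3:List*` over the entire logs bucket although the commit only needs the task to write logs; if this is the shared account-level logs bucket (the other hunk builds its name from account id and region), the task can read every object in it. I would drop `s3:GetObject` unless the task is known to read logs back, narrow `s3:List*` to `s3:ListBucket` (the `List*` wildcard also matches `s3:ListAllMyBuckets`, which is not resource-scoped), and scope `s3:PutObject` to the key prefix this task writes to rather than `${arn}/*`. Splitting bucket-level and object-level actions into two statements keeps each action on the resource type it applies to, and the sid `AllResources` no longer describes a policy whose resources are scoped. The `"${...}"` wrapping around a bare reference is also unnecessary interpolation; `data.aws_s3_bucket.logs.arn` reads the same.
```hcl
data "aws_iam_policy_document" "fargate" {
  # Bucket-level actions: listing and location lookup apply to the bucket ARN itself.
  statement {
    sid       = "LogsBucket"
    actions   = ["s3:ListBucket", "s3:GetBucketLocation"]
    resources = [data.aws_s3_bucket.logs.arn]
  }

  # Object-level actions: write only, and only under the prefix this task owns.
  # <task-log-prefix> is a placeholder for the key prefix the task writes to.
  statement {
    sid       = "LogsWrite"
    actions   = ["s3:PutObject"]
    resources = ["${data.aws_s3_bucket.logs.arn}/<task-log-prefix>/*"]
  }
}
```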
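Review bot: The new `data "aws_s3_bucket" "logs"` block carries no comment saying which bucket it refers to or why this configuration looks it up instead of creating it; since the name is assembled from `local.account_ids[terraform.workspace]` and `local.region`, a reader of this file alone cannot tell it is the bucket the ECS task policy in fargate.tf writes to. I would add `# Account-level logs bucket (managed outside this configuration); referenced by the ECS task policy in fargate.tf` above the block. Note also that a workspace missing from `local.account_ids` will presumably fail the plan with a map lookup error rather than a readable message, which is acceptable but worth a mention in that comment.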